Skip to Content
Product Information

Displaying Security Alerts in the SAP EarlyWatch Alert Workspace

 

Most likely you all know SAP EarlyWatch Alert; an automatic diagnostic service that monitors the essential administrative areas of an SAP system. SAP recommends that you consume the corresponding reports in the cloud-based SAP EarlyWatch Alert Workspace in the SAP ONE Support Launchpad.

If you don’t know the SAP EarlyWatch Alert Workspace, use the Web Assistant for help. It contains detailed help content as an overlay on top of all the SAP EarlyWatch Alert apps. To enable this Web Assistant simply click on the question mark in the upper right hand corner of the screen:

From the workspace, you can start different apps covering different aspects of SAP EarlyWatch Alert information. One of these apps is the SAP EarlyWatch Alert Solution Finder, containing a powerful search function over all your SAP EarlyWatch Alert reports for any search term or affected system.

But now to the main topic of the blog – getting information about the security status of your system landscape. If there are security issues in your system landscape, most likely there’ll be a corresponding alert in the SAP EarlyWatch Alert reports.

So far customers sometimes have entered “Security” as a search term in the SAP EarlyWatch Alert Solution Finder to find corresponding alerts and associated recommendations. Meanwhile, this has been improved significantly – now alerts are characterized by categories and sub-categories, which you can select as an additional search criterion. To do so, just check the needed category in the dropdown list box Alert Category in the header of the Solution Finder:

Because of the special importance of security alerts, there is now also another card available in the SAP EarlyWatch Alert Workspace: the Security Status. A preliminary version of this card will be released on October 04, 2019, with the final UI described here coming two weeks later.

Using this card, you don’t have to start another app to see a summary of the security issues in your system landscape. The card displays the number of systems in which security alerts exist, both in total and broken down by category and rating. So for every security alert category, you can see the number of systems with red alerts, yellow alerts and without alerts. You also have the option of displaying only the alerts of the most recent report per system (New Alerts) or the alerts that re-occurred since one or multiple of the previous reports (All Alerts):

In detail, the following security checks are performed in SAP EarlyWatch Alert depending on the system type (also see SAP note 863362):

Category ABAP SAP HANA
Critical Authorizations Users have critical authorizations, like:

  • SAP_ALL profile,
  • Display all tables
  • Run all Reports
  • Debug & replace
  • administer RFC connections
  • change user passwords
  • display other users spool requests
  • Users have the critical privilege DATA ADMIN.
Communication 
  • Protection of passwords in database connections is insecure.
  • Security weaknesses identified in the gateway or the message server configuration.
  • Gateway Access Control List (reg_info/sec_info) does not exist (delivery status) or contains trivial entries.
  • SAP HANA internal network configuration is insecure.
  • SAP HANA network settings for system replication is insecure.
Configuration 
  • Secure password policy is not sufficiently enforced.
  • SAP HANA database: Secure password policy is not sufficiently enforced.
  • SQL Trace is configured to write all result sets.
  • SSFS Master Encryption Key is not changed.
Security Maintenance
  • Age of support package (support with SAP security notes is no longer ensured)
Security Review and Monitoring
  • Recommended audit configuration is not applied.
Standard Users 
  • Standard users (including SAP* or DDIC) have default Password.
  • User SYSTEM is active and valid.
  • Invalid connect attempts of user SYSTEM.

If you click the Security Status card, the SAP EarlyWatch Solution Finder is called with the following alert filter settings:

  • If you click the card header, all categories of security alerts are displayed.
  • If you click a category, only the corresponding security alerts are displayed.
  • There is no filter for Age (in contrast to the conventional Solution Finder, where by default only alerts of the latest report for each system are displayed). The reason is that you usually call the Solution Finder once per week to check whether new alerts have occurred. In contrast, the Security Status answers the question of existing security issues, regardless of how long the corresponding alert already exists.
  • There is no filter for Alert Rating in contrast to the conventional Solution Finder, where by default only decisive red alerts are displayed for each system). The reason is that you are usually interested in the most severe alerts first when calling the Solution Finder. In contrast, the Security Status should give you a complete overview about security issues, regardless of the alert rating.

As usual, you will find a recommendation how to solve the issue for every alert found.

Because of the fundamental importance of security alerts, the search for these alerts is protected by an additional authorization. User administrators can assign this authorization in the SAP ONE Support Launchpad in the Support User Management app. Please note the following in this context:

  • The authorization is initially assigned to super administrators only.
  • Super administrators can assign the authorization to user administrators or directly to users.

In Detail, you need the following authorizations:

  • The already existing authorization Service Reports and Feedback (section Reports) to view SAP EarlyWatch Alert reports and apps.
  • The new authorization Display Security Alerts in SAP EarlyWatch Alert Workspace (section Reports) to use the alert category Security in the application SAP EarlyWatch Alert Solution Finder and to access the card Security Status.

More information

Blog: Using the SAP EarlyWatch Alert Solution Finder Effectively

Blog: Cookbook for SAP EarlyWatch Alert Workspace

Blog: SAP EarlyWatch Alert Workspace – gain an overview on your system landscape health

Video: Solve Alerts with the SAP EarlyWatch Alert Workspace

1 Comment
You must be Logged on to comment or reply to a post.
  • Actually I can’t see the Alert Category “Security” in my Early Watch Alert Workspace.

    When is the Alert Category “Security” general available ?