I released new functionality for the SAPSEC project: a new security pack dedicated to the analysis of configuration differences has been published. To accomplish this, a multi-logon feature was added to the SAPGUI library. This means that in the new release SAPSEC can connect to multiple SAP sessions (in the SAP Logon application). In manual mode you may open several SAP sessions to different SAP systems, and SAPSEC can connect to all of them. The number of sessions is not limited. In our case SAPSEC connects to the opened SAP sessions, collects some data to analyze and then compares the data from the various sessions. If the loaded configurations are identical, the security checks are complied.
At the moment there is only a single check in the security pack: SAP software component version comparison. So why do we need to compare software versions? In most cases you need to compare the software components across your system landscape (sandbox, development, test, acceptance, productive, training, etc. environments). If you do not install all updates synchronously on all systems, a significant version lag will accumulate in one of the systems. Then all sorts of surprises are possible: the ABAP code works successfully on one system, but not on another. As a result, you can spend a lot of time analyzing the resulting errors, so it is recommended that you synchronize software versions across the system landscape from time to time.
So, how does the control work?
The simplest way to get installed component information is to use the menu System/Status. Then click on the Status details button:
The system status details cannot be downloaded. To download the installed software table you can use function module OCS_GET_INSTALLED_SWPRODUCTS.
SAPSEC loads the installed software component versions table from each SAP system (from each opened SAP session in SAP Logon) and then conducts a comparative analysis. If the software versions aren't the same, the security check will be in NOT COMPLIED status and an additional report will be generated according to the analysis results. A report example is below:
As usual, the report is an Excel file that you can filter and analyze as you like. I suppose the column names are clear to everyone (the first column is the software component name, then its version in the TS1 system, its version in the TS2 system and the comparison status). Then analyze the discrepancies (red lines in the report), install new SPs and re-analyze.
In conclusion, a few words about the next steps in developing the project. There are a few ideas for developing the configuration comparison checks:
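The comparison step described above, sketched as an added Python example (this is not SAPSEC's own code). The row layout (component, release, SP level), the function names and the per-row statuses OK/DIFF/MISSING are assumptions, and the sample data is constructed; it also generalizes from two systems to any number.

```python
# Added example: compare installed software components across SAP systems.
# Row layout (component, release, SP level) and row statuses are assumptions.

# Constructed sample data, standing in for the table loaded from each session.
SYSTEMS = {
    "TS1": [("SAP_BASIS", "750", "0012"), ("SAP_ABA", "750", "0012"),
            ("SAP_GWFND", "750", "0010"), ("ST-PI", "740", "0008")],
    "TS2": [("SAP_BASIS", "750", "0012"), ("SAP_ABA", "750", "0009"),
            ("SAP_GWFND", "750", "0010")],
}

def index_components(rows):
    """Map component name -> (release, sp_level); reject duplicate rows."""
    table = {}
    for component, release, sp_level in rows:
        name = component.strip().upper()
        if name in table:
            raise ValueError(f"duplicate component row: {name}")
        table[name] = (release.strip(), sp_level.strip())
    return table

def compare_landscape(systems):
    """Return (check_status, report_rows) for any number of systems."""
    indexed = {sid: index_components(rows) for sid, rows in systems.items()}
    sids = sorted(indexed)
    report = []
    for name in sorted(set().union(*indexed.values())):
        versions = [indexed[sid].get(name) for sid in sids]
        if None in versions:
            status = "MISSING"      # component not installed on every system
        elif len(set(versions)) > 1:
            status = "DIFF"         # release or SP level differs
        else:
            status = "OK"
        cells = ["/".join(v) if v else "-" for v in versions]
        report.append((name, *cells, status))
    check = "COMPLIED" if all(r[-1] == "OK" for r in report) else "NOT COMPLIED"
    return check, report

if __name__ == "__main__":
    check, report = compare_landscape(SYSTEMS)
    print("Check status:", check)
    for row in report:
        print("  ".join(f"{cell:<12}" for cell in row))
```

A component that is absent from one system is reported separately from a version mismatch, since the remediation differs (install the component versus apply the missing SPs).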
- Profile parameter values comparative analysis.
- Installed notes comparative analysis.
- User role content (composite, single roles) comparative analysis.
Write a comment if you are interested in any of the security checks above. I will try to prioritize them according to your opinion. If anyone has ideas about what other differences in system configurations would be interesting to analyze, write in the comments. I will think about how to implement them.