More Food for Security Monitors – tracking user and role changes in SAP S/4HANA Cloud 2208
Almost exactly one year ago, with our SAP S/4HANA Cloud Release 2108, we made the Security Audit Log (SAL) API available to customers. The SAL is probably the most important log for security monitoring – but often it doesn’t give you the full picture.
For example, the SAL might show you that a specific user has started a specific transaction – but it doesn’t tell you if a user was created or roles have been changed.
To close that gap, with 2208 we are publishing more APIs. With these newly available APIs, the security monitoring tools of our customers can form a more comprehensive picture of security relevant events. In addition to helping your security department analyze potential attacks better, those APIs – and that includes the SAL API – will also make your auditors happy, since it makes their life a lot easier.
There are now two new APIs which can be accessed: the Business Role Changelog API and the Business User Changelog API.
Those two are doubtlessly relevant for security: Enhancing what is recorded in the Security Audit Log, the Business Role Changelog and the Business User Changelog show you who has made which change to business roles or a business user. As this is both relevant for potential forensic analyses as well as for the yearly system audit, we have now included the option to consume this data via an API as well as through the app.
Let’s go to the fun part, though, and look at some examples.
Retrieving User/Role Changes via API
The first scenario that comes to mind is whether one user (or a group of users) changed any data of other users. Hence, if you want to find out whether any of those malicious users which start with “_BAD” changed other users, your query string would be:
If you want to narrow it down and display all changes that user _BAD0815 has done to user 4711, the resulting query would be:
/sap/opu/odata/sap/APS_IAM_API_BUSER_CDOC/BusinessUserChanges?$filter=BusinessUserID eq '4711' and ChangedByUserID eq '_BAD0815'
Both of these examples show a change of the business user. Let’s look at an example of a business role change. One word of caution: Queries for role changes can become really complex really quick – therefore, in order not to risk running into a time-out or error, we strongly recommend setting a filter on the ChangedOn attribute whenever running a complex query to narrow down the search.
To take a fairly complex example: say you want to know who has changed a particular role in the past few days. Not only that, you also want to restrict your results to the malicious users from one of our previous examples. You query string would then be:
sap/opu/odata/sap/APS_IAM_API_BROLE_CDOC/BusinessRoleChanges?$filter=ChangedOn gt datetimeoffset'2022-08-08T00:00:00.00Z' and BusinessRoleID eq 'FIN_ADMIN' and substringof('_BAD', ChangedByUserName)
And that’s really it. A documentation of the newly released APIs can be found here:
A better SAL API
We introduced the SAL API last year. Now, there are some enhancements to that API, though they are of a more technical nature. More precisely, we have added more attributes to identify the user which triggered the event better.
Speaking of the Security Audit Log: Sometimes security relevant events have to be checked manually – which in the SAP S/4HANA Cloud system is possible with the respective App “Display the Security Audit Log”. When you log on to your SAP S/4HANA system now, you might notice that the SAL app has a new appearance. This new appearance is mostly because we changed the method of developing this UI to the Fiori freestyle method. There aren’t too many changes in the features, with the notable exception that you can now see the archived SAL events, as well.
In summary, with the newly released APIs, monitoring your SAP S/4HANA Cloud system becomes significantly more comprehensive.