SAP S/4HANA Cloud, public edition – Secure by Default (Part 2)
Comparing SAP S/4HANA Cloud, public edition, with SAP S/4HANA on premise, several differences in its IT audit capabilities become obvious. This blog post is part of a series of articles where we compare the audit process of SAP S/4HANA Cloud, public edition, with the audit process for SAP S/4HANA on Premise.
To summarize the most important differences: as SAP S/4HANA Cloud, public edition, is a SaaS offering, the most obvious difference is customer access, which is only possible at the application level.
SAP has also evolved its user experience with ERP transactions being replaced by SAP Fiori apps, applications providing access to business functionality in a more modern way. That is why customers only have access through business authorizations authenticated using SAP Identity Authentication Services.
Compared to SAP S/4HANA on premise, some functionality has been replaced with modern apps, some configurations are the responsibility of SAP, and some functionality is no longer accessible. Some examples:
- System access is only possible through a dedicated authentication service
- Critical authorizations are no longer available (e.g., SAP_ALL, or debug and replace authorizations)
- System table access is no longer possible
- Direct execution of ABAP reports or transaction codes is no longer available
- System software changes are applied by SAP on a regular schedule
Secure by Default
Another area where a SaaS offering differs from an on premise solution is the configuration of security relevant settings.
In a cloud environment such as SAP S/4HANA Cloud, public edition, SAP is responsible for most platform-related security configurations and follows a secure-by-default approach. The measures can be grouped into the areas described in the following paragraphs.
These paragraphs provide more details on the measures SAP applies to SAP S/4HANA Cloud, public edition, and on the options customers still have to access the required information in case of an IT audit.
Authentication and Authorization
Customer business user authentication is solely possible through a dedicated identity provider, for example the SAP Identity Authentication Service. This also means that authentication settings (e.g., password policy) cannot be reviewed on SAP S/4HANA Cloud, public edition, systems themselves.
Further, so-called business catalogs represent the smallest authorization entity for customers. Critical authorizations (e.g., the SAP_ALL profile or the debug & replace authorization) are not available to customers, and neither are the SAP default users (e.g., DDIC, SAP* or TMSADM).
Technical users deserve a separate mention. In an on-premise environment, SAP has not defined roles and authorizations for technical users in the context of a communication scenario, for example establishing a connection between two on-premise systems. In SAP S/4HANA Cloud, public edition, communication users for such a scenario are strictly defined, so that their authorizations fit the respective communication arrangement.
While an SAP S/4HANA on premise solution provides report RSUSR100N to access user-related change documents across the system, in SAP S/4HANA Cloud, public edition, two SAP Fiori apps are now available to support customers in getting an overview of existing business users and their authorizations. Users for communication scenarios can be reviewed in a separate SAP Fiori app (Maintain Communication Users – F1338).
Maintain Business Users – F1303
As the name implies, the SAP Fiori app Maintain Business Users allows editing of business user data, e.g., assigning or removing roles, locking or unlocking users, or downloading a list of users. This app also contains the user-related change documents needed to trace user changes such as creation, locking, etc.
SAP Fiori application “Maintain Business Users”
IAM Information System – F2450
The SAP Fiori app IAM Information System allows for the display of information about the usage of business roles, business catalogs, business users and restrictions, and how they are related. The functionality is similar to transaction SUIM in the SAP S/4HANA on premise solution. For example, you can use this app to check if a business user is using a particular app and to check which authorizations they have.
SAP Fiori application “IAM Information System”
As mentioned before, contrary to an on-premise solution, system table access is not possible in SAP S/4HANA Cloud, public edition. As a result, tables like USR02 or E070 cannot be accessed directly. Table data can instead be accessed through the corresponding SAP S/4HANA Cloud Fiori applications, e.g., Maintain Business Users or the recently introduced Customer Data Browser (CDB).
SAP system profile parameters are also not accessible to customers and cannot be controlled by them. The necessary configuration lies within the responsibility of SAP, is defined by SAP and is configured in all systems accordingly.
The security audit log (SAL) and table logging for dedicated database tables are enabled by default and cannot be switched off by customers.
In SAP S/4HANA on premise, transaction SM20 or report RSAU_READ_LOG can be used to check whether the security audit log is adequately enabled and configured to log security-critical activities of users.
In SAP S/4HANA Cloud, public edition, while the security audit log is always enabled, two SAP Fiori applications are available for verifying this in an audit context.
Please note that the activation and configuration of the security audit log is solely the responsibility of SAP. Customers can review logged events and types.
Display Security Audit Log – F4204
With this app you can display information about security-relevant events that occur in your SAP system, for example failed or successful logon attempts.
SAP Fiori application “Display Security Audit Log”
Display Static System Audit – F5461
With this app, you can get a quick overview of static system information, which can be necessary during an audit. It provides an overview of the logged event types available through the Display Security Audit Log (F4204) application, plus further information specific to the system environment, e.g., the tenant role or the status of the security audit log and the table change log.
SAP Fiori application “Display Static System Audit”
Software change management of SAP S/4HANA Cloud, public edition, is explained in more detail in a later blog post of this series. This paragraph focuses on the characteristics of change management in SAP S/4HANA Cloud, public edition, in comparison to an on-premise installation.
Updating the SAP S/4HANA Cloud, public edition, software is the responsibility of SAP. New software versions are first installed on all non-production systems to allow customers to test potential changes to their business processes. After a defined schedule, all production systems are updated to the latest SAP S/4HANA Cloud, public edition, release. Currently, new software releases are applied by SAP every six months, and hotfixes are applied monthly in addition. Emergency patches can be rolled out on demand. Necessary security updates are also regularly rolled out as part of this software delivery process. The current release can be seen in the SAP Fiori app Display Static System Audit or in the About section of the user profile.
System changeability cannot be controlled by the customer. Depending on the tenant role (test or production), this is set by SAP. Transaction SCC4 provides an overview of existing clients and production status in an SAP S/4HANA on premise system. In SAP S/4HANA Cloud, public edition, the tenant role (e.g., test, production) can be found in the above-mentioned SAP Fiori app Display Static System Audit (F5461).
Business configuration changes by customers are done with standardized processes in SAP S/4HANA Cloud, public edition. This process ensures that changes are first applied to the non-production system, can be tested by customers, and afterwards are applied to the production system.
Software change management concludes our overview of secure by default in SAP S/4HANA Cloud, public edition.
In our next blog post we will focus on access management of SAP S/4HANA Cloud, public edition, and how it can be audited.
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.