Planning & design of the system architecture
WebServices
SAP HANA has been one of the major topics in the SAP environment for the last few years. Many customers are currently faced with the question of whether or not to migrate your SAP system. In addition to the actual changeover itself, there are many other topics on which you should have already informed yourself in advance, as these influence the success of SAP HANA in your company. What do you already know about SAP HANA? I would like to encourage you to think about security in the following article. If you would like to learn about the architecture of HANA, I recommend a contribution from our colleagues at erlebe Software. SAP HANA Scenario But why are we even talking about HANA Security? Why is it so important to consider new security strategies with the new technology? With HANA it is possible to analyse data quickly. BW scenarios primarily benefit from the in-memory database (IMDB) used, as speed advantages in data access are particularly positive. Compared to a classic ERP / R3 scenario, the normal DB is replaced by HANA. The desired speed advantages result. However, migration is expected to be required for the changeover. This is caused by customer-specific developments in the system. HANA is not a further development of SAP ERP, HANA is the next stage of an ERP system. It is well known that an ERP system contains the capital of the companies. Therefore a new HANA system like all other ERP systems is also interesting for attackers. On the one hand, such a system contains the critical business data that are available for espionage. In addition, most business processes are mapped in such a system and offer an attack surface for sabotage. In addition, users do not initially know the new technology well. This also applies to administrators in the area of a new technology. Attackers quickly gain a dangerous leap of knowledge over these user groups. SAP HANA has a lot of new features, although many existing ones are used by SAP ERP, so there is a risk here.
In addition, the applications prepare the data in such a way that the user can visually capture it via the presentation layer. Conversely, the application server transfers all data that a user enters via the presentation layer to the underlying database.
Maintenance and transport of application and system modifications
This option is useful if several transactions are to be checked simultaneously for their existing assignment to a particular user. This variant must first identify all roles that have already been assigned to the user. This is done in the transaction SE16N by entering the table AGR_USERS. In addition, the limit of the maximum hit number can be set in this image. The user concerned must now be entered here. Furthermore, the output should be limited to the roles only. After the query is executed, all the roles assigned to the previously entered user are displayed. These are now completely marked and copied. Then in the transaction SE16N a step back is taken and this time the table AGR_1251 is selected. Now all the roles that have been copied previously are inserted here. In addition, the object S_TCODE and the transactions to be searched for are filtered. Warning: When entering transaction codes, be sure to be case-sensitive! At this point, the output can also be limited to the roles and object values (in this case, the transactions). After the query is executed, the transactions entered will now show those that the user can already perform. In addition, the role assigned to the transaction is shown. In conclusion, the SUIM is only partially suitable for identifying certain transactions with user assignment. Although the search using the S_TCODE permission object also allows you to view multiple transactions. However, since the result is missing the assignment of transactions considered to roles, the SUIM transaction can only be usefully used to check a single transaction for its existing assignment to a particular user.
Among other things, it determines which application server a user logs on to in order to distribute the workload (load balancing). The message server also enables the individual application servers to communicate with each other.
The "Shortcut for SAP Systems" tool is ideal for doing many tasks in the SAP basis more easily and quickly.
The scope of the check mode can be extended by self-defined check IDs.
Application layer: The application layer is the core of an R/3 SAP Basis system.