Security Impact Analysis

The Security Impact Analysis workflow performs an impact analysis for security-related changes in transports. Security-related changes include changes to roles (identified as object type ACGR), and changes to ABAP objects that contain AUTHORITY-CHECK statements. Transportable tasks are obtained from the E070 table on the analysis system; these provide the set of changing objects to be used by the analysis. If an SAP Solution Manager System is provided, the workflow’s results include the ChaRM ID associated with each task.

If there are any objects with security changes to analyze, the workflow generates an Excel report which is emailed to the specified recipients. The report includes:

  • Analyzed transports with security or ABAP-related changes.

  • Role details.

  • Impacted objects.

  • Impacted roles.

  • User details.

The workflow should be scheduled to run periodically. During each run, an Impact Analysis is performed for the transportable tasks from the analysis system that have not yet been processed.

By default, the Security Impact Analysis workflow reports the following object types as impacted.

Object Type   Description
CLAS          Class
FUNC          Function
IDOC          IDoc
PROG          Program
SSFO          Smart Form
TCOD          Transaction
WAPA          BSP Application

However, a user with Administrator privileges may customize these defaults as follows.

  1. Select the Administration > Configuration > Impact Analysis folder in the LiveCompare hierarchy.

  2. In the TypesToFind section, deselect the object types to be excluded from the used, impacted and most-at-risk results. Note that if no items are selected, all the above object types will be used as the default.

  3. Click ‘Save’ to save your changes.

These changes affect all subsequent runs of the Security Impact Analysis workflow, but they do not affect any existing workflow results.

Parallel impact analysis

You may run the Security Impact Analysis workflow in parallel with other impact analysis apps and workflows. See here for details.

Prerequisites

The Security Impact Analysis workflow uses a Pipeline to identify the Analysis, Comparison, Usage and SAP Solution Manager systems to be used in the analysis. Before the Security Impact Analysis workflow is run, you must create a Pipeline that includes the appropriate systems. In the Pipeline:

  • The Analysis System field stores the RFC Destination for your Analysis system.

  • The Comparison System field stores the RFC Destination for the system on which to compare the most-at-risk executables.

  • The Usage System field stores the RFC Destination for the system from which performance history data has been obtained.

  • If required, the SAP Solution Manager System field stores the RFC Destination from which to retrieve the ChaRM IDs associated with each transportable task.

The Create Object Links Cache workflow from the Prerequisites templates folder should be run to create an object links cache database for the Analysis system.

You will need to make sure that performance history data is available on the Performance History System. Select the RFC Destination in the LiveCompare hierarchy, click the PHD tab and set a schedule for the retrieval of performance history data. You can also retrieve performance history data for an RFC Destination using the Collect Performance History Data action. See the Retrieve performance history data topic for details.

The workflow uses the following External Data Sources:

  • The ChangingObjectsToIgnore External Data Source removes tables whose names begin with ENH or AGR from the set of changing objects.

  • The TransportsToIgnore External Data Source contains regular expressions which are used to filter out transports containing custom objects.

If required, these External Data Sources may be edited in the LiveCompare Studio using the ‘Replace Data File’ option.

LiveCompare should be configured to send emails. See the Guided Configuration - Email help topic for details.

The workflow populates the InfoSec chart in the LiveCompare Dashboard.

Prepare the workflow

The Security Impact Analysis workflow should be run in a separate workspace for each system to be analyzed. To prepare the Security Impact Analysis workflow, carry out the following steps.

  1. Create a new workspace whose name reflects the system to be analyzed, for example SIA - <Analysis System>.

  2. Select the Templates > Impact Analysis > Security Impact Analysis template in the LiveCompare hierarchy and choose ‘Copy to Workspace’ from the context menu.

  3. Select SIA - <Analysis System> as the target workspace, and click Copy. A number of dependent templates will also be copied.

  4. Copy the Templates > Impact Analysis > Initialize Task Store workflow to the SIA - <Analysis System> workspace.

  5. If required, configure the Initialize Task Store workflow to set the date from which to retrieve developer tasks. See the template’s help file for details.

  6. Run the Initialize Task Store workflow in the SIA - <Analysis System> workspace.

Select the Security Impact Analysis workflow in the SIA - <Analysis System> workspace, and configure the workflow as follows.

  1. Set the Pipeline parameter to the Pipeline that includes your Analysis, Comparison, Usage and SAP Solution Manager systems.

  2. Set the Security Email String List parameter to a list of email recipients for the Security Impact Analysis report. Each email address should be stored as a separate string entry.

  3. Set the From String parameter to the EmailFromAddress value stored in the Configuration - Email screen. You may need to check this setting with a LiveCompare Administrator.

Schedule the workflow

The Security Impact Analysis workflows should be run using a schedule. The following workflows will need to be scheduled. To schedule a workflow, select it in the LiveCompare hierarchy and choose ‘Schedule Run’ from the context menu.

Create Object Links Cache

This workflow should be copied from the Prerequisites templates folder to each of your SIA - <Analysis System> workspaces. It should be configured to create an object links cache database for the analysis system and then scheduled to run once each week. If possible, the workflow should be scheduled to run when no developer tasks are being performed on the analysis system (for example, outside office hours).

Security Impact Analysis

This workflow performs an impact analysis for the most recent set of transportable tasks submitted on the Analysis system, and sends report links to the specified email recipients. It should be scheduled to run as required on a daily basis, for example several times each day, depending on how frequently you wish to review the impact analysis reports.

Workflow results

The Security Impact Analysis workflow generates an Excel report which includes the following spreadsheets.

Home

This spreadsheet lists each analyzed transport with a security or ABAP change (in the TASK column), and the related security object (in the CHILD_NAME and CHILD_TYPE columns). The CHANGE_TYPE column is set to ABAP for AUTHORITY-CHECK related changes, or to Security for security-related changes. The ROLE_DETAILS column lists the number of impacted roles. Click a hyperlink in this column to display the role details in the Role Details spreadsheet.

If an SAP Solution Manager System is provided in the Security Impact Analysis workflow, the CHANGE_ID column contains the ChaRM ID associated with each task.

Role Details

This spreadsheet lists the details for the roles listed in the Home spreadsheet’s CHILD_NAME column. The STATUS column is set to ‘Insert’ if the role exists on the Analysis system only, ‘Remove’ if the role exists on the Comparison system only, ‘Same’ if the role is the same on each system, or ‘Change’ if the role is different on each system.
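The following Python script is an added illustration, not LiveCompare code, of the two rules described on this page: how changing objects from transport tasks are classified as Security (role changes, object type ACGR) or ABAP (objects containing AUTHORITY-CHECK statements) after the ChangingObjectsToIgnore and TransportsToIgnore filters are applied, and how the Role Details STATUS values Insert, Remove, Same and Change follow from comparing a role on the Analysis and Comparison systems. The transport entries, ABAP source, role contents and the exact format of the External Data Sources are constructed assumptions; in particular, matching the TransportsToIgnore regular expressions against the task ID is an assumption, since the page does not state what they are matched against.

```python
import re

# Constructed sample input in the shape of E070/E071 transport entries
# (task, object type, object name). Made-up values, not real transport data.
TASK_OBJECTS = [
    ("DEVK900101", "ACGR", "Z_FIN_POSTING"),   # role change -> Security
    ("DEVK900101", "PROG", "ZFI_POST_DOC"),     # program with AUTHORITY-CHECK -> ABAP
    ("DEVK900102", "TABL", "ENH_ZCUSTOM"),      # dropped by ChangingObjectsToIgnore
    ("DEVK900102", "PROG", "ZREPORT_NOAUTH"),   # no AUTHORITY-CHECK -> not reported
    ("DEVK900103", "CLAS", "ZCL_HR_ACCESS"),    # class with AUTHORITY-CHECK -> ABAP
    ("DEVK900104", "PROG", "ZTMP_SANDBOX"),     # dropped by TransportsToIgnore
]

# Constructed ABAP source per object, standing in for what the workflow
# reads from the Analysis system.
SOURCE = {
    "ZFI_POST_DOC": (
        "REPORT zfi_post_doc.\n"
        "AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' ID 'BUKRS' FIELD p_bukrs ID 'ACTVT' FIELD '01'."
    ),
    "ZREPORT_NOAUTH": "REPORT zreport_noauth.\nWRITE 'no authority check here'.",
    "ZCL_HR_ACCESS": (
        "CLASS zcl_hr_access IMPLEMENTATION.\n"
        "  METHOD check.\n"
        "    AUTHORITY-CHECK OBJECT 'P_ORGIN' ID 'ACTVT' FIELD '03'.\n"
        "  ENDMETHOD.\n"
        "ENDCLASS."
    ),
    "ZTMP_SANDBOX": "REPORT ztmp_sandbox.\nAUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.",
}

# Stand-ins for the two External Data Sources. ChangingObjectsToIgnore drops tables
# whose names begin with ENH or AGR; TransportsToIgnore holds regular expressions.
# Matching those regexes against the task ID is an assumption of this example.
CHANGING_OBJECTS_TO_IGNORE = re.compile(r"^(ENH|AGR)")
TRANSPORTS_TO_IGNORE = [re.compile(r"^DEVK900104$")]

# AUTHORITY-CHECK is a statement, so it is expected at the start of a line
# (after indentation); ABAP keywords are case-insensitive.
AUTH_CHECK = re.compile(r"^\s*AUTHORITY-CHECK\b", re.IGNORECASE | re.MULTILINE)


def classify(task, obj_type, name):
    """Return 'Security', 'ABAP' or None for one changing object."""
    if any(p.search(task) for p in TRANSPORTS_TO_IGNORE):
        return None
    if obj_type == "TABL" and CHANGING_OBJECTS_TO_IGNORE.match(name):
        return None
    if obj_type == "ACGR":
        return "Security"
    if obj_type in {"PROG", "CLAS", "FUNC"} and AUTH_CHECK.search(SOURCE.get(name, "")):
        return "ABAP"
    return None


def home_rows(task_objects):
    """Rows for the Home sheet: TASK, CHILD_TYPE, CHILD_NAME, CHANGE_TYPE."""
    rows = []
    for task, obj_type, name in task_objects:
        change_type = classify(task, obj_type, name)
        if change_type is not None:
            rows.append({"TASK": task, "CHILD_TYPE": obj_type,
                         "CHILD_NAME": name, "CHANGE_TYPE": change_type})
    return rows


def role_status(analysis_roles, comparison_roles):
    """STATUS per role as in the Role Details sheet.

    Both arguments map role name -> a hashable summary of the role's content
    (here a frozenset of 'object/activity' strings, a constructed stand-in).
    """
    status = {}
    for role in sorted(set(analysis_roles) | set(comparison_roles)):
        if role not in comparison_roles:
            status[role] = "Insert"      # on the Analysis system only
        elif role not in analysis_roles:
            status[role] = "Remove"      # on the Comparison system only
        elif analysis_roles[role] == comparison_roles[role]:
            status[role] = "Same"
        else:
            status[role] = "Change"
    return status


# Constructed role contents on the two systems.
ANALYSIS_ROLES = {
    "Z_FIN_POSTING": frozenset({"F_BKPF_BUK/01", "F_BKPF_BUK/03"}),
    "Z_HR_VIEW": frozenset({"P_ORGIN/03"}),
    "Z_NEW_ROLE": frozenset({"S_TCODE/SE38"}),
}
COMPARISON_ROLES = {
    "Z_FIN_POSTING": frozenset({"F_BKPF_BUK/03"}),
    "Z_HR_VIEW": frozenset({"P_ORGIN/03"}),
    "Z_OLD_ROLE": frozenset({"S_TCODE/SE16"}),
}

if __name__ == "__main__":
    for row in home_rows(TASK_OBJECTS):
        print(row)
    print(role_status(ANALYSIS_ROLES, COMPARISON_ROLES))
```

Run as a script, it prints three Home rows (the ACGR role and the two AUTHORITY-CHECK objects) and one STATUS per role; the ENH table, the program without an AUTHORITY-CHECK and the transport matched by the ignore regex produce no rows, which is the behaviour to expect from the filters described under Prerequisites.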

Impacted Objects

This spreadsheet lists used impacted objects in the NAME and TYPE columns, and the objects that impact them in the CHILD_TYPE and CHILD_NAME columns.

For each used impacted object:

  • The USAGE column lists the impacted object’s usage count according to the available performance history data.

  • The IMPACTED_ROLES column lists the number of roles impacted by each impacted object. Click a hyperlink to display the object’s impacted roles in the Impacted Roles spreadsheet.

  • The USERS column lists the number of users for each impacted object. Click a hyperlink in this column to display the users in the Users spreadsheet.

Impacted Roles

This spreadsheet lists details for the impacted roles, including each role’s name, and its associated impacted object. The results are filtered to only include roles assigned to active accounts.

Users

This spreadsheet lists usage details for the impacted objects, obtained from the available performance history data.

Help

This spreadsheet provides help for each of the spreadsheet reports.

Run Security Impact Analysis with the Smart Impact app

If the Security Impact Analysis workflow is scheduled to run at the same time as the Smart Impact app, there may be a delay while the Smart Impact app updates an object link cache database that is required by the Security Impact Analysis workflow.

To resolve this, a second RFC Destination that refers to the same SAP analysis system may be created in LiveCompare. The first RFC Destination may be used with the Security Impact Analysis workflow, and the second RFC Destination may be used with the Smart Impact app.

LiveCompare Dashboard