Security Impact Analysis

The Security Impact Analysis workflow performs an impact analysis for security-related changes in transports. Security-related changes include changes to roles (identified as object type ACGR), and changes to ABAP objects that contain AUTHORITY-CHECK statements. Transportable tasks are obtained from the E070 table on the analysis system; these provide the set of changing objects to be used by the analysis.

The workflow generates an Excel report which is emailed to the specified recipients. The report includes:

  • Analyzed transports with security or ABAP-related changes.

  • Role details.

  • Impacted objects.

  • Impacted roles.

  • User details.

The workflow should be scheduled to run periodically. During each run, an Impact Analysis is performed for the transportable tasks from the analysis system that have not yet been processed.

By default, the Security Impact Analysis workflow reports the following object types as impacted.

Object Type   Description
CLAS          Class
FUNC          Function
IDOC          IDoc
PROG          Program
SSFO          Smart Form
TCOD          Transaction
WAPA          BSP Application

However, a user with Administrator privileges may customize these defaults as follows.

  1. Select the Administration > Configuration > Impact Analysis folder in the LiveCompare hierarchy.

  2. In the TypesToFind section, deselect the object types to be excluded from the used, impacted and most-at-risk results. Note that if no items are selected, all the above object types will be used as the default.

  3. Click ‘Save’ to save your changes.

These changes affect all subsequent runs of the Security Impact Analysis workflow, but they do not affect any existing workflow results.

Prerequisites

The workflow requires access to RFC Destinations for an Analysis system to which developer changes will be submitted, and a Performance History System from which performance history data will be retrieved.

The Create Object Links Cache workflow from the Prerequisites templates folder should be run to create an Object Links Cache database for the Analysis system.

You should make sure that performance history data is available on the RFC Destination selected for the Performance History System. Select the RFC Destination in the LiveCompare hierarchy and click the PHD tab. Select the source for performance history data, and if necessary, the number of months of data to retrieve, then click ‘Update Data’. The performance history data may also be retrieved using a schedule. See the Retrieving Performance History Data help topic for details.

The ChangingObjectsToIgnore External Data Source removes tables whose names begin with ENH or AGR from the set of changing objects. If required, these External Data Sources may be edited in the LiveCompare Studio using the ‘Replace Data File’ option.

LiveCompare should be configured to send emails. See the Integrating LiveCompare with your Email System section of the LiveCompare Installation and Configuration Guide for details.

The workflow populates the InfoSec chart in the LiveCompare Dashboard.

Preparing the Workflow

The Security Impact Analysis workflow should be run in a separate workspace for each system to be analyzed. To prepare the Security Impact Analysis workflow, carry out the following steps.

  1. Create a new workspace whose name reflects the system to be analyzed, for example SIA - <Analysis System>.

  2. Select the Templates > Impact Analysis > Security Impact Analysis template in the LiveCompare hierarchy and choose ‘Copy to Workspace’ from the context menu.

  3. Select SIA - <Analysis System> as the target workspace, and click Copy. A number of dependent templates will also be copied.

  4. Copy the Templates > Impact Analysis > Initialize Task Store workflow to the SIA - <Analysis System> workspace.

  5. If required, configure the Initialize Task Store workflow to set the date from which to retrieve developer tasks. See the template’s help file for details.

  6. Run the Initialize Task Store workflow in the SIA - <Analysis System> workspace.

Select the Security Impact Analysis workflow in the SIA - <Analysis System> workspace, and configure the workflow as follows.

  1. Set the Analysis System RFC Destination parameter to the RFC Destination for your Analysis system.

  2. Set the Performance History System RFC Destination to the RFC Destination for the system from which performance history data has been obtained.

  3. Set the Comparison System RFC Destination to the RFC Destination for the system on which to compare the most-at-risk executables.

  4. Set the Email To String List parameter to a list of email recipients for the Security Impact Analysis report. Each email address should be stored as a separate string entry.

  5. Set the From String parameter to the EmailFromAddress value stored in LiveCompare’s Configuration - Email screen. You may need to check this setting with a LiveCompare Administrator.

Scheduling Workflows

The Security Impact Analysis workflows should be run using a schedule. The following workflows will need to be scheduled. To schedule a workflow, select it in the LiveCompare hierarchy and choose ‘Schedule Run’ from the context menu.

Create Object Links Cache

This workflow should be copied from the Prerequisites templates folder to each of your SIA - <Analysis System> workspaces. It should be configured to create an Object Links Cache database for the analysis system and then scheduled to run once each week. If possible, the workflow should be scheduled to run when no developer tasks are being performed on the analysis system (for example, outside office hours).

Security Impact Analysis

This workflow performs an impact analysis for the most recent set of transportable tasks submitted on the Analysis system, and sends report links to the specified email recipients. It should be scheduled to run as required on a daily basis, for example several times each day, depending on how frequently you wish to review the impact analysis reports.

Workflow Results

The Security Impact Analysis workflow generates an Excel report which includes the following spreadsheets.

Home

This spreadsheet lists each analyzed transport with a security or ABAP change (in the TASK column), and the related security object (in the CHILD_NAME and CHILD_TYPE columns). The CHANGE_TYPE column is set to ABAP for AUTHORITY-CHECK related changes, or to Security for security-related changes. The ROLE_DETAILS column lists the number of impacted roles. Click a hyperlink in this column to display the role details in the Role Details spreadsheet.
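The following script is an added illustration, not LiveCompare code, of the classification rules this help topic describes: a changing object of type ACGR is reported with CHANGE_TYPE Security, an ABAP object whose source contains an AUTHORITY-CHECK statement is reported with CHANGE_TYPE ABAP, tables whose names begin with ENH or AGR are dropped as the ChangingObjectsToIgnore data source does, and the TypesToFind rule (an empty selection means all default object types) is applied to impacted objects. The task entries and ABAP source snippets are constructed sample data; the record layout, the assumption that the ignore rule applies to object type TABL, and the comment-stripping step (so that an AUTHORITY-CHECK mentioned only in a comment is not counted) are the example's own choices.

```python
"""Classification rules behind the CHANGE_TYPE column, as an added example.
Not LiveCompare's implementation; record layout and helpers are assumptions."""
import re

# Default TypesToFind object types from the help topic.
DEFAULT_TYPES_TO_FIND = {"CLAS", "FUNC", "IDOC", "PROG", "SSFO", "TCOD", "WAPA"}

# Name prefixes removed by ChangingObjectsToIgnore (assumed to apply to TABL).
IGNORED_TABLE_PREFIXES = ("ENH", "AGR")

# ABAP is case-insensitive; match the statement keyword as a whole word.
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\b", re.IGNORECASE)


def strip_abap_comments(source: str) -> str:
    """Remove full-line comments ('*' in column 1) and inline comments ('"' to end of line).
    Does not handle a '"' inside a string literal; good enough for this illustration."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        kept.append(line.split('"', 1)[0])
    return "\n".join(kept)


def has_authority_check(source: str) -> bool:
    """True only if AUTHORITY-CHECK appears in executable code, not just in a comment."""
    return bool(AUTH_CHECK.search(strip_abap_comments(source)))


def is_ignored(obj_type: str, obj_name: str) -> bool:
    """ChangingObjectsToIgnore rule: tables named ENH* or AGR* are not changing objects."""
    return obj_type == "TABL" and obj_name.upper().startswith(IGNORED_TABLE_PREFIXES)


def classify(entry: dict, source_lookup: dict):
    """Return 'Security', 'ABAP' or None for one changing object."""
    obj_type, obj_name = entry["type"], entry["name"]
    if is_ignored(obj_type, obj_name):
        return None
    if obj_type == "ACGR":              # role change
        return "Security"
    src = source_lookup.get(obj_name)   # ABAP source, if the object has any
    if src is not None and has_authority_check(src):
        return "ABAP"
    return None


def build_home_rows(entries: list, source_lookup: dict) -> list:
    """Rows for the Home spreadsheet: only tasks with a security or ABAP change."""
    rows = []
    for e in entries:
        change_type = classify(e, source_lookup)
        if change_type:
            rows.append({"TASK": e["task"], "CHILD_TYPE": e["type"],
                         "CHILD_NAME": e["name"], "CHANGE_TYPE": change_type})
    return rows


def filter_types_to_find(impacted: list, selected=None) -> list:
    """TypesToFind rule: a deselected-to-empty list falls back to all defaults."""
    types = set(selected) if selected else DEFAULT_TYPES_TO_FIND
    return [o for o in impacted if o["type"] in types]


# Constructed sample input: one changing object per transportable task.
SAMPLE_TASKS = [
    {"task": "DEVK900001", "type": "ACGR", "name": "Z_SALES_ROLE"},
    {"task": "DEVK900002", "type": "PROG", "name": "ZREPORT1"},
    {"task": "DEVK900003", "type": "PROG", "name": "ZREPORT2"},
    {"task": "DEVK900004", "type": "TABL", "name": "ENH_ZDEMO"},
    {"task": "DEVK900005", "type": "FUNC", "name": "Z_NO_CHECK"},
]

# Constructed ABAP source snippets keyed by object name.
SAMPLE_SOURCE = {
    "ZREPORT1": "AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.\nWRITE 'ok'.",
    "ZREPORT2": "* AUTHORITY-CHECK was removed in this version\nWRITE 'no check'.",
    "Z_NO_CHECK": "DATA lv_x TYPE i. \" an AUTHORITY-CHECK is still missing here",
}

if __name__ == "__main__":
    for row in build_home_rows(SAMPLE_TASKS, SAMPLE_SOURCE):
        print(row)
```

Running the block prints two Home rows: the role change as Security and ZREPORT1 as ABAP. ZREPORT2 and Z_NO_CHECK mention AUTHORITY-CHECK only in comments and are not reported, and the ENH_ZDEMO table is dropped by the ignore rule before classification.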

Role Details

This spreadsheet lists the details for the roles listed in the Home spreadsheet’s CHILD_NAME column. The STATUS column is set to ‘Insert’ if the role exists on the Analysis system only, ‘Remove’ if the role exists on the Comparison system only, ‘Same’ if the role is the same on each system, or ‘Change’ if the role is different on each system.

Impacted Objects

This spreadsheet lists used impacted objects in the NAME and TYPE columns, and the objects that impact them in the CHILD_TYPE and CHILD_NAME columns.

For each used impacted object:

  • The USAGE column lists the impacted object’s usage count according to the available performance history data.

  • The IMPACTED_ROLES column lists the number of roles impacted by each impacted object. Click a hyperlink to display the object’s impacted roles in the Impacted Roles spreadsheet.

  • The USERS column lists the number of users for each impacted object. Click a hyperlink in this column to display the users in the USERS spreadsheet.

Impacted Roles

This spreadsheet lists details for the impacted roles, including each role’s name, and its associated impacted object. The results are filtered to only include roles assigned to active accounts.

Users

This spreadsheet lists usage details for the impacted objects, obtained from the available performance history data.

Help

This spreadsheet provides help for each of the spreadsheet reports.

Running Security Impact Analysis with the Smart Impact App

If the Security Impact Analysis workflow is scheduled to run at the same time as the Smart Impact App, there may be a delay while the Smart Impact App updates an object link cache database that is required by the Security Impact Analysis workflow.

To resolve this, a second RFC Destination that refers to the same SAP analysis system may be created in LiveCompare. The first RFC Destination may be used with the Security Impact Analysis workflow, and the second RFC Destination may be used with the Smart Impact App.