Configuration & Security Analysis - Content

Configuration & Security Analysis (CSA) collects a comprehensive set of technical configuration data from SAP solutions, both on-premise and cloud. The data is stored in containers called Config Stores. Each Config Store holds data of the same semantics.

This document provides a list of available Config Stores as well as information about specifics of Config Stores for SAP Cloud Solutions.

Config Stores of SAP Cloud Solutions

This section provides information about the structure and content of Config Stores that are available for SAP Business Technology Platform (SAP BTP) Services and other SAP Cloud Solutions.

The following SAP Cloud Products and Services are currently supported:

  • SAP Business Technology Platform
    • Credential Store
    • Destination Service (currently not available)
    • Identity Authentication
    • Mobile Service
    • Identity Provisioning

The list of supported services and products will be enhanced step by step starting Q4 2023.

Newly available services must be activated in the CSA Application Configuration by switching on the corresponding Managed Component. New Config Stores that are made available for already configured services require no customer action.

 

Config Store - Structure and Cloud Content

Config Stores for SAP Cloud Solutions typically contain security configurations that are already validated by SAP and delivered with a compliance status with regard to the Security Recommendations published in SAP Help Portal (e.g. SAP BTP Security Recommendations). Compliance is determined by the Cloud Service before the data is pushed to SAP Cloud ALM, and it is reflected in two columns that do not contain actual configuration data:

SECREC_INDEX = Index Id of the Security Recommendation as used in SAP Help Portal

SECREC_STATUS = COMPLIANT or NONCOMPLIANT (in rare cases: UNRATED).

Both columns can have empty values if no recommendation exists for a specific configuration. Records may not exactly correspond to a single actual configuration in the SAP Cloud Service.

Examples:

Example 1: Data Record corresponding to an actual configuration (1:1)

Example 2: Data Record containing a bundle of actual configurations and values (1:N)

Example 3: Data Record based on the analysis of multiple unspecified configurations that are relevant for an SAP Security Recommendation (1:N)

The following table shows available Config Stores for SAP Cloud Solutions:

| Service | Config Store Name | Config Store Description | Has SecRec | Hierarchy Level | Available since |
|---|---|---|---|---|---|
| Credential Store | CRS_CONFIG | Credential Configuration | true | Service | 2023-12 |
| Identity Authentication | IAS_CONFIG | Identity Authentication Configuration | true | Service | 2023-12 |
| Identity Authentication | IAS_LANDSCAPE_INFO | Landscape Information | false | Service | 2023-12 |
| Identity Authentication | IAS_BUNDLED_APP_CONFIG | Bundled Application Configuration | true | App | 2023-12 |
| Identity Authentication | IAS_CHARGED_APP_CONFIGURATION | Charged Application Configuration | true | App | 2023-12 |
| Identity Authentication | IAS_SYS_APP_CONFIG | System Application Configuration | true | App | 2023-12 |
| Identity Provisioning | IPS_CONFIG | Identity provisioning configuration | true | Service | 2024-07 |
| Identity Provisioning | IPS_LANDSCAPE_INFO | Landscape information | false | Service | 2024-07 |
| Identity Provisioning | IPS_PROXY_SYSTEM_CONFIG | Proxy Configuration | true | App | 2024-07 |
| Identity Provisioning | IPS_SOURCE_SYSTEM_CONFIG | Source Configuration | true | App | 2024-07 |
| Identity Provisioning | IPS_TARGET_SYSTEM_CONFIG | Target Configuration | true | App | 2024-07 |
| Destination Service | DEST_SUBACCOUNT_DESTINATIONS | Noncompliant Destinations | true | BTP Subaccount | 2024-01 |
| Destination Service | DEST_LANDSCAPE_INFO | Landscape information | false | Service | 2024-01 |
| Mobile Service | MOB_APPL_CONFIG | Application Configuration | true | App | 2024-01 |

Limitations

HotNews: Activation of Destination Service instances does not work and will be disabled until the issue with our CSA Integration is fixed (see below).

Other: The table below describes major limitations of services:

| Service | Limitation | Target Date |
|---|---|---|
| Destination Service | No data on destinations can be consumed due to an issue in integration design, that could not be detected during SAP internal testing. A re-implementation is in progress but will take several weeks. | Q3 |
| Destination Service | Store DEST_SUBACCOUNT_DESTINATIONS contains only records of noncompliant destinations | open |
| Destination Service | Some fields describing a destination are delivered empty | open |
| Destination Service | Only destinations (RFC, HTTP), that are maintained in subaccounts are delivered. | open |
| Destination Service | In the course of extending current content, incompatible changes may be required. | open |
| Identity Provisioning | Data provided in stores IPS_* are currently subject to further optimization and enhancement. Records of some configurations and Security Recommendations will change within indicated time frame. | 2024-08 |
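The following is an added example, not part of the SAP documentation: a triage of Config Store records by SECREC_STATUS that handles empty SECREC columns, UNRATED records, and the limitation that DEST_SUBACCOUNT_DESTINATIONS holds only noncompliant records, so no compliance ratio can be derived from it. The record layout (a list of dictionaries with a STORE field) and the SECREC_INDEX values are assumptions constructed for illustration; the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Per the Limitations table: this store delivers only noncompliant records.
NONCOMPLIANT_ONLY_STORES = {"DEST_SUBACCOUNT_DESTINATIONS"}
KNOWN_STATUSES = {"COMPLIANT", "NONCOMPLIANT", "UNRATED"}

# Constructed sample records; the STORE field and all index ids are placeholders.
RECORDS = [
    {"STORE": "IAS_CONFIG", "SECREC_INDEX": "EXAMPLE-001", "SECREC_STATUS": "COMPLIANT"},
    {"STORE": "IAS_CONFIG", "SECREC_INDEX": "EXAMPLE-002", "SECREC_STATUS": "NONCOMPLIANT"},
    {"STORE": "IAS_CONFIG", "SECREC_INDEX": "EXAMPLE-003", "SECREC_STATUS": "UNRATED"},
    {"STORE": "IAS_CONFIG", "SECREC_INDEX": "", "SECREC_STATUS": ""},
    {"STORE": "IAS_LANDSCAPE_INFO", "SECREC_INDEX": "", "SECREC_STATUS": ""},
    {"STORE": "DEST_SUBACCOUNT_DESTINATIONS", "SECREC_INDEX": "EXAMPLE-010",
     "SECREC_STATUS": "NONCOMPLIANT"},
]

def classify(record):
    """Map a record to a status, treating two empty columns as 'no recommendation'."""
    index = (record.get("SECREC_INDEX") or "").strip()
    status = (record.get("SECREC_STATUS") or "").strip().upper()
    if not index and not status:
        return "NO_RECOMMENDATION"
    # A half-filled pair or an unexpected value is flagged rather than guessed.
    return status if status in KNOWN_STATUSES else "UNKNOWN"

def summarise(records):
    """Count statuses per store; the ratio covers COMPLIANT/NONCOMPLIANT records only."""
    per_store = defaultdict(Counter)
    for rec in records:
        per_store[rec["STORE"]][classify(rec)] += 1
    summary = {}
    for store, counts in per_store.items():
        rated = counts["COMPLIANT"] + counts["NONCOMPLIANT"]
        if store in NONCOMPLIANT_ONLY_STORES or rated == 0:
            ratio = None  # not meaningful for this store
        else:
            ratio = counts["COMPLIANT"] / rated
        summary[store] = {"counts": dict(counts), "compliant_ratio": ratio}
    return summary

def follow_up(records):
    """Return sorted (store, SECREC_INDEX) pairs that need review."""
    review = {"NONCOMPLIANT", "UNRATED", "UNKNOWN"}
    return sorted({(r["STORE"], r["SECREC_INDEX"]) for r in records
                   if classify(r) in review})
```

Because a record can bundle several actual configurations (1:N), the counts are counts of records, not of individual settings in the cloud service.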

Config Stores of SAP On Premise Solutions

This section provides a list of Config Stores that are available for managed systems of type Application Server ABAP:

  • SAP Business Suite
  • SAP NetWeaver Application Server for ABAP (7.40 and higher)
  • SAP S/4HANA
  • SAP S/4HANA Cloud Private Edition

Process
 
  • ABAP Clients (T000)
  • ABAP Code Vulnerability Analyzer status
  • ABAP Database interface
  • ABAP Generic Whitelists Information
  • ABAP HTTP URL Location Exception Table (HTTPURLLOC)
  • ABAP Instances
  • ABAP Notes
  • ABAP Scenario-Based Checks Information
  • ABAP Secure Storage Encryption Key status
  • ABAP Start Authorization check (USOBAUTHINACTIVE)
  • ABAP UCON RFC Basic Scenario
  • ABAP UCON http white list Scenario
  • Audit log
  • Clients - Change log
  • Component change settings
  • Component change settings - Change log
  • Crypto library version
  • Customizing settings for authorization process
  • Global change setting
  • Global change setting - Change log
  • HTTP Whitelist
  • HTTP Whitelist (UCON Client dependent)
  • HTTP Whitelist (UCON)
  • Http services (SICF)
  • Installed software packages
  • Instance parameter
  • Locked transactions
  • Maintenance areas for tables
  • Namespace change settings
  • Namespace change settings - Change log
  • Path for backup and authorization
  • Permitted trusted systems
  • RFC destinations type '3'
  • RFC destinations type 'G'
  • RFC destinations type 'H'
  • RFC destinations type 'L'
  • RFC destinations type 'T'
  • SAINT/SPAM level
  • SAP Kernel
  • SAPUI5 library
  • SAPUI5 version
  • SMLT Languages
  • SNC Access Control List (ACL)
  • SOAManager Consumer Proxy Logical Ports
  • SOAManager Service Definitions
  • SSO2 - Access control list
  • Security policy
  • Set Values for the Session Manager / Profile Generator
  • Software component level
  • Standard users
  • Transport Tool
  • Transports
  • Usage of password hashing
  • User with SAP_ALL profile
  • Virus scan groups
  • Virus scan server