This section provides information about the structure of and content of Config Stores that are available for SAP Business Technology Platform (SAP BTP) Services and other SAP cloud solutions. The following SAP cloud products and services are currently supported:
SAP Business Technology Platform
SAP Datasphere
SAP HANA Cloud database
SAP SuccessFactors
The list of supported services and products will be enhanced step.
Services, that are newly made available, must be activated in the CSA Application Configuration by switching on the corresponding Managed Component. New Config Stores, that are made available for already configured services, require no customer action.
Config Store - Structure and Cloud Content
Config Stores for SAP Cloud Solutions typically contain security configurations that are already validated by SAP and delivered with a compliance status with regard to Security Recommendations that are published in SAP Help Portal (e.g. SAP BTP Security Recommendations(opens in new tab)). Compliance is determined by the Cloud Service before pushing the data to SAP Cloud ALM and reflected in 2 columns that do not contain actual configuration data:
SECREC_INDEX = Index Id of the Security Recommendation as used in SAP Help Portal
SECREC_STATUS = COMPLIANT or NONCOMPLIANT (in rare cases: UNRATED).
Both Columns can have empty values if no recommendation exists for a specific configuration. Records may not exactly correspond to a single actual configuration in the SAP Cloud Service.
Examples:
Example 1: Data Record corresponding to an actual configuration(1:1)
Example 2: Data Record containing a bundle of actual configurations and values (1:N)
Example 3: Data Record based on the analysis of multiple unspecified configurations that are relevant for a SAP Security Recommendation (1:N)
The following table shows available Config Stores for SAP Cloud Solutions:
| Service | Config Store Name | Config Store Description | Has SecRec | Hierarchy Level | Available since |
|---|---|---|---|---|---|
| Credential Store | CRS_CONFIG | Credential Configuration | true | Service | 2023-12 |
| Identity Authentication | IAS_CONFIG | Identity Authentication Configuration | true | Service | 2023-12 |
| Identity Authentication | IAS_LANDSCAPE_INFO | Landscape Information | false | Service | 2023-12 |
| Identity Authentication | IAS_BUNDLED_APP_CONFIG | Bundled Application Configuration | true | App | 2023-12 |
| Identity Authentication | IAS_CHARGED_APP_CONFIGURATION | Charged Application Configuration | true | App | 2023-12 |
| Identity Authentication | IAS_SYS_APP_CONFIG | System Application Configuration | true | App | 2023-12 |
| Identity Authentication | IAS_BUNDLED_APP_COND_AUTH_RULES | Bundled Application Configuration | false | App | 2025-02 |
| Identity Authentication | IAS_CHARGED_APP_COND_AUTH_RULES | Charged Application Configuration | false | App | 2025-02 |
| Identity Authentication | IAS_SYSTEM_APP_COND_AUTH_RULES | System Application Configuration | false | App | 2025-02 |
| Identity Authentication | IAS_BUNDLED_APP_RBA_RULES | Bundled Application Risk Based Authentication Rules | false | App | 2025-02 |
| Identity Authentication | IAS_CHARGED_APP_RBA_RULES | Charged Application Risk Based Authentication Rules | false | App | 2025-02 |
| Identity Authentication | IAS_SYSTEM_APP_RBA_RULES | System Application Risk Based Authentication Rules | false | App | 2025-02 |
| Identity Authentication | IAS_PASSWORD_POLICIES | Password Policy | false | Service | 2025-02 |
| Identity Authentication | IAS_CORPORATE_IDP_CONFIG_SECREC | Corporate IDP Config | false | App | 2025-04 |
| Identity Provisioning | IPS_CONFIG | Identity provisioning configuration | true | Service | 2024-07 |
| Identity Provisioning | IPS_LANDSCAPE_INFO | Landscape information | false | Service | 2024-07 |
| Identity Provisioning | IPS_PROXY_SYSTEM_CONFIG | Proxy Configuration | true | App | 2024-07 |
| Identity Provisioning | IPS_SOURCE_SYSTEM_CONFIG | Source Configuration | true | App | 2024-07 |
| Identity Provisioning | IPS_TARGET_SYSTEM_CONFIG | Target Configuration | true | App | 2024-07 |
| Mobile Service | MOB_APPL_CONFIG | Application Configuration | true | App | 2024-01 |
| Datasphere | DS_CONFIG_SECREC | Datasphere Configuration | true | Service | 2025-03 |
| Custom Domain Service | DOM_SERVER_CERTIFICATES_SECREC | Server Certificates | true | Service | 2025-04 |
| Custom Domain Service | DOM_TRUST_LIST_SECREC | Trusted Certificates | true | Service | 2025-04 |
| Custom Domain Service | DOM_TLS_CONFIG_SECREC | TLS Configurations | true | Service | 2025-04 |
| Cloud Logging Service | CLS_CONFIG_SECREC | Cloud Logging Configuration | true | Service | 2025-05 |
Limitations
HotNews: Activation of Destination Services Instances does not work and will be disabled until the issue with our CSA Integration is fixed (see below)
Other: The table below describes major limitations of services:
This section provides a list of Config Stores that are available for managed systems of type Application Server ABAP:
| Process | |
|---|---|
| ABAP Clients (T000) | Namespace change settings |
| ABAP Code Vulnerability Analyzer status | Namespace change settings - Change log |
| ABAP Database interface | Path for backup and authorization |
| ABAP Generic Whitelists Information | Permitted trusted systems |
| ABAP HTTP URL Location Exception Table (HTTPURLLOC) | RFC destinations type '3' |
| ABAP Instances | RFC destinations type 'G' |
| ABAP Notes | RFC destinations type 'H' |
| ABAP Scenario-Based Checks Information | RFC destinations type 'L' |
| ABAP Secure Storage Encryption Key status | RFC destinations type 'T' |
| ABAP Start Authorization check (USOBAUTHINACTIVE) | SAINT/SPAM level |
| ABAP UCON RFC Basic Scenario | SAP Kernel |
| ABAP UCON http white list Scenario | SAPUI5 library |
| Audit log | SAPUI5 version |
| Clients - Change log | SMLT Languages |
| Component change settings | SNC Access Control List (ACL) |
| Component change settings - Change log | SOAManager Consumer Proxy Logical Ports |
| Crypto library version | SOAManager Service Definitions |
| Customizing settings for authorization process | SSO2 - Access control list |
| Global change setting | Security policy |
| Global change setting - Change log | Set Values for the Session Manager / Profile Generator |
| HTTP Whitelist | Software component level |
| HTTP Whitelist (UCON Client dependent) | Standard users |
| HTTP Whitelist (UCON) | Transport Tool |
| Http services (SICF) | Transports |
| Installed software packages | Usage of password hashing |
| Instance parameter | User with SAP_ALL profile |
| Locked transactions | Virus scan groups |
| Maintenance areas for tables | Virus scan server |