Store Customizing (ABAP)

Store Customizing can be used to activate pre-configured config stores and to apply custom-tailored filtering to them. The feature is currently available for all ABAP systems.

Store Customizing is a well-known feature from SAP Solution Manager Configuration Validation that has been rebuilt in SAP Focused Run. It addresses the need to collect user and authorization data for various aspects that play an important role in security and compliance validations. Because of the large amount of data that can be associated with roles and authorizations, we recommend limiting data collection to what is needed for the specific purpose. While this is likely already a requirement from a GDPR perspective, it is also recommended for optimal performance and for capacity, sizing and license considerations.

Scope

In this section you find a list of the customizing types that are available with Store Customizing (each item is listed with "Name" and "TECHNICAL NAME"). Each customizing type corresponds to its own extractor and config store. Data collection for the customizing types is independent of each other and may include partially redundant data.

Enter

Role names or role name patterns with * as wildcard

Roles that have ACTVT 08 or 09 assigned are collected.

Background: "Roles made for 3rd users must not contain ACTVT 08 or 09"

Enter Profiles  e.g. 

SAP_ALL
SAP_NEW
S_TCD_ALL

 

 

Collects users who have one or more specific authorization profiles assigned.

Enter

Role names or role name patterns with * as wildcard

 

Collects roles with authorizations for the object P_ABAP.

Enter

Role names or role name patterns with * as wildcard

 

This customizing selects roles matching <pattern*> that have a display authorization (ACTVT 03).
Optionally, it is possible to add another ACTVT, e.g. 16, and collect the roles starting with ZSAP:

Parameter     Value
ACTVT         03,16
ROLE0001      ZSAP*
 

Role names or role name patterns

 

of roles having

INFTY
Object        Fieldname     From
P_PERNR       INFTY         *
or
Y_ORIGIN      INFTY         *
or
PLOG          INFTY         *

 



 

Enter Check ID (character field length 30), Role Pattern and User Pattern

Collects the roles of a user pattern or all users of a role pattern.
It is also possible, and recommended, to get the number of users that fit a user pattern instead of the user IDs:

'User pattern':
A dedicated user or a user pattern can be used here.
For counting the number of users enter <COUNT *>

e.g. number of users starting with a C assigned to roles starting with ZSAP

Check ID          Role Pattern    User Pattern
ZSAP_ROLE_USER    ZSAP*           <COUNT C*>

 

 

Collects roles according to the authorizations defined in customizing.

The 'Combination ID' represents one authorization check and is used as the result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'. In most cases it is not required to use more than one 'Authorization ID'.

The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'.
Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group' all equal 'Objects' are treated as one and combined with the other 'Groups' of the 'Authorization ID'. In contrast, each record of an 'OR Group' is combined on its own with the other 'Groups' of the 'Authorization ID'.

 

The following example collects roles that have authorization for all RFC destinations and for transaction SM59. Because different Authorization IDs are used, the authorizations might be provided by different profiles.

Combination ID  Authorization ID  Group  Object     Field Name  From  To  AND/OR
ADMIN_RFC       SRFCADM           DEST   S_RFC_ADM  RFCDEST     #*        AND
ADMIN_RFC       SRFCADM           TYPE   S_RFC_ADM  RFCTYPE     #*        AND
ADMIN_RFC       STCODE            TCD    S_TCODE    TCD         SM59      AND


The technical names of the columns are 

COMB_ID AUTH_ID AUTH_GROUP OBJECT FIELD LOW HIGH SEARCHTYPE

Enter a short text as Parameter and role pattern as Value, e.g.
 

Parameter     Value
ROLE0001     ZSAP*

 

Collects roles that have an individual organization element (LOW field content $% of table AGR_1251)

Enter a short text as Parameter and role pattern as Value, e.g.

 

Parameter     Value
ROLE0001     ZSAP*

 

Collects roles and their VARBL that have a generic organization element (LOW field content of table AGR_1252)

Enter a short text as Parameter and role pattern as Value, e.g.

Parameter     Value

ROLE0001     ZSAP*

Collects roles with names starting with ZSAP

 

Enter a short text as Parameter and role pattern as Value, e.g.

Parameter     Value
ROLE0001     ZSAP*

 

Collects roles with names according to the customizing that provide authorization to display the content of tables, checking
S_TABU_DIS

      DICBERCLS                      PC, PS, PCDS
      ACTVT                               *
 

Enter a short text as Parameter and role pattern as Value, e.g.

Parameter          Value

ROLE000001     ZSAP*

 

Collects roles with names according to the customizing that provide authorization to display the content of tables, checking
S_TCODE

      TCD                                   SE*

Optional: Add transactions like SE03 or SE80 to the customizing

LOW0000001      SE80
LOW0000002      SE03

This makes the collector collect roles having S_TCODE TCD SE80 or SE03.


 

Enter the name of a table or pattern as Table Name e.g.

Table Name
USR*

 

Delivers the assigned authorization classes (CCLASS of table TDDAT) of customizing table patterns, e.g. of the tables starting with USR

 

 

Enter the name of a transaction as Transaction Code e.g.
Transaction Code
PFCG

 

Delivers the users having authorization for the transaction defined in customizing,
e.g. users having authorization for PFCG
(S_TCODE  TCD = PFCG)

Collects users according to the authorizations defined in customizing.

The 'Combination ID' represents one authorization check and is used as the result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'. In most cases it is not required to use more than one 'Authorization ID'.

The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'.
Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group' all equal 'Objects' are treated as one and combined with the other 'Groups' of the 'Authorization ID'. In contrast, each record of an 'OR Group' is combined on its own with the other 'Groups' of the 'Authorization ID'.

The following example collects users that have authorization for all RFC destinations and for transaction SM59. Because different Authorization IDs are used, the authorizations might be provided by different profiles.

Combination ID  Authorization ID  Group  Object     Field Name  From  To  AND/OR
ADMIN_RFC       SRFCADM           DEST   S_RFC_ADM  RFCDEST     #*        AND
ADMIN_RFC       SRFCADM           TYPE   S_RFC_ADM  RFCTYPE     #*        AND
ADMIN_RFC       STCODE            TCD    S_TCODE    TCD         SM59      AND


The technical names of the columns are:

COMB_ID AUTH_ID AUTH_GROUP OBJECT FIELD LOW HIGH SEARCHTYPE
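
The AND/OR evaluation described above for roles and for users, modeled on the ADMIN_RFC rows as an added example (not SAP code and not the extractor's implementation). The role names, profile names and authorization values are constructed; that an Authorization ID must be satisfied within a single profile and that '#*' stands for the literal value * are assumptions.

```python
from collections import defaultdict

# Rows of the page's example: (COMB_ID, AUTH_ID, AUTH_GROUP, OBJECT, FIELD, LOW, HIGH, SEARCHTYPE)
ROWS = [
    ("ADMIN_RFC", "SRFCADM", "DEST", "S_RFC_ADM", "RFCDEST", "#*", "", "AND"),
    ("ADMIN_RFC", "SRFCADM", "TYPE", "S_RFC_ADM", "RFCTYPE", "#*", "", "AND"),
    ("ADMIN_RFC", "STCODE", "TCD", "S_TCODE", "TCD", "SM59", "", "AND"),
]
# Constructed sample data: role -> profile -> list of (object, {field: [values]})
ROLES = {
    "ZSAP_RFC_ADMIN": {
        "T-RFC001": [("S_RFC_ADM", {"RFCDEST": ["*"], "RFCTYPE": ["*"]})],
        "T-RFC002": [("S_TCODE", {"TCD": ["SM59"]})],
    },
    "ZSAP_RFC_SPLIT": {  # '*' exists for both fields, but never in one authorization
        "T-SPL001": [("S_RFC_ADM", {"RFCDEST": ["*"], "RFCTYPE": ["3"]})],
        "T-SPL002": [("S_RFC_ADM", {"RFCDEST": ["ERP*"], "RFCTYPE": ["*"]}),
                     ("S_TCODE", {"TCD": ["SM*"]})],
    },
}

def covers(stored, low):  # does a stored authorization value grant the LOW value?
    if low.startswith("#"):  # assumption: '#' escapes, so '#*' means the literal '*'
        return stored == low[1:]
    return stored in ("*", low) or (stored.endswith("*") and low.startswith(stored[:-1]))

def record_ok(auth, row):  # auth is (object, fields); row is one customizing record
    return auth[0] == row[3] and any(covers(v, row[5]) for v in auth[1].get(row[4], []))

def auth_id_ok(profile, rows):
    """All groups of one Authorization ID must hold within the same profile (assumption)."""
    and_groups, or_groups = defaultdict(list), defaultdict(list)
    for r in rows:
        (and_groups[(r[2], r[3])] if r[7] == "AND" else or_groups[r[2]]).append(r)
    # AND group: equal objects are treated as one, so one authorization must meet all records
    ands = all(any(all(record_ok(a, r) for r in rs) for a in profile)
               for rs in and_groups.values())
    # OR group: each record counts on its own, one matching record is enough
    ors = all(any(record_ok(a, r) for r in rs for a in profile) for rs in or_groups.values())
    return ands and ors

def evaluate(roles, rows):
    """Return {COMB_ID: sorted roles for which every Authorization ID is satisfied}."""
    combos = defaultdict(lambda: defaultdict(list))
    for r in rows:
        combos[r[0]][r[1]].append(r)
    return {comb: sorted(role for role, profiles in roles.items()
                         if all(any(auth_id_ok(p, rs) for p in profiles.values())
                                for rs in auth_ids.values()))
            for comb, auth_ids in combos.items()}
```

Only ZSAP_RFC_ADMIN is reported for ADMIN_RFC: its two Authorization IDs are met by two different profiles, while ZSAP_RFC_SPLIT never holds * for RFCDEST and RFCTYPE together.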

Enter Check ID (character field length 30), User Pattern and User Type, e.g.

Check ID         User Name                 User Type

BASISUSER    *BC*                             DIALOG

 

Collects users by the pattern and user type specified in the customizing.

 

Setup

To set up an extractor with Store Customizing, the following steps need to be performed:

1. Run Administration and then Template Configuration
   Get a list of defined templates.

2. Perform Store Customizing
   Create a customizing and define the patterns for the collected data in the Template Configuration of CSA Template Management.
   The ID (Custumizing_ID) is needed to define a store template.

3. In Template Management, create a Store Collector Item (SCI)
   Press + (Add) to create a new item.
   Confirm to use the wizard. Select the Template Type and enter the Required Parameters including the Custumizing_ID. Confirm.
   A Collector Item (i.e. an XML definition) is added in CSA Template Management.

4. Configure Extractor Items
   The CSA collector frame configures new collector items automatically within 1 hour.
   The configurations can also be started manually in CSA Administration with the 'Setup' button or by re-performing the Managed System Setup.

5. Validate Extractor Setup
   Check the collector status in CSA Administration for errors and warnings.

Prerequisites

  • Available since FRUN 3.00
  • Available since ST-A/PI release 01T SP01 in the managed system
  • The user in the ABAP managed system requires additional authorization, which has to be assigned:
    Either
      AUTHORITY OBJECT 'S_TABU_DIS' ACTVT=03   DICBERCLS=SC
    or
      AUTHORITY OBJECT 'S_TABU_NAM' ACTVT=03   TABLE=USR02
  • The administration user performing the setup may use the role SAP_FRN_AAD_CSA_ALL