Showing posts with label security. Show all posts

Tuesday, June 7, 2022

0INFOPROV vs 0TCAIPROV

I recently faced an authorization issue after a new BW/BEx report was created: end users could not access it. When I traced the query execution in t-code RSECADMIN, I got the following error message:

Authorization missing for aggregation (":"): Char: 0INFOPROV – empty



From the trace itself the cause looked obvious: the analysis authorization used in the end user's role lacked the characteristic 0INFOPROV, in particular the aggregation authorization (the colon value) for it. I followed up by checking the corresponding analysis authorization.

By definition (see e.g. the documentation linked below) every analysis authorization needs to contain the following three characteristics:

0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity)

 

So there is no mention of 0INFOPROV, the characteristic that popped up in the RSECADMIN trace, and my analysis authorization seemed to be set up correctly. Nevertheless, why was the trace complaining about 0INFOPROV? What is the relation between 0INFOPROV and 0TCAIPROV? 0TCAIPROV is a reference characteristic that refers to 0INFOPROV. However, that alone should not matter...

It turned out that 0INFOPROV itself was flagged as Authorization Relevant (in table RSDCHA the field AUTHRELFL is set to X). As the picture shows, 0INFOPROV is delivered by Business Content as not Authorization Relevant (tables in both systems), but in the SAP BW system in question (table at the bottom of the picture) the active version of the characteristic had been set to Authorization Relevant. That setting made the security trace demand 0INFOPROV in the analysis authorization. Once I added 0INFOPROV (with the colon value for aggregation) to the affected analysis authorization, the business user was able to access the report. The lesson: any characteristic whose active version is flagged authorization relevant must be covered by the user's analysis authorizations, whether or not it is one of the three mandatory 0TCA* characteristics.
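The following report is an added example, not code from the original post. It performs the check described above for one analysis authorization: it lists every characteristic whose active version is flagged authorization relevant in RSDCHA (field AUTHRELFL, as mentioned above) but which has no value line in the authorization, and also flags characteristics that are present but lack the colon value for aggregation. Table RSECVAL with the fields AUTH, IOBJNM and LOW is assumed to be the flat-value store of analysis authorizations; verify the field names in SE11 before using it.

```abap
REPORT zbw_authrel_check.
" Added example (not from the original post). Assumptions: RSDCHA-CHANM /
" RSDCHA-OBJVERS / RSDCHA-AUTHRELFL describe the characteristic, RSECVAL
" (AUTH, IOBJNM, LOW) holds the flat values of an analysis authorization.
" Hierarchy authorizations are stored elsewhere and are not checked here.

PARAMETERS p_auth TYPE c LENGTH 12 OBLIGATORY.   " analysis authorization name

TYPES: ty_iobj  TYPE rsdcha-chanm,
       ty_iobjs TYPE SORTED TABLE OF ty_iobj WITH UNIQUE KEY table_line.

DATA: lt_relevant TYPE ty_iobjs,
      lt_granted  TYPE ty_iobjs,
      lv_iobj     TYPE ty_iobj,
      lv_colon    TYPE i.

" 1. Every characteristic flagged authorization relevant in its ACTIVE version.
"    This is the flag RSECADMIN's trace evaluates; a Business Content (D)
"    version that is not relevant does not matter at runtime.
SELECT DISTINCT chanm FROM rsdcha
  INTO TABLE @lt_relevant
  WHERE objvers   = 'A'
    AND authrelfl = 'X'.

" 2. Characteristics that have at least one value line in the authorization.
SELECT DISTINCT iobjnm FROM rsecval
  INTO TABLE @lt_granted
  WHERE auth = @p_auth.

" 3. Report gaps. A line for 0INFOPROV here is exactly the situation above.
LOOP AT lt_relevant INTO lv_iobj.
  IF NOT line_exists( lt_granted[ table_line = lv_iobj ] ).
    WRITE: / lv_iobj, 'is authorization relevant but missing from', p_auth.
  ELSE.
    " Present, but can the user see aggregated values? Either the colon
    " or the full authorization '*' is needed for that.
    SELECT COUNT(*) FROM rsecval INTO @lv_colon
      WHERE auth   = @p_auth
        AND iobjnm = @lv_iobj
        AND ( low = ':' OR low = '*' ).
    IF lv_colon = 0.
      WRITE: / lv_iobj, 'is in', p_auth, 'but without ":" for aggregation'.
    ENDIF.
  ENDIF.
ENDLOOP.
```

Run it for each analysis authorization assigned to the user (via RSU01 or the role). The report deliberately does not decide whether a characteristic should be authorization relevant; if 0INFOPROV shows up although nobody intended to restrict by InfoProvider, the better fix is to clear the flag in the active version rather than to add the characteristic to every authorization.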


More information:

Defining Analysis Authorizations

820183 - New authorization concept in BI

1956404 - Characteristics 0TCAIPROV, 0TCAACTVT, 0TCAVALID are no longer Authorization Relevant after Upgrade to BW7.3 or higher



Wednesday, March 9, 2022

SAP Security Audit Log

Security of computer systems (cybersecurity, or IT security) is a very important part of today's world, and ERP systems are not excluded from it; here the term enterprise information security is used. Systems are becoming so complex that the complexity brings vulnerabilities and bugs that can be misused by an attacker.

In SAP NetWeaver ABAP stack / ABAP Platform based systems there are a few tools that support analyzing security aspects. One of them is the SAP Security Audit Log (SecAudit for short). It comprises a few t-codes: SM18, SM19 and SM20. Its purpose is to record security-related system events, such as configuration changes; unsuccessful logon attempts (dialog, background, RFC); changes to user master records; RFC calls to function modules; successful/unsuccessful transaction starts; changes to the audit configuration; file uploads/downloads; activation/deactivation of HTTP services; changes to ICF (Internet Communication Framework) services; usage of digital certificates/signatures; unsuccessful password checks; activities in the Virus Scan Interface (VSI); etc. Which events are logged is defined in the Audit Log's configuration (filters per client, user and event class). The recorded events are useful for monitoring changes to the SAP system or for reconstructing a series of events. Keep in mind that the log is only as complete as its filters: it is switched off by default (rsau/enable = 0), and a filter that leaves out, say, the RFC or transaction-start event classes simply never records those events.

SM19 - Configuration of the Security Audit Log: static/dynamic configuration and kernel parameters, used to create profiles for the Security Audit Log. The filters in a profile determine which events are recorded for which users and clients. As of SAP NetWeaver 7.50 the configuration is maintained in t-code RSAU_CONFIG instead (see the FAQ note below).

SM20 / SM20N - Analysis (evaluation) of the Security Audit Log; as of 7.50 also RSAU_READ_LOG.

SM18 - Reorganization of the Security Audit Log: deletion of old audit log files.
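As an added illustration (not from the original post), here is a minimal profile parameter fragment for the audit log on SM19-based releases, showing the default, where nothing is recorded, next to a setting that switches the log on. The parameter names are the standard rsau/* kernel parameters; the values and the file path are assumptions to be adapted to the system's disk capacity and filter needs.

```text
# Default: the Security Audit Log is switched off, nothing is recorded,
# no matter what filters are defined in SM19
rsau/enable = 0

# Switched on: the log is written per day to the instance log directory,
# with room for up to 10 filters and filters for individual users
rsau/enable              = 1
rsau/local/file          = $(DIR_INSTANCE)/log/audit_++++++++
rsau/max_diskspace/local = 1000M
rsau/selection_slots     = 10
rsau/user_selection      = 1
```

Changing these parameters needs an instance restart; the filters themselves (which events, which clients and users) are then defined in SM19 and activated without restart. A quick self-check after activation: log on once with a wrong password and look for the failed-logon event in SM20 for your user.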

 

More information:

Online docu

Support site component: BC-SEC-SAL

539404 - FAQ: Answers to questions about the Security Audit Log

2191612 - FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50

2546993 - Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

Wednesday, December 15, 2021

Security vulnerability Apache Log4j

On Dec 10th, 2021, information about a security vulnerability in Apache Log4j surfaced on the internet. Apache Log4j is an open-source logging library written in Java and used in many Java-based software packages. In brief: an attacker who can control log messages or log message parameters can execute arbitrary code when message lookup substitution is enabled (which it is by default in the affected versions). The issue affects the Log4j 2.x line (2.0-beta9 up to and including 2.14.1) and was fixed in Log4j 2.15.0. The vulnerability received the CVE (Common Vulnerabilities and Exposures) identifier CVE-2021-44228 and a CVSS score of 10, the most critical rating.

SAP, like many other software vendors around the world, is following up on this issue. The assessment of whether and how Log4j is used within each product is ongoing. Where a product is affected, the vendor releases a patch. At the time of writing SAP has published a statement listing which software is affected, not affected, or not yet known. Specific SAP Notes are listed in the statement so customers can follow up and implement the patches.

From the SAP Analytics perspective there are SAP solutions that use the Log4j library. Therefore SAP customers should closely monitor this topic (see the links below) and patch any software identified as impacted.

 

More information:

SAP’s Response to CVE-2021-44228 Apache Log4j 2

Search the SAP Community for log4j

3129956 - CVE-2021-44228 - BusinessObjects impact for Log4j vulnerability

3130994 - CVE-2021-44228 - SAP Predictive Analytics impact for Log4j vulnerability

Knowledge Base Search - SAP ONE Support Launchpad

CISA

Thursday, January 30, 2020

Authorization relevant t-codes in SAP BW

Here’s a brief overview of BW authorization / security relevant t-codes.

Transaction Code   Short text
RSECADMIN          Manage Analysis Authorizations
RSECAUTH           Maintenance of Analysis Auth.
RSECAUTH02         Mass Maintenance - Analysis Auths
RSECENVI           Assignment Environment Authorization
RSECPROT           Maintenance of Analysis Auth.
RSECSY             Mass Maintenance - Analysis Auths
RSU01              User Maint. BI Analysis Auth.
RSUDO              Execution as Other User
RSUDU              Execution as Other User

More information:
2182164 - RSECADMIN Overview [VIDEO]
1234567 - The authorization log RSECADMIN
2552884 - HowTo: Bex query authorization analysis - decision tree
177875 - Authorizations for investigation of OLAP problems
2044628 - How to record and save an OLAP authorization trace using transaction RSECADMIN

Wednesday, January 29, 2020

Few remarks on usage of RSUDO / RSECADMIN t-codes

The suite of t-codes RSECADMIN (the central t-code for analysis authorization management) and RSUDO (Execution as Other User) is very important when analyzing issues with production queries. A key feature of RSUDO (by the way, a smart name for the t-code, similar to sudo on OS level: execute something on behalf of another user) is that it simply executes a BW report on behalf of another user.

Normally we would expect that when user A executes a particular query on behalf of user B, the query result is the same as when user B executes the same query directly.

However, such an assumption can be wrong, especially where a customer exit variable is used in the query definition or in the user's authorization definition and the system variable sy-uname is used in the customer exit coding.

The reason is that the value of sy-uname cannot be switched when one user executes a query on behalf of another: the system cannot change sy-uname. Thus sy-uname holds the value A for user A even while the query runs with user B's authorizations, whereas it holds B when user B runs the query directly.

One way to avoid this is to not use sy-uname in the customer exit coding, at least where the variable is used in the query definition or in the user's authorization definition. By calling the function module RSEC_GET_USERNAME in the coding, the proper user name (the one whose analysis authorizations are being evaluated) can be retrieved.

See also the help pop-up in t-code RSUDO available under the button “How does this work”.
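As an added example (not code from the original post or from the SAP Note), here is how that advice looks in the classic customer exit include ZXRSRU01 (EXIT_SAPLRRS0_001) for a hypothetical exit variable ZV_OWNER that is used in an analysis authorization. I_VNAM, I_STEP and E_T_RANGE are the standard interface parameters of that exit; the importing parameter name E_USERNAME of RSEC_GET_USERNAME is an assumption, check it in SE37.

```abap
" Customer exit include ZXRSRU01 (EXIT_SAPLRRS0_001); I_VNAM, I_STEP and
" E_T_RANGE are the exit's standard interface parameters.
" Added example, not from the original post. ZV_OWNER is a hypothetical
" exit variable used in an analysis authorization; the parameter name
" E_USERNAME of RSEC_GET_USERNAME is an assumption (verify in SE37).

DATA: lv_user  TYPE sy-uname,
      ls_range TYPE rsr_s_rangesid.

CASE i_vnam.
  WHEN 'ZV_OWNER'.
    " Authorization variables are filled with I_STEP = 0; a query variable
    " derived from the user would be filled with I_STEP = 2 (after the popup).
    IF i_step = 0 OR i_step = 2.

      " Wrong: sy-uname is the dialog user. When user A runs the query in
      " RSUDO on behalf of user B, sy-uname still says A, so B's
      " authorization is built from A's name and the results differ.
      " lv_user = sy-uname.

      " Right: ask the analysis authorization framework whose
      " authorizations are being evaluated. Under RSUDO that is user B,
      " otherwise the logged-on user, so both paths give the same result.
      CALL FUNCTION 'RSEC_GET_USERNAME'
        IMPORTING
          e_username = lv_user.

      CLEAR ls_range.
      ls_range-sign = 'I'.
      ls_range-opt  = 'EQ'.
      ls_range-low  = lv_user.
      APPEND ls_range TO e_t_range.
    ENDIF.
ENDCASE.
```

The same replacement applies to exits implemented via the BAdI RSROA_VARIABLES_EXIT and to any other place where the exit derives a filter from "the current user" (e.g. a lookup of the user's cost centres): the lookup key must be the user being impersonated, not sy-uname, otherwise RSUDO shows A's data labelled as B's.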



More information:

1914703 - Transaction RSECADMIN "Execute as User" has different BW query result compared to direct BW query execution result by this user



Tuesday, August 7, 2018

Unified Connectivity (UCon) framework part 2

I wrote about UCon a few years ago, see here: NetWeaver Unified Connectivity (UCON).
This post has refreshed information on the topic.

I introduced the whitelisting / blacklisting features of SAP in my older blog post: White / Black Lists. In SAP terminology, securing RFC-enabled objects this way is also called Unified Connectivity (UCON). It was introduced on the NetWeaver platform in release 7.40. At a very high level UCON is about logging and blocking: with UCON only those remote-enabled function modules (RFMs, including BAPIs) that are actually used in deployed scenarios are allowed to be called from outside. Execution of the rest is blocked, so the NetWeaver system is secured on the server side because its attack surface is reduced.

To identify which RFMs are to be exposed and which are to be blocked, UCON provides a three-phase process and a toolset.

First of all, the profile parameter ucon/rfc/active needs to be set to 1 (t-code RZ11, system profile parameters).

In the 1st phase (Logging) you identify the RFMs that are actually called from outside systems. The tool “Phase Tool Unified Connectivity” (t-code UCONPHTL, program UCON_PHASE_TOOL) is used for this. CCMS also contains SAP Unified Connectivity Monitor templates that support the tool.

In the 2nd phase (Evaluation) the system checks whether blocking the RFMs that were not logged would interrupt any deployed business scenario. Again t-code UCONPHTL is used here.

And finally in the 3rd phase (Activation) you confirm the assignment and the UCON runtime checks become effective: from now on a call to an RFM outside the default communication assembly is rejected.

It is also possible to override the blocking of some RFMs delivered by SAP, at your own risk. The ABAP program RS_RFC_BLACKLIST_CUSTOM can be used for that: by entering the RFM name you can see what the original setting of the RFM was and change it. All changes to these settings are logged, and the settings made by the program are transportable. In this way an RFM blacklisted by SAP can be unblocked.

More information:

Wednesday, January 10, 2018

Security vulnerability – Meltdown and Spectre

The year 2018 started a bit crazy when it comes to computer security. Security researchers published huge security vulnerabilities related to CPUs, the computers' microprocessors.

If you remember the year 2014 and the bug called Heartbleed, that was almost nothing compared to these two, which security analysts consider "catastrophic". In short, Meltdown allows a rogue process to read any kernel memory even though the process is not authorized to do so. Spectre abuses the branch prediction of microprocessors with speculative execution: by mistraining the predictor, a victim process is tricked into speculatively accessing data it should not, and the traces this leaves in the CPU cache let another process read (not modify) that data through a timing side channel.

One of the issues with these vulnerabilities is that Spectre is not easy to fix. Also, the fixes cause CPU performance degradation.

The vulnerabilities affect a wide variety of devices, almost every device using a modern microprocessor: Meltdown mainly those made by Intel, Spectre also ARM and AMD. As SAP systems run on these processors as well, SAP is paying attention to the vulnerabilities. There are dedicated SAP Notes (see below), prepared and being updated, that advise customers on what to do.

More information:
2585591 - How to protect against speculative execution vulnerabilities on Windows?
2586312 - Linux: How to protect against speculative execution vulnerabilities?

Tuesday, May 31, 2016

Evaluating user password in NetWeaver ABAP systems

ABAP programmers sometimes need to authenticate a user during the runtime of an ABAP application. As an example: if a user is supposed to confirm some data in an ABAP application, the system asks for the user's password and performs the confirmation only once the password is correct. The assumption is that a user who enters the password must really be aware that a particular activity (e.g. confirming a batch in a manufacturing process) is intended to be done.


So, as an ABAP programmer, how would I validate the user's password? Luckily SAP provides a very handy function module for that: SUSR_LOGIN_CHECK_RFC. It has a very simple interface of importing parameters, and by evaluating its exceptions I can tell my application whether the check passed, the user is locked, the password is wrong, etc. Two caveats: check only the logged-on user (sy-uname), because accepting an arbitrary user name would turn the report into a password oracle for other accounts; and the exceptions WAIT and USER_LOCKED show that failed checks are not free, so repeated wrong entries can end in a locked user.



REPORT zmm_pwd_check.

" The check is always done for the logged-on user. Accepting a different
" user name here would let anyone test passwords for other accounts.
" LOWER CASE: passwords are case-sensitive, so the input must not be
" converted to upper case by the selection screen.
PARAMETERS p_pwd TYPE rsyst-bcode LOWER CASE.

AT SELECTION-SCREEN OUTPUT.
  " Do not echo the password on the selection screen.
  LOOP AT SCREEN.
    IF screen-name = 'P_PWD'.
      screen-invisible = '1'.
      MODIFY SCREEN.
    ENDIF.
  ENDLOOP.

START-OF-SELECTION.
  CALL FUNCTION 'SUSR_LOGIN_CHECK_RFC'
    EXPORTING
      bname                  = sy-uname
      password               = p_pwd
    EXCEPTIONS
      wait                   = 1
      user_locked            = 2
      user_not_active        = 3
      password_expired       = 4
      wrong_password         = 5
      no_check_for_this_user = 6
      internal_error         = 7.

  " sy-subrc carries the exception number; only 0 means the password is correct.
  WRITE: / 'sy-subrc =', sy-subrc.
  CASE sy-subrc.
    WHEN 0. WRITE: / 'everything OK'.
    WHEN 1. WRITE: / 'wait'.
    WHEN 2. WRITE: / 'user_locked'.
    WHEN 3. WRITE: / 'user_not_active'.
    WHEN 4. WRITE: / 'password_expired'.
    WHEN 5. WRITE: / 'wrong_password'.
    WHEN 6. WRITE: / 'no_check_for_this_user'.
    WHEN 7. WRITE: / 'internal_error'.
    WHEN OTHERS. WRITE: / 'unknown return code'.
  ENDCASE.

Source code available at: github.com/softy12/ABAP-PWD-CHECK

Wednesday, March 9, 2016

White / Black Lists

In general, as in any other industry or area of interest, we talk about white and black lists in SAP as well.

Basically, anything on the white list is approved or recognized, simply speaking considered safe. On the other hand, anything on the black list is forbidden, unknown or just not safe.

In SAP we can talk similarly about programming objects, and about access to certain objects: some objects can be accessed (white list) and access to other objects is denied (black list).

Let us focus on e.g. RFC function modules. Remote-enabled function modules are protected by the authorization object S_RFC, which lists the function modules (or function groups) a user is allowed to call: those form the user's white list. An RFC FM for which the user has no S_RFC authorization is effectively black listed for that user. Note that the S_RFC check is only performed when the profile parameter auth/rfc_authority_check is active.

last update: 07/08/2018

1664340 - Documentation of authorization object S_RFC is unclear

Special characters in Analysis Authorization values

First a brief info on what Analysis Authorization is.

Analysis Authorizations (AAUT) is the concept used in BW systems to grant users access to the data in the system. This concept is not based on the standard authorization concept of SAP as used in SAP transactional systems like ECC; it serves users who access query data.

Unlike the standard authorization concept of SAP, which is based on classic authorization objects, the AAUT concept is based on so-called analysis authorizations. Such an object includes a group of characteristics and, for each characteristic, the values to which access is granted. An analysis authorization (also called an authorization object for reporting) can include any characteristic flagged as authorization relevant. This flag is available on the maintenance screen of the characteristic in RSA1 -> Modeling -> tab Business Explorer -> Authorization Relevant. Once the flag is enabled, analysis authorizations can be created for the characteristic.

When a user runs a BW report or query, the system selects the data from the InfoProvider. If an authorization-relevant characteristic is part of the data set, the system evaluates whether the user has sufficient authorization for the whole data set. Only if the user's authorization values cover the whole data set is the data displayed.

The AAUT objects are maintained in t-code RSECAUTH (you can also jump there via t-code RSECADMIN). One analysis authorization can include multiple characteristics and each of them can have multiple values against which access is evaluated. The values can be of two types: flat values or hierarchy values. Operators such as EQ, BT, GT, LE and CP are possible, but only as inclusive (sign I) ranges; excluding values (sign E) is not supported in analysis authorizations.
Now let us see what different flat values can be entered here. Apart from regular values, where the value is spelled out precisely, there are also the following:


* (asterisk): represents any number of characters

+ (plus): represents exactly one character

: (colon): authorization for aggregated values. It serves for displaying aggregated values (e.g. totals): if two characteristic values are tied to different key figures and the user is only authorized to see the data for one value, having the colon in the AAUT object enables the user to see the total coming from both values of the characteristic, without seeing the individual values. Without the colon, a query that does not drill down by that characteristic fails with “Authorization missing for aggregation”.

$ (dollar sign): enables usage of BW variables of type customer exit in authorizations, the variable name is introduced by dollar sign.


Few examples:
I EQ  02          // fixed value
I EQ  0TCT_24     // fixed value
I CP  A*          // pattern
I EQ  $VAR_SECT   // variable
I EQ  :           // aggregated values

Saturday, February 6, 2016

Law of Personal Data Protection in SAP BW

By default SAP BW provides logging capabilities for data access, meaning all users' access to data can be logged and evaluated from a security and audit point of view. For regular usage of the system this is usually enough. Some countries require IT systems to fulfil their own rules when processing personal data. One example is Spain, which a few years back introduced the so-called Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) law.

As BW is one of the systems that can store personal information, SAP had to provide capabilities within SAP BW to adhere to the law. This resulted in the introduction of LOPD Access Logging in Reporting and Planning Applications as a feature of SAP BW / SAP NetWeaver.

The LOPD feature logs all access to sensitive personal data stored in SAP BW. Technically it is delivered via the BAdI RSEC_LEGAL_AUDIT_SAP; implementing this BAdI enables the feature. As a next step the particular InfoProviders that store personal data need to be marked as LOPD relevant in the customizing table RSECLOPDIP. Once this is set up, the system collects the LOPD-relevant access log.


Useful information:

933441 - Frequently asked questions on BW 7.0 and data protection

Wednesday, December 30, 2015

SAP Enterprise Threat Detection (ETD)

As more and more companies face security issues, and threats usually come first in line, monitoring and evaluating security-related events has become very important for every big software vendor. SAP jumped on this bandwagon as well with its offering SAP Enterprise Threat Detection.

The aim of this solution is to:
  • offer a real-time data platform for performing forensic investigations in order to discover suspicious patterns
  • automatically evaluate attack detection patterns
  • analyze and correlate logs
  • integrate custom log providers
  • find threats focused on SAP software


So all in all it helps to identify real attacks as they happen and to analyze the threats quickly enough to neutralize them before serious damage occurs.

Technically it is based on processing of data collected by ESP (Event Stream Processor). The ESP gets the data from SAP NetWeaver application servers (Java and ABAP), from the SAP HANA database and from non-SAP sources. The ESP then hands the collected data to SAP HANA, which evaluates and analyzes it and generates alerts based on the results. The analyses done in HANA are pattern based. The patterns are developed and enhanced by SAP; customers can adapt them to their needs and also create completely new ones.

Currently there is an SP02 available for SAP Enterprise Threat Detection 1.0.

More information:

Tuesday, September 15, 2015

How to recognize whether SNC is installed in SAP system?

SNC is very often used by SAP customers to secure the data exchange between SAP and external systems. Also, communication from SAP GUI to the SAP backend is not encrypted by default. To secure communication like this, SNC needs to be implemented in the SAP system landscape.

SNC, Secure Network Communications, is an interface securing the communication between two SAP system components; it provides application-level, end-to-end security (authentication, integrity and, depending on the configured quality of protection, encryption). Protection is provided by an external security product available to the SAP system via the SNC interface, which complies with the internet standard Generic Security Services Application Programming Interface (GSS-API) version 2. The default product provided by SAP is the SAP Cryptographic Library, which you can use for SNC between SAP system server components.

Sometimes customers ask whether they have SNC in place. How to quickly check this? There are a couple of ways...



1. By running function module SNC_CHECK_ACTIVE: the FM has no import parameters, so just open t-code SE37, enter the FM name and run it. If SNC is enabled on this application server, the export parameter ACTIVE is returned as X.



2. Table USRACL: it stores the SNC access control list (ACL) for users. If SNC is enabled, every user listed in field BNAME who logs on via SNC has field PNAME populated. That field holds the user's canonical SNC name in a format like:
p:CN=<user>@<company_domain>
e.g. p:CN=MMARUSKIN@MARUSKIN.EU


3. T-code SU01: if SNC is enabled, a particular user has the following data in the tab strip called SNC:
SNC Status: SNC is active on this application server
SNC Data: SNC Name: p:CN=<user>@<company_domain>
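The first two checks can be combined into one small report. The following is an added example, not code from the original post: it calls SNC_CHECK_ACTIVE (exporting parameter ACTIVE, as described above) and reads USRACL (fields BNAME and PNAME, as described above). The parameter P_USER and the report name are this example's own.

```abap
REPORT zsnc_check.
" Added example, not from the original post. Uses FM SNC_CHECK_ACTIVE
" (export parameter ACTIVE) and table USRACL (BNAME, PNAME) as described
" in the text; the selection parameter P_USER is this example's own.

PARAMETERS p_user TYPE sy-uname DEFAULT sy-uname.

DATA: lv_active TYPE c LENGTH 1,
      lv_pname  TYPE usracl-pname,
      lv_count  TYPE i.

" 1. Is SNC active on THIS application server? (The answer can differ
"    per instance if the profiles are not identical.)
CALL FUNCTION 'SNC_CHECK_ACTIVE'
  IMPORTING
    active = lv_active
  EXCEPTIONS
    OTHERS = 1.
IF sy-subrc <> 0.
  WRITE: / 'SNC_CHECK_ACTIVE failed, sy-subrc =', sy-subrc.
ELSEIF lv_active = 'X'.
  WRITE: / 'SNC is active on this application server'.
ELSE.
  WRITE: / 'SNC is NOT active on this application server'.
ENDIF.

" 2. Does the user have an SNC name mapped (tab SNC in SU01)?
SELECT SINGLE pname FROM usracl INTO @lv_pname WHERE bname = @p_user.
IF sy-subrc = 0 AND lv_pname IS NOT INITIAL.
  WRITE: / p_user, 'SNC name:', lv_pname.
ELSE.
  WRITE: / p_user, 'has no SNC name mapped'.
ENDIF.

" 3. How many users have an SNC name at all? A handful of mapped users on an
"    "SNC active" server usually means SNC is optional, not enforced.
SELECT COUNT(*) FROM usracl INTO @lv_count WHERE pname <> @space.
WRITE: / lv_count, 'users carry an SNC name in USRACL'.
```

"SNC active" only means the library is loaded; it does not say whether unprotected logons are still accepted. For that, check the profile parameters snc/accept_insecure_gui and snc/accept_insecure_rfc (and snc/only_encrypted_gui / snc/only_encrypted_rfc on newer kernels) in RZ11: as long as insecure connections are accepted, a SAP GUI without SNC still logs on with a password over the network in clear.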

Saturday, August 29, 2015

t-code STAUTHTRACE

I recently faced an authorization issue. As usual I sent the output of t-code SU53 (the evaluation of the last failed authorization check) to the SAP security team. As my colleague from security had trouble finding the objects for which authorization was missing for my user, we sat together to look at the issue. While we were working on it he showed me a new, interesting t-code whose existence I was not aware of before: STAUTHTRACE.

The t-code allows a system-wide trace evaluation. This solves a very common issue in systems with multiple application servers, where otherwise you need to perform the analysis of authorization checks on the particular server the user is logged on to.
The trace is very detailed; it basically shows everything (similar to the authorization trace in t-code ST01) needed for analyzing any kind of authorization issue. Unlike ST01 it is limited to authorization checks only, but it records failed and successful checks alike, which SU53 (last failed check only) cannot show.


The t-code is available as of the following NetWeaver releases: 700 SP27, 701 SP12, 702 SP12, 730 SP8, 731 SP5 and 7.40 and higher.


More information:
1707841 - STAUTHTRACE: System-wide trace evaluation
1603756 - Using StAuthTrace to record authorization checks

Saturday, August 8, 2015

Where to find information about SAP Security?

Every day SAP admins face many challenges, and one of them is security. Someone may not consider security an issue, but according to surveys like here or here, security is very important in SAP systems as well. In this post I want to highlight a few pages where we can learn about different aspects of security within SAP systems.


SAP Security Notes: service.sap.com/securitynotes

Patch Day MM/YYYY Notes - SAP releases security notes (fixes for a wide range of security issues discovered within SAP software) as SAP Notes that are called Patch Day Notes; search for “patch day” at service.sap.com/notes.

service.sap.com/support -> Help & Support -> Search for SAP Notes and SAP Knowledge Base Articles -> SAP Security Notes -> White Papers or access it via direct link: SAP Security Recommendations

1536783 - SAP SECURITY RECOMMENDATIONS - PROTECTING JAVA- AND ABAP BAS

Tuesday, September 30, 2014

ShellShock – UNIX/Linux systems bash vulnerabilities, is SAP affected?

Earlier this year we all experienced the bug in OpenSSL called Heartbleed. It seems there are never enough security issues around, and last week ShellShock appeared. ShellShock is a set of vulnerabilities (CVE-2014-6271 and CVE-2014-7169) in the UNIX/Linux bash (GNU Bourne-Again Shell) shell. Bash is the command line shell used in many UNIX/Linux/Mac OS based operating systems. The flaw can allow an attacker to execute shell commands by placing malicious code in environment variables that bash imports as function definitions; anything that passes attacker-controlled data into the environment of a bash process (CGI scripts, some SSH and DHCP setups) is a vector. To fix it, the patch for the specific OS needs to be applied: the vendor of the particular OS provides the patch and customers have to apply it.

For SAP as an application running on an affected OS the situation is as follows. As SAP has standardized its OS scripts on the C shell, there should be no issue with the standard scripts. However, customer scripts may still be bash based, so careful and thorough checks are advised.

Anyway, SAP is still investigating what influence this vulnerability may have on its software. Therefore keep an eye on the SAP Note below to receive up-to-date information from SAP about the issue.


More information:

2072994 - "ShellShock“ vulnerability (CVE-2014-6271)

Monday, September 1, 2014

Software archeology in terms of SAP

"REPORT HAS BEEN DEACTIVATED". You may find a statement like this within ABAP code such as reports. One may wonder what it actually means. Usually the code is obsolete and should no longer be used.

What makes SAP code obsolete? These are the cases I am thinking of:

·      A particular function was rewritten (refactored); the old one is not needed any more and is obsolete.

·      Functionality implementation error: some functionality was intended to be present but it was later decided not to implement it, while some initial code remains. The remaining code is obsolete.

·      Implementation errors in the security area: there are potential security risks or vulnerable patterns in the code, to name a few: hard-coded users or passwords, executing certain code without logging it or without checking authorization objects, direct access to critical DB tables, injection issues (ABAP command injection, SQL injection), RFC execution, directory traversal, use of wait commands, etc. These errors were not detected during the security checks of the development cycle and were rolled out to customers' systems. Such errors make parts of the code obsolete.

As soon as the refactored code is delivered or implementation errors are discovered, corrections are prepared (mostly in the form of SAP Notes). These corrections mark the code as obsolete and prevent its execution.
That is basically what happened when we see e.g. REPORT HAS BEEN DEACTIVATED in the ABAP code.
To enforce that the particular ABAP code is not used, it is even commented out. The code is commented out instead of simply removing the whole object in order to prevent an unnecessary ABAP dump in callers. This way the user is informed about the obsolescence:
Another point of view (as suggested in the comment that introduces the deactivation of the function) is software archaeology (see the 1st screenshot). Even though it seems to be practice at SAP that after a few more releases the particular code is not only commented out but also removed, it is very nice to see a trace of software archaeology.

Thursday, August 28, 2014

Scanning custom ABAP code for security risks

Just as SAP performs security checks of the standard software it delivers, it offers tools enabling customers to do the same. There is a tool called "SAP NetWeaver Application Server add-on for code vulnerability analysis", also known as Code Vulnerability Analyzer (CVA). The tool carries out a static analysis of custom ABAP source code in order to reveal possible security risks.

The tool is available in NetWeaver ABAP stack based deployments starting with the following versions:

7.0 NetWeaver: in EHP2 SP 14 or higher

7.0 NetWeaver: in EHP3 SP 09 or higher

7.3 NetWeaver: in EHP1 SP 09 or higher

7.4 NetWeaver: in SP05 or higher

 

In order to use the CVA tool, execution of the system-wide security checks first needs to be enabled with report RSLIN_SEC_LICENSE_SETUP. Afterwards the security checks are available in the standard ABAP code checking tools: ABAP Test Cockpit (ATC), Code Inspector (SCI) and the extended program check (SLIN). The option is usually called "Security Analyses in Extended Program Check". Also notice that the tool has several limitations; see the SAP Notes below for details.

Notice that usage of the security check features for custom code is licensed separately and additional costs are incurred.


- update 2022NOV22-

There are following other tools that can be used to scan ABAP code:

- t-code CODE_SCANNER (prog AFX_CODE_SCANNER)

- program RS_ABAP_SOURCE_SCAN

- program RS_B4HANA_CODE_SCAN – specific to BW systems, included in BW/4 Starter-Addon 
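To make concrete what these scanners look for, here is an added example (not code from the original post) of one typical finding in custom code, a dynamic WHERE clause built from user input, next to its hardened forms. SFLIGHT and its field CARRID are the standard flight demo objects; the report and parameter names are this example's own.

```abap
REPORT zcva_demo.
" Added example, not from the original post. Shows one class of finding the
" CVA security checks (ATC / SCI / SLIN) raise in custom code: user input
" concatenated into a dynamic WHERE clause, next to the hardened forms.
" SFLIGHT / CARRID are the standard demo objects; P_CARR is this example's own.

" Deliberately wide and LOWER CASE so that an injection string fits.
PARAMETERS p_carr TYPE c LENGTH 50 LOWER CASE.

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string.

" Trailing blanks of the CHAR parameter are dropped by the conversion to string.
DATA(lv_input) = CONV string( p_carr ).

" --- Vulnerable: the input becomes part of the SQL text. An input such as
"       LH' OR carrid <> '
"     (constructed for illustration) turns the condition into
"       carrid = 'LH' OR carrid <> ''
"     and returns every flight. CVA reports this as a possible SQL injection.
lv_where = |carrid = '{ lv_input }'|.
SELECT * FROM sflight INTO TABLE @lt_flights WHERE (lv_where).
WRITE: / 'dynamic WHERE, unescaped:', lines( lt_flights ), 'rows'.

" --- Hardened 1: no dynamic SQL at all. The host variable is passed as a
"     value and is never parsed as SQL, so its content cannot alter the query.
SELECT * FROM sflight INTO TABLE @lt_flights WHERE carrid = @p_carr.
WRITE: / 'static WHERE:', lines( lt_flights ), 'rows'.

" --- Hardened 2: if the clause really must be dynamic, build the literal with
"     CL_ABAP_DYN_PRG=>QUOTE, which wraps the value in single quotes and
"     doubles any quote inside it, so the input can only ever be a value.
lv_where = |carrid = { cl_abap_dyn_prg=>quote( lv_input ) }|.
SELECT * FROM sflight INTO TABLE @lt_flights WHERE (lv_where).
WRITE: / 'dynamic WHERE, quoted:', lines( lt_flights ), 'rows'.
```

Run the report through ATC with the security checks enabled and only the first SELECT is flagged. The same idea applies to the other findings listed in the notes below (dynamic program names, file paths, command injection): either remove the dynamic part, or validate it with the matching CL_ABAP_DYN_PRG check method before use.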

More information:

1855773 - Security checks for customer-specific ABAP programs

1697494 - Customer Code Scans

1841643 - Customer Security Vulnerability Scans

1949276 - Code vulnerability analyzer: Restrictions

Tuesday, August 26, 2014

NetWeaver Unified Connectivity (UCON)

See also part two of UCon here: Unified Connectivity (UCon) framework part 2

UCON is a new connectivity framework in SAP NetWeaver that also deals with the security aspects of RFC (Remote Function Call) calls from outside systems into SAP NetWeaver systems. The UCON framework reduces the number of remote-enabled function modules (RFMs) that can be called from outside systems.

An SAP ERP system contains approximately 38k RFMs. By default all of them can be called (subject only to the S_RFC authorization check). As typically only a few of them are needed in a customer's production system, UCON lets you limit the callable set to those that are actually needed.

What needs to be done in order to deploy UCON?

- The NetWeaver system where UCON will be used must have the profile parameter ucon/rfc/active set to 1.
- Set up and generate the communication assembly (CA) in t-code UCONPHTL.
- Schedule the batch job SAP_UCON_MANAGEMENT to collect the RFC statistics recording.

Notice that UCON is only available as of SAP NetWeaver 7.40.


Further information: