Security Issues in ABAP Software Maintenance
This section covers the most important security aspects to observe when working with the ABAP maintenance tools Support Package Manager, SAP Add-On Installation Tool, and Note Assistant.
SAP provides you with regular updates in the form of Support Package Stacks, Add-On Installation Packages, and Add-On Upgrade Packages. Urgent corrections and solutions to minor problems are available in the form of SAP Notes.
ABAP Support Packages are imported using the Support Package Manager, while ABAP Add-On Packages and Add-On Upgrade Packages are installed using the SAP Add-On Installation Tool. ABAP Note corrections are implemented using Note Assistant.
For more information about Support Package Manager and SAP Add-On Installation Tool, see https://help.sap.com/spmanager.
Roles and Authorizations for ABAP Software Maintenance
The following roles and authorizations are available for software maintenance:
| Tool | Authorization |
|---|---|
| Support Package Manager/SAP Add-On Installation Tool | Authorization profile S_OCS_STD (standard OCS profile) (see Authorizations in the Support Package Manager documentation and Authorizations for SAP Add-On Installation Tool in the SAP Add-On Installation Tool documentation at https://help.sap.com/spmanager) |
| Note Assistant | To work with Note Assistant, you need the general developer authorization (in role SAP_BC_DWB_ABAPDEVELOPER, for example). |
Security Issues When Importing Support Packages
To import Support Packages with Support Package Manager, you need the DDIC user. If this user has been locked for security reasons, Support Package Manager informs you that you need to temporarily unlock it in order to perform the import process.
Security Issues When Loading SAP Notes
There are various ways in which you can load SAP Notes in your system. You can load them from SAP Support Portal and then upload them in Note Assistant. When doing this, you need to be sure that the Notes are really from SAP Support Portal.
Alternatively, you can load SAP Notes in your system directly by establishing an RFC connection to SAP. If you use this method, you need to make sure that the SAP Notes are loaded via the RFC connection SAPSNOTE. You should protect this connection from unauthorized access. You also need to take note of the information contained in the RFC/ICF Security Guide. For information about how to create connection SAPSNOTE, see Activating Note Assistant in the Note Assistant documentation.
Configuring the System Landscape for Changes
To implement SAP Notes, the software component in which the SAP Note is implemented must be modifiable. If you set a software component to Modifiable, you should set it back to Not Modifiable after implementing the SAP Note. This prevents other users with developer authorization from making changes to the software component. This applies in particular when implementing SAP Notes in production systems.