
Security Issues in ABAP Software Maintenance

SAP provides you with regular updates in the form of Support Package Stacks, Add-On Installation Packages, and Add-On Upgrade Packages. Urgent corrections and solutions to minor problems are available in the form of SAP Notes.

ABAP Support Packages are imported using Support Package Manager, while ABAP Add-On Packages and Add-On Upgrade Packages are installed using Add-On Installation Tool. ABAP Note corrections are implemented using Note Assistant.

Note

You should only import Support Packages from a trusted source, for example from SAP Support Portal or from SAP CDs. The same applies to Add-On Packages. SAP Notes should only be obtained from SAP Support Portal or via an RFC connection to SAP, while non-SAP packages should always be obtained directly from the manufacturer.

Roles and Authorizations for ABAP Software Maintenance

The following roles and authorizations are available for software maintenance:

| Tool | Authorization |
| --- | --- |
| Support Package Manager / Add-On Installation Tool | Authorization profile S_OCS_STD (standard OCS profile) (see Authorizations in the Support Package Manager documentation and Authorizations for Add-On Installation Tool in the Add-On Installation Tool documentation). |
| Note Assistant | To work with Note Assistant, you need the general developer authorization (in role SAP_BC_DWB_ABAPDEVELOPER, for example). |

Security Issues When Importing Support Packages

To import Support Packages with Support Package Manager, you need the DDIC user. If this user has been locked for security reasons, Support Package Manager informs you that you need to temporarily unlock it in order to perform the import process.

Security Issues When Loading SAP Notes

There are various ways in which you can load SAP Notes into your system. You can download them from SAP Support Portal and then upload them in Note Assistant. When doing this, you need to be sure that the Notes are really from SAP Support Portal.

Alternatively, you can load SAP Notes in your system directly by establishing an RFC connection to SAP. If you use this method, you need to make sure that the SAP Notes are loaded via the RFC connection SAPSNOTE. You should protect this connection from unauthorized access. You also need to take note of the information contained in the RFC/ICF Security Guide. For information about how to create connection SAPSNOTE, see Activating Note Assistant in the Note Assistant documentation.

Configuring the System Landscape for Changes

To implement SAP Notes, the software component in which the SAP Note is implemented must be modifiable. If you set a software component to Modifiable, you should set it back to Not Modifiable after implementing the Note. This prevents other users with developer authorization from making changes to the software component. This applies in particular when implementing SAP Notes in production systems.

 

 
