Blogs

Security

To learn more, see the Security homepage.

Critical Infrastructure Protection - Air Transportation
During critical infrastructure outages, we realize that no matter who owns the asset or industry, Government must respond. Anthony McKinney in Aerospace and Defense, Co-Innovation Lab, Defense, Governance, Risk and Compliance, Public Sector, SAP Developer Network, SAP NetWeaver Platform, SAP Research, Security [Nov. 19, 2009 08:44 AM | 0 Comments | Permalink]

Show ST01 authorization trace
Report ZSHOWAUTHTRACE reads the current ST01 trace file and shows the authorization trace data in a simple to use grid format. Frank Buchholz in ABAP, Application Server, Code Exchange, Security [Nov. 16, 2009 01:46 AM | 3 Comments | Permalink]

ZSU53 - Missing authorization assistance
A tool which lists profiles/roles containing the missing authorizations from your profile! As compared to SU53, ZSU53 (the missing authorization assistance) not only tells you which profiles/roles contain the authorization but also lists the users associated with it! Asim Rasheed Mian in ABAP, ERP, Identity Management, SAP Developer Network, Security [Nov. 10, 2009 08:56 AM | 9 Comments | Permalink]

Integrating 3rd-party Cryptographic Providers into NetWeaver Java - What's Possible and What's Not
This article explains how to plug a 3rd-party JCE-compliant cryptographic provider into your SAP NetWeaver J2EE engine, and what to expect after that, i.e. what security functions will benefit from the 3rd-party crypto provider, whether standard functions will break, etc. Dong Pan in Application Server, Security [Nov. 06, 2009 02:26 AM | 1 Comments | Permalink]

Fighting crime and terrorism with a prototype of advanced integrated analytics capabilities for police agencies
SAP Research France demonstrates in this blog entry how combining latest social network analysis technologies from the SAP Business Objects Innovation Center together with the Investigation Case Management system helps police organizations to speed up their investigation processes. Cedric Ulmer in Analytics, Business Intelligence (BI), Business Objects, Defense, Emerging Technologies, Public Sector, Security, SAP Research [Nov. 06, 2009 02:24 AM | 1 Comments | Permalink]

Few "BUGS" - An Outsiders View
"Bugs" "Trace" "Rules of Engagement" Shekar.J in Security [Nov. 06, 2009 02:20 AM | 0 Comments | Permalink]

SSO with SPNego not working on Windows 7 / Windows 2008 R2
With Windows 7 and Windows 2008 R2 Microsoft removed the DES encryption used by SAP's SPNego implementation from the default encryption types for Kerberos. In this blog I outline the steps necessary to get Single Sign On with SPNego working again. Holger Bruchelt in Security, Application Server, Duet, Enterprise Portal (EP), SAP NetWeaver Platform [Nov. 05, 2009 04:39 PM | 6 Comments | Permalink]

Y-Code or Why Code?
Need for customised codes in today's environment Babu Jayendran in ABAP, Business Process Expert, ERP, Security [Nov. 05, 2009 01:28 AM | 4 Comments | Permalink]

Hacker's Lunch @ SAP TechEd Vienna
At SAP TechEd09 in Vienna I presented an Expert Lounge session on Security. 57 folks signed up for the "Hacker's Lunch" and a little crowd of innocent bystanders gathered over time as well. It went 40 minutes overtime with the Q&A’s at the end and several people asked me to share the presentation and notes. Here they are. Julius Bussche in ABAP, Application Server, Governance, Risk and Compliance, Run SAP, SAP TechEd, Security [Nov. 01, 2009 02:05 PM | 4 Comments | Permalink]

Authorization in SAP Inbox for Substitution
Upon substitution, initiated by a person going on leave or vacation, to the person acting in his place through SAP inbox or the UWL package in Portal, selective authorization roles in the initiator's profile should be granted to the actor once the substitution is activated, or deleted once the substitution has expired. Adel A. Abuhaimed in ABAP, Business Rules Management, Governance, Risk and Compliance, Security [Oct. 30, 2009 12:50 PM | 0 Comments | Permalink]

ASUG Webcast: How to Implement Secure A2A and B2B Scenarios Using SAP NetWeaver
A reminder on the ASUG webcast tomorrow on "How to Implement Secure A2A and B2B Scenarios Using SAP NetWeaver" Srini Tanikella in Application Server, SAP NetWeaver Platform, SAP Process Integration (PI), Security, Service-Oriented Architecture [Oct. 27, 2009 10:20 PM | 0 Comments | Permalink]

Podcast:: How it Works - Identity Management Reporting
New Podcast about reporting in SAP NetWeaver Identity Management. It will show you how to create a report template using SAP Business Objects Crystal Reports which retrieves data from an SAP NetWeaver Identity Management 7.1 system. This template can then be used for reporting purposes. Oliver Nocon in Crystal Reports, Identity Management, Security [Oct. 27, 2009 07:33 AM | 0 Comments | Audio Download Media | Permalink]

Security Diagnostics: Improving the Analysis Process Through Influence
Security Diagnostics: Improving the analysis process for failed authorization checks in SAP. Greg Capps in Governance, Risk and Compliance, SAP TechEd, Security [Oct. 19, 2009 05:38 AM | 1 Comments | Permalink]

Another full day for security professionals at #SAPTechEd09
There were plenty of activities and security-related sessions to keep me busy for a third day. Read on for my thoughts on my Thursday agenda at #SAPTechEd09 in Phoenix. Gretchen Lindquist in SAP TechEd, Security, Business Process Expert, Governance, Risk and Compliance, Identity Management [Oct. 15, 2009 04:43 PM | 0 Comments | Permalink]

My agenda runneth over! The second day at #SAPTechEd09
Even putting in a non-stop 12 hour day was not enough for me to fit in everything I wanted to do at #SAPTechEd09 today. Read on for personal observations on those education and networking events I was able to fit in to my final agenda. Gretchen Lindquist in SAP TechEd, Security, Business Process Expert [Oct. 14, 2009 05:54 PM | 0 Comments | Permalink]

Clear and concise recommendations from SAP have arrived (finally)
SAP is providing you with clear and concise recommendations. You don't want to miss them. Dagfinn Parnas in Business Solutions, Interoperability, SAP TechEd, Security, Standards [Oct. 13, 2009 06:05 PM | 0 Comments | Permalink]

Thoughts on the first day at SAP TechEd 09
Not able to be with us in Phoenix, or just wondering what you might have missed? Read on for Gretchen's observations on the security-related sessions and other activities she attended the first day at TechEd 09. Gretchen Lindquist in SAP TechEd, Security [Oct. 13, 2009 04:13 PM | 0 Comments | Permalink]

Trust Architecture for Securely Shared Services: The TAS3 project
Towards a Trusted Internet! Citizens must be empowered to manage their personal data, understand who is using it and how, and moreover know that it won't be lost or exploited by any unauthorised and untrusted party. In this blog entry, we present the TAS3 project addressing this topic. Magali Seguran in Security, Service-Oriented Architecture, SAP Research [Oct. 13, 2009 10:27 AM | 0 Comments | Permalink]

SPIDERMAN is working in my system or a bug in the debugger?
This blog focuses on a feature of the new ABAP debugger that could be dangerous if you have the S_DEVELOP / DEBUG authorizations in a productive environment. Andrea Olivieri in Beginner, ABAP, Beyond SAP, ERP, Security [Oct. 09, 2009 05:49 AM | 1 Comments | Permalink]

Transaction SE16N vulnerability
Remove access to transaction SE16N from your production systems. Martin English in ERP, SAP NetWeaver Platform, Security [Oct. 09, 2009 05:41 AM | 4 Comments | Permalink]

The case of the lost SAPLOGON.INI
I thought I'd just throw this out there to see if anyone else experienced a similar issue that I did. I lost my SAPLOGON.INI file and then 1 day it magically reappeared again... Kevin Wilson in Beginner, Security [Oct. 08, 2009 08:53 PM | 2 Comments | Permalink]

TechEd Bangalore – Half a TechEd?
SAP TechEd in Bangalore has a lot less sessions than Vienna - why is this? Paul Tomlinson in Enhancement Packages, Enterprise Portal (EP), Governance, Risk and Compliance, Identity Management, Java Programming, Ranting, SAP TechEd, Security [Oct. 08, 2009 03:05 AM | 4 Comments | Permalink]

Are Controls and Security Synonymous? Not really.
Every so often I see a comment on a blog or in a forum suggesting that security and controls are essentially synonymous. In my experience such a simplistic view is how security gets dumped on for controls failures. See if you agree with my logic. Gretchen Lindquist in Beginner, Beyond SAP, Business Process Expert, Governance, Risk and Compliance, Security, SAP TechEd [Oct. 07, 2009 10:46 AM | 5 Comments | Permalink]

Encryption everywhere -- Securing your Duet landscape
This blog takes a look at the connections and security related configurations in complex NetWeaver landscape -- like a Duet installation (WebAS Java to WebAS ABAP, WebAS Java to IIS, ...). As a result you should not only know how to secure your landscape, but also get a better understanding of what components are involved. Holger Bruchelt in Duet, SAP NetWeaver Platform, Security, SAP xApps [Oct. 03, 2009 09:44 AM | 0 Comments | Permalink]

Model-driven Runtime Monitoring of Service-Oriented Architectures – The MASTER Project Part II
In this blog entry, we continue our presentation of the benefits that the EU MASTER project brings to companies in the area of compliance. In particular, we explain the methodology and translation process from constraints and control objectives that are defined at a high level of abstraction towards languages used to configure runtime components in the MASTER architecture. Theodoor SCHOLTE in Business Process Management, Governance, Risk and Compliance, SAP Research, Security, Service-Oriented Architecture [Oct. 03, 2009 09:43 AM | 0 Comments | Permalink]

What is SAP Influence?
What are the avenues to Influence SAP functionality? Were you aware that ASUG and other SAP User Groups globally use the voice of the customer to influence SAP solutions? This blog discusses the different ways to Influence SAP functionality and invites you to participate at SAP TechEd in a session targeted for influence of SAP Security, GRC Access Control and NetWeaver Identity Management. Greg Capps in Governance, Risk and Compliance, Identity Management, SAP SAPPHIRE, SAP TechEd, Security [Sep. 28, 2009 02:24 PM | 2 Comments | Permalink]

Support packs and security: a not-so-odd couple
Support pack strategies may not be the top of the list of security professionals' concerns, but perhaps it deserves a closer look. This issue and others are topics I plan to take up at Expert Networking sessions at SAP TechEd in Phoenix. Read on for more about it. Gretchen Lindquist in Business Process Expert, Governance, Risk and Compliance, SAP TechEd, Security [Sep. 28, 2009 07:15 AM | 1 Comments | Permalink]

A well secured Information System, may facilitate willing adoption of BPM! - Part 3
On the premise that a secure information system may be a facilitative factor for adoption of BPM, it was suggested that of the various models available for ISMS, the ISO/IEC Standard 27001:2005 may be considered for implementation by organizations as it promotes systems approach and process approach. In the earlier two blogs on this topic, an overview of the core operative clauses and the control objectives were covered. In this blog the Supportive clauses, informative clauses and the documentation requirements are being briefly described to complete the glimpse on the Standard. Anbazhagan Sam Venkatesan in Business Process Expert, Business Process Management, Security, Standards [Sep. 19, 2009 10:40 AM | 0 Comments | Permalink]

Setup SAML 1.1-based Web SSO from NetWeaver CE to non-SAP systems
Find out how you can turn your NetWeaver CE system into a Single Sign-On gateway to non-SAP systems as well as SAP systems. This blog elaborates the detailed steps on how to setup SAML 1.1 based Web SSO from NetWeaver CE 7.1 (or above) to non-SAP systems. Dong Pan in Security, SAP NetWeaver Platform, Composition Environment (CE) [Sep. 18, 2009 12:20 AM | 0 Comments | Permalink]

Model-driven Runtime Monitoring of Service-Oriented Architectures - The MASTER Project Part I
In this blog entry, we continue our presentation on the benefits that the EU MASTER project brings to companies in the area of compliance. In particular, we explain the specific needs from companies, the way these needs can be addressed, and a particular research topic related to the configuration of compliance management tools for Service-Oriented Architectures. Theodoor SCHOLTE in Security, Business Process Management, Governance, Risk and Compliance, SAP Research, Service-Oriented Architecture [Sep. 17, 2009 11:55 PM | 0 Comments | Permalink]

A Glimpse at the ISO/IEC Standard 27001:2005 on ISMS
This blog has been started on the premise that a good security of information systems may be a facilitative factor for adoption of BPM by organizations and of the various models available for ISMS, the ISO/IEC Standard 27001:2005 may be considered for adoption. In the earlier blog on this topic an overview of the core operative clauses of the Standard were covered. In this blog the rest of them are being briefly described to provide a glimpse on the Standard. Anbazhagan Sam Venkatesan in Business Process Expert, Business Process Management, Security [Sep. 14, 2009 10:53 PM | 0 Comments | Permalink]

A lesson learnt on Integration and Complexity
The NetWeaver Developer Studio needs to log into a server in several places. For this there is an easy way to keep user and password to automate this. But what if the server forces you to update the password every once in a while? Benny Schaich-Lebek in Java Programming, Security, Standards [Sep. 10, 2009 06:36 AM | 9 Comments | Permalink]

Coming to TechEd 2009 Vienna? Looking for Details & Best Practices about SAP NetWeaver Identity Management
You are visiting TechEd 2009 in Vienna and want to learn details about SAP NetWeaver Identity Management. Here you find a condensed collection of sessions which may interest you. Oliver Nocon in Identity Management, SAP NetWeaver Platform, Security [Sep. 07, 2009 02:12 AM | 0 Comments | Permalink]

We all have lessons to learn from the Heartland data breach – whether board member, executive, or professional
IT professionals, board members, executives, and auditors: the major data breach at Heartland is an opportunity to learn. Reliance on compliance audits may be misplaced. Norman Marks in Business Process Expert, Governance, Risk and Compliance, Security [Sep. 02, 2009 05:01 PM | 0 Comments | Permalink]

Logon!!! Just Hold Your Mouse
This blog is about emerging SAP technology in its hottest trends. I am sure you will enjoy it. Have a best day ahead. Srivastava.G in Security, Emerging Technologies, ERP, Application Server, Analytics [Sep. 02, 2009 04:00 AM | 6 Comments | Permalink]

SAP Security And Biometrics
Description of Biometrics. With the introduction on how SAP is emerging into the fields of Biometrics section of technology. Srivastava.G in Security, Emerging Technologies, Business Process Management, Analytics, ABAP [Sep. 01, 2009 01:18 AM | 0 Comments | Permalink]

ASUG Chapter Meeting At My Place - Come On Over!
Information about an ASUG Chapter meeting - open to ASUG members and prospective members. But you must register to attend. It's being held where I work. Jim Spath in Webinars, Travel and Logistics Services, Sustainability, Security, SAP TechEd, SAP Solution Manager, Business Process Expert, Application Server [Aug. 29, 2009 04:23 AM | 1 Comments | Permalink]

Security how it can baffle you
How Security can take you by surprise!!! Vinod Jose in Security [Aug. 20, 2009 11:50 PM | 4 Comments | Permalink]

Beyond PCI - keeping RAW credit card numbers out of your SAP applications
Beyond PCI - eliminating the entry of RAW credit card numbers from your SAP applications to remove them from scope for PCI audits. Eric Bushman in ABAP, Business Process Expert, CRM, Emerging Technologies, Enhancement Packages, ERP, Governance, Risk and Compliance, Security, Service-Oriented Architecture [Aug. 14, 2009 08:38 AM | 0 Comments | Permalink]

The two-edged sword of security automation
An exchange I had recently with one of our end users brought home to me the fact that the automation of security role assignments has both plusses and minuses in respect to controls and quality. How to emphasize the upside and minimize the downside is the million dollar question. Gretchen Lindquist in Business Process Expert, Governance, Risk and Compliance, Identity Management, Security [Aug. 03, 2009 10:23 AM | 8 Comments | Permalink]

The importance of being (appropriately) supported...
A few months ago I blogged about "The importance of being trained" after attending an ABAP training course with SAP's Education Department which left me regretting not having done it earlier. Different opinions about the cost : benefit ratios of training approaches were voiced in the resulting discussions, and I would like to follow-up with another positive experience of a similar nature which is also not for free - but in my books well worth it if you have made serious investments in your business and SAP technologies to support it. Julius Bussche in Security [Aug. 03, 2009 08:51 AM | 6 Comments | Permalink]

Do you want something more than SSO (Single Sign-On) can offer ?
Many SAP customers are familiar with SSO (e.g. Single Sign-On), and the benefits it can bring to their users. However, I have worked with a number of SAP customers who have specific use cases where SSO causes problems for some users when they need to logon to SAP systems. This blog describes and discusses these problems, and mentions some solutions. Tim Alsop in ABAP, Governance, Risk and Compliance, SAP NetWeaver Platform, Security [Jul. 30, 2009 04:48 AM | 3 Comments | Permalink]

System Landscape planning with Global and Local Zones - Part 1
SAP NetWeaver and SAP Business Suite 7 is the building infrastructure for an open, flexible and adaptable business process solution. But this flexibility on the user-side might come along with an increasingly complex infrastructure. Questions like "How do I separate the individual components?", "Shall I use virtual machines or hardware?" and "What about Zoning?" are common amongst Solution Architects and others responsible for an IT landscape. This blog tries to answer these questions. Christian Guenther in Business Suite 7, Enterprise Portal (EP), ERP, SAP NetWeaver Platform, Security [Jul. 29, 2009 09:08 AM | 0 Comments | Permalink]

Best Paper Award at SecurWare'09
SAP Research Sophia Antipolis (France) is proud to announce that Paul El-Khoury, Gomez Laurent, Dr. Laube Annett and Alessandro Sorniotti won the Best Paper Award at the SecurWare conference for their paper: “A Security Pattern for Untraceable Secret Handshakes”. This paper is the result of a joint work between two European research projects, Serenity and WASP. Laurent Gomez in SAP Research, Security [Jul. 23, 2009 09:32 AM | 1 Comments | Permalink]

Using YubiKey OTP to secure your Portal
This blog describes a quick proof of concept I did to enable secure access to the SAP Enterprise Portal using the Yubico YubiKey One Time Password generator. I also discuss some of the pros and cons of implementing such a system. Simon Kemp in Emerging Technologies, Enterprise Portal (EP), Identity Management, Java Programming, Security [Jul. 23, 2009 12:02 AM | 0 Comments | Permalink]

What's ahead in SAP security, identity management, and compliance?
If you work in SAP security, identity management, or compliance at an ASUG member organization, don't miss these upcoming opportunities to learn about the road ahead for SAP solutions. Gretchen Lindquist in Security, Identity Management, Governance, Risk and Compliance, Business Process Expert [Jul. 17, 2009 08:31 AM | 1 Comments | Permalink]

BusinessObjects Enterprise and client side SNC Part 1 of 2
In this 2 part blog series I am showing the steps on how you can use SNC for client authentication in combination with BusinessObjects Enterprise. Ingo Hilgefort in Analytics, Business Intelligence (BI), Business Objects, Crystal Reports, SAP NetWeaver Platform, Security [Jul. 03, 2009 09:06 AM | 2 Comments | Permalink]

Recent Security Discussions

Cool, How about merging this with what SU53 can (and currently cannot) do?
Posted on Nov. 16, 2009 01:54 PM
by Julius Bussche
Also, as this is a report which can be scheduled for events (or "dropped" from s...

Cool, How about merging this with what SU53 can (and currently cannot) do?
Posted on Nov. 16, 2009 01:35 PM
by Julius Bussche
Hi Frank, It would be useful if the ALV grid output showed the app server, a...

collaboration across agencies
Posted on Nov. 16, 2009 10:38 AM
by Anthony McKinney
good points here. In addition to a specific criminal investigation, there may b...

Handy improvement on ST01
Posted on Nov. 16, 2009 05:06 AM
by Edward Hammerbeck
This is quite an improvement on ST01. I've added this to my tool bag. Thanks!...

Awesome..!
Posted on Nov. 12, 2009 11:56 PM
by Rama krishna S
Super, it's really helpful. Making things much easier....

Code share
Posted on Nov. 12, 2009 12:23 PM
by Asim Rasheed Mian
For those who don't use saplink as yet and find the code in the pdf cumbersome.....

SAP Link
Posted on Nov. 11, 2009 12:07 PM
by Martin Voros
Thanks, Martin ...

Brilliant
Posted on Nov. 11, 2009 06:31 AM
by Mohammad Zeeshan
Brilliant idea. Very nicely developed. Makes everybody's life much easier. Great...

SAP Link
Posted on Nov. 11, 2009 06:26 AM
by Asim Rasheed Mian
Sorry about that guys, here is the saplink! http://code.google.com/p/zsu53/ ...

Well Done Asim
Posted on Nov. 11, 2009 06:25 AM
by Asim Rasheed Mian
Thanks Rashid! I'll try to write up another blog explaining the newly introduc...

SAP Link
Posted on Nov. 11, 2009 01:46 AM
by Markus Milleder
Let me second this request. Even a plain text version would be much better th...

Well Done Asim
Posted on Nov. 10, 2009 10:01 PM
by Rashid Javed
Amazing Stuff. I hope this utility became part of standard SAP ERP because it co...

SAP Link
Posted on Nov. 10, 2009 02:26 PM
by Martin Voros
Hi, thanks for publishing this program. Is there any chance that you would pu...

y code - an ABAP or developer or...
Posted on Nov. 09, 2009 04:26 AM
by Michelle Crapo
Really? At my work the Business Analyst decides what needs to be coded and what...

Very insightful blog!
Posted on Nov. 08, 2009 07:03 PM
by Tong Zheng
Thank you Dong for presenting us such a nice article. It is very exciting to kno...