Conversion to SAP S/4HANA using SUM: ABAP Systems on UNIX and Linux

Settings for Secure by Default

This section deals with information concerning the settings for the "Secure by Default" concept.

Settings for the Security Audit Log

The Security Audit Log is an important component for "Secure by Default" concept. You can use it to record security-related system information such as changes to user master records or unsuccessful logon attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the AS ABAP system. By activating the audit log, you keep a record of those activities that you specify for your audit. You can then access this information for evaluation in the form of an audit analysis report. For more information on the Security Audit Log, see the documentation about ABAP Platform or SAP S/4HANA on the SAP Help Portal at http://help.sap.com.

If you already use the Security Audit Log, you need to ensure several settings for the system conversion:
  • Make sure that the current profile contains at least one active filter.
  • Make sure that the kernel parameter for the Security Audit Log activation is activated in transaction SM19 on tab Kernel Parameter.
  • Make sure that the parameter rec/client is used and set to client 000 and the business clients.

Enablement of Secure by Default Settings

As of SAP S/4HANA and SAP S/4HANA Foundation 1909, Secure by Default settings are applied for system conversions to SAP S/4HANA or SAP S/4HANA Foundation. Depending on the SAP S/4HANA release, the Secure by Default scope can vary. The settings affect the profile parameters, the ABAP platform configurations, and the SAP HANA auditing.

  • Profile parameters: You have the choice to skip the activation of the secure profile parameters. However, this is not recommended.

  • ABAP platform configurations and HANA auditing: Secure by Default settings are activated during the system conversion if no configuration has been done in the source system of the respective Secure by Default topic.

Note that if a corresponding configuration already exists in the source system, the Secure by Default settings are not applied. For example, if the source system has an SAP Security Audit Log configuration, existing settings are converted. Otherwise, the Secure by Default settings are activated during the system conversion. For more information, see SAP Note 2926224 Information published on SAP site.

If you perform a system conversion to

  • SAP S/4HANA 2021

  • SAP BW/4HANA 2021

  • SAP S/4HANA Foundation 2021

or a higher version, the Software Update Manager installs and enables HANA Audit Policies by default

  • during downtime, if you perform a system conversion where the source system is already running on an SAP HANA database

  • during the Prepare phase, if you perform a system conversion including database migration (DMO) to SAP HANA database

In addition, the following secure profile parameters for tp are provided for the Secure by Default settings:
Profile Name Value
VERS_AT_IMP ALWAYS
RECCLIENT ALL
TLOGOCHECK TRUE