Question: I have found it necessary to compare all instance profiles on all SAP App Servers from time to time. I wrote o PERL script that did this for me from the OS level but ofcourse that would not be a good solution for all SAP Security Administrators. So I was trying to find where in SAP an Administrator could do this. I am almost sure I have seen it before and used it but now I cannot find it. If it exists please let me know where it is.
I know how to check history of each parameter to see if it has been changed and by whom, but I need to be able to see if one of the parameters is different on one appserver, a comparison. If there is an SAP provided program for this, then can someone tell me if the solution below is what I am looking for.
Maybe you can check it out and tell me if it works.
Using RZ11 you can see if a parameter is marked for "check on all servers" or to be checked when you run the parameter check under utilities in RZ10. If that parameter is checked, in RZ11 does that mean that when I run the check in RZ10 it will include it in the report if the parameter is not the same in one of the app servers, and if this check is not there in RZ11 it will not be included in the report?
If so how can I flag it in RZ11 to be checked. Some parameters are marked to be checked and some are not, but they are not in a changeable mode in RZ11, so where do I tell the system to make this a parameter to be checked when I run the check all parameters under utilities in RZ10.
I think I am on the right track. Let me know if I am not.
Oh and THIS IS A SECURITY question. Because if a security related parameter is different on one appserver it is good to have a tool to quickly check.
And also the BASIS Forum has not been able to answer yet. hehe
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
You would have to write an ABAP and RFC enabled FM to retreive the data and you could do this simply with the SUBMIT command to report RSPARAM with the LIST TO MEMORY AND RETURN option then retreive the list and send it to the source system and compare. Rather simple code.
I wrote a report to enter what the values shoudl be and then run it in each system to campare against what it shoul dbe to what it is and run it on all systems , production is the most important though
Answer:
What John said... that is why the Basis people didn't answer you.
Answer:
Thanks for the feedback.
I am going to try this out.
Comparing all instance profiles on all systems
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment