Security configuration settings are crucial to run SaaS applications: Are certificates maintained, is CSP enabled, are protection allowlists valid? However, given the ease with which SaaS apps can be deployed by business users, it can quickly become confusing to maintain a good security posture for all of them.

SaaS Security Posture Management (SSPM) solutions help in identifying gaps in configuration settings across all SaaS apps in use.

And that makes SSPM solutions different compared to SIEM and CASB solutions. SIEM (Security Incident and Event Management) solutions analyze logs for suspicious patterns. CASB (Cloud Access Security Broker) solutions can enforce security policies based on user behavior and configuration settings.

With SAP S/4HANA Cloud Public Edition 2402, SAP provides APIs to enable customers to gain insights into their security configuration settings. The available APIs are based on SAP’s security recommendations and cover aspects managed by the customer that might require business decisions, like user and authorization management.

Available Use Cases and APIs for SAP S/4HANA Cloud Public Edition

The following APIs are available with SAP S/4HANA Cloud Public Edition, 2402 under api.sap.com. Potential use cases are listed below to serve as examples.

Business user role/authorization configuration

It is possible to use the following APIs to retrieve business user and role data, e.g. users with important roles. Customers can monitor high-risk roles and role-catalog combinations and limit their usage. The idea is to help monitor critical cases, and not to uncover authorization flaws.

• Business User - Read Logon Details (Type: ODATA V4): Read logon details, such as username, validity, group and assigned business roles using this synchronous inbound service.
• Business Role - Read (Type: ODATA V4): Read business role details using this synchronous inbound service.

The corresponding SAP Fiori apps to cover this use case are Maintain Business Users (F1303) and Maintain Business Roles (F1492). Further documentation also referenced in our security recommendations can be found in our help portal.

Detection of unused users/connections

The following APIs support the use case to enable customers retrieve an overview of either locked or unused business users. Ideally a definition is available how much time must pass to assess if business users are locked / unused for too long. The same applies for communication users, especially if the communication user is unused for a long time, but assigned to a communication arrangement.

• Business User - Read Logon Details (Type: ODATA V4): Read logon details, such as username, validity, group and assigned business roles using this synchronous inbound service.
• Communication User - Read (Type: ODATA V4): Read communication user using this synchronous inbound service.

As written before, users can also achieve the same with SAP Fiori app Maintain Business Users (F1303). Regarding communication user maintenance, the suitable SAP Fiori app is Maintain Communication Users (F1338). Our SAP help portal also provides the following information regarding role maintenance and communication management.

Communication settings (authentication methods etc.)

To gain insights into communication settings, the following APIs can be used. Ideally, customers define a policy to determine acceptable combinations of communication arrangements and authentication methods and an identification via API of communication arrangements violating this policy can be established, or communication users used in multiple communication arrangements.

• Communication User - Read (Type: ODATA V4): Read communication user using this synchronous inbound service.
• Communication System - Read (Type: ODATA V4): Read communication systems using this synchronous inbound service.
• Communication Arrangement - Read (Type: ODATA V4): Read communication arrangements using this synchronous inbound service.

The above mentioned documentation regarding communication management is good start to dive deeper into the details on communication settings. Corresponding SAP Fiori apps are Maintain Communication Users (F1338), Communication Systems (F1762) and Communication Arrangements (F1763).

HTTP protection (csp, cors, framing) configuration

To protect the UI user, a status of the customer-defined Content Security Policy can be fetched as well as information on specific functionality available through protection allowlists, like clickjacking protection.

• Content Security Policy - Read (Type: ODATA V4): Read Content Security Policy (CSP) using this synchronous inbound service.
• Protection Allowlist - Read (Type: ODATA V4): Read the protection allowlists using this synchronous inbound service.

This section of the secure communication chapter of the SAP S/4HANA Cloud Public Edition documentation provides details on CSP and allowlists. Respective SAP Fiori apps are Manage Content Security Policy (F3856) and Maintain Protection Allowlists (F3195).

Trusted certificates

Retrieving a status of certificate trust lists for trusted certification authorities.

• Certificate - Read (Type: ODATA V4): Read the client certificates and certificate trust lists using this synchronous inbound service.

Documentation covering certificate trust lists can be found here. The corresponding SAP Fiori apps are Maintain Certificate Trust List (F2275) for root certificates and Maintain Client Certificates (F5350) for client certificates.

Conclusion

With SAP S/4HANA Cloud Public Edition 2402, SAP enhances its security posture and enables customers to harness insights from the configuration status of various security features of SAP S/4HANA Cloud Public Edition.