Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security Blueprint doc

Former Member

‎09-18-2008 11:47 PM

0 Kudos

Hello,

1.Do we have document / template for SAP security blueprint?

2. What is meaning of AS-IS processes, with respect to security?

3.How do we go about documenting To-Be processes, with respect to security?

Thanks in advance.

VJ

6 REPLIES 6

Former Member

‎09-19-2008 7:36 AM

0 Kudos

Hi

1. Yes thankyou

2. As-Is means the current procesess. Your question can be interpreted in 2 ways.

i. your security design supports the business processes, e.g. transactions & restrictions used and allocation of those to users so they can run those business processes.

ii. Your current security processes e.g. your user & role creation process etc

3. The functional team will document the to-be processes. They (and you) can use these processes to identify inscope transactions, important restrictions (e.g. new doctypes being used) and creation of roles. There are lots of ways of documenting it, at the minimum you want to capture the new tx to role mapping, important restrictions per business process or functional area & to-be organisational structure.

Former Member
In response to Former Member

‎09-19-2008 10:00 AM

0 Kudos

>alex

>1. Yes thankyou

If you are talking of ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and doc are not comprehensive.

There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.

Former Member
In response to Former Member

‎09-19-2008 10:38 AM

0 Kudos

> 

> >alex
> >1. Yes thankyou
> 
> If you are talking of ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and doc are not comprehensive. 
> There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.

I am not referring to ASAP, though from a security perspective, in my experience, ASAP is fine to follow & use if you spend the time required to get used to it.

I have seen many, many security blueprints which would benefit from using the various ASAP elements, despite it's weak points.

Former Member

‎09-19-2008 1:25 PM

0 Kudos

Hello Alex,

Thank you for answers.

Is there any place i can get a sample of document / template of security blueprint.

Thanks,

Vijay

Former Member
In response to Former Member

‎09-19-2008 3:21 PM

0 Kudos

I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.

Hussein did well to mention ASAP, you can download it and get some useful templates from there. More info here: https://websmp101.sap-ag.de/roadmaps

Have a think about stuff like the following:

Security Objectives

Security Approach

TX to Role Mappings

Restriction Requirements

Compliance Requirements (SOX, internal security standards)

Build Standards

Developer Security standards

User Management

Basically all the stuff you need to be able to build from your set of blueprint docs

Have fun & good luck

jurjen_heeck
Active Contributor
In response to Former Member

‎09-19-2008 3:25 PM

0 Kudos

> I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.

Very well put Alex! Julius, Maybe a small text like this one could enter the sticky?