
Security Guidance

Former Member
0 Kudos

Just a quick question and I hope it's ok to post it here.

I hate to say that I am new to SAP Security, about 8 months of experience on my first implementation. I worked very hard to learn enough to get my first job and couldn't be happier now. After 8 months I really feel that I am getting very good and knowledgeable about SAP and Security. The focus I had when I started, knowing exactly what I had to learn and should learn, has been lessening. I'm finding it harder every day to find the focus on what I should be learning and need to know. I try to spend at least an hour a night learning more about SAP by reading a book, or learning about a concept and even just playing in our sandbox.

When I started in SAP I set a goal of becoming a master, a guru and someone my team can always turn to for an answer. I know it won't happen overnight or even in a year but it is my goal. I read the posts on here from a few people and admire the depth and breadth of their knowledge. I want that and yes, I am very impatient!

For those of you who have been in Security for a while, what would you recommend I learn and master? What should I focus my energy on learning? Is it simply technical or should I learn some of the more functional lessons? Should I pick a module or two and master it from a technical standpoint?

My problem is that I want to learn it all - I cannot figure out for the life of me right now what is most relevant and will provide my employer the best return on their investment in me. I really would appreciate your advice and guidance.

Todd

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Todd,

There was a related question a while back which I put my thoughts on:

My 2p worth is that decent security admins should know why as well as how.

A good understanding of the auth concept is the best start.

The biggest skills gap in my opinion, is understanding where security fits into business processes, the control frameworks - the big picture.

Arguably, this takes longer to get to know than the tech side, but when you know it, the value to your firm is higher than knowing all the tables off the top of your head (but know how to find them....).

Audit is a good way of getting to know your main risks and how you manage them via preventative controls (security). It also prepares you well for working with auditors, business people etc.

Basis skills can be useful, but if you understand the basics of the data dictionary & how authority-checks work, it's not going to take you long to learn how to run in a transport.

Cheers

Alex

8 REPLIES 8

Private_Member_119218
Active Participant
0 Kudos

Hey, Todd!

I understand where you're coming from. I'm pretty much in the same boat as you are.

To answer your question, well, if you are technically inclined and the sort that likes to know all the gory details about the system you are working with, I suggest you look into learning Basis. From what I've gathered, Basis + Security is a very common combination of specializations, and for a good reason - the knowledge and skills in one augment those in the other.

Plus, Basis people are the ones everyone goes to to ask the really arcane questions about obscure problems. If you're the sort that likes figuring those out, learning Basis is your ticket.

Another thing you can try looking into is Auditing. Ties in with Security, obviously.

0 Kudos

A commonly made mistake is to see security as part of Basis. Yes, one should have a thorough knowledge of the tables that sit behind security, but in real life no security consultant should ever be asked to commit Basis tasks unless the project management made the mistake of hiring someone to do both jobs.

Audit is better to focus on, as that is where your added value for a project comes from. Do not try to learn business modules, but focus on how to ask the right questions from the business consultants / key users.

Remember SAP is a team effort; no one can know or do ALL. But be sure to be the best in your own area and to be able to communicate with the rest of the team.

0 Kudos

I agree with you, Auke. Security is not part of Basis and the same person should not be responsible for both at the same time.

However, knowledge of Basis will afford the person a greater understanding of the inner workings of an SAP system, thus allowing them to secure it more thoroughly.

Either way, what we have here are subjective opinions and this thread is about providing options, not definitive answers. I'm just trying to further explain my opinion.

Cheers.

Former Member
0 Kudos

Hi Todd,

Try to focus and learn more on the things you are working on. If you are working on R/3 security only, try to get a complete hold of it. Attend trainings on ADM 940, 950 & 960.

Also, it would be an added advantage if you can gain an overview of the business processes. It makes your communication much easier.

As Auke mentions, it is teamwork and no one can master all....

0 Kudos

Thanks to everyone for the great answers!

I want to know more than just security so I am doing some basis tasks like setting up RFCs etc. Luckily our job definitions right now are very loose and I have the latitude to touch many other areas of SAP. This includes being tasked with installing and configuring NWIM. Kinda cool.

For some reason I thought I should learn the inner workings of modules. At the same time I realize I know enough about security to support any module. Not sure if I could implement one on my own right now but working towards it.

Thanks again

Todd

0 Kudos

I understand that the thread is closed, but will "chime in" anyways...

> Todd wrote:

> When I started in SAP I set a goal of becoming a master, a guru and someone my team can always turn to for an answer. .... I want that and yes, I am very impatient!

I attended a training course last year on ABAP Objects and wrote a blog about what I would all know now, had I only known some of it earlier. There is also a lively discussion around it, and different opinions about which approach is best. Personally, I think making the investment in training in the fundamentals and techniques earlier is better, and then deepen the knowledge from there.

It has been on the main page of http://sdn.sap.com for a few days; you can also find it via the profile later.

> Alex wrote:

> Audit is a good way of getting to know your main risks .... It also prepares you well for working with auditors.

Agree with that. Ever tried to audit an ex-auditor?

Cheers,

Julius

0 Kudos

Auditors? Ever hack a hacker? I worked in IT Security before SAP and loved to hack people trying to get into my employer's networks.

Thanks again to everyone. Very helpful.