
How security design can affect the performance of an SAP system

Former Member
0 Kudos

Dear experts,

We have a landscape where we have Business One, xRPM, BO etc. systems and have a role design where technical roles are separated from org roles (Enabler role concept), which means that when a user needs roles he will be requesting the technical role and the org-based role for the company location he belongs to.

I understand this security design approach is debatable, but my question is different here.

Now in the current landscape we are getting system performance issues. All the involved teams (basis, hardware etc.) have been asked to see how best system performance can be improved.

I, as part of the security team, have got the same task and need to see if performance is affected because of the security design.

I would like to take your input on what needs to be checked from a security point of view for system performance.

I think role clean-up will help a little bit but not much. Also, we are running an ST01 trace to see where a tcode is taking more time.

Kindly share your views/experience on this.

Kind regards

Ashish

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Asheesh,

If there is latency in information retrieval then the DBA should check if the DB size has increased considerably. If performance degradation is noticed in a tcode execution then check if there are custom tcodes creating the issue. Your solutioning/architect should check if there was any change/update made to the existing architecture and if any application is causing a performance-related issue. Sometimes network congestion in the LAN also increases latency, and query/search results are affected.

Thank you,

Nagarajan Viswanathan

13 REPLIES 13

Former Member
0 Kudos

Dear Experts

Would appreciate your valuable input on this.

Kind regards

Asheesh

0 Kudos

Thank you Nagarajan,

We are checking a few of these and will consider the others suggested by you.

I am wondering how a complex security design can affect the performance. Any idea?

Kind regards

Asheesh

0 Kudos

Hi Asheesh,

In your initial post you have mentioned "system performance". Can you please elaborate on this: since when are the systems responding slowly, and are any specific set of users affected, so that you can find out which server/module-related data store or device is causing latency?

A few other things to consider would be:
1. Are you using any encryption product to encrypt data that is coming to/from a public network?
2. Has the user base and business data increased substantially in recent times?
3. Did the initial solution/plan of implementing SAP ERP have any point which points towards hardware optimization?
4. Are you having servers in VM etc.?

Thank you,

Nagarajan Viswanathan

0 Kudos

Thank you Nagarajan,

Your points really make sense and I am going to check in that direction as well.

We are facing performance issues when users are accessing a few business tcodes. We have enabled an ST01 trace and are trying to see which auth object is creating the issue.

Also, we are wondering how SAP security (org roles and technical roles) can be the cause of this (performance when users are running a few tcodes).

Kind regards

Asheesh

0 Kudos

You are welcome Asheesh. I liked your query and the interest to look into the issue that is being reported by your company users.

Now, at least you have come to know that the latency/slowness in system response is being observed when certain tcodes are executed. They could be custom tcodes, and the underlying query may be searching data based on certain filters/parameters; that could be the reason (it's a thought, because we don't have the required input to diagnose the issue). The roles that you think may be the reason for the slowness may also be so because they have those tcodes which are running slow.

Thank you,

Nagarajan Viswanathan

nishad_showkath
Explorer
0 Kudos

Hi Asheesh,

I have never heard of the security design of roles causing system performance issues unless the org values given in roles are very broad and users are executing the tcode for a wide range of org values.

Just check whether the system performance is different when the same tcode is run for a different org value range.

Also, can you please tell whether you are facing the same system performance for the tcode in both production and test environments... If yes, then is it possible, for a test, that you modify the security role as per the usual practice followed, to have org values in derived roles in the test environment, and then try executing the tcode again? Just to confirm whether the security design is causing this issue.

Also check whether 2 users running the same tcode are having the same performance or different.

These are a few tests which I feel are worth doing; however, my gut feeling is that this is not due to a security design issue, even though I don't recommend the way it's been created for your client (separate role for org fields).

0 Kudos

Hello Nishad

Hope you are doing good !

You are reaching the issue. I think the issue is occurring because of the broad org values. As I need to verify this from a security point of view, I think looking into broad org values will help.

Can you please let me know what more needs to be looked into for broad org values?

Kind regards

Asheesh

nishad_showkath
Explorer
0 Kudos

Hi Asheesh,

I am doing good... What about you...??

I think we need to know which tcode the user is running and for what selection criteria. Try to check which org fields this tcode is running against and check the values checked in the ST01 trace for these org fields...

Also try to run the same tcode in the test environment with some test roles with customized values for the above-mentioned org fields and see if it is still causing a performance issue...

E.g. one of the org fields is cost center... try restricting cost center in a test role... and assign it instead of the broad role and try executing the tcode again in the test system...

0 Kudos

Nishad Showkath wrote:

I am doing good...

No, superman does good. You are doing well...

Just the role itself is not enough to compare performance. Some transactions actually dynamically adapt themselves to the combination of amount of data and whether or not line-by-line authority-checks are needed. You will then observe that the transaction runs much faster with SAP_ALL...  🙂

Performance problems from an armada of derived roles can also be caused in transporting them, as you should always transport the whole series, regardless of how big or small the change was.

But the most neglected security consideration IMO remains load balancing and sizing and encryption termination design without taking security into concern, or vice versa. Causes very expensive problems, and performance concerns normally win over security ones...

Cheers,

Julius

0 Kudos

Maybe superman is always considered to be physically well, and hence "No, superman does good"...

Still I would say I am doing good, since I referred to emotional state rather than physical state, and for sure I am not a superman.

I agree with your points that maybe the role itself may not be enough to compare performance and that different tcodes behave differently....

I just wanted to ensure whether it is exactly a security design issue which is causing this performance issue or something else... Maybe it can be load balancing or encryption or any other issue which is actually causing this performance issue...

Asheesh, do let us know if you got any further updates with this...


0 Kudos

Thanks Nishad for your input, I will let you know once our analysis is done.

Kind regards

Asheesh

Former Member
0 Kudos

Hi Ashish,

One of the arguments for the (rather flawed) enabler concepts is that it is supposed to reduce the number of buffered auth objects but that's not usually much of a problem on newer systems unless you have >100k users.  What version of SAP are you running?

From a security POV I would be looking at the average number of authorisations (not roles/profiles) assigned to users, and the use of large area menus & large role menus (historically could cause problems but not seen much measurable effect on ECC systems).

You can use ST03N to analyse transaction performance statistics, some will have long execution times from their very nature (large volumes of data returned, lots of dialog steps, random badly performing custom lookups) but it may well be that you ID key transactions and look at optimising them.


Cheers
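
Two of the checks suggested in this thread, the number of authorisations (not roles) per user and org fields left fully open in the org roles, can be run offline against table exports. The following is an added example, not code from any poster: it assumes CSV exports whose columns follow the standard tables AGR_USERS and AGR_1251, the role names and values are constructed, and the set of fields treated as org values is an assumption to adapt.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; column names follow tables AGR_USERS and AGR_1251.
AGR_USERS_CSV = """UNAME,AGR_NAME
ALICE,Z_TECH_FI_DISPLAY
ALICE,Z_ORG_1000
BOB,Z_TECH_FI_DISPLAY
BOB,Z_TECH_CO_DISPLAY
BOB,Z_ORG_ALL
"""
AGR_1251_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_TECH_FI_DISPLAY,S_TCODE,T-FI000100,TCD,FB03,
Z_TECH_FI_DISPLAY,F_BKPF_BUK,T-FI000101,ACTVT,03,
Z_TECH_CO_DISPLAY,S_TCODE,T-CO000100,TCD,KS03,
Z_TECH_CO_DISPLAY,K_CSKS,T-CO000101,ACTVT,03,
Z_ORG_1000,F_BKPF_BUK,T-OR100000,BUKRS,1000,
Z_ORG_1000,K_CSKS,T-OR100001,KOSTL,4000,4999
Z_ORG_ALL,F_BKPF_BUK,T-OR999900,BUKRS,*,
Z_ORG_ALL,K_CSKS,T-OR999901,KOSTL,*,
"""
# Assumption: the fields this landscape treats as org values.
ORG_FIELDS = {"BUKRS", "KOKRS", "KOSTL"}

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def analyse(users_csv, auth_csv):
    # Per user: distinct authorizations and org fields left fully open ('*').
    roles_of, rows_of = defaultdict(set), defaultdict(list)
    for r in load(users_csv):
        roles_of[r["UNAME"]].add(r["AGR_NAME"])
    for r in load(auth_csv):
        rows_of[r["AGR_NAME"]].append(r)
    report = {}
    for user, roles in roles_of.items():
        auths, broad = set(), set()
        for role in roles:
            for r in rows_of[role]:
                auths.add((r["OBJECT"], r["AUTH"]))
                if r["FIELD"] in ORG_FIELDS and r["LOW"].strip() == "*":
                    broad.add((role, r["OBJECT"], r["FIELD"]))
        report[user] = {"auth_count": len(auths), "broad_org": sorted(broad)}
    return report

def average_auths(report):
    return sum(v["auth_count"] for v in report.values()) / len(report)
```

Users that appear with open org fields are the candidates for the restricted test role comparison described earlier in the thread; the counts show authorisation spread only and say nothing about runtime by themselves.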