DevSecOps for SAP with ChaRM
Deutsche Bahn AG is a federally owned mobility and transport group of the Federal Republic of Germany and is represented by the Federal Ministry of Digital Affairs and Transport. DB AG consists of around 600 affiliated companies and operates not only the majority of the German rail network but also the majority of rail transport within Germany. In addition, the DB Group acts as an international transport and logistics company.
In the SAP world, authorizations determine which programs and activities can be performed. These are assigned to SAP users via “roles” to determine which users can perform which activities in an SAP system. Combining authorizations in the SAP landscape and classifying them as critical depending on their characteristics and combination is a common approach used by customers. This often involves transporting a large number of roles through the system landscape, which contain critical authorizations and must be approved before they can be transported.
The problem that Deutsche Bahn faced was that there was no solution that supported this procedure technically. Checks always had to be carried out manually in the productive system. This meant an immense expenditure of time. The challenge was therefore to design a solution that made it possible to automatically check a combination of defined critical authorizations depending on their characteristics and to integrate them in a DevOps Cycle. The DevOps Cycle enables a daily import to production.
For the customer, the agile approach of our team meant that the respective status was discussed at regular, smaller intervals. Following joint discussions, new requirements were defined, implemented and, if necessary, old ones were discarded. The customer was therefore always informed about all development steps and could test the new status himself after each implementation. Towards the end of the project, the new function was tested again in a final test phase before it could be validated on a real use case after go-live, where no errors occurred.
Cross ALM, using its own DevOps extensions for ChaRM, created an automatic way to check roles and authorization values before importing them into the follow-on system.
Previously, Deutsche Bahn had defined all combinations of critical authorizations in the SAP system.
In case of a critical authorization, the change is prevented from being processed in an automated DevOps cycle. Critical authorization must be imported into production via a special approval.
Thus, our team was able to not only design and develop a fully flexible solution, but also fully automate the entire validation process of the authorizations, from checking to notifying the responsible persons.
“Thanks to the DevOps enhancements for ChaRM and the new methodology, we have managed to establish “management by exception” and set a standard for authorization changes.”
Eduard Legler, Responsible for SAP Authorization at Deutsche Bahn