What are SAP Notes?


SAP® security notes - be at peace with your system

Broadly speaking, SAP Notes are small software updates: they contain corrections to the code, a description of the problem, and so on. Their second role is support: such a note does not contain corrections or updates but documents a specific problem, often in broad terms.
These two groups are called simply notes (SAP® Notes) and knowledge base articles (SAP® Knowledge Base Articles).

To describe the function of the notes more closely, we can introduce another division, one that gets to the heart of the matter: security.

  • HotNews, or top-priority notes, which, implemented at the right time, prevent serious trouble or, in a critical situation, allow you to quickly "put out the fire."
  • Security Notes, which increase the security of the system.
  • Legal Change Notes, which respond to changes in regulations, etc.

So we see that the notes are... helpful. Many of them are 'unfriendly' because of their complexity, but as your competence, knowledge and experience with SAP® systems grow, the discomfort will disappear.

Where and how to look for security notes?

The simplest answer: on SAP® Support Portal (https://support.sap.com/securitynotes). The links offered there, such as 'Expert Search', cannot be overlooked. However, the recommended option is to have an efficient Solution Manager system so that you can easily keep your systems 'up to date'.

How? It's just a little more difficult. At the time of writing this article, the security notes can be found on SAP® Launchpad in the 'System Operations and Maintenance' section, 'SAP Security Notes' tile.

Initially, on the tile itself, we get an indication of how many security notes there are to review.
If it's a sizable number, then... not good! Someone is not performing routine controls. Regular system updates explain this only partially. The clear recommendation is that every customer must regularly review the list of notes and verify, for each entry, whether the security note is relevant to their system and what to do if the note has to be implemented.

Several filters are available to help verify whether a security note is relevant, such as: system (does it apply to ours), category (e.g. program error), priority (importance), etc.

Patch Day Notes - to the rescue

These specific notes are published periodically, on what is known as SAP® Security Patch Day, on the second Tuesday of every month. The notes in this collection range from 'Low' to 'HotNews' priority; the issues are very often reported by external sources, and most of them have CVSS scores.
CVSS stands for 'Common Vulnerability Scoring System' and is designed to provide a snapshot, expressed as a score, of the characteristics of a security vulnerability and its criticality. In this article, we will not focus on what exactly makes up CVSS scoring, but it is nevertheless worth familiarizing yourself with. Plenty of material and documentation is widely available online.

Patch Day Notes should (and even must) be one of the elements of the necessary minimum in the security administrator's calendar.
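As an added illustration (not part of the original article and not an SAP tool), the routine review and the Patch Day calendar described above can be scripted against an exported list of notes. The export layout, note IDs, system IDs and the 'High'/'Medium' priority labels are assumptions of this example.

```python
import csv
import io
from datetime import date, timedelta

# The article names 'Low' and 'HotNews' as the ends of the range; the two
# middle labels are an assumption of this example.
PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample export: column names, note IDs and system IDs are hypothetical.
SAMPLE_EXPORT = """note,priority,cvss,system,released,status
NOTE-A,Medium,5.3,PRD,2024-03-12,new
NOTE-B,HotNews,9.8,PRD,2024-04-09,new
NOTE-C,High,7.5,QAS,2024-04-09,implemented
NOTE-D,High,8.1,DEV,2024-04-09,new
NOTE-E,Low,,PRD,2024-02-13,new
"""

def patch_day(year, month):
    """Second Tuesday of the month (date.weekday(): Monday=0, Tuesday=1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)

def last_patch_day(today):
    """Most recent Patch Day on or before `today`."""
    this_month = patch_day(today.year, today.month)
    if this_month <= today:
        return this_month
    prev = today.replace(day=1) - timedelta(days=1)  # last day of previous month
    return patch_day(prev.year, prev.month)

def triage(export_text, our_systems, today):
    """Open notes for our systems, most urgent first.

    Returns (note, priority, cvss, stale); stale means the note predates the
    latest Patch Day and is still unreviewed, i.e. a review cycle was missed.
    """
    cutoff = last_patch_day(today)
    found = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["system"] not in our_systems or row["status"] != "new":
            continue
        cvss = float(row["cvss"]) if row["cvss"] else None  # not every note has a score
        stale = date.fromisoformat(row["released"]) < cutoff
        found.append((row["note"], row["priority"], cvss, stale))
    found.sort(key=lambda n: (PRIORITY_RANK[n[1]], -(n[2] or 0.0)))
    return found

if __name__ == "__main__":
    for entry in triage(SAMPLE_EXPORT, {"PRD", "QAS"}, date(2024, 4, 20)):
        print(entry)
```

Any entry flagged as stale has sat unreviewed through at least one full Patch Day cycle, which is the situation the tile counter is meant to expose.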


RSECNOTE? When was that...? Formerly an enjoyable piece of "software". Today: run for your lives!
Well, that may be quite an exaggeration, but the message is clear: we no longer use this functionality. So why has it been brought up here? As a starting point that leads us to note 1890782 - RSECNOTE no longer supported, and to https://support.sap.com/sysrec. And from there, following the thread, to a lot of interesting information expanding on the above issue.

Well, enjoy your reading and, as they say, STAY SAFE 🙂

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: identification of authorization conflicts and authorization reorganization, identification of SAP vulnerabilities, integration of SIEM solutions with SAP, and optimization of SAP licenses.