BCS Security & GRC FAQs
Answers to common questions on security and GRC-related issues
Why do we need measurement standards-based QCI calculations in the SAP Oil, Gas, and Energy system?
SAP Oil, Gas, and Energy (SAP OG&E) comes with an open interface – the Quantity Conversion Interface (QCI).
- SAP OG&E does not deliver any validated, measurement standards-based quantity conversion solution for the QCI
- Business processes require thousands of quantity conversions per day
- Such calculations must be performed for a multitude of units of measure (UoM) of various quantities (SAP dimensions), e.g. gross & net standard masses, gross & net standard weights, gross standard & observed volumes, net standard & observed volumes, superior and inferior energies, etc.
Why should I retire my SAP Oil, Gas and Energy “CALL SYSTEM” “API-C” usage?
As described in the blog article “Complete compromise of an SAP system” (Protect4S SAP Security automation), if one member of the “Operating System – Database – SAP System” trio falls, they all fall.
Gaining access to “rsbdcos0” is named as a method by which operating system calls could be executed by an SAP user, but why bother when “CALL SYSTEM” is being used?
“CALL SYSTEM” can be used in a legacy SAP Oil, Gas, and Energy (SAP OG&E) system environment to execute external files (generally referred to as “API-C” calculations), creating the risk of an uncontrolled “bridge” within an ERP-level SAP OG&E system to trigger operating system (OS) –
Why is it necessary to use the QuantityWare service portal?
QuantityWare usage contracts define the QuantityWare Service Portal (https://service.quantityware.com) as the single channel of communication for all service issues.
Note: QuantityWare internal security policies explicitly forbid QuantityWare staff from sending e-mails with attachments to customers or prospective customers.
The QuantityWare Service Portal provides the following advantages:
- Secure (HTTPS-encrypted) document transfer and communications
- Monitoring by multiple members of the QuantityWare team
- Easily accessible history of past queries
- In line with good business practices (transparency and accountability)
Contact your organization’s “Cust.
Are there QuantityWare BCS specific authorization roles available for the Petroleum and Gas Measurement Cockpit?
Yes, all details are available in QuantityWare note 000056.
I receive a SAINT and SPAM (OCS) "Signature file missing" message, what does this mean?
As described in SAP Note 2645739, third parties working with SAP whose Add-On packages are not delivered by SAP through the SAP Software Download Portal have no access to SAP digital signature technologies.
QuantityWare has a high commitment to security and provides SHA-512 checksums for all files which can be downloaded from the QuantityWare Service Portal. Ensure that the checksum(s) of your downloaded package(s) and those published in the service portal match, before applying the package(s) in question.
Consult the SPAM / SAINT online documentation regarding the workaround for this issue:
((More →) Extras → Settings → Load Packages → Check Archive Signature).
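The checksum comparison described above can be scripted so that no package is applied unless every downloaded file matches its published SHA-512 value. The following is an added example, not QuantityWare or SAP code; the `hexdigest  filename` manifest layout, the function names and the `PKG_*.SAR` file names are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha512_file(path, chunk_size=1 << 20):
    """Stream the file so large add-on archives are never held in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (assumed layout) into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        hexdigest, name = line.split(None, 1)
        if len(hexdigest) != 128 or set(hexdigest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"not a SHA-512 hex digest: entry for {name!r}")
        expected[name.strip().lstrip("*")] = hexdigest.lower()
    return expected

def verify_packages(directory, manifest_text):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = Path(directory, Path(name).name)  # ignore any path in the manifest
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha512_file(path), want):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: A intact, B altered after download, C never downloaded."""
    files = {"PKG_A.SAR": b"package a", "PKG_B.SAR": b"package b", "PKG_C.SAR": b"package c"}
    manifest = "\n".join(f"{hashlib.sha512(v).hexdigest().upper()}  {k}" for k, v in files.items())
    with tempfile.TemporaryDirectory() as d:
        Path(d, "PKG_A.SAR").write_bytes(files["PKG_A.SAR"])
        Path(d, "PKG_B.SAR").write_bytes(files["PKG_B.SAR"] + b"altered")
        return verify_packages(d, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Treat any result other than `OK` as a reason to re-download from the portal and not to import the package.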