As SAP landscapes grow and become more hybrid, maintaining secure and compliant system configurations is no longer a one-time task—it’s an ongoing responsibility. As an IT administrator, you need clear visibility into system configurations, early identification of security risks, and an easy way to validate compliance with SAP security recommendations.
The Configuration & Security Analysis (CSA) application in SAP Cloud ALM is designed to support exactly this. This blog walks you through how CSA works, how data is collected, how to navigate the application, and how to use the new Validation functionality to assess compliance.
What is Configuration & Security Analysis?
Configuration & Security Analysis provides a central place to monitor and validate security-relevant configurations across your SAP landscape, including:
SAP cloud-based applicationsSAP Business Technology Platform (BTP) servicesSAP Application Server ABAP systems
CSA continuously collects configuration data and compares it against SAP Security Recommendations and Security Baseline Templates. This allows administrators to detect configuration gaps early—before they become security incidents.
Where Configuration Data is Stored
All collected configuration and security data is stored in the Configuration & Change Database (CCDB), which runs on SAP HANA. The CSA Data Stores app in SAP Cloud ALM gives you access to this data in a structured and easy-to-analyse way.
How Data is Collected
On-Premise ABAP Systems
For systems such as SAP S/4HANA, CSA uses an HTTP-based Push Receiver approach:
Install required add-ons: ST-A/PI and ST-PIActivate the CSA use case using transaction /n/SDF/ALM_SETUPConfiguration data is automatically pushed to SAP Cloud ALM on a daily basis
In case of troubleshooting, CSA-related logs can be analysed using ,Transaction: SLG1, Object: /SDF/CALM, Sub-object: CSA
SAP Cloud Services
Data collection for SAP Cloud ALM tenants is managed through SAP Managed Connectivity. Administrators need to activate data collection in the CSA application.
More information here.
Navigating the CSA Data Stores Application
The CSA Data Stores application offers various perspectives for analysing configuration data:
Store Browser: Shows all configuration stores grouped by system or service type. You can drill down into individual configuration items and view snapshot-based change history.Changes: Displays configuration changes over time for the selected scope, including a complete change history since data collection began.Search: Allows you to search across configuration keys and values for all connected systems and services.Administration: Provides an overview of data quality and availability, helping you quickly identify systems with missing or incomplete data.Validation (New): Evaluates collected configuration data against predefined security checks to give you a clear compliance status.
Introducing the Validation Application
Previously, CSA focused mainly on collecting and monitoring configuration data. With the Validation application (introduced in early October), you can now perform automated compliance checks.
Key features:
SAP-delivered, pre-shipped security checksChecks are active by defaultChecks apply at the service or system type level, not individual systems
The list of supported checks depends on the service or system type.
Validation Overview: Your Compliance Dashboard
This page displays compliance status for all configured systems and services, providing a compliance score based on active checks.
Important notes:
Only the latest evaluation results are displayedResults appear only if:Data collection was successfulRelevant checks are activeYou are authorised via the Active Content List (ACL)
Selecting a system takes you directly to the detailed Check Results page.
CSA Navigation Concept
CSA follows a simple, three-level navigation model:
Landscape Level – Overall compliance statusService/System Level – Validation results per systemCheck Level – Detailed analysis of individual security checks
This structure makes it easy to move from high-level insights to technical details.
Configuring and Activating Checks
Administrators can manage which checks contribute to the compliance score by navigating to the Configuration page and activating or deactivating required checks.
Note: Pre-shipped checks cannot be modified. Only their activation status and scope can be managed.
If no scope is assigned, the check is applied to all systems of the selected type.
Data Collection Scope Options
Data collection can be enabled at:
Service levelTechnical system levelLogical system level
If enabled at the technical system level, at least one client must be selected. However, CSA always displays data at the technical system level.
Enhanced Checks Overview and Card View
The Checks Overview page lists all available checks per service or system type.
Additionally, the Data Stores card view now shows:
Compliance distributionCompliance percentageOverall status based on the worst compliance result
This allows you to quickly identify critical systems directly from the overview.
Conclusion
The Configuration & Security Analysis application in SAP Cloud ALM offers a centralised, structured, and practical way to monitor and validate security configurations across SAP landscapes. With the introduction of the Validation application, administrators can now assess compliance using SAP-recommended checks and take informed actions to improve system security.
Now Over to You
How are you using Configuration & Security Analysis in SAP Cloud ALM today?
Share your experience or questions in the comments—we’d love to hear from you.
Also check,
For an IT administrator perspective ,
As SAP landscapes grow and become more hybrid, maintaining secure and compliant system configurations is no longer a one-time task—it’s an ongoing responsibility. As an IT administrator, you need clear visibility into system configurations, early identification of security risks, and an easy way to validate compliance with SAP security recommendations.The Configuration & Security Analysis (CSA) application in SAP Cloud ALM is designed to support exactly this. This blog walks you through how CSA works, how data is collected, how to navigate the application, and how to use the new Validation functionality to assess compliance.What is Configuration & Security Analysis?Configuration & Security Analysis provides a central place to monitor and validate security-relevant configurations across your SAP landscape, including:SAP cloud-based applicationsSAP Business Technology Platform (BTP) servicesSAP Application Server ABAP systemsCSA continuously collects configuration data and compares it against SAP Security Recommendations and Security Baseline Templates. This allows administrators to detect configuration gaps early—before they become security incidents.Where Configuration Data is StoredAll collected configuration and security data is stored in the Configuration & Change Database (CCDB), which runs on SAP HANA. The CSA Data Stores app in SAP Cloud ALM gives you access to this data in a structured and easy-to-analyse way.How Data is CollectedOn-Premise ABAP SystemsFor systems such as SAP S/4HANA, CSA uses an HTTP-based Push Receiver approach:Install required add-ons: ST-A/PI and ST-PIActivate the CSA use case using transaction /n/SDF/ALM_SETUPConfiguration data is automatically pushed to SAP Cloud ALM on a daily basisIn case of troubleshooting, CSA-related logs can be analysed using ,Transaction: SLG1, Object: /SDF/CALM, Sub-object: CSASAP Cloud ServicesData collection for SAP Cloud ALM tenants is managed through SAP Managed Connectivity. Administrators need to activate data collection in the CSA application.More information here.Navigating the CSA Data Stores ApplicationThe CSA Data Stores application offers various perspectives for analysing configuration data:Store Browser: Shows all configuration stores grouped by system or service type. You can drill down into individual configuration items and view snapshot-based change history.Changes: Displays configuration changes over time for the selected scope, including a complete change history since data collection began.Search: Allows you to search across configuration keys and values for all connected systems and services.Administration: Provides an overview of data quality and availability, helping you quickly identify systems with missing or incomplete data.Validation (New): Evaluates collected configuration data against predefined security checks to give you a clear compliance status.Introducing the Validation ApplicationPreviously, CSA focused mainly on collecting and monitoring configuration data. With the Validation application (introduced in early October), you can now perform automated compliance checks.Key features:SAP-delivered, pre-shipped security checksChecks are active by defaultChecks apply at the service or system type level, not individual systemsThe list of supported checks depends on the service or system type.Validation Overview: Your Compliance DashboardThis page displays compliance status for all configured systems and services, providing a compliance score based on active checks.Important notes:Only the latest evaluation results are displayedResults appear only if:Data collection was successfulRelevant checks are activeYou are authorised via the Active Content List (ACL)Selecting a system takes you directly to the detailed Check Results page.CSA Navigation ConceptCSA follows a simple, three-level navigation model:Landscape Level – Overall compliance statusService/System Level – Validation results per systemCheck Level – Detailed analysis of individual security checksThis structure makes it easy to move from high-level insights to technical details.Configuring and Activating ChecksAdministrators can manage which checks contribute to the compliance score by navigating to the Configuration page and activating or deactivating required checks.Note: Pre-shipped checks cannot be modified. Only their activation status and scope can be managed.If no scope is assigned, the check is applied to all systems of the selected type.Data Collection Scope OptionsData collection can be enabled at:Service levelTechnical system levelLogical system levelIf enabled at the technical system level, at least one client must be selected. However, CSA always displays data at the technical system level.Enhanced Checks Overview and Card ViewThe Checks Overview page lists all available checks per service or system type.Additionally, the Data Stores card view now shows:Compliance distributionCompliance percentageOverall status based on the worst compliance resultThis allows you to quickly identify critical systems directly from the overview.ConclusionThe Configuration & Security Analysis application in SAP Cloud ALM offers a centralised, structured, and practical way to monitor and validate security configurations across SAP landscapes. With the introduction of the Validation application, administrators can now assess compliance using SAP-recommended checks and take informed actions to improve system security.Now Over to YouHow are you using Configuration & Security Analysis in SAP Cloud ALM today?Share your experience or questions in the comments—we’d love to hear from you.Also check, For an IT administrator perspective ,https://community.sap.com/t5/technology-blog-posts-by-sap/exploring-configuration-and-security-analysis-in-sap-cloud-alm-it-admin/ba-p/14295218 Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
