BCS Security & GRC FAQs
Answers to common questions on security and GRC-related issues
Why do we need measurement standards-based QCI calculations in the SAP Oil, Gas, and Energy system?
SAP Oil, Gas, and Energy (SAP OG&E) comes with an open interface – the Quantity Conversion Interface (QCI).
- SAP OG&E does not deliver any validated, measurement standards-based quantity conversion solution for the QCI
- Business processes require thousands of quantity conversions per day
- For a multitude of units of measure (UoM) of various quantities (SAP dimensions) such calculations must be performed – e.g. for gross & net standard masses, gross & net standard weights, gross standard & observed volumes, net standard & observed volumes, superior and inferior energies etc.
Why should I retire my SAP Oil, Gas and Energy “CALL SYSTEM” “API-C” usage?
As described in the blog article “Complete compromise of an SAP system” (SecurityBridge Group 2024), if one member of the “Operating System – Database – SAP System” trio falls, they all fall.
Gaining access to “rsbdcos0” is named as a method by which operating system calls could be executed by an SAP user, but why bother when “CALL SYSTEM” is being used?
“CALL SYSTEM” can be used in a legacy SAP Oil, Gas, and Energy (SAP OG&E) system environment to execute external files (generally referred to as “API-C” calculations), creating the risk of an uncontrolled “bridge” within an ERP-level SAP OG&E system to trigger operating system (OS) –
What is CTP and CTG?
CTP stands for “Compliance & Transparency – Petroleum”. CTP is an integral part of BCP, delivered with QuantityWare BCS, programmed in SAP ABAP.
CTG stands for “Compliance & Transparency – Gas”. CTG is an integral part of BCG, delivered with QuantityWare BCS, programmed in SAP ABAP.
CTP and CTG provide BCS consultants and customers the ability to analyze, document and govern quantity conversion configurations and calculations (legacy SAP QCI configurations as well as state-of-the-art BCS configurations) from a central,
How does the QCI tolerance check for manual/external quantity value entry work?
SAP QCI conversion groups, as well as the MQCI conversion groups, support direct entry of quantity values from external systems, e.g. TAS systems.
The external values may have been calculated or determined in an unknown way, but are believed to be trustworthy and are thus required in the SAP system as is. Once entered into the SAP system, they are compared with the SAP QCI / MQCI calculated results, which are defined by the SAP QCI/MQCI conversion group configuration – based on well-defined measurement standards implementations defined in your BCS implementation project.
If deviations occur,
Why is it necessary to use the QuantityWare service portal?
QuantityWare usage contracts define the QuantityWare Service Portal (https://service.quantityware.com) as the single channel of communication for all service issues.
Note: QuantityWare internal security policies explicitly forbid QuantityWare staff to send e-mails with attachments to customers or prospective customers.
The QuantityWare Service Portal provides the following advantages:
- Secure (HTTPS-encrypted) document transfer and communications
- Monitoring by multiple members of the QuantityWare team
- Easily accessible history of past queries
- In line with good business practices (transparency and accountability)
Contact your organization’s “Cust.
Are there QuantityWare BCS specific authorization roles available for the Petroleum and Gas Measurement Cockpit?
Yes.
All details are available in QuantityWare note 000056.
I receive a SAINT and SPAM (OCS) "Signature file missing" message, what does this mean?
As described in SAP Note 2645739, third parties working with SAP whose Add-On packages are not delivered by SAP through the SAP Software Download Portal have no access to SAP digital signature technologies.
QuantityWare has a high commitment to security and provides SHA-512 checksums for all files which can be downloaded from the QuantityWare Service Portal. Ensure that the checksum(s) of your downloaded package(s) and those published in the service portal match, before applying the package(s) in question.
Consult the SPAM / SAINT online documentation regarding the workaround for this issue:
((More →) Extras → Settings → Load Packages → Check Archive Signature).
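One way to perform the checksum comparison described above before applying packages. This is an added example, not QuantityWare or SAP code; the file names and sample contents are constructed placeholders, and the published checksums are assumed to have been copied by hand from the service portal.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

SHA512_HEX = re.compile(r"[0-9a-f]{128}")

def sha512_of(path, chunk_size=1 << 20):
    """Hash in chunks so large archives are never read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalise(published):
    """Remove whitespace and case differences introduced by copy and paste."""
    value = re.sub(r"\s", "", published).lower()
    if not SHA512_HEX.fullmatch(value):
        raise ValueError("expected 128 hexadecimal characters")
    return value

def verify_packages(published, directory):
    """Return {file name: status}; only "match" means the file is as published."""
    results = {}
    for name, checksum in published.items():
        path = Path(directory) / name
        try:
            expected = normalise(checksum)
        except ValueError:
            results[name] = "malformed published checksum"
            continue
        if not path.is_file():
            results[name] = "file missing"
            continue
        same = hmac.compare_digest(sha512_of(path), expected)
        results[name] = "match" if same else "MISMATCH"
    return results

def all_verified(results):  # True only if every listed package matched
    return bool(results) and all(s == "match" for s in results.values())

if __name__ == "__main__":
    # Constructed sample: two stand-in files, one altered after "publication".
    with tempfile.TemporaryDirectory() as d:
        Path(d, "package_a.bin").write_bytes(b"constructed package A")
        Path(d, "package_b.bin").write_bytes(b"constructed package B, altered")
        published = {
            "package_a.bin": hashlib.sha512(b"constructed package A").hexdigest().upper(),
            "package_b.bin": hashlib.sha512(b"constructed package B").hexdigest()}
        results = verify_packages(published, d)
        print(results, "apply:", all_verified(results))
```

A truncated or mistyped published value is reported as malformed rather than as a mismatch, so a copy-and-paste error is not mistaken for a tampered download.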