SAP Security Tutorial

Securing business data or intellectual operations is a challenging task for any organization. Nowadays, ERP-based organizations prefer to adopt their own set of security processes. SAP security is one such module, required to protect SAP systems and critical data from unknown or unauthorized access during data transmission between distributed environments. This article covers an introduction to SAP security, its purposes, user authentication, security in network communications, and SAP security on UNIX and Windows platforms. Let’s start the journey of this exciting topic.

Introduction to SAP security:

SAP security is one of the essential function modules required to secure the SAP system and its critical data from unauthorized access while data is transferred in distributed environments. SAP security enables organizations to maintain and review profile policies and system policies locally or remotely. To secure your system, it’s important to understand the user access policies, data encryption, authorization methods, and profile policies. SAP security enables you to regularly check the “SAP system landscape” and keep an eye on the changes you make to the configuration and access profiles. With the help of SAP security, standard super-users, user profile parameters, and their values will be well protected.


Why is security required?

The following are a few scenarios that explain the need for SAP security:

  • Data leaked during transmission to remote systems, lack of password policies, poorly maintained superuser profiles, and many more reasons.
  • Strong password policies are not maintained in the organization.
  • Profile parameters are not properly defined in the system.
  • Policies for unsuccessful login attempts and user sessions are not well defined.
  • Network communication security is not maintained while sending data over the internet or intranet, and encryption keys are not properly maintained.
  • Database users are not properly maintained, and no security measures were considered while performing system configurations or installations.

To overcome all the above problems, we need a security system that defines the security policies in the SAP environment. Database security is one of the severe problems that commonly occur, so it’s mandatory to maintain the database users and check whether the passwords are well protected.

Below are the important security mechanisms that should be applied in SAP system environments:

  • User Authentication management.
  • Network communication security management
  • Protecting the super users and standard users
  • Unsuccessful login protections.
  • Well-maintained profile parameters and password policies.
  • Adaptation of SAP security policies in Unix and Windows platforms.
  • Maintaining single sign-on (SSO) concepts.

The following image gives you a complete idea of SAP security policies:

[Image: SAP security policies]

Benefits of the SAP security in the organizations:

The following are the key benefits of SAP security in the organization:
  • Reduces the risk of granting inappropriate access through the application of a standard role design approach.
  • Reduces fraud and compliance risk through close management of the powerful IDs.
  • Visibility and auditing of the superuser access that includes automation of the processes to log, review, and approve the activities performed with superuser access.
  • Offers full automation of user administration and secure role processes, including workflow for requesting, reviewing, and approving changes to user access and SAP security roles.
  • Elimination of time-consuming and manual activities during the access approval process.
  • Increased reliance on preventive security controls (as opposed to detective reporting controls) to maintain clean SAP control environments.
  • Implementation of an overall information governance framework.

User Authentication and Management in the SAP Security system:

Let me explain a common scenario that we face every day: an unauthorized user accesses the SAP system under the identity of a known authorized user and tries to make configuration changes or manipulate the system configuration and key policies. If an authorized user can access the system and important data, there is a chance that unauthorized users can also access other critical information. To reduce such scenarios, we need an authorized and secured system.

The user authentication mechanism in the SAP Security system:

Here are a few of the authentication methods provided:

  • User Id and User management tools.
  • Securing the network communications.
  • SAP logon tickets.
  • X.509 Client certificates.

User Id and User management tools:

The most common method of accessing the SAP system is with a user ID and password. User IDs are created by system administrators. SAP offers various parameters to define the password policies, such as password length, password complexity, and default password change.
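The password and failed-logon parameters mentioned above are set as `name = value` lines in the SAP profile files. The following audit script is an added example, not part of the original article: the `login/*` names are standard SAP profile parameters, while the baseline limits and the sample profile are assumptions constructed for the illustration.

```python
# Baseline limits are assumptions for this example (not SAP defaults and
# not values from the article): parameter -> (comparison, limit).
BASELINE = {
    "login/min_password_lng": (">=", 8),            # minimum password length
    "login/min_password_digits": (">=", 1),         # digits required
    "login/min_password_letters": (">=", 1),        # letters required
    "login/min_password_specials": (">=", 1),       # special characters required
    "login/password_expiration_time": ("<=", 90),   # days until forced change
    "login/fails_to_session_end": ("<=", 3),        # failed logons before session ends
    "login/fails_to_user_lock": ("<=", 5),          # failed logons before user lock
}

# Constructed sample profile; the SID and all values are invented.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/min_password_digits = 1
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/fails_to_session_end = 3
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(params):
    """Return a sorted list of (parameter, finding) for baseline violations."""
    findings = []
    for name, (op, limit) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "not set in profile; kernel default applies"))
        elif not raw.isdigit():
            findings.append((name, f"non-numeric value {raw!r}"))
        else:
            value = int(raw)
            # For "<=" limits, 0 is a failure: an expiration time of 0 means never.
            ok = value >= limit if op == ">=" else 0 < value <= limit
            if not ok:
                findings.append((name, f"value {value} violates {op} {limit}"))
    return sorted(findings)
```

Calling `audit(parse_profile(SAMPLE_PROFILE))` on the sample reports the short minimum length, the two unset complexity parameters, the disabled password expiry, and the overly generous lock threshold.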


User management tools in the SAP system:

The SAP NetWeaver system offers various user management tools that help to manage users in the environment. They also provide a strong authentication service for NetWeaver applications such as Java and ABAP.

User management for the application server in ABAP (use the transaction code: SU01):

[Image: User management tools in the SAP system]

Network communication security:

Network communication security is used to log in to an application server by using a secured authentication method. You can also use SNC (Secure Network Communication) for user authentication, which can be done through SAP GUI (graphical user interface) for Windows or by using RFC (remote function call) connections.

Network communication security makes use of various network topologies that eliminate threats and prevent network attacks.

A well-defined network topology doesn’t allow intruders to connect to the organization’s LAN (local area network), hence there are no security loopholes on the network services.

In the following image, you can see the network topology;

[Image: Network communication security]

It is always good to place your database and application server in a separate VLAN (Virtual LAN). This improves access control and increases the security of the SAP system. Frontend SAP systems are implemented in different VLANs, so it’s not easy to get into the separate server VLAN and thereby bypass the security of the SAP system.

In your SAP system, the most commonly targeted areas of network attacks are the landscape, the application servers, and the database. On Windows/UNIX, these network services are maintained in a separate file, /etc/services, as shown in the diagram below:

[Image: /etc/services]

SAP security- UNIX system:

When we talk about SAP security in the UNIX platform, the following are the important criteria that we should consider;

a. Password protection

b. Deactivating BSD remote services.

a. Password protection:

On the UNIX platform, an intruder or attacker can use a dictionary attack program to identify the passwords stored in the UNIX operating system. To avoid this, you can store your passwords in a shadow password file. Only the root user is able to access this file, which improves system security.

b. Deactivating BSD remote services:

BSD remote services allow remote access to UNIX systems. When a remote connection is initiated, the files /etc/hosts.equiv and $HOME/.rhosts are used. These files contain information about the hostname and IP address of the connection source, and may contain a wildcard character.

You can remove this threat scenario by deactivating the services in the file inetd.conf on the UNIX system, as shown below:

[Image: SAP security- UNIX system]
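The check and the change described in this section can be sketched as follows. This is an added example, not taken from the original article: it assumes the usual inetd.conf service names for the BSD remote services (`shell`, `login`, `exec`) and the `+` wildcard of hosts.equiv/.rhosts, and the sample file contents, hostnames and program paths are constructed.

```python
# BSD remote services as they are named in inetd.conf: rsh, rlogin, rexec.
R_SERVICES = {"shell", "login", "exec"}

# Constructed samples; hostnames, users and program paths are invented.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/in.rexecd   in.rexecd
"""
SAMPLE_HOSTS_EQUIV = """\
sapapp01.example.com
+ sapadm
+
"""

def active_r_services(inetd_text):
    """Return the r-service names that are still enabled (not commented out)."""
    active = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if fields and fields[0] in R_SERVICES:   # '#login' never matches
            active.append(fields[0])
    return active

def disable_r_services(inetd_text):
    """Return inetd.conf text with every enabled r-service line commented out."""
    out = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if fields and fields[0] in R_SERVICES:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"

def wildcard_trust_entries(trust_text):
    """Return (line_no, entry) for hosts.equiv/.rhosts lines that use '+'."""
    hits = []
    for no, line in enumerate(trust_text.splitlines(), 1):
        # A bare '+' in the host or user field trusts every host or every user.
        if "+" in line.split():
            hits.append((no, line.strip()))
    return hits

if __name__ == "__main__":
    print("enabled r-services:", active_r_services(SAMPLE_INETD))
    print("wildcard trust entries:", wildcard_trust_entries(SAMPLE_HOSTS_EQUIV))
    print(disable_r_services(SAMPLE_INETD), end="")
```

After the real inetd.conf is edited, inetd has to reread its configuration (typically on SIGHUP) before the services actually stop being offered.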

SAP security- Windows platform:

On Windows, you need to create different users and groups to run the SAP system securely. It is always good to add all Windows NT users to user groups to ease the management tasks. In Windows, two types of user groups are used:

  • Global groups
  • Local groups

In the image below, you can see the global groups and local groups:

[Image: SAP security- Windows platform]

1. Global groups:

Generally, global groups are available in Windows at the domain level and can be used to assign users from multiple servers. You can choose the global group as per your requirements, although it is recommended to use the naming convention of the SAP R/3 system installation. The standard global group name available in the SAP system installation is SAP__GlobalAdmin.

The following are the commonly used global groups in Windows:

  • SAPadmin: this group consists of all the SAP administrators.
  • SAPusers: this group consists of all the SAP application users.
  • SAPservice: this group consists of a list of SAP system programs.
  • DomainGroups: this group consists of the list of all the SAP users who come under the Domain side.

2. Local groups:

Local groups are limited to one server in the Windows domain; however, they increase the security of the SAP environment.

The relationship between local and global groups is as follows:

  • A single user can be a part of the global group and a local group as well.
  • In a few cases, you can also include a global group in the local group.

You can create a local group with the following name:

SAP__LocalAdmin.

Standard users in a Windows platform:

Windows NT User −

  • Administrator − Administrator accounts with access to all the resources.
  • Guest − Only guest access to all the resources in the system.

SAP System User −

  • ADM SAP − System Administrator with full access to all SAP resources.
  • SAPService − Special user responsible to run SAP services.

Database Users −

  • − To run database-specific services on the Windows platform.
  • − Database user to perform general DB operations.

Final take:

This SAP security tutorial explains the fundamental concepts of SAP security, such as its introduction, benefits, purpose, user authentication, and SAP security in both Windows and UNIX environments. We hope our articles are helpful and reach many tech communities across the world.

Kavya Gowda
Research Analyst
Kavya works for HKR Trainings institute as a technical writer with diverse experience in many kinds of technology-related content development. She holds a graduate education in the Computer science and Engineering stream. She has cultivated strong technical skills from reading tech blogs and also doing a lot of research related to content. She manages to write great content in many fields like Programming & Frameworks, Enterprise Integration, Web Development, SAP, and Business Process Management (BPM).