Reading Sample Sappress 1481 Sap System Security Guide


First-hand knowledge.

Reading Sample
In these chapters you will learn how to secure SAP system clients
and how to log system activities and prepare for audits.

“Securing Clients”
“Auditing and Logging”

Contents

Index

The Authors

Joe Markgraf and Alessandro Banzer


SAP System Security Guide
574 Pages, 2018, $79.95
ISBN 978-1-4932-1481-5

www.sap-press.com/4307
Chapter 4
Securing Clients
Before reading this chapter, you must have a basic understanding of
the client concept in an SAP system. You must also understand how to
navigate within SAP GUI.

In an SAP NetWeaver system, all business data is isolated on the client level. This
means that users that work in one client can’t access the data of another client. This
architecture is ideal for shared systems that multiple organizations might use. It also
allows for the separation of different clients for different activities or use cases. For
example, testing clients and development clients could be created on the same SAP
installation to allow users to develop and test in the same system without getting in
each other’s way. Some organizations will choose to have multiple development clients,
or multiple test clients. Others will use different clients to separate HR and
finance activities. Some organizations will have each of their subsidiaries operate in
a separate client in the same master system.
Here are the basic rules that define clients:
• Clients can never read or write to other clients.
• The business data of a client is separated from other clients.
• Clients share the same SID but have different client numbers.
• Multiple clients may exist in an SAP system.
• Clients may be copied or deleted and won’t affect other clients.

How is a client different than just having another system? To start, multiple clients
can exist in a single system. A client will typically represent a separate organization
or company within an SAP system but share the same technical SAP NetWeaver
instance. Therefore, the overhead to maintain the instance is shared. However, some
organizations will adhere to a strict, productive single client per system. It all
depends on the architecture your organization has chosen.
You can think of clients as floors of an office building. Multiple organizations can
occupy offices on different floors in an office building. All the building tenants share

4 Securing Clients 4.1 Client Settings

the same infrastructure (power, water, Internet, heating), but they operate as separate
entities isolated from each other by the floor and ceiling. What’s said on one floor
isn’t overheard on another. A disruption on the top floor won’t affect the bottom floor.
One key takeaway from this example is that in the office building some infrastructure
is shared; in an SAP system, this shared infrastructure is called client-independent.
Client-independent objects or tables are common for all clients. On the other hand,
client-dependent objects are never shared with other clients.

Client-Dependent Database Tables: MANDT Field
The technical table field that denotes a client is the MANDT field. This field is present in
all client-dependent tables. Client-independent tables don’t have a MANDT field and
represent any and all clients. Use care when changing client-independent tables as
they affect all clients.

Most SAP NetWeaver systems have at least two clients, if not more. To identify what
clients exist in your SAP system, simply look at table T000, the clients table (see Figure
4.1).

Figure 4.1 Table T000: Client List

Common clients you will see are client 000, client 001, and client 066. These clients
are usually delivered/created by SAP. You may see more or fewer clients, depending
on how your SAP system has been set up. You’ll also see one or more productive
clients, or clients that contain your business data. These are clients that your users
will log in to and perform work on. Later in this chapter (Section 4.1.3), we’ll cover
more about securing clients, but for now let’s explore the basics.
Now that you’re familiar with the concept of multiple clients, let’s explore the possible
settings for each client. Some clients will be used to change code, others could be used
for testing, and some will always be used by business end users in production. Client
settings tell the SAP system what’s allowable and what’s restricted in each of these clients.
In a production or testing client, you wouldn’t want a developer to be able to change
objects. On the other hand, in a development client you would want this activity to be
allowed. Settings like this are what we use to achieve a desired client scenario. In Section
4.1, we’ll walk through how to check the current settings for a client.
As security administrators, we’re interested in client settings because we’d like to
prevent users from being able to change objects unless absolutely necessary. Even if
the client settings are correct in one client, an errant setting in another client could
lead to changes being made and passed to another client within the same system,
even if that client had the correct settings. It’s imperative that client settings are
closely managed for all clients within both an SAP system and all SAP systems within
a landscape.
From time to time an administrator may be asked to change the settings of a client.
This activity should always be done temporarily because a client should have a steady
state in which its settings are fixed. Often, clients are opened for simple changes and
are then forgotten about and stay open until the next audit—or even worse, a malicious
user—discovers the issue. Take care not to let this happen in your organization.

4.1 Client Settings

It’s important for a security administrator to know and understand the different possible
client settings and what they may be used for. Before we explore specific settings
in depth, let’s walk through how to check client settings in the system.
To check client settings, follow these steps:
1. Navigate to Transaction SCC4 (see Figure 4.2).
2. Double-click the client you’d like to view. For this example, client 001 has been
   selected (Figure 4.3).

Now that you know how to navigate to these settings, let’s explore the information
on this screen in more detail.

Figure 4.2 Transaction SCC4: Display Clients

Figure 4.3 Details of Client 001 in a Demo System

4.1.1 Client Setting Fields

When viewing a client’s settings, you’ll see the following fields:
• Client number
  This is a three-digit number that identifies the client within the system. This must
  be unique and is assigned when the client is created.
• Client name or short text
  Each client can have a short name assigned to it that helps identify it.
• City
  The city designation helps differentiate different clients when multiple organizations
  or divisions are used.
• Logical System
  The logical system is a technical identifier that comes into play when using
  system-to-system communication. It’s very important to have a proper logical system
  name defined.
• Currency
  This field denotes what standard currency the client uses.
• Last Changed By
  This field denotes which user last changed the settings of the client. It is often
  checked for auditing purposes.
• Date
  This field denotes the date the client was last changed.
• Client Role
  Possible choices are as follows:
  – Production
    For the active use of business users. It’s essential that no changes are made in
    this client.
  – Test
    Developers use this client setting to test their Customizing settings and workbench
    developments.
  – Customizing
    For the creation of Customizing settings and workbench developments.


  – Demo
    For demonstration or prototyping purposes.
  – Training/Education
    Typically used to train users on changes before import into production.
  – SAP Reference
    Clients used by SAP.
• Changes and Transports for Client-Specific Objects
  Client-specific objects have values based on a client value. This means that a
  client-specific object can have a different value based on what client it’s contained in.
  These options cover changes to these objects and how they’re transported using
  the transport system. Possible choices are as follows:
  – Changes without automatic recording
    This means that changes in the customizing settings of the client are allowed.
    They aren’t automatically captured in a transport for moving to other systems
    or clients. Changes can be manually transported to other clients or systems.
  – Automatic recording of changes
    This means that changes to the customizing settings of the client are allowed.
    They’re automatically captured in a transport for moving to other systems or
    clients.
  – No changes allowed
    Changes to the customizing settings of the client aren’t allowed with this setting.
  – Changes w/o automatic recording, no transports allowed
    Changes are allowed to the customizing settings of the client but may not be
    transported with this setting.
• Cross-Client Object Changes
  Cross-client objects have a single value for the entire system. This means that
  cross-client objects have the same value regardless of what client the user’s logged into.
  These options cover changes to these objects and how they’re transported using
  the transport system. Possible choices are as follows:
  – Changes to repository and cross-client customizing allowed
    There are no restrictions on the changes of cross-client objects for the client
    when this setting is used. Both cross-client Customizing objects and objects of
    the SAP repository can be changed.
  – No changes to cross-client customizing objects
    Cross-client Customizing objects can’t be changed in a client with this setting.
  – No changes to repository objects
    Objects of the SAP repository can’t be maintained in a client with this setting.
  – No changes to repository/cross-client customizing objects
    Combination of both previous restrictions: neither cross-client Customizing
    objects nor objects of the SAP repository can be changed in a client with this setting.
• CATT and eCATT Restrictions
  This setting either allows or restricts the Computer-Aided Test Tool (CATT) and
  enhanced CATT (eCATT), which are scripting utilities used for automated testing.
  This setting either permits these scripts to run or prevents them from doing so.
• Restrictions
  This setting outlines other restrictions that can be made to the client. The options
  are:
  – Locked due to client copy
    This checkbox will indicate when the client is locked against logon. It’s used
    during a client copy to prevent data changes during the copy. It’s not a selectable
    box because it only indicates status.
  – Protection against SAP Upgrade
    This checkbox will prevent an upgrade from taking place on this client when the
    system itself is being upgraded. It’s only used in exceptional cases.

4.1.2 Suggested Client Settings

Table 4.1 through Table 4.4 list the suggested client settings for typical use cases. To
summarize, production and test clients shouldn’t be open to changes. However,
development clients should be because their purpose is to implement changes. As
always, client 000 should also be protected from changes because it’s the SAP-delivered
reference client.

Settings                              Client 000, Any System
Client role                           SAP reference
Changes to client-specific objects    No changes allowed

Table 4.1 Suggested Client Settings for Client 000 in All Systems


Changes to cross-client objects       No changes to SAP repository or Customizing
Client copy protection                Protection level 1: no overwriting

Table 4.1 Suggested Client Settings for Client 000 in All Systems (Cont.)

Settings                              Productive Clients
Client role                           Production
Changes to client-specific objects    No changes allowed
Changes to cross-client objects       No changes to SAP repository or Customizing
Client copy protection                Protection level 1: no overwriting

Table 4.2 Suggested Client Settings for Productive Clients

Settings                              Testing Clients
Client role                           Test
Changes to client-specific objects    No changes allowed
Changes to cross-client objects       No changes to SAP repository or Customizing
Client copy protection                Protection level 0: no restrictions

Table 4.3 Suggested Client Settings for Testing Clients

Settings                              Development Clients
Client role                           Customizing
Changes to client-specific objects    Changes are automatically recorded
Changes to cross-client objects       Changes allowed to SAP repository or Customizing
Client copy protection                Protection level 1: no overwriting

Table 4.4 Suggested Client Settings for Development Clients

4.1.3 Changing Client Settings

Now, let’s walk through how to change client settings. Follow these steps:
1. Navigate to Transaction SCC4.
2. In the upper-left menu, click Table View, then select Display • Change (Figure 4.4).

Figure 4.4 Change Table View

3. The system will prompt you with a warning about the table being cross-client
   (Figure 4.5). Click the check button to proceed.

Figure 4.5 Cross-Client Warning


4. Double click on the row of the client you’d like to change settings for (Figure 4.6).

Figure 4.6 Select Client to Change Settings

5. The system will now display, in change mode, the settings for the client you have
   selected (Figure 4.7).

Figure 4.7 Change Mode in Transaction SCC4

6. Once you’ve made your changes, click the Save icon.

Depending on your chosen client settings, you may see a transport request. This is to
ensure that your settings can be moved to any other systems you choose. If you don’t
want to transport your client settings, delete the transport that you create to contain
this change.

4.2 Client Logon Locking

Occasionally, you’ll need to lock a client. This may be for an upgrade or a system
maintenance activity. Locking the client will prevent users from logging into the client
that is locked. A similar effect can be gained by locking all users in a client using
Transaction SE10, but the method described in this section is more quickly implemented.
Locking using Transaction SE10 will be covered in Chapter 6.

Remote Locking
This procedure can be done in any client, to any client, or with an RFC connection to a
remote system with the proper authorizations.

To lock a client and prevent logon, follow these steps:
1. Navigate to Transaction SE37.
2. Enter the Function Module name "SCCR_LOCK_CLIENT" and click the Test/Execute
   button in the toolbar (Figure 4.8).

Figure 4.8 Enter Lock Client Function Module Name


3. Enter the number of the client for which you’d like to prevent logon (Figure 4.9).
   Click the Execute button in the toolbar.

Figure 4.9 Enter Number of Client to Lock

Now, if a user attempts to access the locked client, he will receive the notification
seen in Figure 4.10.

Figure 4.10 Client Locked against Logon Notification

To unlock a client, follow these steps:
1. Navigate to Transaction SE37.
2. Enter the Function Module name “SCCR_UNLOCK_CLIENT” and click the Test/Execute
   button in the toolbar (Figure 4.11).

Figure 4.11 Enter Unlock Client Function Module Name

3. Enter the number of the client you’d like to unlock for logon (Figure 4.12). Click the
   Execute button in the toolbar.

Figure 4.12 Enter Number of Client to Unlock


4.3 Summary
In this chapter, you learned about client settings and how they’re used to control
what’s allowed in each client. We covered what settings are appropriate in specific client
roles and what the production client should be set to. You also learned how to
lock users out of a client and how to reverse that lock.
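The following is an added example, not code from the book or from SAP: a small Python check that compares exported client settings against the suggested settings of Tables 4.1 through 4.4 (Section 4.1.2) and also flags the landscape-level risk described in Section 4.1, where a single client that has been left open exposes the cross-client objects of a productive client in the same system. The records are constructed and are keyed by the SCC4 field labels rather than the technical T000 column names (MANDT is the one column name the chapter gives); the roles Demo and Training/Education have no suggested table in the chapter and are reported for manual review.

```python
"""Added example: compare exported SAP client settings with the suggested
settings of Tables 4.1 through 4.4. Not code from the book or from SAP. The
records are constructed and keyed by the SCC4 field labels rather than the
technical T000 columns (MANDT is the one column name the chapter gives)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SETTINGS = ("client_specific", "cross_client", "copy_protection")
LOCKED = ("No changes allowed", "No changes to SAP repository or Customizing")
CROSS_CLIENT_OPEN = "Changes allowed to SAP repository or Customizing"

# Suggested values per client role, in SETTINGS order, transcribed from the tables.
SUGGESTED = {
    "SAP reference": (*LOCKED, "Protection level 1: no overwriting"),  # Table 4.1
    "Production": (*LOCKED, "Protection level 1: no overwriting"),     # Table 4.2
    "Test": (*LOCKED, "Protection level 0: no restrictions"),          # Table 4.3
    "Customizing": ("Changes are automatically recorded",               # Table 4.4
                    CROSS_CLIENT_OPEN, "Protection level 1: no overwriting"),
}


@dataclass(frozen=True)
class ClientSettings:
    sid: str               # system ID; all clients of one system share it
    mandt: str             # client number (field MANDT)
    role: str              # Client Role
    client_specific: str   # Changes and Transports for Client-Specific Objects
    cross_client: str      # Cross-Client Object Changes
    copy_protection: str   # Client copy protection


def check_client(c: ClientSettings) -> list[str]:
    """Findings for one client, compared with the baseline for its role."""
    findings: list[str] = []
    if c.mandt == "000" and c.role != "SAP reference":
        findings.append(f"role is '{c.role}', but client 000 is the SAP reference client")
    baseline = SUGGESTED.get(c.role)
    if baseline is None:  # Demo and Training/Education have no table in the chapter
        findings.append(f"no suggested baseline for role '{c.role}'; review manually")
        return findings
    for setting, expected in zip(SETTINGS, baseline):
        actual = getattr(c, setting)
        if actual != expected:
            findings.append(f"{setting}: '{actual}' (suggested: '{expected}')")
    return findings


def check_systems(clients: list[ClientSettings]) -> dict[str, str]:
    """Cross-client objects are shared by every client of a system, so one client
    that allows cross-client changes exposes the productive clients in the same
    SID even when their own settings are correct."""
    by_sid: dict[str, list[ClientSettings]] = defaultdict(list)
    for c in clients:
        by_sid[c.sid].append(c)
    findings: dict[str, str] = {}
    for sid, members in by_sid.items():
        productive = [c.mandt for c in members if c.role == "Production"]
        open_clients = [c.mandt for c in members if c.cross_client == CROSS_CLIENT_OPEN]
        if productive and open_clients:
            findings[sid] = (f"productive client(s) {', '.join(productive)} share the system "
                             f"with client(s) {', '.join(open_clients)} that allow cross-client changes")
    return findings


def audit(clients: list[ClientSettings]) -> dict[str, list[str]]:
    """Per-client findings keyed 'SID/MANDT' plus per-system findings keyed 'SID'."""
    report: dict[str, list[str]] = {}
    for c in clients:
        if findings := check_client(c):
            report[f"{c.sid}/{c.mandt}"] = findings
    for sid, finding in check_systems(clients).items():
        report.setdefault(sid, []).append(finding)
    return report


# Constructed sample export of two systems (real values would come from T000 / SCC4).
SAMPLE = [
    ClientSettings("PRD", "000", "SAP reference", *LOCKED, "Protection level 1: no overwriting"),
    ClientSettings("PRD", "100", "Production", *LOCKED, "Protection level 1: no overwriting"),
    # Test client opened for a quick change and never closed again:
    ClientSettings("PRD", "200", "Test", "No changes allowed", CROSS_CLIENT_OPEN,
                   "Protection level 0: no restrictions"),
    ClientSettings("DEV", "000", "SAP reference", *LOCKED, "Protection level 1: no overwriting"),
    ClientSettings("DEV", "100", "Customizing", "Changes are automatically recorded",
                   CROSS_CLIENT_OPEN, "Protection level 1: no overwriting"),
]

if __name__ == "__main__":
    for key, items in sorted(audit(SAMPLE).items()):
        print(key)
        for item in items:
            print("  -", item)
```

Run against the constructed sample, the only per-client finding is the open cross-client setting of PRD client 200, and the per-system finding for PRD shows why that matters even though client 100 itself is configured exactly as Table 4.2 suggests.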
In the next chapter, you will learn about the set of executables that make up the SAP
NetWeaver AS ABAP system, called the kernel. The kernel is an integral part of the system
that administrators must keep up to date.

Chapter 11
Auditing and Logging
To keep a system secure, it’s essential to have eyes on all parts of the
system and the changes being made therein. Security audit logging
records all security events for later analysis; table logging records
changes made to tables, including when the changes were made and
by whom. In this chapter, you’ll learn to configure and enable security
audit logging and table logging.


Certain activities in the SAP system are periodically checked and reviewed by an auditor.
Therefore, you must ensure that those activities are recorded in the system. The
security audit log provides a framework to record security-related events in the system—for
example, Remote Function Calls (RFCs), logon attempts, changes to the
audit configuration, and so on. The security audit log doesn’t log changes to the data
within the SAP system that are stored in the database. However, with the table-logging
functionality, you can record changes to a table. It’s not recommended to log all
table changes—only the ones that are considered important and hence for which
changes must be traceable. For example, important tables include table T000 (clients),
table TCUR (exchange rates), and others.
To analyze the workload of the SAP system, you can use the Workload Monitor, which
is also a neat tool to analyze a user’s history. The Workload Monitor records historical
usage data and allows you to drill down on a user level.
As data protection laws gain ground, protecting your data becomes more and more
important. To protect the privacy of and personal information in your SAP system,
along with sensitive and classified data, you can use Read Access Logging (RAL) to
record read activity.
In this chapter, you’ll learn how the different logging functionalities work, what
makes them unique, and the impact on your system.

11 Auditing and Logging 11.2 Internal Audits

11.1 External Audits

Often, a security administrator will find herself being asked to help with an external
audit. Before we tackle the task of assisting with an audit, first we’ll cover what these
audits do for a company.
External audits are typically financial; that is, they center on the financial records of
the company. These audits typically focus on any customer running the SAP ERP or
SAP S/4HANA finance functionality on SAP NetWeaver AS ABAP. Two common
audits that organizations go through are to check compliance with the Sarbanes-Oxley
Act (SOX) and the International Financial Reporting Standard (IFRS). Each of
these audits is performed by an external auditor, an organization outside of your own
that performs the audit. This organization will send one or several auditors who will
be tasked with observing and recording proof that the practices of your organization
comply with the controls required for your audit.
The Sarbanes-Oxley Act of 2002 set forth internal financial auditing controls in the
United States that must be adhered to when preparing financial information for
reporting purposes. US-based financial systems are routinely audited to SOX standards.
IFRS is an audit of accounting systems such that they can be compared between
countries reliably. It’s common to see IFRS audits performed for multinational
companies.
Besides these two, there are many other audits that vary country by country. These
auditing standards generally are prepared by a country’s government-mandated
accounting standards organizations and commonly follow Generally Accepted
Auditing Standards (GAAS).
The external auditor will be working off a set of controls, and the security administrator
will most likely be the person running the queries in the SAP system needed to
satisfy those controls. Most queries are run through the User Information System
(UIS; Transaction SUIM). We’ll cover the use of the AIS later in this chapter. Auditors
may also ask for the output of some standard reports, among other things.
Often, auditors may also ask for access to your system to run reports on their own.
Unless this is legally required, it’s a good idea to deny this request. When given the
choice, it’s a more efficient practice for the SAP security administrator to run queries
given to them by an auditor. This is done to keep the security administrator in control
of the scope of the audit. If an audit is for financial compliance, the auditor
should be looking at finance-related authorization objects. Too often, auditors are
given free access to a system, which tends to change the scope of the audit to whatever
the auditor feels like digging into.
Often, external audits are focused into categories similar to the following:
• Internal controls
• Network activity
• Database activity
• Login activity (success and failures)
• Account or user activity
• Information access

For each such category, the auditor will require proof that the controls for that category
are being applied. They may also ask for a random sample of users or transports,
or even provide a time frame and ask to see logs or proof that controls were being
adhered to for that time.

11.2 Internal Audits

Internal audits are performed by individuals within your own organization. Often,
they focus on preparing for an external audit. However, this isn’t always the case.
Internal audits can be used to ensure that a specific control or policy is being followed
by examining system activity, logs, or even user master records. This type of activity
is usually mandated by either the security administrator or an internal audit department
for the purposes of verification.
Quite often, when an internal audit is performed, the objective is to improve adherence
to the controls that will be followed for an external audit. This will often leave
the security administrator with a to-do list to satisfy the audit requirements. In addition,
the security administrator may be consulted to help create controls that will
help keep compliance such that it’s not a major effort when an external audit is performed.
One of the common tasks for an internally led audit is to manage the number of users
that have powerful authorizations, like SAP_ALL, or access to perform business-critical
tasks, like pay vendors or create accounts. This is done by evaluating the roles and
authorization objects that each user master record contains.
The internal audit is also a good time to determine the effectiveness of your general
security operations and process. Defining a set of controls and evaluating your


system and users based on those controls can help enforce a strong, consistent level
of security.

11.3 Auditing Tools

SAP systems are equipped with a set of tools that can be used for auditing. Such tools
include the security audit log, the system log, table logging, the Workload Monitor,
as well as Read Access Logging and the User Information System. All these tools can be
utilized to extract and analyze data about certain activities in the system, such as
who logged on to a system, who changed a certain table, who accessed certain data,
and more. We'll explore each of these tools in more detail in the next sections.

11.3.1 Security Audit Log

The security audit log (SAL) records security-related activities in the system, such as
changes to user master records, logon attempts, RFCs, and so on. This tool is designed
for auditors to log and review the activities in the system. With the SAL, an auditor
can reestablish a series of events that happened in the system.
The SAL offers wide flexibility in its usage. You can activate and deactivate it, as well
as change the filters as necessary. For example, you can activate the SAL before an
audit takes place and deactivate it once the audit has been performed. Also, you can
change the filters and, for example, monitor a user if you've detected suspicious
activity in the system.
The audit log must be activated before it can be used. To activate the audit log, you
have to specify which activities you want to record in the security audit log. The following
activities are available:
• Successful and unsuccessful dialog logon attempts
• Successful and unsuccessful RFC logon attempts
• RFCs to function modules
• Changes to user master records
• Successful and unsuccessful transaction starts
• Successful and unsuccessful report starts
• Changes to the audit configuration

In addition to these events, the security audit log also logs certain activities that
aren’t categorizable, such as the following:
• Activation and deactivation of the HTTP security session management or
  instances in which HTTP security sessions were hard-exited
• File downloads
• Access to the file system that coincides with the valid logical paths and file names
  as specified in the system (particularly helpful in an analysis phase to determine
  where access to files takes place before activating the actual validation)
• ICF recorder entries or changes to the administration settings
• The use of digital signatures performed by the system
• Viruses found by the Virus Scan Interface
• Errors that occur in the Virus Scan Interface
• Unsuccessful password checks for a specific user in a specific client

Once activated, the system will record the activities into a log file on the application
server.

Warning
Be cautious when activating the security audit log because it contains personal information
that may be protected by data protection regulations—especially with the
new GDPR regulation from the European Union but also other protection laws in
other regions. Make sure that you adhere to the regulations in your area.

Versions
Your SAP_BASIS component affects your version of the security audit log. With SAP
NetWeaver 7.5 SP 03 for SAP_BASIS, SAP has introduced new functionality in the
security audit log.
In the old version, the main transactions for the security audit log were Transactions
SM18, SM19, and SM20. In the new version, SAP introduced several new transactions:
• Transaction RSAU_CONFIG
  Maintenance of the kernel parameters and selection profiles relevant for the security
  audit log


• Transaction RSAU_CONFIG_SHOW
  Printable display version of Transaction RSAU_CONFIG
• Transaction RSAU_READ_LOG
  Audit log evaluation
• Transaction RSAU_READ_ARC
  Audit log evaluation in archive data
• Transaction RSAU_ADMIN
  Administration of integrity protection for files; reorganization of log data
• Transaction RSAU_TRANSFER
  File-based transfer of an audit profile

With the enhanced functionality and the new transaction codes, SAP delivers new
features as well:
• Save the audit log into the database, either in full or in part.
• Filter by user groups with the user attribute User Group for Authorization Check
  from the Logon Data tab in Transaction SU01.
• Increase the number of filters from 10 to 90.
• Check the file integrity.
• Use an enhanced authorization concept with authorization object S_SAL.
• An API for evaluating log data is provided with the class CL_SAL_ALERT_API.

Tip
If you use the new security audit log, we recommend locking the old transactions
with Transaction SM01_CUS in client 000. Parallel usage of the old and new functionality
is possible but not recommended.

Usage Scenarios
Depending on your requirements, you can define usage scenarios differently. With
the new security audit logging capability, you can define how and where you want to
store the audit log, as well as how to access it. With the old security audit log, you
could only save data on the file system of the application server; with the new functionality,
you can either save on the file system of the application server or in its database.
Also, shared scenarios are possible in which some parts will be stored in the
database and some in the file system.

Classical Approach
In the classical approach, similar to the old version, the audit log is only stored on the
file system of the application server. You can read the data from the file system, as
well as archive and delete old audit log files.

Database Logging
With the new functionality, it’s possible to save the audit log into the database. However,
system events are stored in the file system as well. Storing the audit log in the
database might result in a quick growth of table RSAU_BUF_DATA, which holds the data.
With the archiving object BC_SAL you can, however, archive the data in that table.
With the database, you have an improved experience when accessing the data
because it’s quicker and the requirements for data privacy are met.

Mixed Scenarios
With the enhanced functionality, you can also activate mixed scenarios in which you
generally save the logs on the file system but selective events in the database. When
saving selective events in the database, you can access the data faster, which results
in a significantly increased performance. That makes sense especially when using statistical
data or if you run large evaluations against the log data.
In a second scenario, you can use APIs to transfer data from the security audit log to
a central monitoring system (e.g., SAP Solution Manager). In that scenario, the SAL
saves the data in the file system of the application server. Certain events that are relevant
for the central monitoring systems, such as those to create alerts, are stored in
the file system and in database table RSAU_BUF_DATA. The API that transfers the data
will read the data from the table and then automatically delete it. Your logs are still
available in the file system but will be removed from the database table and hence
don’t require archiving activities in the database.

Configuration
The new security audit log offers an enhanced configuration via Transaction RSAU_CONFIG.
Let's explore configuration in detail now.
In general, the security audit log requires some parameters and the definition of filters
that define which events will be logged.
To define the parameters, enter Transaction RSAU_CONFIG and open the Parameter
folder (Figure 11.1).


Figure 11.1 Parameter Maintenance in Security Audit Log Configuration in Transaction RSAU_CONFIG

The following can be configured:
쐍 Activate or deactivate logging.
쐍 Define the recording target, whether it’s on the file system, in the database, or a combined recording in both the file system and database.
쐍 Define the number of filters per profile, up to 90.
쐍 Define if you’ll allow generic user selection with an asterisk (*) character in the filters.
쐍 Define if you log the IP address of the originator and not the terminal ID.
쐍 Activate or deactivate integrity protection format for log files in the file system.
쐍 Define the memory space usage when file system storage is used.
쐍 Define the recording type in the database, whether it’s temporary data or permanent data.

In the profiles, you define which events will be logged. To create a new profile or an additional profile, simply right-click the Static Configuration folder and choose Create New Profile. Once the profile is created, you can go ahead and define the settings. Remember that each profile must have at least one filter. To add additional filters, you can simply right-click the Profile folder and choose Create Filter.
Regardless of the filter you create and specify, it’s important to activate the filter once defined by clicking the Activate button (Figure 11.2). Only active filters will be selected at the next system start. You can define as many filters as you have defined in the parameter maintenance for each profile.

Figure 11.2 Activation of Filters in Transaction RSAU_CONFIG

Each filter that you add to a profile is linked via an OR connector. So, for example, if you have two filters, and the first filter logs everything for user group SUPER and the second filter everything for users starting with RFC*, then those two filters are OR linked. That means that all users that belong to user group SUPER and all users starting with RFC* will be logged. Note that user groups only allow for a specific value and that you can’t use wildcards as you can for the user name.
In the Standard Selection screen, shown in Figure 11.3, where you define the client and whether you want to restrict the logging of a user name or user group, you can select the user group either positively or negatively. Select by User Group (Positive) means that you will log all users that are part of that user group. If you use the negative selection, the system logs the events for all users who aren’t part of the user group. Possible scenarios for a negative selection can include wanting to log RFC function calls for all users who aren’t technical and hence aren’t part of a certain user group because those users shouldn’t perform RFCs.
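As an added illustration (not code from the book or from SAP), the following Python model shows how the filter rules just described combine: the filters of one profile are OR-linked, the user name accepts an asterisk wildcard, and the user group must be an exact value that can be selected positively or negatively. The field names, group names and constructed events are assumptions made for the example.

```python
"""Security audit log filter selection, modelled on the rules described above."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class AuditFilter:
    """One filter of a security audit log profile (illustrative model, not SAP's)."""
    client: str = "*"                  # client number; "*" selects every client
    user: str = "*"                    # user name; generic selection with "*" allowed
    user_group: Optional[str] = None   # exact user group name; wildcards not allowed
    negative_group: bool = False       # True models "Select by User Group (Negative)"
    active: bool = True                # models "Filter for Recording Active"

    def __post_init__(self) -> None:
        # User groups only allow for a specific value, so reject wildcard attempts.
        if self.user_group is not None and "*" in self.user_group:
            raise ValueError("user group selection does not support wildcards")


@dataclass(frozen=True)
class AuditEvent:
    """Minimal event context used for filter selection (constructed sample)."""
    client: str
    user: str
    user_group: str


def filter_selects(flt: AuditFilter, ev: AuditEvent) -> bool:
    """Does one filter select this event?"""
    if not flt.active:
        return False
    if not fnmatchcase(ev.client, flt.client):
        return False
    if not fnmatchcase(ev.user, flt.user):
        return False
    if flt.user_group is not None:
        in_group = ev.user_group == flt.user_group
        # Positive selection wants members, negative selection wants non-members.
        if in_group == flt.negative_group:
            return False
    return True


def profile_selects(filters, ev: AuditEvent) -> bool:
    """Filters of one profile are OR-linked: any selecting filter logs the event."""
    return any(filter_selects(f, ev) for f in filters)


def selected_users(filters, events) -> list:
    """User names of the events that the profile would log, in input order."""
    return [ev.user for ev in events if profile_selects(filters, ev)]


# The two filters from the text: everything for group SUPER, everything for RFC* users.
PROFILE = (
    AuditFilter(client="100", user_group="SUPER"),
    AuditFilter(client="100", user="RFC*"),
)
# Negative selection: log users who are NOT in the technical group TECH (assumed name).
NON_TECH_USERS = (AuditFilter(user_group="TECH", negative_group=True),)

# Constructed events, not taken from a real system.
SAMPLE_EVENTS = (
    AuditEvent(client="100", user="ADMIN01", user_group="SUPER"),
    AuditEvent(client="100", user="RFC_ERP", user_group="TECH"),
    AuditEvent(client="100", user="DEVELOPER", user_group="DEVS"),
    AuditEvent(client="200", user="ADMIN01", user_group="SUPER"),
)

if __name__ == "__main__":
    print("OR-linked profile logs:", selected_users(PROFILE, SAMPLE_EVENTS))
    print("Negative group filter logs:", selected_users(NON_TECH_USERS, SAMPLE_EVENTS))
```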


Figure 11.3 Standard Selection in Security Audit Log Configuration

In the Event Selection screen (Figure 11.4), you can define which events you want to log. In the Classic event selection, you get the same options as in the old security audit log.

Figure 11.4 Classical Event Selection in Security Audit Log Configuration

In the Detail event selection (Figure 11.5), you can slice and dice on a more granular level and pick and choose events more specifically. For example, in the classical selection, you choose Dialog Logon, whereas in the detailed selection you can decide whether you want successful logons or failed logons.
If you defined the selection in the classic event selection, the underlying detailed events will be selected.
To start the logging of a filter, it’s important that the switch Filter for Recording Active is selected. You can have active and inactive filters. Therefore, it’s important to keep an eye on the Active checkbox, as well as on whether the filter has been activated.

Figure 11.5 Detailed Event Selection Options in Security Audit Log Configuration

Administration of Log Data

The administration of log data takes place in Transaction RSAU_ADMIN (Figure 11.6). In the administration cockpit, you can check the integrity of the file-based log data and reorganize obsolete files. For the database tables, you can use this cockpit to reorganize table RSAU_BUF_DATA by means of deletion or archiving.

Figure 11.6 Log Data Administration Initial Screen


Integrity Protection
With the integrity protection setting of the SAL, you can protect the security audit log from manipulation of its log files on the file system. However, it doesn’t prevent manipulation of a file; it tells you whether the file was manipulated.
To protect the integrity of your files, you can create one hash-based message authentication code (HMAC) key per system. To create the HMAC key, choose Configure Integrity Protection Format from the initial screen (Figure 11.7) and define your secret Passphrase.

Figure 11.7 Configure Integrity Protection Format

So that you can restore the key later, a local backup file is generated that can be used in combination with the passphrase. Make sure to store the backup file and passphrase so that you can check the integrity of the system later.
If you decide not to create an individual system HMAC key, your integrity is at risk because the integrated key must be considered to be known, as it is set to a default value. That means that you can check the files only against unintentional corruption or change and not against malicious manipulation.
Once configured, all log files written from that point on use the integrity protection format. To check the integrity of the files, you can choose Check Integrity of the Files on the initial screen (Figure 11.8).
Shorter time frames can be analyzed in the foreground. However, larger periods will be run in the background. Once the check has been performed, you’ll see an overview of all the files and their attributes (Figure 11.9). Also, you’ll see the status, which indicates whether the file has integrity issues or not.

Figure 11.8 Check Integrity of Files

Figure 11.9 Display the Last Integrity Check Status

To quickly navigate back to the last integrity check, you can choose the Display Last Integrity Check Status option in the selection screen.
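To make the integrity protection idea concrete, here is an added Python illustration (not SAP’s implementation; the real file format and key derivation are not described in this chapter) of a per-system HMAC key over chained log records: it reports the first record that fails when a record is edited or deleted and when the file is truncated, and the last case shows why a key that must be considered known only catches accidental corruption. The records, salt and passphrase are constructed values.

```python
"""Illustration of file-system integrity protection with a per-system HMAC key."""
import hashlib
import hmac

TAG_LEN = 32                     # SHA-256 digest length
CHAIN_SEED = b"\x00" * TAG_LEN   # "previous tag" used for the first record
# Stand-in for an integrated default key that must be assumed known (constructed).
DEFAULT_KEY = b"vendor-default-key-assumed-public"


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the administrator's passphrase into a system-specific HMAC key.
    PBKDF2-HMAC-SHA256 is used here; SAP's actual derivation is not shown on this page."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               200_000, dklen=TAG_LEN)


def seal_log(records, key: bytes):
    """Attach a chained HMAC tag to each record plus a closing tag for the file.
    Chaining binds every record to its predecessor, so a deleted record shows up
    as a mismatch at its position; the closing tag catches truncation at the end."""
    prev = CHAIN_SEED
    sealed = []
    for rec in records:
        tag = hmac.new(key, prev + rec, hashlib.sha256).digest()
        sealed.append((rec, tag))
        prev = tag
    closing = hmac.new(key, b"END" + prev, hashlib.sha256).digest()
    return sealed, closing


def check_integrity(sealed, closing: bytes, key: bytes) -> int:
    """Return -1 if the file verifies, otherwise the index of the first record
    whose tag fails; len(sealed) means the closing tag failed (truncation)."""
    prev = CHAIN_SEED
    for i, (rec, tag) in enumerate(sealed):
        expected = hmac.new(key, prev + rec, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    expected_closing = hmac.new(key, b"END" + prev, hashlib.sha256).digest()
    return -1 if hmac.compare_digest(expected_closing, closing) else len(sealed)


# Constructed sample records; the real audit file layout is not part of this page.
SAMPLE_RECORDS = [
    b"20180504 081501 AU1 client=100 user=ADMIN01 terminal=WS0042 logon successful",
    b"20180504 081530 AU2 client=100 user=RFC_ERP terminal=WS0042 logon failed",
    b"20180504 081545 AU1 client=100 user=RFC_ERP terminal=WS0042 logon successful",
]
SALT = b"constructed-salt-kept-with-the-backup-file"
SYSTEM_KEY = derive_key("example passphrase, not a real one", SALT)


def demo() -> dict:
    """Run the check against an intact file and four altered versions of it."""
    sealed, closing = seal_log(SAMPLE_RECORDS, SYSTEM_KEY)
    results = {"intact": check_integrity(sealed, closing, SYSTEM_KEY)}
    edited = list(sealed)
    rec, tag = edited[1]
    edited[1] = (rec.replace(b"failed", b"successful"), tag)  # record changed in place
    results["edited"] = check_integrity(edited, closing, SYSTEM_KEY)
    results["deleted"] = check_integrity(sealed[:1] + sealed[2:], closing, SYSTEM_KEY)
    results["truncated"] = check_integrity(sealed[:-1], closing, SYSTEM_KEY)
    # With a key that has to be assumed public, a re-sealed edited file verifies:
    # the check then only covers unintentional corruption, as the text warns.
    resealed, reclosing = seal_log([r for r, _ in edited], DEFAULT_KEY)
    results["resealed_with_default_key"] = check_integrity(resealed, reclosing, DEFAULT_KEY)
    return results


if __name__ == "__main__":
    for name, idx in demo().items():
        status = "OK" if idx == -1 else f"first failure at record {idx}"
        print(f"{name:>26}: {status}")
```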


Reorganize Log Files
To reorganize log files by means of deleting the physical file from the file system, you can choose Reorganize log files from the initial screen (Figure 11.10). You can delete or display the data to be reorganized, as well as run a simulation mode first. The simulation mode lets you see what will happen when you run the reorganization with the simulation checkbox deselected.

Figure 11.10 Reorganize Log Files

The minimum age decides which files will be deleted. Once executed, you’ll see a results screen (Figure 11.11) indicating which old files will be deleted (if run without simulation).

Figure 11.11 Delete Log Files

Remember, the deletion of log files should be carried out through this transaction because it performs an authorization check and follows the deletion process for files in the integrity protection format. Deleting files manually from the file system is considered a manipulation.

Reorganize Log Table
Reorganization of the database table is important when logging is activated to be stored exclusively in the database table. For all other scenarios, reorganization is not necessary; for example, APIs will delete the data after the transfer.
To delete data from the table, choose the Reorganize log table selection (Figure 11.12) and enter the date before which you want data to be deleted.

Figure 11.12 Reorganize Log Table in Database

Evaluation of Log Data

You can evaluate the log data in Transaction RSAU_READ_LOG (Figure 11.13). You can either evaluate the logs online in the foreground or send the report into the background. In the selection screen, you can set the time restrictions along with multiple other options.


Figure 11.13 Evaluate Log Data Initial Screen

In the Standard Selections (Figure 11.14), you can set the selection type and, for example, search based on a specific user, client, terminal, or audit class or based on the criticality of the event. Also, you can reuse your filters and search for specific filters only. The Instance Name field lets you input the instance that you want to evaluate. If you have multiple application servers and want to only include the current application instance, you can use the value <LOCAL>.

Figure 11.14 Standard Selection in Evaluation of Log Data

In the Data source selection (Figure 11.15), you can define if you want to read all your files, a specific file or directory, or your database tables.

Figure 11.15 Data Source Selection in Evaluation of Log Data

The result screen shows the logged events in detail. For example, in Figure 11.16, you can see successful logons by user WF-BATCH.

Figure 11.16 Evaluation of Log Data Result Screen


Evaluate Archived Log Data
To evaluate archived log data, you can use Transaction RSAU_READ_ARC (Figure 11.17). In the selection screen, you can set the period, as well as other selections like the client, user, terminal, and so on.

Figure 11.17 Read Security Audit Log Archive Data

11.3.2 System Log

Whereas the security audit log records security-related information about the system, the system log records information that may signal system problems. For an administrator, the system log is an important tool for maintaining the health of your system and keeping it up and running with good performance. The system log records warnings, error messages, database read errors, rollbacks, and so on.
The system log offers different types of logging depending on the host. On a UNIX host, you have local and central logging available. If you run on a Microsoft Windows NT host, you’ll only have local logging. In the local scenario, the log is stored locally on the application server in a ring buffer. The ring buffer is overwritten once full. Therefore, the system log is only available for a certain time frame as the size is limited. In the central log, each individual application server sends its local log to a central server. Similar to the local log, the size of the central log is limited and hence it doesn’t hold the information indefinitely.
In either scenario, we recommend analyzing the system log on a regular basis. Most administrators check the system log daily to avoid any disruption to the SAP system. The local log is always up to date, whereas the central log might have a slight delay as the data must be written from the local application server to the central server.
The main transaction to analyze the system log is Transaction SM21 (Figure 11.18), in which you can read the system log and its messages. In the selection screen, you can define basic and extended attributes to get to the messages that are most important to you.

Figure 11.18 Initial Screen in Transaction SM21 to Display System Log

In the result screen (Figure 11.19), you get an overview of all messages that have been logged by the SAP system. For each entry, you see the time stamp, instance, client, user, and the priority of and information about the message. You can double-click any line item.

Figure 11.19 System Log Result Screen


After you double-click an item, you’ll see the details of the message (Figure 11.20) to dive further into the error. In addition to details about the message and the session, as well as technical and parameter details, you can also navigate to the trace from the menu bar.

Figure 11.20 System Log Detail View

In the trace, you can see all the steps that the system performed for the message that you selected. Analyzing traces requires a deep understanding of the SAP system and is definitely an expert tool only.

11.3.3 Table Logging

To enable table logging in general, you have to activate the table logging in the profile parameter rec/client. Once activated, you can define tables to be logged in the table properties. The profile parameter rec/client accepts four different kinds of values:
쐍 OFF
Logging is deactivated.
쐍 nnn
Logging takes place for client-specific tables only in the client listed (001, 100, etc.).
쐍 nnn,nnn,nnn
Logging takes place for client-specific tables for the clients listed (a maximum of 10 clients possible, comma-separated).
쐍 ALL
Logging always takes place; for client-specific tables, it takes place for all clients. Caution: This setting makes sense only in special cases. Note that in the case of ALL, changes are recorded in the log file for all test clients (including SAP client 000).

Once the table logging has been activated, you can define which tables will be logged. To activate logging for a particular table, you have to define the properties in the table itself. You can do that from Transaction SE13. SAP predelivers customizing tables with the table change logging activated.
For the example shown in Figure 11.21 for table RFCDES (RFC Destinations), the table change log is activated.

Figure 11.21 Log Data Changes in Technical Settings of Table in Transaction SE13

To check all tables that have the logging activated and to review the changes, you can use Transaction SCU3 (Figure 11.22). In Transaction SCU3, click List of Logged Tables to see an overview of all tables that have table change logging activated.
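As an added example (not SAP code), this Python helper parses rec/client values of the four kinds listed above and answers whether a change to a table with logging enabled would actually be recorded; the rule that cross-client tables are logged whenever the parameter is not OFF, and the review findings, follow the value descriptions, and the client numbers are constructed.

```python
"""Interpreting the rec/client profile parameter for table change logging."""
import re
from dataclasses import dataclass

MAX_LISTED_CLIENTS = 10              # "a maximum of 10 clients possible"
CLIENT_RE = re.compile(r"\d{3}")     # SAP client numbers are three digits


@dataclass(frozen=True)
class RecClient:
    mode: str                          # "OFF", "ALL" or "LIST"
    clients: frozenset = frozenset()   # client numbers when mode == "LIST"


def parse_rec_client(value: str) -> RecClient:
    """Parse OFF, ALL, nnn or nnn,nnn,... (at most 10 clients); raise ValueError otherwise."""
    text = value.strip().upper()
    if text == "OFF":
        return RecClient("OFF")
    if text == "ALL":
        return RecClient("ALL")
    parts = [p.strip() for p in text.split(",")]
    if len(parts) > MAX_LISTED_CLIENTS:
        raise ValueError(f"rec/client lists {len(parts)} clients; the maximum is {MAX_LISTED_CLIENTS}")
    bad = [p for p in parts if not CLIENT_RE.fullmatch(p)]
    if bad:
        raise ValueError(f"invalid client number(s) in rec/client: {bad}")
    return RecClient("LIST", frozenset(parts))


def change_is_logged(setting: RecClient, client: str, client_specific: bool = True) -> bool:
    """Would a change in `client` to a table with 'Log data changes' set be recorded?
    Client-specific tables need the client to be covered by rec/client; cross-client
    tables are logged whenever rec/client is not OFF (reading of the descriptions above)."""
    if setting.mode == "OFF":
        return False
    if setting.mode == "ALL" or not client_specific:
        return True
    return client in setting.clients


def review_rec_client(value: str, productive_clients) -> list:
    """Findings a reviewer would raise for a given rec/client value (empty = fine)."""
    try:
        setting = parse_rec_client(value)
    except ValueError as exc:
        return [f"unparseable value: {exc}"]
    findings = []
    if setting.mode == "OFF":
        findings.append("table change logging is switched off")
    elif setting.mode == "ALL":
        findings.append("ALL logs every client including client 000; meant for special cases only")
    else:
        missing = sorted(set(productive_clients) - setting.clients)
        if missing:
            findings.append(f"productive client(s) not logged: {missing}")
    return findings


if __name__ == "__main__":
    # Constructed system with productive clients 100 and 200.
    for value in ("OFF", "100", "100,200", "ALL", "100,20"):
        print(f"rec/client = {value!r}: {review_rec_client(value, ['100', '200']) or 'no findings'}")
```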


Figure 11.22 Initial Screen of Transaction SCU3

Warning
In an SAP NetWeaver 7.50 system with SAP ERP installed, SAP defined close to 30,000 tables with the table change log. Most of the tables are customizing tables and hence do not contain master data that changes regularly.

Analyze Logs
To analyze the changes that have been logged, you again can use Transaction SCU3. In Transaction SCU3, go to Analyze Logs and make your selections. In the selection screen (Figure 11.23), you must select one specific table or customizing object for analysis. This is enforced because the amount of data can be huge. For reporting purposes, we suggest using the ALV Grid Display, which lets you sort and filter the output.

Figure 11.23 Evaluate Table Change Log in Transaction SCU3

In the output view, you can get the details of what’s been changed in the table. In Figure 11.24, you can see changes to table T000 (clients). You can see the type of change, as well as which transaction and program were used to perform the change.

Figure 11.24 Display Table Change Logs

The data being analyzed in Transaction SCU3 is stored in table DBTABLOG. Transaction SCU3 offers a fully functional cockpit to analyze the data efficiently.

SAP Note 1916
For more information about table logging, see SAP Note 1916 (Logging of Table Changes in R/3).

Performance Impact
Table change logging shouldn’t have a performance impact if you only log customizing tables. Although SAP delivers many tables with table logging activated, those tables usually contain little data that rarely changes. Avoid logging for master data and transaction data tables because those tables are subject to mass changes and hence would have a negative impact on the system performance. For custom tables, you can define whether you want to activate table logging or not.
If you experience negative performance after activating table logging, you can find out which tables log the most data. In Transaction SCU3, you can validate the table logging via the menu path Administration • Number of Logs (Selection). In the selection screen (Figure 11.25), leave the Table Name field empty and analyze the last month (or extend the time if required).


Figure 11.25 Number of Table Change Logs in Transaction SCU3

In the results screen, you can see the number of entries per table logged. For the example in Figure 11.25, table RFCDES logged 36 changes in the last 30 days, as shown in Figure 11.26. You can sort the number of logs in descending order to quickly get an indication of which tables might cause a performance issue.

Figure 11.26 Result Screen of Number of Table Change Logs

Table logging shouldn’t have an impact on your overall system performance and hence is a helpful feature to ensure the traceability of changes to customizing and other important tables in your SAP system.

11.3.4 Workload Monitor

The Workload Monitor lets you analyze system statistics in the SAP system. You can report on different task types like background processing, dialog processing, update processing, ALE, RFC, and so on. You will also see detailed information on CPU time, number of changes to the database, number of users that use the system, and so on. You can start the Workload Monitor in Transaction ST03N.
Apart from all the analysis capabilities to check the workload of your system, the Transaction ST03N trace contains information that might be helpful for auditing purposes. In Transaction ST03N, you can analyze the activity of a user and reproduce the actions a user has executed in the system. In the user profile, you can see all the users in a certain time frame and details of the actions they performed. In Figure 11.27, you can see that user ABANZER executed several transactions (e.g., Transactions RSAU_ADMIN, RSAU_READ_LOG, and so on). You can also see how many dialog steps were executed along with the details of average response times.

Figure 11.27 Workload Monitor for Specific User Profile in Transaction ST03N

The workload analysis is deactivated by default because it increases the chances of performance problems. Therefore, we recommend activating it temporarily for specific analyses. Before activation, make sure that you adhere to the laws and regulations in your territory.


Warning
Analyzing user activities may not be permitted based on your area of operation. Also, personal data protection regulations like GDPR may prohibit the use of such information.

11.3.5 Read Access Logging

Read access logging (RAL) is a tool to monitor and record the read access to sensitive and classified data in your SAP system. The type of data that you want to monitor can be categorized as sensitive by law or by internal or external company policies. In the context of the GDPR, companies must comply with the regulations and adhere to standards about data privacy.
With the RAL framework, you can comply with the regulations because you always know who accessed which data from where and when. Also, in case of a security breach or a leak of information, you can report not only who had access to the data from an authorization standpoint but also who accessed the data through the logging.
The RAL framework works with different types of channels when a user is accessing the data. Channels are the way the data leaves or enters the system (e.g., through SAP GUI). On the UI side, the RAL framework works with Dynpro (logging of Dynpro UI elements and ALV grids) and Web Dynpro (logging of context-bound UI elements).
It also works with APIs such as the following:
쐍 Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)
Logging of server- and client-side RFC-based communication
쐍 Web services
Logging of consumer- and provider-side web service communications
쐍 OData channels
Logging of data consumed by SAP Fiori applications through OData services

Further Information
For more information about the OData channels for SAP Fiori applications, you can check SAP Note 2182094 (Read Access Logging in SAP Gateway).

The configuration and monitoring of the RAL is done in Transaction SRALMANAGER (Figure 11.28).

Figure 11.28 Read Access Logging Initial Screen

The configuration of RAL requires five steps, which are represented in the Web Dynpro application that starts with Transaction SRALMANAGER:
1. You have to identify and determine under what circumstances the RAL will log what type of data. For example, in view of GDPR, you have to protect personal information of your employees. Therefore, you have to monitor and protect transactions and tables that contain personal information, like Transaction SU01 (User Master Records), table USR02 (User Master Records), and so on.
2. In the second step, you have to define the purpose of the logging, which allows you to group certain requirements. You can freely define a name for the logging purpose. The logging purpose is used to organize the data in the context of a specific use case, such as for GDPR.
3. In the third step, you have to define the channels that you want to monitor. Common channels are Web Dynpro, RFCs, and so on.
4. Once you have the channels defined, you define the log domains. The log domains group semantically similar or related fields. For example, in the Basis area, an “account” is different than the “account” in the banking application. Therefore, you want to classify similar content into log domains.
5. Finally, you define the conditions that must be met for the application to log the data—for example, which fields are being recorded and whether the access is recorded only or the content of the data is recorded as well.


For simplified operation of the RAL, you can define an exclusion list of users that won’t be logged. A common scenario is to exclude batch job users that perform multiple reads, which would lead to a significant number of logs.
Once the configuration has been activated successfully, you can start to monitor the log entries in the Web Dynpro application. To review the logs, you can go to Read Access Log in the Monitor tab. You can search channel-specific, date-specific, or user name-specific logs.

11.3.6 User Information System

The User Information System is one of the main tools required for both internal and external audits. This tool is a directory for several programs that facilitate the retrieval of information required for an audit. Most of the tools focus on users and authorizations. However, the AIS also contains a powerful change document feature. Each function is organized by its type in the menu tree and can be launched by double-clicking the Execute button to the left of the function name.
As an example, let’s look up users with critical authorization combinations. This is a common report used by auditors to satisfy audit controls. Proceed as follows:
1. Navigate to Transaction SUIM.

Figure 11.29 Transaction SUIM Main Screen

2. In the menu, click the User drop-down, then select With Critical Authorizations and click the Execute icon (Figure 11.29).

Direct Access
Alternatively, you can run report RSUSR008_009_NEW in Transaction SA38.

3. Next, choose the For Critical Authorizations radio button in the Variant Name box. For the variant name, choose the predelivered SAP_RSUSR009 variant (Figure 11.30).

Figure 11.30 Critical Authorizations Selection Screen


Define Your Own Critical Authorizations
You can also define a list of critical authorizations. You may receive a list of critical authorizations or transaction codes from your internal auditor, external auditor, or functional business analysts. You may need to come up with this list on your own. A good starting point is to use the SAP delivered variant, SAP_RSUSR009, but be sure to adjust it for your auditing use.

4. Click the Execute button.

Figure 11.31 Report Generated with Critical Authorizations

The system will return a list of critical authorizations (Figure 11.31) that each user has in your system. If you have many super users, or administrators, this list could be in the thousands or tens of thousands. A review of this list and its users is done often, with the appropriateness of each user’s access reviewed by either internal or external auditors.

11.4 Summary

In this chapter, you learned about internal and external audits and their purpose in an organization. You learned about auditing tools like security audit logging, the system log, table logging, the Workload Monitor, and Read Access Logging. Finally, you learned about the User Information System and how to use it to find users with critical authorizations.
In the next chapter, you’ll learn about how to secure network communications to and from your SAP NetWeaver AS ABAP system. This is an important subject for a security administrator because most attacks against an SAP system use the network as an attack vector.

Contents

Preface ........ 19

1 Introduction ........ 25
1.1 Potential Threats ........ 26
1.1.1 Data Breach ........ 27
1.1.2 Privacy Violations ........ 27
1.1.3 Phishing ........ 27
1.1.4 Theft ........ 28
1.1.5 Fraud ........ 28
1.1.6 Brute Force Attacks ........ 29
1.1.7 Disruption ........ 29
1.1.8 Who Represents a Threat? ........ 30
1.1.9 Understanding Modern-Day Vulnerabilities ........ 31
1.2 The Onion Concept ........ 34
1.2.1 Perimeter ........ 35
1.2.2 Operations ........ 35
1.2.3 Patching ........ 35
1.2.4 Human Factor ........ 36
1.2.5 Physical Security ........ 36
1.2.6 Security Awareness ........ 36
1.3 Risk and True Cost of Security ........ 37
1.4 The Administrator's Role in Security ........ 40
1.4.1 Planning ........ 40
1.4.2 Execution ........ 41
1.4.3 Segregation of Duties ........ 42
1.4.4 Audit Support ........ 42
1.4.5 Basis versus Security ........ 43
1.5 Summary ........ 43


2 Configuring Profiles and Parameters ........ 45
2.1 Understanding System Parameters ........ 46
2.2 System Profiles ........ 47
2.2.1 Instance Profile ........ 47
2.2.2 Default Profile ........ 48
2.2.3 Other Profiles ........ 49
2.3 Profile and Parameter Structure ........ 49
2.3.1 Profiles on the Operating System Level ........ 51
2.3.2 Profiles on the Database Level ........ 52
2.4 Static and Dynamic Parameters ........ 53
2.5 Viewing and Setting Parameters ........ 55
2.5.1 Viewing Parameters with ABAP Report RSPARAM ........ 56
2.5.2 Viewing the Documentation with Transaction RZ11 ........ 58
2.5.3 Changing Parameters with Transaction RZ10 ........ 59
2.6 Key Security-Related Parameters ........ 64
2.7 Controlling Access to Change Parameters ........ 66
2.8 Summary ........ 67

3 Restricting Transactional Access ........ 69
3.1 Clients ........ 71
3.2 Who Should Be Able to Lock and Unlock Transactions? ........ 71
3.3 Which Transactions to Lock ........ 71
3.4 Locking Transactions ........ 73
3.5 Viewing Locked Transactions ........ 76
3.6 Summary ........ 78

4 Securing Clients ........ 79
4.1 Client Settings ........ 81
4.1.1 Client Setting Fields ........ 83
4.1.2 Suggested Client Settings ........ 85
4.1.3 Changing Client Settings ........ 87
4.2 Client Logon Locking ........ 89
4.3 Summary ........ 92

5 Securing the Kernel ........ 93
5.1 Understanding the Kernel ........ 94
5.1.1 Kernel Patching ........ 96
5.1.2 Kernel Versioning ........ 97
5.1.3 Checking the Kernel Version ........ 100
5.1.4 Checking the Kernel Version from the Operating System Level ........ 101
5.2 Common Cryptographic Library ........ 102
5.2.1 Checking the CommonCryptoLib in SAP GUI ........ 102
5.2.2 Checking the CommonCryptoLib on the OS Level ........ 103
5.3 Kernel Update ........ 104
5.3.1 Overall Kernel Update Process ........ 105
5.3.2 Downloading the Kernel ........ 107
5.3.3 Installing the Kernel ........ 110
5.4 Summary ........ 114

6 Managing Users ........ 115
6.1 What Is a User ID in SAP? ........ 115
6.2 Different User Types ........ 115
6.2.1 Dialog User: Type A ........ 116
6.2.2 System User: Type B ........ 116
6.2.3 Service User: Type S ........ 117


6.2.4 Communication User: Type C ..... 117
6.2.5 Reference User: Type L ..... 117
6.3 The User Buffer ..... 117
6.4 Creating and Maintaining a User ..... 118
6.4.1 Documentation ..... 119
6.4.2 Address ..... 120
6.4.3 Logon Data ..... 121
6.4.4 Secure Network Communication ..... 122
6.4.5 Defaults ..... 123
6.4.6 Parameters ..... 124
6.4.7 Roles ..... 125
6.4.8 Profiles ..... 125
6.4.9 Groups ..... 126
6.4.10 Personalization ..... 126
6.4.11 License Data ..... 127
6.4.12 DBMS ..... 127
6.5 Copy a User ..... 128
6.6 Change Documents for Users ..... 129
6.7 Mass User Changes with Transaction SU10 ..... 131
6.8 User Naming Convention ..... 139
6.9 Security Policies ..... 140
6.10 Maintain User Groups ..... 145
6.11 Central User Administration ..... 147
6.11.1 Distribution Parameters for Fields (Transaction SCUM) ..... 149
6.11.2 Background Jobs ..... 150
6.11.3 CUA-Related Tables ..... 151
6.12 User Lock Status ..... 151
6.13 User Classification ..... 152
6.14 User-Related Tables ..... 153
6.15 Securing Default Accounts ..... 154
6.16 User Access Reviews ..... 156
6.17 Inactive Users ..... 157
6.18 Password and Logon Security ..... 158
6.18.1 Where Does SAP Store Passwords? ..... 158
6.18.2 What Is the Code Version? ..... 159
6.18.3 Why Do I Have to Protect These Tables? ..... 159
6.18.4 Logon Procedure ..... 160
6.18.5 Password Change Policy ..... 161
6.19 Segregation of Duties ..... 163
6.20 Summary ..... 165

7 Configuring Authorizations 167

7.1 Authorization Fundamentals ..... 168
7.1.1 What is a Role? ..... 168
7.1.2 What is a Profile? ..... 168
7.1.3 Authorization Objects ..... 169
7.1.4 The Profile Generator ..... 169
7.1.5 Authorization Checks ..... 169
7.1.6 Display Authorization Data ..... 171
7.1.7 The User Buffer ..... 173
7.1.8 Maintain Check Indicators: Transaction SU24 ..... 173
7.1.9 System Trace ..... 175
7.2 SAP Role Design Concepts ..... 180
7.2.1 Single Roles ..... 181
7.2.2 Derived Roles ..... 181
7.2.3 Composite Roles ..... 182
7.2.4 Enabler Roles ..... 182
7.2.5 Comparison of the Role Design Concepts ..... 183
7.2.6 Why Not Use Enabler Roles? ..... 184
7.2.7 What Impact Does a System Upgrade Have on Roles and Authorizations? ..... 188
7.2.8 Role-Naming Conventions ..... 188
7.3 The Profile Generator ..... 192
7.3.1 Create a Single Role ..... 192
7.3.2 Create a Composite Role ..... 204

7.3.3 Create a Master and Derived Role ..... 207
7.3.4 Overview Status ..... 213
7.3.5 Mass Generation of Profiles ..... 214
7.3.6 Mass Comparison ..... 215
7.3.7 Role Menu Comparison ..... 216
7.3.8 Role Versioning ..... 217
7.4 Assign and Remove Roles ..... 219
7.5 Lock and Unlock Transactions ..... 221
7.6 Transaction SUIM: User Information System ..... 221
7.6.1 User ..... 222
7.6.2 Roles ..... 223
7.6.3 Profiles ..... 223
7.6.4 Authorizations ..... 223
7.6.5 Authorization Objects ..... 224
7.6.6 Transactions ..... 224
7.6.7 Comparisons ..... 224
7.6.8 Where-Used Lists ..... 225
7.6.9 Change Documents ..... 225
7.7 Role Transport ..... 226
7.8 Common Standard Profiles ..... 228
7.9 Types of Transactions ..... 229
7.9.1 Dialog Transactions ..... 230
7.9.2 Report Transactions ..... 230
7.9.3 Object-Oriented Transactions ..... 231
7.9.4 Variant Transactions ..... 231
7.9.5 Parameter Transaction ..... 234
7.9.6 Call Transaction in Transaction SE97 ..... 237
7.10 Table Authorizations ..... 239
7.10.1 Table Group Authorizations via S_TABU_DIS ..... 240
7.10.2 Table Authorizations via S_TABU_NAM ..... 241
7.10.3 Cross-Client Table Authorizations via S_TABU_CLI ..... 241
7.10.4 Line-Oriented Table Authorizations via S_TABU_LIN ..... 241
7.10.5 Table Authorizations and Auditors ..... 245
7.10.6 Table Views for Database Tables ..... 245
7.11 Printer Authorizations ..... 249
7.12 Other Important Authorization Objects ..... 249
7.12.1 Upload and Download Authorizations ..... 249
7.12.2 Report Authorizations ..... 250
7.12.3 Background Jobs ..... 251
7.12.4 ABAP Workbench ..... 251
7.12.5 Batch Sessions ..... 251
7.12.6 Query Authorizations ..... 251
7.12.7 Remote Function Call Authorizations ..... 252
7.13 Transaction SACF: Switchable Authorizations ..... 253
7.14 Customizing Entries in Tables PRGN_CUST and SSM_CUST ..... 255
7.15 Mass Maintenance of Values within Roles ..... 257
7.16 Upgrading to a New Release ..... 260
7.17 ABAP Debugger ..... 267
7.18 Authorization Redesign and Cleanup ..... 269
7.18.1 Business Impact of Security Redesign ..... 270
7.18.2 Reducing the Business Impact of a Role Redesign Project ..... 270
7.18.3 Gathering Authorization Data ..... 271
7.18.4 Testing Role Changes in Production ..... 272
7.18.5 Automate Role Creation and Testing ..... 273
7.19 Introduction to SAP GRC Access Control ..... 273
7.19.1 Access Risk Analysis ..... 273
7.19.2 Access Request Management ..... 274
7.19.3 Business Role Management ..... 274
7.19.4 Emergency Access Management ..... 275
7.19.5 Segregation of Duties Management Process ..... 275
7.20 Summary ..... 277

8 Authentication 279

8.1 What Is Single Sign-On? ..... 279
8.1.1 Common Components of SSO ..... 281
8.1.2 Establishing a Plan for SSO Adoption ..... 283
8.2 Single Sign-On Technologies ..... 284

8.2.1 X.509 Digital Certificates ..... 284
8.2.2 Kerberos ..... 285
8.2.3 SPNEGO ..... 285
8.2.4 SAP Logon Tickets ..... 285
8.2.5 SAML ..... 286
8.3 SAP GUI Single Sign-On Setup ..... 286
8.3.1 Setting Up Secure Network Communications in Transaction SCNWIZARD ..... 287
8.3.2 Setting Up Kerberos Single Sign-On with SAP GUI ..... 296
8.4 SAML ..... 309
8.4.1 Principals ..... 310
8.4.2 Identity Providers ..... 310
8.4.3 Service Providers ..... 310
8.4.4 SAML Assertions ..... 311
8.4.5 Overall SAML Process ..... 311
8.4.6 SAP NetWeaver AS ABAP Service Provider Setup ..... 312
8.4.7 ICF Service Authentication and SAP Fiori ..... 338
8.5 Summary ..... 339

9 Patching 341

9.1 Patching Concepts: SAP’s Approach to Patching ..... 341
9.1.1 SAP Notes ..... 342
9.1.2 SAP Note Severity ..... 343
9.1.3 Other Patching ..... 344
9.1.4 SAP Security Patch Day ..... 344
9.2 Application of Security SAP Notes ..... 347
9.3 Implications of Upgrades and Support Packages ..... 354
9.4 Evaluating Security with SAP Solution Manager ..... 354
9.4.1 SAP EarlyWatch Alert Reporting ..... 355
9.4.2 System Recommendations ..... 356
9.4.3 Other Functionality ..... 357
9.5 Summary ..... 358

10 Securing Transports 359

10.1 Transport System Concepts ..... 360
10.1.1 Operating System-Level Components ..... 361
10.1.2 Controlling System Changes: Setting System/Client Change Options ..... 363
10.1.3 Transport Management System Users ..... 367
10.1.4 TMS RFC Connections ..... 370
10.2 Transport Authorizations ..... 373
10.3 Operating System-Level Considerations ..... 376
10.4 Landscape Considerations ..... 377
10.5 Summary ..... 378

11 Auditing and Logging 379

11.1 External Audits ..... 380
11.2 Internal Audits ..... 381
11.3 Auditing Tools ..... 382
11.3.1 Security Audit Log ..... 382
11.3.2 System Log ..... 396
11.3.3 Table Logging ..... 398
11.3.4 Workload Monitor ..... 403
11.3.5 Read Access Logging ..... 404
11.3.6 User Information System ..... 406
11.4 Summary ..... 409

12 Securing Network Communications 411

12.1 Choosing a Network Security Strategy ..... 411
12.2 Securing Using Access Controls ..... 412
12.2.1 Firewalls ..... 412

12.2.2 Application-Level Gateways ..... 414
12.2.3 Business Secure Cell ..... 415
12.2.4 Securing Common Ports ..... 416
12.2.5 Securing Services ..... 417
12.2.6 Access Control Lists ..... 418
12.2.7 Tuning Network Access Control ..... 422
12.3 Securing the Transport Layer ..... 422
12.4 Connecting to the Internet and Other Networks ..... 424
12.5 Summary ..... 431

13 Configuring Encryption 433

13.1 Introduction to Cryptography ..... 433
13.1.1 Encryption in Depth ..... 434
13.1.2 Secure Communication in SAP NetWeaver ..... 448
13.2 Enabling SSL/TLS ..... 451
13.2.1 Setting System Parameters ..... 451
13.2.2 Creating the TLS/SSL PSE ..... 454
13.2.3 Testing TLS/SSL ..... 460
13.2.4 Requesting and Installing Certificates ..... 464
13.3 The Internet Connection Manager ..... 468
13.3.1 ICM Concepts ..... 468
13.3.2 Important ICM Security Parameters ..... 469
13.3.3 Controlling Access Using Access Control List ..... 469
13.3.4 Security Log ..... 473
13.3.5 Controlling Access Using a Permission File ..... 475
13.4 SAP Web Dispatcher ..... 481
13.4.1 Initial Configuration of SAP Web Dispatcher ..... 483
13.4.2 SSL with SAP Web Dispatcher ..... 486
13.5 Summary ..... 487

14 Database Security 489

14.1 Platform-Independent Database Considerations ..... 490
14.1.1 Database Patching ..... 490
14.1.2 Networking ..... 491
14.1.3 User Accounts ..... 492
14.1.4 Database Backups ..... 493
14.1.5 Additional DB Functionality ..... 494
14.2 Securing the Database Connection ..... 495
14.2.1 Understanding the Database Connect Sequence ..... 495
14.2.2 SAP HANA Database: HDB User Store ..... 498
14.2.3 Oracle Database: Secure Storage in File System ..... 500
14.2.4 Microsoft SQL Server: Authentication ..... 504
14.3 Logging and Encrypting Your Database ..... 507
14.3.1 SAP HANA Data Volume Encryption ..... 508
14.3.2 Oracle Transparent Data Encryption ..... 511
14.3.3 MSSQL Server ..... 511
14.4 Summary ..... 511

15 Infrastructure Security 513

15.1 Business Secure Cell Concept ..... 514
15.2 Secure Landscape ..... 515
15.3 Policy ..... 519
15.3.1 Establishing Security Policy ..... 521
15.3.2 Starting Points for Your Policy ..... 523
15.3.3 Further Policies ..... 525
15.3.4 Adopting Policy ..... 525
15.3.5 Auditing and Reviewing Policy ..... 526
15.4 Operating System Considerations ..... 527
15.4.1 General Linux Recommendations ..... 528
15.4.2 Microsoft Windows ..... 530
15.4.3 Operating System Users ..... 531

15.4.4 Viruses and Malware ..... 531
15.4.5 Application Server File System ..... 539
15.5 Monitoring ..... 540
15.5.1 OS Logs ..... 540
15.5.2 Application Logs ..... 540
15.5.3 Certificate Revocation Lists ..... 541
15.6 Virtualization Security Considerations ..... 553
15.7 Network Security Considerations ..... 555
15.7.1 Auditing Using Vulnerability Scanners ..... 556
15.7.2 Network Intrusion Detection ..... 558
15.7.3 Firewall ..... 559
15.7.4 Load Balancing ..... 559
15.8 Physical Security ..... 560
15.9 Summary ..... 561

The Authors ..... 563

Index ..... 565

Index
2FA ..... 280

A

ABAP debugger ..... 267
ABAP Program Editor ..... 70
ABAP support packages ..... 99
ABAP system identifier ..... 300
ABAP Workbench ..... 251
Access control ..... 433, 523
Access Control List (ACL) ..... 411, 469
Access Request Management ..... 274
ACL ..... 376, 418, 473
  file syntax ..... 419
  syntax ..... 419
  trace files ..... 422
Active Directory Domain Services ..... 297
Adversaries ..... 30
ALG logs ..... 422
ALV Grid Display ..... 400
ALV list ..... 130
Application logs ..... 540
Application-level gateways ..... 414
Application-level proxies ..... 414
ASCS profile ..... 49
Assertions ..... 282
Authorization (Cont.)
  redesign ..... 269
  trace ..... 180
Authorization checks ..... 169
  exceptions ..... 171
  maintain ..... 173
  TSTCA check ..... 169
Authorization object ..... 169
  maintenance ..... 197
  status ..... 198
Authorizations ..... 71, 115, 167

B

Background jobs ..... 251
Basis ..... 43
Basis administrator ..... 21
Botnets ..... 29
BR*Tools ..... 502
Brute force attack ..... 29, 159
Business Process Change Analyzer ..... 357
Business Role Management ..... 274
Business secure cell ..... 415, 514
Asymmetric communication .......................... 442 CA ................................................................................ 445
Asymmetric encryption ........................... 439, 442 Call transaction ..................................................... 237
Attack surface ........................................... 26, 41, 489 CA-signed certificates ......................................... 371
Attack vector .................................................... 41, 513 Central User Administration (CUA) ..... 147, 275
Audit logs ................................................................. 540 Certificate Authority ........................................... 444
Audit regulations .................................................. 522 Certificate revocation list .................................. 541
Auditing .......................................................... 379, 524 Certificate signing request ....................... 290, 429
Audits ........................................................................... 42 Certificates .............................................................. 282
Authentication ...................................................... 523 block ...................................................................... 551
Authentication servers ....................................... 282 Change documents .............................................. 129
authfile ...................................................................... 477 Change management .......................................... 524
Authorization Change Request Management
cleanup ................................................................. 269 (ChaRM) ...................................................... 357, 519
data ............................................................. 171, 271 Channels .................................................................. 404
download ............................................................ 249 ChaRM .............................................................. 357, 519
profiles ........................................................ 115, 125 Child role .................................................................. 207

565
Index Index

Cipher ........................................................................ 435 CVSS ............................................................................ 345 E I


recommendation ............................................. 453 score ....................................................................... 346
Cipher suite ............................................................. 436 Educating ................................................................. 525 IBM Tivoli Endpoint Manager ......................... 527
ClamAV scanner .................................................... 532 D Emergency Access Management .................... 275 ICF service authentication ................................ 338
Client settings ........................................................... 81 Enabler role ............................................................. 182 ICM ................................................. 418, 468, 473, 494
changing ................................................................ 87 Data breach ................................................................ 27 Encryption ..................................................... 411, 433 permissions file syntax .................................. 476
check ........................................................................ 81 Data security ........................................................... 523 asymmetric ......................................................... 439 security parameters ........................................ 469
fields ......................................................................... 83 Database ................................................................... 489 inverse relationship ......................................... 439 service ................................................................... 339
locking ..................................................................... 89 backup .................................................................. 493 key pairs ............................................................... 439 Web Administration Interface .................... 469
restrictions ............................................................ 85 client ...................................................................... 491 protocols .............................................................. 446 icmon ........................................................................ 477
transport request ................................................ 89 data manipulation .......................................... 492 symmetric ........................................................... 437 IDocs .......................................................................... 150
Client-dependent .................................................... 80 default password .............................................. 492 Encryption keys ..................................................... 436 IFRS ............................................................................. 380
Client-independent ................................................ 80 hardening ............................................................ 490 private .................................................................. 437 Infrastructure security ....................................... 513
Clients .......................................................................... 79 management consoles ................................... 494 Enhancement packages ...................................... 342 Integrity protection ............................................. 390
000 .................................................................... 80, 85 network ................................................................ 491 Enqueue replication server .................................. 49 Interdatabase communications ..................... 491
001 ............................................................................ 80 password .............................................................. 500 Enterprise PKI tools ............................................. 541 Intermediary CA ................................................... 445
066 ............................................................................ 80 patching ............................................................... 490 ERS profile ................................................................... 49 Intermediate certificate ..................................... 542
locking ..................................................................... 89 user ......................................................................... 127 EXT kernel ................................................................ 108 Internal audits ....................................................... 381
remote locking ..................................................... 89 user accounts ..................................................... 492 Internal threat .......................................................... 31
settings .................................................................... 81 Database encryption ............................................ 507 F International Telecommunications
table T000 ............................................................. 80 MSSQL ................................................................... 511 Union’s Standardization sector ................. 446
Clock skew tolerance ........................................... 317 Oracle .................................................................... 511 Firefighter ID ................................................ 117, 275 Internet Connection Manager (ICM) ............ 433
CN ............................................................................... 429 SAP HANA ............................................................ 508 Firewall ...................................................................... 412 Internet of Things ................................................ 555
Common Cryptographic Library ............. 95, 434 Database table, reorganize ................................ 393 configuration ..................................................... 559 IP bans ....................................................................... 556
Common name ..................................................... 443 DDIC ........................................................................... 155 deny/accept logs .............................................. 422
Common Vulnerability Scoring System ..... 344 DDIC user .................................................................. 367 Fraud ................................................................... 28, 490 K
CommonCryptoLib ................... 95, 102, 286, 354, DDoS ............................................................................. 29 Functional role ....................................................... 182
434, 449 Default users ........................................................... 154 Kerberos ................................................ 280, 285, 300
upgrading ........................................................... 103 Demilitarized zone ............................................... 414 G authentication servers ................................... 282
versions ................................................................ 102 Derived role ................................................... 181, 207 set up .................................................................... 296
Communications security ................................ 523 Dialog transactions .............................................. 229 GAAS .......................................................................... 380 SSO ................................................................ 296, 305
Composite role ............................................. 182, 204 Dialog user ..................................................... 116, 139 GDPR ....................................................... 167, 383, 404 SSO troubleshooting ....................................... 306
Configuration validation .................................. 357 Digital certificate ................................................... 443 token ..................................................................... 283
Corporate espionage ........................................... 489 public key ............................................................. 444 H Kernel ................................................................. 94, 181
Cost of security ......................................................... 37 signature .............................................................. 444 compatibility ........................................................ 98
CPIC ............................................................................ 117 Disaster recovery .................................................. 517 Hardening ......................................................... 41, 514 components .......................................................... 95
CRL .............................................................................. 542 Disruption ................................................................ 490 Hardware load balancers ................................... 483 core ........................................................................... 94
checks ................................................................... 552 Distinguished name ............................................. 444 HDB User Store ...................................................... 499 download ............................................................ 107
expirations ......................................................... 548 Distributed denial of service .............................. 29 Heartbleed attack .................................................. 434 DW package .......................................................... 94
Cryptography ......................................................... 433 Distribution parameters .................................... 149 HMAC ........................................................................ 390 DW.SAR ................................................................... 94
CSR ..................................................................... 290, 429 DMZ ............................................................................ 414 key .......................................................................... 390 executable .............................................................. 99
SAP Single Sign-On .......................................... 291 Domain controller ................................................ 360 Host policy .............................................................. 525 EXT ......................................................................... 108
CUA ............................................................................ 147 DW package ........................................................ 94, 98 HTTP protocol ........................................................ 424 extended maintenance .................................. 108
background jobs .............................................. 150 DW.SAR ........................................................ 94, 98, 105 HTTPS ........................................................................ 411 location ................................................................ 110
master system ................................................... 149 Dynamic parameters ............................................. 54 Hypervisor ............................................................... 554 patch level .............................................................. 98
tables .................................................................... 151 patching ................................................................. 96

566 567
Index Index

Kernel (Cont.) Message server ....................................................... 420 P R


release level ........................................................... 97 Message Server Monitor .................................... 420
release notes ......................................................... 96 Metasploit ......................................................... 31, 489 P4 protocol .............................................................. 424 R/3 ................................................................................. 21
selecting ............................................................... 107 Microsoft Active Directory ............ 281, 297, 302 Package RAL .................................................................... 379, 404
three-tier approach ......................................... 106 Federation Services .......................................... 282 disp+work ........................................................ 94, 98 RDBMS ...................................................................... 507
update ........................................................... 97, 104 server ..................................................................... 285 PAM ........................................................... 98, 106, 527 Read Access Logging ............................................ 379
upgrade ........................................................ 97, 111 Microsoft HyperV ................................................. 553 Parameter Red Hat Satellite .................................................... 527
utilities ........................................................ 109, 362 Microsoft SQL Server ........................................... 504 application area .................................................. 51 Reference user ....................................................... 117
version check ..................................................... 100 Microsoft Windows .................................... 503, 530 name ........................................................................ 51 Regression testing ................................................ 354
versions ................................................................... 99 Microsoft WSUS ..................................................... 527 transactions ....................................................... 229 Report
Kernel upgrade ...................................................... 111 Monitoring .............................................................. 540 value ......................................................................... 51 authorizations .................................................. 250
testing .................................................................. 111 Mounted directories ............................................ 361 Parameters .............................................................. 124 transactions ....................................................... 229
Key distribution center ...................................... 285 MSSQL ........................................................................ 504 Parent role ............................................................... 207 Report PFCG_ORGFIELD_CREATE ................. 203
Password .................................................................. 158 Report RSPARAM ..................................................... 56
L N change policy ..................................................... 161 Report RSUSR_DELETE_USERDOCU ............. 119
manager .............................................................. 162 Report RSUSR0003 ............................................... 156
LDAP ................................................................. 281, 424 Naming convention ............................................. 139 policy ........................................................................ 29 Report RSUSR008_009_NEW .................. 164, 407
Licensing classification ...................................... 127 roles ........................................................................ 188 resets ..................................................................... 123 Report RSUSR300 .................................................. 305
Lightweight Directory Access Protocol ....... 281 Nessus scanner ....................................................... 557 Patch Day Security Notes .................................. 344 Report S_TRUST_DOWNLOAD_CRL ............. 547
Linux ................................................................ 503, 528 Network access control ....................................... 412 Patching ............................................................. 35, 341 Report SU24_AUTO_REPAIR. ........................... 266
Load balancers ....................................................... 559 Network intrusion detection ............................ 558 Perimeter security ................................................... 35 RFC ........................................................... 117, 252, 379
Locked transactions Network security ................................................... 555 Permissions file syntax ...................................... 476 hardening ........................................................... 269
export ...................................................................... 78 strategy ................................................................ 411 Personal security environment ............ 291, 450 redesign ............................................................... 269
print .......................................................................... 78 Network Time Protocol ....................................... 317 Personalization objects ...................................... 126 users ...................................................................... 139
view .......................................................................... 76 Network vulnerability scanner ........................ 556 Phishing ................................................................ 27, 36 Risk ................................................................................ 37
Locking transactions .............................................. 73 Networking .............................................................. 491 spear .................................................................. 27, 36 Role
Log data NW-VSI ...................................................................... 532 Physical infrastructure .......................................... 36 assignments ....................................................... 136
administration ................................................. 389 Physical security ............................................ 36, 560 derivation ........................................................... 181
archived ............................................................... 396 O PKCS7 format certificate .................................... 293 design ................................................................... 180
evaluate ............................................................... 393 POODLE attack ....................................................... 434 maintenance ...................................................... 197
Log files ..................................................................... 422 OASIS Security Services Technical Positive authorization ........................................ 115 versioning ........................................................... 217
reorganize ........................................................... 392 Committee .......................................................... 309 Privacy violations .................................................... 27 Role menu ............................................................... 216
Logging ..................................................................... 379 Object-oriented transactions ........................... 229 Product Availability Matrix ................................. 98 comparison ........................................................ 216
Login profile parameters ................................... 162 Operational security .............................................. 35 Profile Generator ........................................ 169, 192 Roles .................................................................. 125, 168
Logon language ..................................................... 123 Operations ................................................................. 41 Profile parameters ......................................... 45, 161 assign .................................................................... 219
Logs, analyze .......................................................... 400 OR connector .......................................................... 387 database editing .................................................. 53 composite role .................................................. 168
OR linked .................................................................. 387 key parameters .................................................... 64 derived role ......................................................... 168
M Oracle database ...................................................... 500 table TPFET ............................................................ 52 mass assignment ............................................. 220
Oracle RDBMS ......................................................... 503 Profiles ............................................................ 125, 168 naming convention ........................................ 188
Malware .................................................................... 531 Oracle Transparent Data Encryption ............ 511 mass generation ............................................... 214 remove ................................................................. 219
Man-in-the-middle attack .......................... 33, 438 Org levels .................................................................. 201 standard .............................................................. 228 single role ............................................................ 168
Mass user comparison ....................................... 215 Org values ................................................................ 201 PSE ................................................. 291, 292, 450, 543 Rolling kernel switch ........................................... 114
Master role .............................................................. 207 Organizational unit .............................................. 297 Public key ................................................................. 444 Root CA ..................................................................... 445
maintenance ..................................................... 211 Organizational values ......................................... 201
MCOD ........................................................................ 415 OS logs ....................................................................... 540

568 569
Index Index

S SAP Note (Cont.) Service user ............................................................. 117 SSO (Cont.)


severity ................................................................. 343 firefighter ID ....................................................... 117 implementation ............................................... 283
S_A.DEVELOP ......................................................... 228 transporting ....................................................... 352 SGEN .......................................................................... 112 service providing systems ............................ 282
S_A.SYSTEM ............................................................ 228 SAP packages ............................................................. 99 SID ........................................................................ 79, 300 service users ....................................................... 283
SAL .............................................................................. 382 SAP Passport ............................................................ 284 SIDADM ............................................................. 46, 102 strategy ................................................................ 280
versions ................................................................ 383 SAP S/4HANA .......................................................... 127 Simple and Protected GSS-API Standard profiles .................................................. 228
SAML ....................................................... 280, 286, 309 SAP Secure Login Client ............................ 285, 305 Negotiation Mechanism ............................... 285 Standard users ....................................................... 154
assertion ..................................................... 283, 311 SAP security Single role ...................................................... 181, 192 Subnet ....................................................................... 415
authentication .................................................. 518 administrator ....................................................... 22 SNC ....................................... 122, 286, 371, 411, 423 Suggested client settings ...................................... 85
    identity provider, 310, 319
    logon, 311
    service provider, 310
    setup, 312
    testing, 331
SAML 2.0, 284, 286
    SAP Fiori, 286
SAML 2.0 authentication
    disable, 336
SAP administrator, 22
SAP Cloud Platform Identity Authentication, 319, 331
SAP EarlyWatch Alert, 355
    reporting, 355
SAP Easy Access, 194
SAP Fiori, 286, 339
SAP GRC
    Action Usage Report, 271
SAP GRC Access Control, 117, 152, 167, 188, 271, 273
SAP HANA, 494, 501, 528
    HDB User Store, 498
SAP HANA Studio, 498
SAP HANA XS, 494
SAP Identity Management, 152, 188
SAP landscape, 359, 515
SAP Logon Tickets, 284, 285
SAP MaxDB, 501
SAP NetWeaver AS ABAP, 25
SAP NetWeaver AS ABAP 7.5, 22
SAP NetWeaver AS Java, 22
SAP NetWeaver Virus Scan Interface, 532
SAP NetWeaver, ports, 417
SAP Note, 341
    digitally signed, 349
    implementation, 350
    revert, 348
    audit, 245
SAP Security Patch Day, 344
SAP Single Sign-On, 123, 283
SAP Solution Manager, 347, 354, 519
    7.2, 356
SAP Support Portal, 343
SAP Web Dispatcher, 414, 479, 481, 559
    administration console, 484
    parameters, 484
SAP_ALL, 118, 168, 228, 374, 518
SAP_NEW, 228, 518
SAP*, 154
sapcpe, 110
SAPEXEDB.SAR, 109
SAPLOGON client, 305
sapmnt, 51
SAPOSS RFC, 349
SAProuter, 414, 424
    all connections, 428
    documentation, 425
Sarbanes-Oxley Act, 167
SCCR_LOCK_CLIENT, 89
SCCR_UNLOCK_CLIENT, 91
Screening rule, 471
Secure landscape design, 517
Secure Network Communication (SNC), 122
Secure Storage in File System, 500
Security administrator, 40
Security Assertion Markup Language (SAML), 286
Security audit log, 379
Security parameters, 140
Security planning, 41
Security policy, 521
Segregation of duties (SoD), 29
Service security, 417
    certificate signed, 429
    debug, 296
    encryption, 416, 424
    personal security environment, 291
    PSE, 450
    SAPCryptolib, 292
    SAPCryptoLib PSE, 293
Socket Secure Layer, 446
SoD, 29, 42, 163, 167
    auditing, 29
    management process, 275
Software Update Manager, 341
SOX, 380
SP stack kernel, 99
    release, 99
Spear phishing, 27, 36
SPNEGO, 285
    set up, 296
SQL server, 505
    Transparent Data Encryption, 511
SQL TDE, 511
SSAE 16, 561
SSCM, 527
SSFS, 500
SSL
    audit, 462
    certificate, 445
    termination, 486
SSL certificate installation, 465
    testing, 467
SSL/TLS, 416, 423, 451
    enable, 451
SSO, 279
    adoption project, 283
    components, 281
    directory services, 281
    identity provider systems, 282
SUM, 341
Support package, 344, 360
    Security Notes, 344
    upgrade, 260
SUSE Linux, 528
SUSE Manager, 527
Sybase ASE, 501
Symmetric encryption, 437, 442
System
    administrator, 22
    log, 396
    upgrade, 342
    user, 116
System parameters, 45
    access, 66
    audits, 66
    setting, 59
    static and dynamic, 53
    viewing and setting, 55
System profiles, 47
    comments, 50
    database level, 52
    default profile, 48
    instance profile, 47
    operating system level, 51
    other profiles, 49
    structure, 49
    viewing properties, 54
System trace, 175
    authorizations, 176
    return codes, 177

T

Table access, 493
Table authorizations, 239
    audits, 245
    cross-client, 241
    groups, 240
    line-oriented, 241
Table logging, 398
Table T000, 80
Table views, 245
TDMS, 518
Tenable Network Security, 557
Test Data Migration Server, 518
The Onion Concept, 34
Thierry Zoller, 462
Threat vector, 26
Three-tier landscape, 280, 516
Ticket-granting ticket, 285
TLS, 446
TLS/SSL
    PSE, 455
    testing, 460
TMS, 116, 359
    authorizations, 373
    configuration, 363
    default passwords, 367
    Linux, 376
    RFC connections, 370
    route, 359
    SNC-protected RFC, 371
    user roles, 374
    users, 367
TMSADM user, 367
Tokens, 282
Trace data, 179
    reuse, 179
Transaction
    access control, 69
    administrative, 72
    AUTH_SWITCH_OBJECTS, 264
    CAT6, 73
    CATS, 73
    CRCONFIG, 545
    dialog, 229
    F110, 73
    FK03, 172, 184, 198
    locking, 69, 221
    MIRO, 73
    MMPV, 73
    MMRV, 73
    object-oriented, 229
    OKP1, 73
    PA20, 73
    PA30, 73
    parameter, 229
    PFCG, 122, 164, 168, 192
    PFCGMASSVAL, 257
    report, 229
    RSAU_ADMIN, 389
    RSAU_CONFIG, 385
    RSAU_READ_LOG, 393
    RZ10, 54, 56, 59, 453
    RZ11, 56, 58
    SA38, 72
    SAFC, 254
    SAML2, 316
    SCC1, 72
    SCC4, 81, 234
    SCC5, 72
    SCOT, 231
    SCU3, 399
    SCUM, 149
    SE01, 72
    SE10, 89
    SE11, 72
    SE16, 153, 160, 240
    SE16N, 240
    SE17, 160, 240
    SE37, 89
    SE38, 70, 72, 368
    SE93, 170
    SE97, 237
    SECPOL, 140
    SGEN, 112
    SHD0, 232
    SICF, 460
    SICK, 111
    SM01, 73
    SM01_CUS, 73, 221, 384
    SM01_DEV, 73, 221
    SM21, 111, 397
    SM30, 72, 147, 160, 240
    SM31, 240
    SM49, 72
    SM50, 111
    SM51, 111
    SM59, 252, 349
    SMICM, 468
    SMMS, 420
    SNCWIZARD, 286, 287, 300
    SNOTE, 348
    SPAM, 341
    SQ00, 252
    SQVI, 251
    SRALMANAGER, 404
    SSFA, 541
    SSM2, 123
    ST01, 179
    ST03N, 403
    ST22, 111
    STAD, 178
    STAUTHTRACE, 176
    STMS, 69, 72, 361, 372
    STRUST, 102, 289, 449, 543
    STUSOBTRACE, 180
    SU01, 118, 122, 171
    SU03, 169
    SU10, 72, 122, 131
    SU21, 72, 169
    SU22, 260
    SU24, 72, 173, 192, 198
    SU3, 124
    SU53, 172
    SU56, 118, 173
    SUGR, 145
    SUIM, 221, 354, 380, 406
    SUPC, 214
    SW37, 72
    variant, 229
    VSCAN, 535
Transport, 360
    administrator, 375
    domain, 360
    layer, 423
    operator, 375
    viewer, 375
Transport Layer Security, 446
Transport Management System (TMS), 69, 116, 359
Treble control, 164
Trust chain, 445
Trust Manager, 290, 449
TSTC check, 169
Two-factor authentication (2FA), 280

U

Upgrade management, 524
Usage and procedure logging, 357
User
    access reviews, 156
    change documents, 129
    change role assignments, 136
    classifications, 152
    copy, 128
    default settings, 123
    inactive, 157
    licensing, 153
    log on verification, 160
    mass comparison, 215
    mass processing, 131
    naming conventions, 139
    operations, 135
    search by logon, 133
    tables, 153
User administration, 145
User buffer, 118, 173
User classification, 127
User directory, 281
User groups, 145
User ID, 115
    cryptic, 139
User information system, 217, 382, 406
User master record, 115, 118, 145
User master table, 151
User types, 115
    default, 154
    dialog users, 139
    RFC users, 139

V

Value role, 182
Variant transactions, 229
Viewing and setting parameters, Report RSPARAM, 56
Virtual LAN, 556
Virtual machine escape, 554
Virtual machines, 554
Virtualization, 553
Virus scan definitions, 537
Virus Scan Interface, 532
Viruses, 531
VMware ESX, 553
VMware Go, 527
Vulnerability scanner, 557

W

wdispmon, 477
Web Dispatcher, 433
Windows authentication mode, 505
Windows domain controller, 530
Workload Monitor, 382, 403

X

X.509 certificates, 279, 280, 284, 446
XAMS, 272
Xen hypervisor, 553
Xiting Authorizations Management Suite, 272
Joe Markgraf is a senior cloud architect and advisor for SAP HANA Enterprise Cloud at SAP. Before joining SAP he worked as a Basis and security administrator, contributing to both small- and large-scale SAP system implementations. He holds a business degree with a focus on information system management from Oregon State University. He enjoys playing vintage video games and shooting sports with his family in Washington State.

Alessandro Banzer is the Chief Executive Officer of Xiting, LLC. He has worked in information technology since 2004, specializing in SAP in 2009. Since then, Alessandro has been involved with global SAP projects in various roles. Alessandro is an active contributor and moderator in the Governance, Risk, and Compliance space on SAP Community, as well as a speaker at SAPPHIRE, ASUG, SAPInsider, and other SAP-related events. He holds a degree in business information technology, as well as an executive master of business administration from Hult International Business School in London, UK.

Joe Markgraf and Alessandro Banzer, SAP System Security Guide, 574 pages, 2018, $79.95, ISBN 978-1-4932-1481-5, www.sap-press.com/4307

We hope you have enjoyed this reading sample. You may recommend or pass it on to others, but only in its entirety, including all pages. This reading sample and all its parts are protected by copyright law. All usage and exploitation rights are reserved by the author and the publisher.
