SAP Security

About the Tutorial

SAP Security is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. It covers the available authentication methods, database security, network and communication security, protection of the standard users, and other best practices that should be followed in maintaining your SAP environment.

In an SAP distributed environment there is always a need to protect your critical information and data from unauthorized access. Human error and incorrect access provisioning should not lead to unauthorized access to the system, and the profile policies and system security policies in your SAP environment need to be maintained and reviewed.

Audience

This tutorial is suitable for professionals who have a good understanding of SAP Basis tasks and a basic understanding of system security. After completing this tutorial, you will have a moderate level of expertise in implementing the security concepts in an SAP system.

Prerequisites

Before you start with this tutorial, we assume that you are well versed in SAP Basis activities: user creation, password management, and RFCs. In addition, you should have a basic understanding of security terms in the Windows and UNIX environments.

Copyright & Disclaimer

Copyright 2018 by Tutorials Point (I) Pvt. Ltd.

All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited from reusing, retaining, copying, distributing or republishing any contents or part of the contents of this e-book in any manner without written consent of the publisher.

We strive to update the contents of our website and tutorials as timely and as precisely as possible; however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents, including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at [email protected]

Table of Contents

About the Tutorial
Audience
Prerequisites
Copyright & Disclaimer
Table of Contents
1. SAP Security – Overview
   Why is Security Required?
2. SAP Security – User Authentication & Management
   Authentication Mechanism in a SAP System
   User Management Tools in a SAP System
   Password Policy
   Illegal Passwords
   Profile Parameters
3. SAP Security – Network Communication Security
   Network Topology in a SAP System
   SAP Network Services
   Private Keys
4. SAP Security – Protecting Standard Users
   How to See the List of Clients in a SAP System?
   How to Change the Password of a Standard User?
5. SAP Security – Unauthorized Logon Protections
   Logging off Idle Users
6. SAP Security – System Authorization Concept
   User Types
   Creating a User
   Central User Administration (CUA)
   Protecting Specific Profiles in SAP
   PFCG
   Role Maintenance
   Creating Roles in PFCG
   Transporting and Distributing Roles
   Authorization Info System Transaction – SUIM
7. SAP Security – UNIX Platform
8. SAP Security – Windows Platform
9. SAP Security – Databases
   Oracle Standard Users
   Password Management for DB Users
10. SAP Security – User Authentication & Single Sign-On
   SAP Single Sign-On Concept
11. SAP Security – Logon Tickets

1. SAP Security – Overview

In an SAP distributed environment there is always a need to protect your critical information and data from unauthorized access. Human error and incorrect access provisioning should not lead to unauthorized access to any system, and the profile policies and system security policies in your SAP environment need to be maintained and reviewed.

To make the system secure, you should have a good understanding of user access profiles, password policies, data encryption and the authorization methods to be used in the system. You should regularly check the SAP system landscape and monitor all changes made to configuration and access profiles.

The standard super users should be well protected, and user profile parameters and values should be set carefully to meet the system security requirements.

While communicating over a network, you should understand the network topology, and network services should be reviewed and enabled only after careful checks. Data on the network should be protected by encryption, and the private keys that the encryption relies on must themselves be well protected.

Why is Security Required?

When information is accessed in a distributed environment, critical information and data may be exposed to unauthorized access and system security may be broken, whether through a lack of password policies, standard super users that are not well maintained, or other reasons.

A few key reasons for breaches of access in an SAP system are as follows:

- Strong password policies are not maintained.
- Standard users, super users and DB users are not properly maintained and their passwords are not changed regularly.
- Profile parameters are not correctly defined.
- Unsuccessful logon attempts are not monitored and no policy for ending idle user sessions is defined.
- Network communication security is not considered while sending data over the internet, and no encryption keys are used.
- Database users are not maintained properly and no security measures are considered while setting up the information database.
- Single Sign-On is not properly configured and maintained in the SAP environment.

To overcome all of the above, you need to define security policies in your SAP environment. Security parameters should be defined, and password policies should be reviewed at regular intervals.

Database security is one of the critical components of securing your SAP environment, so you need to manage your database users and see to it that their passwords are well protected.

The following security mechanisms should be applied to protect the SAP environment from unauthorized access:

- User authentication and management
- Network communication security
- Protecting standard users and super users
- Unsuccessful logon protections
- Profile parameters and password policies
- SAP system security on the UNIX and Windows platforms
- Single Sign-On concept

So, security in an SAP system is required in a distributed environment, and you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. In an SAP system, human error, negligence, or attempted manipulation of the system can result in loss of critical information.

2. SAP Security – User Authentication & Management

If an unauthorized user can access the SAP system under the identity of a known authorized user, that attacker can make configuration changes and manipulate the system configuration and key policies. Likewise, a user who is authorized for important data and information in one system can often reach other critical information as well. This is why secure authentication matters: it protects the confidentiality, integrity and availability of the system and its data.

Authentication Mechanism in a SAP System

The authentication mechanism defines the way you access your SAP system. The following authentication methods are provided:

- User IDs and user management tools
- Secure Network Communication (SNC)
- SAP logon tickets
- X.509 client certificates

User IDs and User Management Tools

The most common method of authentication in an SAP system is logging in with a username and password. The user IDs used to log in are created by the SAP administrator. To make username/password authentication secure, you need to define password policies that do not allow users to set easily predicted passwords.

SAP provides various profile parameters that you should set to define the password policy: minimum password length, password complexity (required digits, letters and special characters), forced change of initial passwords, password expiry, and so on.
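The password policy lives in the login/* profile parameters, and the list of forbidden passwords lives in table USR40, so both can be audited offline before a user ever logs in. The following is an added example written for this tutorial; it is not SAP code and not code from the tutorial itself. It parses a constructed profile excerpt written in SAP's own "key = value" profile syntax, reports every parameter that misses an assumed hardening baseline, and then checks candidate passwords against the parsed policy and a constructed set of USR40-style patterns. The parameter names are real SAP profile parameters; the baseline numbers, the profile contents, the pattern list and the assumption that USR40 matching is case-insensitive are assumptions made for the example.

```python
"""Audit the login/* password-policy profile parameters and test a password.

Added example for this tutorial; it is not SAP code. The profile excerpt,
the baseline numbers and the USR40-style patterns are constructed here for
illustration. Parameter names are real SAP profile parameters; the baseline
values are one assumed hardening target, not an SAP default.
"""
import re

# Constructed excerpt of an instance profile (same "key = value" syntax SAP uses).
SAMPLE_PROFILE = """
# constructed sample, not taken from a real system
login/min_password_lng = 6
login/min_password_digits = 0
login/min_password_letters = 1
login/min_password_specials = 0
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/fails_to_session_end = 3
login/no_automatic_user_sapstar = 0
"""

# Assumed baseline: parameters that must be at least (MIN) or at most (MAX) a value.
BASELINE_MIN = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/no_automatic_user_sapstar": 1,  # 1 blocks the automatic SAP* fallback login
    "login/password_expiration_time": 1,   # 0 means passwords never expire
}
BASELINE_MAX = {
    "login/fails_to_user_lock": 5,     # lock the user after this many failed logons
    "login/fails_to_session_end": 3,   # end the logon dialog after this many failures
}

# Constructed stand-ins for USR40 entries; '*' and '?' are the only wildcards.
ILLEGAL_PATTERNS = ["*SAP*", "PASS*", "????2024", "WELCOME?"]


def parse_profile(text):
    """Parse 'key = value' profile lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def audit_profile(params):
    """Return one finding per parameter that misses the assumed baseline."""
    findings = []
    for key, floor in BASELINE_MIN.items():
        if key not in params:
            findings.append(f"{key} not set (kernel default applies)")
        elif int(params[key]) < floor:
            findings.append(f"{key}={params[key]} is below {floor}")
    for key, ceiling in BASELINE_MAX.items():
        if key not in params:
            findings.append(f"{key} not set (kernel default applies)")
        elif int(params[key]) > ceiling:
            findings.append(f"{key}={params[key]} is above {ceiling}")
    return findings


def usr40_to_regex(pattern):
    """Translate a USR40 pattern into a full-match regex (assumed case-insensitive)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def check_password(password, params, patterns=ILLEGAL_PATTERNS):
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    def p(key, default):
        return int(params.get(key, default))

    violations = []
    if len(password) < p("login/min_password_lng", 6):
        violations.append("shorter than login/min_password_lng")
    if sum(c.isdigit() for c in password) < p("login/min_password_digits", 0):
        violations.append("fewer digits than login/min_password_digits")
    if sum(c.isalpha() for c in password) < p("login/min_password_letters", 0):
        violations.append("fewer letters than login/min_password_letters")
    if sum(not c.isalnum() for c in password) < p("login/min_password_specials", 0):
        violations.append("fewer specials than login/min_password_specials")
    for pat in patterns:
        if usr40_to_regex(pat).match(password):
            violations.append(f"matches illegal pattern {pat}")
    return violations


if __name__ == "__main__":
    params = parse_profile(SAMPLE_PROFILE)
    for finding in audit_profile(params):
        print("finding:", finding)
    for pw in ("sapadmin1", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, params) or "ok")
```

Run against the constructed profile, the audit flags five parameters (length, digits, specials, expiry and the SAP* fallback are all at their permissive values), and "sapadmin1" is rejected only because it matches the *SAP* pattern, which shows why USR40 patterns matter even when the numeric rules pass. In a real landscape you would feed this the values shown by transaction RZ11 or the instance profile on the application server.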

User Management Tools in a SAP System

The SAP NetWeaver system provides various user management tools that can be used to manage users effectively in your environment. They provide strong authentication methods for both types of NetWeaver Application Server: Java and ABAP.

Some of the most common user management tools are:

User Management for ABAP Application Server (Transaction Code: SU01)

You can use the user management transaction SU01 to maintain users on your ABAP-based application servers.

SAP NetWeaver Identity Management

You can use SAP NetWeaver Identity Management for user management as well as for managing roles and role assignments in your SAP environment.

PFCG Roles

You can use the profile generator PFCG to create roles, assign authorizations to them, and assign the roles to users in ABAP-based systems.

Transaction Code: PFCG

Central User Administration

You can use Central User Administration (CUA) to maintain users for multiple ABAP-based systems from one place. You can also synchronize it with your directory servers. Using this tool, you manage all user master records centrally from the client of the central system and distribute them to the connected child systems.

Transaction Code: SCUA (used to create the distribution model)

User Management Engine (UME)

You can use UME roles to control user authorization in the Java system. An administrator builds access rights from UME actions, which are the smallest entity of a UME role that can be granted to a user.

You can open the UME administration console from SAP NetWeaver Administrator.

Password Policy

A password policy is a set of rules that users must follow to improve system security by using strong passwords and by using them properly. In many organizations the password policy is shared as part of security awareness training, and users are required to follow it to protect the organization's critical systems and information.

Using password policy in a SAP sys