Table of Contents

Preface .... 17
Target Audience .... 17
How This Book Is Organized .... 18
Acknowledgments .... 22

PART I Application-Level Security .... 23
1 User Management .... 25
1.1 Types of SAP User IDs .... 26
1.2 SAP Standard Accounts .... 28
1.3 Transaction SU01: Managing User Account Lifecycle .... 29
1.4 Transaction SU10: Managing User Accounts in Bulk .... 42
1.4.1 Selecting Users .... 42
1.4.2 Actions for the Selected Users .... 46
1.5 User Groups .... 49
1.6 Tables Related to User Management .... 50
1.7 Securing Passwords .... 51
1.7.1 Password-Related SAP Hash Tables .... 52
1.7.2 The Logon Process .... 52
1.7.3 Password-Related System Parameters .... 53
1.7.4 Table USR40: Obviating Obvious Passwords .... 55
1.7.5 Some Recommendations to Secure Passwords .... 55
1.8 Transaction SUIM: The SAP User Information Management Reports .... 57
1.9 Change Documents for Users .... 66
1.10 Security Policies .... 67
1.11 Miscellaneous User Management Topics .... 70
1.11.1 User Naming Conventions .... 70
1.11.2 User Buffer .... 71
1.11.3 Inactive Users .... 72
1.12 Summary .... 72
2 User Authentication .... 73
2.1 The Single Sign-On Concept .... 75
2.1.1 Single Sign-On Components .... 76
2.1.2 Single Sign-On Adoption Project .... 78
2.2 Single Sign-On Technologies for SAP .... 79
2.2.1 Kerberos .... 79
2.2.2 SPNEGO .... 82
2.2.3 SAML .... 83
2.2.4 OAuth 2.0 and OpenID Connect .... 86
2.2.5 X.509 Certificate .... 89
2.3 Setting Up a Service Provider .... 90
2.3.1 Setting Up SAML Using Transaction SICF .... 90
2.3.2 Enabling ABAP Application Server as a SAML 2.0 Service Provider .... 93
2.4 SAP Solutions for Single Sign-On .... 95
2.4.1 SAP Single Sign-On 3.0 .... 96
2.4.2 SAP Secure Login Service for SAP GUI .... 98
2.5 Summary .... 99
3 Authorizations and Role Design .... 101
3.1 SAP Authorization Concept .... 102
3.1.1 Authorization Objects .... 103
3.1.2 Authorization Profiles .... 107
3.1.3 Roles .... 110
3.1.4 Authorization Checks .... 111
3.2 The Role Concept .... 125
3.2.1 Role Lifecycle Management .... 126
3.2.2 Single Roles .... 128
3.2.3 Composite Roles .... 128
3.2.4 Master and Derived Roles .... 129
3.2.5 Enabler Roles .... 132
3.2.6 Naming Convention for Roles .... 134
3.2.7 Naming Conventions for SAP Fiori Catalogs, Spaces, and Pages .... 139
3.3 Transaction PFCG: The Profile Generator .... 140
3.3.1 Navigating Transaction PFCG .... 141
3.3.2 Creating a Single Role .... 147
3.3.3 Creating Composite Roles .... 152
3.3.4 Creating Master and Derived Roles .... 156
3.3.5 Working with Roles in Bulk .... 161
3.3.6 Comparing Role Menus .... 165
3.3.7 Displaying the Overview Status .... 166
3.3.8 Working with Role Versions .... 167
3.3.9 Assigning and Removing Roles .... 169
3.4 Mass Change of Field Values in Roles .... 171
3.5 More on Transaction Codes .... 173
3.5.1 Types of Transactions .... 173
3.5.2 Calling Transactions .... 176
3.5.3 Restricting Transactions .... 178
3.6 Spool-Related Authorizations .... 181
3.7 Checking Authorizations in ABAP Programs .... 182
3.8 Transaction SACF: Switchable Authorizations .... 185
3.9 Other Useful Authorizations .... 187
3.9.1 Table Access Authorizations .... 187
3.9.2 RFC Authorizations .... 189
3.9.3 Background Job Authorizations .... 191
3.9.4 Query Authorization .... 193
3.9.5 Report and Program Authorizations .... 194
3.9.6 Developer Authorization .... 196
3.9.7 Upload and Download Authorization .... 197
3.10 Summary .... 198
4 SAP Fiori Security .... 201
4.1 Core Foundations of SAP Fiori .... 202
4.1.1 Evolution of SAP Fiori .... 202
4.1.2 SAP Fiori Design Principles .... 203
4.1.3 SAPUI5 Framework .... 204
4.1.4 SAP Fiori Content Model .... 205
4.1.5 OData Services .... 205
4.1.6 SAP Fiori Launchpad .... 206
4.2 Types of SAP Fiori Apps .... 207
4.2.1 Transactional Apps .... 208
4.2.2 Analytical Apps .... 209
4.2.3 Object Pages .... 210
4.3 Managing Access to SAP Fiori Apps .... 210
4.3.1 Catalogs .... 210
4.3.2 Groups .... 217
4.3.3 Spaces and Pages .... 219
4.4 SAP Fiori Authorizations and Role Design .... 232
4.4.1 SAP Fiori Architecture .... 232
4.4.2 Technical Deployment Models .... 232
4.4.3 Role Management in Embedded Versus Central Hub Implementation .... 233
4.4.4 SAP Fiori Authorization Model .... 234
4.4.5 Analyzing SAP Fiori Apps in Roles .... 238
4.4.6 Useful Transactions in SAP Fiori .... 239
4.5 Summary .... 241
5 Client Security .... 243
5.1 Client Overview .... 244
5.2 Managing Clients .... 245
5.2.1 Creating a New Client .... 246
5.2.2 Modifying the Settings of a Client .... 250
5.2.3 Deleting a Client .... 251
5.3 Securing Clients .... 253
5.4 Summary .... 257
6 Kernel Security .... 259
6.1 Components of SAP Kernel .... 260
6.1.1 Tier 1 Components .... 261
6.1.2 Tier 2 Components .... 263
6.1.3 Tier 3 Components .... 266
6.2 SAP Cryptographic Library .... 267
6.2.1 Transaction STRUST .... 267
6.2.2 Configuration .... 268
6.2.3 Cryptographic Functions and Services .... 269
6.3 Updating the SAP Kernel .... 270
6.3.1 Kernel Versioning .... 270
6.3.2 Kernel Patching .... 273
6.4 Patch Management .... 277
6.4.1 SAP’s Patch Release Strategy .... 277
6.4.2 Basic Patching Units: SAP Notes .... 279
6.4.3 Applying Security Patches .... 280
6.5 Summary .... 285
7 ABAP Development Security .... 287
7.1 Common Threats and Vulnerabilities .... 288
7.1.1 Inadequate Access Control .... 288
7.1.2 Custom Code Vulnerabilities .... 289
7.1.3 Insecure Change and Transport Management .... 291
7.1.4 Insecure Interfaces .... 292
7.1.5 Insider Threats .... 293
7.2 Managing Access to the Development Environment .... 294
7.2.1 Development Environment Actors .... 294
7.2.2 Tools Used in the Development Environment .... 295
7.2.3 Segregation of Duties in the Development Environment .... 297
7.3 Secure Software Development Lifecycle in ABAP .... 300
7.3.1 SDLC Models .... 300
7.3.2 SSDLC for ABAP .... 302
7.4 Tools and Techniques for ABAP Security .... 304
7.4.1 Code Inspector .... 305
7.4.2 SAP Code Vulnerability Analyzer .... 307
7.4.3 ABAP Test Cockpit .... 308
7.5 Summary .... 310

PART II Database-Level Security .... 311
8 Database Security for SAP .... 313
8.1 Securing a Generic Database .... 314
8.1.1 Attack Vectors for a Database .... 314
8.1.2 Defending a Database .... 317
8.2 Securing the SAP HANA Database .... 321
8.2.1 Security Administration Tools .... 322
8.2.2 User Privileges .... 323
8.2.3 User Roles .... 326
8.2.4 Creating Roles .... 327
8.2.5 Creating Users .... 329
8.2.6 Creating an Audit Policy .... 334
8.2.7 Data Masking .... 342
8.2.8 Anonymization .... 344
8.3 Securing Data at Rest: Encryption .... 346
8.3.1 Types of Data-at-Rest Encryption in SAP HANA .... 346
8.3.2 Key Management Architecture .... 347
8.3.3 Key Management in the Cloud Environment .... 349
8.3.4 Client-Side Encryption in SAP HANA .... 350
8.4 Summary .... 351
9 Logging and Monitoring for SAP Databases .... 353
9.1 Internal Controls and Audit Cycle .... 354
9.1.1 Audit Types .... 355
9.1.2 Audit Personas .... 356
9.1.3 Audit Process .... 357
9.1.4 Internal Control Environment .... 358
9.2 Database Monitoring Tools .... 360
9.2.1 Transaction DBACOCKPIT .... 361
9.2.2 Transactions ST04, DB12, and DB13 .... 365
9.3 Logging Tools .... 366
9.3.1 Classic Transactions .... 366
9.3.2 New Transactions .... 369
9.4 Security-Focused Database Monitoring .... 374
9.4.1 User and Access Monitoring .... 375
9.4.2 Suspicious Activity and Performance-Related Actions .... 381
9.5 Summary .... 384

PART III Platform-Level Security .... 385
10 System Profiles and Parameters .... 387
10.1 Profiles and Parameters .... 388
10.1.1 Profiles in OS and Database .... 388
10.1.2 Types of Profiles .... 390
10.1.3 Parameter Naming .... 392
10.1.4 Tables Related to Profiles .... 392
10.1.5 Static and Dynamic Parameters .... 395
10.2 Viewing and Maintaining Parameters .... 397
10.2.1 Viewing Parameters .... 397
10.2.2 Modifying Parameters .... 401
10.3 Profile Parameter Governance .... 403
10.4 Password and Other Security-Related Parameters .... 405
10.5 Summary .... 408
11 Transport Security .... 411
11.1 SAP Transport Mechanism .... 412
11.1.1 Change and Transport System .... 412
11.1.2 Transport Directory .... 415
11.1.3 Transaction SE03: Transport Organizer Tool .... 416
11.1.4 Transaction STMS: Transport Management System .... 419
11.2 Role Transport .... 421
11.3 Authorizations Related to Transport System .... 424
11.4 Viewing CTS from a Security Perspective .... 427
11.4.1 Securing CTS at the OS Level .... 427
11.4.2 Securing CTS Against Landscape-Based Attacks .... 428
11.5 Transport Tools .... 429
11.5.1 Change Request Management .... 430
11.5.2 Focused Build for SAP Solution Manager .... 432
11.5.3 Adaptation Transport Organizer and SAP Cloud Transport Management .... 434
11.5.4 SAP Cloud ALM .... 434
11.6 Summary .... 436
12 Logging and Monitoring for the SAP Environment .... 437
12.1 Logging and Monitoring at the OS Level .... 438
12.1.1 Command-Line Tools: sapcontrol and saposcol .... 439
12.1.2 Linux- and UNIX-Specific Commands .... 441
12.1.3 Windows-Specific Commands .... 442
12.2 Developing a Logging and Monitoring Strategy .... 442
12.3 Using Blockchain for Logging .... 446
12.3.1 What Is a Blockchain? .... 447
12.3.2 What Is a Smart Contract? .... 449
12.3.3 Using Blockchain to Secure SAP Security and System Logs .... 450
12.4 Using SAP Enterprise Threat Detection to Analyze Security Audit Logs .... 451
12.4.1 Core Capabilities .... 453
12.4.2 Architecture and Data Flow .... 454
12.5 Connecting SAP Logs to the Enterprise SIEM Tool .... 456
12.6 Summary .... 459

PART IV Infrastructure-Level Security .... 461
13 Network Security .... 463
13.1 Network-Level Threats and Defense Strategy .... 463
13.2 Network Access Control .... 465
13.2.1 Firewalls .... 466
13.2.2 Application-Level Gateways .... 468
13.2.3 Zero-Trust Network Access .... 469
13.2.4 Securing SAP Services and Ports .... 471
13.2.5 Access Control Lists .... 474
13.2.6 Securing Settings for the Message Server .... 476
13.2.7 Periodic Review of Network Settings .... 477
13.3 SAP Perimeter and Connectivity Controls .... 479
13.3.1 Network Protocols .... 480
13.3.2 SAProuter .... 481
13.3.3 Cloud Connector .... 482
13.3.4 SAP Web Dispatcher .... 483
13.4 Unified Connectivity .... 486
13.4.1 UCON-Related Role and Authorization .... 487
13.4.2 Setting Up UCON in Your Environment .... 488
13.4.3 Blocking Outward Connections: Transaction UCON_CHW .... 490
13.5 Summary .... 491
14 Securing Data in Motion .... 493
14.1 Decrypting Cryptography .... 494
14.1.1 Cryptography Basics .... 495
14.1.2 Symmetric and Asymmetric Key Cryptography .... 497
14.1.3 Public Key Infrastructure .... 501
14.1.4 Communication Security in ABAP Application Server .... 503
14.2 SSL and TLS Protocols .... 504
14.2.1 SSL and TLS Basics .... 504
14.2.2 Enabling TLS in the SAP Environment .... 506
14.2.3 Creating a Server PSE Using Transaction STRUST .... 507
14.2.4 Installing a CA Certificate in the Server’s PSE .... 511
14.3 Internet Communication Manager .... 515
14.3.1 Important Parameters for Configuring ICM .... 516
14.3.2 Web Administration Interface .... 517
14.3.3 Restricting Access Through Access Control Lists .... 518
14.3.4 Configuring an Authorization File to Control Access .... 520
14.3.5 ICM Security Log .... 523
14.4 Summary .... 526
15 Securing SAP Infrastructure .... 527
15.1 On-Premise Versus Cloud .... 528
15.2 Planning for Secure SAP Landscape .... 532
15.2.1 System Architecture .... 532
15.2.2 Network and Perimeter Security .... 535
15.2.3 Identity and Access Management .... 536
15.2.4 Communication Security .... 537
15.2.5 Application-Level Security .... 537
15.2.6 Database Security .... 538
15.2.7 Logging and Monitoring .... 538
15.2.8 Patch Management .... 539
15.2.9 Governance and Operating Model .... 539
15.2.10 Security Baseline Template .... 540
15.2.11 Secure Operations Map .... 541
15.3 Developing Policies .... 542
15.3.1 Policies, Guidelines, and Standards .... 542
15.3.2 Developing an SAP Security Policy .... 543
15.4 Other Infrastructure-Related Considerations .... 548
15.4.1 Physical Security .... 548
15.4.2 Operating Systems .... 551
15.4.3 Secure Virtualization .... 557
15.4.4 Network Security .... 561
15.4.5 Monitoring .... 564
15.5 Summary .... 566
16 Securing Cloud-Based Applications .... 567
16.1 Identity and Access Management .... 568
16.1.1 Identity Authentication Service .... 570
16.1.2 Identity Provisioning Service .... 579
16.1.3 Best Practices for Identity, Authentication, and Provisioning .... 585
16.2 SAP Business Technology Platform Security .... 586
16.2.1 Security Responsibility .... 587
16.2.2 Relevant Applications and Services .... 587
16.2.3 Threat Vectors .... 588
16.2.4 Security Best Practices .... 591
16.2.5 Users, Roles, and Role Collections .... 593
16.3 Integration Security .... 599
16.4 Best Security Practices for Cloud-Based Applications .... 602
16.4.1 Clean Core Policy .... 603
16.4.2 Best Practices .... 605
16.5 Summary .... 607

The Author .... 609
Index .... 611