SAP Security Configuration and Deployment: The IT Administrator's Guide to Best Practices

Throughout the world, high-profile large organizations (aerospace and defense, automotive, banking, chemicals, financial service providers, healthcare, high tech, insurance, oil and gas, pharmaceuticals, retail, telecommunications, and utilities) and governments use SAP software to process their most mission-critical, highly sensitive data. With more than 100,000 installations, SAP is the world's largest enterprise software company and the world's third largest independent software supplier overall. Despite this widespread use, and despite a great deal of interest, very few books have been written on SAP implementation and security. (There are 220,000 members in an online SAP 'community' seeking information, ideas and tools on the IT Toolbox Web site alone.) Managing SAP user authentication and authorizations is becoming more complex than ever, as more and more SAP products are involved, each with very different access issues. It is a complex area that requires focused expertise.

This book is designed for the network and systems administrators who must make judgment calls about enormously complicated technical data in the SAP landscape while also keeping up with new compliance rules and security regulations. Most SAP users experience significant challenges when trying to manage and mitigate the risks in existing or new security solutions, and usually end up facing repetitive, expensive rework and perpetuated compliance challenges. This book is designed to help them manage these challenges properly and efficiently on an ongoing basis. It aims to remove the 'black box' mystique that surrounds SAP security.

* The most comprehensive coverage of the essentials of SAP security currently available: risk and control management, identity and access management, data protection and privacy, corporate governance, legal and regulatory compliance.
* Contains information about SAP security that is not available anywhere else, to help the reader avoid the "gotchas" that may leave them vulnerable during upgrades or other system changes.
* A companion Web site provides custom SAP scripts, which readers can download to install, configure and troubleshoot SAP.

Author(s): Joey Hirao, Mimi Choi, Perry Cox, Steven Passer
Edition: 1st
Year: 2008

Language: English
Pages: 392

cover......Page 1
Copyright......Page 2
Technical Editor......Page 3
Lead Author......Page 4
Contributing Authors......Page 5
Introduction......Page 7
Introduction......Page 8
The SAP NetWeaver Technology Map......Page 11
NetWeaver Web Application Server......Page 13
ABAP Web AS 7.0......Page 15
J2EE Web AS 7.0......Page 16
UME Installation Options......Page 17
Backend: UNIX/Oracle......Page 21
Governance, Risk, and Compliance (GRC)......Page 23
ABAP Web AS 7.0......Page 28
Backend: UNIX/Oracle......Page 29
Governance, Risk, and Compliance (GRC)......Page 30
Frequently Asked Questions......Page 31
Notes......Page 33
Concepts and Security Model......Page 34
ABAP......Page 35
Authenticating Users......Page 36
Using Secure Network Connection......Page 37
Using User ID and Password......Page 38
Using SAP Logon Tickets and Single Sign-on......Page 39
Authorization Concept......Page 40
Authorization Objects and Field Values......Page 42
Authorization Checks......Page 43
Authorization Groups......Page 44
User Management......Page 45
Integrating User Management......Page 46
Using Central User Administration......Page 47
Using Lightweight Directory Access Protocol Synchronization......Page 48
User Maintenance......Page 50
Role Maintenance......Page 51
Logging and Monitoring......Page 52
Using the User Information System......Page 53
Securing Transport Layer for SAP Web AS ABAP......Page 56
Using Secure Store and Forward......Page 59
Using Virus Scan Interface......Page 60
Enforcing Security Policies......Page 61
J2EE......Page 62
J2EE Application Concept......Page 63
Web Applications......Page 64
Web Components......Page 65
Remote Objects......Page 66
Authentication Concept......Page 67
Authentication Approaches......Page 68
Authentication Mechanisms......Page 69
Using User ID and Password......Page 70
Using X.509 Certificate on SSL......Page 71
Using Security Session IDs for SSO......Page 73
Using Logon Tickets for SSO......Page 74
Using Security Assertion Markup Language (SAML) Assertions for SSO......Page 75
Using Kerberos Authentication SSO......Page 77
Using Header Variables for SSO......Page 78
Authorization Concept......Page 79
UME User Store Provider......Page 80
DBMS User Store Provider......Page 81
Roles or Permissions......Page 82
J2EE Security Roles......Page 83
UME Roles (or Permissions)......Page 84
Access Control List......Page 85
Portal Permissions......Page 86
Security Zones......Page 87
User Management......Page 88
Using Lightweight Directory Access Protocol Synchronization......Page 89
User Administration......Page 90
Integrating User and Role Administration......Page 91
Securing Transport Layer for SAP J2EE Engine......Page 92
Enforcing Security Policies......Page 94
GRC......Page 96
SAP GRC Access Control......Page 98
SAP GRC Process Control......Page 100
Authorization Concept......Page 102
Task......Page 103
Objects......Page 104
SAP GRC Risk Management......Page 105
Installing Latest Security-Related Patches......Page 106
Protecting Operating System Files......Page 107
Protecting Operating System Resources......Page 109
Protecting Network Access......Page 111
Protecting Standard Database Users......Page 112
Protecting Database-Related Files......Page 113
Protecting the Oracle Listener......Page 114
ABAP......Page 115
Backend: UNIX/Oracle......Page 116
Frequently Asked Questions......Page 117
ABAP......Page 119
Identity Management......Page 120
CUA......Page 122
LDAP (Lightweight Directory Access Protocol)......Page 125
Standard User ID/Pass......Page 127
What Is a Role?......Page 129
SAP Authorization Concept......Page 130
Single Sign-on and Certificates......Page 131
Password Rules......Page 134
Using Secure Communication......Page 135
HTTPS......Page 136
SNC......Page 137
Acquire or Develop a Security Policy......Page 138
Authorization to Corporate Data and Application Functionality Will Be via Role Assignment to User IDs......Page 139
Establish a Change Management Procedure for Post-Production Role Changes......Page 140
Standards......Page 141
Roles......Page 142
Role Naming......Page 143
Guiding Principles......Page 144
Role Development Steps......Page 146
Security Matrix......Page 149
Tools......Page 150
BDM2......Page 151
PFCG......Page 154
RZ11......Page 158
SCUL......Page 160
SE93......Page 163
SM04......Page 164
SM19 and SM20......Page 165
SM59......Page 172
ST01......Page 174
SU01......Page 179
SU02......Page 182
SU24......Page 183
SU53......Page 184
SUIM......Page 186
WE05......Page 189
Setup of CUA......Page 190
Setup of LDAP Con......Page 191
SAP Generic Users......Page 193
Single Sign-on and Certificates......Page 194
Password Rules......Page 197
Authorization Objects......Page 198
Definition......Page 199
Authorization Groups......Page 200
Tables......Page 201
Programs......Page 202
Spool......Page 203
File System......Page 206
Securing the Operating System from the SAP Application with S_DATASET and S_PATH......Page 207
BDC Sessions......Page 210
Securing the Operating System from the SAP Application with Logical Commands......Page 211
Single Sign-on with SAPGUI......Page 212
HTTPS......Page 214
SNC......Page 216
Setting Up the PFCG_TIME_DEPENDENCY Job......Page 217
Access to TEMSE – Temporary Sequential......Page 218
System Locks (SM12)......Page 219
CUA Monitoring/Troubleshooting......Page 220
RFC Access......Page 224
AL08 – Users Logged On......Page 225
Weekly Tasks......Page 226
PFCG – Role Maintenance......Page 227
Run Report RSUSR003......Page 228
Architecture......Page 229
Implementation......Page 230
Frequently Asked Questions......Page 231
J2EE......Page 232
Users Maintenance......Page 233
J2EE Authorization......Page 243
The User Management Engine......Page 244
User Self-Registration......Page 245
Portal Configuration......Page 247
J2EE Configuration for SID=DP1 (J2EE Engine)......Page 248
Portal Test......Page 249
Changing Passwords......Page 250
Emergency User......Page 253
Password Rules......Page 254
Setting Up SSL......Page 255
Installing the SAP Java Cryptographic Toolkit......Page 256
Creating Server Keys......Page 260
Generating Signed Certificates......Page 263
Authentication......Page 265
Implementing Client Certificates......Page 267
Setting Up SSL......Page 270
Frequently Asked Questions......Page 271
GRC......Page 272
Introduction......Page 273
Architecture......Page 276
Design Considerations......Page 280
Risk Management......Page 283
Enterprise Portal......Page 284
Compliance Calibrator......Page 285
Segregation of Duties Report – by User......Page 290
Ad Hoc Queries......Page 291
Access Control......Page 292
SAP Process Control......Page 295
Architecture......Page 298
SAP Tools......Page 299
Frequently Asked Questions......Page 300
Notes......Page 303
Back End: UNIX/Oracle......Page 304
Database Security......Page 305
Patches......Page 306
Patching Procedures: Oracle to 10.2.0.2......Page 307
Users......Page 308
Default Passwords......Page 309
Default Privileges......Page 312
Restrict Network Access......Page 314
Operating System Security......Page 317
Changing Some Defaults......Page 318
Techniques......Page 319
Operating System Security......Page 324
Frequently Asked Questions......Page 325
Overview of Auditing......Page 327
Introduction......Page 328
SAP Controls......Page 330
Reconciliation Account in General Ledger......Page 331
Customer Credit Management Master Record Settings......Page 332
Vendor Master Record Settings......Page 333
General Ledger Account Master Record......Page 334
Material Master Records......Page 335
Sales Order......Page 336
Pick, Pack, and Ship......Page 337
Billing......Page 338
Customer Payment......Page 339
Purchase Order......Page 340
Goods Receipt......Page 341
Payment to Vendor......Page 342
Auditing Configuration Changes......Page 343
Auditing Customized Programs......Page 345
Auditing Basis......Page 346
Auditing Security......Page 347
SAP Controls......Page 350
Auditing Configuration Changes......Page 351
Auditing Security......Page 352
Frequently Asked Questions......Page 353
Glossary of Terms......Page 355
B......Page 356
D......Page 357
H......Page 358
J......Page 359
O......Page 360
R......Page 361
S......Page 362
U......Page 363
W......Page 364
X......Page 365
A......Page 366
G......Page 367
J......Page 368
O......Page 369
S......Page 370
T......Page 372
V......Page 373