S 6.97 Contingency planning for SAP systems

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Just like for every other IT system, contingency planning needs to be performed for an SAP system. In order to prepare properly for an emergency, a business continuity concept must be created during the planning and conception phase (see S 2.341 Planning the use of SAP) that also defines the emergencies to be taken into account in the framework of contingency planning.

The following emergencies should be taken into account at a minimum:

• The failure of an SAP server
• The failure of the database of an SAP system
• The compromising of an SAP system
• The failure of the transport system (ABAP) or of the software deployment system (JAVA)
• The failure of an entire computer centre.

In general, an SAP system is no different from any other IT system in terms of contingency planning. For this reason, it is necessary to implement the relevant contingency safeguards from other modules that are applicable to the IT systems (e.g. server computers, client computers, and databases) belonging to the SAP system.

The responsibilities arising in the framework of contingency planning and the responsibilities for the emergency procedures defined must be clearly assigned to specific persons. It is recommended to conduct emergency drills regularly and modify the processes based on the experience gained from these exercises.

Contingency planning should at least consist of the following safeguards, and the list of safeguards must be expanded according to individual requirements:

• An emergency administrator should be set up, and rules for the use of this account must be specified.
• The data in an SAP system must be backed up regularly. -The backup procedure and backup intervals must be specified in the data backup policy.
• Restoration procedures must be specified for an SAP system.
• A backup system should be held in reserve if the availability requirements are correspondingly high.

Depending on the operational scenario, contingency planning can also include planning protection against computer viruses (see S 4.271 Computer virus protection for SAP systems).

Emergency administration

An emergency administrator account is needed in case the normal administrator user IDs cannot be used any more to access an SAP system. Since the ABAP stack and Java stack are each equipped with their own user administration system, an emergency administrator account must be defined in each stack.

In the ABAP stack, this account can also be granted authorisations corresponding to the sum of the authorisations available in the SAP_ALL and SAP_NEW profiles. This provides the emergency administrator with full control over the ABAP stack of the SAP system.

In the Java stack, this account must be assigned to the group of administrators. The members of the administrator group have full control over the Java stack by default.

In NetWeaver 04 (Java 6.40) and higher, user administration is realised in Java using the User Management Engine (UME) (see also S 4.267 Secure use of the SAP Java Stack user management). This is a group- and role-based administration supporting different storage locations for the respective user accounts. The name of the group of administrators differs depending on the storage location. If the user accounts are stored in a database or an LDAP directory, then this group is called "Administrators". If the user accounts are stored in the ABAP stack, then it is called "SAP_J2EE_ADMIN". Users in this group do not have full administrative rights and only posses the rights needed for basis administration and user administration in the Java stack. The general emergency user for the Java stack is the "SAP*" user account available by default in SAP, but this account can only be used when the Java stack is operated in the single-user mode. In this mode, though, only the "SAP*" user can log on. For this reason, an additional emergency user account must be created that can also be used during normal operation.

The accounts used for emergency administration must be assigned strong passwords. The persons responsible must be informed of the storage location of the passwords. The passwords must be changed after an emergency so that they are only disclosed when the emergency administration procedure is triggered.

It must be noted that access to the accounts used for emergency administration must always be available. This means that the accounts may not be deactivated or locked. For this reason, the access data must be protected well.

When an account is used for emergency administration, it is impossible to determine which person had access to the SAP system. For this reason, the system administrators and security management must be informed of an emergency promptly. They must be provided with the following information in this case:

• What kind of emergency is the current emergency?
• Who accessed the SAP system and when was it accessed?
• What activities were performed and which changes were made?

Backup

One of the contingency planning safeguards to be performed regularly is the backup of the data of an SAP system. Data backup procedures also need to be designed for an SAP system in the framework of the organisation-wide backup concept. The responsibilities and process flows must be defined and implemented.

The following must be specified, among other things, in the backup concept:

• When will which components and data be backed up?
• Who is authorised to back up these components and data?
• Who is authorised to restore data?
• Who has access to the archived backup data?
• Where will the backup data be stored for safekeeping? In particular, it must be ensured that the backup data is stored at a physically separate location from the productive data.

The data of an SAP system is stored primarily in the database, but a data backup can only be reduced to backing up the database in pure ABAP stack installations (e.g. on SAP R/3 systems). In particular, the use of the Java stack requires additional data to be backed up. This additional data includes, in particular, all data stored in the SAP directory tree of the file system.

For the Java stack, it is also necessary to back up the data (e.g. additional databases or files) accessed by the installed applications. If this data is not backed up, inconsistencies can arise in the application data. The administrators responsible must also be informed of the storage location of the backup media and of the proper restoration process.

Additional documentation is described in S 2.346 Use of the SAP documentation.

Backup system

Under some circumstances, small companies and government agencies operate an SAP system in which all components of the system are installed on a single computer (single-server installation). If an emergency arises that cannot be handled by restoring the backed up data, for example due to defective hardware, then a replacement system must be purchased. Since it generally takes time to obtain a replacement system, such emergencies can lead to long downtimes. For this reason, it is recommended to keep a backup system in reserve that has been prepared in advance so that it is only necessary to restore the last data backup to resume operations.

Review questions:

• Was an emergency administrator account set up for SAP systems and were rules for its use specified?
• Is the data of the SAP system backed up regularly?
• Was a restoration procedure defined for the SAP system?
• If the availability requirements are high, is a backup system held in reserve for the SAP system?