S 2.346 Use of the SAP documentation
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT, Developer
SAP provides a number of documents and other information. Administrators in particular must be familiar with the available documentation, and it must be checked regularly for updates.
SAP provides information centrally via the SAP Service Marketplace (http://service.sap.com). Note that JavaScript must be enabled in the browser for access and that authentication usually needs to be provided. An exception to this is the SAP Help Portal, which can be used to obtain the product documentation.
The SAP Service Marketplace contains references to additional sources of information. Some examples are mentioned below:
- The SAP Service Marketplace offers tips on SAP or additional software. The security-relevant information, which can be found by clicking on the "/security" quick link, is important. It is also possible to subscribe to the SAP Security Newsletter here, which contains security-relevant information and is distributed by email. Furthermore, the SAP Product Security Guides, which are offered under the "/securityguide" quick link, are also important in this regard. The SAP NetWeaver Security Guide is particularly relevant in the context of this safeguard.
- Instructions and extensive documentation are available for all products on the SAP Help Portal (http://help.sap.com).
- The SAP Developer Network (http://sdn.sap.com) is intended as a source of information for developers. It is necessary to register, but registration is free.
In the following, the SAP documents relevant to the individual safeguards of this module are specified. The documents can be found on the SAP Help Portal if not specified otherwise.
S 2.341 Planning the use of SAP
Detailed information on user administration in SAP systems can be found in the SAP document "Identity Management" in the "User and Roles (BC-SEC-USR)" chapter in the "User Maintenance" and "Central User Administration" sections, as well as in the "User Management Engine" section.
SAP offers extensive information on the subject of resource planning (also referred to as "sizing") at the Service Marketplace. Under the heading "Solution Life-Cycle Management", information on the subjects "Quick Sizer Tool" and "Sizing Guidelines" can be found, among other information. This information is an aid for resource planning.
Detailed information on the recommended system landscape can generally be found in the security guides for the individual SAP products, which are available at the SAP Service Marketplace under the "securityguide" heading.
Detailed information on the transport system can be found in the SAP document "SAP NetWeaver Technical Operations Manual" in the "Software Change Management" sections of the ABAP and Java stack descriptions.
S 2.347 Regular security checks of SAP systems
Detailed information on the audit information system (AIS) can be found in SAP Note 451960.
S 2.342 Planning of SAP rights
Detailed information that can be used when planning the authorisation concept can be found in the SAP document "Identity Management" in the "User and Roles (BC-SEC-USR)" section and in the "SAP Authorization Concept" section.
S 2.349 Secure software development for SAP systems
Additional information on debugging authorisations can be found in SAP Note 13202 and Note 65968.
S 4.256 Secure installation of SAP systems
Additional detailed information on securing the operating system can be found in the SAP document "SAP NetWeaver Security Guide" in the "SAP System Security Under UNIX/LINUX" and in the "SAP System Security Under Windows" sections.
S 4.258 Secure configuration of the SAP ABAP Stack
The IMG documentation to be taken into account during installation can be found in the SAP document "Customizing (BC-CUS)" in the "Implementation Guide (IMG)" section.
Detailed information on handling profiles can be found in the SAP document "Configuration" in the "Profiles" section.
Detailed information on the subject of system change options can be found in the SAP document "Transport Organizer (BC-CTS-ORG)" in the section "Setting the system change options".
Administrators must be very familiar with the effects of changes to client configurations. The corresponding detailed documentation can be found in the SAP document "Transport Organizer (BC-CTS-ORG)" in the "Client Control" section.
Detailed descriptions of how to secure operating system commands can be found in the SAP document "SAP NetWeaver Security Guide" in the "Logical Operating System Commands" section, as well as in the "Configuration" document in the section "External Operating System Commands: Content".
Additional detailed information on single sign-on can be found in the SAP document "SAP NetWeaver Security Guide" in the "User Authentication and Single Sign-On" section, as well as in the "Using Logon Tickets" document.
Additional information on SNC can be found in the SAP document "SAP NetWeaver Security Guide" in the "Transport Layer Security" section.
S 4.259 Secure use of the ABAP Stack user management
Additional information on user administration in SAP systems can be found in the SAP document "Identity Management" in the "First Installation Procedure" section.
Detailed information on handling standard users can be found in the SAP document "SAP NetWeaver Security Guide" in the "Protecting Standard Users" section.
S 4.260 Rights management for SAP systems
Detailed information on designing the authorisation management and on the relevant authorisations can be found in the SAP document "Identity Management" in the "Organizing Authorization Management" section.
Detailed information on authorisation management when the Profile Generator is used can be found in the SAP document "Identity Management" in the "Role Maintenance" section.
S 4.261 Secure handling of critical SAP rights
General information on authorisation checks can be found in the SAP document "Identity Management" in the "Authorization Checks" section. The identification of critical authorisations requires appropriate knowledge of the underlying authorisation checks.
Additional information on SAP system authorisations can be found in the SAP document "Identity Management" in the "Protective Measures for Special Profiles" section.
S 4.262 Configuration of additional SAP authorisation checks
Additional information on how to disable authorisation checks can be found in the SAP document "Identity Management" in the "Authorization Checks" and "Reducing the Scope of Authorization Checks" sections.
Additional information on the configuration of authorisation groups can be found in the SAP document "ALV Grid Control (BC-SRV-ALV)" in the "Assigning and Maintaining Authorization Groups" section.
S 4.263 Protection of SAP destinations
Additional, detailed information on controlling access to destinations can be found in the SAP document "RFC/ICF Security Guide" in the section "Controlling Access to RFC Destinations".
S 4.264 Restricting direct table changes in SAP systems
Detailed information on parameter transactions can be found in the following documents:
- SAP document "RFC Security Guide", "Authorization Object S_TABU_DIS (Table Maintenance)" section
- Documentation of the Implementation Guide (IMG, SPRO Transaction) under "SAP Web Application Server/ System Administration/ Users and Authorizations/ Line-oriented Authorizations"
- SAP document "Authorizations in mySAP HR" in the "Cross-Application Authorization Objects" section
Additional information on parameter transactions and authorisations in relationship with transaction SE93 can be found in the following SAP documents:
- SAP document "ABAP Programming (BC-ABA)", "Parameter Transaction" section
- SAP document "Identity Management", "Authorization Checks" section
S 4.265 Secure configuration of batch processing on SAP systems
Additional details on batch processing can be found in the SAP document "Background Processing" in the section "Authorizations for Background Processing".
S 4.266 Secure configuration of the SAP Java Stack
Information on the Java stack services and their operation can be found in the corresponding manuals, for example the SAP document "Technical Operations Manual for SAP NetWeaver" in the "Administration of the SAP Web Application Server (JAVA)" section, as well as in the corresponding "Architecture Manual", "Administration Manual" and "Development Manual" documents.
SAP Note 606733 offers additional, detailed information on the problems associated with HTTP PUT.
S 4.269 Secure configuration of the SAP system database
The SAP recommendations for securing the database can be found in the SAP document "Operating System and Database Platform Security Guides" in the "Database Access Protection" section. Recommendations are provided for various database products.
S 4.270 Logging of SAP events
Detailed descriptions of the system monitoring functions can be found in the SAP document "Tools for System Monitoring and Troubleshooting".
Additional information on tracking changes can be found in SAP Note 1916 and in the resources referenced in the note.
S 4.271 Computer virus protection for SAP systems
Additional, detailed information on the interface for computer virus protection programs can be found in the SAP document "Virus Scan Interface". Information on the products that can be connected using this interface can be found in the SAP Service Marketplace under the "securitypartners" quick link below "Partners for Virus Scan Interface (NW-VSI)".
S 4.272 Secure use of the SAP transport system
Detailed information on the transport management system can be found in the SAP document "Change and Transport System - Overview (BC-CTS)" and in "Transport Management System (BC-CTS-TMS)".
S 4.273 Secure use of the SAP Java Stack software deployment
Additional, detailed information on software distribution in the SAP Java stack can be found in the SAP document "SAP NetWeaver Java Development Infrastructure".
S 5.125 Protection of communication with SAP systems
Detailed information on the SNC configuration can be found in the SAP document "Administration Manual" in the section "Configuring SNC (SAP J2EE Engine to ABAP Engine)". Additional information can be found in the SAP document "Network and Transport Layer Security" in the "Secure Network Communications (SNC)" section.
Detailed instructions on the installation and configuration of SSL can be found in the SAP document "System Security" in the "Configuring the SAP Web AS for Supporting SSL" section and in the SAP document "Administration Manual" in the "Configuring the Use of SSL on the SAP J2EE Engine" section. The protection provided by SSL for internal LDAP accesses from the Java stack is described in the document "Configuring SSL Between UME and LDAP Directory (SAP NW 04)".
S 5.126 Protection of the SAP RFC interface
Detailed information on RFC communication can be found in the SAP document "RFC/ICF Security Guide" in the "RFC Scenarios" section.
Additional information on the subject of trusted systems can be found in the SAP document "RFC/ICF Security Guide" in the "Authorization Object S_RFCACL" section and in the document "Components of SAP Communication Technology" in the "RFC" chapter in the "Trusted System: Trust Relationships Between SAP Systems" section.
Additional, detailed information on the sideinfo file can be found in the SAP document "Components of SAP Communication Technology" in the "Introduction to RFC Client Programs" section and in the document "SAP Gateway" in the "Side Information Tables" section.
Detailed information on external RFC servers can be found in the SAP document "RFC/ICF Security Guide" in the "Security Measures - Overview (RFC)" and "RFC Communication Between SAP Systems and External (Non-SAP) Systems" sections. Information on the RFC SDK can be found in the document "Components of SAP Communication Technology" in the "The RFC API" and "Contents of the RFC SDK" sections.
More detailed information on the SAP gateway can be found in the SAP document "SAP Gateway" in the "Security Settings in SAP Gateway" section.
S 5.127 Protection of the SAP Internet Connection Framework (ICF)
Additional, detailed information on the ICF can be found in the SAP document "Components of SAP Communication Technology" in the chapter "Internet Communication Framework" in the "Administration: HTTP Communication Using the SAP System as a Server" section and in the SAP document "RFC/ICF Security Guide" in the "ICF Scenarios" section.
S 5.128 Protection of the SAP ALE (IDoc/BAPI) interface
Additional information on securing the ALE interface can be found in the SAP document "Security Guide ALE (ALE Applications)".
S 5.129 Secure configuration of HTTP-based services on SAP systems
Additional, detailed information on the SOAP interface can be found in the SAP document "Components of SAP Communication Technology" in the "Internet Communication Framework" chapter in the "SOAP Framework" section.
Additional information on the content server interface can be found in the SAP document "SAP Content Server Security Guide" and in the document "Knowledge Provider (BC-SRV_KPR)" in the "SAP Content Server HTTP 4.5 Interface" section.
S 6.97 Contingency planning for SAP systems
Detailed information on backups can be found in the "SAP NetWeaver Technical Operations Manual": for the ABAP stack in the "Backup and Recovery" and "Creating a Homogeneous System Copy" sections, and for the Java stack in the "Backup and Recovery of the SAP Web Application Server (Java)" section.
Review questions:
- Are the administrators familiar with the documents provided by SAP?
- Are the documents provided by SAP checked for updates at regular intervals?