S 4.259 Secure use of the ABAP Stack user management

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The secure use of the ABAP stack user administration is a prerequisite for system security, because it specifies who is allowed to access an SAP system as a matter of principle. The following aspects must be considered at a minimum when using the user administration. Depending on the operational scenario, it may be necessary to take into consideration additional issues resulting from the specific requirements of the company or government agency. This also includes any requirements resulting from legal regulations.

References to SAP documents containing information on user administration in SAP systems can be found in S 2.346 Use of the SAP documentation.

Naming conventions for users

User names must be unique. For this reason, a naming convention must be specified that guarantees unique user names even when two people have the same names. In general, a company or government agency will already have some form of unique identification for its employees, for example a personnel number, which can then be used for this purpose.

It makes sense to divide the users into user classes (for example internal users, external users, partners, and technical users) and to encode these classes in the user names as well.

Assigning unique user names

The user administration concept must ensure that a user name used on several different systems always refers to the same person.

Suitable organisational safeguards must be implemented to ensure that no more than one user can use a given user account (no account sharing).

Setting up an emergency administrator

An SAP account should be set up to administer the system in case of an emergency. It is recommended to assign an ordinary user name to this user account to avoid provoking direct attacks on this user account. This means the SAP* account must not be used for normal administration or emergency administration.

The emergency administrator is generally granted wide-ranging authorisations and must therefore be assigned a secure password. Procedures must be defined within the framework of contingency planning that specify how the account should be used (see S 2.341 Planning the use of SAP and S 6.97 Contingency planning for SAP systems). The password for the emergency administrator account should be stored at a secure location (e.g. in a safe). Access to the password should only be allowed when the two-man principle is applied.

Securing the standard users

An SAP system provides several standard users that need to be secured. The following users need to be secured:

The following actions must be taken to secure the users:

The deactivation of user IDs may lead to a loss in functionality. Whether the user ID should only be activated temporarily or needs to be activated permanently depends on the purpose of the system and must be decided on a case-by-case basis. The additional risk incurred by an activated standard user with, under some circumstances, a known default password must be taken into consideration.

It is not recommended to delete the SAP* and DDIC users, since they are created automatically, for example when creating a new client. For the SAP* user, the profile parameter "logon/no_automatic_user_sapstar" can be used to prevent this user from being created automatically. It is recommended to enable this parameter.

Before deactivating the SAP* user, an alternative user account for emergency administration must be created and ready for use.

The installation of new components may lead to the creation of additional standard users. These users must then be secured accordingly after completing the installation.

References to SAP documentation describing how to handle standard users in SAP systems can be found in S 2.346 Use of the SAP documentation.

Changing standard passwords

The standard users (see above) are assigned default passwords during installation. These passwords must be changed to prevent users from gaining unauthorised access using these user ID/password combinations.

After changing the password, however, some system functions may stop working or no longer run correctly. This is the case, for example, for the TMSADM user (see also SAP Note 139854) and the SAPCPIC user. If the affected system function is used frequently, it may under some circumstances be necessary to operate the standard user with its default password. This must be taken into account in the risk assessment.

It must be taken into consideration that the SAP* and DDIC users are created automatically, for example when creating new clients, if these user IDs do not exist yet or were deleted. In such cases, the newly created user IDs are assigned their default passwords.

Report RSUSR003 can be executed via transaction SE38; it checks all clients for the existence and lock status of the SAP*, DDIC, SAPCPIC, and EARLYWATCH users and for whether these users still have their standard passwords.
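A compliance check in the spirit of RSUSR003, as an added example that is not SAP code and not part of this safeguard: it runs over a constructed snapshot of standard-user status and profile parameters and applies the rules of the two sections above (default password, lock status, "logon/no_automatic_user_sapstar", separate emergency administrator, documented risk acceptance for TMSADM/SAPCPIC). The data model, sample values and the emergency-admin user name are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Dict, Optional, Set, Tuple

# Standard users named on this page; TMSADM and SAPCPIC are the ones whose
# system functions may depend on the default password (risk-acceptance candidates).
STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}
FUNCTIONAL_USERS = {"TMSADM", "SAPCPIC"}

@dataclass
class UserRecord:            # one row per client/user, as a RSUSR003-style export would list it
    client: str
    name: str
    exists: bool
    locked: bool
    default_password: bool

@dataclass
class SystemState:           # constructed snapshot; not an SAP table
    users: List[UserRecord]
    profile_params: Dict[str, str]
    emergency_admin: Optional[str]
    accepted_risks: Set[Tuple[str, str]] = field(default_factory=set)  # (client, user) from risk assessment

def audit(state: SystemState):
    """Return (severity, client, message) findings; '*' = system-wide."""
    findings = []
    if state.profile_params.get("logon/no_automatic_user_sapstar") != "1":
        findings.append(("HIGH", "*", "logon/no_automatic_user_sapstar is not set to 1"))
    if not state.emergency_admin or state.emergency_admin.upper() == "SAP*":
        findings.append(("HIGH", "*", "no separate emergency administrator account"))
    for u in state.users:
        if u.name not in STANDARD_USERS or not u.exists:
            continue
        if u.default_password:
            if u.name in FUNCTIONAL_USERS and (u.client, u.name) in state.accepted_risks:
                findings.append(("INFO", u.client, f"{u.name} keeps default password (documented risk acceptance)"))
            else:  # a locked user with a known password is still a risk, an active one more so
                findings.append(("HIGH" if not u.locked else "MEDIUM", u.client, f"{u.name} has default password"))
        elif u.name == "SAP*" and not u.locked:
            findings.append(("MEDIUM", u.client, "SAP* is active; lock it once the emergency admin is in place"))
    return findings

# Constructed sample: two clients, parameter not enabled, TMSADM risk accepted in client 100.
SAMPLE = SystemState(
    users=[UserRecord("000", "SAP*", True, False, True), UserRecord("000", "DDIC", True, False, False),
           UserRecord("100", "SAP*", True, True, True), UserRecord("100", "DDIC", True, False, False),
           UserRecord("100", "TMSADM", True, False, True), UserRecord("100", "SAPCPIC", True, True, False),
           UserRecord("100", "EARLYWATCH", False, False, False)],
    profile_params={"logon/no_automatic_user_sapstar": "0"},
    emergency_admin="ZMUELLER4711",          # hypothetical ordinary-looking user name
    accepted_risks={("100", "TMSADM")},
)

if __name__ == "__main__":
    for sev, client, msg in audit(SAMPLE):
        print(f"[{sev}] client {client}: {msg}")
```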

Administration procedures

User administration must follow the administration procedure in use. If central user administration is used, user IDs should not be created locally.

The processes and procedures planned (see S 2.341 Planning the use of SAP) for local or central user administration must be implemented and maintained. The processes should also contain rules for handling exceptions as well.

The following aspects must be taken into consideration in the administration procedure used:

Review questions: