S 4.268 Secure configuration of rights for the SAP Java Stack
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The following must be taken into consideration when planning and configuring the SAP Java stack authorisations:
- The SAP Java stack authorisation concept is fundamentally different from the authorisation concept of the ABAP stack, since it implements the concepts of the J2EE Java specification.
- Detailed knowledge of the J2EE security model and security concept is necessary for correct and secure configuration. For this reason, configuration should only be performed by trained administrators.
- Access restrictions for resources and for Java protection domains (code-based security) are configured using the "security" service.
- Access restrictions for JNDI objects (Java object registry and name service) are configured using the "naming" service.
- Access restrictions for Java Bean methods are configured using the "ejb" service in the properties of each Bean object on the "Security" tab.
- The objects available in each case depend on which applications are installed.
- The "root" group, which is available in version 6.40 and lower, is not a group of administrators, but actually contains all users. The group is therefore similar to the "Everyone" group in Windows.
- After installation, the default authorisation settings must be checked and, where necessary, modified in accordance with the authorisation concept that has been created.
In general, authorisations should be granted restrictively. When planning the authorisations, it is necessary to decide which users need which authorisations for which objects, and to grant only those.
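The restrictive, per-method assignment of Java Bean authorisations described above rests on the standard J2EE declarative security model that the SAP Java stack implements. The following ejb-jar.xml assembly descriptor is an added illustration of that model; it is not part of the BSI safeguard and not an SAP deliverable, and the bean, method and role names (OrderBean, createOrder, approveOrder, purgeOrders, OrderClerk, Approver) are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not part of the BSI safeguard or of an SAP product.
     Standard J2EE 1.4 (EJB 2.1) descriptor; all bean, method and role names
     below are hypothetical. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>OrderBean</ejb-name>
      <home>com.example.OrderHome</home>
      <remote>com.example.Order</remote>
      <ejb-class>com.example.OrderBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Declare only the roles that the authorisation concept defines. -->
    <security-role><role-name>OrderClerk</role-name></security-role>
    <security-role><role-name>Approver</role-name></security-role>

    <!-- Grant per method and per role. The permissive alternative,
         <unchecked/> in place of the role names, would let any caller
         invoke the method and is what a restrictive configuration avoids. -->
    <method-permission>
      <role-name>OrderClerk</role-name>
      <role-name>Approver</role-name>
      <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>createOrder</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Approver</role-name>
      <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>approveOrder</method-name>
      </method>
    </method-permission>

    <!-- Methods that no role may call at all go in the exclude-list; the
         container then denies them to every caller. -->
    <exclude-list>
      <method>
        <ejb-name>OrderBean</ejb-name>
        <method-name>purgeOrders</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Two points matter when checking such a descriptor against the authorisation concept: the J2EE specification leaves any method that appears in neither a method-permission nor the exclude-list for the deployer to assign, so a review has to confirm that every exposed method is covered rather than left unspecified; and the role names declared here are only logical roles, which are mapped to actual users and groups separately in the engine, so the restrictive effect holds only if that mapping does not hand a role to an all-users group such as "root" in version 6.40 and lower.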
Review questions:
- Have the administrators received sufficient training regarding the configuration of the SAP Java stack authorisations?
- Have the preset authorisations been adapted in accordance with the authorisation concept after SAP Java stack installation?
- Have the authorisations of the SAP Java stack been assigned restrictively?