S 4.272 Secure use of the SAP transport system
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
New functionality is installed and changed objects are imported into the ABAP stack using the SAP Transport Management System (TMS). Since such operations pose a basic risk, the transport system must be configured and used as securely as possible. The following aspects therefore must be taken into consideration for the transport management system:
In general, the persons creating, testing, and executing the transports must be familiar with the concepts and procedures of the SAP transport mechanism (i.e. the Transport Organizer and Transport Management System).
Authorisations in the transport system
It must be ensured that only authorised persons are able to access the transport system by protecting the transactions used by the transport system and by setting the authorisations accordingly. The following transactions are affected in this case: SE01, SE03, SE06, SE09, SE10, STMS*
Protecting the transport directory
The data to be transported is stored in files located in the transport directory of the file system. For this reason, access to the transport directory must be restricted at the operating system and network levels so that only authorised persons and authorised remote instances are able to access this directory. It must be noted in this case that the instances in a given transport domain all need access to the same transport directory.
It must be considered that unauthorised changes to the transport files may lead to errors when importing data or even to additional security problems.
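One way an administrator could check the operating-system side of this requirement on a POSIX host; this is an added example, not part of the safeguard text or of SAP tooling. The directory layout, the file names and the `allowed_uids` parameter are assumptions made for illustration, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def audit_transport_dir(root, allowed_uids):
    """Return sorted (relative path, problem) pairs for entries under root."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect a link itself, not its target
        rel = os.path.relpath(path, root)
        if stat.S_ISLNK(st.st_mode):
            # A link can redirect reads or writes outside the protected tree.
            findings.append((rel, "symbolic link"))
            continue
        if st.st_uid not in allowed_uids:
            findings.append((rel, "unexpected owner uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "writable by others"))
        if st.st_mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append((rel, "readable or traversable by others"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample tree; all names and modes are made up."""
    root = tempfile.mkdtemp(prefix="trans_")
    for sub in ("cofiles", "data"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o750)
    samples = {
        "cofiles/K900001.DEV": 0o640,  # restricted to owner and group
        "data/R900001.DEV": 0o666,     # anyone on the host can modify it
        "data/R900002.DEV": 0o644,     # anyone on the host can read it
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, problem in audit_transport_dir(sample_root, {os.getuid()}):
        print("%s: %s" % (rel, problem))
```

On a real system, pass the actual transport directory and the numeric user IDs of the accounts that are meant to own transport files.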
Secure transmission of transports
Transports are loaded into an SAP system from the file system. It is possible to use a central transport directory that can be accessed using the local network for this purpose. Alternatively, it is also possible to transmit transport files manually or automatically at specific times using file transfer mechanisms (e.g. FTP, SFTP, and SCP).
Since transport files need to be protected against unauthorised reading and changes, the transmission mechanism used must guarantee the security of the data, for example using encryption.
References to documentation on the transport management system can be found in S 2.346 Use of the SAP documentation.
Review questions:
- Are the persons in charge familiar with the concepts and procedures of the SAP transport mechanism (Transport Organizer, Transport Management System)?
- Has it been ensured that only authorised persons are granted access to the SAP transport system?
- Has access to the transport directory of the SAP system also been restricted at operating system and network levels?
- Are transport files of the SAP system protected against being viewed or modified without authorisation?