S 5.128 Protection of the SAP ALE (IDoc/BAPI) interface
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The Application Link Enabling (ALE) interface is used as a communication mechanism to integrate business processes across several SAP systems or other external systems. Business data and system data (for example, when central user administration is used) are transported between the sender and receiver systems using the interface. The receiving systems process this data automatically. For this reason, the ALE interface must be secured. The following points must be taken into consideration:
- ALE uses the RFC protocol (more precisely, transactional RFC, tRFC) for data transmission. For this reason, all RFC-specific security safeguards must be implemented (see S 5.126 Protection of the SAP RFC interface).
- ALE destinations in the sender system must be protected, since authentication information must be stored on the sender system (see S 4.263 Protection of SAP destinations).
- ALE authorisations must be granted restrictively on the receiver system (see also S 4.261 Secure handling of critical SAP rights).
- ALE administration authorisations must only be granted to authorised administrators.
- The user IDs entered in the sender systems for ALE destinations must not possess ALE administration authorisations on the receiver system.
- The user IDs entered in the sender systems for ALE destinations must be of the "communication" type on the receiver system.
- Normal users must not be allowed to have any ALE authorisations.
- For external, non-SAP systems, the authentication information stored and used to access the ALE interface must be protected. The information should only be accessible to the system components and ALE administrators.
References to additional information on securing the ALE interface can be found in S 2.346 Use of the SAP documentation.
Review questions:
- Has the ALE interface been secured in the SAP system?
- Have the ALE administration authorisations only been assigned to the authorised administrators in the SAP system?
- When accessing the ALE interface using non-SAP systems: Is the authentication information stored in a protected manner?