SAP Security Configuration and Deployment - Joey Hirao

SAP Security Configuration and Deployment (eBook)

The IT Administrator's Guide to Best Practices

(Author)

eBook Download: PDF | EPUB
2008 | 1st edition
392 pages
Elsevier Science (publisher)
978-0-08-057001-3 (ISBN)
55.95 incl. VAT
  • Download available immediately
Throughout the world, high-profile large organizations (aerospace and defense, automotive, banking, chemicals, financial service providers, healthcare, high tech, insurance, oil and gas, pharmaceuticals, retail, telecommunications, and utilities) and governments are using SAP software to process their most mission-critical, highly sensitive data. With more than 100,000 installations, SAP is the world's largest enterprise software company and the world's third largest independent software supplier overall.

Despite this widespread use, there have been very few books written on SAP implementation and security, despite a great deal of interest. (There are 220,000 members in an on-line SAP 'community' seeking information, ideas and tools on the IT Toolbox Website alone.) Managing SAP user authentication and authorizations is becoming more complex than ever, as there are more and more SAP products involved that have very different access issues. It's a complex area that requires focused expertise.

This book is designed for those network and systems administrators who must make judgment calls about enormously complicated technical data in the SAP landscape while also keeping up with new compliance rules and security regulations.

Most SAP users experience significant challenges when trying to manage and mitigate the risks in existing or new security solutions and usually end up facing repetitive, expensive re-work and perpetuated compliance challenges. This book is designed to help them properly and efficiently manage these challenges on an ongoing basis. It aims to remove the 'Black Box' mystique that surrounds SAP security.

* The most comprehensive coverage of the essentials of SAP security currently available: risk and control management, identity and access management, data protection and privacy, corporate governance, legal and regulatory compliance.

* This book contains information about SAP security that is not available anywhere else, helping the reader avoid the "gotchas" that may leave them vulnerable during upgrades or other system changes.

* Companion Web site provides custom SAP scripts, which readers can download to install, configure, and troubleshoot SAP.


Front Cover 1
SAP Security Configuration and Deployment 4
Copyright Page 5
Technical Editor 6
Lead Author 7
Contributing Authors 8
Contents 10
Chapter 1: Introduction 20
Introduction 21
The SAP NetWeaver Technology Map 24
Scope 26
NetWeaver Web Application Server 26
ABAP Web AS 7.0 28
J2EE Web AS 7.0 29
UME Installation Options 30
Backend: UNIX/Oracle 34
Governance, Risk, and Compliance (GRC) 36
Summary 41
Solutions Fast Track 41
Frequently Asked Questions 44
Notes 46
Chapter 2: Concepts and Security Model 48
Introduction 49
ABAP 49
Authenticating Users 50
Using Secure Network Connection 51
Using Secure Sockets Layer 52
Using User ID and Password 52
Using X.509 Client Certificate 53
Using SAP Logon Tickets and Single Sign-on 53
Authorization Concept 54
User Master Record 56
Roles and Profiles 56
Authorization Objects and Field Values 56
Authorization Checks 57
Authorization Groups 58
User Management 59
Integrating User Management 60
Using Central User Administration 61
Using Lightweight Directory Access Protocol Synchronization 62
User Maintenance 64
Role Maintenance 65
Analyzing Authorization 66
Logging and Monitoring 66
Using Security Audit Log 67
Using Audit Info System (AIS) 67
Security Alerts in Computing Center Management System (CCMS) 67
Using the User Information System 67
Securing Transport Layer for SAP Web AS ABAP 70
Using Secure Store and Forward 73
Using Virus Scan Interface 74
Enforcing Security Policies 75
J2EE 76
J2EE Application Concept 77
Web Applications 78
Web Components 79
Web Container 80
Remote Objects 80
Authentication Concept 81
Authentication Approaches 82
Authentication Schemes 83
Authentication Mechanisms 83
Using User ID and Password 84
Using X.509 Certificate on SSL 85
Using Security Session IDs for SSO 87
Using Logon Tickets for SSO 88
Using Security Assertion Markup Language (SAML) Assertions for SSO 89
Using Kerberos Authentication SSO 91
Using Header Variables for SSO 92
Authenticating RMI-P4 Clients 93
Authorization Concept 93
User Stores 94
UME User Store Provider 94
DBMS User Store Provider 95
Authorization Checks 96
Roles or Permissions 96
J2EE Security Roles 97
UME Roles (or Permissions) 98
Access Control List 99
Portal Permissions 100
Security Zones 101
UME Actions 102
Authorization Groups 102
User Management 102
Integrating User Management 103
Using Lightweight Directory Access Protocol Synchronization 103
Using SAP Web AS ABAP 104
User Administration 104
Role Administration 105
Integrating User and Role Administration 105
Securing Transport Layer for SAP J2EE Engine 106
Enforcing Security Policies 108
GRC 110
SAP GRC Access Control 112
SAP GRC Process Control 114
Authorization Concept 116
Authorization Level 117
Task 117
Roles 118
Objects 118
SAP GRC Risk Management 119
Backend: Unix/Oracle 120
Security for UNIX 120
Installing Latest Security-Related Patches 120
Restricting Operating System Access 121
Protecting Operating System Files 121
Protecting Operating System Resources 123
Restricting Physical Server Access 125
Protecting Network Access 125
Securing an Oracle Database 126
Installing the Latest Oracle Security Patches 126
Protecting Standard Database Users 126
Protecting Database-Related Files 127
Protecting the Oracle Listener 128
Summary 129
Solutions Fast Track 129
Frequently Asked Questions 131
Chapter 3: ABAP 134
Introduction 135
Architecture 135
Identity Management 135
CUA 137
LDAP (Lightweight Directory Access Protocol) 140
Standard User ID/Pass 142
Role, Profile, and Authorization Concepts 144
What Is a Role? 144
Definition of a Profile 145
SAP Authorization Concept 145
Single Sign-on and Certificates 146
Password Rules 149
Using Secure Communication 150
HTTPS 151
SNC 152
Design 153
Strategy Considerations 153
Acquire or Develop a Security Policy 153
Establish a Core Policy Group 154
Authorization to Corporate Data and Application Functionality Will Be via Role Assignment to User IDs 154
Establish a Role Ownership Matrix That Will Maintain Segregation of Duties (SOD) 155
Establish Approval Procedures 155
Establish a Role Development Methodology 155
Establish a Testing Methodology 155
Establish a Change Management Procedure for Post-Production Role Changes 155
Role Documentation Will Use the Security Section of Role Matrix 156
Establish Security Administration Procedures 156
Custom ABAP Code Will Be Assigned a Transaction Code and Be Secured via One or More Methods as Deemed Appropriate by Local ABAP Security Guidelines 156
Standards 156
Naming Standards 157
Roles 157
Role Naming 158
Guiding Principles 159
Role Development Steps 161
Security Matrix 164
Tools 165
AL08 166
BDM2 166
Roles – Building and Maintenance 169
PFCG 169
Security-Related Parameters Setup 173
RZ10 173
RZ11 173
SCUL 175
SE93 178
SM04 179
Security Auditing 180
SM19 and SM20 180
SM58 187
SM59 187
Security Trace 189
ST01 189
SU01 194
SU02 197
SU03 198
SU24 198
SU53 199
SUGR 201
SUIM 201
TU02 204
WE05 204
Implementation 205
Identity Management 205
Setup of CUA 205
Setup of LDAP Con 206
SAP Generic Users 208
Single Sign-on and Certificates 209
Password Rules 212
Authorization Objects 213
Definition 214
Defined Fields 214
Procedure 214
Definition 214
Defined Fields 215
Procedure 215
Authorization Groups 215
Tables 216
Programs 217
Spool 218
File System 221
Securing the Operating System from the SAP Application with S_DATASET and S_PATH 222
BDC Sessions 225
Securing the Operating System from the SAP Application with Logical Commands 226
Single Sign-on with SAPGUI 227
Implementing Secure Communications 229
HTTPS 229
SNC 231
Certificates 232
Setting Up the PFCG_TIME_DEPENDENCY Job 232
Access to TEMSE – Temporary Sequential 233
System Locks (SM12) 234
Production Support 235
CUA Monitoring/Troubleshooting 235
RFC Access 239
Daily Tasks 240
SM04 – User Overview 240
AL08 – Users Logged On 240
SM21 – The System Log 241
SM19 – AIS Configuration 241
RZ20 – CCMS Monitoring 241
SUIM – User Information 241
ST22 – ABAP Dump Analysis 241
SA38 – Run Report RSUSR006 241
Weekly Tasks 241
SE16 – Table Browser 242
SCC4 – Client Administration 242
SCU3 – Table History 242
PFCG – Role Maintenance 242
Monthly Tasks 243
TU02 – Parameter Changes 243
SUIM – User Information 243
Transaction S_BCE_68002111 or Execute Program RSUSR008_009_NEW 243
Run Report RSUSR003 243
Summary 244
Solutions Fast Track 244
Frequently Asked Questions 246
Chapter 4: J2EE 248
Introduction 249
Users Maintenance 249
J2EE Authorization 259
The User Management Engine 260
User Self-Registration 261
Single Sign-on 263
Portal Configuration 263
ECC Configuration 264
J2EE Configuration for SID=DP1 (J2EE Engine) 264
Portal Test 265
Changing Passwords 266
Emergency User 269
Password Rules 270
Setting Up SSL 271
Installing the SAP Java Cryptographic Toolkit 272
Creating Server Keys 276
Generating Signed Certificates 279
Authentication 281
Implementing Client Certificates 283
Summary 286
Solutions Fast Track 286
Frequently Asked Questions 287
Chapter 5: GRC 288
Introduction 289
Architecture 292
Design Considerations 296
SAP Tools 299
Risk Management 299
Enterprise Portal 300
Compliance Calibrator 301
Segregation of Duties Report – by User 306
Segregation of Duties Report – by Role 307
Comparison Reports between Two Time Frames 307
Ad Hoc Queries 307
Access Control 308
SAP Process Control 311
Summary 314
Solutions Fast Track 314
Frequently Asked Questions 316
Notes 319
Chapter 6: Back End: UNIX/Oracle 320
Introduction 321
Database Security 321
Patches 322
Patch Implementation 323
Patching Procedures: Oracle to 10.2.0.2 323
Patching Oracle Security Patch CPU 324
Users 324
Default Passwords 328
Default Privileges 328
Password Rules 330
Restrict Network Access 330
Operating System Security 333
Changing Some Defaults 334
Techniques 335
Summary 340
Solutions Fast Track 340
Frequently Asked Questions 341
Chapter 7: Overview of Auditing 344
Introduction 345
SAP Controls 347
Master Record Settings 348
Customer Master Record Settings 348
Company Code Data Level 348
Reconciliation Account in General Ledger 348
Tolerance Group 349
Payment History Record 349
General Data Level 349
Name 349
Street Address Section 349
Sales Area Data Level 349
Terms of Payment–Billing Document 349
Taxes Sections–Billing Document 349
Customer Credit Management Master Record Settings 349
Credit Limit 350
Credit Limit: Total Limit Across All Control Areas 350
Risk Category 350
Vendor Master Record Settings 350
General Ledger Account Master Record 351
Material Master Records 352
Transactions and Configuration Related to Business Cycles 353
Revenue Cycle 353
Sales Order 353
Pick, Pack, and Ship 354
Billing 355
Customer Payment 356
Expenditure Cycle 357
Purchase Order 357
Goods Receipt 358
Invoice Verification 359
Payment to Vendor 359
Auditing Configuration Changes 360
Auditing Customized Programs 362
Auditing Basis 363
Auditing Security 364
Summary 367
Solutions Fast Track 367
Frequently Asked Questions 370
Glossary: Glossary of Terms 372
A 373
B 373
C 374
D 374
H 375
I 376
J 376
L 377
M 377
O 377
P 378
R 378
S 379
U 380
V 381
W 381
X 382
Index 384

Publication date (per publisher): 18 Nov 2008
Language: English
Subject areas: Computer Science > Networks > Security / Firewall; Mathematics / Computer Science > Computer Science > Theory / Studies; Computer Science > Other Topics > SAP
ISBN-10 0-08-057001-1 / 0080570011
ISBN-13 978-0-08-057001-3 / 9780080570013
PDF (Adobe DRM)
Size: 7.5 MB

Copy protection: Adobe DRM
File format: PDF (Portable Document Format)

EPUB (Adobe DRM)
Size: 3.7 MB

Copy protection: Adobe DRM
File format: EPUB (Electronic Publication)