SAP System Security

Joe Markgraf is a senior cloud architect and advisor for SAP HANA Enterprise Cloud at SAP. Before joining SAP he worked as a Basis and security administrator, contributing to both small- and large-scale SAP system implementations. He holds a business degree with a focus on information system management from Oregon State University. He enjoys playing vintage video games and shooting sports with his family in Washington State. Alessandro Banzer is the Chief Executive Officer of Xiting, LLC. He has worked in information technology since 2004, specializing in SAP in 2009. Since then, Alessandro has been involved with global SAP projects in various roles. Alessandro is an active contributor and moderator in the Governance, Risk, and Compliance space on SAP Community, as well as a speaker at SAPPHIRE, ASUG, SAPInsider, and other SAP-related events. He holds a degree in business information technology, as well as an executive master of business administration from Hult International Business School in London, UK.

Preface
Target Audience
System Administration: A Vast Field of Options
What Is Basis?
Structure of This Book
Introduction
Potential Threats
The Onion Concept
Risk and True Cost of Security
The Administrator's Role in Security
Summary
Configuring Profiles and Parameters
Understanding System Parameters
System Profiles
Profile and Parameter Structure
Static and Dynamic Parameters
Viewing and Setting Parameters
Key Security-Related Parameters
Controlling Access to Change Parameters
Summary
Restricting Transactional Access
Clients
Who Should Be Able to Lock and Unlock Transactions?
Which Transactions to Lock
Locking Transactions
Viewing Locked Transactions
Summary
Securing Clients
Client Settings
Client Logon Locking
Summary
Securing the Kernel
Understanding the Kernel
Common Cryptographic Library
Kernel Update
Summary
Managing Users
What Is a User ID in SAP?
Different User Types
The User Buffer
Creating and Maintaining a User
Copy a User
Change Documents for Users
Mass User Changes with Transaction SU10
User Naming Convention
Security Policies
Maintain User Groups
Central User Administration
User Lock Status
User Classification
User-Related Tables
Securing Default Accounts
User Access Reviews
Inactive Users
Password and Logon Security
Segregation of Duties
Summary
Configuring Authorizations
Authorization Fundamentals
SAP Role Design Concepts
The Profile Generator
Assign and Remove Roles
Lock and Unlock Transactions
Transaction SUIM: User Information System
Role Transport
Common Standard Profiles
Types of Transactions
Table Authorizations
Printer Authorizations
Other Important Authorization Objects
Transaction SACF: Switchable Authorizations
Customizing Entries in Tables PRGN_CUST and SSM_CUST
Mass Maintenance of Values within Roles
Upgrading to a New Release
ABAP Debugger
Authorization Redesign and Cleanup
Introduction to SAP GRC Access Control
Summary
Authentication
What Is Single Sign-On?
Single Sign-On Technologies
SAP GUI Single Sign-On Setup
SAML
Summary
Patching
Patching Concepts: SAP’s Approach to Patching
Application of Security SAP Notes
Implications of Upgrades and Support Packages
Evaluating Security with SAP Solution Manager
Summary
Securing Transports
Transport System Concepts
Transport Authorizations
Operating System–Level Considerations
Landscape Considerations
Summary
Auditing and Logging
External Audits
Internal Audits
Auditing Tools
Summary
Securing Network Communications
Choosing a Network Security Strategy
Securing Using Access Controls
Securing the Transport Layer
Connecting to the Internet and Other Networks
Summary
Configuring Encryption
Introduction to Cryptography
Enabling SSL/TLS
The Internet Connection Manager
SAP Web Dispatcher
Summary
Database Security
Platform-Independent Database Considerations
Securing the Database Connection
Logging and Encrypting Your Database
Summary
Infrastructure Security
Business Secure Cell Concept
Secure Landscape
Policy
Operating System Considerations
Monitoring
Virtualization Security Considerations
Network Security Considerations
Physical Security
Summary
The Authors
Index