SAP Security Configuration and Deployment: The IT Administrator's Guide to Best Practices



Throughout the world, high-profile large organizations (aerospace and defense, automotive, banking, chemicals, financial service providers, healthcare, high tech, insurance, oil and gas, pharmaceuticals, retail, telecommunications, and utilities) and governments are using SAP software to process their most mission-critical, highly sensitive data. With more than 100,000 installations, SAP is the world's largest enterprise software company and the world's third largest independent software supplier overall.

Despite this widespread use, there have been very few books written on SAP implementation and security, despite a great deal of interest. (There are 220,000 members in an on-line SAP 'community' seeking information, ideas and tools on the IT Toolbox Website alone.) Managing SAP user authentication and authorizations is becoming more complex than ever, as there are more and more SAP products involved that have very different access issues. It's a complex area that requires focused expertise.

This book is designed for those network and systems administrators who must make judgment calls about enormously complicated and technical data in the SAP landscape while also keeping up with new compliance rules and security regulations.

Most SAP users experience significant challenges when trying to manage and mitigate the risks in existing or new security solutions and usually end up facing repetitive, expensive re-work and perpetuated compliance challenges. This book is designed to help them properly and efficiently manage these challenges on an ongoing basis. It aims to remove the 'Black Box' mystique that surrounds SAP security.

* The most comprehensive coverage of the essentials of SAP security currently available: risk and control management, identity and access management, data protection and privacy, corporate governance, legal and regulatory compliance.

* This book contains information about SAP security that is not available anywhere else, helping the reader avoid the "gotchas" that may leave them vulnerable during upgrades or other system changes.

* Companion Web site provides custom SAP scripts, which readers can download to install, configure and troubleshoot SAP.


Product Details

  • ISBN-13: 9781597492843
  • Publisher: Elsevier Science
  • Publication date: 11/14/2008
  • Pages: 392
  • Product dimensions: 7.40 (w) x 9.10 (h) x 1.00 (d)

Read an Excerpt

SAP Security Configuration and Deployment

The IT Administrator's Guide to Best Practices
By Joey Hirao, Jeanmarie Hirao, Mimi Choi, Perry Cox, and Steven L. Passer

Syngress Publishing, Inc.

Copyright © 2009 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-057001-3

Chapter One


Solutions in this chapter:

* NetWeaver Web Application Server
* J2EE Web AS 7.0
* Backend UNIX/Oracle
* Governance, Risk, and Compliance (GRC)
* Summary
* Solutions Fast Track
* Frequently Asked Questions


When you consider the changes in SAP over the years, it's an evolution that is both amazing and inspiring. The vision of R/3 back in 1993 compared to where it is today, 15 years later, highlights its initial purpose. That purpose was to enable business to be more efficient, effective, and integrated. Those of us that studied process engineering and realized that the decentralized information technology (IT) culture and islands of automation we had in the 1980s and early 1990s were ineffective in helping business evolve, understood this need for an integrated enterprise solution.

Rudy Puryear of Accenture Consulting discusses the evolution of IT systems from the 1970s to today. He describes three phases of an electronically driven economy. These phases are about how organizations develop and execute business strategy enabled by IT. The first era was data processing, next came information systems, and finally knowledge management. One sees how this evolution aligns with SAP's continuous improvement program. The desired outcome for IT to improve business efficiency has stayed consistent through the years. However, the delivery of value-producing systems has not been easy to achieve until we finally reached this knowledge management era. The state of the art at the time R/3 was being developed was not in keeping with that early vision.

Now, we fast forward to today and can see that our vision goes beyond enabling business and sees IT as an almost equal partner in effecting business efficiency. Today's worker is now a knowledge worker enabled by Web-based flexible tools and technologies. These tools provide nearly instant information about the business problems they are working with. But with the incredible efficiency SAP can provide comes a heavy burden on infrastructure complexity. The systems requirements for SAP are significant in terms of IT architecture, development architecture, and security infrastructure. In fact, I would maintain that embedded into every aspect of the infrastructure is now a component of security specification that must be addressed. Unfortunately, we still see many occasions where security is the appendix of the infrastructure plan. Security is often relegated to an after-thought that only gets emergency attention when an event occurs, a question of senior management is asked, or an audit drives a specific change. It is the rare organization that has an embedded active security-thinking culture.

Security infrastructure as an embedded part of the IT culture has yet to be recognized in the mainstream. However, when you consider the initiatives being addressed in corporations, institutions, and governments throughout the world, you begin to understand the strategic intent in evolving security. In nearly every conference on technology in the SAP and out of the SAP space there is a topic on security. And, now, SAP NetWeaver technology has evolved to include the major SAP components necessary to implement the full life cycle of security infrastructure. While IT enables business, security enables IT, and hence security is the underlying foundation to the business enablement.

With IT organizations yet to adapt to this mind-set, the challenges are even greater. Most IT organizations are classically stove-piped and hence the skills and training associated with these stovepipes are yet to evolve. Even worse, often an organization creates project teams that may tax the stove-piped security group with a part-time representative. When I speak with young engineers across the organization, however, they seem to realize the change that's happening and are struggling to help their leaders make the right investments and reorganize to face the change. I challenge management to bring these facets out in the open and create enabling organizations that put the security mind-set at the forefront. It's no longer a cliché to say that security is everyone's responsibility. SAP has laid a foundation for this. In each aspect of SAP's NetWeaver use-case scenarios lies a security layer. SAP describes these as usage types, which determine the intended purpose of a system or sub-system. They are available by installing and configuring collections of software components.

Figure 1.1 presents NetWeaver as a collection of components that meet different needs up and down the integration stack. It is important to recognize that today SAP NetWeaver is more than just a collection of components; it is an open technology platform which offers a comprehensive set of technological capabilities that are natively integrated to support the needs of IT organizations worldwide. By reviewing the full gamut of capabilities one arrives at IT Scenarios and IT Practices that I refer to as use-cases.

IT Scenarios identify how one uses SAP NetWeaver to solve specific business problems. This is accomplished through deployment of the integrated IT scenarios in a way that does not disrupt existing business operations. IT practices look at the overall SAP NetWeaver platform as a strategic investment. One views the usage framework vertically and determines the options to focus on critical business issues rather than the specific business problems addressed by tactical scenarios. This flexibility is the power of SAP NetWeaver.

SAP recommends that each practice be broken into one or multiple IT scenarios, providing organizations with a process-oriented approach to making best use of NetWeaver. By implementing IT scenarios, customers can adopt core functionality of SAP NetWeaver in incremental phases. The aim of IT scenarios is to help customers, partners, and independent software vendors (ISVs) install and operate SAP NetWeaver, to run business applications (custom-built and packaged applications), or to implement a defined IT goal like migrating to the services architecture. Focusing on the flow of activities rather than on the nature of the involved components, IT scenarios are collections aimed at resolving specific business area challenges.

The best way to see these IT practices and IT scenarios is with the SAP NetWeaver Technology Map.

The SAP NetWeaver Technology Map

In Figure 1.1, each IT practice is on the left, with its associated IT scenarios to the right. Usage types describe how installations of SAP NetWeaver are used, and which capabilities each offers to the overall IT landscape. By providing installation and basic configuration support for SAP NetWeaver systems, usage types provide the groundwork to run IT and business scenarios. Usage types make system landscape planning easier by determining how capabilities provided by SAP NetWeaver can be deployed and activated in a SAP NetWeaver system. In addition, configuration will be simplified by offering configuration templates for usage types and IT scenarios. Usage types were introduced with SAP NetWeaver 7.0. Each scenario or practice has a security implication. Each instantiation comes with its own unique set of questions, technologies, and considerations for implementation and architecture.

As an organization implements a new component or scenario, the development cycle used to design, create, test, and deploy must adapt its design and testing methodology to ensure compliance. There are a host of tools and processes available for this. This book, then, is to be a model for highlighting the SAP technologies available for implementing and institutionalizing security into the technology plans and implementations throughout the industry.

Security can no longer be the afterthought for implementations. I contend that as an afterthought, it is more costly to implement and retrofit. But as a key component in the early planning of any implementation, security considerations are an equal partner in the design. A simple example of this shift is the following. Let's take a mythical company, Superior Marbles Inc. Superior Marbles has successfully deployed SAP and is using the system to manage its assets. A key aspect to many assets in a firm is location. And, with assets that are used by the average worker, tracking can be quite difficult. Every two or three years an asset such as a PC or cell phone may need to be replaced or upgraded. Also, work or home office locations for these devices must be tracked. Finally, when an employee leaves, all of the assets must be collected and accounted for. So, in this example, let us consider the Superior Marbles sales team. The sales force often has a personal data assistant (PDA), a laptop, a printer, and so on. So in a firm with 50 sales people we are quickly dealing with at least 150 line items to track.

The capital acquisition is an easy entry into SAP by the purchasing/receiving organizations, but once the asset is delivered it is no longer easy to track. Typically, inside SAP the tracking is at a cost center/departmental level. But a useful kiosk through the Web, enabling the sales team to self-manage the assets, would prove extremely useful. So, an extension from the SAP database to an applet available to end-users (the sales people) over the Web will be our project. Many technologies are in play for this project. How will they securely log in? What will be presented to them, and how will the data exchange occur back into SAP?

One can envision tackling the project via the typical analysis/requirements development process. But where are the security considerations determined and discussed with the user? They often aren't. It's left to IT network people, IT architects, and the developers to build on the basic requirements and ensure security. Even worse, there are times when audit concerns are missed until an actual audit, which can reveal additional shortcomings. So, the corrected approach is to address with the users the complete life cycle for the application and secure the application and its data. Having proper requirements specifications for the development team removes the ambiguity. And, better still, during audits these specifications are part of the development record and often this kind of data serves an important purpose as part of the catalog of documents used in building the application. So, then, what are the technologies that one must be concerned with in deploying an application within the SAP framework?

There are three key underlying concepts to all of the security infrastructure layers. These are data integrity, user access, and user authorization. Simply put, how is the data in the system ensured, how do users gain access, and what can users do with that access? The concepts associated with securing the infrastructure and applications will address these three key areas.


The scope of this discussion will be focused on four overlying security technologies that specifically encompass SAP. There are a host of non-SAP products certified for NetWeaver, such as Microsoft's BizTalk framework, that complement SAP; however, these are out of scope for this book. It is hoped that a study of the components and considerations of the SAP technologies will make extension to the non-SAP ones possible. The same considerations will be consistent across the infrastructure independent of the specific technology. Thus, we will focus on both the ABAP and Java Web Application Server 7.0, Governance, Risk and Compliance (GRC), and the typical backend infrastructure foundations, UNIX/Oracle. We do not mean to exclude specific, relevant technologies such as SQL Server or Linux, but we believe extensibility is appropriate, and we also find that in the main UNIX/Oracle still appear to have the lion's share of systems in an SAP installation. Thus, if you are working in a heterogeneous landscape the concepts outlined here will still apply.

NetWeaver Web Application Server

SAP NetWeaver 7.0 provides an open integration and application platform and facilitates the implementation of Enterprise Services Architecture (see Figure 1.2). Both ABAP and Java are fully supported in SAP. Sizing considerations and architecture plans should be reviewed in order to determine the best model for implementing these stacks. While an integrated ABAP/Java Web AS on the same server is possible, it is recommended to have separate hardware (application servers), in either virtual or physical mode, for the ABAP Web AS and the Java Web AS. Highlighted in the following sections is an overview of the J2EE Web AS and the ABAP Web AS features, functions, and security insights.


Excerpted from SAP Security Configuration and Deployment by Joey Hirao, Jeanmarie Hirao, Mimi Choi, Perry Cox, and Steven L. Passer. Copyright © 2009 by Elsevier, Inc. Excerpted by permission of Syngress Publishing, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

SAP Security Introduction; Authorization Concept and Security Mechanics; Security Administration and Parameters; Security: Authorization Documentation and Tracing; Transaction Security; Table Security; Program Security; Profile Generator; Interfaces and Conversions; Systems Monitoring and Management; System Profiles; Job Scheduling; Programming; Database management and monitoring; Technical Infrastructure; Identity and Access Management; Data Protection; Platform/Operating System Security; Vulnerability Management; Secure Change Management; Disaster Recovery; Regulatory Compliance, Auditing, Governance & Risk Compliance