Overview of Security Concepts SAP BASIS

Traditional SAP implementation projects usually considered security just as the design and realization of the authorization concept. At the application level the authorization concept (user masters, profiles, authorizations, activity groups, roles) is key to provide access to needed transactions and ensure secure access to sensitive data and as such is extremely important within the SAP security infrastructure. However, systems within mySAP Business Suite applications and SAP NetWeaver do have many other levels that could be attacked, and therefore a consistent security strategy must also consider all these other layers and components of the SAP systems.

Security can be defined from two different perspectives that have in common the objective of protecting the company systems and information assets. These two perspectives are as follows:

  • Security as the protection measures and policies against unauthorized accesses by illegitimate users (both internal and external). An internal attack is considered when a SAP user tries to access or perform functions for which he or she is not allowed.
  • Security as protection measures against hardware, software, or any other type of environmental failures (disasters, fires, earthquakes, and others) using safety technologies (backup/restore/disaster recovery/standby systems /archiving and so on).

In this chapter only the first perspective is dealt with: explaining some of the most common and practical concepts of SAP security components and security infrastructure from the first perspective to protect SAP systems from unauthorized accesses. It must be noted that a global security policy includes other "non-SAP" related components that can be defined as "peripheral security," such as the measures that must be taken to protect workstations, servers, and networks from the many types of outside attacks (e.g., viruses, denial of services, password cracking, sniffers).

Security Policy Basics

Companies must implement some type of security policy to protect their assets, but also they are required to comply with their country's legal obligations, business agreements, and industry laws and regulations. For instance, many countries have some forms of laws for protecting confidential data of employees. It is also very important to keep all financial records for tax authorities. And in terms of business partners, it is of great importance to ensure the confidentiality of commercial agreements with vendors or customers.

Modern information systems and technologies are both the means and the containers of the strategic and operative business information. They are the known but hidden treasures of companies, and companies need to keep their treasures secure. The Security Policy is the set of procedures, standards, roles, and responsibilities covering and specifying all the security and organizational measures that companies must follow to protect their business from threats and vulnerabilities. An approach to security will have the objective of building a strong security policy and should start by assessing a risk analysis to implement, monitor, and enforce such policy. It is important to realize that security implementation never ends and must be continually updated, reviewed, communicated, implemented, monitored, and enforced.

The security strategy and risk analysis must first consider these basic issues:

  1. What is to be protected? Companies must identify those assets—such as critical information (customer list, employee personal data, contracts), hardware, software, intangibles (hours of operation, cost of nonrevenue, nonproduction) or others—that require some type and some degree of protection against unwanted and unauthorized access, which could damage or destroy to some degree such assets.
  2. Which are the possible threats? The second security issue is to identify the possible sources of attack and the degree of vulnerability of infrastructure. Threats are of different type and nature and sometimes unknown. They are often intentional, but can also be unintentional. They can be external threats or can be internal (for instance, by other geographical locations or by burned-out or frustrated employees).
  3. What protection measures can be taken? Finally, the risk analysis and the security policy must identify the best security measures to implement and enforce such policy efficiently. Measures can be standard measures included in the information system capabilities, additional and external security infrastructure, and behavioral rules. For instance, a basic and strong security measure is the password that users must provide to access systems; however, it is almost impossible with technical means to know whether someone told his or her password to someone else.

Efficiency in security policy means that measures do not include awkward procedures that would obstruct or make users' jobs more difficult. Security policies always follow a principle of controls, which means that the security strategy must approach the balance between risks and control measures. As indicated, security is a continuous process due to the fact that new assets, new threats, or new technology can be identified as well as some threats or assets that are obsolete and no longer need protection. These facts will make the security policy a living entity that also includes the retraining of employees. In the following sections, the SAP security infrastructure is discussed so that you can better identify threats and vulnerabilities as well as the standard and nonstandard measures that can be applied to better protect and secure your assets.

Risks and Vulnerabilities

The increasing need for broad and open connectivity within complex SAP system landscapes and the increasing number of components within the architecture combined with options for external communications increase the risk of being attacked. Systems are more vulnerable when a security policy is either insufficient or nonexistent. In these cases people trust that standard measures will be enough, but normally this is not the case.

The following is a brief list of threat types:

  • External network attacks to set systems unavailable
  • External password cracking attacks
  • Internal sabotage to set systems unavailable
  • Internal attacks for collecting confidential data
  • Unintentional internal attacks or misbehavior
  • Trojan programs
  • Intentional internal breach of security policy
  • Unintentional breach of security policy
  • Unknown attacks

The main point is that the greater the number of risks and the fewer security measures in place, the greater the vulnerability of systems and therefore company assets.

Basic Security Processes

The following sections introduce some of the basic processes that are common when dealing with security and that you will find referenced continuously during this chapter.


Authentication is the process that is used for verifying that users, programs, or services are actually who they say they are. Authentication is the cornerstone of any security infrastructure or technology. SAP's standard User Authentication verifies a user's identity through the use of logon passwords. (Unsuccessful logon attempts will cause the session to terminate and activate user locks.) As standard security measures, SAP provides several login profile parameters and an initial set of password rules that you can expand on according to your needs. Standard security measures already provide a moderate to high degree of protection. User Authentication applies mainly at the presentation level, but a breach will affect other layers as well.

Limitations on SAP standard authentication pertain to the legal export rules of different countries regarding encryption software and algorithms. SAP included SNC in the kernel to overcome these limitations. Additional security measures to raise your system to the highest protection level include the following:

  • Using external security products that support encryption. Any such products however must be SNC compliant (see the discussion later in this chapter on SNC).
  • Using techniques such as client certificates or logon tickets for Web User Authentication security. However, these methods can only work if other security layers, such as the network and Internet, are also properly protected over secure protocols such as SSL.

Further references for SAP user authentication can be found on the SAP online help, the Security Guide, and the SNC user's guide.

Smart-Card Authentication

SAP's standard smart-card authentication allows a "safer" authentication process. The users use cards, "smart cards," instead of passwords to log on to the security system. No password information is transmitted over the communication lines. Because the smart cards are often protected with a password or PIN, it is much more difficult for someone to compromise a user's authentication information. The use of hardware devices such as smart cards is normally configured using an external security system based on the SNC interface.

The smart cards that can be used for login into the SAP Enterprise Portal are actually holders of the private keys of users, so the cards work as digital certificates that authenticate the holder.


Authorization is the process that is used for determining what accesses or privileges are allowed for users. Authorizations are enforced by means of access controls, which are in charge of restricting user accesses.

SAP's User Authorization Concept

SAP's standard User Authorization secures user access to business data and transactions, ensuring that only preauthorized users gain access to data and processes. Userauthorizations are defined by Authorization administrators in coordination with key business users in authorization profiles that are stored in the SAP user master records. An initial set of authorization profiles is predefined by SAP; you can modify/add to these profiles and you can use the Profile Generator to create new profiles automatically based on user activity information. Authorization applies to the application level mainly, but remote communications, operating system commands, and the Change and Transport System must also be taken into account.

The SAP authorization system is very comprehensive but difficult to implement fully to achieve the strictest security standards. It is difficult to implement and maintain because it has a great deal of organizational projects in which users, key users, managers, and technical consultants are involved. Therefore, it is necessary to audit and monitor critical system authorizations. The SAP online documentation as well as the SAP security guide provides a good basic understanding and methodology for implementing the authorization concept.

You can increase the security level of SAP's User Authorization system by including well-defined developing standards along with a quality control that filters programs that do not implement the necessary security and authorization checks.


Privacy is the process that can be used for ensuring that data or information sent over a network or communication line is not accessed or read by unauthorized persons. A usual way of granting privacy is by using cryptography technology. Both authorization and privacy ensure the confidentiality of data and information. Within SAP landscapes privacy can be considered the highest security level that can be set by technological means and can be enforced by means of digital signatures, digital envelopes, and the use of the SNC and SSF components.


Integrity is the process that verifies that nothing or nobody modifies data from a source to a target. Similar to the privacy within mySAP landscapes, integrity can be enforced by means of digital signatures, digital envelopes, and the use of the SNC and SSF components.

Proof of Obligation

Obligation or proof of obligation is necessary for confirming and guaranteeing that a business message is correct so it can be considered a business transaction between business partners. For this reason in electronic commerce there must be enough security mechanisms to guarantee the nonrepudiation of business messages.


Auditing is the process of collecting and analyzing security data for verifying that the security policy and rules are complied with. Accounting is a way of measuring and/or restricting the use of system resources and as such is a form of authorization.


Cryptography is the technique based on mathematical algorithms and other methods to encode data and thus prevent data from being read or disclosed. Cryptography is commonly defined as the science of secret writing. SAP's encrypted communications secure the exchange of critical data. This is an important security aspect in e-commerce communications. You can use SAP's SNC (Secure Network Communications) or SSF (Secure Store and Forward) solutions and the SSL (Secure Sockets Layer) protocol to encrypt the data being transferred via HTTPS connections. Data encryption ensures that the data being exchanged are secured end-toend and protected from being intercepted.

SAP does not directly include encryption software within their solutions but provides the possibility of external security products that are compliant with SNC and SSF so it can be used for authentication, for single sign-on, for digital signatures and envelopes, and so on. If security measures are not taken seriously, the manipulation and disclosure of information or digital documents is relatively easy with the aid of the current technology. Most of the advanced security measures are based on cryptography technologies. The following sections discuss common topics in modern cryptography applied to information technology.

Public Key Cryptography

Public key cryptography is based on mathematical functions of one direction, meaning that it is impossible to observe the results. With this type of system each user that originates communications or messages has two keys:

  • A private one (secret)
  • A public one that is distributed to their communication partners

Every message that is sent with public key can only be decrypted using the private key. Let's consider an example of how this system works. Suppose that these keys are the keys for a wooden box: from one of the keys there is only a master copy that you have securely kept; from the other one you have as many copies as you want and you give them to all people who want to communicate with you. The messages are boxes that have two locks (one opens with the secret key and the other one opens with the public one), with the special feature that if the box is closed using one of the keys it can only be opened using the other one. Because of this procedure each communication partner has its own private key and the public keys from other partners.

If a person (sender A) wants to send a private message to another person (receiver B), the procedure would be as follows: it will introduce the message in a box that would be locked with the public key of the receiver so that only the receiver will be able to open it with his or her private key. Then there is the following question: once the message is received, how does the receiver know that the message comes from the person (sender A) and not from another person that has his or her public key? This is the type of problem that digital signatures try to solve.

Digital Signatures

Digital signatures are special appendixes that are added to the digital documents to show the authenticity of the origin and the integrity of those documents. A digital signature is equivalent to the traditional hand-written signatures on paper documents. When someone tries to modify a handwritten signature illegally, there are usually clues that can be detected by physical means. This is usually what guarantees the authenticity and integrity of data and information contained.

The digital signature must guarantee the same elements although using technological means. The first important point is that each digital signature will be different in every document. Otherwise it could be easy to copy and falsify digital signatures. For this reason the digital signature will depend on the document that is being signed using a mathematical function. This mathematical relationship allows for later verification of the validity and authenticity of the document.

The impossibility to falsify any type of digital signature is based on using characteristics or knowledge owned by the sender (the one that signs). Every time a person uses its analogical (handwritten) signature it generates a very similar graphic using its inherent graphological characteristics. In the case of digital signatures the signatory uses its secret private key. This is a very secure mechanism because even if the message is intercepted and someone wants to modify its content, he or she must also modify the signature and that cannot be done without knowing the secret private key.

To guarantee the security of digital signatures, the following points must be applied:

  • Digital signatures must be unique: only the signatory can generate them.
  • They cannot be falsified: in order to distort the signature the criminal should resolve very complex mathematical algorithms (considered computational safe).
  • Verifiable: they should be easily verifiable by the receiver or by a competent authority.
  • Nondeniable: the signatory cannot deny its own signature.
  • Feasible: digital signatures should be easily generated by the signatory.

Several different protocols based on private key cryptography were proposed in standard organizations. However, currently it has been concluded that the public key cryptography is safer. Digital signatures in use and according to the aforementioned characteristics are based on the RSA signature and the DSS signature (Digital Signature Standard). In certain countries digital signatures can be used legally as if they were handwritten. In terms of security this means proof of obligation and nonrepudiation. For this reason the use of digital signatures based on public key infrastructure can raise the system to a high degree of security.

Cryptography in SAP Systems

Since release 4.0 of SAP Basis R/3 in 1998, SAP systems have included the SSF (Secure Store and Forward) as a mechanism for protecting some of the data within the system. The SAP applications can use the SSF layer for securing the integrity, authenticity, and privacy of certain data. The key point of the SSF is that the data are still protected when they leave the SAP systems. The first applications using SSF are as follows:

  • Production planning-process industry
  • Product data management
  • ArchiveLink II

SAP is committed to providing further applications that support SSF. SSF uses digital signature and digital envelopes for securing data. The digital signature identifies the sender and ensures the data integrity whereas the digital envelope ensures that the message can only be opened by the receiver. Besides those features the Secure Store and Forward includes others that are relevant and important for electronic transactions:

  • SSF is asynchronous: the creation, transmission, reception, process, and confirmation of business transactions are different steps that can take place at different times without locking or affecting the applications in charge of the process.
  • Independence of the transport so that it should be possible to use different transfer mechanisms such as public networks, Internet, online services, magnetic disks, and so on as well as different protocols and communication services such as HTTP, FTP, e-mail, and EDI.

In order to perform these functions SSF requires the use of a third-party security product. Since release 4.5 of SAP R/3, the system has included the SAPSECULIB (SAP Security Library) as default provider for SSF services. SAPSECULIB is a software solution, but the functionality is limited to digital signatures. In order to support specific cryptographic hardware such as smart cards or for supporting digital envelopes, SSF needs to be complemented by an external product that must be certified by SAP.

To use digital signatures effectively, it is necessary to maintain a public key infrastructure (PKI). Because there is no accepted worldwide PKI, it is required for this infrastructure to be established in a secure provider domain.Digital signatures are available in SAP systems and the SAP Business Connector and XI and can be used to secure business documents in SAP environments. SAP's standard digital signatures authenticate the SAP systems data that are being transmitted and ensure that the senders (signatories) can be clearly determined. The subsequently assigned digital envelope ensures that the data contents will only be visible to the intended recipients. On SAP systems digital signatures are based on SSF.

Single Sign-On (SSO)

With SAP's standard Single Sign-On solution, users only need to enter their passwords once when they initially log on to the security system or the operating system. The security system then generates "credential" information so that the users can later automatically log on to other systems, such as R/3 or other mySAP Business Suite components, without any password information being transmitted over the communication lines. With SAP R/3 and further with the SAP Web Application Server systems, there are many possibilities for Single Sign-On, although not all of them provide the same level of service. Some of these are as follows:

  • External security product compliant with the SNC interface
  • Use of central administration
  • Trusted systems
  • Microsoft Windows security provider
  • Cookies
  • Client certificates (X.509)
  • Integration with LDAP servers
  • SAP logon tickets

You can find extensive information on Single Sign-On solution on the security page of the SAP Service Marketplace and in the online documentation, as well as a set of SAP Notes.


LDAP is the abbreviation of Lightweight Directory Access Protocol. A directory access protocol provides defined criteria to search, read, or write within a directory. Known for a long time (e.g., Novel Directory Services NDS, Netscape Directory Server) directories are having a comeback with the introduction of PKIs that require a LDAP server to store users and certificates and have them accessible for search and verification requests. Microsoft introduced LDAP functionality with Windows 2000 and its ability to use Active Directory Services.

Originating from the OSI Directory Access Protocol (DAP) introduced to the Internet community in August 1991, the X.500 Lightweight Directory Access Protocol is specified in RFC1777 from March 1995 as a read-only access protocol to the X.500 protocol suite (LDAP v2). The lightweight is derived from the fact that this directory access protocol provides read-only access to the main topics, variables, or features using TCP or other transport. This means that not all accessible values are represented using LDAP and that the corresponding layer is the transport layer bypassing much of the session/presentation overhead required for DAP. An update of LDAP can be found in RFC2251 from December 1997, which specifies LDAP v3 that has, in addition to other enhancements, writing capabilities within the directory.

Secure Socket Layer Protocol (SSL)

HTTP is the default protocol for transferring files on the World Wide Web. HTTP transports Web sites as plain-text files. So it is possible that a third party having access to the network can read or alter the data sent. The protocol has no proper mechanisms to ensure authentication and confidentiality for the data. For that purpose SSL encryption can be used. The HTTPS protocol transfers HTTP over an SSL connection. HTTPS offers options to encrypt the data and to identify the other party by its digital certificate. SSL/HTTPS provides confidentiality and integrity of the data transmitted and authentication of the user.

  • Confidentiality is ensured through strong encryption. So the information transmitted cannot be decrypted by anyone else and the intended recipient and is unreadable to third parties.
  • Data integrity ensures that a third party did not alter data sent through the network.
  • Authentication is provided through digital certificates that are very difficult to falsify.

When an HTTPS communication is set up, client and server first agree on a protocol version and define the encryption algorithms. Then they authenticate each other and use encryption techniques to generate the session information. The following sections provide an overview over the steps required to set up a HTTPS connection:

  1. The client sends a request to the SSL-enabled server.
  2. The server sends its public key and its certificate to the client.\
  3. The client checks if the certificate of the server was signed by a certificate authority whom the client trusts. Otherwise the client will abort the connection to the server.
  4. The client compares the information from the certificate with those it just received about the server: domain name and public key. If the information matches, the client accepts the server as authenticated. At this point the server might request a certificate from the client as well.
  5. The client creates a session key, encrypts it with the public key of the server, and sends it to the server.
  6. The server receives the session key and encrypts it with its private key.
  7. Client and server use the session key to encrypt and decrypt the data they send and receive

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd DMCA.com Protection Status