
Information Systems Department

SAP Security Management - Baseline

For HUL Internal Use Only


Not to be photocopied or sent outside

SAP Security Management

Approval Record

| Date | Version | Document Owner | Remarks | Pages |
|---|---|---|---|---|
| 25 June 07 | 1.0 | Vinod P Thomas (CISO) | Original Document | 16 |
| 16th Oct 12 | 1.4 | TISO | Updated Document | 21 |

Change History

| Date | Team / Owner | Version | Change History |
|---|---|---|---|
| 29 Aug 07 | Vinod P Thomas (CISO) | 1.1 | The recommended value for the parameter rdisp/gui_auto_logout changed from 600 to 1800. |
| 17 Dec 09 | Vinod P Thomas (CISO) | 1.2 | 1st Revision. Enhancements to Profile Parameters and inclusion of Java Stack and Security Baseline requirements for additional SAP Components as listed in Item 2 Summary. 6.1 Baseline Security Parameters for SAP R/3 & ABAP: parameter value for Login/ticket_expiration_time reworded to 1:00 (one hour). 6.5 Use of SAP* and profiles SAP_ALL, SAP_NEW: recommendations added for maintenance of SAP*. 6.7 Review of access to maintenance of profile parameters RZ10, RZ11. 7.1 Basic Security Settings for Java Stack. 7.2 Security Audit Log for Java Stack. 8.1 Profile Parameters for EP & CE: number of minutes before an EP user ID is unlocked in UME after a series of failed logon attempts changed to 3 minutes; new security parameter Superadmin.activated added to secure usage of SAP*. 8.2 Security requirements for EP Super Administrators. 9 Security Requirements for TREX. 10 Security Requirements SAP APO. |
| 23 June 2011 | | 1.3 | 6.1 The default value 1 for profile parameter Login/min_password_diff has been changed to 3 to enforce a stringent password policy. 6.1 The default value for profile parameter Login/update_logon_timestamp has been updated from M to m. |
| 13 October 2012 | TISO | 1.4 | Aligned with global baseline. Renamed the SAP applications. |

Table of Contents

1 Purpose of this Document ........ 5
2 Summary ........ 5
3 Responsibility ........ 5
4 Review of Security Parameters ........ 5
5 Changes Required from the Baseline ........ 6
6 Baseline Security Requirements for ABAP Stack ........ 7
6.1 Baseline Security Parameters for ABAP Stack ........ 7
6.2 Client Settings ........ 11
6.3 Company Code Settings ........ 12
6.4 SAP System Accounts, Powerful Profiles and Program Access ........ 12
6.5 Table & Program Administration ........ 12
6.6 Use of SAP* and Profiles SAP_ALL, SAP_NEW ........ 13
6.7 Role Administration ........ 13
6.8 Info Provider Maintenance ........ 14
6.9 List of Passwords Not to Be Used ........ 15
6.10 Review of Access to Maintenance of Profile Parameters ........ 15
6.11 Batch Processing & Spool Management ........ 16
6.12 Transport Management System ........ 17
7 Security Requirements for Java Stack ........ 18
7.1 Basic Security Settings for Java Stack ........ 18
7.2 Security Audit Log for Java Stack ........ 18
8 Security Requirements for SAP NetWeaver Portal (EP & CE) ........ 19
8.1 Profile Parameters for EP & CE ........ 19
8.2 Security Requirements for EP Super Administrators ........ 20
9 Security Requirements for TREX ........ 21
9.1 Data Storage Security ........ 21
10 Security Requirements SAP APO ........ 21
10.1 Trace Reads / Gateway User ........ 21

Purpose of this Document

The purpose of this document is to ensure that a minimum level of security is enabled on SAP systems by defining the baseline security parameters, the procedure to be followed for implementing changes to security parameters, and the usage of privileged accounts in SAP.

Summary

These procedures apply to Hindustan Unilever Limited (HUL) and all of its subsidiaries and affiliates. This document describes the security parameter settings to be configured on the following systems, covering both the ABAP and Java stacks:

ECC
CUA
EP
PI
SRM
SNC
KPRO
APO LC
BW
BI Java
SM
CE
CRM

Responsibility

The responsibility for enforcing these baseline parameters and procedures lies with the Technical Information Security Officer (TISO) in coordination with the Basis Track Lead and the Business Representative.

Review of security parameters

The following reviews shall be conducted to ensure SAP application security:

Review of security settings: The actual parameter values set in the systems shall be reviewed and signed off twice a year by the Technical Information Security Officer (TISO) in consultation with the Basis Track Lead. Evidence of the review, in the form of a comparison between the baseline parameters and the actual parameters, identification of any deviations, and appropriate remarks, shall be maintained by the TISO to fulfil compliance requirements. If deviations are observed, appropriate action shall be taken by the TISO.

Changes Required from the Baseline

Changes required to actual settings that result in deviations from the baseline shall be reviewed on a case-by-case basis and shall be for a defined period based on business need. The following process shall be followed:

1. The Basis Track Lead shall send a request to the TISO for an exception to the policy, providing reasons for the deviations required from the standard baseline parameter;
2. The TISO shall evaluate the request and grant approval if deemed necessary; and
3. The Basis Team shall implement the change based on the approved request.

6 Baseline Security Requirements for ABAP Stack

6.1 Baseline Security Parameters for ABAP Stack


The ABAP stack settings are applicable to
1. ECC
2. Central User Administration (CUA)
3. SAP Netweaver Portal (EP)
4. PI
5. SRM
6. SNC
7. APO LC
8. Business Information Warehouse (BIW)
9. Solution Manager
10. CRM

| Parameter | Recommended Value | Explanation |
|---|---|---|
| Login/min_password_lng | | This parameter determines the minimum length of the logon password. |
| Login/min_password_digits | | This parameter sets the minimum number of digits (0-9) that the password MUST contain. |
| Login/min_password_letters | | This parameter sets the minimum number of letters (A-Z) that the password MUST contain. |
| Login/min_password_specials | | This parameter sets the minimum number of special characters (!@ $%&/()=?`*+~#_.,;:{[]}\<> and space) that the password MUST contain. |
| Login/password_charset | | This parameter defines the characters of which a password can consist. Value 0: the password can only consist of digits, letters, and the following 32 (ASCII) special characters: !@ $%&/()=?`*+~#-_.,;:{[]}\<> |
| Login/min_password_diff | | With this parameter, the administrator can specify how many characters in the new password MUST be different from the old password when the user changes his or her password. |
| Login/password_expiration_time | 90 | Value 0 means that users are not forced to change their password. A value > 0 specifies the number of days after which the user has to change the logon password. (Exception: users of type SERVICE) |
| login/password_change_for_SSO | | With password-based logon, the system checks whether the user's password MUST be changed (possible reasons: initial password, or the password has expired). With non-password-based logon variants (SSO: SNC, X.509, PAS, logon ticket), the system has, up to now, not checked whether the user has a password that he or she MUST change. |
| Login/disable_password_logon | | There are several types of user authentication: using a password (conventional logon); using an external security product (SNC); using an X.509 browser certificate (intranet / Internet); using a Workplace Single Sign-On (SSO) ticket. The default logon method is password user authentication. |
| Login/password_logon_usergroup | NULL | Controls the deactivation of password-based logon for user groups. |
| Login/disable_multi_gui_login | 1 | If this parameter is set to 1, multiple dialog logons (in the same client and under the same user name) are blocked by the system: when the system recognises a multiple logon, it displays a dialog box with the options "Terminate the current sessions" or "Terminate this logon". This parameter applies to SAPgui logons. System logons using Remote Function Call (RFC) are controlled using the parameter login/disable_multi_rfc_login. Logons with SERVICE user master records are also not subject to the multiple logon check. |
| Login/multi_login_users | IBMBASIS, DDIC | This list contains the R/3 user IDs allowed to log on to the system multiple times. This profile parameter only applies to dialog users. |
| Login/fails_to_session_end | | Number of incorrect logons allowed for a user until the logon procedure is terminated. Every time a user enters an incorrect password, the counter is raised for that user's master record. The logon attempts can be logged in the Security Audit Log. |
| Login/fails_to_user_lock | | When the limit set by this parameter is surpassed, the user is locked. This is also logged in the SysLog. The lock becomes invalid at the end of the current day (exception: see login/failed_user_auto_unlock). The incorrect logon counter is reset when the user logs on with the correct password. Logons that do not require a password do not change this counter. Active user locks have effect for all logons. |
| Login/failed_user_auto_unlock | | Controls the unlocking of users locked by logging on incorrectly. If the parameter is set to 1 (default), the system does not consider users locked due to incorrect logon on previous days. The locks remain if the parameter value is 0. |
| Login/accept_sso2_ticket | | To allow the use of Single Sign-On (SSO) in the mySAP.com Workplace, SSO tickets can be used. Alternatively, X.509 client certificates can be used for user authentication. Workplace component systems SHOULD permit logon through SSO ticket (login/accept_sso2_ticket = 1). If only the second method (X.509 client certificates) is used, or Single Sign-On is not wanted, logon by SSO ticket can be deactivated (login/accept_sso2_ticket = 0). |
| Login/create_sso2_ticket | | To allow the use of Single Sign-On (SSO) in the mySAP.com Workplace, SSO tickets can be used. Alternatively, X.509 client certificates can be used for user authentication; note that this requires additional configuration steps for the Workplace engine (ITS). The Workplace server SHOULD permit the generation of SSO tickets: login/create_sso2_ticket = 1: SSO ticket incl. certificate; login/create_sso2_ticket = 2: SSO ticket without certificate. Ticket generation SHOULD be deactivated for Workplace component systems (login/create_sso2_ticket = 0). |
| Login/ticket_expiration_time | 1:00 (one hour) | To allow the use of Single Sign-On (SSO) in the mySAP.com Workplace, SSO tickets can be used. When an SSO ticket is generated, a validity period can be defined. After this period has passed, the SSO ticket can no longer be used for logging on to a Workplace component system. The user MUST then log on to the Workplace server again to get a new SSO ticket. |
| Login/ticket_only_by_https | | Specifies how the logon ticket created when you log on using http(s) is set in the browser. 1: the ticket is only sent by the browser during HTTPS connections. 0: the ticket is always sent. |
| Login/ticket_only_to_host | | Specifies how the logon ticket created when you log on using http(s) is set in the browser. 0: on requests, the ticket is sent to all servers in the domain. 1: on requests, the ticket is only sent to the server that created the ticket. |
| Login/disable_cpic | | If this parameter is set to 1, incoming connections of type CPIC are rejected (message class 00, message number 161). Incoming connections of type RFC are not affected. |
| Login/no_automatic_user_sapstar | | If the user master record belonging to user SAP* is deleted, it is possible to log on again with SAP* and the initial password PASS. SAP* then has the following attributes: the user has all authorisations, as authorisation checks cannot be executed; the standard password PASS cannot be changed. Using profile parameter login/no_automatic_user_sapstar, these special attributes of SAP* can be deactivated. |
| Login/system_client | 300 | The standard client is defaulted for each logon but can be overwritten by the user. The parameter value is 300 for R3 and 100 for the remaining systems. |
| Login/update_logon_timestamp | | A time stamp (date and time) can be generated for every logon. This parameter sets the accuracy and therefore the update rate. Permitted values: D - day accuracy; h - hour accuracy; m - minute accuracy (default); s - second accuracy (backwards compatible). |
| rdisp/gui_auto_logout | 1800 | This parameter defines that inactive users are automatically logged off from the SAP system after a specific period of time has expired. It specifies the time period in seconds. By default, automatic logoff is deactivated in the SAP system (value 0), that is, users are not logged off even if they do not perform any actions over a long period of time. |
| Auth/rfc_authority_check | | This parameter determines whether object S_RFC is checked during Remote Function Calls. Value 0: no check against S_RFC. Value 1: check active but no check for SRFC-FUGR. Value 2: check active and check against SRFC-FUGR. (FUGR is an RFC type) |
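The half-yearly comparison of baseline and actual values called for under "Review of security parameters", as an added example that is not part of this document: it reads a constructed "name = value" export of actual values, compares it with the baseline values of this table, and separates deviations covered by an unexpired TISO-approved exception (see "Changes Required from the Baseline") from open ones. The export format, the sample values and the exception register are assumptions; only the baseline values come from the table.

```python
"""Added example: compare actual ABAP profile parameter values with the section 6.1 baseline.

Not part of the original document. The export format, the sample values and the
exception register are constructed; the baseline values are the ones in section 6.1.
"""
from datetime import date

# Baseline values stated in section 6.1. Parameter names are compared in lower case
# because the document writes "Login/..." while the system reports "login/...".
BASELINE = {
    "login/password_expiration_time": "90",
    "login/disable_multi_gui_login": "1",
    "login/multi_login_users": "IBMBASIS,DDIC",
    "login/ticket_expiration_time": "1:00",
    "login/system_client": "300",
    "rdisp/gui_auto_logout": "1800",
}

# Parameters whose value is a comma-separated list; order is irrelevant for these.
LIST_VALUED = {"login/multi_login_users"}

# Constructed sample export of actual values, one "name = value" per line, as the
# Basis team might hand it over for the half-yearly review.
ACTUAL_EXPORT = """\
# exported from PRD, client 300 (constructed sample)
login/password_expiration_time = 90
login/disable_multi_gui_login  = 0
login/multi_login_users        = DDIC, IBMBASIS
login/ticket_expiration_time   = 8:00
login/system_client            = 300
"""

# Constructed exception register: deviations approved by the TISO for a defined
# period (see "Changes Required from the Baseline").
APPROVED_EXCEPTIONS = {
    "login/ticket_expiration_time": {"value": "8:00", "valid_until": date(2013, 3, 31)},
}


def parse_export(text):
    """Parse 'name = value' lines into a dict keyed by lower-cased parameter name."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip().lower()] = value.strip()
    return values


def normalise(name, value):
    """Canonical comparison form: list-valued parameters become a sorted tuple of IDs."""
    if name in LIST_VALUED:
        return tuple(sorted(v.strip().upper() for v in value.split(",") if v.strip()))
    return value.strip()


def compare(baseline, actual, exceptions, today):
    """One finding per baseline parameter.

    status: 'compliant', 'deviation', 'approved deviation' (an unexpired exception
    covers exactly the observed value) or 'missing' (not present in the export).
    """
    findings = []
    for name, expected in baseline.items():
        observed = actual.get(name)
        if observed is None:
            status = "missing"
        elif normalise(name, observed) == normalise(name, expected):
            status = "compliant"
        else:
            exc = exceptions.get(name)
            covered = (exc is not None
                       and exc["valid_until"] >= today
                       and normalise(name, exc["value"]) == normalise(name, observed))
            status = "approved deviation" if covered else "deviation"
        findings.append({"parameter": name, "expected": expected,
                         "actual": observed, "status": status})
    return findings


def review(today=date(2012, 11, 1)):
    """Run the comparison on the constructed sample; returns {parameter: status}."""
    findings = compare(BASELINE, parse_export(ACTUAL_EXPORT), APPROVED_EXCEPTIONS, today)
    return {f["parameter"]: f["status"] for f in findings}


if __name__ == "__main__":
    # Review evidence: one line per baseline parameter with its status.
    for parameter, status in review().items():
        print(f"{status:<19} {parameter}")
```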

6.2 Client settings:
All SAP production clients SHOULD have the following settings, which can be set and reviewed using transaction SCC4 and selecting the relevant client in the list of clients displayed:

Client role SHOULD be set to Production.

An appropriate promote-to-production procedure MUST be in place to ensure that all modifications and new development are tested and authorized prior to their transport to the production environment.

Changes to SAP standard programs SHOULD be avoided wherever possible.

Access to change system settings (transaction SE06) MUST be restricted to SAP BASIS Administrators.

Changes and Transports for client-specific objects SHOULD be set to No Changes Allowed. Any deviation from this must be authorized by the BISO and TISO and approved by the Head of IT.

Cross-Client Object Changes SHOULD be set to No Changes to Repository and cross-client Customizing Objs.

Protection: Client Copier and Comparison Tool SHOULD be set to Protection level 1: No Overwriting.

CATT and eCATT Restrictions SHOULD be set to eCATT and CATT Not Allowed.

6.3 Company Code Settings:

Company codes in the production client SHOULD be set as Productive.

6.4 SAP System Accounts, Powerful Profiles and Program Access:

Password change for default accounts: The default passwords for the SAP standard user accounts SHOULD be changed. The standard user accounts are:
SAP*
DDIC
SAPCPIC
EARLYWATCH

SAP* and DDIC SHOULD be assigned to user group SUPER only.

6.5 Table & Program Administration

Access to table display and maintenance transactions (SE11, SE16, SE17, SM30, SM31 etc.) SHOULD be restricted to appropriate support individuals.

Any support users allocated access to table display and maintenance transactions (SE11, SE16, SE17, SM30, SM31 etc.) SHOULD NOT be allowed to perform direct table updates in the production system.


Super users and support users with access to table display transactions SHOULD be
restricted to only displaying appropriate (system) tables using table authorization groups.

Access to change client independent tables SHOULD be restricted to a very limited group
of support users using the S_TABU_CLI authorization object.

Access to execute programs directly via development transactions (SA38, SE38, SE84,
etc) SHOULD NOT be allocated to users in the production system.

Authorizations for the S_DEVELOP object SHOULD NOT be present in end-user roles in
the production system.

Access to sensitive programs SHOULD be restricted using the S_PROGRAM object.

Maintenance access to DEBUG MUST be restricted using the S_DEVELOP authorization to ensure that users cannot bypass logic and authorization restrictions.

Where DEBUG access has been allowed this MUST NOT be combined with access to
replace values.

6.6 Use of SAP* and profiles SAP_ALL, SAP_NEW

All authorizations of the SAP* account SHOULD be removed and the account SHOULD be locked.

A separate user ID should be created with the same authorizations as SAP*, and that user ID should be invoked through the Firefighter process.

No user SHOULD be assigned the SAP_ALL or the SAP_NEW profile outside of the
Firefighter process.

The ALEREMOTE userID MUST be defined as a background user and hold a limited
access profile.

The BWREMOTE userID MUST be defined as a background user and hold a limited
access profile.

All data transfer userIDs MUST be defined as background users and hold a limited access
profile.

The analysis authorization 0BIALL SHOULD NOT be assigned to users in the system.

6.7 Role Administration

Access to administration of Analysis Authorizations via transaction RSECADMIN MUST be restricted to authorized SAP Security Administrators only.

Individuals with access to Analysis Authorization administration activities SHOULD NOT have access to user administration activities.

A list of business approvers MUST be maintained by the System Owner and appropriate approvals MUST always be sought prior to any changes to Analysis Authorizations.

Analysis Authorization maintenance approvals MUST always be documented for audit purposes.

The InfoProviders accessible to each end user role SHOULD be restricted using the authorization object S_RSCOMP.

The InfoProviders accessible to support users SHOULD be restricted using the authorization object S_RSCOMP1.

The DSO objects available to support users SHOULD be restricted using the authorization
object S_RS_ODS0.

The Infocube objects available to support users SHOULD be restricted using the
authorization object S_RS_ICUBE.

Publisher roles MUST be appropriately restricted using the S_USER* authorizations.

The authorization object S_RS_AUTH SHOULD NOT be allocated with a * or 0BIALL value in roles.

Authorization-relevant characteristics MUST be set to create access restrictions reflecting the level of control in the SAP ECC system.

Access to set the authorization relevance of characteristics MUST be restricted to authorized individuals only using the authorization object S_RSEC and MUST NOT be available in the production environment.

Access to maintain InfoObjects MUST NOT be available in the production system and must be restricted using the authorization object S_RS_IOBJ.

Access to write queries SHOULD be restricted to a limited number of authorized users only.

Queries and query results MUST only be published to users who are authorized and
approved to view the data.

6.8 Info Provider Maintenance

Access to maintain InfoCube objects MUST NOT be available in the production system and must be restricted using the authorization object S_RS_ICUBE.

Access to activate InfoCubes MUST NOT be available in the production system and must be restricted to authorised individuals only using the authorisation object S_RS_ICUBE.

Access to maintain DSO objects MUST NOT be available in the production system and must be restricted using the authorisation object S_RS_ODS.

Access to activate DSO objects MUST NOT be available in the production system and must be restricted to authorised individuals only using the authorisation object S_RS_ODS.

Access to maintain MultiProviders MUST NOT be available in the production system and must be restricted using the authorisation object S_RS_MPR0.

Access to activate MultiProviders MUST NOT be available in the production system and MUST be restricted to authorised individuals only using the authorisation object S_RS_MPR0.

Direct access to display data held within InfoProviders MUST NOT be available to end users in the production system.

Direct access to display DSO objects MUST NOT be available to end users in the production system.

6.9 List of passwords not to be used

The table USR40 stores the list of easily guessable passwords. Every time a new password is assigned to a user, SAP automatically checks this table and will not allow the user to use a password that matches an entry stored in USR40. This table MUST be kept updated with combinations of easily guessable passwords. The following values are an illustrative list:

*ABC*

*BCS*

*FUSION*

*HLL*

*HP*

*IBM*

*INFRA*

*INIT*

*JINI*

*PASS*

*SAP*

*UNILEV*

123*
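An added example, not part of this document, of the password acceptance check that the login/min_password_* parameters of section 6.1 and the USR40 table describe: it applies a constructed placeholder policy (the document gives no recommended values for those parameters) and rejects any candidate matching one of the illustrative USR40 patterns above. It assumes USR40 wildcard semantics of "*" for any run of characters and "?" for one character with case-insensitive matching, and a simplified positional reading of login/min_password_diff.

```python
"""Added example: password acceptance check modelled on the login/min_password_*
parameters of section 6.1 and the USR40 exclusion table of section 6.9.

Not part of the original document. The policy values are constructed placeholders;
the USR40 patterns are the illustrative list in section 6.9. Assumed USR40
semantics: '*' matches any run of characters, '?' exactly one, case is ignored.
"""
import re

# Characters the document counts as "special" for login/min_password_specials
# (the listed set, including space).
SPECIALS = set("!@ $%&/()=?`*+~#_.,;:{[]}\\<>")

# Constructed placeholder policy in the shape of the section 6.1 parameters.
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_diff": 3,
    "login/password_charset": 0,
}

# Illustrative USR40 entries from section 6.9.
USR40 = ["*ABC*", "*BCS*", "*FUSION*", "*HLL*", "*HP*", "*IBM*", "*INFRA*",
         "*INIT*", "*JINI*", "*PASS*", "*SAP*", "*UNILEV*", "123*"]


def usr40_regex(pattern):
    """Translate one USR40 pattern into a compiled, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


USR40_COMPILED = [(p, usr40_regex(p)) for p in USR40]


def usr40_hit(password):
    """Return the first USR40 pattern that matches the whole password, else None."""
    for pattern, regex in USR40_COMPILED:
        if regex.fullmatch(password):
            return pattern
    return None


def positional_difference(new, old):
    """Simplified reading of login/min_password_diff (an assumption, not SAP's exact
    algorithm): characters of the new password that differ from the old one at the
    same position, plus any difference in length."""
    common = min(len(new), len(old))
    differing = sum(1 for i in range(common) if new[i] != old[i])
    return differing + abs(len(new) - len(old))


def is_letter(c):
    """Letters in the sense of the A-Z rule: ASCII alphabetic characters only."""
    return c.isascii() and c.isalpha()


def check_password(new, old=None, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(new) < policy["login/min_password_lng"]:
        problems.append("too short")
    if sum(c.isdigit() for c in new) < policy["login/min_password_digits"]:
        problems.append("too few digits")
    if sum(is_letter(c) for c in new) < policy["login/min_password_letters"]:
        problems.append("too few letters")
    if sum(c in SPECIALS for c in new) < policy["login/min_password_specials"]:
        problems.append("too few special characters")
    if policy["login/password_charset"] == 0:
        # Value 0: only digits, letters and the listed special characters are allowed.
        outside = [c for c in new if not (c.isdigit() or is_letter(c) or c in SPECIALS)]
        if outside:
            problems.append("characters outside charset 0: " + repr("".join(outside)))
    hit = usr40_hit(new)
    if hit is not None:
        problems.append("matches USR40 pattern " + hit)
    if old is not None and positional_difference(new, old) < policy["login/min_password_diff"]:
        problems.append("too similar to previous password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Welcome#2012", None), ("Unilever#12", None),
                                ("123admin", None), ("Welcome#2013", "Welcome#2012")]:
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```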

6.10 Review of access to Maintenance of Profile Parameters

Transaction codes RZ10 and RZ11 are used to maintain profile parameters and MUST be
given only to SAP BASIS Administrators and closely monitored and controlled.


Confidential or Red Status data MUST have the same level of protection as the production environment and agreement from the information owner.

Access to system administration transactions (e.g. SCC* & SE*) MUST be strictly controlled and segregated from other incompatible duties.

The authorization object S_ADMI_FCD MUST be restricted appropriately to ensure that users only have access to BASIS functions appropriate to their job.

The authorization object S_LOG_COM MUST be restricted appropriately to ensure that users only have access to execute logical system commands where absolutely necessary.

Access to the operating system command prompt or the ability to execute operating system commands MUST be appropriately controlled by restricting access to transactions SM49 (Execute external OS commands) and SM69 (Maintain External OS Commands).

Access to the Computer Centre Management System (CCMS) MUST be restricted to the BASIS team using the authorization object S_RZL_ADM.

The SAP user buffer SHOULD be capable of holding the maximum number of authorizations (2000 or greater) unless performance is being adversely affected. The parameter setting "auth/auth_number_in_userbuffer = 2000" (or greater) SHOULD be made (where applicable) in order to achieve this.

Access to the standard user maintenance transactions (SU01/SU10) and other methods of maintaining users (such as OY22, OY27, SAPMSUU0, BAPI_USER_CHANGE etc.) MUST be restricted to the user administration team.

The S_USER authorization objects (S_USER_AUT, S_USER_GRP, S_USER_AGR, S_USER_PRO) SHOULD be used to appropriately restrict and segregate user administration activities and to ensure that individuals with access to user administration activities do not have access to role administration activities and vice versa.

Individuals with access to role administration activities SHOULD NOT have access to user administration activities.

Transaction SU24 SHOULD always be maintained where additional authorization checks are identified.

Roles SHOULD always contain transaction code specifications, and a * value (or wide ranges) for the S_TCODE object SHOULD NOT be present in any end user roles.

All roles MUST be fully documented and this documentation MUST be updated when changes are made.

User roles SHOULD be defined to ensure that users have the minimum access required to perform their normal business duties.

Users MUST NOT be allocated access to all function groups, and the FUGR value for authorization object S_RFC MUST NOT be set to '*'.


6.11 Batch Processing & Spool Management

Access to manage any batch job SHOULD be restricted to its owner and selected batch administrators.

Access to administer, schedule and delete the batch jobs of other users MUST be restricted to selected batch administrators and MUST be controlled using the authorization object S_BTCH_ADM.

Access to work on other users' scheduled batches MUST be restricted to batch administrators only and MUST be controlled using the authorization object S_BTCH_JOB.

Access to execute batches in another user's name MUST be restricted to limited circumstances and the allocation of S_BTCH_NAM authorizations MUST be limited.

Access to manage and view any spool output SHOULD be restricted to its owner.

Authorization groups SHOULD be configured on sensitive spool jobs.

Access to sensitive spool jobs SHOULD be restricted using the authorization object
S_SPO_ACT.

6.12 Transport Management System

Access to the transport management system transactions (STMS, SE10 etc) MUST be
restricted in the production system to the BASIS administration team.

Access to import data into the production system MUST be limited by ensuring that the
S_TRANSPRT authorization object is allocated to the BASIS administration team.

Access to administer the change and transport system (CTS) MUST be restricted to the
BASIS team using the authorization object S_CTS_ADMI.


7 Security Requirements for Java Stack

The Java stack settings are applicable to
1. SAP Netweaver Portal (EP)
2. PI
3. SRM
4. BI Java
5. Solution Manager
6. CE
7. CRM

7.1 Basic Security Settings for Java Stack

The J2EE_GUEST user account SHOULD be locked.

The SDM administrator password SHOULD be provided only to the J2EE administrator group and documented so that it is guarded against unauthorized usage.

The \usr\sap\<SID>\SYS\global\security\data\SecStore.properties file SHOULD be secured and owned by the SAP SID user, with access controlled at the OS level.

7.2 Security Audit Log for Java Stack

The security audit log file SHOULD be used for controlling and monitoring.

The location of the files in the file system is as below:

Security log at
<drive>:\usr\sap\<SID>\<instance_number>\j2ee\cluster\server<n>\log\system\security.<n>.log
Trace files at
<drive>:\usr\sap\<SID>\<instance_number>\j2ee\cluster\server<n>\log\defaultTrace.<n>.trc

8 Security Requirements for SAP NetWeaver Portal (EP & CE)

8.1 Profile Parameters for EP & CE

| Parameter | Recommended Value | Explanation |
|---|---|---|
| Auto_unlock_time | 3 | Number of minutes before a user ID is unlocked after a series of failed logon attempts. |
| Cert_logon_required | FALSE | Defines whether certificate logon is required. |
| Lock_after_invalid_attempts | 3 | Number of failed logon attempts before the user is locked. |
| log_client_hostaddress | TRUE | The UME logs the user's host IP address. |
| log_client_hostname | FALSE | When enabled, the UME (Portal User Management Engine) logs the user's hostname. |
| oldpass_in_newpass_allowed | FALSE | Defines whether the old password can be part of the new password. |
| Password_alpha_numeric_required | | Minimum number of alphabetic and numeric characters in passwords. |
| password_change_allowed | TRUE | Users can change their passwords. Administrators can reset users' passwords. |
| password_change_required | TRUE | A newly created user is required to change his or her initial password when he or she first logs on. |
| password_expire_days | 90 | Number of days before the password expires. |
| password_history | 10 | Users cannot reuse any of the passwords used the last 10 times. |
| password_last_change_date_default | 12/31/9999 | If a user has never changed his or her password using the AS for Java, this date counts as the last date on which the user changed his or her password. |
| password_max_length | 14 | Maximum length of the password. |
| password_min_length | | Minimum password length. |
| password_mix_case_required | | Minimum number of upper and lower case letters in passwords. |
| password_special_char_required | | Minimum number of special characters in passwords. |
| userid_digits | | Minimum number of digits in the user logon ID. Value < 0: digits are not allowed. Value = 0: digits are allowed. Value > 0: digits are required. |
| userid_in_password_allowed | FALSE | Defines whether the user ID can be part of the password. The user ID cannot be part of the password. |
| userid_lowercase | | Minimum number of lowercase characters in the user logon ID. Value < 0: lowercase characters are forbidden. Value = 0: lowercase characters are allowed. Value > 0: lowercase characters are required. |
| Userid_special_char_required | -1 | Minimum number of special characters in the user logon ID. Value < 0: special characters are forbidden. Value = 0: special characters are allowed. Value > 0: special characters are required. |
| Useridmaxlength | 20 | Maximum length of the user ID. |
| Useridminlength | 6 | Minimum length of the user ID. |
| Superadmin.activated | False | Usage of user SAP* is deactivated if the value is set to false. |

8.2 Security requirements for EP Super Administrators

In case of emergency, activating the super administrator SAP* should be done through the approval of the Basis track leads. The transaction logs for the duration of access should be reviewed and signed off with the CISO.
The Super Administration role SHOULD be assigned only to Administrator user accounts.
Sensitive administrative URLs SHOULD NOT be available over the internet:

For NetWeaver User Administration
<http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/nwa/identity
<http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/useradmin
For NetWeaver Administration
<http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/nwa
<http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/nwapi
For WSDL
http://<server>:<port>/NavigationWS/NavigationWSConfig?wsdl
For SLD
http://<host>:<port>/sld

9 Security Requirements for TREX

9.1 Data Storage Security

Data Storage Location
Access to the following TREX data storage locations SHOULD be restricted and owned by the SAP SID user at OS level:

On UNIX: /usr/sap/<SID>/TRX<instance_number>
On Windows: <disk_drive>\usr\sap\<SID>\TRX<instance_number>

10 Security Requirements SAP APO

10.1 Trace reads / gateway user

The SAP APO Optimizer writes log files to the gateway file system. The log files are located in the following directory. This folder MUST be protected on the server against unauthorised access and SHOULD be owned by the SAP SID user.
<Drive:>\usr\sap\<SID>\<Gxx>\log
<SID> = Gateway ID on the SAP APO optimizer server
<Gxx> = Gateway number
