
Patrick Boch

Ensuring Security in SAP Systems

- excerpt -

TÜV Media GmbH
Details about the annex
Your ebook has corresponding files in the annex. Please click the clip icon to see the additional documents.

ISBN 978-3-8249-1876-8

© TÜV Media GmbH, TÜV Rheinland Group 2015. Produced and published by: TÜV Media GmbH (Cologne, Germany), www.tuev-media.de

® TÜV, TUEV and TUV are registered trademarks. Use thereof requires prior consent.

The contents of this work have been developed and compiled by the publisher and editors to the best of their knowledge and judgment. However, no legal liability is assumed for the accuracy of individual information. The same applies to web sites referenced by hyperlinks. It is explicitly declared herewith that we have no influence on the content and formulation on the linked pages and thus also assume no responsibility for them. The wording of the laws, regulations and standards are fundamentally applicable as is relevant case law.

Bibliographic information of the German National Library

The national library (DNB) has registered this publication in the German National Bibliography. Detailed bibliographic information is available online at http://dnb.d-nb.de.

Tools:

Checklist.xls SAP Security Checklist

The clip icon in the text refers to the corresponding files in the Annex.


Ensuring Security in SAP Systems

SAP systems contain companies’ most valuable data. Therefore, sufficient attention must always be paid to the measures involved in securing them. Such information is precisely what malicious entities seek to access, and the number of attacks registered on SAP systems has increased – in some cases, dramatically so – in recent years. It is thus all the more important to scrutinize all of the aspects of safeguarding SAP systems. This document describes the most crucial areas, settings, and considerations that should be observed in the process. Along with the configuration of SAP NetWeaver (Basis), these mainly cover dealing with critical authorizations and securing elements between SAP installations and the greater IT landscape, be it with regard to the database, operating system, or internal network at hand or in communicating with external services or the Internet.

Tool:

• SAP Security Checklist

Author: Patrick Boch, E-Mail: [email protected]

1 Motivation

Enterprise resource planning (ERP) systems typically contain some of the most sensitive and valuable data pertaining to a given company or public authority. Therefore, this information and the systems that work with it demand higher standards of protection. Many of the ERP systems currently used are based on products sold by SAP SE. In terms of the technology involved in securing these systems, SAP has taken a unique stance: Its systems utilize standard databases running on standard hardware, and they are now also based on standard networks. For this reason, two lines of argumentation are most often taken when questions arise concerning SAP security:

• Typical statements often include claims that “normal” IT security measures already cover every possible vulnerability, or that hackers “always have to get through the firewall first!”

• SAP systems come with an authorization concept that ensures data security.

However, this represents only half of the story. While sophisticated concepts for both authorizations and IT security in general are key components of any comprehensive SAP security framework, the increasing complexity of SAP applications (see Figure 1) now requires measures and an overarching approach that are tailored to the situation at hand.

The days in which SAP systems were run separately from companies’ existing operational and administrative structures were already history years ago. Through portals and self-service functions, these systems have begun to interact more and more with the outside world. Supplier portals and e-recruiting applications are now relatively commonplace and capable of providing remote access to SAP systems. Nevertheless, teams responsible for SAP operations are, in organizational terms, still often compartmentalized from general IT operations and IT security departments. SAP departments are also primarily concerned with pure operational performance, which means that security aspects are often considered only in passing. In these teams’ defense, however, it should be stated that companies’ dependence on the availability of their SAP servers precludes even critical security updates from being installed or configurations from being changed without extensive planning.

All this notwithstanding, the complexity and myriad interfaces involved in a modern SAP system demand that special priority be given to the topic of security. An insecure SAP system can, after all, quickly make all other security measures irrelevant. To offer a few examples:


• In one of its custom developments, a company discovered lines of programming that sent all of its quarterly results to a private e-mail address. The employee to whom the address belonged had not worked for the company in years.

• SAP itself warned customers of a security issue in SAP Gateway that allowed users to execute any operating system command on corresponding servers without ever having to enter a username or password.

• A penetration test one company conducted revealed insecure configuration settings in SAP Solution Manager. To make matters worse, the company had outsourced its SAP system operations to a hosting provider, where the vulnerability allowed unauthorized access to more than 40 systems of other customers – some of which could have included competitors, partners, or suppliers.

Fig. 1: Complexity of SAP landscapes


These are extreme examples, of course, but even these obvious (and above all, known) security issues can still be found in many SAP systems today. There are also a number of potential vulnerabilities that do not even require any particular technical expertise. In the case of many known issues in SAP systems, an unauthorized user only needs knowledge of a standard user and his or her password, or to enter a short ABAP command into an input field. This requires nothing more than a brief online search.

2 SAP System (In-)Security

Various reasons explain the relatively high level of vulnerability exhibited by SAP systems. First of all, there is SAP’s technology in itself: The core of every SAP system is based on technology from the 1990s, which is when SAP achieved its first major success with its R/3 system. Some of this technology has even existed since the 1970s. SAP has, of course, updated its applications to reflect more modern circumstances, but it is these updates in particular that have resulted in numerous security holes and not done a great deal to simplify the company’s systems.

The SAP systems currently in use are in a similar predicament: They have grown over periods of years and been supplemented with new components, while the companies that run them have developed and updated their own applications or replaced them with new solutions. As a result, potential vulnerabilities have often been passed down over the years without being noticed.

Meanwhile, SAP applications are often implemented under considerable pressure to finalize projects. This frequently comes at the cost of security, which can rarely be found at the top of companies’ priority lists. In many cases, pressure is also the reason why administrative authorizations see use even after projects have been completed, and why applications are rife with workarounds that produce more vulnerabilities and prove difficult to eliminate.

For hackers who can familiarize themselves with the current weaknesses using scaled-down – and sometimes free – versions of SAP systems at no major expense, SAP represents the perfect target.

Is there any way to address existing vulnerabilities and prevent new ones as effectively as possible?

3 Basic Configuration of SAP Systems

Customers have largely adopted the three-system lines recommended by SAP. Indeed, it certainly makes sense to follow an orderly approval and testing process and avoid conducting development in productive systems. To ensure the security of the individual systems and their three-level arrangement as a whole, several fundamental factors and settings should be considered.

The development system should only be used for company-specific parameterization and development. General functional testing activities should continue to be carried out in this system, as well.

No development or customizing should take place in the integration system; it should only be used to test functions imported from the development system under near-productive conditions. During client configuration, the consolidation system should be set to the status “not changeable”. The SAP transactions SE03 and SCC4 should be used to set up the system such that the configuration cannot be modified directly in a client-independent or -dependent fashion. Although the integration system generally represents a mirror image of the productive environment, a concept for generating test data or at least anonymizing productive data used for testing purposes in these systems should be developed.

The productive system should also be set to the status “not changeable” using the aforementioned transactions. Development should be prohibited in this system. To avoid inconsistencies, no authorizations should be modified in the productive system; only SAP users should be assigned user roles, as these changes are easy to overlook in the upstream integration system. Authorizations should generally be granted in a restrictive manner.

Along with these role-specific measures, there are further settings that should be put in place to secure the SAP system as well as possible during basic configuration.

3.1 Built-in security measures

In recent years, SAP has gone to great lengths to improve the security of its products, such as by initiating a recurring series of Security Patch Days. A Security Patch Day FAQ is available at [1]. SAP now also releases a monthly list of security notes designed to eliminate potential vulnerabilities. These notes should be observed and the corresponding updates carried out whenever possible. To aid users in determining whether any particular security updates still need to be applied to an SAP system, SAP created the RSECNOTE report, which has since been replaced by the system recommendations offered in SAP Solution Manager. Both variants provide specific information on missing security measures.


Activating the Security Audit Log, which keeps track of all security-related events in an SAP system, is also important in this context. Under the standard settings, however, this feature only records a small amount of information. This is why the activation of a wide range of logging functions SAP provides out-of-the-box should be included in any list of security-relevant settings. These various tools can be used to log events down to the modification of tables, which may be advisable for especially critical tables in order to comprehend and justify any dubious changes discovered in the course of forensic examination.

3.2 Managing standard users

The adjustment of standard users is an important step that should already be completed during SAP system installation. Every new SAP system comes with a series of such users that are automatically created and activated. They are assigned known passwords and, since they are primarily intended for emergency purposes, granted extensive authorizations. Standard users should thus be updated with new passwords and assigned to appropriate user groups (administrators, for example) directly following installation.

3.3 SAP Solution Manager

In unveiling SAP Solution Manager some time ago, SAP added an offering to its portfolio that enables customers to administer their SAP system landscapes from a central location. Along with functions for central user administration, synchronization of customizing, and central project documentation, it includes several monitoring components, such as the Early Watch Service and – of particular interest in this context – the Security Optimization Service (SOS). An overview of SOS is available at [2].


The central hub SAP Solution Manager provides does, however, present a number of risks. It is a popular target for hackers, who view it as a source of valuable system information and a staging area for further attacks on other systems. Meanwhile, SAP Solution Manager is also not an element focused on by financial auditors or accountants, which is why it is often secured to a lesser extent. For this reason, it should be subjected to several additional security measures along with those that should apply to every SAP system:

• Securing the settings specific to SAP Solution Manager (SAP already provides a number of excellent guides)

• Ensuring that a productive SAP Solution Manager is not connected to systems with lower-level security

• Avoiding connecting SAP Solution Manager to the public Internet whenever possible, since WebGUI is active by default.

4 Configuring Operating Systems for SAP

These days, companies’ operating systems are typically well protected against attacks, not least due to the generally higher level of security awareness. This document will thus forgo a more detailed examination of common security measures for operating systems and servers. The extensive permissions and possibilities through which an operating system can be manipulated from within an SAP system are, however, less well-known. Particular attention should be paid to two things in this regard:

• An SAP system must be able to access a number of directories on its server in order to store data or read information necessary for its operations (profile parameters, for example). Unfortunately, the system’s initial settings limit neither its read nor (in many cases) its write access to all operating system directories. This opens myriad back doors through which potential hackers can compromise the operating system or the SAP system itself. Therefore, access to the operating system level from within the SAP system should be handled as restrictively as possible.

• The three-tier architecture of SAP systems requires communication between the individual levels and activation of the necessary network services. However, these services should never be activated indiscriminately. Authorized systems and activated services should be handled in a restrictive manner to prevent unauthorized access from other computers as effectively as possible.

5 Database Configuration

Like all ERP systems, SAP systems store essential data in a database that also requires special protection. If this is neglected, a hacker can circumvent the SAP application server and the authorizations in place on it to directly manipulate the database’s contents. From a security perspective, it is critical to note that the security of this data depends upon a single database user. Regardless of the possible ways to administer authorization concepts at the SAP level in an orderly, granular fashion, the application accesses the database through this one user account. For this reason, it is absolutely imperative that this user’s initial password be changed immediately during installation and at regular subsequent intervals. All other measures designed to secure the database software should, of course, also be taken.

When planning an SAP installation, considerations must be made as to how the application and database server can best be kept separate from the rest of the company network. Unauthorized users must be prevented from using SQL to contact the SAP database from their normal workstation computers. For administrators and other employees with corresponding authorization, this can be achieved by means of filter rules on upstream security systems. In addition to the database software settings, the encryption of the communication between the SAP system and the database requires special attention. The necessary parameters can be set directly within the SAP system.

6 Password Security Configuration

Usernames and passwords are the standard form of authentication in SAP systems. They represent the last security barrier users need to negotiate in order to access confidential data. For this reason, it is crucial that the default values set during installation be changed.

In SAP systems, password parameters are generally established based on profile parameters (see Figure 2). Since release 7.31 of SAP NetWeaver, it has also been possible to set password guidelines based on users or user groups by means of the transaction SECPOL. This increases the level of complexity involved, but is definitely a sensible way to differentiate between “normal” users and administrators, for example.

In recent years, SAP has defined a number of prudent parameters with regard to password security. The corresponding authentication values should all be adjusted accordingly whenever possible. While suitable recommendations for these values can be found in the audit guide provided by the German-speaking SAP User Group (DSAG), basic considerations of the role of the system in question and a company’s general security guidelines should also be part of the process of defining them. The DSAG’s audit guide is available for download at [3].

Fig. 2: Illustration of password parameters in SAP systems (RSUSR003 report)

Particularly in the case of SAP systems that have grown over time, password guidelines should be reviewed and adjusted as needed. This is due to the fact that encrypted passwords are stored in a table, where they can be called up at any time. By definition, the encryption used should not be reversible, but many older methods are now relatively easy to crack using corresponding tools. In SAP tables, these insecure forms of encryption can be found in the BCODE field; efforts should be made to ensure that these fields are empty to prevent password decryption.


6.1 Identity and access management

Due to the increasing complexity of SAP systems and other internal and external systems company employees are required to access, Single Sign-On (SSO) technology has begun to see widespread use over the past decade. SAP provides a number of mechanisms for implementing SSO with back-end systems. While this form of authentication is certainly sensible and, above all, convenient for users, there are several pitfalls that should be avoided.

SAP Logon Tickets merit particular mention in this regard, as they likely represent the most popular mechanism for authenticating users by means of SSO. There are two profile parameters that require proper configuration: The parameter “login/ticket_only_per_https” ensures that unencrypted Logon Tickets are not accepted for the SAP system in question, while “login/ticket_only_to_host” guarantees that Logon Tickets will only be sent to the server that generated them.

7 Critical Authorizations

Many companies conflate a sophisticated role and authorization concept with the overall topic of SAP security. Roles and authorizations definitely do play a key role in any SAP security concept, but SAP security covers a great many other aspects, as well.

For a role and authorization concept per se, it is important to factor in more than just the business processes at hand. Of course, having critical business processes in particular checked using the Segregation of Duties (SoD) principle is a crucial task that should always be performed for all essential transactions and processes that involve critical data. Review-


SAP check values

| Category | Description | Description of the value | Recommended value |
| --- | --- | --- | --- |
| User administration | Number of records in user tables with password hash values in field BCODE | Number of records in user tables with password hash values in field BCODE | 0 |
| User administration | Last login not within a certain period of time | Number of users who violate the rule | 0 |
| User administration | Last password change not within a given period of time | Number of users who violate the rule | 0 |
| User administration | Users locked due to too many failed login attempts | Number of locked users | 0 |
| User administration | Users locked by a local administrator | Number of locked users | 0 |
| User administration | Users locked by a global administrator | Number of locked users | 0 |
| Authorizations - General | Users who have SAP_ALL or a similar profile assigned to them | Number of users with SAP_ALL or a similar profile | 0 |
| Authorizations - General | Users with authorization to execute all remote-enabled function modules | Number of users with authorization S_RFC '*' | 0 |
| Authorizations - General | Users who have SAP_NEW assigned to them in a productive client | Number of users who have SAP_NEW assigned to them | 0 |
| Authorizations - General | Authorization checks suppressed using SU24 | Number of suppressed checks deviating from SAP standard | 0 |
| Authorizations - General | Authorization check suppressed for file operations, CPIC calls and calls to kernel functions | Value of the profile parameter "auth/system_access_check_off" | 1 |
| Authorizations - General | Users with authorization S_DEVELOP and change options | Number of users with S_DEVELOP change rights | 0 |
| Authorizations - General | Users with authorization to execute all transactions | Number of users with authorization S_TCODE '*' | 0 |
| Authorizations - General | Users with authorization for generic file access | Number of users with authorization S_DATASET '*' (PROGRAM and FILENAME) | 0 |
| Authorizations - General | Users with authorization to start critical transactions | Number of users with authorization for critical transactions | 0 |
| Authorizations - General | Existence of an activated SAP_NEW profile | Indicator that the profile SAP_NEW exists | X |
| Authorizations - General | Users with authorization rights to delete system locks in SM12 | Number of users with authorization to delete system locks | 0 |
| Authorizations - General | Users with authorization S_DEVELOP and change options for fields in debug mode | Number of users with S_DEVELOP debug and change field rights | 0 |
| Authorizations - General | Users with authorization to read the SAP System Log | Number of users with authorization S_ADMI_FCD SM21 | 0 |
| Authorizations - General | Users with authorization to change the client change option (table T000) | Number of users with authorization to change T000 | 0 |
| Authorizations - General | Users with authorization to plan background jobs using other users | Number of users with authorization to schedule background jobs using another user ID | 0 |
| Authorizations - General | Users with authorization to change the system change option | Number of users with authorization to maintain system change options | 0 |
| Authorizations - General | Users with authorization to maintain arbitrary tables in production | Number of users with authorization to maintain arbitrary tables in PRD | 0 |
| Authorizations - General | Users with authorization to change client-dependent tables | Number of users with universal authorization to change client-dependent tables | 0 |
| Authorizations - General | Users with authorization to change tables with authorization group &NC& | Number of users with authorization S_TABU_DIS ACTVT 02 &NC& | 0 |
| Authorizations - General | Users with authorization to change update parameters | Number of users with authorization to change profile parameters | 0 |
| Authorizations - General | Users with authorization to create OS command entries in SM69 | Number of users with authorization to create OS command entries in SM69 | 0 |
| Authorizations - General | Users with authorization to execute OS command entries from SM49 | Number of users with authorization to execute OS command entries from SM49 | 0 |
| Authorizations - General | Users with authorization to execute OS commands via RSBDCOS0 | Number of users with authorization to execute OS commands via RSBDCOS0 | 0 |
| Authorizations - General | Users with authorization to execute CPIC calls | Number of users with authorization to execute CPIC calls | 0 |
| Authorizations - General | Users with authorization to use C kernel calls | Number of users with authorization to use C kernel calls | 0 |
| Authorizations - General | Users with authorization to use OLE calls | Number of users with authorization to use OLE calls | 0 |
| Authorizations - General | Users with authorization to manage RFC connections | Number of users with authorization to manage RFC connections | 0 |
| Authorizations - General | Users with authorization to execute critical RFC function modules | Number of users with authorization S_RFC for critical modules | 0 |
| Authorizations - General | Users with authorization to execute RFC_ABAP_INSTALL_AND_RUN | Number of users with authorization to execute RFC_ABAP_INSTALL_AND_RUN | 0 |
| Authorizations - General | Users with authorization to manage trusted systems | Number of users with authorization to manage trusted systems | 0 |
| Authorizations - General | Users with authorization to use trusted connections | Number of users with authorization to use trusted connections | 0 |
| Authorizations - Basis administration (general) | Users with authorization to activate the SAP Security Audit Log and change the customizing | Number of users with authorization to activate the SAP Security Audit Log and change the customizing | 0 |
| Authorizations - Basis administration (general) | Users with authorization to display the logs of the SAP Security Audit Log | Number of users with authorization to display the logs of the SAP Security Audit Log | 0 |
| Authorizations - Basis administration (general) | Users with authorization to delete the logs of the SAP Security Audit Log | Number of users with authorization to delete the logs of the SAP Security Audit Log | 0 |
| Authorizations - Basis administration (general) | Users with authorization to maintain the check indicator or proposals of the profile generator | Number of users with authorization to maintain the check indicator or proposals of the profile generator | 0 |
| Authorizations - Basis administration (general) | Users with authorization to delete table log entries | Number of users with authorization to delete table log entries | 0 |
| Authorizations - Basis administration (general) | Users with authorization to delete data destined for archiving without successfully finished archiving | Number of users with authorization to delete data destined for archiving without successfully finished archiving | 0 |
| Authorizations - Basis administration (general) | Users with authorization to lock transaction codes | Number of users with authorization to lock transaction codes | 0 |
| Authorizations - Basis administration (general) | Users with authorization to display RFC logon information | Number of users with authorization to display RFC logon information | 0 |
| Authorizations - Basis administration (general) | Users with authorization to maintain all Batch Input sessions | Number of users with authorization to maintain all Batch Input sessions | 0 |
| Authorizations - Basis administration (general) | Users with authorization to release Batch Input sessions | Number of users with authorization to release Batch Input sessions | 0 |
| Authorizations - Basis administration (general) | Users with authorization to analyze Batch Input sessions and logs | Number of users with authorization to analyze Batch Input sessions and logs | 0 |
| Authorizations - Basis administration (general) | Users with authorization to execute Batch Input sessions | Number of users with authorization to execute Batch Input sessions | 0 |
| Authorizations - Basis administration (general) | Users with authorization to lock/unlock Batch Input sessions | Number of users with authorization to lock/unlock Batch Input sessions | 0 |
| Authorizations - Basis administration (general) | Users with authorization to reorganize Batch Input sessions and logs | Number of users with authorization to reorganize Batch Input sessions and logs | 0 |
| Authorizations - Basis administration (general) | Users with authorization to delete Batch Input sessions | Number of users with authorization to delete Batch Input sessions | 0 |
| Authorizations - Basis administration (general) | Users with authorization to see TemSe objects | Number of users with authorization to see TemSe objects SPOOL* | 0 |
| Authorizations - Basis administration (general) | Users with authorization to initialize the CTS configuration | Number of users with authorization to initialize the CTS configuration | 0 |
| Authorizations - Basis administration (general) | Users with authorization to maintain the transport routes (CTS) | Number of users with authorization to maintain the transport routes (CTS) | 0 |
| Authorizations - Basis administration (general) | Users with authorization to create development classes | Number of users with authorization to create development classes | 0 |
| Authorizations - Basis administration (general) | Users with authorization to import single transport orders | Number of users with authorization to import single transport orders | 0 |
| Authorizations - Basis administration (general) | Users with authorization to import all transport orders of the import queue | Number of users with authorization to import all transport orders of the import queue | 0 |
| Authorizations - Basis administration (general) | Users with authorization to delete transports from the import queue | Number of users with authorization to delete transports from the import queue | 0 |
| Authorizations - Basis administration (general) | Users with authorization to approve transport orders (CTS) | Number of users with authorization to approve transport orders (CTS) | 0 |
| Authorizations - Basis administration (general) | Users with authorization to copy clients | Number of users with authorization to copy clients | 0 |
| Authorizations - User administration | Users with authorization to copy clients | Number of users with authorization to maintain the user group SUPER | 0 |
Berechtigungen - Benutzeradministration Users with authorization to do user master authorizations: role check number of users with authorization S_USER_AGR '*' 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: Authorizations number of users with authorization S_USER_AUT "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: User Groups number of users with authorization S_USER_GRP "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: Authorization Profile number of users with authorization S_USER_PRO "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: System-Specific Assignments number of users with authorization S_USER_SAS "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: System for Central User Maintenance number of users with authorization S_USER_SYS "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: Transactions in Roles number of users with authorization S_USER_TCD "*" 0
Berechtigungen - Benutzeradministration Users with authorization to do user master maintenance: Field Values in Roles number of users with authorization S_USER_VAL "*" 0
Berechtigungen - Benutzeradministration Users with authorization to create user groups number of users with authorization S_USER_GRP "*" in SUSR 0
Berechtigungen - Benutzeradministration Users with authorization to change user groups number of users with authorization S_USER_GRP "*" in SU01 0
Berechtigungen - Benutzeradministration Users with authorization to create users number of users with authorization S_USER_GRP '01' in SU01 0
Berechtigungen - Benutzeradministration Users with authorization to lock or delete users number of users with authorization S_USER_GRP '05' or '06' in SU01 0
Berechtigungen - Benutzeradministration Users with authorization to change users out of the CUA number of users with authorization S_USER_SYS '02' in SU01 or PFCG 0
Berechtigungen - Benutzeradministration Users with authorization to create roles number of users with authorization S_USER_AGR '01' in PFCG 0
Berechtigungen - Benutzeradministration Users with authorization to change roles number of users with authorization S_USER_AGR '02' in PFCG 0
Berechtigungen - Benutzeradministration Users with authorization to create tcodes in roles number of users with authorization S_USER_AGR and S_USER_TCD 0
Berechtigungen - Benutzeradministration Users with authorization to change roles with all authorization values number of users with authorization S_USER_AGR and S_USER_VAL 0
Berechtigungen - Benutzeradministration Users with authorization to create profiles number of users with authorization S_USER_PRO '01' in SU02 0
Berechtigungen - Benutzeradministration Users with authorization to change profiles number of users with authorization S_USER_PRO '02' in SU02 0
Berechtigungen - Benutzeradministration Users with authorization to assign roles to users number of users with authorization S_USER_AGR '02' and '22' in PFCG 0
Berechtigungen - Benutzeradministration Users with authorization to assign and revoke profiles to users number of users with authorization S_USER_GRP '02' and S_USER_PRO '22' in SU01 or PFCG 0
Berechtigungen - Benutzeradministration Users with authorization to assign and revoke roles or profiles to users number of users with authorization S_USER_GRP '02' or '22' and S_USER_PRO '22' in SU01 0
Berechtigungen - Benutzeradministration Users with authorization to deactivate authorization objects number of users with authorization S_USER_OBJ '02' or '07' in AUTH_SWITCH_OBJECTS 0
Berechtigungen - Benutzeradministration Users with authorization to change own user group number of users with authorization S_USER_GRP '*' or own user group in SU01 0
Berechtigungen - Entwicklung Users with authorization to create transport requests in the development system number of users with authorization to create transport requests in the development client 0
Berechtigungen - Entwicklung Users with authorization to create transport tasks in the development system number of users with authorization to create transport tasks in the development client 0
Berechtigungen - Entwicklung Users with authorization to release transport requests in the development system number of users with authorization to release transport requests in the development client 0
Berechtigungen - Entwicklung Users with authorization to import patches into the production system number of users with authorization to import patches into the production client 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to full access to batch handling in all clients number of users with authorization to full access to batch handling in all clients 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to unlimited access to batch job control number of users with authorization to unlimited access to batch job control 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to release own jobs number of users with authorization to release own jobs 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to release jobs with external commands number of users with authorization to release jobs with external commands 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to delete batch jobs of other users number of users with authorization to delete batch jobs of other users 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to display batch jobs of other users number of users with authorization to display batch jobs of other users 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to display the content of print jobs number of users with authorization to display the content of print jobs 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to display the content of print jobs of other users in the same client number of users with authorization to display the content of print jobs of other users in the same client 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to display the content of print jobs of other users in all clients number of users with authorization to display the content of print jobs of other users in the all clients 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to redirect the output to another printer number of users with authorization to redirect the output to another printer 0
Berechtigungen - Job- und Spoolverwaltung Users with authorization to change the parameters of a print job like the owner number of users with authorization to change the parameters of a print job 0
Berechtigungen - Zentrale Funktionen Users with authorization to control IDOCs number of users with authorization to control IDOCs 0
Berechtigungen - Zentrale Funktionen Users with authorization S_HIERARCH "*" number of users with authorization S_HIERARCH "*" 0
Berechtigungen - Zentrale Funktionen Users with authorization to maintain objects of change documents number of users with authorization to maintain objects of change documents 0
Berechtigungen - Zentrale Funktionen Users with authorization to delete change documents number of users with authorization to delete change documents 0
Berechtigungen - Zentrale Funktionen Users with authorization to maintain number range objects number of users with authorization to maintain number range objects 0
Berechtigungen - Zentrale Funktionen Users with authorization to change the current number level of all number ranges number of users with authorization to change the current number level of all number ranges 0
Betriebliche Kontinuität Check on fully qualified RFC connections number of RFC destinations that are fully qualified 0
Betriebliche Kontinuität Availability of RFC connections to ABAP systems (RFC type 3) number of unavailable RFC destinations 0
Betriebliche Kontinuität Buffer of number range intervals highest usage of a number range interval in % 80
Betriebliche Kontinuität Availability of internal RFC connections (RFC type I) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of RFC connections to R/2 systems (RFC type 2) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of TCP/IP connections (RFC type T) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of logical RFC connections (RFC type L) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of SNA or CPI-C connections (RFC type S) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of connections via ABAP Driver (RFC type X) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of CMC connections (RFC type M) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of HTTP connections to ABAP systems (RFC type H) number of unavailable RFC destinations 0
Betriebliche Kontinuität Availability of HTTP connections to external servers (RFC type G) number of unavailable RFC destinations 0
Forensik Field changes in debugging sessions found in the system log (SM21) number of relevant events in the System Log 0
Forensik Execution of report RSBDCOS0 found in the system log (SM21) number of relevant events in the System Log 0
Kommunikationssicherheit SAP Gateway: RFC access control - reginfo & secinfo return code of the Test Case 0
Kommunikationssicherheit Active critical ICF services number of active critical ICF services 0
Kommunikationssicherheit Reject RFC connections for users with expired password value of the profile parameter "rfc/reject_expired_passwd" 1
Kommunikationssicherheit Disabled authorization check against S_RFC value of the profile parameter "auth/rfc_authority_check" 1
Passwort-Richtlinie Days to wait to change password again value of the profile parameter "login/password_change_waittime" 1
Passwort-Richtlinie Minimum password length value of the profile parameter "login/min_password_lng" 8
Passwort-Richtlinie Number of entries in the password history value of the profile parameter "login/password_history_size" 15
Passwort-Richtlinie System checks password during logon against current policies value of the profile parameter "login/password_compliance_to_current_policy" 1
Passwort-Richtlinie Validity period of passwords value of the profile parameter "login/password_expiration_time" 1 ... 90
Passwort-Richtlinie Number of unsuccessful logon attempts before the system locks the user value of the profile parameter "login/fails_to_user_lock" 5
Passwort-Richtlinie Automatic unlock of users at midnight value of the profile parameter "login/failed_user_auto_unlock" 0
Passwort-Richtlinie Maximum number of failed logon attempts before logon attempt is terminated value of the profile parameter "login/fails_to_session_end" 3
Passwort-Richtlinie Minimum number of characters that have to be different from the old password value of the profile parameter "login/min_password_diff" 3
Passwort-Richtlinie Maximum period for which an initial password remains valid if it is not used value of the profile parameter "login/password_max_idle_initial" 1 ... 3
Passwort-Richtlinie Validity period of changed passwords return code of the Test Case 0
Passwort-Richtlinie Profile parameters for password complexity calculated value of the password strength 65
Passwort-Richtlinie Disable multi-logons with SAP GUI value of the profile parameter "login/disable_multi_gui_login" 1
Protokollierung Activation of table logging via profile parameter rec/client return code of the Test Case 2
Protokollierung Check if the Security Audit Log is up and running number of configuration problems is initial
Protokollierung Logging of table changes via TMS (RECCLIENT) return code of the Test Case 2
Schutz der Systemintegrität Configuration of clients in table T000 number of improper configured clients 0
Schutz der Systemintegrität System change options number of modifiable namespaces and components is initial
Schutz der Systemintegrität Users with developer key in a production environment number of users with developer key in a production system 0
Schutz der Systemintegrität Transport requests with repairs number of transports with repairs 0
Standardbenutzer Deactivation of the automatic login user SAP* value of the profile parameter "login/no_automatic_user_sapstar" 1
Standardbenutzer Expected user groups of users number of users with wrong user group 0
Standardbenutzer SAP standard users with trivial passwords number of SAP standard users with trivial passwords 0
Standardbenutzer Existence, lock and authorizations of the SAP* standard user number of found users SAP* with problems 0
Standardbenutzer Expected roles and profiles of users number of users with unexpected authorizations 0
Systeminstallation SAP GUI Versions number of SAPGUI versions in conflict with the policy 0
Systeminstallation Missing security notes (RSECNOTE) number of missing security notes 0
Web-AS-Sicherheit Send login ticket only via HTTPS value of the profile parameter "login/ticket_only_by_https" 1
Web-AS-Sicherheit Send login ticket only to host value of the profile parameter "login/ticket_only_to_host" 1
Web-AS-Sicherheit Disable extensive HTTP error messages value of the profile parameter "is/HTTP/show_detailed_errors" FALSE
Web-AS-Sicherheit HTTPonly for all ICF cookies value of the profile parameter "icf/set_HTTPonly_flag_on_cookies" 0
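The rows above that measure a profile parameter can be turned into an automated baseline check. The following Python script is an added example, not code from the book or from SAP: it parses a constructed excerpt of an instance profile in the usual `parameter = value` syntax, compares each parameter against the recommended values listed in the table (exact match, or an inclusive range where the table gives `1 ... 90`), and reports deviations and parameters that are not explicitly set. The profile content, the rule dictionary and the function names are my own assumptions; the recommended values are the ones from the table.

```python
"""Compare SAP profile parameters against the checklist's recommended values.

Added example (not from the book). The BASELINE values are taken from the
profile-parameter rows of the checklist; a string means exact match
(case-insensitive), a (lo, hi) tuple means an inclusive numeric range.
"""
import re

BASELINE = {
    "rfc/reject_expired_passwd": "1",
    "auth/rfc_authority_check": "1",
    "login/password_change_waittime": "1",
    "login/min_password_lng": "8",
    "login/password_history_size": "15",
    "login/password_compliance_to_current_policy": "1",
    "login/password_expiration_time": (1, 90),
    "login/fails_to_user_lock": "5",
    "login/failed_user_auto_unlock": "0",
    "login/fails_to_session_end": "3",
    "login/min_password_diff": "3",
    "login/password_max_idle_initial": (1, 3),
    "login/disable_multi_gui_login": "1",
    "login/no_automatic_user_sapstar": "1",
    "login/ticket_only_by_https": "1",
    "login/ticket_only_to_host": "1",
    "is/HTTP/show_detailed_errors": "FALSE",
    "icf/set_HTTPonly_flag_on_cookies": "0",
}

# Constructed sample instance-profile excerpt (not taken from a real system).
SAMPLE_PROFILE = """\
# constructed sample, values chosen to show both compliant and deviating settings
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 1
login/password_history_size = 15
login/disable_multi_gui_login = 1
login/no_automatic_user_sapstar = 1
is/HTTP/show_detailed_errors = FALSE
icf/set_HTTPonly_flag_on_cookies = 0
rfc/reject_expired_passwd = 1
auth/rfc_authority_check = 1
login/ticket_only_by_https = 1
login/ticket_only_to_host = 1
login/password_change_waittime = 1
login/password_compliance_to_current_policy = 1
login/fails_to_session_end = 3
login/min_password_diff = 3
login/password_max_idle_initial = 14
"""

# "name = value"; parameter names may contain slashes, dots and underscores.
PROFILE_LINE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = PROFILE_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def is_compliant(expected, actual):
    """True when the actual value satisfies the expected value or range."""
    if isinstance(expected, tuple):
        try:
            value = int(actual)
        except ValueError:
            return False          # non-numeric value can never satisfy a range
        lo, hi = expected
        return lo <= value <= hi
    return actual.strip().upper() == expected.upper()


def check_profile(text, baseline=BASELINE):
    """Return a list of (parameter, actual, expected) findings for the given profile text."""
    params = parse_profile(text)
    findings = []
    for name, expected in baseline.items():
        if name not in params:
            # Not set explicitly: the kernel default applies, which must be verified separately.
            findings.append((name, "not set (system default applies)", expected))
        elif not is_compliant(expected, params[name]):
            findings.append((name, params[name], expected))
    return findings


if __name__ == "__main__":
    for name, actual, expected in check_profile(SAMPLE_PROFILE):
        print(f"{name}: found {actual!r}, recommended {expected}")
```

Two points to keep in mind when using such a script: the values are compared literally as the table states them, so a site that, for example, enforces a longer minimum password length than 8 would want to encode that parameter as a minimum rather than an exact value; and a profile file is only one layer, because the effective value may come from DEFAULT.PFL, the instance profile or a dynamic change, so the comparison should be run against the values the running system reports (for instance via transaction RZ11 or report RSPFPAR) rather than against a file alone.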

Recommended