7/22/2019 Itcs104 Fmc
1/130
ITCS104 v9.1 SAP Application Health Checking Proforma

Intended Users
This document has been designed for conducting health checking activities on the SAP Application platform, as defined within ITCS104 v9.1 Chapter 2.2.

Further contacts and information
For clarification of questions or any further information relating to this checklist, please send an email to the [email protected] taskid.

Owner & Administrators
IBM Security

Instructions
Please ensure that you fill in ALL questions on tabs that are relevant to devices for the month's health check.

Author
Name: Clive Gabel
Date: 8-Feb-08

Revision History

Version 5.1, revised 8-Feb-08, updated by Clive Gabel
Initial version.

Version 6.0, revised 1-Aug-08, updated by Clive Gabel
Updated as per ITCS104 v6.0 dated 15/07/2008:
1.1: Updated DB2 Replication for AIX Operating System Userids; updated CommonStore userid to match current practices; removed db2as since it is only used in DB2 V7 or below.
2.1: Reusable passwords: wait times and history size changes added; removed need for login/min_password_specials parm.
5.2: AIX provider of service shared userids: removed the use of SU (ITCS104 new requirements); updated CommonStore's userid to match current practices; total review and updates to SAP security administrative and system administrative authorization objects and values (including values that are prohibited due to the authorization sensitivity; see Tables tab).
6: Corrected parm names; allowed values to give latitude for project-specific growth and specified applicable SAP Releases; updated to allow rec/client parm options and now only required logging for the production environment; corrected SM19 system settings per SAP Release.
7.1: Removed requirement/row to "Verify that only approved users are included in the access lists of OSRs beyond that allowed to general users".

Version 6.1, revised 9-Apr-09, updated by Nick Saxon
Updated as per ITCS104 v6.1 dated 28/02/2009:
Sect 1.1: Added clarification statements surrounding Shared SAP application userids - Application owner SAP application userids for emergency use. System Clients: allow for multiple production clients, and the production client number may be other than 100. Allowed project latitude for the System profile parameter setting of login/no_automatic_user_sapstar in non-production systems. Removed the zOS/TSO operating system userid entry due to it being covered under the zOS, OS390 and MVS Platforms Tech Spec (ITCS104 Chp. 2.1.8). Removed the MS Windows operating system userid entry due to it being covered under the Microsoft Windows 2000 Servers Tech Spec (ITCS104 Chp. 2.1.3).
Sect 5.2: Added clarification statements on the security administrative and system administrative authorization objects & values matrix related to "prohibited" and "allowed". Corrected an oversight for AIX provider of service shared userids SAPR3, SAP and SAPDB to allow the necessary DB2 connection for the SAP kernel to be able to start.
Sect 6: Added new RECCLIENT system parm to enable logging of table changes made from imported or transported entries to production. Updated Activity auditing system settings for the different SAP release levels.

Version 7, revised 8-Sep-09, updated by Nick Saxon
Updated as per ITCS104 v7 dated 15/07/2009:
Sect 5.1: Added clarification to SAP Release for applicable operating system resource AIX settings.

Version 7.1, revised 15-Mar-10, updated by Nick Saxon
Updated as per ITCS104 v7.1 dated 31/01/2010:
Sect 1.1: For CPIC or Communication userids, added clarification on passwords that are contained in a file. (Q.11)
Sect 5.2: For the EarlyWatch Userid added new native SAP authorization profile and clarifications on System Administrative authorization objects. (Q166)

Version 8.0, revised 8-Sep-10, updated by Nick Saxon
Updated to reflect changes in ITCS104 v8.0:
Sect 5.2: Updated AIX provider of service shared userids for the DB2 parameters to align with SAP's recommendation. (Q172-173)
Sect 5.2: System and security administrative authority under SAP security administrative and system administrative authorization objects & values: added S_SDCC_ADD and S_SDCC_DAT (Security Admin 5.2 tab).
Sect 5.6: Added new sub-section 5.6.1 Security, integrity APAR, advisory process for SAP environments requirements to specify SAP application specifics for ITCS104 chapter 3 section 3.5.3 Security advisory patch management. (see Apar 5.6.1 tab)
Sect 6: Activity auditing: added the ability for multiple file system names under the DIR_AUDIT and rsau/local/file parameters. (Q220 & 227)

Version 8.2, revised 8-Jul-11, updated by Adam Kasprzak
Updated to reflect changes in ITCS104 v8.2:
* Sect 1.1 - Updated the use of Reference Userids.
* Sect 3.1 - Corrected a link URL.

Version 9.0, revised 11-Oct-11, updated by Adam Kasprzak
Updated to reflect changes in ITCS104 v9.0:
* Sect 7.1 - Change "P" to "P or Any Internet Reachable".
* Added four new controls to 5.1 Operating system resources for the SECAUDIT log directory.
* Update 1.1 Userids definition of Reference.

Version 9.1, revised 13-Apr-12, updated by Adam Kasprzak
Updated version number only to reflect ITCS104 v9.1. There are no changes from ITCS104 v9.0.

Approvals
Name: pattabiraman veeramony; Title: IGA-INDIA SAP BASIS-Team Leader
Dates approved (one per version, 5.1 through 9.0, in the order listed above): 25-Mar-08, 25-Sep-08, 4-Jun-09, 12-Oct-09, 14-Apr-10, 06/10/2010, 28/07/2011, 14-Dec-11
INSTRUCTIONS:
If the server value is NOT COMPLIANT with the value specified in the question (i.e. the answer is NO or N/A), you MUST enter the actual server setting or a comment to explain why the question is not applicable.

Machine Name/Identifier: FMC
Server Team & Contact: AHS SAP BASIS
Date Checked: 20/06/2012
Question 1 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
Health Check Tool / Script / Comments: Nil
Userid owner's 6-character employee serial number and 3-character personnel system code must be present in the Account No. field.
Note: Applies to all types listed below:
1. Dialog
2. BDC / Background / System
3. CPIC / Communication
4. Service
5. Reference
Is this the case? Answer: YES

Question 2 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
Sponsored userids must have * at the beginning of the userid owner's 6-character employee serial number and 3-character personnel system code.
Note: Applies to all types listed below:
1. Dialog
2. BDC / Background / System
3. CPIC / Communication
4. Service
5. Reference
Is this the case? Answer: YES
Question 3 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
No SAP native profile/role can be assigned to any userid in production except for the exceptions noted within this table or the userid table in section 5.2 (see Tables control tab).
Note: Applies to all types listed below:
1. Dialog
2. BDC / Background / System
3. CPIC / Communication
4. Service
5. Reference
Is this the case? Answer: YES

Question 4 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
Interactive dialog: Sponsored userids on a Production system must have the full name of the employee who will be using the userid.
Is this the case? Answer: YES

Question 5 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
BDC / Background / System, non-loggable (used for running jobs and system operations such as ALE, workflow, batch jobs, etc.): Userid is allowed to have a non-expiring password.
Is this the case? Answer: YES
Question 6 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
BDC / Background / System, non-loggable (used for running jobs and system operations such as ALE, workflow, batch jobs, etc.): Expired or initial passwords are not checked.
Is this the case? Answer: YES

Question 7 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
CPIC / Communication, non-loggable (used for system to system communication): Userid is allowed to have a non-expiring password.
Is this the case? Answer: YES

Question 8 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
CPIC / Communication, non-loggable (used for system to system communication): Expired or initial passwords are not checked.
Is this the case? Answer: YES

Question 9 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
CPIC / Communication, non-loggable (used for system to system communication): The password of a Production userid must be different from the password for the same userid on all non-production systems in the landscape.
Is this the case? Answer: YES
Question 10 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
CPIC / Communication, non-loggable (used for system to system communication): The password of a test userid on test clients may be the same, but the password must be different from the Production userid and any other non-Test systems/clients.
Is this the case? Answer: YES

Question 11 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
CPIC / Communication, non-loggable (used for system to system communication): If the password of this userid is contained in a file (or files) at the operating system level, then the location of that file must be documented and the permissions of the file must be set to 700 (i.e. read/write/execute permissions for the owning id of the file only).
Is this the case? Answer: YES
Question 12 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
Service (4.6C and higher): Service IDs should generally not be used since they are not compliant with ITCS104 and adequate protections are not available in SAP to minimize the risk of users logging on to the IDs. However, if service IDs are absolutely necessary, the following three conditions must be met:
1. The ID must be set up with read only access.
2. The BPO must document the mitigating controls to ensure the IDs are not misused.
3. The SAP technical specification owner must approve the use of the service IDs.
Is this the case? Answer: N/A
Question 13 (Appendix ref 1.1 Userids; Heading: SAP Application Userids)
Reference (4.6C and higher): Non-person user that allows for the assignment of identical users such as internet users (used for CRM and SRM systems). A Reference ID cannot directly log on to the system.
1. Userid is allowed to have a non-expiring password.
2. Expired or initial passwords are not checked.
3. All reference userids must be assigned to secure user group REFID.
4. Access to update userids in secure user group(s) is prohibited, except through a defined and controlled emergency process.
Is this the case? Answer: N/A

Question 14 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
SAPCPIC: Userid type is CPIC or Communication.
Is this the case? Answer: YES
Question 15 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
SAPCPIC: Profile S_A.CPIC must be assigned.
Is this the case? Answer: YES

Question 16 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
(Userid used by BTS or SAP when performing problem analysis): Userid type is dialog.
Is this the case? Answer: YES
Question 17 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
(Userid used by BTS or SAP when performing problem analysis): Userid is locked, or set to have its validity date in the past, when not in use.
Is this the case? Answer: YES
Question 18 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
(Userid used by BTS or SAP when performing problem analysis): SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent.
Is this the case? Answer: YES
Question 19 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
Userid type is CPIC or Communication.
Is this the case? Answer: YES
Question 20 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Provider of service SAP application userids)
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
Profile Z9_CSTORE or equivalent must be assigned.
Is this the case? Answer: YES
Question 21 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application userids)
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): Userid type is dialog.
Is this the case? Answer: YES

Question 22 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application userids)
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent.
Is this the case? Answer: YES
Question 23 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application userids)
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): The use of prohibited system administrative authorization objects specified in section 5.2 may be necessary or required for emergency access.
Is this the case? Answer: YES

Question 24 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application userids)
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): If stand-alone emergency access IDs are used:
- the userid must be locked (or controlled by the validity date) when not in use, and relocked when access is complete;
- the password must be changed after each use.
Is this the case? Answer: YES
Question 25 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application userids)
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): If an existing end-user id is used, roles/profiles must be added prior to use and removed when access is complete.
Is this the case? Answer: YES

Question 26 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Userid used for running batch jobs): Userid type is Background or BDC or System.
Is this the case? Answer: YES
Question 27 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Userid used for running batch jobs): Only access required per job description is allowed.
Is this the case? Answer: YES

Question 28 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Userid used for running batch jobs): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned.
Is this the case? Answer: YES
Question 29 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
WF-BATCH (Workflow Batch ID): Userid type is Background or BDC or System.
Is this the case? Answer: YES

Question 30 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
WF-BATCH (Workflow Batch ID): Only access required per job description is allowed.
Is this the case? Answer: YES
Question 31 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
WF-BATCH (Workflow Batch ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned.
Is this the case? Answer: YES

Question 32 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Communication ID): Userid type is CPIC or Communication.
Is this the case? Answer: YES
Question 33 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Communication ID): Only access required per job description is allowed.
Is this the case? Answer: YES
Question 34 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP non-dialog operational userids)
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
(Communication ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned.
Is this the case? Answer: YES

Question 35 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application test userids)
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids:
(Userid used for testing project defined roles or profiles): Must not exist on the production client.
Note: see section 5.2 for information on shared privileged SAP userids.
Is this the case? Answer: YES
Question 36 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application test userids)
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids:
(Userid used for testing project defined roles or profiles): Production role(s)/profile(s) will be assigned to an id.
Note: see section 5.2 for information on shared privileged SAP userids.
Is this the case? Answer: YES

Question 37 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application test userids)
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids:
(Userid used for testing project defined roles or profiles): Passwords may be shared.
Note: see section 5.2 for information on shared privileged SAP userids.
Is this the case? Answer: YES
Question 38 (Appendix ref 1.1 Userids; Heading: Shared SAP application userids - Application owner SAP application test userids)
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids:
(Userid used for testing project defined roles or profiles): Individual accountability does not have to be maintained.
Note: see section 5.2 for information on shared privileged SAP userids.
Is this the case? Answer: YES

Question 39 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
Must be limited to approved systems and application support personnel.
Note: see section 5.2 for information on shared privileged operating system userids.
Is this the case? Answer: YES

Question 40 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
No DB2 users except db2<sid>, <sid>adm, or DB2 Replication userids.
Note: see section 5.2 for information on shared privileged operating system userids.
Is this the case? Answer: N/A
Question 41 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
If DB2 replication is used, the following rules must apply:
1. The gecos field in the /etc/passwd file must be updated to include a description of the purpose of the id (without removing or modifying any existing data in the field).
Is this the case? Answer: N/A

Question 42 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
If DB2 replication is used, the following rules must apply:
2. Userids using only the Capture process must be limited to DBADM auth.
Is this the case? Answer: N/A

Question 43 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
If DB2 replication is used, the following rules must apply:
3. Userids using only the Apply process must be limited to only having SELECT access to the SAPR3 or SAP table schemas.
Is this the case? Answer: N/A

Question 44 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
If DB2 replication is used, the following rules must apply:
4. The same userid using both Capture and Apply processes must be limited to DBADM auth.
Is this the case? Answer: N/A
Question 45 (Appendix ref 1.1 Userids; Heading: Operating system userids - AIX)
The DB2 Replication Capture userid must not update any tables in the SAPR3 or SAP table schemas.
Note: see section 5.2 for information on shared privileged operating system userids.
Is this the case? Answer: N/A

Question 46 (Appendix ref 1.1 Userids; Heading: Operating system userids - DB2 Replication)
DB2 Replication (Capture and/or Apply process): DB2I ID: rlogin=false
Is this the case? Answer: N/A

Question 47 (Appendix ref 1.1 Userids; Heading: Operating system userids - DB2 Replication)
DB2 Replication (Capture and/or Apply process): DB2I ID: login=false
Is this the case? Answer: N/A

Question 48 (Appendix ref 1.1 Userids; Heading: System clients)
Client 000 (SAP Reference client): must exist on system.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES
Question 49 (Appendix ref 1.1 Userids; Heading: System clients)
Client 001 (SAP sample client): must exist on system.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES

Question 50 (Appendix ref 1.1 Userids; Heading: System clients)
Client 066 (EarlyWatch client): must exist on system.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES

Question 51 (Appendix ref 1.1 Userids; Heading: System clients)
Production client: must exist on system.
Applicable system types: P
Is this the case? Answer: N/A

Question 52 (Appendix ref 1.1 Userids; Heading: System clients)
Production client: client number defined as required by project.
Applicable system types: P
Is this the case? Answer: N/A
Question 53 (Appendix ref 1.1 Userids; Heading: System clients)
Client: must be defined as required by project.
Applicable system types: S,D,C,E,R
Is this the case? Answer: YES

Question 54 (Appendix ref 1.1 Userids; Heading: System profile)
login/no_automatic_user_sapstar: must be set to 0 or 1 (optional).
Applicable system types: S,D,C,E,R (if set to 0, there must be a control surrounding the SAP* userid to ensure it is not deleted).
Is this the case? Answer: YES

Question 55 (Appendix ref 1.1 Userids; Heading: Employment verification)
Quarterly employment verification checks must be done on all clients.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES

Question 56 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
login/min_password_lng: must be set to 8.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES
Question 57 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
login/password_expiration_time: must be set to 90.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES

Question 58 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
login/min_password_diff: must be set to 1.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: YES

Question 59 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
For SAP 4.7 and higher: login/min_password_digits must be set to 1.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: NA
Question 60 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
For SAP 4.7 and higher: login/min_password_letters must be set to 1.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: NA

Question 61 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
For Basis 7.0 and ECC 6.0, and higher: login/password_change_waittime must be set to 1.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: NA

Question 62 (Appendix ref 2.1 Reusable passwords; Heading: System profile)
For Basis 7.0 and ECC 6.0, and higher: login/password_history_size must be set to 8.
Applicable system types: S,D,C,E,R,P
Is this the case? Answer: NA
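The profile-parameter rules of questions 54 and 56 through 62 can be evaluated automatically rather than by reading the profile by eye. The script below is an added example, not part of the ITCS104 proforma or of any health check tool; it assumes the profile is the plain "name = value" text SAP keeps under /sapmnt/<SID>/profile, that the release is given as a string such as 4.6C, 4.7 or 7.0, and that system types use the checklist letters S, D, C, E, R, P (P = production).

```python
"""Added example (not part of the ITCS104 proforma): check an SAP profile
against the section 2.1 reusable-password rules (questions 56 to 62) and the
section 1.1 login/no_automatic_user_sapstar rule (question 54).

Assumptions: the profile is the plain "name = value" text SAP keeps under
/sapmnt/<SID>/profile (DEFAULT.PFL or an instance profile); the release is a
string such as "4.6C", "4.7" or "7.0"; system types use the checklist letters
S, D, C, E, R, P, where P is production.
"""
import re


def parse_profile(text):
    """Return {parameter: value}. '#' starts a comment; later assignments win,
    which is how SAP itself resolves duplicate lines in a profile."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def release_key(release):
    """'4.6C' -> (4, 6), '4.7' -> (4, 7), '7.0' -> (7, 0): enough to order
    the Basis releases the checklist distinguishes."""
    m = re.match(r"\s*(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def required_parameters(release, system_type):
    """Required values taken from the checklist: {parameter: allowed values}."""
    key = release_key(release)
    req = {
        "login/min_password_lng": {"8"},            # Q56
        "login/password_expiration_time": {"90"},   # Q57
        "login/min_password_diff": {"1"},           # Q58
    }
    if key >= (4, 7):                               # Q59, Q60: SAP 4.7 and higher
        req["login/min_password_digits"] = {"1"}
        req["login/min_password_letters"] = {"1"}
    if key >= (7, 0):                               # Q61, Q62: Basis 7.0 / ECC 6.0 and higher
        req["login/password_change_waittime"] = {"1"}
        req["login/password_history_size"] = {"8"}
    if system_type != "P":                          # Q54 applies to S,D,C,E,R only
        req["login/no_automatic_user_sapstar"] = {"0", "1"}
    return req


def check_profile(text, release, system_type):
    """Return findings as (status, parameter, allowed, actual).

    status is "deviation" when the value is wrong or the parameter is absent
    (an absent parameter falls back to the kernel default, which is not
    evidence of compliance), and "attention" for the one case the checklist
    allows only with a compensating control: no_automatic_user_sapstar = 0
    in a non-production system requires a control over the SAP* userid."""
    params = parse_profile(text)
    findings = []
    for name, allowed in required_parameters(release, system_type).items():
        actual = params.get(name)
        if actual not in allowed:
            findings.append(("deviation", name, sorted(allowed), actual))
    sapstar = params.get("login/no_automatic_user_sapstar")
    if system_type != "P" and sapstar == "0":
        findings.append(("attention", "login/no_automatic_user_sapstar",
                         ["0", "1"], "0"))
    return findings
```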
Question 63 (Appendix ref 3.1 Business Use Notice (Chapter 1.3.3 Authorization); Heading: Business Use Notice)
Business Use Notice must be implemented.
SAP release 4.5 and lower: Go to transaction SE80 => Repository Information System => Program Library => Program Sub-Object => Screen. Enter the program name (SAPMSYST) and the screen number (0020).
SAP release 4.6 and higher: See SAP OSS note 205487 for instructions.
Is this the case? Answer: YES

Question 64 (Appendix ref 3.1 Business Use Notice; Heading: Business Use Notice)
The following notification (or equivalent statements, with concurrence of IBM counsel) must be presented to people logging onto IBM systems during the identification and authentication process if the IBM system is running an operating system that can provide such a notification:
"IBM's internal systems must only be used for conducting IBM's business or for purposes authorized by IBM management"
Is this the case? Answer: YES
Question 65 (Appendix ref 3.1 Business Use Notice; Heading: Business Use Notice)
For all SAP systems (non-production and production) that do not contain SPI or PI, or are not subject to export control restrictions/prohibitions, the following text is required:
"Unless previously authorized, this system must not include information that is subject to export control restrictions/prohibitions, Sensitive Personal Information (SPI) or Personal Information (PI). Refer to: Privacy and Data Protection (hyperlink in commentary cell) for detailed requirements."
Is this the case? Answer: YES

Question 66 (Appendix ref 4.1 Encryption; Heading: Storage)
Native SAP Credit Card Encryption must be used. As of 2007, SAP only supports encryption of passwords and credit card numbers. Password encryption is standard SAP functionality.
Is this the case? Answer: YES
Question 67 (Appendix ref 4.1 Encryption; Heading: Storage)
In order to implement encryption of credit card numbers, the following OSS notes must be evaluated and implemented if applicable:
Release independent OSS notes: 455033, 690999, 894022, 1042745, 1034482
Core OSS notes for encryption on a 4.6C system: 633462, 662340, 766703, 813198, 827347, 836079
Other OSS notes for consideration for a 4.6C system: 663593, 738459, 790161, 791178, 812658, 840392, 858295, 874594, 978358
Note: This list is the minimum list of OSS notes to be reviewed for a 4.6C system. OSS should be searched for other releases and for other notes which may apply to functions in use for each SAP System.
Is this the case? Answer: YES
Questions without a number on this page (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
/secaudit: Owner is <sid>adm. Is this the case? Answer: YES
/secaudit: Group is sapsys. Is this the case? Answer: YES
/secaudit: Permission is 750. Is this the case? Answer: YES
Questions without a number on this page (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
/secaudit/<SID>: Owner is <sid>adm. Is this the case? Answer: YES
/secaudit/<SID>: Group is sapsys. Is this the case? Answer: YES
/secaudit/<SID>: Permission is 750. Is this the case? Answer: YES
Note: <SID> represents the system id of the SAP system.
Questions without a number on this page (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
/secaudit/*: Owner is <sid>adm. Is this the case? Answer: YES
/secaudit/*: Group is sapsys. Is this the case? Answer: YES
/secaudit/*: Permission is xx0. Is this the case? Answer: YES
Questions without a number on this page (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
/secaudit/<SID>/*: Owner is <sid>adm. Is this the case? Answer: N/A
/secaudit/<SID>/*: Group is sapsys. Is this the case? Answer: N/A
/secaudit/<SID>/*: Permission is xx0. Is this the case? Answer: N/A
Note: <SID> represents the system id of the SAP system.
Questions without a number on this page (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
SUDO access list file /etc/sudoers: Owner is root. Is this the case? Answer: YES
SUDO access list file /etc/sudoers: Group is system. Is this the case? Answer: YES
SUDO access list file /etc/sudoers: Permission is 440. Is this the case? Answer: YES
Questions up to 73 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
SUDO log /var/adm/sudo.log: Owner is root. Is this the case? Answer: YES
SUDO log /var/adm/sudo.log: Group is system. Is this the case? Answer: YES
Question 73: SUDO log /var/adm/sudo.log: Permission must be 600. Is this the case? Answer: YES
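The ownership and permission rows of section 5.1 (the /secaudit tree, /etc/sudoers and the sudo and su logs) lend themselves to a scripted check that reports only deviations. The script below is an added example, not the proforma's own health check tool; it assumes the checklist's "xx0" notation means an x digit is a wildcard and only the stated digits are enforced, and it takes the SAP system id as a parameter so that <sid>adm can be resolved.

```python
"""Added example (not part of the ITCS104 proforma): audit the AIX
ownership/permission rows of section 5.1 with os.stat.

Expected values are those the checklist states for /etc/sudoers,
/var/adm/sudo.log, /var/adm/sulog and the /secaudit tree. The checklist's
"xx0" notation is honoured: an "x" digit is a wildcard, so only the "other"
digit has to be 0. A leading 4 (setuid) is required only where the checklist
states it, e.g. 4755.
"""
import glob
import grp
import os
import pwd
import stat

# Rows taken from the checklist; <sid> is the SAP system id placeholder.
SECTION_5_1_ROWS = [
    ("/etc/sudoers",      "root",     "system", "440"),
    ("/var/adm/sudo.log", "root",     "system", "600"),
    ("/var/adm/sulog",    "root",     "system", "600"),
    ("/secaudit",         "<sid>adm", "sapsys", "750"),
    ("/secaudit/*",       "<sid>adm", "sapsys", "xx0"),
]


def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # uid without a passwd entry: report the number
        return str(uid)


def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def mode_matches(st_mode, expected):
    """Compare an st_mode against a checklist pattern such as 750, 4755 or xx0."""
    actual = format(stat.S_IMODE(st_mode), "04o")   # e.g. "0750", "4755"
    pattern = expected.rjust(4, "0")                 # "xx0" -> "0xx0": no setuid/setgid
    return all(p == "x" or p == a for p, a in zip(pattern, actual))


def check_entry(path, owner, group, mode, sid=None):
    """Return a list of (path, attribute, expected, actual) deviations."""
    if sid:
        owner = owner.replace("<sid>", sid.lower())  # <sid>adm -> fmcadm
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(path, "exists", "yes", "no")]
    findings = []
    if owner_name(st.st_uid) != owner:
        findings.append((path, "owner", owner, owner_name(st.st_uid)))
    if group_name(st.st_gid) != group:
        findings.append((path, "group", group, group_name(st.st_gid)))
    if not mode_matches(st.st_mode, mode):
        findings.append((path, "mode", mode, format(stat.S_IMODE(st.st_mode), "04o")))
    return findings


def audit(rows, sid=None, root=""):
    """Run every row; a trailing '*' expands like the checklist's /secaudit/*.
    root lets the audit be pointed at a staged copy of the tree (used in tests)."""
    findings = []
    for path, owner, group, mode in rows:
        full = root + path
        targets = sorted(glob.glob(full)) if full.endswith("*") else [full]
        # an empty log directory produces no files and is not a deviation
        for target in targets:
            findings.extend(check_entry(target, owner, group, mode, sid))
    return findings
```

Run it as root on the host under review, e.g. audit(SECTION_5_1_ROWS, sid="FMC"); an empty list means every row on the page is satisfied.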
Question 74 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
SU log /var/adm/sulog: Owner is root. Is this the case? Answer: YES

Question 75 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
SU log /var/adm/sulog: Group is system. Is this the case? Answer: YES

Question 76 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
SU log /var/adm/sulog: Permission must be 600. Is this the case? Answer: YES

Question 77 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
<sid>adm, SAPR3, SAP password file for SAP 4.x and higher; /sapmnt/<SID>/global/xxxx.conf: Owner is d2
Note: <SID> represents the system id of the SAP system.
Is this the case? Answer: YES
Question 78 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
<sid>adm, SAPR3, SAP password file for SAP 4.x and higher; /sapmnt/<SID>/global/xxxx.conf: Group is sapsys
Note: <SID> represents the system id of the SAP system.
Is this the case?

Question 79 (Appendix ref 5.1 Operating system resources; Heading: AIX settings)
<sid>adm, SAPR3, SAP password file for SAP 4.x and higher; /sapmnt/<SID>/global/xxxx.conf: Permission must be 740 (

Questions 80 and 81 (Appendix ref 5.1 Operating system resources; Heading: AIX settings): text not present on this page.
7/22/2019 Itcs104 Fmc
52/130
82 83 84 85
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/sapmnt//exe :
Permission must be 775.
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//exe/sapos
col :
Owner is root
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//exe/sapos
col :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//exe/sapos
col :
Permission must be
4755.
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
53/130
86 87 88 89
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/sapmnt//global :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//global :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//global :
Permission must be 700.
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//profile :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
54/130
90 91 92 93
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/sapmnt//profile :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/sapmnt//profile :
Permission must be 755.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/ :
Permission must be 751.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/ :
Permission must be 755.
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
55/130
94 95 96 97
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap//* :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//* :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//* :
Permission must be 750.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//sec :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
56/130
98 99 100 101
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap//sec :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//sec :
Permission must be 700.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//SYS :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//SYS :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
57/130
102 103 104 105
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap//SYS :
Permission must be 755.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//SYS/* :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//SYS/* :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap//SYS/* :
Permission must be 755.
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
58/130
106 107 108 109
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap/trans :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans :
Permission must be 775.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans/* :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
YES YES YES N/A
7/22/2019 Itcs104 Fmc
59/130
110 111 112 113
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap/trans/* :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans/* :
Permission must be 770.
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans/.sapconf :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/usr/sap/trans/.sapconf :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
N/A N/A N/A N/A
7/22/2019 Itcs104 Fmc
60/130
114 115 116 117
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/usr/sap/trans/.sapconf :
Permission must be 775.
Note: represents
the system id of the SAP
system.
Is this the case ?
/ :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
/ :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
/ :
Permission must be 700.
Note: represents
the system id of the SAP
system.
Is this the case ?
N/A N/A N/A N/A
7/22/2019 Itcs104 Fmc
61/130
118 119 120 121
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
//* :
Owner is adm
Note: represents
the system id of the SAP
system.
Is this the case ?
//* :
Group is sapsys
Note: represents
the system id of the SAP
system.
Is this the case ?
//* :
Permission must be 700.
Note: represents
the system id of the SAP
system.
Is this the case ?
/db2/ :
Owner is db2
Note: represents
the system id of the SAP
system.
Is this the case ?
N/A N/A N/A N/A
7/22/2019 Itcs104 Fmc
62/130
122 123 124 125
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/db2/ :
Group is sysadm (SAP
7/22/2019 Itcs104 Fmc
63/130
126 127 128 129
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/db2//log_dir :
Permission must be 755.
Note: represents
the system id of the SAP
system.
Is this the case ?
/db2//log_archive :
Owner is db2
Note: represents
the system id of the SAP
system.
Is this the case ?
/db2//log_archive :
Group is sysadm (SAP
7/22/2019 Itcs104 Fmc
64/130
130 131 132 133
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/db2//log_retrieve :
Owner is db2
Note: represents
the system id of the SAP
system.
Is this the case ?
/db2//log_retrieve :
(SAP
7/22/2019 Itcs104 Fmc
65/130
134 135 136 137
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/db2//sapdata :
Group is sysadm (SAP
7/22/2019 Itcs104 Fmc
66/130
138 139 140 141
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings AIX settings
/.netrc (allows remote
access) :
Owner has read and
write access.
Is this the case ?
/.netrc (allows remote
access) :
sid must also
have read and/or write
access if file is accessed
from SAP application.
Is this the case ?
/.rhosts (allows remote
access) :
must have read access
only by root.
Is this the case ?
/.rhosts (allows remote
access) :
must have write access
only by root.
Is this the case ?
YES YES YES YES
7/22/2019 Itcs104 Fmc
67/130
142 143 144
5.1 Operating system
resources
5.1 Operating system
resources
5.1 Operating system
resources
AIX settings AIX settings AIX settings
The following AIX userid
and primary AIX groupid
combination may own
OSRs in the SAP AIX
environment :
Userid: root
Groupid: system
Is this the case ?
The following AIX userid
and primary AIX groupid
combination may own
OSRs in the SAP AIX
environment :
Userid: db2
Groupid: sapsys
Is this the case ?
The following AIX userid
and primary AIX groupid
combination may own
OSRs in the SAP AIX
environment :
Userid: adm
Groupid: sapsys
Is this the case ?
YES YES YES
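One way to verify the 5.1 owner/group/permission items above in bulk, as an added example that is not part of the ITCS104 proforma: it encodes a subset of the expectations (with <SID> substituted and the checklist's "xx0" wildcard digits honoured), reads the live attributes with os.lstat, and reports every deviation, including a path that is missing altogether. It assumes the owning admin user is <sid>adm (the extracted checklist shows it as "adm"), and its stat and glob functions are injectable so it also runs offline against the constructed SAMPLE_FS.

```python
"""Audit SAP operating-system resources (OSRs) on AIX against the ITCS104 5.1 items.

Added example, not part of the ITCS104 proforma. OSR_EXPECTATIONS holds a subset
of the checklist's owner/group/mode items: "<SID>" stands for the SAP system id,
and an "x" in a mode pattern matches any octal digit, so the checklist's
"Permission is xx0" constrains only the world bits. Assumptions: the owning admin
user is <sid>adm (the extracted checklist shows it as "adm"); stat_fn and glob_fn
are injectable so the audit also runs offline against the constructed SAMPLE_FS.
"""
import glob
import grp
import os
import pwd
import stat

# (path template, expected owner, expected group, mode pattern); None = not constrained
OSR_EXPECTATIONS = [
    ("/etc/sudoers", "root", "system", "0440"),                # SUDO access list file
    ("/var/adm/sudo.log", "root", "system", "0600"),           # items 71-73
    ("/var/adm/sulog", "root", "system", "0600"),              # items 74-76
    ("/sapmnt/<SID>/exe", None, None, "0775"),                 # item 82
    ("/sapmnt/<SID>/exe/saposcol", "root", "sapsys", "4755"),  # items 83-85 (setuid root)
    ("/sapmnt/<SID>/global", "<sid>adm", "sapsys", "0700"),    # items 86-88
    ("/sapmnt/<SID>/profile", "<sid>adm", "sapsys", "0755"),   # items 89-91
    ("/usr/sap/<SID>/sec", "<sid>adm", "sapsys", "0700"),      # items 97-99
    ("/usr/sap/<SID>/SYS", "<sid>adm", "sapsys", "0755"),      # items 100-102
    ("/usr/sap/trans", "<sid>adm", "sapsys", "0775"),          # items 106-108
    ("/secaudit/*", "<sid>adm", "sapsys", "xx0"),              # security audit files
]

def live_stat(path):
    """(owner name, group name, 4-digit octal mode) of a real path, not following symlinks."""
    st = os.lstat(path)
    return (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
            f"{stat.S_IMODE(st.st_mode):04o}")

def mode_matches(pattern, actual):
    """True if the 4-digit octal mode 'actual' fits 'pattern'; 'x' matches any digit.
    A 3-digit pattern such as 'xx0' leaves the setuid/setgid/sticky digit unconstrained."""
    pattern = pattern.rjust(4, "x")
    return len(actual) == 4 and all(p in ("x", a) for p, a in zip(pattern, actual))

def audit_osrs(sid, stat_fn=live_stat, glob_fn=glob.glob, expectations=OSR_EXPECTATIONS):
    """Return findings as (path, attribute, expected, actual), one per mismatch.
    A missing path is itself a finding, so an absent log file cannot pass silently."""
    findings = []
    for template, owner, group, mode in expectations:
        path_pattern = template.replace("<SID>", sid.upper())
        want_owner = owner.replace("<sid>", sid.lower()) if owner else None
        paths = glob_fn(path_pattern) if path_pattern.endswith("/*") else [path_pattern]
        for path in paths:
            try:
                got_owner, got_group, got_mode = stat_fn(path)
            except FileNotFoundError:
                findings.append((path, "exists", "yes", "missing"))
                continue
            if want_owner and got_owner != want_owner:
                findings.append((path, "owner", want_owner, got_owner))
            if group and got_group != group:
                findings.append((path, "group", group, got_group))
            if mode and not mode_matches(mode, got_mode):
                findings.append((path, "mode", mode, got_mode))
    return findings

# Constructed sample of an SAP system "PRD" with deliberate deviations marked.
SAMPLE_FS = {
    "/etc/sudoers": ("root", "system", "0440"),
    "/var/adm/sudo.log": ("root", "system", "0644"),           # world readable
    "/var/adm/sulog": ("root", "system", "0600"),
    "/sapmnt/PRD/exe": ("prdadm", "sapsys", "0775"),
    "/sapmnt/PRD/exe/saposcol": ("root", "sapsys", "0755"),    # setuid bit missing
    "/sapmnt/PRD/global": ("prdadm", "sapsys", "0700"),
    "/sapmnt/PRD/profile": ("prdadm", "sapsys", "0755"),
    "/usr/sap/PRD/sec": ("prdadm", "sapsys", "0700"),
    "/usr/sap/PRD/SYS": ("prdadm", "sapsys", "0755"),
    # /usr/sap/trans is deliberately absent
    "/secaudit/audit_01": ("prdadm", "sapsys", "0640"),
    "/secaudit/audit_02": ("prdadm", "sapsys", "0644"),        # violates xx0
}

def sample_stat(path):
    """stat_fn over SAMPLE_FS; raises FileNotFoundError like os.lstat does."""
    try:
        return SAMPLE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None

def sample_glob(pattern):
    """glob_fn over SAMPLE_FS for 'dir/*' patterns."""
    return sorted(p for p in SAMPLE_FS if p.startswith(pattern[:-1]))

if __name__ == "__main__":
    for path, attribute, expected, actual in audit_osrs("PRD", sample_stat, sample_glob):
        print(f"{path}: {attribute} expected {expected}, found {actual}")
```

On a real host run it as a user allowed to stat the paths and with the default stat_fn and glob_fn; an empty result means every encoded item holds.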
5.1 Operating system resources - AIX settings
145. The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Application owner userids / Application owner groups. Is this the case ? YES

5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access :
146. SAP* : Userid type is dialog. Is this the case ? YES
147. SAP* : Userid must exist in all clients. Is this the case ? YES
5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access :
148. SAP* : Userid must never be deleted. Is this the case ? YES
149. SAP* : Userid must be locked in all clients except when required for system maintenance. Is this the case ? YES
150. SAP* : Userid must be assigned to group SUPER in each client. Is this the case ? YES
151. SAP* : Profiles SAP_ALL and SAP_NEW, or equivalent, are assigned. Is this the case ? YES
152. DDIC : Userid type is dialog. Is this the case ? YES
153. DDIC : Userid must exist in client 000, 001, 100 (or the production client) and any client in the CTS path. Is this the case ? YES
154. DDIC : Userid must never be deleted. Is this the case ? YES
155. DDIC : Userid must never be locked. Is this the case ? YES
156. DDIC : Userid must be assigned to group SUPER. Is this the case ? YES
157. DDIC : Profiles SAP_ALL and SAP_NEW, or equivalent, are assigned. Is this the case ? YES
5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access :
158. (Used for installing Hotpacks or system upgrades.) : Userid type is dialog. Is this the case ? YES
159. (Used for installing Hotpacks or system upgrades.) : Userid must be assigned to group SUPER. Is this the case ? N/A
160. (Used for installing Hotpacks or system upgrades.) : Userid must only exist in client 000. Is this the case ? N/A
161. (Used for installing Hotpacks or system upgrades.) : Profiles SAP_ALL and SAP_NEW, or equivalent, can be assigned. Is this the case ? N/A
162. EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid type is dialog. Is this the case ? N/A
163. EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid must only exist in client 066. Is this the case ? N/A
164. EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid must be locked when not in use. Is this the case ? N/A
165. EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Profile S_TOOLS_EX_A is assigned. Is this the case ? N/A
5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access :
166. EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : If SDCCN is used, profile S_SDCC_ADM_N must also be assigned. Is this the case ? N/A

5.2 System and security administrative authority - AIX provider of service shared userids
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids :
167. ROOT (AIX) : rlogin=false. Is this the case ? N/A
7/22/2019 Itcs104 Fmc
79/130
168
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP. The
password of these ids may be shared among the System
Administrative group supporting the SAP instance provided
that individual accountability is maintained. The Provider of
Service must define the controls surrounding this access. Any
additional AIX privileged userids in support of Bolt on
applications must be identified and documented. Support
personnel must use SUDO from their personal id to connect to
any shared AIX userids :
ROOT (AIX) :
login=true (on SAP instance where there are no sensitive
programs).
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
80/130
169
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP. The
password of these ids may be shared among the System
Administrative group supporting the SAP instance provided
that individual accountability is maintained. The Provider of
Service must define the controls surrounding this access. Any
additional AIX privileged userids in support of Bolt on
applications must be identified and documented. Support
personnel must use SUDO from their personal id to connect to
any shared AIX userids :
ROOT (AIX) :
login=false (on SAP instances where sensitive programs
reside).
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
81/130
170
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
ROOT (AIX) :
Root must be included in /etc/ftpusers file.
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
82/130
171
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
7/22/2019 Itcs104 Fmc
83/130
172
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
7/22/2019 Itcs104 Fmc
84/130
173
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
7/22/2019 Itcs104 Fmc
85/130
174
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
ADM (AIX with DB2) :
rlogin=true
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
86/130
175
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
ADM (AIX with DB2) :
login=false
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
87/130
176
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
ADM (AIX with DB2) :
NOCHECK must be set in /etc/security/passwd
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
88/130
177
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
SAPR3 (AIX with DB2) :
May be the DB2 owner of SAP database.
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
89/130
178
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP. The
password of these ids may be shared among the System
Administrative group supporting the SAP instance provided
that individual accountability is maintained. The Provider of
Service must define the controls surrounding this access. Any
additional AIX privileged userids in support of Bolt on
applications must be identified and documented. Support
personnel must use SUDO from their personal id to connect to
any shared AIX userids :
SAPR3 (AIX with DB2) :
Userid cannot connect / sign on to DB2 and is not a DB2 user.
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
90/130
179
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
SAPR3 (AIX with DB2) :
rlogin=true
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
91/130
180
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
SAPR3 (AIX with DB2) :
login=true
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
92/130
181
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
SAPR3 (AIX with DB2) :
NOCHECK must be set in /etc/security/passwd.
Is this the case ?
N/A
7/22/2019 Itcs104 Fmc
93/130
182
5.2 System and security administrative authority
AIX provider of service shared userids
The following ids are required for the operation of SAP.
The password of these ids may be shared among the
System Administrative group supporting the SAP instance
provided that individual accountability is maintained. The
Provider of Service must define the controls surrounding
this access. Any additional AIX privileged userids in
support of Bolt on applications must be identified and
documented. Support personnel must use SUDO from
their personal id to connect to any shared AIX userids :
SAP (AIX with DB2) :
May be the DB2 owner of SAP database.
Is this the case ?
N/A
183
5.2 System and security administrative authority
AIX provider of service shared userids
SAP (AIX with DB2) :
Userid cannot connect / sign on to DB2 and is not a DB2 user.
Is this the case ?
N/A
184
5.2 System and security administrative authority
AIX provider of service shared userids
SAP (AIX with DB2) :
rlogin=true
Is this the case ?
N/A
185
5.2 System and security administrative authority
AIX provider of service shared userids
SAP (AIX with DB2) :
login=true
Is this the case ?
N/A
186
5.2 System and security administrative authority
AIX provider of service shared userids
SAP (AIX with DB2) :
NOCHECK must be set in /etc/security/passwd.
Is this the case ?
N/A
187
5.2 System and security administrative authority
AIX provider of service shared userids
SAPDB (AIX with DB2) :
May be the DB2 owner of SAP database.
Is this the case ?
N/A
188
5.2 System and security administrative authority
AIX provider of service shared userids
SAPDB (AIX with DB2) :
Userid cannot connect / sign on to DB2 and is not a DB2 user.
Is this the case ?
N/A
189
5.2 System and security administrative authority
AIX provider of service shared userids
SAPDB (AIX with DB2) :
rlogin=true
Is this the case ?
N/A
190
5.2 System and security administrative authority
AIX provider of service shared userids
SAPDB (AIX with DB2) :
login=true
Is this the case ?
N/A
191
5.2 System and security administrative authority
AIX provider of service shared userids
SAPDB (AIX with DB2) :
NOCHECK must be set in /etc/security/passwd.
Is this the case ?
N/A
192
5.2 System and security administrative authority
AIX provider of service shared userids
cstore :
rlogin=false
Is this the case ?
N/A
193
5.2 System and security administrative authority
AIX provider of service shared userids
cstore :
login=false
Is this the case ?
N/A
194
5.2 System and security administrative authority
zOS/OS390 provider of service shared userids
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access :
General:
RACF logging must be enabled.
Is this the case ?
N/A
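Added example, not part of the ITCS104 proforma: a Python check for the AIX settings asked for in items 181 to 193 (login and rlogin in /etc/security/user, NOCHECK in the flags line of /etc/security/passwd), run here over constructed stanza text in place of the root-only files. It assumes the userids are the lowercase AIX names sapr3, sapdb and cstore, that both files use the standard AIX stanza layout, and omits sap, whose items are the same as sapdb's.

```python
# Expected values from items 181-193 (AIX userids assumed lowercase; sap,
# whose items equal sapdb's, is omitted to keep the sample short).
EXPECTED = {
    "sapr3": {"login": "true", "nocheck": True},
    "sapdb": {"login": "true", "rlogin": "true", "nocheck": True},
    "cstore": {"login": "false", "rlogin": "false"},
}

def parse_stanzas(text):
    """AIX stanza format (/etc/security/user, /etc/security/passwd):
    'name:' opens a stanza, indented 'attr = value' lines belong to it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not raw[0].isspace():
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None and not line.startswith("*"):
            key, _, value = line.partition("=")  # '*' lines are comments
            current[key.strip()] = value.strip()
    return stanzas

def check_shared_ids(user_text, passwd_text):
    """userid -> attribute -> True when the host matches the item. A missing
    user attribute is inherited from 'default' as AIX does; no stanza, no pass."""
    users, passwds = parse_stanzas(user_text), parse_stanzas(passwd_text)
    default, report = users.get("default", {}), {}
    for uid, wants in EXPECTED.items():
        stanza = users.get(uid)
        flags = {f.strip() for f in passwds.get(uid, {}).get("flags", "").split(",")}
        report[uid] = {}
        for attr, want in wants.items():
            if attr == "nocheck":
                report[uid][attr] = "NOCHECK" in flags
            else:
                got = None if stanza is None else stanza.get(attr, default.get(attr))
                report[uid][attr] = got is not None and got.lower() == want
    return report

# Constructed samples: cstore has no rlogin line and so inherits rlogin = true
# from the default stanza (a FAIL); sapdb has an empty flags line (no NOCHECK).
SAMPLE_USER = """default:
        login = true
        rlogin = true
sapr3:
        login = true
sapdb:
        login = true
cstore:
        login = false
"""
SAMPLE_PASSWD = "sapr3:\n\tflags = NOCHECK\nsapdb:\n\tflags =\n"
```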
195
5.2 System and security administrative authority
zOS/OS390 provider of service shared userids
SAPR3 (RACF group) :
Must not be an operating system userid.
Is this the case ?
196
5.2 System and security administrative authority
zOS/OS390 provider of service shared userids