Expand +



SAP System Security for the Intranet and Internet

by Dr. Jurgen Schneider | SAPinsider

April 1, 2001

by Dr. Jurgen Schneider, SAP AG SAPinsider - 2001 (Volume 2), April (Issue 2)

To protect SAP systems and applications from misuse and attack, a number of powerful security functions are included in the standard product delivery (see Figure 1). These security functions must be deployed in combination with appropriate measures for the network infrastructure, operating systems, and database installations. The ultimate goal is to leave no vulnerabilities in any of these layers, because even a single security hole could be enough for an intruder to sneak in and do damage.

Figure 1 System Layers and Security Services

Secure Communications

A well-designed network features different protection zones and only a very few well-known and protected transitions between these zones (see Figure 2). To get from one zone to another, communication traffic has to pass through a firewall system. Nowadays, everybody expects a firewall between a company's intranet and the public Internet. Fewer people recognize the value of firewalls inside the corporate network, separating mission-critical SAP applications and database servers from the hundreds and thousands of PCs and user workstations in the client network.

Figure 2 Network Protection Zones

     How sure are you about the intentions of your internal users, and the nature and modification status of the software installed on their PCs? Just as you set up "Demilitarized Zones" (DMZs) at the border between the Internet and your intranet, and place Web servers and proxies between an external and an internal firewall, inside your corporate network you need well-configured network routers, address and port filters, and so on. A secure network can also be complemented nicely by VPNs (Virtual Private Networks) extending your extranet to customers and partners.

     With such a network setup, there are only a few doors left vulnerable to penetration by intruders. Your firewalls do have these doors (otherwise you couldn't go in yourself), so you must put guards in place. These guards include strong authentication and access control, as well as encrypted communications.

     All commercial Web servers, and the SAP product components they host today, support the Internet standard protocol Secure Sockets Layer (SSL) and can run HTTP over SSL (called HTTPS). With HTTPS, you ensure that clients and servers can be authenticated to one another via strong cryptography, and that they exchange strong encryption key information to protect all their communications from eavesdropping and message tampering. For the classical SAP communication protocols (DIAG, RFC), the same level of protection is achieved using SAP's Secure Network Communications (SNC) option and the SAProuter software as an application-level gateway.

User Management

An important prerequisite for the security of an information processing system is to know who is using it. Therefore, each SAP system includes a user management service. For each user of the system, a user master record is created, which contains the required data about the user's identity, status, authentication, and authorization information.

     SAP user management can be done centrally from one system for the whole SAP system landscape, and can also be integrated with Directory Services using the Lightweight Directory Access Protocol (LDAP). In the future, SAP will lay increasing emphasis on managing user and authorization data via LDAP and Directories.

TIP: For a comprehensive discussion on securing the multiple layers of an SAP infrastructure, refer to the article, "Is It Time To Revisit Your SAP Security Infrastructure?" in the September/ October 2000 issue of the SAP Professional Journal.

Authentication and Single Sign-On

To authenticate users when they access SAP applications, several mechanisms are supported (depending on security requirements and the SAP product release used). Everybody understands the concept of passwords, along with their advantages (easy to use, remember, and carry around) and drawbacks (weak passwords can be guessed, you may need several to access different systems, and the danger of wiretapping).

     With SAP's SNC option, you can switch off passwords and achieve Single Sign-On from a separate security infrastructure deployed in your company. This can be your Windows NT or Windows 2000 network, or other security infrastructures as provided by SAP partner products. It is also possible to equip your users with digital certificates according to the X.509 standard and use them for SAP logon (with or without smartcards).

     With HTTPS and SSL client authentication, digital certificates can be used for logon to SAP systems from a standard Web browser over the SAP Internet Transaction Server (ITS). A painless certificate enrollment procedure is provided with mySAP Workplace using the SAP Trust Center Service.

     To allow even more options for flexible and secure user authentication and Single Sign-On, SAP recently introduced the SAP Logon Ticket mechanism. Using Pluggable Authentication Services (PAS), customers can install their favorite authentication service (for example, NT logon, LDAP logon, RADIUS, etc.) on the ITS and use it for the initial authentication to the first SAP application, such as the mySAP Workplace enterprise portal shown in Figure 3.

     Upon successful authentication, an SAP Logon Ticket, which is valid for a limited period of time (typically a few hours), is created for the user and stored in the browser's main memory. This ticket is then used to access other SAP and non-SAP applications without additional user intervention.

Figure 3 mySAP Workplace Single Sign-On


Each service and application accessed by a user in an SAP system is controlled by the SAP Authorization Concept. Users are assigned roles, which are defined by the application developers and managed by system administrators. The roles contain lists of services and objects that can be accessed by role owners. Sophisticated tool support (SAP Profile Generator) is available to generate the technical authorization objects and profiles required for good performance at runtime from the abstract role definitions.

     With mySAP Workplace, SAP is currently extending and generalizing its role concept into the world of non-SAP applications as well. Ultimately, mySAP Workplace provides a central tool for managing user authorizations in the application landscape of the enterprise.

Integrity, Confidentiality, and Non-Repudiation

With the SAP Transaction and Authorization Concept it is not easy for an attacker to read or manipulate data, or access services without permission. To achieve an even higher level of security, as required, for example, in the course of high-volume business transactions, some SAP applications are using digital signatures and document encryption as provided over SAP's Secure Store and Forward (SSF) functionality. With SSF, users' digital certificate and private key information is used to create unforgeable cryptographic seals under certain data (digital signatures), or encrypt documents so that they can only be decrypted by the intended recipients. This functionality requires SAP applications to work with an existing Public-Key Infrastructure (PKI), which is achieved via SSF.

Auditing and Logging

Think no one will detect your unauthorized actions in an SAP system? Behind all business transaction processing, the Security Audit Log (SAL) is active to record security-relevant actions in log files. These log files provide the necessary data for security administrators and auditors to verify the health of your SAP system and analyze activities in the event of security incidents or hacking attempts.

Additional Information

For more information on security and SAP, visit (see Reliable Operations -> Security), or visit the SAP Service Marketplace for customers and partners at

Dr. Jurgen Schneider has been involved in the design and implementation of SAP security functions since 1996. Since 1998, he has been the Development Manager for Security in SAP's Technology Development. He can be reached at

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!