SAP AGNeurottstr. 16D-69190 WalldorfR/3 SecurityR/3 Security Guide: VOLUME IAn Overview of R/3 Security ServicesVersion 2.0a : EnglishMarch 22, 1999

An Overview of R/3 Security ServicesCopyrightCopyright Copyright 1999 SAP AG. All rights reserved.No part of this documentation may be reproduced or transmitted in any form or for any purpose withoutthe express permission of SAP AG.SAP AG further does not warrant the accuracy or completeness of the information, text, graphics, linksor other items contained within these materials. SAP AG shall not be liable for any special, indirect,incidental, or consequential damages, including without limitation, lost revenues or lost profits, whichmay result from the use of these materials. The information in this documentation is subject to changewithout notice and does not represent a commitment on the part of SAP AG in the future.Some software products marketed by SAP AG and its distributors contain proprietary softwarecomponents of other software vendors.Microsoft , WINDOWS , NT and EXCEL and SQL-Server are registered trademarks ofMicrosoft Corporation.IBM , OS/2 , DB2/6000 , AIX , OS/400 and AS/400 are a registered trademark of IBMCorporation.OSF/Motif is a registered trademark of Open Software Foundation.ORACLE is a registered trademark of ORACLE Corporation, California, USA.INFORMIX -OnLine for SAP is a registered trademark of Informix Software Incorporated.UNIX and X/Open are registered trademarks of SCO Santa Cruz Operation.ADABAS is a registered trademark of Software AG.SECUDE is a registered trademark of GMD-German National Research Center for InformationTechnology.SAP , R/2 , R/3 , RIVA , ABAP , SAPoffice , SAPmail , SAPaccess , SAP-EDI , SAPArchiveLink , SAP EarlyWatch , SAP Business Workflow , R/3 Retail are registered trademarksof SAP AG.SAP AG assumes no responsibility for errors or omissions in these materials.All rights reserved.SAP AGVersion 2.0a : March 22, 1999i

R/3 Security Guide: VOLUME ICopyrightiiVersion 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesTable of ContentsTable of ContentsCHAPTER 1: INTRODUCTION . 1-1CHAPTER 2: SECURITY ASPECTS. 2-1Authentication.2-1Authorization .2-2Integrity.2-2Privacy .2-3Obligation (non-repudiation) .2-3Auditing and Logging .2-3CHAPTER 3: THE R/3 SECURITY SERVICES. 3-1User Authentication. 3-2R/3 Password Rules .3-2Single Sign-On / Smart Card Authentication.3-3Retributing Unauthorized Logon Attempts.3-4R/3 Authorization Concept . 3-5Authority Checks .3-5Profile Generator.3-6Authorization Infosystem.3-7Network Communications . 3-8SAProuter.3-8Secure Network Communications (SNC) .3-9Secure Store & Forward (SSF) Mechanisms and Digital Signatures . 3-11Public-Key Technology .3-11Auditing and Logging. 3-15The Audit Info System (AIS).3-15The Security Audit Log.3-16R/3 Internet Applications Security. 3-17CHAPTER 4: CUSTOMER SERVICES . 4-1Security Consulting Team.4-1SAP Audit User Group .4-3Feedback Services.4-3SAP AGVersion 2.0a : March 22, 1999iii

R/3 Security Guide: VOLUME ITable of FiguresTable of FiguresFigure 4-1: An Overview of R/3 Security Services. 3-1Figure 4-2: Passwords . 3-2Figure 4-3: Single Sign-On . 3-3Figure 4-4: Generating Profiles using the Profile Generator. 3-6Figure 4-5: The Authorization Infosystem. 3-7Figure 4-6: SAProuter . 3-8Figure 4-7: Network Area Protected with SNC . 3-10Figure 4-8: Digital Signature . 3-12Figure 4-9: Digital Envelope. 3-13Figure 4-10: The Internet Transaction Server. 3-17Figure 4-11: Providing ITS Security . 3-18ivVersion 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesHow to Use the R/3 Security GuideHow to Use the R/3 Security GuideThe R/3 Security Guide consists of three separate volumes, with different levels of detail:R/3 Security Guide VOLUME I : An Overview of R/3 Security ServicesR/3 Security Guide VOLUME II : R/3 Security Services in DetailR/3 Security Guide VOLUME III : ChecklistsR/3 Security Guide VOLUME I : An Overview of R/3 Security ServicesThe R/3 Security Guide VOLUME I provides a general overview of the security services that we offer inR/3. With VOLUME I, you can familiarize yourself with these services, for example, before establishinga security policy or before installing an R/3 System.R/3 Security Guide VOLUME II : R/3 Security Services in DetailThis part of the R/3 Security Guide concentrates on the technical measures involved with R/3 Systemsecurity. It contains descriptions of the tasks involved, as well as our recommendations for the variouscomponents of the R/3 System. Use VOLUME II once you have established a security policy and areready to implement it for your R/3 System.R/3 Security Guide VOLUME III : ChecklistsThe third part of the R/3 Security Guide complements VOLUME II with checklists. You can use thesechecklists to record those measures that you have taken and for assistance when reviewing andmonitoring them.UpdatesWe will also publish updates to the guide as necessary. These updates will also be available overSAPNet in regular intervals.Valid ReleasesThis version of the R/3 Security Guide applies to R/3 Releases 3.0, 3.1, and 4.0. Where applicable,references to other releases are explicitly indicated.SAP AGVersion 2.0a : March 22, 1999v

R/3 Security Guide: VOLUME IHow to Use the R/3 Security GuideTypographical Information and Standard NotationsThe following tables explain the meanings of the various formats, symbols, and standard notations usedin the guide.Table 1: Typographical Information Used in this GuideThis text formathelps you identifyScreen Textwords or characters you see on the screen (this includes systemmessages, field names, screen titles, menu names, and menu items).User Entryexact user input. These are words and characters you type on thekeyboard exactly as they are in the documentation. Variable User Entry variable user input. Pointed brackets indicate that you replace thesevariables with appropriate keyboard entries.ALL CAPITALSreport names, program names, transaction codes, table names, ABAPlanguage elements, file names, and directories.Book Titlecross-references to other books or references.KEY namekeys on your keyboard. Most often, function keys (for example, F2 and theENTER key) are represented this way.Technical Object Namenames of technical objects outside of the R/3 System (for example, UNIX orWindows NT filenames or environment variables).This iconhelps you identifyExamplevian Example. Examples help clarify complicated concepts or activities.Notea Note. Notes can contain important information like special considerationsor exceptions.Cautiona Caution. Cautions help you avoid errors such as those that could lead todata loss.Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesChapter 1: IntroductionChapter 1: IntroductionWith the increasing use of distributed systems to manage business data, the demands on security arealso on the rise. When using a distributed system, you need to be sure that your data and processessupport your business needs without allowing unauthorized access to critical information. User errors,negligence, or attempted manipulation on your system should not result in loss of information orprocessing time. These demands on security apply likewise to the SAP R/3 System. Therefore, at SAP,we offer a number of services to meet the security demands on the R/3 System.However, to effectively use our services, you need to make your own contribution as well. You need todetermine which security demands apply specifically to your system. We encourage you to carefullyanalyze your requirements on system security and define priorities. Where are you most vulnerable?What information do you consider critical? Where is critical information stored or transferred? Whatsecurity options are available to protect your critical data and communications?We recommend you establish a security policy that reflects these requirements and priorities. Yoursecurity policy needs to be supported and encouraged from upper management as well as from youremployees. It should be practiced company-wide and cover your entire IT-infrastructure, to include yourR/3 System. It should encompass all security aspects that are important to your system. Securityaspects that you could consider include: User Authentication Authorization Protection Integrity Protection Privacy Protection Proof of Obligation (non-repudiation) Auditing and LoggingTo enforce your security policy and meet your security requirements on the R/3 System, we offer avariety of R/3 Security Services based on these aspects. Our services include: User Authentication-R/3 Password Rules-Single Sign-On / Smart Card Authentication-Retributing Unauthorized Logon Attempts R/3 Authorization Concept-Authority Checks-Profile Generator-Authorization Infosystem Network Communications-SAProuter-Secure Network Communications (SNC)SAP AGVersion 2.0a : March 22, 19991-1

R/3 Security Guide: VOLUME IChapter 1: Introduction Secure Store & Forward (SSF) Mechanisms and Digital Signatures Auditing and Logging-The Audit Info System (AIS)-The Security Audit Log R/3 Internet Applications SecurityWe have designed our services to give you an individual and flexible approach to R/3 security.Depending on your priorities, you may decide to use some or all of these services.We provide the R/3 Security Guide to assist you when using our services with the R/3 System. In thisvolume of the guide you receive an overview of our services that relate to security. See the R/3 SecurityGuide VOLUME II: R/3 Security Services in Detail for a detailed description on how to configure andadminister the various components of the R/3 System that are relevant to security. VOLUME IIIcomplements VOLUME II with checklists.Keep in mind that the most important factor in providing system security is your own security policy! Thisguide is intended to assist you when implementing a security policy, but it cannot replace your owninvestment of time and assets. We recommend you dedicate sufficient time and allocate ampleresources to implement your security policy and to maintain the level of security that you desire.1-2Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesChapter 2: Security AspectsChapter 2: Security AspectsWhen establishing your security policy, you need to decide what information or processes you considercritical. You need to decide what type of protection you need for this information. Your security policyshould encompass aspects such as: AuthenticationIt is important to only allow legitimate usersaccess to your system and prevent users frombeing impersonated! AuthorizationSecurity AspectsAuthenticationAuthenticationIt is important that users can only perform tasksfor which they are grity IntegrityIt is important that data cannot be changedwithout tion PrivacyIt is important to protect data or communicationsfrom unauthorized viewing or eavesdropping! Obligation (non-repudiation)It is important to be able to ensure liability andlegal obligation!cyilPoyrituSecAuditingAuditing && LoggingLogging Auditing and LoggingIt is important to record activities and events for future references (for example, audits)!We describe these aspects in more detail below.AuthenticationA basic, necessary security task is to make sure that users and information in a system are authentic.You need to know that the users who operate within your system are known users and that they cannotbe impersonated. We offer several mechanisms in R/3 to protect user accounts from being misused. Asa standard practice, R/3 authenticates its users by using passwords. The R/3 System has a number ofbuilt-in password rules that you can also expand on to meet your needs. For example, you can forceusers to regularly change their passwords, or you can prohibit certain words or character combinations.R/3 also locks users and sessions after a number of unsuccessful logon attempts to preventunauthorized users from gaining access to the system. If you have additional requirements, you can useour Secure Network Communications (SNC) to provide authentication outside of the R/3 System. Forexample, with SNC you can establish a Single Sign-On environment or use smart cards forauthentication. (For more information, see the section titled User Authentication.)SAP AGVersion 2.0a : March 22, 19992-1

R/3 Security Guide: VOLUME IChapter 2: Security AspectsAuthorizationIt is important that users can only perform those tasks for which they are authorized. A typical companyhas various roles in its organization, and the personnel who fill these roles perform certain tasks. Dataand processes should not be accessible by roles where they are not needed. For example, a worker inthe personnel department needs access to payroll processes and employee data. This informationshould not be accessible to workers in other departments such as manufacturing or sales.The R/3 authorization concept provides for protection against unauthorized access. Users can only usethose transactions and programs that they are explicitly allowed to access. When a user attempts to runa transaction or program, R/3 performs an authority check before allowing access to the user. If the userdoes not have the proper authorizations, then R/3 denies the user's access request to thecorresponding programs or transactions.The Profile Generator and the Authorization Infosystem are available to assist you when workingwith the R/3 authorization concept. The Profile Generator provides a top-down approach to assigningauthorizations and the Authorization Infosystem provides you with an easily accessible overview aboutyour authorizations and their assignments.IntegrityYou need to protect the information that you process on a daily basis from unauthorized changes, eitherthrough error or deliberate acts. If a user processes a transaction (for example, makes a payment on anaccount), he or she needs to be sure that the information remains consistent throughout processing.When a user accesses data, he or she needs to be sure that it is the data that was last saved. Thehardware and software must operate according to expectations, without executing undefined orunwanted actions. This process must function so well that the system as a whole can function withoutproblems or without corrupting the data.The following are examples of some of the mechanisms used or available in R/3 to provide integrityprotection: R/3 protects data integrity at the database level using a locking mechanism. The presentation software performs an integrity check on itself to make sure that it does not containviruses. Digital signatures are available with the Secure Store and Forward (SSF) mechanisms and are usedby certain applications. Digital signatures not only prove the identity of the 'signer', but can also beused to verify the integrity of a signed data packet. You can use SNC and an external security product with R/3 to provide integrity protection for datacommunications between R/3 components. R/3 also logs all imports and exports to and from the system.2-2Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesChapter 2: Security AspectsPrivacyIt has always been necessary to protect sensitive and private information from viewing by unauthorizedparties. For example, when you exchange personal information, you mark it as "confidential". Employersare obligated to keep contracts and employee information secret. Data protection laws prohibitdistributing personal information. Company and customer information, or product and prototypeinformation are kept in a company safe. This protection also applies to data that is saved on orcommunicated over electronic media.The R/3 authorization concept makes sure that users are only allowed to access the data that theyneed. To apply privacy protection to the R/3 data communications, you can use SNC to encrypt the datathat is transferred between R/3 components. Our SSF mechanisms also use encryption to "wrap" datain secure formats, called digital envelopes, before the data is transmitted or saved.Obligation (non-repudiation)The proof of obligation (non-repudiation) in reference to electronically saved or transmitted data isindispensable in electronic commerce. A message is considered obligatory if you can guarantee whothe creator of the message is, as well as the correctness of the message. Only so can electroniccommerce establish itself in today's business world. For example, before closing an electronic(paperless) contract, you want to be sure that the contract is obligatory and proof-worthy. Therefore, itmust be possible to prove the authenticity of the sender of the document, as well as the actuality of itscontents.Using the SSF mechanisms, certain applications in R/3 use digital signatures to enforce nonrepudiation. In these application areas, handwritten signatures are replaced with digital signatures,automating the work processes while maintaining one-to-one identification of the signer at the time ofsigning. The following are examples of applications that currently use SSF to produce digital signatures(as of Release 4.0): Quality Management Product Data Management Production Planning for Process IndustriesAuditing and LoggingIt is also important to record events and activities for future reference. It is not only necessary to savecertain information for legal purposes logs and audits can also prove to be indispensable in monitoringthe security of your system and tracking events in case of problems. R/3 keeps a variety of logs forsystem administration, monitoring, problem solving and auditing purposes. The Audit Info System andthe Security Audit Log are the auditing tools that we include as part of the R/3 security services.Additional logs include the system log, statistic records in CCMS (Computing Center ManagementSystem), change documents for business objects, and application logging.SAP AGVersion 2.0a : March 22, 19992-3

R/3 Security Guide: VOLUME IChapter 2: Security Aspects2-4Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesChapter 3: The R/3 Security ServicesChapter 3: The R/3 Security ServicesIn the last chapter, we described the security aspects of authentication, authorization, integrity, privacy,non-repudiation, and auditing and logging. Our R/3 security services are available to provide protectionbased on these aspects. Figure 3-1 shows an overview of our R/3 security services.R/3 InternetApplicationsSecurityUserUser Language********PasswordsRetributing Unauthorized Logon AttemptsSingle Sign-On / Smart Card AuthenticationR/3R/3 AuthorizationAuthorization ConceptConceptSAPguiAuthority ChecksProfile GeneratorInfosystem AuthorizationsFire- Webwall ServerSAPlpdINTERNETSAP RFCFile orWeb ServerSecureSecure StoreStore && ForwardForwardMechanismsMechanismsSAP GatewaySAProuterLoggingLogging andand AuditingAuditingNetworkNetwork CommunicationsCommunicationsSAProuterSecure Network Communications ***********************************Audit Info SystemSecurity Audit LogFigure 3-1: An Overview of R/3 Security ServicesThe individual services are described in more detail in the sections that follow.SAP AGVersion 2.0a : March 22, 19993-1

R/3 Security Guide: VOLUME IChapter 3: The R/3 Security ServicesUser AuthenticationThe R/3 System comes with its own user management service. For each user, the R/3 Systemmaintains an individual account, called a user master record, that contains all of the information that isspecific to the user (for example, user-id, password, and authorizations).To authenticate its users, the R/3 System uses passwords as its standard mechanism. You can alsouse an external security product with R/3 to provide for authentication outside of the R/3 System. Byusing an external product with R/3, you can use features such as Single Sign-On or smart cardauthentication. In addition, R/3 retributes unauthorized logon attempts with user and session locks.These mechanisms are described in more detail below.R/3 Password RulesWe provide a set of standard rules for passwords in R/3. You can adjust many of these rules in profileparameters to meet your own security policy requirements.The standard passwords rules include: First time dialog users receive an initial password that theymust change when used for the first time. The default minimum length for passwords is 3. (You canincrease this value in a profile parameter.) The maximum length is 8. The first character cannot be '?' or '!'. The first three characters cannot appear in the same order aspart of the user name. The first three characters cannot all be the same. The first three characters cannot include space characters. The password cannot be PASS or SAP*. You cannot reuse the last five passwords. A user can only change his or her password when logging on. You can force users to have to change their passwords ona regular basis. You can prohibit certain words or character patterns.Figure 3-2: Passwords3-2Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesUser AuthenticationSingle Sign-On / Smart Card AuthenticationIf you use our Secure Network Communications and an external security product (see the section titledNetwork Communications), you can make use of a Single Sign-On environment. The Single Sign-Onenvironment must be established by an external security product; SNC uses this environment.With Single Sign-On, your users only have to authenticate themselves once, even if they work onseveral systems. They logon to an external security product; the security product creates "credential"information for the users that it then provides to further systems such as R/3. When a user accesses asystem that is protected by the security product, for example an R/3 System, he or she is automaticallylogged on to the system based on the authentication information that it receives from the product (seeFigure 3-3). The product does not send any password information over the network; it sends averification that it has authenticated the user.ClientSecurityProduct Single Sign-OnFigure 3-3: Single Sign-OnSNC provides more than just Single Sign-On; it also provides additional integrity and privacy protectionfor data communications. To provide its protection, SNC requires the use of a SAP-certified externalsecurity product. For a "Single Sign-On only" environment under Windows NT, you can use theMicrosoft NTLMSSP (NT LAN Manager Security Support Provider) as the security provider. With thissolution, you do not need to purchase a SAP-certified product. See OSS Note 138498 [2] and the SNCUser's Guide [10] for more information.Depending on the security product that you use with SNC, you may also be able to use smart cards forauthentication purposes. (You need an external security product to be able to use smart cards, and notall security products support them.) With smart cards, the user's authentication information is stored onhis or her personal card. Such cards are also often protected with a PIN (Personal IdentificationNumber). Because the user has possession of the card as well as knowledge of the PIN, the chanceof someone copying or confiscating the information is greatly reduced. Once again, with smart cardauthentication, it is no longer necessary to transfer password information over the network.NoteAlthough authentication takes place outside of the R/3 System with Single Sign-On,authorization protection still occurs within R/3.SAP AGVersion 2.0a : March 22, 19993-3

R/3 Security Guide: VOLUME IChapter 3: The R/3 Security ServicesRetributing Unauthorized Logon AttemptsIn addition to authenticating users at logon, R/3 retributes unauthorized logon attempts with thefollowing mechanisms. You can also adjust most of these mechanisms in profile parameters to meetyour own security policy requirements. R/3 terminates the session if a number of unsuccessful logon attempts occurs under a single user-id. R/3 locks a user-id after a number of unsuccessful logon attempts. R/3 can automatically log-off idle users.For additional protection, we suggest that you: Require your users to use screen savers with passwords. Regularly monitor your system and check for unauthorized logon attempts.3-4Version 2.0a : March 22, 1999SAP AG

An Overview of R/3 Security ServicesR/3 Authorization ConceptR/3 Authorization ConceptThe R/3 authorization concept protects transactions and programs from unauthorized use. R/3 does notallow users to execute transactions or programs for which they do not have explicitly definedauthorizations. You decide which programs and transactions users are allowed to call and assign themthe appropriate authorizations in the user master records. When a user starts a program or calls atransaction, R/3 performs authority checks to make sure that the user has the proper authorizations.To assist you in working with the R/3 authorization concept, we also offer the Profile Generator and theAuthorization Infosystem as part of our R/3 security services.Authority ChecksTo enforce the R/3 authorization concept, R/3 performs authority checks when users attempt to executeprograms or transactions. In the authority checks, R/3 makes sure that the user has the appropriateauthorizations in his or her user master record before allowing the user to proceed. There are varioustypes of authority checks which include: R/3 Start Transaction Aut

An Overview of R/3 Security Services How to Use the R/3 Security Guide SAP AG Version 2.0a : March 22, 1999 v How to Use the R/3 Security Guide The R/3 Security Guide consists of three separate volumes, with different levels of detail: R/3 Security Guide VOLUME