SAP NetWeaver Application Server ABAP Security Guide

Purpose

This guide is to provide you with an overview of the security aspects and recommendations when using the SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP for your applications.

Integration

There is also a SAP NetWeaver Application Server Java Security Guide.

Constraints

This guide does not describe the administration or development functions for security on the SAP NetWeaver AS ABAP. Such information is provided in the corresponding documentation. It only provides the additional information that applies to specific application types.

How to Use This Guide

This guide is divided into the following sections:

·        User Authentication

This section describes security aspects involved with user authentication, for example, logon security, password rules and preventing unauthorized logons. In addition, it describes how to protect the standard users SAP*, DDIC, and EARLYWATCH.

·        SAP Authorization Concept

This section provides a brief overview of the SAP authorization concept and how you can use it to protect your applications from misuse.

·        Network Security for SAP NetWeaver AS ABAP

This section provides an overview of the protocols used by the SAP NetWeaver AS ABAP and the mechanisms to use to provide security for connections at the network transport layer.

·        Protecting Your Productive System (Change & Transport System)

This section describes how to prevent undesirable changes from being made in your productive system by using the Change and Transport System (CTS) and the Transport Management System (TMS).

·        Secure Store & Forward Mechanisms (SSF) and Digital Signatures

This section describes the security aspects involved when using public-key technology for digital signature and encryption functions.

·        Special Topics

Security aspects that apply to additional topics are also included. Such topics are:

Ў        Executing logical operating system commands in SAP systems

Ў        Batch input

Ў        Preventing disclosure of the SAPconnect RFC user

Ў        Internet Graphics Service security

In addition, see the topic Security Aspects for BSP and Security Aspects for Web Dynpro for ABAP in the Security Aspects for Usage Type DI and Other Development Technologies section of the SAP NetWeaver Security Guide: