SAP NetWeaver Security Guide

This guide does not replace the daily operations handbook that we recommend you create for specific productive operations.

Target Audience

·        Technical consultants

·        System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all time frames.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the SAP NetWeaver platform. To assist you in securing your SAP NetWeaver platform and products, we provide this SAP NetWeaver Security Guide.

About This Document

The SAP NetWeaver Security Guide provides an overview of the security-relevant information that applies to SAP NetWeaver. It contains an overall overview of security with SAP NetWeaver as well as links to the individual guides for each of the usage types, standalone engines, connectivity and interoperability technologies, database and operating system platforms and the various scenarios.

See the tables below:

Introduction to Security with the SAP NetWeaver Platform



Technical System Landscape

Technical System Landscape

User Administration and Authentication

User Administration and Authentication

Network and Transport Layer Security

Network and Communication Security

Security Guides for SAP NetWeaver According to Usage Types

Usage Type


Application Server (AS)

SAP NetWeaver Application Server ABAP Security Guide

SAP NetWeaver Application Server Java Security Guide

Interactive Forms based on Adobe Software Security Guide

Internet Transaction Server Security

SAP Knowledge Warehouse Security Guide

Virus Protection and SAP GUI Integrity Checks

EP Core (EPC)

Portal Security Guide

Enterprise Portal (EP)

Knowledge Management Security Guide

Collaboration Security Guide

Security Guide for Guided Procedures

SAP NetWeaver Visual Composer Security Guide

Universal Worklist

PDK for .NET Security Guide

Business Information (BI)

SAP Business Information Warehouse Security Guide

Development Infrastructure (DI)

Security Aspects for Usage Type DI and Other Development Technologies

Mobile Infrastructure (MI)

SAP Mobile Infrastructure Security Guide

Process Integration (PI)

SAP NetWeaver Process Integration Security Guide

Security Guides for Standalone Engines



Search and Classification (TREX)

Search and Classification (TREX) Security Guide

SAP Content Server

SAP Content Server Security Guide

SAP Web Dispatcher

Security Information SAP Web Dispatcher

J2EE Adapter Engine

SAP NetWeaver Process Integration Security Guide

The security aspects to consider when using the non-central version of the J2EE Adapter Engine are the same as for the central version. These aspects are described in detail in the SAP NetWeaver PI Security Guide.

J2SE Adapter Engine

SAP NetWeaver Process Integration Security Guide

The Plain J2SE Adapter Engine is only supported for compatibility reasons. It hosts only a subset of the adapter functionality and does not support standard security features as security logs or integrated user management. You should only use the Plain J2SE Adapter Engine if it is a precondition in your environment.

Security Guides for Connectivity and Interoperability Technologies



Remote Function Calls (RFC) or Internet Communication Framework (ICF)

RFC/ICF Security Guide

Application Link Enabling (ALE)

Security Guide ALE (ALE Applications)

Connectivity with the J2EE Engine

Security Guide for Connectivity with the J2EE Engine

Web services

Web Services Security

Business Communication Broker (BCB), which is part of the Integrated Communication Interfaces (ICI)

Security Guide Communication Interfaces

Security Guides for Operating System and Database Platforms

OS Platform



SAP System Security Under UNIX/LINUX


SAP System Security Under Windows

DB Platform



Oracle Under UNIX

Oracle Under Windows

Microsoft SQL Server

Microsoft SQL Server Under Windows

IBM DB2 Universal Database for UNIX and Windows

IBM DB2 UDB for UNIX and Windows under UNIX

IBM DB2 UDB for UNIX and Windows under Windows


MySQL MaxDB Security Guide

IBM DB2 Universal Database for iSeries

IBM DB2 Universal Database for iSeries

IBM DB2 Universal Database for z/OS

SAP Security Guide for IBM DB2 UDB for z/OS


Informix Under UNIX

Informix Under Windows

Security Aspects for System Management

Topic / Product


Solution Manager Diagnostics

Security Guide for the Solution Manager Diagnostics

SAP NetWeaver Administrator

SAP NetWeaver Administrator Security Roles

Computing Center Management System (CCMS)

Background Processing

Print and Output Management

Alert Management (ALM)

Central Monitoring with CCMS

SAP System Landscape Directory (SLD)

Security Guide for the SAP System Landscape Directory

Software Lifecycle Manager (SLM)

SLM Security Roles


Security Guide for ADK-Based Data Archiving

Security Guide for XML-Based Data Archiving

Auditing and Logging

Auditing and Logging

Security Guides for SAP NetWeaver Scenarios

The security aspects and recommendations for the SAP NetWeaver scenarios primarily use the information provided with the above security guides. To determine which of these guides apply in particular for each scenario, see Security Guides for the SAP NetWeaver Scenarios.

Meeting Your Own Security Requirements: Security Policy

Your security requirements are not limited to the SAP NetWeaver platform, but apply to your entire system landscape. Therefore, we recommend establishing a security policy that reflects the security issues that apply at a company-wide level. Your security policy should cover aspects such as:

?      User authentication

?      Authorizations

?      Data integrity

?      Privacy

?      Auditing and Logging

Once you have established your security policy, use this guide to implement and enforce security for those products that you use within the SAP NetWeaver platform.