Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Unique Passcode 84730685

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

SAP Security Configuration and Deployment
The IT Administrator’s Guide to Best Practices

Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59-749-284-3

Publisher: Laura Colantoni
Acquisitions Editor: Andrew Williams
Technical Editor: Leslie Wun-Young
Developmental Editor: Gary Byrne
Copy Editor: Christina Solstad
Page Layout and Art: SPI
Indexer: SPI
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].

Library of Congress Cataloging-in-Publication Data
Application Submitted

Technical Editor

Leslie Wun-Young is a senior SAP security specialist. She has conducted several SAP full life-cycle implementations and delivered superior solutions in high-pressure environments with tight timelines for companies such as the Walt Disney Company, IBM, and NBC Universal. Her specialties include security architecture, strategy, and design, plus SOD evaluation and GRC management. Leslie’s background includes positions as a senior developer for the American International Group, Inc. (AIG) and as a technical team lead for the Science Applications International Corporation (SAIC). Leslie holds a master’s degree in computer science and information systems from City College of New York/CUNY, and she is a member of the Multicultural Radio Broadcasting Association.
Lead Author

Joey Hirao (SAP Technical Certified Consultant; SAP NetWeaver Certified Consultant Enterprise Portals; Oracle OCP 8i, 9i, 10g; SUN Certified Solaris Administrator; Microsoft MCSE) is a senior Basis consultant for Group Basis (www.groupbasis.com), a firm specializing in SAP Basis and security solutions. He has over 11 years’ experience providing SAP Basis solutions for customers worldwide. Joey is the author of SAP R/3 Administration for Dummies (IDG Books Worldwide Inc., 1999). He has also presented at SAPAdmin and written many articles for SAPtips.com.

I dedicate this book to my fabulous duo, Julianna and Sofia. They make every day brighter and more beautiful.

Contributing Authors

Jeanmarie Hirao (CPA) is a senior SAP consultant with Group Basis. She has over 10 years of SAP experience, ranging from system auditor to project management. Her background includes positions as an external auditor for a Big Four accounting firm, an internal auditor for a multinational computer distribution company, and a consultant on SAP internal audits and FICO projects. She holds a master’s degree in accountancy from San Diego State University, California.

I dedicate this book to my amazing husband, who is the reason for my happiness.

Mimi Choi is a Basis consultant with over 7 years’ experience in SAP Basis. She currently works as a freelance consultant and provides technical consulting to a variety of large enterprise customers. Mimi previously worked as an advisory SAP technical consultant within the IBM Business Consulting Services team in Sydney, Australia. She is a certified SAP technology consultant. Mimi holds a bachelor’s degree in commerce from the University of New South Wales, Australia. She is currently based in London, U.K.

Perry Cox is the managing partner of P. W. Cox Consulting, L.P., with over 25 years’ experience in the IT industry, including three years as an adjunct faculty member teaching both undergraduate and graduate business students about IT. He has specialized in SAP security solutions for the past 12 years, implementing SAP for clients and instructing them on how to maintain their own SAP security environment. He is currently associated with Group Basis as a senior security consultant and holds an MBA from Indiana Wesleyan University.

Steven L. Passer is a senior manager in Accenture’s SAP Consulting Practice. He recently joined Accenture from NASA, where he was the lead SAP systems architect responsible for operations and engineering on the program. While with NASA, Steve was responsible for the technical services revolving around NASA’s implementation, including SAP NetWeaver, new releases, landscape, capacity planning, performance, and operations across all NASA instances, including SAP NetWeaver Portal, SAP Contract Management, SAP Business Information Warehouse, SAP Service and Asset Management, and SAP Solution Manager. Steven has over 14 years of SAP implementation experience in pharmaceutical, automotive, and federal organizations.

Chapter 1
Introduction

Solutions in this chapter:

■ NetWeaver Web Application Server
■ ABAP WEB AS 7.0
■ J2EE WEB AS 7.0
■ Backend UNIX/Oracle
■ Governance, Risk, and Compliance (GRC)

☑ Summary
☑ Solutions Fast Track
☑ Frequently Asked Questions

Introduction

When you consider the changes in SAP over the years, it’s an evolution that is both amazing and inspiring. The vision of R/3 back in 1993, compared to where it is today, 15 years later, highlights its initial purpose. That purpose was to enable business to be more efficient, effective, and integrated. Those of us who studied process engineering and realized that the decentralized information technology (IT) culture and islands of automation we had in the 1980s and early 1990s were ineffective in helping business evolve understood this need for an integrated enterprise solution.
Rudy Puryear[1] of Accenture Consulting discusses the evolution of IT systems from the 1970s to today. He describes three phases of an electronically driven economy. These phases concern how organizations develop and execute business strategy enabled by IT. The first era was data processing, next came information systems, and finally knowledge management. One sees how this evolution aligns with SAP’s continuous improvement program. The desired outcome for IT, improving business efficiency, has stayed consistent through the years. However, the delivery of value-producing systems was not easy to achieve until we finally reached this knowledge management era. The state of the art at the time R/3 was being developed was not in keeping with that early vision.

Now fast forward to today: our vision goes beyond enabling business and sees IT as an almost equal partner in effecting business efficiency. Today’s worker is a knowledge worker enabled by Web-based, flexible tools and technologies. These tools provide nearly instant information about the business problems they are working with. But with the incredible efficiency SAP can provide comes a heavy burden of infrastructure complexity. The system requirements for SAP are significant in terms of IT architecture, development architecture, and security infrastructure. In fact, I would maintain that embedded in every aspect of the infrastructure is now a component of security specification that must be addressed.

Unfortunately, we still see many occasions where security is the appendix of the infrastructure plan. Security is often relegated to an afterthought that only gets emergency attention when an event occurs, a question is asked by senior management, or an audit drives a specific change. It is the rare organization that has an embedded, active security-thinking culture. Security infrastructure as an embedded part of the IT culture has yet to be recognized in the mainstream.
However, when you consider the initiatives being addressed in corporations, institutions, and governments throughout the world, you begin to understand the strategic intent in evolving security. Nearly every technology conference, inside and outside the SAP space, has a topic on security. And now SAP NetWeaver technology has evolved to include the major SAP components necessary to implement the full life cycle of security infrastructure. While IT enables business, security enables IT; hence security is the underlying foundation of business enablement.

With IT organizations yet to adapt to this mind-set, the challenges are even greater. Most IT organizations are classically stove-piped, and hence the skills and training associated with these stovepipes have yet to evolve. Even worse, an organization often creates project teams that tax the stove-piped security group with a part-time representative. When I speak with young engineers across the organization, however, they seem to realize the change that is happening and are struggling to help their leaders make the right investments and reorganize to face the change. I challenge management to bring these facets out in the open and create enabling organizations that put the security mind-set at the forefront. It is no longer a cliché to say that security is everyone’s responsibility.

SAP has laid a foundation for this. In each aspect of SAP’s NetWeaver use-case scenarios lies a security layer. SAP describes these as usage types, which determine the intended purpose of a system or subsystem. They are made available by installing and configuring collections of software components.
Figure 1.1 presents NetWeaver as a collection of components that meet different needs up and down the integration stack.[2] It is important to recognize that today SAP NetWeaver is more than just a collection of components; it is an open technology platform that offers a comprehensive set of technological capabilities, natively integrated to support the needs of IT organizations worldwide. By reviewing the full gamut of capabilities, one arrives at IT Scenarios and IT Practices, which I refer to as use-cases.

Figure 1.1 SAP NetWeaver Usage Type Component Collection

IT Scenarios identify how one uses SAP NetWeaver to solve specific business problems. This is accomplished through deployment of the integrated IT scenarios in a way that does not disrupt existing business operations. IT Practices look at the overall SAP NetWeaver platform as a strategic investment. One views the usage framework vertically and determines the options to focus on critical business issues rather than the specific business problems addressed by tactical scenarios. This flexibility is the power of SAP NetWeaver.