Register Login

SAP Security Baseline: An insight

Updated May 18, 2018

The regulation that governs the security pre-requisites that are essentially required for any kind of SAP system implementation in an organization is popularly known as the SAP Security Baseline

The term ‘Baseline’ can be defined as the pre-requisites that must be fulfilled before implementation of Sap systems. An organization willing to implement SAP systems must ensure that these requirements are in place even if other forms of risk assessments have already been performed earlier. 

With the help of the right kind of assessments all the security prerequisites beyond this defined security baseline can be easily outlined.

For example: Systems with special configurations need an added risk analysis so that the potential risks can be duly identified and issues eliminated on time.

The following resources can be referred to in order to identify the SAP Security Baseline:

  • SAP security services like the security chapter of the EarlyWatch Alert or the SAP Security Optimization Service recommended by SAP. 
  • Security Guides or Security Whitepapers or Security Notes published by SAP.
  • Company specific IT Security Policies and guidelines.
  • Other forms of risk factors as identified by expert teams.

With these set of diagrams a typical approach has been explained:

Taking the help of the SAP security programs like the chapter on security from the Early Watch Alert or the SAP Security Optimization Service systems can be compared to identify the gap between SAP recommendations and corresponding general requirements.

Certain key decision made by an organization, security policies laid out in general as well as company specific protocols help in deriving the SAP system specific guidelines and prerequisites.

Companies build specific SAP Security baselines with the help of recommendations from SAP and internal resources.

The to-be-status for SAP systems can then be documented by compiling all the regulations into a single protocol document. In the SAP Solution Manager’s application Configuration Validation these protocols have to be adhered by the "Target Systems".

By using the application Configuration Validation tool, the SAP systems can be effectively checked to ensure that they adhere to the protocols laid down in the SAP Security Baseline.

This also helps with a cross system overview on components like security configuration or critical authorization. Risk Management tools like SAP GRC Process Control, SAP Solution Manager based dashboards, the Monitoring and Alerting Infrastructure in Solution Manager etc. can also use this tool to check for any security breaches.

What is comprises of the SAP Security Baseline Template?

SAP publishes a template document that has all the SAP Security Baseline points specific to an organization for quick reference and this defined as the SAP Security Baseline Template. This template comprises of all the requirements and cut off values for the security baseline as preferred by SAP. 

The following path can be followed to find the most updated SAP Security Baseline Template: Portal in support.sap.com/sos → Media Library → SAP Security Baseline Template. 

Creating an SAP Security Baseline with the help of the Template

The template can be used in two significant ways in order to derive the SAP Security Baseline.

First: The Template can simply be modified as per individual needs with values changed accordingly. Contents and other prerequisites based on individual needs can also be added or deleted while modifying the document. 

Second: Create a detailed document for yourself in which all the changes, modifications and differences that you desire for your own SAP landscape are explicitly outlined. On doing this you will have the convenience of referring to two notes, one being the Baseline template and the other will be the modifications doc and this practice has the following advantages:

Detailed notes about the changes in the Baseline that has been jointly decided by the organization.

It is also the best way to limit the number of deviations from the original SAP security Baseline laid down by the company.

Having two separate documents makes it easy for organizations to adapt to new versions of the SAP Security Baseline whenever one is rolled out.

Using Configuration Validation to ensure compliance with an SAP Security Baseline?

As has been explained earlier, the Configuration Validation tool can be used for different SAP system landscapes to ensure that they are adhering to thegiven technical prerequisites. SAP makes the implementation of this Configuration Validation tool easy by publishing files that be easily uploaded. These files along with explicit configuration instruction scan be easily found at the SAP Support Portal following the path: inhttp://support.sap.com/sos → Media Library → SAP Security Baseline Template.

Company specific changes can then also be added to the structure of the Configuration Validation to ensure complete adherence to the SAP Security Baseline. 

Read Here for More SAP Security Tutorials


×