
Security in technical SAP clients

In security concepts for productive SAP systems, often only the production client is considered. However, the other clients, especially client 000, must also be included in the security consideration.
Thomas Tiede, IBS
October 11, 2018
IT Security
This text has been automatically translated from German to English.

In security considerations, the SAP_ALL profile is still frequently assigned in technical clients instead of specific roles. Yet productive data can also be accessed from these other clients.

If sensitive data is processed (personal data, conditions, production data, etc.), access must be secured in the same way as in the production client.

For access to productive data, for example, the DBA Cockpit can be used, which can be called up with over 50 different transactions.

This contains the SELECT editor or SQL editor, with which data can be displayed directly in the database and (with the SQL editor) also changed. Since the client concept is a logic within the ABAP stack, the database itself knows nothing about clients.

Therefore, when a table is read at database level, the records of all clients are always returned. For example, table PA0008 (base salaries in SAP HCM) contains no data records in client 000.

However, if it is called up there via the DBA Cockpit, all data records of all clients are displayed, thus also the salary data in the productive client. This also applies to all other tables.

For example, to crack the passwords of users from the production client, all that is required is read access to table USR02, where the password hashes are stored. These can then be exported and attacked with appropriate tools.
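The following model, added here as an illustration and not taken from the article, shows the two points above: a database-level SQL editor ignores the MANDT (client) column that ABAP Open SQL filters on implicitly, so a logon to client 000 exposes every client's rows; and an audit query over the user-profile table lists who in a technical client holds SAP_ALL. Table and column names mirror SAP's (PA0008, USR02, UST04); the rows, the client number 100 and the hash placeholders are constructed.

```python
import sqlite3

PRODUCTION_CLIENT = "100"                    # assumed productive client
TECHNICAL_CLIENTS = ("000", "001", "066")    # SAP-delivered technical clients
KNOWN_TABLES = {"PA0008", "USR02", "UST04"}  # allow-list for table names


def build_db() -> sqlite3.Connection:
    """Constructed sample data: every client-dependent SAP table carries MANDT."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PA0008 (MANDT TEXT, PERNR TEXT, BET01 REAL);   -- base salaries
        CREATE TABLE USR02  (MANDT TEXT, BNAME TEXT, BCODE TEXT);   -- password hashes
        CREATE TABLE UST04  (MANDT TEXT, BNAME TEXT, PROFILE TEXT); -- profile assignment
        -- salary data exists only in the productive client
        INSERT INTO PA0008 VALUES ('100','00001234',5200.0),('100','00001235',6100.0);
        INSERT INTO USR02  VALUES ('000','BASISADM','<hash-placeholder>'),
                                  ('100','JDOE','<hash-placeholder>');
        INSERT INTO UST04  VALUES ('000','BASISADM','SAP_ALL'),
                                  ('100','JDOE','Z_HR_DISPLAY');
    """)
    return con


def open_sql_select(con, table, logon_client):
    """What ABAP Open SQL does: the logon client is appended as a WHERE condition."""
    if table not in KNOWN_TABLES:
        raise ValueError(f"unknown table {table!r}")
    return con.execute(f"SELECT * FROM {table} WHERE MANDT = ?", (logon_client,)).fetchall()


def native_sql_select(con, table):
    """What a DB-level SQL editor (e.g. in the DBA Cockpit) does: no client filter."""
    if table not in KNOWN_TABLES:
        raise ValueError(f"unknown table {table!r}")
    return con.execute(f"SELECT * FROM {table}").fetchall()


def sap_all_in_technical_clients(con):
    """Audit check: users in technical clients that hold the SAP_ALL profile."""
    marks = ",".join("?" * len(TECHNICAL_CLIENTS))
    rows = con.execute(
        f"SELECT MANDT, BNAME FROM UST04 WHERE PROFILE = 'SAP_ALL' AND MANDT IN ({marks}) "
        "ORDER BY MANDT, BNAME", TECHNICAL_CLIENTS).fetchall()
    return rows


if __name__ == "__main__":
    db = build_db()
    print("Open SQL from client 000:", open_sql_select(db, "PA0008", "000"))   # []
    print("DB-level SQL from client 000:", native_sql_select(db, "PA0008"))    # both salary rows
    print("SAP_ALL in technical clients:", sap_all_in_technical_clients(db))
```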

Other functions also allow access to data from other clients. For example, the function module SE16N_INTERFACE offers the possibility to display tables across clients.

In addition, table editing mode can be activated there at the same time, so that tables which are not changeable by default can be modified in the production client.

Another option for accessing productive data is the printer spool. This can be used to display print jobs from other clients.

If sensitive data is printed in the productive client, it can be viewed from client 000. Beyond access to productive data, authorizations in technical clients can also enable actions that violate applicable laws.

This applies in particular to elements of application development and the deletion of logs that must be retained. Application development is cross-client, so it is prohibited in a production system in all clients.

Many logs are also cross-client (e.g. the table change logs), so deleting these logs is prohibited in all clients. Such authorizations must therefore not be assigned in client 000 either.

System settings can also be maintained from any client, so the corresponding authorizations must be secured in all clients. At the same time, the authorizations required for data center operation may legitimately be set up here.

A classic data center operation requires authorizations exclusively in client 000, since all system settings can be made from here, such as setting system changeability and maintaining system parameters and trusted systems.

The security concept must specify which authorizations may and may not be assigned for system settings in client 000.

The security of the system can be significantly influenced by means of these authorizations. The security of an SAP system is therefore not only dependent on the protection of the production clients.

The technical clients, in particular client 000, also represent essential aspects of system security. Protection is much less complex than for the production client, since only the cross-client components need to be considered. This protection must always be included in a security concept.


Thomas Tiede is managing director of IBS Schreiber.
