Security Guide for SAP S/4HANA 2021

1 PUBLICD ocument Version: 2022-05-25 Security Guide for SAP S/4 HANA 2021 2022 SAP SE or an SAP affiliate company. All rights BEST RUN Content1 Before You User Administration and User Fiori Fiori User Data Role Integration into Single Sign-On System Hardening with SAP Security SAP S/4 HANA System Landscape Network and Communication Communication Channel Network Communication ICF and Session File System Access Virus Virus Scanning in File General Recommendations for Virus Scan Further Protection Against Active Additional System Hardening Data Protection and Read Access Deletion of Personal Information Consent SAP S/4 HANA Cross Application Data Security in SAP Security in SAP ILM System Guide for SAP S/4 HANA 2021 ContentUsers and Authorizations in SAP of Stored Data in SAP in SAP Payment Card You ..41 Data Storage Up Encryption Software ..43 Making Settings for Payment Card Security .

2 43 Relevant SSF Applications ..45 Generating Keys ..45 Migration of Payment Card Data Stored in Unencrypted Form ..46 Migration of Payment Card Data on SAP Business to SSF Application PAYCRV ..47 Migration to Current Key Version ..47 Deleting a Key Version ..48 Security -Relevant Logging and Implementation Steps .. Data Security in Behavioral and SAP S/4 HANA Enterprise Business Asset , Risk and Compliance for and Revenue Innovation Estate S/4 HANA Financial Closing Human Logging and HR and Guide for SAP S/4 HANA 2021 ContentPUBLIC3 Talent and Attendance Execution for Discrete Execution for Process Manufacturing Management and , Health and R&D / Safety and Portfolio and Project Product Development for Discrete Lifecycle Management ..475 Product Development for Discrete Force and Contract Administration in Communication Framework Security (ICF) in Access of Personal Data in UI Field Service Management Response Management Order Sourcing and Storage Security -Relevant of Personal Read Access Log Network Guide for SAP S/4 HANA 2021 ContentSupplier Supply and Order Analytics Performance Enterprise Data Contract Enablement Data SAP S/4 HANA & Natural of Personal Data in Business Access Logging for Electronic Read Access Log Business Network Security Aspects for Connectivity Direct Connectivity: SAP S/4 HANA as Direct Connectivity: SAP S/4 HANA as Roles and Authorizations (Ariba Network).

3 Roles and Authorizations (SAP Fieldglass)..852 Security Guide for SAP S/4 HANA 2021 ContentPUBLIC5 Document 13, 2021 First published version for SAP S/4 HANA 23, 2022 First published version for SAP S/4 HANA 2021 25, 2022 First published version for SAP S/4 HANA 2021 FPS026 PUBLICS ecurity Guide for SAP S/4 HANA 2021 Document History1 IntroductionTarget Audience Technology consultants Security consultants System administratorsThis document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Migration Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle Is Security Necessary?With the increasing use of distributed systems and the Internet for managing business data, the demands on Security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information.

4 User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on Security apply likewise to SAP assist you in securing SAP S/4 HANA, we provide this Security this DocumentThe Security Guide provides an overview of the Security -relevant information that applies to SAP S/4 HANA in general. In particular it comprises general considerations regarding the system access via SAP Fiori Apps. In case there are specific aspects for the underlying scenarios or applications these are described in an area-specific Guide for SAP S/4 HANA 2021 IntroductionPUBLIC72 Before You StartFundamental Security GuidesSAP S/4 HANA is based on ABAP Platform and the SAP HANA Platform. With respect to SAP Fiori apps, SAP Gateway plays a fundamental role as well. This means that the corresponding Security Guides are also applicable for SAP other guides are relevant, an appropriate reference is included in the documentation for the individual solution areas in the specific part of this consider the following fundamental Security whitepapers found on : Secure Configuration of SAP NetWeaver Application Server Using ABAP SAP Security Recommendations: Securing Remote Function Calls (RFC) Protecting SAP Applications Against Common AttacksApproach for "Secure By Default"SAP applies "secure by default" settings during system installation, system copies and system conversion from SAP ERP.

5 Depending on the SAP S/4 HANA release, the "secure by default" scope might vary. Overall, settings affect the profile parameters, ABAP platform configurations and HANA Installations and System Copies You have the choice to skip the activation of the secure profile parameters. Due to the nature of the settings, ABAP platform configurations and HANA auditing will always be enabled for new installations and system Conversions You have the choice to skip the activation of the secure profile parameters. ABAP platform configurations and HANA auditing will only be enabled in case the source system does not have a customer configuration for the respective topic. For example, SAP Security Audit Log configuration is only enabled with "secure by default" settings in case the source system does not have any SAP Security audit log detailed information on "secure by default" settings, see SAP Note SAP Notes SAP Note 1956820 contains information about saving temporary files when using Adobe Acrobat Reader in SAP Guide for SAP S/4 HANA 2021 Before You Start SAP Note 138498 contains information on single sign-on solutions.

6 SAP Notes relating to Security for the subcomponents of SAP S/4 HANA are referenced in the documentation for the individual components in this Guide . For a list of additional Security -relevant SAP Hot News and SAP Notes, see the SAP Support Portal at Guide for SAP S/4 HANA 2021 Before You StartPUBLIC93 User Administration and AuthenticationOverviewSAP S/4 HANA generally relies on the user management and authentication mechanisms provided with ABAP Platform, in particular the Application Server ABAP and the SAP HANA Platform. Therefore, the Security recommendations and guidelines for user administration and authentication as described in the Application Server ABAP Security Guide and SAP HANA Platform documentation more information, see: Go to , enter Application Server ABAP Security Guide into the search bar, press Enter, and open the search result with that title. SAP HANA Security Guide at the SAP Help Portal under under SecurityIn addition to these guidelines, you can find information about user administration and authentication that specifically applies to SAP S/4 HANA in the following topics: User Management [page 10]This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP S/4 HANA.

7 User Data Synchronization [page 13]SAP S/4 HANA can share user data with other components. This topic describes how the user data is synchronized with these other sources. Role Administration [page 13] Integration into Single Sign-On Environments [page 13] User Non-SAP Fiori TechnologyUser management for SAP S/4 HANA uses the mechanisms provided with the Application Server ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms apply for SAP S/4 HANA, see the sections below. In addition, we provide a list of the standard users required for operating SAP Administration ToolsThis table shows the tools available for user management and Guide for SAP S/4 HANA 2021 User Administration and AuthenticationToolDescriptionUser maintenance for ABAP-based systems (transaction SU01)For more information about the authorization objects pro vided by the subcomponents of SAP S/4 HANA, see the ap plication-specific maintenance with the profile generator for ABAP-based systems (PFCG)For more information about the roles provided by the sub components of SAP S/4 HANA, see the application-specific general information, go to , enter User and Role Administration of Ap plication Server ABAP into the search bar, press Enter, and open the search result with that User Administration (CUA)

8 For the maintenance of multiple ABAP-based systemsFor central administrative tasksUser TypesIt is often necessary to specify different Security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types that are required for SAP S/4 HANA Individual users Dialog users - used for SAP GUI for Windows Internet users - used for Web Applications Technical users Service users are dialog users who are available for a large set of anonymous users Communication users are used for dialog-free communication between systems Background users are used for processing in the backgroundFor more information about these user types, go to , enter Application Server ABAP Security Guide into the search bar, press Enter, and open the search result with that UsersThis section describes the standard users necessary for operating SAP S/4 HANA NoteEnsure you change the passwords and IDs of users that were created automatically during the Guide for SAP S/4 HANA 2021 User Administration and AuthenticationPUBLIC11 SystemUser IDTypePasswordAdditional Informa tionABAP Platform<sapsid>admSAP system adminis tratorMandatoryApplication Server ABAP Security GuideABAP PlatformSAP Service <sapsid>SAP system adminis tratorMandatoryApplication Server ABAP Security GuideABAP PlatformTMSADMSAP system adminis tratorMandatoryApplication Server ABAP Security GuideABAP PlatformSAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)See ABAP Platform Security GuideOptionalABAP Platform Secur ity GuideNote that EARLY WATCH and SAPCPIC may not be needed in your system land scape.

9 See note below this table for ECCSAP UsersDialog usersMandatoryThe number of users depends on the area of operation and the busi ness data to be proc essed NoteIn most cases, the user EARLYWATCH is not used anymore. We recommend checking if this is the case in your landscape. If the user is not needed, it should be deleted to minimize the attack surface. For more information, see user SAPCPIC is sometimes used in legacy RFC scenarios or with EDI. We recommend checking if SAPCPIC is needed in your landscape. If the user is not needed, it should be deleted to minimize the attack SAP Fiori TechnologyFor details on the user management and authorization concepts used in SAP Fiori apps, go to , enter SAP Fiori Overview into the search bar, press Enter, and open the search result with that Guide for SAP S/4 HANA 2021 User Administration and User Data SynchronizationBy synchronizing user data, you can reduce effort and expense in the user management of your system landscape.

10 Since SAP S/4 HANA is based on ABAP Platform, you can use all of the mechanisms for user synchronization in ABAP Platform more information, go to , enter ABAP Platform Security Guide into the search bar, press Enter, and open the search result with that Role AdministrationBusiness roles in SAP S/4 HANA represent the central object used to structure users access on the frontend more information, go to and proceed as follows: General information on role maintenance in systems based on Application Server ABAP:Enter Configuration of User and Role Administration into the search bar, press Enter and open the search result with that title. Role maintenance for access based on SAP Fiori launchpad:Enter SAP Fiori Launchpad into the search bar, press Enter, open the search result with that title and then navigate to one of the following entries: Administration GuideInitial Setup of the Launchpad Security Aspects Authorization concepts and role maintenance for custom development:Enter From the Programmed Authorization Check to a Role into the search bar, press Enter and open the search result with that title.