SAP BASIS

SAP BASIS Overview

SAP BASIS is a set of middleware programs and tools that provide the necessary environment for SAP applications to run. It is essentially the “technical foundation” of the SAP system, providing communication between SAP applications and the underlying hardware and database. BASIS administrators ensure that SAP systems run smoothly and are correctly configured. They manage system installation, configuration, upgrades, and performance tuning.

Key Components of SAP BASIS:

  1. System Installation and Configuration:

    • Installation of SAP software on the appropriate operating systems (Unix, Linux, Windows, etc.)
    • Configuration of the SAP instances, like the Database Instance (DB), Central Instance (CI), and Application Server Instance (AS).

  2. User Administration:

    • Creation, modification, and deletion of SAP users.
    • Assigning authorizations, roles, and permissions to users.
    • Managing user groups and profiles.

  3. System Monitoring and Performance Tuning:

    • Monitoring SAP instances for system health (using tools like SAP Solution Manager, ST03N, ST06, etc.).
    • Performance tuning of database, application, and network layers.

  4. Transport Management System (TMS):

    • Facilitates the transfer of configurations, programs, and objects from one SAP system to another (e.g., from development to testing to production).
    • Manages transport directories and transport routes.

  5. Backup and Recovery:

    • Implementing a backup strategy for the SAP database and application data.
    • Regularly performing system backups and verifying restore procedures.

  6. Patch Management and System Upgrades:

    • Applying support packages and enhancement packs.
    • Performing system upgrades and managing system landscapes (e.g., ECC, S/4HANA, BW).

  7. SAP Kernel Management:

    • Upgrading or patching the SAP kernel to ensure system stability and compatibility.

  8. Database Administration:

    • Managing the SAP database (e.g., Oracle, HANA, SQL Server).
    • Performance tuning, query optimization, and ensuring database integrity.

  9. SAP License Management:

    • Ensuring that SAP licenses are compliant with the licensing model.

  10. SAP System Landscape Management:

  • Managing the system landscape, including development, quality assurance (QA), and production systems.

Common SAP BASIS Transactions:

  • RZ10/RZ11: Profile management.
  • SM37: Monitor background jobs.
  • SM51: Manage application servers.
  • ST22: Dump analysis.
  • DB02: Database performance and analysis.
  • ST03N: Performance analysis for transactions.

SAP Security (Authorization and Authentication)

SAP Security focuses on protecting the SAP system from unauthorized access while ensuring the appropriate level of access to legitimate users. This includes managing user authentication, authorization roles, and profiles. It is critical for maintaining the integrity of SAP data and ensuring regulatory compliance.

Key Components of SAP Security:

  1. User Authentication:

    • Ensuring users can authenticate securely using methods like SAP’s built-in password authentication, Single Sign-On (SSO), or integration with external authentication systems (e.g., LDAP, Active Directory).

  2. Authorization Management:

    • Roles & Profiles: SAP security is primarily based on roles and profiles. Each role contains a collection of permissions that define what actions a user can perform. These roles can be assigned to users, and profiles are generated automatically based on the assigned roles.
      • Single Roles: Contain specific permissions for an individual task or transaction.
      • Composite Roles: Collection of single roles grouped together for a particular type of user (e.g., for a particular department).
    • Authorization Objects: SAP authorizations are controlled via authorization objects, which consist of fields and values that specify access restrictions (e.g., the user can access a particular transaction only for certain company codes).

  3. Authorization Profiles:

    • Generated from roles, profiles define the authorization values assigned to users. Profile generation ensures that users are granted permissions that correspond to their roles.

  4. User Management:

    • Creating, modifying, and deleting users.
    • Assigning roles to users based on their job functions and responsibilities.
    • Managing user master records to track user activity and authorization.

  5. Segregation of Duties (SoD):

    • Ensuring that no individual has conflicting roles (e.g., someone who can create a vendor and approve payments). This prevents fraud and errors.
    • SoD violations can be detected using tools like SAP GRC (Governance, Risk, and Compliance).

  6. Audit and Compliance:

    • SAP systems must comply with regulatory standards (e.g., SOX, GDPR).
    • Continuous monitoring of user activities and system changes is necessary to detect suspicious activities.
    • Audit logs and trace files can be analyzed to investigate system access and detect security breaches.

  7. Secure Communication:

    • Use of SSL encryption for secure communication between SAP clients, application servers, and databases.
    • SAP also supports encryption of sensitive data at rest (e.g., passwords, credit card numbers).

  8. Password Policies:

    • Defining rules for password complexity (e.g., length, characters, expiry).
    • Locking users after a specified number of failed login attempts.

  9. Audit Logs & Traces:

    • SAP provides tools like the ST01 (Authorization Trace) and SM20 (Security Audit Log) for capturing and analyzing security-related activities.

SAP Security Transactions:

  • SU01: User administration.
  • PFCG: Role and authorization management.
  • SU53: Authorization check analysis.
  • ST01: Authorization trace.
  • SM20: Security audit logs.
  • SM19: Configure the Security Audit Log.

SAP Security Best Practices:

  1. Role Design and Segregation of Duties (SoD):

    • Carefully plan and design roles to avoid excessive access privileges.
    • Implement strict SoD policies to mitigate risk.

  2. Minimal User Access:

    • Follow the principle of least privilege by granting users only the minimum level of access needed to perform their tasks.

  3. Regular Audits:

    • Conduct regular audits of user roles, profiles, and system access to ensure compliance with internal policies and external regulations.

  4. Implement Secure Password Policies:

    • Enforce strong password policies (e.g., requiring complex passwords and regular password changes).

  5. Monitor User Activities:

    • Continuously monitor system access and actions performed by users, especially those with elevated privileges.

  6. Apply Security Patches Regularly:

    • Keep the SAP system up-to-date by applying security patches and updates as soon as they are released.

  7. Integration with External Security Systems:

    • Use tools like SAP Identity Management (IDM) and SAP GRC for improved control over user access.

SAP Security Tools

  1. SAP GRC (Governance, Risk, and Compliance):

    • Provides a comprehensive solution for managing user access, mitigating SoD conflicts, and ensuring compliance with internal and external policies.

  2. SAP Identity Management (SAP IDM):

    • Automates user provisioning, role management, and access governance across the entire enterprise.

  3. SAP Audit and Log Monitoring:

    • The Security Audit Log captures events related to system access, user activities, and other critical events.
    • SAP Solution Manager can be used to monitor system activities and perform security checks.

  4. SAP Enterprise Threat Detection (ETD):

    • Detects and analyzes suspicious behavior in real-time, identifying potential threats based on patterns and activities.

Conclusion

SAP BASIS and SAP Security are two essential areas of SAP system administration. BASIS focuses on ensuring the SAP system is technically sound, operational, and secure, while SAP Security focuses on managing user access, ensuring data integrity, and preventing unauthorized access. Together, they ensure that an SAP system is efficient, compliant, and secure from a technical and user access standpoint.