Securing the Transport Directory

To store the data files between transports, special transport directories are used. If you have multiple SAP systems, they can use separate transport directories or share a common transport directory. Depending on the role of each SAP system and the security requirements for the systems, you must decide how you want to set up the transport directories in your landscape. We recommend that you configure them as shown in the following figure.

In this figure, the development system and the quality assurance system have a common transport directory. The production system has its own transport directory. This means that systems with lower security requirements (development and quality assurance systems) can share a transport directory, while systems with higher security requirements (production system) use a separate transport directory.

When transport requests are released in the development system, the data files of the transport requests are written to the transport directory, together with the corresponding control files and log files. In the shared transport directory, the data files are available for import into the quality assurance system.

To import transport requests into the production system that has a separate transport directory, the data files need to be transferred to the transport directory of the production system. Transfer between different transport directories is carried out using RFC connections. The data files are loaded into the quality assurance system. They are transferred to the production system using RFC connections and then stored in the transport directory of the production system. For more information on transferring transport directory content, see Special Features when Using Multiple Transport Directories. For more information on the RFC connections used in the Change and Transport System, see CTS Communication Destinations.

Whether you share a transport directory or use separate ones is a question of balance between convenience and security. If you use separate transport directories, you increase security by making it harder for unauthorized persons to access and change transport directory content. On the other hand, you limit access to export and import logs, since the logs are also not shared between the systems.

To protect the integrity, validity, and consistency of the data being transported, consider the following points:

  • If you share a transport directory between systems, it is generally mounted using an NFS mount (UNIX) or a Windows share. To prevent misuse, place those systems that share the transport directory in a separate secure network area.

    For more information, see Network and Communication Security in the SAP NetWeaver Security Guide.

  • Configure every transport directory in a secure way, for example, make it visible and accessible to authorized people only.
  • Restrict access to the application servers of the SAP systems of the same transport group.
  • Limit the number of people who are allowed to execute imports by granting the corresponding authorizations to only a few people.
  • Archive the data in the transport directories so that you can review the transport activities if necessary. To clean up the transport directory, see Cleaning Up the Transport Directory.
  • Secure all SAP systems in such a way that no users can have unauthorized access to the transport directory. Grant authorizations in such a way that only those users who really need access to the transport directory have it.
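
One way to check the file-system side of these points on a UNIX host is shown below. This is an added example, not part of the SAP documentation: it lists every entry in a transport directory tree that grants any permission to "other" or that belongs to a group other than the authorized one. The function names are hypothetical, and the path /usr/sap/trans and the group sapsys in the usage comment are assumptions about the installation.

```shell
#!/bin/sh
# Added example: audit a transport directory for entries that accounts
# outside the authorized group can reach. The directory and the group
# are parameters; nothing here is taken from the SAP documentation.

# Print entries under $1 that grant read, write or execute to "other".
# Symbolic links are skipped because their own mode bits are not enforced.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print entries under $1 whose group owner is not $2.
wrong_group() {
    find "$1" ! -type l ! -group "$2" -print
}

# Print one line per finding; return 0 if the tree is clean, 1 otherwise.
audit_transdir() {
    dir=$1
    grp=$2
    findings=$(
        {
            world_accessible "$dir" | sed 's/^/OTHER-ACCESS /'
            wrong_group "$dir" "$grp" | sed 's/^/WRONG-GROUP /'
        }
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage (assumed path and group; adjust to the installation):
#   audit_transdir /usr/sap/trans sapsys || echo "transport directory needs review"
```

A clean result covers only the permissions on the host where the script runs. For a shared directory, the NFS export or Windows share settings and the network placement of the systems need their own review.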

More information

CTS Roles and Authorizations