Background documentation

SAP System Security When Using Windows Trusted Domains

In the standard installation procedures, especially in large system landscapes, we recommend that you establish separate domains for your company data and your SAP system. We also recommend that you use the Windows trusted domain concept, because certain SAP-specific features and Windows services require trust relationships between the domains.

Some services require only a uni-directional (one-way) trust relationship, for example network printing with the Print Manager or batch file transfers with operating system commands such as xcopy or move.

Other services require a bi-directional (two-way) trust relationship, for example Single Sign-On using Microsoft's NT LAN Manager Security Support Provider Interface (NTLMSSPI).

When installing the SAP system, the installation tool SAPinst automatically performs all steps that are relevant for protecting the system against unauthorized access. For example, it creates the required user accounts and groups and sets restrictive access rights on the most important directories.

  • SAPinst creates the following domain users:

    • <sapsid>adm

      This is the SAP system administrator account that enables interactive administration of the system. It is a member of the local Administrators group.

    • SAPService<SAPSID>

      This is the virtual (service) user account under which the SAP system is started. It holds the local user right Log on as a service; it does not need interactive logon rights.

  • SAPinst creates the domain group SAP_<SAPSID>_GlobalAdmin.

  • SAPinst creates the local group SAP_<SAPSID>_LocalAdmin and includes the domain group SAP_<SAPSID>_GlobalAdmin.

  • SAPinst creates the local group SAP_LocalAdmin on the transport host. Members of this group have Full Control over the transport directory \usr\sap\trans, which allows transports to take place between systems. Because the transport directory is shared by several SAP systems, this group is not tied to a single SID: the SAP_<SAPSID>_GlobalAdmin group of each participating system is added to SAP_LocalAdmin.

  • SAPinst configures the SAP directories \usr, \usr\sap, \usr\sap\trans, \usr\sap\<SAPSID>, and their subdirectories by granting Full Control only to the Administrators and SAP_<SAPSID>_LocalAdmin groups.

  • Remove any Full Control rights granted to Everyone on shares on the SAP system servers.

  • For enhanced security, you can remove the administrative shares (C$, D$, ADMIN$, and so on) that Windows creates automatically on the SAP system server. The server can then only be accessed from the network over manually created shares.

  • If you have installed other software on the application server, make sure that the access rights for their directories and files are also set properly.

  • These rights apply specifically for SAP system resources. For details applying to the database files and directories, see the security instructions from your database supplier.
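The following PowerShell script is an added example, not code from SAP or from SAPinst. It audits an installed application server against the configuration described in the list above: the group nesting and local Administrators membership, the Log on as a service right of SAPService<SAPSID>, the Full Control grants on the SAP directories, shares that grant Everyone Full Control, and automatic administrative shares. The SID PRD, the domain CORP, and the installation drive D: are assumed values; run it in an elevated PowerShell session on the server itself (it uses the built-in LocalAccounts and SmbShare modules and secedit.exe).

```powershell
# Added audit example (not SAP's own code). Assumed values: SID 'PRD', domain 'CORP', drive 'D:'.
function Test-SapHostSecurity {
    param(
        [string]$SapSid   = 'PRD',    # assumption: SAP system ID
        [string]$Domain   = 'CORP',   # assumption: NetBIOS name of the domain holding the SAP accounts
        [string]$SapDrive = 'D:'      # assumption: drive that holds \usr\sap
    )
    $findings    = [System.Collections.Generic.List[string]]::new()
    $localAdmin  = "SAP_${SapSid}_LocalAdmin"
    $globalAdmin = "$Domain\SAP_${SapSid}_GlobalAdmin"
    $sidAdm      = "$Domain\$($SapSid.ToLower())adm"
    $svcAccount  = "$Domain\SAPService$SapSid"

    # 1. Group nesting created by SAPinst: the domain GlobalAdmin group must be a member of the
    #    local LocalAdmin group, and <sapsid>adm must be a local administrator.
    $localMembers = @(Get-LocalGroupMember -Group $localAdmin -ErrorAction SilentlyContinue | ForEach-Object Name)
    if ($localMembers -notcontains $globalAdmin) {
        $findings.Add("$globalAdmin is not a member of $localAdmin (or the group does not exist)")
    }
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
    if ($admins -notcontains $sidAdm) { $findings.Add("$sidAdm is not in the local Administrators group") }

    # 2. SAPService<SAPSID> needs SeServiceLogonRight. secedit exports each right as a list of *SID entries.
    $svcSid = ([System.Security.Principal.NTAccount]$svcAccount).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $right = (Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1).Line
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $right -or $right -notmatch [regex]::Escape("*$svcSid")) {
        $findings.Add("$svcAccount does not hold 'Log on as a service' (SeServiceLogonRight)")
    }

    # 3. Directory ACLs: Full Control only for Administrators and SAP_<SAPSID>_LocalAdmin.
    #    SYSTEM is kept in the allowed list because Windows services run under it; adjust to local policy.
    $allowedFull = @('BUILTIN\Administrators', "$env:COMPUTERNAME\$localAdmin", 'NT AUTHORITY\SYSTEM')
    $broad       = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $dirs = @("$SapDrive\usr", "$SapDrive\usr\sap", "$SapDrive\usr\sap\trans", "$SapDrive\usr\sap\$SapSid")
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { $findings.Add("$dir not found"); continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who    = $ace.IdentityReference.Value
            $rights = [int]$ace.FileSystemRights
            # FullControl is 0x1F01FF; entries that apply only to subfolders/files may carry GENERIC_ALL (0x10000000).
            $isFull = (($rights -band 0x1F01FF) -eq 0x1F01FF) -or (($rights -band 0x10000000) -ne 0)
            if ($isFull -and $who -notin $allowedFull) { $findings.Add("$dir grants Full Control to $who") }
            elseif ($who -in $broad) { $findings.Add("$dir grants $($ace.FileSystemRights) to $who") }
        }
    }

    # 4. Shares: no Full Control for Everyone, and report the automatic administrative shares (C$, D$, ADMIN$).
    #    IPC$ is skipped because it cannot be removed.
    foreach ($share in Get-SmbShare) {
        if ($share.Name -eq 'IPC$') { continue }
        if ($share.Special) {
            $findings.Add("Automatic administrative share $($share.Name) ($($share.Path)) is present"); continue
        }
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccountName -eq 'Everyone' -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -eq 'Full') {
                $findings.Add("Share $($share.Name) ($($share.Path)) grants Everyone Full Control")
            }
        }
    }
    return $findings
}

$result = Test-SapHostSecurity -SapSid 'PRD' -Domain 'CORP' -SapDrive 'D:'
if ($result.Count -eq 0) { 'No findings' } else { $result | ForEach-Object { "FINDING: $_" } }
```

The script only reports; it changes nothing. To remove a Full Control grant for Everyone on a share, use `Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force` and then grant the intended group with `Grant-SmbShareAccess`. Automatic administrative shares are suppressed by setting the DWORD value AutoShareServer to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and restarting the Server (LanmanServer) service; check first that no backup or transport job depends on the C$ or D$ shares, because after this change the host is reachable only over the shares you create yourself. The script checks only the SAP directories; as the last list item says, database files and directories follow the database supplier's instructions.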