In the standard installation procedures, especially in large system configurations, we recommend that you establish separate domains for your company data and for your SAP system. We also recommend that you use the Windows trusted domain concept, because certain SAP-specific features and Windows-specific services require trust relationships between the domains.
Certain services require only a uni-directional (one-way) trust relationship, for example network printing with the Print Manager or batch file transfers with operating system commands such as xcopy or move.
Other services require a bi-directional (two-way) trust relationship, for example Single Sign-On using Microsoft's NT LAN Manager Security Support Provider Interface (NTLMSSPI). Check the direction of the trust before relying on such a service: a one-way trust that suffices for printing or file transfer is not enough for Single Sign-On.
When installing the SAP system, the installation tool SAPinst automatically performs all steps that are relevant for protecting the system against unauthorized access. For example, it creates the required user accounts and groups and sets restrictive access rights on the most important directories.
SAPinst creates the following domain users:

<sapsid>adm: the SAP system administrator account, used for interactive administration of the system. It is a member of the local Administrators group.

SAPService<SAPSID>: the virtual user account under which the SAP system is started. It holds the local user right to log on as a service; treat it as a service account and do not use it for interactive work.
SAPinst creates the domain group SAP_<SAPSID>_GlobalAdmin.

SAPinst creates the local group SAP_<SAPSID>_LocalAdmin and adds the domain group SAP_<SAPSID>_GlobalAdmin to it.

On the transport host, SAPinst creates the local administrator group SAP_LocalAdmin. Members of this group have full control over the transport directory \usr\sap\trans, which allows transports to take place between systems. The SAP_<SAPSID>_GlobalAdmin group is added to the SAP_LocalAdmin group.
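After the installation, you can confirm that these accounts and groups are in place with a script such as the following. It is an added example, not part of the SAP documentation or of SAPinst; it assumes it runs elevated on an SAP system server (not the transport host), and the values 'PRD' for <SAPSID> and 'SAPDOM' for the SAP domain are placeholders that you replace with your own.

```powershell
# Added example, not from the SAP guide: verify the accounts and groups SAPinst is
# expected to create. Run elevated on an SAP system server (not the transport host).
# $Sid and $Domain are placeholders; replace them with your <SAPSID> and SAP domain.
param(
    [string]$Sid    = 'PRD',     # <SAPSID>, assumption for this example
    [string]$Domain = 'SAPDOM'   # NetBIOS name of the SAP domain, assumption
)

$sidAdm     = "$Domain\$($Sid.ToLower())adm"      # <sapsid>adm
$sapService = "$Domain\SAPService$Sid"             # SAPService<SAPSID>
$globalAdm  = "$Domain\SAP_${Sid}_GlobalAdmin"     # domain group
$localAdm   = "SAP_${Sid}_LocalAdmin"              # local group on this host
$problems   = @()

# 1. <sapsid>adm must be a member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains $sidAdm) {
    $problems += "$sidAdm is not a member of local Administrators"
}

# 2. SAP_<SAPSID>_LocalAdmin must exist and contain the domain GlobalAdmin group.
try {
    $members = Get-LocalGroupMember -Group $localAdm -ErrorAction Stop |
               Select-Object -ExpandProperty Name
    if ($members -notcontains $globalAdm) {
        $problems += "$globalAdm is not a member of $localAdm"
    }
} catch {
    $problems += "local group $localAdm does not exist"
}

# 3. SAPService<SAPSID> needs the 'Log on as a service' right (SeServiceLogonRight).
#    There is no cmdlet for user-rights assignments, so export the local policy with
#    secedit and read the line. secedit lists principals as *<SID> or as account names.
$cfg = Join-Path $env:TEMP 'sap-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1).Line
Remove-Item $cfg -ErrorAction SilentlyContinue
try {
    $svcSid = ([System.Security.Principal.NTAccount]$sapService).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    $svcSid = $null
    $problems += "account $sapService cannot be resolved in $Domain"
}
$hasRight = $line -and (
    ($svcSid -and $line -like "*$svcSid*") -or $line -like "*$sapService*")
if (-not $hasRight) {
    $problems += "$sapService does not hold SeServiceLogonRight"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: SAP accounts and groups for $Sid are configured as expected."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    exit 1
}
```

Run the same check on the transport host with the group name changed to SAP_LocalAdmin; there, every participating system's SAP_<SAPSID>_GlobalAdmin group should appear in the member list.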
SAPinst configures the SAP directories \usr, \usr\sap, \usr\sap\trans and \usr\sap\<sapsid>, together with their subdirectories, by granting Full control access rights only to the Administrators and SAP_<SAPSID>_LocalAdmin groups.
Remove any Full control rights granted to Everyone on shares of the SAP system servers.
For enhanced security, you can also remove the administrative shares that Windows creates automatically for each drive root (for example C$) on the SAP system servers. The servers can then be accessed over the network only through manually created shares.
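The following script audits a server against the three rules above (Full control on the SAP directories only for Administrators and SAP_<SAPSID>_LocalAdmin, no Full control for Everyone on shares, no automatically created administrative shares). It is an added example, not part of the SAP documentation or of SAPinst; it assumes it runs elevated, and the values 'PRD' for <SAPSID> and 'D:' for the drive that holds \usr\sap are placeholders.

```powershell
# Added example, not from the SAP guide: audit the NTFS rights on the SAP directories
# and the SMB shares of an SAP system server. Run elevated.
# $Sid and $Drive are placeholders for <SAPSID> and the drive holding \usr\sap.
param(
    [string]$Sid   = 'PRD',   # <SAPSID>, assumption for this example
    [string]$Drive = 'D:'     # drive that holds \usr\sap, assumption
)

# Only these principals may hold Full control on the SAP directories. Extend the list
# if your own policy also grants it to SYSTEM or to the database software's accounts.
$allowedFull = @('BUILTIN\Administrators', "$env:COMPUTERNAME\SAP_${Sid}_LocalAdmin")
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$dirs = @("$Drive\usr", "$Drive\usr\sap", "$Drive\usr\sap\trans", "$Drive\usr\sap\$Sid")
$findings = @()

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { $findings += "missing directory: $dir"; continue }
    # Check the directory itself and every subdirectory, because a non-inherited ACE
    # deeper in the tree is just as much a problem as one on the top-level directory.
    $nodes = @(Get-Item -LiteralPath $dir) +
             @(Get-ChildItem -LiteralPath $dir -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($node in $nodes) {
        $acl = Get-Acl -LiteralPath $node.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($who -eq 'Everyone') {
                $findings += "$($node.FullName): Everyone has $($ace.FileSystemRights)"
            } elseif ((($ace.FileSystemRights -band $fullControl) -eq $fullControl) -and
                      ($allowedFull -notcontains $who)) {
                # ACEs expressed with generic rights show up as large numbers and are
                # not matched here; review them by hand.
                $findings += "$($node.FullName): Full control for $who"
            }
        }
    }
}

# SMB shares: Everyone with Full control must go, and the automatically created
# administrative shares (C$, D$, ADMIN$, IPC$) are reported so they can be reviewed.
foreach ($share in Get-SmbShare) {
    if ($share.Special) {
        $findings += "automatically created administrative share present: $($share.Name)"
        continue
    }
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if ($entry.AccountName -eq 'Everyone' -and $entry.AccessControlType -eq 'Allow' -and
            $entry.AccessRight -eq 'Full') {
            $findings += "share $($share.Name): Everyone has Full control"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no unexpected rights on SAP directories or shares."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

To fix a share finding, use Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force and grant the needed groups explicitly. To stop Windows from recreating the drive-root administrative shares, set the DWORD value AutoShareServer to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and restart the Server service; IPC$ is not affected by this setting and remains.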
If you have installed other software on the application server, make sure that the access rights for its directories and files are also set correctly.
The rights described here apply specifically to SAP system resources. For the database files and directories, follow the security instructions from your database vendor.