
SAP Access Management: Beyond The Application Layer

With the vast majority of SAP user activity taking place at the application level, it stands to reason that security professionals should focus their access management efforts in this domain. Yet in doing so, they often neglect the infrastructure on which those applications run - despite the fact that all data stored in the programme layer is equally available via this infrastructure.

An organisation’s underlying infrastructure is a complex web of operating systems, databases, network connections, servers and interfaces, all pushing and pulling data around the business. As such, it represents an almost infinite array of access points that, without proper access management, pose significant risk. In many cases though, these risks are overlooked, with infrastructure managed purely for performance, not security.

While SAP security experts take care of the application layer, infrastructure is often passed off to operational teams with more limited knowledge of SAP security and access management best practices. These teams are usually tasked with just one key goal: to keep SAP up and running. As a result, while access may be managed appropriately at the application level, access to infrastructure often remains wide open.

At the very least, this puts the organisation at significant risk of regulatory compliance breaches because today’s key legislation covers all places where data is stored, processed and transmitted.

Auditors, too, are increasingly looking beyond application controls and into infrastructure, providing more cause for concern for organisations failing to cover both bases. In addition, there is the potential downtime and disruption that would be caused by an actual incident, the likelihood of which also naturally increases with poor access management provisions.

S/4 Hana – a further complication for access management?

As more and more SAP customers migrate to SAP S/4 Hana, the security challenge arguably intensifies further.

S/4 Hana allows multiple different ways of accessing databases, meaning more connections to infrastructure that could theoretically be compromised. What’s more, some S/4 Hana users are creating end users on the database itself, giving rise to further issues around secure permissions.

More user accounts mean more avenues of attack, abuse or mistake, as it’s no longer just the DBA or Unix administrators who have access. With S/4 Hana, anyone who manages one of the connected applications has access too – extending the requirement for greater control.

Gaining control over infrastructure

Rising levels of threat and legislation mean it’s time for all organisations to take firmer control of their infrastructure – taking access management beyond the application layer – regardless of whether they are migrating to S/4 Hana.

Addressing the following four key questions will determine current levels of control:

  1. Who has access to the organisation’s infrastructure?

It should be straightforward. In an ideal world, only the basis team, database administrators, backup administrators and some Unix administrators or operating system administrators should have access at infrastructure level.

But more often than not, access extends much further. There may be old accounts still in existence, left behind from team members or third parties who have since moved on. In most instances, these accounts would not be closed automatically.

Depending on the validation protocols, password sharing could also be taking place, spreading the network of access further still.

  2. Are users’ changes being logged appropriately?

Enabling logging functionality is essential to maintain visibility of who’s accessing the organisation’s infrastructure and what they’re doing. It will enable critical changes, system restarts or any other significant events to be monitored, and any instances of inappropriate use to be detected.

However, in order for the logging to be effective and insightful, it’s crucial that users are logging in with their own identifiable credentials. More often than not, that isn’t the case – they’re using shared accounts, or accounts that are incompatible with the enterprise’s naming conventions.

  3. Is the access appropriate?

Once it has been ascertained who has access to the infrastructure, the organisation also needs to know if that access is appropriate in every case.

Why do the individuals in question require the access they have? Who are they, what is their job role, and what part of that role makes access a necessity? Are they even using their access? Without this kind of insight into users, it’s impossible for the business to know if its permissions are appropriate.

Ultimately, the key question to answer here is what access should a user have, as opposed to what access do they have? Even if access has historically been given (with justification) to certain roles, it may not be necessary for every individual in that position – and unnecessary access is simply unnecessary risk.

  4. How quickly could the organisation act in the event of an incident?

While assessing how the infrastructure access is secured and controlled, it’s important to take the worst case scenario into consideration. If controls were to fail and the database went down, how quickly would the organisation be able to act? How soon before it could get its systems back online? Beyond that – how quickly and easily could it find out what happened and who caused it? Could any of this be proved?

Regardless of how fast a business might be able to get up and running again, it’s these final two points that will ensure disaster doesn’t strike twice.
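
The first three questions can be turned into a repeatable account review. The sketch below is an added example, not part of the original article: the account export, staff roster, `u####` naming convention and 90-day idle threshold are all constructed assumptions, while the permitted roles follow the teams named under question 1.

```python
import re
from datetime import date

# Constructed sample data (not from the article): accounts exported from an
# infrastructure host, plus the current staff roster with each person's role.
ACCOUNTS = [
    {"user": "u1001", "last_login": date(2024, 5, 28)},
    {"user": "u1002", "last_login": date(2024, 5, 30)},
    {"user": "u1003", "last_login": date(2023, 9, 2)},
    {"user": "u1004", "last_login": date(2024, 5, 12)},
    {"user": "dbadmin", "last_login": date(2024, 6, 1)},
    {"user": "u1005", "last_login": date(2024, 5, 20)},
]
ROSTER = {"u1001": "basis", "u1002": "dba", "u1003": "unix_admin",
          "u1005": "sap_developer"}

PERSONAL_ID = re.compile(r"^u\d{4}$")  # hypothetical naming convention
# Roles the article says should hold infrastructure access.
INFRA_ROLES = {"basis", "dba", "backup_admin", "unix_admin"}
MAX_IDLE_DAYS = 90  # assumed threshold for "not using their access"


def review(accounts, roster, today):
    """Return {user: [findings]} for accounts that need follow-up."""
    findings = {}
    for acct in accounts:
        user, issues = acct["user"], []
        if not PERSONAL_ID.match(user):
            # Question 2: activity cannot be tied to one identifiable person.
            issues.append("shared-or-nonconforming")
        elif user not in roster:
            # Question 1: account left behind by a leaver or third party.
            issues.append("orphaned")
        elif roster[user] not in INFRA_ROLES:
            # Question 3: job role does not justify infrastructure access.
            issues.append("role-not-justified")
        if (today - acct["last_login"]).days > MAX_IDLE_DAYS:
            # Question 3: access exists but is not being used.
            issues.append("unused")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, ROSTER, date(2024, 6, 3)).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts that return no findings are the ones whose owner is identifiable, still employed, in a justified role and actively using the access; everything else goes to the account owner or line manager for a decision.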


While SAP security professionals focus heavily on access management across the application layer, securing access to the underlying infrastructure is often something of an afterthought. Yet all the data stored within the application itself is also available via the infrastructure – and the risk of malicious data access or internal misuse at this level is often just as high.

Organisations must, therefore, start to take firmer control of infrastructure access management, starting by addressing the four key questions above to define their current status. For those unable to answer in a satisfactory fashion, a more thorough investigation into infrastructure access will be required to ascertain the risks, and tighten the lock on business data’s back-door.


About the author

Andrew Morris, Turnkey

Andrew Morris is Managing Consultant at Turnkey Consulting.
