Security in technical SAP clients
In security concepts, the SAP_ALL profile is still frequently assigned in technical clients instead of specific roles, even though productive data can also be accessed from these other clients.
If sensitive data is processed (personal data, conditions, production data, etc.), access must be secured in the same way as in the production client.
One way to reach productive data is the DBA Cockpit, which can be called via more than 50 different transactions.
It contains a SELECT editor and an SQL editor, with which data can be displayed directly in the database and (with the SQL editor) also changed. Because the client concept is implemented in the ABAP stack, the database itself has no notion of clients.
When a table is read at database level, the records of all clients are therefore always returned. For example, table PA0008 (base salaries in SAP HCM) contains no records in client 000.
If it is opened there via the DBA Cockpit, however, the records of all clients are displayed, including the salary data of the productive client. The same applies to every other table.
For example, to obtain the passwords of users in the production client, it is sufficient to read table USR02, which stores the password hash values. These can then be exported and cracked with appropriate tools.
Other functions also give access to the data of other clients. For example, the function module SE16N_INTERFACE offers the possibility to display tables across clients.
In addition, the table editing mode can be activated at the same time, so that tables that are not changeable by default can be changed in the production client.
Another route to productive data is the print spool, which can be used to display print jobs of other clients.
If sensitive data is printed in the productive client, it can be viewed from client 000. Beyond access to productive data, authorizations can also be used to violate applicable laws.
This applies in particular to application development and to the deletion of logs that must be retained. Application development is cross-client, so in a production system it is prohibited in all clients.
Many logs are also cross-client (e.g. the table change logs), so deleting them is prohibited from every client. These authorizations must therefore not be assigned in client 000 either.
System settings can also be maintained from every client, so the corresponding authorizations must be secured in all clients. The authorizations needed for data center operation, however, also have to be set up somewhere.
Classic data center operation requires authorizations exclusively in client 000, since all system settings can be maintained from there, such as the system change option, system parameters, and trusted systems.
The security concept must specify which authorizations for system settings may and may not be assigned in client 000.
These authorizations significantly influence the security of the system. The security of an SAP system therefore does not depend only on the protection of the production clients.
The technical clients, in particular client 000, are likewise an essential part of system security. Protecting them is far less complex than protecting the production client, since only the cross-client components need to be considered, but this protection must always be part of a security concept.