What are the best practices for internal security standards in companies with large SAP investments?

I work in a large company, and I'm interested in best practices for internal security standards. We have a large ($500 million +) investment in SAP, and we also have .Net and a bit of Java EE in our internal environment.

I've found some documentation from MS and SAP, but it's outdated and not very specific.

So far, it looks like we could end up using Active Directory as the standard user store for all non-SAP applications, and SAP CUA / Portal for SAP applications.

Some concerns I have about AD are:

  • Being able to aggressively time-out for applications on shared computers (A small number of our applications run in remote offices in rural areas with a limited number of shared machines. In these cases, a supervisor with "power user" privileges could use an application, and then a clerk who should have only basic privileges could use the same machine immediately after)

  • Being able to force the user to enter a username and password instead of just having the credentials read from the user's workstation - Because it's pulling the same credentials for the desktop and email, it won't currently ask users to log in. This is a concern for applications on shared computers as well. (See the explanation in the previous bullet)

As far as synchronization between AD and CUA is concerned, I want to approach this very carefully. We have a limited budget, and I want to make sure that if we end up putting something in place to synchronize the stores, that it's rock solid and provides excellent value. If we can't find something like this, I'd be comfortable coming back with a recommendation that the stores remain independent. SSO would be ideal, but I've worked with trying to get an SSO application up before SAML, and it wasn't pretty.

Acronyms:

  • SSO: Single Sign-On

  • SAML: Security Assertion Markup Language

  • CUA: Central User Administration (for SAP)



Solution 1:[1]

Why is it a problem if users don't have to log in? Wouldn't that be more convenient for users? And wouldn't it give them further incentive to log out of the application?

The project I'm working on now uses AD, and we have a mapping table inside of SAP to map AD accounts and SAP accounts. Synchronisation is manual, which may or may not work for you, but there's no real technical risk.

I wish I could give you more information, but I haven't been very involved with that side of things. I can look into it, though.

Solution 2:[2]

You might want to look at OpenSSO - it has agents for SAP and it will integrate with AD as the user store. It's also pretty solid - Verizon use it for 40 million customers to log in to their web site.

Solution 3:[3]

IMHO, this is not a good solution: using different users in one Windows session, especially users authenticated in AD. Usually it goes like this: USER1 runs the SAP client without closing it, and then another user, USER2, works on it. You get non-personified users. And don't forget that users don't like to perform all instructions.

We used a thin client like Citrix and SSO. It fully splits data and authorization between users. And you have to use different sessions for users on a workstation. The good thing is that no critical data is stored on the workstation.

Not a good idea and not secure, but you can run an application as a different user in a Windows environment in the same session. But it is not a secure solution for a big company.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 tsimon
Solution 2 Bill the Lizard
Solution 3