SAP Security Parameters Overview

9 February 2023

Enterprise IT infrastructure and the constantly growing number of cyber threats are among the main factors that directly influence the security of an organization. The recent shift of companies to large-scale remote or hybrid work has put even greater emphasis on monitoring the security of systems used by employees located all around the world. The security of central ERP systems such as SAP should be a priority for every company that relies on them. A thorough understanding of SAP system security is crucial for optimizing the software and for meeting the additional data protection obligations placed on each user.

A common way to learn about the SAP security methodology is to read the technical documentation provided by the manufacturer. However, for many people, especially those without day-to-day exposure to SAP Security and the security terminology of SAP systems, this is far too time-consuming. What other options are there? An overview of the most important aspects of SAP security is a good start. Which aspects ensure the security of an SAP system? What exactly does SAP security mean?

SAP Security & Authorizations is the set of mechanisms that protect SAP data and applications against unauthorized access and use. SAP provides various security controls to ensure that important data is always protected. SAP systems store confidential information about customers, business partners, and the company itself. Regular audits of SAP systems are essential to ensure full data integrity and security. This also applies to processes and to Segregation of Duties (SoD).

One of the key elements of SAP Security that allows the current state of the system to be assessed is the verification of the security configuration, in particular the profile parameters maintained at the BASIS level. These parameters need a thorough analysis that diagnoses how securely they are set. Such an analysis also allows the organization to identify and eliminate weaknesses in the system configuration, and by doing so it is prepared for the periodic security and financial statement audits that companies running SAP are subject to.

The security parameters mentioned above are part of the SAP system profiles. A profile determines how an instance is started and sets the many variables that define how the SAP instance and the system as a whole will operate.

There are two types of SAP profiles:

  • Default profile – contains global parameters that apply to all instances of the SAP system
  • Instance profile – contains profile data specific to a particular instance

Terminology and issues related to SAP security parameters are covered by the SAP Security team, which publishes an official SAP document called the Security Baseline Template.

What is the Security Baseline at its core? It is a set of good practices specifying the security prerequisites that are required for any kind of SAP system implementation in an organization, and it is widely known as the SAP security benchmark. The term “Baseline” can be understood as the preconditions that must be met before SAP systems are implemented in the organization.

The “Security Baseline” also defines the security measures that are considered “essential” for every enterprise, without the need for further analysis.

The latest version was released on November 16, 2021. The document is regularly reviewed and revised by the team that maintains it, which releases new versions from time to time.

In the SAP Security Baseline Template, the parameters are classified into three levels of security requirements:

  • Critical
  • Standard
  • Extended

All configuration parameters proposed in the publication are recommendations based on best practices; they are not binding system settings. Depending on your individual needs, you can change, add or remove security requirements at your discretion. However, it is important to make informed decisions and to be aware of the risks, and of the resulting level of security, that follow from your own interpretation of the “Security Baseline”.

In particular, the requirements marked as “Extended” need a broader review. They go beyond the critical and standard requirements and raise the security standard to higher levels of protection or extend it to further areas. They may therefore not fit every environment and should be tailored to your internal policies and organization, overall IT landscape, and security needs.

The best practice recommended by the SAP Security team is to start with a fixed but limited set of key requirements and to raise the level of SAP security gradually over time: begin with the critical and standard requirements, and implement the extended ones later.

Security parameters and their values apply to the different platforms and technologies used when configuring SAP systems in an enterprise. The most common are ABAP, Java and HANA; components such as the SAP Web Dispatcher and the RFC Gateway have parameters of their own as well.

The tables below summarize most of the SAP security parameters covered by the SAP Security Baseline Template (version 2.3). They are ordered by priority: critical first, then standard, then extended. The columns give the parameter name, its description, the risk level, the platform or technology, the default value, and the value recommended by the Security Baseline Template (SBT).

Table 1. Critical Parameters

| Parameter | Parameter description | Risk level | Platform or technology | Default value | SBT recommended value |
|---|---|---|---|---|---|
| ms/acl_info | File with access control list for message server | Critical | ABAP | /usr/sap/GDA/SYS/global/ms_acl_info | no “dummy” entries like host=* |
| ms/acl_info | File with access control list for message server | Critical | JAVA | /usr/sap/GDA/SYS/global/ms_acl_info | no “dummy” entries like host=* |
| listeninterface | Section parameter of the global.ini file on single host systems | Critical | HANA | .local | .local |
| listeninterface | Section parameter of the global.ini file on single host systems | Critical | HANA | .local | .internal |
| indexserver.ini/sqltrace/level | SQL trace level parameter in the indexserver.ini file | Critical | HANA | – | <> ALL_WITH_RESULTS |
| login/no_automatic_user_sapstar | Control of the automatic login user SAP* | Critical | ABAP | 1 | 1 |
| login/min_password_lng | Minimum password length | Critical | ABAP | 6 | >=8 |
| MIN_PASSWORD_LENGTH | Minimum password length | Critical | ABAP | 6 | >=8 |
| login/password_max_idle_initial | Maximum number of days a password (set by the admin) can be unused (idle) | Critical | ABAP | 0 | between 1 and 14 |
| MAX_PASSWORD_IDLE_INITIAL | Maximum number of days a password (set by the admin) can be unused (idle) | Critical | ABAP | 0 | between 1 and 14 |
| login/password_expiration_time | Days until the password must be changed | Critical | ABAP | 0 | 365 |
| PASSWORD_CHANGE_INTERVAL | Days until the password must be changed | Critical | ABAP | 0 | 365 |
| login/password_downwards_compatibility | Password downwards compatibility (8 / 40 characters, case sensitivity) | Critical | ABAP | 0 | 0 |
| ume.logon.security_policy.password_min_length | Minimum password length | Critical | JAVA | 1 | >=8 |
| minimal_password_length | Minimum password length | Critical | HANA | 8 | >=8 |
| maximum_unused_initial_password_lifetime | Maximum number of days a password (set by the admin) can be unused (idle) | Critical | HANA | 14 | <=14 |
| secinfo | RFC gateway access control list item | Critical | ABAP | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
| reginfo | RFC gateway access control list item | Critical | ABAP | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
| gw/sec_info | External security filename for gateway | Critical | ABAP | /usr/sap/GDA/SYS/global/secinfo | set to the filename of the secinfo access control list file |
| gw/reg_info | External security filename for gateway | Critical | ABAP | /usr/sap/GDA/D30/data/reginfo | set to the filename of the reginfo access control list file |
| gw/reg_no_conn_info | Security options | Critical | ABAP | 1 | at least bits 1, 2, 3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15, 31, 47, 63, 79, 95, 111, 127, 143, 159, 175, 191, 207, 223, 239, 255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
| gw/acl_mode | Mode for non-existing ACL file | Critical | ABAP | 1 | 1 |
| gw/monitor | Enables or disables monitor commands | Critical | ABAP | 1 | 1 |
| gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | ABAP | 0 | 0 |
| secinfo | RFC gateway access control list item | Critical | JAVA | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
| reginfo | RFC gateway access control list item | Critical | JAVA | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
| gw/sec_info | External security filename for gateway | Critical | JAVA | /usr/sap/GDA/SYS/global/secinfo | set to the filename of the secinfo access control list file |
| gw/reg_info | External security filename for gateway | Critical | JAVA | /usr/sap/GDA/D30/data/reginfo | set to the filename of the reginfo access control list file |
| gw/reg_no_conn_info | Security options | Critical | JAVA | 1 | at least bits 1, 2, 3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15, 31, 47, 63, 79, 95, 111, 127, 143, 159, 175, 191, 207, 223, 239, 255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
| gw/acl_mode | Mode for non-existing ACL file | Critical | JAVA | 1 | 1 |
| gw/monitor | Enables or disables monitor commands | Critical | JAVA | 1 | 1 |
| gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | JAVA | 0 | 0 |
| secinfo | RFC gateway access control list item | Critical | RFC Gateway | $(DIR_DATA)/secinfo | restrict access to RFC servers to expected sources |
| reginfo | RFC gateway access control list item | Critical | RFC Gateway | $(DIR_DATA)/reginfo | restrict access to RFC servers to expected sources |
| gw/sec_info | External security filename for gateway | Critical | RFC Gateway | /usr/sap/GDA/SYS/global/secinfo | set to the filename of the secinfo access control list file |
| gw/reg_info | External security filename for gateway | Critical | RFC Gateway | /usr/sap/GDA/D30/data/reginfo | set to the filename of the reginfo access control list file |
| gw/reg_no_conn_info | Security options | Critical | RFC Gateway | 1 | at least bits 1, 2, 3 and 4 must be set (bit 1 as of Kernel 7.40); must contain one of the values 15, 31, 47, 63, 79, 95, 111, 127, 143, 159, 175, 191, 207, 223, 239, 255 (respectively 1, 65, 129, 193 as of Kernel 7.40) |
| gw/acl_mode | Mode for non-existing ACL file | Critical | RFC Gateway | 1 | 1 |
| gw/monitor | Enables or disables monitor commands | Critical | RFC Gateway | 1 | 1 |
| gw/sim_mode | Start simulation mode for reg_info and sec_info | Critical | RFC Gateway | 0 | 0 |
| global_auditing_state | Part of the HANA audit trail | Critical | HANA | TRUE | TRUE |
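The profile mechanics described earlier (an instance profile overriding the default profile) and a handful of the Table 1 rules, checked in code. This is an added example, not code from the article or from SAP: the two profile texts are constructed for a fictitious system GDA / instance D30, the rule table and kernel defaults are transcribed from the "SBT recommended value" and "Default value" columns of Table 1, and a real run would read DEFAULT.PFL and the instance profile from the system's profile directory instead of the embedded strings.

```python
"""Check the effective SAP profile against a few Table 1 baseline rules.

Added example, not code from the article or from SAP. The two profile
texts below are constructed; the thresholds and kernel defaults are taken
from the "SBT recommended value" and "Default value" columns of Table 1.
"""


def parse_profile(text):
    """Parse 'parameter = value' lines of an SAP profile.

    Lines starting with '#' are comments. Only the first '=' separates the
    parameter from its value, so values such as 'PREFIX=/sap/admin, ...'
    survive intact.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def effective_profile(default_text, instance_text):
    """Merge default and instance profile: instance values take precedence."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged


def reg_no_conn_info_ok(value):
    """gw/reg_no_conn_info: bits 1-4 (mask 15) must all be set, i.e. the value
    is one of 15, 31, 47, ..., 255 (the rule for kernels before 7.40)."""
    return int(value) & 15 == 15


# Rules transcribed from Table 1: parameter -> (predicate, rule as printed).
# login/password_expiration_time is listed as 365; a smaller positive value is
# stricter, so the check accepts 1..365 and rejects 0 ("never expires").
RULES = {
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "1"),
    "login/min_password_lng": (lambda v: int(v) >= 8, ">=8"),
    "login/password_max_idle_initial": (lambda v: 1 <= int(v) <= 14, "between 1 and 14"),
    "login/password_expiration_time": (lambda v: 1 <= int(v) <= 365, "365"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "0"),
    "gw/reg_no_conn_info": (reg_no_conn_info_ok, "bits 1, 2, 3 and 4 set"),
    "gw/acl_mode": (lambda v: v == "1", "1"),
    "gw/monitor": (lambda v: v == "1", "1"),
    "gw/sim_mode": (lambda v: v == "0", "0"),
}

# Kernel defaults from Table 1, applied when neither profile sets the parameter.
KERNEL_DEFAULTS = {
    "login/no_automatic_user_sapstar": "1",
    "login/min_password_lng": "6",
    "login/password_max_idle_initial": "0",
    "login/password_expiration_time": "0",
    "login/password_downwards_compatibility": "0",
    "gw/reg_no_conn_info": "1",
    "gw/acl_mode": "1",
    "gw/monitor": "1",
    "gw/sim_mode": "0",
}


def check_profile(params):
    """Return {parameter: (effective value, compliant?, rule)} for every rule."""
    findings = {}
    for name, (predicate, rule) in RULES.items():
        value = params.get(name, KERNEL_DEFAULTS[name])
        try:
            compliant = bool(predicate(value))
        except ValueError:  # non-numeric value where a number is required
            compliant = False
        findings[name] = (value, compliant, rule)
    return findings


def noncompliant(params):
    """Sorted list of parameters that violate their Table 1 rule."""
    return sorted(n for n, (_, ok, _) in check_profile(params).items() if not ok)


# Constructed sample profiles for a fictitious system GDA, instance D30.
DEFAULT_PFL = """
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = GDA
login/min_password_lng = 6
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
gw/acl_mode = 0
"""

INSTANCE_PFL = """
# GDA_D30_host1 (constructed) - overrides DEFAULT.PFL where both set a value
login/min_password_lng = 10
login/password_max_idle_initial = 7
gw/reg_no_conn_info = 255
gw/sim_mode = 1
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin
"""

if __name__ == "__main__":
    profile = effective_profile(DEFAULT_PFL, INSTANCE_PFL)
    for name, (value, ok, rule) in check_profile(profile).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name} = {value} (SBT: {rule})")
```

Parameters set in neither profile fall back to the kernel default from the table, which is how an absent login/password_max_idle_initial still shows up as a finding.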

Table 2. Standard parameters

| Parameter | Parameter description | Risk level | Platform or technology | Default value | SBT recommended value |
|---|---|---|---|---|---|
| rec/client | Activate profile parameter to create customizing table logs | Standard | ABAP | OFF | <> OFF |
| TLOGOCHECK | Activate transport parameter to validate the content of transport files | Standard | ABAP | TRUE | TRUE |
| login/show_detailed_errors | Show detailed login error messages | Standard | ABAP | 1 | 0 |
| is/HTTP/show_server_header | Should the HTTP header contain the server entry | Standard | ABAP | FALSE | FALSE |
| is/HTTP/show_detailed_errors | Form of HTTP error pages (short or detailed) | Standard | ABAP | FALSE | FALSE |
| icm/SMTP/show_server_header | Prohibits information disclosure by the Internet Communication Manager (ICM) Server header | Standard | ABAP | FALSE | FALSE |
| is/HTTP/show_server_header | Information disclosure by Web Dispatcher and Internet Communication Manager (ICM) must be prohibited by setting profile parameters | Standard | Web Dispatcher | FALSE | FALSE |
| is/HTTP/show_detailed_errors | Information disclosure by Web Dispatcher and Internet Communication Manager (ICM) must be prohibited by setting profile parameters | Standard | Web Dispatcher | FALSE | FALSE |
| icm/SMTP/show_server_header | Prohibits information disclosure by the Internet Communication Manager (ICM) Server header | Standard | Web Dispatcher | FALSE | FALSE |
| wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/icman/* |
| wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/ping |
| wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/public/icf_info/* |
| wdisp/permission_table | Text file describing URI permission table (SAP Web Dispatcher) | Standard | Web Dispatcher | – | D /sap/wdisp/information |
| icm/HTTP/admin_<num> | Configuration of the web administration interface | Standard | Web Dispatcher | icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(icm/authfile) | contains CLIENTHOST |
| icm/HTTP/error_templ_path | The directory where error templates can be found | Standard | Web Dispatcher | /usr/sap/GDA/D30/data/icmandir/error_templ | /usr/sap/<SID>/<Instance>/data/icmerror |
| rdisp/TRACE_HIDE_SEC_DATA | Hide security-relevant data in developer traces | Standard | Web Dispatcher | ON | ON |
| icm/trace_secured_data | Showing encrypted data in the ICM trace file dev_icm | Standard | Web Dispatcher | FALSE | FALSE |
| icm/accept_forwarded_cert_via_http | Accepting the X.509 client certificate passed over HTTP | Standard | Web Dispatcher | FALSE | FALSE |
| icm/trusted_reverse_proxy_<num> | Configure multiple trusted reverse proxies | Standard | Web Dispatcher | – | no wildcards for SUBJECT or ISSUER |
| abap/path_normalization | ABAP profile parameter | Standard | ABAP | OFF | <> OFF |
| rdisp/msserv_internal | Internal port for communication with the message server | Standard | ABAP | 3931 | >0000; this port must be blocked by all firewalls between the server network and the client network so that no client can connect to this internal message server port |
| ms/monitor | Turn on/off the external monitor | Standard | ABAP | 0 | 0 |
| ms/admin_port | Administration port for external clients | Standard | ABAP | – | 0 |
| rdisp/msserv_internal | Internal port for communication with the message server | Standard | JAVA | 3931 | this port must be blocked by all firewalls between the server network and the client network so that no client can connect to this internal message server port |
| ms/monitor | Turn on/off the external monitor | Standard | JAVA | 0 | 0 |
| ms/admin_port | Administration port for external clients | Standard | JAVA | 0 | 0 |
| auth/rfc_authority_check | Option to perform an RFC authorization check | Standard | ABAP | 1 | 1 or 6 |
| rfc/callback_security_method | Rejecting an RFC callback using a whitelist | Standard | ABAP | 1 | 3 |
| rfc/selftrust | Trusted RFC connection | Standard | ABAP | 1 | 0 |
| /sap/bc/bsp/sap/bsp_veri/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/certmap/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/gui/sap/its/CERTMAP/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/certreq/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/gui/sap/its/CERTREQ/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/echo/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/error/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/FormToRfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/icf/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/srt/Idoc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/idoc_xml/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/report/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/soap/rfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/webrfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/xrfc/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/xrfc_test/ | ICF services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/bsp_model/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/htmlb_samples/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it00/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it01/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it02/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it03/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it04/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/it05/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/itmvc2/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/itsm/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/sbspext_htmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/sbspext_phtmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/sbspext_table/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/sbspext_xhtmlb/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/system_private/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| /sap/bc/bsp/sap/system_public/ | Critical services as elements of the Business Server Page (BSP) | Standard | ABAP | – | disabled if they exist in the current version (and are not used in business scenarios) |
| ixml/dtd_restriction | Limitation of DTD processing for iXML | Standard | ABAP | Expansion | Expansion or prohibited |
| login/disable_cpic | Disable incoming CPIC communication | Standard | ABAP | 0 | 1 |
| wdisp/add_xforwardedfor_header | Including the IP address in the x-forwarded-for header field | Standard | ABAP | FALSE | TRUE |
| HttpOnly/SystemCookiesDataProtection | HTTP service property | Standard | JAVA | FALSE | TRUE |
| SystemCookiesHTTPSProtection | HTTP service property | Standard | JAVA | TRUE | TRUE |
| dynp/checkskip1screen | Activate/deactivate the start check for transactions called with the “skip first screen” option | Standard | ABAP | OFF | ALL |
| dynp/confirmskip1screen | Activate/deactivate user confirmation when starting a transaction with “skip first screen” | Standard | ABAP | OFF | ALL |
| auth/check/calltransaction | Authorization check behavior during CALL TRANSACTION | Standard | ABAP | 2 | 2 or 3 |
| auth/no_check_in_some_cases | Activating the Profile Generator | Standard | ABAP | Y | Y |
| auth/object_disabling_active | The value ‘N’ prohibits disabling authorization objects | Standard | ABAP | Y | N |
| rdisp/gui_auto_logout | Maximum idle time for SAP GUI connections | Standard | ABAP | 0 | <=2 hours |
| rdisp/vbdelete | Delete old update requests | Standard | ABAP | 50 | 500 |
| ume.logon.selfreg | Self-registration in the portal | Standard | JAVA | FALSE | FALSE |
| snc/enable | Enable SNC (Secure Network Communication) | Standard | ABAP | 1 | 1 |
| snc/data_protection/min | Minimum data protection requirement for incoming calls | Standard | ABAP | 3 | 3 |
| snc/data_protection/max | Secure Network Communication data protection limit | Standard | ABAP | 3 | 3 |
| snc/data_protection/use | Data protection level for R/3-initiated connections | Standard | ABAP | 3 | 3 or 9 |
| icm/server_port_<num> | The service or port to be used by the protocol | Standard | Web Dispatcher | – | PROT=HTTPS |
| icm/HTTP/admin_<num> | Configuration of the web administration interface | Standard | Web Dispatcher | icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_ICMAN_ROOT)/admin, AUTHFILE=$(icm/authfile) | PORT=HTTPS_PORT |
| login/password_compliance_to_current_policy | Enforce compliance of the password with the current password policy | Standard | ABAP | 0 | 1 |
| PASSWORD_COMPLIANCE_TO_CURRENT_POLICY | Enforce compliance of the password with the current password policy | Standard | ABAP | 0 | 1 |
| icf/reject_expired_passwd | Avoid logging in with initial or expired user accounts | Standard | ABAP | 0 | 1 |
| rfc/reject_expired_passwd | Prevents login with an initial or expired password via RFC | Standard | ABAP | 0 | 1 |
| force_first_password_change | Force password change on first login | Standard | HANA | TRUE | TRUE |
| login/ticket_only_by_https | Generate a ticket that will only be sent over HTTPS | Standard | ABAP | 0 | 1 |
| login/ticket_only_to_host | The ticket will only be sent back to the creating host | Standard | ABAP | 0 | 1 |
| icf/set_HTTPonly_flag_on_cookies | Set the HttpOnly flag on cookies | Standard | ABAP | 3 | <> 1 or 3 |
| rsau/enable | Enable security audit log | Standard | ABAP | 0 | 1 |
| rsau/integrity | Enable integrity file format | Standard | ABAP | 0 | 1 |
| rsau/log_peer_address | Log peer address instead of terminal | Standard | ABAP | 0 | 1 |
| rsau/selection_slots | The number of selection slots for the security audit log | Standard | ABAP | 2 | >=10 |
| rsau/user_selection | Defines the user selection method used in kernel functions | Standard | ABAP | 0 | 1 |
| icm/HTTP/logging_0 | HTTP logging specification | Standard | ABAP | – | PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month, LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2 |
| icm/HTTP/logging_client_0 | HTTP logging in ICM (or network dispatcher) if ICM is running as server | Standard | ABAP | – | PREFIX=/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month, LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i |
| icm/security_log | Configuration of the ICM security log | Standard | ABAP | LOGFILE=dev_icm_sec,MAXSIZEKB=10000 | LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month |
| ms/HTTP/logging_0 | Specify HTTP logging for the message server | Standard | ABAP | PREFIX=/, LOGFILE=dev_ms_logging, LOGFORMAT=SAPMSG | PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i |
| ms/http_logging | Dynamic HTTP logging changes | Standard | ABAP | 0 | 1 |

Table 3. Extended parameters

| Parameter | Parameter description | Risk level | Platform or technology | Default value | SBT recommended value |
|---|---|---|---|---|---|
| RECCLIENT | Parameter in transport profile (used by R3trans) | Extended | ABAP | OFF | defined and not set to OFF |
| VERS_AT_EXP | A transport parameter for creating versions of repository objects within transports | Extended | ABAP | TRUE | NO_T, or TRUE, YES, ON or 1, for development systems |
| VERS_AT_IMP | A transport parameter for importing objects that are moved without being reassigned to a new package | Extended | ABAP | NEVER | ALWAYS (for productive systems) |
| TP_RELEASE | Transport parameter element | Extended | ABAP | – | >= 380.44.90 |
| TP_VERSION | Transport parameter element | Extended | ABAP | 0 | >= 380 |
| sapgui/nwbc_scripting | Protect the application against possible attacks via scripting | Extended | ABAP | FALSE | FALSE |
| sapgui/user_scripting | Enable or disable user scripting in the UI | Extended | ABAP | FALSE | FALSE |
| sapgui/user_scripting_disable_recording | Disable recording in SAP GUI Scripting | Extended | ABAP | FALSE | TRUE |
| sapgui/user_scripting_force_notification | Prevent users from turning off SAP GUI Scripting notifications | Extended | ABAP | FALSE | TRUE |
| sapgui/user_scripting_per_user | Check the user's authorization to determine whether user scripting should be enabled | Extended | ABAP | FALSE | TRUE |
| sapgui/user_scripting_set_readonly | Enable or disable the read-only mode of SAP GUI Scripting | Extended | ABAP | FALSE | TRUE |
| snc/accept_insecure_gui | Accept unsecured SAP GUI logins on a server that supports SNC | Extended | ABAP | 1 | U (or 0) |
| snc/accept_insecure_rfc | Accept insecure RFC connections on a server that supports SNC | Extended | ABAP | 1 | U (or 0) |
| snc/only_encrypted_gui | Enforce encrypted SAP GUI connections | Extended | ABAP | 0 | 1 |
| snc/only_encrypted_rfc | Enforce encrypted RFC connections | Extended | ABAP | 0 | 1 |
| snc/log_unencrypted_rfc | Security Audit Log entries for unencrypted RFC connections | Extended | ABAP | 0 | 2 |
| system/secure_communication | SSL configuration for internal system communication | Extended | ABAP | ON | ON |
| ssl/ciphersuites | Default SSL/TLS server cipher suites (and flags) | Extended | ABAP | 135:PFS:HIGH::EC_P256:EC_HIGH | 135:PFS:HIGH::EC_P256:EC_HIGH |
| ssl/client_ciphersuites | Default SSL/TLS client cipher suites (and flags) | Extended | ABAP | 150:PFS:HIGH::EC_P256:EC_HIGH | 150:PFS:HIGH::EC_P256:EC_HIGH |
| login/min_password_digits | Minimum number of digits in passwords | Extended | ABAP | 0 | >=1 |
| MIN_PASSWORD_DIGITS | Minimum number of digits in passwords | Extended | ABAP | 1 | >=1 |
| login/min_password_letters | Minimum number of letters in passwords | Extended | ABAP | 0 | >=1 |
| MIN_PASSWORD_LETTERS | Minimum number of letters in passwords | Extended | ABAP | 1 | >=1 |
| login/min_password_lowercase | Minimum number of lowercase letters in passwords | Extended | ABAP | 0 | >=1 |
| MIN_PASSWORD_LOWERCASE | Minimum number of lowercase letters in passwords | Extended | ABAP | 1 | >=1 |
| login/min_password_uppercase | Minimum number of uppercase letters in passwords | Extended | ABAP | 0 | >=1 |
| MIN_PASSWORD_UPPERCASE | Minimum number of uppercase letters in passwords | Extended | ABAP | 1 | >=1 |
| login/min_password_specials | Minimum number of special characters in passwords | Extended | ABAP | 0 | 1 |
| MIN_PASSWORD_SPECIALS | Minimum number of special characters in passwords | Extended | ABAP | 0 | 1 |
| login/min_password_diff | The minimum number of characters that must differ between the old and the new password | Extended | ABAP | 1 | >=3 |
| MIN_PASSWORD_DIFFERENCE | The minimum number of characters that must differ between the old and the new password | Extended | ABAP | 1 | >=3 |
| login/disable_password_logon | Disable password-based logon | Extended | ABAP | 0 | not empty |
| DISABLE_PASSWORD_LOGON | Disable password-based logon | Extended | ABAP | 0 | not empty |
| DISABLE_TICKET_LOGON | Security policy attribute for logging on to applications | Extended | ABAP | 0 | not empty |
| login/fails_to_user_lock | The number of failed logon attempts until the user is locked | Extended | ABAP | 5 | <=5 |
| MAX_FAILED_PASSWORD_LOGON_ATTEMPTS | The number of failed logon attempts until the user is locked | Extended | ABAP | 5 | <=5 |
| login/failed_user_auto_unlock | Enable automatic unlocking of a locked user at midnight | Extended | ABAP | 0 | 0 |
| PASSWORD_LOCK_EXPIRATION | Enable automatic unlocking of a locked user at midnight | Extended | ABAP | 0 | 0 |
| login/password_max_idle_productive | Maximum number of days a password (set by the user) can be unused (idle) | Extended | ABAP | 0 | >=1 and <=180 |
| MAX_PASSWORD_IDLE_PRODUCTIVE | Maximum number of days a password (set by the user) can be unused (idle) | Extended | ABAP | – | >=1 and <=180 |
| login/password_change_waittime | Password change possible after X days (from the last change) | Extended | ABAP | 1 | not empty |
| MIN_PASSWORD_CHANGE_WAITTIME | Password change possible after X days (from the last change) | Extended | ABAP | 1 | not empty |
| login/password_change_for_SSO | Support for forced password changes in single sign-on situations | Extended | ABAP | 1 | 3 |
| PASSWORD_CHANGE_FOR_SSO | Support for forced password changes in single sign-on situations | Extended | ABAP | 1 | 1 |
| login/password_history_size | Number of records to be kept in the password history | Extended | ABAP | 5 | >=5 |
| PASSWORD_HISTORY_SIZE | Number of records to be kept in the password history | Extended | ABAP | 15 | >=5 |
| login/password_hash_algorithm | Encoding and hashing algorithm used for new passwords | Extended | ABAP | encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsi | encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256 |
| ume.logon.security_policy.userid_in_password_allowed | The minimum number of digits in the user login ID | Extended | JAVA | FALSE | FALSE |
| ume.logon.security_policy.oldpass_in_newpass_allowed | Specifies whether the old password can be part of the new password | Extended | JAVA | FALSE | FALSE |
| ume.logon.security_policy.password_alpha_numeric_required | Minimum number of alphabetic and numeric characters in passwords | Extended | JAVA | 1 | individually defined rules |
| ume.logon.security_policy.password_mix_case_required | Minimum number of uppercase and lowercase letters in passwords | Extended | JAVA | 0 | individually defined rules |
| ume.logon.security_policy.password_special_char_required | Minimum number of special characters in passwords | Extended | JAVA | 0 | individually defined rules |
| gw/rem_start | Gateway parameter specifying how a remote CPIC program is started | Extended | ABAP | REMOTE_SHELL | DISABLED or SSH_SHELL |
| gw/rem_start | Gateway parameter specifying how a remote CPIC program is started | Extended | JAVA | REMOTE_SHELL | DISABLED or SSH_SHELL |
| gw/rem_start | Gateway parameter specifying how a remote CPIC program is started | Extended | RFC Gateway | REMOTE_SHELL | DISABLED or SSH_SHELL |
| ume.logon.security.enforce_secure_cookie | Secure cookie user management property | Extended | JAVA | TRUE | TRUE |
| ume.logon.httponlycookie | Browser cookie property that prevents client-side scripts from accessing the cookie | Extended | JAVA | FALSE | TRUE |
| login.ticket_lifetime | Validity period of logon tickets | Extended | JAVA | 8 | <=8 |
| enable.xml.hardener | Enabling the XML Hardener for Application Server Java | Extended | JAVA | TRUE | TRUE |

There are, of course, many more parameters in the SAP environment, and they go beyond the scope of the Security Baseline material discussed here. In this article we focused mainly on those that directly affect the security of the system.

In conclusion, a general awareness of SAP security parameter terminology and the related background is an important prerequisite for achieving the expected level of system security. Of course, not everyone has to be a security expert, but it is worth being involved and keeping track of SAP Security updates. This will allow you to identify threats and to judge when the help of experts in verifying security settings may be necessary. Ignoring, avoiding or even trying to circumvent the security mechanisms may pose a threat to the entire SAP environment. Transparency and simplicity are the keys to a successful implementation of security parameters.

It is also worth remembering that SAP security is not a one-time approach, but a continuous process of improvement.

SAP also provides dedicated tools that allow you to monitor security parameters such as SAP Focused Run, Enterprise Threat Detection or SAP Access Control. If you are interested in their operation, please visit our website www.grcadvisory.com and follow our blog grc.ninja.
