
Security levels for dialog users

We have been up on SAP for a couple of years now (4.5B) and mainly use IDoc processing within the EDI initiatives with Purchase Orders and Invoicing. We are starting to develop the payment transaction using IDocs as well. What is your recommendation for which security level to give to the dialog user established to process all of the IDocs created?

The IDoc dialog user should be defined as a CPIC user, so that nobody can log on with this user in dialog mode from a SAPGUI. I also recommend defining a single individual user for every distinct application, mainly for traceability. It would also be good to limit the authorization profile for the user to the very minimum necessary to post the IDocs from the IDoc handler. Post-processing of erroneous IDocs is done anyway by a fully authorized application user (a human).

Generally, your worries should mainly concentrate on abuse of the CPIC user by other departments or developers who use the CPIC user for purposes other than originally intended. The potential security risk from abuse by intruders is low, as you process the IDocs from behind your company firewall anyway, so the standard security mechanisms should have absolute priority and responsibility.

One general remark on security:
The very moment I disclose the principle of a security mechanism on a Web site, it is already contaminated. The more abstruse and unconventional a security strategy is, the better it is. E.g., a very effective way to secure your Windows workstation against intruders is to rename your Windows system directory WINDOWS, calling it LOOSE or JAVA instead. And most intruders would give up very soon if you labeled your USERID field as PASSWORD and the PASSWORD field as USERNAME. The fewer people who know how a security mechanism is implemented, the less likely it is to be hacked.
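The three recommendations in the answer above (no dialog logon for the IDoc user, a minimal authorization profile, one user per application) can be checked against a user-master export. The following is an added example, not code from the original Q&A or from SAP; it is a Python script that audits a constructed, tab-separated export. The user type codes follow USR02-USTYP (A = Dialog, B = System, C = Communication, the type the answer calls CPIC); the column names PROFILES and RFC_DESTINATIONS, the sample user names and the Z_* profiles are assumptions made for this example.

```python
"""Audit an SAP user-master export for IDoc/RFC service users.

Added example; not code from the original Q&A or from SAP. It assumes a
constructed, tab-separated export with the columns BNAME (user name),
USTYP (user type code as in USR02: A=Dialog, B=System, C=Communication/CPIC,
S=Service, L=Reference), PROFILES (comma-separated) and RFC_DESTINATIONS
(comma-separated RFC destinations whose logon user this is). The PROFILES
and RFC_DESTINATIONS columns are assumptions for this example.
"""

from dataclasses import dataclass

# User types that cannot log on interactively via SAPGUI.
NON_DIALOG_TYPES = {"B", "C"}

# Profiles that grant (nearly) everything; never appropriate for an IDoc posting user.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

USER_TYPE_NAMES = {
    "A": "Dialog", "B": "System", "C": "Communication (CPIC)",
    "S": "Service", "L": "Reference",
}

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
BNAME\tUSTYP\tPROFILES\tRFC_DESTINATIONS
EDI_ORDERS\tC\tZ_IDOC_ORDERS\tEDI_ORDERS_IN
EDI_INVOIC\tC\tZ_IDOC_INVOIC\tEDI_INVOIC_IN
EDI_PAYEXT\tA\tSAP_ALL\tEDI_PAYEXT_IN,DEV_TESTING,Z_REPORTING
ALEREMOTE\tB\tZ_ALE_MINIMAL\tALE_Q01
JSMITH\tA\tZ_PURCHASER\t
"""


@dataclass
class SapUser:
    name: str
    user_type: str
    profiles: frozenset
    destinations: tuple


def parse_export(text):
    """Parse the tab-separated export into SapUser records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    users = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split("\t")))
        split = lambda s: tuple(x for x in s.split(",") if x)
        users.append(SapUser(
            name=row["BNAME"],
            user_type=row["USTYP"],
            profiles=frozenset(split(row.get("PROFILES", ""))),
            destinations=split(row.get("RFC_DESTINATIONS", "")),
        ))
    return users


def audit(users):
    """Return (user, finding code, detail) for each violation of the three
    rules: no dialog logon, no broad profile, one user per application."""
    findings = []
    for u in users:
        if not u.destinations:
            continue  # not a service user behind an RFC destination; out of scope
        if u.user_type not in NON_DIALOG_TYPES:
            findings.append((u.name, "DIALOG_LOGON_POSSIBLE",
                             f"type {USER_TYPE_NAMES.get(u.user_type, u.user_type)}; expect B or C"))
        broad = sorted(u.profiles & BROAD_PROFILES)
        if broad:
            findings.append((u.name, "BROAD_PROFILE", ", ".join(broad)))
        if len(u.destinations) > 1:
            findings.append((u.name, "SHARED_ACROSS_APPLICATIONS",
                             ", ".join(u.destinations)))
    return findings


def audit_export(text):
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_export(text))


if __name__ == "__main__":
    for name, code, detail in audit_export(SAMPLE_EXPORT):
        print(f"{name:<12} {code:<28} {detail}")
```

Run against the constructed sample, only EDI_PAYEXT is reported, once for each rule: it is a dialog user, it holds SAP_ALL, and the same account sits behind three RFC destinations, so nothing in the audit log ties a posted payment IDoc to one application. The dialog user JSMITH is ignored because no RFC destination uses it; the check is about service users, not humans.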
