We have been up on SAP for a couple of years now (4.5B) and mainly use IDoc processing within the EDI initiatives with Purchase Orders and Invoicing. We are starting to develop the payment transaction using IDocs as well. What is your recommendation for which security level to give to the dialog user established to process all of the IDocs created?
The IDoc dialog user should be defined as CPIC user, so that nobody can logon with this user in dialog mode from a SAPGUI. I also recommend to define a single individual user for every distinct application, mainly for traceability. It would also be good to limit the authorization profile for the user to the very minimum necessary to post the IDocs from the IDoc handler. Post-processing of erroneous IDocs is done anyway by a fully authorized application user (a human).
Generally, your worries should mainly concentrate on an abuse of the CPIC user by some other departments or developers who use the CPIC user for other purposes than originally intended. A potential security risk from abuse by intruders is low as you process the IDocs from behind your company firewall anyway, so the standard security mechanisms should have absolute priority and responsibility.
One general remark on security:
The very moment I disclose a security mechanism principle on a Web site it is already contaminated. A security strategy is the better the more abstruse and unconventional it is. E.g. it is a very effective way to secure your Windows workstation against intruders by renaming your Windows system directory WINDOWS, e.g. by calling it LOOSE or JAVA instead. And most intruders would give up very soon if you labeled your USERID field as PASSWORD and the PASSWORD field as USERNAME. The fewer people know about the way a security mechanism is implemented, the more unlikely it is hacked.
Dig Deeper on SAP security
Related Q&A from Axel Angeli
An SAP user wants to know how to upload data into SAP R/3 when SAP Scripting is not enabled. Continue Reading
An SAP user is receiving an error message while integrating SAP iDoc PORDCR1 for a purchase order. Continue Reading
An SAP user is having difficulty with PERNR iDoc while transporting data from SAP to an external system. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.