How to secure an SAP installation with disaster recovery

A SearchSAP.com reader wants to know how to secure an SAP installation using disaster recovery, and if there is a way to verify and implement SAP security guidelines.

There are two crucial questions that every SAP technical consultant or administrator should ask and answer regularly: How do I keep my SAP implementation safe from unauthorized access, and what should I do if that happens?

Network Security
SAP security spans several layers. The first is the network: work with your networking team to secure it. Next is access to the operating system and database on which the SAP system runs; for this, consult your system and database administrator. The most common mistake is leaving the standard passwords of the SAP database schema users unchanged.

Finally, there is SAP. Books have been written on SAP roles and authorizations. Many SAP customers have dedicated authorization administrators who spend their entire day modifying and assigning the proper authorizations and roles to the correct people. The best starting point would be the Security pages in the Service Marketplace. How-to guides with SAP security guidelines exist for almost all SAP components.

For more detailed information on SAP roles and authorizations, I warmly recommend SAP Security and Authorizations and The SAP Authorization System, both published by SAP-PRESS.

Disaster Recovery
If you do not have a suitable backup strategy, external factors, physical errors, and logical errors can cause system downtime and may lead to data loss. If data is lost due to external factors such as water damage to your hardware, physical errors such as hardware failure, or logical errors such as an unintentionally deleted table, you must recover the database up to the point in time when the database crashed. If a full recovery is possible, only the data of uncommitted transactions before the error will be lost.

Your backup strategy must be designed according to the needs of your company. To ensure the availability of your SAP R/3 system, your backup strategy must be carefully tested before the R/3 system goes live, and after any changes to your backup strategy.

Consider the following when you set up your backup strategy:

  • Consider how long you can afford to shut down the SAP R/3 system for each of the above scenarios.

  • Consider how much production data you can afford to lose. This determines the point-in-time recovery needed.

To ensure that the correct actions are performed for each of the scenarios, create a document containing organizational descriptions of procedures and an escalation plan. This document must be approved by management and understood by the person who performs the database restore and recovery.

You should evaluate and implement the most suitable backup type and method for your company. SAP recommends a 28-day backup cycle. In my experience, every company should define its own.

For a starting point, have a look at the system management pages on the SAP Service Marketplace and the backup/recovery section in the SAP NetWeaver documentation.
