Enterprise Security Architecture for SAP Landscapes: Complete Technical Guide
Lead SAP Architect — Deep Research reports
About this AI analysis
Sarah Chen is an AI persona representing our flagship research author. Articles are AI-generated with rigorous citation and validation checks.
Sarah Chen, Lead SAP Architect — SAPExpert.AI Weekly Deep Research Series
Executive Summary
Enterprise SAP security is no longer a “Basis hardening + PFCG roles” problem—it is a multi-layer, identity-centric architecture spanning workforce IAM, service identities, network segmentation, application authorization, database controls, and security operations. Mature programs standardize on: (1) centralized SSO with MFA/conditional access, (2) governed provisioning + SoD + PAM, (3) DMZ entry patterns with end-to-end TLS, (4) least-privilege role engineering across ABAP/Fiori/HANA, (5) hardened integration standards (OAuth2/mTLS/SNC), and (6) continuous monitoring with SAP-to-SIEM detections.
Key recommendations:
- Treat SAP as multiple trust boundaries (browser/UI, APIs, RFC, batch, DB) and design explicit controls per boundary.
- Adopt “golden paths” for SSO, RFC/API authentication, certificate lifecycle, technical user ownership, and emergency access.
- Build detection engineering for SAP-specific events (Firefighter, trusted RFC creation, mass role changes, ICF activation).
- Automate drift control using baselines + configuration compliance + patch SLAs driven by SAP Security Notes/HotNews (SAP Security Notes and News).
Technical Foundation
1) The core reality: SAP security is multi-layer
SAP landscapes are ecosystems: ABAP, HANA, Web Dispatcher, Identity Providers, BTP services, API gateways, RFC/IDoc interfaces, batch schedulers, and admin channels. The strongest authorization design fails if:
- A technical RFC user is shared and never rotated.
- A DMZ Web Dispatcher forwards to internal services over plaintext.
- A HANA role grants CATALOG READ broadly.
- ICF services are activated “temporarily” and never closed.
Architectural principle: model SAP security as interlocking “planes” with explicit trust boundaries.
2) Reference architecture planes (practitioner view)
- Identity Plane (workforce + service identities, SSO, MFA)
- Access Governance Plane (request/provision/review, SoD, emergency access, PAM)
- Network & Connectivity Plane (DMZ patterns, segmentation, admin access)
- Application Plane (ABAP, Fiori/Gateway, Java where applicable, BTP runtimes)
- Data Plane (HANA encryption/audit, masking/ILM, backup security)
- Operations Plane (patching, logging, SIEM, incident response)
SAP’s own product guidance reinforces this layered approach:
- SAP HANA security features (auditing, encryption, privileges): SAP HANA Security Guide (SAP HANA Platform)
- SAP BTP security model and account isolation concepts: Security on SAP BTP
- SAP Cloud Identity Services (IAS/IPS) as the SAP cloud identity bridge: SAP Cloud Identity Services – Identity Authentication and Identity Provisioning
3) Threat model baseline (what actually gets exploited)
In 2025-era hybrid SAP programs, the highest-frequency enterprise risks are:
- Identity drift: mismatched identifiers (UPN vs SAP user), “shadow” local passwords, stale external users.
- Privileged access sprawl: excessive admins, uncontrolled debug/RFC/role maintenance.
- Interface sprawl: unknown RFC destinations, expiring certificates, shared integration users.
- Change-introduced exposure: new Fiori catalogs, activated OData/ICF services, expanded authorizations after upgrades.
- Insufficient detection: logging exists but no SAP-specific alert logic.
4) Prerequisites and non-negotiables
- Supported versions + patch discipline driven by SAP’s security note cadence (SAP Security Notes and News).
- Time synchronization (NTP) across app/DB/proxies for forensic correlation.
- Authoritative ownership model: IAM owns identity, Basis owns platform hardening, Security owns controls/monitoring, App teams own roles and business risk acceptance.
Implementation Deep Dive
A) Identity Plane: SSO, MFA, and service identities
Workforce SSO “golden path”
Target: corporate IdP (e.g., Microsoft Entra ID) → SAP Cloud Identity Services (IAS) → SAP apps.
- Browser-based apps (Fiori, WebGUI, BTP apps): SAML 2.0, enforce MFA and conditional access upstream.
- Intranet thick-client SSO: Kerberos/SPNEGO where appropriate; keep as a controlled exception.
Operational guidance for IAS is well-documented; use it as the stable SAP-side integration point.
Implementation pattern (high-value detail): attribute contract
Define a single “person key” used everywhere (commonly immutable HR personnel number or Entra employeeId) and map it consistently:
- IAS subject / NameID strategy
- ABAP user name mapping (where feasible)
- GRC/IAG identity keys
- SIEM identity correlation
This reduces false positives in SoD and accelerates incident response (you can reliably answer “who did this?”).
Service-to-service identities: stop using shared technical users
Prefer modern token-based methods where SAP supports them:
- OAuth 2.0 Client Credentials for APIs via SAP BTP/API Management/Integration Suite.
- mTLS for strong workload identity (especially DMZ-to-internal or partner APIs).
- SNC (Kerberos/X.509) for RFC where feasible; minimize password-based RFC users.
BTP security controls and trust configuration are foundational here.
Practical rule: if an interface can’t support OAuth/mTLS/SNC, then the compensating controls are mandatory:
- vault the secret (no spreadsheets),
- rotate on a defined SLA,
- restrict source IPs,
- restrict authorizations to the exact RFC function group/BAPI set,
- alert on logon failures + unusual call volume.
B) Access Governance Plane: SoD + provisioning + PAM (make it auditable)
SoD: design for remediation, not just detection
SoD programs fail when they only produce violations without operational escape routes. The architecture pattern that works:
- Baseline role redesign (task-based roles + derived roles)
- Risk-based SoD ruleset aligned to business processes
- Emergency access for real work continuity
- Continuous monitoring for “temporary” access that becomes permanent
If your program is transitioning to cloud governance, IAG is often part of the target stack.
PAM and emergency access (Firefighter done correctly)
Separation of identities:
- Named admin account for daily operations (MFA, least privilege)
- Break-glass account for emergencies (time-bound, workflow-approved, logged)
What “done correctly” adds beyond basics (often missed):
- Firefighter IDs have no dialog access unless a ticket exists.
- Firefighter usage triggers SIEM alerts and post-session review.
- OS/DB privileged sessions are recorded in the PAM tool and correlated with SAP Firefighter logs.
C) Network & Connectivity Plane: DMZ entry + admin isolation
DMZ reference pattern (internet-facing Fiori), as a Mermaid flowchart:
flowchart LR
U["User Browser"] --> WAF["WAF / Reverse Proxy"]
WAF --> WD["SAP Web Dispatcher (DMZ)"]
WD --> APP["ABAP App Server (Internal Zone)"]
APP --> HDB[("HANA DB Zone")]
SOC[("SIEM/SOC")] <-- Logs --> WAF
SOC <-- Logs --> WD
SOC <-- Logs --> APP
SOC <-- Audit --> HDB
Hard requirements:
- TLS from client→WAF, WAF→Web Dispatcher, Web Dispatcher→ICM (no “TLS only at the edge”).
- Deny-by-default firewalling; DMZ cannot initiate DB connections.
- Separate admin plane: jump hosts, device posture checks, MFA, session recording.
SAP Web Dispatcher security configuration should follow SAP’s guidance and be managed like code (profile under version control, changes via controlled pipeline).
D) Application Plane: ABAP, Fiori/Gateway, and secure runtime configuration
ABAP authorization: engineer for least privilege and upgrade resilience
Role build pattern
- Single roles (task) → derived roles (org-level fields) → composite roles (job)
- Avoid “stuffing” auth objects directly in production to fix tickets.
ABAP code pattern: explicit authorization checks
Use explicit checks for custom objects and sensitive actions—don’t rely purely on UI-based authorization.
DATA: lv_bukrs TYPE bukrs VALUE '1000'.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lv_bukrs
ID 'ACTVT' FIELD '03'. "Display
IF sy-subrc <> 0.
MESSAGE e398(00) WITH 'Not authorized to display company code' lv_bukrs.
ENDIF.
Advanced practice (not common, high impact): “negative authorization testing”
For each critical business role, maintain automated test cases that verify:
- expected access works,
- unexpected access fails (e.g., posting where only display is allowed).
This catches SU24 proposal changes and new authorization checks introduced by support packs before production.
Fiori/Gateway: control catalogs and services
Many breaches are not “role issues”—they’re service exposure issues. Controls to standardize:
- OData services activated only via approved change (not ad-hoc).
- Catalog governance: limit who can publish catalogs/spaces/pages.
- Monitor /IWFND/MAINT_SERVICE and ICF activation changes as high-risk events.
SAP Fiori authorization concepts are documented, but the operational gap is governance.
ABAP security-relevant parameters (baseline snippet)
Maintain a baseline per AS ABAP release and enforce drift control. Examples (illustrative—validate per release/support pack):
# Password & logon hardening
login/min_password_lng = 14
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/fails_to_user_lock = 5
login/password_expiration_time = 90
# Disable insecure legacy where possible
login/disable_password_logon = 1 # when SSO is fully implemented
# SNC for SAP GUI/RFC where implemented
snc/enable = 1
snc/identity/as = p:CN=PRD_S4, OU=SAP, O=ExampleCorp, C=US
snc/data_protection/use = 3
snc/data_protection/min = 2
# TLS hygiene (review ICM parameters per kernel)
icm/HTTPS/verify_client = 1
For authoritative, version-aligned parameter guidance, anchor to SAP’s ABAP security documentation.
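The drift control described above, as an added example that is not part of the original article or of any SAP tool: a Python check that parses an instance profile written in the same name = value form as the snippet (tolerating the trailing # comments used there) and compares it against a baseline with a per-parameter rule. The baseline rules, the sample profile text and the choice of parameters are assumptions for illustration; a real baseline must be aligned to the kernel release and support pack.

```python
"""Drift check for AS ABAP security-relevant profile parameters.

Added example (not from the original article). It compares an instance
profile (text in the same 'name = value' form as the snippet above) against
a baseline with per-parameter comparison rules. The baseline values, the
sample profile and the parameter set are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Baseline: parameter -> (rule, expected). Rules:
#   'min': numeric value must be >= expected (e.g. password length)
#   'max': numeric value must be <= expected (e.g. expiration days, lock threshold)
#   'eq' : string value must match exactly (e.g. snc/enable = 1)
BASELINE: Dict[str, Tuple[str, object]] = {
    "login/min_password_lng": ("min", 14),
    "login/min_password_digits": ("min", 1),
    "login/min_password_letters": ("min", 1),
    "login/min_password_specials": ("min", 1),
    "login/fails_to_user_lock": ("max", 5),
    "login/password_expiration_time": ("max", 90),
    "snc/enable": ("eq", "1"),
    "snc/data_protection/min": ("min", 2),
    "icm/HTTPS/verify_client": ("min", 1),
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_/.-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment; a later entry wins,
    which mirrors how a duplicated parameter behaves in a profile file."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comment
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_drift(params: Dict[str, str]) -> List[str]:
    """Return one finding per parameter that is missing or violates its
    baseline rule. An empty list means no drift against the baseline."""
    findings: List[str] = []
    for name, (rule, expected) in BASELINE.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: not set (kernel default applies), baseline {rule} {expected}")
            continue
        if rule == "eq":
            if actual != str(expected):
                findings.append(f"{name}: {actual!r} != required {expected!r}")
            continue
        try:
            val = int(actual)
        except ValueError:
            findings.append(f"{name}: non-numeric value {actual!r}")
            continue
        if rule == "min" and val < int(expected):
            findings.append(f"{name}: {val} below baseline minimum {expected}")
        elif rule == "max" and val > int(expected):
            findings.append(f"{name}: {val} above baseline maximum {expected}")
    return findings


# Constructed sample profile: three parameters drift, one is not set at all.
SAMPLE_PROFILE = """\
# PRD instance profile (constructed sample)
login/min_password_lng = 8            # too short
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 0       # below baseline
login/fails_to_user_lock = 5
login/password_expiration_time = 365  # too long
snc/enable = 1
snc/data_protection/min = 2
# icm/HTTPS/verify_client is not set, so the kernel default applies
"""

if __name__ == "__main__":
    for finding in check_drift(parse_profile(SAMPLE_PROFILE)):
        print("DRIFT:", finding)
```

Run it against the profile exported from each instance (or the values read from RZ11) on a schedule, and feed the findings into the same ticketing flow as a failed patch SLA; a parameter that is simply absent is reported too, because the kernel default is rarely the hardened value.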
E) Data Plane: HANA least privilege, auditing, and encryption
HANA roles: separate duties and avoid SYSTEM sprawl
Implement:
- Admin roles for DBAs (restricted, controlled, logged)
- App schema roles (minimal object privileges)
- Analytic privileges for data access in reporting scenarios
Example: create a least-privilege reporting role:
CREATE ROLE Z_FIN_REP_READ;
GRANT SELECT ON SCHEMA S4FIN TO Z_FIN_REP_READ;
-- Avoid broad system privileges unless required
-- GRANT CATALOG READ, DATA ADMIN, etc. only to controlled admin roles
HANA auditing: treat as a security product, not a checkbox
Example audit policy:
CREATE AUDIT POLICY "Z_AUDIT_PRIVILEGE_CHANGES"
AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE, CREATE ROLE, DROP ROLE
LEVEL INFO
TRAIL TYPE SYSLOG;
-- A new policy is created disabled; nothing is written until it is enabled
ALTER AUDIT POLICY "Z_AUDIT_PRIVILEGE_CHANGES" ENABLE;
-- Global auditing must also be switched on (per tenant in a multi-container system)
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM')
SET ('auditing configuration','global_auditing_state') = 'true'
WITH RECONFIGURE;
Use SAP guidance for exact syntax and supported trails/targets.
Encryption & key management
Enable:
- TLS for all HANA client connections
- encryption at rest (data volume) where required
- encrypted backups with controlled key access (KMS/HSM integration when mandated)
F) Operations Plane: patching, logging, and SAP-specific detection engineering
Patch discipline
Define SLAs by severity:
- SAP HotNews: 72 hours (or less in regulated environments)
- High: 14 days
- Medium: 30–60 days
Use SAP’s own security note process as the control anchor.
Logging-to-SIEM: prioritize high-signal SAP events
Minimum high-value sources:
- ABAP Security Audit Log (SM19/SM20; RSAU_CONFIG/RSAU_READ_LOG on current releases)
- ICM and Web Dispatcher access/error logs
- Gateway logs (OData failures, activation changes)
- HANA audit logs
- OS auth logs + EDR telemetry
Detection ideas that consistently catch real incidents:
- Emergency access activation (Firefighter) outside change windows
- New/changed trusted RFC relationships
- Mass role changes in PFCG
- New RFC destinations or changed targets
- New ICF service activations in productive clients
- Background jobs scheduled by unusual users or outside patterns
If you use SAP’s threat-focused tooling, align it with these use-cases.
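The detection ideas above, as an added example that is not from the original article or from any SAP product: Python detection logic run over SIEM-normalized events. The flat event schema (ts, system, client, user, category, details), the category names, the change window, the thresholds and the sample events are all constructed for illustration; when implementing, map them to your real sources (Security Audit Log, change documents, RFC destination change logs, Firefighter logs).

```python
"""SAP-specific detections over normalized security events.

Added example (not from the original article, not SAP's own code). Assumes
events have been forwarded to the SIEM and normalized into a flat schema:
ts (ISO-8601, UTC), system, client, user, category, details (dict).
Categories, field names, change windows, thresholds and sample events are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Approved change windows (UTC); Firefighter use outside them is suspicious.
CHANGE_WINDOWS = [(datetime(2025, 3, 14, 20, 0), datetime(2025, 3, 15, 2, 0))]
MASS_ROLE_THRESHOLD = 10                  # role changes by one user ...
MASS_ROLE_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def in_change_window(t: datetime) -> bool:
    return any(start <= t <= end for start, end in CHANGE_WINDOWS)


def firefighter_outside_window(events: List[Dict]) -> List[str]:
    """Emergency access activation outside an approved change window."""
    return [f"FF_OUTSIDE_WINDOW user={e['user']} ffid={e['details'].get('ffid')} ts={e['ts']}"
            for e in events
            if e["category"] == "FIREFIGHTER_START" and not in_change_window(_ts(e))]


def mass_role_changes(events: List[Dict]) -> List[str]:
    """Sliding window per (system, user): alert once the number of PFCG role
    changes inside MASS_ROLE_WINDOW reaches MASS_ROLE_THRESHOLD."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["category"] == "PFCG_ROLE_CHANGE":
            by_user[(e["system"], e["user"])].append(_ts(e))
    alerts = []
    for (system, user), times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > MASS_ROLE_WINDOW:
                start += 1
            if end - start + 1 >= MASS_ROLE_THRESHOLD:
                alerts.append(f"MASS_ROLE_CHANGE system={system} user={user} count={end - start + 1}")
                break  # one alert per user per batch is enough
    return alerts


def rfc_and_service_changes(events: List[Dict], prod_clients=("100",)) -> List[str]:
    """New trusted-RFC relationships, retargeted RFC destinations and ICF
    activations in productive clients are alert-worthy regardless of volume."""
    alerts = []
    for e in events:
        if e["client"] not in prod_clients:
            continue
        d = e["details"]
        if e["category"] == "TRUSTED_RFC_CREATE":
            alerts.append(f"NEW_TRUSTED_RFC system={e['system']} trusts={d.get('trusted_system')} by={e['user']}")
        elif e["category"] == "RFC_DEST_CHANGE" and d.get("old_target") != d.get("new_target"):
            alerts.append(f"RFC_DEST_RETARGET system={e['system']} dest={d.get('dest')} "
                          f"{d.get('old_target')}->{d.get('new_target')} by={e['user']}")
        elif e["category"] == "ICF_ACTIVATE":
            alerts.append(f"ICF_ACTIVATED system={e['system']} service={d.get('service')} by={e['user']}")
    return alerts


def run_detections(events: List[Dict]) -> List[str]:
    return (firefighter_outside_window(events)
            + mass_role_changes(events)
            + rfc_and_service_changes(events))


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-03-14T21:00:00", "system": "PRD", "client": "100", "user": "ALICE",
     "category": "FIREFIGHTER_START", "details": {"ffid": "FF_BASIS_01"}},  # inside window
    {"ts": "2025-03-16T03:12:00", "system": "PRD", "client": "100", "user": "BOB",
     "category": "FIREFIGHTER_START", "details": {"ffid": "FF_BASIS_01"}},  # outside window
    {"ts": "2025-03-16T03:20:00", "system": "PRD", "client": "100", "user": "BOB",
     "category": "TRUSTED_RFC_CREATE", "details": {"trusted_system": "DEV"}},
    {"ts": "2025-03-16T03:25:00", "system": "PRD", "client": "100", "user": "BOB",
     "category": "RFC_DEST_CHANGE",
     "details": {"dest": "ZPAY_BANK", "old_target": "bank.example.com", "new_target": "203.0.113.10"}},
    {"ts": "2025-03-16T03:30:00", "system": "PRD", "client": "200", "user": "BOB",
     "category": "ICF_ACTIVATE", "details": {"service": "/sap/bc/soap/rfc"}},  # non-prod client: ignored
] + [
    {"ts": f"2025-03-16T03:{31 + i:02d}:00", "system": "PRD", "client": "100", "user": "BOB",
     "category": "PFCG_ROLE_CHANGE", "details": {"role": f"Z_ROLE_{i:02d}"}}
    for i in range(12)  # 12 role changes in 11 minutes: mass-change alert
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The three rules deliberately differ in shape: the Firefighter rule is a pure allowlist (time window), the role-change rule is a rate threshold, and the RFC/ICF rules fire on a single event because one retargeted payment destination is already an incident. Tune the client list and thresholds per system role rather than globally.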
Advanced Scenarios
1) Zero Trust admin access for SAP (beyond “use a jump server”)
A robust Zero Trust admin pattern includes:
- Dedicated admin workstations (hardened, monitored)
- Conditional access (device compliance + location + risk)
- Bastion/jump hosts in a separate admin subnet
- Per-session privilege elevation (no standing access)
- Session recording for OS/DB + correlation to SAP change tickets
- Just-in-time firewall rules (time-bound openings)
Novel insight: correlate SAP privileged actions to infrastructure privileged sessions. Most programs record PAM sessions but can’t answer: “Which SAP change was executed during this root session?” Fix by enforcing ticket ID entry at PAM session start and propagating it to SAP change documentation.
2) Integration security standard: one table that prevents 80% of interface risk
Create an Interface Registry with mandatory fields:
- Owner (business + technical), data classification
- Protocol (RFC/IDoc/HTTP/OData/Event)
- Auth method (SNC/mTLS/OAuth/password)
- Secret/cert location (vault, keystore), rotation SLA, last rotation date
- Network path (zones crossed, firewall rules, allowlists)
- Monitoring (what logs, what alerts, what thresholds)
Enforcement pattern: no interface goes live until:
- registry entry exists,
- secrets are vaulted,
- monitoring is enabled,
- incident response steps are documented.
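The go-live gate above, together with the compensating-control rule from the Identity Plane section (vaulted secret, rotation SLA, source-IP restriction, restricted authorizations, alerting), as one added example that is not from the original article: a policy-as-code check over Interface Registry entries. The field names, the protocol-to-auth-method table, the sample entries and the as-of date are constructed for illustration; the real registry export will have its own column names.

```python
"""Go-live gate for the Interface Registry.

Added example (not from the original article). Each registry entry is checked
against the article's rules: the auth method must be one the protocol
supports, password-based interfaces must carry every compensating control,
stored secrets must not be overdue for rotation, and owners, monitoring and
an IR runbook must exist. Field names, the allowed-method table, the sample
entries and the as-of date are constructed for illustration.
"""
from datetime import date
from typing import Dict, List

# Acceptable auth methods per protocol (constructed policy table).
ALLOWED_AUTH = {
    "RFC":   {"SNC", "password"},
    "IDoc":  {"SNC", "password"},
    "HTTP":  {"mTLS", "OAuth", "password"},
    "OData": {"mTLS", "OAuth", "password"},
    "Event": {"mTLS", "OAuth"},
}
# Controls that become mandatory when an interface still uses a password.
COMPENSATING = ("secret_vaulted", "rotation_sla_days", "source_ip_allowlist",
                "restricted_authorizations", "monitoring_enabled")
AS_OF = date(2025, 3, 20)  # constructed evaluation date


def check_entry(e: Dict, today: date) -> List[str]:
    """Return the blocking findings for one registry entry; empty means the
    interface may go live."""
    findings: List[str] = []
    name = e.get("name", "<unnamed>")
    for field in ("business_owner", "technical_owner", "ir_runbook"):
        if not e.get(field):
            findings.append(f"{name}: missing {field}")
    proto, auth = e.get("protocol"), e.get("auth_method")
    if auth not in ALLOWED_AUTH.get(proto, set()):
        findings.append(f"{name}: auth method {auth!r} not approved for protocol {proto!r}")
    if not e.get("monitoring_enabled"):
        findings.append(f"{name}: monitoring not enabled")
    if auth == "password":
        for ctrl in COMPENSATING:
            if not e.get(ctrl):
                findings.append(f"{name}: password-based interface lacks control {ctrl}")
    # Rotation check applies to any stored secret or certificate, not only passwords.
    sla, last = e.get("rotation_sla_days"), e.get("last_rotation")
    if sla and last:
        age = (today - date.fromisoformat(last)).days
        if age > sla:
            findings.append(f"{name}: secret rotated {age} days ago, SLA is {sla} days")
    return findings


def gate(entries: List[Dict], today: date) -> Dict[str, List[str]]:
    """Map each blocked interface name to its findings (compliant ones are omitted)."""
    return {e["name"]: f for e in entries if (f := check_entry(e, today))}


# Constructed registry sample: one compliant SNC interface, one password RFC
# with a stale secret and no allowlist, one OData interface with an unapproved method.
SAMPLE_REGISTRY = [
    {"name": "MES_PLANT01", "protocol": "RFC", "auth_method": "SNC",
     "business_owner": "plant.ops", "technical_owner": "sap.basis", "ir_runbook": "RB-017",
     "secret_vaulted": True, "rotation_sla_days": 365, "last_rotation": "2025-01-10",
     "source_ip_allowlist": True, "restricted_authorizations": True, "monitoring_enabled": True},
    {"name": "LEGACY_WMS", "protocol": "RFC", "auth_method": "password",
     "business_owner": "warehouse", "technical_owner": "sap.basis", "ir_runbook": "RB-021",
     "secret_vaulted": True, "rotation_sla_days": 30, "last_rotation": "2024-11-01",
     "source_ip_allowlist": False, "restricted_authorizations": True, "monitoring_enabled": True},
    {"name": "PARTNER_ODATA", "protocol": "OData", "auth_method": "SNC",
     "business_owner": "sales", "technical_owner": None, "ir_runbook": "RB-030",
     "secret_vaulted": True, "rotation_sla_days": 90, "last_rotation": "2025-03-01",
     "source_ip_allowlist": True, "restricted_authorizations": True, "monitoring_enabled": True},
]

if __name__ == "__main__":
    for iface, findings in gate(SAMPLE_REGISTRY, AS_OF).items():
        print(iface, "BLOCKED:", *findings, sep="\n  ")
```

Run the same check on a schedule, not only at go-live: the rotation rule is what turns "last rotation date" from a registry field into a continuous control, and an interface that passed the gate a year ago fails it the day its secret exceeds the SLA.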
For OAuth-centric patterns in BTP, standardize flows per integration type:
- machine-to-machine: OAuth client credentials
- principal propagation: OAuth JWT bearer / SAML bearer (where supported)
SAP BTP guidance:
- SAP BTP Destination Service – Security
- SAP Integration Suite – Security
3) Transport & change security: move from “approved transports” to “trusted pipelines”
Common gap: CTS approvals exist, but the pipeline itself isn’t secured (shared transport organizer accounts, unreviewed emergency changes, lack of segregation between developers and production deployers).
Advanced pattern:
- Use CI-style gates for ABAP changes (ATC checks, forbidden statements, security checks).
- Restrict who can import to production; use named deployer accounts with MFA.
- Implement tamper-evidence: signed commits and traceability for gCTS-managed artifacts where applicable.
4) HANA + ABAP “two-layer authorization” without chaos
A frequent architecture mistake is duplicating access rules in ABAP roles and HANA roles inconsistently. A workable approach:
- ABAP remains the primary authorization system for transactions and business actions.
- HANA privileges are minimized to schema/object needs; analytic privileges are used deliberately for reporting models.
- Any direct DB access (BI tools) is treated as a separate product with its own access governance and SoD controls.
Real-World Case Studies
Case 1: Global manufacturer — killing “immortal” RFC users
Problem: Hundreds of plant-floor RFC destinations used shared users with passwords unchanged for years. No ownership; audit findings recurring.
Implementation:
- Built an interface registry and assigned owners per destination.
- Migrated critical RFCs to SNC with Kerberos where feasible; remaining password-based users moved to a vault with 30-day rotation.
- Reduced RFC authorizations to a whitelist of required function modules/BAPIs; removed broad objects.
- SIEM alerts added for: failed RFC logons, new destinations, destination target changes.
Outcome: audit findings closed; incident response improved because each destination had an owner and a runbook.
Case 2: Retail S/4HANA + Fiori — stopping “accidental app exposure”
Problem: Post-upgrade, new Fiori catalogs and activated OData services expanded access unexpectedly.
Implementation:
- Treated OData service activation and catalog publishing as security-controlled changes.
- Implemented “negative authorization tests” for key business roles in pre-prod.
- Added monitoring for /IWFND/MAINT_SERVICE changes and ICF service activation in productive clients.
Outcome: prevented repeat incidents; change teams gained a reliable pre-prod signal before go-live.
Case 3: Regulated pharma — audit-grade privileged access
Problem: SOX/GxP required immutable audit trails for privileged actions across SAP and HANA.
Implementation:
- Firefighter with mandatory reason code + post-review.
- PAM session recording for OS/HANA admin tasks.
- HANA auditing enabled with syslog forwarding; ABAP Security Audit Log forwarded to SIEM.
- Quarterly drills validated break-glass and IR steps.
Outcome: passed audits with evidence quality improvements; reduced privileged standing access.
Strategic Recommendations
- Publish an SAP Security Reference Architecture (SRA) using the six planes. Include trust boundaries, standard entry patterns, and approved authentication methods per interface type. Make it the design authority for projects.
- Standardize “golden paths” that engineers can follow without debate:
- SSO pattern (SAML/OIDC via IAS where appropriate)
- RFC security pattern (SNC or tightly controlled technical users)
- API pattern (OAuth2 + mTLS; API management)
- Certificate lifecycle (inventory + automated renewal + ownership)
- Move from annual controls to continuous controls monitoring (CCM):
- detect role/RFC/service activation drift,
- enforce patch SLAs tied to SAP HotNews,
- continuously reconcile technical users, owners, and rotations.
- Invest in SAP-specific detection engineering: build SOC playbooks for “disable RFC destination”, “revoke cert”, “lock user”, “deactivate ICF service”, “remove trusted RFC”, and “contain app server”.
- Plan for cryptographic agility: certificate rotation at scale, TLS policy modernization, and key management integration, because expired certificates and weak TLS configuration are a recurring source of SAP outages and audit findings.
Resources & Next Steps
Official SAP documentation (anchor set)
- Identity and SSO foundation: SAP Cloud Identity Services (Identity Authentication and Identity Provisioning)
- Platform and data security: SAP HANA Security Guide (SAP HANA Platform)
- Cloud and integration: Security on SAP BTP; SAP BTP Destination Service and SAP Integration Suite security documentation
- Security patch anchor: SAP Security Notes and News
Immediate action items (2-week sprint)
- Inventory: privileged users, RFC destinations, active ICF services, expiring certificates.
- Define: approved auth methods per interface class; patch SLAs.
- Implement: SIEM alerts for Firefighter, trusted RFC changes, mass role changes, ICF/OData activation.