SAP Security - Windows Platform

You need to create different users and groups on the Windows platform to run your SAP system securely. To ease user management, it is suggested to add all Windows NT users to a user group that has the correct access rights at OS level. In the Windows operating system, there are different group levels −

  • Global Groups
  • Local Groups

Global Groups

Global groups in Windows are available at domain level and can be used to assign users from multiple servers. Global groups are available to all servers in one domain.

You can name global groups as you see fit. However, it is recommended to follow the naming convention used by the SAP R/3 System Installation: the standard global group for SAP System Administrators is defined as SAP_<SID>_GlobalAdmin.

On the Windows platform, there are various commonly created global groups that can be used to run an SAP system −

  • SAPadmin − This group contains a list of all SAP System Administrators.

  • SAPusers − This group contains a list of all SAP Application Users.

  • SAPservices − This group contains a list of all SAP System Programs.

  • Domain Admin − This group contains a list of all administrators from all domains.

Local Groups

Local groups in Windows Platform are limited to one server in a domain. During the installation, rights are assigned to individual users and not groups. However, it is recommended that you assign access rights to local groups instead of single users.

Local groups are used to increase the security of the Windows environment in shared domains. You can further assign global users and global groups to a local group. You can create a local group with any name, but it is recommended that you name it SAP_<SID>_LocalAdmin.

You can define various relations between users, local groups and global groups −

  • A single user can be a part of a global group and a local group as well.
  • You can also include a global group in a local group.
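
The nesting described above (global group inside a local group, with rights held by the local group rather than by single users) can be set up and checked with the built-in LocalAccounts cmdlets. This is an added example, not part of the original tutorial; the function name `Set-SapLocalAdminGroup`, the SID `PRD` and the domain `CONTOSO` are assumptions.

```powershell
# Added example. Set-SapLocalAdminGroup, PRD and CONTOSO are hypothetical names.
# Run from an elevated PowerShell session on the SAP server.
function Set-SapLocalAdminGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # SAP system ID: three alphanumeric characters, starting with a letter
        [Parameter(Mandatory)][ValidatePattern('^[A-Z][A-Z0-9]{2}$')][string]$SapSid,
        # NetBIOS name of the domain that holds the global group
        [Parameter(Mandatory)][string]$Domain
    )

    $localName  = "SAP_${SapSid}_LocalAdmin"
    $globalName = "$Domain\SAP_${SapSid}_GlobalAdmin"

    # 1. Create the local group only if it does not exist yet.
    if (-not (Get-LocalGroup -Name $localName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($localName, 'Create local group')) {
            New-LocalGroup -Name $localName `
                -Description "SAP $SapSid local administrators" | Out-Null
        }
    }

    # 2. Nest the domain global group inside the local group (idempotent).
    $members = @(Get-LocalGroupMember -Group $localName -ErrorAction SilentlyContinue)
    if ($members.Name -notcontains $globalName) {
        if ($PSCmdlet.ShouldProcess($localName, "Add member $globalName")) {
            Add-LocalGroupMember -Group $localName -Member $globalName
            $members = @(Get-LocalGroupMember -Group $localName)
        }
    }

    # 3. Audit: accounts added directly bypass the group model, so report them.
    $directUsers = @($members | Where-Object ObjectClass -eq 'User')
    foreach ($u in $directUsers) {
        Write-Warning "$($u.Name) is a direct member of $localName; move it to $globalName"
    }
    $directUsers | Select-Object Name, PrincipalSource
}

# Preview the changes without applying them:
Set-SapLocalAdminGroup -SapSid 'PRD' -Domain 'CONTOSO' -WhatIf
```

Remove `-WhatIf` to apply the changes; an empty result from step 3 means every member of the local group is itself a group.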

Standard Users in a Windows Platform

When you run SAP system on a Windows platform, there are standard users that should be carefully managed. The following are some of the standard users in Windows −

Windows NT User

  • Administrator − Administrator accounts with access to all the resources.

  • Guest − An account with only guest access to all the resources in the system.

SAP System User

  • <SID>ADM − SAP System Administrator with full access to all SAP resources.

  • SAPService<SID> − Special user responsible to run SAP services.

Database Users

  • <DBService> − To run database-specific services on the Windows platform.

  • <DBuser> − Database user to perform general DB operations.

Also, note that the Administrator and Guest users are created during the installation process and are used to perform Windows-specific tasks. All these users should be protected on a Windows platform.