Enterprise resource planning (ERP) systems are the digital fortresses of a company. From financial data to customer information, from production secrets to strategic plans — the most valuable assets are safeguarded behind these fortress walls. And at the heart of this fortress lies the key: SAP systems. But how strong are these digital walls? In most cases, the greatest threats aren’t complex cyberattacks from the outside, but security vulnerabilities and basic mistakes left unnoticed within.
SAP system security is no longer just the responsibility of an IT department. It has become a critical business continuity and reputation risk that must be addressed at the board level. A security breach can lead not only to millions of dollars in financial loss but also to damaged customer trust and irreparable harm to corporate reputation.
In this article, we will examine the most common and often overlooked critical security mistakes in the SAP Basis layer. More importantly, we will clearly explain the right approaches you should take to prevent these mistakes and fortify your SAP infrastructure like armor.
1. Default and Weak Password Policies
This is the most basic yet dangerous mistake. Failing to change default passwords that come with an SAP installation (such as for DDIC or SAP* users) is like leaving the door wide open for uninvited guests. Likewise, allowing users to create easily guessable passwords like “123456” or “companyname1” — without enforcing password complexity, minimum length, or regular password changes — leaves your system vulnerable even to the simplest brute-force attacks.
✅ The Right Approach:
Use system profile parameters (RZ10/RZ11) to define mandatory security policies for all users.
Examples of key parameters:
Adjust parameters such as login/min_password_lng (minimum password length), login/password_expiration_time (password validity period), and login/password_history_size (restrict reuse of old passwords) according to your corporate standards.
Extra Security:
Wherever possible, integrate Multi-Factor Authentication (MFA/2FA) solutions to add an additional layer of protection.

2. Granting Excessive Privileges to Unnecessary Users
User authorization is one of the cornerstones of security in SAP systems. In many cases, emergency fixes or the need to quickly provide access to a new user result in the temporary assignment of SAP_ALL or SAP_NEW profiles — and unfortunately, these profiles often become permanent. These profiles give users unrestricted rights to view, modify, and delete any data in the system. This not only poses an incredible risk if exploited by a malicious attacker, but also opens the door to potential misuse by internal users. Such scenarios could lead to data leaks, financial fraud, or even sabotage of the system.
💡 Example:
Granting an account executive access to the accounting system could compromise data integrity and violate corporate policies.
✅ The Right Approach:
Never grant a user more privileges than necessary to perform their job.
- Manage authorizations according to the Principle of Least Privilege.
- Ensure each user has only the permissions relevant to their job role. Achieve this by carefully designing composite and single roles. Although role redesign can be time-consuming, it offers one of the highest returns on your security investment.
- Use SAP GRC (Governance, Risk, and Compliance) tools to perform authorization reviews.
- For emergencies, implement controlled and logged temporary superuser access mechanisms such as Firefighter.
- Regularly review user role assignments to ensure compliance with security policies.
3. Leaving High-Risk Standard Users Unprotected
Every SAP system includes standard users like SAP*, DDIC, and EARLYWATCH — accounts that are well-known and thoroughly documented. If their passwords aren’t changed and these accounts aren’t locked, they become prime targets for attackers. In particular, under certain misconfigurations, the SAP* account could allow access to the system even without knowing its password.
✅ The Right Approach:
Step 1: Immediately after installation, change the default passwords of users like SAP* and DDIC to complex, strong passwords.
Step 2: Lock these accounts and regularly monitor their lock status and any login attempts.
Step 3: Disable the special SAP* behavior by setting the login/no_automatic_user_sapstar parameter to 1.
4. Keeping User Accounts Permanently Active
User accounts created for projects or temporary assignments often remain active even after the task is complete. These uncontrolled accounts can provide easy entry points for malicious access.
✅ The Right Approach:
- Set time limits for user accounts where appropriate.
- Regularly deactivate or delete unused accounts.
- Enforce automatic session timeouts to minimize the risk from unattended sessions.
- Generate and review last login reports to identify and manage inactive accounts.

5. Failing to Change Default System Settings
Many SAP systems keep running with their installation defaults even once they move into production. This creates significant vulnerabilities, particularly regarding system access and password policies.
✅ The Right Approach:
- Disable or secure default user accounts (such as SAP* and DDIC) with strong, unique passwords.
- Customize password policies to align with your corporate security standards.
- Ensure that development, testing, and production environments are clearly separated and managed independently.
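Sections 1, 3 and 5 all come down to a handful of profile parameters, and the practical check is to compare what the profile actually says against a written baseline. The following script is an added example for this article, not SAP tooling or a product of the author: it parses a constructed DEFAULT.PFL-style fragment (the `name = value` lines with `#` comments that SAP profile files use) and reports every parameter that is weaker than the baseline, missing, or non-numeric. The `login/*` parameters are the ones named above; `rdisp/gui_auto_logout` (GUI inactivity timeout in seconds) and `snc/enable` are standard SAP parameters added here for the session-timeout and SNC recommendations elsewhere in the article. The threshold values are illustrative assumptions and must be replaced with your corporate standard.

```python
"""Audit an SAP profile file against a hardening baseline.
Added illustration, not SAP tooling. SAMPLE_PROFILE is a constructed fragment
of a freshly installed instance; baseline thresholds are illustrative."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample profile (not taken from a real system).
SAMPLE_PROFILE = """\
# DEFAULT.PFL-style fragment, constructed for this example
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/password_expiration_time = 0
login/password_history_size = 5
login/no_automatic_user_sapstar = 0
rdisp/gui_auto_logout = 0
"""


@dataclass(frozen=True)
class Rule:
    param: str
    lo: Optional[int]   # inclusive lower bound, None = open
    hi: Optional[int]   # inclusive upper bound, None = open
    why: str


# Illustrative baseline (assumed values). The login/* parameters are the ones the
# article names; rdisp/gui_auto_logout and snc/enable are standard SAP parameters
# added for the session-timeout and SNC recommendations.
BASELINE = [
    Rule("login/min_password_lng", 12, None, "minimum password length"),
    Rule("login/password_expiration_time", 1, 90, "password validity in days (0 = never expires)"),
    Rule("login/password_history_size", 5, None, "old passwords that cannot be reused"),
    Rule("login/no_automatic_user_sapstar", 1, 1, "disable the automatic SAP* fallback logon"),
    Rule("rdisp/gui_auto_logout", 1, 1800, "idle seconds before automatic logout (0 = never)"),
    Rule("snc/enable", 1, 1, "Secure Network Communications enabled"),
]


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines; comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def expected_text(rule: Rule) -> str:
    if rule.lo is not None and rule.hi is not None:
        return str(rule.lo) if rule.lo == rule.hi else f"{rule.lo}..{rule.hi}"
    return f">= {rule.lo}" if rule.lo is not None else f"<= {rule.hi}"


def audit_profile(text: str, baseline=BASELINE) -> list:
    """One finding per rule. A parameter not set explicitly is 'missing': the kernel
    default then applies and should be verified in RZ11 rather than assumed."""
    params = parse_profile(text)
    findings = []
    for rule in baseline:
        actual = params.get(rule.param)
        if actual is None:
            status = "missing"
        else:
            try:
                n = int(actual)
            except ValueError:
                status = "invalid"
            else:
                in_range = (rule.lo is None or n >= rule.lo) and (rule.hi is None or n <= rule.hi)
                status = "ok" if in_range else "fail"
        findings.append({"param": rule.param, "status": status, "actual": actual,
                         "expected": expected_text(rule), "why": rule.why})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per status, e.g. {'fail': 4, 'ok': 1, 'missing': 1}."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for f in results:
        print(f"{f['status']:8} {f['param']:34} actual={str(f['actual']):5} "
              f"expected={f['expected']:7} {f['why']}")
    print(summarize(results))
```

Run against a real profile exported from the system, the same script gives a repeatable pre-go-live checklist; treating a missing parameter as a finding rather than a pass is deliberate, because the kernel default differs between releases and should be confirmed in RZ11.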
6. Neglecting System Updates and Security Patches
SAP regularly releases Security Notes and patches to address discovered vulnerabilities. However, many IT teams postpone applying these updates due to concerns about disrupting a functioning system or scheduling constraints. This results in unpatched systems that become easy targets for attackers.
✅ The Right Approach:
- Monitor SAP Security Notes consistently and apply critical updates without delay.
- Test patches in a sandbox or staging environment before deploying to production.
- Define maintenance windows for updates and communicate this schedule across the organization.
- Use SAP Solution Manager or similar tools to efficiently manage the update process.
7. Insufficient Logging and Monitoring
“If you can’t see it, you can’t stop it.” The SAP Security Audit Log (SM19/SM20) is often disabled by default or poorly configured. Without tracking who accessed what, when, and how — whether assigning SAP_ALL privileges, downloading customer data, or changing system parameters — it’s nearly impossible to detect security breaches or conduct post-incident analysis. As a result, many companies only discover security incidents well after the damage has been done.
✅ The Right Approach:
- Enable the SAP Security Audit Log.
- Record activities such as access attempts, failed logins, and user changes.
- Integrate these logs with central SIEM solutions so your security teams can monitor them in real time.
- Set up alert mechanisms for abnormal activities.
💡 Example:
Failing to detect a user logging in outside of business hours — such as on a weekend — can expose your system to insider threats.
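What "alert mechanisms for abnormal activities" looks like in practice is a small set of rules run over the audit log feed. The script below is an added example for this article, not SAP or SIEM vendor code: it reads a constructed, simplified `timestamp|user|terminal|event|detail` feed (a real SM20 export carries more columns and different message IDs) and raises alerts for the cases this section mentions: a burst of failed logons, a successful logon by a well-known standard account, a logon outside business hours such as the weekend example above, and the assignment of SAP_ALL or SAP_NEW. The business-hours window and the failure threshold are assumptions to be tuned locally.

```python
"""Detection rules over Security Audit Log events.
Added illustration, not SAP or SIEM code. SAMPLE_AUDIT_LOG is a constructed,
simplified feed; real SM20 exports have more columns."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (2024-03-16 is a Saturday, 2024-03-18 a Monday).
SAMPLE_AUDIT_LOG = """\
2024-03-16 02:14:05|DDIC|wks-0421|LOGON_OK|
2024-03-18 09:00:11|JSMITH|wks-0110|LOGON_FAILED|reason=wrong_password
2024-03-18 09:00:40|JSMITH|wks-0110|LOGON_FAILED|reason=wrong_password
2024-03-18 09:01:02|JSMITH|wks-0110|LOGON_FAILED|reason=wrong_password
2024-03-18 09:01:30|JSMITH|wks-0110|LOGON_OK|
2024-03-18 14:22:17|BASISADM|wks-0007|PROFILE_ASSIGNED|user=TEMP_CONSULT profile=SAP_ALL
2024-03-18 15:03:44|MKLEIN|wks-0233|LOGON_OK|
"""

STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH"}   # named in the article
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}       # named in the article
BUSINESS_HOURS = (7, 19)                           # 07:00-19:00 Mon-Fri (assumption)
FAIL_THRESHOLD = 3                                 # failed logons per user ...
FAIL_WINDOW = timedelta(minutes=5)                 # ... within this window (assumption)


def parse_records(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, terminal, event, detail = line.split("|", 4)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
                        "terminal": terminal, "event": event, "detail": detail})
    return records


def parse_detail(detail: str) -> dict:
    """'key=value key=value' -> dict."""
    return dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)


def outside_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def make_alert(kind: str, rec: dict, reason: str) -> dict:
    return {"kind": kind, "ts": rec["ts"].isoformat(sep=" "), "user": rec["user"],
            "terminal": rec["terminal"], "reason": reason}


def detect(records: list) -> list:
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logons
    for rec in sorted(records, key=lambda r: r["ts"]):
        event, user, ts = rec["event"], rec["user"], rec["ts"]
        if event == "LOGON_FAILED":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:     # drop failures older than the window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:       # fire once when the threshold is reached
                alerts.append(make_alert("failed_logon_burst", rec,
                                         f"{FAIL_THRESHOLD} failed logons within {FAIL_WINDOW}"))
        elif event == "LOGON_OK":
            if user in STANDARD_USERS:
                alerts.append(make_alert("standard_user_logon", rec,
                                         "interactive logon with a well-known standard account"))
            if outside_business_hours(ts):
                alerts.append(make_alert("off_hours_logon", rec,
                                         "successful logon outside business hours"))
        elif event == "PROFILE_ASSIGNED":
            d = parse_detail(rec["detail"])
            if d.get("profile") in PRIVILEGED_PROFILES:
                alerts.append(make_alert("privileged_profile_assigned", rec,
                                         f"{d['profile']} assigned to {d.get('user')} by {user}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_AUDIT_LOG)):
        print(f"{a['ts']}  {a['kind']:28} {a['user']:10} {a['reason']}")
```

The failed-logon rule uses a sliding window so that three failures spread over a day do not fire while three within five minutes do; the SAP_ALL rule records both the account that received the profile and the administrator who assigned it, which is the pair an auditor will ask for.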
8. Failing to Secure the Transport System
The SAP transport system — used to move developments between environments — is often overlooked in security controls. Unauthorized users could potentially exploit it to make unapproved changes directly in production.
✅ The Right Approach:
- Define special authorization groups for transport operations.
- Ensure only designated users can execute transport tasks.
- Monitor transport logs and implement an approval workflow for transport requests.

9. Making Authorization Changes Without Documentation or Controls
Workforce changes, project demands, or urgent requests often result in on-the-fly modifications to user authorizations. Unfortunately, these changes are frequently made without documentation or formal records.
✅ The Right Approach:
- Establish a formal change request management process for all authorization modifications.
- Ensure every change is documented and approved by the relevant manager.
- Set up logging systems that enable retrospective audits of authorization changes.
10. Insecure RFC Connections
SAP systems communicate with each other and with external systems via Remote Function Call (RFC) connections. By default, these connections are unencrypted. This means that an attacker monitoring network traffic could easily intercept critical information such as user credentials, passwords, or sensitive business data exchanged between systems.
✅ The Right Approach:
Activate Secure Network Communications (SNC) for all critical RFC connections. This encrypts data flows between systems and protects against man-in-the-middle attacks.
11. Overlooking the Security of Custom ABAP Code
Custom ABAP code (commonly referred to as Z-code) developed to meet specific business needs often bypasses thorough security reviews. Poorly written ABAP code may lack proper authority checks, allow command injection, or even contain backdoors — rendering your standard security measures ineffective.
✅ The Right Approach:
Code Scanning: Use static code analysis tools such as SAP Code Vulnerability Analyzer to scan all custom ABAP developments for security flaws before deploying to production, and remediate any issues.
Awareness: Provide your ABAP developers with regular training on secure coding practices.
Conclusion: Be Proactive to Ensure a Secure SAP Basis Environment
SAP Basis security is like a chain — only as strong as its weakest link. It requires more than just technical safeguards; it demands a corporate culture of security, process discipline, and ongoing awareness. The issues we’ve highlighted in this article represent the most common vulnerabilities in SAP systems. Fortunately, with the right configurations, robust control mechanisms, and regular audits, these risks can be significantly reduced.
Remember: The strength of your SAP system is defined by its security. Leaving SAP security to chance is like gambling with your most valuable corporate assets.
Would you like to identify potential security risks and blind spots in your SAP systems through expert analysis?
Contact us today for a comprehensive SAP Security Health Check conducted by our expert team — and let’s make your digital fortress impenetrable.