In November, we wrote a blog about the “7 types of privileged accounts you should know” to highlight potential privilege-related security risks. Today, we are spotlighting five powerful user accounts frequently found in SAP environments. These accounts are all created during the installation process when using SAP NetWeaver Application Server for ABAP and/or Java. The accounts can be centrally secured and managed by the CyberArk Privileged Access Security Solution.
- SAP*: Also known as SAP system super users, these accounts have sweeping access across SAP systems and are created in all clients immediately upon installation. These accounts need to be manually deactivated in all clients and added to a “SUPER” group, so that only authorized administrators can make changes. CyberArk helps to vault related credentials in an encrypted repository, making sure that even those authorized to make changes to this super group are indeed the only ones able to do so. If these credentials aren’t locked down, malicious actors can potentially achieve unlimited access to the data stored in the system.
- DDIC (Data Dictionary): DDIC users have special authorizations for installation, software logistics and the ABAP dictionary. The SAP installer assigns the default password for DDIC users that is designated as the master password during installation. In order to make sure that things run smoothly, DDIC requires authorizations for SAP_ALL during an installation or upgrade and is then locked afterwards. To account for human error, the CyberArk Privileged Access Security Solution allows for automatic rotation of vaulted accounts and can change passwords immediately upon use, removing the required manual authorization process.
- EarlyWatch: EarlyWatch is an automatic service that monitors essential administrative areas of an SAP system and is most effective when activated for all SAP components in the stack. Because of the sweeping access that these accounts require, it is crucial to detect, analyze, and when necessary, remediate attempts to access these accounts, something that CyberArk Privileged Threat Analytics can help with. These accounts also need to be provisioned in the SUPER group, so that only authorized users can change the passwords. With a central repository to manage and secure privileged credentials, SAP admins can dramatically reduce risks of privileged credential compromise.
- SAPCPIC (Common Programming Interface for Communications): CPIC accounts are used for remote connections to legacy SAP systems (4.5 and older). These accounts are mostly leveraged in Electronic Data Interchanges and have access to the S_A.CPIC profile. Malicious users can remotely execute Request for Comments or create dialog users with any privileges to enter the system and obtain unlimited amounts of information. These accounts can be deleted if unneeded, but additional actions need to be taken if the account is also necessary to change the default password. In this case, access is only granted if required — and related policies can be easily configured out of box with the CyberArk Privileged Access Security solution.
- TMSADM: During installation, a master password is set for TMSADM users for Transport Management Systems. This password is automatically set as a default, and it needs to be manually changed. SAP’s recommended best practice is to change the default password for TMASDM users, but this again requires levels of manual attention that can be forgotten or bypassed. The CyberArk Privileged Access Security Solution can also be leveraged to vault these accounts, automatically create complex passwords and rotate them based on policy.
Only CyberArk enables this level of comprehensive discovery, onboarding and management of privileged SAP accounts and credentials. For example, it’s a best practice to require the powerful users in SAP environments to verify their identities in order to access these accounts, and CyberArk can be used to validate and rotate credentials to ensure appropriate access. SAP has a set of security best practices specific to their applications and systems that organizations utilize, and with this certified integration, enterprises can be confident that this critical layer of security – privileged access security — is extended throughout the network.