Full Stack SAP Security
Security specialty in the SAP world has always been an odd one. What do these people even do, and why do we need them? That’s an unspoken question in the heads of many other SAP consultants.
As security expert Otto Gold wrote in this incisive post, “SAP Security is now officially so vast and complicated, that it no longer has much of a meaning.” If you still think this is just about assigning roles, the list of subjects in this post will make it very clear that there is way, way more to it.
Even for ABAP developers, security-related subjects have been multiplying like bunnies in spring. Weird words like SSO or OAuth are not just for Basis or Security folks anymore. When interviewing some developers recently, I realized it’s not clear what “security” even means in the web service context, for example. It might also be news to many that, by having access to an OData service, anyone could simply manipulate the URL in the browser to retrieve any exposed data. (Tobias Hoffmann has done quite a bit of that with SAP services, sometimes with alarming results. You don’t want to end up in his blog.)
When “security” means everything and nothing at the same time, how can we have intelligent discussions around it? Next time you speak about the subject, consider being more precise. JP