Security Library Recommendations

Former Member
0 Kudos

Dear Gurus,

I would like to know what books are in your SAP Security library and why they are useful. As with most things, I am always searching for new insight/knowledge to better develop my understanding of subject areas I would like to specialize in. I noticed that besides ADM940 (which I took several years ago), there don't seem to be a whole lot of SAP Security books on hand, particularly on the newer topics of security such as addressing the Java stack, BI/SRM/CRM security, modern design methodologies, etc. Most either regurgitate the basics of ABAP security (i.e. plug random transaction codes into roles in PFCG) or aim to be "cookbooks" of Security Q/A, which are very limited in their usefulness and vary in their accuracy.

What, if any, books would you recommend that any modern-day Security consultant shouldn't be without? Very interested in any recommendations people might be able to bring up!

1 ACCEPTED SOLUTION

jörg_weichert
Explorer
0 Kudos

Hi,

this is my current reading:

SAP Security Configuration and Deployment

cheers

Jörg

14 REPLIES

Former Member
0 Kudos

I pinged two authors of recent SAP-Press books on security to respond to you directly.

Cheers,

Julius

0 Kudos

You are well-connected, Julius

0 Kudos

I can honestly recommend them to you. But the authors would have more to say about it and why they wrote their books, that is why I pinged them.

I haven't written a book yet. Only planted a few trees

Cheers,

Julius

0 Kudos

Turns out that only one of them is released in English so far, but the others are in translation.

[The Developer's Guide to SAP NetWeaver Security|http://www.sap-press.de/1656] (Available in English)

[Authorizations in SAP Software: Design and Configuration|http://www.sap-press.de/2316] (Can be ordered in English, but available in June 2010).

[Secure ABAP Programming|http://www.sap-press.de/2037] (Currently available in German - not sure about English release date).

Cheers,

Julius

0 Kudos

Julius, those books look quite interesting. I think the second one (Authorizations in SAP Software: Design and Configuration) seems to me more in line with what I had in mind. Seeing the lack of replies to this thread, I am proceeding to mark it as answered. Thanks again for your help and contribution.

0 Kudos

Jörg, I actually saw that same book at an online bookstore as well but do not own it yet. Having browsed through the table of contents, I can say it also interests me and seems to be somewhat like the one recommended by Julius above. What are your feelings on the content? I see, for example, that they cover both the ABAP and Java stacks as well, so it seems quite up-to-date and a slight departure from the regular "transaction code manuals" and "SU01/PFCG how-to guides" =).

0 Kudos

Hi Benjamin,

A few thoughts on some of the books I have read:

http://www.amazon.com/Security-Data-Protection-SAP-Systems/dp/0201734974

A good explanation of the "why" we do security more than the "how". Very good book in my opinion once the main security concepts have been grasped.

http://www.amazon.com/SAP-Security-Authorizations-M-Linkies/dp/1592290620/ref=sr_1_fkmr1_1?ie=UTF8&q...

A good "reference" book. Spends a fair amount of time on risk aspects, which is useful.

http://www.amazon.com/SAP-Authorization-System-Implementation-Enterprise/dp/1592290167/ref=sr_1_1?ie...

More a "how to" guide. OK if it's your first implementation, but I found the Linkies/Off book to be much more useful.

http://www.sap-press.com/products/Authorizations-in-SAP-ERP-HCM.html

Excellent reference for HR auths from the perspective of a newbie in the area. I thought it was clear and concise.

I've not read this one: http://www.sap-press.com/products/Surviving-an-SAP-Audit.html

But I have attended a few conference sessions run by Steve Biskie and he talks sense. If the book is anything like the sessions then it will be a useful reference.

http://www.amazon.co.uk/Developer-27s-Guide-NetWeaver-Security-Package/dp/1592291805/ref=sr_1_8?ie=U...

I've not used this in anger yet but it looks like a useful reference. Gets pretty technical quite early, so best to get an overview of the NW concepts first IMO.

http://www.amazon.co.uk/SAP-Security-Essentials/dp/1933804025/ref=pd_sim_b_5

I had a browse of this and I didn't feel there was any content that was worth investing in. For a newbie I think it could be a useful introduction or reference for the first couple of projects.

A bit of an update:

Authorizations in SAP Software: Design and Configuration - http://www.amazon.co.uk/Authorizations-SAP-Software-Design-Configuration/dp/1592293425

Good book. Covers what you would expect but also gives some background on GRC Access Controls & IdM. CRM coverage is particularly good and the SRM, BW and HR sections provide a good introduction to those.

There is a bit of padding in there, like some explanations of standard SAP roles, but that's possibly due to editorial requirements and definitely not a reason to put you off. A useful addition to the library.

SAP Security Configuration and Deployment: The IT Administrator's Guide to Best Practices

http://www.amazon.com/SAP-Security-Configuration-Deployment-Administrators/dp/1597492841

A bit of a mixed bag. The authors clearly know what they are talking about and there are lots of "hands on" examples in many areas, but it is frustratingly vague in other areas like GRC, which appears to be in there as an afterthought. It's also nice to see things like OS and DB security in there.

Topic coverage is broad but I don't feel that the structure or flow is good. Technically I would say in general it is quite good; editorially it is way off the standard of the competition, which is a shame as the authors have good things to say in my opinion.

Another update...

http://www.sap-press.com/products/100-Things-You-Should-Know-About-Authorizations-in-SAP.html

Nicely formatted & presented but the book reads like a collated and edited set of questions & answers from SCN, SAPFans & ITToolbox.

Edited by: Alex Ayers on Oct 8, 2010 10:00 AM

0 Kudos

Benjamin,

have you read the customer reviews on amazon.com about "SAP Security Configuration and Deployment" at http://www.amazon.com/SAP-Security-Configuration-Deployment-Administrators/dp/1597492841/ref=pd_sim_....

There is one review which compares the book to the old "SAP Made Easy" guides. From my point of view the book touches a lot of subjects but doesn't go in too deep. Some chapters contain huge screenshots; at each chapter end you will find a "Solution Fast Track" and an "FAQ Section". You find whole books for some topics which are covered here in one chapter, e.g. for GRC. From the first look (remember I haven't read it cover to cover by now) it contains useful information but a lot of what you call "SU01/PFCG how-to guides" :-). So you should not expect too much ;-). On the back cover of the book you will find a notice that Syngress will give free access to the e-book version of the book to owners of the printed version, however I couldn't find any direction to this on the Syngress home page :-(.

If you are interested in J2EE I would recommend

SAP NetWeaver AS Java – Systemadministration

André Faustmann, Gunnar Klein, André Siegling, Ronny Zimmermann from SAP PRESS

but this book is only available in German and I don't know if there will be a translation.

Cheers,

Jörg

Edited by: Jörg Weichert on Mar 30, 2010 4:19 PM

0 Kudos

I have added this to the FAQ and Useful Threads sticky at the top of the forum.

Also don't forget the SAP Security Guides on service.sap.com and help.sap.com. Not much of a story-line to them, but technically interesting nonetheless - and official literature.

Cheers,

Julius

0 Kudos

Hi Jörg,

That book sounds interesting from your review, however I am automatically suspicious of the following claims:

• The most comprehensive coverage of the essentials of SAP security currently available: risk and control management, identity and access management, data protection and privacy, corporate governance, legal and regulatory compliance.

• This book contains information about SAP security that is not available anywhere else to help the reader avoid the "gotchas" that may leave them vulnerable during times of upgrade or other system changes.

From your experience of reading the book do you agree with these very bold claims?

0 Kudos

@Jörg:

Thanks for getting back. It seems from your description that SAP Security Configuration and Deployment is generally a great overview and introduction to many topics which can stem into further research. I like that, as books which grant a broad overview of the subject area tend to help a lot in determining what to look into next.

@Alex:

That's a very comprehensive (and impressive) list! I have to admit that the rating on Amazon for Security and Data Protection for SAP Systems first turned me away, but looking again at the table of contents and your recommendation, I definitely believe this one is worth a try as I am much more interested in the "why" than the "how".

The second book, SAP Security and Authorizations, is also very attractive as it seems to discuss many aspects of the SAP system in Part 2 that I have never seen discussed anywhere else, including HCM, BI, MDM, CRM, SRM, SCM, Sol Man, etc. Most books I have seen just discuss SAP authorizations at a very basic level within the "core" NetWeaver system, and having at least a basic overview of something like HCM and Sol Man really helps in directing research further.

The third book, SAP Authorization System: Design and Implementation of Authorization Concepts for SAP R/3 and SAP Enterprise Portals, caught my attention as it seems to have some information on Enterprise Portals. As EP is becoming much more prevalent now that SAP is pushing users away from the traditional SAPGUI and towards the Portal for literally everything, literature should focus more on this aspect as well, since the Portal presents additional security outside of the "standard" back-end system. Many books still view security as encompassing the backend system only and ignore the Portal interface.

Lastly, I couldn't help laughing when I read the title Surviving an SAP Audit (especially after seeing the book cover with a lifesaver above the water). It's so true, I was once audited by several parties at a client within a small time frame - can get very hectic and you sound like a robot after a while explaining the same things over and over to different people.

Great work, I'm very glad this thread turned out to be productive...

0 Kudos

Hi Alex,

as I have written in my first post, the book is my current reading, so I haven't read it cover to cover by now. Maybe you give me some more time to read more of the book before I answer your question :-).

The chapters of the book are written by different authors, so the quality may vary. Flipping through the pages I get the impression for some chapters that somebody tried to get some more pages by inserting large screenshots. Also the questions in the FAQ sections are partly very basic. For example, in the chapter "Back End: Unix/Oracle" you find the question "Which is the more secure protocol to use: telnet or ssh?". The FAQ sections look a little bit like a collection of interview questions ;-).

In the same chapter you find a detailed description of how to patch Oracle to 10.2.0.2 (1. Download ... 2. Unpack ... 3. Set location of Inventory ... ...). But you also find information on how to protect the listener. On the other hand I haven't seen any information related to the OPS$ mechanism. But as written before, you could write a whole book on Oracle security.

I haven't made up my mind how to rate the book. Maybe I will write a follow-up to this post after I have read the book cover to cover.

Cheers,

Jörg

0 Kudos

Hi Jörg,

Thanks for the info - I missed the part about you still reading it, sorry!

When you have finished it, I would be interested to know your thoughts. Decent books being available can only be a good thing to supplement the standard documentation.