Security Best Practices in SAP CAR – What Do We See as Best Practices while Configuring SAP CAR for a Large Multi-store Implementation?

4 Mins read

A SAP report talks about the increasing number of cyber-attackers exploiting security vulnerabilities to steal confidential data and compromise various SAP applications.  According to the report, for every 1,500 cyberattacks recorded between the middle of 2020 to March 2021, 300 exploits were successful.

With the growing deployment of distributed systems for data management in large multi-store setups, there is an increasing demand for tools like SAP CAR. The SAP Customer Activity Repository (SAP CAR) helps in collecting and cleansing customer and transactional data obtained from various applications and in different formats.

How to keep these security threats at bay? Let’s explore some best practices.

6 best security practices for SAP CAR solutions

When it comes to SAP security, most organizations including multi-stores cannot always afford to invest in “expensive” security audits or penetration testing solutions. Nor is there a need to, as it happens. The reality is that most security-related issues in SAP environments are caused by manual errors or incorrect configuration.

Here is a look at the 6 best security practices that can help organizations using SAP CAR solutions:

  1. User authentication

User authentication and management in the SAP Customer Activity Repository follow the same mechanism as in the SAP NetWeaver tool. For instance, it uses the same security tools, user types, and password management.

Here is how the SAP CAR tool ensures efficient user management and authentication practices:

  • By configuring different security-related policies for individual and technical users. While individual users performing interactive tasks need to change their passwords regularly, users working on background processing tasks do not need to.
  • By integrating into Single Sign-On (SSO) environments provided by SAP NetWeaver and following the same security recommendations and guidelines.
  • SAP CAR also uses the same user authorizations as provided by the SAP NetWeaver application server, which assigns authorization to the user based on their roles.
  • Data from SAP HANA for SAP CAR is secured using the access control mechanisms used in the SAP HANA database.
  1. Session security protection

Secure session management is essential for any multi-store SAP implementation. This practice can prevent unauthorized access to SAP logon tickets and security session cookies. Another recommended practice is to enable Secure Socket Layer or SSL to secure network-based communications where cookies are transferred.

Session security can be easily activated on the application server by configuring the correct profile parameters.

  1. Network security

Well-defined network topology for SAP CAR applications can eliminate multiple security threats at the software and operating system level. As authorized users are unable to log into application or database servers, it is highly unlikely that cyber-intruders will succeed at compromising machines and gain unauthorized access to the backend database.

The network topology used by SAP CAR applications is again based on the topology that is used by the SAP NetWeaver platform. Incorrect user configurations and authorizations for connection destinations can lead to security flaws. Connection destination in SAP CAR is of particular importance for connecting to incoming data sources and outgoing destinations.

As SAP CAR does not provide any predefined RFC destinations, they need to be created by customers. This includes connection-related information like username, password, and connection type.

  1. Data protection

Ensuring data protection and security is also about complying with legal requirements and privacy regulations. Even multi-store operations need to comply with general data regulations and privacy norms. On its part, SAP tools provide specific features that can support compliance with the relevant laws.

The SAP Customer Activity Repository tool provides both data transfer and auditing features including analytics on various activities like sales reports and inventory management. Besides, the SAP CAR tool does not directly support any user-driven consent management.

Even though this tool has no specific focus on personal data, retail stores can provide their customer data based on their business requirements. Any data provided to SAP CAR solution is assumed to have been obtained with user consent.

  1. Payment card security

Aimed to protect payment card users, the Payment Card Industry’s Data Security Standard (PCI-DSS) was developed to create a common set of industry requirements and a compliance standard for companies processing credit card data.

Considering credit card use, the SAP CAR tool is an integral part of store connectivity, with each connection containing PCI-DSS data. Similarly, SAP CAR can support any sales audit transaction for reviewing credit card settlements. Effectively, this tool can serve as the transaction-based repository where transactional data including credit card information can be forwarded for processing to other systems including SAP CRM or NetWeaver.

  1. Omnichannel article availability (OAA)

For enterprises using omnichannel article availability and sourcing, they must be cognizant of their security risk and have the right mitigations in ATP calculation and temporary reservations.

For instance, a high number of added sources to the sourcing network can increase the number of article and source combinations that need to be processed in the parallel ATP run. This can result in a rise in system load and a decline in the system performance used for the parallel ATP execution. For generating and replicating any ATP snapshot, the SAP CAR tool retrieves the available data by calling an RFC function in the backend SAP HANA or SAP Retail system.


With SAP tools being used as the core foundational system for many enterprises, more secure and data-centric best practices are needed to protect sensitive customer data. For distributed platforms like SAP CAR, enterprises must look to restrict unauthorized access to sensitive customer data.

With years of technical experience as an SAP technology partner, Groupsoft can help reinvent your multi-store retail business and unlock the potential of industry-standard tools like SAP, AWS, and Snowflake.

Do you have a lot of queries regarding how to secure your investment in SAP technologies? Contact us today.

2 posts

About author
Arun Ganeshan is the lead SAP CAR Consultant at Groupsoft. He plays a crucial role in defining, developing, documenting, and maintaining architectural blueprints of SAP. With his end-to-end SAP CAR implementation or rollout experience, he encompasses the software development life cycle for retail clients.
Related posts

How SAP SuccessFactors Can Help Retailers Overcome Hiring Challenges

4 Mins read
After two years of the pandemic, the retail industry is slowly bouncing back to normalcy. Despite the lockdown extensions and the general…

Conversion of ECC System to S4 HANA

4 Mins read
SAP S/4HANA offers an array of benefits to retail CxOs looking to effectively manage their sales, procurement, and finance and accounts functions….

How CPG Players are Transforming Themselves Through SAP with RISE 

4 Mins read
Over the past few years, the consumer has firmly assumed a position in the driver’s seat. Businesses are now compelled to proactively…