SAP Pentest Playbook

Technology Overview

Overview

The SAP ABAP Platform is the core application server and development environment used to build, run, and manage business-critical applications in SAP systems such as SAP S/4HANA. It provides a complete runtime, development model, and infrastructure for developing both standard and custom business logic using the ABAP programming language.

Three-Tier Client-Server Architecture

The ABAP Platform is built as a classic three-tier setup:

  • Presentation layer: SAP GUI, Fiori Launchpad, SAP Business Client; the front-end where users interact with the system.
  • Application (Server) layer: where ABAP code executes: transaction processing, business rules, communication. Multiple application server instances may exist, each identified by a System Identifier (SID) and an instance number.
  • Database layer: the persistent store for all ABAP data. For S/4HANA the underlying database is SAP HANA. For ERP systems you can find different database technologies (DB2/LUW, Oracle, MS-SQL…).

Important Terminologies

  • Client: In SAP, a “client” refers to a logical partition of the SAP system that is used to separate data and configuration settings for different departments, organizations or subsidiaries within a company. Each client has its own set of master data, transactional data, and customizing settings. From a penetration tester’s perspective, it is important to know that each client comes with its own set of user accounts. Clients are differentiated by a 3-digit number (the classical client 000 is always delivered by the default install). Typically a customer will add additional client numbers (the numbers here are made up, just to give an example: 100, 200, 300…) to separate business users/legal entities, leading to a system with several user bases (including default users to check on).

Default SAP Clients (ABAP Systems)

| Client | Purpose / Description | Notes |
|---|---|---|
| 000 | SAP Standard / Reference Client | Contains all SAP standard configuration and system users (SAP*, DDIC). Used as the template for creating new clients and for system maintenance (e.g., SPAM/SAINT updates). |
| 001 | Demo / Copy of 000 (with company data) | Used for training or testing; typically contains sample company data and basic configuration copied from 000. |
| 066 | EarlyWatch Client | Reserved for SAP EarlyWatch and Solution Manager service connections; not used for business or customizing. |

Common Custom Clients (Typical Landscape)

| Client | Typical Usage |
|---|---|
| 100 | Development (DEV) |
| 200 | Quality Assurance (QAS) |
| 300 | Training or Sandbox |
| 400+ | Production (PRD) or specialized clients (e.g., Test, GRC) |

SAP Instance:

An SAP instance is identified by an SAP System ID (SAP-SID). This refers to a physical installation of the SAP software and its associated database on a specific host or server, representing one technical system within the wider SAP landscape. One SAP instance can support multiple clients, but each client can only reside in one instance. Side note: HANA databases come with their own instance name (HANA-SID).

Naming convention for instances with the SAP-SID

The SAP System ID (SAP-SID, or SID) is a unique, three-character, alphanumeric identifier consisting of uppercase letters and digits (A–Z and 0–9). The first character must be a letter. The SID defines the system’s technical identity across the SAP landscape (e.g. it is used in hostnames, directories and RFC destinations). Examples: F66, K11, W44.

| Concept | Level | Description |
|---|---|---|
| Instance (SAP-SID) | Physical | A physical installation of the SAP software, identified by a three-character SID (e.g., PRD, DEV). |
| Client (Client Number) | Logical | A logical partition within an SAP system (e.g., 100, 200, 300). Each client has its own master data and user base. |

⚠️ Important: A client is a logical partition within an SAP system,
while an instance (SAP-SID) is a physical installation of the SAP software.
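As an added illustration (not code from the playbook), the following Python applies the SID and client naming rules above to a constructed system inventory: it rejects malformed identifiers, groups clients under their instance, and lists the default clients whose own user base must be reviewed per client. The "SID/client" record format and the inventory values are assumptions made for this example.

```python
import re
from collections import defaultdict

# Naming rules described above: a SAP-SID is three characters from A-Z/0-9
# with a leading letter; a client number is exactly three digits.
SID_RE = re.compile(r"[A-Z][A-Z0-9]{2}")
CLIENT_RE = re.compile(r"[0-9]{3}")

# Default clients delivered with every ABAP system (from the table above).
# Each client carries its own user accounts, so defaults are reviewed per client.
DEFAULT_CLIENTS = {
    "000": "SAP reference client (SAP*, DDIC live here)",
    "001": "demo / copy of 000",
    "066": "EarlyWatch client",
}

def is_valid_sid(sid: str) -> bool:
    return SID_RE.fullmatch(sid) is not None

def is_valid_client(client: str) -> bool:
    return CLIENT_RE.fullmatch(client) is not None

def build_landscape(records):
    """Group "SID/client" records (a constructed format) into {SID: [clients]}.
    Returns the landscape plus a list of records violating the naming rules."""
    landscape = defaultdict(set)
    issues = []
    for rec in records:
        sid, _, client = rec.strip().partition("/")
        if not is_valid_sid(sid):
            issues.append(f"{rec}: SID must be 3 chars A-Z/0-9, letter first")
        elif not is_valid_client(client):
            issues.append(f"{rec}: client must be exactly 3 digits")
        else:
            landscape[sid].add(client)  # a client belongs to exactly one instance
    return {sid: sorted(cl) for sid, cl in landscape.items()}, issues

def default_clients_to_review(landscape):
    """Every (SID, client, reason) triple where the client is an SAP default."""
    return [(sid, cl, DEFAULT_CLIENTS[cl])
            for sid in sorted(landscape)
            for cl in landscape[sid] if cl in DEFAULT_CLIENTS]

# Constructed sample inventory (not real systems); last two records are malformed.
SAMPLE_INVENTORY = ["PRD/000", "PRD/100", "PRD/066", "DEV/000", "DEV/100",
                    "DEV/200", "1AB/100", "PRD/10"]
```

Running `build_landscape(SAMPLE_INVENTORY)` yields two instances (PRD and DEV), two rejected records, and three default clients (PRD/000, PRD/066, DEV/000) to check for default users.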

For each SAP instance:

  • Separate directories are defined on the OS (each instance could even be installed on a completely separate operating system)
  • Shared file systems between instances can be used
  • Entries are created in operating system configuration files (/etc/services, /etc/sapconfig…)
  • Communication entries are created on the host
  • Start and system profiles are created
  • Operating system users and groups are added

References