Security Information for SAP Asset Strategy and Performance Management

Transcription

1 Master Guide SAP Asset Strategy and Performance Management Document Version: Security Information for SAP Asset Strategy and Performance Management

2 Typographic Conventions Type Style Example Description Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Textual cross-references to other documents. Example EXAMPLE Example Example <Example> Emphasized words or expressions. Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. EXAM PLE Keys on the keyboard, for example, F2 or EN TER SAP SE or an SAP affiliate company. All rights reserved. Typographic Conventions

3 Document History Version Date Change 1.0 November 2017 Created for 1711 release 2.0 February 2018 Updated for 1802 release. Included Data Privacy and Protection topics Document History 2018 SAP SE or an SAP affiliate company. All rights reserved. 5

4 Table of Contents 1 Introduction Overview of the Main Sections Before You Start Security Aspects of Data, Data Flow and Processes User Administration and Authentication Data Storage Security Other Security-Relevant Information Data Privacy and Protection Introduction Glossary Read Access Logging Information Report SAP SE or an SAP affiliate company. All rights reserved. Table of Contents

5

6 1 Introduction The Security Guide provides an overview of the security-relevant information that applies to SAP Asset Strategy and Performance Management from a System Administrator perspective. Note: This guide does not replace the administration or operation guides that are available for productive operations. Target Audience System Administrators This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases. Why Is Security Necessary? With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Asset Strategy and Performance Management. To assist you in securing the SAP Asset Strategy and Performance Management, we provide this Security Guide. 1.1 Overview of the Main Sections The Security Guide comprises the following main sections: Before You Start This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide. Security Aspects of Data, Data Flow and Processes This section provides an overview of security aspects involved throughout the most widely-used processes within SAP Asset Strategy and Performance Management. User Administration and Authentication This section provides an overview of the following user administration and authentication aspects: o Recommended tools to use for user management o Standard users that are delivered with SAP Asset Strategy and Performance Management o Overview of how integration into Single Sign-On environments is possible Data Storage Security SAP SE or an SAP affiliate company. All rights reserved. Introduction

7 This section provides an overview of any critical data that is used by the SAP Asset Strategy and Performance Management and the security mechanisms that apply. Data Protection This section provides information about how SAP Asset Strategy and Performance Management protects personal or sensitive data.

8 2 Before You Start SAP Asset Strategy and Performance Management is built on top of SAP HANA Cloud Platform (HCP) using SAP UI5 as user interface technology as well as SAP ID Service as Identity and Access Management solution. Table 1: Fundamental Security Information Security-Related Material Description SAP HANA Cloud Solution Brief SAP HANA Cloud Solution Overview SAP Data Center Data center home page with focus on security and certification SAP Security Certificates General SAP IT Security Certifications For a complete list of the available SAP Security Guides, see SAP Service Marketplace at Additional Information For more information about specific topics, see the Quick Links as shown in the table below. Content Quick Link on SAP Service Marketplace or SCN Security Security Guides Related SAP Notes Released platforms Network security SAP Solution Manager SAP SE or an SAP affiliate company. All rights reserved. Before You Start

9 Content Quick Link on SAP Service Marketplace or SCN SAP NetWeaver

10 3 Security Aspects of Data, Data Flow and Processes The following general security measures are in place, and are applicable to all scenarios: Encrypted connection through HTTPS User and role mapping with functional restrictions Access control lists limiting access to data only to permitted roles, companies and users The table below shows the security aspect to be considered for the process step and what mechanism applies. Step Description Security Measure User authentication The user logs on to the system. Authentication process based on SAML 2.0 Standard takes place. Access credentials are not stored on site. Invalid session IDs and cookies are intercepted. Document upload Users can upload documents, including Microsoft Excel files, images, VDS files etc. Virus scanning is in place for all uploaded documents. MIME Type check in place to prevent malicious uploads. User administrative tasks Administrators can add and remove user accounts, and change the role assignments of user accounts Division of responsibilities ensures that only company Administrators can carry out the listed user administrative tasks SAP SE or an SAP affiliate company. All rights reserved. Security Aspects of Data, Data Flow and Processes

11 4 User Administration and Authentication SAP Asset Strategy and Performance Management uses the authentication mechanisms provided by SAP ID Service. The user management itself is specific to SAP Asset Strategy and Performance Management and does not rely on any external tools. Information about user administration and authentication that specifically applies to SAP Asset Strategy and Performance Management is provided in the following topics: User Management This topic lists the tools to use for user management in SAP Asset Strategy and Performance Management. Integration into Single Sign-On Environment This topic describes how SAP Asset Strategy and Performance Management supports Single Sign-On mechanisms. User Management User management for SAP Asset Strategy and Performance Management uses the SAP HANA Cloud Platform as well as making use of SAP ID Service facilities. For an overview of how these mechanisms apply to SAP Asset Strategy and Performance Management, see the sections below. User Administration Tools SAP Asset Strategy and Performance Management uses the user administration provided by the SAP HANA Cloud Platform to manage Users. System Administrators can add, remove and edit users. They can also provide/revoke multiple pre-defined roles to users. SAP Asset Strategy and Performance Management Provides three predefined roles per application: READ Provides read authorizations to the selected user on selected application. EDIT Provides read and write authorizations to the selected user on selected application. DELETE Provides read, write and delete authorizations to the selected user on selected application. Integration into Single Sign-On Environments SAP Asset Strategy and Performance Management supports the Single Sign-On (SSO) mechanisms provided by SAP HANA Cloud Platform in conjunction with SAP ID Service. SAP Asset Strategy and Performance Management also allows customer trust accounts to be integrated with SAP HANA Cloud Platform to facilitate SSO using their own trust system.

12 5 Data Storage Security SAP Asset Strategy and Performance Management saves data in a dedicated database provided by SAP HANA Cloud Platform. Access to the database comes preconfigured with the infrastructure environment. The database contains personal data (user profiles and company profiles), operational business data, and preferences and configurations. Information is updated continuously upon change. Documents, such as media files and PDFs, are stored in the SAP HANA Cloud document management system. Data Protection SAP Asset Strategy and Performance Management complies with data privacy and protection regulations. SAP Asset Strategy and Performance Management supports the following functionality: helps customers delete personal data stored on the network using the user management application. supports sharing personal data of a person whose details have been stored on SAP Asset Strategy and Performance Management when the user requests for it. maintains audit trial information such as the name of person who changed the personal data, time and date of the data changed or data deleted SAP SE or an SAP affiliate company. All rights reserved. Data Storage Security

13 6 Other Security-Relevant Information SAP Asset Strategy and Performance Management is an SAP UI5-based application, and as such makes use of HTML5 and JavaScript. Active content (at least HTML5 and JavaScript) has to be enabled. This is mandatory, as SAP Asset Strategy and Performance Management will not work without it. Session Security Protection SAP Asset Strategy and Performance Management is restricted to operating with Secure Socket Layer (SSL) and activated cookie handling in the browser only. Security Lifecycle Management SAP Asset Strategy and Performance Management is hosted and operated by SAP. The Cloud Operations, Business Operations, and Development Team continuously monitor security-relevant issues and keep the system and software up to date.

14 7 Data Privacy and Protection 7.1 Introduction Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy regulation, it is necessary to consider compliance with industry specific legislation in different countries. SAP provides specific features and functions to support compliance with regards to relevant legal requirements, including data protection. SAP does not give any advice on whether these features and functions are the best method to support company, industry, regional, or country specific requirements. Furthermore, this information does not give any advice or recommendation in regards to additional features that would be required in particular IT environments; decisions related to data protection must be made on a casebycase basis, under consideration of the given system landscape and the applicable legal requirements. Note: In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by a product feature. SAP software supports data protection compliance by providing security features and specific data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. Definitions and other terms used in this document are not taken from any given legal source. 7.2 Glossary Term Definition Blocking A method of restricting access to data for which the primary business purpose has ended. Consent The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent. Data subject An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person SAP SE or an SAP affiliate company. All rights reserved. Data Privacy and Protection

15 Term Definition Deletion Deletion of personal data so that the data is no longer available. End of business Date where the business with a data subject ends, for example, the order is completed, the subscription is canceled, or the last bill is settled. End of purpose (EoP) End of purpose and start of blocking period. The point in time when the primary processing purpose ends, for example, a contract is fulfilled. End of purpose (EoP) check A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization, for example, tax auditors. Personal data Any information relating to an identified or identifiable natural person (a data subject). Purpose The information that specifies the reason and the goal for the processing of a specific set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data. Residence period The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period. Retention period The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period. Sensitive personal data A category of personal data that usually includes the following type of information: Special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation. Personal data subject to professional secrecy Personal data relating to criminal or administrative offenses Personal data concerning insurances and bank or credit card accounts

16 Term Definition Where-used check (WUC) A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented. 7.3 Read Access Logging Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy. These common questions might be of interest for an application that uses Read Access Logging: Who accessed the data of a given business entity, for example a bank account? Who accessed personal data, for example of a business partner? Which employee accessed personal information, for example religion? Which accounts or business partners were accessed by which users? These questions can be answered using information about who accessed particular data within a specified time frame. Technically, this means that all remote API and UI info structures (that access the data) must be enabled for logging. SAP Asset Strategy and Performance Management does not store any sensitive data. 7.4 Information Report To retrieve a list of the information stored about a user, you can search for the user in the Data Privacy and Protection app SAP SE or an SAP affiliate company. All rights reserved. Data Privacy and Protection