SAP Anywhere Security Guide

1. Document History

Version | Date       | Change
1.0     | 2017-06-21 | Initial version for SAP Anywhere 1707
2.0     | 2018-03-08 | Added Personal Data Protection Information for SAP Anywhere 1803

2. Introduction

2.1. About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Anywhere.

2.2. Why is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, demands on security are also on the rise. When using a distributed system, you must ensure that your business processes do not permit unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These security requirements apply equally to SAP Cloud solutions. To assist you in ensuring the security of your SAP Cloud solution, we provide this Security Guide.

2.3. Document Structure

The Security Guide contains the following sections:

- Technical System Landscape: describes the technical components and communication paths that are used in the solutions.
- User Administration and Authentication: describes the user administration tools, and the system access and authentication concept that applies to the solutions.
- Authorization: describes the authorization concept of the solution.
- Mobile Applications: describes mobile applications.
- Front-End Security: describes the security mechanisms that apply to the front end.
- Security of Data Storage and Data Centers: describes critical data that is used by the solutions, and the security mechanisms that apply.
- Other Security-Relevant Information: contains information about service composition security, and internal and external audits.
- Security-Relevant Logging and Tracing: describes trace and log files that contain security-relevant information, allowing you to reproduce activities if a security breach occurs.

3. Technical System Landscape

The SAP Anywhere solution is hosted in AWS US for US and UK customers, and in a China Telecom data center for CN customers. All data centers serving SAP Anywhere are ANSI/TIA/EIA-942 Tier III or Tier III+ rated facilities, certified under ISO 9001 and ISO 27001. They provide a solid foundation for SAP Anywhere through ample WAN/LAN bandwidth and redundancy, and shield against electrical power faults, fire, natural disasters, and weather shifts. They are also guarded by CCTV and an access control system, ensuring that unauthorized people cannot physically reach the computers used by SAP Anywhere.

Since SAP Anywhere deals with business data from your core business processes, SAP adheres to the highest security and quality requirements, as follows:

- The business data is stored securely in world-class data centers.
- Customers share physical hardware, but their data is separated into tenants.
- Users who require access to the business data must authenticate themselves, and their identity must be verified by user and access management.
- Customer data always belongs to the customers.

You can access your SAP Anywhere tenant in the following ways:

- Desktop computer: browser-based Internet access from any network with Internet access
- Portable computer: browser-based Internet access from any network with Internet access
- Mobile devices: native apps (for details, refer to chapter 7)

Industry best practices and state-of-the-art open cryptographic standards secure and protect communications between customer devices and the system landscapes of your SAP Anywhere solution in the cloud.

4. Security Aspects of Data, Data Flow and Processes

4.1 Communication Channels

The table below shows the communication channels used by SAP Anywhere solutions, the protocol used for the connection, and the type of data transferred.

Communication Path | Protocol Used | Technology Used | Type of Data Transferred | Data Requiring Special Protection
Web browser acting as frontend client to access the hosted SAP Anywhere system | HTTPS | OData & REST services | Application data | User IDs, passwords
File-based import and export of master data and transactional data | HTTPS | File transformation | Master data, e.g. products, customers, vendors, price lists, etc.; transactional data, e.g. sales orders, purchase orders, inventory counting, etc. | Personal information on customers, vendors, etc.; business details on sales, purchases, etc.
Apple iPad applications (SAP Anywhere for iPad and SAP Anywhere Show and Sell), iPhone application (SAP Anywhere Activity Stream) | HTTPS | OData & REST services | Application data | User IDs, passwords, application data
Email | SMTP, Email APIs | SMTP server, Email APIs | Application data | Confidential data
API-based communication and application integration | HTTPS | REST services | Application data | Application data and API access token

Note: SAP Anywhere solutions use port 443 for HTTPS connectivity.

4.2 API-based Communication and Application Integration

API-based communication and application integration refers to the exchange of business-related data across administrative domains. The SAP Anywhere API enables you to configure the application data exchange between your tenant and a communication partner, who can be a business partner in a B2B/B2C communication scenario or an external system that is used for application integration. The SAP Anywhere API provides communication scenarios for both inbound and outbound communication. Inbound communication defines how business documents are received from a communication partner, whereas outbound communication defines how business documents are sent to a communication partner.

The SAP Anywhere APIs rely on the industry-standard OAuth 2.0 protocol for authentication and authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

The access token should be generated and included in the HTTP request header to access the SAP Anywhere API. An OAuth 2.0 access token has a validity period and expires at a defined point in time; in SAP Anywhere, the validity period is 12 hours.

Note: For more information about OAuth 2.0, see https://oauth.net/2/.

4.2.1 Integration with Private Apps

A private app is the integration channel that allows you to interact with the SAP Anywhere API on behalf of your own tenant. Before using application data exchange for a business process, you must create a private app for the corresponding communication scenario. To authenticate with the SAP Anywhere API using a private app, you generate the app with its API key, API secret, and refresh token in the Apps -> Private Apps page of the backend console, and exchange these for an access token according to the guideline. The access token has a validity period of 12 hours; before it expires, it must be renewed using the credentials above. It is the customer's responsibility to protect the access token of the private app, since it reflects the specific details of their integration scenarios and business data.

Note: The refresh token of a private app expires after 3 years, after which you need to create a new app to support your business integration.

4.2.2 Integration with Public Apps

Public apps are out-of-the-box integration applications built by third-party partners and published to the SAP Anywhere App Center. Public apps provide extensive integration scenarios to benefit the customer's business, interacting with the SAP Anywhere API for both outbound and inbound communication. You can grant a public app access to your business data via the API by clicking the Install button on the app to authorize it; the public app then exchanges your authorization together with the API key and API secret assigned to it for an access token. You can also uninstall a public app in the Apps -> Public Apps page to revoke its access to your application data via the API.
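The following Python sketch is an added illustration, not code from the SAP Anywhere guide or the product, of the private-app token lifecycle described above: the API key, API secret and refresh token are exchanged for a 12-hour access token, the token is renewed before it expires, and the exchange is refused once the 3-year refresh token has expired. The token endpoint URL, the RFC 6749 refresh_token grant fields, HTTP Basic client authentication and the "Authorization: Bearer" header are assumptions; the token server is a constructed stand-in so the code runs offline.

```python
"""OAuth 2.0 token lifecycle for a SAP Anywhere private app (illustrative sketch).
Assumed, not from the guide: token endpoint URL, RFC 6749 refresh_token grant fields,
HTTP Basic client auth with API key/secret, and the "Authorization: Bearer" header.
From the guide: 12-hour access token, renewal before expiry, 3-year refresh token."""
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ACCESS_TOKEN_TTL = 12 * 3600         # 12 hours, as stated in the guide
REFRESH_TOKEN_TTL = 3 * 365 * 86400  # 3 years, as stated in the guide
RENEW_MARGIN = 10 * 60               # renew 10 minutes early (our own choice)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, str]]  # (url, headers, body) -> (status, body)

@dataclass
class PrivateAppCredentials:
    api_key: str
    api_secret: str
    refresh_token: str
    refresh_token_issued_at: float  # epoch seconds when the private app was created

@dataclass
class TokenManager:
    creds: PrivateAppCredentials
    token_url: str                  # assumed endpoint, not given by the guide
    transport: Transport
    clock: Callable[[], float] = time.time
    _access_token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def refresh_token_expired(self) -> bool:
        return self.clock() >= self.creds.refresh_token_issued_at + REFRESH_TOKEN_TTL

    def needs_renewal(self) -> bool:
        return self._access_token is None or self.clock() >= self._expires_at - RENEW_MARGIN

    def _exchange(self) -> str:
        if self.refresh_token_expired():
            raise RuntimeError("refresh token expired: create a new private app")
        pair = f"{self.creds.api_key}:{self.creds.api_secret}".encode()
        headers = {"Authorization": "Basic " + base64.b64encode(pair).decode(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = {"grant_type": "refresh_token", "refresh_token": self.creds.refresh_token}
        status, payload = self.transport(self.token_url, headers, body)
        if status != 200:
            raise RuntimeError(f"token exchange failed with HTTP {status}")
        data = json.loads(payload)
        # Server-reported lifetime wins; fall back to the documented 12 hours.
        self._access_token = data["access_token"]
        self._expires_at = self.clock() + int(data.get("expires_in", ACCESS_TOKEN_TTL))
        return self._access_token

    def access_token(self) -> str:
        """Return the cached token, or exchange for a fresh one when close to expiry."""
        return self._exchange() if self.needs_renewal() else self._access_token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token()}"}

class FakeTokenServer:
    """Constructed stand-in for the token endpoint so the example runs offline."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str], body: Dict[str, str]) -> Tuple[int, str]:
        if body.get("grant_type") != "refresh_token" or not headers.get("Authorization", "").startswith("Basic "):
            return 400, json.dumps({"error": "invalid_request"})
        self.calls += 1
        return 200, json.dumps({"access_token": f"tok-{self.calls}", "expires_in": ACCESS_TOKEN_TTL})

def demo(now: float = 1_700_000_000.0) -> Dict[str, object]:
    """Drive the manager through caching, renewal and refresh-token expiry on a fake clock."""
    clock = {"t": now}
    creds = PrivateAppCredentials("example-key", "example-secret", "example-refresh", now)
    server = FakeTokenServer()
    tm = TokenManager(creds, "https://example.invalid/oauth/token", server, lambda: clock["t"])
    first = tm.access_token()            # first call performs the exchange
    clock["t"] += 6 * 3600
    cached = tm.access_token()           # 6 h later: still valid, served from cache
    clock["t"] += 6 * 3600
    renewed = tm.access_token()          # 12 h: inside the renewal margin, exchanged again
    clock["t"] = now + REFRESH_TOKEN_TTL + 1
    try:
        tm.access_token()                # refresh token is 3 years old: hard stop
        blocked = False
    except RuntimeError:
        blocked = True
    return {"first": first, "cached": cached, "renewed": renewed,
            "exchanges": server.calls, "refresh_expired_blocks": blocked}
```

Call demo() to see the cached, renewed and blocked states; in a real integration the access token and refresh token would be kept in a secrets store rather than in process memory.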
4.3 Emails

You can use this function for e-mail communication between your system and your customers, in the email scenarios provided by SAP (for example, order confirmation, online shop registration). In the Communication -> Predefined Email Templates page, you can specify which email scenarios you want to use and customize the email templates sent to your customers. The SMTP settings or API connection to your email service must be configured in advance in the Communication -> Transactional Emails page. For SMTP settings, you provide the SMTP server address, port, username, and password of your email service, enabling SAP Anywhere to send emails from your address. As a more secure approach, you can also authorize SAP Anywhere to connect to your email provider's API using the OAuth protocol, without entering your email credentials into SAP Anywhere. If SMTP is used, use the TLS communication protocol, which is much more secure than the PLAIN (unencrypted) protocol.

5. User Administration and Authentication

5.1 User Management

User management for SAP Anywhere is in the Users and Roles tab. The following table provides an overview of all activities related to user administration that you can perform as tenant administrator.

View | Subview | Activity
Settings (SAP Anywhere) -> Users and Roles (SAP Anywhere) | Roles & Authorizations | Create and delete roles; define access rights in roles
Settings (SAP Anywhere) -> Users and Roles (SAP Anywhere) | Users | Create and delete users; lock and unlock users; change user password; assign business roles to users; grant or revoke administrator status for a user; grant or revoke technical support user status for a user

5.2 User Type

SAP Anywhere provides the following user types:

User Type | Description
Key User | The first user of a tenant, who is responsible for managing the tenant's configuration, users, roles, etc.
Normal User | A user type for normal business operation. A key user can create normal users as per business needs. Normal users must change their initial password during the first logon. The complexity of the password is determined by the assigned security policy.
Support User | A user type temporarily used by the SAP Support team to access the system as part of incident processing. This kind of user can only be created from the SAP Anywhere cloud operation console and expires after 4 hours by default. By default, a support user has only read-only permission in the tenant.

5.3 User Management

Every user type must authenticate itself to SAP Anywhere for regular browser-based frontend access, as well as for electronic data exchange, such as Business-to-Business communication. SAP Anywhere does not support anonymous access. When a new user is created in your SAP Anywhere tenant, for example during the hiring process of a new employee, a user ID is created. The user ID is usually the email address of the new user, as SAP Anywhere sends an activation mail to that email address, and the new user is prompted to set a logon password for SAP Anywhere.

5.4 Logon Using User ID and Password

Users log on to SAP Anywhere with their email and password. By default, users must set their initial password during the first logon. As a tenant key user, you can set an initial password per the security requirements of your company. If a user has forgotten the password, he or she can request a new one by using the Forgot password link on the logon screen. A dialog box is displayed where the user must enter the email address. Provided that the email address has already been entered for the corresponding employee in your tenant, an email containing a reset password link is sent to this email address. The system then allows the user to reset the password after clicking the link in the email. The password reset link can only be used once.

6. Authorizations

6.1 Authorization Assignment

The key user can assign authorizations to each normal user in the same tenant of SAP Anywhere. Normal users are assigned to different roles defined by the key user. The roles determine the functions that the user can use. Based on these functions, business object views are proposed for the users. Some business processes require approval from employees with specific roles. If you work as a key user, you have full functions in the SAP Anywhere solution.

6.2 Access Restriction

The key user can define whether a role has read or write access to a business object, and can also create or delete roles in the role setting view. Roles have to be assigned to users in the user view so that users get the authorizations.

6.3 Approval Process

The key user can define approval processes in the Users and Roles view. For the sales order, purchase order, and channel account creation processes, the key user can define at which stage and how to trigger approval, and who is able to approve the documents.

7. Mobile Applications

7.1 General Information

The following table provides information about the mobile devices on which you can run SAP Anywhere.

SAP Anywhere Apps | iPhone/iPad | BlackBerry | Android | Windows Phone | Offline Support
SAP Anywhere for iPad | Y (only for iPad) | N | N | N | N
SAP Anywhere Show and Sell | Y (only for iPad) | N | N | N | Y
SAP Anywhere Activity Stream | Y (only for iPhone) | N | N | N | Y

The Show and Sell app and the Activity Stream app support offline mode on iOS devices.

With SAP Anywhere mobile apps, you can access many of the functions that have been tailored to business on the run. Changes made in the mobile apps are automatically updated in the system over the Internet, online and in real time. Mobile apps connect to the SAP Anywhere solutions in the same way as personal computers do.

7.2 Mobile Apps

You can download the mobile apps for SAP Anywhere solutions from the iTunes Store. A notification is displayed on the device when a new version of the app is available for download.

7.3 Authorizations

When you use SAP Anywhere mobile apps, you use the same backend system and logon credentials as for desktop applications. In the Settings -> Users and Roles -> Roles & Authorizations page, ensure that the permissions on the relevant business objects are assigned to the mobile app users, for example:

- Show and Sell app: Customers, Sales Orders, Price Lists, Products, etc.
- Activity Stream app: Opportunities, Customers, Leads, Products, etc.

For more information, see Managing Roles and Authorizations in the help document center.

7.4 Secure System Access and Authentication

Access from mobile devices via the native mobile apps or the device browser (HTML5) is enabled by connecting to the backend system using HTTPS and the same user and password authentication used for connection from a personal computer. The offline mode for the Show and Sell app and the Activity Stream app is enabled by default, so no extra configuration is required. After logging on with your user name and password, you should set up a 4-digit PIN (personal identification number) code for the Show and Sell app and the SAP Anywhere for iPad app, and a pattern lock for the Activity Stream app, to accelerate your access to the apps without entering your full credentials.
7.5 Change and Reset of Password, PIN Code and Pattern Lock

You can only change your password from a web browser.

- Change password: Enter your current password first and create a new one in the Profile page.
- Reset password: If you forgot your password, you must reset it using your logon email for verification by clicking the Forgot password link in the logon page.
- Password expiration: Your password expires after 180 days, and you need to create a new one as prompted during the logon process.

Please note that in the above cases, your logon credentials in the apps are deleted; you must enter the updated password and reset the PIN code/pattern lock to use the SAP Anywhere mobile apps. For security reasons, your user name and password are not persisted in the mobile apps; instead, a security token is generated once your credentials are verified. The security token is stored in the apps and is valid for 4 weeks; after it expires, you need to enter your user name and password and set up the PIN code or pattern lock again.

7.6 Special Considerations

Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen. Therefore, we recommend that you use the security features provided by your mobile device platform. For example:

- Use an additional, sufficiently long PIN (personal identification number) to lock the device.
- Enable remote management software that allows you to lock the device remotely, or wipe data from it.

For information on how to operate your mobile device, refer to the device manufacturer's documentation.

7.7 Data Storage

The mobile apps for SAP Anywhere store three types of data on the mobile device, as outlined below.

7.7.1 Credentials Retention

When logging on to SAP Anywhere from a mobile app, the user is required to provide the user ID and system password. The mobile apps do not store this data; instead, a security token representing the user's logon session is generated by the backend once the credentials are verified. The security token is encrypted and stored on the mobile device using the secure storage features provided by the operating system of that device. The security token is valid for 4 weeks, and the user is required to enter his or her user name and password again after it expires. The PIN code or pattern lock set up by the user after logon is also encrypted and stored in the secure storage of the mobile device.

7.7.2 Cache Files

It is sometimes possible to upload pictures and other files from the mobile device to the SAP Anywhere mobile apps, for example pictures captured with a mobile phone's camera. Pictures captured within the apps are not stored in the album of the mobile device; but files uploaded from the album or the storage of the device are not managed through the SAP mobile apps. To protect sensitive or confidential data that such files may contain, we recommend that you take extra precautions appropriate for the specific mobile device in use. For more information, see the device manufacturer's documentation.

7.7.3 Offline Mode and Data Encryption

For the Show and Sell app and the Activity Stream app, on which offline mode is supported, data is stored on the device and encrypted using SQLCipher. Once the device is online, data is synchronized with the backend system.

8. Front-End Security

SAP Anywhere front ends consist of Web application user interfaces based on HTML5 technology. HTML is a markup language for the Web. HTML allows you to format text, add graphics, create links, input forms, frames, and tables, and save it all in a text file that any browser can read and display. The following HTML5-supported features are used in SAP Anywhere:

- X-Frame-Options response header to avoid clickjacking attacks
- Cross-site request forgery (CSRF) protection
- Cross-site scripting (XSS) protection during rendering

For more information, see the security information for HTML5.

9. Other Security-Relevant Information

9.1 Security Management and Continuous Improvement of Security

Security Management at SAP Cloud Solutions aims towards the continual improvement of the information security framework. SAP conducts several external audits to make sure that these aims are reached.

Certificate/Report | Interval | Conducted By
External penetration test | Once a year | Third-party security company
Internal validation | Quarterly | SAP security validation
Code Scan | Daily | Industry standard scanning tools
PCI DSS Level 1 | Once a year | Accredited auditing company

10. Personal Data Protection Information

10.1 What is Personal Data?

Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, according to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

Personal data in the SAP Anywhere solution is configured on the Customizing Business Objects page (Settings -> Setup -> Customizing Business Objects). To categorize a field as personal data, in the CRM area, select the relevant module (Lead, Contact, or Customer) and click Fields. In the list of fields, click the relevant field, and in the Edit System Field page, indicate whether the particular field contains personal data or not. Only fields of Text type can be marked as personal data. This functionality is available only to Key Users.

10.2 Identifying a Natural Person in the System

The Search functionality can be used to identify a natural person in the system. The functionality is available to all system users. The search is performed on the following fields across all business objects:

- First Name
- Last Name
- Remark
- Phone
- Cellphone
- Fax
- Email
- Website
- Created By / Updated By

When searching for a natural person, additional information such as the date of the specific order and the amount on the specific order can help narrow down the search. For further actions, the customer identifier that can be found in the Customers page is required.

10.3 Maintaining Personal Data in the CRM Menu

Personal data of leads, customers, and contacts can be maintained in the CRM menu, in the following modules:

- Leads
- Contacts
- Customers

The fields in these modules allow you to update personal data, such as the delivery address or mobile phone number, based on a customer request. Personal data can also be deleted by leaving the field blank. Documents already issued retain the personal data that was valid at the time of document creation. The association between the customer and the document is maintained even after the personal data is deleted.

10.4 Reports on Personal Data

According to the data protection initiative, a natural person should be able to obtain a report of all the personal data related to that person stored in the system. In SAP Anywhere, this information is provided in the Personal Data Report, which displays all personal data stored in business objects with fields marked as personal data. The report is accessible to Key Users only and can be found in Settings -> Customer Service -> Customer Personal Data Reports. Created reports can also be viewed in the Personal Data Reports page. After opening the report, personal data can then be erased.

10.5 Personal Data Retention Period

The retention period on a business object specifies how long the business object will retain the personal data after the data is deleted from the CRM menu. If a natural person initiates the deletion of personal data, the data will be retained until the retention period for the business object expires. The retention period setting can be found in Settings -> Customer Service -> Customer Personal Data Retention Rule. The feature is accessible to Key Users only. The retention period is specified in days in numeric format, and the default value is 0 days for all business objects. The retention period can be set for the following business objects:

- Credit Memo
- Invoice
- Payment
- Prepayment
- Sales Delivery
- Sales Order
- Sales Return
- Shipment

11. Important Disclaimers on Legal Aspects

This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http://help.sap.com/disclaimer.