Master Guide
SAP Asset Strategy and Performance Management
Document Version: 1.0 2017-11-30
Security Information for SAP Asset Strategy and Performance Management
2017 SAP SE or an SAP affiliate company. All rights reserved.
Document History

Version | Date | Change
3.9 | <2016-11-22> | Review and updated
Table of Contents

1 Introduction
1.1 Overview of the Main Sections
2 Before You Start
3 Security Aspects of Data, Data Flow and Processes
4 User Administration and Authentication
5 Data Storage Security
6 Other Security-Relevant Information
7 Data Protection
1 Introduction

The Security Guide provides an overview of the security-relevant information that applies to SAP Asset Strategy and Performance Management from a System Administrator perspective.

Note: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

System Administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Asset Strategy and Performance Management. To assist you in securing SAP Asset Strategy and Performance Management, we provide this Security Guide.

1.1 Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

Security Aspects of Data, Data Flow and Processes
This section provides an overview of security aspects involved throughout the most widely used processes within SAP Asset Strategy and Performance Management.

User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
o Recommended tools to use for user management
o Standard users that are delivered with SAP Asset Strategy and Performance Management
o Overview of how integration into Single Sign-On environments is possible

Data Storage Security
This section provides an overview of any critical data that is used by SAP Asset Strategy and Performance Management and the security mechanisms that apply.

Data Protection
This section provides information about how SAP Asset Strategy and Performance Management protects personal or sensitive data.
2 Before You Start

SAP Asset Strategy and Performance Management is built on top of SAP HANA Cloud Platform (HCP) using SAP UI5 as user interface technology as well as SAP ID Service as Identity and Access Management solution.

Table 1: Fundamental Security Information
Security-Related Material | Description
SAP HANA Cloud Solution Brief | SAP HANA Cloud Solution Overview
SAP Data Center | Data center home page with focus on security and certification
SAP Security Certificates | General SAP IT Security Certifications

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content | Quick Link on SAP Service Marketplace or SCN
Security | http://scn.sap.com/community/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes, http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP NetWeaver | http://scn.sap.com/community/netweaver
3 Security Aspects of Data, Data Flow and Processes

The following general security measures are in place, and are applicable to all scenarios:
o Encrypted connection through HTTPS
o User and role mapping with functional restrictions
o Access control lists limiting access to data only to permitted roles, companies and users

The table below shows the security aspect to be considered for the process step and what mechanism applies.

Step | Description | Security Measure
User authentication | The user logs on to the system. | Authentication process based on SAML 2.0 Standard takes place. Access credentials are not stored on site. Invalid session IDs and cookies are intercepted.
Document upload | Users can upload documents, including Microsoft Excel files, images, VDS files etc. | Virus scanning is in place for all uploaded documents. MIME Type check in place to prevent malicious uploads.
User administrative tasks | Administrators can add and remove user accounts, and change the role assignments of user accounts | Division of responsibilities ensures that only company Administrators can carry out the listed user administrative tasks.
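The MIME type check in the Document upload row, as an added example that is not SAP code: an allow-list check that the declared MIME type, the file extension and the leading bytes of an upload all agree. The allow-list contents, function names and sample uploads are assumptions; VDS is left out because the page gives no signature for it.

```python
# Added example (not SAP code): allow-list check that a declared MIME type,
# the file extension and the leading bytes of an upload all agree.
import os

# Assumed allow-list: MIME type -> (extensions, signatures at offset 0).
ALLOWED = {
    "image/png": ({".png"}, [b"\x89PNG\r\n\x1a\n"]),
    "image/jpeg": ({".jpg", ".jpeg"}, [b"\xff\xd8\xff"]),
    "application/pdf": ({".pdf"}, [b"%PDF-"]),
    # .xlsx is a ZIP container; legacy .xls is an OLE2 compound file.
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet":
        ({".xlsx"}, [b"PK\x03\x04"]),
    "application/vnd.ms-excel":
        ({".xls"}, [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"]),
}
XLSX = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"


def check_upload(filename, declared_mime, head):
    """Return (accepted, reason); head holds the first bytes of the file."""
    # Drop parameters such as "; charset=..." and normalise case.
    mime = declared_mime.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED:
        return False, "type not on allow-list"
    extensions, signatures = ALLOWED[mime]
    # Only the final extension counts, so "report.pdf.exe" is ".exe".
    ext = os.path.splitext(filename)[1].lower()
    if ext not in extensions:
        return False, "extension does not match declared type"
    if not any(head.startswith(sig) for sig in signatures):
        return False, "content does not match declared type"
    return True, "ok"


# Constructed sample uploads (not real files): name, declared type, first bytes.
SAMPLES = [
    ("pump.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("plan.xlsx", XLSX, b"PK\x03\x04\x14\x00"),
    ("photo.jpg", "image/jpeg", b"<html><script>"),        # HTML labelled as JPEG
    ("report.pdf.exe", "application/pdf", b"MZ\x90\x00"),  # double extension
    ("page.html", "text/html", b"<!doctype html>"),        # type not allowed
]


def run_samples():
    """Check every constructed sample; returns (name, accepted, reason) rows."""
    return [(name, *check_upload(name, mime, head)) for name, mime, head in SAMPLES]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

A matching signature only confirms the container format (any ZIP archive passes the .xlsx check), which is why the table pairs the type check with virus scanning of the content.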
4 User Administration and Authentication

SAP Asset Strategy and Performance Management uses the authentication mechanisms provided by SAP ID Service. The user management itself is specific to SAP Asset Strategy and Performance Management and does not rely on any external tools.

Information about user administration and authentication that specifically applies to SAP Asset Strategy and Performance Management is provided in the following topics:

User Management
This topic lists the tools to use for user management in SAP Asset Strategy and Performance Management.

Integration into Single Sign-On Environment
This topic describes how SAP Asset Strategy and Performance Management supports Single Sign-On mechanisms.

User Management

User management for SAP Asset Strategy and Performance Management uses the SAP HANA Cloud Platform and also makes use of SAP ID Service facilities. For an overview of how these mechanisms apply to SAP Asset Strategy and Performance Management, see the sections below.

User Administration Tools

SAP Asset Strategy and Performance Management uses the user administration provided by the SAP HANA Cloud Platform to manage users. System Administrators can add, remove and edit users. They can also assign multiple predefined roles to users and revoke them.

SAP Asset Strategy and Performance Management provides three predefined roles per application:

READ
Provides read authorizations to the selected user on the selected application.

EDIT
Provides read and write authorizations to the selected user on the selected application.

DELETE
Provides read, write and delete authorizations to the selected user on the selected application.

Integration into Single Sign-On Environments

SAP Asset Strategy and Performance Management supports the Single Sign-On (SSO) mechanisms provided by SAP HANA Cloud Platform in conjunction with SAP ID Service.

SAP Asset Strategy and Performance Management also allows customer trust accounts to be integrated with SAP HANA Cloud Platform to facilitate SSO using their own trust system.
5 Data Storage Security

SAP Asset Strategy and Performance Management saves data in a dedicated database provided by SAP HANA Cloud Platform. Access to the database comes preconfigured with the infrastructure environment. The database contains personal data (user profiles and company profiles), operational business data, and preferences and configurations. Information is updated continuously upon change. Documents, such as media files and PDFs, are stored in the SAP HANA Cloud document management system.

Data Protection

SAP Asset Strategy and Performance Management complies with data privacy and protection regulations. SAP Asset Strategy and Performance Management supports the following functionality:
o Helps customers delete personal data stored on the network using the user management application.
o Supports sharing the personal data of a person whose details have been stored on SAP Asset Strategy and Performance Management when the user requests it.
o Maintains audit trail information such as the name of the person who changed the personal data, and the time and date at which the data was changed or deleted.
6 Other Security-Relevant Information

SAP Asset Strategy and Performance Management is an SAP UI5-based application, and as such makes use of HTML5 and JavaScript. Active content (at least HTML5 and JavaScript) has to be enabled. This is mandatory, as SAP Asset Strategy and Performance Management will not work without it.

Session Security Protection

SAP Asset Strategy and Performance Management is restricted to operating with Secure Sockets Layer (SSL) and activated cookie handling in the browser only.

Security Lifecycle Management

SAP Asset Strategy and Performance Management is hosted and operated by SAP. The Cloud Operations, Business Operations, and Development Team continuously monitor security-relevant issues and keep the system and software up to date.
7 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note: In most cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Table 3: Glossary
DPP requirement | Implementation Status

Personal data
Whenever an admin performs changes to the user's personal data, the logs should reflect which personal data has been changed.
Currently, SAP Asset Intelligence Network performs the following steps. For each data set being subject to logging, the log stores the following information in SAP Asset Intelligence Network specific logging tables:
1. The user who is changing the data
2. The date and time of change
3. The data set's identifying keys and their values
4. The heading name for the attribute that has been changed

Consent
As SAP Asset Intelligence Network does not collect any personal data non-interactively (such as address book, geographic location, microphone, camera, documents or photos), explicit user consent is not required for SAP Asset Intelligence Network.
Consent is given by the organization to store its users' data when signing the contract with SAP Asset Intelligence Network. So SAP Asset Intelligence Network does not need to obtain consent explicitly from each user.

Read Access Logging
For sensitive personal data, which shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life and bank account data, the customer shall be able to log successful and unsuccessful attempts to access this data using read access logging tools.
As SAP Asset Intelligence Network doesn't have any sensitive personal data stored with it, this requirement is not relevant for SAP Asset Intelligence Network.

Deletion
Personal data needs to be destroyed if there is no longer a valid business purpose for which the personal data is required.
Currently, SAP Asset Intelligence Network supports the soft deletion of the user, that is, the deletion flag is set to true for that user and this user's information is not displayed anywhere in SAP Asset Intelligence Network. SAP Asset Intelligence Network doesn't support the retention periods concept, and so blocking is not supported (blocking means restricting access to personal data).

Information
SAP Asset Intelligence Network does not provide any report or display function which can be used to inform the data subjects (users) about the personal data stored about them.

Protect sensitive data
As SAP Asset Intelligence Network does not store any sensitive personal data, this requirement is not relevant for SAP Asset Intelligence Network.
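The change log from the Personal data row and the soft deletion from the Deletion row, as an added example that is not SAP code: two versions of a user record are compared and one log entry is written per changed attribute. The record layout, the function names and the choice to log attribute names without old or new values are assumptions.

```python
# Added example (not SAP code): per-attribute change log and soft deletion.
from datetime import datetime, timezone


def log_changes(actor, keys, before, after, now=None):
    """Diff two versions of a record; return one log entry per changed attribute.

    Each entry holds the four fields from the table: who, when, the record's
    identifying keys, and the name of the changed attribute. Assumption: old
    and new values are left out so the log does not copy personal data.
    """
    now = now or datetime.now(timezone.utc)
    entries = []
    for attribute in sorted(set(before) | set(after)):
        if before.get(attribute) != after.get(attribute):
            entries.append({
                "changed_by": actor,
                "changed_at": now.isoformat(),
                "keys": dict(keys),
                "attribute": attribute,
            })
    return entries


def soft_delete(actor, user, now=None):
    """Set the deletion flag instead of removing the row, and log the change."""
    updated = dict(user, deleted=True)
    keys = {"user_id": user["user_id"]}
    return updated, log_changes(actor, keys, user, updated, now)


def visible_users(users):
    """Display filter: flagged users never reach a list or detail view."""
    return [u for u in users if not u.get("deleted")]


if __name__ == "__main__":
    # Constructed sample record, not real data.
    alice = {"user_id": "u-100", "email": "alice@example.com", "phone": "555-0100"}
    edited = dict(alice, email="a.smith@example.com")
    for entry in log_changes("admin-7", {"user_id": "u-100"}, alice, edited):
        print(entry)
    flagged, entries = soft_delete("admin-7", edited)
    print(entries, visible_users([flagged]))
```

Because a soft-deleted row stays in the table, every read path has to apply the filter, and the personal data itself remains stored until it is physically removed.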
Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:
o Access control: Authentication features as described in section User Administration and Authentication
o Authorizations: Authorization concept as described in section Roles
o Availability control: As described in section Data Storage Security
o Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.

Caution
The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Related Information
Roles
www.sap.com/contactsap 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Material Number: