SAP Financial Consolidation Security Guide
Security Guide | CONFIDENTIAL
SAP Financial Consolidation
Document Version: 10.1 Support Package 09 – 2021-10-12
© 2021 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Document History [page 4]

2 Security Overview [page 6]
  2.1 Business Objects Enterprise Platform Overview [page 6]
  2.2 LDAP / Active Directory Connectivity [page 7]

3 User Administration and Authentication in Financial Consolidation [page 8]
  3.1 Using security in SAP Financial Consolidation [page 8]
  3.2 Managing users using BusinessObjects Enterprise XI authentication [page 8]
  3.3 Importing and exporting users in the BusinessObjects Enterprise XI platform and the SAP BusinessObjects User Management System [page 11]
    Exporting users with CMSExport [page 12]
    Importing users with ImportFromCMS [page 15]
  3.4 Connecting to SAP Financial Consolidation using Single Sign On between EPM Web Applications [page 19]
  3.5 Connecting to SAP Financial Consolidation using Single Sign On [page 20]
    Connecting to SAP Financial Consolidation HTML5 Web Client using Single Sign On [page 21]
    Connecting to the SAP Financial Consolidation Windows Client using Single Sign On [page 22]
    Connecting to SAP Financial Consolidation Excel Link (Web) using Single Sign On [page 23]
  3.6 Connecting to SAP Financial Consolidation Using SAML [page 24]
    Connecting to the SAP Financial Consolidation HTML5 Web Client Using SAML [page 24]
    Connecting to the SAP Financial Consolidation Windows Client Using SAML [page 30]
  3.7 Managing the "Enable Excel Pivot Table" Right [page 32]

4 User Administration and Authentication in Cube Designer [page 33]
  4.1 User Security Implementation Procedure [page 33]
  4.2 User Implementation Scenarios [page 34]
  4.3 Configuring Cube Designer Security into the BOE Platform [page 35]
    Creating User Groups in the Central Management Console [page 35]
    Creating Users [page 35]
    Configuring the EPM Connection Manager Application [page 37]
    Configuring the EPM Connections [page 39]
    Configuring Web Intelligence Connections [page 40]
    Configuring Access Rights on BI Launch Pad Folders [page 42]
    User Rights Table [page 43]
  4.4 Connecting to SSAS Cubes with Third Party Tools [page 43]
  4.5 Connecting to Cube Designer using Single Sign On [page 43]

5 Securing the Financial Consolidation Web Sites [page 45]


  5.1 Configuring SAP Financial Consolidation Web with Firewalls [page 45]
    Configuring DCOM for firewalls [page 47]
  5.2 Configuring HTTP Strict Transport Security in IIS [page 51]
  5.3 Configuring IIS for Custom Error Pages [page 52]
  5.4 Removing Unexpected HTTP Headers [page 52]
  5.5 Modifying the Cache-Control HTTP Headers [page 53]
  5.6 Protecting Web Sites against Clickjacking [page 54]
  5.7 Disabling the Unnecessary HTTP Methods [page 54]
  5.8 Avoiding HTTP Host Header Injections [page 55]
  5.9 Denying Access to Specific File Name Extensions [page 56]

6 Data Protection and Privacy [page 57]
  6.1 Displaying the Personal Information of a User from the SAP Financial Consolidation HTML5 web client [page 58]
  6.2 Displaying the Personal Information of a User from the SAP Financial Consolidation Windows Client [page 58]
  6.3 Displaying the Personal Information of a User from the Legacy Web Client [page 58]
  6.4 Displaying the Personal Information of a User from the SAP Financial Consolidation Excel (Web) Link [page 58]
  6.5 Displaying the Personal Information of a User from the SAP Financial Consolidation Excel Link [page 59]
  6.6 Displaying the Personal Information of a User from Cube Designer [page 59]
  6.7 Deleting Personal Data [page 59]
  6.8 Personal Data Portability [page 61]
  6.9 Logging Changes to Personal Data [page 61]

7 Restrictions on Uploading Attachments [page 62]

8 DCOM configuration [page 64]
  8.1 Checking the default DCOM configuration defined by the SAP Financial Consolidation setup [page 65]
  8.2 Specific DCOM configuration with different domains [page 66]
  8.3 Configuring Internet Explorer [page 69]

9 Encrypting the settings of the web.config file [page 70]

10 Installing X.509 certificates [page 72]
  10.1 Installing the X.509 certificate for Cube Deployer [page 72]
  10.2 Installing the X.509 certificate for BFC Monitoring [page 73]

11 EPM Add-in for Microsoft Office Security Settings [page 75]
  11.1 User Rights [page 75]
  11.2 Connections [page 75]


1 Document History

The following table provides an overview of the most important document changes.

Note: To find out more about the new features of SAP BusinessObjects Financial Consolidation 10.1, see https://help.sap.com/viewer/p/SAP_BUSINESSOBJECTS_FINANCIAL_CONSOLIDATION.

Version (date): description

SAP Financial Consolidation 10.1 SP05 (June, 2017): New chapter about Data Protection and Privacy: Data Protection and Privacy [page 57]

SAP Financial Consolidation 10.1 SP05 (June, 2017): Information added in the Securing the Financial Consolidation Web Sites [page 45] chapter:
● Configuring HTTP Strict Transport Security in IIS [page 51]
● Configuring IIS for Custom Error Pages [page 52]
● Removing Unexpected HTTP Headers [page 52]

SAP Financial Consolidation 10.1 SP06 (November, 2017): Information added on Single Sign On connections: Connecting to SAP Financial Consolidation using Single Sign On [page 20]

SAP Financial Consolidation 10.1 SP06 (November, 2017): Information added in the Data Protection and Privacy chapter: Data Protection and Privacy [page 57]

SAP Financial Consolidation 10.1 SP08 (March, 2019): Avoiding HTTP Host Header Injections [page 55]

SAP Financial Consolidation 10.1 SP08 Patch 1 (May, 2019): You can now use SAML to authenticate users when connecting to the SAP Financial Consolidation HTML5 web client: Connecting to the SAP Financial Consolidation HTML5 Web Client Using SAML [page 24]

SAP Financial Consolidation 10.1 SP08 Patch 2 (June, 2019): You can now use SAML to authenticate users when connecting to the SAP Financial Consolidation Windows client: Connecting to the SAP Financial Consolidation Windows Client Using SAML [page 30]

SAP Financial Consolidation 10.1 SP09 Patch 11 (October, 2021): You can now use Single Sign On to authenticate users when connecting to SAP Financial Consolidation Excel Link (Web): Connecting to SAP Financial Consolidation Excel Link (Web) using Single Sign On [page 23]


2 Security Overview

Each EPM application manages its own rights within the application, but authentication management is centralized in the BusinessObjects Enterprise XI (BOE) platform.

When you deploy the Financial Consolidation platform, authentication is therefore managed within the BusinessObjects Enterprise (BOE) platform.

Note: The internal authentication mode of the Financial Consolidation application is deprecated; it is therefore strongly recommended to use BOE authentication. The internal authentication mode does not work if you use the Financial Consolidation and Cube Designer components together.

You must install one of the following components:

● BusinessObjects Enterprise XI 4 (BOE XI 4). For more information on how to install it, see the SAP web site: http://help.sap.com.

● Or SAP BusinessObjects Information Platform Services 4. For more information on how to install it, see the SAP BusinessObjects Information Platform Services Installation Guide and the SAP web site: http://help.sap.com.

SAP BusinessObjects Information Platform Services implements the BusinessObjects Enterprise XI user management subsystem. It allows Enterprise Performance Management solutions to use BOE authentication without having to install a full BusinessObjects Enterprise XI platform.

The BOE platform is the core component of EPM applications. You can use this component as follows, depending on your environment configuration:

● The Central Management Console (CMC) allows you to configure all BOE applications, and also allows end-users to manage their passwords.

● The SAP BusinessObjects Cube Designer application in the BOE platform (also called SAP BusinessObjects EPM Solutions Connection Manager) allows you to manage the Cube Designer application (objects such as cube connection names).

● The BI Launch Pad application allows you to publish reports in a web portal.

Note: The BI Launch Pad application is not available with SAP BusinessObjects Information Platform Services.

The use of these different applications depends on the acquired licenses for the EPM Suite; different packages or license keys can be necessary depending on the technical architecture of your environment.

2.1 Business Objects Enterprise Platform Overview

When using the Financial Consolidation application, the following BOE components are also used:


● EPM Connection Manager Application: this component manages connectivity, security and authentication between the platform components at a global level.

● EPM Connections: this component manages connectivity, security and authentication between the platform components at the level of each "couple" Financial Consolidation database / SSAS database or Financial Consolidation database / NetWeaverBW database, or at the level of EPM Cube Designer used with Profitability and Cost Management and Planning and Consolidation datasources.

● BI Launch Pad: this component manages access to the web portal used to store EPM Add-in for Microsoft Office workbooks.

● Public folders: this component manages access rights to folders storing reports that you access via BI Launch Pad.

● Universes: this component enables access to universes that are automatically created when deploying solutions.

● Universes Connections: this component enables access to universes connections that are automatically created when deploying solutions.

Note: By default, you cannot see in the CMC the components specifically used by Financial Consolidation Cube Designer. You must install a plug-in (the EPM Connection Manager) to access those components. Once the EPM Connection Manager is installed, the EPM Connections menus appear in the CMC.

2.2 LDAP / Active Directory Connectivity

When you connect the BOE platform to LDAP or Active Directory, you can also connect several domains. However, there are some limitations:

● All applications must connect to the BOE platform.
● The BOE platform must connect to the Windows/AD directory using the Kerberos protocol to manage aliases.
● A "main" domain must be defined. Users of the main domain then use their Windows login; users of other domains must use a login of the form "DOMAIN\User".
● It is strongly recommended to configure SSL on the HTTP connections, so that Active Directory or LDAP passwords cannot be seen when a user logs on to the network.


3 User Administration and Authentication in Financial Consolidation

3.1 Using security in SAP Financial Consolidation

SAP Financial Consolidation enables you to manage users and user security within the BusinessObjects Enterprise XI 4 platform. The security is managed by two settings in the Administration console:

● The InternalAuthentificationConfigString key:
  ○ This key enables you to manage integrated security: users and passwords are managed directly by and in SAP Financial Consolidation.

Caution: You should use this parameter in one case only: when initializing a new, empty database that contains only the ADMIN user and no BusinessObjects Enterprise XI 4 users.

When security is managed internally by Financial Consolidation, passwords are stored in the database and encrypted with an RC2 algorithm from the Microsoft API.

● The ExternalAuthentificationConfigString key:
  ○ This key manages BOE (BusinessObjects Enterprise) authentication: the users are managed by the BOE XI 4 platform.

Caution: SAP recommends that you use the External authentication mode, as the Internal authentication mode is now deprecated.

3.2 Managing users using BusinessObjects Enterprise XI authentication

Context

You must configure BusinessObjects Enterprise XI user authentication in the External authentication dialog box when creating a new data source or directly in the External authentication config string setting in the Configuration page of the administration console.

If authentication is managed by the Business Objects Enterprise XI platform, you must choose between the two following options:


● Standard external authentication through the BusinessObjects Enterprise XI platform: select the BusinessObjects Enterprise XI authentication option and enter the name of the Central Management Server (CMS) of your BusinessObjects Enterprise XI platform in the CMS server name field.

Caution: This option is now deprecated; we recommend that you use the Web Service option described below. For the Financial Consolidation legacy web client only, you can still use this option.

● External authentication through the BusinessObjects Enterprise XI web service: select the BusinessObjects Enterprise XI authentication (Web Service) option and enter the complete web service name in the CMS server name field, as follows: http://CMS-SERVER-NAME:8080/dswsbobje/services/session.

Caution: This option is mandatory for all other authentication types, including those using the BusinessObjects Enterprise XI platform.

If you want to use Single Sign On between EPM applications installed with the same BusinessObjects Enterprise platform, select Activate SSO for Web EPM Suite. When you select this option, a session will be kept open on the CMS during the entire Financial Consolidation session for each Financial Consolidation user. Therefore, you must make sure that your Business Objects Enterprise XI license is for a sufficient number of users.

Caution: The following authentication modes are no longer supported by SAP BusinessObjects Financial Consolidation. They remain available only to ensure compatibility with previous versions. You must always use BusinessObjects Enterprise authentication, unless you are migrating from a previous SAP BusinessObjects Financial Consolidation version and your authentication mode must remain the same.

● Active Directory / LDAP authentication
● LDAP authentication
● Script authentication
● Plug-in authentication

Caution: If you want to use LDAP or Active Directory authentication, you must configure it in the BusinessObjects Enterprise XI Central Management Console. Additional authentication modes such as SAP NetWeaver are also supported through the BOE XI platform.

Note: If your BOE platform uses a CMS cluster, you must enter, in the CMS server URL field, the complete web service names of all cluster members, one by one, separated by a comma.


Procedure

1. Enter the fields in this dialog box as shown in the example below:

2. Configure external authentication: select the Business Objects XI authentication.
3. CMS server URL: enter the URL of the Central Management Server (CMS).

For example:

http://CMS-SERVER-NAME:8080/dswsbobje/services/session

Once you have defined BusinessObjects Enterprise XI as the authentication provider in the Administration console, you should create SAP Financial Consolidation users corresponding to the BusinessObjects Enterprise XI users.

You create users in SAP Financial Consolidation as follows:
4. In the Users view, create a new user and select the Authentication tab.
5. Select Use external authentication and enter the BOE user name in the Login field.

Note: If you want to use Single Sign On with the EPM Add-in for Microsoft Office or other EPM applications, you must create users in SAP Financial Consolidation as described above and add the following information in the Authentication tab: in the Alias area, enter the same alias as the one provided in the properties of the BusinessObjects Enterprise XI user, as indicated below:


Once you have saved this user in SAP Financial Consolidation, that user can only connect using the BusinessObjects Enterprise XI login and password, or connect directly to the application if Single Sign On has been configured.

Note: By default, error messages from the BI platform/IPS are displayed only in English, even if the language settings of the Financial Consolidation clients are set to other languages. If you want to add other languages, follow the procedure described in SAP Note 2548916.
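As an added example (not part of this guide or of the SAP product), the following Python function checks a value intended for the CMS server URL field: it splits a comma-separated CMS cluster list, verifies that each entry carries the complete web service path documented above, and flags plain-HTTP entries in line with the SSL recommendation in section 2.2. The host names used in the sample are constructed.

```python
from urllib.parse import urlsplit

# Complete web service name documented for the BOE XI session web service.
EXPECTED_PATH = "/dswsbobje/services/session"


def check_cms_server_urls(field):
    """Validate the CMS server URL field (one URL, or a comma-separated CMS cluster list).

    Returns a dict with the accepted URLs, hard errors (entry cannot be used as a
    web service name) and warnings (entry works but weakens credential protection).
    """
    result = {"urls": [], "errors": [], "warnings": []}
    for raw in field.split(","):
        url = raw.strip()
        if not url:
            result["errors"].append("empty entry (stray comma) in the CMS server URL field")
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            result["errors"].append(f"{url}: scheme must be http or https")
            continue
        if not parts.hostname:
            result["errors"].append(f"{url}: host name is missing")
            continue
        try:
            _ = parts.port  # raises ValueError when the port is not numeric
        except ValueError:
            result["errors"].append(f"{url}: port is not a number")
            continue
        if parts.path.rstrip("/") != EXPECTED_PATH:
            result["errors"].append(
                f"{url}: enter the complete web service name ending in {EXPECTED_PATH}")
            continue
        if parts.scheme == "http":
            # Section 2.2 recommends SSL so that directory passwords do not travel in clear text.
            result["warnings"].append(f"{url}: plain HTTP; prefer https for the BOE session web service")
        result["urls"].append(url)
    return result


if __name__ == "__main__":
    # Constructed example: a two-node CMS cluster, one node still reachable over plain HTTP.
    sample = ("https://cms1.example.test:8443/dswsbobje/services/session, "
              "http://cms2.example.test:8080/dswsbobje/services/session")
    report = check_cms_server_urls(sample)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
```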

3.3 Importing and exporting users in the BusinessObjects Enterprise XI platform and the SAP BusinessObjects User Management System

With the CMS tool, you can export SAP Financial Consolidation users to the Central Management Server (CMS) of the BOE XI platform or the SAP BusinessObjects User Management System, and you can import CMS users to SAP Financial Consolidation.


3.3.1 Exporting users with CMSExport

The CMSExport Tool enables you to export the users created in SAP Financial Consolidation to the CMS (Central Management Server) of the BOE platform (Business Objects Enterprise XI) or the SAP BusinessObjects Information Platform Services.

Note: This version only takes into account Financial Consolidation in integrated security mode, with the login and password managed by SAP Financial Consolidation. Users with LDAP, Active Directory or Windows HTML authentication will be considered in a future version.

This tool is composed of:

● An XML configuration file: CMSExportConfiguration.xml
● An .exe file: CMSExport.exe

Once this tool is executed:

● All users of the selected member profiles are taken into account and migrated into the CMS.
● For each migrated user, a corresponding user with the same login and a new, randomly generated password (except if one already exists) is created in the CMS.
● The existing Financial Consolidation users are associated with the new CMS logins created in the platform.
● Each new CMS user is also associated with a specific group, depending on the Financial Consolidation functional profiles defined in the configuration file of the tool.

Caution: It is the responsibility of the BOE administrator to set the relevant functional rights. The tool will NOT apply any functional rights to the migrated users and groups. The rights must be set manually.

3.3.1.1 Structure of the XML file

The file is located at the root of the SAP Financial Consolidation installation folder. By default, C:\Program Files (x86)\SAP\Financial Consolidation.

    <?xml version="1.0" encoding="utf-8"?>
    <CMSExportConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                     xmlns="http://xml.sap.com/2010/08/EPM/BFC/User/CMSExport">
      <FinanceFonctionalProfiles>
        <Profile>MyFP1</Profile>
        <Profile>MyFP2</Profile>
        <Profile>MyFP3</Profile>
      </FinanceFonctionalProfiles>
      <FinanceDataSource BrokerName="BROKER_MACHINE" DataSourceName="DATASOURCE_NAME" />
      <PasswordLength>8</PasswordLength>
      <ForcePasswordRenewal>false</ForcePasswordRenewal>
      <CMSGroupName>FinancialConsolidation</CMSGroupName>
      <LogFile>exportusers2CMS.log</LogFile>
      <OutputFile>CreatedUsers.csv</OutputFile>
      <UserConnectionType>Named</UserConnectionType>
    </CMSExportConfig>

This file is composed of the following XML tags:

FinanceFonctionalProfiles

This parameter corresponds to the Financial Consolidation functional profiles that will be processed by the export tool. By default, if it is empty, all Financial Consolidation users are migrated (except Windows-authenticated users and the admin user).

FinanceDataSource

This parameter must be filled in with the Financial Consolidation data source name and the data source manager (CtBroker) machine name.

PasswordLength

This parameter must be filled in with the password length you want to generate. By default, this is set to eight characters.

ForcePasswordRenewal

This parameter enables you to force the user to change the password at the first connection after migration. It must be set to either false or true. By default, it is set to false.

CMSGroupName

This parameter must be filled in with the CMS group name. It corresponds to the User Group created in the CMS where all the migrated users are imported. By default, this group is named FinancialConsolidation.

LogFile

This parameter corresponds to the log file that will be generated after execution of the tool. By default, it is named exportusers2CMS.log.


OutputFile

This parameter corresponds to the .csv file generated after the migration and indicating the CMS login names and randomly generated passwords that have been created. By default, the file is named CreatedUsers.csv.

UserConnectionType

This parameter corresponds to two different user types: Named or Concurrent. It depends on the type of license you are using within the BOE platform. By default, this parameter is set to Named.

3.3.1.2 Migration procedure

3.3.1.2.1 Requirements before executing the migration

Caution: Before migrating users, make sure that no users are connected and working in the SAP Financial Consolidation application.

1. In the SAP Financial Consolidation administration console, set the external authentication parameter to BusinessObjects XI authentication.

2. Enter in the XML file the login of an SAP Financial Consolidation user who is defined as an administrator in his user profile, is configured with external authentication, and has administration rights on the BOE platform.

Tip: It is recommended that you create a dedicated user to execute the migration. Do not use the Financial Consolidation ADMIN login.

3.3.1.2.2 Migration steps

Procedure

1. Execute the tool from the server where the Data Source Manager is located (where the CtBroker.exe process runs).

2. Edit the XML file.
3. Complete the XML file with the relevant parameters, depending on the configuration of your SAP Financial Consolidation and Cube Designer applications.


4. Save the file.
5. Open the Command Prompt by selecting Run as administrator.
6. From the Financial Consolidation installation folder, execute the following command line:

    CMSExport.exe CMSExportConfiguration.xml FC_USER_NAME [FC_USER_PASSWORD]

FC_USER_NAME: this parameter corresponds to the login name that is used to connect to Financial Consolidation and to the CMS.

FC_USER_PASSWORD: this parameter corresponds to the user login above. If there is no password associated to the login, you can skip this parameter in the command line.

Caution: This user must have administrator rights on the Financial Consolidation platform AND on the Central Management Server of the BOE platform or Information Platform Services. Do not use the Financial Consolidation ADMIN login.

7. Verify that all users have been properly deployed to the CMS.
8. Set the relevant functional rights in the Central Management Console, depending on the user groups you want to define.

Caution: A user with multiple functional rights in Financial Consolidation will probably be deployed into several different user groups in the CMS.

3.3.2 Importing users with ImportFromCMS

The ImportFromCMS Tool enables you to import users created in the Central Management Server (CMS) of the BOE platform (Business Objects Enterprise XI) or SAP BusinessObjects Information Platform Services to SAP Financial Consolidation.

Note: This version only takes into account Financial Consolidation in integrated security mode, with the login and password managed by SAP Financial Consolidation.

This tool is composed of:

● An XML configuration file: ImportFromCMSConfiguration.xml
● An .exe file: ImportFromCMS.exe

Once this tool is executed:

● The CMS group is processed. All CMS user members of the CMS group are taken into account and migrated into SAP Financial Consolidation.

● Each user is attributed a Financial Consolidation user login and password as specified in the XML configuration file.

● For each migrated user, a corresponding Financial Consolidation broker and data source, level, owner group, functional profile and data access group are attributed, as specified in the XML configuration file.

● Each new user has a status of either active or inactive.
● A log file is created, detailing all of the operations.
● A .csv file is created, listing all of the users migrated to Financial Consolidation and the associated CMS login names.

3.3.2.1 Structure of the XML file

The file is located at the root of the SAP Financial Consolidation installation folder. By default, C:\Program Files (x86)\SAP\Financial Consolidation.

    <?xml version="1.0"?>
    <ImportFromCMSConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                         xmlns="http://xml.sap.com/2010/08/EPM/BFC/User/ImportFromCMS">
      <FinanceFonctionalProfiles>
        <Profile>MyFP1</Profile>
        <Profile>MyFP2</Profile>
      </FinanceFonctionalProfiles>
      <FinanceDataSource BrokerName="BROKER_MACHINE" DataSourceName="DATASOURCE_NAME" />
      <CMSGroup>CMSUsersGroup</CMSGroup>
      <FinanceDataAccessGroup>FDAG</FinanceDataAccessGroup>
      <FinanceUserActive>true</FinanceUserActive>
      <FinanceLevel>Standard</FinanceLevel>
      <LogFile>ImportFromCMS.log</LogFile>
      <OutputFile>CreatedUsers.csv</OutputFile>
      <FinanceGroups>
        <Group>FCGroup</Group>
      </FinanceGroups>
    </ImportFromCMSConfig>

This file is composed of the following XML tags:

FinanceFonctionalProfiles

This parameter corresponds to the Financial Consolidation functional profiles that will be processed by the import tool. This parameter is mandatory.

FinanceDataSource

BrokerName: Financial Consolidation broker computer name. This parameter is mandatory.

DataSourceName: Financial Consolidation data source name. This parameter is mandatory.


CMSGroup

This parameter corresponds to the CMS group name containing the CMS users to take into account. This parameter is mandatory.

FinanceDataAccessGroup

This parameter corresponds to the name of the Financial Consolidation Data Access group to set for the created user. This parameter is mandatory.

FinanceUserActive

This parameter specifies if the user created will be active or inactive. The default value is "True".

FinanceLevel

This parameter must be filled in with the Financial Consolidation user level for the newly created Financial Consolidation users. The default value is "Standard".

LogFile

This parameter corresponds to the log file that will be generated after execution of the tool. The default value is ImportFromCMS.log.

OutputFile

This parameter corresponds to the .csv file generated after the migration, listing the Financial Consolidation login names that have been created together with their randomly generated passwords. The default value is CreatedUsers.csv. Because this file contains plaintext credentials, restrict access to it to the administrator running the migration and delete it once the passwords have been handed over to the users.

Group

This parameter must be filled in with the Financial Consolidation owner group name. This parameter is mandatory.


3.3.2.2 Migration procedure

3.3.2.2.1 Requirements before executing the migration

The SAP Financial Consolidation data source must have external authentication set to Business Objects, with a valid CMS specified.

The Financial Consolidation user that executes the migration must have SAP Financial Consolidation user administration rights.

Users created in SAP Financial Consolidation using the import tool are created with options defined in the XML configuration file.

3.3.2.2.2 Migration steps

Procedure

1. Work on the server where the Data Source Manager is located (where the CtBroker.exe process runs): the tool must be executed from that server.
2. Edit the XML file.
3. Complete the XML file with the relevant parameters, depending on the configuration of your SAP Financial Consolidation and Cube Designer applications.
4. Save the file.
5. Open the Command Prompt by selecting Run as Administrator.
6. From the Financial Consolidation installation folder, execute the following command line:

ImportFromCMS.exe ImportFromCMSConfiguration.xml FC_USER_NAME [FC_USER_PASSWORD]

FC_USER_NAME: this parameter corresponds to the login name that is used to connect to Financial Consolidation and to the CMS.

FC_USER_PASSWORD: this parameter is the password of the login above. If no password is associated with the login, you can omit this parameter from the command line. Note that a password passed on the command line is visible in the process list and in the command history of the session, so clear the history after the migration.

Caution: This user must have administrator rights on the Financial Consolidation platform AND on the Central Management Server of the BOE platform or Information Platform Services. Do not use the Financial Consolidation ADMIN login.

7. Verify that all users have been properly migrated to SAP Financial Consolidation.


3.3.2.3 Importing Active Directory Users from the BOE Platform

If the users you want to import from the BOE platform are configured with Active Directory syntax, you must take into account the following:

Active Directory can be used with two syntaxes:

● Domain\user, or
● username@domainname

If the BOE platform uses the second syntax, the import tool imports the logins in that form. Because Financial Consolidation does not recognize this syntax, you must manually change the passwords of these users once they have been imported into the Financial Consolidation database.
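The checks described in this section (mandatory tags, documented defaults, and the Active Directory login syntax that Financial Consolidation does not recognize) as a Python script run before ImportFromCMS.exe. This is an added example, not code shipped with the guide or with the ImportFromCMS tool: the sample configuration is the one listed above, the CMS login list is constructed, and the script only validates the file, it does not call the tool.

```python
"""Added example, not part of the SAP guide: sanity-check an
ImportFromCMSConfiguration.xml before running ImportFromCMS.exe, and flag CMS
logins whose syntax Financial Consolidation will not recognise.
Tag names, namespace and defaults are the ones documented above; the sample
XML and the login list are constructed for this example."""
import xml.etree.ElementTree as ET

NS = "http://xml.sap.com/2010/08/EPM/BFC/User/ImportFromCMS"

# Optional tags and the default the tool applies when they are absent.
DEFAULTS = {
    "FinanceUserActive": "true",
    "FinanceLevel": "Standard",
    "LogFile": "ImportFromCMS.log",
    "OutputFile": "CreatedUsers.csv",
}


def q(tag):
    """Qualify a tag with the ImportFromCMS namespace."""
    return "{%s}%s" % (NS, tag)


def load_config(xml_text):
    """Parse the configuration and return (effective settings, problems).
    An empty problems list means every mandatory parameter is present."""
    root = ET.fromstring(xml_text)
    problems, cfg = [], {}
    if root.tag != q("ImportFromCMSConfig"):
        problems.append("root element is not ImportFromCMSConfig in namespace %s" % NS)

    # Mandatory single-value tags.
    for tag in ("CMSGroup", "FinanceDataAccessGroup"):
        el = root.find(q(tag))
        text = (el.text or "").strip() if el is not None else ""
        if not text:
            problems.append("%s is mandatory" % tag)
        cfg[tag] = text

    # Mandatory lists: functional profiles and owner group(s).
    for parent, child in (("FinanceFonctionalProfiles", "Profile"), ("FinanceGroups", "Group")):
        values = [c.text.strip() for c in root.findall("%s/%s" % (q(parent), q(child)))
                  if c.text and c.text.strip()]
        if not values:
            problems.append("%s needs at least one %s" % (parent, child))
        cfg[parent] = values

    # FinanceDataSource carries two mandatory attributes.
    ds = root.find(q("FinanceDataSource"))
    for attr in ("BrokerName", "DataSourceName"):
        value = ds.get(attr, "") if ds is not None else ""
        if not value:
            problems.append("FinanceDataSource/@%s is mandatory" % attr)
        cfg[attr] = value

    # Optional tags: apply the documented defaults.
    for tag, default in DEFAULTS.items():
        el = root.find(q(tag))
        text = (el.text or "").strip() if el is not None else ""
        cfg[tag] = text or default
    if cfg["FinanceUserActive"].lower() not in ("true", "false"):
        problems.append("FinanceUserActive must be true or false")
    return cfg, problems


def ad_login_syntax(login):
    """Classify an Active Directory login retrieved from the CMS:
    'domain' for DOMAIN\\user, 'upn' for user@domain, 'plain' otherwise."""
    if "\\" in login:
        return "domain"
    if "@" in login:
        return "upn"
    return "plain"


def users_needing_password_reset(cms_logins):
    """user@domain logins are imported but not recognised by Financial
    Consolidation, so their passwords must be changed manually afterwards."""
    return [login for login in cms_logins if ad_login_syntax(login) == "upn"]


# Constructed sample: the configuration from the guide, with the optional
# LogFile and OutputFile tags left out so that the defaults apply.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<ImportFromCMSConfig xmlns="http://xml.sap.com/2010/08/EPM/BFC/User/ImportFromCMS">
  <FinanceFonctionalProfiles><Profile>MyFP1</Profile><Profile>MyFP2</Profile></FinanceFonctionalProfiles>
  <FinanceDataSource BrokerName="BROKER_MACHINE" DataSourceName="DATASOURCE_NAME" />
  <CMSGroup>CMSUsersGroup</CMSGroup>
  <FinanceDataAccessGroup>FDAG</FinanceDataAccessGroup>
  <FinanceUserActive>true</FinanceUserActive>
  <FinanceLevel>Standard</FinanceLevel>
  <FinanceGroups><Group>FCGroup</Group></FinanceGroups>
</ImportFromCMSConfig>"""

# Constructed variant with the mandatory CMSGroup and DataSourceName removed.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("<CMSGroup>CMSUsersGroup</CMSGroup>", "") \
    .replace(' DataSourceName="DATASOURCE_NAME"', "")

if __name__ == "__main__":
    print(load_config(SAMPLE_CONFIG))
    print(load_config(BROKEN_CONFIG)[1])
    print(users_needing_password_reset(["CORP\\alice", "bob@corp.example", "carol"]))
```

Run it against your own configuration file before step 6 of the procedure; any entry in the problems list is something the tool would otherwise reject or silently default.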

3.4 Connecting to SAP Financial Consolidation using Single Sign On between EPM Web Applications

EPM for Finance applications introduce a Single Sign On (SSO) mechanism between web applications.

SSO allows a user to sign on to one EPM for Finance web application and then use other EPM web applications without having to enter his credentials.

For example, a user enters their credentials to connect to the SAP BusinessObjects InfoView web portal and receives a BusinessObjects Enterprise XI session cookie. From SAP BusinessObjects InfoView, the user opens the SAP Financial Consolidation web application in the same browser session and is logged on automatically, without re-entering credentials: the BusinessObjects Enterprise XI session cookie is reused.

A reverse proxy server may be required if you are using single sign-on (SSO), because the session cookie is only sent to web applications served under the same URL domain name.

For SSO to work, follow these prerequisites:

● The SAP BusinessObjects Business Intelligence platform must be integrated with the Windows Active Directory. To find out more, see the Business Intelligence Platform Administrator Guide, chapter Windows AD authentication.

● You need to activate the Kerberos delegation inside the domain where the different components are installed.

● Use the SAP BusinessObjects authentication with the same SAP BusinessObjects Enterprise platform for all EPM for Finance applications

● Use the same URL domain name for all EPM for Finance application web sites:
○ either all EPM for Finance application web servers are installed on the same physical server,
○ or each web application is installed on a separate server and all URLs are published through the same reverse proxy server.

Note: To enable the connection in several IE windows instead of several tabs within the same IE window:


1. Open Internet Explorer.
2. Click the Tools button (or press Alt + X).
3. Click Compatibility View settings.
4. In the Change Compatibility View Settings dialog box, paste the SAP Financial Consolidation web URL in the Add this web site box and click Add.
5. Click Close.
6. Close Internet Explorer.

If you are using a multiple web server configuration with a NLB (Network Load Balancing) device, configure the NLB URL in the reverse proxy.

For example, with Apache as the reverse proxy and a Financial Consolidation web application deployed on MyServer, the httpd.conf configuration file would contain the following lines:

ProxyPass /FinancialConsolidation http://MyServer/Finance
ProxyPassReverse /FinancialConsolidation http://MyServer/Finance

3.5 Connecting to SAP Financial Consolidation using Single Sign On

Prerequisites

To connect to SAP Financial Consolidation using SSO, the following prerequisites are necessary:

● The SAP BusinessObjects Business Intelligence platform must be integrated with the Windows Active Directory. To find out more, see the Business Intelligence Platform Administrator Guide, chapter Windows AD authentication, including the section regarding Single Sign-On setup.

● You need to activate the Kerberos delegation inside the domain where the different components are installed.

● You need to configure the external authentication in the administration console, by selecting the Business Objects Enterprise XI Authentication (Web Service) and the Activate SSO for Web EPM Suite option.

Caution: Install the SAP Financial Consolidation components on separate machines. If all the components are installed on the same machine, the SSO authentication mechanism does not work properly.


3.5.1 Connecting to SAP Financial Consolidation HTML5 Web Client using Single Sign On

Prerequisites

You must register a service principal name (SPN) for Kerberos connections to the web server, for example HTTP/IIS_Server.my.domain.com, on the domain account that will run the HTML5 application pool (see step 7 below).

Context

To connect to SAP Financial Consolidation HTML5 Web Client using SSO, you must follow the procedure below:

Procedure

1. On the web server, open IIS, select the HTML5 Web Site, and open the Authentication feature.

CautionYou must perform this configuration at the HTML5 web site level, not at the default web site level.

2. Deactivate the following features:

○ Anonymous Authentication
○ ASP.NET Impersonation (not needed, as delegation is used)

3. Activate Windows Authentication.
4. In the Windows Authentication feature, select Advanced Settings and uncheck the Enable Kernel-mode authentication option (not needed, as the SPN is registered on a custom domain account).
5. Then select Providers.
6. In the Providers dialog box, select the Negotiate and then the NTLM providers and add them to the list of enabled providers.

Note: The Negotiate provider must appear as the first available provider in the list.

7. Configure the application pool corresponding to the Financial Consolidation HTML5 web site with the same Windows account as the one on which you registered the service principal name (SPN).

8. On the HTML5 web client, configure your browser with the "Automatic logon only in Intranet zone" option.

9. On the Windows client, when creating the corresponding user, select the Use external authentication option and enter the login (without the domain name). The alias is displayed automatically once the user has connected to the application. The prefix of this alias is secWinAD when using Active Directory authentication.

10. Finally, when configuring the external authentication in the administration console, select the Business Objects Enterprise XI Authentication (Web Service) and the Activate SSO for Web EPM Suite option.
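Steps 2 to 7 of this procedure are easy to get subtly wrong (kernel-mode left on, NTLM ahead of Negotiate, the pool running as a different account than the SPN), and IIS does not warn about any of them. The following Python script audits IIS configuration exported from the HTML5 web site (for example with appcmd list config) against those settings. It is an added example, not code from the guide or from SAP: the XML samples are constructed in the layout IIS uses for these sections, and the account name CORP\svc-fc-web standing in for the SPN account is an assumption.

```python
"""Added example, not part of the SAP guide: audit IIS configuration exported
from the HTML5 web site against the Windows Authentication settings required
by the procedure above. The XML samples are constructed in the layout IIS
uses for these sections; the account CORP\\svc-fc-web standing in for the
SPN account is an assumption."""
import xml.etree.ElementTree as ET


def audit_html5_site(xml_text, spn_account):
    """Return the deviations from the required setup; [] means steps 2 to 7
    of the procedure are reflected in the configuration."""
    root = ET.fromstring(xml_text)
    findings = []

    auth = root.find(".//authentication")
    if auth is None:
        return ["no security/authentication section found"]

    # IIS defaults are anonymous on, Windows auth off, kernel mode on,
    # so a missing attribute is read as the default.
    anon = auth.find("anonymousAuthentication")
    if anon is None or anon.get("enabled", "true").lower() != "false":
        findings.append("Anonymous Authentication must be disabled")

    win = auth.find("windowsAuthentication")
    if win is None or win.get("enabled", "false").lower() != "true":
        findings.append("Windows Authentication must be enabled")
    else:
        if win.get("useKernelMode", "true").lower() != "false":
            findings.append("Enable Kernel-mode authentication must be unchecked "
                            "(the SPN is on a custom domain account)")
        providers = [p.get("value") for p in win.findall("providers/add")]
        if providers[:1] != ["Negotiate"]:
            findings.append("Negotiate must be the first enabled provider, found %s" % providers)
        if "NTLM" not in providers:
            findings.append("NTLM provider must be enabled")

    ident = root.find(".//identity")
    if ident is not None and ident.get("impersonate", "false").lower() == "true":
        findings.append("ASP.NET Impersonation must be disabled (Kerberos delegation is used)")

    pool = root.find(".//applicationPools/add/processModel")
    if pool is None or pool.get("userName", "").lower() != spn_account.lower():
        findings.append("application pool must run as the SPN account %s" % spn_account)
    return findings


# Constructed sample that matches the procedure.
GOOD_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" useKernelMode="false">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <identity impersonate="false" />
  </system.web>
  <system.applicationHost>
    <applicationPools>
      <add name="WebHTML5Pool">
        <processModel identityType="SpecificUser" userName="CORP\\svc-fc-web" />
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>"""

# Constructed drift: anonymous re-enabled, kernel mode left on, and the two
# providers swapped (three replaces so that NTLM ends up before Negotiate).
BAD_CONFIG = (GOOD_CONFIG
              .replace('anonymousAuthentication enabled="false"', 'anonymousAuthentication enabled="true"')
              .replace('useKernelMode="false"', 'useKernelMode="true"')
              .replace('value="Negotiate"', 'value="SWAP"')
              .replace('value="NTLM"', 'value="Negotiate"')
              .replace('value="SWAP"', 'value="NTLM"'))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_html5_site(cfg, "CORP\\svc-fc-web"))
```

The audit reads the site-level section only; remember the caution above that the settings must be made on the HTML5 web site, not on the default web site, so export the configuration of that site.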

3.5.2 Connecting to the SAP Financial Consolidation Windows Client using Single Sign On

Context

To connect to SAP Financial Consolidation Windows Client using SSO, you must follow the procedure below:

Procedure

1. Select Start > All Programs > SAP Financial Consolidation.

The User Identification dialog box opens.

2. Select the Windows option.
3. Click OK.


3.5.3 Connecting to SAP Financial Consolidation Excel Link (Web) using Single Sign On

Context

To connect to SAP Financial Consolidation Excel Link (Web) using SSO, you must follow the procedure below:

Procedure

1. Open Microsoft Excel and select the Add-Ins tab.

2. Select Financial Consolidation > Connect.

The User Identification dialog box opens.


3. In the Data source area, enter the URL of the legacy web site.
4. Select the Windows option.
5. Click OK.

3.6 Connecting to SAP Financial Consolidation Using SAML

The following sections will guide you through the process of using the SAML2 protocol with SAP Financial Consolidation.

Caution: The SAML2 protocol is not supported with the following components:

● Legacy Web Client
● Excel Link (Web)
● Import Export Tool
● Cube Designer
● Archiving Tool

Related Information

Connecting to the SAP Financial Consolidation HTML5 Web Client Using SAML [page 24]
Connecting to the SAP Financial Consolidation Windows Client Using SAML [page 30]

3.6.1 Connecting to the SAP Financial Consolidation HTML5 Web Client Using SAML

The SAML 2.0 protocol can be used to authenticate users when connecting to the SAP Financial Consolidation HTML5 web client. Only IdP Post Responses are supported.

Caution: This authentication mode is supported only as of SAP Financial Consolidation 10.1 SP08 Patch 1.

Note: You can only use SAML with the HTML5 web client and the Windows client; it is not supported by the legacy web client.


3.6.1.1 Business Intelligence Platform Prerequisites

Context

Before enabling SAML protocol for the SAP Financial Consolidation HTML5 web client, you must perform the following configuration prerequisites on the BI platform:

1. Install and configure Trusted Authentication based on an X509 certificate.
2. Secure Trusted Authentication.

Related Information

Installing and Configuring Trusted Authentication Based on the X509 Certificate [page 26]
Securing Trusted Authentication [page 27]


3.6.1.1.1 Installing and Configuring Trusted Authentication Based on the X509 Certificate

Context

To install and configure Trusted Authentication based on the X509 certificate on the Central Management Console of the BI platform, follow the procedure below:

Procedure

1. Enable and configure Trusted Authentication on the Central Management Console of the BI platform, as indicated in the Business Intelligence Platform RESTful Web Service Developer Guide, in the following chapter: https://help.sap.com/viewer/db6a17c0d1214fd6971de66ea0122378/4.2.4/en-US/ec5348346fdb101497906a7cb0e91070.html.

2. When selecting the Retrieving Method in step 7 of the procedure above, you must:

○ Select either HTTP_HEADER or QUERY_STRING,
○ Set the User Name Parameter to X-SAP-TRUSTED-USER.

3. To customize the Business Intelligence platform RESTful web service, in the biprws.properties file located under <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\biprws\WEB-INF\config\custom\, you must:

○ Set the Retrieving_Method to QUERY_STRING or HTTP_HEADER (the same method as in the CMC),
○ Set the User_Name_Parameter to X-SAP-TRUSTED-USER.

Note: If you changed the default location of the TrustedPrincipal.conf file in step 1, make sure to add the shared secret key to the biprws.properties file in the Trusted_Auth_Shared_Secret parameter.

4. Verify that you are able to retrieve a logon token by using the .../biprws/logon/trusted/ API, as indicated in the Business Intelligence Platform RESTful Web Service Developer Guide, in the following chapter: https://help.sap.com/viewer/db6a17c0d1214fd6971de66ea0122378/4.2.4/en-US/ec3bebdd6fdb101497906a7cb0e91070.html


3.6.1.1.2 Securing Trusted Authentication

Context

The Trusted API reads the user name from the location you configured in the Central Management Console of the BI platform in the previous section (HTTP_HEADER or QUERY_STRING). On its own, the application has no way of verifying where that request came from: any client that can reach the RESTful web service can assert an arbitrary user name and obtain a logon token for it. If Trusted Authentication is not secured as described below, impersonation is therefore possible.

To secure Trusted Authentication, follow the procedure below:

Procedure

1. Log on to the Central Management Console of the BI platform, and navigate to Servers > Servers List > WACS (WebApplicationContainerServer) > Properties.

2. In the HTTPS Configuration section, check the Enable HTTPS option.
3. Configure the keystore details generated earlier as indicated in the Business Intelligence Platform Administrator Guide, in the following chapter: https://help.sap.com/viewer/2e167338c1b24da9b2a94e68efd79c42/4.2.4/en-US/469a2b9f6e041014910aba7db0e91070.html.

4. Add the X509 certificate under: <INSTALLDIR>\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\.

5. Under <INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\custom\, edit the global.properties file and modify the following parameters:

Parameter: trusted.auth.user.enablex509
Value: True

Parameter: trusted.auth.user.enablex509.certname
Value: the name of the certificate you generated on the BI platform server

6. Restart Tomcat.

Note: To find out more, you can consult the following blogs: https://blogs.sap.com/2017/06/06/trusted-x509-authentication-support-in-sap-businessobjects-platform-rest-sdk-part-1/ and https://blogs.sap.com/2017/06/06/trusted-x509-authentication-support-in-sap-businessobjects-platform-rest-sdk-part-2/ .


3.6.1.2 Activating SAML for SAP Financial Consolidation HTML5 Web Client

Prerequisites

It is recommended that you configure IIS so that any request to the client certificate .p12 extension will be denied, as indicated in Denying Access to Specific File Names Extensions [page 56].

Procedure

1. On the SAP Financial Consolidation web server, in the deployment folder of your SAP Financial Consolidation HTML5 web site, open the Certificates folder.

2. Rename the X509 Client Certificate that you installed on your BI platform (see previous chapter) to client.p12.

Caution: It is mandatory to rename the client certificate to client.p12.

3. In the deployment folder of your SAP Financial Consolidation HTML5 web site, rename the saml.config.template file to saml.config.

4. Open the saml.config file to edit the following code syntax:

<?xml version="1.0" encoding="utf-8"?>
<appSettings>
  <!-- Specify the SAML provider url -->
  <add key="SamlEndpoint" value="https://idp.ims.local/adfs/ls/" />
  <!-- Specify the certificate from your SAML provider -->
  <add key="X.509_Cert" value="..." />
  <!-- put your app's "unique ID" -->
  <add key="AppId" value="http://localhost/WebUI5/Saml" />
  <!-- specify the SAML provider url here, aka "Endpoint" -->
  <add key="ConsumerUrl" value="https://localhost/WebHTML5/SamlConsume" />
  <!-- specify the BOE Rest Services Endpoint in CMC Applications -> RESTful Webservices -> Right click and select properties -->
  <add key="biprws" value="https://10.208.195.176/biprws" />
  <!-- specify the client certificate password if BOE validates against an x509 certificate -->
  <add key="CertificatePassword" value="Password1" />
</appSettings>

5. Modify the values of the following keys:

SamlEndpoint: Enter the SAML Identity Provider URL. This activates the Log on with SAML option on the logon page of the SAP Financial Consolidation HTML5 web client.

X.509_Cert: Enter the name of the X509 certificate you installed on the IdP (Identity Provider) of the BI Platform server.

AppId: Enter the Financial Consolidation unique ID that you entered in the IdP.

ConsumerUrl: Modify the URL https://<your_web_server>/WebHTML5/SamlConsume with the name of the Financial Consolidation application deployed in your environment.

biprws: Enter the BI Platform REST Services Endpoint of the CMC (Central Management Console).

Caution: The HTTPS protocol is mandatory.

CertificatePassword: Enter the client certificate password (the password of the client.p12 file).

6. Save the file.
7. Open the web.config file located in the deployment folder of your application.
8. In the <configuration> section, add the "saml.config" parameter to the existing <appSettings> tag:

<configuration>
  <appSettings file="saml.config">

9. Open the SAP Financial Consolidation administration console and verify that the BOE XI Authentication (Web Services) is selected in the External Authentication parameter of the data source.

10. If you want to use SAML to connect to the Financial Information Management application, you must also check the Activate SSO for Web EPM option.

11. If you want to allow specific users to connect using the standard authentication instead of SAML authentication, add the following parameter at the end of the HTML5 web site URL: NoSso=true. For example, https://localhost/WebHTML5/login?NoSso=true.


12. To encrypt the <appSettings> section of the saml.config file, which otherwise stores the client certificate password in clear text, execute the following command:

aspnet_regiis -pef "appSettings" \<INSTALLDIR>\inetpub\wwwroot\WEBHTML5

Note: To decrypt it again, use:

aspnet_regiis -pdf "appSettings" \<INSTALLDIR>\inetpub\wwwroot\WEBHTML5

13. You must then configure your IdP with the following single sign on URL (the location where the SAML assertion is sent): https://<your_web_server>/WebHTML5/SamlConsume.
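The settings edited in steps 4 to 12 can be checked mechanically before the file is encrypted. The Python script below is an added example, not code from the guide or from SAP: it lints a plaintext saml.config for the points the procedure insists on (every key set, template placeholders replaced, HTTPS on the endpoints, ConsumerUrl on the web server registered at the IdP), recognises a section that aspnet_regiis -pef has already encrypted, and checks that web.config loads saml.config and denies requests for .p12 files. The host names idp.corp.example, fc-web.corp.example and bi.corp.example, the certificate name fc-bi-client and all sample files are constructed for the example.

```python
"""Added example, not part of the SAP guide: lint a saml.config derived from
saml.config.template before it is encrypted, and check the web.config beside
it. Host names, the certificate name fc-bi-client and the samples are
constructed; the template placeholders are the ones shown in the guide."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XMLENC = "{http://www.w3.org/2001/04/xmlenc#}"
REQUIRED = ("SamlEndpoint", "X.509_Cert", "AppId", "ConsumerUrl", "biprws", "CertificatePassword")
HTTPS_ONLY = ("SamlEndpoint", "ConsumerUrl", "biprws")
# Placeholder values shipped in saml.config.template (see the listing above).
TEMPLATE_VALUES = {
    "SamlEndpoint": "https://idp.ims.local/adfs/ls/",
    "AppId": "http://localhost/WebUI5/Saml",
    "ConsumerUrl": "https://localhost/WebHTML5/SamlConsume",
    "biprws": "https://10.208.195.176/biprws",
    "CertificatePassword": "Password1",
}


def is_encrypted(xml_text):
    """True once aspnet_regiis -pef has replaced the settings with EncryptedData."""
    root = ET.fromstring(xml_text)
    return (root.get("configProtectionProvider") is not None
            or root.find(XMLENC + "EncryptedData") is not None)


def lint_saml_config(xml_text, web_server):
    """Return findings for a plaintext saml.config; [] means ready to encrypt."""
    root = ET.fromstring(xml_text)
    if root.tag != "appSettings":
        return ["root element must be appSettings"]
    if is_encrypted(xml_text):
        return []  # values are not readable; decrypt with aspnet_regiis -pdf first
    settings = {a.get("key"): a.get("value") or "" for a in root.findall("add")}
    findings = []
    for key in REQUIRED:
        if not settings.get(key):
            findings.append("%s is missing or empty" % key)
    for key, placeholder in TEMPLATE_VALUES.items():
        if settings.get(key) == placeholder:
            findings.append("%s still holds the template value %r" % (key, placeholder))
    for key in HTTPS_ONLY:  # the guide: HTTPS protocol is mandatory
        scheme = urlparse(settings.get(key, "")).scheme
        if scheme != "https":
            findings.append("%s must use https (found %r)" % (key, scheme))
    host = urlparse(settings.get("ConsumerUrl", "")).hostname or ""
    if host.lower() != web_server.lower():
        findings.append("ConsumerUrl host %r is not the web server %r registered at the IdP" % (host, web_server))
    return findings


def web_config_checks(xml_text):
    """web.config must load saml.config into appSettings and deny .p12 requests."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("appSettings")
    if app is None or app.get("file") != "saml.config":
        findings.append('appSettings must carry file="saml.config"')
    denied = any(e.get("fileExtension", "").lower() == ".p12" and e.get("allowed", "true").lower() == "false"
                 for e in root.findall(".//requestFiltering/fileExtensions/add"))
    if not denied:
        findings.append("requestFiltering does not deny the .p12 extension")
    return findings


# Constructed samples.
GOOD_SAML = """<appSettings>
  <add key="SamlEndpoint" value="https://idp.corp.example/adfs/ls/" />
  <add key="X.509_Cert" value="fc-bi-client" />
  <add key="AppId" value="https://fc-web.corp.example/WebHTML5/Saml" />
  <add key="ConsumerUrl" value="https://fc-web.corp.example/WebHTML5/SamlConsume" />
  <add key="biprws" value="https://bi.corp.example/biprws" />
  <add key="CertificatePassword" value="Kp9v2-rotated-in-vault" />
</appSettings>"""
# The template left untouched apart from the certificate name.
TEMPLATE_SAML = "<appSettings>%s</appSettings>" % "".join(
    '<add key="%s" value="%s" />' % (k, v)
    for k, v in list(TEMPLATE_VALUES.items()) + [("X.509_Cert", "fc-bi-client")])
# The REST endpoint downgraded to plain http.
HTTP_SAML = GOOD_SAML.replace("https://bi.corp.example", "http://bi.corp.example")
# What the section looks like after aspnet_regiis -pef (cipher text shortened).
ENCRYPTED_SAML = """<appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>MIIB...constructed...</CipherValue></CipherData>
  </EncryptedData>
</appSettings>"""
WEB_CONFIG = """<configuration>
  <appSettings file="saml.config" />
  <system.webServer><security><requestFiltering><fileExtensions>
    <add fileExtension=".p12" allowed="false" />
  </fileExtensions></requestFiltering></security></system.webServer>
</configuration>"""

if __name__ == "__main__":
    print(lint_saml_config(TEMPLATE_SAML, "fc-web.corp.example"))
    print(lint_saml_config(HTTP_SAML, "fc-web.corp.example"))
    print(is_encrypted(ENCRYPTED_SAML), web_config_checks(WEB_CONFIG))
```

Run the lint on saml.config after step 6 and the web.config checks after step 8; once both return no findings, encrypt the section as in step 12. The encrypted form is detected so that the script can be re-run safely afterwards without reporting the cipher text as missing keys.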

3.6.2 Connecting to the SAP Financial Consolidation Windows Client Using SAML

Prerequisites

Caution: The SAP Financial Consolidation HTML5 web application must be deployed in your environment if you want to enable the SAML protocol for the Windows client. You must then perform the SAML configuration for the HTML5 web client, as described in the Activating SAML for SAP Financial Consolidation HTML5 Web Client [page 28] chapter.

Procedure

1. In the SAP Financial Consolidation Administration Console, open the Configuration section.
2. In the Configuration page, edit the External authentication configuration string parameter.
3. Enter the SAML HTML5 web server URL as follows: https://<your_web_server>/WebHTML5/SAML (where WebHTML5 is the name of the SAP Financial Consolidation application deployed in your environment).


4. Select the Enable SAML authentication option.
5. Restart the data source.
6. Open the samlwindows.html and samlexcel.html files located in the folder where the HTML5 application is deployed.
7. Modify the following line with the name and the URL of your web server:

popup = window.open('http://<your_web_server>/FCWebHTML5/SAML');
setTimeout(wait, 5000);

8. You can also modify the setTimeout parameter to increase the delay of 5000 ms corresponding to the waiting time of the login screen.
9. You must then configure your IdP with the following additional single sign on URL (the location where the SAML assertion is sent to): https://<your_web_server>/WebHTML5/SamlWindows.

10. If you want to connect to SAP Excel Link with SAML, you must also add the following URL to your IdP: https://<your_web_server>/WebHTML5/SamlExcelConsume.

Results

The SAML option appears in the Windows client User Authentication dialog box.


Related Information

Connecting to the SAP Financial Consolidation HTML5 Web Client Using SAML [page 24]

3.7 Managing the "Enable Excel Pivot Table" Right

To use the Excel Links, the user must be granted the "Enable Excel Links" functional right.

In order to create pivot tables inside Excel Links, the user must also be granted the "Enable Excel Pivot Table" functional right. This right authorizes Excel Links to connect to the database directly, and therefore to retrieve the database connection information.

Caution: When this right is enabled, the user has full access to the database, so grant it with care and only to users who need it.


4 User Administration and Authentication in Cube Designer

4.1 User Security Implementation Procedure

Using the second scenario in chapter "Users Implementation Scenarios", the following steps are required:

First step: Configure the EPM Connection Manager security in the BusinessObjects platform.

1. Create the three user groups below:
○ CD_Admins
○ CD_Designers
○ CD_Viewers

2. Create the users you want to assign to these groups.
3. Assign rights and access levels to the EPM Connection Manager, for each group of users. To find out more about those rights, see Configuring the EPM Connection Manager Application [page 37].
4. Assign access levels to the EPM connections that allow users to access the specific Cube Designer objects. To find out more about those rights, see Configuring the EPM Connections [page 39].

Caution: By default, if access rights are not configured, you cannot see any specific folders or objects concerning BOE Cube Designer in the CMC.

Second step: configure security in each relevant EPM application.

1. Define the corresponding rights in the Financial Consolidation application. Before version 7.5, rights were defined in Financial Consolidation. This is now done in the BOE platform. Cube Designer users must be granted the following rights:
○ in the Financial Consolidation application: Analysis > Analytics > Administration.
○ in the BOE platform: Design Cubes

Note: If you want to grant a Cube Designer user administration rights, this user must also be granted the Full Control access level.

Note: In the Financial Consolidation application, you manage rights on data via data access groups as in previous versions.

Note: If you are migrating from a previous version of Cube Designer, the CMSExport Tool enables you to export the users created in Consolidation to the BOE platform. This tool will also migrate the Cube Designer rights from Financial Consolidation to the platform. To find out more about this tool, see


2. Configure the user authentication in the Financial Consolidation administration console.
3. Configure user accounts in Financial Consolidation.

4.2 User Implementation Scenarios

As it is complex to manage access rights to different applications for each user, we recommend that you assign access rights to groups, and then assign users to those groups.

Note: It is possible to assign a user to several groups.

Examples of user implementations are:

Scenario 1

● Everyone: these users can log on to the Business Objects Enterprise platform, but have no rights on applications deployed into the platform. It can be used for users connecting to EPM applications with Business Objects Enterprise authentication.

● Designers (CubeDesignerDesign): this user group can create and deploy cubes into Designer.

● Publishers (CubeDesignerPublish): this user group can connect to BI Launch Pad and publish Excel spreadsheets in public folders.

● Analysts (CubeDesignerAnalyze): this user group can connect to BI Launch Pad and use the EPM Add-in for Microsoft Office, but cannot modify documents that are published into public folders.

Scenario 2

● Admin (CD_Admins): this user group has full rights.

● Designers (CD_Designers): this user group has the rights to publish, analyze and design cubes in Designer.

● Viewers (CD_Viewers): this user group can connect to BI Launch Pad and publish Excel workbooks in public folders.

Note: Business Objects Enterprise system administrators have full control over the platform. It is possible to allow this for other user groups, depending on the security implementation. It is also possible to manage user rights at the level of each user.


Note: In the following procedure, we will use the second scenario.

4.3 Configuring Cube Designer Security into the BOE Platform

4.3.1 Creating User Groups in the Central Management Console

Context

You can create groups and then assign users to those groups, so that you manage security for one group instead of many users. If you want to use the previous scenario, create the following groups:

● CD_Admins
● CD_Designers
● CD_Viewers

Procedure

1. Log on to the Central Management Console and click Users and Groups.
2. Click Manage > New > New Group.
3. Enter a group name, in our example "CD_Designers", and a description.
4. Click OK.
5. Create groups named "CD_Viewers" and "CD_Admins" following the same steps.

4.3.2 Creating Users

Context

Once the groups are created, you add the users. In this section, "CD_User_1" will be created and assigned to the CD_Designers group.


Procedure

1. Log on to the Central Management Console and in the Organize section, click Users and Groups.
2. Select Manage > New > New User and create a new user. For our example, this user is named "CD_User_1".
3. Select the following User role: BI Analyst User.
4. Click Save and close.
5. In the User List, right-click this new user and select Join Group.

The Join Group: CD_User_1 window opens.

6. Click Join Group.
7. In the Group List, select CD_Designers and add it to the Destination Group(s) by clicking >.

Note: You can select several users at once by using the Ctrl or Shift keys.

8. Click OK.
9. Repeat the same steps to create other users. For this example, you need to add all the users of your environment to the three groups created before:

○ CD_Admins
○ CD_Designers
○ CD_Viewers

Note: When migrating, the CMSExport Tool enables you to automatically export the users created in Financial Consolidation to the CMS (Central Management Server) of the BOE platform.

4.3.3 Configuring the EPM Connection Manager Application

Context

This chapter explains how to assign rights and access levels to the EPM Connection Manager application in the BOE.

When using scenario 2, provided in this documentation, the following rights must be granted:

● CD_Viewers:
○ Standard rights: View

● CD_Designers:
○ Standard rights: View
○ Advanced rights: Design Cube, Publish

● CD_Admins: Full control

Procedure

1. Log on to the Central Management Console and in the Manage section, click Applications.
2. Right-click the EPM Connection Manager application and select User Security.
3. Click Add Principals.
4. Select the "CD_Designers" group and add it to the right panel.
5. Click Add and Assign Security.

The Assign Security window opens.

6. In the Access Levels tab, add the View right.
7. Click the Advanced tab.
8. Click the Add/Remove Rights link.
9. In the left pane, select the EPM Connection Manager application and in the right pane, select the Design Cube and Publish rights.


10. Click Apply and OK.

Back in the Access Levels tab, you can see the rights that have been assigned to the group.


11. Repeat the same steps for the "CD_Viewers" group, but assign the group the View right and then the Publish and Analyze advanced rights.
12. Repeat the same steps for the "CD_Admins" group, but assign the group the Full Control right.
13. Click Close.

4.3.4 Configuring the EPM Connections

Context

By default, the CMC only displays objects to which you have access, so you do not see the EPM connections.

This chapter explains how to define access rights to the folder containing connections. This enables you to define who will have rights to access or create connections to the BOE Cube Designer application.

A connection is a "correspondence" between an SSAS database or a NetWeaver database, a Datapump URL used to access this database, and a Financial Consolidation database identified through a web service.

For the scenario 2 example provided in this documentation, the following rights must be granted:

● CD_Viewers: View
● CD_Designers: Full Control
● CD_Admins: Full Control


Procedure

1. Log on to the Central Management Console and in the Organize section, click EPM Connections.
2. Click Manage > Security > EPM Connection Folder Rights.
3. Click Add Principals.
4. Select the "CD_Designers" group and add it to the right panel.
5. Click Add and Assign Security.
   The Assign Security window opens.
6. In the Access Levels tab, add the Full Control right.
7. Click Apply, then OK.
8. Repeat the same steps for the "CD_Admins" group.
9. Repeat the same steps for the "CD_Viewers" group but assign this group the View right.

Results

You can then customize security for each single connection.

4.3.5 Configuring Web Intelligence Connections

Context

When installing the EPM Connection Manager with IPS (Information Platform Services), Web Intelligence and Universes are not available. The following chapter is intended only for a Cube Designer platform using the full BOE environment, and not for a platform using the IPS (Information Platform Services).


Procedure

1. Log on to the Central Management Console and in the Organize section, click Universes.
2. Select Manage > Top-Level Security and click All Universes.
   A warning message opens.
3. Click OK.
   The User Security: Universes window opens.
4. Click Add Principals.
5. Select the "CD_Viewers" group and add it to the right panel.
6. Click Add and Assign Security.
   The Assign Security window opens.
7. In the Access Levels tab, add the View right.
8. Click Apply, then OK.
9. Repeat the same steps for "CD_Designers" and "CD_Admins" but assign them the Full Control right.
10. Go back to the Home page and in the Organize section, click Connections.
11. Select Manage > Top-Level Security and click All Connections.
    A warning message opens.
12. Click OK.
    The User Security: Connections window opens.
13. Click Add Principals.
14. Select the "CD_Viewers" group and add it to the right panel.
15. Click Add and Assign Security.
    The Assign Security window opens.
16. In the Access Levels tab, add the View right.
17. Click Apply, then OK.
18. Repeat the same steps for "CD_Designers" and "CD_Admins" but assign them the Full Control right.


4.3.6 Configuring Access Rights on BI Launch Pad Folders

Context

If you want user groups to consult EPM Add-in workbooks via BI Launch Pad, you must configure access rights on the BI Launch Pad folders. By default, these folders cannot be accessed or seen.

You can grant the standard right "View" to all user groups, to enable users to connect to the web portal.

Using scenario 2, you create a sub-folder named Analytics, and grant those three user groups the "Full Control" right.

Procedure

1. Log on to the Central Management Console and in the Organize section, click Folders.
2. Select Manage > Top-Level Security and click All Folders.
   A warning message opens.
3. Click OK.
   The User Security: Root Folder window opens.
4. Click Add Principals.
5. Select the "CD_Viewers" group and add it to the right panel.
6. Click Add and Assign Security.
   The Assign Security window opens.
7. In the Access Levels tab, add the View right.
8. Click Apply, then OK.
9. Repeat the same steps for the "CD_Designers" and "CD_Admins" groups.

4.3.7 User Rights Table

The following table summarizes the access rights that should be defined for each type of user group. For each group, access is listed for BI Launch Pad, the Public folders, the EPM connections and the EPM Connection Manager application:

● Everyone
  ○ BI Launch Pad: No access
  ○ Public folders: Not applicable
  ○ EPM connections: Not applicable
  ○ EPM Connection Manager application: Not applicable
● CD_Viewers
  ○ BI Launch Pad: Standard rights: View
  ○ Public folders: Standard rights: View; Advanced rights: modifying and deleting objects forbidden
  ○ EPM connections: Standard rights: View
  ○ EPM Connection Manager application: Standard rights: View
● CD_Designers
  ○ BI Launch Pad: Standard rights: View
  ○ Public folders: Standard rights: Full Control
  ○ EPM connections: Standard rights: View
  ○ EPM Connection Manager application: Standard rights: View; Advanced rights: Design Cube, Publish
● CD_Admins
  ○ BI Launch Pad: Full control
  ○ Public folders: Full control
  ○ EPM connections: Full control
  ○ EPM Connection Manager application: Full control

4.4 Connecting to SSAS Cubes with Third Party Tools

You can connect to SSAS cubes that are deployed through Financial Consolidation with third party tools.

To do so, you must perform the following configuration:

● You must connect with users from a Windows Active Directory database.
● The management of BOE users can only be Active Directory.
● In the Financial Consolidation application, this user must be configured with the "use external authentication" option and the login must be set with the DOMAIN\USER syntax.

4.5 Connecting to Cube Designer using Single Sign On

To connect to Cube Designer using Single Sign On mode, the following is required:

1. Follow the steps provided in the Managing users using BusinessObjects Enterprise XI authentication [page 8] chapter of this guide:


○ In the Financial Consolidation Administration Console, configure the external authentication and select the Business Objects XI authentication.

○ In the Financial Consolidation application, create the users corresponding to the BusinessObjects Enterprise XI users. In the Alias area, enter exactly the same alias as the one provided in the properties of the BusinessObjects Enterprise XI user.

2. In the Cube Designer application, you must then set to TRUE the following key in the Cartesis.InformationDelivery.Workbench.exe.config file:

<add key="IsSSOActivated" value="true" />

Note: For now, all the accounts created in Financial Consolidation for SSO authentication purposes function only if the 'Use Windows Account' option is selected in the Financial Consolidation login screen. If the two steps above have been completed, when an end user logs in to their computer and then launches Cube Designer, the logon dialog box still opens but the authentication information is already filled in. The user only needs to select the EPM Connection.


5 Securing the Financial Consolidation Web Sites

Caution: The Financial Consolidation web sites are designed for use on an intranet; we therefore strongly recommend that you do not expose them to the Internet.

5.1 Configuring SAP Financial Consolidation Web with Firewalls

SAP Financial Consolidation uses the following objects to communicate over the network using various protocols. Each executable process requires at least one IP port.

SAP Financial Consolidation objects communicate using the following protocols (for each component, the peer components it communicates with are listed, with the protocol used in parentheses):

● CtBroker
  ○ CtControler (DCOM)
  ○ CtServer (DCOM)
  ○ Financial Consolidation Web Administration Console (DCOM)
  ○ Financial Consolidation Web Site (calls using HTTP / HTTPS, is called with DCOM)
  ○ Financial Consolidation Web Service (DCOM)
  ○ Financial Consolidation (DCOM)
  ○ Financial Consolidation Excel Link (DCOM)
● CtServer
  ○ CtBroker (DCOM)
  ○ Financial Consolidation (DCOM)
  ○ Financial Consolidation Database (RDBM client)
  ○ Financial Consolidation Web Site (DCOM)
  ○ Financial Consolidation Web Service (DCOM)
  ○ Excel (DCOM)
  ○ BusinessObjects Enterprise (CMS protocol)
● CtControler
  ○ CtBroker (DCOM)
● Finance
  ○ CtBroker (DCOM)
  ○ CtServer (DCOM)
● FC Web Site
  ○ CtBroker (DCOM)
  ○ CtServer (DCOM)
● FC Web Service
  ○ CtBroker (DCOM)
  ○ CtServer (DCOM)
● FC Web Admin
  ○ CtBroker (DCOM)
● Excel
  ○ CtBroker (DCOM)
  ○ CtServer (DCOM)
● SSAS
  ○ Financial Consolidation Web Service (HTTP / HTTPS)
  ○ Financial Consolidation Database (RDBM client)
  ○ Datapump (SSAS protocol)
  ○ BusinessObjects Enterprise (SSAS protocol)
  ○ Deployer (SSAS protocol)
● Deployer
  ○ Financial Consolidation Web Service (HTTP / HTTPS)
  ○ NetWeaver BW (NW protocol)
  ○ Star Schema database (RDBM client)
  ○ SSAS (SSAS protocol)
● Designer
  ○ BusinessObjects Enterprise (HTTP / HTTPS)
  ○ Deployer (HTTP / HTTPS)
  ○ Financial Consolidation Web Service (HTTP / HTTPS)
● EPM Add-in
  ○ Datapump (HTTP / HTTPS)
  ○ NetWeaver BW (NW protocol)

The protocols described in the table above use the following ports:

● HTTP / HTTPS protocol: the default ports are 80 and 443. Any other ports can be used if you have modified the default settings.
● RDBM client: depends on your RDBM provider, for example 1433 (SQL Server), 1434 UDP (SQL Server) or 1521 (Oracle). Refer to the RDBM documentation to find out more about the appropriate configuration for firewalls.
● DCOM: see Configuring DCOM for firewalls [page 47] to find out more about DCOM configuration with firewalls.
● SSAS: port 2383 by default. Refer to the SSAS documentation to find out more about the appropriate configuration for firewalls.
● NW protocol: port 3300 by default. Refer to the NetWeaver BW documentation to find out more about the appropriate configuration for firewalls.
● CMS protocol: based on CORBA; it uses port 6400 and dynamic ports. Refer to the BusinessObjects Enterprise documentation to find out more about the appropriate configuration for firewalls.

5.1.1 Configuring DCOM for firewalls

Because DCOM allocates IP ports dynamically by default to each executable process serving DCOM objects on a computer, it is "firewall-unfriendly". If you want to use a firewall, you should configure the DCOM objects to use a specific range of IP ports. You will then be able to identify which port will be called and configure the firewall accordingly.

Clients discover the port associated with a particular object by connecting to and using the services provided by DCOM's Service Control Manager (SCM). The DCOM Service Control Manager always operates at a fixed network port on every computer, i.e. port 135.

Because DCOM uses dynamic IP ports, you must change the configuration of SAP Financial Consolidation objects so that they use a specific range of ports and SAP Financial Consolidation can pass the firewalls.

In the case of SAP Financial Consolidation, the DCOM objects used can be configured to use specific IP ports. The only object that cannot be configured is the SAP Financial Consolidation Web connector, because this object is only a DCOM client, not a DCOM server; it is therefore never called by an external program via DCOM.

You are not required to define a range of ports for Finance.exe and Excel because they are not DCOM servers and will not be called by other objects.

To use DCOM through firewalls, you must ensure that all of the computers can reach each other using DNS queries (with both IP addresses and Fully Qualified Domain Names recognized in both directions). For example, the Web server must be able to reach (ping) the application server by entering its full name e.g. fcserver.sap.com and vice versa.

To provide name resolution of network names to IP addresses, you may be required to modify the following files on each of the computers:

● LMHOSTS (Windows name resolution or WINS)
● HOSTS file (DNS resolution of FQDNs)

Open these files and add a row for each server you want to reach only if you encounter problems with the name resolution of the computers.

Note: All the port numbers indicated in this chapter are examples; you can use any number from 1024 to 65535.

Note: The DCOM protocol does not work when network address translation (NAT) is used.

Tip: To find out more about using DCOM with firewalls, go to the following URL: http://www.microsoft.com/com/wpaper/dcomfw.asp


5.1.1.1 Specifying the recommended configuration

Context

The simplest way of setting up a firewall with SAP Financial Consolidation is to specify the range of ports on the computers hosting the SAP Financial Consolidation servers. Contrary to previous versions of SAP Financial Consolidation, you no longer have to change the client computers' DCOM configuration.

5.1.1.2 Specifying a range of ports in DCOM

Procedure

1. Run the dcomcnfg utility and select the Default Protocols tab.
2. Select the TCP/IP protocol and click Properties.
3. The Properties for COM Internet Services dialog box appears.
4. Click Add.
5. Enter a range of ports between 1024 and 65535, then click OK.

Results

The range of ports will depend on the number of objects run on each computer.

Each DCOM object instance requires one port to run.

The CtBroker.exe and CtController.exe processes therefore use one port each. On the other hand, several CtServer.exe processes can run at the same time, either because an application is being recycled (one server is stopping while another is starting to replace it) or because several applications are hosted on the same server. Because of the recycling mechanism, you need to allow 3 ports per CtServer (or Finance instance) running.

The following rule can be applied to determine the range of ports:

● CtBroker.exe: 1 port.
● CtController.exe: 1 port.
● CtServer.exe: 3 ports per application hosted on the server.
● Finance.exe: 1 port on the client computer.

Example: A server acting as the data source manager and the application server hosting three SAP Financial Consolidation applications will use 14 ports:

● 1 for CtBroker.exe.
● 1 for CtController.exe.
● 3 X 4 = 12 for CtServer.exe.

Tip: A standard configuration deployed in production for many customers is to allow a range 100 ports wide on all servers.


5.1.1.3 Diagram of the network traffic between the different components

5.1.1.4 Example of a firewall in use

In the example below, the HTTP server is installed on a DMZ (demilitarized zone) host.


The firewall connected to the HTTP server will accept inbound and outbound traffic through port 80 (HTTP).

The firewall located between the HTTP server and the other servers will accept:

● inbound and outbound traffic through port 135.
● traffic flowing towards the HTTP server through port 80.
● traffic flowing towards the data source manager through port 5000.
● traffic flowing towards the application servers through ports 5000-5100.

In the example above, there is no DNS server. The IP names and addresses of the different computers have therefore been added to the HOSTS files of the HTTP server, data source manager and application servers.

5.2 Configuring HTTP Strict Transport Security in IIS

Context

To protect your web sites against protocol downgrade attacks and cookie hijacking, it is recommended to configure HTTP Strict Transport Security (HSTS).


Procedure

1. In the IIS Manager administration console, open the HTTP Response Headers section.
2. Click Add.
   The Add Custom HTTP Response Header dialog box opens.
3. In the Name field, add "Strict-Transport-Security".
4. In the Value field, add "max-age=31536000" (this corresponds to a validity period of one year).

5. Click OK.

5.3 Configuring IIS for Custom Error Pages

To avoid disclosing information about the IIS web server, it is recommended to create custom error pages.

These pages can be created from the IIS Manager administration console.

To find out more, refer to the Microsoft IIS documentation.

5.4 Removing Unexpected HTTP Headers

Context

If you want to remove unexpected headers (the Server and X-AspNet-Version headers) for each web application you have deployed:

● the Financial Consolidation web administration console,
● the Financial Consolidation legacy web site,
● the Financial Consolidation HTML5 web site,

you must follow the procedures below:

Procedure

1. To remove Server headers in IIS:
   a. You can install and configure a tool such as "Microsoft IIS URL Rewrite".
2. To remove X-AspNet-Version headers from all the web sites except the HTML5 web site:
   a. Open the web.config file located in the deployment folder of your application (WebAdmin, legacy WebSite and webservices).
   b. In the <system.web> section, add or modify the following line:

   <httpRuntime requestValidationMode="2.0" enableVersionHeader="false" />

3. To remove X-AspNet-Version headers from the HTML5 web client only:
   a. Open the web.config file located in the deployment folder of your application (HTML5 WebSite).
   b. In the <system.web> section, add or modify the following line:

   <httpRuntime enableVersionHeader="false" targetFramework="4.5" maxRequestLength="65536" />

4. Save the web.config files and restart the corresponding applications.

5.5 Modifying the Cache-Control HTTP Headers

Context

To modify the Cache-Control HTTP headers for:

● the Financial Consolidation web administration console,
● the Financial Consolidation legacy web site,
● the Financial Consolidation HTML5 web site,

follow the procedure below:

Procedure

1. In the IIS Manager administration console, navigate to the web site you want to manage.
2. Open the Features view and select the HTTP Response Headers feature.
3. In the Actions panel, click Add.
4. The Add Custom HTTP Response Header dialog box opens.
5. Enter the following values:
   ○ In the Name field, enter cache-control.
   ○ In the Value field, enter no-store, must-revalidate.
6. Click OK.
7. Save the web.config files and restart the corresponding applications.


5.6 Protecting Web Sites against Clickjacking

Context

To protect your web sites against clickjacking, it is recommended to configure them as follows:

Procedure

1. In the IIS Manager administration console, open the HTTP Response Headers feature.
2. Click Add.
   The Add Custom HTTP Response Header dialog box opens.
3. In the Name field, add "X-Frame-Options".
4. In the Value field, add "SAMEORIGIN".

5. Click OK.

5.7 Disabling the Unnecessary HTTP Methods

Context

To disable the unnecessary HTTP verbs, you must configure your web sites by following the procedure below:

Procedure

1. In the IIS Manager administration console, open the Request Filtering feature.
2. Select the HTTP Verbs tab and click Deny Verb.
3. Block the following HTTP verbs:
   ○ OPTIONS
   ○ TRACE

4. Click OK.


5.8 Avoiding HTTP Host Header Injections

Context

You can avoid HTTP Host header injections: if someone sends a request with a modified Host header, it will not reach your web site in IIS.

To do so, you must configure the correct binding setting in IIS, whether you host one or several web sites on it, as explained below:

Procedure

1. In the IIS Manager administration console, right-click your web site and click Edit Bindings.
2. In the Edit Site Bindings window, select the following options:
   ○ Type: http
   ○ IP address: All Unassigned
   ○ Port: 80
   ○ Host name: localhost

3. Click OK and restart IIS.


5.9 Denying Access to Specific File Name Extensions

Context

If you want to deny access to specific file name extensions, for example to prevent any access to certificate files, the following IIS configuration is required:

Procedure

1. Open Internet Information Services (IIS) Manager.
2. In the Request Filtering pane, click the File Name Extensions tab.
3. Click Deny File Name Extension.
4. In the Deny File Name Extension dialog box, add the extension name you want to deny access to, for example the .p12 extension.

To find out more, you can consult the following Microsoft page: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/fileextensions/
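The IIS Manager steps of sections 5.2, 5.4, 5.5, 5.6, 5.7 and 5.9 can also be applied from PowerShell with the WebAdministration module. The script below is an added example, not part of this guide or of the product; it assumes a site named 'Default Web Site' and a placeholder URL for the final check, an elevated session on the IIS host, and IIS 10.0 or later for the removeServerHeader setting, which replaces the URL Rewrite approach the guide mentions for the Server header.

```powershell
# Added example, not part of the SAP guide: applies the IIS settings of sections 5.2, 5.4,
# 5.5, 5.6, 5.7 and 5.9 with the WebAdministration module instead of IIS Manager.
# Assumptions: the FC web site is named 'Default Web Site' (placeholder), the session is
# elevated on the IIS host, and IIS 10.0 or later for removeServerHeader (on older IIS the
# Server header needs the URL Rewrite approach the guide mentions in 5.4).
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'   # placeholder: the Financial Consolidation web site

# Adds an <add .../> entry to a collection only if no entry with the same key exists,
# so the script can be re-run without IIS rejecting a duplicate collection entry.
function Add-ConfigEntryOnce {
    param([string]$Filter, [string]$KeyAttribute, [hashtable]$Entry)
    $xpath = "$Filter/add[@$KeyAttribute='$($Entry[$KeyAttribute])']"
    if (-not (Get-WebConfiguration -PSPath $site -Filter $xpath)) {
        Add-WebConfigurationProperty -PSPath $site -Filter $Filter -Name '.' -Value $Entry
    }
}

# Creates or updates one custom response header (system.webServer/httpProtocol/customHeaders).
function Set-ResponseHeader {
    param([string]$Name, [string]$Value)
    $filter = 'system.webServer/httpProtocol/customHeaders'
    Add-ConfigEntryOnce -Filter $filter -KeyAttribute 'name' -Entry @{ name = $Name; value = $Value }
    Set-WebConfigurationProperty -PSPath $site -Filter "$filter/add[@name='$Name']" -Name 'value' -Value $Value
}

# 5.2 HSTS with the one-year max-age from the guide; 5.6 clickjacking; 5.5 cache control.
Set-ResponseHeader -Name 'Strict-Transport-Security' -Value 'max-age=31536000'
Set-ResponseHeader -Name 'X-Frame-Options'           -Value 'SAMEORIGIN'
Set-ResponseHeader -Name 'Cache-Control'             -Value 'no-store, must-revalidate'

# 5.4 X-AspNet-Version: the same enableVersionHeader="false" the guide adds to <httpRuntime>.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' -Name 'enableVersionHeader' -Value 'false'
# 5.4 Server header: request-filtering switch available from IIS 10.0 (not in the guide).
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value 'true'

# 5.7 Deny the two verbs listed in the guide.
foreach ($verb in 'OPTIONS', 'TRACE') {
    Add-ConfigEntryOnce -Filter 'system.webServer/security/requestFiltering/verbs' -KeyAttribute 'verb' -Entry @{ verb = $verb; allowed = 'false' }
}
# 5.9 Deny the certificate-file extension used as the guide's example.
Add-ConfigEntryOnce -Filter 'system.webServer/security/requestFiltering/fileExtensions' -KeyAttribute 'fileExtension' -Entry @{ fileExtension = '.p12'; allowed = 'false' }

# Check the result: the first three headers should be present, the last two empty.
# The URL is a placeholder for the site's HTTPS address.
$response = Invoke-WebRequest -Uri 'https://fcweb.example.internal/' -Method Head -UseBasicParsing
foreach ($header in 'Strict-Transport-Security', 'X-Frame-Options', 'Cache-Control', 'Server', 'X-AspNet-Version') {
    '{0,-26} {1}' -f $header, ($response.Headers[$header] -join ', ')
}
```

The site bindings of section 5.8 are not included because they depend on the host names of your deployment.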


6 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note: In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.


6.1 Displaying the Personal Information of a User from the SAP Financial Consolidation HTML5 web client

From the SAP Financial Consolidation HTML5 web client, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "Displaying your Personal Information" chapter from the SAP Financial Consolidation Web HTML5 User Guide.

6.2 Displaying the Personal Information of a User from the SAP Financial Consolidation Windows Client

From the SAP Financial Consolidation Windows client, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "Displaying your Personal Information" chapter from the SAP Financial Consolidation User Guide.

6.3 Displaying the Personal Information of a User from the Legacy Web Client

From the SAP Financial Consolidation Legacy Web client, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "To display your personal information" chapter from the SAP Financial Consolidation Web User Guide.

6.4 Displaying the Personal Information of a User from the SAP Financial Consolidation Excel (Web) Link

From the SAP Financial Consolidation Excel (Web) Link application, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "To display your personal information" chapter from the SAP Financial Consolidation Excel Link (Web) User Guide.


6.5 Displaying the Personal Information of a User from the SAP Financial Consolidation Excel Link

From the SAP Financial Consolidation Excel Link application, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "To display your personal information" chapter from the SAP Financial Consolidation Excel Link User Guide.

6.6 Displaying the Personal Information of a User from Cube Designer

From SAP Financial Consolidation Cube Designer, if you want to access the personal information of a user stored within the application, you must follow the procedure described in the "Displaying your Personal Information" chapter from the SAP Financial Consolidation Cube Designer User Guide.

6.7 Deleting Personal Data

Context

You can delete personal data when all applicable retention periods have expired.

Note: The product administrator is responsible for setting up the procedures related to the retention period. The SAP Financial Consolidation application does not manage this feature.

You can delete the following data:

● Personal data related to a user.
● User codes contained in Trace Reports.

Note: SAP Financial Consolidation technical log files may contain personal data. Therefore, we recommend that you implement a policy to delete these files on a regular basis. To find out more about technical logs, see the SAP Financial Consolidation Administrator's Guide, chapter "SAP Financial Consolidation Technical Log".


To delete this data, you must do the following:

Procedure

1. To remove personal data related to a user:

   Note: Because users are managed in the Windows client, you can delete them only from the Windows client.

   a. From the Windows client, open the Security domain, and then the Users view.
   b. In the Users list, select the users for whom you want to delete personal data.
   c. Right-click those users and select Block user.

   Caution: You must block a user before you can delete its personal data.

   d. Right-click these users and select Delete Personal Information.

   Note: You must be granted the Delete personal information access right to perform this operation.

   e. Click Yes.

   Note: After deletion, the user code and the login field will contain a randomized string.

   Note: After deletion, entries related to these users in the Trace Report will also be permanently deleted.

   If you delete a user, the Trace Report entries that record modifications made to this user are deleted. However, the system keeps track of the actions executed by this user, in line with SOX (Sarbanes-Oxley) compliance.

   For example, if the user SMITH is deleted:
   ○ ADMIN has modified the email address of user SMITH: the entry is deleted.
   ○ SMITH has modified the report "REPORT1": the entry is kept.

2. To remove personal data contained in Trace Reports:

   Note: For compliance with the Sarbanes-Oxley law, the trace report logs must be kept for a retention period.

   a. From the Windows client, open the General options.
   b. In the Trace Reports tab, you can archive items older than a defined date. All items older than this date are permanently deleted from the database. We recommend that you implement a policy to delete the archive files after the applicable retention period.


6.8 Personal Data Portability

You can export all the personal data of a user using the User Import Export Tool.

This tool allows you to export or import users and all user-related objects between SAP Financial Consolidation and different types of flat files. The User Import Export Tool setup is included in the SAP Financial Consolidation installation folder; however, you must install the tool before using it.

To find out more about how to use this tool, you can consult the following chapter "16.2 Exporting Users with the User Import Export Tool" from the SAP Financial Consolidation Administrator's Guide.

6.9 Logging Changes to Personal Data

Context

You can consult logs of the changes made to your personal data. By viewing or downloading this log, you can check which changes were made to which personal data, who made the changes, and when the changes were made.

Procedure

1. From anywhere within the SAP Financial Consolidation Windows client, click Tools > General Options.
2. Click the Trace Reports tab and select the Enable the trace report function option to activate the logs.
3. Click Select modules.
4. In the Modules to be Audited window, select the Administration Security - user information option.

Results

You can then consult the logs of the modules you have activated by selecting File > Display Trace Report from anywhere within the application. To find out more about the Trace Report, you can consult the "Trace reports in SAP Financial Consolidation" chapter of the SAP Financial Consolidation User Guide.


7 Restrictions on Uploading Attachments

To ensure security, you can specify whether end users are allowed to upload certain file types and if a virus scanning application (if installed) can perform a virus-scan on these file attachments.

In the Financial Consolidation installation folder, the AllowedExtension.txt file enables you to configure a blacklist or a whitelist and also contains the Virus scanning parameter.

#################################################
# In this file, you can specify which file types can be uploaded to the server.
# You can choose between two authorization types:
# Blacklist - blocks all extensions defined in the following string.
# Whitelist - authorizes only the extensions defined in the following string.
#
#WhiteList=.CSV;.DOC;.DOCX;.PDF;.RTF;.ODT;.TXT;.DOT;.DOTX;.XLS;.XLSX;.XLSB;.ODS;.PPT;.PPTX;.PPS;.PPSX;.ODP;.JPG;.JPEG;.PNG;.BMP;.GIF;.TIF;.TIFF;
#
#BlackList=.ade;.adp;.app;.asa;.ashx;.asmx;.asp;.bas;.bat;.cdx;.cer;.chm;.class;.cmd;.com;.config;.cpl;.crt;.csh;.dll;.exe;.fxp;.hlp;.hta;.htr;.htw;.ida;.idc;.idq;.ins;.isp;.its;.js;.jse;.ksh;.lnk;.mad;.maf;.mag;.mam;.maq;.mar;.mas;.mat;.mau;.mav;.maw;.mda;.mdb;.mde;.mdt;.mdw;.mdz;.msc;.msh;.msh1;.msh1xml;.msh2;.msh2xml;.mshxml;.msi;.msp;.mst;.ops;.pcd;.pif;.prf;.prg;.printer;.pst;.reg;.rem;.scf;.scr;.sct;.shb;.shs;.shtm;.shtml;.soap;.stm;.url;.vb;.vbe;.vbs;.ws;.wsc;.wsf;.wsh
#
# The Virus scanning parameter enables you to specify if all the attached files uploaded to the server
# must be scanned by the anti-virus installed on this server.
Virus scanning=true

You configure these two parameters as follows:

● The whitelist parameter is activated by default. The extension list is populated by default and can be modified. Each list can be activated by removing the # at the beginning of its line.

Caution: Only one list can be activated.

The restrictions apply to both the Windows and Web clients for attachments in packages, manual journal entries, consolidations and so on.

● The Virus scanning parameter is activated by default. If you want to deactivate the virus scan on file attachments, you must set it to false or comment out this parameter.

Note: This parameter is only taken into account if an antivirus application is installed. In that case, Financial Consolidation connects to it automatically. If no antivirus is installed on the machine, the parameter is ignored.


Note: After modifying AllowedExtension.txt, you must restart the CtServer.
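As an added illustration (not SAP code), the following Python script applies the rules of AllowedExtension.txt described above to candidate file names. How CtServer itself parses the file is not documented here, so case-insensitive matching, judging only the final extension and treating a missing extension as "not listed" are assumptions of this example.

```python
"""Evaluate upload decisions against an AllowedExtension.txt-style file.

Added example, not SAP code. It mirrors the rules in the text: exactly one of
WhiteList/BlackList may be active (a line is active once its leading '#' is
removed); a whitelist admits only the listed extensions, a blacklist rejects
the listed ones; the virus scan is on only when 'Virus scanning=true' is
present and uncommented. Case-insensitive matching and the handling of files
without an extension are assumptions here, not documented CtServer behaviour.
"""
import os
from dataclasses import dataclass


@dataclass
class UploadPolicy:
    mode: str                      # "whitelist" or "blacklist"
    extensions: frozenset          # lower-cased, each including its leading dot
    virus_scanning: bool = False


def _parse_list(value: str) -> frozenset:
    # Lists are ';'-separated; tolerate whitespace and the trailing empty item.
    return frozenset(e.strip().lower() for e in value.split(";") if e.strip())


def parse_allowed_extension(text: str) -> UploadPolicy:
    mode, exts, scanning = None, frozenset(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # comments and inactive (commented) lists
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if key in ("whitelist", "blacklist"):
            if mode is not None:   # the guide's Caution: only one list may be active
                raise ValueError("both WhiteList and BlackList are active")
            mode, exts = key, _parse_list(value)
        elif key == "virus scanning":
            scanning = value.strip().lower() == "true"
    if mode is None:
        raise ValueError("no extension list is active")
    return UploadPolicy(mode, exts, scanning)


def is_upload_allowed(policy: UploadPolicy, filename: str) -> bool:
    # Only the final extension counts: 'invoice.pdf.exe' is judged on '.exe'.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if policy.mode == "whitelist":
        return ext in policy.extensions      # no extension -> not listed -> denied
    return ext not in policy.extensions      # blacklist: unlisted types pass


# Constructed sample files, with each list activated in turn.
WHITELIST_FILE = """\
# Whitelist - authorizes only the extensions defined in the following string.
WhiteList=.CSV;.DOC;.DOCX;.PDF;.XLSX;.PNG;
#BlackList=.exe;.bat;.js;.jse;.vbs;
Virus scanning=true
"""

BLACKLIST_FILE = """\
#WhiteList=.CSV;.DOC;.DOCX;.PDF;.XLSX;.PNG;
BlackList=.exe;.bat;.js;.jse;.vbs;
#Virus scanning=true
"""

if __name__ == "__main__":
    for name, text in (("whitelist", WHITELIST_FILE), ("blacklist", BLACKLIST_FILE)):
        policy = parse_allowed_extension(text)
        print(name, "virus scanning:", policy.virus_scanning)
        for f in ("budget.XLSX", "macro.xlsm", "invoice.pdf.exe", "README"):
            print(f"  {f:16} allowed={is_upload_allowed(policy, f)}")
```

Running it shows why the guide activates the whitelist by default: under the blacklist, an unlisted type such as macro.xlsm is accepted, while the whitelist rejects everything it does not name.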


8 DCOM configuration

This chapter describes how you should configure the DCOM protocol in order to connect the client workstation to the application server. Configuring DCOM enables you to choose the mode of authentication between the workstations and the server. Without this configuration, a workstation cannot establish communication with the application server.

The DCOM protocol is based on Windows NetBIOS components. For DCOM to work, NetBIOS must therefore be able to run. The NetBIOS connection can be established between two computers only if the required access rights have been assigned. The connection must therefore be established with a Windows account that has certain rights. Both computers must recognize the logins used for the connection. If the computers are in the same domain and the account used to establish the connection is a domain account, the connection is authorized.

If the computers are not in the same domain or the account used to establish the connection is a local account on one of the computers, the same account (with the same login) must also exist locally on the other computer.

From Windows 2003 and Windows XP SP2, the concept of anonymous accounts was introduced. If an anonymous account is used and the DCOM objects are configured correctly, the two computers can communicate even though they are not in the same domain and do not have a common login.

Caution: If you use the anonymous settings for DCOM configuration, DCOM communications will no longer be encrypted.

Authorizing the "Everyone" group enables any account recognized by the computer to connect.

Tip: To test that this works, try to connect one server to the other via a shared folder. The connection opened uses the current Windows session and simply checks whether a connection is possible.

You must therefore define the user accounts that will be used to configure the SAP Financial Consolidation objects' DCOM properties and ensure that they can be used.

By default, the setup configures DCOM so that the application can function correctly when the Windows session is closed on the server. However, if you encounter problems, you may need to check that the DCOM settings are as indicated in the chapters below.

By default, the setup configures DCOM in encrypted communication mode. In this mode, communication works only between servers that belong to the same domain forest.


8.1 Checking the default DCOM configuration defined by the SAP Financial Consolidation setup

Context

If you want to verify the DCOM configuration defined by the SAP Financial Consolidation setup, you should verify that your settings correspond to the table below.

1. Select Run in the Windows Start menu.
2. Enter dcomcnfg.exe and click OK.
3. Select one of the applications belonging to SAP Financial Consolidation (CtBroker, CtServer, CtController or Financial Consolidation) to verify its properties.

For each process, the table below lists the tab and the options to select.

Process: CtServer
  General: Packet Privacy
  Location: Run application on this computer (if the option is not greyed out)
  Security: For the Launch and Activation Permissions and for the Access Permissions, select the Customize option and click Edit: allow all Permissions for the Everyone and the ANONYMOUS LOGON users.
    Caution: Do not modify the Configuration Permissions.
  Endpoints: Leave default settings
  Identity: This user: the DCOM account you indicated during the setup

Process: CtController
  General: Packet Privacy
  Location: Run application on this computer
  Security: For the Launch and Activation Permissions and for the Access Permissions, select the Customize option and click Edit: allow all Permissions for the Everyone and the ANONYMOUS LOGON users.
    Caution: Do not modify the Configuration Permissions.
  Endpoints: Leave default settings
  Identity: The system account

Process: CtBroker
  General: Packet Privacy
  Location: Run application on this computer
  Security: For the Launch and Activation Permissions and for the Access Permissions, select the Customize option and click Edit: allow all Permissions for the Everyone and the ANONYMOUS LOGON users.
    Caution: Do not modify the Configuration Permissions.
  Endpoints: Leave default settings
  Identity: This user: the DCOM account you indicated during the setup

Process: Financial Consolidation
  General: Packet Privacy
  Location: Run application on this computer
  Security: For the Launch and Activation Permissions and for the Access Permissions, select the Customize option and click Edit: allow all Permissions for the Everyone and the ANONYMOUS LOGON users.
    Caution: Do not modify the Configuration Permissions.
  Endpoints: Leave default settings
  Identity: The interactive user

Process: Import Export Users.exe
  General: Packet Privacy
  Location: Run application on this computer
  Security: For the Launch and Activation Permissions and for the Access Permissions, select the Customize option and click Edit: allow all Permissions for the Everyone and the ANONYMOUS LOGON users.
    Caution: Do not modify the Configuration Permissions.
  Endpoints: Leave default settings
  Identity: The interactive user

8.2 Specific DCOM configuration with different domains

Context

Caution: This section explains how to configure DCOM across different domains, but doing so deactivates DCOM encryption. This configuration is not recommended.


The Windows default security settings prohibit remote non-authenticated DCOM access. Because authentication between two computers that are not in the same domain is not possible, the launch permissions must be changed so that they include the ANONYMOUS LOGON account. The computer access permissions do not need to be changed, since they include this account by default.

Procedure

1. Run the secpol.msc command.

The Local Security Settings window is displayed.

2. Select the security policy called DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.

3. Right-click this line and click Properties.

4. Click Edit Security.

The Launch Permission dialog box appears.

5. Click Add.

A dialog box for selecting accounts appears.


6. Enter ANONYMOUS LOGON in the text box, click Check Names and then OK.

The login has been added.

7. Check all the Allow options for this login and then click OK.

Note: You must then add the ANONYMOUS LOGON account to the CtServer and CtBroker processes.

8. Run the dcomcnfg.exe command.

The Component Services window appears.

9. Select the CtBroker process and right-click it to edit its properties.

10. In the CtBroker Properties dialog box, select the Security tab.

11. In the Launch and Activation Permissions group box, select the Customize option and click the Edit button.

The Launch Permission dialog box appears.

12. Click Add.

A dialog box for selecting accounts appears.


13. Enter ANONYMOUS LOGON in the text box, click Check Names and then OK.

The login has been added.

14. Check all the Allow options for this login and then click OK.

15. Also add the ANONYMOUS LOGON account in the Access Permissions group box.

Note: You must not change the options in the Configuration Permissions group box.

16. Repeat the same procedure for the CtServer process.

17. For all Financial Consolidation processes, you must then configure all objects as indicated in Checking the default DCOM configuration defined by the SAP Financial Consolidation setup [page 65], except that in the General tab you must select None from the Authentication Level drop-down menu instead of Packet Privacy.
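To audit the result of the procedure above rather than rely on the dialog boxes, this added Python example (not SAP code) decodes a "DCOM: Machine Launch Restrictions" SDDL string and reports which trustees hold remote launch or activation rights, flagging ANONYMOUS LOGON as the marker of the unencrypted cross-domain setup. The SDDL samples are constructed, and the rights decoding assumes the COM access-mask bit assignment noted in the comments.

```python
"""Audit a DCOM machine launch-restriction SDDL for anonymous remote access.

Added example, not SAP code. The 'DCOM: Machine Launch Restrictions in SDDL
syntax' policy edited in the procedure is an SDDL string; this decodes its
DACL and reports which trustees hold remote launch/activation rights. Rights
decoding (an assumption of this example): the two-letter SDDL codes map onto
the COM access mask, CC=1 execute, DC=2 local launch, LC=4 remote launch,
SW=8 local activation, RP=16 remote activation. Both SDDL samples are constructed.
"""
import re

COM_RIGHTS = {"CC": 1, "DC": 2, "LC": 4, "SW": 8, "RP": 16}
RIGHT_NAMES = {4: "RemoteLaunch", 16: "RemoteActivation"}
REMOTE = 4 | 16
# Well-known SDDL trustee abbreviations and SIDs relevant to this check.
TRUSTEES = {"BA": "Administrators", "WD": "Everyone", "AN": "ANONYMOUS LOGON",
            "S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def decode_rights(field: str) -> int:
    """Turn 'CCDCSW' or a hex mask such as '0x1f' into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for code in (field[i:i + 2] for i in range(0, len(field), 2)):
        if code not in COM_RIGHTS:
            raise ValueError(f"unknown rights code {code!r}")
        mask |= COM_RIGHTS[code]
    return mask


def parse_dacl(sddl: str) -> list:
    """Return [(trustee, ace_type, mask)] for every ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = re.split(r"[OGS]:", dacl, maxsplit=1)[0]   # stop at a following section
    return [(TRUSTEES.get(sid, sid), ace_type, decode_rights(rights))
            for ace_type, _flags, rights, _og, _iog, sid in ACE_RE.findall(dacl)]


def remote_grants(sddl: str) -> dict:
    """Map trustee -> remote rights granted to it by Allow ('A') ACEs."""
    grants = {}
    for trustee, ace_type, mask in parse_dacl(sddl):
        if ace_type != "A" or not mask & REMOTE:
            continue
        grants.setdefault(trustee, []).extend(
            RIGHT_NAMES[bit] for bit in (4, 16) if mask & bit)
    return grants


def anonymous_remote_launch_enabled(sddl: str) -> bool:
    """True when ANONYMOUS LOGON may launch or activate remotely, i.e. the
    cross-domain configuration whose side effect is unencrypted DCOM."""
    return "ANONYMOUS LOGON" in remote_grants(sddl)


# Constructed samples: a default-style policy, and one edited as in section 8.2.
DEFAULT_SDDL = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
ANON_SDDL = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;AN)"

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("cross-domain", ANON_SDDL)):
        print(label, remote_grants(sddl),
              "anonymous remote launch:", anonymous_remote_launch_enabled(sddl))
```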

8.3 Configuring Internet Explorer

Procedure

1. Start Internet Explorer and select Tools > Internet Options.
2. Select the Advanced tab.
3. Under the Security heading, check the Allow active content to run in files on My Computer option.

Note: This configuration is necessary on the BusinessObjects Finance application server and on the client with a Terminal Services configuration.

Note: This configuration is linked to the user's Windows profile. If working with Terminal Services, it must be configured for each SAP Financial Consolidation user. For the server, the configuration should be performed on the profile corresponding to the account that runs the CtServer.exe process.


9 Encrypting the settings of the web.config file

Context

To enhance security, you can encrypt the login and password given in web.config files used in the different SAP Financial Consolidation applications. This is the method recommended by Microsoft for ASP.NET applications.

Procedure

1. Download the aspnet_setreg.exe file, which is available at the following Microsoft address: http://download.microsoft.com/download/2/9/8/29829651-e0f0-412e-92d0-e79da46fd7a5/aspnet_setreg.exe

2. Run the following command:

aspnet_setreg.exe -k:SOFTWARE\BusinessObjects\MyWebService -u:"your_domain_name\your_user_name" -p:"your_password"

Note: The registry key name given here can have a different value from Reporter, depending on the application you are deploying.

This command creates two entries, username and password, under the registry key given on the command line, and stores your login and password there in encrypted form.

Note: The aforementioned registry tree depends on your applications. If you want to encrypt several logins and passwords for several applications, you must create the appropriate registry keys.

3. Edit the web.config file and search for the following rows:

<add key="DefaultLogin" value="your_domain_name\your_user_name" />
<add key="DefaultPassword" value="your_password" />

4. Change these rows as shown below:

<add key="DefaultLogin" value="registry:HKLM\SOFTWARE\BusinessObjects\MyWebService\ASPNET_SETREG,username" />
<add key="DefaultPassword" value="registry:HKLM\SOFTWARE\BusinessObjects\MyWebService\ASPNET_SETREG,password" />

Next, you must authorize the account that runs the .NET framework to access these new registry keys if your operating system is Windows Server 2003.

5. Open the Registry Editor.


6. Select the HKEY_LOCAL_MACHINE\SOFTWARE\BusinessObjects\MyWebService\ASPNET_SETREG registry key, right-click it and select Permissions.

7. Click Add, select the account that runs the ASP.NET framework and assign the Read permission to this account.

Note: In Windows Server 2003, this account is called Network Service by default.

8. Close the Registry Editor.

Note: To find out more, see the official Microsoft documentation at the following address: http://support.microsoft.com/default.aspx?scid=kb;en-us;329290#5
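The following added Python check (not SAP code) verifies the outcome of steps 3 and 4: it parses the appSettings of a web.config and reports any DefaultLogin or DefaultPassword value that is still a literal, or that does not point at an ASPNET_SETREG registry entry under HKLM. Both web.config samples are constructed.

```python
"""Check that web.config credentials use the aspnet_setreg registry scheme.

Added example, not SAP code. It inspects the <appSettings> keys named in the
procedure (DefaultLogin, DefaultPassword) and reports any value that is still
a literal instead of the 'registry:HKLM\\<key path>\\ASPNET_SETREG,<valuename>'
form written in step 4. Both web.config samples are constructed.
"""
import xml.etree.ElementTree as ET

CREDENTIAL_KEYS = ("DefaultLogin", "DefaultPassword")
# aspnet_setreg stores the login under 'username' and the secret under 'password'.
EXPECTED_VALUE_NAMES = {"DefaultLogin": "username", "DefaultPassword": "password"}


def parse_registry_ref(value: str):
    """Split 'registry:HKLM\\Key\\Path,name' into (hive, key_path, value_name);
    return None when the value is not a registry reference at all."""
    if not value.lower().startswith("registry:"):
        return None
    location, sep, value_name = value[len("registry:"):].rpartition(",")
    if not sep or not location or not value_name:
        return None
    hive, _, key_path = location.partition("\\")
    return hive, key_path, value_name


def audit_web_config(xml_text: str) -> list:
    """Return one finding string per credential key that is not protected."""
    root = ET.fromstring(xml_text)
    findings, seen = [], set()
    for add in root.iter("add"):
        key = add.get("key")
        if key not in CREDENTIAL_KEYS:
            continue
        seen.add(key)
        ref = parse_registry_ref(add.get("value", ""))
        if ref is None:
            findings.append(f"{key}: literal value stored in web.config")
            continue
        hive, key_path, value_name = ref
        if hive.upper() != "HKLM" or not key_path.upper().endswith("\\ASPNET_SETREG"):
            findings.append(f"{key}: unexpected registry location {hive}\\{key_path}")
        if value_name != EXPECTED_VALUE_NAMES[key]:
            findings.append(f"{key}: value name {value_name!r} is not what aspnet_setreg writes")
    for key in CREDENTIAL_KEYS:
        if key not in seen:
            findings.append(f"{key}: not present in appSettings")
    return findings


# Constructed samples: the file before step 3 and after step 4 of the procedure.
PLAINTEXT_CONFIG = """<configuration><appSettings>
  <add key="DefaultLogin" value="your_domain_name\\your_user_name" />
  <add key="DefaultPassword" value="your_password" />
</appSettings></configuration>"""

ENCRYPTED_CONFIG = """<configuration><appSettings>
  <add key="DefaultLogin" value="registry:HKLM\\SOFTWARE\\BusinessObjects\\MyWebService\\ASPNET_SETREG,username" />
  <add key="DefaultPassword" value="registry:HKLM\\SOFTWARE\\BusinessObjects\\MyWebService\\ASPNET_SETREG,password" />
</appSettings></configuration>"""

if __name__ == "__main__":
    print(audit_web_config(PLAINTEXT_CONFIG))   # two 'literal value' findings
    print(audit_web_config(ENCRYPTED_CONFIG))   # []
```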


10 Installing X.509 certificates

Context

The SAP Financial Consolidation setup installs and uses two default X.509 certificates. With these default X.509 certificates, you can use the application in a test or a development configuration. If you are running SAP Financial Consolidation and SAP BusinessObjects Cube Designer in a production environment, it is recommended that you get a certificate from a commercial or free certification authority.

By default, these certificates are not activated. You must activate them in order to communicate with other products.

These two X.509 certificates are the following:

● The first one is used to sign communications between SAP Financial Consolidation and SAP BusinessObjects Cube Designer components.

● The second one is used to sign communications between application servers if you want to use the BFC Monitoring service, which enables you to open performance counters through the Windows Performance Monitor.

10.1 Installing the X.509 certificate for Cube Deployer

Context

SAP Financial Consolidation Cube Designer uses standard public key encryption to support authentication. This is a reliable way to establish a disconnected trust relationship between different modules in order to provide federated authentication.

In this respect, the Cube Deployer plays the role of a Security Token Server. Thus, the Cube Deployer component will generate and sign the security token. In order to do so, it uses the private key of an X.509 certificate installed on Cube Deployer. The corresponding certificate could be either a corporate certificate or a generated self-signed one.

To install the X.509 certificate for the Cube Deployer component, the following steps are required:

Procedure

1. Install the public key of your certificate on the server hosting the CtBroker.
2. Install the private key of your certificate on the server hosting the Deployer component.
3. Assign the correct access rights on the certificate to the account that will run the CtBroker.


4. In the SAP Financial Consolidation installation folder, edit the CtBroker.config file.
5. Uncomment the Certificate subjectName parameter. If you want to use a certificate other than the one installed by default, enter the parameters of your own certificate.

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns="http://schemas.sap.com/2008/09/15/CtBroker/Configuration">
  <SharedTrustedCertificates>
    <!-- Uncomment next line to trust the default Extended Analytics X509 Certificate (intended for development or test platforms) -->
    <!-- <Certificate subjectName="CN=Extended Analytics Deployer, O=BOBJ, C=FR"/> -->
    <!-- Uncomment next line to trust the default BFC Monitoring Service (intended for development or test platforms) -->
    <!-- <Certificate subjectName="CN=BFC Monitoring Service, O=BOBJ, C=FR"/> -->
  </SharedTrustedCertificates>
  <DataSources>
  </DataSources>
</configuration>

6. Save and close the file.
7. Restart the CtBroker service.
8. On the Deployer server, open the web.config file and locate the following section:

    <Certificate subjectName="CN=Extended Analytics Deployer, O=BOBJ, C=FR" store="My" />
  </SharedTrustedCertificates>
</configuration>

9. Enter the distinguished name of the certificate and save the file.

10.2 Installing the X.509 certificate for BFC Monitoring

Context

To install the X.509 certificate for the BFC Monitoring component, the following steps are required:

Procedure

1. Install the public key on the server where the CtBroker component is installed.
2. Install the private key on the machine where the BFC Monitoring Service is installed.
3. Assign the correct access rights on the certificate to the account that will run the CtBroker.
4. In the SAP Financial Consolidation installation folder, edit the CtBroker.config file.


5. Uncomment the Certificate subjectName parameter. If you want to use a certificate other than the one installed by default, enter the parameters of your own certificate.

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns="http://schemas.sap.com/2008/09/15/CtBroker/Configuration">
  <SharedTrustedCertificates>
    <!-- Uncomment next line to trust the default Extended Analytics X509 Certificate (intended for development or test platforms) -->
    <!-- <Certificate subjectName="CN=Extended Analytics Deployer, O=BOBJ, C=FR"/> -->
    <!-- Uncomment next line to trust the default BFC Monitoring Service (intended for development or test platforms) -->
    <!-- <Certificate subjectName="CN=BFC Monitoring Service, O=BOBJ, C=FR"/> -->
  </SharedTrustedCertificates>
  <DataSources>
  </DataSources>
</configuration>

6. Save and close the file.
7. Restart the CtBroker service.
8. On the machine where the BFC Monitoring Service is installed, open the web.config file and locate the following section:

    <Certificate subjectName="CN=Extended Analytics Deployer, O=BOBJ, C=FR" store="My" />
  </SharedTrustedCertificates>
</configuration>

9. Enter the distinguished name of the certificate and save the file.
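Serving both sections 10.1 and 10.2, which edit the same CtBroker.config file, this added Python example (not SAP code) lists the certificate subjects that are actually uncommented, flags the two default test/development subjects that should not be trusted in production, and compares subject names as sets of RDNs rather than as raw strings. The configuration samples and the corporate DN in them are constructed.

```python
"""Audit the <SharedTrustedCertificates> section of CtBroker.config.

Added example, not SAP code; it covers sections 10.1 and 10.2, which both edit
this file. It lists the <Certificate subjectName> entries that are really
active (XML comments are not elements, so the commented-out defaults are
ignored), flags the two default test/development subjects the guide reserves
for non-production use, and compares a configured subject with a certificate
subject as an unordered set of RDNs. Samples are constructed; RDN parsing is
deliberately simple (no quoted or escaped commas).
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.sap.com/2008/09/15/CtBroker/Configuration"
DEFAULT_TEST_SUBJECTS = (
    "CN=Extended Analytics Deployer, O=BOBJ, C=FR",
    "CN=BFC Monitoring Service, O=BOBJ, C=FR",
)


def parse_dn(dn: str) -> frozenset:
    """'CN=a, O=b' -> {('CN','a'), ('O','b')}; attribute types are case-insensitive."""
    rdns = set()
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.add((attr.strip().upper(), value.strip()))
    return frozenset(rdns)


def trusted_subjects(config_xml: str) -> list:
    """Return the subjectName of every active <Certificate> in the file."""
    root = ET.fromstring(config_xml)
    path = f"{{{NS}}}SharedTrustedCertificates/{{{NS}}}Certificate"
    return [c.get("subjectName", "") for c in root.findall(path)]


def audit_trusted_subjects(config_xml: str) -> list:
    """One finding per active subject that is one of the default test certificates."""
    defaults = {parse_dn(s) for s in DEFAULT_TEST_SUBJECTS}
    return [f"default test certificate trusted: {s}"
            for s in trusted_subjects(config_xml) if parse_dn(s) in defaults]


def subject_matches(configured: str, certificate_subject: str) -> bool:
    """True when both DNs carry the same RDNs, whatever their order or spacing."""
    return parse_dn(configured) == parse_dn(certificate_subject)


# Constructed: the shipped file with only the Deployer default uncommented...
SHIPPED_WITH_DEFAULT = f"""<configuration xmlns="{NS}">
  <SharedTrustedCertificates>
    <Certificate subjectName="CN=Extended Analytics Deployer, O=BOBJ, C=FR"/>
    <!-- <Certificate subjectName="CN=BFC Monitoring Service, O=BOBJ, C=FR"/> -->
  </SharedTrustedCertificates>
  <DataSources></DataSources>
</configuration>"""

# ...and a production file trusting a corporate certificate (hypothetical DN).
PRODUCTION = f"""<configuration xmlns="{NS}">
  <SharedTrustedCertificates>
    <Certificate subjectName="CN=fc-deployer.example.internal, OU=Finance IT, O=Example Corp, C=DE"/>
  </SharedTrustedCertificates>
</configuration>"""

if __name__ == "__main__":
    print(audit_trusted_subjects(SHIPPED_WITH_DEFAULT))   # one finding
    print(audit_trusted_subjects(PRODUCTION))             # []
    print(subject_matches("CN=fc-deployer.example.internal, OU=Finance IT, O=Example Corp, C=DE",
                          "C=DE,O=Example Corp,OU=Finance IT,CN=fc-deployer.example.internal"))  # True
```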


11 EPM Add-in for Microsoft Office Security Settings

11.1 User Rights

When the EPM add-in is executed from the BI Launch Pad, the user has the ability to publish Microsoft Office documents on the BOE server. This action is available only if the user has a publication right. This right is defined on the BusinessObjects Enterprise server.

11.2 Connections

When connecting to a source defined on the BusinessObjects Enterprise server, the EPM Add-in for Microsoft Office client retrieves a security token from the BOE server that is transmitted to the data source provider as an additional parameter (custom data) in the connection string.

When connecting directly to the EPM Add-in for Microsoft Office client, the system first checks the credentials against the BOE server and if successful retrieves a security token that will be used as described above.

In both cases, the credentials are used to determine user rights concerning data and meta data. Only allowed meta data will be visible to the user, and only allowed data will be returned from queries.


Important Disclaimers and Legal Information

Hyperlinks

Some links are classified by an icon and/or a mouseover text. These links provide additional information. About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

  ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

  ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up. The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language

SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders, and abilities.


www.sap.com/contactsap

© 2021 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
