Security Guide PUBLIC
SAP Enterprise Project Connection, Document Version: 3.0 FP01 Version 2 – 2017-10-27
SAP Enterprise Project Connection 3.0 Security Guide
Content
1 SAP Enterprise Project Connection
Document History
The following table provides an overview of the most important document changes.
Caution: Before you start the implementation, make sure that you have the latest version of this document. You can find the latest version at http://help.sap.com.
Table 1:
Version | Date | Description
3.0 | 2016-04-30 | Initial version
3.0 FP01 | 2017-06-15 | New document template and template-related adaptions; chapters User Management and Network and Communication Security revised
3.0 FP01 Version 2 | 2017-10-27 | New chapter Data Protection
1 SAP Enterprise Project Connection
With the increased use of distributed systems and the Internet for managing business data, the demands on security are on the rise. When using a distributed system, you must ensure that your data and processes support your business needs without enabling unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These demands on security apply to SAP Enterprise Project Connection.
SAP Enterprise Project Connection has a Java component that runs on SAP NetWeaver AS Java 7.5. The corresponding SAP NetWeaver 7.5 security guides apply to SAP Enterprise Project Connection. SAP Enterprise Project Connection has an ABAP component that runs on SAP ERP 6.0 and SAP S/4HANA, on-premise, so the security guide for SAP ERP 6.0 and SAP S/4HANA, on-premise applies to SAP Enterprise Project Connection.
For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide .
Note: SAP Enterprise Project Connection 3.0 supports SAP ERP as well as SAP S/4HANA, on-premise edition. In this document, SAP ERP implies SAP S/4HANA, on-premise edition.
Technical System Landscape
For information, see the following table:
Table 2:
Topic | URL
Technical description for SAP Enterprise Project Connection and the underlying SAP NetWeaver AS Java components | http://service.sap.com/instguides
High availability | http://sdn.sap.com/irj/sdn/ha
Technical landscape design | http://sdn.sap.com/irj/sdn/landscapedesign
Security | http://sdn.sap.com/irj/sdn/security and http://service.sap.com/securityguide
SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/pam
User Administration and Authentication
SAP Enterprise Project Connection uses the user management and authentication mechanisms provided with the SAP NetWeaver platform. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver AS ABAP Security Guide and SAP NetWeaver AS Java Security Guide apply to the SAP Enterprise Project Connection.
User Management
User management for the SAP Enterprise Project Connection uses mechanisms provided with the SAP NetWeaver AS ABAP and Java, for example, tools, user types, and password policies. In addition, we provide a list of the standard users required for operating the SAP Enterprise Project Connection.
User Administration Tools
The following table shows the tools to use for user management and user administration with the SAP Enterprise Project Connection.
Table 3:
Tool | Use
User management engine with SAP NetWeaver AS Java | This is the tool with which the SAP NetWeaver AS Java user is created and managed.
User and role maintenance with SAP ERP 6.0 or SAP S/4HANA, on-premise | This is the tool with which the RFC user and RFC user role are created and managed.
User Types
It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
The user types required for SAP Enterprise Project Connection are the following:
● Individual
○ Dialog users are used for SAP GUI and RFC connections
○ Administrators run the SAP Enterprise Project Connection configuration scenario in SAP NetWeaver AS Java
● Technical
○ Service users are used to communicate from SAP NetWeaver AS Java to SAP ERP and are managed by the service user transaction
○ Communication users are used to communicate from SAP ERP to SAP NetWeaver AS Java and are managed by SAP NetWeaver AS Java Administrator
○ Third-party integration users are used for application-specific APIs. Those users are dedicated technical users that are used as proxy users for communication with end point systems such as Oracle Primavera and Microsoft Project Server.
Recommendation: Avoid using a person's real credentials as a technical user.
For more information about user types, see the SAP NetWeaver Security Guide at http://help.sap.com/nw.
Standard Users
The following table illustrates the standard users necessary to operate SAP Enterprise Project Connection:
Table 4:
System | ID | Password | Description
SAP NetWeaver AS Java | EPCRESTUSER | Determined during installation; the user has an initial password that must be changed upon first connection | Created in SAP NetWeaver AS Java after deploying SAP Enterprise Project Connection; used for HTTP communications from SAP ERP to SAP NetWeaver AS Java
SAP ERP SAPGUI | EPCINTERFACE | Determined during installation | Created in SAP ERP; used for communication from SAP NetWeaver AS Java to SAP ERP
Oracle Primavera P6 EPPM | User-selected | Determined during Oracle Primavera P6 Integration API installation | Created in the Oracle Primavera P6 EPPM system; used for communication with Oracle Primavera P6 Integration API and/or SOAP Web Services
Microsoft Project Server | User-selected, in the form Domain-Name\User-Name | Determined during Microsoft Project Server installation | Created in the Microsoft Project Server interface; used for communication with Microsoft Project Server and SOAP Web Services
Authorizations
SAP Enterprise Project Connection uses the authorization concept provided by SAP ERP and SAP NetWeaver AS Java, which assign authorizations to users through roles. For the role maintenance required for SAP Enterprise Project Connection, see the Installation Guide for SAP Enterprise Project Connection.
Standard Roles
The following table summarizes the standard roles SAP Enterprise Project Connection uses.
Table 5:
Role | Description
SAP NetWeaver administrator | Required to log into the SAP NetWeaver AS Java Administrator console to run the configuration scenario for SAP Enterprise Project Connection
EPCINTERFACE_ROLE | Created in SAP ERP during installation using the corresponding transaction and applied to EPCINTERFACE when creating the RFC connection from SAP NetWeaver AS Java to the SAP ERP system
Datapath-rest-access | Applied to EPCRESTUSER in SAP NetWeaver AS Java, which authenticates the SAP GUI ABAP destination to make HTTP REST calls to SAP NetWeaver AS Java
Standard Objects
For a list of Standard Authorization Objects needed in the SAP ERP system, see the Installation Guide for SAP Enterprise Project Connection.
Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend activating secure session management. We also recommend using SSL to protect the network communications where these security-relevant cookies are transferred.
Session Security Protection on SAP NetWeaver AS ABAP
To activate session security on SAP NetWeaver AS ABAP, set the corresponding profile parameters and activate the session security for the clients using the corresponding transaction.
For more information, see Activating HTTP Security Session Management on AS ABAP.
Session Security Protection on SAP NetWeaver AS Java
For more information, see Protecting Sessions Security.
Network and Communication Security
Your network infrastructure is important in protecting your system. Your network must support the necessary communication for your business needs without enabling unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system level and application level) or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are unable to connect to the LAN, they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the SAP Enterprise Project Connection is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP Enterprise Project Connection.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies
Communication Channel Security
The following table illustrates the communication channels used by the SAP Enterprise Project Connection, the protocol used for the connection, and the type of data transferred.
Table 6:
Communication Path | Protocol | Data Type
SAP ERP to SAP Enterprise Project Connection | HTTP; HTTPS | XML
SAP NetWeaver AS Java to SAP ERP | RFC | ABAP request
SAP Enterprise Project Connection to Oracle Primavera P6 EPPM System | API - Oracle Primavera Integration API client library | XML
SAP Enterprise Project Connection to Oracle Primavera P6 EPPM System | SOAP Web Services over HTTP/HTTPS | SOAP envelope
SAP Enterprise Project Connection to Microsoft Project Server | SOAP Web Services over HTTP/HTTPS | SOAP envelope
DIAG and RFC connections are protected using SNC; HTTP connections are protected using SSL protocol; SOAP connections are protected with Web services security.
Recommendation: We recommend using secure protocols whenever possible.
For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security Guide.
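The guide names one protection per channel type (TLS for HTTP, SNC for RFC, Web services security for SOAP) but leaves the check to the administrator. The script below is an added example, not part of this guide or of the product: it audits a list of connection definitions against those three rules and reports every channel that falls short. The connection records, their attribute names (snc_enabled, ws_security) and the host names are constructed for the example and do not correspond to the product's configuration format.

```python
"""Audit connection definitions against the transport protections named in the
SAP EPC security guide: HTTP channels need HTTPS (TLS), RFC destinations need
SNC, and SOAP endpoints need HTTPS plus Web services security.

Added example. The records and attribute names below are constructed and are
not exported from, or specific to, any SAP EPC installation.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Connection:
    name: str
    kind: str                  # "http", "rfc" or "soap" (constructed vocabulary)
    url: str = ""              # endpoint URL for http/soap channels
    snc_enabled: bool = False  # hypothetical attribute: SNC configured on an RFC destination
    ws_security: bool = False  # hypothetical attribute: WS-Security applied to a SOAP endpoint


def audit(conn: Connection) -> list[str]:
    """Return one finding per rule the connection violates; empty list means compliant."""
    findings = []
    if conn.kind not in ("http", "rfc", "soap"):
        return [f"{conn.name}: unknown connection kind '{conn.kind}'"]

    if conn.kind in ("http", "soap"):
        # Only the URL scheme matters here; a missing scheme is treated as insecure too.
        scheme = urlparse(conn.url).scheme.lower()
        if scheme != "https":
            findings.append(
                f"{conn.name}: {conn.kind.upper()} endpoint uses "
                f"'{scheme or 'no'}' scheme; use HTTPS (TLS)"
            )

    if conn.kind == "rfc" and not conn.snc_enabled:
        findings.append(f"{conn.name}: RFC destination without SNC")

    if conn.kind == "soap" and not conn.ws_security:
        findings.append(f"{conn.name}: SOAP endpoint without Web services security")

    return findings


def audit_all(conns: list[Connection]) -> dict[str, list[str]]:
    """Map each connection name to its findings."""
    return {c.name: audit(c) for c in conns}


# Constructed sample landscape covering the channel types in Table 6.
SAMPLE_CONNECTIONS = [
    Connection("ERP_to_EPC_REST", "http", url="http://epc-java.example.internal:50000/datapath"),
    Connection("EPC_to_ERP_RFC", "rfc", snc_enabled=True),
    Connection("EPC_to_P6_WS", "soap", url="https://p6.example.internal/services", ws_security=False),
    Connection("EPC_to_MSPS", "soap", url="https://projectserver.example.internal/psi", ws_security=True),
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONNECTIONS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run as a script it prints one line per connection; in the sample landscape the plain-HTTP REST channel and the SOAP endpoint without WS-Security are flagged, the SNC-protected RFC destination and the fully protected Project Server endpoint pass.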
Network Security
For more information, see Network Security and Security Aspects for Database Connections sections in the SAP NetWeaver Security Guide.
Data Storage Security
All the application data for SAP Enterprise Project Connection, including transmission results, jobs, connection configurations, uploaded integration solutions and jar files, is stored in the SAP NetWeaver AS Java database. The passwords that form part of the user credentials for connections are encrypted and stored in the SAP NetWeaver AS Java database.
When SAP Enterprise Project Connection is installed as DEVELOPMENT type, the integration solutions are stored in the file system, in the solution home path specified by the user during the installation. Read and write permission on those integration solution files is granted to the user during custom integration solution development.
Security for Additional Applications
Follow the security requirements of the Oracle Primavera P6 EPPM system when running an integration solution with the Oracle Primavera P6 EPPM system.
Follow the security requirements of Microsoft Project Server when running an integration solution with Microsoft Project Server.
Security-Relevant Logging and Tracing
SAP Enterprise Project Connection security-relevant logging is found in the standard SAP Java log view under category /Applications/CA-EPC and in the SAP default trace view under message component CA-EPC.
SAP Virus Scan Interface
SAP Enterprise Project Connection 3.0 integrates the SAP Virus Scan Interface (SAP VSI) to protect the server from malicious content. Perform a virus scan before uploading files or importing documents. See SAP Note 817623. SAP NetWeaver integrates external malware products via the certified interface NW-VSI. A list of the certified products for the interface is available on SAP Service Marketplace at http://service.sap.com/securitypartners. See SAP Note 786179.
Configuration
To configure SAP VSI, see the SAP NetWeaver 7.5 application help at http://help.sap.com/saphelp_nw75/helpdata/en/4e/0ac1ca085c570ae10000000a42189e/frameset.htm.
If the SAP VSI setup is incomplete, SAP Enterprise Project Connection cannot scan viruses when uploading files. If the virus scan provider service is not active in the server, a warning appears in the log file. If the virus scan profile, Z_EPCPROFILE, is not created or activated in the server, a warning appears in the log file.
Data Protection
Introduction to Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP Enterprise Project Connection provides to support compliance with the relevant legal requirements and data privacy. This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape, implemented custom integration scenario and the applicable legal requirements.
Note: Compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific functions relevant to data protection, such as functions for restricting access to personal data and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.
Table 7: Glossary
Term | Definition
Personal Data | Information about an identified or identifiable natural person
Business purpose | A legal, contractual, or in other form justified reason for the processing of personal data
Deletion | Deletion of personal data so that the data is no longer usable
Retention period | The time period during which data must be available
SAP Enterprise Project Connection approach to Data Protection
Many data protection requirements for SAP Enterprise Project Connection depend on how the integration scenario is defined and implemented. A custom implementation of the integration scenario using the SAP Enterprise Project Connection integration platform may process and store (as a result of executing the data integration scenario) data that may contain personal data. The developer of the custom integration solution should be aware of this and take additional steps to protect such data from unauthorized access.
Note: Using its capabilities to communicate with other project and portfolio management systems, like Microsoft Project Server and Oracle Primavera, SAP Enterprise Project Connection may also be used to access and process personal data that is read from those systems.
SAP Enterprise Project Connection provides several security-related features to implement general security requirements that are also required for data protection and privacy:
Table 8: Features
Aspect of Data Protection and Privacy | SAP EPC 3.0 Feature
Access Control | ● Authentication ● Authorization ● Data Encryption (for example, all credentials used for communication with external project and portfolio management systems like Microsoft Project Server or Oracle Primavera are encrypted)
Access logging and tracing | Audit logging
Transmission Control/Communication Security | SAP EPC supports secure communication (SSL) with external project and portfolio management systems like Microsoft Project Server or Oracle Primavera, and supports encrypted communication with the Oracle Primavera EPPM Web Service
Data Deletion | The SAP EPC Configuration Scenario (CTC) supports Clear Database Tables, which allows EPC administrators to delete outdated or irrelevant results of executed integration scenarios. SAP EPC CTC also provides functionality for deleting SAP EPC log files and traces; those files may contain personal data, depending on the custom integration scenario implementation.
For more information about data protection, see SAP Note 2536145.
Important Disclaimers and Legal Information
Coding Samples: Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility: The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language: As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks: The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
go.sap.com/registration/contact.html
© 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.