Field Data Capture for Upstream Allocations with SAP MII 2.0

Security Guide
Document Version: 3.0 – 2016-08-10
CUSTOMER


© 2016 SAP AG or an SAP affiliate company. All rights reserved.

Typographic Conventions

Type Style   Description

Example      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.

Example      Emphasized words or expressions.

EXAMPLE      Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example      Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example      Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE      Keys on the keyboard, for example, F2 or ENTER.


Document History

Version Date Change

3.0 2016-08-10 Final Version


Table of Contents

1 Introduction .......... 6
2 Before You Start .......... 9
3 Technical System Landscape .......... 11
4 Security Aspects of Data, Data Flow and Processes .......... 13
5 User Administration and Authentication .......... 14
  5.1 User Management .......... 15
  5.2 User Data Synchronization .......... 16
  5.3 Integration into Single Sign-On Environments .......... 17
6 Authorizations .......... 18
7 Session Security Protection .......... 20
8 Network and Communication Security .......... 21
  8.2 Communication Channel Security .......... 22
  8.3 Network Security .......... 23
  8.4 Communication Destinations .......... 24
9 Internet Communication Framework Security .......... 25
10 Application-Specific Virus Scan Profile (ABAP) .......... 26
11 Data Storage Security .......... 27
12 Data Protection .......... 29
  12.1 Deletion of Personal Data .......... 30
  12.2 Read Access Logging .......... 31
13 Security for Additional Applications .......... 32
14 Dispensable Functions with Impacts on Security .......... 33
15 Enterprise Services Security .......... 34
16 Other Security-Relevant Information .......... 35
17 Security-Relevant Logging and Tracing .......... 36
18 Services for Security Lifecycle Management .......... 37
19 Appendix .......... 39


1 Introduction

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

· Technology consultants
· Security consultants
· System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the Field Data Capture for Upstream Allocations with SAP MII 2.0 (FDC). To assist you in securing the FDC, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the application Field Data Capture for Upstream Allocations with SAP MII 2.0, part of the scenario Upstream Operations Management. For using the overall scenario Upstream Operations Management, refer to the following Security Guides:

· Security Guide for NetWeaver 7.3 at http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver 7.3
· Security Guide for Oil & Gas EHP 7 at http://service.sap.com/securityguide > Industry Solutions > SAP for Oil & Gas and SAP for Mining
· Security Guide for SAP MII 12.2 or higher at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing
· Security Guide for PCo 2.1 or higher at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing


Overview of the Main Sections

The Security Guide comprises the following main sections:

· Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

· Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the FDC.

· Security Aspects of Data, Data Flow and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes within the FDC.

· User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
  o Recommended tools to use for user management
  o User types that are required by the FDC
  o Standard users that are delivered with FDC
  o Overview of the user synchronization strategy, if several components or products are involved
  o Overview of how integration into Single Sign-On environments is possible

· Authorizations
This section provides an overview of the authorization concept that applies to the FDC.

· Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).

· Network and Communication Security
This section provides an overview of the communication paths used by the FDC and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

· Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by the FDC.

· Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.

· Data Storage Security
This section provides an overview of any critical data that is used by the FDC and the security mechanisms that apply.

· Data Protection
This section provides information about how the FDC protects personal or sensitive data.


· Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used with the FDC.

· Dispensable Functions with Impacts on Security
This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.

· Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered with the FDC.

· Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.

· Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.

· Appendix
This section provides references to further information.


2 Before You Start

Fundamental Security Guides

The Field Data Capture for Upstream Allocations with SAP MII is built from the scenario Upstream Operations Management. The application is developed using SAP MII 12.2 or higher and also interacts with the data historians. Therefore, the corresponding Security Guides also apply to the application FDC. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

Relevant Security Guides

Scenario, Application or Component / Security Guide

· Security Guide for SAP MII 12.2 at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > Security Guide SAP MII 12.2
· Security Guide for NetWeaver 7.3 at http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver 7.3
· Security Guide for PCo 2.1 at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > Security Guide Plant Connectivity 2.1
· Security Guide for Oil & Gas EHP 7 at http://service.sap.com/securityguide > Industry Solutions > SAP for Oil & Gas and SAP for Mining

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

Important SAP Notes

Refer to SAP MII 12.2 and higher and NetWeaver 7.3 Security Guides for more details. For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace at http://service.sap.com/securitynotes.

Configuration

You can find a summary of the configuration steps for implementing security for Field Data Capture for Upstream Allocations with SAP MII in the Installation Guide. See http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > SAP MII-based Manufacturing Products > Field Data Capture for Upstream Allocations with SAP MII > Installation Guide FDC 2.0

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content                 Quick Link on SAP Service Marketplace or SCN
Security                http://scn.sap.com/community/security
Security Guides         http://service.sap.com/securityguide
Related SAP Notes       http://service.sap.com/notes
                        http://service.sap.com/securitynotes
Released platforms      http://service.sap.com/pam
Network security        http://service.sap.com/securityguide
SAP Solution Manager    http://service.sap.com/solutionmanager
SAP NetWeaver           http://scn.sap.com/community/netweaver


3 Technical System Landscape

Use

The figure below shows an overview of the technical system landscape for the Field Data Capture for Upstream Operations Management for SAP MII 2.0 (FDC).

Figure 1: System Landscape

For more information about the technical system landscape, see the resources listed in the table below.

Topic / Guide or Tool / Quick Link on SAP Service Marketplace or SCN

· Technical description for FDC and the underlying components such as SAP NetWeaver: Master Guide, http://service.sap.com/instguides
· High availability: see applicable documents, http://scn.sap.com/docs/DOC-7848
· Technical landscape design: see applicable documents, http://scn.sap.com/docs/DOC-8140
· Security: see applicable documents, http://scn.sap.com/community/security

FDC uses several inbound and outbound communication channels. External systems interact with FDC through the following channels:

· HTTP(S)
· Web Services
· RFC

All user interaction with FDC is handled in HTTP or HTTPS and is authenticated by the SAP NetWeaver user management engine.

Caution: For security reasons, we recommend you always use HTTPS.

For communication with SAP ERP, you use the SAP Java Resource Adapter (SAP JRA) or Web services. For communication with shop floor systems, you use the SAP MII and PCo data servers. Communication between SAP MII and PCo is based on TCP/IP and uses a proprietary binary protocol.


4 Security Aspects of Data, Data Flow and Processes

This section is not applicable for Field Data Capture for Upstream Allocations with SAP MII 2.0.


5 User Administration and Authentication

The Field Data Capture for Upstream Allocations with SAP MII (FDC) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] and SAP NetWeaver Application Server Java Security Guide [SAP Library] also apply to the FDC.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the FDC in the following topics:

· User Management [Page 15]
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the FDC.

· User Data Synchronization [Page 16]
Not applicable. Refer to the Security Guide for NetWeaver 7.3 at http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver 7.3.

· Integration into Single Sign-On Environments [Page 17]
This topic describes how the FDC supports Single Sign-On mechanisms.


5.1 User Management

Use

User management for the application Field data capture for upstream allocations with SAP MII (FDC) uses the mechanisms provided with the SAP NetWeaver Application Server Java. FDC does not support the SAP NetWeaver technical user concept as this is not supported by the underlying SAP MII Component. For more information, see SAP MII 12.2 Security Guide at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > Security Guide SAP MII 12.2.

User Administration Tools

Refer to the SAP MII 12.2 Security Guide.

User Types

Refer to the SAP MII 12.2 Security Guide.

Standard Users

Refer to the SAP MII 12.2 Security Guide.


5.2 User Data Synchronization

Use

Refer to the Security Guide for NetWeaver 7.3 at http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver 7.3. This section applies if your scenario, component, or application shares user information with other sources, for example, with a directory service. If you use SAP user management, which includes central user administration (CUA), then you only need to include any known restrictions, for example, if you store extra user information somewhere that cannot be distributed using CUA. If you rely completely on SAP user management, you can omit this section.


5.3 Integration into Single Sign-On Environments

Use

The application Field data capture for upstream allocations with SAP MII (FDC) supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [External] also apply to FDC. For more information, see the SAP MII 12.2 Security Guide at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing > Security Guide SAP MII 12.2.


6 Authorizations

Use

The application Field data capture for upstream allocations with SAP MII (FDC) uses the authorization concept provided by the SAP NetWeaver AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide Java also apply to the application FDC. For more information, see SAP MII 12.2 or higher Security Guide at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing

Note: For more information about how to create roles, see Role Administration [SAP Library].

Role and Authorization Concept for FDC

Standard Roles

The table below shows the standard roles that are used by the FDC.

Standard Roles

Role / Description

Role: SAP_FDC_Administrator
Description: The user assigned to this prepackaged role has full access to all the applications in FDC. The user assigned to this role must also have the role SAP_XMII_User. In addition, an SAP MII Administrator must manually add the following SAP NetWeaver UME actions to the role:
  · XMII_DataServer_RW
  · XMII_CredentialStore_all
  · XMII_ScheduleEditor_RW
  · XMII_Schedule_control
  · XMII_MessageListenerConfig_all
  · XMII_MessageListenerCleanupRules_all
  · XMII_MessageListenerRules_all
  · XMII_MessageListenerMonitor_RWD

Role: SAP_FDC_PRODUCTIONENGINEER
Description: The user assigned to this prepackaged role has full access to the Monitoring and Validation application but read-only access to the Design-Time-Mapping and Configuration applications in FDC. The user assigned to this role must also have the role SAP_XMII_User. In addition, an SAP MII Administrator must manually add the following SAP NetWeaver UME actions to the role:
  · XMII_MessageListenerMonitor_RWD
  · XMII_ScheduleEditor_R
  · XMII_Schedule_R

Role: SAP_FDC_PRODUCTIONMANAGER
Description: The users assigned to this prepackaged role have full access to all the applications except the Configuration applications in FDC. The user assigned to this role must also have the role SAP_XMII_User. In addition, an SAP MII Administrator must manually add the following SAP NetWeaver UME actions to the role:
  · XMII_MessageListenerMonitor_RWD
  · XMII_ScheduleEditor_R
  · XMII_Schedule_R
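As an added example (not SAP code and not part of this guide), the following Python audit checks an exported role and user listing against the two requirements the table above states: that each FDC role carries the UME actions an SAP MII administrator must add manually, and that every holder of an FDC role also holds SAP_XMII_User. The export format, the user names and the sample listing are constructed for the example; a real UME export has to be mapped onto the same two dictionaries first.

```python
"""Audit of the FDC standard roles from the table above (added example, not
SAP code). Two requirements from the table are checked: each FDC role
carries the UME actions an SAP MII administrator must add manually, and
every user holding an FDC role also holds SAP_XMII_User. The export format
parsed here is constructed for this example."""
from collections import namedtuple

# UME actions required per role, copied from the Standard Roles table.
MONITORING_ACTIONS = {"XMII_MessageListenerMonitor_RWD",
                      "XMII_ScheduleEditor_R", "XMII_Schedule_R"}
FDC_ROLE_ACTIONS = {
    "SAP_FDC_Administrator": {
        "XMII_DataServer_RW", "XMII_CredentialStore_all",
        "XMII_ScheduleEditor_RW", "XMII_Schedule_control",
        "XMII_MessageListenerConfig_all", "XMII_MessageListenerCleanupRules_all",
        "XMII_MessageListenerRules_all", "XMII_MessageListenerMonitor_RWD",
    },
    "SAP_FDC_PRODUCTIONENGINEER": set(MONITORING_ACTIONS),
    "SAP_FDC_PRODUCTIONMANAGER": set(MONITORING_ACTIONS),
}
BASE_ROLE = "SAP_XMII_User"  # every holder of an FDC role needs this as well

# subject: role or user; problem: what is wrong; detail: missing action/role
Finding = namedtuple("Finding", "subject problem detail")


def parse_export(text):
    """Parse the constructed export format: an unindented 'role <name>' is
    followed by indented 'action <ume action>' lines, an unindented
    'user <name>' by indented 'role <role name>' lines; '#' starts a comment.
    Returns (roles, users) mapping names to sets of actions / roles."""
    roles, users = {}, {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        indented = raw[:1].isspace()
        if not indented and key == "role":
            current, kind = roles.setdefault(value, set()), "role"
        elif not indented and key == "user":
            current, kind = users.setdefault(value, set()), "user"
        elif indented and kind == "role" and key == "action":
            current.add(value)
        elif indented and kind == "user" and key == "role":
            current.add(value)
        else:
            raise ValueError(f"unexpected line in export: {raw!r}")
    return roles, users


def audit(roles, users):
    """Return findings for missing UME actions and missing SAP_XMII_User."""
    findings = []
    for role, required in FDC_ROLE_ACTIONS.items():
        if role not in roles:
            findings.append(Finding(role, "role not present in export", ""))
            continue
        for action in sorted(required - roles[role]):
            findings.append(Finding(role, "missing UME action", action))
    fdc_roles = set(FDC_ROLE_ACTIONS)
    for user, held in users.items():
        held_fdc = sorted(held & fdc_roles)
        if held_fdc and BASE_ROLE not in held:
            problem = "holds " + ", ".join(held_fdc) + " without " + BASE_ROLE
            findings.append(Finding(user, problem, BASE_ROLE))
    return findings


# Constructed sample: the engineer role lacks XMII_Schedule_R and user
# engineer1 lacks SAP_XMII_User, so exactly two findings are expected.
SAMPLE_EXPORT = """\
role SAP_FDC_Administrator
  action XMII_DataServer_RW
  action XMII_CredentialStore_all
  action XMII_ScheduleEditor_RW
  action XMII_Schedule_control
  action XMII_MessageListenerConfig_all
  action XMII_MessageListenerCleanupRules_all
  action XMII_MessageListenerRules_all
  action XMII_MessageListenerMonitor_RWD
role SAP_FDC_PRODUCTIONENGINEER
  action XMII_MessageListenerMonitor_RWD
  action XMII_ScheduleEditor_R
role SAP_FDC_PRODUCTIONMANAGER
  action XMII_MessageListenerMonitor_RWD
  action XMII_ScheduleEditor_R
  action XMII_Schedule_R
user fdc_admin
  role SAP_FDC_Administrator
  role SAP_XMII_User
user engineer1
  role SAP_FDC_PRODUCTIONENGINEER
"""

if __name__ == "__main__":
    for f in audit(*parse_export(SAMPLE_EXPORT)):
        print(f"{f.subject}: {f.problem} {f.detail}".rstrip())
```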

Standard Authorization Objects

Not Applicable.


7 Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management. We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management. We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS Java

In the Configuration tool, edit the following properties for the Web Container service, which control security-related aspects of HTTP sessions:

Property Recommended Value

SessionIdRegenerationEnabled True

SystemCookiesDataProtection True

SystemCookiesHTTPSProtection True

For more information, see SAP MII 12.2 or higher Security Guide at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing
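The three Web Container properties in the table above can be checked mechanically once their values are exported from the Configuration tool. As an added example (not SAP code), this Python script parses a constructed key=value dump of the service properties, normalizes the boolean values, and reports each property as ok, wrong, missing or unparseable; a missing property counts as non-compliant because nothing proves the recommended value is in effect.

```python
"""Compliance check for the AS Java session security properties in the table
above (added example, not SAP code). Input is a constructed key=value dump
of the Web Container service properties; the Configuration tool is a GUI,
so the values have to be exported by hand before they can be checked."""
from collections import namedtuple

# Property -> recommended value, from the table in this section.
RECOMMENDED = {
    "SessionIdRegenerationEnabled": True,
    "SystemCookiesDataProtection": True,
    "SystemCookiesHTTPSProtection": True,
}

# status: "ok", "wrong", "missing" or "unparseable"; actual: raw value found
Check = namedtuple("Check", "prop status actual")


def parse_properties(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored.
    Keys are matched exactly, since the property names are case-sensitive;
    a repeated key keeps its last value, as a properties file would."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not a key=value line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def to_bool(value):
    """Accept only true/false in any letter case; anything else gives None."""
    return {"true": True, "false": False}.get(value.strip().lower())


def check_session_properties(props):
    """Compare every recommended property against the dump."""
    results = []
    for prop, wanted in RECOMMENDED.items():
        if prop not in props:
            results.append(Check(prop, "missing", ""))
            continue
        actual = to_bool(props[prop])
        if actual is None:
            status = "unparseable"
        elif actual == wanted:
            status = "ok"
        else:
            status = "wrong"
        results.append(Check(prop, status, props[prop]))
    return results


def is_compliant(results):
    # Only "ok" counts: a missing or unreadable property is not proven safe.
    return all(r.status == "ok" for r in results)


# Constructed samples: a weak configuration beside the recommended one.
WEAK_DUMP = """\
# Web Container service properties (constructed sample)
SessionIdRegenerationEnabled=false
SystemCookiesHTTPSProtection=true
"""
HARDENED_DUMP = """\
SessionIdRegenerationEnabled=true
SystemCookiesDataProtection=true
SystemCookiesHTTPSProtection=true
"""

if __name__ == "__main__":
    for r in check_session_properties(parse_properties(WEAK_DUMP)):
        print(f"{r.prop:30} {r.status:12} {r.actual}")
```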


8 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Field Data Capture for Upstream Allocations with SAP MII is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the FDC. Details that specifically apply to the FDC are described in the following topics:

· Communication Channel Security [Page 21]
This topic describes the communication paths and protocols used by the FDC.

· Network Security [Page 23]
This topic describes the recommended network topology for the FDC. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection.

· Communication Destinations [Page 24]
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:
· Network and Communication Security [SAP Library]
· Security Guides for Connectivity and Interoperability Technologies [SAP Library]


8.2 Communication Channel Security

Use

The table below shows the communication channels used by the application Field data capture for upstream allocations with SAP MII (FDC), the protocol used for the connection, and the type of data transferred.

Communication Path / Protocol Used / Type of Data Transferred / Data Requiring Special Protection

· Application server to third-party application
  Protocol used: TCP/IP and uses a proprietary binary protocol
  Type of data transferred: Tag retrieval from shop floor systems
  Data requiring special protection: Plant Connectivity (PCo) logon credentials while creating the connector

· PCo to application server SAP MII
  Protocol used: TCP/IP and uses a proprietary binary protocol
  Type of data transferred: Event notification

· SAP ERP to SAP MII application server
  Protocol used: Web services
  Type of data transferred: Application data (network hierarchy, reason codes, task list)
  Data requiring special protection: ERP logon credentials maintained in the SAP MII credential stores

· SAP MII application server to SAP ERP
  Protocol used: Web services
  Type of data transferred: Application data (design time map, well test data, notification creation)
  Data requiring special protection: ERP logon credentials maintained in the SAP MII credential stores

· SAP MII application server to SAP ERP
  Protocol used: RFC, SAP Java Resource Adapter (SAP JRA)
  Type of data transferred: Application data (measurement documents)
  Data requiring special protection: ERP logon credentials maintained in the SAP MII credential stores

· Third party to application server
  Protocol used: HTTPS
  Type of data transferred: PRODML XML
  Data requiring special protection: SAP MII logon credentials required

The following Energistics (C) products were used in the creation of this work: PRODML Data Schema Specifications – Version 1.2.

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connectionsare protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web servicessecurity.

Recommendation
We strongly recommend using secure protocols (SSL/TLS, SNC) whenever possible, and in particular on every channel in the table that carries logon credentials.

For more information, see Transport Layer Security [SAP Library] and Web Services Security [SAP Library] in the SAP NetWeaver Security Guide.
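The recommendation above is easy to state and easy to lose track of once a landscape has a dozen destinations. The following script is an added example, not SAP code and not part of this guide: it models each row of the communication channel table as a configuration record and flags any channel that does not use the protection the section names for its protocol (HTTPS for HTTP, WS-Security for SOAP, SNC for RFC and DIAG). The record fields, destination names and hostnames are assumptions for the example; in a real system the same information would be exported from the SAP MII credential store and the NetWeaver destination configuration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Destination:
    """One communication channel as a configuration record.

    The field names are assumptions for this example; they are not SAP MII or
    NetWeaver destination-service attribute names.
    """
    name: str
    protocol: str              # "HTTP", "SOAP", "RFC", "DIAG" or "PCO"
    url: str = ""              # endpoint URL for HTTP/SOAP channels
    snc: bool = False          # SNC active on an RFC/DIAG connection
    ws_security: bool = False  # WS-Security policy assigned to a SOAP endpoint
    credentials: bool = False  # the channel carries a logon credential


def check_destination(d: Destination) -> List[str]:
    """Return findings for one destination; an empty list means compliant."""
    proto = d.protocol.upper()
    findings: List[str] = []
    if proto in ("HTTP", "SOAP"):
        scheme = urlparse(d.url).scheme.lower()
        if scheme != "https":
            findings.append("transport is not HTTPS (SSL/TLS)")
        if proto == "SOAP" and not d.ws_security:
            findings.append("SOAP endpoint without a WS-Security policy")
    elif proto in ("RFC", "DIAG"):
        if not d.snc:
            findings.append(f"{proto} connection without SNC")
    elif proto == "PCO":
        # The guide lists only "TCP/IP, proprietary binary protocol" for the PCo
        # links, so neither SNC nor SSL applies; surface it so the link is
        # reviewed for network-level isolation (assumption, not a guide statement).
        findings.append("proprietary binary protocol; not covered by SNC/SSL, isolate at network level")
    else:
        findings.append(f"unknown protocol {d.protocol!r}")
    # A weak channel that also transports a credential is the worst case:
    # an on-path attacker obtains the logon, not just one payload.
    if d.credentials and findings:
        findings = [f"[credential exposure] {f}" for f in findings]
    return findings


def audit(destinations: List[Destination]) -> Dict[str, List[str]]:
    """Audit every destination; the result is keyed by destination name."""
    return {d.name: check_destination(d) for d in destinations}


# Constructed sample landscape mirroring the rows of the table above.
# Destination names and hostnames are invented for this example.
SAMPLE_DESTINATIONS = [
    Destination("ERP_TO_MII_WS", "SOAP", url="http://mii.example.local:50000/service",
                ws_security=False, credentials=True),
    Destination("MII_TO_ERP_WS", "SOAP", url="https://erp.example.local:44300/service",
                ws_security=True, credentials=True),
    Destination("MII_TO_ERP_JRA", "RFC", snc=False, credentials=True),
    Destination("THIRDPARTY_PRODML", "HTTP", url="https://mii.example.local:50001/prodml",
                credentials=True),
    Destination("PCO_EVENTS", "PCO"),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DESTINATIONS).items():
        status = "OK " if not findings else "FIX"
        print(f"{status} {name}: {'; '.join(findings) or 'secure protocol in use'}")
```

Run as a script it prints one line per destination; in the sample, the ERP-to-MII web service (plain HTTP, no WS-Security) and the JRA connection (no SNC) are flagged with the credential-exposure prefix because both carry ERP or MII logon data.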


8.3 Network Security

Use

Ports

The Field Data Capture for Upstream Allocations with SAP MII (FDC) runs on SAP NetWeaver and uses the ports from the AS ABAP or AS Java. For more information, see the topics for AS ABAP Ports [SAP Library] and AS Java Ports [SAP Library] in the corresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which is located on SAP Developer Network at http://scn.sap.com/community/security under Infrastructure Security > Network and Communications Security. When you write firewall rules, open only the ports that the communication channels listed in section 8.2 actually use.

For more information, see the following guides:
· Security Guide for SAP MII 12.2 or higher at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing
· Security Guide for NetWeaver 7.3 at http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver 7.3
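The port documents referenced above express every listener as a pattern over the two-digit instance number. The script below is an added example (not SAP code, not from this guide) that derives the default listeners of an AS ABAP and an AS Java instance from that number and splits them into the ports a firewall can expose and the ones it should block, using the plaintext/protected distinction the previous section draws. The port patterns are the well-known SAP defaults (32NN dispatcher, 33NN gateway, 36NN message server, 48NN SNC gateway, 80NN and 443NN ICM HTTP/HTTPS, 5NN00 and 5NN01 AS Java HTTP/HTTPS, 5NN04 P4, 5NN08 Telnet); confirm them against the TCP/IP Ports document for your release, because profile parameters can move any of them.

```python
from __future__ import annotations

from typing import List, NamedTuple, Tuple


class Listener(NamedTuple):
    service: str
    port: int
    plaintext: bool  # True if the listener accepts unprotected connections by default


def _check_instance(nn: int) -> None:
    if not 0 <= nn <= 99:
        raise ValueError(f"instance number must be 00-99, got {nn}")


def abap_listeners(nn: int) -> List[Listener]:
    """Default listeners of an AS ABAP instance with instance number nn.

    32NN (DIAG) and 33NN (RFC) can carry SNC, but SNC is negotiated in-band
    and is optional unless enforced in the instance profile, so both are
    listed as plaintext-capable; 48NN is the dedicated SNC gateway port.
    """
    _check_instance(nn)
    return [
        Listener("dispatcher (DIAG / SAP GUI)", 3200 + nn, True),
        Listener("gateway (RFC)", 3300 + nn, True),
        Listener("gateway (RFC over SNC)", 4800 + nn, False),
        Listener("message server", 3600 + nn, True),
        Listener("ICM HTTP", 8000 + nn, True),
        Listener("ICM HTTPS", 44300 + nn, False),
    ]


def java_listeners(nn: int) -> List[Listener]:
    """Default listeners of an AS Java instance (the stack SAP MII runs on)."""
    _check_instance(nn)
    base = 50000 + 100 * nn
    return [
        Listener("HTTP", base, True),
        Listener("HTTPS", base + 1, False),
        Listener("P4 (RMI)", base + 4, True),
        Listener("Telnet administration", base + 8, True),
    ]


def firewall_plan(listeners: List[Listener],
                  allow_plaintext: bool = False) -> Tuple[List[int], List[int]]:
    """Split listeners into ports to allow from untrusted networks and ports to block."""
    allowed = sorted(l.port for l in listeners if allow_plaintext or not l.plaintext)
    blocked = sorted(l.port for l in listeners if l.port not in allowed)
    return allowed, blocked


if __name__ == "__main__":
    # Assumed example layout: ERP on ABAP instance 00, MII on Java instance 01.
    for label, listeners in (("ERP (ABAP 00)", abap_listeners(0)),
                             ("MII (Java 01)", java_listeners(1))):
        allowed, blocked = firewall_plan(listeners)
        print(f"{label}: allow {allowed}, block {blocked}")
```

The plan is deliberately strict: with `allow_plaintext=False` only the HTTPS listeners and the SNC gateway are exposed, so an RFC or web-service destination that was left on a plaintext port (see section 8.2) fails at the firewall instead of silently carrying credentials in the clear.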


8.4 Communication Destinations

Use

The application Field Data Capture for Upstream Allocations with SAP MII does not deliver preconfigured RFC or JCo destinations or ports.


9 Internet Communication Framework Security

This section is not applicable for Field Data Capture for Upstream Allocations with SAP MII 2.0.


10 Application-Specific Virus Scan Profile (ABAP)

This section is not applicable for Field Data Capture for Upstream Allocations with SAP MII 2.0.


11 Data Storage Security

Use

The application-specific data is stored in application-specific tables in the NetWeaver schema. The user does not have direct access to the data. All access (read, write, delete, and update) to the data is through the UI screens of UOM-relevant SAP MII content. UOM-relevant SAP MII content does not store any user-related data or passwords. All such information is either configured in SAP MII or in NetWeaver Java (for SAP JRA).


Activating the Validation of Logical Path and File Names

These logical paths and file names, as well as any subdirectories, are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.

For more information, see:
· Logical File Names [SAP Library]
· Protecting Access to the File System [SAP Library]
· Security Audit Log [SAP Library]


12 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note
In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Glossary

Term Definition

Personal data Information about an identified or identifiable natural person.

Business purpose A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.

Blocking A method of restricting access to data for which the primary business purpose hasended.

Deletion Deletion of personal data so that the data is no longer usable.

Retention period The time period during which data must be available.

End of purpose (EoP) A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.

Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:
· Access control: Authentication features as described in section User Administration and Authentication [Page 14].
· Authorizations: Authorization concept as described in section Authorizations [Page 18].
· Read access logging: as described in section Read Access Logging [Page 31].


· Transmission control / Communication security: as described in section Network and Communication Security [Page 21] and Security Aspects of Data, Data Flow and Processes [Page 13].
· Input control / Change logging: Change logging is described in the application-specific documentation <link to application-specific documentation>.
· Availability control as described in:
  o Section Data Storage Security [Page 27]
  o SAP NetWeaver Database Administration [SAP Library] documentation
  o SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View > Solution Life Cycle Management > SAP Business Continuity
· Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.

Caution
The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection. Additional industry-specific, scenario-specific or application-specific configuration might be required. For information about the application-specific configuration, see the application-specific Customizing in SPRO.

12.1 Deletion of Personal Data

Not Applicable.

End of Purpose Check (EoP)

Not Applicable.

Where-Used Check (WUC)

Not Applicable.

Integration with Other Solutions

Not Applicable.


Relevant Application Objects and Available Deletion Functionality

Not Applicable.

Relevant Application Objects and Available EoP/WUC functionality

Not Applicable.

Configuration: Simplified Blocking and Deletion

You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.
· Define the settings for authorization management under Data Protection > Authorization Management. For more information, see the Customizing documentation.
· Define the settings for blocking in Customizing for Cross-Application Components under Data Protection > Blocking and Unblocking > Business Partner.
· …

You configure the settings related to the blocking and deletion of customer and vendor master data in Customizing for …
· Logistics - General > Business Partner > Deletion of Customer and Vendor Master Data.
· Financial Accounting > Accounts Receivable and Accounts Payable > Deletion of Customer and Vendor Master Data.
· Financial Accounting (New) > Accounts Receivable and Accounts Payable > Deletion of Customer and Vendor Master Data.

12.2 Read Access Logging

Use

If no trace or log is stored that records which business users have accessed data, it is difficult to track the person(s) responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data, for example, of a business partner, and in which time frame. In RAL, you can configure which read-access information to log and under which conditions.

For more information about RAL, see Read Access Logging [SAP Library] in the documentation for SAP NetWeaver.


13 Security for Additional Applications

This section is not applicable for Field Data Capture for Upstream Allocations with SAP MII 2.0.


14 Dispensable Functions with Impacts on Security

This section is not applicable for Field Data Capture for Upstream Allocations with SAP MII 2.0.


15 Enterprise Services Security

The following sections in the SAP NetWeaver Security Guide and documentation are relevant for all enterprise services delivered with Field Data Capture for Upstream Allocations with SAP MII (FDC):
· Web Services Security [SAP Library]
· Recommended WS Security Scenarios [SAP Library]
· SAP NetWeaver Process Integration Security Guide [SAP Library]


16 Other Security-Relevant Information

Use

Configure the virus scan interface whenever you upload files to the application. For more information, see SAP Help Portal at http://help.sap.com > System Security > Virus Scan Interface > Architecture of the Virus Scan Interface.


17 Security-Relevant Logging and Tracing

Use

The application manages logs in two ways:

Logs in the FDC application database
The field data validation logs and the SAP ERP integration logs are saved in the application database itself. These logs can be seen when you display the individual document in the Monitoring and Validation application.

Logs in the NetWeaver log
All the messages generated during any process in the application are logged in the SAP NetWeaver log. You can view these logs from the SAP MII portal using the path System Management > Log Viewer.

The configuration for FDC is maintained in the Configuration application. Here you maintain the required configuration for all the supported scenarios. Since most of the configuration is saved in the shared memory, changes to the shared memory are logged by SAP MII in the audit log of SAP NetWeaver. You can view these logs from the SAP MII portal using the path System Management > Log Viewer. Filter the logs based on the location com.sap.xmii.Illuminator.logging.AuditLog.

For more information, see the SAP MII 12.2 or higher Security Guide at http://service.sap.com/securityguide > SAP Business Suite Applications > SAP Manufacturing.
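The Log Viewer filter described above is what an operator uses interactively; for monitoring, the same filter is worth automating over an exported log so that configuration changes can be attributed to users and reviewed. The following is an added example, not SAP code and not from this guide. The line layout it parses (timestamp | severity | location | user | message) is a constructed simplification of a Log Viewer export, and every sample line is invented for the example; only the location string com.sap.xmii.Illuminator.logging.AuditLog comes from the guide. Adapt the regular expression to the export format you actually use.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Location of the SAP MII audit log in the NetWeaver log (from the guide).
AUDIT_LOCATION = "com.sap.xmii.Illuminator.logging.AuditLog"

# Assumed export layout: ISO timestamp | severity | location | user | message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\|"
    r"(?P<severity>\w+)\|"
    r"(?P<location>[\w.]+)\|"
    r"(?P<user>[^|]*)\|"
    r"(?P<message>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one exported log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_entries(lines: Iterable[str], location: str = AUDIT_LOCATION) -> List[Dict[str, str]]:
    """Return the parsed entries whose location equals `location`, in file order.

    Unparseable lines are skipped rather than raising, so a single damaged
    line in an export does not hide the audit entries around it.
    """
    entries = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["location"] == location:
            entries.append(rec)
    return entries


def changes_by_user(entries: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count audit entries per user, the first thing a reviewer asks for."""
    return dict(Counter(e["user"] for e in entries))


# Constructed sample export (invented users, documents and messages).
SAMPLE_LOG = """\
2016-08-10T08:15:02|Info|com.sap.xmii.Illuminator.logging.AuditLog|FDCADMIN|Configuration 'ERP_CONNECTION' changed
2016-08-10T08:15:40|Info|com.sap.xmii.Illuminator.logging|FDCADMIN|Transaction started
2016-08-10T08:16:11|Warning|com.sap.xmii.Illuminator.logging.AuditLog|SVC_PCO|Configuration 'PCO_CONNECTOR' changed
2016-08-10T08:17:00|Error|com.example.fdc.Validation|FIELDOP1|Field data validation failed for document 4711
garbage line that does not parse
2016-08-10T08:18:30|Info|com.sap.xmii.Illuminator.logging.AuditLog|FDCADMIN|Configuration 'SHARED_MEMORY' changed
"""


if __name__ == "__main__":
    found = audit_entries(SAMPLE_LOG.splitlines())
    for e in found:
        print(f"{e['ts']} {e['user']:10} {e['message']}")
    print("changes by user:", changes_by_user(found))
```

Matching on the exact location string rather than a substring keeps the sibling location com.sap.xmii.Illuminator.logging (ordinary transaction messages in the sample) out of the audit view, which is the same distinction the Log Viewer filter makes.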


18 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
· Whether SAP Security Notes have been identified as missing on your system. In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.
· Whether an accumulation of critical basis authorizations has been identified. In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.
· Whether standard users with default passwords have been identified on your system. In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:
· Critical authorizations in detail
· Security-relevant configuration parameters
· Critical users
· Missing security patches

This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.


Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.

More Information

For more information about these services, see:
· EarlyWatch Alert: http://service.sap.com/ewa
· Security Optimization Service / Security Notes Report: http://service.sap.com/sos
· Comprehensive list of Security Notes: http://service.sap.com/securitynotes
· Configuration Validation: http://service.sap.com/changecontrol
· RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/runsap (see the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)


19 Appendix


www.sap.com/contactsap

© 2016 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Material Number: NA