Security Information PUBLIC
SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02
Document Version: 1.08 – 2017-04-07
Security Information for SAP Predictive Maintenance and Services, on-premise edition
Content
1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Integration into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1 Role Templates for SAP Predictive Maintenance and Service, on-premise edition. . . . . . . . . . . . . . . . . . 8
3.2 Password Policy Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition. . . . . . . . . . . . 11
3.4 Roles for Working with the Data Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4 Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1 Deleting Personal Data from Data Science Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2 Deleting Personal Data from AHCC and AHFS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Retrieve the Workspace ID of a User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Retrieve a CSRF Token. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Delete the Workspace of a User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Delete a User and a Workspace Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.3 Deleting Data from the Data Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.4 Deleting Personal Data from Key Figures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5 Communication Channels and Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
6 Operational Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1 Whitelist of URLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7 Auditing and Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
8 Application and Product Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9 Deinstallation of Software Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
10 Firewall Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
1 Document History
Caution: Before you read this document, make sure you have the latest version of this document. You can find the latest version at the following location: https://uacp2.hana.ondemand.com/doc/97cbab0f1c184d54adad4a6aea170ac1/1.0%20FP02/en-US/Security_Information_for_SAP_Predictive_Maintenance_and_Services_on_premise_edition.pdf
Tip: You might need to refresh your browser to see the latest version of this document.
The following table provides an overview of the most important document changes:
Table 1: Document History

Version  Date        Description
1.08     2017-04-05  Updated:
                     ● Password Policy Information [page 11]
1.07     2017-04-04  Updated:
                     ● Whitelist of URLs [page 23]
1.06     2017-01-03  Updated:
                     ● Deleting Data from the Data Model [page 19]
1.05     2016-12-08  Updated:
                     ● Authorizations [page 8]
                     ● Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]
                     ● Deleting Personal Data from AHCC and AHFS [page 15]
                     ● Retrieve the Workspace ID of a User [page 16]
                     ● Delete the Workspace of a User [page 17]
                     ● Delete a User and a Workspace Mapping [page 18]
                     ● Deleting Data from the Data Model [page 19]
                     ● Deleting Personal Data from Key Figures [page 20]
1.04     2016-12-06  Updated:
                     ● User Administration and Authentication [page 5]
                     ● Firewall Configuration [page 29]
1.03     2016-12-05  Updated:
                     ● Deleting Data from the Data Model [page 19]
1.02     2016-11-11  Added:
                     ● Deleting Data from the Data Model [page 19]
                     ● Deleting Personal Data from Key Figures [page 20]
1.01     2016-09-29  Updated:
                     ● Link to this document
1.0      2016-09-28  Initial Version
2 User Administration and Authentication
SAP Predictive Maintenance and Service, on-premise edition uses the user management and authentication mechanisms provided with the SAP HANA platform and the SAP HANA XS Advanced runtime. Therefore, the security recommendations and guidelines for user administration and authentication as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:
● SAP HANA Security Guide (1.0 SPS12)
  To access the guide, download the SAP HANA Platform 1.0 SPS 12 documentation set.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP Predictive Maintenance and Service, on-premise edition, in the following topics:
● User Management [page 5]
  This topic lists the tools to use for user management, and the types of users required for SAP Predictive Maintenance and Service, on-premise edition.
● Integration into Single Sign-On Environments [page 7]
  This topic describes how SAP Predictive Maintenance and Service, on-premise edition supports Single Sign-On mechanisms.
2.1 User Management
User management for SAP Predictive Maintenance and Service, on-premise edition uses the mechanisms provided with the SAP HANA platform and the SAP HANA XS Advanced runtime, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP Predictive Maintenance and Service, on-premise edition, see the sections below.
User Management Tools
The table below shows the tools to use for user management and user administration with SAP Predictive Maintenance and Service, on-premise edition.
Table 2: User Management Tools

Tool: SAP HANA studio, SAP HANA cockpit
Detailed Description: https://help.sap.com/hana_platform : Security SAP HANA Security Guide
Prerequisites: System privilege USER ADMIN is assigned.
Note: The SYSTEM database user is the default user created when SAP HANA is installed.

Tool: Application role builder (SAP HANA XS Advanced)
Detailed Description: http://help.sap.com/hana_platform/ : System Administration SAP HANA Administration Guide
Prerequisites: Role collection XS_AUTHORIZATION_ADMIN is assigned.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
The user types that are required for SAP Predictive Maintenance and Service, on-premise edition include the following:
● Individual users
  ○ Database users are required for access to the SAP HANA database.
  ○ Administration users are required for installing and configuring the components of SAP Predictive Maintenance and Service, on-premise edition and maintaining users.
  ○ Business users are required for access to the Asset Health Control Center.
  ○ Users for data science services are required for model management, model learning, and model training.
● Technical users
  ○ Technical users required by the insight providers for working with the Insight Provider Catalog.
Related Information
SAP Help Portal: SAP HANA Platform
Authorizations [page 8]
2.2 Integration into Single Sign-On Environments
SAP Predictive Maintenance and Service, on-premise edition supports the Single Sign-On (SSO) mechanisms provided by SAP HANA. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP HANA Security Guide also apply to SAP Predictive Maintenance and Service, on-premise edition. For more information about the available authentication mechanisms, see https://help.sap.com/hana_platform : Security SAP HANA Security Guide
Related Information
SAP Help Portal: SAP HANA Platform
3 Authorizations
SAP Predictive Maintenance and Service, on-premise edition uses the authorization concept provided by SAP HANA. Therefore, the recommendations and guidelines for authorizations as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:
● https://help.sap.com/hana_platform : Security SAP HANA Security Guide
● http://help.sap.com/hana_platform/ : System Administration SAP HANA Administration Guide
● https://help.sap.com/hana_options_eim : System Administration, Security, and Maintenance Information SAP HANA Enterprise Information Management Administration Guide
The SAP HANA authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the Application Role Builder tool (SAP HANA XS Advanced) and the SAP HANA Administration Console in SAP HANA.
For more information about how to use the Application Role Builder tool and the required XSA roles, see http://help.sap.com/hana_platform/ : System Administration SAP HANA Administration Guide .
For more information about how to use the SAP HANA Administration Console, see http://help.sap.com/hana_platform/ : System Administration SAP HANA Administration Guide .
Note: For more information about how to create and assign role collections, see the chapter Maintaining Role Collections and Users in SAP HANA in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
Related Information
SAP Help Portal: SAP HANA Platform
SAP Help Portal: SAP HANA Enterprise Information Management
3.1 Role Templates for SAP Predictive Maintenance and Service, on-premise edition
The table below shows the XS Advanced roles that are delivered with SAP Predictive Maintenance and Service, on-premise edition.
Table 3: XS Advanced Role Templates
(Application Name and Role Template Name as shown in the Application Role Builder tool)

Application: pdms, Role Template: ConfigUser
Role template used to configure insight providers and access the Asset Health Control Center. Consists of the following scopes:
● ConfigAccess: Scope that gives permission to configure insight providers and the Insight Provider Catalog
● AppAccess: Scope that gives permission to read the configuration of insight providers and the Insight Provider Catalog, and to read and write to insight providers and application data

Application: pdms, Role Template: ExecutorUser
Role template to schedule tasks for data replication. Consists of the following scopes:
● ExecutorAccess: Scope that gives permission to schedule tasks for data replication

Application: pdms, Role Template: ThingModeler
Role template to maintain IoT application services: Configuration services and Thing services. Consists of the following scopes:
● ThingModelAccess: Scope that gives permission to read and write to IoT application services

Application: pdms, Role Template: ThingReader
Role template to read Thing instances from the Thing model. Consists of the following scopes:
● ThingRead: Scope that gives permission to read Thing instances of IoT application services

Application: pdms, Role Template: ThingWriter
Role template to read Thing instances from the Thing model. Consists of the following scopes:
● ThingWrite: Scope that gives permission to write to Thing instances of IoT application services

Application: pdms, Role Template: AHCCUser
Role template to access the Asset Health Control Center application. Consists of the following scopes:
● AppAccess: Scope that gives permission to read the configuration of insight providers and the Insight Provider Catalog, and to read and write to insight providers and application data
● AHCCAccess: Scope that gives permission to access the Asset Health Control Center application

Application: pdms, Role Template: DataScienceUser
Role template to access data science models and algorithms. Consists of the following scopes:
● DataScienceAccess: Scope that gives permission to read and write to data science models and algorithms
For more information about how to use the Application Role Builder tool and the required XSA roles, see http://help.sap.com/hana_platform/ : System Administration SAP HANA Administration Guide .
Note: For more information about how to create and assign role collections, see the chapter Maintaining Role Collections and Users in SAP HANA in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
Related Information
SAP Help Portal: SAP HANA Platform
3.2 Password Policy Information
Password Expiration Time
If technical users are locked because of an expired password, for example, SAP Predictive Maintenance and Service, on-premise edition will not work as desired. You therefore need to make sure that password expiration times for technical users allow users to work in SAP Predictive Maintenance and Service, on-premise edition for as long as is needed.
You can set the expiration time of passwords of technical users of SAP HANA as described in https://help.sap.com/hana_platform : Security SAP HANA Security Guide SAP HANA Authentication and Single Sign-On Password Policy .
Related Information
SAP Help Portal: SAP HANA Platform
3.3 User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition
The following user-provided services are created when installing SAP Predictive Maintenance and Service, on-premise edition. They make a user-provided service instance available to the software components.
Table 4: User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition
User-Provided Service Description
service-catalog-ups User-provided service to configure the location of an instance of the Insight Provider Catalog, and user credentials
data-access-ups User-provided service for data access
fusion-view-ups User-provided service to display merged data in the asset health control center and on the asset health fact sheet.
datascience-ups User-provided service for data science services
executor-service-ups User-provided service to schedule data replication
3.4 Roles for Working with the Data Model
To load data to SAP Predictive Maintenance and Service, on-premise edition 1.0, and to work with and build insight providers, certain roles are required.
The following roles are automatically available to you after you have installed SAP Predictive Maintenance and Service, on-premise edition 1.0:
Table 5: Roles
Role Description
com.sap.pdms.sdm::DATA.Consumer This role has SELECT privileges on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Consumer# This role has SELECT privileges grantable to other users on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Provider This role has SELECT, INSERT, UPDATE, and DELETE privileges on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Provider# This role has SELECT, INSERT, UPDATE, and DELETE privileges grantable to other users on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
These roles need to be assigned to users in SAP HANA studio by a SYSTEM user.
4 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes concepts to support compliance with the relevant legal requirements and data privacy.
SAP Predictive Maintenance and Service, on-premise edition uses the data protection mechanisms provided with SAP HANA, and SAP IQ. Therefore, the security recommendations and guidelines for data protection described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:
● https://help.sap.com/hana_platform : Security SAP HANA Security Guide
Handling of Users and Passwords
Users created for SAP Predictive Maintenance and Service, on-premise edition should each have different passwords, and only as many roles assigned as needed.
Deletion of Personal Data
SAP Predictive Maintenance and Service, on-premise edition offers REST APIs to delete personal data, for example. For an overview of the REST APIs, see the guide Configuration of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
For detailed deletion procedures, see the following chapters:
● Deleting Personal Data from Data Science Services [page 14]
● Deleting Personal Data from AHCC and AHFS [page 15]
● Deleting Data from the Data Model [page 19]
● Deleting Personal Data from Key Figures [page 20]
Related Information
SAP Help Portal: SAP HANA Platform
Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]
4.1 Deleting Personal Data from Data Science Services
Deleting personal data stored when using data science services.
Context
The user ID of the user who created a data mining model is stored. The data is stored in the table MODEL_MASTER in the HDI schema of the data science services. To edit this data, proceed as follows:
Procedure
1. Find the name of the schema where the services are deployed. You find this information in the xs environment of the datascience-db application.
   a. Log on to the xsa server and execute the command xs env datascience-db.
      This command returns all the variables set for the datascience-db application.
   b. In the output, look for the container that is called datascience-hdi and extract the values for user, password and schema from there.
2. In SAP HANA studio, configure access to the HANA system where SAP Predictive Maintenance and Service, on-premise edition is deployed using the user name and password that you just extracted.
3. Go to the schema whose name you just extracted for the table MODEL_MASTER.
4. In the table MODEL_MASTER, look for the field CREATED_BY.
   This field contains the user ID of the user who created a specific model.
5. You can modify this information using the following statement:
Sample Code
update "<schema>"."MODEL_MASTER" set CREATED_BY='<new_value>' where CREATED_BY='<user_id>'
This statement removes the user ID and replaces it with a new value at all instances where the user ID is entered as creator ID. As <new_value> you can enter UNKNOWN, for example. <schema> is the schema name that you extracted in step 1.
6. (Optional) If you need to delete all data science models that were created by a user, execute the following statement:
Sample Code
delete from "<schema>"."MODEL_MASTER" where CREATED_BY='<user_id>'
4.2 Deleting Personal Data from AHCC and AHFS
Prerequisites
The following roles are assigned to your user:
● <pdms-tech>
● <ahcc-user-role>
For more information about role collections, see the chapters Maintaining Roles and Users in SAP HANA and Role Templates for SAP Predictive Maintenance and Service, on-premise edition in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
Context
You can use REST APIs to delete users, their workspaces, and their workspace mappings from the Asset Health Control Center and the Asset Health Fact Sheet. To delete personal data, proceed as follows:
Procedure
1. Retrieve the workspace ID mapped to a user as described in the chapter Retrieve the Workspace ID of a User [page 16].
   This REST endpoint works with form-based authentication.
   After this REST call, you have retrieved the <user_workspace_ID> of a user for LOCATION='controlcenter' (Asset Health Control Center).
2. Retrieve a CSRF token for URI 1 as described in the chapter Retrieve a CSRF Token [page 17].
3. Delete the workspace of a user using the <user_workspace_ID> as described in the chapter Delete the Workspace of a User [page 17].
   After this REST call, you have deleted the workspace of a user.
4. Retrieve a CSRF token for URI 2 as described in the chapter Retrieve a CSRF Token [page 17].
5. Delete a user and the workspace mapping to this user as described in the chapter Delete a User and a Workspace Mapping [page 18].
   After this REST call, you have deleted a user and the workspace mapping to this user for LOCATION='controlcenter' (Asset Health Control Center).
6. Repeat the steps 1 to 3 using LOCATION='factsheet' (Asset Health Fact Sheet).
   You have now also deleted a user, the workspace of this user, and the workspace mapping to this user for the Asset Health Fact Sheet.
Related Information
Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]
4.2.1 Retrieve the Workspace ID of a User
Request
Note: This REST endpoint works with form-based authentication.
Format: JSON
URI: http://<hostname>:<router port>/app/ahcc/api/v1/odata/Workspace(USER_ID='<user_ID>',LOCATION='controlcenter')
HTTP Method: GET
Permission: Role collection <ahcc-user-role>
Response
Response Example
{
  "d": {
    "__metadata": {…},
    "USER_ID": "<user_ID>",
    "LOCATION": "controlcenter",
    "WORKSPACE_ID": "<user_workspace_ID>"
  }
}
Related Information
Deleting Personal Data from AHCC and AHFS [page 15]
4.2.2 Retrieve a CSRF Token
Request
Format: JSON
URI 1: http://<hostname>:<router port>/workspace-management/api/v1/admin/workspaces
URI 2: http://<hostname>:<router port>/app/ahcc/api/v1/odata
HTTP Method: GET
Note: As the REST endpoints used for the deletion of users, their workspaces, and their workspace mappings are protected against cross-site request forgery (CSRF), you need to retrieve the CSRF token first before the REST calls can be made to delete personal data. Extract the value for x-csrf-token from the response headers.
Related Information
Deleting Personal Data from AHCC and AHFS [page 15]
4.2.3 Delete the Workspace of a User
Request
Format: JSON
URI: http://<hostname>:<router port>/workspace-management/api/v1/admin/workspaces/<user_workspace_ID>
HTTP Method: DELETE
Permission: Role collection <pdms-tech>
Before you send the DELETE call, enter the x-csrf-token that you just retrieved in the header section of your REST API call.
Example:
key = x-csrf-token
value = <CSRF token that you retrieved with the previous GET call>
You can then go ahead with the DELETE call.
Response
Note: When no content is displayed after you have sent the REST call, the user workspace is deleted.
Response Status and Error Codes
Table 6:
Category Code Description
Not found 204 No user workspace with the specified ID exists.
Related Information
Deleting Personal Data from AHCC and AHFS [page 15]
4.2.4 Delete a User and a Workspace Mapping
Request
Note: This REST endpoint works with form-based authentication.
Format: JSON
URI: http://<hostname>:<router port>/app/ahcc/api/v1/odata/Workspace(USER_ID='<user_ID>',LOCATION='controlcenter')
HTTP Method: DELETE
Permission: Role collection <pdms-tech>
Before you send the DELETE call, enter the x-csrf-token that you just retrieved in the header section of your REST API call.
Example:
key = x-csrf-token
value = <CSRF token that you retrieved with the previous GET call>
You can then go ahead with the DELETE call.
Response
Note: When no content is displayed after you have sent the REST call, the user and the workspace mapping are deleted.
Response Status and Error Codes
Table 7:
Category Code Description
Not found 204 No user with the specified ID exists.
Related Information
Deleting Personal Data from AHCC and AHFS [page 15]
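The following Python script is an added example, not code from SAP or from this guide. It strings together steps 1 to 5 of the procedure in section 4.2 (the endpoints of 4.2.1 to 4.2.4) for both LOCATION values and runs them against a constructed in-memory stand-in for the pdms router, so it works offline. The host name, port, user IDs, workspace IDs and token value are constructed; Response, FakeRouter and AhccCleanupClient are this example's own names; sending "x-csrf-token: Fetch" on the token GET is the usual SAP approuter convention and is an assumption, since the page only says to read the token from the response headers. The transport passed to the client is assumed to be a session that has already completed the form-based logon.

```python
import json
import re
from collections import namedtuple
from urllib.parse import quote, unquote, urlparse

Response = namedtuple("Response", "status headers body", defaults=[""])


class FakeRouter:
    """Constructed stand-in for the pdms router (not SAP code): GET on the Workspace
    entity returns the mapping, GET on the two CSRF URIs hands out a token, and
    DELETE is refused unless the request carries that token."""

    WS_RE = re.compile(r"^/app/ahcc/api/v1/odata/Workspace\(USER_ID='([^']*)',LOCATION='([^']*)'\)$")
    CSRF_URIS = {"/workspace-management/api/v1/admin/workspaces", "/app/ahcc/api/v1/odata"}
    WS_PREFIX = "/workspace-management/api/v1/admin/workspaces/"

    def __init__(self):
        self.token = "csrf-constructed-0001"  # constructed sample token
        self.mappings = {("alice", "controlcenter"): "WS-42",  # constructed sample data
                         ("alice", "factsheet"): "WS-43", ("bob", "controlcenter"): "WS-77"}
        self.workspaces = {"WS-42", "WS-43", "WS-77"}

    def handle(self, method, url, headers):
        path = urlparse(url).path
        match = self.WS_RE.match(path)
        if match and method == "GET":
            key = (unquote(match.group(1)), unquote(match.group(2)))
            if key not in self.mappings:
                return Response(404, {})
            body = {"d": {"USER_ID": key[0], "LOCATION": key[1], "WORKSPACE_ID": self.mappings[key]}}
            return Response(200, {}, json.dumps(body))
        if method == "GET" and path in self.CSRF_URIS:
            return Response(200, {"x-csrf-token": self.token})
        if method == "DELETE" and (match or path.startswith(self.WS_PREFIX)):
            if headers.get("x-csrf-token") != self.token:
                return Response(403, {}, "CSRF token validation failed")
            if match:
                self.mappings.pop((unquote(match.group(1)), unquote(match.group(2))), None)
            else:
                self.workspaces.discard(unquote(path[len(self.WS_PREFIX):]))
            return Response(204, {})  # "no content" means deleted (page, 4.2.3 and 4.2.4)
        return Response(404, {})


class AhccCleanupClient:
    """Client side of the section 4.2 procedure. send(method, url, headers) is any
    transport returning a Response; in production it wraps a logged-on HTTP session."""

    def __init__(self, base_url, send):
        self.base = base_url.rstrip("/")
        self.send = send

    def workspace_url(self, user_id, location):
        # The OData key sits in the path, so the user ID is percent-encoded.
        return (f"{self.base}/app/ahcc/api/v1/odata/Workspace("
                f"USER_ID='{quote(user_id, safe='')}',LOCATION='{location}')")

    def workspace_id(self, user_id, location):
        r = self.send("GET", self.workspace_url(user_id, location), {})
        if r.status == 404:
            return None
        if r.status != 200:
            raise RuntimeError(f"GET workspace failed with status {r.status}")
        return json.loads(r.body)["d"]["WORKSPACE_ID"]

    def csrf_token(self, uri):
        # "Fetch" on the GET is the usual SAP approuter convention (assumption, not on the page).
        r = self.send("GET", uri, {"x-csrf-token": "Fetch"})
        token = r.headers.get("x-csrf-token")
        if r.status != 200 or not token:
            raise RuntimeError("no x-csrf-token in response headers")
        return token

    def delete_workspace(self, workspace_id):
        admin = f"{self.base}/workspace-management/api/v1/admin/workspaces"
        token = self.csrf_token(admin)  # URI 1
        return self.send("DELETE", f"{admin}/{quote(workspace_id, safe='')}", {"x-csrf-token": token}).status

    def delete_mapping(self, user_id, location):
        token = self.csrf_token(f"{self.base}/app/ahcc/api/v1/odata")  # URI 2
        return self.send("DELETE", self.workspace_url(user_id, location), {"x-csrf-token": token}).status

    def purge_user(self, user_id, locations=("controlcenter", "factsheet")):
        """Steps 1 to 5 per location. A 204 alone proves nothing (the page lists 204
        for unknown IDs too), so the mapping is re-read and reported as 'verified'."""
        report = {}
        for location in locations:
            ws = self.workspace_id(user_id, location)
            if ws is None:
                report[location] = {"workspace": None, "mapping": None, "verified": True}
                continue
            report[location] = {"workspace": self.delete_workspace(ws),
                                "mapping": self.delete_mapping(user_id, location),
                                "verified": self.workspace_id(user_id, location) is None}
        return report


def demo():
    router = FakeRouter()
    client = AhccCleanupClient("http://pdms-router.example:51000", router.handle)  # constructed host/port
    return client.purge_user("alice"), router
```

The fake router refuses every DELETE that does not carry the token it issued, which is the protection the note in 4.2.2 describes. Because 4.2.3 and 4.2.4 answer 204 for unknown IDs as well, the client re-reads the mapping after the two DELETE calls and reports that as "verified" instead of trusting the status code; that re-read is the check to keep when wiring this against a real system.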
4.3 Deleting Data from the Data Model
Prerequisites
The role com.sap.pdms.sdm::DATA.Provider is assigned to your user with which you log on to SAP HANA studio.
Context
Proceed as described in the following steps to delete data from the data model that is described in the installation guide of SAP Predictive Maintenance and Service, on-premise edition.
Procedure
1. Log on to SAP HANA studio.
2. Delete data from tables and views using the DELETE statement as explained in the chapter DELETE Statement (Data Manipulation) in the SAP HANA SQL and System Views Reference.
   a. The following SQL statement is an example of how to delete data from the READINGS_T table.
   Sample Code
   DELETE FROM READINGS_T WHERE Thing = '<ThingId>';
   After executing the above statement, the rows containing the specified <ThingId> are deleted from the READINGS_T table.
   b. The following SQL statement is an example of how to delete data from the WORKACTIVITY table.
   Sample Code
   DELETE FROM "SAP_PDMS_DATA"."com.sap.pdms.sdm::DATA.WORKACTIVITY_T" WHERE "AssignedTo" = '<User_ID>' OR "ReportedBy" = '<User_ID>';
   After executing the above statement, the rows containing the specified <User_ID> are deleted from the WORKACTIVITY table.
4.4 Deleting Personal Data from Key Figures
Prerequisites
The role com.sap.pdms.sdm::DATA.Provider is assigned to your user with which you log on to SAP HANA studio.
Context
You can delete data from the data model that is described in the installation guide of SAP Predictive Maintenance and Service, on-premise edition.
Note: Deletion operations on the views and tables of the data model need to be preceded by the following SQL statement:
set schema "SAP_PDMS_DATA";
Procedure
1. In the XSA system where the insight provider for key figures is running, execute the command xs env key-figures-ipro-backend.
2. Note down the value of the environment variables user, password, and schema contained under VCAP_SERVICES.hana.credentials.
3. Log on to the HANA system with the user name and password you just noted down.
4. Below your user, locate the table KEY_FIGURE_TABLE in the schema you just noted down.
5. To find a certain person who has configured key figures or key figure sets, execute the command select "value" from "<SCHEMA>"."KEY_FIGURE_TABLE" where "attribute" = 'metadata.modifiedBy'.
6. To delete information about a certain person, execute the command delete from "<SCHEMA>"."KEY_FIGURE_TABLE" where "attribute" = 'metadata.modifiedBy' and "value" = '<USER>'. Replace <SCHEMA> with the schema name you noted down in step 2 and <USER> with the user ID of the person.
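As an added example, not SAP code and not part of this guide, the following Python functions carry out the SQL of section 4.1 (MODEL_MASTER) and section 4.4 (KEY_FIGURE_TABLE) with bound parameters instead of pasting <user_id> or <USER> into the statement text, and they validate the schema name, which cannot be bound, before quoting it; the same pattern applies to the DELETE statements in 4.3. SQLite stands in for SAP HANA so the block runs offline: the tables, rows and user IDs are constructed, and the schema is SQLite's "main" rather than the HDI container schema. The "?" placeholder style is the one the SAP HANA Python client (hdbcli) also uses.

```python
import re
import sqlite3

IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")


def quoted(identifier):
    """Schema and table names cannot be bound as parameters, so they are checked
    against a strict character set and then double-quoted. Quoting is also what
    HDI schema names need, since they may start with a digit."""
    if not IDENTIFIER.match(identifier):
        raise ValueError(f"refusing unsafe identifier {identifier!r}")
    return f'"{identifier}"'


def pseudonymize_model_creator(conn, schema, user_id, replacement="UNKNOWN"):
    """Section 4.1 step 5: replace the creator ID in MODEL_MASTER; returns rows changed."""
    sql = f'UPDATE {quoted(schema)}."MODEL_MASTER" SET "CREATED_BY" = ? WHERE "CREATED_BY" = ?'
    return conn.execute(sql, (replacement, user_id)).rowcount


def delete_models_of(conn, schema, user_id):
    """Section 4.1 step 6: drop every model the user created; returns rows deleted."""
    sql = f'DELETE FROM {quoted(schema)}."MODEL_MASTER" WHERE "CREATED_BY" = ?'
    return conn.execute(sql, (user_id,)).rowcount


def key_figure_editors(conn, schema):
    """Section 4.4 step 5: who has configured key figures or key figure sets."""
    sql = f'SELECT DISTINCT "value" FROM {quoted(schema)}."KEY_FIGURE_TABLE" WHERE "attribute" = ?'
    return sorted(row[0] for row in conn.execute(sql, ("metadata.modifiedBy",)))


def delete_key_figure_entries(conn, schema, user_id):
    """Section 4.4 step 6: remove the modifiedBy entries of one person; returns rows deleted."""
    sql = f'DELETE FROM {quoted(schema)}."KEY_FIGURE_TABLE" WHERE "attribute" = ? AND "value" = ?'
    return conn.execute(sql, ("metadata.modifiedBy", user_id)).rowcount


def erase_user(conn, schema, user_id, keep_models=True):
    """Run the whole erasure in one transaction and report what changed, so a
    partial failure leaves no half-anonymized state behind."""
    try:
        models = (pseudonymize_model_creator(conn, schema, user_id) if keep_models
                  else delete_models_of(conn, schema, user_id))
        result = {"models": models, "key_figures": delete_key_figure_entries(conn, schema, user_id)}
        conn.commit()
        return result
    except Exception:
        conn.rollback()
        raise


def sample_connection():
    """Constructed in-memory copy of the two tables (SQLite stands in for HANA;
    the schema is 'main' here instead of the HDI container schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE "MODEL_MASTER" ("MODEL_ID" TEXT, "CREATED_BY" TEXT);
        INSERT INTO "MODEL_MASTER" VALUES ('m1', 'D123456'), ('m2', 'D123456'), ('m3', 'D654321');
        CREATE TABLE "KEY_FIGURE_TABLE" ("id" TEXT, "attribute" TEXT, "value" TEXT);
        INSERT INTO "KEY_FIGURE_TABLE" VALUES
            ('kf1', 'metadata.modifiedBy', 'D123456'), ('kf1', 'name', 'Pump temperature'),
            ('kf2', 'metadata.modifiedBy', 'O''Neil'), ('kf3', 'metadata.modifiedBy', 'D654321');
    """)
    return conn
```

Binding the user ID means a value with a quote character, such as O'Neil in the sample data, is matched literally without any manual escaping, and the returned row counts give the audit trail a deletion request needs; replace the connection with an hdbcli connection and the schema with the one noted down in step 2 to run it against the real container.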
Related Information
Data Protection [page 13]
5 Communication Channels and Interfaces
6 Operational Security
6.1 Whitelist of URLs
SAP Predictive Maintenance and Service, on-premise edition needs several URLs to connect to the application and insight providers, the data platform, and data science services.
The data platform and the application, together with the insight providers, are accessed using the host and port of the pdms router. The following example depicts a URL for connecting to these components:
Example: http(s)://<host.of.pdms.router>:<port of pdms router>/<URLsuffix/correspondingto/component>/<endpoint>
The data science services are accessed using the host and port of the data science app router. The following example depicts a URL for connecting to data science services:
Example: http(s)://<host.of.datasci-approuter>:<port of datasci-approuter>/<URLsuffix_corresponding_to_algorithm>/api/<endpoint>
Table 8: URL Whitelist
Each destination is reached at the URL http(s)://<host.of.pdms.router>:<port of pdms router> followed by the listed URL suffix.

Destination                                                                  URL Suffix
UI5 library                                                                  /lib/ui5/
pdms app container                                                           /lib/sap-pdms-appcontainer/
Insight provider catalog                                                     /platform/service-catalog/
Insight provider: 2D chart                                                   /ipro/twod-viz/
Back end of insight provider: Key figures                                    /ipro/key-figures-backend/
UI of insight provider: Key figures                                          /ipro/key-figures-ui/
Insight provider: Work activity                                              /ipro/work-activity/
Insight provider: Map                                                        /ipro/geospatial/
Insight provider: 3D chart                                                   /ipro/threed-viz/
Insight provider: Asset Explorer                                             /ipro/asset-explorer/
Insight provider: Derived signals                                            /ipro/derived-signals/
Insight provider: Filter (Note: This insight provider is consumed by the Asset Explorer.)   /ipro/filter/
Insight provider: Components                                                 /ipro/components/
Asset Health Control Center                                                  /app/ahcc/
Administration launchpad                                                     /app/launchpad/
Data science service: Anomaly Detection with Principal Component Analysis    /datasci_pca
Data science service: Distance-Based Failure Analysis Using Earth Mover’s Distance   /datasci_emd
Data science service: Remaining Useful Life Prediction Using Weibull         /datasci_wbl
Table 9: URL Endpoints
Endpoint | Description
/index.html | Welcome file
/router/plugins | Plugin metadata
/logout | Logout
/<api>/<endpoint> | REST APIs of the individual microservices
Note: For more information about which REST APIs are provided with SAP Predictive Maintenance and Service, on-premise edition, see the guide Configuration of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
7 Auditing and Logging
SAP Predictive Maintenance and Service, on-premise edition uses the concepts for auditing and logging provided by SAP HANA. Therefore, the recommendations and guidelines for auditing and logging as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:
● https://help.sap.com/hana_platform : Security > SAP HANA Security Guide
● https://help.sap.com/hana_options_eim : System Administration, Security, and Maintenance Information > SAP HANA Enterprise Information Management Administration Guide
Related Information
SAP Help Portal: SAP HANA Platform
SAP Help Portal: SAP HANA Enterprise Information Management
8 Application and Product Security
Cookies
SAP Predictive Maintenance and Service, on-premise edition 1.0 relies on cookies created by underlying platforms like the XSA router and XSA runtimes.
For more information about cookies, please refer to the security information of the underlying platforms.
Example:
● SAP HANA Security Guide
9 Deinstallation of Software Components
To deinstall the software components of SAP Predictive Maintenance and Service, on-premise edition 1.0, manual steps are required. These steps are described in the chapter Uninstalling Components of SAP Predictive Maintenance and Service, on-premise edition in the installation guide of SAP Predictive Maintenance and Service, on-premise edition 1.0.
10 Firewall Configuration
To access SAP Predictive Maintenance and Service, on-premise edition 1.0 using VPN, the following ports need to be opened across the firewall:
● Port on which the PDMS router is run. For more information, see the chapter Installing SAP Predictive Maintenance and Service, on-premise edition 1.0 in the installation guide of SAP Predictive Maintenance and Service, on-premise edition 1.0.
● Port on which the User Account and Authentication service (UAA) is run. For more information, see the SAP HANA Security Guide (1.0 SPS12 or 2.0 SP00). To access the guide, download the SAP HANA Platform 1.0 SPS 12 documentation set.
Important Disclaimers and Legal Information
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).
go.sap.com/registration/contact.html
© 2017 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.