SAP Energy and Environmental Intelligence
Document Version: 1.0.1 - 2013-12-16
SAP Energy and Environmental Intelligence Security Guide
Table of Contents
1 About this Document
2 Before You Start
  2.1 Fundamental Security Guides
  2.2 Important SAP Notes
  2.3 Additional Information
3 Technical System Landscape
4 Security Aspects of Data, Data Flow and Processes
5 User Administration and Authentication
  5.1 User Management
  5.2 User Types
  5.3 User Creation
  5.4 Password Reset
  5.5 Authentication
  5.6 Integration into Single Sign-On Environments
6 Authorizations
  6.1 Use
  6.2 Role and Authorization Concept
    6.2.1 Define Roles
  6.3 Standard Roles
  6.4 Password Policies
7 Storage and Network Security
8 Communication Channel Security
9 Data Storage Security
  9.1 Data Storage
  9.2 Data Protection
10 Data Privacy
11 Other Security-Relevant Information
  11.1 Use
  11.2 Securing SAP HANA
    11.2.1 Authentication at the Schema Level
    11.2.2 Restricted Port Access
    11.2.3 Restricted Protocol Access
    11.2.4 Restricted Origination IP
12 Security-Relevant Logging and Tracing
13 Frequently Asked Questions
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
1 About this Document
With the increasing use of distributed systems and the Internet for managing business data, the demands on
security are also on the rise.
When using a distributed system, you need to be sure that your data and processes support your business needs
without allowing unauthorized access to critical information. These demands on security apply likewise to the SAP
Energy and Environmental Intelligence (EEI) application, powered by SAP HANA®. This security guide will assist
you in securing the SAP EEI application.
2 Before You Start
2.1 Fundamental Security Guides
Other SAP security guides can be used as a resource for SAP Energy and Environmental Intelligence (EEI).
SAP Energy and Environmental Intelligence comprises the following components:
● SAP HANA
● Extended Application Services (HANA XS)
● SAP EEI add-in for Microsoft Office Excel
Table 1: Fundamental Security Guides
Scenario, Application or Component Security Guide | Most Relevant Sections or Specific Restrictions
SAP HANA Security Guide | N/A
For a complete list of the available SAP Security Guides, see the SAP Service Marketplace.
2.2 Important SAP Notes
Before installing the required components, make sure that you have all relevant information about the prerequisites and the latest version of each SAP Note, found on the SAP Service Marketplace. The following SAP Notes are relevant for your implementation:
Table 2:
Title | SAP Note
Supported Configurations and Installation Prerequisites | See SAP Energy and Environmental Intelligence Installation and Configuration Guide
Release Restriction Note | Note 1844313
2.3 Additional Information
See the listed Quick Links for more information about specific security-related topics.
Table 3:
Content | Quick Link on SAP Service Marketplace or SDN
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes, http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP Energy and Environmental Intelligence Service Marketplace | http://service.sap.com/eem10
3 Technical System Landscape
The figure below shows an overview of the technical system landscape for the SAP Energy and Environmental
Intelligence application.
4 Security Aspects of Data, Data Flow and Processes
The figures below show an overview of the security aspects of the SAP Energy and Environmental Intelligence
(EEI) application.
Table 4: The table below shows the security aspects to be considered for each process and what mechanism applies.
Step | Description | Security Measure
1 | User clicks on simulate or save | SAP EEI add-on sends request through HTTPS
2 | Authentication | HANA XS (XS) checks if the user is logged on
3 | Convert from XML/JSON | Validates input and converts from XML/JSON
4 | Runs simulate calculation in HANA | Control access per user to key figures and master data for planning (using visibility filters). For more information about roles and visibility filters, see the online help. Visibility filters also apply to: (a) saving, as only values that have been read into the planning session can be changed and then saved; (b) master data access and adding new combinations.
5 User Administration and Authentication
5.1 User Management
Each user of SAP Energy and Environmental Intelligence (EEI) has their own landscape, and users of each customer are managed in SAP HANA user management.
SAP EEI uses SAP HANA mechanisms (for example, roles and password policies) and provides a web client application that enables administrators to add, remove, or update SAP EEI users.
5.2 User Types
There are two user types provided for SAP Energy and Environmental Intelligence (EEI).
The user types that ship with SAP Energy and Environmental Intelligence include:
● The administrative user EERMADM has ALL_INCLUSIVE permissions for all administrative tasks in User Management, including creating users and roles and granting permissions.
● The default BASIC_USER can view analytics such as charts and dashboards.
5.3 User Creation
Users with Manage Users and Roles permissions can create and edit users.
New users must change their initial password when logging on for the first time (a restriction that is enforced by SAP HANA). When a user does not know or cannot recall their logon information, users with Manage Users and Roles permissions can define a new password, or they can lock or unlock a password for any other user by:
● Creating a user in SAP EEI, defining a password for the user, and manually emailing the user the logon information.
● Creating a user and having the system generate a random initial password for the user.
5.4 Password Reset
There are two options for resetting a password in SAP Energy and Environmental Intelligence.
The following options are available for resetting the user password:
● A user can change their password in Settings.
● The user's administrator can reset the password for any user (who has the same permissions or lower).
5.5 Authentication
Authentication is based on multiple forms of credentials.
These credentials are:
● User-chosen ID
● User-chosen password
● User permissions that are defined in roles and visibility filters to control access to the data
5.6 Integration into Single Sign-On Environments
Integration into SAP Single Sign-On environments is not supported in this release.
6 Authorizations
6.1 Use
The SAP HANA authorization concept is based on assigning authorizations to users through their roles and individual visibility filters.
Note: It is the customer administrator’s responsibility to validate the consistency of the authorization models in the application.
Administrators manage users and their permissions in the web client application using the User Management interface.
6.2 Role and Authorization Concept
The administrator of the application can create new roles with any combination of permissions.
Administrators manage roles and authorizations in the web client application using the User Management interface.
Related Information
Define Roles [page 12]
6.2.1 Define Roles
Roles determine which permissions your users have in the application and in the add-in for Microsoft Excel. If you
do not assign any roles, by default all users can view analytics (charts and dashboards) with at least one visibility
filter applied. The predefined ALL-INCLUSIVE role has predetermined permissions that cannot be edited.
You can also control the key figures that are visible to and/or editable for different users.
1. Choose Roles and Permissions.
2. To create a new role, choose + Add New Role.
3. Enter a name (required) and a description (optional) for the role.
4. Select the check boxes for the Permissions to include in this role. The following table lists the permissions that are shipped with the product:
Table 5: User Permissions
Permission | Description
Manage Users and Roles | Determines what operations users can perform by creating and assigning roles. Determines what data users can view by creating and assigning visibility filters.
Manage Dashboards | Allows users to create, edit, and delete dashboards.
Manage Charts | Allows users to create, edit, and delete charts.
Manage Scenarios | Allows scenario planning such as promoting scenarios to baseline, reinitializing (copying) the baseline to the scenario, and viewing status in the add-in for Microsoft Excel.
Manage Planning View Templates | Allows adding, updating, and deleting planning view templates in the add-in for Microsoft Excel. Assign this permission only to template administrators, not to end users. For more information, see “Templates” in the help for the add-in for Microsoft Excel.
Model Configuration | Allows model configuration functions such as creating, copying, and activating new data models in the web client.
Data Import | Allows data import into the application using a .zip file containing your manifest (.xml) and data files (.csv) in the add-in for Microsoft Excel.
Add Attribute Combinations | Allows adding new combinations of attribute values to a planning view in the add-in for Microsoft Excel. For more information, see “New Combinations” in the help for the add-in for Microsoft Excel.
Delete Attribute Combinations | Allows deleting new combinations of attribute values from a planning view in the add-in for Microsoft Excel. For more information, see “New Combinations” in the help for the add-in for Microsoft Excel.
Threshold | Allows users to create, delete, or view thresholds.
5. Select key figures for this role.
a) Select Edit Key Figures.
b) Select the appropriate planning area from the drop-down list.
c) Select the key figure to assign, click the right arrow to move it to the Selected Key Figures pane, and repeat as necessary. You can also use SHIFT-click or CTRL-click to move multiple objects.
d) To include the key figures in a role and to enable a user to only view the key figures, select the relevant View check boxes. To include the key figures in a role and to enable a user to edit them, select the relevant Edit check boxes.
6. Select the check boxes for the Reason Codes you want this role to include. Reason codes are used to indicate why a user made changes to a planning view. When they save the data, users select a reason code and can enter a comment. Customers define their own reason codes.
7. When you are done adding roles, choose Save.
Related Information
Add Users and Assign Roles and Visibility Filters [page 14]
Reset Passwords [page 15]
Edit User Details [page 15]
Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.
Deactivate Users [page 19]
Deactivation blocks a user's access to the application.
6.2.1.1 Add Users and Assign Roles and Visibility Filters
Prerequisites
● You have Manage Users and Roles permissions.
● At least one role is defined.
To add users and assign roles and visibility filters:
1. Choose User Management.
2. Choose + Add New User.
3. In the dialog box, enter the user information.
Fields marked with an asterisk are required.
In general, passwords should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one number. Note that user name and password requirements can be configured in SAP HANA Studio. For details about password requirements, see “Password Policy” in the SAP HANA Security Guide.
4. Select the role(s) to assign to the user by clicking Assign Roles. In the resulting dialog box, select the role to assign, click the right arrow to move it to the Selected Roles pane, repeat as necessary, and click Save.
5. Select the visibility filter(s) to assign to the user by clicking Assign Visibility Filter. In the resulting dialog box, select the filter to assign, click the right arrow to move it to the Selected Filters pane, repeat as necessary, and choose Save.
6. Choose Save.
Related Information
Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.
Define Roles [page 12]
Edit User Details [page 15]
Reset Passwords [page 15]
Deactivate Users [page 19]
Deactivation blocks a user's access to the application.
6.2.1.2 Reset Passwords
Users can reset their own passwords in the Settings control panel:
1. In the upper-right corner of the web client window, under the drop-down arrow, choose Settings.
2. Under Reset password, enter the current password, type a new password, and retype it to confirm.
3. Choose Save.
If a user exceeds the maximum number of incorrect user or password combinations before a successful (correct) logon, the account will be locked. An administrator with Manage Users and Roles permissions can unlock the user's account. The administrator should then reset the user's password as follows and inform the user of their new password.
Note: Using SAP HANA studio, you can use the SQL command ALTER USER <user_name> RESET CONNECT ATTEMPTS to reset the number of invalid attempts to 0 and enable the user to connect immediately.
1. Choose User Management.
2. Select the required user from the list.
3. Choose Reset password.
4. Enter a new password, reenter to confirm it, and choose Reset.
5. Call or send the user a secure e-mail informing them of the new password.
The user will be required to change the password upon logging in.
For information about password policies, see “Password Policy” in the SAP HANA Security Guide.
Related Information
Add Users and Assign Roles and Visibility Filters [page 14]
Define Roles [page 12]
Edit User Details [page 15]
Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.
Deactivate Users [page 19]
Deactivation blocks a user's access to the application.
6.2.1.3 Edit User Details
After creating a user, you can edit user information, roles, and visibility filters.
1. Choose User Management.
A list of users and their information displays.
2. To view or change a user's details, select the user's name from the list.
User Detail | Description
General information | Edit basic user information such as a name and an email address. Active User: Activate or deactivate the user by selecting or clearing the check box. This control is also available in the User Management user list. Locked User: When this check box is selected, the user has been locked by the system due to too many incorrect log on/password combinations. Clear the check box to unlock the user and reset the password. Then notify the user either through secured email or with a phone call to indicate they will need to reset their password upon log-in.
Reset Password | If the user forgot or wants to change their password, choose Reset password. Enter and confirm the new password and choose Reset. Notify the user either through secured email or with a phone call to indicate they will need to reset their password upon logging in.
Roles | Select the roles with the associated permissions you want to assign to the user. To add roles, see Define Roles [page 12].
Visibility Filters | Select the visibility filters you want to assign to the user. Visibility filters determine what the user can see and access in a planning view. To add visibility filters, see Create Visibility Filters [page 16].
3. Choose Save.
Related Information
Add Users and Assign Roles and Visibility Filters [page 14]
Reset Passwords [page 15]
6.2.1.4 Create Visibility Filters
Visibility filters control what master data is visible to a user for a particular planning area.
Prerequisites
● An understanding of master data types and how they are used by your planning area
● Familiarity with your master data
The Visibility Filters interface lets you create, edit, and delete filters. At least one visibility filter must be assigned to users in order for them to be able to view data.
● A visibility filter defines a set of attribute combinations that are visible to the user:
  ○ If there is no condition for an attribute, all values are allowed.
  ○ Conditions for different attributes within a visibility filter are combined with AND (intersection).
  ○ Conditions for the same attribute within a visibility filter are combined with OR (union).
● Different visibility filters are combined so that the user has access to the union of the sets of attribute combinations that each of them allows.
The product ships with the predefined visibility filter View All Data for all of the planning areas. This filter enables the user to see all of the data in the application from all of the planning areas (and supersedes any other filter(s) that have been applied).
Visibility filters are dependent on the model configured in the Configuration interface. When you activate a planning area in Configuration, a View All Data filter is created for the specific planning area.
You cannot edit or delete the View All Data filter. If there is more than one visibility filter assigned to a user, there is an OR relationship between them (union).
1. Choose Visibility Filters.
2. To create a new visibility filter, choose + Add New Visibility Filter. To edit a filter, click its name.
You can sort the list by clicking any column name and selecting Sort Ascending or Sort Descending, or enter a value in the Filter box to search for a specific entry.
3. Enter a name (required) and a description (optional) for the filter.
The name and description must be 3-20 alphanumeric characters in length.
4. In Planning Area, choose a planning area.
5. Under Filter Rules, choose a filter attribute.
If you define a filter that uses the same attribute more than once, there is an OR relationship between them:
Table 7: Example One
Attribute | Operator | Value
Customer ID | equal | Company ABC
Customer ID | equal | Company XYZ
Result: You can view data for either Customer ID Company ABC OR Customer ID Company XYZ.
If you define a filter that uses two or more different attributes, there is an AND relationship between them:
Table 8: Example Two
Attribute | Operator | Value
Customer ID | equal | Company ABC
Customer ID | equal | Company XYZ
Location Region | equal | USA
Result: You can view locations in the USA for (AND) either Customer ID Company ABC OR Customer ID Company XYZ.
6. Choose an operator.
Table 9: Description of Operators
Operator | Description | Example
equal | The result is equal to the value | Rule: Customer ID equal Company ABC. Result: You can view the details of the specific customer Company ABC.
greater than | The result is greater than the value |
greater than or equal to | The result is greater than or equal to the value |
less than | The result is less than the value |
less than or equal to | The result is less than or equal to the value |
between | The result is between the selected values |
contains pattern | The result matches the pattern defined. You can use the wildcards * and ? as follows: * can be substituted for any other multiple characters in a string; ? can be substituted for any single character in a string | Rule: Customer ID equal Company*. Result: You can view the details of Company ABC, Company 9000, or any other suffix. Rule: Customer ID equal Company?. Result: You can view the details of a company with a single character, for example Company A or Company Z.
has no value | The attribute value is empty (is null) |
has some value | The attribute has any value (is not null) |
nodes and descendants | This operator is available if an attribute is hierarchical. Therefore, the result includes the selected node and all of its descendants. | Rule: Asset ID nodes and descendants Baker plant. Result: You can view the details of the Baker plant and all of its descendants (for example Buildings 1, 2, and 3).
7. Enter a value.
8. To add additional rules to the filter, choose the plus icon (Add Filter Rule).
9. Choose Save.
Note: Changing the planning area clears the filter rules.
The new filter appears in the Visibility Filters list. You can now assign this filter to a user.
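Before assigning several filters to one user, an administrator can check the effective result of the combination rules described in this section (OR within one attribute, AND across attributes, union across filters). The Python model below is an added example, not SAP code and not part of the original guide; the Rule class, the sample records and the asset hierarchy are constructed, and it assumes that between is inclusive, that * may match zero characters, and that View All Data behaves like a filter with no conditions.

```python
import re
from dataclasses import dataclass
from typing import Any

# Constructed asset hierarchy (child -> parent) for "nodes and descendants".
PARENT = {"Building 1": "Baker plant", "Building 2": "Baker plant",
          "Building 3": "Baker plant"}


@dataclass(frozen=True)
class Rule:
    """One filter rule: attribute, operator name as in Table 9, value."""
    attribute: str
    operator: str
    value: Any = None


def wildcard_match(pattern: str, text: str) -> bool:
    # Only * and ? are wildcards; every other character is literal.
    # Assumption: * may also match zero characters.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, flags=re.DOTALL) is not None


def in_subtree(node: Any, root: Any) -> bool:
    # Walk up the hierarchy; the seen set guards against cyclic data.
    seen = set()
    while node is not None and node not in seen:
        if node == root:
            return True
        seen.add(node)
        node = PARENT.get(node)
    return False


COMPARE = {
    "equal": lambda a, v: a == v,
    "greater than": lambda a, v: a > v,
    "greater than or equal to": lambda a, v: a >= v,
    "less than": lambda a, v: a < v,
    "less than or equal to": lambda a, v: a <= v,
    "between": lambda a, v: v[0] <= a <= v[1],  # assumption: inclusive
    "contains pattern": lambda a, v: wildcard_match(str(v), str(a)),
    "nodes and descendants": in_subtree,
}


def rule_matches(rule: Rule, record: dict) -> bool:
    actual = record.get(rule.attribute)
    if rule.operator == "has no value":
        return actual is None
    if rule.operator == "has some value":
        return actual is not None
    if rule.operator not in COMPARE:
        raise ValueError(f"unknown operator: {rule.operator!r}")
    # An empty attribute satisfies no value comparison.
    return actual is not None and COMPARE[rule.operator](actual, rule.value)


def filter_allows(rules: list, record: dict) -> bool:
    """Same attribute: OR. Different attributes: AND. No rules: allow all."""
    by_attribute = {}
    for rule in rules:
        by_attribute.setdefault(rule.attribute, []).append(rule)
    return all(any(rule_matches(r, record) for r in group)
               for group in by_attribute.values())


def visible(filters: list, records: list) -> list:
    """Indexes of the records a user sees: the union over all assigned
    filters. With no filter assigned, the user sees nothing."""
    return [i for i, rec in enumerate(records)
            if any(filter_allows(f, rec) for f in filters)]


# Constructed sample data, not taken from a real system.
RECORDS = [
    {"Customer ID": "Company ABC", "Location Region": "USA", "Asset ID": "Building 1"},
    {"Customer ID": "Company ABC", "Location Region": "EMEA", "Asset ID": "Building 2"},
    {"Customer ID": "Company XYZ", "Location Region": "USA", "Asset ID": None},
    {"Customer ID": "Company 9000", "Location Region": "USA", "Asset ID": "Annex"},
]
EXAMPLE_TWO = [Rule("Customer ID", "equal", "Company ABC"),
               Rule("Customer ID", "equal", "Company XYZ"),
               Rule("Location Region", "equal", "USA")]
BAKER = [Rule("Asset ID", "nodes and descendants", "Baker plant")]
VIEW_ALL = []  # assumption: View All Data modelled as a filter with no rules

if __name__ == "__main__":
    print("Example Two only:       ", visible([EXAMPLE_TWO], RECORDS))
    print("Example Two + Baker:    ", visible([EXAMPLE_TWO, BAKER], RECORDS))
    print("Example Two + View All: ", visible([EXAMPLE_TWO, VIEW_ALL], RECORDS))
    print("No filter assigned:     ", visible([], RECORDS))
```

Because filters are unioned, each additional filter can only widen what a user sees, so review a user's complete filter set rather than each filter in isolation.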
Related Information
Add Users and Assign Roles and Visibility Filters [page 14]
Define Roles [page 12]
6.2.1.5 Deactivate Users
Deactivation blocks a user's access to the application.
To deactivate a user:
1. Choose User Management.
A list of users and their information appears.
2. For the user to deactivate, clear the User Activated check box.
Or, open the user's detail window by clicking the user's name and clear the Active User check box.
Related Information
Add Users and Assign Roles and Visibility Filters [page 14]
Define Roles [page 12]
Reset Passwords [page 15]
Edit User Details [page 15]
Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.
6.3 Standard Roles
There are two roles that are delivered with the application.
Role | Description
ALL_INCLUSIVE | User role that executes all operations in the application.
BASIC_USER | This role is hidden. Minimum permissions are required to log in to the application and change the password. Assigned by default to all users and used for viewing only.
Users can have additional roles and permissions. The administrator defines the roles and assigns them to users.
6.4 Password Policies
SAP Energy and Environmental Intelligence (EEI) uses a "Strong Password" scheme as mandated by SAP product
standards.
SAP standards, controlled by SAP HANA, require password value compliance and password expiration policies.
For more information, see SAP HANA Security Guide.
7 Storage and Network Security
Network and storage security are vital considerations with any implementation.
8 Communication Channel Security
The table below shows the communication channels, the protocol used for the connection, and the type of data transferred.
Table 10: Communication Channels
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Upload data from OP Systems (ERP) | HTTPS | All application data |
SAP EEI add-in for Microsoft Excel | JSON over HTTPS | All application data |
Administration and User configuration user interface | JSON over HTTPS | All application data | N/A
9 Data Storage Security
9.1 Data Storage
Most data on the server side is stored in the SAP HANA database.
The only exception is when importing data from On Premise (OP) systems. In case of data stored in the SAP HANA database, data is protected by authorization rules defined by the customer’s administrator.
9.2 Data Protection
Application data is protected by SAP HANA tools.
Some of these tools are SAP HANA user management, SAP HANA Studio, *DBC drivers, and XS Engine. Microsoft Excel documents on the user’s computer also store some portion of the data.
Note: In order to protect this data we suggest limiting access to these files to relevant users and using data encryption tools.
10 Data Privacy
The customer should define appropriate data privacy and protection measures and check the respective local
legal and privacy requirements before using or implementing certain scenarios in the application.
Parts or all of the master data, as well as application data, can be regarded as sensitive data. Application data can
contain customer, product, sales, production plans, and revenue plans, so it must be properly protected against
unauthorized access or evaluation. All personal data stored or accessed by the application should be kept to the
necessary minimum. In addition, it is suggested that you import only the minimum amount of data required to
support the use cases in which you are interested.
11 Other Security-Relevant Information
11.1 Use
The web client application is developed using SAP UI 5 technology, which is based on JavaScript.
The web client application will not work properly on any browser that does not support running JavaScript.
11.2 Securing SAP HANA
There are many ways to secure SAP HANA, including restricted access and required authentication.
11.2.1 Authentication at the Schema Level
Every SAP EEI application instance makes use of multiple schemas on one SAP HANA database.
These schemas are protected with SAP HANA access control. Data from different customers resides in separate SAP HANA instances.
11.2.2 Restricted Port Access
There are specific ports opened to the SAP HANA server and all other ports are set with “deny” access control by default.
11.2.3 Restricted Protocol Access
The SAP HANA server does not expose protocols other than ODBC, SSH and other administrative-related protocols.
11.2.4 Restricted Origination IP
The SAP HANA server does not access or accept connections to or from unknown origination points. Sockets can only be opened from a restricted set of servers.
12 Security-Relevant Logging and Tracing
Web client application logon attempts are saved in the HANA logs.
Logon attempts are audited by SAP HANA. For more information, refer to the SAP HANA Security Guide.
SAP HANA tables containing the information on users, roles, and permission assignments also have auditing
fields that log the modifications of these tables.
13 Frequently Asked Questions
SAP HANA provides security for all aspects of the application.
Table 11:
Question: How is stored data protected?
Answer:
● KeyStore: Secure vaults (keystores) are used to store sensitive information and keys. All keystores are passphrase protected and are not stored along with the data.
● Data Isolation: Data is stored in separate SAP HANA instances or schemas so that every access from one domain to another validates user credentials against the local identity store, adding the required isolation.
Question: How are configuration, user, password files, and so on managed?
Answer: The SAP solution authenticates the user. It is often necessary to specify different security policies for different types of users. The user types include named users, who represent real persons and are used for daily work with the SAP HANA database. These users are created by the user administrator. Passwords follow the policy described above.
Question: How does SAP HANA facilitate identifying suspicious activity?
Answer: There are monitoring tools in place.
Question: Is the hosted client environment secure and separated from other company environments?
Answer: Every customer has a dedicated production server, therefore each is physically separated for the application.
Question: Is security of data traffic over the public internet provided?
Answer: Data sent over the internet is encrypted. For more information, see Communication Channel Security [page 22].
www.sap.com/contactsap
© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are
set forth in the express warranty statements accompanying such
products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks
of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.