C 4 C Security Guide
This guide provides an overview of the security-relevant information that applies to SAP Cloud for Customer.
With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. While it is primarily the customer's responsibility to ensure their data security and proper user
management, SAP supports security by providing relevant features and functions. SAP is also responsible for
managing the lifecycle of the application for security improvement.
To assist you in securing SAP Cloud for Customer, we provide this Security Guide.
SAP data centers provide the highest-quality security measures while still allowing integration and flexible
access to their cloud data.
SAP Cloud solutions are hosted in data centers around the world. Customers can choose in which data center
they want their solution to run.
The solutions provide optional integration with many SAP solutions, such as a full Enterprise Resource
Planning (ERP) and Customer Relationship Management (CRM) suite, including the associated server
landscape and system maintenance.
Since SAP Cloud solutions deal with business data from your core business processes, SAP adheres to the
highest security and quality requirements, as follows:
• The business data is stored securely in SAP data centers. In addition, SAP Cloud native solutions are
hosted in Amazon Data Centers and operated by SAP. You, as a customer, can select the data center region
that best fits your needs.
• Customers share physical hardware, but their data is separated into tenants.
• Users who require access to the business data must authenticate themselves, and their identity must be
verified by user and access management.
• Customer data always belongs to the customer.
You can access your SAP Cloud solution in the following ways:
• Desktop computer: browser-based Internet access from any network with internet access
• Portable computers: browser-based Internet access from any network with internet access
• Mobile devices: native apps
Industry best practices and state-of-the-art open cryptographic standards secure and protect communications
between customer devices and the system landscapes of your SAP Cloud solution in the SAP data center.
The following diagram summarizes the technical system landscape for standard access:
To access SAP Cloud solutions, you must enter a unique, customer-specific URL.
The Reverse Proxy is the SAP Web Dispatcher, which is developed and maintained by SAP Cloud Support.
The communication channels that require mutual authentication are secured by using standard Transport
Layer Security (TLS) protocols. For more information about connectivity, see the Technical Connectivity
Guide for SAP Cloud Applications, on the SAP Help Portal: https://help.sap.com/cloud4customer.
The communication channels for monitoring and maintaining instances of your SAP Cloud solution
in the SAP data center network are also encrypted and authenticated.
To protect your SAP Cloud for Customer instance and data, you need to make sure that only authorized parties
have access. A key step to securing SAP Cloud for Customer is implementing secure authentication.
There must be a clear definition of roles and duties within the administrator user group itself. For example, you
have dedicated administrators for screen adaptations, but these team members can't change authorizations.
Note
Personalizing any part of the UI doesn’t change or add any security settings, because personalization
is part of extensibility, which allows you to display/hide fields based on user/business roles, screen
adaptations and so on. For example: even if you remove the edit button from the UI, the edit option is
still available via OData APIs.
Recommendation
We recommend using SSO for basic security. To protect accounts further, configure the identity provider
(IdP) of the SSO solution to provide enhanced security, such as multifactor authentication (MFA),
geofencing, and other additional security features.
The following table provides an overview of all activities related to user administration that you can perform as
an administrator:
• Support and Technical Users: View all support and technical users available in the system.
• Administrator > Common Tasks > Edit Security Policies: Specify security policies for user passwords.
• Edit Certificate Trust List: Edit trust list of certificates used for communication arrangements.
Note
The list of trusted certification authorities is available on the Web dispatcher. Certificates with which
users log on must be issued by one of these certification authorities.
You use business roles to assign access rights to multiple business users who carry out the same activities. You
can also define access restrictions for a business role.
Procedure
Tip
View A and view B both contain activity C. For view A, a user has unrestricted read and write access, but
for view B, the same user has read-only access. Because unrestricted access rights override restricted
access rights, the user will actually have both read and write access to both views. Checking
consistency will help you to identify these views and activities.
6. If there are activities displayed on the Check Access Rights Consistency screen, the access rights are
inconsistent. Check whether you need to redefine the access rights.
7. When finished, click Assigned Users > Activate User to save the edits you have made to the
business role and the users.
Note
You can also restrict the access rights of a technical user if you want them to only have read access.
Read
Business User: A user type for normal interactive users resulting from hiring an employee or creating a
service agent. Business users always have to change their initial password at first logon. The properties of
the passwords are determined by the assigned security policy.
Note
Service agents are used for external users, for example, partners or partner contacts. Apply specific
security policies and use specific roles to keep internal and external employees separated. We also
recommend that you lock external users as soon as they are no longer needed.
Support User: A user type for interactive support users used by SAP Cloud Services to access the system as
part of incident processing.
Note
If support users receive a ticket and realize that they have to access the customer system in order to
analyze the problem (for example, if they were not able to replicate and solve the issue in the internal test
or development systems), they use the Cloud Access Manager (CAM) tool that generates temporary access
to the corresponding customer system. Support users are not allowed to share these details. The CAM tool
keeps a log of which user generated which support user at what date and time. So it is always possible to
link a generic support user back to the real person.
It is often necessary to specify different security policies for different users. For example, your policy may
mandate that individual users who perform tasks interactively change their passwords on a regular basis.
You can only specify security policies for the Business User.
When a new user is created in your SAP Cloud solution, for example, during the hiring process of a new
employee, a user ID is created.
To log on to your SAP Cloud solution, the following authentication mechanisms are supported:
• Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
• Logon using client certificate (X.509) as logon certificate
• Logon using user ID and password
Recommendation
We recommend using SSO for basic security. To protect accounts further, configure the identity provider
(IdP) of the SSO solution to provide enhanced security, such as multifactor authentication (MFA),
geofencing, and other additional security features.
Administrator SEODADMINWCF
The users assigned to these work centers are power users and have access to admin-type features.
Most identity providers, such as SAP’s Identity Access Service (IAS), provide MFA as an optional feature
that must be enabled. For more information about enabling MFA, see Configure SAP
Authentication 365 in Administration Console.
Your solution supports SSO based on Security Assertion Markup Language 2.0 (SAML 2.0). To use this
function, your system landscape requires the following components:
The use of a SAML 2.0-enabled identity provider is mandatory. If you have no identity provider, it is
recommended that you use SAP Cloud Platform Identity Authentication - IAS (former Cloud Identity).
The mutual trust between service provider and IdP is established by the exchange of certificates and additional
metadata.
It is recommended you disable username and password based access for users who use SSO to log in. As the
users would use SSO, they wouldn’t be aware if their passwords get changed. IdPs could also provide extra
security features such as two-factor authentication, which would not be effective in case the username and
password option is still available.
For more information, see the Front-End Single Sign-On document in the Help Center and the SAP Identity
Provider documentation on SAP Help Portal at http://help.sap.com/netweaver SAP NetWeaver Identity
Management <release> Application Help .
Prerequisites
You’ve downloaded the XML file of the metadata of your identity provider (IdP).
Context
You can configure SSO in your system using the Configure Single Sign-On common task, which is
available under Administrator > Common Tasks.
Procedure
1. Choose My System.
2. Under General > Download Metadata, depending on the type of metadata acceptable to your identity
provider, choose either of the following: SP Metadata (Service Provider Metadata) or STS Metadata
(Security Token Service Metadata).
3. Save the XML file for upload into the IdP.
Note
Some IdPs can upload all information from the metadata XML file. Others require manual entry of the
information contained in the file.
• Unspecified
Maps the NameID attribute from the IdP configuration with the alias (username for logon) in the SAP
solution.
• E-Mail Address
Maps the NameID attribute from the IdP configuration with the e-mail address of the user in the SAP
solution.
Note
This option requires that an e-mail address is only associated with one user in the SAP solution.
The SAP solution traces the e-mail address to one employee defined in the SAP solution, and then
to the corresponding user.
7. Once you’ve configured your IdP, activate SSO in your cloud solution. To do so, click Activate Single
Sign-On.
8. Save your changes.
Upgrade the SAML certificates to the SHA256 RSA signing algorithm and a 2048-bit key
If your tenants have SAML certificates with the SHA1 RSA signing algorithm and a key length of 1024 bits, we
recommend that you upgrade the SAML certificates to the SHA256 RSA signing algorithm and a 2048-bit key.
This helps you to comply with the security requirements as per current industry standards.
Note
Once executed successfully, the system displays the Upgrade SAML Certificates successful message, and the
Upgrade SAML Certificates button is hidden from the user interface.
• The administrators are notified via a notification task with the subject, SAML certificates have been
upgraded by <user technical ID>. To get the notification, you must have scoped the business option
Business Task Management with the scoping question, Do you want to use e-mail to notify business users
about Business Task Management items?, in the Business Configuration work center.
• The existing integration scenarios relying on the SAML metadata stop working. This impacts, for example,
Single Sign-On, OAuth, and so on. As a next step, you must download the new SP or STS metadata
from the Configure Single Sign-On screen, and upload the required information to the relevant applications.
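To see which metadata files still carry a SHA1 RSA or 1024-bit certificate, before the upgrade and in the applications that received the old metadata, the following added example (not part of the original guide) reads the certificates out of SAML metadata and flags weak ones. The function names and the self-signed sample certificates are constructed for illustration; in practice you would pass in the SP or STS metadata XML you downloaded.

```powershell
# Added example. Needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# RSA signature algorithm OIDs, with a flag for hashes that no longer meet the recommendation.
$SignatureOids = @{
    '1.2.840.113549.1.1.4'  = @{ Name = 'md5WithRSAEncryption';    Weak = $true  }
    '1.2.840.113549.1.1.5'  = @{ Name = 'sha1WithRSAEncryption';   Weak = $true  }
    '1.2.840.113549.1.1.11' = @{ Name = 'sha256WithRSAEncryption'; Weak = $false }
    '1.2.840.113549.1.1.12' = @{ Name = 'sha384WithRSAEncryption'; Weak = $false }
    '1.2.840.113549.1.1.13' = @{ Name = 'sha512WithRSAEncryption'; Weak = $false }
}

function Get-SamlCertificateStrength {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $doc = [System.Xml.XmlDocument]::new()
    $doc.XmlResolver = $null                      # never fetch external DTDs or entities
    $doc.LoadXml($MetadataXml)
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    foreach ($key in $doc.SelectNodes('//md:KeyDescriptor', $ns)) {
        $node = $key.SelectSingleNode('.//ds:X509Certificate', $ns)
        if (-not $node) { continue }              # key descriptor without an embedded certificate
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = [X509Certificate2]::new($der)
        $rsa  = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        $oid  = $cert.SignatureAlgorithm.Value
        $alg  = $SignatureOids[$oid]
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 means the key is not RSA
        [pscustomobject]@{
            Use          = $key.GetAttribute('use')
            Subject      = $cert.Subject
            Signature    = if ($alg) { $alg.Name } else { $oid }
            KeyBits      = $bits
            NotAfter     = $cert.NotAfter
            # Algorithms outside the table are flagged so that they get a manual review.
            NeedsUpgrade = (-not $alg) -or $alg.Weak -or ($bits -lt 2048)
        }
    }
}

# Constructed sample input: a minimal SP metadata document around a fresh self-signed certificate.
function New-ConstructedSpMetadata {
    param([int]$KeyBits, [HashAlgorithmName]$Hash)

    $rsa  = [RSA]::Create($KeyBits)
    $req  = [CertificateRequest]::new("CN=constructed-sp-$KeyBits", $rsa, $Hash,
                                      [RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::UtcNow
    $cert = $req.CreateSelfSigned($now, $now.AddDays(30))
    $b64  = [Convert]::ToBase64String($cert.RawData)
    @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"@
}

# One document as it looks before the upgrade, one as it should look afterwards.
$before = New-ConstructedSpMetadata -KeyBits 1024 -Hash ([HashAlgorithmName]::SHA1)
$after  = New-ConstructedSpMetadata -KeyBits 2048 -Hash ([HashAlgorithmName]::SHA256)
@($before, $after) |
    ForEach-Object { Get-SamlCertificateStrength -MetadataXml $_ } |
    Format-Table -AutoSize
```

Running the same function against the metadata stored in each integrated application shows which ones still hold the old certificate after the upgrade.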
Users can also log on with a client certificate to complete authentication. To do so, users can choose between
the following options:
• If users already possess a suitable client certificate from a trusted Certification Authority, then they can
map the client certificate to their user ID.
• If no suitable client certificate is available, then users can request a client certificate from within the SAP
Cloud solution. In response, an SAP Certification Authority will provide the requested certificate. This
request can be repeated on any other device you use to access SAP Cloud solutions. You cannot use the
same certificate to log on with multiple users.
We strongly recommend that you never store the X.509 client certificate in an unprotected keystore. The
download also contains the corresponding private key. Therefore, the downloaded file should be protected with
a sufficiently strong passphrase of the user’s choice.
The following table contains the trusted certification authorities for client certificates:
[Table of trusted certification authorities not recoverable in this copy. Surviving column headings include:
No.; CA Display Name; Subject; Serial Number; Fingerprint SHA-1; Expiry Date (MM-DD-YYYY); Limited Approval
(MM-DD-YYYY, opt); File name of certificate, comments, if any. Surviving cell fragments: "OU=See
www.entrust.net/legal-terms, O=Entrust, Inc., C=US"; "CPS_2048 incorp. by ref. (limits liab.),
O=Entrust.net"; "Class 3 Public Primary Certification Authority_MD2.cer".]
Users log on to SAP Cloud solutions with their assigned user ID and password.
By default, a strong security policy for passwords is preconfigured in your solution, based on SAP’s product
security standard. You as an administrator can set an initial password and edit and create security policies
according to the security requirements of your company.
For more information, see Security Policy Quick Guide.
If a user has forgotten the password, that person can request a new one by using the password self-service on
the logon screen. A dialog box is displayed where the user has to enter the workplace e-mail address. Provided
this workplace e-mail address has already been entered for corresponding employee or service agent in your
solution, an e-mail containing a security code is sent to this e-mail address.
The system then displays a dialog box where the user can enter this security code. Note that the security code
is only valid in this dialog box. If the security code has been entered correctly, the system generates a new
temporary password with which the user can log on to the system. The system immediately displays another
dialog box requiring the user to change this temporary password.
We recommend that you implement some security parameters for password protection:
You can enable HTTPS security for outbound phone calls made from your solution. To fully enable this feature,
you need to create a security certificate. This example uses Windows PowerShell.
Context
To make outbound calls, you must have a CTI provider such as Sinch Contact Center (previously SAP Contact
Center) or other third-party product.
After you complete this process, users will be able to call customers directly from the solution without having
to navigate to another system.
Follow these steps to create a security authority and a security certificate from Windows PowerShell.
Procedure
1. Create a root certificate authority by opening PowerShell and entering the following commands
(replacing CODCTI Authority with your desired name):
2. Create a server certificate signed by the previously created authority with these commands, again
replacing CODCTI Authority with your desired name.
In the following commands, replace $port with your desired port, $certThumbprint with the thumbprint of
the server certificate (which you can find using the certificate manager), and $appId with the appid of the
CTI Client Adapter.
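# $cert must hold the server certificate created in step 2
$certThumbprint = $cert.Thumbprint
$appId = "{7e46cd40-39c6-4813-b414-019ad22e55b2}"
$port = 36731
# The netsh command must be entered on a single line
netsh http add sslcert ipport=0.0.0.0:$port certhash=$certThumbprint appid=$appId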
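The steps above as one script, written as an added example and not taken from the original guide. The trust-store import, the localhost server name, the key settings, and the validity periods are assumptions; the authority name, port, and appid are the values shown on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: the procedure above in one script. Not the original guide's commands.

$authorityName = 'CODCTI Authority'                        # from the page; replace with your own name
$port          = 36731                                     # from the page; replace with your port
$appId         = '{7e46cd40-39c6-4813-b414-019ad22e55b2}'  # appid value shown on the page
$serverName    = 'localhost'                               # assumption: the adapter is reached on this host

# Step 1: root certificate authority. Its private key is marked non-exportable.
$rootCert = New-SelfSignedCertificate `
    -Subject "CN=$authorityName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date).AddYears(5)

# Trust the authority on this machine: only the public certificate goes into Trusted Root.
$rootFile = Join-Path $env:TEMP 'codcti-authority.cer'
Export-Certificate -Cert $rootCert -FilePath $rootFile | Out-Null
Import-Certificate -FilePath $rootFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Remove-Item $rootFile

# Step 2: server certificate signed by the authority, limited to TLS server authentication.
$cert = New-SelfSignedCertificate `
    -DnsName $serverName `
    -Signer $rootCert `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# Confirm that the server certificate chains to the trusted authority before binding it.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # this private authority publishes no CRL
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' '
    throw "Server certificate $($cert.Thumbprint) does not validate: $reasons"
}

# Step 3: bind the certificate to the port, as in the command on this page.
$certThumbprint = $cert.Thumbprint
netsh http add sslcert ipport=0.0.0.0:$port certhash=$certThumbprint appid=$appId
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}

# Show the resulting binding so the thumbprint and appid can be checked.
netsh http show sslcert ipport=0.0.0.0:$port
```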
As an administrator, you can increase the security level, if desired, by editing and enhancing the security policy,
for example, by changing the complexity and validity for all passwords, in accordance with your company's
security requirements.
You can access the Edit Security Policies common task under Administrator > Common Tasks.
You can also define the length of time after which mobile users must reenter the app password to log on to the
system from a mobile device and the maximum number of times in succession a user can enter an incorrect
password before mobile app data is deleted from the mobile device as well as other properties regarding the
complexity of the password.
You have the option of choosing a flag to enforce password change requested by the administrator. Navigate to
Administrator > Common Tasks > Edit Security Policies, and set the Password Logon Enabled toggle button
to Yes. In the Admin Password Change Enforcement dropdown, you can choose Enforce or Ignore.
For more information about the app password, see Secure System Access and Authentication.
A security policy is a set of rules that defines password complexity, such as including numerical digits and
password validity, like requiring a password change after a certain period of time.
Procedure
Note
To create a new security policy similar to an existing one, select an existing security policy and click
Copy.
You can define multiple security policies because work areas or departments of a company may have
different password security requirements.
Procedure
Remember
You cannot change policies that begin with S_ . These are default security policies delivered by SAP.
2. Change the complexity and validity rules for passwords assigned to the security policy.
3. Save your changes.
Remember
If a user's password does not comply with the changed password rules, the user is prompted to change
the password with the next system logon.
You can assign a security policy to multiple business users at one time.
Procedure
1. In the Business User subview, click Actions and select Assign Security Policy.
2. Select one or more users that you need to assign a security policy to.
3. Click Assign Business Role and select the security policy that you would like to assign to the selected
business users.
4. Click OK to save the assignment.
When a business user is created, the system automatically assigns the default security policy to the business
user.
Context
Procedure
1. In the Default column, set the check box for the security policy you want to define
as the default security policy.
2. Save your changes.
Note
You can change the security policy assignment in the Business Users view.
Procedure
Note
• If you have selected a security policy beginning with S_, the Remove button is deactivated, as the
deletion of a default security policy delivered by SAP is not permitted.
• If you have selected a security policy that is currently assigned to users, you cannot delete it.
2. Click Remove.
3. Save your changes.
As an administrator, you can define security settings that are applicable for all users, or a selected business
role.
For security reasons, users are automatically logged off of the system if they’ve been inactive in the system for
a certain period of time. If you leave this option empty, inactive users will be logged off of the system after 1
hour.
You can set the auto logoff time for all users in your company. To do so, proceed as follows:
Note
Certificate Pinning
Enabling the certificate pinning feature allows secure communication between the app and the SAP Cloud for
Customer server. Your administrator must enable this feature.
3.2 Authorization
Note
Personalizing any part of the UI does not change or add any security settings, as this is part of extensibility,
which allows you to display or hide fields based on user/business roles, screen adaptations and so on. For
example: If you remove the edit button from the UI, the edit option is still available via OData APIs.
You can assign authorizations to each employee who has a user ID in your solution.
Employees are assigned to org units within organizational management. The assigned org unit determines the
functions that the employee can use.
Based on these functions, work centers and work center views are proposed for the users. Some business
processes require that a work center view can only be assigned together with one or more other work center
views. If you as an administrator assign such a work center view to a user, then your solution automatically
assigns these additional views to the user.
In SAP Cloud for Customer, you can enable partner contacts to access your SAP system by creating a user
ID separate from employees in your solution. Partner contacts are service agents, which are used to give
external employees system access. Partner contacts should be assigned their own business roles to maintain
limited access to your SAP system.
Caution
Creating user IDs for your business partners will allow outside access to your system.
You can define whether a particular user has read or write access to data in a work center view.
Your SAP Cloud solution provides the user with access to all of the business documents and Business Task
Management items in that work center view.
You can restrict access to specific data on the basis of the access context assigned to the work center view in
which the data appears.
Caution
It is important to be aware of the following dependencies when you assign work centers and views directly
to users:
• Each work center view contains specific activities that can be carried out by a user with the necessary
access rights for the view. When you assign a view or work center directly to a user, rather than
assigning these through a business role, by default the user will have unrestricted read and write
access to all the functions associated with the work center view.
• Additionally, in some cases the same activities can be carried out in multiple views. When you grant
access rights, you should be aware that if there is a conflict, unrestricted access rights override any
Recommendation
We recommend that you handle access rights by assigning business roles to users rather than by assigning
work centers views directly to users. The advantages of assigning access rights through business roles are
considerable:
• It eliminates the risk of a user accidentally having authorizations to read or edit data to which he or she
should not have unrestricted access.
• There is much less maintenance effort involved when you have to edit access rights, for example, after
an upgrade. You only have to edit the access rights associated with the business role and not the
individual user’s access rights.
In SAP Cloud for Sales, the ability to grant and restrict authorizations is supported for most work center views,
such as Accounts, Employees, Products, Activities, or Opportunities.
Views are assigned through a work center to business roles. Authorizations for certain views can be restricted
either to employees or territories associated to the specific item within a view, or through an assignment of the
employee to an organizational unit.
Access contexts bundle context-specific restriction rules that are assigned to various work center views, and
you as an administrator can choose at business role level which restriction rule will be used for which view.
You will find a selection of applicable restriction rules when you set at least the Write Access to Restricted.
For example:
Access Context ID
Access context IDs appear only in the context of access rights on the business user level, and you can
find the IDs of employees, business users, org units, territories, and sales channels. The following objects and
access context IDs are available:
• Employee: Employee ID
• Territories: Territory ID
• Org center: Org center ID
• Sales chain: Org center ID plus distribution channel
Procedure
1. In the Administrator work center, choose General Settings > Users > Business Roles and create a
business role. The business role defines a set of work centers and its associated views, including its
restriction rules.
2. Assign work centers and views under Work Center and View Assignments. Select views applicable for the
business role.
3. Under Access Restrictions restrict the access for the work center views as appropriate by setting at least
the Write Access to Restricted or No Access. In case a view offers specific rules, you can select it from the
Restriction Rule drop-down box.
If you want different rules for write and read access for the same view, you need to create two
business roles with the same view assignment. One business role should get specific read access and write
restriction to No Access and the second business role should get the same view with both read and write
access.
4. Under Fields & Actions you can restrict the access for all extension fields and selected business fields and
actions.
5. Save your work and choose Actions > Activate to activate your role.
6. In the Administrator work center, choose Users > Employees and create an employee. Note that you
can create an employee only when you do not use external integration with, for example, SAP ERP.
7. Choose Users > Business Users, open the created employee as a business user, and choose Edit >
Access Rights.
8. Under Business Role Assignment, assign the created business role to the user.
Under Access Restrictions you can restrict the access on a user-level only if you haven't assigned a
business role. For this, change at least the Write Access to Restricted. Now the restrictions on the
Results
Note that the value Unrestricted is only relevant if a user is assigned to more than one business role.
If a business field occurs in one of the business roles with access restriction Unrestricted, then the user has
no restriction even if there is another business role restricting the business field. If the business field does not
occur in a business role, but is restricted in another business role, then the user is restricted accordingly.
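The override rule described here, and in the earlier tip about views A and B, can be modelled to review a planned role design before activation. This is an added example with constructed data and hypothetical names (Get-EffectiveAccess, the role and field names); it is a simplified model, not SAP's implementation.

```powershell
# Added example: simplified model of "unrestricted overrides restricted". All data is constructed.
# Ranking Unrestricted above Restricted is the rule stated on this page; treating No Access as
# the lowest level is an assumption of this model.
$AccessRank = @{ 'No Access' = 0; 'Restricted' = 1; 'Unrestricted' = 2 }

function Get-EffectiveAccess {
    param([Parameter(Mandatory)][object[]]$Grants)   # objects with Source, Item, Access

    foreach ($g in $Grants) {
        if (-not $AccessRank.ContainsKey($g.Access)) {
            throw "Unknown access level '$($g.Access)' on $($g.Source)."
        }
    }

    foreach ($group in ($Grants | Group-Object -Property Item)) {
        # The most permissive grant for an item wins, whichever view or role it came from.
        $ordered = @($group.Group | Sort-Object -Property { $AccessRank[$_.Access] } -Descending)
        $winner  = $ordered[0]
        $losers  = @($ordered | Where-Object { $AccessRank[$_.Access] -lt $AccessRank[$winner.Access] })
        [pscustomobject]@{
            Item         = $group.Name
            Effective    = $winner.Access
            GrantedBy    = $winner.Source
            Overridden   = ($losers | ForEach-Object { "$($_.Source): $($_.Access)" }) -join '; '
            Inconsistent = $losers.Count -gt 0       # a restriction exists that has no effect
        }
    }
}

$grants = @(
    # Tip scenario: activity C is contained in view A and in view B (write access shown).
    [pscustomobject]@{ Source = 'View A'; Item = 'Activity C'; Access = 'Unrestricted' }
    [pscustomobject]@{ Source = 'View B'; Item = 'Activity C'; Access = 'Restricted' }
    # A business field restricted in one business role and unrestricted in another.
    [pscustomobject]@{ Source = 'Role SALES_REP'; Item = 'Field Discount'; Access = 'Restricted' }
    [pscustomobject]@{ Source = 'Role SALES_MGR'; Item = 'Field Discount'; Access = 'Unrestricted' }
    # A business field that occurs in only one role: the restriction stands.
    [pscustomobject]@{ Source = 'Role SALES_REP'; Item = 'Field Credit Limit'; Access = 'Restricted' }
)

Get-EffectiveAccess -Grants $grants | Format-Table -AutoSize
```

Rows marked Inconsistent are the ones to revisit: the restriction listed under Overridden has no effect for a user who holds both assignments.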
To reduce the effort for the maintenance of authorizations, administrators should avoid using the specific
restriction 99 within a particular access context.
The other access restriction rules are binding for the overall master data, meaning that you do not
need to change user restrictions separately, or create new business roles. Rather, you, as an administrator, can
specify a restriction rule within a business role, and then assign that business role to multiple users. With this
approach, authorizations are automatically derived from the existing master data.
Note
If an employee's organizational or territory assignment changes after the initial assignment of a
restriction to a business role, then you, as a business administrator, must update your business users,
to ensure that these changes are considered:
Whenever you, as an administrator, maintain the authorizations of business users, we recommend you assign
business roles to these users in concert with restriction rules.
Access context 1015 (Employee or Territory) can be applied to accounts, contacts, leads, sales leads,
opportunities, and sales quotes. Two restriction rules, described below, are delivered for this access context:
Authorizations for employees, fields, and actions can also be restricted on the basis of the territory that is
automatically determined or maintained for that item.
Note
By editing the access group ID Territories, you, as an administrator, can grant authorizations to the business
users that are associated with the territories. If you modify the authorization of a business user in relation
to a territory, then that user can view or update the items that are assigned to that territory, or to any
corresponding territory.
For example, if you assign authorization to an employee to view or update items that are related to a certain
territory, for example, the United States, then that employee can also view or update items that are related to
subordinate territories, such as California or Florida.
By editing the access group ID Employees, you, as an administrator, can grant authorizations to employees to
see items of their own, or of other employees.
Employees who have been granted the appropriate authorizations can see or update each item, as follows:
• Provided that they belong to the account team or territory team, meaning that they are directly or
indirectly associated with an account by means of any role (including a customer-derived one), authorized
employees can view or update accounts.
• Provided that they belong to the account team of an account that is associated with a contact, authorized
employees can view or update contacts.
• Provided that they are assigned as an involved party or sales team in a document such as activity, lead,
sales quote, or opportunity, authorized employees can view or update them.
Note
Items to which no employee or territory has been assigned can be accessed by all employees.
If you choose to modify authorizations in relation to a particular organizational unit, then the authorization
changes will be applied to all employees who belong to that organizational unit, or to any subordinate unit. At a
later date, you can also modify the authorizations of individual employees on this organizational unit, if desired.
This section describes authorization issues that you, as an administrator, may encounter, and how you can
resolve them.
Authorization for a certain user has been restricted for a particular item, but the user can still view or edit
the item.
The organizational or territory assignment of an employee or manager has changed, but the user cannot
access the items that relate to the new assignment.
If master data changes occur, then you, as the administrator, must update your business users as follows:
This action is especially important if you change, for example, the managerial responsibility for organizational
centers within the organizational hierarchy, or if you modify the assignment of employees to territories.
Allowing employees to edit tickets gives an employee the ability to engage with customers.
In SAP Cloud for Service, you can limit the employee access to tickets to ensure that only qualified employees
engage with customers. You can limit the access of a single employee or group of employees. You can also limit
access for partners and partner contacts.
Procedure
1. Create the organization that will contain the employees that you assign to this group.
2. After you have created the organization, create routing rules to define which tickets are assigned to the
organization.
3. Create a role. A role contains permissions that are inherited by each employee assigned to the role.
a. In the Access Restrictions tab, restrict read and write access for Tickets and Queue in the Assigned
Work Center Views list. Assign access rights to users according to your business needs.
b. To restrict employee access to the employee's organization, open the Detailed Restrictions list and
ensure that the check boxes for Read Access and Write Access are checked only for the employee's
organization.
c. To allow employees to read tickets in other organizations, open the Detailed Restrictions list and ensure
that the Read Access and Write Access check boxes are checked for the employee's organization.
Select Read Access to allow the employee to read the tickets of the selected organization.
4. Assign the role to all applicable employees.
In a company with a global workforce, it is important to have administrators for global work tasks as
well as local administrators that cover subsidiary tasks. Therefore, the company should have a few global
administrators with expansive rights and many more local administrators with more restrictive rights.
Context
Additionally, these global and local administrators can edit access rights for business users by assigning
business roles with local scope to the users.
Tip
Your company's headquarters are located in Paris and you have subsidiaries in Chicago, Tokyo, and New
Delhi. If issues happen in the subsidiaries, the workforce there can't wait until the administrators in Paris are
working again because they are in different time zones. So it would be better to create roles for local
administrators that enable them to manage local issues, but without access to data outside their
local organization.
1. As global administrator, you first need to restrict which views your local administrators can access
and assign to the users of their sales organization. For this, select
Administrator > General Settings > Users > Work Center View Restrictions for Local Administrators.
The views must either be Allowed or Partially Allowed. We recommend that you un-restrict at least the
Employees and Business Users views.
2. Create a business role for the local administrators. The role for the local administrators should have
all Allowed and Partially Allowed views that you defined in Work Center View Restrictions for Local
Administrators, and especially Employees and Business Users. Take care that the access for the Employees
and Business Users views is restricted to the sales organization of the users.
Only business roles with the scope Local can be assigned to business users by local administrators. A
business user is Global, if at least one view is either Not Allowed or Partially Allowed, but not restricted with
a restriction rule (besides restriction rule 99).
3. Now you can create business roles for local administrators with the allowed and partially allowed views you
defined in Work Center View Restrictions for Local Administrators.
• You can only create local roles for views that you defined in Work Center View Restrictions for Local
Administrators view as Partially Allowed or Allowed. In case one view is marked as Not Allowed, the role
isn't visible for the local administrator.
• Local administrators cannot assign global roles to local business users.
• If you un-restrict a view in Access Restrictions that is set as Partially Allowed in Work Center View
Restrictions for Local Administrators, the entire role switches to Global and disappears for the local
administrator.
• Local administrators can only use roles with scope Local.
4. On the Fields & Actions tab of your local administrator role, under Business Restrictions, you can also
restrict that the local administrator can be the only one to edit access rights or attributes of other users.
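The Local/Global scope rule from the steps above can be checked offline against a list of roles before they are handed to local administrators. The following Python example is added here and is not SAP code; the role names, the restriction rule numbers other than 99, the Payments view, and the treatment of unlisted views as Not Allowed are assumptions, and all data is constructed.

```python
"""Classify business roles as Local or Global, following the rule as worded in this guide."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOWED = "Allowed"
PARTIALLY_ALLOWED = "Partially Allowed"
NOT_ALLOWED = "Not Allowed"

# Assumption: rule 99 does not count as a restriction, following the guide's
# "(besides restriction rule 99)" remark.
NON_RESTRICTING_RULES = {99}


@dataclass(frozen=True)
class RoleView:
    """One work center view inside a business role (hypothetical export row)."""
    name: str
    restriction_rule: Optional[int] = None  # None means unrestricted access


def is_restricted(view: RoleView) -> bool:
    """True if the view carries a restriction rule that actually restricts."""
    return (view.restriction_rule is not None
            and view.restriction_rule not in NON_RESTRICTING_RULES)


def role_scope(views: List[RoleView],
               local_admin_settings: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ("Local" or "Global", list of reasons the role is Global)."""
    reasons = []
    for view in views:
        # Assumption: a view missing from the settings is treated as Not Allowed.
        setting = local_admin_settings.get(view.name, NOT_ALLOWED)
        if setting == NOT_ALLOWED:
            reasons.append(f"{view.name}: Not Allowed for local administrators")
        elif setting == PARTIALLY_ALLOWED and not is_restricted(view):
            reasons.append(f"{view.name}: Partially Allowed but unrestricted in the role")
    return ("Global" if reasons else "Local"), reasons


def assignable_by_local_admin(roles: Dict[str, List[RoleView]],
                              local_admin_settings: Dict[str, str]) -> List[str]:
    """Names of the roles a local administrator can see and assign."""
    return sorted(name for name, views in roles.items()
                  if role_scope(views, local_admin_settings)[0] == "Local")


# Constructed sample: view settings chosen by the global administrator.
SETTINGS = {
    "Employees": PARTIALLY_ALLOWED,
    "Business Users": PARTIALLY_ALLOWED,
    "Tickets": ALLOWED,
    "Queue": ALLOWED,
}

# Constructed sample roles; rule number 1 is a placeholder for any real restriction rule.
ROLES = {
    "LOCAL_ADMIN_CHICAGO": [RoleView("Employees", 1), RoleView("Business Users", 1)],
    "SERVICE_AGENT": [RoleView("Tickets"), RoleView("Queue")],
    # Business Users was un-restricted later: the whole role becomes Global.
    "DRIFTED_ADMIN": [RoleView("Employees", 1), RoleView("Business Users")],
    "RULE99_ADMIN": [RoleView("Employees", 99), RoleView("Business Users", 1)],
    # Contains a view that the settings do not list at all.
    "FINANCE": [RoleView("Payments", 1)],
}

if __name__ == "__main__":
    for role_name, role_views in ROLES.items():
        scope, why = role_scope(role_views, SETTINGS)
        print(f"{role_name}: {scope}", *why, sep="\n    ")
```

Running the check after every change to Access Restrictions shows which roles have silently switched to Global and dropped out of the local administrators' reach.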
If the user has been assigned to multiple work centers, your SAP Cloud solution checks whether the assigned
views conflict with the segregation of duties.
Segregation of duties is designed to minimize the risk of errors and fraud, and to protect company assets, such
as data or inventories.
The appropriate assignment of access rights distributes the responsibility for business processes and
procedures among several users.
For example, suppose that your company requires that two employees be responsible for the payment process.
This requirement ensures that the responsibility for managing company finances is shared by two employees.
A segregation of duties conflict occurs when a user has access to a set of work center views that could enable
him or her to make an error or commit fraud, thereby damaging company assets. If the application detects a
conflict, it indicates that conflict in the user interface and proposes possible solutions.
Based on this information, you can alert business process owners to existing conflicts, so that they can
implement process controls to mitigate them.
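The conflict check described above can be reproduced outside the system when reviewing role assignments. This Python example is added here and is not SAP code; the conflict rules, role names, user names, and the payment view names are constructed assumptions.

```python
"""Detect segregation-of-duties conflicts from user, role, and view assignments."""
from typing import Dict, FrozenSet, List, Set

# Constructed conflict rules: sets of work center views that a single user
# should not hold together. View names are hypothetical.
CONFLICT_RULES: Dict[str, FrozenSet[str]] = {
    "payment-initiate-and-approve": frozenset({"Create Payments", "Approve Payments"}),
    "user-admin-and-payments": frozenset({"Business Users", "Approve Payments"}),
}

# Constructed role definitions: role name -> views granted by the role.
ROLE_VIEWS: Dict[str, Set[str]] = {
    "AP_CLERK": {"Create Payments", "Invoices"},
    "AP_APPROVER": {"Approve Payments"},
    "LOCAL_ADMIN": {"Employees", "Business Users"},
}

# Constructed user assignments: user -> roles.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_APPROVER"],
    "carol": ["LOCAL_ADMIN", "AP_APPROVER"],
}


def views_by_source(roles: List[str],
                    role_views: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map every view a user holds to the set of roles that grant it."""
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        for view in role_views.get(role, ()):
            granted.setdefault(view, set()).add(role)
    return granted


def find_conflicts(user_roles: Dict[str, List[str]],
                   role_views: Dict[str, Set[str]],
                   rules: Dict[str, FrozenSet[str]]) -> Dict[str, List[dict]]:
    """Return {user: [finding, ...]} for every user who violates a rule.

    Each finding names the rule, the conflicting views, and the possible
    resolutions: removing all roles behind any ONE of the conflicting views
    is enough to break the conflict.
    """
    findings: Dict[str, List[dict]] = {}
    for user, roles in user_roles.items():
        granted = views_by_source(roles, role_views)
        for rule_id, conflicting in rules.items():
            if conflicting.issubset(granted):
                views = sorted(conflicting)
                findings.setdefault(user, []).append({
                    "rule": rule_id,
                    "views": views,
                    "resolve_by_removing": [sorted(granted[v]) for v in views],
                })
    return findings


if __name__ == "__main__":
    for user, items in find_conflicts(USER_ROLES, ROLE_VIEWS, CONFLICT_RULES).items():
        for item in items:
            print(user, item["rule"], "->", item["resolve_by_removing"])
```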
With the SAP Cloud mobile solutions, you can access many of the functions that have been tailored to business
on-the-run.
Changes made on mobile apps are automatically updated in the system over the internet, online, and in real
time. Mobile solutions connect to the SAP Cloud solution in the same way as personal computers do.
The following table provides information about the mobile devices on which you can run SAP Cloud solutions:
iPhone/iPad Yes
Android Yes
Offline Support
Note
If you disable the device pin on an Android device, then the offline encryption is also disabled.
The following devices support the SAP Cloud for Customer hybrid apps with SAML2 based SSO:
Hybrid Apps
Supported Devices
Recommendation
For setup information, refer to Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO).
For the Single Sign On (SSO) option, we recommend disabling the username and password access. However,
ensure that you maintain updated and accurate e-mail addresses for the users, as this is required in case
of a problem with the Single Sign On. The username and password options could be used as a fallback.
Administrators might have to send out initial passwords or users would have to reset their password via self-service.
Both options require updated, correct e-mail addresses.
Access from mobile devices is enabled by connecting to the back-end system using HTTPS and the same user
and password authentication used for connection from a personal computer.
Note
SAP Cloud for Customer solution now supports certificate pinning in the extended edition for the following
apps:
• iOS apps
• Android apps
Android Credential Storage requires maintaining secure settings on the screen lock feature.
For SAP Cloud for Customer, extended edition for Android, it is mandatory for the user to have a screen lock to
be able to use the application. The application uses the Android Credential Storage to securely store sensitive
information and this requires the user to enable the screen lock.
Administrators can enforce this policy if the device is managed under MDM; otherwise, they have to inform the
users that a screen lock is mandatory. Earlier, it was possible for a user to create a logon profile, log in, and work
normally with the app. With 1811, the app can be installed but no logon profile can be created if the screen lock is
not enabled.
Caution
Removing the screen lock will result in data loss (logon profiles will have to be re-created; unsynced offline
data will be lost).
Enabling the certificate pinning feature allows secure communication between the app and the SAP Cloud for
Customer server. Your administrator has to enable the feature.
Go to Administrator > General Settings > Mobile Settings and in the Certificate Pinning field, select
Activate.
With the feature enabled, the app cannot communicate with a server that presents a false or forged certificate.
The feature is disabled by default, but customers have the option to enable it via mobile configuration. When
you enable the feature, the mobile application performs the check.
Note
For our forthcoming releases, we will enable the certificate pinning feature by default.
Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen. Therefore, we
recommend that you use the security features provided by your mobile device platform.
For example:
• Use an additional, sufficiently long, PIN (personal identification number) to lock the device.
• Enable remote management software that allows you to lock the device remotely, or wipe data from it.
Stored data may contain potentially sensitive information. Ensure adequate protection for your business data
by using a strong password for device access. As an additional security measure, the stored data is also
encrypted with a Passcode.
The Passcode has a minimum length of 8 characters, with a longer length making for a stronger password.
Caution
Currently, when you edit the security policy for the extended apps, the Mobile App Password Complexity
settings are not considered. The mobile app password, known as the passcode, has to comply with a fixed
complexity rule defined by the extended app.
For information on how to operate your mobile device, refer to the device manufacturer's documentation.
This section describes the types of data stored on the mobile device.
The mobile apps for SAP Cloud solutions store three types of data on the mobile device, as outlined below.
User Name
On providing the login information, the user name will be masked to ensure the user's security.
Passcode
The passcode feature applies to the extended apps only, and is turned on by default. It is possible to enable
Touch ID as an alternative option for passcode if the device supports iOS and Android apps. However, the
administrator has the ability to disable the passcode for the user. The administrator can make this change in
the administration settings area of the solution. Refer to the Administrator Guide for more details on how to do
this.
SAP recommends having a device passcode in place for security reasons. The administrator has the ability
to make this feature optional for users.
Encryption
We recommend you keep the devices and apps as secure as possible by encrypting all data. However, if the
customer wants to increase usability, they need to be aware of the risk and must ensure there are other
protections (for example, a strong device lock) in place.
All extended apps use AES 256 encryption to protect the offline data storage. The only exception is
Android devices, where the device pin has to be enabled to enable encryption.
To obtain support for a technical error within the mobile app, you may be requested to activate the app’s
error-logging functionality. When error logging is active and the technical error is reproduced, files containing
technical data are created. These files enable SAP Cloud Support representatives to resolve the error. Delete
the log files once they are no longer required.
To improve the mobile app’s performance, metadata is stored on your mobile device. The cached information
contains technical data that describes the user interface. The cache files can be deleted.
For device-specific instructions on how to set the password expiration, enable logging, or delete logs and cache
files, refer to the mobile app’s documentation.
You can upload pictures and other files from the mobile device to the SAP Cloud solution, for example, pictures
captured on a mobile phone’s camera. Such files are not managed through the SAP mobile app. When files are
uploaded to the solution, they are not deleted from the mobile device. To protect any sensitive or confidential
data that such files may contain, we recommend that you take extra precautions appropriate for the specific
mobile device in use. For information on how such files are secured and stored on your mobile device, refer to
the device manufacturer’s documentation.
To enable this, start the app, set up a passcode, and enter the system URL, username, and password. During the
setup, the user has to enter a passcode that is different from the system password. The local application data
is encrypted with a key derived from the app password. Authentication is required to switch between
online and offline mode.
For mobile apps, once the device is online, data is sent to the back-end system and synchronized from the
mobile device.
When you set up a passcode for container apps for storing data in the offline mode, remember the following
points:
Note
If you disable the device pin on an Android device, then the offline encryption is also disabled.
Use the Data Protection and Privacy Work Center to manage personal and sensitive personal data of
employees, individual customers, and contacts. As an employee responsible for data protection and privacy
regulation compliance in an organization, you can use the Work Center to disclose as well as remove data on
request.
Data processing systems store master data or transactional data used to perform business processes and to
document them. In many cases, it involves the personal data of employees, individual customers, and contacts.
In many countries/regions, the storage, disclosure, and removal of such personal data from data storage
systems must be in accordance with statutory data protection laws. One requirement in many countries/
regions is that the personal data can only be stored if a clear business reason for this data retention exists.
Most data protection legislation orders fixed retention periods, defining how long data can be stored in data
systems, after which it must be deleted. In addition, legislation in many countries/regions stipulates that the
data protection officer must disclose the personal data of individuals, when they expressly request it.
The Data Protection and Privacy Work Center allows those responsible for data protection functions in an
organization to respond to requests to fulfill the following requirements:
Note
In this document, employees, individual customers, and contacts are collectively referred to as business
partners.
Features
There are a number of key features of Data Protection and Privacy in SAP Cloud for Customer. These are
outlined as follows:
A key principle in data protection and privacy is the Obligation to Disclose. This is an obligation set in
legislation in many countries/regions where data protection regulation has been adopted. As an administrator
responsible for data protection regulation compliance, you can disclose personal data of employees, individual
customers, and contacts. You can display a summary of all data associated with these business partners
stored in the SAP Cloud for Customer system. You can also access the detailed records.
This second data protection and privacy principle refers to the requirement of organizations to delete personal
data held on its business partners that is kept in an identifiable form, and retain this data for no longer than
Certain categories of personal data are considered sensitive due to their criticality and importance. You can
activate tracking of read access to such personal data. You have to carefully review the groups of such personal
data available and activate read access logging for those groups which are processed by your organization. In
the SAP Cloud for Customer, you can also add custom fields and mark them for read access logging.
A log is created whenever there is a change in personal data. You can view the change records for a specific
business object in the respective Changes tab.
If you are an administrator, you can restrict access to the change logs by removing access to the Changes tab
for regular users. You can then create a new layout that includes the Changes tab and assign this layout to
authorized users.
The change logs are not available via regular APIs. You can build the retrieval using the SAP Cloud Applications
Studio.
A change log is removed only when an object is completely depersonalized. This means that a log remains
unchanged even if personal data is removed from an active object.
In large organizations, employees with the designated role (Data Protection Officer, for example) are
responsible for ensuring that data protection and privacy principles are followed, and that the organization
complies with all data protection and privacy legislation in force within the country/region (or countries/
regions) it operates. However, these tasks can be delegated to other authorized employees, for example,
designated Human Resources administrators.
Authorization
The Data Protection and Privacy Work Center is only available to authorized employees or Data Privacy officers
in your organization. It is therefore strongly recommended this Work Center assignment is only given to those
employees directly responsible for data protection and privacy regulation compliance in your organization.
Usage Block
This is the point in time for a data set when the processing of personal data is no longer required for the
primary business purpose. After the End of Purpose has been reached, the data is blocked and can only be
accessed by users with special authorization, for example, tax auditors. In SAP Cloud for Customer, we have
the following solution:
• You can set a business process to end-of-purpose via an API call, which helps support integration. It
prevents the business process from displaying value helps, so you cannot use it to create new transactions.
There is however no standard access restriction. Any user can still search for the business process and
open it.
• You can delete or depersonalize data. If the data is still required for later audits, you can export it using the
OData APIs.
Note
Employees, such as Data Protection officers with responsibility for data protection have full access rights
for the Data Protection and Privacy Work Center. These access rights allow an authorized user to access
Disclose personal data of employees, individual customers, and contacts in the Data Protection and Privacy
Work Center.
As an administrator responsible for data protection regulation compliance, you can disclose the personal data
of employees, individual customers, and contacts. You can display a summary of all data associated with these
business partners stored in the SAP Cloud for Customer system. You can also access the detailed records.
Note
In this document, employees, individual customers, and contacts are collectively referred to as business
partners.
Procedure
1. In the Data Protection and Privacy Work Center, open the Personal Data Disclosure view.
2. To display the disclosure-relevant data for the business partners, select the relevant option from the
dropdown. For example: If you want to disclose an employee’s data, select All Employees.
3. Select the desired business partner from the list and click Disclose Data. A new overview screen opens that
displays all the disclosed data for the selected business partner.
Note
Before the overview screen is loaded, a dialog box appears informing you that your access to this
screen is logged. Confirm this message to proceed.
4. Click Expand all to view all individual records that are to be disclosed. Click the expand and collapse
triangle icons to view individual data record summaries for the selected entity.
5. Click the links for the individual records, for example, General Data or transactional data, such as Leads or
Opportunities, to navigate to the actual data record held in the SAP Cloud for Customer system.
Note
The figure shown in the Records column represents the number of discrete data records (for example,
Sales Orders) of the selected type assigned to the employee in the SAP Cloud for Customer system. A
zero indicates that no records of this type exist for the selected employee.
Note
In addition to the above, you can use the following methods for data disclosure:
• Data workbench: If you want to disclose more personal details, you can use the data workbench to
export full datasets for employees and contacts of individual customers. The data workbench export
function allows you to specify one or more persons to be processed. It also allows you to select the
fields you would like to export, for example, ignore technical IDs, don't export business addresses. For
more information, see Data Workbench.
• OData APIs: You can use APIs to build custom processes to export exactly what you need for your use
cases, including all the personal data of the business partner, linked transactions, and other related
data. The APIs can be called using custom logic, from Excel spreadsheets, and so on. For more details,
see SAP Cloud for Customer OData API v2 Reference.
Delete personal data of employees, individual customers, and contacts on their request in the Data Protection
and Privacy Work Center.
Once the end of purpose has been reached for personal data (e.g. business partners, transactions), it has to
be removed. SAP Cloud for Customer offers business partner driven removal (this will delete the person and all
the related data/transactions), or transaction driven removal (this targets individual transactions that are no
longer needed).
It is now possible for you, as an administrator responsible for data protection regulation compliance, to delete
personal data of employees, individual customers, and contacts on their request, at a time in the Personal Data
Removal view of the Data Protection and Privacy Work Center.
Note
In this document, employees, individual customers, and contacts are collectively referred to as business
partners.
Prerequisite
You have defined the retention periods relevant for your country/region in your system configuration. Navigate
to Business Configuration Overview and search for the following fine-tuning activities:
Note
Users with authorization to access the Data Protection and Privacy Work Center can perform all data
protection and privacy functions within this Work Center, including the disclosure and deletion of personal
data. Access to this Work Center is granted in the Administrator Work Center. Ensure that only employees
with authorization to disclose or delete personal data are granted access to the Data Protection and Privacy
Work Center.
Procedure
1. In the Data Protection and Privacy Work Center, open the Personal Data Removal view.
2. To display data for removal of employees, individual customers, and contacts, select the relevant option
from the drop-down. For example: If you want to remove an employee’s data, select All Employees. If you
want to delete the data for multiple employees, click the Show Advanced Filter icon. In the Employee ID
field, click the More Options icon. In the Employee ID dialog box that opens, enter the employee IDs or
employee names in the Value field and click Go.
Caution
If there is a legal requirement to keep a business partner's information in the system, click Block Removal
to block the entity from being depersonalized. Click Unblock Removal once the blocking need no longer
exists.
When a business partner is blocked for removal, it is not possible to trigger a personal data removal
run from the Data Protection and Privacy Work Center. During scoping, you can prevent the deletion
of transactions that are assigned to a blocked business partner. To enable this option, navigate to
Business Configuration > Implementation Projects. Select your project and navigate to Edit
Project Scope > Questions > Built-in Services and Support > System Management > Security > Data
Privacy and select the related option.
In SAP Cloud for Customer, there shouldn’t be any standard use cases which would require enhanced
blocking support. Data will be deleted from SAP Cloud for Customer when requested by you. If the data
is subject to legal and/or internal retention periods (e.g. for audit needs), the data must be stored in
the leading system that owns the transactions for the corresponding period and not in SAP Cloud for
Customer. For example, sales quotes can be replicated to SAP S/4 to complete the business process –
in this case, the audits have to happen in SAP S/4.
In cases where SAP Cloud for Customer data is not replicated to other systems/databases (e.g. SAP
S/4) and would need to be kept past its initial purpose, the system offers an “export and delete” based
approach. This means any data that should not be accessible in the system (blocked), but might still be
needed for potential audits has to be exported and safely stored, before it is deleted in the system. To
know more about how data can be exported, see the Related Information section.
Note
• The data removal process is local in Cloud for Customer and is not replicated to any external system
such as SAP CRM, SAP S/4HANA, or SAP ERP. In an integrated landscape, we presume that the
backend systems are the leading system, which governs the life cycle of the customer record because
the back end solution ideally has financial documents such as invoices.
As an alternative you can mark the customer record as obsolete and let the automated removal run
take care of triggering the removal. Once you mark the records as obsolete, the change is replicated to
the connected systems, where each of these systems handles the customer records locally.
• If an individual account is deleted, all appearances in any party role for this instance in transactional
documents are depersonalized unless it is blocked for deletion.
Caution
Removal of employees and contact persons leads to different results for different transactions. For
example, activities might be deleted completely, but other transactions have their descriptions removed
or scrambled, or attachments deleted. During scoping, you can choose to retain the transactional data
that is assigned to contacts and employees. To enable this option, navigate to Business Configuration >
Implementation Projects. Select your project and navigate to Edit Project Scope > Questions > Built-in
Services and Support > System Management > Security > Data Privacy and select the following question:
During personal data removal, do you want to retain the transactional data and remove only the personal
data of contacts and employees?
Result
You have successfully removed all work agreements (and associated application data) and availability
calendars from the system for the selected unblocked entities. You can verify this removal by starting the
Administer Data Removal Runs common task, and selecting Successful Removal Runs in the Show field.
Note
In addition to the above, you can use the following methods for data removal:
• Data workbench: If you want to remove more personal details, you can use the data workbench to
export employees and contacts of individual customers. The data workbench export feature allows you
to filter one or more persons to be exported. Then, using the update feature, unwanted records can be
deleted. For more information, see Data Workbench.
• OData APIs: You can use OData APIs to build custom apps to remove desired personal data. The APIs
can be called using custom logic, from Excel spreadsheets, and so on. For more details, see SAP Cloud
for Customer OData API v2 Reference.
Related Information
The processing of personal data is subject to applicable laws related to the deletion of this data when the
specified, explicit, and legitimate purpose for processing this personal data has expired. If there's no longer a
legitimate purpose that requires the use of personal data, it must be removed. When removing data in a data
set, all referenced objects related to that data set must be removed as well.
As an administrator with responsibility for data protection functions, you've the ownership to decide when a
document loses its business purpose. In the SAP Cloud for Customer system, you can delete or depersonalize
a document based on the following conditions:
• Delete: Documents that don't provide any value after personal data is removed, are deleted. They're no
longer available in the system.
• Depersonalize: Documents that have business value, even if no personal data is available, are
depersonalized. The system removes all the personal data, but retains the business data. The documents
are still in the system and an authorized person can access them. However, these documents can no longer
be changed.
Since depersonalization removes all personal information, the processed objects are no longer available
with the My <business object> filter. Some data in a depersonalized document is replaced by XXXX, and
others, such as, attachments, are deleted. The transaction itself remains, but the personal data is either
removed completely, or replaced with XXXX.
• Transaction Removal
opportunity), select the object, and from the actions list, click Delete or Depersonalize. If there are
no blockers (either because an involved Business Partner is blocked for deletion, or because the object
is still active), the selected objects are depersonalized.
If you're required to keep data without purpose longer because of conflicting laws or regulations, you
must export it using archiving, data workbench, or the corresponding OData API before you delete or
depersonalize it from the system. For more information, see the reference in the Related Information
section at the end of this document.
• Automated Removal
Enable automated removal using the Archiving functionality. You can schedule the removal of transactions
based on different criteria. If the criteria are met and no vetoes are triggered, the archiving functionality
removes the transaction from the system. For more information, see Archiving.
In the Data Protection and Privacy Work Center, under Personal Data Removal, it's possible to block person-
based business partners from being deleted.
During the depersonalization run, the system checks to ensure that none of the involved business partners
have been blocked from deletion. It continues with the depersonalization of the business partners only if
they aren't blocked for deletion. The same settings also prevent the deletion of transactions that are linked to a
business partner who has the deletion block set.
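The delete and depersonalize behavior and the blocker check described above can be modeled as follows. This Python example is added here and is not SAP code or an SAP API; the document structure, the field names, the list of fields treated as personal data, and the sample records are constructed assumptions.

```python
"""Model of transaction removal: blockers, delete, and depersonalize."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Set

MASK = "XXXX"
# Assumption: which fields hold personal data. Field names are hypothetical.
PERSONAL_FIELDS = {"contact_name", "email", "phone", "notes"}


@dataclass
class Document:
    doc_id: str
    doc_type: str
    active: bool
    parties: List[str]            # business partner IDs in any party role
    fields: Dict[str, str]
    attachments: List[str] = field(default_factory=list)
    read_only: bool = False


def blockers(doc: Document, blocked_partners: Set[str]) -> List[str]:
    """Reasons why the document must not be removed (empty list = no blocker)."""
    found = []
    if doc.active:
        found.append("object is still active")
    hit = sorted(set(doc.parties) & blocked_partners)
    if hit:
        found.append("business partner blocked for deletion: " + ", ".join(hit))
    return found


def depersonalize(doc: Document) -> Document:
    """Return a copy with personal data masked and business data retained."""
    out = copy.deepcopy(doc)
    for name in out.fields:
        if name in PERSONAL_FIELDS:
            out.fields[name] = MASK
    out.parties = [MASK for _ in out.parties]  # every party role is masked
    out.attachments = []                       # attachments are deleted
    out.read_only = True                       # no further changes allowed
    return out


def run_removal(store: Dict[str, Document], selection: List[str],
                action: str, blocked_partners: Set[str]) -> Dict[str, str]:
    """Apply "delete" or "depersonalize" to the selection; return the outcome per ID."""
    if action not in ("delete", "depersonalize"):
        raise ValueError("action must be 'delete' or 'depersonalize'")
    outcome = {}
    for doc_id in selection:
        doc = store[doc_id]
        reasons = blockers(doc, blocked_partners)
        if reasons:
            outcome[doc_id] = "skipped: " + "; ".join(reasons)
        elif action == "delete":
            del store[doc_id]
            outcome[doc_id] = "deleted"
        else:
            store[doc_id] = depersonalize(doc)
            outcome[doc_id] = "depersonalized"
    return outcome


def sample_store() -> Dict[str, Document]:
    """Constructed sample records."""
    return {
        "OPP-1": Document("OPP-1", "Opportunity", False, ["BP-100"],
                          {"contact_name": "Jane Roe", "email": "jane.roe@example.com",
                           "expected_value": "12000 EUR"}, ["offer.pdf"]),
        "OPP-2": Document("OPP-2", "Opportunity", False, ["BP-200"],
                          {"contact_name": "John Doe", "expected_value": "500 EUR"}),
        "LEAD-3": Document("LEAD-3", "Lead", True, ["BP-100"],
                           {"contact_name": "Jane Roe", "source": "Trade fair"}),
        "TASK-4": Document("TASK-4", "Task", False, ["BP-100"],
                           {"notes": "Call Jane about the renewal"}),
    }


if __name__ == "__main__":
    records = sample_store()
    print(run_removal(records, ["OPP-1", "OPP-2", "LEAD-3"], "depersonalize", {"BP-200"}))
    print(run_removal(records, ["TASK-4"], "delete", {"BP-200"}))
```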
When you mark a document for deletion or depersonalization, the system ignores any defined retention
periods since the customer is in full control over what should be deleted or exported.
Blocking access to personal data follows an export and delete approach. This means any data that shouldn't
be accessible in the system (blocked), but might still be needed for potential audits has to be exported and
safely stored, before it's deleted in the system. To know more about how data can be exported, see the Related
Information section below.
The following table gives an overview of all the objects that can either be deleted or depersonalized.
Appointments Yes
Tasks Yes
Visits Yes
Routes Yes
Plans Yes
Promotions Yes
Invoice Yes
Payments Yes
In addition to the objects in the table, there are some special objects that are handled differently:
• Surveys: Surveys aren't intended to collect personal data and are therefore not deleted during a
depersonalization run.
• Routing Rules, Tours, and Routes: Routing rules, tours, and routes are configuration settings and aren't
depersonalized. These objects are directly deleted if they're no longer needed.
• Territory: Territory isn't part of document driven deletion. If necessary, Business Partners can be removed
from it.
• Sales Target Plan and Sales Forecast: Sales target plan and forecast don't have an OData-based export.
It's possible to export planning data as an Excel file in the OWL.
• Sales Price Specifications: Sales Price Specifications are replicated from ERP to Cloud for Customer. This
data is read-only in SAP Cloud for Customer and can't be changed. If this information must be removed, it
must be deleted in the system that owns those records and then replicated into Cloud for Customer.
Related Information
Archiving
If the purpose for which you acquired data is not valid anymore, but you must retain it for audit purposes, you
can export the data before deleting it from the system.
SAP Cloud for Customer supports this data retention requirement with the following options:
• Archiving: Data no longer needed can be removed from the SAP Cloud for Customer system and placed in
an archive with limited access. This way, regular users can no longer access the data, but it would still be
possible for auditors to review the data. For more information, see Archiving.
Archiving removes data solely based on the retention periods defined per object. If you need more
detailed retention criteria, we recommend that you use OData APIs to remove your data.
• Data workbench: You can use the data workbench to export full datasets for employees and contacts of
individual customers. The data workbench export function allows you to specify one or more persons to
be processed. It also allows you to select the fields you would like to export, for example, ignore technical
IDs, don't export business addresses. For more information, see Data Workbench.
• OData APIs: You can use APIs to build custom processes to export exactly what you need for your use
cases, including all the personal data of the business partner, linked transactions, and other related data.
The APIs can be called using custom logic, from Excel spreadsheets, and so on. For more details, see SAP
Cloud for Customer OData API v2 Reference.
Check the status of all data removal runs performed in the background.
Removal of personal data in the Data Protection and Privacy work center is performed automatically in a
separate background process. The Administer Data Removal Runs common task provides you with an overview
of planned, current and completed data removal runs, the ability to reschedule failed runs, mark runs as
obsolete, and delete runs.
Data removal runs are triggered by users in the Personal Data Removal view and executed by the system in the
background. Within the Personal Data Removal screen from which the process is started, the user receives no
direct feedback on the status of the removal run that has been triggered. You check the outcome of all data
removal runs in the system using the Administer Data Removal Runs common task.
Features
The Administer Data Removal Runs common task provides you with an entry point to check the status of all
background data removal runs performed by the system.
Schedule Job
Select an existing removal run and click Schedule on the initial Administer Data Removal Runs screen. This
allows you to reschedule runs that have previously failed.
Select an existing removal run and click Actions > Set to Obsolete. This is useful in situations when, for
example, technical issues mean there is no point in retrying the run in question at this point in time.
Delete Run
Select an existing failed removal run with the status Obsolete and click Delete. The removal run is deleted from
the system. You can also delete successfully completed removal runs.
Information about the removal run itself is stored by the system in the Removal Log if you are deleting a
previously successful removal run. However, the deletion of failed removal runs is not logged.
You access this log in the Common Tasks section of the Personal Data Removal view.
You can also access the Job Monitor by selecting an existing removal run and clicking View Jobs on the initial
Administer Data Removal Runs screen. The monitor displays the status for individual removal run jobs that
have commenced in the system and can provide more information as to why a particular job has failed, the
actual status of the job in the system (for example, Pending), or if there is an error in the job itself.
The Application Log is accessed by clicking the Application Log ID for a given job in the Details section of the initial Administer Data
Removal Runs screen. Each instance of the Application Log consists of three different tab sections that group
the messages posted to the log itself:
• Overview
Displays an aggregation of the removal run data collected in Results.
• Settings
Contains information on the parameters and settings of the business objects in the system background:
log parameters, selection criteria used to create the log data, and any relevant data derived from
configuration settings.
• Results
Provides detailed information and status of the removal run, including any error messages generated
during execution.
Example
As the Human Resources administrator, responsible for employee data protection and privacy in Akron
Heating, Oliver Adams must remove personal data for an employee who has requested its removal. The
statutory retention period for this data is completed, so Oliver can now remove this data from the system.
Oliver triggers removal of the employee's data on the Remove Employee screen and receives a message that
the data removal process for this employee has started in the background. Oliver now checks on the status of
the removal run he has triggered as follows:
1. He opens the Administer Data Removal Runs common task and in the Show field, he selects All Removal
Runs.
2. He sees from the Removal Failed column that the removal run he triggered was not successful.
3. He decides to reattempt this removal run, so clicks Schedule and opens the Schedule Job screen for his
selected run and selects the Start Immediately radio button.
4. This removal run unfortunately fails for a second time. Oliver decides therefore to abandon this particular
removal run and seek support from colleagues. He sets the run as obsolete and then clicks Delete to
remove all data about this failed run from the system. As the run failed and no personal data was removed
for the employee on this occasion, there is no entry made in the Removal Log by the system.
As a data protection officer, you can schedule automated deletion of obsolete business partners, such as
contacts, employees, and customers with different roles, such as individual customers and prospects.
In the Administer Obsolete Business Partner Removal Runs view, you can create a batch job to schedule
deletion runs. You can schedule the runs immediately, or set a recurrence to continuously purge obsolete
business partners from the system. The system selects all the business partners that have been set as
obsolete before a certain cut-off date. This is required to account for deletion vetoes if a business partner can't
be deleted. Once the selection is done, the system creates one data removal run per business partner.
Prerequisite
You can enable mass-setting of the obsolete status for Business Partners using one of the following:
• End-of-purpose APIs that have been provided for integration scenarios. For more information, see Web
Services for Business Partner End-of-Purpose [page 67]
• Custom development using the SAP Cloud Applications Studio
• OData APIs or Data Workbench using the following steps:
1. Export set of Business Partners based on selection criteria
2. Run further checks if needed, and then update the status flag to Obsolete
3. Import the Business Partners back into the system and update the records
Procedure
1. Navigate to Data Protection and Privacy > Common Tasks and click Administer Obsolete Business
Partner Removal Runs.
2. Click New to open the Schedule Deletion Run screen.
3. Enter a Run ID and description. The Run ID must be a unique ID with no spaces or special characters.
4. Enter the Date Offset period. For example, if you enter the date offset period as 30 days, one of the
following things will happen:
• Contacts and customers with different roles, such as individual customers and prospects, are removed
from the system 30 days after they are set to obsolete.
• Employees are removed from the system 30 days after they are terminated.
that the
5. Choose a Business Partner Type.
To include business partners that are replicated from other systems to the SAP Cloud for Customer
system, select the Include Business Partners with ID Mapping checkbox.
If you do not select the checkbox, the system excludes the business partners that are replicated from
other external systems such as SAP S/4HANA, and ERP, and only triggers removal for business partners
available locally in the SAP Cloud for Customer system.
In the Deletion Runs overview screen, select your run to see the details in the table below. Click the Application
Log ID hyperlink to open the screen with details of your run. In the Results tab, the system displays the status of
all the individual removal runs for each business partner, and the corresponding Run ID, if already scheduled.
Note
• The green icon indicates that the removal run has been already scheduled. This does not mean that the
removal is successful. To check the status of the obsolete business partner removal runs performed in
the background, navigate to the Administer Data Removal Runs view and search by the Run ID.
• The red icon indicates that the system failed to trigger a removal run.
Related Information
Determine if you need to retain business partner data in your system when that data has already been deleted
from an integrated external system.
The following graphic describes the process flow to determine the End-of-Purpose for your business partner data.
You can use web services or manually block such business partners in your system using blocking reasons.
For business partners blocked using the below-mentioned interfaces, data cannot be retrieved in list views
in Work Centers, value help in related fields, values selectors, analytics, duplicate checks and web service or
OData queries in the application.
• II_BUPA_EOP_MAINTAIN_IN: Use this interface to set the End-of-Purpose flag for business partners. If this
flag is set, then the business partner data is hidden in corresponding Work Centers and value helps and is
not visible to users. Note that the data can be viewed by administrators in the Data Protection and Privacy
Work Center.
• II_BUPA_ERP_REPL_IN: A new attribute has been added in the element structure for the existing interface.
Set the indicator for business completed / End-of-Purpose flag. If this flag is set, then the business partner
data is hidden in corresponding Work Centers and value helps and is not visible to users. Note that the data
can be viewed by administrators in the Data Protection and Privacy Work Center.
Context
Caution
This action is irreversible, and the business partner can no longer be viewed.
In the Administer Business Partner End of Purpose Runs view, you can create a batch job to schedule end of
purpose runs. You can schedule the runs immediately or set a recurrence to continuously set the status of the
business partners to End of Purpose. The system selects all the business partners that have not been used
in any transactions before a certain cut-off date. Once the selection is done and the status is set, the system
removes the data during the Automated Business Partner Removal Run.
Note
During the run, only local business partners are considered. If triggered by SAP S/4HANA, business
partners that are present via integration from an S/4HANA system will be considered too.
Procedure
1. Navigate to Data Protection and Privacy > Common Tasks and click Administer Business Partner End of
Purpose Runs.
2. Click New to open the Schedule Business Partner End of Purpose Run screen.
3. Enter a Run ID and Run Description.
4. Enter the Date Offset period.
In the case of contact persons and customers, if you set the date offset to 1 Month(s), it means the
business partner must not have been changed within the last month. Here, the system checks against the
last changed date which is called Changed On within the contact.
In the case of employees, when it is set to 1 Month(s), it means the employee must have been terminated
one month ago. Here, the system checks against the termination date which is validTo in the employee UI.
Caution
By using the simulation mode, you can verify the number of business partners for which the status is going
to be changed, prevent the status of the business partners from changing, and see any errors that can
occur during the run.
8. Select the run option to either start the run immediately or schedule a recurring run.
9. Click Save and Close.
In the End of Purpose Runs overview screen, select your run to see the details in the table below. Click the
Application Log ID hyperlink to open the screen with the details of your run. In the Results tab, the system
displays the number of business partners for which the status has been changed, and the corresponding
Run ID, if already scheduled.
In the General tab, you can see the summarized messages if the run was in simulation mode and in the
Settings tab, you can see the parameters that were set for the executed run.
Note
Summarized Messages
Message 1: Simulation run scheduled for 10235 Business Partners of type Contact Person.
Meaning 1: This indicates the number of business partners picked up for the run.
Meaning 2: The number of business partners that are active and referenced in transactions.
Note
• The green icon indicates that the end of purpose run has been already scheduled. This does not
mean that the run is successful. To check the status of the end of purpose business partner runs
performed in the background, navigate to the Administer Business Partner End of Purpose Runs
view and search by the Run ID.
• The red icon indicates that the system failed to trigger an end of purpose run.
Use Read Access Logging (RAL) to log and monitor read-access to sensitive personal data such as bank data.
You can identify and track who has accessed critical information and when.
In the SAP Cloud for Customer system, you can monitor the access to sensitive personal data in the Log
Display view under the Data Protection and Privacy Work Center.
Whenever sensitive personal data fields are viewed by a user, a Read Access Log (RAL) entry is created. These
entries form different RAL field groups in the system.
If the field that you have marked as sensitive personal data is part of a field group that is already active, the
system takes one day to start read access logging for that field. To start read access logging immediately,
activate or deactivate the corresponding field group.
Note
• You can add sensitive personal data fields only to Business Partner extensions.
• You can’t add sensitive personal data fields to object worklists, value selections, enterprise search, or
extension scenarios.
• You can’t use sensitive personal data fields as placeholders in workflow rules.
The standard Read Access Logging enabled field along with the corresponding Field Group is listed in the
following table:
Business Partner Tax number and Type Business Partner Tax Data
Note
The Field Group configuration is shared between Business by Design and SAP Cloud for Customer. It
therefore contains several other field groups that are not relevant for SAP Cloud for Customer. The
corresponding functionalities exist only in Business by Design.
The following table gives you a list of the objects that support RAL enabled custom document type
attachments:
Promotion Purpose
• Data Workbench: Access to files stored in the Data Workbench can be enabled for read access logging.
• Key User Tools Extension Fields: This field group contains all custom fields added via the adaptation
mode and marked as sensitive personal data. This group is activated or deactivated after each change to
the custom field classification.
• Output Management Data: Data that leaves the system via the Output Management (for example
printing) can be tracked via this group.
• Web Service Message: The Web service monitoring provides access to the payloads of the processed Web
service calls. Because of its potentially sensitive nature, this feature is restricted to administrators.
• SAP Cloud Applications Studio: Sensitive personal data custom fields added via the SAP Cloud
Applications Studio are controlled via field groups that correspond to their project name.
Note
You are not allowed to debug or trace the SAP Cloud Applications Studio solution in the production
system, if RAL is scoped and any RAL field group is active. However, if you want to debug the solution,
your administrator must assign your user to the Production Debugging Authorization work center view.
After the debugging is complete, it is recommended that the authorization is removed.
• You have selected the scoping question Do you want to switch on the Read Access Logging for sensitive
personal data? To find this question, navigate to Business Configuration > Implementation Project > Edit
Project Scope > Questions > Built-in Services and Support > System Management > Security.
• You have defined customer document types for attachments using the following steps:
1. Navigate to Business Configuration > Implementation Project and click Open Activity List.
2. Search and select the Customer-defined document types for attachments activity.
3. Under Customer-Defined Document Types, click Add Row, and then define your document type.
4. Select the relevant usage, and click Save and Close.
If you select the applicable usage on both the documents, attachments are copied to a follow-up
document.
To view changes to the field group, click Changes and enter the date range for which you want to see the
changes.
Click Actions > Show Read Access Log to go directly to the Read Access Log screen.
Click Actions > Generate Field Group Configurations to add a new field group to the list of Field Groups
whenever it is available in the system.
You can also download the RAL data via Web service QueryReadAccessLogIn. To enable this service, navigate
to Administrator > Integration, and create a new Communication Scenario and a new Communication
Arrangement.
• Ensure that the CRM system is at least on SAP CRM EHP3 SP05.
• In the SAP Cloud for Customer system, ensure the following:
• In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
Questions > Communication and Information Exchange > Integration with External Applications and
Solutions > Integration of Master Data, select the Do you want to check and maintain end of purpose
of a business partner from an external application? business option.
• In the Administration work center, navigate to General Settings > Integration > Communication
Arrangement and configure the Business Partner End of Purpose Check from SAP Business Suite
communication scenario.
• In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerEndOfPurpose
BAdI in the http://sap.com/xi/AP/Common/Global namespace. You can implement end of purpose
checks in this BAdI and raise a VETO check.
• If you are using the SAP NetWeaver Process Integration (PI):
• Download the following PI content versions:
• CRMCOD01 IC 700 – SP25
• SAP BYD 2.40 – SP26
• CRMPCD01 700 – SP25
• Configure the following operation mapping:
• CRM_COD_BusinessPartnerEndOfPurposeCheck
• CRM_COD_BusinessPartnerEndOfPurposeSet
• If you are using the Cloud Platform Integration:
• Download the 1805 version of SAP Cloud for Customer Integration with SAP CRM
• Configure the following iFlows:
• Check End of Purpose of Business Partners from SAP Business Suite
• Maintain End of Purpose of Business Partners from SAP Business Suite
• To see how you can control the blocking and deletion of personal data in SAP CRM, refer to the SAP Help
Portal for SAP CRM: http://help.sap.com/crm. Choose the relevant release, and navigate to Application
• Ensure that the ERP system is at least on SAP ERP 6.0 EhP7 SP05.
• In the SAP Cloud for Customer system, ensure the following:
• In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
Questions > Communication and Information Exchange > Integration with External Applications and
Solutions > Integration with SAP ERP, select the Do you want to integrate with the end of purpose
check of SAP ERP? business option.
Your SAP ERP or SAP S/4HANA system can contain various identification numbers, such as tax ID numbers or
social security numbers. Some of these identification numbers can be sensitive information and special data
protection policies could apply to them. To safeguard such information, you must filter out this information so
that these numbers aren't replicated to SAP Cloud for Customer.
Restriction
While data encryption is addressed in SAP Cloud for Customer in secure communication channels and
at rest, there’s no specific masking or additional encryption. Therefore, you must filter out sensitive
information, such as personal identification numbers, before replicating.
To learn how to set up these filters for SAP ERP, see Business Partner Tax Code.
For instructions on how to set up these filters for SAP S/4HANA, see Restricting Sensitive Tax Number.
For instructions on how to set up these filters for SAP S/4HANA Cloud, see the section on Restricting
Sensitive Tax Number in the document: Setting Up Opportunity-to-Order with SAP Cloud for Customer (1VP).
The following terms are general to SAP products. Not all terms may be relevant for this SAP product.
• Consent: The action of the data subject confirming that the usage of his or her personal data shall be
allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a
specific purpose and shows if a data subject has granted, withdrawn, or denied consent.
The legal, contractual, or in other form justified reason for the processing of personal data to complete an
end-to-end business process. The personal data used to complete the process is predefined in a purpose,
which is defined by the data controller. The process must be defined before the personal data required to
fulfill the purpose can be determined.
• End of business: Defines the end of active business and the start of residence time and retention period.
• End of purpose (EoP): End of purpose and start of blocking period. The point in time when the primary
processing purpose ends, for example, a contract is fulfilled.
• End of purpose (EoP) check: A method of identifying the point in time for a data set when the processing of
personal data is no longer required for the primary business purpose. After the EoP has been reached, the
data is blocked and can only be accessed by users with special authorization, for example, tax auditors.
• Purpose: The information that specifies the reason and the goal for the processing of a specific set of
personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data.
• Residence period: The period of time between the end of business and the end of purpose (EoP) for a data
set during which the data remains in the database and can be used in case of subsequent processes related
to the original purpose. At the end of the longest configured residence period, the data is blocked or
deleted. The residence period is part of the overall retention period.
• Retention period: The period of time between the end of the last business activity involving a specific
object (for example, a business partner) and the deletion of the corresponding data, subject to applicable
laws. The retention period is a combination of the residence period and the blocking period.
• Sensitive personal data: A category of personal data that usually includes the following type of
information:
• Technical and organizational measures (TOM): Some basic requirements that support data protection and
privacy are often referred to as technical and organizational measures (TOM). The following topics are
related to data protection and privacy and require appropriate TOMs, for example:
• Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of
business partner data. An application's where-used check (WUC) determines if there is any dependent data
for a certain business partner in the database. If dependent data exists, this means the data is still required
for business activities. Therefore, the blocking of business partners referenced in the data is prevented.
The data centers that support SAP Cloud solutions incorporate multiple safeguards for physical data security
and integrity. They also provide high availability of your business data, using redundant networks and power
systems.
SAP follows operating best practices for data centers by deploying computation and storage parts of the
solution over separated fire-safe areas to support disaster recovery in the event of a fire.
For data backup and recovery purposes, a redundant hardware storage system performs regular backups. To
provide enhanced data integrity, your SAP Cloud solution uses an advanced database management solution to
store customer data and securely isolate each customer’s business information in its own database instance.
SAP data centers maintain multiple connections to several power companies, making a complete power outage
highly unlikely. Even if the local power grid were to fail, the data centers supporting your SAP Cloud solution
have an uninterruptible power supply for short-term outages, and a diesel generator backup power supply for
longer-term outages. Therefore, power interruptions or outages are unlikely to affect customer data or solution
access.
SAP data centers, located in the United States of America and Germany, are logically separated and staffed
around the clock, 365 days a year. A biometrics security system permits access only to authorized personnel,
Auditing and logging allow you to monitor and record specific events and actions performed in SAP Cloud for
Customer.
Most business objects and every business partner object display their detailed change logs in the Change
Logs tab, for example, Contacts and Individual Customer. If you are unable to see the tab, you have to enable
it using personalization, or have your administrator enable it for you.
The Business Partners Work Center provides access to changes for all Business Partners such as: accounts,
employees, contacts, or individual customers. Different users can filter on their role to view and check on the
changes applicable to their activities. The Business Partner Changes tab makes the change logs available to
a business partner. Access to the change log for the Business Partners tab should be restricted to users who
require it.
Go to Administrator > Flexibility Change Log to view the custom changes applied to the system.
You can restrict access to the Change Logs tab using adaptation, based on the user role. This helps control
access to private information for all users.
Monitoring and alerting is a shared responsibility in which SAP focuses on infrastructure level events and
customers focus on the application level events.
Logs under SAP’s responsibility will be sent to monitoring systems located in the US or Europe. These logs are
protected and the access is limited to personnel on a need-to-know basis.
These logs contain usernames, IP addresses, and query strings for API calls.
The solution offers a set of reports that provide insight into the system's behavior. Depending on your
authorizations, not all of these reports may be accessible.
The following reports have security-relevant information and are available under Business Analytics > Design
Reports:
Also under Administration, you can find a list of IT control processes that allows you to monitor service provider
access to your solution. IT control processes are IT-related changes made in your system, such as software
updates or processes involving incident analysis.
Security-relevant information is captured in data sources. As an administrator you can use reports that are
based on these data sources.
These data sources can also be accessed via the OData API to enable the extraction of security-relevant
information. You can extract the following data sources with the relevant OData APIs under Business
Analytics > Design Data Sources > Build OData Queries:
• Suspicious user creation or change (data source: User - Current Status Details): Several users are getting
created (creation timestamps)
• Suspicious logon times (data source: User Logon Details): A user is logging on during non-business hours
• Logon via suspicious client types and/or device type (data source: User Logon Details): User connects via
an Android device and Firefox despite company policy to only use Apple devices and Chrome
• Suspicious user lock/unlock (data source: User - Current Status Details): Users are being locked/unlocked
over a certain threshold
• Password brute force attempts (data source: User Logon Details): Number of failed logon attempts is
spiking over several users or outside of business hours
• Authorization changes (data source: User - Access Rights Change Documents): Users getting access rights
outside their area of responsibility (e.g. users belonging to lead qualification get access to sales orders and
contracts)
• Suspicious Security Policy used in logon (data source: User Logon Details): The security policy controls
password complexity, if username/password authentication is allowed at all
• Assignment of administrator rights (data source: User - Access Rights Change Documents): List of
administration related work center is available under Authentication Mechanisms
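The following Python example, added here and not taken from SAP, applies three of the checks listed above (logons outside business hours, disallowed client types, and failed-logon spikes across several users) to rows shaped like a User Logon Details extract. The field names, business hours, thresholds, and sample rows are assumptions constructed for illustration; map them to the columns of your own extract.

```python
from collections import deque
from datetime import datetime, timedelta


def _row(user, ts, ok, device, browser):
    # Field names are assumptions, not the data source's actual column names.
    return {"user": user, "time": datetime.fromisoformat(ts), "success": ok,
            "device": device, "browser": browser}


# Constructed sample rows (not real data) standing in for a User Logon Details extract.
SAMPLE_LOGONS = [
    _row("ASMITH", "2024-03-04T09:12:00", True, "Apple", "Chrome"),
    _row("BJONES", "2024-03-04T10:40:00", True, "Android", "Firefox"),
    _row("CLEE", "2024-03-05T02:17:00", True, "Apple", "Chrome"),
    # Burst of failed logons spread over several users, late in the evening.
    _row("ASMITH", "2024-03-05T23:01:00", False, "Apple", "Chrome"),
    _row("BJONES", "2024-03-05T23:01:30", False, "Apple", "Chrome"),
    _row("CLEE", "2024-03-05T23:02:10", False, "Apple", "Chrome"),
    _row("DKHAN", "2024-03-05T23:03:00", False, "Apple", "Chrome"),
    _row("ASMITH", "2024-03-05T23:04:45", False, "Apple", "Chrome"),
    # Isolated failure during the day: should not raise a spike alert.
    _row("DKHAN", "2024-03-06T11:00:00", False, "Apple", "Chrome"),
]


def is_business_hours(ts, start_hour=8, end_hour=18, workdays=(0, 1, 2, 3, 4)):
    """True if ts falls on a workday (Monday=0) between start_hour and end_hour."""
    return ts.weekday() in workdays and start_hour <= ts.hour < end_hour


def off_hours_logons(events):
    """Successful logons that happened outside business hours."""
    return [e for e in events if e["success"] and not is_business_hours(e["time"])]


def client_policy_violations(events, allowed_devices=("Apple",),
                             allowed_browsers=("Chrome",)):
    """Logon attempts from a device or browser that company policy does not allow."""
    return [e for e in events
            if e["device"] not in allowed_devices
            or e["browser"] not in allowed_browsers]


def failed_logon_spikes(events, window=timedelta(minutes=10), threshold=5, min_users=3):
    """Sliding-window check: at least `threshold` failures from at least
    `min_users` distinct users within `window`. One alert per burst."""
    failures = sorted((e for e in events if not e["success"]),
                      key=lambda e: e["time"])
    recent, alerts, alerting = deque(), [], False
    for e in failures:
        recent.append(e)
        # Drop failures that have fallen out of the time window.
        while e["time"] - recent[0]["time"] > window:
            recent.popleft()
        users = sorted({r["user"] for r in recent})
        hit = len(recent) >= threshold and len(users) >= min_users
        if hit:
            summary = {"start": recent[0]["time"], "end": e["time"],
                       "failures": len(recent), "users": users,
                       "off_hours": not is_business_hours(e["time"])}
            if alerting:
                alerts[-1] = summary      # same burst is still growing
            else:
                alerts.append(summary)    # a new burst starts here
        alerting = hit
    return alerts


if __name__ == "__main__":
    for e in off_hours_logons(SAMPLE_LOGONS):
        print("off-hours logon:", e["user"], e["time"])
    for e in client_policy_violations(SAMPLE_LOGONS):
        print("client policy violation:", e["user"], e["device"], e["browser"])
    for a in failed_logon_spikes(SAMPLE_LOGONS):
        print("failed-logon spike:", a["failures"], "failures,", a["users"],
              "off hours" if a["off_hours"] else "business hours")
```
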
Related Information
Use Read Access Logging (RAL) to log and monitor read-access to sensitive personal data such as bank data.
You can identify and track who has accessed critical information and when.
Note
The following table provides an overview of the error codes for outbound errors and recommendations on how
to solve the errors.
Connectivity errors can occur on the client or on the server side. Errors that occur on the client side usually
mean that it is not possible to establish the technical HTTP(S) connection to the server on the network level.
Errors that occur on the server side are usually reported through an HTTP error code.
Outbound Errors
Error Code Reasons and Recommended Actions
ICM_HTTP_SSL_ERROR SSL error. This error may occur for several reasons. Depending on the
reason, proceed as follows:
Reason: The server name or the server name pattern contained in the
server's certificate does not match the host name of the server.
Action: Contact the person responsible for the server and ask for the
server certificate setup to be checked and corrected if necessary. Note
that if the server is set up correctly, this error may indicate a man-in-
the-middle attack.
Secure the customer interactions made through SAP Cloud for Customer.
The SAP Cloud solutions front ends consist of Web application user interfaces that support the following
features:
Communication Security
SAP relies on encryption technology that uses HTTPS to prevent unauthorized parties from intercepting
network traffic. The encryption is based on the Transport Layer Security (TLS) protocol. The required
encryption software is a standard component of up-to-date client operating systems and Web browsers.
Network Security
The network for your SAP Cloud solution employs a number of security technologies. The multilayered,
partitioned, proprietary network architecture permits only authorized access to the data centers that support
your SAP Cloud solution, with features that include:
• A Web dispatcher farm that hides the network topology from the outside world
• Multiple Internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks
• An advanced intrusion detection system that continuously monitors solution traffic for possible attacks
• Multiple firewalls that divide the network into protected segments and shield the internal network from
unauthorized Internet traffic
• Third-party audits performed throughout the year to support early detection of any newly introduced
security issues
Learn about the different communication channels used by SAP Cloud solutions.
The table shows the communication channels used by SAP Cloud solutions, the protocol used for the
connection, and the type of data transferred.
Web browser acting as front-end client to access the hosted SAP Cloud solution system | HTTPS | REST services | Application data | User IDs, passwords
Apple® iPad® application, Apple® iPhone®, BlackBerry® player, Android™ (SAP Cloud for Customer) | HTTPS | REST services | Application data | User IDs, passwords, application data
Cryptographic Protocols
Inbound Communications
For all inbound communications, TLS 1.2 is required. The following list shows a subset of supported cipher
suites, in server-preferred order:
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Note
SAP Cloud for Customer solutions use port 443 for HTTPS connectivity.
Every Cloud for Customer tenant is provisioned with a tenant certificate issued by the SAP Passport CA. The
validity period of the tenant certificate is one year.
For communications that rely on the tenant certificate to keep working, you must upload the valid
certificate to the relevant target systems after the renewal every year.
You can view the tenant certificate from Administrator > Common Tasks > Edit Certificate Trust List > View
Tenant Certificate.
You can download the tenant certificate from Administrator > Communication Certificates > Download
Tenant Certificate.
Prerequisite
To access the View Tenant Certificate and the Communication Certificates screens, you must be assigned to the
Communication Certificates view, under the Administrator work center.
The system checks the validity of the tenant certificate on the first day of every month through a background
process.
If the tenant certificate is about to expire within the next three months, the system sends a Tenant Certificate
About to Expire Within Three Months notification to all the administrators.
If the tenant certificate is about to expire within the next two months, the system attempts to renew it.
On successful renewal, the system sends a Tenant Certificate Renewed notification to all the administrators.
If the customer cannot wait for the automatic renewal, you, as an administrator, can renew the certificate manually.
Navigate to View Tenant Certificate and click Renew Tenant Certificate if the certificate is going to expire within
the next 3 months. On successful renewal, the system sends a Tenant Certificate Renewed notification to all
the administrators.
Note
Communication arrangements enable you to configure the electronic data exchange between your solution
and a communication partner. A communication partner can be a business partner in a B2B communication
scenario or an external communication system that is used for application integration, for example, external
time recording or master data systems.
Your SAP Cloud solution provides communication scenarios for inbound and outbound communication
that you can use to create communication arrangements. Inbound communication defines how business
documents are received from a communication partner, whereas outbound communication defines how
business documents are sent to a communication partner.
Before you can use electronic data exchange for a particular business process, you must configure and
activate a communication arrangement for the corresponding communication scenario. You can do so during
your solution configuration or, after configuration is complete, under Administrator > General Settings >
Integration > Communication Arrangements.
You can find the list of trusted certification authorities for server certificates under Administrator > General
Settings > Common Tasks > Edit Certificate Trust List.
Security configuration for electronic data exchange is conducted at the communication arrangements level,
where you can configure the authentication method and communication security.
Like end user authentication, B2B communication and application integration can be authenticated by two
mechanisms: user ID plus password, and the X.509 client certificate. For inbound communication, you can
upload the communication partner’s client certificate in the configuration user interface, and map it to the
communication user.
Caution
You can download an X.509 key pair from your SAP Cloud solutions. These key pairs are only intended
for communication with the SAP Cloud solution and must not be used for other communication. This is
because the corresponding certificate can be blocked in the solution and you can make the key pair invalid
for logging on to the client but you cannot invalidate its other uses.
Certificates have a validity period and expire at a defined point in time. Before expiration, they must be
renewed; if the client certificate’s Subject or Issuer has changed, then the upload and mapping process must
be repeated. Communication arrangements are the customer’s responsibility, since their configuration
reflects the specific details of their business partner. As a result, expiring certificates cannot be replaced
automatically by SAP; this action must be performed by the customer.
A good security concept also includes mandatory periodic password changes. These changes must be
performed synchronously by both parties involved. If an expired client certificate is renewed with the same
attributes, the certificate information can be exchanged asynchronously.
Recommendation
We recommend authentication using Single Sign-On with SAML 2.0 for browser-based access. Please
ensure that the passwords used are strong enough.
Communication arrangements help you to configure the electronic data exchange between the solution and a
communication partner.
Communication arrangements can be set up for multiple business documents and communication methods.
The solution provides communication scenarios for inbound and outbound communication that you can use to
create communication arrangements. Inbound communication defines how business documents are received
from a communication partner, whereas outbound communication defines how business documents are sent
to a communication partner.
The Communications Arrangements view enables administrators to create and edit communication
arrangements that your company has set up with a communication partner.
You can access this view from the Administrator work center, under General Settings > Integration.
In the Communication Arrangements view, the following communication types are supported:
• Business-to-business (B2B)
This communication type defines an electronic data exchange with a business partner.
• Application integration
This communication type defines an electronic data exchange with a communication system.
Note
Some communication arrangements are automatically created in your solution configuration. This is
indicated by the selected Predefined check box in the worklist of the Communication Arrangements view.
For predefined communication arrangements with inbound communication, you only have to define the
communication account.
Procedure
1. Open the New Communication Arrangement guided activity in the Communication Arrangements view by
clicking New.
2. In the Select Scenarios step, select the communications scenario for which you want to create a
communication arrangement and click Next.
Based on the communication scenario you selected, the system presets the fields in the next steps with
default values. Where possible, you can change the values, if necessary.
3. In the Define Business Data step, enter business data. The entry fields on the screen are dependent on the
communication type of the selected communication scenario.
a. If you have selected a B2B scenario, enter the ID of the business partner and select the associated
Identification Type. If necessary, you can also enter the ID of the contact person at the business
partner. If you have selected an application integration scenario, enter the System Instance ID of the
communication system with which you want to set up a communication arrangement. Note that before
you set up a communication arrangement, you need to create a communication system.
b. In the My Communication Data section, check the default values and make changes if necessary. Enter
the company that communicates with your communication partner. By default, the Company ID is
preset with the company to which you are assigned. If you use a B2B scenario, you must also enter a
valid identification type.
c. If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.
d. Click Next.
4. In the Define Technical Data step, define the technical settings for inbound and outbound communication.
a. Select the Communication Method you want to use for the communication arrangement. To
communicate with your business partner, you can either establish a direct connection or you can
use a collaboration service provider that provides services for B2B communication.
b. If you use inbound communication, select the Application Protocol and Authentication Method in the
Inbound Communication: Basic Settings section.
c. In the User ID field, click Edit Credentials.
Depending on the chosen authentication method, you need to define the credentials of the
communication user as described in the following table. The user ID of the communication user is
created automatically.
SSL client certificate If you use this authentication method, you need to upload the public key
certificate that has been provided by your communication partner. If your
communication partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 key pair file is password
encrypted and contains a public key certificate and a private key. You need to
provide the PKCS#12 file to your communication partner.
1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.
Note
• You have to provide your communication partner with the PKCS#12
file and the corresponding password.
• To import the PKCS#12 key pair file to a third party tool, see the SAP
Cloud for Customer Administration Guide.
User ID and password If you use this authentication method, you need to define a password as
follows:
1. Choose Change Password.
2. Enter a password.
Note that you have to provide your communication partner with the user
ID and password.
3. Click OK.
d. If you use outbound communication, select the Application Protocol, Authentication Method and enter
the Host Name in the Outbound Communication: Basic Settings section. Depending on the chosen
authentication method, you need to define the relevant settings as defined in the following table.
SSL client certificate | SAP system key pair | If you use this authentication, the relevant certificate must be known to the communication partner. Therefore, you need to download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded certificate.
SSL client certificate | Trusted third party key pair | If you use this authentication, you need to upload the PKCS#12 key pair file provided by your communication partner. The PKCS#12 file is password-encrypted and contains a public key certificate and a private key.
1. In the Authentication field, click Edit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you want to upload.
3. Enter the required password and click OK.
User ID and password | If you use this authentication method, you need to enter the user ID and password that is used by the communication partner for the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.
e. If necessary, you can individually configure each service that is used in the configuration scenario in
the advanced settings.
The service URLs for outbound communication are calculated from the protocol, port, host name, and
path. If you use SAP NetWeaver XI or IDoc, you do not need to change anything in the advanced settings
since the path is preset. However, if you use Web Services Reliable Messaging, you have to enter the path
for each service in the advanced settings.
a. To edit the advanced settings, click Edit Advanced Settings. Select the service you want to configure.
b. In the Details section, deselect the Use Basic Settings check box and change the relevant settings.
c. Click Next.
5. In the Review step, review the data you entered in the previous steps.
a. To ensure that all data is correct, click Check Completeness. You also see the service URLs for inbound
and outbound communication. If you use an inbound scenario, you must provide your communication
partner with the URLs for inbound communication since it is that address to which messages should
be sent.
b. To create and activate your communication arrangement in the system, click Finish. You can also save
an inactive version of the communication arrangement by clicking Save as Draft.
6. If you have created a communication arrangement for a B2B outbound scenario, you have to activate the
outbound channel for the business document that is used in the scenario.
Results
The system now uses electronic data exchange for the configured communication scenario.
Multiple communication arrangements can be created for an on-premise integration through a guided activity.
Context
Instead of repeating common information each time you create a communication arrangement, you can enter
common information once and create communication arrangements in bulk.
You can access this from the Administrator > Create Communication Arrangement for On-Premise
Integration common task.
Procedure
1. To open the New Communication Arrangement guided activity in the Communication Arrangements view,
click New.
2. In the Select Communication System step, enter business data.
a. Under Integration Details select the system you want to Integrate with and the relevant Integration
Middleware you want to use.
Note
If PI is selected as the middleware, fill in the system details in the field PI Business System.
b. Under Communication System enter the System Instance ID of the communication system with which
you want to set up a communication arrangement.
Note
Before you create a communication arrangement, you need to create a communication system.
See the SAP Cloud for Customer Administrator Guide for more detail.
With this action, the Communication System, User ID (Inbound Communication Credentials) and Host
Name are automatically populated.
If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.
a. If you use inbound communication, select the Authentication Method in the Inbound Communication
Credentials section. Depending on the chosen authentication method, you need to define the
SSL client certificate If you use this authentication method, you need to upload the public key
certificate that has been provided by your communication partner. If your
communication partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 file is password encrypted
and contains a public key certificate and private key. You need to provide the
PKCS#12 file to your communication partner.
1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.
Note that you have to provide your communication partner with the PKCS#12
file and the corresponding password.
User ID and password If you use this authentication method, you need to define a password as
follows:
1. Choose Change Password.
2. Enter a password.
Note
It is important to select a strong password and change the password
periodically. You have to provide your communication partner with
the user ID and password.
3. Click OK.
If you use outbound communication, select the Authentication Method. Depending on the chosen
authentication method, you need to define the relevant settings as described in the following table:
Authentication Method | Authentication | Settings
SSL client certificate | SAP system key pair | If you use this authentication, the relevant certificate must be known to the communication partner. Therefore, you need to download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded certificate.
SSL client certificate | Trusted third-party key pair | If you use this authentication, you need to upload the PKCS#12 key pair file provided by your communication partner. The PKCS#12 file is password encrypted and contains a public key certificate and private key.
1. In the Authentication field, click Edit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you want to upload.
3. Enter the required password and click OK.
User ID and password | If you use this authentication method, you need to enter the user ID and password that is used by the communication partner for the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.
Note
Status Interpretation
Create This status indicates that you have selected a communication scenario to be
created for the relevant communication arrangement.
Not Created This status indicates that the communication scenario has not yet been created
and the check box is unchecked.
Already Exists This status indicates that a communication scenario has been created already
and the check box will be disabled.
4. The Inbound and Outbound tabs are displayed, depending on the selected Communication Scenario. For
example, if a communication arrangement has only an inbound service interface, then the Inbound tab is
displayed.
5. Perform the following actions under the Inbound tab as necessary:
To check the information on the inbound service, click Check Service. Perform the following functions on
the Outbound tab as necessary.
Results
A success message is shown once the communication arrangement has been created successfully.
Procedure
1. To open the Edit Communication Arrangement quick activity in the Communication Arrangements view,
select the relevant communication arrangement and click Edit.
Note
This task is only relevant for predefined communication arrangements with inbound communication.
Procedure
1. In the Communication Arrangements view, select the relevant communication arrangement. Predefined
communication arrangements are indicated by the selected Predefined check box.
2. Click Edit Credentials.
SSL client certificate If you use this authentication method, you need to
upload the public key certificate that has been provided
by your communication partner. If your communication
partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 key
file is password encrypted and contains a public key
certificate and a private key. You need to provide the
PKCS#12 file to your communication partner.
Note
• You have to provide your communication partner
with the PKCS#12 file and the corresponding
password.
• To import the PKCS#12 key pair file to a
third party tool, see Create a Communication
Arrangement [page 93] in the Related Links
section.
User ID and password If you use this authentication method, you need to define
a password. The user ID is automatically predefined.
Perform the following steps:
1. Choose Change Password.
2. Enter a password. Note that you have to provide
your communication partner with the user ID and
password.
4. Click OK.
8.4 E-Mail
SAP Cloud solutions enable you to encrypt outgoing e-mails and check the signature of incoming e-mails by
using the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard.
You can use this function for e-mail communication between your system and your employees, in e-mail
scenarios provided by SAP (for example, self-service or approval scenarios). You can specify which e-mail
scenarios you want to use in Business Configuration.
Caution
We strongly recommend that you only send encrypted mails and accept only signed e-mails.
The system uses the same certificate for signature check and e-mail encryption, which means that the same
private key is used for signing and decrypting an e-mail to or from an employee.
The following MIME types are supported for e-mail communication with the system:
• .gif
• .jpg/.jpeg
• .pdf
• .tif/.tiff
• .png
Caution
When you use S/MIME, ensure that the data is encrypted. Please note that e-mail header data, for
example, the subject line, is not encrypted. The sensitivity setting for password e-mails is set by default to
private.
Business e-mails are e-mail messages sent to Cloud for Customer through tickets, accounts, appointment,
visits, sales quote, workflow notification, etc.
SAP Cloud for Customer routes business mails using services of Cisco.
Note
Mail relay path for inbound business mails: Sender → CES Servers (CISCO Cloud) → CISCO Mail Device
(SAP Network) → SAP Cloud for Customer (SAP Network)
Mail relay path for outbound business mails: (SAP Network) → CISCO Mail Device (SAP Network) →
Recipients
Bulk e-mails are e-mail messages sent through marketing or campaign channels from/to the customer.
SAP Cloud for Customer uses the services of Episerver to route bulk e-mails.
Note
Mail relay path for inbound bulk e-mails: Sender → CES Servers (CISCO Cloud) → CISCO Bulk Mail Device
(SAP Network) → SAP Cloud for Customer (SAP Network)
Mail relay path for outbound bulk e-mails: Episerver Bulk Mail Service → Recipients
To add encryption security to e-mail channels, you can enable S/MIME for your solution.
Procedure
To enable e-mail notifications, you must also upload the CA certificates in this area for the generic business
task management e-mail address for all involved employees and managers.
Procedure
1. Choose Configure S/MIME in the Administrator work center under Common Tasks.
2. On the Incoming E-Mail tab, upload the CA certificates from all involved employees for the generic incoming
e-mail addresses Business Task Management E-Mail Notifications.
3. On the Outgoing E-Mail tab, install the system CA certificate in the e-mail client of the involved employee as
follows:
a. Click on Link to SAP CA and open the site SAP Trust Center Service Root Certificates .
b. Click on SAP Passport CA Certificate. A pop-up opens.
c. Click Install Certificate and follow the wizard by clicking Next.
d. Select Place all certificates in the following store and click Browse.
e. Select Trusted Root Certification Authorities and click OK and then Next. Now the CA from the system
is installed locally.
4. Now activate the S/MIME. On the Activate S/MIME tab, select the options:
a. Check Signature of Incoming E-Mails
b. Encrypt Outgoing E-Mails (optional)
c. Signing Outgoing E-Mails
• E-Mail Notifications: Ensure that the involved employees are business users and have valid e-mail
addresses, and that the CA certificates from the employees are uploaded to the system for outgoing
e-mails.
• E-Mail Notifications: Each involved employee must subscribe to the e-mail notifications by opening the
Notifications view and choosing Subscribe to E-Mail.
• E-Mail Notifications: Check that the e-mail clients of the involved employees have enabled the receipt
of encrypted e-mails.
For outbound e-mail, SAP offers Sender Policy Framework (SPF) as a security measure and supports Domain
Keys Identified Mail (DKIM) keys by request.
Sender Policy Framework (SPF) is an e-mail authentication technique that is used to prevent spammers from
sending messages on behalf of your domain.
This gives you the ability to specify which e-mail servers are permitted to send email on behalf of your domain.
SAP creates an SPF record for all SAP Cloud for Customer tenants using the CISCO mail device.
Note
SAP enables SPF automatically for outbound e-mails. SPF records are updated on the technical from/Mail
From/Envelope-From addresses. The addresses are as follows:
• dsn@myXXXXXX.mail.crm.ondemand.com
• dsn@myXXXXXX.mail.c4c.saphybriscloud.cn
Domain Keys Identified Mail (DKIM) is a signature based e-mail authentication technique involving a digital
signature that allows the receiver to check that an e-mail was sent and authorized by the owner of that domain.
The DKIM signature is a header that is added to the message and is secured with encryption. SAP recommends
that sender domains used in your SAP solution are DKIM signed. Administrators must explicitly request a
unique DKIM key from SAP.
You can use external tools to check the SPF record or check the DKIM key of a domain.
For outbound e-mail, SAP provides certain e-mail security measures automatically, such as the Sender Policy
Framework (SPF). To add Domain Keys Identified Mail (DKIM) authentication, administrators must follow the
procedure below. Further information can be found in the topic Enable DKIM for Business E-mails.
Context
Administrators must follow the process below to enable the DKIM keys provided by SAP.
Note
For scenarios that generate mass e-mails, such as marketing or campaign execution, follow the procedure
to activate mass e-mail instead.
1. Link the provided DKIM keys through DNS server CNAME records.
2. Create an incident to provide your domain details to SAP.
3. SAP activates the DKIM key for your solution and closes the incident.
Results
The DKIM key is activated for your domain and can be used in both test and productive tenants.
Set up DKIM for all sending domains to ensure that your emails are delivered without disruptions to third party
e-mail accounts such as Gmail or Yahoo.
Context
To ensure the security of your sender identity and improve email deliverability, it is essential to configure SPF
(Sender Policy Framework) and DKIM for all sending domains. The initial records for DKIM keys pertaining to
your tenant provided by SAP are as follows:
• c4c-busi-my<123456>-1._domainkey.c4cdkim.crm.ondemand.com
• c4c-busi-my<123456>-2._domainkey.c4cdkim.crm.ondemand.com
• c4c-busi-my<123456>-3._domainkey.c4cdkim.crm.ondemand.com
If the domain of your tenant's URL differs from the one stated above, you can locate your public domain key on
a similar URL, but with a different ending such as:
1. Replace <123456> in the above-mentioned records with your <Tenant ID> from your normal login domain.
2. Identify all the domains and subdomains you use for sending out emails with SAP Sales and Service Cloud.
This includes all domains used as the From: address in your SAP Sales and Service Cloud emails. For
example, if you send emails from user@example.com, user@test.example.com, and user@sample.com,
your list of domains would be: example.com, test.example.com, and sample.com.
3. Create CNAME entries for each selector and domain in your DNS server.
4. Replace the placeholders with your <Tenant ID> and validate the entries with your network admin before
applying them to your DNS Server:
DMARC is an e-mail validation system designed to protect your company’s e-mail domain from being used for
e-mail spoofing, phishing scams, and other cybercrimes.
DMARC leverages the existing e-mail authentication techniques such as Sender Policy Framework (SPF) and
Domain Keys Identified Mail (DKIM). A message sent without DKIM or SPF can be considered suspicious by the
different e-mail analysis tools.
DMARC adds an important function, reporting. When a domain owner publishes a DMARC record into their
DNS record, they will gain insights on who is sending the e-mail on behalf of their domain. This information
can be used to get detailed information about the e-mail channel. Domain owners can use this information to get
control over the e-mail sent on their behalf.
DMARC helps e-mail receivers determine if the purported message aligns with what the receiver knows about
the sender. If not, DMARC includes guidance on how to handle the non-aligned messages.
Note
SAP Cloud for Customer does not provide alignment between the from domain (customer domain) and the
envelope-from domain (myXX.mail.crm.ondemand.com). Hence, e-mails are not DMARC enforced. As a
result, if your domains have a DMARC SPF policy enabled with aspf = s or aspf = r, but you have not set up
DKIM signing for the header.from domain, then the outbound mails sent from your SAP Cloud for Customer
tenants are bounced/rejected/quarantined. However, if the DMARC/DKIM alignment for your domain
passes, the complete email is treated as DMARC pass.
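The alignment behaviour in the note above, worked through as an added example (not SAP code): a receiver-side DMARC evaluation showing that SPF can never align for tenant mail, so the result depends on DKIM signing for the header.from domain. The DMARC records, example.com domains and the two-label organizational-domain shortcut are constructed assumptions; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, with relaxed alignment as default."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + txt)
    tags.setdefault("aspf", "r")   # SPF alignment mode: r = relaxed, s = strict
    tags.setdefault("adkim", "r")  # DKIM alignment mode
    return tags


def org_domain(domain):
    """Simplification (assumption): organizational domain = last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs identical domains; relaxed needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str               # domain of the From: header (customer domain)
    envelope_from: str             # domain of MAIL FROM, the identity SPF checks
    spf_pass: bool                 # SPF result for the envelope-from domain
    dkim_pass_domains: tuple = ()  # d= domains of DKIM signatures that verified


def evaluate(record, msg):
    """Return the DMARC verdict a receiver would reach for msg under record."""
    policy = parse_dmarc(record)
    spf_aligned = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, policy["aspf"])
    dkim_aligned = any(aligned(d, msg.header_from, policy["adkim"])
                       for d in msg.dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # The published policy is applied only when DMARC fails.
        "disposition": "none" if passed else policy["p"],
    }


# Constructed sample data. The envelope domain uses the page's placeholder form.
TENANT_ENVELOPE = "myXXXXXX.mail.crm.ondemand.com"
ENFORCING = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

UNSIGNED = Message("example.com", TENANT_ENVELOPE, spf_pass=True)
SIGNED = Message("example.com", TENANT_ENVELOPE, True, ("example.com",))
SUBDOMAIN_FROM = Message("news.example.com", TENANT_ENVELOPE, True, ("example.com",))

if __name__ == "__main__":
    for label, record, msg in [
        ("enforcing, no DKIM", ENFORCING, UNSIGNED),
        ("enforcing, DKIM for From domain", ENFORCING, SIGNED),
        ("enforcing, strict adkim, subdomain From", ENFORCING, SUBDOMAIN_FROM),
        ("monitoring (p=none), no DKIM", MONITORING, UNSIGNED),
    ]:
        print(label, "->", evaluate(record, msg))
```
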
Set up DMARC for e-mail authentication to ensure that your bulk e-mails are delivered to third party email
accounts such as Gmail or Yahoo.
Context
1. Create TXT records in your DNS Servers for DMARC and align them with your network and security
experts. Following are examples of a non-impacting DMARC entry on your DNS Server for all used
domains:
Note
You need to adjust the above mentioned DNS entries to match your specific values, such as domain
names, email addresses, and other DMARC parameters.
2. Ensure that the email addresses specified in the DMARC statement behind "rua=" (reporting URI) are
valid and monitored by your organization. These addresses will receive DMARC reports from receiving mail
servers.
3. Before applying the DMARC records to your DNS Servers, validate the above suggestions with your
network administrator to ensure they align with your network infrastructure and security requirements.
4. Once you have confirmed the accuracy of the DMARC records, apply them to your DNS Server. This will
enable DMARC protection for your domains.
The current e-mail paths for the domain myXXXXXX.mail.crm.ondemand.com are mx1.cmail-sap.c3s2.iphmx.com
and mx2.cmail-sap.c3s2.iphmx.com.
10 mx1.cmail-sap.c3s2.iphmx.com 216.71.136.226
10 mx2.cmail-sap.c3s2.iphmx.com 216.71.136.226
The maximum allowed size limit for an inbound e-mail is 25MB including attachments.
Inbound e-mails with the following attachment file types (extensions) fall into the category of dangerous
attachments.
ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, csr, der, exe, fxp, hlp, hta, inf, ins, isp, its,
js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, reg, scr, sct, shb,
shs, vb, vbe, vbmacros, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xxe, docm, xlsm.
This also applies if attachments with these extensions are found in the following (password-protected)
archives: arj, cab, jar, lha, rar, tar, zip, gzip.
Such mails will have these attachments truncated, but the body of the mail will still be allowed into the SAP
Cloud for Customer system.
SAP Cloud for Customer supports all HTML tags in incoming e-mails except <iframe>.
E-mails having http URLs (example: https://testtest.com) in the mail body are checked for the reputation score
at CISCO servers.
URLs having a low web reputation score are removed by the CISCO server and sent to SAP Cloud for Customer.
Example: If the URL https://testtest.com is classified with a low web reputation, then this URL will not be
clickable from SAP Cloud for Customer even when you hover over the URL. You cannot copy the URL, instead
it would be shown as an image. If you want to access the link, you must manually type the URL in your browser
and access it.
No. SAP Cloud for Customer does not currently support this feature.
No. SAP Cloud for Customer does not currently support this feature.
The size of the entire outbound e-mail message from SAP Cloud for Customer including the content, inline
images (if any), and any attachments can be up to, but not exceed 35 MB.
For an inbound e-mail message, the size cannot exceed 26 MB. This is due to the e-mail size getting bloated by
company e-mail servers before it is forwarded to SAP.
Yes, e-mails are relayed securely with TLSv1.2 protocol by default, and if the recipient e-mail infra doesn't
support TLSv1.2 protocol, a fallback protocol is used.
Note
It is currently recommended to ensure that your mail servers support TLSv1.2 protocol because TLSv1.0
and TLSv1.1 are disabled for both outbound and inbound e-mails.
The list of IP addresses is available in the Knowledge Base Article under the section IP Ranges for Mail
Traffic.
Retry attempts start at a one-minute interval, which doubles until the first hour. For the next 3 days, an
attempt is made every hour, after which a hard bounce e-mail is sent if the e-mail still cannot be relayed
to the recipient.
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to check if an
e-mail was indeed sent and authorized by the owner of that domain.
1. Navigate to https://dkimcore.org/tools/keycheck.html.
2. Provide the details of the selector and domain.
3. Click Check.
Check the e-mail headers header.i, header.s, and header.from of the received e-mail in the
Authentication-Results section. You can see the domain and selector details of the DKIM key here.
No, an explicit request must be raised to create a DKIM key for your sender's domain that is used to relay
business e-mails from your SAP Cloud for Customer tenant.
No, emails sent from this domain are not signed with a DKIM key. All other e-mails are DKIM signed.
No, a standard and unique selector is provided for each customer's domain. It is not possible to deliver DKIM
keys with custom selectors that are requested by customers.
DKIM key generation and activation is a one-time activity. Customers can request to generate a single key for
multiple domains. The same can be used for all their tenants (production and test).
Maintain the same selector and key for all tenants. Please do not alter the selector based on your tenant.
Outbound business e-mails will still be sent out from their SAP Cloud for Customer system. It is recommended
to use DKIM signed sender domains in their SAP Cloud for Customer system. This prevents e-mails from going
into junk, spam, or rejected folders.
DKIM keys cannot be created for the following domains: gmail.com, yahoo.com, hotmail.com, outlook.com, and
sap.com.
Sender Policy Framework (SPF) is an e-mail-authentication technique which is used to prevent spammers from
sending messages on behalf of your domain.
1. Navigate to https://mxtoolbox.com/SuperTool.aspx.
2. Provide the technical sender address/domain as myXXXXXX.mail.crm.ondemand/
myXXXXXX.mail.c4c.saphybriscloud.cn.
3. Click on the SPF Record Lookup button.
If the old IP address is maintained in the SPF record, a new entry with the new IP address should be created.
Checks are done at the recipient mail server. E-mails sent from SAP Cloud for Customer application have
headers.
The SPF check is done on the Envelope-From address. The Envelope-From address in SAP Cloud for Customer is as
follows: dsn@myXXXXXX.mail.crm.ondemand.com/dsn@myXXXXXX.mail.c4c.saphybriscloud.cn
DKIM Check is done on the From Address in the sender's domain (example: test.com, abc.uk).
The Envelope-From address for outbound e-mails is always the technical address (that is,
myXXXXXX.mail.crm.ondemand.com), and the From address is always the customer domain address. As of
now, SAP Cloud for Customer does not provide alignment between the From domain (customer domain) and
the Envelope-From domain (myXX.mail.crm.ondemand.com).
Hence, e-mails are not DMARC enforced. As a result, if the customer domains have a DMARC SPF policy enabled
with aspf = s or aspf = r, but have not set up DKIM signing for their header.from domain, then the
outbound mails sent from their SAP Cloud for Customer tenants are bounced/rejected/quarantined. However,
if the DMARC/DKIM alignment for their domain passes, the complete e-mail is treated as DMARC pass.
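The alignment outcome described above, and the Authentication-Results fields mentioned earlier (header.i, header.s, header.from), can be checked with a small evaluator. This is an added example, not SAP code; the tenant my123456, the customer domain example.com, the selector sel1, the receiving host, and the reduced public-suffix set are constructed assumptions.

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, enough for the sample domains.
PUBLIC_SUFFIXES = {"com", "cn", "uk", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, b = identifier.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_auth_results(header: str) -> dict:
    """Extract method results and the properties the guide points to
    (header.i, header.s, header.from), plus smtp.mailfrom and header.d."""
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    out.update(re.findall(r"\b(smtp\.mailfrom|header\.(?:i|s|d|from))=([^\s;]+)", header))
    return out

def dmarc_verdict(header: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Apply DMARC identifier alignment to the SPF and DKIM results in the header."""
    r = parse_auth_results(header)
    from_dom = r["header.from"]
    spf_dom = r.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    dkim_dom = r.get("header.d") or r.get("header.i", "").rsplit("@", 1)[-1]
    spf_ok = r.get("spf") == "pass" and aligned(spf_dom, from_dom, aspf)
    dkim_ok = r.get("dkim") == "pass" and bool(dkim_dom) and aligned(dkim_dom, from_dom, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed headers: SPF passes for the technical Envelope-From domain in both cases.
SPF_PART = "spf=pass smtp.mailfrom=dsn@my123456.mail.crm.ondemand.com;"
SIGNED = ("Authentication-Results: mx.recipient.example; " + SPF_PART +
          " dkim=pass header.i=@example.com header.s=sel1; dmarc=pass header.from=example.com")
UNSIGNED = ("Authentication-Results: mx.recipient.example; " + SPF_PART +
            " dkim=none; dmarc=fail header.from=example.com")

if __name__ == "__main__":
    for label, hdr in (("DKIM-signed", SIGNED), ("unsigned", UNSIGNED)):
        print(label, dmarc_verdict(hdr))
```

SPF passes in both samples but never aligns, in strict or relaxed mode, because the Envelope-From domain and the From domain belong to different organizational domains; only the DKIM signature for the customer domain produces a DMARC pass.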
9.1 Cookies
In this section, you can find a list of cookies and their functions in SAP Cloud for Customer.
SAP Cloud for Customer uses the following cookies to exchange information between the client and server.
This information may include session IDs, load-balancing information, or performance indicators, for example.
To protect the information contained in the cookies, SAP Cloud for Customer requires secure communication
channels (HTTPS) and sets the Secure and HttpOnly flags for all cookies.
• Sap-usercontext: Language and client number. Created as a browser session cookie every time a new user
successfully logs on to SAP Cloud for Customer.
• Sap_c4c_logon_record: GUID to link requests that belong to one logon session (for performance analysis).
Created as a browser session cookie every time a new user successfully logs on to SAP Cloud for Customer.
• Saplb<systemname>: Load balancing, system name, tenant number. Created as a browser session cookie every
time a new user successfully logs on to SAP Cloud for Customer.
SAP offers a set of additional software components that you can install, on desktop computers, for printing and
additional functionality.
All additional applications of SAP Cloud solutions that are delivered for download are digitally signed. To
confirm the signature, proceed as follows:
When you execute the installation of a file, a popup appears, indicating the Verified publisher. In this case, SAP
AG is indicated as well.
SAP front-end components never share an existing authentication session on SAP Cloud solutions, for
example, within a Web browser or with another front-end component. Dedicated authentication is always
required to build a confidential communication channel, secured via the Secure Sockets Layer (SSL) protocol,
to your SAP Cloud solution.
If you log on to the system from a desktop computer with a user ID and password, you are asked whether you
want to store the password locally for subsequent authentication purposes. The password is encrypted, and
not stored as plain text. It is stored using the available protection mechanisms of the operating system, and
can be reused only by the operating system user who is currently logged on. If you do elect to use this function,
then you should activate it on your device only, and never on public computers.
Ensure that your SAP Cloud for Customer configuration is secure and remains secure.
Here you can find security recommendations for end-user devices such as PCs and laptops for Windows and
Apple products.
Since you can download data to your local devices, it’s important that you follow strict security protocols to
protect your data from getting compromised.
SAP Cloud for Customer offers many data-extraction features such as Data Workbench, OData APIs, Microsoft
Excel downloads, and so on.
Caution
We strongly recommend that you use secure protocols to prevent security breaches of confidential data.
We recommend to:
Related Information
Mashups and service composition entail cross-domain communication between various internet domains.
Content from different domains – especially active content, such as JavaScript – is always domain-separated
in the Web browser.
A same origin security policy common in Web browsers, prohibiting access to content across domain
separations, is activated, if necessary.
Both partners and administrators can create URL mashups to perform the following tasks:
You can open these items from an SAP Cloud solution screen by configuring the URL with dynamic parameters
that are derived from the screen out-port interface of your SAP Cloud solution.
Caution
Some URLs may pass your business data to an external application provided by a third-party organization,
for example, account data passed to a search engine when performing a reverse lookup in an online
address book. Therefore, before you use the URL mashup, we recommend that you confirm that it
conforms with your company’s security and data privacy policies.
Some Web browser settings, for example, popup blockers, may prevent the new browser window from
appearing in the URL mashup. We therefore recommend that you review your browser settings to
determine whether popups are allowed.
Both partners and administrators can create HTML mashups to embed an HTML-based Web page or a
resource that can be rendered in a Web browser – for example, a Microsoft Office or Adobe PDF document,
or an Adobe Flash or multimedia video file – into an SAP Cloud solution screen by configuring the URL with
dynamic parameters that are derived from the SAP Cloud solution screen out-port interface.
Caution
Certain URLs may pass your business data to an external application provided by a third-party
organization, for example, account or contact data passed to a social media Web site when displaying
SAP Cloud solutions use Microsoft® Bing Maps™ as a built-in map service provider. Both administrators and end
users can configure the map mashup usage on an SAP Cloud solution screen to display the visual location or
route information on a map. Before Bing Maps mashups can be used, you as an administrator must activate
them by entering the Application Programming Interface (API) key for Bing Maps usage under Administrator >
Mashup Authoring. For more information about the Bing Maps Web service partner, and to apply for an API
key, visit the SAP Cloud solutions communities.
Caution
Bear in mind that the map mashup may convey business data of yours to the Bing Maps Web service
provider. For example, ship-to and bill-to addresses are transferred to the Bing Maps Web service provider
when displaying the related visual location on the map. Therefore, before you use the map mashup, we
recommend that you confirm that it conforms with your company’s security and data privacy policies.
Bing Maps Web service communication takes place directly between the user’s Web browser and the
service provider via the Secure Sockets Layer (SSL), with the dedicated API key applied for each SAP
Cloud solution. Bear in mind that the Bing Map Web service provider may monitor the Bing Maps Web
service API usage in accordance with the terms of licensing. Therefore, before you use the map mashup, we
recommend that you review the API usage and licensing details with the Bing Maps Web service provider.
Both partners and administrators can create data mashups for composing Web services (provided by third-
party Web service providers) with business data derived from the SAP Cloud solutions. You can use the
integrated authoring tool, the Data Mashup Builder, to transform or merge external Web services with internal
business data, using industry-standard Web service protocols, for example, RSS/Atom, REST or SOAP Web
services.
Create Web services in your SAP Cloud solution before creating the Web service composition in the Data
Mashup Builder. API keys can be specified for the Web service security by means of industry-standard or Web
service specific authentication methods, for example, basic authentication, REST body credentials, or SOAP
service parameter credentials. The API keys entered by partners and administrators are stored in an isolated
secure storage of your SAP Cloud solution back end, which is never exposed to end users.
Certain Web services may transfer business data of yours to an external Web service provider from a
third-party organization. For example, account or address data is transferred to a data quality Web service
provider when data quality cleansing operations in Cloud applications are performed. Therefore, before
you use the mashup, we recommend that you confirm that the Web service conforms to your company’s
security and data privacy policies.
Web service communication in data mashups does not take place directly between the user’s Web browser
and the Web service provider. Rather, as a result of the cross-domain access policy restriction, it is tunneled
using the SAP Cloud solution system back-end Web service proxy. Only the Web service endpoints that
have been confirmed with acknowledgement by partners and administrators can be accessed by the SAP
Cloud solution system back-end Web service proxy by all end users of a customer. Therefore, before you
confirm that a Web service is added to your SAP Cloud solution, we recommend that you ensure that it
conforms to your company’s and country’s security policies.
Use the information in this table to secure the configuration and operation of SAP Cloud for Customer.
Remember
As part of the cloud shared responsibility model (restricted access), you're responsible for determining if
any of these recommendations are relevant for your environment and to what extent.
The security recommendations are provided as a courtesy, without a warranty, and may be subject to
change. For more information, see the disclaimer.
Security Recommendations

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Default authentication method basic authentication with Username/Password
Recommendation: Enable SAML 2.0 Assertion for Front-End Single Sign-On and disable the default username/password authentication method (C4C-IAS-0002).
More Information: Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO) [page 13]
Index: C4C-IAS-0001

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Non-SSO URL is configured by default as the one sent to employees, allowing to bypass SSO.
Recommendation: SSO URL to be configured.
More Information: 2595989
Index: C4C-IAS-0002

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Password access is not disabled by default
Recommendation: Disable password access for all users working with SSO.
More Information: Log On Using User ID and Password [page 34]
Index: C4C-IAS-0003

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Default Setting or Behavior: Only sample password policies are configured to showcase the options, but are not strong enough for productive use.
Recommendation: If password authentication is used (which is not recommended, refer to C4C-IAS-0001), a separate password security policy needs to be configured for administrators with stricter rules.
More Information: Security Policy Quick Guide [page 36]
Index: C4C-IAS-0004

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Roles and Authorizations
Title: Access control
Default Setting or Behavior: SAP Cloud for Customer does not ship default roles. Initial users have to create admins and all the other roles
Recommendation: Configure a reasonable minimal privileges concept for different roles and users. Provide write access only to users who need it to operate.
More Information: Restricting Access Roles [page 10]
Index: C4C-AUT-0001

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Inactive users will be logged off of the system after 1 hour
Recommendation: Review the time after which the users will be logged out and configure to your preference.
More Information: Security Settings [page 39]
Index: C4C-IAS-0005

Component: SAP Sales and Service Cloud Mobile
Priority: Advanced
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: On by default in current release
Recommendation: Review the setting and enable the certificate pinning in case it is disabled (upgrades from older releases will not change the setting).
More Information: Certificate Pinning [page 50]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: Encryption
Default Setting or Behavior: Email encryption is disabled by default
Recommendation: Enable and configure S/MIME.
More Information: Enabling S/MIME Security [page 103]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: Email authentication
Default Setting or Behavior: Domain Keys Identified Mail (DKIM) authentication is disabled by default
Recommendation: Request DKIM Key for Sender Domains.
More Information: DKIM Keys for Sender Domains [page 106]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: File upload control
Default Setting or Behavior: Default MIME types
Recommendation: Review the list of allowed MIME types and keep it as minimal as possible.
More Information: Configure Upload Controls [page 131]

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Title: Personal data removal
Default Setting or Behavior: No feedback on personal data removal runs
Recommendation: It is recommended to check the status of data removal runs since the user triggering one receives no direct feedback.
More Information: Administer Data Removal Runs [page 64]
Index: C4C-DPP-0001

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Title: Data retention
Default Setting or Behavior: Nothing enabled by default, initial values are set to 99 years.
Recommendation: It is recommended to review data retention and backup/archive your data/logs as per your specific regulation.
More Information: Data Retention [page 63]
Index: C4C-DPP-0002

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: Security monitoring
Default Setting or Behavior: Monitoring and alerting is a shared responsibility in which SAP focuses on infrastructure level events and customers focus on the application level events
Recommendation: Security-relevant reports to be reviewed regularly.
More Information: Security-Relevant Reports [page 83]
Index: C4C-MON-0001

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Title: Obsolete partner removal
Default Setting or Behavior: As a data protection officer, you can schedule automated deletion of obsolete business partners, such as contacts, employees, and individual customers
Recommendation: It is recommended to create your own scheduled runs.
More Information: Automate Removal of Obsolete Business Partners [page 66]
Index: C4C-DPP-0003

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Default Setting or Behavior: Personal Data removal deletes everything like associated activities, transactions, attachments by default
Recommendation: Based on your specific requirements, the scope of Personal Data removal has to be configured to avoid deletion of data to be kept.
More Information: Remove Personal Data [page 57]
Index: C4C-DPP-0004

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: API
Default Setting or Behavior: If currently a business user is being used for technical integration user.
Recommendation: It is recommended to use the OData Services and its integration
More Information: SAP Cloud for Customer OData API
Index: C4C-API-0001

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: API
Default Setting or Behavior: Custom features of OData aren't available in case 'No Authorization Checks' is enabled
Recommendation: 'No Authorization Checks' toggle has to be set to 'No'.
More Information: SAP Cloud for Customer OData API
Index: C4C-API-0002

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Authorization
Default Setting or Behavior: As an administrator, you can restrict relationship intelligence insights by specifying the business roles that can have authorization to accounts.
Recommendation: It is recommended to set the visibility based on who needs to be able to access it.
More Information: Scope and Configure Relationship Intelligence
Index: C4C-AUT-0002

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Mobile Security
Default Setting or Behavior: Mobile Store Delivery list contains trusted sources
Recommendation: Mobile app should only be downloaded from the official sources.
More Information: Mobile App Updates
Index: C4C-MDM-0001

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Mobile Security
Default Setting or Behavior: Mobile device security management
Recommendation: General recommendations, such as screen lock, strong pin, etc., to be followed and enforced via MDM (Mobile Device Management) solution.
More Information: Mobile Devices [page 48]
Index: C4C-MDM-0002
• Component: The name of the component to which the setting belongs.
• Priority: Defines the criticality of the recommendation.
  • Critical: Exposes the system to significant risk or threatens system reliability.
  • Recommended: Improves the security of the landscape and significantly reduces the attack surface.
  • Advanced: Extends the recommendation to a higher standard. The recommendation either extends the
    security standards to higher level of protection or to additional areas, such as your
    organization-specific requirements.
• Secure Operations Map: The Secure Operations Map is a reference model to structure the broad area of
  security for content, discussions, and as a basis for a 360° view on security. For more information
  about the Secure Operations Map, see Security Overview as part of the SAP Security Optimization
  Services Portfolio.
• Title: A topic is a short description or a general heading to find similar topics across services.
• Default Setting or Behavior: Describes the usage of the security setting, including any context, or
  default setting behavior (if available).
• Recommendation: Defines our recommendation for this configuration.
• More Information: A link to documentation that explains how you can achieve the recommendation.
• Last Update: Date of the last significant change. Note: Please expect changes here.
• Index: A stable unique reference to identify the recommendation.
You must ensure the secure operation of your SAP Cloud for Customer instance to protect the confidentiality,
integrity, and availability of the information it processes.
Define the allowed file types for attachments and discover how to handle temporary files.
This section describes the steps to specify the allowed file types.
Context
The Multipurpose Internet Mail Extensions (MIME) type configuration controls the files you can add to the
SAP Cloud for Customer system. These file types include attachment uploads as well as files sent via e-mail
attachments.
You can upload attachment files to your SAP Cloud solution in several application scenarios, for example in
billing, in data migration, or image files of your travel expense receipts. Regularly updated anti-virus software
checks the uploaded files for viruses and other types of malicious software.
Recommendation
In addition to this anti-virus software, we recommend that our customers also use anti-virus software.
In Business Configuration, you can define which file types can be uploaded to your solution. Note that file-
name extensions can be changed to disguise the actual file format of the file.
We recommend that you start with a minimal MIME list, as you have the option of adding more later. Choose from
the list of allowed MIME types for uploading documents that are specific for your project.
Procedure
1. Navigate to Business Configuration > Implementation Projects > Open Activity List and open the
Allowed MIME Types for Document Upload fine-tuning activity.
2. In the new screen, select your project-relevant MIME types.
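Because a file-name extension can be changed, a check that compares the name against the content is a useful complement to the allowlist. The following is an added example, not SAP's upload control; the allowlist, function names and sample uploads are constructed, and only Word macro projects (word/vbaProject.bin) are recognised inside ZIP-based Office files.

```python
import io
import zipfile

DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
DOCM = "application/vnd.ms-word.document.macroEnabled.12"
# Hypothetical minimal allowlist for one project: extension -> expected MIME type.
ALLOWED = {"pdf": "application/pdf", "png": "image/png", "jpg": "image/jpeg", "docx": DOCX}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, looking inside ZIP-based Office files."""
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"MZ"):
        return "application/x-msdownload"  # Windows executable
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "application/octet-stream"
        if "word/vbaProject.bin" in names:
            return DOCM  # VBA project present: macro-enabled, whatever the name says
        return DOCX if "word/document.xml" in names else "application/zip"
    return "application/octet-stream"

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason): the name must be allowlisted and the content must match it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALLOWED.get(ext)
    if declared is None:
        return False, f".{ext} is not on the allowlist"
    actual = sniff(data)
    if actual != declared:
        return False, f"name claims {declared}, content is {actual}"
    return True, "ok"

def build_zip(names: list) -> bytes:
    """Build a ZIP in memory whose members carry placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in names:
            zf.writestr(member, b"x")
    return buf.getvalue()

SAMPLES = {  # constructed uploads
    "receipt.pdf": b"%PDF-1.7\n",
    "photo.png": b"MZ\x90\x00",  # executable renamed to .png
    "offer.docx": build_zip(["[Content_Types].xml", "word/document.xml"]),
    "terms.docx": build_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
}

def review(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether it would be accepted."""
    return {name: check_upload(name, data)[0] for name, data in samples.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_upload(name, data))
```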
Your browser saves temporary files as you work. Use your browser tools to delete cached information.
On PCs and laptops, the IndexedDB of the browser is used to cache information, such as:
• Recent history
• Basic search (recent search entries)
• Value help (recent search entries)
• Home page (title information and data)
Recommendation
SAP Cloud for Customer doesn't delete these types of temporary entries. To remove cached data, we
recommend using the appropriate features of your browser.
Security Management at SAP Cloud for Customer aims towards the continual improvement of the information
security framework.
Compliance
SAP conducts several external audits every year for various certificates and attestations such as ISO, C5, SOC,
and so on.
You can find the current list of certifications in SAP Trust Center under the Compliance tab. Filter with SAP
Cloud for Customer to find the right compliance documents for your business needs including certifications,
attestations, and SOC reports.
SAP conducts external penetration tests for product and infrastructure at least once a year. In addition, a
number of internal tests and security validations are performed by dedicated teams throughout the year.
Vulnerability scans with internal and external scope are performed on an ongoing basis.
You can find more details about scope and frequencies in the SOC2/C5 reports.
Code Scans
The complete code base is covered with static code scans. For the non-ABAP code base, SAP carries out
additional checks to look for open source vulnerabilities and ensures license compliance. Used open source
components are monitored for newly disclosed vulnerabilities.