The SAP Cloud for Customer Security Guide provides comprehensive information on security measures, identity and access management, personal data protection, and application security. It covers various aspects such as user administration, data retention, and secure communication channels. This document serves as a resource for ensuring the security and compliance of SAP Cloud for Customer services.


PUBLIC

SAP Cloud for Customer


Document Version: CLOUD – 2024-02-20

SAP Cloud for Customer Security Guide


SAP Cloud for Customer
© 2024 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Security Guide [page 4]

2 Technical System Landscape [page 6]

3 Identity and Access Management [page 8]
3.1 User Administration and Authentication [page 8]
  User Management [page 8]
  User Types [page 11]
  Authentication Mechanisms [page 12]
  Security Policy Quick Guide [page 36]
  Security Settings [page 39]
3.2 Authorization [page 39]
  Authorization Assignment [page 40]
  Access Restriction [page 40]
  Segregation of Duties [page 47]
3.3 Mobile Devices [page 48]
  SAML2 Based SSO [page 49]
  SSO Recommendation [page 49]
  Secure System Access and Authentication [page 50]
  Special Considerations [page 51]
  Data Storage [page 51]
  Offline Mode [page 53]

4 Personal Data Protection and Privacy [page 54]
4.1 Disclose Personal Data [page 56]
4.2 Remove Personal Data [page 57]
4.3 Depersonalize Transactional Data [page 60]
4.4 Data Retention [page 63]
4.5 Administer Data Removal Runs [page 64]
4.6 Automate Removal of Obsolete Business Partners [page 66]
  Web Services for Business Partner End-of-Purpose [page 67]
4.7 Automate End of Purpose for Business Partners [page 69]
4.8 Enable Read Access Logging [page 70]
4.9 Prerequisites for Usage Block Integration [page 74]
4.10 Tax Numbers in SAP Cloud for Customer [page 76]
4.11 Glossary [page 77]

5 Security of Data Storage and Data Centers [page 80]

6 Auditing and Logging [page 82]
6.1 Change Logs [page 82]
6.2 Security Monitoring and Alerting [page 83]
  Security-Relevant Reports [page 83]
  Security-Relevant Data Sources [page 84]
  Security-Relevant Log APIs [page 85]
6.3 Connectivity Errors - Troubleshooting [page 86]

7 Front-End Security [page 87]

8 Network and Communication Security [page 88]
8.1 Communication Channels [page 89]
8.2 Renewal of Tenant Certificate [page 90]
8.3 Business-To-Business Communication and Application Integration [page 91]
  Communication Arrangements Quick Guide [page 92]
8.4 E-Mail [page 101]
  Business E-Mails [page 102]
  Bulk E-Mails [page 103]
  Enabling S/MIME Security [page 103]
  Configuring S/MIME Security [page 104]
  Security Measures for E-Mail Domains [page 105]
  Inbound E-Mails FAQ [page 110]
  Outbound E-Mails FAQ [page 112]

9 Application Security [page 118]
9.1 Cookies [page 118]
9.2 Security for Additional Applications [page 119]

10 Secure Delivery, Configuration, and Change Management [page 120]
10.1 Security for End-User Devices [page 120]
10.2 Service Composition Security [page 121]
  URL Mashup Integration [page 121]
  HTML Mashup Integration [page 121]
  Map Mashup Integration [page 122]
  Data Mashups [page 122]
10.3 Security Recommendations [page 123]
  Explanation of Table Headings [page 129]

11 Operational Security [page 131]
11.1 File and Attachment Processing [page 131]
  Configure Upload Controls [page 131]
  Temporary Files [page 132]
11.2 Security Management and Continual Improvement of Security [page 132]

1 Security Guide

This guide provides an overview of the security-relevant information that applies to SAP Cloud for Customer.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. While it is primarily the customer's responsibility to ensure their data security and proper user
management, SAP supports security by providing relevant features and functions. SAP is also responsible for
managing the lifecycle of the application for security improvement.

To assist you in securing SAP Cloud for Customer, we provide this Security Guide.

Identity and Access Management

• Identity and Access Management [page 8]

Data Protection and Privacy

• Personal Data Protection and Privacy [page 54]
• Security of Data Storage and Data Centers [page 80]

Securing Your System

• Auditing and Logging [page 82]
• Front-End Security [page 87]
• Network and Communication Security [page 88]
• Application Security [page 118]
• Secure Delivery, Configuration, and Change Management [page 120]
• Operational Security [page 131]

2 Technical System Landscape

SAP data centers provide the highest-quality security measures while still allowing integration and flexible
access to their cloud data.

SAP Cloud solutions are hosted in data centers around the world. Customers can choose in which data center
they want their solution to run.

The solutions provide optional integration with many SAP solutions, such as a full Enterprise Resource
Planning (ERP) and Customer Relationship Management (CRM) suite, including the associated server
landscape and system maintenance.

Since SAP Cloud solutions deal with business data from your core business processes, SAP adheres to the
highest security and quality requirements, as follows:

• The business data is stored securely in SAP data centers. In addition, SAP Cloud native solutions are
hosted in Amazon Data Centers and operated by SAP. You, as a customer, can select the data center region
that best fits your needs.
• Customers share physical hardware, but their data is separated into tenants.
• Users who require access to the business data must authenticate themselves, and their identity must be
verified by user and access management.
• Customer data always belongs to the customer.

You can access your SAP Cloud solution in the following ways:

• Desktop computer: browser-based Internet access from any network with internet access
• Portable computers: browser-based Internet access from any network with internet access
• Mobile devices: native apps

Industry best practices and state-of-the-art open cryptographic standards secure and protect communications
between customer devices and the system landscapes of your SAP Cloud solution in the SAP data center.

The following diagram summarizes the technical system landscape for standard access:

To access SAP Cloud solutions, you must enter a unique, customer-specific URL.

Communication is carried out via the Reverse Proxy (RP) component in the SAP data center.

The Reverse Proxy is the SAP Web Dispatcher, which is developed and maintained by SAP Cloud Support.

The communication channels that require mutual authentication are secured by using standard Transport
Layer Security (TLS) protocols. For more information about connectivity, see the Technical Connectivity
Guide for SAP Cloud Applications, on the SAP Help Portal: https://help.sap.com/cloud4customer.

The communication channels for monitoring and maintaining instances of your SAP Cloud solution
in the SAP data center network are also encrypted and authenticated.

Related Information

SAP Data Center Locations


Integration with SAP Solutions

3 Identity and Access Management

To protect your SAP Cloud for Customer instance and data, you need to make sure that only authorized parties
have access. A key step to securing SAP Cloud for Customer is implementing secure authentication.

User Administration and Authentication [page 8]


User management for SAP Cloud for Customer is located in the Administrator work center.

Authorization [page 39]


For access rights, you must maintain necessary authorizations.

Mobile Devices [page 48]


With the SAP Cloud mobile solutions, you can access many of the functions that have been tailored to
business on-the-run.

3.1 User Administration and Authentication


User management for SAP Cloud for Customer is located in the Administrator work center.

User Management [page 8]


The solution allows you to limit administrative authorizations to users who perform the administrative
functions.

User Types [page 11]


Learn about the different user types available in the solution.

Authentication Mechanisms [page 12]


Every user type must authenticate itself to SAP Cloud solutions for regular browser-based front-end
access, as well as for electronic data exchange, such as Business-to-Business communication. SAP
Cloud solutions don’t support anonymous access.

Security Policy Quick Guide [page 36]


As an administrator, you can increase the security level, if desired, by editing and enhancing the
security policy, for example, by changing the complexity and validity for all passwords, in accordance
with your company's security requirements.

Security Settings [page 39]


As an administrator, you can define security settings that are applicable for all users, or a selected
business role.

3.1.1 User Management


The solution allows you to limit administrative authorizations to users who perform the administrative
functions.

There must be a clear definition of roles and duties within the administrator user group itself. For example, you
may have dedicated administrators for screen adaptations, but these team members can't change authorizations.

Use the available standard reports to regularly monitor users with administration rights, and track the changes
made to the user access rights.

For access rights, you must maintain necessary authorizations.

Note

Personalizing any part of the UI doesn't change or add any security settings, because personalization
is part of extensibility, which allows you to display/hide fields based on user/business roles, screen
adaptations and so on. For example: even if you remove the edit button from the UI, the edit option is
still available via OData APIs.

Recommendation

We recommend using SSO for basic security. To protect accounts further, configure the identity provider
(IdP) of the SSO solution to provide enhanced security, such as multifactor authentication (MFA),
geofencing, and other additional security features.

The following table provides an overview of all activities related to user administration that you can perform as
an administrator:

User Administration Activities

View: Administrator, Subview: Business Users
• Lock and unlock users
• Change user password
• Edit the validity of a user
• Assign security policies to users
• Assign access rights to users for Work Centers and Work Center views
• Restrict read and write access for users to specific data
• Assign business roles to users

View: Administrator, Subview: Support and Technical Users
• View all support and technical users available in the system

View: Administrator, Subview: Business Roles
• Define access rights in business roles

View: Administrator, Subview: Communication Arrangements
• Create technical users for electronic data exchange

View: Administrator, Subview: Communication Certificates
• Manage certificates that you use for electronic data exchange

View: Administrator, Subview: Common Tasks
• Edit Security Policies: specify security policies for user passwords
• Configure Single Sign On: download service provider metadata, upload IdP metadata, and activate SSO
• Configure S/MIME: configure and activate e-mail communication with S/MIME
• Edit Certificate Trust List: edit the trust list of certificates used for communication arrangements

Note
The list of trusted certification authorities is available on the Web dispatcher. Certificates with which
users log on must be issued by one of these certification authorities.
3.1.1.1 Restricting Access Roles

You use business roles to assign access rights to multiple business users who carry out the same activities. You
can also define access restrictions for a business role.

Procedure

1. From the Administrator Work Center, click on Business Roles.


2. If you want to edit the read and write access for users to whom any of the business roles are assigned, click
on any of the business roles listed and then click Edit. Next, click the Access Restrictions tab.
3. Select the view for which you want to restrict access rights and choose the corresponding access
restriction in the Read Access and Write Access column. You can choose between the following settings
for access restrictions:
• No Access (Only available as a restriction for write access)
The user has no write access.
• Unrestricted
The user has access to all business data related to the view.
• Restricted
The user only has access to specific business data, depending on the access context. If you select
Restricted, you can restrict read and write access on the basis of predefined restriction rules that you
can choose from the Restriction Rule drop-down list.
If you choose the Define Specific Restrictions restriction rule, another list appears in which you can
restrict access to specific data, which is defined by the access group. For example, if a view has the
Site access context, you can restrict write access in this view for business documents that belong to a
specific site.
To do so, choose Detailed Restrictions and select or deselect the corresponding check box in the Read
Access or Write Access column.
4. If you want to grant the user access to data that is no longer in use, choose Historic Restrictions. Select or
deselect the corresponding check box in the Read Access or Write Access column.
5. To check whether the access rights are consistent, click Actions and choose Access Rights Consistency.

SAP Cloud for Customer Security Guide


10 PUBLIC Identity and Access Management
Each view contains specific activities that can be carried out by a user with the necessary access rights for
the view. Note that some activities can be carried out in multiple views. Therefore, when you grant access
rights, you should be aware that if there is a conflict, unrestricted access rights override any restrictions
you have defined.

Tip

View A and view B both contain activity C. For view A, a user has unrestricted read and write access, but
for view B, the same user has read-only access. Because unrestricted access rights override restricted
access rights, the user will actually have both read and write access to both views. Checking
consistency will help you to identify these views and activities.

6. If there are activities displayed on the Check Access Rights Consistency screen, the access rights are
inconsistent. Check whether you need to redefine the access rights.
7. When finished, click Assigned Users, then Activate User to save the edits you have made to the
business role and the users.

Note

You can also restrict the access rights of a technical user if you want them to only have read access.
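The consistency rule from the tip above (an activity reachable from several views gets the least restrictive access among them) can be checked offline against a role definition. The following is an added example, not code from the guide or from SAP; the role, view and activity names are constructed, and the three access levels are the ones the procedure lists.

```python
from __future__ import annotations

from dataclasses import dataclass

# Access levels as the guide names them for a business-role view.
# "No Access" exists only as a write restriction in the guide; it is kept in
# the ranking so that read and write can be compared with a single table.
NO_ACCESS = "No Access"
RESTRICTED = "Restricted"
UNRESTRICTED = "Unrestricted"
_RANK = {NO_ACCESS: 0, RESTRICTED: 1, UNRESTRICTED: 2}


@dataclass(frozen=True)
class ViewAccess:
    """Read/write access a business role grants for one work center view."""
    view: str
    activities: frozenset[str]   # activities reachable from this view
    read: str
    write: str


def effective_access(role: list[ViewAccess]) -> dict[str, dict[str, str]]:
    """Effective access per activity: the least restrictive level among all
    views that expose the activity, because unrestricted access on one view
    overrides a restriction defined on another view."""
    effective: dict[str, dict[str, str]] = {}
    for va in role:
        for activity in va.activities:
            current = effective.setdefault(
                activity, {"read": NO_ACCESS, "write": NO_ACCESS})
            for kind, level in (("read", va.read), ("write", va.write)):
                if _RANK[level] > _RANK[current[kind]]:
                    current[kind] = level
    return effective


def inconsistent_activities(role: list[ViewAccess]) -> list[tuple[str, str, str, str, str]]:
    """Activities whose effective access is wider than a view intended.
    Each finding is (activity, view, 'read' or 'write', intended, effective);
    an empty list means the role passes the consistency check."""
    effective = effective_access(role)
    findings = []
    for va in role:
        for activity in va.activities:
            for kind, intended in (("read", va.read), ("write", va.write)):
                actual = effective[activity][kind]
                if actual != intended:
                    findings.append((activity, va.view, kind, intended, actual))
    return sorted(findings)


# Constructed sample role mirroring the tip: view A and view B both contain
# activity C; A is unrestricted, B is read-only (write: No Access).
SAMPLE_ROLE = [
    ViewAccess("View A", frozenset({"Activity C"}), UNRESTRICTED, UNRESTRICTED),
    ViewAccess("View B", frozenset({"Activity C", "Activity D"}), UNRESTRICTED, NO_ACCESS),
]

if __name__ == "__main__":
    for activity, view, kind, intended, actual in inconsistent_activities(SAMPLE_ROLE):
        print(f"{activity}: {view} intended {kind} = {intended}, effective = {actual}")
```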

3.1.2 User Types

Learn about the different user types available in the solution.

SAP Cloud solutions provide the following user types:

User Type: Business User
A user type for normal interactive users resulting from hiring an employee or creating a service agent.
Business users always have to change their initial password at first logon. The properties of the passwords
are determined by the assigned security policy.

Note
Service agents are used for external users, for example, partners or partner contacts. Apply specific
security policies and use specific roles to keep internal and external employees separated. We also
recommend that you lock external users as soon as they are no longer needed.

User Type: Technical User
A user type for non-interactive usage, either predefined by SAP for technical operations or resulting from
the creation of communication arrangements. Technical users either do not have passwords or have
passwords but do not have to change them.

User Type: Support User
A user type for interactive support users used by SAP Cloud Services to access the system as part of
incident processing.

Note
If support users receive a ticket and realize that they have to access the customer system in order to
analyze the problem (for example, if they were not able to replicate and solve the issue in the internal test
or development systems), they use the Cloud Access Manager (CAM) tool, which generates temporary
access to the corresponding customer system. Support users are not allowed to share these details. The
CAM tool keeps a log of which user generated which support user at what date and time, so it is always
possible to link a generic support user back to the real person.

Support users follow the pattern SAP_*.

It is often necessary to specify different security policies for different users. For example, your policy may
mandate that individual users who perform tasks interactively change their passwords on a regular basis.

You can only specify security policies for the Business User.

3.1.3 Authentication Mechanisms


Every user type must authenticate itself to SAP Cloud solutions for regular browser-based front-end access, as
well as for electronic data exchange, such as Business-to-Business communication. SAP Cloud solutions don’t
support anonymous access.

When a new user is created in your SAP Cloud solution, for example, during the hiring process of a new
employee, a user ID is created.

To log on to your SAP Cloud solution, the following authentication mechanisms are supported:

• Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
• Logon using client certificate (X.509) as logon certificate
• Logon using user ID and password

Recommendation

We recommend using SSO for basic security. To protect accounts further, configure the identity provider
(IdP) of the SSO solution to provide enhanced security, such as multifactor authentication (MFA),
geofencing, and other additional security features.

As an additional security mechanism, we recommend that you enable multi-factor authentication (MFA) for users
who are assigned to any of the following work centers:

Work Center (Work Center ID)

• Administrator (SEODADMINWCF)
• Application and User Management (ITS_APPLICATIONUSERMANAGEMENT)
• Business Configuration (BC_BUSINESSCONFIGURATION)
• Business Analytics (ANA_BUSINESSANALYTICS)
• Data Workbench (COD_DATALOADER_WCF)
• Data Cleansing (COD_DATACLEANSING_WCF)
• Data Integration (DATA_INTEGRATION)
• Data Protection and Privacy (DATAPRIVACY)
• Developer Tools (OFFLINE_DEV_TOOLS_WOC)
• E-Mail Integration (GROUPWARE_INTEGRATION_WCF)
• Partner Access – Multi-Customer Solution (PARTNER DEVELOPMENT FOR MCS)
• Partner Development (PDI_PARTNER_DEVELOPMENT)
• Service Control Center (CI_CUSTOMER_CONTROL_CENTER)
• Organizational Management (MOM_ORGANIZATIONALMANAGEMENT)

The users assigned to these work centers are power users and have access to admin-type features.

The MFA feature is provided by most identity providers, such as SAP's Identity Access Service (IAS), as an
optional feature and must be enabled. For more information about enabling MFA, see Configure SAP
Authentication 365 in Administration Console.

3.1.3.1 Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO)

Your solution supports SSO based on Security Assertion Markup Language 2.0 (SAML 2.0). To use this
function, your system landscape requires the following components:

• A SAML 2.0-enabled identity provider (IdP)
• At least one local service provider, for example, your solution or a Web-based 3rd-party product
• A browser client

The use of a SAML 2.0-enabled identity provider is mandatory. If you have no identity provider, it is
recommended that you use SAP Cloud Platform Identity Authentication - IAS (former Cloud Identity).

When a user connects to the service provider by using the corresponding URL, the browser redirects the
authentication request to the IdP. If the user is not yet logged on, they are prompted to log on to the IdP. After
that, the browser redirects the connection back to the original URL and the user is automatically logged on to
the service provider. This process flow is always the same for all service providers.

The mutual trust between service provider and IdP is established by the exchange of certificates and additional
metadata.

It is recommended that you disable username and password based access for users who use SSO to log in.
Because these users log on through SSO, they would not notice if their passwords were changed. IdPs can also
provide extra security features such as two-factor authentication, which would not be effective if the username
and password option were still available.

For more information, see the Front-End Single Sign-On document in the Help Center and the SAP Identity
Provider documentation on SAP Help Portal at http://help.sap.com/netweaver under SAP NetWeaver Identity
Management > <release> > Application Help.

3.1.3.1.1 Configure Your Solution for Single Sign-On

This topic describes how to set up your solution to use front-end single sign-on (SSO).

Prerequisites

You’ve downloaded the XML file of the metadata of your identity provider (IdP).

Context

You can configure SSO in your system using the Configure Single Sign-On common task, which is
available under Administrator > Common Tasks.

Procedure

1. Choose My System.
2. Under General > Download Metadata, depending on the type of metadata acceptable to your identity
provider, choose either of the following: SP Metadata (Service Provider Metadata) or STS Metadata
(Security Token Service Metadata).
3. Save the XML file for upload into the IdP.

Note

Some IdPs can upload all information from the metadata XML file. Others require manual entry of the
information contained in the file.

4. Specify whether the employee can manually choose between logging on with a user ID and password, or
with SSO, by using the Manual Identity Provider Selection toggle button.
5. In the Single Sign-On URL Handling section, specify which URL employees must use to log on to the
system. In the URL Sent to Employee drop-down list you can choose from the following options:
a. Non-SSO URL: The system sends only the normal system URL to the employee. The employee can’t
log on using SSO and must use a password or a certificate instead.
b. SSO URL: The system sends only the SSO URL to the employee. The employee can log on using SSO.
The authentication request is redirected through the IdP.
c. Automatic Selection: If SSO isn't active, the system sends the normal system URL to the employee. If
SSO is active, the system checks whether the employee has a password. If the password is available,
both SSO URL and non-SSO URL are sent to the employee. However, if the employee has no password,
only the SSO URL is sent to the employee.
6. Choose Identity Provider.
a. Click New Identity Provider and select the metadata XML file that you’ve downloaded from your IdP.
By importing the metadata, the system automatically uploads the required signature certificate and
encryption certificate.
b. If you have multiple identity providers configured and you haven’t selected the Manual Identity Provider
Selection check box in the previous step, you must select the default IdP, which is automatically
selected when logging on to the system. To do so, select the corresponding IdP and click Actions, then
choose Set to Default.
c. If necessary, you can specify the Alias, which defines the displayed name of the IdP that appears on
the logon screen.
d. If your IdP requires the element Assertion Consumer Service URL in the SAML request, select
the Include Assertion Consumer Service URL check box.
e. The name ID format gives you two ways to map the IdP configuration to your SAP solution. Define the
name ID format that you want to use as the default:

• Unspecified
Maps the NameID attribute from the IdP configuration with the alias (username for logon) in the SAP
solution.
• E-Mail Address
Maps the NameID attribute from the IdP configuration with the e-mail address of the user in the SAP
solution.

 Note

This option requires that an e-mail address is only associated with one user in the SAP solution.
The SAP solution traces the e-mail address to one employee defined in the SAP solution, and then
to the corresponding user.

7. Once you’ve configured your IdP, activate SSO in your cloud solution. To do so, click Activate Single
Sign-On.
8. Save your changes.
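The NameID mapping from step 6e, including the one-user-per-e-mail requirement from its note, as an added example that is not part of this guide or of SAP's code. The user table, issuer URL and tenant URL are constructed; signature verification of the response, which happens before the NameID is trusted, is left out.

```python
"""Resolve the NameID of a SAML assertion to a local user with the two mappings
the guide describes: Unspecified maps the NameID to the user alias, E-Mail
Address maps it to the user's e-mail and is rejected when that e-mail belongs
to more than one user. Everything below is constructed for the example."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed user directory: alias (logon user name) -> e-mail address.
# Two aliases share one e-mail on purpose, to exercise the ambiguity check.
USERS = {
    "jdoe": "john.doe@example.com",
    "asmith": "alice.smith@example.com",
    "asmith2": "alice.smith@example.com",
}


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (format, value) of the assertion's Subject/NameID."""
    # In production the response's XML signature is verified first; omitted here.
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    # SAML 2.0 treats a missing Format attribute as 'unspecified'.
    return node.get("Format", FORMAT_UNSPECIFIED), node.text.strip()


def resolve_user(fmt: str, value: str, users: dict = USERS) -> str:
    """Map a NameID to exactly one alias, or raise LookupError/ValueError."""
    if fmt == FORMAT_UNSPECIFIED:
        if value in users:
            return value
        raise LookupError(f"no user with alias {value!r}")
    if fmt == FORMAT_EMAIL:
        matches = [a for a, mail in users.items() if mail.lower() == value.lower()]
        if len(matches) == 1:
            return matches[0]
        if not matches:
            raise LookupError(f"no user with e-mail {value!r}")
        # The guide requires an e-mail to belong to a single user: refuse the
        # logon rather than guess which employee the IdP meant.
        raise LookupError(f"e-mail {value!r} maps to {len(matches)} users: {matches}")
    raise ValueError(f"unsupported NameID format {fmt!r}")


def logon_outcome(response_xml: str, users: dict = USERS) -> tuple[str, str]:
    """Return ('ok', alias) or ('rejected', reason) for a SAML Response."""
    try:
        fmt, value = extract_name_id(response_xml)
        return "ok", resolve_user(fmt, value, users)
    except (LookupError, ValueError) as exc:
        return "rejected", str(exc)


def sample_response(fmt: str, value: str) -> str:
    """Constructed, unsigned SAML Response carrying one NameID (hypothetical URLs)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-02-20T10:00:00Z"
    Destination="https://my-tenant.example.com/sap/saml2/sp/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-02-20T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{value}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for fmt, value in [(FORMAT_UNSPECIFIED, "jdoe"),
                       (FORMAT_EMAIL, "John.Doe@example.com"),
                       (FORMAT_EMAIL, "alice.smith@example.com")]:
        print(fmt.rsplit(":", 1)[-1], value, "->", logon_outcome(sample_response(fmt, value)))
```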

3.1.3.2 Upgrade SAML Certificates

Upgrade the SAML certificates to the SHA256 RSA signing algorithm and a 2048-bit key

If your tenants' SAML certificates use the SHA1 RSA signing algorithm with a 1024-bit key, we recommend that
you upgrade them to the SHA256 RSA signing algorithm with a 2048-bit key. This helps you comply with the
security requirements of current industry standards.

You can upgrade the SAML certificates by following these steps:

1. Go to Administrator > Common Tasks > Configure Single Sign-On.
2. Click Upgrade SAML Certificates.
3. Click Confirm on the modal dialog Upgrade SAML Certificates.

 Note

Upgrade SAML Certificates is a one-time activity and cannot be reversed.

Once executed successfully, the system displays the Upgrade SAML Certificates successful message, and the
Upgrade SAML Certificates button is hidden from the user interface.

After the certificates are upgraded, the following things happen:

• The administrators are notified via a notification task with the subject, SAML certificates have been
upgraded by <user technical ID>. To get the notification, you must have scoped the business option
Business Task Management with the scoping question, Do you want to use e-mail to notify business users
about Business Task Management items?, in the Business Configuration work center.
• Existing integration scenarios that rely on the SAML metadata stop working; this affects, for example,
Single Sign-On and OAuth. As a next step, you must download the new SP or STS metadata from the
Configure Single Sign-On screen and upload the required information to the relevant applications.
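A check an administrator can run on the SP or STS metadata before and after the upgrade, as an added example that is not SAP code: it reports the XML-DSig signature method and the RSA key size of each KeyDescriptor and flags RSA-SHA1 or keys shorter than 2048 bits, and it prints certificate fingerprints as hex pairs so they can be compared with what the IdP shows. The metadata, entity ID and certificate bytes are constructed (the certificate blob is not a real X.509 certificate), and it assumes the metadata carries RSAKeyValue elements next to the certificate.

```python
"""Inspect SAML metadata for the signing algorithm and key sizes the guide
recommends (SHA256 RSA, 2048-bit keys). Constructed input; not SAP code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
MIN_KEY_BITS = 2048


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER-encoded certificate as space-separated hex pairs."""
    return " ".join(f"{b:02x}" for b in hashlib.new(algo, der).digest())


def _b64_text(node) -> bytes:
    """Decode base64 element text, tolerating the line breaks metadata tools insert."""
    return base64.b64decode("".join((node.text or "").split()))


def check_metadata(xml_text: str) -> dict:
    """Return entity ID, signature method, per-key details and a list of findings."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "signature_algorithm": None,
              "keys": [], "findings": []}
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is not None:
        report["signature_algorithm"] = method.get("Algorithm")
        if report["signature_algorithm"] == RSA_SHA1:
            report["findings"].append("metadata is signed with RSA-SHA1; expect RSA-SHA256")
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # a missing 'use' means both
        entry = {"use": use}
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None:
            der = _b64_text(cert)
            entry["sha1"] = fingerprint(der, "sha1")
            entry["sha256"] = fingerprint(der, "sha256")
        modulus = kd.find("ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue/ds:Modulus", NS)
        if modulus is not None:
            # The RSA key size is the bit length of the modulus.
            bits = int.from_bytes(_b64_text(modulus), "big").bit_length()
            entry["key_bits"] = bits
            if bits < MIN_KEY_BITS:
                report["findings"].append(f"{use} key is {bits} bits; expect {MIN_KEY_BITS}")
        report["keys"].append(entry)
    return report


def sample_metadata(sig_alg: str, key_bits: int) -> str:
    """Constructed SP metadata with a signing and an encryption KeyDescriptor.
    The ds:Signature is a stub carrying only the SignatureMethod."""
    modulus = (1 << (key_bits - 1)) | 1  # synthetic odd number of exactly key_bits bits
    mod_b64 = base64.b64encode(modulus.to_bytes((key_bits + 7) // 8, "big")).decode()
    cert_b64 = base64.b64encode(b"constructed-certificate-bytes").decode()
    key_info = f"""<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>
        <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{mod_b64}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>"""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://my-tenant.example.com/sap/saml2/sp">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">{key_info}</md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">{key_info}</md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-tenant.example.com/sap/saml2/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, alg, bits in [("before upgrade", RSA_SHA1, 1024), ("after upgrade", RSA_SHA256, 2048)]:
        rep = check_metadata(sample_metadata(alg, bits))
        print(label, rep["signature_algorithm"], [k.get("key_bits") for k in rep["keys"]])
        for finding in rep["findings"]:
            print("  finding:", finding)
```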

3.1.3.3 Logon Using Client Certificate (X.509)

Users can also log on with a client certificate to complete authentication. To do so, users can choose between
the following options:

• If users already possess a suitable client certificate from a trusted Certification Authority, then they can
map the client certificate to their user ID.
• If no suitable client certificate is available, then users can request a client certificate from within the SAP
Cloud solution. In response, an SAP Certification Authority provides the requested certificate. This
request can be repeated on any other device used to access SAP Cloud solutions. The same certificate
cannot be used to log on as multiple users.

We strongly recommend that you never store the X.509 client certificate in an unprotected keystore. Because
the download also contains the corresponding private key, the downloaded file should be protected with a
sufficiently strong passphrase of the user's choice.

The following table contains the trusted certification authorities for client certificates:

Approved Root CAs

Disapproved Root CAs



3.1.3.4 Log On Using User ID and Password

Users log on to SAP Cloud solutions with their assigned user ID and password.

By default, a strong security policy for passwords is preconfigured in your solution, based on SAP’s product
security standard. You as an administrator can set an initial password and edit and create security policies
according to the security requirements of your company.

For more information, see Security Policy Quick Guide [page 36].

If a user has forgotten the password, that person can request a new one by using the password self-service on
the logon screen. A dialog box is displayed where the user has to enter the workplace e-mail address. Provided
this workplace e-mail address has already been entered for the corresponding employee or service agent in your
solution, an e-mail containing a security code is sent to this e-mail address.

The system then displays a dialog box where the user can enter this security code. Note that the security code
is only valid in this dialog box. If the security code has been entered correctly, the system generates a new
temporary password with which the user can log on to the system. The system immediately displays another
dialog box requiring the user to change this temporary password.

Password Security

We recommend that you implement some security parameters for password protection:

• Enforce strict password rules.
• Increase the minimum requirement for password length, and encourage the introduction of complexity.
• Validate password use and history to prevent repetition and reuse of the same password.
• For administrative users, passwords should be at least 12 characters long.
• To reduce the risk of brute force attacks, keep the number of failed password attempts to less than five.

3.1.3.5 Create a Security Certificate for HTTPS-Enabled Computer Telephony Integration (CTI)

You can enable HTTPS security for outbound phone calls made from your solution. To fully enable this feature,
you need to create a security certificate. This example uses Windows PowerShell.

Context

To make outbound calls, you must have a CTI provider such as Sinch Contact Center (previously SAP Contact
Center) or other third-party product.

After you complete this process, users will be able to call customers directly from the solution without having
to navigate to another system.

Follow these steps to create a security authority and a security certificate from Windows PowerShell.

Procedure

1. Create a root certificate authority by opening PowerShell and entering the following commands
(replacing CODCTI Authority with your desired name):

# Root CA certificate, placed in the Trusted Root store of the local machine.
# -Subject sets the name directly; -DnsName would prefix it with a second "CN=".
New-SelfSignedCertificate -Subject "CN=CODCTI Authority" -CertStoreLocation "Cert:\LocalMachine\Root" -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(10)

2. Create a server certificate signed by the previously created authority with these commands, again
replacing CODCTI Authority with your desired name.

These commands generate a server certificate for localhost.

# The Cert: drive addresses certificates by thumbprint, not by name, so look the authority up by its subject.
$rootCert = Get-ChildItem -Path "Cert:\LocalMachine\Root" | Where-Object { $_.Subject -eq "CN=CODCTI Authority" } | Select-Object -First 1
# Server certificate for localhost, signed by the authority and stored in the Personal store.
$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "Cert:\LocalMachine\My" -Signer $rootCert -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)

3. Configure the SSL binding using the generated certificate.

In the following commands, replace $port with your desired port, $certThumbprint with the thumbprint of
the server certificate (which you can find using the certificate manager), and $appId with the appid of the
CTI Client Adapter.

$certThumbprint = $cert.Thumbprint
$appId = "{7e46cd40-39c6-4813-b414-019ad22e55b2}"
$port = 36731
# Quote the arguments so PowerShell expands the variables before passing them to netsh.
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$certThumbprint" "appid=$appId"

3.1.4 Security Policy Quick Guide

As an administrator, you can increase the security level, if desired, by editing and enhancing the security policy,
for example, by changing the complexity and validity for all passwords, in accordance with your company's
security requirements.

You can access the Edit Security Policies common task under Administrator > Common Tasks.

You can also define the length of time after which mobile users must reenter the app password to log on to the
system from a mobile device and the maximum number of times in succession a user can enter an incorrect
password before mobile app data is deleted from the mobile device as well as other properties regarding the
complexity of the password.

You can also set a flag to enforce a password change requested by the administrator. Navigate to
Administrator > Common Tasks > Edit Security Policies, and set the Password Logon Enabled toggle button
to Yes. In the Admin Password Change Enforcement dropdown, you can choose Enforce or Ignore.

For more information about the app password, see Secure System Access and Authentication [page 50].

3.1.4.1 Create a Security Policy

A security policy is a set of rules that defines password complexity, such as including numerical digits and
password validity, like requiring a password change after a certain period of time.

Procedure

1. To create a new security policy, click Add Row.
   The system creates a new security policy and generates the associated policy ID.

Note

To create a new security policy similar to an existing one, select an existing security policy and click Copy.

2. If necessary, change the Policy ID.
3. Enter a Policy Name and Description for the new security policy.
4. Save your changes.

You can define multiple security policies because work areas or departments of a company may have
different password security requirements.

3.1.4.2 Edit an Existing Security Policy

Use this procedure to edit an existing security policy.

Procedure

1. Choose the security policy you need to edit.

Remember

You cannot change policies that begin with S_. These are default security policies delivered by SAP.

2. Change the complexity and validity rules for passwords assigned to the security policy.
3. Save your changes.

Remember

If a user's password does not comply with the changed password rules, the user is prompted to change
the password with the next system logon.

3.1.4.3 Assign Security Policies

You can assign a security policy to multiple business users at one time.

Procedure

1. In the Business User subview, click Actions and select Assign Security Policy.
2. Select one or more users that you need to assign a security policy to.
3. Click Assign Business Role and select the security policy that you would like to assign to the selected
business users.
4. Click OK to save the assignment.

3.1.4.4 Define the Default Security Policy

When a business user is created, the system automatically assigns the default security policy to the business
user.

Context

To define the default security policy, perform the following steps:

Procedure

1. In the Default column, select the check box for the security policy you want to define as the default
   security policy.
2. Save your changes.

Note

You can change the security policy assignment in the Business Users view.

3.1.4.5 Delete an Existing Security Policy

Use this procedure to delete an existing security policy.

Procedure

1. Choose the security policy you need to delete.

Note

• If you have selected a security policy beginning with S_, the Remove button is deactivated, as the
deletion of a default security policy delivered by SAP is not permitted.
• If you have selected a security policy that is currently assigned to users, you cannot delete it.

2. Click Remove.
3. Save your changes.

3.1.5 Security Settings

As an administrator, you can define security settings that are applicable for all users, or a selected business
role.

Auto Sign Out

For security reasons, users are automatically logged off of the system if they’ve been inactive in the system for
a certain period of time. If you leave this option empty, inactive users will be logged off of the system after 1
hour.

You can set the auto logoff time for all users in your company. To do so, proceed as follows:

1. Navigate to the user menu, and click Settings > Company.
2. Under Define Settings for, select one of the following:
   • Company: To apply settings for all users
   • Role: To apply settings for a selected role.
3. In the Auto sign out tab, open the dropdown list, and select the preferred time duration after which inactive
   users will be automatically logged off the system.
4. Click Save.

Note

This is currently only supported in browsers.

Certificate Pinning

Enabling the certificate pinning feature allows secure communication between the app and the SAP Cloud for
Customer server. Your administrator has to enable this feature.

3.2 Authorization

To grant access rights, you must maintain the necessary authorizations.

Note

Personalizing any part of the UI does not change or add any security settings, as this is part of extensibility,
which allows you to display or hide fields based on user/business roles, screen adaptations, and so on. For
example, if you remove the edit button from the UI, the edit option is still available via OData APIs.

Authorization Assignment [page 40]
You can assign authorizations to each employee who has a user ID in your solution.

Access Restriction [page 40]
You can define whether a particular user has read or write access to data in a work center view.

Segregation of Duties [page 47]
If the user has been assigned to multiple work centers, your SAP Cloud solution checks whether the
assigned views conflict with the segregation of duties.

3.2.1 Authorization Assignment

You can assign authorizations to each employee who has a user ID in your solution.

Employees are assigned to org units within organizational management. The assigned org unit determines the
functions that the employee can use.

Based on these functions, work centers and work center views are proposed for the users. Some business
processes require that a work center view can only be assigned together with one or more other work center
views. If you as an administrator assign such a work center view to a user, then your solution automatically
assigns these additional views to the user.

In SAP Cloud for Customer, you can enable partner contacts to access your SAP system by creating a user
ID separate from employees in your solution. Partner contacts are service agents, used to give external
employees system access. Partner contacts should be assigned their own business roles to keep their access
to your SAP system limited.

Caution

Creating user IDs for your business partners will allow outside access to your system.

3.2.2 Access Restriction

You can define whether a particular user has read or write access to data in a work center view.

Your SAP Cloud solution provides the user with access to all of the business documents and Business Task
Management items in that work center view.

You can restrict access to specific data on the basis of the access context assigned to the work center view in
which the data appears.

Caution

It is important to be aware of the following dependencies when you assign work centers and views directly
to users:

• Each work center view contains specific activities that can be carried out by a user with the necessary
  access rights for the view. When you assign a view or work center directly to a user, rather than
  assigning these through a business role, by default the user will have unrestricted read and write
  access to all the functions associated with the work center view.
• Additionally, in some cases the same activities can be carried out in multiple views. When you grant
  access rights, you should be aware that if there is a conflict, unrestricted access rights override any
  restrictions you have defined. For example, view A and view B both contain activity C. For view A, a user
  has unrestricted read and write access, but for view B, the same user has read-only access. Because
  unrestricted access rights override restricted access rights, the user will actually have both read and
  write access to both views.

Recommendation

We recommend that you handle access rights by assigning business roles to users rather than by assigning
work center views directly to users. The advantages of assigning access rights through business roles are
considerable:

• It eliminates the risk of a user accidentally having authorizations to read or edit data to which he or she
  should not have unrestricted access.
• There is much less maintenance effort involved when you have to edit access rights, for example, after
  an upgrade. You only have to edit the access rights associated with the business role and not the
  individual user's access rights.

3.2.2.1 Sales: Setting up User Access Rights and Restrictions

In SAP Cloud for Sales, the ability to grant and restrict authorizations is supported for most work center views,
such as Accounts, Employees, Products, Activities, or Opportunities.

Views are assigned through a work center to business roles. Authorizations for certain views can be restricted
either to employees or territories associated to the specific item within a view, or through an assignment of the
employee to an organizational unit.

Access Contexts and Restriction Rules

Access contexts bundle context-specific restriction rules that are assigned to various work center views, and
you, as an administrator, can choose at the business role level which restriction rule is used for which view.

You will find a selection of applicable restriction rules when you set at least the Write Access to Restricted.

For example:

• 1015: Employee or territory:
  • 1: Assigned territories or/and employees (for managers)
    This rule implies that data can be accessed through direct employee assignment, independent of the
    employee role, or through territory assignment. If the rule applies to a manager, data is accessible
    through the employee and territory hierarchies.
  • 2: Assigned territories and employee of user
    This rule implies that data can only be accessed through direct employee assignment, independent of
    the employee role, or through territory assignment.
  • 3: Assigned territories
    This rule implies that data can only be accessed through territory assignment.
  • 99: Define specific restrictions
    This rule should apply only if the above rules do not satisfy the access needs. Note that restriction
    rule 99 likely requires the setup of different business roles.
• 2001: Business object product:
  • 1: Sales organization of user
    This rule implies that data can be accessed through the organizational assignment of the employee.
  • 99: Define specific restrictions
    This rule should apply only if the above rules do not satisfy the access needs. Note that restriction
    rule 99 likely requires the setup of different business roles.

Access Context ID

Access context IDs appear only in the context of access rights at the business user level, where you can
find the IDs of employees, business users, org units, territories, and sales channels. The following objects and
access context IDs are available:

• Employee: Employee ID
• Territories: Territory ID
• Org center: Org center ID
• Sales chain: Org center ID plus distribution channel

3.2.2.1.1 Sales: Setting up Business Roles and Users

Procedure

1. In the Administrator work center, choose General Settings > Users > Business Roles and create a
   business role. The business role defines a set of work centers and their associated views, including their
   restriction rules.
2. Assign work centers and views under Work Center and View Assignments. Select the views applicable for the
   business role.
3. Under Access Restrictions, restrict the access for the work center views as appropriate by setting at least
   the Write Access to Restricted or No Access. If a view offers specific rules, you can select one from the
   Restriction Rule drop-down box.
   If you want different rules for write and read access for the same view, you need to create two
   business roles with the same view assignment. One business role should get specific read access with the
   write restriction set to No Access, and the second business role should get the same view with both read
   and write access.
4. Under Fields & Actions, you can restrict the access for all extension fields and selected business fields and
   actions.
5. Save your work and choose Actions > Activate to activate your role.
6. In the Administrator work center, choose Users > Employees and create an employee. Note that you
   can create an employee only when you do not use external integration with, for example, SAP ERP.
7. Choose Users > Business Users, open the created employee as a business user, and choose Edit
   Access Rights.
8. Under Business Role Assignment, assign the created business role to the user.
   Under Access Restrictions, you can restrict the access on a user level only if you haven't assigned a
   business role. For this, change at least the Write Access to Restricted. Now the restrictions on the
   Detailed Restrictions tab are changeable and you can change the access on the Access Group ID level.
   We recommend restricting through the business role assignment only.
9. Save the changes.

Results

The authorization is set up for the corresponding business user.

3.2.2.1.2 Sales: Restricting Authorizations by Fields and Actions

Note that the value Unrestricted is only relevant if a user is assigned to more than one business role.

If a business field occurs in one of the business roles with access restriction Unrestricted, then the user has
no restriction even if there is another business role restricting the business field. If the business field does not
occur in a business role, but is restricted in another business role, then the user is restricted accordingly.
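How the two precedence rules described above combine when a user holds several views or roles: the Access Restriction caution that an unrestricted grant on a shared activity overrides a read-only grant in another view, and the Fields & Actions rule that Unrestricted in any role wins while a field absent from one role but restricted in another stays restricted. This is an added Python illustration, not SAP code; the views, roles, fields and the helper that flags overridden restrictions are constructed for the example.

```python
"""Effective access when a user holds several views or roles, following the
precedence the guide describes: an Unrestricted grant anywhere overrides a
restriction elsewhere.  Added illustration, not SAP code; the roles, views
and fields below are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NO_ACCESS = 0
    READ = 1
    READ_WRITE = 2  # "Unrestricted" read and write


@dataclass
class View:
    name: str
    activities: frozenset  # activities that can be carried out in this view


def effective_activity_access(views, grants):
    """Per-activity access for one user.  `grants` maps view name -> Access.
    An activity reachable from several views takes the most permissive grant,
    because unrestricted access overrides restricted access."""
    result = {}
    for view in views:
        level = grants.get(view.name, Access.NO_ACCESS)
        for activity in view.activities:
            result[activity] = max(result.get(activity, Access.NO_ACCESS), level)
    return result


def overridden_restrictions(views, grants):
    """Activities whose restriction in one view is defeated by a more
    permissive grant in another view, keyed by activity -> [views where the
    restriction no longer holds]: the check to run before granting a view."""
    effective = effective_activity_access(views, grants)
    findings = {}
    for view in views:
        level = grants.get(view.name, Access.NO_ACCESS)
        for activity in view.activities:
            if level < effective[activity]:
                findings.setdefault(activity, []).append(view.name)
    return findings


def direct_assignment_grants(views):
    """Assigning views directly to a user (instead of through a business role)
    gives unrestricted read and write access to every view by default."""
    return {view.name: Access.READ_WRITE for view in views}


def field_is_restricted(field_name, roles):
    """Fields & Actions rule: Unrestricted in any assigned role wins; a field
    missing from one role but restricted in another stays restricted.
    `roles` maps role name -> {field -> True (restricted) / False (unrestricted)}."""
    restricted_somewhere = False
    for restrictions in roles.values():
        if field_name in restrictions:
            if not restrictions[field_name]:
                return False  # Unrestricted in one role: no restriction at all
            restricted_somewhere = True
    return restricted_somewhere


# Constructed data following the guide's "view A and view B both contain activity C".
VIEWS = [View("A", frozenset({"C", "edit account"})),
         View("B", frozenset({"C", "export list"}))]
GRANTS = {"A": Access.READ_WRITE, "B": Access.READ}

if __name__ == "__main__":
    print(effective_activity_access(VIEWS, GRANTS))
    print(overridden_restrictions(VIEWS, GRANTS))  # {'C': ['B']}
```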

3.2.2.1.3 Sales: Recommended Rules for Authorization Restrictions

To reduce the effort for the maintenance of authorizations, administrators should avoid using the specific
restriction 99 within a particular access context.

The other access restriction rules are binding for the overall master data, meaning that you do not need to
change user restrictions separately or create new business roles. Rather, you, as an administrator, can
specify a restriction rule within a business role, and then assign that business role to multiple users. With this
approach, authorizations are automatically derived from the existing master data.

Note

If an employee's organizational or territory assignment changes after the initial assignment of a
restriction to a business role, then you, as a business administrator, must update your business users
to ensure that these changes are considered:

• Choose Administrator > Business Roles.
• Find the relevant business role.
• Choose Actions > Update Business Users.

Whenever you, as an administrator, maintain the authorizations of business users, we recommend that you assign
business roles to these users in concert with restriction rules.

Example: Using Restriction Rules in Access Context 1015

Access context 1015 (Employee or Territory) can be applied to accounts, contacts, leads, sales leads,
opportunities, and sales quotes. Two restriction rules, described below, are delivered for this access context:

• Assigned Territories and Employees (for Managers):
  This restriction rule grants authorization for:
  • The employee him- or herself
  • All employees within the line of organization of the employee, if the employee is a manager
  • All territories to which the employee is assigned, and all territories beneath the employee
• Assigned Territories and Employees of User:
  This restriction rule grants authorization for:
  • The employee him- or herself
  • All territories to which the employee is assigned, and all subterritories beneath the employee
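The restriction rules of access context 1015 worked through on constructed master data, as an added Python illustration rather than SAP code: a territory tree (United States with California and Florida beneath it), a manager line, and items with or without employee or territory assignment, including the rule from the Employees section that items with no assignment are visible to everyone. The data model, the sample data and the function names are assumptions made for the example; rule 99 is not modelled.

```python
"""Visibility of sales items under restriction rules 1, 2 and 3 of access
context 1015 (Employee or Territory).  Added illustration for this guide,
not SAP code: the data model and the sample master data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    item_id: str
    employees: frozenset = frozenset()    # directly assigned employees
    territories: frozenset = frozenset()  # assigned territories


@dataclass
class MasterData:
    manager_of: dict        # employee -> manager (absent: top of the line)
    territory_parent: dict  # territory -> parent territory (absent: root)
    user_territories: dict  # employee -> set of directly assigned territories


def descendants(parent_map, roots):
    """Every node at or below any of `roots` in a parent-pointer hierarchy."""
    result = set(roots)
    changed = True
    while changed:  # fixed-point pass, so the depth of the tree does not matter
        changed = False
        for node, parent in parent_map.items():
            if parent in result and node not in result:
                result.add(node)
                changed = True
    return result


def line_of_organization(md, manager):
    """Employees reporting directly or indirectly to `manager`."""
    return descendants(md.manager_of, {manager}) - {manager}


def territory_scope(md, user):
    """The user's assigned territories and every territory beneath them."""
    return descendants(md.territory_parent, md.user_territories.get(user, set()))


def can_access(rule, user, item, md):
    """Apply restriction rule 1, 2 or 3 of access context 1015 to one item."""
    if rule not in (1, 2, 3):
        raise ValueError("rule 99 (specific restrictions) is not modelled here")
    if not item.employees and not item.territories:
        return True  # items without employee or territory are visible to all
    if item.territories & territory_scope(md, user):
        return True  # territory assignment applies under all three rules
    if rule == 3:
        return False  # rule 3: territory assignment only
    if user in item.employees:
        return True  # rules 1 and 2: the employee him- or herself
    # rule 1 only: a manager also sees items of his or her line of organization
    return rule == 1 and bool(item.employees & line_of_organization(md, user))


def visible_items(rule, user, items, md):
    """Sorted IDs of the items `user` may see under the given rule."""
    return sorted(i.item_id for i in items if can_access(rule, user, i, md))


# Constructed sample: alice manages bob; dave manages carol.
SAMPLE = MasterData(
    manager_of={"bob": "alice", "carol": "dave"},
    territory_parent={"California": "United States", "Florida": "United States"},
    user_territories={"bob": {"California"}, "carol": {"Florida"},
                      "dave": {"United States"}},
)
SAMPLE_ITEMS = [
    Item("ACC-1", employees=frozenset({"bob"})),
    Item("ACC-2", territories=frozenset({"Florida"})),
    Item("ACC-3"),  # no employee and no territory assigned
    Item("ACC-4", employees=frozenset({"carol"}), territories=frozenset({"California"})),
]

if __name__ == "__main__":
    for rule in (1, 2, 3):
        for user in ("alice", "bob", "dave"):
            print(rule, user, visible_items(rule, user, SAMPLE_ITEMS, SAMPLE))
```

Under rule 1 alice sees ACC-1 through bob in her line of organization, while under rule 2 she sees only the unassigned ACC-3; dave reaches ACC-2 and ACC-4 through the subterritories of United States even under rule 3.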

3.2.2.1.4 Sales: Restricting Authorizations by Territories

Authorizations for employees, fields, and actions can also be restricted on the basis of the territory that is
automatically determined or maintained for that item.

Note

Several territories can be assigned to an account at a given time.

By editing the access group ID Territories, you, as an administrator, can grant authorizations to the business
users that are associated with the territories. If you modify the authorization of a business user in relation
to a territory, then that user can view or update the items that are assigned to that territory, or to any
corresponding territory.

For example, if you assign authorization to an employee to view or update items that are related to a certain
territory, for example, the United States, then that employee can also view or update items that are related to
subordinate territories, such as California or Florida.

3.2.2.1.5 Sales: Restricting Authorizations by Employees

By editing the access group ID Employees, you, as an administrator, can grant authorizations to employees to
see items of their own, or of other employees.

Employees who have been granted the appropriate authorizations can see or update each item, as follows:

• Provided that they belong to the account team or territory team, meaning that they are directly or
  indirectly associated with an account by means of any role (including a customer-derived one), authorized
  employees can view or update accounts.
• Provided that they belong to the account team of an account that is associated with a contact, authorized
  employees can view or update contacts.
• Provided that they are assigned as an involved party or sales team in a document such as an activity, lead,
  sales quote, or opportunity, authorized employees can view or update them.

Note

Items to which no employee or territory has been assigned can be accessed by all employees.

Within User Management, employees can be displayed either in simple list format or in the corresponding
organizational hierarchy, which indicates the employees responsible for each organizational unit. You, as an
administrator, can therefore choose to modify either the authorizations of the employee or of the employees
who are assigned to the relevant organizational unit.

If you choose to modify authorizations in relation to a particular organizational unit, then the authorization
changes will be applied to all employees who belong to that organizational unit, or to any subordinate unit. At a
later date, you can also modify the authorizations of individual employees on this organizational unit, if desired.

3.2.2.1.6 Sales: User Authorization Troubleshooting

This section describes authorization issues that you, as an administrator, may encounter, and how you can
resolve them.

Authorization for a certain user has been restricted for a particular item, but the user can still view or edit
the item.

This issue commonly occurs for the following reasons:

• No employee or territory is assigned to an account, lead, opportunity, activity, or sales quote.
• No sales organization is assigned to the product.
• The employee is not assigned to a sales org unit.
• The restricted item appears in two work center views, but you did not restrict the user's authorization in
  the same way in each view.
  For example, if opportunities are not restricted under Analysis > Pipeline and Analysis > Forecast
  in the same way, then users who are restricted from seeing opportunities in the sales pipeline may
  nonetheless see opportunities in the forecast opportunity list, and vice versa.

The organizational or territory assignment of an employee or manager has changed, but the user cannot
access the items that relate to the new assignment.

If master data changes occur, then you, as the administrator, must update your business users as follows:

1. Choose Administrator > Business Roles.
2. Find the relevant business role.
3. Choose Actions > Update Business Users.

This action is especially important if you change, for example, the managerial responsibility for organizational
centers within the organizational hierarchy, or if you modify the assignment of employees to territories.

3.2.2.2 Service: Setting up User Access Rights and Restrictions

Allowing employees to edit tickets gives an employee the ability to engage with customers.

In SAP Cloud for Service, you can limit the employee access to tickets to ensure that only qualified employees
engage with customers. You can limit the access of a single employee or group of employees. You can also limit
access for partners and partner contacts.

It is recommended that you use roles to enable access restriction. Assigning access using roles allows you to
create one set of access definitions that can be copied to multiple users.

3.2.2.2.1 Service: Defining User Access for a Group

Procedure

1. Create the organization that will contain the employees that you assign to this group.
2. After you have created the organization, create routing rules to define which tickets are assigned to the
organization.
3. Create a role. A role contains permissions that are inherited by each employee assigned to the role.
a. In the Access Restrictions tab, restrict read and write access for Tickets and Queue in the Assigned
Work Center Views list. Assign access rights to users according to your business needs.
b. To restrict employee access to the employee's organization, open the Detailed Restrictions list and
ensure that the check boxes for Read Access and Write Access are checked only for the employee's
organization.
c. To allow employees to read tickets in other organizations, open the Detailed Restrictions list and ensure
   that the Read Access and Write Access check boxes are checked for the employee's organization.
   Select Read Access to allow the employee to read the tickets of the selected organization.
4. Assign the role to all applicable employees.

3.2.2.3 Restricting Access for Local Administrators

In a company with a global workforce, it is important to have administrators for global work tasks as
well as local administrators that cover subsidiary tasks. Therefore, the company should have a few global
administrators with expansive rights and many more local administrators with more restrictive rights.

Context

Additionally, these global and local administrators can edit access rights for business users by assigning
business roles with local scope to the users.

Tip

Your company's headquarters are located in Paris and you have subsidiaries in Chicago, Tokyo, and New
Delhi. If issues happen in the subsidiaries, the workforce there can't wait until the administrators in Paris are
working again, because they are in different time zones. So it would be better if you can create roles for local
administrators that are enabled to manage the local issues but without access to other data outside their
local organization.

Procedure

1. As global administrator, you need to generally restrict the access of your local administrators to the views
   they will be able to access and to assign to the users of their sales organization. For this, select
   Administrator > General Settings > Users > Work Center View Restrictions for Local Administrators.
   The views must be either Allowed or Partially Allowed. We recommend that you un-restrict at least the
   Employees and Business Users views.
2. Create a business role for the local administrators. The role for the local administrators should have
   all Allowed and Partially Allowed views that you defined in Work Center View Restrictions for Local
   Administrators, and especially Employees and Business Users. Take care that the access for the Employees
   and Business Users views is restricted to the sales organization of the users.
   Only business roles with the scope Local can be assigned to business users by local administrators. A
   business role is Global if at least one view is either Not Allowed or Partially Allowed, but not restricted with
   a restriction rule (besides restriction rule 99).
3. Now you can create business roles for local administrators with the allowed and partially allowed views you
   defined in Work Center View Restrictions for Local Administrators.
   • You can only create local roles for views that you defined in the Work Center View Restrictions for Local
     Administrators view as Partially Allowed or Allowed. If one view is marked as Not Allowed, the role
     isn't visible for the local administrator.
   • Local administrators cannot assign global roles to local business users.
   • If you un-restrict a view in Access Restrictions that is set as Partially Allowed in Work Center View
     Restrictions for Local Administrators, the entire role switches to Global and disappears for the local
     administrator.
   • Local administrators can only use roles with scope Local.
4. On the Fields & Actions tab of your local administrator role, under Business Restrictions, you can also
   restrict whether the local administrator can be the only one to edit access rights or attributes of other users.

3.2.3 Segregation of Duties

If a user has been assigned multiple work centers, your SAP Cloud solution checks whether the assigned
views conflict with segregation-of-duties rules.

Segregation of duties is designed to minimize the risk of errors and fraud, and to protect company assets, such
as data or inventories.

The appropriate assignment of access rights distributes the responsibility for business processes and
procedures among several users.

For example, suppose that your company requires that two employees be responsible for the payment process.
This requirement ensures that the responsibility for managing company finances is shared by two employees.

A segregation of duties conflict occurs when a user has access to a set of work center views that could enable
him or her to make an error or commit fraud, thereby damaging company assets. If the application detects a
conflict, it indicates that conflict in the user interface and proposes possible solutions.

Based on this information, you can alert business process owners to existing conflicts, so that they can
implement process controls to mitigate them.
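The conflict check described above, as an added example that is not SAP's code or part of this guide. The view names, the conflict matrix, the users and the mitigation register are all hypothetical; in the product the matrix is SAP-defined and the check runs when views are assigned.

```python
# Added example (not SAP code): a segregation-of-duties check over a user's
# work center view assignments. The conflict matrix, view names, users and
# mitigations are constructed for illustration.
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical SoD matrix: pairs of views a single user must not hold, with the risk.
CONFLICT_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"Supplier Master Data", "Payment Release"}):
        "could create a supplier and release payments to it",
    frozenset({"Purchase Orders", "Goods Receipt"}):
        "could order goods and confirm their receipt without a second person",
    frozenset({"Business Users", "Access Rights"}):
        "could create a user and grant it any access rights",
}

Pair = Tuple[str, str]


def find_conflicts(views) -> List[Tuple[Pair, str]]:
    """All conflict pairs fully contained in the user's view assignment."""
    assigned = set(views)
    found = [(tuple(sorted(pair)), risk)
             for pair, risk in CONFLICT_RULES.items() if pair <= assigned]
    return sorted(found)


def evaluate_user(user_id: str, views, mitigations: Dict[Tuple[str, Pair], str]) -> dict:
    """Split conflicts into open ones (with proposed fixes) and mitigated ones.

    A conflict counts as mitigated when the process owner has documented a
    process control for this user and pair; otherwise the proposal is to
    remove one of the two views, which is what the UI offers.
    """
    result = {"open": [], "mitigated": []}
    for pair, risk in find_conflicts(views):
        control = mitigations.get((user_id, pair))
        if control:
            result["mitigated"].append({"views": pair, "control": control})
        else:
            result["open"].append({
                "views": pair,
                "risk": risk,
                "proposals": [f"remove view '{v}' from {user_id}" for v in pair],
            })
    return result


# Constructed assignments.
USER_VIEWS = {
    "jdoe": ["Supplier Master Data", "Payment Release", "Sales Orders"],
    "asmith": ["Purchase Orders", "Goods Receipt", "Business Users"],
    "rlee": ["Sales Orders", "Opportunities"],
}

# Constructed mitigations agreed with the process owner.
MITIGATIONS = {
    ("asmith", ("Goods Receipt", "Purchase Orders")):
        "monthly four-eyes review of purchase orders above 10k by the finance lead",
}

if __name__ == "__main__":
    for user, views in USER_VIEWS.items():
        print(user, evaluate_user(user, views, MITIGATIONS))
```

Keeping the mitigation register keyed by user and pair, rather than just by pair, matters: a control that covers one person's conflict says nothing about another user holding the same two views.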

3.3 Mobile Devices

With the SAP Cloud mobile solutions, you can access many of the functions that have been tailored to business
on the go.

Changes made in the mobile apps are synchronized to the system over the internet in real time while the device
is online. Mobile solutions connect to the SAP Cloud solution in the same way as personal computers do.

The following table provides information about the mobile devices on which you can run SAP Cloud solutions:

Supported Mobile Devices

Device/Operating System Supported

iPhone/iPad Yes

Android Yes

Windows Tablet Yes

Windows Phone Yes

Offline Support

Device                    Offline Support
iPad/iPhone               Yes
Android Tablet/Phone      Yes
Windows Tablet            Yes

 Note

If you disable the device pin on an Android device, then the offline encryption is also disabled.

SAML2 Based SSO [page 49]
List of SAML2 based SSO supported mobile devices.

SSO Recommendation [page 49]
The following is our recommendation for the users.

Secure System Access and Authentication [page 50]
Access from mobile devices is enabled by connecting to the back-end system using HTTPS and the
same user and password authentication used for connection from a personal computer.

Special Considerations [page 51]
Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen.
Therefore, we recommend that you use the security features provided by your mobile device platform.

Data Storage [page 51]
This section describes the types of data stored on the mobile device.

Offline Mode [page 53]
For working offline, data is stored on the device and encrypted.

Related Information

About Mobile Options


Mobile Device Requirements

3.3.1 SAML2 Based SSO

List of SAML2 based SSO supported mobile devices.

The following devices support the SAP Cloud for Customer hybrid apps with SAML2 based SSO:

Hybrid Apps

• SAP Cloud for Customer, extended edition for Android
• SAP Cloud for Customer, extended edition for iOS
• SAP Cloud for Customer, extended edition for Windows

Supported Devices

• Apple (iPhone and iPad)
• Android (Phone and Tablet)
• Microsoft Windows (Phone and Tablet)

 Recommendation

For setup information, refer to Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO) [page
13].

3.3.2 SSO Recommendation

The following is our recommendation for the users.

For single sign-on (SSO), we recommend disabling username and password access. However, ensure that you
maintain up-to-date, accurate e-mail addresses for the users, because they are needed if a problem occurs
with SSO and username and password have to be used as a fallback: administrators might have to send out
initial passwords, or users have to reset their password via self-service, and both require correct e-mail
addresses.

3.3.3 Secure System Access and Authentication

Access from mobile devices is enabled by connecting to the back-end system using HTTPS and the same user
and password authentication used for connection from a personal computer.

 Note

SAP Cloud for Customer solution now supports certificate pinning in the extended edition for the following
apps:

• iOS apps
• Android apps

3.3.3.1 SAP Cloud for Customer for Android

Android Credential Storage requires a screen lock to be set on the device.

For SAP Cloud for Customer, extended edition for Android, it is mandatory for the user to have a screen lock to
be able to use the application. The application uses the Android Credential Storage to securely store sensitive
information, and this requires the user to enable the screen lock.

Administrators can enforce this policy if the device is managed under MDM; otherwise, they have to inform the
users that a screen lock is mandatory. Earlier, a user could create a logon profile, log in, and work normally
with the app without a screen lock. As of release 1811, the app can still be installed, but no logon profile can
be created if the screen lock is not enabled.

 Caution

Removing the screen lock will result in data loss (logon profiles will have to be re-created; unsynced offline
data will be lost).

3.3.3.2 Certificate Pinning

Enabling the certificate pinning feature secures the communication between the app and the SAP Cloud for
Customer server. Your administrator has to enable the feature.

Go to Administrator General Settings Mobile Settings and in the Certificate Pinning field, select
Activate.

With the feature enabled, the app refuses to communicate with a server that presents a false or forged
certificate. The feature is disabled by default, but customers have the option to enable it via the mobile
configuration. Once you enable the feature, the mobile application performs the check.

 Note

For our forthcoming releases, we will enable the certificate pinning feature by default.

3.3.4 Special Considerations

Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen. Therefore, we
recommend that you use the security features provided by your mobile device platform.

For example:

• Use an additional, sufficiently long, PIN (personal identification number) to lock the device.
• Enable remote management software that allows you to lock the device remotely, or wipe data from it.

Stored data may contain potentially sensitive information. Ensure adequate protection for your business data
by using a strong password for device access. As an additional security measure, the stored data is also
encrypted with a Passcode.

The Passcode has a minimum length of 8 characters, with a longer length making for a stronger password.

The Passcode feature is available only for Mobile apps.

 Caution

Currently, when you edit the security policy for the extended apps, the Mobile App Password Complexity
settings are not considered. The mobile app password, known as the passcode, has to comply with a fixed
complexity rule defined by the extended app.

For information on how to operate your mobile device, refer to the device manufacturer's documentation.

3.3.5 Data Storage

This section describes the types of data stored on the mobile device.

The mobile apps for SAP Cloud solutions store three types of data on the mobile device, as outlined below.

User Name

When the logon information is provided, the user name is masked to protect the user.

Passcode

The passcode feature applies to the extended apps only, and is turned on by default. On iOS and Android, if
the device supports it, Touch ID (or the platform's equivalent biometric unlock) can be enabled as an alternative
to the passcode. The administrator can also disable the passcode for the user. The administrator makes this
change in the administration settings area of the solution. Refer to the Administrator Guide for more details on
how to do this.

 Note

SAP recommends having a device passcode in place for security reasons. The administrator has the ability
to make this feature optional for users.

Encryption

We recommend you keep the devices and apps as secure as possible by encrypting all data. If the customer
wants to trade some of this for usability, they need to be aware of the risk and must ensure that other
protections (for example, a strong device lock) are in place.

All extended apps use AES-256 encryption to protect the offline data store. The only exception is Android,
where the device PIN has to be enabled for the encryption to be active.

Support Log Files [page 52]
To obtain support for a technical error within the mobile app, you may be requested to activate the
app’s error-logging functionality. When error logging is active and the technical error is reproduced,
files containing technical data are created. These files enable SAP Cloud Support representatives to
resolve the error. Delete the log files once they are no longer required.

Cache Files [page 52]
To improve the mobile app’s performance, metadata is stored on your mobile device. The cached
information contains technical data that describes the user interface. The cache files can be deleted.

Local Application Data Storage [page 53]
SAP Cloud for Customer supports local application data storage.

3.3.5.1 Support Log Files

To obtain support for a technical error within the mobile app, you may be requested to activate the app’s
error-logging functionality. When error logging is active and the technical error is reproduced, files containing
technical data are created. These files enable SAP Cloud Support representatives to resolve the error. Delete
the log files once they are no longer required.

3.3.5.2 Cache Files

To improve the mobile app’s performance, metadata is stored on your mobile device. The cached information
contains technical data that describes the user interface. The cache files can be deleted.

For device-specific instructions on how to set the password expiration, enable logging, or delete logs and cache
files, refer to the mobile app’s documentation.

You can upload pictures and other files from the mobile device to the SAP Cloud solution, for example, pictures
captured on a mobile phone’s camera. Such files are not managed through the SAP mobile app. When files are
uploaded to the solution, they are not deleted from the mobile device. To protect any sensitive or confidential
data that such files may contain, we recommend that you take extra precautions appropriate for the specific
mobile device in use. For information on how such files are secured and stored on your mobile device, refer to
the device manufacturer’s documentation.

3.3.5.3 Local Application Data Storage

SAP Cloud for Customer supports local application data storage.

To enable this, start the app, set up a passcode, and enter the system URL, user name, and password. During
the setup, the user has to enter a passcode that is different from the system password. The local application
data is encrypted with a key derived from the app passcode. Authentication is required to switch between
online and offline mode.

3.3.6 Offline Mode

For working offline, data is stored on the device and encrypted.

For mobile apps, once the device is back online, the data stored on the device is sent to the back-end system
and synchronized.

When you set up a passcode for container apps for storing data in the offline mode, remember the following
points:

• The passcode must be at least eight characters long.
• It must contain at least one numeral and one uppercase letter.
• You are allowed a maximum of eight failed logon attempts. After that, you must reset the passcode, which
deletes all information from the local database.

 Note

If you disable the device pin on an Android device, then the offline encryption is also disabled.
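The passcode rules above, together with the passcode-derived key described under Local Application Data Storage, as an added example that is not the SAP mobile app's code. The policy values (eight or more characters, a numeral and an uppercase letter, eight failed attempts, a passcode that differs from the system password) come from this guide; the PBKDF2 parameters, the stored verifier, the reset behaviour and the in-memory record store are assumptions. The extended apps protect the store with AES-256; this block only derives and checks the key, which in a real app would be fed to the cipher.

```python
# Added example (not the SAP mobile app's code): passcode policy, key derivation
# and lockout for an offline container. Policy values are from the guide; the
# PBKDF2 parameters, verifier scheme and record store are assumptions. The real
# app encrypts the store with AES-256; here the derived key is only verified.
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 8
PBKDF2_ITERATIONS = 100_000  # assumption, not the app's value


def passcode_meets_policy(passcode: str) -> bool:
    """At least eight characters, one numeral and one uppercase letter."""
    return (len(passcode) >= MIN_LENGTH
            and re.search(r"[0-9]", passcode) is not None
            and re.search(r"[A-Z]", passcode) is not None)


class OfflineContainer:
    """Passcode-protected local store that wipes itself after too many failures."""

    def __init__(self, passcode: str, system_password: str):
        if passcode == system_password:
            raise ValueError("passcode must differ from the system password")
        if not passcode_meets_policy(passcode):
            raise ValueError("passcode does not meet the complexity rule")
        self.records: Dict[str, str] = {}   # stands in for the encrypted database
        self.failed_attempts = 0
        self.wiped = False
        self._install(passcode)

    def _install(self, passcode: str) -> None:
        # Per-container random salt; only a keyed verifier is stored, never the
        # passcode or the key, so reading the flash does not open the store.
        self.salt = os.urandom(16)
        self.verifier = self._verifier(self._derive_key(passcode))

    def _derive_key(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                                   self.salt, PBKDF2_ITERATIONS, dklen=32)

    @staticmethod
    def _verifier(key: bytes) -> bytes:
        return hmac.new(key, b"offline-container-verifier", hashlib.sha256).digest()

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Return the data key on success, None on failure; wipes after 8 failures."""
        if self.wiped:
            return None
        key = self._derive_key(passcode)
        if hmac.compare_digest(self._verifier(key), self.verifier):
            self.failed_attempts = 0
            return key
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wipe()
        return None

    def wipe(self) -> None:
        """Delete everything; the user must reset the passcode to start again."""
        self.records.clear()
        self.salt = b""
        self.verifier = b""
        self.wiped = True

    def reset_passcode(self, new_passcode: str, system_password: str) -> None:
        """Offered only after a wipe, as the guide describes; unsynced data is gone."""
        if not self.wiped:
            raise RuntimeError("reset is only offered after the container was wiped")
        if new_passcode == system_password or not passcode_meets_policy(new_passcode):
            raise ValueError("new passcode rejected")
        self._install(new_passcode)
        self.failed_attempts = 0
        self.wiped = False


if __name__ == "__main__":
    box = OfflineContainer("Quote2024ok", "Sys-Passw0rd!")
    box.records["lead-1"] = "constructed offline record"
    for attempt in range(MAX_FAILED_ATTEMPTS):
        box.unlock("Wrong12345X")
        print(f"failed attempts: {box.failed_attempts}, wiped: {box.wiped}")
    print("records left:", box.records)
```

The point of the verifier is that neither the passcode nor the key is ever written to the device; the constant-time comparison and the per-container salt are what a reviewer would look for first in any app that claims a passcode protects local data.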

4 Personal Data Protection and Privacy

Use the Data Protection and Privacy Work Center to manage personal and sensitive personal data of
employees, individual customers, and contacts. As an employee responsible for data protection and privacy
regulation compliance in an organization, you can use the Work Center to disclose as well as remove data on
request.

Data processing systems store master data or transactional data used to perform business processes and to
document them. In many cases, it involves the personal data of employees, individual customers, and contacts.
In many countries/regions, the storage, disclosure, and removal of such personal data from data storage
systems must be in accordance with statutory data protection laws. One requirement in many countries/
regions is that the personal data can only be stored if a clear business reason for this data retention exists.
Most data protection legislation orders fixed retention periods, defining how long data can be stored in data
systems, after which it must be deleted. In addition, legislation in many countries/regions stipulates that the
data protection officer must disclose the personal data of individuals, when they expressly request it.

The Data Protection and Privacy Work Center allows those responsible for data protection functions in an
organization to respond to requests to fulfill the following requirements:

• Disclose personal data of all employees, individual customers, and contacts.
• Remove personal data once the retention period for all relevant data has expired.
• Monitor and manage background data removal processes using an application log.
• Display log data detailing each access made to the Personal Data Disclosure and Personal Data Removal
overview screens containing personal data.

 Note

In this document, employees, individual customers, and contacts are collectively referred to as business
partners.

Features

There are a number of key features of Data Protection and Privacy in SAP Cloud for Customer. These are
outlined as follows:

Data Disclosure — Obligation to Disclose

A key principle in data protection and privacy is the Obligation to Disclose. This is an obligation set in
legislation in many countries/regions where data protection regulation has been adopted. As an administrator
responsible for data protection regulation compliance, you can disclose personal data of employees, individual
customers, and contacts. You can display a summary of all data associated with these business partners
stored in the SAP Cloud for Customer system. You can also access the detailed records.

Data Removal — Deletion on Request

This second data protection and privacy principle refers to the requirement of organizations to delete personal
data held on its business partners that is kept in an identifiable form, and retain this data for no longer than
necessary. Where specified, organizations must delete all such personal data after the relevant data retention
period has elapsed.

Read Access Logging

Certain categories of personal data are considered sensitive due to their criticality and importance. You can
activate tracking of read access to such personal data. You have to carefully review the groups of such personal
data available and activate read access logging for those groups which are processed by your organization. In
the SAP Cloud for Customer, you can also add custom fields and mark them for read access logging.

Change Log for Personal Data

A log is created whenever there is a change in personal data. You can view the change records for a specific
business object in the respective Changes tab.

If you are an administrator, you can restrict access to the change logs by removing access to the Changes tab
for regular users. You can then create a new layout that includes the Changes tab and assign this layout to
authorized users.

The change logs are not available via the regular APIs. You can build the retrieval using the SAP Cloud
Applications Studio.

A change log is removed only when an object is completely depersonalized. This means that a log remains
unchanged even if personal data is removed from an active object.

Data Protection Roles

In large organizations, employees with the designated role (Data Protection Officer, for example) are
responsible for ensuring that data protection and privacy principles are followed, and that the organization
complies with all data protection and privacy legislation in force within the country/region (or countries/
regions) it operates. However, these tasks can be delegated to other authorized employees, for example,
designated Human Resources administrators.

Authorization

The Data Protection and Privacy Work Center is only available to authorized employees or Data Privacy officers
in your organization. It is therefore strongly recommended this Work Center assignment is only given to those
employees directly responsible for data protection and privacy regulation compliance in your organization.

Usage Block

This is the point in time for a data set when the processing of personal data is no longer required for the
primary business purpose. After the End of Purpose has been reached, the data is blocked and can only be
accessed by users with special authorization, for example, tax auditors. In SAP Cloud for Customer, we have
the following solution:

• You can set a business partner to end-of-purpose via an API call, which helps support integration. It
prevents the business partner from being offered in value helps, so you cannot use it to create new
transactions. There is however no standard access restriction: any user can still search for the business
partner and open it.
• You can delete or depersonalize data. If the data is still required for later audits, you can export it using the
OData APIs.

 Note

Employees, such as Data Protection officers with responsibility for data protection have full access rights
for the Data Protection and Privacy Work Center. These access rights allow an authorized user to access
personal data for the selected business partner in all SAP Cloud for Customer Work Centers where such
data exists. Because of the ability for an individual user to access large volumes of personal employee data
across many Work Centers, the access log is provided to allow transparency and traceability of user access
to personal data. The log does not contain detailed personal data, but rather a summary of the types of
data accessed, when, and by whom it was accessed.

4.1 Disclose Personal Data

Disclose personal data of employees, individual customers, and contacts in the Data Protection and Privacy
Work Center.

As an administrator responsible for data protection regulation compliance, you can disclose the personal data
of employees, individual customers, and contacts. You can display a summary of all data associated with these
business partners stored in the SAP Cloud for Customer system. You can also access the detailed records.

 Note

In this document, employees, individual customers, and contacts are collectively referred to as business
partners.

Procedure

1. In the Data Protection and Privacy Work Center, open the Personal Data Disclosure view.
2. To display the disclosure-relevant data for the business partners, select the relevant option from the
dropdown. For example: If you want to disclose an employee’s data, select All Employees.
3. Select the desired business partner from the list and click Disclose Data. A new overview screen opens that
displays all the disclosed data for the selected business partner.

 Note

Before the overview screen is loaded, a dialog box appears informing you that your access to this
screen is logged. Confirm this message to proceed.

4. Click Expand all to view all individual records that are to be disclosed. Click the expand and collapse
triangle icons to view individual data record summaries for the selected entity.
5. Click the links for the individual records, for example, General Data or transactional data, such as Leads or
Opportunities, to navigate to the actual data record held in the SAP Cloud for Customer system.

 Note

The figure shown in the Records column represents the number of discrete data records (for example,
Sales Orders) of the selected type assigned to the employee in the SAP Cloud for Customer system. A
zero indicates that no records of this type exist for the selected employee.

6. Click Close to return to the Personal Data Disclosure view.

You have successfully extracted a summary of all personal data required for disclosure to an individual who
requests it.

 Note

In addition to the above, you can use the following methods for data disclosure:

• Data workbench: If you want to disclose more personal details, you can use the data workbench to
export full datasets for employees and contacts of individual customers. The data workbench export
function allows you to specify one or more persons to be processed. It also allows you to select the
fields you would like to export, for example, to ignore technical IDs or not export business addresses. For
more information, see Data Workbench.
• OData APIs: You can use APIs to build custom processes to export exactly what you need for your use
cases, including all the personal data of the business partner, linked transactions, and other related
data. The APIs can be called from custom logic, from Excel spreadsheets, and so on. For more details,
see SAP Cloud for Customer OData API v2 Reference.

4.2 Remove Personal Data

Delete personal data of employees, individual customers, and contacts on their request in the Data Protection
and Privacy Work Center.

Once the end of purpose has been reached for personal data (for example, business partners or transactions),
it has to be removed. SAP Cloud for Customer offers business partner driven removal (this deletes the person
and all related data and transactions), and transaction driven removal (this targets individual transactions
that are no longer needed).

As an administrator responsible for data protection regulation compliance, you can delete the personal data of
employees, individual customers, and contacts on their request in the Personal Data Removal view of the Data
Protection and Privacy Work Center.

 Note

In this document, employees, individual customers, and contacts are collectively referred to as business
partners.

Prerequisite

You have defined the retention periods relevant for your country/region in your system configuration. Navigate
to Business Configuration Overview and search for the following fine-tuning activities:

• Data Retention Rule for Employees
If you configure this activity, the system queries the employee validity dates and checks them against the
configured retention period. As with private accounts, sales orders and sales quotes that are still within their
retention period raise a veto, so the system also checks whether any such sales order or sales quote exists
before it proceeds with the data removal process.
• Data Retention Rule for Private Accounts
If you configure this activity, the system checks whether any sales order or sales quote exists for the account.
If so, it uses the validity period end date of sales quotes and the last change date of sales orders to check
the data retention period.
Additionally, you can delete private accounts if their sales orders and sales quotes have been depersonalized.
Note that even though there is no retention period setup for contacts, they can only be removed if linked sales
quotes or sales orders are in status Complete.
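The retention and veto checks described in the two fine-tuning activities above, as an added example that is not SAP's code or part of this guide. The rules follow the text (employee validity dates, validity end date for sales quotes and last change date for sales orders, depersonalized documents no longer veto, contacts need documents in status Complete); the retention periods, the record layout, the run date and the sample business partners are assumptions made for illustration.

```python
# Added example (not SAP code): the retention and veto checks for personal data
# removal, run over constructed records. Rules follow the guide; the retention
# periods, field layout, run date and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class SalesDocument:
    doc_id: str
    kind: str                               # "quote" or "order"
    status: str                             # e.g. "Complete", "Open"
    last_change: date                       # retention reference date for orders
    validity_end: Optional[date] = None     # retention reference date for quotes
    depersonalized: bool = False


@dataclass
class BusinessPartner:
    bp_id: str
    kind: str                               # "employee", "private_account" or "contact"
    validity_end: Optional[date] = None     # employee: end of the work agreement validity
    documents: List[SalesDocument] = field(default_factory=list)


# Assumed fine-tuning values (Data Retention Rule for Employees / Private Accounts).
RETENTION = {
    "employee": timedelta(days=10 * 365),
    "private_account": timedelta(days=3 * 365),
}


def reference_date(doc: SalesDocument) -> date:
    """Quotes count from their validity end, orders from their last change."""
    if doc.kind == "quote":
        if doc.validity_end is None:
            raise ValueError(f"{doc.doc_id}: quote without a validity end date")
        return doc.validity_end
    return doc.last_change


def removal_check(bp: BusinessPartner, today: date) -> Tuple[bool, List[str]]:
    """Return (removable, vetoes). A single veto blocks the removal."""
    vetoes: List[str] = []
    if bp.kind == "contact":
        # No retention period for contacts, but linked documents must be Complete.
        for doc in bp.documents:
            if doc.status != "Complete":
                vetoes.append(f"{doc.doc_id}: {doc.kind} is {doc.status}, not Complete")
        return (not vetoes, vetoes)

    period = RETENTION[bp.kind]
    if bp.kind == "employee":
        if bp.validity_end is None:
            vetoes.append(f"{bp.bp_id}: work agreement has no end date")
        elif bp.validity_end + period > today:
            vetoes.append(f"{bp.bp_id}: employee retained until {bp.validity_end + period}")
    for doc in bp.documents:
        if doc.depersonalized:
            continue  # already stripped of personal data, so no longer a veto
        until = reference_date(doc) + period
        if until > today:
            vetoes.append(f"{doc.doc_id}: {doc.kind} retained until {until}")
    return (not vetoes, vetoes)


def removal_run(partners: List[BusinessPartner], today: date):
    """Emulate the background run: ids that may be removed, and vetoes per blocked id."""
    removed: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for bp in partners:
        ok, vetoes = removal_check(bp, today)
        if ok:
            removed.append(bp.bp_id)
        else:
            blocked[bp.bp_id] = vetoes
    return removed, blocked


TODAY = date(2024, 2, 20)  # constructed run date

# Constructed business partners and documents.
SAMPLE = [
    BusinessPartner("acct-1", "private_account", documents=[
        SalesDocument("Q-100", "quote", "Complete", date(2019, 12, 1), validity_end=date(2020, 1, 31)),
        SalesDocument("SO-200", "order", "Complete", date(2022, 6, 1)),
    ]),
    BusinessPartner("acct-2", "private_account", documents=[
        SalesDocument("SO-201", "order", "Complete", date(2022, 6, 1), depersonalized=True),
    ]),
    BusinessPartner("emp-1", "employee", validity_end=date(2010, 12, 31)),
    BusinessPartner("emp-2", "employee", validity_end=date(2016, 12, 31)),
    BusinessPartner("cont-1", "contact", documents=[
        SalesDocument("Q-300", "quote", "Open", date(2024, 1, 5), validity_end=date(2024, 3, 1)),
    ]),
]

if __name__ == "__main__":
    removed, blocked = removal_run(SAMPLE, TODAY)
    print("removable:", removed)
    for bp_id, vetoes in blocked.items():
        print("blocked:", bp_id, vetoes)
```

Note that acct-1 and acct-2 hold the same sales order dates; only the depersonalized one is removable, which is the "export and delete" route the procedure below relies on when a document has to outlive its business partner.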

 Note

Users with authorization to access the Data Protection and Privacy Work Center can perform all data
protection and privacy functions within this Work Center, including the disclosure and deletion of personal
data. Access to this Work Center is granted in the Administrator Work Center. Ensure that only employees
with authorization to disclose or delete personal data are granted access to the Data Protection and Privacy
Work Center.

Procedure

1. In the Data Protection and Privacy Work Center, open the Personal Data Removal view.
2. To display data for removal of employees, individual customers, and contacts, select the relevant option
from the drop-down. For example: If you want to remove an employee’s data, select All Employees. If you
want to delete the data for multiple employees, click the Show Advanced Filter icon. In the Employee ID
field, click the More Options icon. In the Employee ID dialog box that opens, enter the employee IDs or
employee names in the Value field and click Go.

 Caution

If there is a legal requirement to keep business partner information in the system, click Block Removal
to block the entity from being depersonalized. Click Unblock Removal once the need for blocking no
longer exists.

When a business partner is blocked for removal, it is not possible to trigger a personal data removal
run from the Data Protection and Privacy Work Center. During scoping, you can prevent the deletion
of transactions that are assigned to a blocked business partner. To enable this option, navigate to
Business Configuration Implementation Projects . Select your project and navigate to Edit
Project Scope Questions Built-in Services and Support System Management Security Data
Privacy and select the related option.

In SAP Cloud for Customer, there shouldn’t be any standard use cases that require enhanced blocking
support. Data is deleted from SAP Cloud for Customer when you request it. If the data is subject to
legal and/or internal retention periods (for example, for audit needs), the data must be stored in the
leading system that owns the transactions for the corresponding period, not in SAP Cloud for Customer.
For example, sales quotes can be replicated to SAP S/4 to complete the business process; in this case,
the audits have to happen in SAP S/4.

In cases where SAP Cloud for Customer data is not replicated to other systems/ data bases (e.g. SAP
S/4) and would need to be kept past its initial purpose, the system offers an “export and delete” based
approach. This means any data that should not be accessible in the system (blocked), but might still be
needed for potential audits has to be exported and safely stored, before it is deleted in the system. To
know more about how data can be exported, see the Related Information section.

3. Select the desired business partner from the list and click Remove Data. A new overview screen opens that
displays all the data that can be deleted.
4. To delete personal data of individual customers, and contacts, click Delete.
To delete employee data, follow these steps:
1. Select the Marked for Deletion checkbox for each work agreement (and associated documents) and
availability calendars you wish to set for later removal from the system
2. Click Delete to trigger the removal of all work agreements, availability calendars, and associated
application data marked for deletion from your system.
3. Confirm that you still wish to continue with this irreversible deletion of the selected records. If you
are removing the last remaining work agreement held for an employee, the system warns you that
continuing with this process removes the employee record from the SAP Cloud for Customer system.
4. Confirm that you wish to continue with the removal or cancel it.
After you click Delete for the records marked for deletion, the Marked for Deletion checkbox is disabled
while the system performs the remainder of the removal process in the background. After the deletion
process completes successfully, the Retention Period Completion status of the affected work agreements
changes to No or No available data, and the start dates for these records also change.
5. Click Close to return to the Personal Data Removal screen.

 Note

• The data removal process is local in Cloud for Customer and is not replicated to any external system
such as SAP CRM, SAP S/4HANA, or SAP ERP. In an integrated landscape, we presume that the
backend systems are the leading system, which governs the life cycle of the customer record because
the back end solution ideally has financial documents such as invoices.
As an alternative you can mark the customer record as obsolete and let the automated removal run
take care of triggering the removal. Once you mark the records as obsolete, the change is replicated to
the connected systems where each of these systems handle the customer records locally.
• If an individual account is deleted, all appearances in any party role for this instance in transactional
documents are depersonalized unless it is blocked for deletion.

 Caution

Removal of employees and contact persons leads to different results for different transactions. For
example, activities might be deleted completely, but other transactions have their descriptions removed
or scrambled, or attachments deleted. During scoping, you can choose to retain the transactional data
that are assigned to contacts and employees. To enable this option, navigate to Business Configuration
Implementation Projects . Select your project and navigate to Edit Project Scope Questions Built-in
Services and Support System Management Security Data Privacy and select the following question:
During personal data removal, do you want to retain the transactional data and remove only the personal
data of contacts and employees?

Result

You have successfully removed all work agreements (and associated application data) and availability
calendars from the system for the selected unblocked entities. You can verify this removal by starting the
Administer Data Removal Runs common task, and selecting Successful Removal Runs in the Show field.

Your access to the data removal overview has been logged.

 Note

In addition to the above, you can use the following methods for data removal:

• Data workbench: If you want to remove more personal details, you can use the data workbench to
export employees and contacts of individual customers. The data workbench export feature allows you
to filter one or more persons to be exported. Then, using the update feature, unwanted records can be
deleted. For more information, see Data Workbench.
• OData APIs: You can use OData APIs to build custom apps to remove desired personal data. The APIs
can be called using custom logic, from excel spreadsheets, and so on. For more details, see SAP Cloud
for Customer OData API v2 Reference

Related Information

Data Retention [page 63]


If the purpose for which you acquired data is not valid anymore, but you must retain it for audit purposes,
you can export the data before deleting it from the system.

4.3 Depersonalize Transactional Data

Delete or depersonalize data from all transactional documents.

The processing of personal data is subject to applicable laws related to the deletion of this data when the
specified, explicit, and legitimate purpose for processing this personal data has expired. If there's no longer a
legitimate purpose that requires the use of personal data, it must be removed. When removing data in a data
set, all referenced objects related to that data set must be removed as well.

As an administrator with responsibility for data protection functions, you are responsible for deciding when a
document loses its business purpose. In the SAP Cloud for Customer system, you can delete or depersonalize
a document based on the following conditions:

• Delete: Documents that don't provide any value after personal data is removed, are deleted. They're no
longer available in the system.
• Depersonalize: Documents that have business value, even if no personal data is available, are
depersonalized. The system removes all the personal data, but retains the business data. The documents
are still in the system and an authorized person can access them. However, these documents can no longer
be changed.
Since depersonalization removes all personal information, the processed objects are no longer available
with the My <business object> filter. Some data in a depersonalized document is replaced by XXXX, and
others, such as, attachments, are deleted. The transaction itself remains, but the personal data is either
removed completely, or replaced with XXXX.

Transaction Removal

You can trigger the removal in the following ways:

• Manual Removal
To delete or depersonalize a document, navigate to any object worklist (for example: Appointment, Lead,
Opportunity), select the object, and from the actions list click Delete or Depersonalize. If there are
no blockers (that is, no involved business partner is blocked for deletion and the object is no longer
active), the selected objects are depersonalized.
If you're required to keep data without purpose for longer because of conflicting laws or regulations, you
must export it using archiving, the data workbench, or the corresponding OData API before you delete or
depersonalize it in the system. For more information, see the reference in the Related Information
section at the end of this document.
• Automated Removal
Enable automated removal using the Archiving functionality. You can schedule the removal of transactions
based on different criteria. If the criteria are met and no vetoes are triggered, the archiving functionality
removes the transaction from the system. For more information, see Archiving.

Blocked for Deletion

In the Data Protection and Privacy Work Center, under Personal Data Removal, it's possible to block person-
based business partners from being deleted.

During the depersonalization run, the system checks to ensure that none of the involved business partners
have been blocked from deletion. It continues with the depersonalization of the business partners only if
they aren't blocked for deletion. The same setting also prevents the deletion of transactions that are linked to a
business partner who has the deletion block set.

When you mark a document for deletion or depersonalization, the system ignores any defined retention
periods since the customer is in full control over what should be deleted or exported.

Blocking access to personal data follows an export and delete approach. This means any data that shouldn't
be accessible in the system (blocked), but might still be needed for potential audits has to be exported and
safely stored, before it's deleted in the system. To know more about how data can be exported, see the Related
Information section below.

The following table gives an overview of all the objects that can either be deleted or depersonalized.

Business Objects Delete Depersonalize More Information

Activity Lists Yes
Appointments Yes
Phone Calls Yes Remove Personal Data in Communication Channels
Tasks Yes
Visits Yes
Chats Yes Remove Personal Data in Communication Channels
Routes Yes
Plans Yes
Deal Registration Yes Configure Depersonalization in Deal Registration
Sales Lead Yes
Leads Yes Configure Depersonalization in Leads
Opportunities Yes Configure Depersonalization in Opportunities
Sales Forecast Yes Configure Depersonalization in Forecasts
Sales Target Plan Yes
Sales Territories Yes
Promotions Yes
Invoice Yes
Payments Yes
Partner Application Yes
Contracts Yes Remove Personal Data in Contracts
Customer Orders Yes
Customer Quotes Yes
Sales POD Yes Depersonalization in Contract Account and Sales POD
Installation Point Yes Remove Personal Data in Installation Point
Installed Base Yes Remove Personal Data in Installed Base
Maintenance Plan Yes
Registered Product Yes Remove Personal Data in Registered Products
Tickets Yes Remove Personal Data in Tickets
Time Entry Yes Remove Personal Data in Time Entry and Time Reports
Time Reports Yes Remove Personal Data in Time Entry and Time Reports

In addition to the objects in the table, there are some special objects that are handled differently:

• Surveys: Surveys aren't intended to collect personal data and are therefore not deleted during a
depersonalization run.
• Routing Rules, Tours, and Routes: Routing rules, tours, and routes are configuration settings and aren't
depersonalized. These objects are directly deleted if they're no longer needed.
• Territory: Territory isn't part of document driven deletion. If necessary, Business Partners can be removed
from it.
• Sales Target Plan and Sales Forecast: Sales target plans and forecasts don't have an OData-based export.
It's possible to export planning data as an Excel file from the object worklist (OWL).
• Sales Price Specifications: Sales Price Specifications are replicated from ERP to Cloud for Customer. This
data is read-only in SAP Cloud for Customer and can't be changed. If this information must be removed, it
must be deleted in the system that owns those records and then replicated into Cloud for Customer.
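The delete-or-depersonalize decision described above, worked through in code as an added example (this is not SAP code and not SAP Cloud for Customer's data model; the document and partner fields, the `blocked_for_deletion`, `active` and `has_business_value` flags, and the archive dictionary are assumptions made for the example). It checks the two vetoes the section names (a blocked business partner, a still-active object), exports the full document first when a conflicting retention requirement applies, and then either deletes the document or masks its personal fields with XXXX, drops its attachments and sets it read-only:

```python
"""Added example, not SAP code: a depersonalization run over constructed
transactional documents, applying the rules described in section 4.3
(vetoes, delete vs. depersonalize, XXXX masking, export before deletion).
All field names and flags are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MASK = "XXXX"  # depersonalized values are replaced with XXXX


@dataclass
class BusinessPartner:
    bp_id: str
    blocked_for_deletion: bool = False  # set under Personal Data Removal


@dataclass
class Document:
    doc_id: str
    parties: List[str]                 # business partner IDs in any party role
    personal: Dict[str, str]           # personal data: masked or deleted
    business: Dict[str, str]           # business data: retained on depersonalization
    attachments: List[str] = field(default_factory=list)
    active: bool = False               # an active object vetoes processing
    has_business_value: bool = True    # False: delete instead of depersonalize
    read_only: bool = False
    deleted: bool = False


def veto(doc: Document, partners: Dict[str, BusinessPartner]) -> Optional[str]:
    """Return why the document must not be processed, or None if it may be."""
    if doc.active:
        return "object still active"
    for bp_id in doc.parties:
        bp = partners.get(bp_id)
        if bp is not None and bp.blocked_for_deletion:
            return f"business partner {bp_id} blocked for deletion"
    return None


def export_for_retention(doc: Document, archive: Dict[str, dict]) -> None:
    """Export-and-delete approach: keep a full copy outside the system first."""
    archive[doc.doc_id] = {
        "parties": list(doc.parties),
        "personal": dict(doc.personal),
        "business": dict(doc.business),
        "attachments": list(doc.attachments),
    }


def process(doc, partners, archive, retain_for_audit=False) -> str:
    """Process one document; returns what happened to it."""
    reason = veto(doc, partners)
    if reason is not None:
        return f"skipped: {reason}"
    if retain_for_audit:          # conflicting retention law: export first
        export_for_retention(doc, archive)
    if not doc.has_business_value:
        doc.personal.clear()
        doc.business.clear()
        doc.attachments.clear()
        doc.deleted = True
        return "deleted"
    for key in doc.personal:      # keep the transaction, mask the person
        doc.personal[key] = MASK
    doc.attachments.clear()       # attachments are deleted, not masked
    doc.read_only = True          # depersonalized documents can't be changed
    return "depersonalized"


def run(docs, partners, retain_for_audit=False):
    archive: Dict[str, dict] = {}
    results = {d.doc_id: process(d, partners, archive, retain_for_audit) for d in docs}
    return results, archive


def sample_run():
    """Constructed sample: one blocked partner, one active task, one valueless activity."""
    partners = {"BP1": BusinessPartner("BP1"),
                "BP2": BusinessPartner("BP2", blocked_for_deletion=True)}
    docs = [
        Document("APPT-1", ["BP1"], {"contact_name": "J. Doe", "phone": "+1 555 0100"},
                 {"subject": "Q3 review"}, ["notes.pdf"]),
        Document("OPP-7", ["BP1", "BP2"], {"contact_name": "J. Doe"}, {"expected_value": "12000"}),
        Document("TASK-3", ["BP1"], {"contact_name": "J. Doe"}, {}, active=True),
        Document("ACT-9", ["BP1"], {"contact_name": "J. Doe"}, {}, ["a.txt"], has_business_value=False),
    ]
    results, archive = run(docs, partners, retain_for_audit=True)
    return docs, results, archive


if __name__ == "__main__":
    _, results, _ = sample_run()
    for doc_id, outcome in results.items():
        print(doc_id, outcome)
```

The veto check runs before the export, so a document that must stay untouched is neither copied out nor altered; the export runs before any mutation, so a failing archive write would leave the document intact rather than leave an audit gap.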

Related Information

Data Retention [page 63]


If the purpose for which you acquired data is not valid anymore, but you must retain it for audit purposes,
you can export the data before deleting it from the system.

Archiving

4.4 Data Retention

If the purpose for which you acquired data is not valid anymore, but you must retain it for audit purposes, you
can export the data before deleting it from the system.

SAP Cloud for Customer supports this data retention requirement with the following options:

• Archiving: Data no longer needed can be removed from the SAP Cloud for Customer system and placed in
an archive with limited access. This way, regular users can no longer access the data, but it would still be
possible for auditors to review the data. For more information, see Archiving

 Note

Archiving removes data solely based on the retention periods defined per object. If you need more
detailed retention criteria, we recommend that you use OData APIs to remove your data.

• Data workbench: You can use the data workbench to export full datasets for employees and contacts of
individual customers. The data workbench export function allows you to specify one or more persons to
be processed. It also allows you to select the fields you would like to export, for example, to omit technical
IDs or business addresses. For more information, see Data Workbench
• OData APIs: You can use APIs to build custom processes to export exactly what you need for your use
cases, including all the personal data of the business partner, linked transactions, and other related data.
The APIs can be called using custom logic, from excel spreadsheets, and so on. For more details, see SAP
Cloud for Customer OData API v2 Reference

4.5 Administer Data Removal Runs

Check the status of all data removal runs performed in the background.

Removal of personal data in the Data Protection and Privacy work center is performed automatically in a
separate background process. The Administer Data Removal Runs common task provides you with an overview
of planned, current and completed data removal runs, the ability to reschedule failed runs, mark runs as
obsolete, and delete runs.

Data removal runs are triggered by users in the Personal Data Removal view and executed by the system in the
background. Within the Personal Data Removal screen from which the process is started, the user receives no
direct feedback on the status of the removal run that has been triggered. You check the outcome of all data
removal runs in the system using the Administer Data Removal Runs common task.

Features

The Administer Data Removal Runs common task provides you with an entry point to check the status of all
background data removal runs performed by the system.

Three key features of this common task are summarized below:

Schedule Job

Select an existing removal run and click Schedule on the initial Administer Data Removal Runs screen. Allows
you to reschedule runs that have previously failed.

Set Run To Obsolete

Select an existing removal run and click Actions Set to Obsolete . This is useful in situations when, for
example, technical issues mean there is no point in retrying the run in question at this point in time.

Delete Run

Select an existing failed removal run with the status Obsolete and click Delete . The removal run is deleted from
the system. You can also delete successfully completed removal runs.

 Note

Information about the removal run itself is stored by the system in the Removal Log if you are deleting a
previously successful removal run. However, the deletion of failed removal runs is not logged.

You access this log in the Common Tasks section of the Personal Data Removal view.

You can also access the Job Monitor by selecting an existing removal run and clicking View Jobs on the initial
Administer Data Removal Runs screen. The monitor displays the status for individual removal run jobs that
have commenced in the system and can provide more information as to why a particular job has failed, the
actual status of the job in the system (for example, Pending), or if there is an error in the job itself.

Application Log Detailed View

Accessed by clicking the Application Log ID for a given job in the Details section of the initial Administer Data
Removal Runs screen. Each instance of the Application Log consists of three different tab sections that group
the messages posted to the log itself:

• Overview
Displays an aggregation of the removal run data collected in Results.
• Settings
Contains information on the parameters and settings of the business objects in the system background:
log parameters, selection criteria used to create the log data, and any relevant data derived from
configuration settings.
• Results
Provides detailed information and status of the removal run, including any error messages generated
during execution.

Example

As the Human Resources administrator, responsible for employee data protection and privacy in Akron
Heating, Oliver Adams must remove personal data for an employee who has requested its removal. The
statutory retention period for this data is completed, so Oliver can now remove this data from the system.
Oliver triggers removal of the employee's data on the Remove Employee screen and receives a message that
the data removal process for this employee has started in the background. Oliver now checks on the status of
the removal run he has triggered as follows:

1. He opens the Administer Data Removal Runs common task and in the Show field, he selects All Removal
Runs.
2. He sees from the Removal Failed column that the removal run he triggered was not successful.
3. He decides to reattempt this removal run, so clicks Schedule and opens the Schedule Job screen for his
selected run and selects the Start Immediately radio button.
4. This removal run unfortunately fails for a second time. Oliver decides therefore to abandon this particular
removal run and seek support from colleagues. He sets the run as obsolete and then clicks Delete to
remove all data about this failed run from the system. As the run failed and no personal data was removed
for the employee on this occasion, there is no entry made in the Removal Log by the system.

4.6 Automate Removal of Obsolete Business Partners

As a data protection officer, you can schedule automated deletion of obsolete business partners, such as
contacts, employees, and customers with different roles, such as individual customers and prospects.

In the Administer Obsolete Business Partner Removal Runs view, you can create a batch job to schedule
deletion runs. You can schedule the runs immediately, or set a recurrence to continuously purge obsolete
business partners from the system. The system selects all the business partners that have been set as
obsolete before a certain cut-off date. This is required to account for deletion vetoes if a business partner can't
be deleted. Once the selection is done, the system creates one data removal run per business partner.

Prerequisite

The business partners are already marked as obsolete.

You can enable mass-setting of the obsolete status for Business Partners using one of the following:

• End-of-purpose APIs that have been provided for integration scenarios. For more information, see Web
Services for Business Partner End-of-Purpose [page 67]
• Custom development using the SAP Cloud Applications Studio
• oData APIs or Data Workbench using the following steps:
1. Export set of Business Partners based on selection criteria
2. Run further checks if needed, and then update the status flag to Obsolete
3. Import the Business Partners back into the system and update the records

Procedure

1. Navigate to Data Protection and Privacy > Common Tasks and click Administer Obsolete Business
Partner Removal Runs.
2. Click New to open the Schedule Deletion Run screen.
3. Enter a Run ID and description. The Run ID must be a unique ID with no spaces or special characters.
4. Enter the Date Offset period. For example, if you enter a date offset period of 30 days, one of the
following happens:
• Contacts and customers with different roles, such as individual customers and prospects, are removed
from the system 30 days after they are set to obsolete.
• Employees are removed from the system 30 days after they are terminated.
5. Choose a Business Partner Type.
To include business partners that are replicated from other systems to the SAP Cloud for Customer
system, select the Include Business Partners with ID Mapping checkbox.
If you do not select the checkbox, the system excludes the business partners that are replicated from
other external systems such as SAP S/4HANA, and ERP, and only triggers removal for business partners
available locally in the SAP Cloud for Customer system.

To further filter, and include only business partners that are not blocked for removal, select the Only
Business Partners marked as End of Purpose checkbox.
6. Select the run option to either start the run immediately or schedule a recurring run.
7. Click Save and Close.

In the Deletion Runs overview screen, select your run to see the details in the table below. Click the Application
Log ID hyperlink to open the screen with details of your run. In the Results tab, the system displays the status of
all the individual removal runs for each business partner, and the corresponding Run ID, if already scheduled.

 Note

• The green icon indicates that the removal run has been already scheduled. This does not mean that the
removal is successful. To check the status of the obsolete business partner removal runs performed in
the background, navigate to the Administer Data Removal Runs view and search by the Run ID.
• The red icon indicates that the system failed to trigger a removal run.

Related Information

Web Services for Business Partner End-of-Purpose [page 67]


Determine if you need to retain business partner data in your system when that data has already been
deleted from an integrated external system.

4.6.1 Web Services for Business Partner End-of-Purpose

Determine if you need to retain business partner data in your system when that data has already been deleted
from an integrated external system.

The following graphic describes process flow to determine the End-of-Purpose for your business partner data.
You can use web services or manually block such business partners in your system using blocking reasons.

Web service interfaces and enhanced interfaces are enabled to support blocking of business partners. Use
these services in scenarios where integrated external systems block or delete business partner data in their
system landscape. These interfaces allow the external systems to query and maintain the End-of-Purpose
for business partners. Since the definition of what constitutes the end-of-purpose for a business partner is
subjective to the external system, these interfaces are empty CHECK interfaces to allow you to create custom
queries.

For business partners blocked using the below-mentioned interfaces, data cannot be retrieved in list views
in Work Centers, value help in related fields, values selectors, analytics, duplicate checks and web service or
oData queries in the application.

Web Services for Business Partner End-of-Purpose

Web Service Description

II_BUPA_EOP_CHECK_IN This interface uses enhancement spot ES_BUPA_EOP_CHECK to provide a business
add-in hook in SAP Cloud Application Studio. Use this hook to create a custom query for setting
end-of-purpose information.

II_BUPA_EOP_MAINTAIN_IN Use this interface to set the End-of-Purpose flag for business partners. If this
flag is set, the business partner data is hidden in the corresponding Work Centers and value helps and is
not visible to users. Note that the data can be viewed by administrators in the Data Protection and Privacy
Work Center.

II_BUPA_ERP_EOP_CHECK_IN This interface uses enhancement spot ES_BUPA_ERP_EOP_CHECK to provide a
business add-in hook in SAP Cloud Application Studio. Use this hook to create a custom query for setting
end-of-purpose information.

II_BUPA_ERP_REPL_IN A new attribute has been added to the element structure of this existing interface.
Set the indicator for the business completed / End-of-Purpose flag. If this flag is set, the business partner
data is hidden in the corresponding Work Centers and value helps and is not visible to users. Note that the
data can be viewed by administrators in the Data Protection and Privacy Work Center.

4.7 Automate End of Purpose for Business Partners
As a data protection officer, you can schedule end of purpose runs for business partners, such as contact
persons, employees, and customers. When the run is over, the system automatically updates the status to End
of Purpose.

Context

 Caution

This action is irreversible, and the business partner can no longer be viewed.

In the Administer Business Partner End of Purpose Runs view, you can create a batch job to schedule end of
purpose runs. You can schedule the runs immediately or set a recurrence to continuously set the status of the
business partners to End of Purpose. The system selects all the business partners that have not been used
in any transactions before a certain cut-off date. Once the selection is done and the status is set, the system
removes the data during the Automated Business Partner Removal Run.

 Note

During the run, only local business partners are considered. If triggered by SAP S/4HANA, business
partners that are present via integration from an S/4HANA system will be considered too.

Procedure

1. Navigate to Data Protection and Privacy > Common Tasks and click Administer Business Partner End of
Purpose Runs.
2. Click New to open the Schedule Business Partner End of Purpose Run screen.
3. Enter a Run ID and Run Description.
4. Enter the Date Offset period.

In the case of contact persons and customers, if you choose the offset date to 1 Month(s), it means the
business partner must not have been changed within the last month. Here, the system checks against the
last changed date which is called Changed On within the contact.

In the case of employees, when it is set to 1 Month(s), it means the employee must have been terminated
one month ago. Here, the system checks against the termination date which is validTo in the employee UI.

 Caution

Ensure you don't create recurrent schedules with high frequency.

5. Choose a Business Partner Type.


6. Optional: If you want the run to only consider business partners assigned to a particular country, select a
Country/Region.

7. Optional: Toggle On the Simulation Mode switch, if needed. It is advised to execute a simulation run before
a real-time end of purpose run.

By using the simulation mode, you can verify the number of business partners for which the status is going
to be changed, prevent the status of the business partners from changing, and see any errors that can
occur during the run.
8. Select the run option to either start the run immediately or schedule a recurring run.
9. Click Save and Close.

In the End of Purpose Runs overview screen, select your run to see the details in the table below. Click the
Application Log ID hyperlink to open the screen with the details of your run. In the Results tab, the system
displays the number of business partners for which the status has been changed, and the corresponding
Run ID, if already scheduled.

In the General tab, you can see the summarized messages if the run was in simulation mode and in the
Settings tab, you can see the parameters that were set for the executed run.

 Note

Summarized Messages

Message 1: Simulation run scheduled for 10235 Business Partners of type Contact Person.

Meaning 1: This indicates the number of business partners picked up for the run.

Message 2: Number of Business Partners that are still referenced: 6441

Meaning 2: The number of business partners that are active and referenced in transactions.

Message 3: Number of Business Partners where end of purpose is set: 3794

Meaning 3: The number of business partners that could be updated.

 Note

• The green icon indicates that the end of purpose run has been already scheduled. This does not
mean that the run is successful. To check the status of the end of purpose business partner runs
performed in the background, navigate to the Administer Business Partner End of Purpose Runs
view and search by the Run ID.
• The red icon indicates that the system failed to trigger an end of purpose run.
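The selection an end of purpose run performs (date offset against Changed On or the employee's validTo, the "still referenced" exclusion, simulation mode, the three summary counts) and the cut-off an obsolete business partner removal run applies (section 4.6), worked on constructed records as an added example. This is not SAP code: the record fields, the country attribute, the calendar-month arithmetic and the treatment of employees by termination date are assumptions made for the example.

```python
"""Added example, not SAP code: the selection logic behind an end of purpose
run (section 4.7) and an obsolete business partner removal run (section 4.6),
worked on constructed records. Types, field names and the month arithmetic
are assumptions for this example, not SAP's implementation."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class BusinessPartner:
    bp_id: str
    bp_type: str                         # "contact", "customer" or "employee"
    country: str = ""
    changed_on: Optional[date] = None    # Changed On (contacts, customers)
    valid_to: Optional[date] = None      # termination date (employees)
    referenced: bool = False             # still used in transactions
    end_of_purpose: bool = False
    obsolete_since: Optional[date] = None


def months_before(d: date, n: int) -> date:
    """Calendar-aware 'n months ago', clamping the day to the month's length."""
    m = d.month - n
    y = d.year + (m - 1) // 12
    m = (m - 1) % 12 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def relevant_date(bp: BusinessPartner) -> Optional[date]:
    return bp.valid_to if bp.bp_type == "employee" else bp.changed_on


def end_of_purpose_run(partners, bp_type, offset_months, run_date,
                       simulation=True, country=None) -> Dict[str, int]:
    """Pick partners of one type whose relevant date lies at or before the
    cut-off, report those still referenced, and (unless simulating) flag the
    rest. Returns the three counts the page's summary messages report."""
    cutoff = months_before(run_date, offset_months)
    picked = [bp for bp in partners
              if bp.bp_type == bp_type and not bp.end_of_purpose
              and relevant_date(bp) is not None and relevant_date(bp) <= cutoff
              and (country is None or bp.country == country)]
    still_referenced = [bp for bp in picked if bp.referenced]
    updatable = [bp for bp in picked if not bp.referenced]
    if not simulation:                       # a real run is irreversible
        for bp in updatable:
            bp.end_of_purpose = True
            bp.obsolete_since = run_date
    return {"picked_up": len(picked),
            "still_referenced": len(still_referenced),
            "end_of_purpose_set": len(updatable)}


def removal_candidates(partners, offset_days, run_date) -> List[str]:
    """Section 4.6: partners set obsolete (employees: terminated) at least
    offset_days before the run date; the system creates one removal run each."""
    cutoff = run_date - timedelta(days=offset_days)
    out = []
    for bp in partners:
        when = bp.valid_to if bp.bp_type == "employee" else bp.obsolete_since
        if when is not None and when <= cutoff:
            out.append(bp.bp_id)
    return out


def sample_partners() -> List[BusinessPartner]:
    """Constructed sample records."""
    return [
        BusinessPartner("C1", "contact", "DE", changed_on=date(2024, 2, 29)),
        BusinessPartner("C2", "contact", "DE", changed_on=date(2024, 3, 1)),
        BusinessPartner("C3", "contact", "DE", changed_on=date(2023, 12, 1), referenced=True),
        BusinessPartner("C4", "contact", "DE", changed_on=date(2023, 11, 10),
                        end_of_purpose=True, obsolete_since=date(2024, 1, 5)),
        BusinessPartner("E1", "employee", "US", valid_to=date(2024, 1, 31)),
    ]


if __name__ == "__main__":
    partners = sample_partners()
    print(end_of_purpose_run(partners, "contact", 1, date(2024, 3, 31)))
    print(end_of_purpose_run(partners, "contact", 1, date(2024, 3, 31), simulation=False))
    print(removal_candidates(partners, 30, date(2024, 5, 15)))
```

Running the simulation first, as the page advises, returns the same counts as the real run without touching any record; a partner whose Changed On falls exactly on the cut-off date is included, and one changed a day later is not.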

4.8 Enable Read Access Logging

Use Read Access Logging (RAL) to log and monitor read-access to sensitive personal data such as bank data.
You can identify and track who has accessed critical information and when.

In the SAP Cloud for Customer system, you can monitor the access to sensitive personal data in the Log
Display view under the Data Protection and Privacy Work Center.

Read access logging is enabled for the following channels:

• User Interface (UI)

• Attachments
• Web Services
• OData Services
• Data workbench
• Change Log
• Analytics
• Excel Download
• Output Management
• Business Task Management

Whenever sensitive personal data fields are viewed by a user, a Read Access Log (RAL) entry is created. These
entries form different RAL field groups in the system.

If the field that you have marked as sensitive personal data is part of a field group that is already active, the
system takes one day to start reading the access log for the same. To start read access logging immediately,
activate or deactivate the corresponding field group.

 Note

• You can add sensitive personal data fields only to Business Partner extensions.
• You can’t add sensitive personal data fields to object worklists, value selections, enterprise search, or
extension scenarios.
• You can’t use sensitive personal data fields as placeholders in workflow rules.

Standard RAL Field Group

The standard Read Access Logging enabled field along with the corresponding Field Group is listed in the
following table:

Business Object Field Field Group

Business Partner Tax number and Type Business Partner Tax Data

 Note

The Field Group configuration is shared between Business by Design and SAP Cloud for Customer. It
therefore contains several other field groups that are not relevant for SAP Cloud for Customer. The
corresponding functionalities exist only in Business by Design.

Field Groups for Attachments

The following table gives you a list of the objects that support RAL enabled custom document type
attachments:

Business Objects Field Group

Activity Activity Attachment

Business partner Business Partner Attachment

Contract Contract Attachment

Lead Lead Attachment

Opportunity Opportunity Attachment

Promotion Purpose

Sales Document Sales Document Attachments

Service Request Service Request Attachment

Other Field Groups

The following list provides an overview of other available field groups:

• Data Workbench: Access to files stored in the Data Workbench can be enabled for read access logging.
• Key User Tools Extension Fields: This field group contains all custom fields added via the adaptation
mode and marked as sensitive personal data. This group is activated or deactivated after each change to
the custom field classification
• Output Management Data: Data that leaves the system via the Output Management (for example
printing) can be tracked via this group.
• Web Service Message: The Web service monitoring provides access to the payloads of the processed Web
service calls. Because of its potentially sensitive nature, this feature is restricted to administrators.
• SAP Cloud Applications Studio: Sensitive personal data custom fields added via the SAP Cloud
Applications Studio are controlled via field groups that correspond to their project name.

 Note

You are not allowed to debug or trace the SAP Cloud Applications Studio solution in the production
system, if RAL is scoped and any RAL field group is active. However, if you want to debug the solution,
your administrator must assign your user to the Production Debugging Authorization work center view.
After the debugging is complete, it is recommended that the authorization is removed.

Prerequisites

• You have selected the scoping question Do you want to switch on the Read Access Logging for sensitive
personal data? To find this question, navigate to Business Configuration > Implementation Project > Edit
Project Scope > Questions > Built-in Services and Support > System Management > Security.
• You have defined customer document types for attachments using the following steps:
1. Navigate to Business Configuration > Implementation Project and click Open Activity List.
2. Search and select the Customer-defined document types for attachments activity.
3. Under Customer-Defined Document Types, click Add Row, and then define your document type.
4. Select the relevant usage, and click Save and Close.
If you select the applicable usage on both the documents, attachments are copied to a follow-up
document.

Field Group Configuration

1. Navigate to Data Protection and Privacy > Field Group Configuration.
The system displays a list of field groups that are available for the limited set of standard fields, as well as
for any documents that support sensitive custom document types. There is also a specific field group to
include all extension fields.
2. Select a field group from the available list and click Activate. The data for this field group is now enabled for
read access logging.
Click Deactivate, if you do not want read access to that field group information to be included in the log.

To view changes to the field group, click Changes and enter the date range for which you want to see the
changes.

Click Actions > Show Read Access Log to go directly to the Read Access Log screen.

Click Actions > Generate Field Group Configurations to add a new field group to the list of Field Groups
whenever it becomes available in the system.

Download Log Data

To download log data manually, follow these steps:

1. Navigate to Data Protection and Privacy > Log Display.
2. Click the Advanced Search icon and select your date range.
3. Select the desired record and click Download.
The downloaded log entries are available in the XML format. The XML log lists the information about where
the data has been accessed, who has viewed the data, when the data was accessed, and what has been
accessed.

You can also download the RAL data via the QueryReadAccessLogIn Web service. To enable this service, navigate
to Administrator > Integration, and create a new Communication Scenario and a new Communication
Arrangement.

 Note

• Read access logs are deleted automatically after 14 days.
• The data is stored in a safe place, which is accessible to only a few authorized people.

4.9 Prerequisites for Usage Block Integration


When a business partner is blocked in an SAP CRM, SAP S/4HANA, or ERP system, you must ensure that the
usage block is retained when you integrate these systems with the SAP Cloud for Customer system. To do that,
you must follow specific guidelines for each system.

Prerequisites for SAP CRM system

• Ensure that the CRM system is at least on SAP CRM EHP3 SP05.
• In the SAP Cloud for Customer system, ensure the following:
• In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
Questions > Communication and Information Exchange > Integration with External Applications and
Solutions > Integration of Master Data, select the Do you want to check and maintain end of purpose
of a business partner from an external application? business option.
• In the Administration work center, navigate to General Settings > Integration > Communication
Arrangement and configure the Business Partner End of Purpose Check from SAP Business Suite
communication scenario.
• In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerEndOfPurpose BAdI in the
http://sap.com/xi/AP/Common/Global namespace. You can implement end of purpose checks in this BAdI
and raise a VETO check.
• If you are using the SAP NetWeaver Process Integration (PI):
• Download the following PI content versions:
• CRMCOD01 IC 700 – SP25
• SAP BYD 2.40 – SP26
• CRMPCD01 700 – SP25
• Configure the following operation mapping:
• CRM_COD_BusinessPartnerEndOfPurposeCheck
• CRM_COD_BusinessPartnerEndOfPurposeSet.
• If you are using the Cloud Platform Integration:
• Download the 1805 version of SAP Cloud for Customer Integration with SAP CRM
• Configure the following iFlows:
• Check End of Purpose of Business Partners from SAP Business Suite
• Maintain End of Purpose of Business Partners from SAP Business Suite
• To see how you can control the blocking and deletion of personal data in SAP CRM, refer to the SAP Help
Portal for SAP CRM: http://help.sap.com/crm. Choose the relevant release, and navigate to Application

SAP Cloud for Customer Security Guide


74 PUBLIC Personal Data Protection and Privacy
Help SAP Library Master Data Business Partners Functions Blocking and Deletion of Personal
Data in SAP CRM .

Prerequisites for SAP S/4HANA system

• In the SAP Cloud for Customer system, ensure the following:
  • In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
    Questions > Communication and Information Exchange > Integration with External Applications and
    Solutions > Integration of Master Data, select the Do you want to check and maintain end of purpose
    of a business partner from an external application? business option.
  • In the Administration work center, navigate to General Settings > Integration > Communication
    Arrangement and configure the Business Partner End of Purpose Check from SAP Business Suite
    communication scenario.
  • In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerEndOfPurpose
    BAdI in the http://sap.com/xi/AP/Common/Global namespace. You can implement end of purpose
    checks in this BAdI and raise a VETO check.
• If you are using the SAP NetWeaver Process Integration (PI):
  • Download the following PI content versions:
    • C4CS4_IC 100 – SP08
    • SAP BYD 2.40 – SP26
  • Configure the following operation mappings:
    • S4_C4C_BusinessPartnerEndOfPurposeCheck
    • S4_C4C_BusinessPartnerEndOfPurposeSet
• If you are using the Cloud Platform Integration:
  • Download the 1805 version of SAP Cloud for Customer Integration with SAP S/4HANA
  • Configure the following iFlows:
    • Check End of Purpose of Business Partners from SAP Business Suite
    • Maintain End of Purpose of Business Partners from SAP Business Suite
• To see how you can control the blocking and deletion of personal data in SAP S/4HANA, refer to the SAP
  Help Portal for SAP S/4HANA: http://help.sap.com/s4hana. Choose the relevant release, and navigate to
  Product Assistance > English > Cross Components > Data Protection.

Prerequisites for ERP system

• Ensure that the ERP system is at least on SAP ERP 6.0 EhP7 SP05.
• In the SAP Cloud for Customer system, ensure the following:
  • In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
    Questions > Communication and Information Exchange > Integration with External Applications and
    Solutions > Integration with SAP ERP, select the Do you want to integrate with the end of purpose
    check of SAP ERP? business option.
  • In the Administration work center, navigate to General Settings > Integration > Communication
    Arrangement and configure the Business Partner End of Purpose Check from SAP ERP
    communication scenario.
  • In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerERPEndOfPurpose
    BAdI in the http://sap.com/xi/AP/Common/Global namespace. You can implement end of purpose
    checks in this BAdI and raise a VETO check.
• If you are using the SAP NetWeaver Process Integration (PI):
  • Download the following PI content versions:
    • COD_ERP_INT_IC 6.00 – SP25
    • SAP BYD 2.40 – SP26
    • COD_ERP_INT 6.00 – SP25
  • Configure the following operation mapping: ERP_COD_BusinessPartnerEndOfPurposeCheck
• If you are using the Cloud Platform Integration:
  • Download the 1805 version of SAP Cloud for Customer Integration with SAP ERP
  • Configure the following iFlow: Business Partner End of Purpose Check from SAP ERP
  • Read note 2623441
• To see how you can control the blocking and deletion of personal data in ERP, refer to the ILM document:
  Data Protection

4.10 Tax Numbers in SAP Cloud for Customer

Your SAP ERP or SAP S/4HANA system can contain various identification numbers, such as tax ID numbers or
social security numbers. Some of these identification numbers can be sensitive information and special data
protection policies could apply to them. To safeguard such information, you must filter out this information so
that these numbers aren't replicated to SAP Cloud for Customer.

Restriction

While data encryption is addressed in SAP Cloud for Customer in secure communication channels and
at rest, there’s no specific masking or additional encryption. Therefore, you must filter out sensitive
information, such as personal identification numbers, before replicating.

To learn how to set up these filters for SAP ERP, see Business Partner Tax Code.

For instructions on how to set up these filters for SAP S/4HANA, see Restricting Sensitive Tax Number.

For instructions on how to set up these filters for SAP S/4HANA Cloud, see the section on Restricting
Sensitive Tax Number in the document: Setting Up Opportunity-to-Order with SAP Cloud for Customer (1VP).

4.11 Glossary

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.

Blocking
A method of restricting access to data for which the primary business purpose has ended.

Consent
The action of the data subject confirming that the usage of his or her personal data shall be allowed for a
given purpose. A consent functionality allows the storage of a consent record in relation to a specific
purpose and shows if a data subject has granted, withdrawn, or denied consent.

Data subject
An identified or identifiable natural person, defined in relation to applicable data protection legislation,
for example, the EU GDPR.

Deletion
Deletion of personal data so that the data is no longer available.

End of business
Defines the end of active business and the start of residence time and retention period.

End of purpose (EoP)
End of purpose and start of blocking period. The point in time when the primary processing purpose ends,
for example, a contract is fulfilled.

End of purpose (EoP) check
A method of identifying the point in time for a data set when the processing of personal data is no longer
required for the primary business purpose. After the EoP has been reached, the data is blocked and can
only be accessed by users with special authorization, for example, tax auditors.

Personal data
Any information relating to an identified or identifiable natural person ("data subject"), defined in
relation to applicable data protection legislation, for example, the EU GDPR.

Purpose
The information that specifies the reason and the goal for the processing of a specific set of personal
data. As a rule, the purpose references the relevant legal basis for the processing of personal data.
The legal, contractual, or in other form justified reason for the processing of personal data to complete
an end-to-end business process. The personal data used to complete the process is predefined in a
purpose, which is defined by the data controller. The process must be defined before the personal data
required to fulfill the purpose can be determined.

Residence period
The period of time between the end of business and the end of purpose (EoP) for a data set during which
the data remains in the database and can be used in case of subsequent processes related to the original
purpose. At the end of the longest configured residence period, the data is blocked or deleted. The
residence period is part of the overall retention period.

Retention period
The period of time between the end of the last business activity involving a specific object (for example,
a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention
period is a combination of the residence period and the blocking period.

Sensitive personal data
A category of personal data that usually includes the following types of information:
• Special categories of personal data, such as data revealing racial or ethnic origin, political opinions,
  religious or philosophical beliefs, trade union membership, genetic data, biometric data, data
  concerning health or sex life or sexual orientation.
• Personal data subject to professional secrecy
• Personal data relating to criminal or administrative offenses
• Personal data concerning insurances and bank or credit card accounts

Technical and organizational measures (TOM)
Some basic requirements that support data protection and privacy are often referred to as technical and
organizational measures (TOM). The following topics are related to data protection and privacy and
require appropriate TOMs, for example:
• Access control: Authentication features
• Authorizations: Authorization concept
• Read access logging
• Transmission control / Communication security
• Input control / Change logging
• Availability control
• Separation by purpose: Is subject to the organizational model implemented and must be applied as part
  of the authorization concept.

Where-used check (WUC)
A process designed to ensure data integrity in the case of potential blocking of business partner data. An
application's where-used check (WUC) determines if there is any dependent data for a certain business
partner in the database. If dependent data exists, this means the data is still required for business
activities. Therefore, the blocking of business partners referenced in the data is prevented.

5 Security of Data Storage and Data Centers

The data centers that support SAP Cloud solutions incorporate multiple safeguards for physical data security
and integrity. They also provide high availability of your business data, using redundant networks and power
systems.

5.1 Asset Protection and Data Integrity

SAP follows operating best practices for data centers by deploying computation and storage parts of the
solution over separated fire-safe areas to support disaster recovery in the event of a fire.

For data backup and recovery purposes, a redundant hardware storage system performs regular backups. To
provide enhanced data integrity, your SAP Cloud solution uses an advanced database management solution to
store customer data and securely isolate each customer’s business information in its own database instance.

5.2 Data Storage

All storage devices use AES 256 encryption to protect data at rest. Current and backup data is covered by
encryption.

5.3 Power Backup and Redundancy

SAP data centers maintain multiple connections to several power companies, making a complete power outage
highly unlikely. Even if the local power grid were to fail, the data centers supporting your SAP Cloud solution
have an uninterruptible power supply for short-term outages, and a diesel generator backup power supply for
longer-term outages. Therefore, power interruptions or outages are unlikely to affect customer data or solution
access.

5.4 Restricted Physical Access

SAP data centers, located in the United States of America and Germany, are logically separated and staffed
around the clock, 365 days a year. A biometrics security system permits access only to authorized personnel,
and the data centers are partitioned such that authorized personnel can access only their designated areas.
Moreover, no direct network connection exists between individual SAP data centers; each SAP data center is
fully autonomous.

6 Auditing and Logging

Auditing and logging allow you to monitor and record specific events and actions performed in SAP Cloud for
Customer.

Change Logs [page 82]

Most business objects and every business partner object display their detailed change logs in the
Change Logs tab, for example: Contacts, Individual Customer. If you cannot see the tab, enable it using
personalization, or have your administrator enable it for you.

Security Monitoring and Alerting [page 83]

Monitoring and alerting is a shared responsibility in which SAP focuses on infrastructure-level events
and customers focus on application-level events.

Connectivity Errors - Troubleshooting [page 86]

The following table provides an overview of the error codes for outbound errors and recommendations
on how to solve the errors.

6.1 Change Logs

Most business objects and every business partner object display their detailed change logs in the Change
Logs tab, for example: Contacts, Individual Customer. If you cannot see the tab, enable it using
personalization, or have your administrator enable it for you.

The Business Partners work center provides access to changes for all business partners, such as accounts,
employees, contacts, or individual customers. Different users can filter on their role to view and check the
changes applicable to their activities. The Business Partner Changes tab makes the change logs available for
a business partner. Access to the change log in the Business Partners tab should be restricted to users who
require it.

Go to Administrator > Flexibility > Change Log to view the custom changes applied to the system.

You can restrict access to the Change Logs tab using adaptation, based on the user role. This helps control
access to private information for all users.

6.2 Security Monitoring and Alerting

Monitoring and alerting is a shared responsibility in which SAP focuses on infrastructure-level events and
customers focus on application-level events.

Log Transfer and Processing

Logs under SAP’s responsibility will be sent to monitoring systems located in the US or Europe. These logs are
protected and the access is limited to personnel on a need-to-know basis.

These logs contain usernames, IP addresses, and query strings for API calls.

6.2.1 Security-Relevant Reports

The solution offers a set of reports that provide insight into the system´s behavior. Depending on your
authorizations, not all of these reports may be accessible.

The following reports have security-relevant information and are available under Business Analytics >
Design Reports:

• Access Rights Change Log
  This report displays a list of all users in the system and their assigned access rights. It also lists when and
  how the access rights were changed, and by whom. This information is relevant for compliance reasons,
  enabling you to monitor the system to prevent fraud, or to trace who made system changes, if fraud has
  been committed.
• All Current Access Rights
  This report displays a list of all users in the system, and the access rights currently assigned to them. This
  information is relevant for compliance reasons, enabling you to monitor the system to prevent fraud.
• All Current Users
  This report displays a list of all users in the system. This information is relevant for compliance reasons,
  enabling you to monitor the system to prevent fraud.
• User Activation and Deactivation Log
  This report displays a list of all users in the system, and when they were activated or deactivated. This
  information is also relevant for compliance reasons, enabling you to monitor the system to prevent fraud.

Also under Administration, you can find a list of IT control processes that allows you to monitor service provider
access to your solution. IT control processes are IT-related changes made in your system, such as software
updates or processes involving incident analysis.

6.2.2 Security-Relevant Data Sources

Security-relevant information is captured in data sources. As an administrator you can use reports that are
based on these data sources.

These data sources can also be accessed via the OData API to enable the extraction of security-relevant
information. You can extract the following data sources with the relevant OData APIs under Business
Analytics > Design Data Sources > Build OData Queries:

• User - Current Status Details
  Provides data about the current status of users, including assigned work center, work center views, validity
  dates, and whether the user is inactive.
• User - Activation Change Documents
  Provides data about the activation change documents for users, including technical ID, whether the user is
  a technical user or locked, and validity dates.
• User - Access Rights Change Documents
  Provides data about the access rights change documents for users, including changes to the assignment of
  work centers, work center views, and access rights.
• Identity
  Provides all the attributes of a user.
• User Logon Details
  Shows all the logon information for a user.
• User Logon Activity
  Provides logon/logoff timestamps and the current logon status.

Use case: Suspicious user creation or change
Data source: User - Current Status Details
Sample events:
• Several users are getting created (creation timestamps)
• Formerly invalid users have their validity period changed to be valid again
• Mass change to invalidated users

Use case: Suspicious logon times
Data source: User Logon Details
Sample events:
• A user is logging on during non-business hours

Use case: Logon via suspicious client types and/or device type
Data source: User Logon Details
Sample events:
• User connects via an Android device and Firefox despite company policy to only use Apple devices and
  Chrome

Use case: Suspicious user lock/unlock
Data source: User - Current Status Details
Sample events:
• Users are being locked/unlocked over a certain threshold
• Admin users are locked/unlocked

Use case: Password brute force attempts
Data source: User Logon Details
Sample events:
• Number of failed logon attempts is spiking over several users or outside of business hours
• Several users show the same Date of Last Password Lock

Use case: Password changes
Data source: User Logon Details
Sample events:
• Password change on weekends
• Password of technical user got changed
• Password change even though user should authenticate only via SSO

Use case: Authorization changes
Data source: User - Access Rights Change Documents
Sample events:
• Users getting access rights outside their area of responsibility (e.g. users belonging to lead qualification
  get access to sales orders and contracts)

Use case: Suspicious Security Policy used in logon
Data source: User Logon Details
Sample events:
• The security policy controls password complexity, if username/password authentication is allowed at all
• Administrator logs in using a security policy for low-privilege users

Use case: Assignment of administrator rights
Data source: User - Access Rights Change Documents
Sample events:
• List of administration related work centers is available under Authentication Mechanisms
• Non-Admin users get assigned to admin work centers

Related Information

Extract Data from Data Sources Using OData
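The sample events above are screening rules. As an added example that is not SAP code, the following Python runs several of them over constructed records shaped like extracts of the User Logon Details and User - Access Rights Change Documents data sources; the field names, business hours, failed-logon threshold and admin work-center names are assumptions, not OData property names.

```python
"""Added example (not SAP code): screening rules for the sample events above.

Rows are constructed to look like extracts from the User Logon Details and
User - Access Rights Change Documents data sources. Field names, business
hours, the threshold and the admin work-center names are assumptions.
"""
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 local time, Mon-Fri
FAILED_LOGON_THRESHOLD = 5      # assumption: counter value that warrants review
ADMIN_WORK_CENTERS = {"Administrator", "Business Configuration"}  # assumption

# Constructed rows shaped like the User Logon Details data source.
LOGON_DETAILS = [
    {"user": "JSMITH", "logon_ts": "2024-02-19T09:12:00", "failed_attempts": 0,
     "sso_only": True, "is_technical": False, "password_changed_on": None},
    # Sunday 02:40 logon; password changed on Saturday although the user is SSO-only
    {"user": "JSMITH", "logon_ts": "2024-02-18T02:40:00", "failed_attempts": 0,
     "sso_only": True, "is_technical": False, "password_changed_on": "2024-02-17"},
    # Failed-attempt counter above the threshold
    {"user": "MRIVERA", "logon_ts": "2024-02-20T08:05:00", "failed_attempts": 7,
     "sso_only": False, "is_technical": False, "password_changed_on": None},
    # Technical (integration) user whose password was changed
    {"user": "TECH_INT", "logon_ts": "2024-02-20T10:00:00", "failed_attempts": 1,
     "sso_only": False, "is_technical": True, "password_changed_on": "2024-02-20"},
]

# Constructed rows shaped like the User - Access Rights Change Documents data source.
ACCESS_RIGHTS_CHANGES = [
    {"user": "MRIVERA", "is_admin": False, "added_work_centers": ["Sales Orders"]},
    {"user": "KLEE", "is_admin": False, "added_work_centers": ["Administrator"]},
    {"user": "ADMIN1", "is_admin": True, "added_work_centers": ["Business Configuration"]},
]


def off_hours_logons(rows):
    """Suspicious logon times: logons on weekends or outside business hours."""
    hits = []
    for row in rows:
        ts = datetime.fromisoformat(row["logon_ts"])
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            hits.append((row["user"], row["logon_ts"]))
    return hits


def brute_force_candidates(rows, threshold=FAILED_LOGON_THRESHOLD):
    """Password brute force attempts: users whose failed logon counter reaches the threshold."""
    return sorted({row["user"] for row in rows if row["failed_attempts"] >= threshold})


def suspicious_password_changes(rows):
    """Password changes: on weekends, for technical users, or for SSO-only users."""
    findings = []
    for row in rows:
        changed = row["password_changed_on"]
        if changed is None:
            continue
        if datetime.fromisoformat(changed).weekday() >= 5:
            findings.append((row["user"], "password change on weekend"))
        if row["is_technical"]:
            findings.append((row["user"], "password change for technical user"))
        if row["sso_only"]:
            findings.append((row["user"], "password change for SSO-only user"))
    return sorted(findings)


def admin_rights_granted_to_non_admins(changes, admin_work_centers=ADMIN_WORK_CENTERS):
    """Assignment of administrator rights: non-admin users added to admin work centers."""
    return sorted({change["user"] for change in changes
                   if not change["is_admin"]
                   and admin_work_centers.intersection(change["added_work_centers"])})


def run_screening(logons=LOGON_DETAILS, changes=ACCESS_RIGHTS_CHANGES):
    """Collect every finding under the use-case name used in the table above."""
    return {
        "Suspicious logon times": off_hours_logons(logons),
        "Password brute force attempts": brute_force_candidates(logons),
        "Password changes": suspicious_password_changes(logons),
        "Assignment of administrator rights": admin_rights_granted_to_non_admins(changes),
    }


if __name__ == "__main__":
    for use_case, findings in run_screening().items():
        print(f"{use_case}: {findings or 'no findings'}")
```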

6.2.3 Security-Relevant Log APIs

Use Read Access Logging (RAL) to log and monitor read-access to sensitive personal data such as bank data.
You can identify and track who has accessed critical information and when.

To download log data manually, follow these steps:

1. Navigate to Data Protection and Privacy > Log Display.
2. Click the Advanced Search icon and select your date range.
3. Select the desired record and click Download.
The downloaded log entries are available in XML format. The XML log lists the information about where
the data has been accessed, who has viewed the data, when the data was accessed, and what has been
accessed.

You can also download the RAL data via web service QueryReadAccessLogIn. To enable this service, navigate
to Administrator > Integration, and create a new Communication Scenario and a new Communication
Arrangement.

Note

• Read access logs are deleted automatically after 14 days.
• Store the data in a safe place which is accessible to only a few authorized people.

6.3 Connectivity Errors - Troubleshooting

The following table provides an overview of the error codes for outbound errors and recommendations on how
to solve the errors.

Connectivity errors can occur on the client or on the server side. Errors that occur on the client side usually
mean that it is not possible to establish the technical HTTP(S) connection to the server on the network level.
Errors that occur on the server side are usually reported through an HTTP error code.

Outbound Errors

Error code: ICM_HTTP_SSL_ERROR
SSL error. This error may occur for several reasons. Depending on the reason, proceed as follows:
• Reason: The configured port exists but is not an SSL port.
  Action: Correct the port number in the Communication Arrangement view.
• Reason: The SSL server certificate is signed by a Certificate Authority (CA) that is unknown or not
  included on the trust list.
  Action: Carefully check the certificate. If it is signed by the correct CA, add the certificate from the CA
  to the trust list using the Edit Certificate Trust List common task in the Administrator Work Center.
• Reason: The server certificate is not part of the certificate chain or is sent in the wrong sequence, or
  the chain contains superfluous certificates.
  Action: Check that the certificate chain that the server sends complies with RFC5246.

Error code: ICM_HTTP_SSL_CERT_MISMATCH
Invalid host name in SSL server certificate.
Reason: The server name or the server name pattern contained in the server's certificate does not match
the host name of the server.
Action: Contact the person responsible for the server and ask for the server certificate setup to be
checked and corrected if necessary. Note that if the server is set up correctly, this error may indicate a
man-in-the-middle attack.
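To make the ICM_HTTP_SSL_CERT_MISMATCH comparison concrete, here is an added Python example (not SAP's code) that applies the usual server-name matching rule, where a wildcard is honoured only as the entire leftmost label, to the subjectAltName entries of a constructed certificate in the shape ssl.getpeercert() returns them; the certificate names and hosts are constructed.

```python
"""Added example (not SAP code): the host name check behind ICM_HTTP_SSL_CERT_MISMATCH.

subjectAltName entries are given in the shape ssl.getpeercert() returns them:
('DNS', name) or ('IP Address', addr). A '*' is honoured only as the entire
leftmost label and only if at least two labels follow it, so '*.crm.example.com'
covers 'api.crm.example.com' but neither 'deep.api.crm.example.com' nor
'crm.example.com'. The subject CN is deliberately not consulted.
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name (possibly wildcarded) with a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com' and require every
        # remaining label to match exactly.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_matches_host(san_entries, hostname: str) -> bool:
    """True if any subjectAltName entry identifies the host we connected to."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in san_entries:
        if wanted_ip is not None:
            # A literal IP target only matches an IP Address entry, never a DNS one.
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, hostname):
            return True
    return False


def diagnose(san_entries, hostname: str) -> str:
    """Map the comparison to the error code from the table above, or 'OK'."""
    if certificate_matches_host(san_entries, hostname):
        return "OK"
    return "ICM_HTTP_SSL_CERT_MISMATCH"


# Constructed certificate names, as in ssl.getpeercert()["subjectAltName"].
SAMPLE_SAN = (
    ("DNS", "*.crm.example.com"),
    ("DNS", "crm.example.com"),
    ("IP Address", "192.0.2.10"),
)

if __name__ == "__main__":
    for host in ("api.crm.example.com", "deep.api.crm.example.com",
                 "crm.example.org", "192.0.2.10", "192.0.2.11"):
        print(f"{host:28} -> {diagnose(SAMPLE_SAN, host)}")
```

When the same error appears against a server whose certificate names are known to be correct, compare the names actually presented with those expected before assuming a configuration mistake.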

7 Front-End Security

Secure the customer interactions made through SAP Cloud for Customer.

The SAP Cloud solutions front ends consist of Web application user interfaces that support the following
features:

• X-Frame-Options response header to avoid clickjacking attacks
• Cross-site request forgery (CSRF) protection
• Cross-site scripting (XSS) output encoding during SAP UI5 rendering
• UI and domain protection against URL mashups and content mashups in iFrames
• Secure Sockets Layer (SSL) transport layer encryption using HTTPS
• Access to business data only after authentication and with sufficient authorizations using identity
  management and Role-Based Access Management (RBAM)
• Cross-site scripting countermeasures

8 Network and Communication Security

Communication Security

SAP relies on encryption technology that uses HTTPS to prevent unauthorized parties from intercepting
network traffic. The encryption is based on the Transport Layer Security (TLS) protocol. The required
encryption software is a standard component of up-to-date client operating systems and Web browsers.

Network Security

The network for your SAP Cloud solution employs a number of security technologies. The multilayered,
partitioned, proprietary network architecture permits only authorized access to the data centers that support
your SAP Cloud solution, with features that include:

• A Web dispatcher farm that hides the network topology from the outside world
• Multiple Internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks
• An advanced intrusion detection system that continuously monitors solution traffic for possible attacks
• Multiple firewalls that divide the network into protected segments and shield the internal network from
unauthorized Internet traffic
• Third-party audits performed throughout the year to support early detection of any newly introduced
security issues

Communication Channels [page 89]

Learn about the different communication channels used by SAP Cloud solutions.

Renewal of Tenant Certificate [page 90]

Every Cloud for Customer tenant is provisioned with a tenant certificate issued by the SAP Passport
CA. The validity period of the tenant certificate is one year.

Business-To-Business Communication and Application Integration [page 91]

Business-to-Business (B2B) communication and application integration refers to the exchange of
business-related data across administrative domains. These domains need not necessarily belong to
different entities, such as companies; they can also represent different geographic subsidiaries of the
same company.

E-Mail [page 101]

SAP Cloud solutions enable you to encrypt outgoing e-mails and check the signature of incoming
e-mails by using the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard.

8.1 Communication Channels

Learn about the different communication channels used by SAP Cloud solutions.

The table shows the communication channels used by SAP Cloud solutions, the protocol used for the
connection, and the type of data transferred.

Communication path: Web browser acting as front-end client to access the hosted SAP Cloud solution system
Protocol used: HTTPS
Technology used: REST services
Type of data transferred: Application data
Data requiring special protection: User IDs, passwords

Communication path: Apple® iPad® application, Apple® iPhone®, BlackBerry® player, Android™ (SAP Cloud
for Customer)
Protocol used: HTTPS
Technology used: REST services
Type of data transferred: Application data
Data requiring special protection: User IDs, passwords, application data

Communication path: E-mail
Protocol used: SMTP
Technology used: SMTP server
Type of data transferred: Application data
Data requiring special protection: Confidential data

Communication path: Business-to-business communication and application integration
Protocol used: HTTPS
Technology used: Web services
Type of data transferred: Application data
Data requiring special protection: Application data

Cryptographic Protocols

Inbound Communications

For all inbound communications, TLS 1.2 is required. The following list shows a subset of supported cipher
suites, in server-preferred order:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Note

SAP Cloud for Customer solutions use port 443 for HTTPS connectivity.

8.2 Renewal of Tenant Certificate

Every Cloud for Customer tenant is provisioned with a tenant certificate issued by the SAP Passport CA. The
validity period of the tenant certificate is one year.

For the functioning of the communications relying on the tenant certificate, it is mandatory to upload the valid
certificate after renewal every year to the relevant target systems.

You can view the tenant certificate from Administrator > Common Tasks > Edit Certificate Trust List > View
Tenant Certificate.

You can download the tenant certificate from Administrator > Communication Certificates > Download
Tenant Certificate.

Prerequisite

To access the View Tenant Certificate and the Communication Certificates screens, you must be assigned to the
Communication Certificates view, under the Administrator work center.

Automatic Renewal of Tenant Certificate

The system checks the validity of the tenant certificate on the first day of every month through a background
process.

If the tenant certificate is about to expire within the next three months, the system sends a Tenant Certificate
About to Expire Within Three Months notification to all the administrators.

If the tenant certificate is about to expire within the next two months, the system attempts to renew the same.
On successful renewal, the system sends a Tenant Certificate Renewed notification to all the administrators.

Manual Renewal of Tenant Certificate

If the customer cannot wait for the automatic renewal, you, as an administrator, can manually renew the same.
Navigate to View Tenant Certificate and click Renew Tenant Certificate if the certificate is going to expire within
the next 3 months. On successful renewal, the system sends a Tenant Certificate Renewed notification to all
the administrators.

Note

• The action Renew Tenant Certificate is irreversible.
• The renewal process might take a few seconds or up to a few hours depending on the availability of the
  system resources.
• You can view the status of the renewal by opening the View Tenant Certificate screen:
  • The system displays an information message Tenant certificate renewal has been scheduled
    in the background or Tenant certificate renewal is in process if the renewal is scheduled or in
    process.
  • The system displays an error message Tenant certificate renewal failed; please retry or report
    an incident if the renewal failed. In this case, as the message suggests, you can try to renew again
    or report an incident to SAP.
  • If the renewal is successful, you can view the details of the renewed certificate on the screen.

8.3 Business-To-Business Communication and Application Integration

Business-to-Business (B2B) communication and application integration refers to the exchange of business-
related data across administrative domains. These domains need not necessarily belong to different entities,
such as companies; they can also represent different geographic subsidiaries of the same company.

Communication arrangements enable you to configure the electronic data exchange between your solution
and a communication partner. A communication partner can be a business partner in a B2B communication
scenario or an external communication system that is used for application integration, for example, external
time recording or master data systems.

Your SAP Cloud solution provides communication scenarios for inbound and outbound communication
that you can use to create communication arrangements. Inbound communication defines how business
documents are received from a communication partner, whereas outbound communication defines how
business documents are sent to a communication partner.

Before you can use electronic data exchange for a particular business process, you must configure and
activate a communication arrangement for the corresponding communication scenario. You can do so during
your solution configuration or, after configuration is complete, under Administrator > General Settings >
Integration > Communication Arrangements.

You can find the list of trusted certification authorities for server certificates under Administrator > General
Settings > Common Tasks > Edit Certificate Trust List.

Security configuration for electronic data exchange is conducted at the communication arrangements level,
where you can configure the authentication method and communication security.

Like end user authentication, B2B communication and application integration can be authenticated by two
mechanisms: user ID plus password, and the X.509 client certificate. For inbound communication, you can
upload the communication partner’s client certificate in the configuration user interface, and map it to the
communication user.

Caution

You can download an X.509 key pair from your SAP Cloud solutions. These key pairs are only intended
for communication with the SAP Cloud solution and must not be used for other communication. This is
because the corresponding certificate can be blocked in the solution and you can make the key pair invalid
for logging on to the client but you cannot invalidate its other uses.

SAP Cloud for Customer Security Guide


Network and Communication Security PUBLIC 91
For outbound communication, you can upload a PKCS#12 container file, consisting of a private key and
the corresponding client certificate that must be trusted and mapped by the communication partner.
Administrators can monitor the validity of client certificates under Administrator > General Settings >
Common Tasks > Edit Certificate Trust List.

Certificates have a validity period and expire at a defined point in time. Before expiration, they must be
renewed; if the client certificate’s Subject or Issuer has changed, then the upload and mapping process must
be repeated. Communication arrangements are the customer’s responsibility, since their configuration
reflects the specific details of their business partner. As a result, expiring certificates cannot be replaced
automatically by SAP; this action must be performed by the customer.

A good security concept also includes mandatory periodic password changes. These changes must be
performed synchronously by both parties involved. If an expired client certificate is renewed with the same
attributes, the certificate information can be exchanged asynchronously.
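The renewal rules above (a validity period that runs out, and a new upload and mapping whenever the Subject or Issuer changes) can be checked before an arrangement stops working. The following Go program is an added example, not part of this guide or of the SAP solution: it builds constructed test certificates with the standard library, warns when the mapped client certificate's remaining validity drops below a threshold, and reports whether a renewed certificate can keep the existing mapping to the communication user. All function and constant names are assumptions; a real check would parse the certificate extracted from the partner's PKCS#12 container instead of generating one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalAction is what the administrator has to do when a communication
// partner presents a renewed client certificate for an inbound arrangement.
type RenewalAction string

const (
	// ActionKeepMapping: Subject and Issuer are unchanged, so the existing
	// mapping to the communication user survives; only the certificate is replaced.
	ActionKeepMapping RenewalAction = "upload renewed certificate, keep mapping"
	// ActionRemap: Subject or Issuer changed, so upload and mapping must be repeated.
	ActionRemap RenewalAction = "upload and map the certificate again"
)

// DaysUntilExpiry returns the whole days left before NotAfter (negative once expired).
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal flags a certificate with fewer than warnDays of validity left, so the
// customer can agree a renewal with the partner before the arrangement stops working.
func NeedsRenewal(cert *x509.Certificate, now time.Time, warnDays int) bool {
	return DaysUntilExpiry(cert, now) < warnDays
}

// ClassifyRenewal compares the certificate currently mapped to the communication
// user with the renewed one and decides whether the mapping can be kept.
func ClassifyRenewal(mapped, renewed *x509.Certificate) RenewalAction {
	if mapped.Subject.String() != renewed.Subject.String() ||
		mapped.Issuer.String() != renewed.Issuer.String() {
		return ActionRemap
	}
	return ActionKeepMapping
}

// issue creates a test certificate for subjectCN. With issuer == nil the result
// is a self-signed CA; otherwise it is a client certificate signed by issuer.
// Constructed sample data only, not a tenant's or partner's certificate.
func issue(subjectCN string, notBefore, notAfter time.Time,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subjectCN, Organization: []string{"Example Partner"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
	}
	parent, signKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		parent, signKey = issuer, issuerKey
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	now := time.Now().Truncate(time.Second) // certificate times carry whole seconds
	ca, caKey := issue("Example Partner CA", now.AddDate(-2, 0, 0), now.AddDate(8, 0, 0), nil, nil)
	mapped, _ := issue("b2b-client", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 20), ca, caKey)
	fmt.Printf("mapped certificate: %d days left, renewal needed: %v\n",
		DaysUntilExpiry(mapped, now), NeedsRenewal(mapped, now, 30))

	sameName, _ := issue("b2b-client", now, now.AddDate(1, 0, 0), ca, caKey)
	fmt.Println("renewed with same attributes:", ClassifyRenewal(mapped, sameName))

	newCA, newCAKey := issue("Example Partner CA G2", now, now.AddDate(8, 0, 0), nil, nil)
	newIssuer, _ := issue("b2b-client", now, now.AddDate(1, 0, 0), newCA, newCAKey)
	fmt.Println("renewed under a new issuer:", ClassifyRenewal(mapped, newIssuer))
}
```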

Recommendation

We recommend authentication using single sign-on with SAML 2.0 for browser-based access. Please
ensure that the passwords used are strong enough.

8.3.1 Communication Arrangements Quick Guide

Communication arrangements help you to configure the electronic data exchange between the solution and a
communication partner.

Communication arrangements can be set up for multiple business documents and communication methods.
The solution provides communication scenarios for inbound and outbound communication that you can use to
create communication arrangements. Inbound communication defines how business documents are received
from a communication partner, whereas outbound communication defines how business documents are sent
to a communication partner.

The Communication Arrangements view enables administrators to create and edit communication
arrangements that your company has set up with a communication partner.

You can access this view from the Administrator work center, under General Settings > Integration.

In the Communication Arrangements view, the following communication types are supported:

• Business-to-business (B2B)
This communication type defines an electronic data exchange with a business partner.
• Application integration
This communication type defines an electronic data exchange with a communication system.

Note

Some communication arrangements are automatically created in your solution configuration. This is
indicated by the selected Predefined check box in the worklist of the Communication Arrangements view.
For predefined communication arrangements with inbound communication, you only have to define the
communication account.

8.3.1.1 Create a Communication Arrangement

Procedure

1. Open the New Communication Arrangement guided activity in the Communication Arrangements view by
clicking New.
2. In the Select Scenarios step, select the communication scenario for which you want to create a
communication arrangement and click Next.
Based on the communication scenario you selected, the system presets the fields in the next steps with
default values. Where possible, you can change the values, if necessary.
3. In the Define Business Data step, enter business data. The entry fields on the screen are dependent on the
communication type of the selected communication scenario.
a. If you have selected a B2B scenario, enter the ID of the business partner and select the associated
Identification Type. If necessary, you can also enter the ID of the contact person at the business
partner. If you have selected an application integration scenario, enter the System Instance ID of the
communication system with which you want to set up a communication arrangement. Note that before
you set up a communication arrangement, you need to create a communication system.
b. In the My Communication Data section, check the default values and make changes if necessary. Enter
the company that communicates with your communication partner. By default, the Company ID is
preset with the company to which you are assigned. If you use a B2B scenario, you must also enter a
valid identification type.
c. If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.
d. Click Next.
4. In the Define Technical Data step, define the technical settings for inbound and outbound communication.
a. Select the Communication Method you want to use for the communication arrangement. To
communicate with your business partner, you can either establish a direct connection or you can
use a collaboration service provider that provides services for B2B communication.
b. If you use inbound communication, select the Application Protocol and Authentication Method in the
Inbound Communication: Basic Settings section.
c. In the User ID field, click Edit Credentials.
Depending on the chosen authentication method, you need to define the credentials of the
communication user as described in the following table. The user ID of the communication user is
created automatically.

Authentication Method: SSL client certificate
Settings: If you use this authentication method, you need to upload the public key
certificate that has been provided by your communication partner. If your
communication partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 key pair file is password
encrypted and contains a public key certificate and a private key. You need to
provide the PKCS#12 file to your communication partner.
1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.

To create a PKCS#12 key pair file, perform the following steps:
1. Choose Certificate.
2. Click Create and Download Key Pair.
3. Define a name for the PKCS#12 file and save it.
4. Define a password for the PKCS#12 file and click OK.
5. Click OK.

Note
• You have to provide your communication partner with the PKCS#12
file and the corresponding password.
• To import the PKCS#12 key pair file to a third party tool, see the SAP
Cloud for Customer Administration Guide.

Authentication Method: User ID and password
Settings: If you use this authentication method, you need to define a password as
follows:
1. Choose Change Password.
2. Enter a password.
Note that you have to provide your communication partner with the user
ID and password.
3. Click OK.

d. If you use outbound communication, select the Application Protocol, Authentication Method and enter
the Host Name in the Outbound Communication: Basic Settings section. Depending on the chosen
authentication method, you need to define the relevant settings as defined in the following table.

Authentication Method: SSL client certificate (SAP system key pair)
Authentication Settings: If you use this authentication, the relevant certificate must be
known to the communication partner. Therefore, you need to
download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded
certificate.

Authentication Method: Trusted third party key pair
Authentication Settings: If you use this authentication, you need to upload the PKCS#12
key pair file provided by your communication partner. The
PKCS#12 file is password-encrypted and contains a public key
certificate and a private key.
1. In the Authentication field, click Edit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you want
to upload.
3. Enter the required password and click OK.

Authentication Method: User ID and password
Authentication Settings: If you use this authentication method, you need to enter the user
ID and password that is used by the communication partner for
the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.

e. If necessary, you can individually configure each service that is used in the configuration scenario in
the advanced settings.
The service URLs for outbound communication are calculated from the protocol, port, host name, and
path. If you use SAP NetWeaver XI or IDoc, you do not need to change anything in the advanced settings
since the path is preset. However, if you use Web Services Reliable Messaging, you have to enter the path
for each service in the advanced settings.
a. To edit the advanced settings, click Edit Advanced Settings. Select the service you want to configure.
b. In the Details section, deselect the Use Basic Settings check box and change the relevant settings.
c. Click Next.

5. In the Review step, review the data you entered in the previous steps.
a. To ensure that all data is correct, click Check Completeness. You also see the service URLs for inbound
and outbound communication. If you use an inbound scenario, you must provide your communication
partner with the URLs for inbound communication since it is that address to which messages should
be sent.
b. To create and activate your communication arrangement in the system, click Finish. You can also save
an inactive version of the communication arrangement by clicking Save as Draft.
6. If you have created a communication arrangement for a B2B outbound scenario, you have to activate the
outbound channel for the business document that is used in the scenario.

Results

The system now uses electronic data exchange for the configured communication scenario.

8.3.1.2 Create a Communication Arrangement for On-Premise Integration

Multiple communication arrangements can be created for an on-premise integration through a guided activity.

Context

Instead of repeating common information each time you create a communication arrangement, you can enter
common information once and create communication arrangements in bulk.

You can access this from the Administrator > Create Communication Arrangement for On-Premise
Integration common task.

Note

This functionality is only valid for on-premise integrations.

Procedure

1. To open the New Communication Arrangement guided activity in the Communication Arrangements view,
click New.
2. In the Select Communication System step, enter business data.
a. Under Integration Details, select the system you want to integrate with and the relevant Integration
Middleware you want to use.

Note

If PI is selected as the middleware, fill in the system details in the field PI Business System.

b. Under Communication System enter the System Instance ID of the communication system with which
you want to set up a communication arrangement.

Note

Before you create a communication arrangement, you need to create a communication system.
See the SAP Cloud for Customer Administrator Guide for more detail.

With this action, the Communication System, User ID (Inbound Communication Credentials) and Host
Name are automatically populated.

If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.
c. If you use inbound communication, select the Authentication Method in the Inbound Communication
Credentials section. Depending on the chosen authentication method, you need to define the
credentials of the communication user as described in the following table. The user ID is created
automatically.

Authentication Method: SSL client certificate
Settings: If you use this authentication method, you need to upload the public key
certificate that has been provided by your communication partner. If your
communication partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 file is password encrypted
and contains a public key certificate and private key. You need to provide the
PKCS#12 file to your communication partner.
1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.

To create a PKCS#12 key pair file, perform the following steps:
1. Choose Certificate.
2. Click Create and Download Key Pair.
3. Define a name for the PKCS#12 file and save it.
4. Define a password for the PKCS#12 file and click OK.
5. Click OK.

Note that you have to provide your communication partner with the PKCS#12
file and the corresponding password.

Authentication Method: User ID and password
Settings: If you use this authentication method, you need to define a password as
follows:
1. Choose Change Password.
2. Enter a password.

Note
It is important to select a strong password and change the password
periodically. You have to provide your communication partner with
the user ID and password.

3. Click OK.

If you use outbound communication, select the Authentication Method. Depending on the chosen
authentication method, you need to define the relevant settings as described in the following table:

Authentication Method: SSL client certificate (SAP system key pair)
Authentication Settings: If you use this authentication, the relevant certificate must be
known to the communication partner. Therefore, you need to
download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded
certificate.

Authentication Method: Trusted third-party key pair
Authentication Settings: If you use this authentication, you need to upload the PKCS#12
key pair file provided by your communication partner. The
PKCS#12 file is password encrypted and contains a public key
certificate and private key.
1. In the Authentication field, click Edit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you
want to upload.
3. Enter the required password and click OK.

Authentication Method: User ID and password
Authentication Settings: If you use this authentication method, you need to enter the
user ID and password that is used by the communication partner
for the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.

Note

It is recommended to use certificates for authentication instead of user ID and password.

3. In the Communication Arrangements step, select one or more Communication Scenarios.

Status: Create
Interpretation: This status indicates that you have selected a communication scenario to be
created for the relevant communication arrangement.

Status: Not Created
Interpretation: This status indicates that the communication scenario has not yet been created
and the check box is unchecked.

Status: Already Exists
Interpretation: This status indicates that a communication scenario has been created already
and the check box will be disabled.

4. The Inbound and Outbound tabs are displayed, depending on the selected Communication Scenario. For
example, if a communication arrangement has only an inbound service interface, then the Inbound tab is
displayed.
5. Perform the following actions under the Inbound tab as necessary:

Enabled: The check box can be unchecked if it is not necessary.
Service: If the service is mandatory, the check box is disabled.
Application Protocol: Choose a protocol from the drop-down list.
Service URL: Displays the URL of the service.

To check the information on the inbound service, click Check Service. Perform the following functions on
the Outbound tab as necessary.

Enabled: The check box can be unchecked if not required.
Service: If the service is mandatory, the check box is disabled.
Application Protocol: Choose a protocol from the drop-down list.
Host Name: This field displays the host name of the system and is not editable.
Port: Enter the port or path for the outbound service.
Service URL: Displays the URL of the service.

6. To ensure that all data is correct, click Check Completeness.
7. To create and activate your communication arrangement in the system, click Finish.

Results

A success message is shown once the communication arrangement has been created successfully.

8.3.1.3 Edit a Communication Arrangement

Procedure

1. To open the Edit Communication Arrangement quick activity in the Communication Arrangements view,
select the relevant communication arrangement and click Edit.

Note

You cannot edit predefined communication arrangements.

2. Change the relevant settings.
3. To save your changes and return to the work list, click Save and Reactivate.
4. In the worklist, you can click Check Completeness to see if your changes have been updated in the system.
It may take about a minute for the system to update the information.

8.3.1.4 Edit the Communication Credentials for a Predefined Communication Arrangement

This task is only relevant for predefined communication arrangements with inbound communication.

Procedure

1. In the Communication Arrangements view, select the relevant communication arrangement. Predefined
communication arrangements are indicated by the selected Predefined check box.
2. Click Edit Credentials.

3. Depending on the authentication method that you have agreed upon with your communication partner,
you need to define the credentials of the communication user as described in the following table. The user
ID of the communication user is created automatically.

Authentication Method: SSL client certificate
Settings: If you use this authentication method, you need to
upload the public key certificate that has been provided
by your communication partner. If your communication
partner cannot provide a certificate, you can create and
download a PKCS#12 key pair file. The PKCS#12 key
file is password encrypted and contains a public key
certificate and a private key. You need to provide the
PKCS#12 file to your communication partner.

To upload a public key certificate, perform the following steps:
1. Choose Certificate.
2. Click Create and Download Key Pair.
3. Define a name for the PKCS#12 file and save it.
4. Define a password for the PKCS#12 file and click OK.

Note
• You have to provide your communication partner
with the PKCS#12 file and the corresponding
password.
• To import the PKCS#12 key pair file to a
third party tool, see Create a Communication
Arrangement [page 93] in the Related Links
section.

Authentication Method: User ID and password
Settings: If you use this authentication method, you need to define
a password. The user ID is automatically predefined.
Perform the following steps:
1. Choose Change Password.
2. Enter a password. Note that you have to provide
your communication partner with the user ID and
password.

4. Click OK.

Related Information

Create a Communication Arrangement [page 93]

8.3.1.5 Delete a Communication Arrangement

Procedure

1. In the Communication Arrangements view, select the relevant communication arrangement.
2. Click Delete.
3. In the dialog box that opens, click Delete to confirm the deletion.

Note

Predefined communication arrangements cannot be deleted.

8.4 E-Mail

SAP Cloud solutions enable you to encrypt outgoing e-mails and check the signature of incoming e-mails by
using the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard.

You can use this function for e-mail communication between your system and your employees, in e-mail
scenarios provided by SAP (for example, self-service or approval scenarios). You can specify which e-mail
scenarios you want to use in Business Configuration.

Caution

We strongly recommend that you only send encrypted mails and accept only signed e-mails.

The system uses the same certificate for signature check and e-mail encryption, which means that the same
private key is used for signing and decrypting an e-mail to or from an employee.

The following MIME types are supported for e-mail communication with the system:

• .gif
• .jpg/.jpeg
• .pdf
• .tif/.tiff
• .png

Caution

When you use S/MIME, ensure that the data is encrypted. Please note that e-mail header data, for
example, the subject line, is not encrypted. The sensitivity setting for password e-mails is set by default to
private.

The following diagram provides an overview of how e-mail encryption and signature checking are set up:

E-Mail Security with S/MIME

8.4.1 Business E-Mails

Business e-mails are e-mail messages sent to Cloud for Customer through tickets, accounts, appointments,
visits, sales quotes, workflow notifications, and similar objects.

SAP Cloud for Customer routes business mails using services of Cisco.

Note

Mail relay path for inbound business mails: Sender -> CES Servers (CISCO Cloud) -> CISCO Mail Device
(SAP Network) -> SAP Cloud for Customer (SAP Network)

Mail relay path for outbound business mails: (SAP Network) -> CISCO Mail Device (SAP Network) ->
Recipients

• Envelope: From address
Syntax: <mailbox>@myXXXXXX.mail.crm.ondemand.com (generic) and
<mailbox>@myXXXXXX.mail.c4c.saphybriscloud.cn (for China tenants)
Example: dsn@myXXXXXX.mail.crm.ondemand.com / dsn@myXXXXXX.mail.c4c.saphybriscloud.cn
• Sender e-mail address (From Address) is taken from your business configuration or master data settings in
SAP Cloud for Customer (for example test@abc.com)
• Business e-mails are sent through the following IP addresses: 155.56.208.100/30, 157.133.97.216/30,
169.145.66.70/31, and 169.145.66.72/31
• A DKIM key is enabled for your sender domain on request only.
• Business e-mails are enabled with an SPF policy by default. SAP takes care of creating the SPF record for your
SAP Cloud for Customer tenants.

8.4.2 Bulk E-Mails

Bulk e-mails are e-mail messages sent through marketing or campaign channels from/to the customer.

SAP Cloud for Customer uses the services of Episerver to route bulk e-mails.

Note

Mail relay path for inbound bulk e-mails: Sender -> CES Servers (CISCO Cloud) -> CISCO Bulk Mail Device
(SAP Network) -> SAP Cloud for Customer (SAP Network)

Mail relay path for outbound bulk e-mails: Episerver Bulk Mail Service -> Recipients

• Envelope: From address follows the following syntax: <mailbox>@myXXXXXX.mail.crm.ondemand.com
(generic) and <mailbox>@myXXXXXX.mail.c4c.saphybriscloud.cn (for China tenants)
Example: dsn@myXXXXXX.mail.crm.ondemand.com / dsn@myXXXXXX.mail.c4c.saphybriscloud.cn
• Bulk e-mails are sent through the following IP addresses: 213.61.69.122/32, 193.169.180.0/23,
212.45.106.160/27, 91.229.178.0/23, and 91.241.72.0/22
• Bulk e-mails are enabled with DKIM policy. However, a DKIM key is enabled for a customer sender domain
and tenant based on request only.

8.4.3 Enabling S/MIME Security

To add encryption security to e-mail channels, you can enable S/MIME for your solution.

Procedure

1. Add e-mail security to your project scope.
2. Implement e-mail security for your solution.
a. Choose Business Configuration, select your project from the list, and click Open Activity List.

b. Click Fine-Tune.
c. Open E-Mail Encryption and Signature Check.
d. In the list of incoming e-mails, set the Signature for SAP Cloud for Service: E-Mail Security, B2B
Scenario and SAP Cloud for Service: E-Mail, B2C Scenario. Choose Check (and Reject if Untrusted) if
you require a high level of security or Do Not Check if you do not have security requirements.
e. In the list of outgoing e-mails, set the Encryption and Signature for SAP Cloud for Service: E-Mail
Security, B2B Scenario and SAP Cloud for Service: E-Mail Security, B2C Scenario. The suggested
settings are Encrypt if possible for Encryption and Sign for Signature.
f. Save your settings.
3. Activate your settings.

a. Choose Administrator > Common Tasks > Configure S/MIME.
b. Click Activate S/MIME.
c. Select Check Signature of Incoming E-Mails to check the signatures of incoming e-mails. Select Encrypt
Outgoing E-Mails to encrypt outgoing e-mails. Select Signing Outgoing E-Mails for your solution to
provide a signature to other systems.
The settings you selected in Fine-Tuning will only be enabled if you activate them. If you do not activate
your settings, your system will not have security enabled.
4. Save your settings.

8.4.4 Configuring S/MIME Security

To enable e-mail notifications, you must also upload the CA certificates in this area for the generic business
task management e-mail address for all involved employees and managers.

Procedure

1. Choose Configure S/MIME in the Administrator work center under Common Tasks.
2. On the Incoming E-Mail tab, upload the CA certificates from all involved employees for the generic incoming
e-mail addresses Business Task Management E-Mail Notifications.
3. On the Outgoing E-Mail tab, install the system CA certificate in the e-mail client of the involved employee as
follows:

a. Click on Link to SAP CA and open the site SAP Trust Center Service > Root Certificates.
b. Click on SAP Passport CA Certificate. A pop-up opens.
c. Click Install Certificate and follow the wizard by clicking Next.
d. Select Place all certificates in the following store and click Browse.
e. Select Trusted Root Certification Authorities and click OK and then Next. Now the CA from the system
is installed locally.
4. Now activate the S/MIME. On the Activate S/MIME tab, select the options:
a. Check Signature of Incoming E-Mails
b. Encrypt Outgoing E-Mails (optional)
c. Signing Outgoing E-Mails

Results

• E-Mail Notifications: Ensure that the involved employees are business users and have valid e-mail
addresses, and that the CA certificates from the employees are uploaded to the system for outgoing
e-mails.
• E-Mail Notifications: Each involved employee must subscribe to the e-mail notifications by opening the
Notifications view and choosing Subscribe to E-Mail.
• E-Mail Notifications: Check that the e-mail clients of the involved employees have enabled the receipt
of encrypted e-mails.

8.4.5 Security Measures for E-Mail Domains

For outbound e-mail, SAP offers Sender Policy Framework (SPF) as a security measure and supports Domain
Keys Identified Mail (DKIM) keys by request.

8.4.5.1 Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an e-mail authentication technique that is used to prevent spammers from
sending messages on behalf of your domain.

This gives you the ability to specify which e-mail servers are permitted to send e-mail on behalf of your domain.
SAP creates an SPF record for all SAP Cloud for Customer tenants using the CISCO mail device.

Note

SAP enables SPF automatically for outbound e-mails. SPF records are updated on the technical From / Mail
From / Envelope-From addresses. The addresses are as follows:

• dsn@myXXXXXX.mail.crm.ondemand.com
• dsn@myXXXXXX.mail.c4c.saphybriscloud.cn

Sample SPF record for either domain: v=spf1 include:_spf.cmail.ondemand.com ~all

8.4.5.2 Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is a signature-based e-mail authentication technique involving a digital
signature that allows the receiver to check that an e-mail was sent and authorized by the owner of that domain.

The DKIM signature is a header that is added to the message and is secured with encryption. SAP recommends
that sender domains used in your SAP solution are DKIM signed. Administrators must explicitly request a
unique DKIM key from SAP.

You can use external tools to check the SPF record or the DKIM key of a domain.

Users send business e-mails when they work with tickets, accounts, appointments, visits, sales quotes,
workflow notifications, or similar objects in the SAP solution.

Business e-mails are:

• Relayed from the CISCO mail device on the SAP Network.
• Sent through the following IP ranges:
  • 155.56.208.100/30
  • 157.133.97.216/30
  • 169.145.66.70/31
  • 169.145.66.72/31
  If you have any throttling process or whitelisting of IPs for receiving mails in your network, update your
  network environment IP addresses and add include:_spf.cmail.ondemand.com in your SPF domain if
  required.
• Sent with a signed DKIM key, provided you've requested the DKIM key from SAP and activated the key.

Related Information

DKIM Keys for Sender Domains [page 106]



8.4.5.3 DKIM Keys for Sender Domains

For outbound e-mail, SAP provides certain e-mail security measures automatically, such as the Sender Policy
Framework (SPF). To add Domain Keys Identified Mail (DKIM) authentication, administrators must follow the
procedure below. Further information can be found in the topic Enable DKIM for Business E-mails.

Context

Administrators must follow the process below to enable the DKIM keys provided by SAP.

Note

For scenarios that generate mass e-mails, such as marketing or campaign execution, follow the procedure
to activate mass e-mail instead.

Procedure

1. Link the provided DKIM keys through DNS server CNAME records.
2. Create an incident to provide your domain details to SAP.
3. SAP activates the DKIM key for your solution and closes the incident.

Results

The DKIM key is activated for your domain and can be used in both test and productive tenants.

Related Information

Enable DKIM for Business E-mails [page 107]



Activation of Mass E-Mail

8.4.5.4 Enable DKIM for Business E-mails

Set up DKIM for all sending domains to ensure that your e-mails are delivered without disruptions to third party
e-mail accounts such as Gmail or Yahoo.

Context

To ensure the security of your sender identity and improve email deliverability, it is essential to configure SPF
(Sender Policy Framework) and DKIM for all sending domains. The initial records for DKIM keys pertaining to
your tenant provided by SAP are as follows:

• c4c-busi-my<123456>-1._domainkey.c4cdkim.crm.ondemand.com
• c4c-busi-my<123456>-2._domainkey.c4cdkim.crm.ondemand.com
• c4c-busi-my<123456>-3._domainkey.c4cdkim.crm.ondemand.com

If the domain of your tenant's URL differs from the one stated above, you can locate your public domain key on
a similar URL, but with a different ending such as:

• c4cdkim.crm.ondemand.com (as stated in the above-mentioned example)
• c4cdkim.c4c.cloud.sap
• c4cdkim.c4c.sapcloud.cn
• c4cdkim.c4c.saphybriscloud.cn

Procedure

1. Replace <123456> in the above-mentioned records with your <Tenant ID> from your normal login domain.
2. Identify all the domains and subdomains you use for sending out emails with SAP Sales and Service Cloud.
This includes all domains used as the From: address in your SAP Sales and Service Cloud emails. For
example, if you send emails from user@example.com, user@test.example.com, and user@sample.com,
your list of domains would be: example.com, test.example.com, and sample.com.
3. Create CNAME entries for each selector and domain in your DNS server.
4. Replace the placeholders with your <Tenant ID> and validate the entries with your network admin before
applying them to your DNS Server:

c4c-busi-my<123456>-1._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-2._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-3._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com

c4c-busi-my<456789>-1._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-1.c4cdkim.crm.ondemand.com
c4c-busi-my<456789>-2._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-2.c4cdkim.crm.ondemand.com
c4c-busi-my<456789>-3._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-3.c4cdkim.crm.ondemand.com

c4c-busi-my<123456>-1._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-2._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-3._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com

5. Create an incident with the SAP Sales Cloud and SAP Service Cloud product support team with the following
details:
1. Specify that you want to enable DKIM for business e-mails.
2. Provide the complete list of domains you have used for each tenant in your SAP Sales and Service
Cloud for sending business e-mails. For example:
1. On tenant my<123456>.crm.ondemand.com, the example.com and sample.com domains are used.
2. On tenant my<456789>.crm.ondemand.com, the test.example.com domain is used.
6. Wait for a response from our product support team. We will review your ticket and provide further
instructions or clarifications, if needed.
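The records in step 4 follow one pattern per tenant, selector and domain, and the usual mistakes when typing them by hand are a leftover <Tenant ID> placeholder, a selector whose target points at another tenant's key, or a domain that gets only two of the three selectors. The following generator and checker is an added example, not SAP code or part of this guide; it assumes the tenant lives under crm.ondemand.com (DKIM host c4cdkim.crm.ondemand.com), and the tenant IDs and domains used are the guide's sample values.

```python
"""Generate and sanity-check the per-domain DKIM CNAME records (added example)."""
import re

DKIM_HOST = "c4cdkim.crm.ondemand.com"  # assumption: tenant is on crm.ondemand.com
SELECTORS = (1, 2, 3)                    # the guide provisions three selectors per tenant
TTL = 3600


def dkim_records(tenant_id, domains):
    """Zone-file CNAME lines for every sending domain of one tenant."""
    lines = []
    for domain in domains:
        for n in SELECTORS:
            selector = f"c4c-busi-my{tenant_id}-{n}"
            lines.append(f"{selector}._domainkey.{domain} {TTL} IN CNAME {selector}.{DKIM_HOST}")
    return lines


CNAME_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+CNAME\s+(?P<target>\S+)$")
SELECTOR_RE = re.compile(r"^c4c-busi-my(?P<tenant>\d+)-(?P<n>[123])$")


def check_record(line):
    """Return the list of problems found in one CNAME line (empty list means OK)."""
    m = CNAME_RE.match(line.strip())
    if not m:
        return ["not a CNAME record"]
    problems = []
    if "<" in line or ">" in line:
        problems.append("placeholder <...> still present")
    owner = m["owner"].rstrip(".")
    target = m["target"].rstrip(".")
    owner_label, sep, _domain = owner.partition("._domainkey.")
    if not sep:
        problems.append("owner is not <selector>._domainkey.<domain>")
        return problems
    target_label, _, target_host = target.partition(".")
    if not (SELECTOR_RE.match(owner_label) and SELECTOR_RE.match(target_label)):
        problems.append("selector is not of the form c4c-busi-my<tenant>-<1|2|3>")
        return problems
    if owner_label != target_label:
        # The owner's selector must point at the key with the very same selector.
        problems.append(f"selector mismatch: {owner_label} -> {target_label}")
    if not target_host.startswith("c4cdkim."):
        problems.append(f"target host {target_host} is not a c4cdkim.* host")
    return problems


def check_zone(lines, expected_tenant):
    """Map each domain to its problems, including selectors that are missing
    and records that reference a tenant other than the expected one."""
    report, seen = {}, {}
    for line in lines:
        problems = check_record(line)
        m = CNAME_RE.match(line.strip())
        owner = m["owner"].rstrip(".") if m else line
        label, _, domain = owner.partition("._domainkey.")
        domain = domain or "(unparsed)"
        sm = SELECTOR_RE.match(label)
        if sm:
            if sm["tenant"] != expected_tenant:
                problems.append(f"tenant {sm['tenant']} is not the expected {expected_tenant}")
            seen.setdefault(domain, set()).add(int(sm["n"]))
        report.setdefault(domain, []).extend(problems)
    for domain, nums in seen.items():
        missing = sorted(set(SELECTORS) - nums)
        if missing:
            report[domain].append(f"missing selectors {missing}")
    return report


if __name__ == "__main__":
    for rec in dkim_records("123456", ["example.com", "sample.com"]):
        print(rec)
    print(check_zone(dkim_records("123456", ["example.com"])[:2], "123456"))
```

Run the generator once per tenant with the full domain list from step 2, then feed the lines you actually intend to publish through check_zone before handing them to your DNS administrator in step 4.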

Related Information

Sender Policy Framework (SPF) [page 105]

Sender Policy Framework (SPF) is an e-mail authentication technique that is used to prevent spammers
from sending messages on behalf of your domain.

DKIM Keys for Sender Domains [page 106]


For outbound e-mail, SAP provides certain e-mail security measures automatically, such as the Sender
Policy Framework (SPF). To add Domain Keys Identified Mail (DKIM) authentication, administrators must
follow the procedure below. Further information can be found in the topic Enable DKIM for Business
E-mails.

8.4.5.5 Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is an e-mail validation system designed to protect your company’s e-mail domain from being used for
e-mail spoofing, phishing scams, and other cybercrimes.

DMARC leverages the existing e-mail authentication techniques such as Sender Policy Framework (SPF) and
Domain Keys Identified Mail (DKIM). A message sent without DKIM or SPF can be considered suspicious by the
different e-mail analysis tools.

DMARC adds an important function, reporting. When domain owners publish a DMARC record in their DNS
zone, they gain insight into who is sending e-mail on behalf of their domain. Domain owners can use this
information to get detailed knowledge of their e-mail channel and to take control over the e-mail sent on their
behalf.

DMARC helps e-mail receivers determine if the purported message aligns with what the receiver knows about
the sender. If not, DMARC includes guidance on how to handle the non-aligned messages.

Note

SAP Cloud for Customer does not provide alignment between the From domain (customer domain) and the
envelope-from domain (myXX.mail.crm.ondemand.com). Hence, e-mails are not DMARC enforced. As a
result, if your domains have a DMARC SPF policy enabled with aspf=s or aspf=r, but you have not set up DKIM
signing for the header.from domain, then the outbound e-mails sent from your SAP Cloud for Customer
tenants are bounced, rejected, or quarantined. However, if the DMARC/DKIM alignment for your domain
passes, the complete e-mail is treated as DMARC pass.

8.4.5.6 Enable DMARC for Bulk or Business E-mails

Set up DMARC for e-mail authentication to ensure that your bulk e-mails are delivered to third-party e-mail
accounts such as Gmail or Yahoo.

Context

As a prerequisite, activate DKIM before setting up DMARC.

Procedure

1. Create TXT records in your DNS Servers for DMARC and align them with your network and security
experts. Following are examples of a non-impacting DMARC entry on your DNS Server for all used
domains:

Domain                DNS Entry
_dmarc.example.com.   3600 IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:dmarc@example.com;aspf=r;fo=1;adkim=r;"
_dmarc.sample.com.    3600 IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:dmarc@sample.com;aspf=r;fo=1;adkim=r;"

Note

You need to adjust the above-mentioned DNS entries to match your specific values, such as domain
names, e-mail addresses, and other DMARC parameters.

2. Ensure that the email addresses specified in the DMARC statement behind "rua=" (reporting URI) are
valid and monitored by your organization. These addresses will receive DMARC reports from receiving mail
servers.
3. Before applying the DMARC records to your DNS Servers, validate the above suggestions with your
network administrator to ensure they align with your network infrastructure and security requirements.
4. Once you have confirmed the accuracy of the DMARC records, apply them to your DNS Server. This will
enable DMARC protection for your domains.
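A DMARC TXT record is a list of tag=value pairs, and a typo in one tag (an unknown p value, a pct outside 0..100, a rua address that is not a mailto: URI) is silently ignored or rejected by receivers. The validator below is an added example, not SAP code or part of this guide; it checks the record shape, reports p=none as monitoring-only (which is what makes the sample entries above "non-impacting"), and flags a rua address in another domain, because RFC 7489 section 7.1 requires that external domain to publish an authorization record before receivers will send reports there. The records it is run on are the guide's own sample entries.

```python
"""Validate a DMARC TXT record before publishing it (added example)."""
import re

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value;tag=value;...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' used in the guide's samples
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip().lower()] = value.strip()
    return tags


def validate_dmarc(policy_domain, txt):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings for one record."""
    findings = []
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        findings.append("ERROR: record must start with v=DMARC1")
    tags = parse_dmarc(txt)

    p = tags.get("p")
    if p not in VALID_POLICIES:
        findings.append(f"ERROR: p must be one of {VALID_POLICIES}, got {p!r}")
    elif p == "none":
        findings.append("WARN: p=none only monitors; receivers take no action on failures")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"ERROR: pct must be 0..100, got {pct!r}")

    for tag in ("aspf", "adkim"):
        if tag in tags and tags[tag] not in ("r", "s"):
            findings.append(f"ERROR: {tag} must be r (relaxed) or s (strict), got {tags[tag]!r}")

    rua = tags.get("rua")
    if not rua:
        findings.append("WARN: no rua= address; you will receive no aggregate reports")
    else:
        for uri in rua.split(","):
            uri = uri.strip()
            m = re.fullmatch(r"mailto:([^@\s]+)@([^@\s]+)", uri)
            if not m:
                findings.append(f"ERROR: rua entry {uri!r} is not a mailto: URI")
                continue
            report_domain = m.group(2).lower()
            pd = policy_domain.lower()
            if report_domain != pd and not report_domain.endswith("." + pd):
                findings.append(f"WARN: reports go to external domain {report_domain}; "
                                "it must publish an authorization record (RFC 7489 section 7.1)")
    return findings


# The guide's sample entry for example.com, as published in the TXT record.
GUIDE_RECORD = '"v=DMARC1;p=none;pct=100;rua=mailto:dmarc@example.com;aspf=r;fo=1;adkim=r;"'

if __name__ == "__main__":
    for finding in validate_dmarc("example.com", GUIDE_RECORD):
        print(finding)
```

Once the reports arriving at the rua address show that all legitimate senders pass, the same validator can be rerun on the tightened record (p=quarantine or p=reject) before it goes live.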

Related Information

DKIM Keys for Sender Domains [page 106]


For outbound e-mail, SAP provides certain e-mail security measures automatically, such as the Sender
Policy Framework (SPF). To add Domain Keys Identified Mail (DKIM) authentication, administrators must
follow the procedure below. Further information can be found in the topic Enable DKIM for Business
E-mails.

Domain-Based Message Authentication, Reporting, and Conformance (DMARC) [page 109]


DMARC is an e-mail validation system designed to protect your company’s e-mail domain from being used
for e-mail spoofing, phishing scams, and other cybercrimes.

8.4.6 Inbound E-Mails FAQ

8.4.6.1 Which server receives e-mails for the SAP
Cloud for Customer technical address domain
*.mail.crm.ondemand.com?

The current e-mail paths for the domain myXXXXXX.mail.crm.ondemand.com are mx1.cmail-
sap.c3s2.iphmx.com and mx2.cmail-sap.c3s2.iphmx.com.

Pref  Hostname                        IP Address
10    mx1.cmail-sap.c3s2.iphmx.com    216.71.136.226 (Cisco Systems Ironport Division, AS30238)
10    mx2.cmail-sap.c3s2.iphmx.com    216.71.136.226 (Cisco Systems Ironport Division, AS30238)

8.4.6.2 What is the maximum allowed size limit for an inbound e-mail?

The maximum allowed size limit for an inbound e-mail is 25MB including attachments.

8.4.6.3 Which attachment types are not allowed in inbound e-mails?

Inbound e-mails with the following attachment file types (extensions) fall into the category of dangerous
attachments.

ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, csr, der, exe, fxp, hlp, hta, inf, ins, isp, its,
js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, reg, scr, sct, shb,
shs, vb, vbe, vbmacros, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xxe, docm, xlsm.

This also applies if attachments with these extensions are found in the following (password-protected)
archives: arj, cab, jar, lha, rar, tar, zip, gzip.

Such mails will have these attachments truncated, but the body of the mail will still be allowed into the SAP
Cloud for Customer system.
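The rule above is an extension blocklist that is also applied to the members of an archive, and an archive's member names can be read without its password (the password protects the member contents, not the directory). The following triage function is an added example of that policy, not SAP's filtering code; the extension list is the one published above, only zip archives are inspected in this demo, and the archive it works on is constructed in memory.

```python
"""Inbound-attachment triage using the guide's dangerous-extension list (added example)."""
import io
import posixpath
import zipfile

BLOCKED_EXTENSIONS = {
    "ade", "adp", "app", "asp", "bas", "bat", "bhx", "cab", "ceo", "chm", "cmd", "com",
    "cpl", "crt", "csr", "der", "exe", "fxp", "hlp", "hta", "inf", "ins", "isp", "its",
    "js", "jse", "lnk", "mad", "maf", "mag", "mam", "mar", "mas", "mat", "mde", "mim",
    "msc", "msi", "msp", "mst", "ole", "pcd", "pif", "reg", "scr", "sct", "shb", "shs",
    "vb", "vbe", "vbmacros", "vbs", "vsw", "wmd", "wmz", "ws", "wsc", "wsf", "wsh",
    "xxe", "docm", "xlsm",
}
# Archive types the guide says are looked into; this demo only opens zip containers.
ARCHIVE_EXTENSIONS = {"arj", "cab", "jar", "lha", "rar", "tar", "zip", "gzip"}


def extension(name):
    """Last extension, lower-cased, of a file name: 'report.pdf.exe' -> 'exe'."""
    base = posixpath.basename(name.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def is_blocked(name):
    return extension(name) in BLOCKED_EXTENSIONS


def blocked_members(zip_bytes):
    """Names inside a zip whose extension is on the blocklist. Member names
    come from the central directory, which is readable even when the
    members themselves are password-protected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_blocked(n)]


def triage(filename, data):
    """'drop' for a blocked attachment (directly or inside a zip), else 'keep'."""
    if is_blocked(filename):
        return "drop"
    if extension(filename) in ARCHIVE_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        return "drop" if blocked_members(data) else "keep"
    return "keep"


def build_demo_zip():
    """Constructed sample archive: a harmless text file next to a .vbs member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "nothing to see")
        zf.writestr("invoice.pdf.vbs", "' constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("docs.zip", build_demo_zip()), blocked_members(build_demo_zip()))
```

Note that the decision is based on the last extension only, as the guide describes, so a double extension such as invoice.pdf.vbs is still caught, while archive.tar.gz would be judged on gz and not on its contents by this demo.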

8.4.6.4 Which HTML tags are not allowed in the body of
inbound e-mails?

Within incoming e-mails, SAP Cloud for Customer supports all HTML tags except <iframe>.

8.4.6.5 What action is taken if a URL has a low reputation score?

E-mails that contain HTTP URLs (example: https://testtest.com) in the mail body are checked for their web
reputation score on the Cisco servers.

URLs with a low web reputation score are removed by the Cisco server, and the e-mail is then sent on to SAP
Cloud for Customer.

Example: If the URL https://testtest.com is classified with a low web reputation, this URL is not clickable from
SAP Cloud for Customer, even when you hover over it. You cannot copy the URL; instead it is shown as an
image. If you want to access the link, you must type the URL manually into your browser.

8.4.7 Outbound E-Mails FAQ

8.4.7.1 Can customers point their SAP Cloud for Customer tenant to their own mail infrastructure?

No. SAP Cloud for Customer does not currently support this feature.

8.4.7.2 Can the Envelope-From address be overwritten with the From address?

No. SAP Cloud for Customer does not currently support this feature.

8.4.7.3 What is the allowed size limit of outbound
and inbound e-mails sent from SAP Cloud for
Customer?

The size of the entire outbound e-mail message from SAP Cloud for Customer including the content, inline
images (if any), and any attachments can be up to, but not exceed 35 MB.

For an inbound e-mail message, the size cannot exceed 26 MB. This is due to the e-mail size getting bloated by
company e-mail servers before it is forwarded to SAP.

Any single attachment can be up to 20 MB in size.

8.4.7.4 Are e-mails relayed from the Cisco mail relay servers secure?

Yes, e-mails are relayed securely with the TLSv1.2 protocol by default, and if the recipient e-mail infrastructure
doesn't support TLSv1.2, a fallback protocol is used.

Note

It is currently recommended to ensure that your mail servers support the TLSv1.2 protocol because TLSv1.0
and TLSv1.1 are disabled for both outbound and inbound e-mails.

8.4.7.5 Which IPs should be configured if the customer maintains any throttling on their e-mail server?

The list of IP addresses is available in the Knowledge Base Article under the section IP Ranges for Mail
Traffic.

8.4.7.6 How to check e-mail headers and identify that the e-mail is coming from SAP Cloud for Customer mail
hosts?

1. Open the e-mail.
2. Click the Message Options icon in the Tags group.
3. Check whether the addresses in the Internet Headers are part of the allowlist.

8.4.7.7 What is the retry interval if the outbound e-mail
sent to the recipient is not delivered because of an
issue at the target server?

The retry attempts start at a one-minute interval that doubles until the first hour has passed. For the next 3
days, an attempt is made every hour, after which a hard-bounce e-mail is sent if the e-mail still cannot be
relayed to the recipient.

8.4.7.8 What is DKIM and what are the advantages of enabling a DKIM key for business e-mails?

DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to check if an
e-mail was indeed sent and authorized by the owner of that domain.

8.4.7.9 How to check the DKIM key of a customer (sender) domain?

1. Navigate to https://dkimcore.org/tools/keycheck.html.
2. Provide the details of the selector and domain.
3. Click Check.

8.4.7.10 How to check if e-mail messages sent from SAP
Cloud for Customer tenant are DKIM signed?

Check the e-mail headers header.i, header.s, and header.from of the received e-mail in the
Authentication-Results section. You can see the domain and selector details of the DKIM key here.

8.4.7.11 Is DKIM Key enabled by default for the sender's domain?

No, an explicit request must be raised to create a DKIM key for your sender's domain that is used to relay
business e-mails from your SAP Cloud for Customer tenant.

8.4.7.12 Are e-mails sent from the domain donotreply@myXXXXXX.mail.crm.ondemand.com signed with a
DKIM key?

No, emails sent from this domain are not signed with a DKIM key. All other e-mails are DKIM signed.

8.4.7.13 Can customers choose their own selector while requesting a DKIM key?

No, a standard and unique selector is provided for each customer's domain. It is not possible to deliver DKIM
keys with custom selectors that are requested by customers.

DKIM key generation and activation is a one-time activity. Customers can request to generate a single key for
multiple domains. The same can be used for all their tenants (production and test).

Maintain the same selector and key for all tenants. Please do not alter the selector based on your tenant.

8.4.7.14 What if customers do not want DKIM enabled
for their sender domain and do not have any IP
whitelisting/throttling/SPF record updated with an
old SAP address?

Outbound business e-mails will still be sent out from their SAP Cloud for Customer system. It is recommended
to use DKIM-signed sender domains in their SAP Cloud for Customer system. This prevents e-mails from going
into junk, spam, or rejected folders.

8.4.7.15 For which domains is it not possible to create DKIM keys?

DKIM keys cannot be created for the following domains: gmail.com, yahoo.com, hotmail.com, outlook.com, and
sap.com.

8.4.7.16 What is Sender Policy Framework (SPF) and what are the advantages of enabling an SPF record for
business e-mails?

Sender Policy Framework (SPF) is an e-mail-authentication technique which is used to prevent spammers from
sending messages on behalf of your domain.

8.4.7.17 How can you check an SPF record?

1. Navigate to https://mxtoolbox.com/SuperTool.aspx.
2. Provide the technical sender address/domain as myXXXXXX.mail.crm.ondemand/
myXXXXXX.mail.c4c.saphybriscloud.cn.
3. Click on the SPF Record Lookup button.

8.4.7.18 What happens if the old IP address is maintained in the SPF record of the domains?

If the old IP address is maintained in the SPF record, a new entry with the current value should be created.

The current SPF entry for sending business e-mails is include:_spf.cmail.ondemand.com.

The old IP addresses for sending business mails are ip4:91.198.224.29/32 and ip4:194.37.255.29/32.
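Before touching the zone, it helps to review the SPF record you already publish: whether it still carries the legacy ip4 entries quoted above, whether it contains the current include, and how many DNS-querying terms it has, since RFC 7208 section 4.6.4 caps them at 10 and an include adds one. The reviewer below is an added example, not SAP code or part of this guide; the record strings are constructed, and the include and the two legacy IP entries are the values quoted above.

```python
"""Review a sending domain's SPF record for the SAP Cloud for Customer entries (added example)."""

CURRENT_INCLUDE = "include:_spf.cmail.ondemand.com"
LEGACY_IPS = {"ip4:91.198.224.29/32", "ip4:194.37.255.29/32"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # terms that cost a DNS lookup


def parse_spf(txt):
    """Return the record's terms after the version tag; raise if it is not SPF."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    return terms[1:]


def _needs_lookup(term):
    t = term.lstrip("+-~?").lower()
    if t.startswith("redirect="):
        return True
    return t.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS


def review_spf(txt):
    """Summarize what an operator needs to decide: is the current include present,
    are legacy entries still there, how close is the record to the 10-lookup limit,
    and what does the final 'all' qualifier do with unmatched senders."""
    terms = parse_spf(txt)
    mechanisms = [t.lstrip("+-~?") for t in terms]
    return {
        "has_current_include": CURRENT_INCLUDE in mechanisms,
        "legacy_entries": [t for t in mechanisms if t in LEGACY_IPS],
        "dns_lookups": sum(1 for t in terms if _needs_lookup(t)),  # at most 10 per RFC 7208
        "all_qualifier": next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None),
    }


if __name__ == "__main__":
    # Constructed records: an outdated one and a corrected one.
    print(review_spf('"v=spf1 ip4:91.198.224.29/32 ip4:194.37.255.29/32 -all"'))
    print(review_spf('"v=spf1 include:_spf.cmail.ondemand.com mx ~all"'))
```

A record whose has_current_include is false will fail SPF at receivers for mail relayed by SAP even if the legacy addresses are still listed, and a record close to 10 lookups should be trimmed before the include is added rather than after.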

8.4.7.19 On which domains are SPF and DKIM policies checked for outbound e-mails?

The checks are done at the recipient mail server against the headers of e-mails sent from the SAP Cloud for
Customer application.

The SPF check is done on the Envelope-From address. The Envelope-From address in SAP Cloud for Customer
is dsn@myXXXXXX.mail.crm.ondemand.com or dsn@myXXXXXX.mail.c4c.saphybriscloud.cn.

The DKIM check is done on the From address in the sender's domain (example: test.com, abc.uk).

8.4.7.20 Why do customer domains have DMARC SPF policy enabled with aspf=s or aspf=r and why are
outbound e-mails sent from their SAP Cloud for Customer tenants bounced/rejected/quarantined?

The Envelope-From address for outbound e-mails will always be the technical address (for example,
myXXXXXX.mail.crm.ondemand.com), and the From address will always be the customer domain address. As of
now, SAP Cloud for Customer does not provide alignment between the From domain (customer domain) and the
envelope-from domain (myXX.mail.crm.ondemand.com).

Hence, e-mails are not DMARC enforced. As a result, if the customer domains have a DMARC SPF policy
enabled with aspf=s or aspf=r, but DKIM signing has not been set up for their header.from domain, then the
outbound e-mails sent from their SAP Cloud for Customer tenants are bounced, rejected, or quarantined.
However, if the DMARC/DKIM alignment for their domain passes, the complete e-mail is treated as DMARC
pass.
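The consequence of the two identifiers described above (and in the Note under 8.4.5.5) can be traced with a small alignment model: DMARC passes when at least one of SPF or DKIM both authenticates and aligns with the header From domain, and because the envelope-from stays in SAP's technical domain, SPF can authenticate but never align, so the DKIM signature on the customer domain is the only route to a pass. The evaluator below is an added example, not SAP code or part of this guide; the tenant ID, domains and alignment modes are constructed sample values, and the organizational-domain helper is a deliberately crude last-two-labels guess where a real implementation would consult the Public Suffix List.

```python
"""DMARC identifier alignment for mail relayed through SAP Cloud for Customer (added example)."""


def org_domain(domain):
    """Crude organizational domain (last two labels); real code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(header_from, envelope_from, spf_pass, dkim_d, dkim_pass, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both authenticates *and* aligns with the header From.

    header_from   : domain of the RFC5322.From address (the customer domain)
    envelope_from : domain of the RFC5321.MailFrom (SAP's technical address)
    dkim_d        : d= domain of the DKIM signature, '' when the mail is unsigned
    """
    spf_aligned = spf_pass and aligned(envelope_from, header_from, aspf)
    dkim_aligned = dkim_pass and bool(dkim_d) and aligned(dkim_d, header_from, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


TECHNICAL_DOMAIN = "my123456.mail.crm.ondemand.com"  # constructed tenant ID

if __name__ == "__main__":
    # SPF passes at the receiver (SAP's include covers the relay) but cannot align.
    print(dmarc_result("example.com", TECHNICAL_DOMAIN, True, "", False))
    # With the DKIM key from 8.4.5.4 signing as d=example.com the mail aligns.
    print(dmarc_result("example.com", TECHNICAL_DOMAIN, True, "example.com", True))
```

The same function shows why the guide asks for a separate CNAME set per sending subdomain: a signature with d=example.com only aligns with a From address at test.example.com under relaxed adkim, and a strict adkim=s policy would reject it.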

9 Application Security

SAP Cloud for Customer provides features to prevent unauthorized access.

Cookies [page 118]


In this section, you can find a list of cookies and their functions in SAP Cloud for Customer.

Security for Additional Applications [page 119]

9.1 Cookies

In this section, you can find a list of cookies and their functions in SAP Cloud for Customer.

SAP Cloud for Customer uses the following cookies to exchange information between the client and server.
This information may include session IDs, load-balancing information, or performance indicators, for example.

To protect the information contained in the cookies, SAP Cloud for Customer requires secure communication
channels (HTTPS) and sets the Secure and HttpOnly flags for all cookies.

Cookie: Sap-client
Purpose: Three-digit tenant number
When Set: Created as a browser session cookie every time a new user visits the logon screen for SAP Cloud for
Customer.

Cookie: Sap-ssolist
Purpose: Supports Single Sign-On administration
When Set: Created as a browser session cookie

Cookie: Sap-usercontext
Purpose: Language and client number
When Set: Created as a browser session cookie every time a new user successfully logs on to SAP Cloud for
Customer.

Cookie: Sap_c4c_logon_record
Purpose: GUID to link requests that belong to one logon session (for performance analysis)
When Set: Created as a browser session cookie every time a new user successfully logs on to SAP Cloud for
Customer.

Cookie: SAP_SESSIONID_<systemname>_<tenant>
Purpose: Session ID
When Set: Created as a browser session cookie every time a new user successfully logs on to SAP Cloud for
Customer.

Cookie: Saplb<systemname>
Purpose: Load balancing, system name, tenant number
When Set: Created as a browser session cookie every time a new user successfully logs on to SAP Cloud for
Customer.
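The two properties stated above, Secure and HttpOnly on every cookie and browser-session lifetime, are easy to verify from the Set-Cookie headers of a logon response. The audit below is an added example, not SAP code or part of this guide; the header lines it runs on are constructed to resemble the cookie names listed above, with dummy values, and one of them is deliberately weakened so the report has something to show.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and session-only properties (added example)."""


def parse_set_cookie(header):
    """Return {'name', 'value', 'attrs'}; attrs maps lower-cased attribute names
    to their value, or True for flag attributes such as Secure and HttpOnly."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first '=' only
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers):
    """Map each cookie name to the list of expectations it fails."""
    report = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "expires" in attrs or "max-age" in attrs:
            # The guide says these are browser session cookies: no persistence.
            missing.append("session-only (Expires/Max-Age set)")
        report[cookie["name"]] = missing
    return report


# Constructed sample headers; the last one is intentionally weakened.
SAMPLE_HEADERS = [
    "sap-client=100; Path=/; Secure; HttpOnly",
    "sap-usercontext=sap-language=EN&sap-client=100; Path=/; Secure; HttpOnly",
    "SAP_SESSIONID_ABC_100=dummy-session-id; Path=/; Secure; HttpOnly",
    "saplbABC=(dummy-lb); Path=/; Max-Age=3600; Secure",
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

In practice the headers come from the response to the logon request as captured by the browser's developer tools or by an HTTP client, and any cookie with a non-empty finding list is worth a ticket.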

9.2 Security for Additional Applications

SAP offers a set of additional software components that you can install, on desktop computers, for printing and
additional functionality.

Confirm the Signature

All additional applications of SAP Cloud solutions that are delivered for download are digitally signed. To
confirm the signature, proceed as follows:

1. Right-click on the file you have downloaded, then choose Properties.
2. In the dialog box, choose the Digital Signatures tab.
3. Confirm that the indicated Name of signer is SAP AG.

When you execute the installation of a file, a popup appears, indicating the Verified publisher. In this case, SAP
AG is indicated as well.

Saving Logon Data

SAP front-end components never share an existing authentication session on SAP Cloud solutions, for
example, within a Web browser or with another front-end component. Dedicated authentication is always
required to build a confidential communication channel, secured via the Secure Sockets Layer (SSL) protocol,
to your SAP Cloud solution.

If you log on to the system from a desktop computer with a user ID and password, you are asked whether you
want to store the password locally for subsequent authentication purposes. The password is encrypted, and
not stored as plain text. It is stored using the available protection mechanisms of the operating system, and
can be reused only by the operating system user who is currently logged on. If you do elect to use this function,
then you should activate it on your device only, and never on public computers.

10 Secure Delivery, Configuration, and
Change Management

Ensure that your SAP Cloud for Customer configuration is secure and remains secure.

Security for End-User Devices [page 120]


Here you can find security recommendations for end-user devices such as PCs and laptops for Windows
and Apple products.

Service Composition Security [page 121]


This section describes security considerations that apply to the built-in mashups integration and web
services composition capabilities of SAP Cloud Solutions.

Security Recommendations [page 123]


Use the information in this table to secure the configuration and operation of SAP Cloud for Customer.

10.1 Security for End-User Devices

Here you can find security recommendations for end-user devices such as PCs and laptops for Windows and
Apple products.

Since you can download data to your local devices, it’s important that you follow strict security protocols to
protect your data from getting compromised.

SAP Cloud for Customer offers many data-extraction features such as Data Workbench, OData APIs, Microsoft
Excel downloads, and so on.

Caution

We strongly recommend that you use secure protocols to prevent security breaches of confidential data.

We recommend to:

• Protect user accounts with strong passwords.
• Enable and activate whole disk encryption to protect the data in case your machine gets lost or stolen.
• Keep operating system software, virus checkers, browsers, and other applications current, and ensure
available security patches are deployed.

Related Information

File and Attachment Processing [page 131]


Define the allowed file types for attachments and discover how to handle temporary files.

10.2 Service Composition Security

This section describes security considerations that apply to the built-in mashups integration and web services
composition capabilities of SAP Cloud Solutions.

Mashups and service composition entail cross-domain communication between various internet domains.

Content from different domains – especially active content, such as JavaScript – is always domain-separated
in the Web browser.

A same origin security policy common in Web browsers, prohibiting access to content across domain
separations, is activated, if necessary.

10.2.1 URL Mashup Integration

Both partners and administrators can create URL mashups to perform the following tasks:

• Open a Web page.
• Open a resource, for example, a Microsoft® Office or Adobe® PDF document, an Adobe® Flash® or
multimedia video file, and so on.
• Open a custom URL of a front-end application, for example, Microsoft® Outlook®, Apple iTunes®, and so on.

You can open these items from an SAP Cloud solution screen by configuring the URL with dynamic parameters
that are derived from the screen out-port interface of your SAP Cloud solution.

Caution

Some URLs may pass your business data to an external application provided by a third-party organization,
for example, account data passed to a search engine when performing a reverse lookup in an online
address book. Therefore, before you use the URL mashup, we recommend that you confirm that it
conforms with your company’s security and data privacy policies.

Some Web browser settings, for example, popup blockers, may prevent the new browser window from
appearing in the URL mashup. We therefore recommend that you review your browser settings to
determine whether popups are allowed.

10.2.2 HTML Mashup Integration

Both partners and administrators can create HTML mashups to embed an HTML-based Web page or a
resource that can be rendered in a Web browser – for example, a Microsoft Office or Adobe PDF document,
or an Adobe Flash or multimedia video file – into an SAP Cloud solution screen by configuring the URL with
dynamic parameters that are derived from the SAP Cloud solution screen out-port interface.

Caution

Certain URLs may pass your business data to an external application provided by a third-party
organization, for example, account or contact data passed to a social media Web site when displaying
the related profile. Therefore, before you use the HTML mashup, we recommend that you confirm that it
conforms with your company’s security and data privacy policies.

10.2.3 Map Mashup Integration

SAP Cloud solutions use Microsoft® Bing Maps™ as a built-in map service provider. Both administrators and end
users can configure the map mashup usage on an SAP Cloud solution screen to display the visual location or
route information on a map. Before Bing Maps mashups can be used, you as an administrator must activate
them by entering the Application Programming Interface (API) key for Bing Maps usage under Administrator
Mashup Authoring. For more information about the Bing Maps Web service partner, and to apply for an API
key, visit the SAP Cloud solutions communities.

Caution

Bear in mind that the map mashup may convey business data of yours to the Bing Maps Web service
provider. For example, ship-to and bill-to addresses are transferred to the Bing Maps Web service provider
when displaying the related visual location on the map. Therefore, before you use the map mashup, we
recommend that you confirm that it conforms with your company’s security and data privacy policies.

Bing Maps Web service communication takes place directly between the user’s Web browser and the
service provider via the Secure Sockets Layer (SSL), with the dedicated API key applied for each SAP
Cloud solution. Bear in mind that the Bing Map Web service provider may monitor the Bing Maps Web
service API usage in accordance with the terms of licensing. Therefore, before you use the map mashup, we
recommend that you review the API usage and licensing details with the Bing Maps Web service provider.

10.2.4 Data Mashups

Both partners and administrators can create data mashups for composing Web services (provided by third-
party Web service providers) with business data derived from the SAP Cloud solutions. You can use the
integrated authoring tool, the Data Mashup Builder, to transform or merge external Web services with internal
business data, using industry-standard Web service protocols, for example, RSS/Atom, REST or SOAP Web
services.

Create Web services in your SAP Cloud solution before creating the Web service composition in the Data
Mashup Builder. API keys can be specified for the Web service security by means of industry-standard or Web
service specific authentication methods, for example, basic authentication, REST body credentials, or SOAP
service parameter credentials. The API keys entered by partners and administrators are stored in an isolated
secure storage of your SAP Cloud solution back end, which is never exposed to end users.

Caution

Certain Web services may transfer business data of yours to an external Web service provider from a
third-party organization. For example, account or address data is transferred to a data quality Web service
provider when data quality cleansing operations in Cloud applications are performed. Therefore, before
you use the mashup, we recommend that you confirm that the Web service conforms to your company’s
security and data privacy policies.

Web service communication in data mashups does not take place directly between the user’s Web browser
and the Web service provider. Rather, as a result of the cross-domain access policy restriction, it is tunneled
using the SAP Cloud solution system back-end Web service proxy. Only the Web service endpoints that
have been confirmed with acknowledgement by partners and administrators can be accessed by the SAP
Cloud solution system back-end Web service proxy by all end users of a customer. Therefore, before you
confirm that a Web service is added to your SAP Cloud solution, we recommend that you ensure that it
conforms to your company’s and country’s security policies.

10.3 Security Recommendations

Use the information in this table to secure the configuration and operation of SAP Cloud for Customer.

Remember

As part of the cloud shared responsibility model (restricted access), you're responsible for determining if
any of these recommendations are relevant for your environment and to what extent.

The security recommendations are provided as a courtesy, without a warranty, and may be subject to
change. For more information, see the disclaimer.

Security Recommendations

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Default authentication method is basic authentication with username/password.
Recommendation: Enable SAML 2.0 Assertion for Front-End Single Sign-On and disable the default
username/password authentication method (C4C-IAS-0002).
More Information: Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO) [page 13]
Index: C4C-IAS-0001

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Non-SSO URL is configured by default as the one sent to employees, allowing to
bypass SSO.
Recommendation: SSO URL to be configured.
More Information: 2595989
Index: C4C-IAS-0002

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Password access is not disabled by default.
Recommendation: Disable password access for all users working with SSO.
More Information: Log On Using User ID and Password [page 34]
Index: C4C-IAS-0003

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Authentication and Single Sign-On
Default Setting or Behavior: Only sample password policies are configured to showcase the options, but they
are not strong enough for productive use.
Recommendation: If password authentication is used (which is not recommended, refer to C4C-IAS-0001), a
separate password security policy needs to be configured for administrators with stricter rules.
More Information: Security Policy Quick Guide [page 36]
Index: C4C-IAS-0004

Component: SAP Sales and Service Cloud
Priority: Critical
Secure Operations Map: Roles and Authorizations
Title: Access control
Default Setting or Behavior: SAP Cloud for Customer does not ship default roles. The initial user has to create
admins and all the other roles.
Recommendation: Configure a reasonable minimal privileges concept for different roles and users. Provide
write access only to users who need it to operate.
More Information: Restricting Access Roles [page 10]
Index: C4C-AUT-0001

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: Inactive users will be logged off of the system after 1 hour.
Recommendation: Review the time after which the users will be logged out and configure it to your preference.
More Information: Security Settings [page 39]
Index: C4C-IAS-0005

Component: SAP Sales and Service Cloud Mobile
Priority: Advanced
Secure Operations Map: Authentication and Single Sign-On
Title: Strong authentication
Default Setting or Behavior: On by default in current release.
Recommendation: Review the setting and enable certificate pinning in case it is disabled (upgrades from older
releases will not change the setting).
More Information: Certificate Pinning [page 50]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: Encryption
Default Setting or Behavior: E-mail encryption is disabled by default.
Recommendation: Enable and configure S/MIME.
More Information: Enabling S/MIME Security [page 103]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: E-mail authentication
Default Setting or Behavior: Domain Keys Identified Mail (DKIM) authentication is disabled by default.
Recommendation: Request DKIM Key for Sender Domains.
More Information: DKIM Keys for Sender Domains [page 106]

Component: SAP Sales and Service Cloud
Priority: Recommended
Secure Operations Map: System hardening
Title: File upload control
Default Setting or Behavior: Default MIME types.
Recommendation: Review the list of allowed MIME types and keep it as minimal as possible.
More Information: Configure Upload Controls [page 131]

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Title: Personal data removal
Default Setting or Behavior: No feedback on personal data removal runs.
Recommendation: It is recommended to check the status of data removal runs, since the user triggering one
receives no direct feedback.
More Information: Administer Data Removal Runs [page 64]
Index: C4C-DPP-0001

Component: SAP Sales and Service Cloud
Priority: Advanced
Secure Operations Map: Data Protection and Privacy
Title: Data retention
Default Setting or Behavior: Nothing enabled by default; initial values are set to 99 years.
Recommendation: It is recommended to review data retention and back up/archive your data/logs as per your
specific regulation.
More Information: Data Retention [page 63]
Index: C4C-DPP-0002

SAP Rec- Security Monitoring and alerting is a Security-relevant reports to be re- Security- C4C
Relevant
Sale om- monitor- shared responsibility in which viewed regularly. -MO
Reports
s men ing SAP focuses on infrastruc- N-0
[page 83]
and ded ture level events and custom- 001
Ser ers focus on the application
vice level events
Clo
ud

SAP Ad- Data Pro- Ob- As a data protection officer, It is recommended to create your Automate C4C
Removal
Sale van tection sol- you can schedule automated own scheduled runs. -DP
of Obso-
s ced and Pri- ete deletion of obsolete business P-0
lete Busi-
and vacy part partners, such as, contacts, ness Part- 003
Ser ner employees, and individual ners [page
vice re- customers 66]
Clo mov
ud al

SAP Ad- Data Pro- Personal Data removal de- Based on your specific require- Remove C4C
Personal
Sale van tection letes everything like associ- ments, the scope of Personal Data -DP
Data
s ced and Pri- ated activities, transactions, removal has to be configured to P-0
[page 57]
and vacy attachments by default avoid deletion of data to be kept. 004
Ser
vice
Clo
ud

SAP Cloud for Customer Security Guide


126 PUBLIC Secure Delivery, Configuration, and Change Management
Co Last
mp Pri- Secure Up-
one or- Opera- Ti- More In- dat In-
nt ity tions Map tle Default Setting or Behavior Recommendation formation e dex

SAP Rec- API If currently a business user is It is recommended to use the SAP Cloud C4C
for Cus-
Sale om- being used for technical inte- OData Services and it's integration -API
tomer
s men gration user. -00
OData API
and ded 01
Ser
vice
Clo
ud

SAP Rec- API Custom features of OData 'No Authorization Checks' toggle SAP Cloud C4C
for Cus-
Sale om- isn't available in case 'No has to be set to 'No'. -API
tomer
s men Authorization Checks' is ena- -00
OData API
and ded bled 02
Ser
vice
Clo
ud

SAP Ad- Authoriza- As an administrator, you It is recommended to set the visibil- Scope and C4C
Configure
Sale van tion can restrict relationship intel- ity based on who needs to be able -AU
Relation-
s ced ligence insights by specify- to access it. T-0
ship Intel-
and ing the business roles that ligence 002
Ser can have authorization to ac-
vice counts.
Clo
ud

SAP Crit- Mobile Se- Mobile Store Delivery list Mobile app should only be down- Mobile C4C
App Up-
Sale ical curity contains trusted sources loaded from the official sources. -MD
dates
s M-0
and 001
Ser
vice
Clo
ud

SAP Crit- Mobile Se- t Mobile device security man- General recommendations, such as Mobile De- C4C
vices
Sale ical curity agement screen lock, strong pin, etc., to -MD
[page 48]
s be followed and enforced via MDM M-0
and (Mobile Device Management) solu- 002
Ser tion.
vice
Clo
ud

Related Information

Explanation of Table Headings [page 129]

10.3.1 Explanation of Table Headings

Component: The name of the component to which the setting belongs.

Priority: Defines the criticality of the recommendation.
  Critical: Exposes the system to significant risk or threatens system reliability.
  Recommended: Improves the security of the landscape and significantly reduces the attack surface.
  Advanced: Extends the recommendation to a higher standard. The recommendation either extends the security standards to a higher level of protection or to additional areas, such as your organization-specific requirements.

Secure Operations Map: The Secure Operations Map is a reference model to structure the broad area of security for content, discussions, and as a basis for a 360° view on security. For more information about the Secure Operations Map, see Security Overview as part of the SAP Security Optimization Services Portfolio.

Topic: A topic is a short description or a general heading to find similar topics across services.

Default Setting or Behavior: Describes the usage of the security setting, including any context, or the default setting behavior (if available).

Recommendation: Defines our recommendation for this configuration.

More Information: A link to documentation that explains how you can achieve the recommendation.

Last Updated: Date of the last significant change. Note: Please expect change here.

Index: A stable unique reference to identify the recommendation.

11 Operational Security

You must ensure the secure operation of your SAP Cloud for Customer instance to protect the confidentiality,
integrity, and availability of the information it processes.

File and Attachment Processing [page 131]


Define the allowed file types for attachments and discover how to handle temporary files.

Security Management and Continual Improvement of Security [page 132]


Security Management at SAP Cloud for Customer aims towards the continual improvement of the
information security framework.

11.1 File and Attachment Processing

Define the allowed file types for attachments and discover how to handle temporary files.

11.1.1 Configure Upload Controls

This section describes the steps to specify the allowed file types.

Context

The Multipurpose Internet Mail Extensions (MIME) type configuration controls the files you can add to the
SAP Cloud for Customer system. These file types include attachment uploads as well as files sent via e-mail
attachments.

You can upload attachment files to your SAP Cloud solution in several application scenarios, for example in
billing, in data migration, or image files of your travel expense receipts. Regularly updated anti-virus software
checks the uploaded files for viruses and other types of malicious software.

Recommendation

In addition to the anti-virus scanning performed on the SAP side, we recommend that our customers also use their own anti-virus software.

In Business Configuration, you can define which file types can be uploaded to your solution. Note that file-
name extensions can be changed to disguise the actual file format of the file.

We recommend that you start with a minimal MIME list, as you have the option of adding more types later. Choose from
the list of allowed MIME types only those needed for uploading the documents that are specific to your project.

Follow these steps to select MIME types from the provided list:

Procedure

1. Navigate to Business Configuration > Implementation Projects > Open Activity List and open the
Allowed MIME Types for Document Upload fine-tuning activity.
2. In the new screen, select the MIME types relevant for your project.
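The procedure above restricts uploads by MIME type, and the context paragraph warns that a file-name extension can be changed to disguise the real format. The following is an added example, not SAP code and not the product's own upload check: it shows the deny-by-default principle behind a minimal allow-list, requiring the declared MIME type, the file extension and the file's leading bytes (its content signature) to agree before an upload is accepted. The allow-list, the signature table and the sample uploads are constructed for illustration.

```python
"""Upload allow-list check: declared MIME type, extension and content
signature must all agree before an attachment is accepted.

Added example (not SAP code). The allow-list, signatures and sample
uploads below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list: a project that permits only PDF and PNG uploads.
# Each allowed MIME type maps to the extensions it may legitimately carry.
ALLOWED_MIME_TYPES = {
    "application/pdf": {".pdf"},
    "image/png": {".png"},
}

# Leading-byte signatures ("magic numbers") for the allowed types, plus a few
# formats that must never pass, so a renamed file is recognised for what it is.
SIGNATURES = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"MZ": "application/x-msdownload",   # Windows executable
    b"PK\x03\x04": "application/zip",     # ZIP / Office container
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    detected_mime: Optional[str]


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def check_upload(filename: str, declared_mime: str, data: bytes) -> UploadDecision:
    """Accept only if the declared type is on the allow-list, the extension
    belongs to that type, and the content signature agrees. Anything else is
    rejected (deny by default), so a disguised file fails even with a valid extension."""
    declared_mime = declared_mime.lower()
    allowed_exts = ALLOWED_MIME_TYPES.get(declared_mime)
    if allowed_exts is None:
        return UploadDecision(False, f"MIME type {declared_mime!r} not in allow-list", None)
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    if ext not in allowed_exts:
        return UploadDecision(False, f"extension {ext!r} does not match {declared_mime!r}", None)
    detected = sniff_mime(data)
    if detected != declared_mime:
        return UploadDecision(False, f"content looks like {detected!r}, not {declared_mime!r}", detected)
    return UploadDecision(True, "accepted", detected)


# Constructed sample uploads: a genuine PDF, a genuine PNG, an executable
# renamed to .pdf, and a macro-enabled document whose type is not allowed.
SAMPLE_UPLOADS = [
    ("invoice.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("receipt.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("report.pdf", "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("macro.docm", "application/vnd.ms-word.document.macroEnabled.12", b"PK\x03\x04"),
]


def review_uploads(uploads=SAMPLE_UPLOADS):
    """Run the check over a batch and return (filename, accepted, reason) per upload."""
    results = []
    for name, mime, data in uploads:
        decision = check_upload(name, mime, data)
        results.append((name, decision.accepted, decision.reason))
    return results


if __name__ == "__main__":
    for name, ok, reason in review_uploads():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:12} {reason}")
```

Signature sniffing is a complement to, not a replacement for, the anti-virus scanning described above; it catches the cheap disguise (a renamed executable) and keeps the accepted set exactly as small as the configured allow-list.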

11.1.2 Temporary Files

Your browser saves temporary files as you work. Use your browser tools to delete cached information.

On PCs and laptops, the IndexedDB of the browser is used to cache information, such as:

• Recent history
• Basic search (recent search entries)
• Value help (recent search entries)
• Home page (title information and data)

Recommendation

SAP Cloud for Customer doesn't delete these types of temporary entries. To remove cached data, we
recommend using the appropriate features of your browser.

11.2 Security Management and Continual Improvement of Security

Security Management at SAP Cloud for Customer aims towards the continual improvement of the information
security framework.

Compliance

SAP conducts several external audits every year for various certificates and attestations such as ISO, C5, SOC,
and so on.

You can find the current list of certifications in SAP Trust Center under the Compliance tab. Filter with SAP
Cloud for Customer to find the right compliance documents for your business needs including certifications,
attestations, and SOC reports.

Penetration Tests and Vulnerability Scans

SAP conducts external penetration tests for product and infrastructure at least once a year. In addition, a
number of internal tests and security validations are performed by dedicated teams throughout the year.

Vulnerability scans with internal and external scope are performed on an ongoing basis.

You can find more details about scope and frequencies in the SOC2/C5 reports.

Code Scans

The complete code base is covered with static code scans. For the non-ABAP code base, SAP carries out
additional checks to look for open source vulnerabilities and ensures license compliance. Used open source
components are monitored for newly disclosed vulnerabilities.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

www.sap.com/contactsap

© 2024 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form


or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors


contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for


informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for


additional trademark information and notices.
