0% found this document useful (0 votes)

35 views54 pages

Security Guide

The document is a comprehensive security guide for SAP Business ByDesign, detailing the necessity of security, technical system landscape, and various security aspects related to data, user administration, and mobile applications. It covers user management, authentication mechanisms, authorizations, and security for additional applications, along with recommendations for data storage and data center security. The guide emphasizes the importance of maintaining security policies and practices to protect sensitive information and ensure system integrity.

Uploaded by

Jalpa Harshal Desai

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

35 views54 pages

Security Guide

Uploaded by

Jalpa Harshal Desai

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 54

INTERNAL

2022-02-10

Security Guide for SAP Business ByDesign

THE BEST RUN

Content

1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 About this Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Necessity of Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Document Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4 Security Aspects of Data, Data Flow, and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4.1 Communication Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.2 Business-To-Business Communication and Application Integration. . . . . . . . . . . . . . . . . . . . . . . . . 11
4.3 Communication Arrangement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Create a Communication Arrangement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Delete a Communication Arrangement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
4.4 E-Mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
MIME Type Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

5 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
5.2 User Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.3 Authentication Mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Logon Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO). . . . . . . . . . . . . . . . . . . . . 22
Logon Using Client Certificate (X.509). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Logon Using User ID and Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.4 Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

6 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.1 Authorizations Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.2 Access Restriction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.3 Segregation of Duties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

7 Mobile Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.1 General Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.2 Mobile Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.3 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.4 Secure System Access and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
7.5 Password Change and Password Reset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
7.6 Special Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Security Guide for SAP Business ByDesign

2 INTERNAL Content
7.7 Data Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Password Retention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Support Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

Cache Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Offline Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

8 Front-End Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

8.1 HTML5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

8.2 Microsoft ® Silverlight™. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

9 Security of Data Storage and Data Centers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

9.1 Asset Protection and Data Integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

9.2 Power Backup and Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

9.3 Restricted Physical Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

9.4 Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

9.5 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

10 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

10.1 Confirm The Signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

10.2 Saving Logon Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

10.3 Intelligent Robotic Process Automation (IRPA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

11 Other Security-Relevant Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

11.1 Service Composition Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

URL Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

HTML Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Map Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Data Mashups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

11.2 Internal and External Audits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Security Management and Continual Improvement of Security. . . . . . . . . . . . . . . . . . . . . . . . . 45

12 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

12.1 Information Lifecycle Management for Data Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

12.2 Security-Relevant Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

13 Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Security Guide for SAP Business ByDesign

Content INTERNAL 3
1 Document History

Version Date Change

1.0 2013-11-20 Initial version for SAP Business ByDe

sign, SAP Cloud for Customer and SAP
Cloud for Travel and Expense November
2013

1.1 2013-11-28 The following chapters have been up

dated:

● Business-to-Business Communi
cation and Application Integration
● Logon Using Client Certificate (X.
509)

1.2 2014-09-05 Miscellaneous typographical errors cor

rected. No technical updates made to
the content

1.3 2016-11-06 Removed references for other cloud

products and SSL protocol

1.4 2018-02-04 Data Protection and Privacy and Best

Practices sections have been updated

Security Guide for SAP Business ByDesign

4 INTERNAL Document History
2 Introduction

2.1 About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Business
ByDesign.

2.2 Necessity of Security

With the increasing use of distributed systems and the Internet for managing business data, demands on
security are also on the rise.

When using a distributed system, you must ensure that your business processes do not permit unauthorized
access to critical information. User errors, negligence, or attempted manipulation of your system should not
result in loss of information or processing time. These security requirements apply equally to SAP Cloud
solutions.

To assist you in ensuring the security of your SAP Business ByDesign solution, we provide this Security Guide.

2.3 Document Structure

The Security Guide contains the following sections:

● Technical System Landscape

This section describes the technical components and communication paths that are used in the solution.
● User Administration and Authentication
This section describes the user administration tools, and the system access and authentication concept
that applies to the solution.
● Authorizations
This section describes the authorization concept of the solution.
● Mobile Applications
This section describes mobile applications.
● Front-End Security
This section describes the security mechanisms that apply to the front end.
● Security of Data Storage and Data Centers

Security Guide for SAP Business ByDesign

Introduction INTERNAL 5
This section describes critical data that is used by the solution, and the security mechanisms that apply.
● Security for Additional Applications
This section contains security information about additional software components that are associated with
the solution.
● Other Security-Relevant Information
This section contains information about service composition security, and internal and external audits.
● Security-Relevant Logging and Tracing
This section describes trace and log files that contain security-relevant information, allowing you to
reproduce activities if a security breach occurs.

Security Guide for SAP Business ByDesign

6 INTERNAL Introduction
3 Technical System Landscape

SAP Business ByDesign is hosted in SAP's own data center located either in China, Germany, the United States
of America or Australia.

Customers can choose in which data center their solution shall run. The solution provides optional integration
with a full Enterprise Resource Planning (ERP) suite, including the associated server landscape and system
maintenance.

Since the SAP Business ByDesign solution deals with business data from your core business processes, SAP
adheres to the highest security and quality requirements, as follows:

● The business data is stored securely in SAP data centers.

● Customers share physical hardware, but their data is separated into tenants.
● Users who require access to the business data must authenticate themselves, and their identity must be
verified by user and access management.
● Customer data always belongs to the customer.

You can access your SAP Business ByDesign solution in the following ways:

● Desktop computer: browser-based Internet access from any network with internet access
● Portable computers: browser-based Internet access from any network with internet access
● Mobile devices: Native Apps (Access via a Web browser on a mobile phone or tablet is neither supported
nor recommended.)

Industry best practices and state-of-the-art open cryptographic standards secure and protect communications
between customer devices and the system landscapes of your SAP Business ByDesign solution in the SAP data
center.

Security Guide for SAP Business ByDesign

Technical System Landscape INTERNAL 7
The following diagram summarizes the technical system landscape for standard access:

To access SAP Business ByDesign solution, you must enter a unique, customer-specific URL.

Communication is carried out via the Reverse Proxy (RP) component in the SAP data center.

The Reverse Proxy is the SAP Web Dispatcher, which is developed and maintained by SAP Cloud Support.

The communication channels that require mutual authentication are secured by using standard Transport
Layer Security (TLS) protocol. For more information about connectivity, see Technical Connectivity Guide for
SAP Cloud Applications.

The server certificate used by the reverse proxy must be trusted by the SAP Cloud system. You can download
these certificates at https://secure.omniroot.com/support/sureserver/rootcert.cfm .

The communication channels for monitoring and maintaining instances of your SAP Business ByDesign
solution instances in the SAP data center network are also encrypted and authenticated.

Ensure that you also read the following relevant subsections:

● Using Firewall Systems for Access Control Application-Level Gateways Provided by SAP Web
Dispatcher
● Using Multiple Network Zones

You can upload attachment files to the SAP Business ByDesign solution in several application scenarios, for
example in billing, in data migration, or image files of your travel expense receipts. Regularly updated antivirus
software checks the uploaded files for viruses and other types of malicious software.

 Recommendation

In addition to this antivirus software, we recommend that you also use antivirus software. Uploaded files
are blocked based on their filename extensions, that can be manipulated.

Security Guide for SAP Business ByDesign

8 INTERNAL Technical System Landscape
In Business Configuration, you can define the type of files that can be uploaded to the solution. You should note
that filename extensions can be changed to disguise the actual file format.

Security Guide for SAP Business ByDesign

Technical System Landscape INTERNAL 9
4 Security Aspects of Data, Data Flow, and
Processes

4.1 Communication Channels

The table below shows the communication channels used by SAP Business ByDesign, the protocol used for
connection, and the type of data transferred.

Type of Data Transfer Data Requiring Spe

Communication Path Protocol Used Technology Used red cific Protection

Web browser acting as HTTPS REST services Application data User IDs, passwords
front-end client to ac
cess the hosted SAP
Business ByDesign
system.

Apple® iPad® applica HTTPS REST services Application data User IDs, passwords,
tion, Apple® iPhone®, application data
BlackBerry® player,
Android ™, Windows ®
Phone

E-mail SMTP SMTP server Application data Confidential data

Business-to-business HTTPS Web services Application data Application data

communication and
application integration

Cryptographic Protocols

Inbound Communications

For all inbound communications, TLS 1.2 or higher is required. The following cipher suites are supported:

● TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256
● TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384
● TLS_ECDHE_RSA_WITH_AES128_CBC_SHA
● TLS_ECDHE_RSA_WITH_AES256_CBC_SHA384

Security Guide for SAP Business ByDesign

10 INTERNAL Security Aspects of Data, Data Flow, and Processes
● TLS_ECDHE_RSA_WITH_AES256_CBC_SHA
● TLS_ECDHE_ECDSA_WITH_AES128_GCM_SHA256
● TLS_ECDHE_ECDSA_WITH_AES256_GCM_SHA384
● TLS_ECDHE_ECDSA_WITH_AES128_CBC_SHA
● TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA384
● TLS_ECDHE_ECDSA_WITH_AES256_CBC_SHA
● TLS_RSA_WITH_AES128_GCM_SHA256
● TLS_RSA_WITH_AES256_GCM_SHA384
● TLS_RSA_WITH_AES128_CBC_SHA
● TLS_RSA_WITH_AES256_CBC_SHA

 Note

SAP Business ByDesignsolution uses port 443 for HTTPS connectivity.

 Caution

We strongly recommend that you use secure protocols such as Transport Layer Security (TLS) or Secure
Network Communication (SNC).

4.2 Business-To-Business Communication and Application

Integration
Business-to-Business (B2B) communication and application integration refers to the exchange of business-
related data across administrative domains.

These domains need not necessarily belong to different entities, such as companies; they can also represent
different geographic subsidiaries of the same company.

Communication arrangements enable you to configure the electronic data exchange between your solution and
a communication partner. A communication partner can be a business partner in a B2B communication
scenario or an external communication system that is used for application integration, for example, external
time recording or master data systems.

SAP Business ByDesign provides communication scenarios for inbound and outbound communication that
you can use to create communication arrangements. Inbound communication defines how business
documents are received from a communication partner, whereas outbound communication defines how
business documents are sent to a communication partner.

Before you can use electronic data exchange for a particular business process, you must configure and activate
a communication arrangement for the corresponding communication scenario. You can do so during your
solution configuration or, after configuration is complete, in the Communication Arrangements work center
view in the Application and User Management work center.

You can find the list of trusted certification authorities for server certificates in the Application and User
Management work center under Common Tasks Edit Certificate Trust List .

Security configuration for electronic data exchange is conducted at the communication arrangements level,
where you can configure the authentication method and communication security.

Security Guide for SAP Business ByDesign

Security Aspects of Data, Data Flow, and Processes INTERNAL 11
Like end user authentication, B2B communication and application integration can be authenticated by two
mechanisms: user ID plus password, and the X.509 client certificate. For inbound communication, you can
upload the communication partner’s client certificate in the configuration user interface, and map it to the
communication user.

 Caution

You can download an X.509 key pair from SAP Business ByDesign. These key pairs are only intended for
communication with the SAP Cloud solution and must not be used for other communication. This is
because the corresponding certificate can be blocked in the solution and you can make the key pair invalid
for logging on to the client but you cannot invalidate its other uses.

For outbound communication, you can upload a PKCS#12 container file, consisting of a private key and the
corresponding client certificate that must be trusted and mapped by the communication partner.
Administrators can monitor the validity of client certificates in the Application and User Management work
center under Common Tasks Edit Certificate Trust List .

Certificates have a validity period and expire at a defined point in time. Before expiration, they must be
renewed; if the client certificate’s Subject or Issuer has changed, then the upload and mapping process must
be repeated. Communication arrangements are the customer’s responsibility, since their configuration reflects
the specific details of their business partner. As a result, expiring certificates cannot be replaced automatically
by SAP; this action must be performed by the customer.

A good security concept also includes mandatory periodic password changes. These changes must be
performed synchronously by both parties involved. If an expired client certificate is renewed with the same
attributes, the certificate information can be exchanged asynchronously.

 Recommendation

We recommend authentication using Single-Sign on with SAML 2.0 for browser-based access and user
names plus passwords for access from mobile devices. Please ensure that the passwords used are strong
enough.

4.3 Communication Arrangement

Communication arrangements help you to configure the electronic data exchange between the solution and a
communication partner.

Communication arrangements can be set up for multiple business documents and communication methods.
The solution provides communication scenarios for inbound and outbound communication that you can use to
create communication arrangements. Inbound communication defines how business documents are received
from a communication partner, whereas outbound communication defines how business documents are sent
to a communication partner.

The communication arrangements can be created in the solution from the Communication Arrangements view.
The Communication Arrangements view enables administrators to create and edit communication
arrangements that your company has set up with a communication partner.

You can access this view from the Application and User Management work center.

Security Guide for SAP Business ByDesign

12 INTERNAL Security Aspects of Data, Data Flow, and Processes
The following communication types are supported:

● Business-to-business (B2B)
This communication type defines an electronic data exchange with a business partner.
● Application integration
This communication type defines an electronic data exchange with a communication system. For more
information, see SAP Hybris Cloud for Customer Administration Guide on the Help Portal.

 Note

Some communication arrangements are automatically created in your solution configuration. This is
indicated by the selected Predefined check box in the worklist of the Communication Arrangements view.
For predefined communication arrangements with inbound communication, you only have to define the
communication account.

4.3.1 Create a Communication Arrangement

1. Open the New Communication Arrangement guided activity in the Communication Arrangements view by
clicking New.
2. In the Select Scenarios step, select the communications scenario for which you want to create a
communication arrangement and click Next.

 Note

Based on the communication scenario you selected, the system presets the fields in the next steps
with default values. You can change the values where ever possible if in case it is necessary.

3. In the Define Business Data step, enter business data. The entry fields on the screen are dependent on the
communication type of the selected communication scenario.
1. If you have selected a B2B scenario, enter the ID of the business partner and select the associated
Identification Type. If necessary, you can also enter the ID of the contact person at the business
partner. If you have selected an application integration scenario, enter the System Instance ID of the
communication system with which you want to set up a communication arrangement.

 Note

Before you set up a communication arrangement, you must create a communication system.

2. In the My Communication Data section, check the default values and make changes if necessary. Enter
the company that communicates with your communication partner. By default, the Company ID is
preset with the company that you are assigned to. If you use a B2B scenario, you must also enter a
valid identification type.
3. If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field, you can choose the relevant code list mapping group
for the communication scenario that you are using.
4. Click Next.
4. In the Define Technical Data step, define the technical settings for inbound and outbound communication.
1. Select the Communication Method you want to use for the communication arrangement. To
communicate with your business partner, you can either establish a direct connection or you can use a
collaboration service provider that provides services for B2B communication.

Security Guide for SAP Business ByDesign

Security Aspects of Data, Data Flow, and Processes INTERNAL 13
2. If you use inbound communication, select the Application Protocol and Authentication Method in the
Inbound Communication: Basic Settings section.
3. In the User ID field, click Edit Credentials.
Depending on the chosen authentication method, you need to define the credentials of the
communication user as described in the following table. The user ID of the communication user is
created automatically.

Authentication Method Settings

SSL client certificate If you use this authentication method, you need to upload
the public key certificate that has been provided by your
communication partner. If your communication partner can
not provide a certificate, you can create and download a
PKCS#12 key pair file. The PKCS#12 key pair file is password
encrypted and contains a public key certificate and a private
key. You need to provide the PKCS#12 file to your communi
cation partner.

1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certifi-
cate.
3. Click OK.

To create a PKCS#12 key pair file, perform the following

steps:

1. Choose Certificate.
2. Click Create and Download Key Pair.
3. Define a name for the PKCS#12 file and save it.
4. Define a password for the PKCS#12 file and click OK.
5. Click OK.

 Note
● You have to provide your communication partner
with the PKCS#12 file and the corresponding pass
word.
● To import the PKCS#12 key pair file to a third-party
tool, see Importing Key Pair file to a Third Party
Tool.

User ID and password If you use this authentication method, you need to define a
password as follows:

● Choose Change Password.

● Enter a password.
Note that you have to provide your communication part
ner with the user ID and password
● Click OK.

Security Guide for SAP Business ByDesign

14 INTERNAL Security Aspects of Data, Data Flow, and Processes
4.3.2 Delete a Communication Arrangement

1. In the Communication Arrangements view, select the relevant communication arrangement.

2. Click Delete.
3. In the dialog box that opens, click Delete to confirm the deletion.

 Note

Predefined communication arrangements cannot be deleted.

4.4 E-Mail

SAP Business ByDesign enables you to encrypt outgoing e-mails and check the signature of incoming e-mails
by using the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard.

You can use this function for e-mail communication between your system and your employees, in e-mail
scenarios provided by SAP (for example, self-service or approval scenarios). You can specify which e-mail
scenarios you want to use in Business Configuration.

 Caution

We strongly recommend that you only send encrypted mails and accept only signed e-mails.

The system uses the same certificate for signature check and e-mail encryption, which means that the same
private key is used for signing and decrypting an e-mail to or from an employee.

The following MIME types are supported for e-mail communication with the system:

● .gif
● .jpg/.jpeg
● .pdf
● .tif/.tiff
● .png

 Caution

When you use S/MIME, ensure that the data is encrypted. Note that e-mail header data, for example, the
subject line, is not encrypted. The sensitivity setting for password e-mails is set by default to private.

Security Guide for SAP Business ByDesign

Security Aspects of Data, Data Flow, and Processes INTERNAL 15
The following diagram provides an overview of how e-mail encryption and signature is set up:

Enabling S/MIME Security

To add encryption security to e-mail channels, you can enable S/MIME to your solution.

Procedure

1. Add e-mail security to your project scope.

2. Implement e-mail security for your solution.
1. Choose Business Configuration, select your project from the list, and click Open Activity List.
2. Click Fine-Tune.
3. Open E-Mail Encryption and Signature Check.
4. In the list of incoming e-mails, set the Signature for SAP Cloud for Service: E-Mail Security, B2B
Scenario and SAP Cloud for Service: E-Mail, B2C Scenario. Choose Check (and Reject if Untrusted) if
you require a high level of security or Do Not Check if you do not have security requirements.

Security Guide for SAP Business ByDesign

16 INTERNAL Security Aspects of Data, Data Flow, and Processes
5. In the list of outgoing e-mails, set the Encryption and Signature for SAP Cloud for Service: E-Mail
Security, B2B Scenario and SAP Cloud for Service: E-Mail Security, B2C Scenario. The suggested
settings are Encrypt if possible for Encryption and Sign for Signature.
6. Save your settings.
3. Activate your settings.
1. Choose AdministratorCommon TasksConfigure S/MIME.
2. Click Activate S/MIME.
3. Select Check signature of Incoming E-Mails to encrypt incoming e-mails. Select Encrypt Outgoing E-
Mails to encrypt outgoing e-mails. Select Signing Outgoing E-Mails for your solution to provide a
signature to other systems.
The settings you selected in Fine-Tuning gets enabled if you activate them. If you do not activate your
settings, your system does not have security enabled.
4. Save your settings.

Configuring S/MIME Security

To enable e-mail notifications, you must also upload the CA certificates in this area for the generic business
task management e-mail address for all involved employees and managers.

 Note

To set up your SAP Hybris Cloud for Customer solution system to include e-mail as a communication
channel for creating and responding to customer service tickets, see the SAP Hybris Cloud for Customer
Administrator Guide on Help Portal.

Procedure

1. Choose Configure S/MIME in the Business Configuration work center under Common Tasks.
2. On the Incoming E-Mail tab, upload the CA certificates from all involved employees for the generic incoming
e-mail addresses Business Task Management E-Mail Notifications.
3. On the Outgoing E-Mail tab, install the system CA certificate in the e-mail client of the involved employee as
follows:
1. Click on Link to SAP CA and open the site SAP Trust Center ServiceRoot Certificates.
2. Click on SAP Passport CA Certificate. A pop-up opens.
3. Click Install Certificate and follow the wizard by clicking Next.
4. Select Place all certificates in the following store and click Browse.
5. Select Trusted Root Certification Authorities and click OK and then Next. Now the CA from the system
is installed locally.
4. Now activate the S/MIME. On the Activate S/MIME tab, select the options:
1. Check Signature of Incoming E-Mails
2. Encrypt Outgoing E-Mails (optional)
3. Signing Outgoing E-Mails

 Note

E-Mail Notifications: Ensure that the involved employees are business users and have valid e-mail
addresses, and that the CA certificates from the employees are uploaded to the system for outgoing e-
mails.

Security Guide for SAP Business ByDesign

Security Aspects of Data, Data Flow, and Processes INTERNAL 17
E-Mail Notifications: Each involved employee must subscribe to the e-mail notifications by opening the
Notifications view and choosing Subscribe to E-Mail.

E-Mail Notifications: Check that the e-mail clients of the involved employees have enabled the receipt of
encrypted e-mails.

4.4.1 MIME Type Configuration

This section describes steps to select appropriate MIME types from the available list, that are specific to your
project.

MIME type configuration controls the files you can add to SAP Business ByDesign. This includes attachment
upload as well as files sent via email attachments.

We recommend that you start with a minimal MIME list, as you have the option of adding more later. Choose
from the list of allowed MIME types for uploading documents that are specific for your project.

Follow these steps to select MIME types from the provided list:

1. Go to Business Configuration work center, select your Implementation Project and click Open Activity List.
Select the All tab and search for Allowed MIME Types for Document Upload.
2. In the ALLOWED MIME TYPES FOR DOCUMENT UPLOAD screen, select your project relevant MIME types.

 Caution

When checking documents, the system assigns unknown MIME types to the application/octet-stream
MIME type. If you define the application/octet-stream MIME type as allowed, all documents whose MIME
types are not specified in the MIME type list can be uploaded. This MIME type is available for fallback
purposes. Therefore, we recommend that you not define the application/octet-stream MIME type as
allowed until emergency. During Emergency, carefully scan the documents before uploading them.

Deactivation of MIME type Check

In case you would like to deactivate MIME type check, follow these steps:

 Caution

MIME type checks provide additional protection in terms of security of the documents processed. We
strongly recommend not to deactivate these checks.

Security Guide for SAP Business ByDesign

18 INTERNAL Security Aspects of Data, Data Flow, and Processes
5 User Administration and Authentication

5.1 User Management

User management for SAP Business ByDesign is located in the Application and User Management work center.

The following table provides an overview of all activities related to user administration that you can perform as
an administrator:

Documentation in the Help

View Subview Activity Center

Application and User Man Business Users Lock and unlock users Business Users Quick Guide
agement
Change user password

Edit the validity of a user

Assign security policies to

users

Assign access rights to users

for work centers and work
center views

Restrict read and write acess

for users to specific data

Assign business roles to

users

Support and Technical Users View all support and techni

cal users available in the sys
tem

Business Roles Define access rights in busi Business Roles Quick Guide
ness roles

Application and User Man Communication Arrange Create technical users for Business Roles Quick Guide
agement ments electronic data exchange

Communication Certificates Manage certificates that you Personalize my Settings

use for electronic data ex
change

Security Guide for SAP Business ByDesign

User Administration and Authentication INTERNAL 19
Documentation in the Help
View Subview Activity Center

Common Tasks Edit Security Policies Specify security policies for Security Policies Quick Guide
user passwords

Configure Single Sign On Download service proIdP Configure your Solution for
metadata, and activate SSO

Configure S/MIME Configure and activate e-mail Email Security

communication with S/MIME
Configuration: Load Certifi-
cates and Activate Signing
and Encryption for E-Mails

Edit Certificate Trust List Edit trust list of certificates Communication Arrange
used for communication ar ments Quick Guide
rangements

 Note
The list of trusted certifi-
cation authorities is
available on the Web dis
patcher. Certificates with
which users log on must
be issued by one of these
certification authorities.

For more information about how to perform these activities, see the documentation of the corresponding work
center view.

Business Roles

A business role is a set of access rights that you can assign to multiple business users who perform similar
business tasks. You can also make employee assignments to define who is responsible for changing a business
role, for example, managers who need to change business roles that are relevant for their business areas.

You can access the Business Roles view from the Application and User Management work center.

When creating and editing a business role, you can assign work centers and work center views, and define
access restrictions for each view. You can also define a main, or default, business role when associating that
business role with a relationship.

Procedure

1. From the Application and User Management work center, go to Business Roles view.
2. If you want to edit the read and write access for users to whom any of the business roles are assigned, click
on any of the business roles listed and then click Edit. Next, click the Access Restrictions tab.

Security Guide for SAP Business ByDesign

20 INTERNAL User Administration and Authentication
3. Select the view for which you want to restrict access rights and choose the corresponding access
restriction in the Read Access and Write Access column. You can choose between the following settings for
access restrictions:
1. No Access (Only available as a restriction for write access) - The user has no write access.
2. Unrestricted - The user has access to all business data related to the view.
3. Restricted - The user only has access to specific business data, depending on the access context. If
you select Restricted, you can restrict read and write access on the basis of predefined restriction rules
that you can choose from the Restriction Rule drop-down list.
4. If you choose the Define Specific Restrictions restriction rule, another list appears in which you can
restrict access to specific data, which is defined by the access group. For example, if a view has the
Site access context, you can restrict write access in this view for business documents that belong to a
specific site.
5. To do so, choose Detailed Restrictions and select or deselect the corresponding check box in the Read
Access or Write Access column.
4. If you want to grant the user access to data that is no longer in use, choose Historic Restrictions. Select or
deselect the corresponding check box in the Read Access or Write Access column.
5. To check whether the access rights are consistent, click Actions and choose Access Rights Consistency.
Each view contains specific activities that can be carried out by a user with the necessary access rights for
the view. Note that some activities can be carried out in multiple views. Therefore, when you grant access
rights, you should be aware that if there is a conflict, unrestricted access rights override any restrictions
you have defined.
6. If there are activities displayed on the Check Access Rights Consistency screen, the access rights are
inconsistent. Check whether you need to redefine the access rights.
7. When finished, click on Save to save the edits you have made to the business role and the users.

5.2 User Types

SAP Business ByDesign provides the following user types:

User Type Description

Business User A user type for normal interactive users resulting from hiring
an employee or creating a service agent. Business users al
ways have to change their initial password during the first
logon. The properties of the passwords are determined by
the assigned security policy.

 Note
Service agents are used for external users, for example,
partners or partner contacts. Apply specific security
policies and use specific roles to keep internal and exter
nal employees separated. We also recommend that you
lock external users as soon as they are no longer
needed.

Security Guide for SAP Business ByDesign

User Administration and Authentication INTERNAL 21
User Type Description

Technical User A user type for non-interactive usage, either predefined by

SAP for technical operations or resulting from the creation of
communication arrangements. Technical users either do not
have passwords or have password but do not have to change
them.

Support User A user type for interactive support users used by SAP Cloud
Services to access the system as part of incident processing.

It is often necessary to specify different security policies for different users. For example, your policy may
mandate that individual users who perform tasks interactively change their passwords on a regular basis.

You can only specify security policies for the Business User user type.

5.3 Authentication Mechanisms

Every user type must authenticate itself to SAP Business ByDesign for regular browser-based front-end access,
as well as for electronic data exchange, such as Business-to-Business communication. SAP Business ByDesign
does not support anonymous access.

When a new user is created in the solution, for example, during the hiring process of a new employee, a user ID
is created.

To log on the solution, the following authentication mechanisms are supported:

● Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
● Logon using client certificate (X.509) as logon certificate
● Logon using user ID and password

5.3.1 Logon Using SAML 2.0 Assertion for Front-End Single

Sign-On (SSO)
Your solution supports SSO based on Security Assertion Markup Language 2.0 (SAML 2.0).

To use this function, your system landscape requires the following components:

● An SAML 2.0 enabled identity provider (IdP)

● At least one local service provider, for example, your solution or a Web-based 3rd-party product
● A browser client

The use of an SAML 2.0. enabled identity provider is mandatory. If you have no identity provider, it is
recommended that you use SAP Identity Provider.

When a user connects to the service provider by using the corresponding URL, the browser redirects the
authentication request to the IdP. If the user is not yet logged on, he or she is prompted to logon to the IdP.

Security Guide for SAP Business ByDesign

22 INTERNAL User Administration and Authentication
After that the browser redirects the connection back to the original URL and the user is automatically logged
on to the service provider. This process flow is always the same for all server providers.

The mutual trust between service provider and IdP is established by the exchange of certificates and additional
metadata.

For more information, see Front-End Single Sign-On document and the SAP Identity Provider document in Help
Portal.

Configure Your Solution for Single Sign-On

This section describes how to set up your solution to use front end single sign-on (SSO).

Prerequisites

You have downloaded the XML file of the metadata of your identity provider (IdP).

You can configure SSO in your system using the Configure Single Sign-On common task that can be found in
the Application and User Management work center.

1. Choose My System.
2. Under Download Metadata, depending on the type of metadata acceptable to your identity provider,
choose either of the following: SP Metadata (Service Provider Metadata) or STS Metadata (Security Token
Service Metadata).
3. Save the XML file for upload into the IdP.

 Note

Some IdPs can upload all information from the metadata XML file. Others require manual entry of the
information contained in the file.

4. Specifiy whether the employee can manually choose between logging on with a user ID and password or
SSO by selecting the Manual Identity Provider Selection check box.
5. In the SSO URL section, specify the URL that should be used by the employee to log on to the system. In
the URL Sent to Employee drop-down list you can choose from the following options:
1. Non-SSO URL: The system sends only the normal system URL to the employee. The employee cannot
log on using SSO and must use a password or a certificate instead.
2. SSO URL: The system sends only the SSO URL to the employee. The employee can log on using SSO.
The authentication request is redirected through the IdP.
3. Automatic selection: If SSO is not active, the system sends the normal system URL to the employee. If
SSO is active, the system checks whether the employee has a password. If the password is available,
both SSO URL and non-SSO URL are sent to the employee. However, if the employee has no password,
only the SSO URL is sent to the employee.
6. Choose Identity Provider.
7. Click New Identity Provider and select the metadata XML file that you have downloaded from your IdP. By
importing the metadata, the system automatically uploads the required signature certificate and
encryption certificate.
8. If you have multiple identity providers configured and you have not selected the Manual Identity Provider
Selection check box in the previous step, you must select the default IdP, which is automatically selected
when logging onto the system. To do so, select the corresponding IdP and click Actions, then choose Set to
Default.

Security Guide for SAP Business ByDesign

User Administration and Authentication INTERNAL 23
9. If required, you can specify the Alias, that defines the displayed name of the IdP that appears on the log on
screen.
10. If your IdP requires the element Assertion Consumer Service URL in the SAML request, select the Include
Assertion Consumer Service URL check box.
11. Once you have configured your IdP, activate SSO in your cloud solution. To do so, click Activate Single Sign-
On.
12. Save your changes.

5.3.2 Logon Using Client Certificate (X.509)

Users can also log on with a client certificate to complete authentication.

To do so, users can choose between the following options:

● If users already possess a suitable client certificate from a trusted Certification Authority, then they can
map the client certificate to their user ID.
● If no suitable client certificate is available, then users can request a client certificate from within the
solution. In response, an SAP Certification Authority will provide the requested certificate. This request can
be repeated on any other device you use to access the solution. You cannot use the same certificate to log
on with multiple users.

We strongly recommend that you never store the X.509 client certificate in an unprotected keystore. The
download also contains the corresponding private key. Therefore, the downloaded file should be protected with
a sufficiently strong passphrase of the user’s choice.

The following table contains the trusted certification authorities for client certificates:

Trusted Certification Authorities

Commona Name E-
Country Organization Organizationa; Unit Common Name Mail

DE Deutsche Telekom AG T-TeleSec Trust Center Deutsche Telekom

Root CA 1

DE SAP Trust Community SAP Passport CA

DE TC TrustCenter GmbH TC TrustCenter Class 2 TC TrustCenter Class 2

CA CA II

DE TC TrustCenter GmbH TC TrustCenter Univer TC TrustCenter Univer

sal CA sal CA I

DE TC TrustCenter for Se TC TrustCenter Class 1 certificate@trustcen-

curity in Data Net CA ter.de
works GmbH

IE Baltimore CyberTrust Baltimore CyberTrust

Root

Security Guide for SAP Business ByDesign

24 INTERNAL User Administration and Authentication
Commona Name E-
Country Organization Organizationa; Unit Common Name Mail

US Entrust.net www.entrust.net/CPS Entrust.net Secure

incorp. by ref.(limits Server Certification
liab.), © 1999 En Authority
trust.net Limited

US Entrust.net www.entrust.net/ Entrust.

Client_CA_Info/CPS
net Client Certification
incorp. by ref. limits
Authority
liab., © 1999 En
trust.net Limited

US Equifax Equifax Secure Certifi-

cate Authority

US GTE Corporation GTE CyberTrust Solu GTE CyberTrust Global

tions, Inc. Root

US GoDaddy.com, Inc. http://certifi- Go Daddy Secure Cer

cates.godaddy.com/ tification Authority
repository

US The Go Daddy Group, Go Daddy Class 2 Cer

Inc. tification Authority