SAP Sales and Operations Planning 3.0 SP02 Security Guide


Table of Contents

1 About this Document
2 Before You Start
  2.1 Fundamental Security Guides
  2.2 Important SAP Notes and References
  2.3 Additional Information
3 Technical System Landscape
4 Security Aspects of Data, Data Flow, and Processes
5 User Administration and Authentication
  5.1 User Management
  5.2 User Types
  5.3 User Creation
  5.4 Password Reset
  5.5 Unlocking a User Account
  5.6 Authentication
  5.7 Integration into Single Sign-On Environments
6 Authorizations
  6.1 Use
  6.2 Role and Authorization Concept
    6.2.1 Defining Roles
  6.3 Standard Roles
  6.4 Password Policies
7 Storage and Network Security
8 Communication Channel Security
9 Data Storage Security
  9.1 Data Storage
10 Data Privacy
11 Security-Relevant Logging and Tracing
12 Frequently Asked Questions

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

1 About this Document

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise.

When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. These demands on security apply likewise to the SAP Sales and Operations Planning (S&OP) application, powered by SAP HANA. This security guide will assist you in securing the SAP S&OP application.


2 Before You Start

2.1 Fundamental Security Guides

Other SAP security guides can be used as a resource for SAP Sales and Operations Planning (S&OP).

SAP Sales and Operations Planning comprises the following components:

● SAP HANA

● Extended Application Services (HANA XS)

● SAP S&OP add-in for Microsoft Office Excel

Table 1: Fundamental Security Guides

| Scenario, Application or Component | Security Guide | Most Relevant Sections or Specific Restrictions |
|---|---|---|
| SAP HANA | Security Guide | N/A |

Note: This is applicable for the on-premise version of SAP Sales and Operations Planning.

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace.

2.2 Important SAP Notes and References

SAP Service Marketplace provides relevant information about the prerequisites for this product, as well as the latest information about reported issues and workarounds.

Before installing the required components, make sure that you have all relevant information about the prerequisites, and download the latest version of each SAP Note, found on the SAP Service Marketplace. The following SAP references are relevant for your implementation:

Table 2:

| Title | SAP Note Number or Other Reference |
|---|---|
| SAP Central Note | SAP Note 2049769 |

2.3 Additional Information

See the listed Quick Links for more information about specific security-related topics.

Table 3:

| Content | Quick Link on SAP Service Marketplace or SDN |
|---|---|
| Security | http://sdn.sap.com/irj/sdn/security |
| Security Guides | http://service.sap.com/securityguide |
| Related SAP Notes | http://service.sap.com/notes and http://service.sap.com/securitynotes |
| Released platforms | http://service.sap.com/pam |
| Network security | http://service.sap.com/securityguide |
| SAP Solution Manager | http://service.sap.com/solutionmanager |
| SAP Sales and Operations Planning Service Marketplace | http://service.sap.com/sap30 |

3 Technical System Landscape

The SAP Sales and Operations Planning application utilizes SAP Data Services or SAP HANA Cloud Integration (HCI) to integrate data into the system landscape.

The following figure provides an overview of the deployment model and technical system landscape employed by SAP Sales and Operations Planning.

4 Security Aspects of Data, Data Flow, and Processes

The figure below shows an overview of the security aspects of the SAP Sales and Operations Planning (S&OP) application.

The following figure shows an overview of the security aspects employed for a key figure query.

The following figure shows an overview of the security aspects employed for a simulate or save operation.

Table 4: The table below shows the security aspects to be considered for each process and what mechanism applies.

| Step | Description | Security Measure |
|---|---|---|
| 1 | User clicks on simulate or save | SAP S&OP add-in sends a request through HTTPS |
| 2 | Authentication | HANA XS (XS) checks to see if the user is logged on |
| 3 | Convert from XML/JSON | Validates input and converts from XML/JSON |
| 4 | Runs simulate calculation in SAP HANA | Control access per user to key figures and master data for planning (using visibility filters). For more information about roles and visibility filters, see the online help. Visibility filters also apply to: (1) saving, as only values that have been read into the planning session can be changed and then saved; (2) master data access and adding new combinations. |

The following figure shows an overview of the security aspects employed for authenticating an SAP Jam user.


5 User Administration and Authentication

5.1 User Management

Each user of SAP Sales and Operations Planning (S&OP) has his/her own landscape, and users of each customer are managed in SAP HANA user management.

SAP S&OP uses SAP HANA mechanisms (for example, roles and password policies) and provides a web client application that enables administrators to add, remove, or update SAP S&OP users. For more information on setting up and managing users in the application, refer to User Management in the application Help.

5.2 User Types

There are two user types provided for SAP Sales and Operations Planning (S&OP).

The user types that ship with SAP Sales and Operations Planning include:

● The administrative user SOPADMIN has ALL_INCLUSIVE permissions for all administrative tasks in User Management including creating users and roles and granting permissions.

● The default BASIC_USER can view analytics such as charts and dashboards.

5.3 User Creation

Users with Manage Users and Roles permissions can create and edit users.

New users must change their initial password when logging on for the first time (a restriction that is enforced by SAP HANA). When a user does not know or cannot recall their logon information, then users with Manage Users and Roles permissions can define a new password, or they can lock or unlock a password for any other user by:

● Creating a user in SAP S&OP, defining a password for the user, and manually emailing the user the logon information.

● Creating a user and having the system generate a random initial password for the user.

5.4 Password Reset

Users have options for resetting their password in SAP Sales and Operations Planning.

There are several reasons why users might need to reset their passwords:

● They are logging in to a new account for the first time, and the administrator has configured password reset on first login as a security measure

● The user has mistyped their password several times and their account has been locked as a result

● The user has forgotten their password and just wants to reset it

The following methods are available for resetting a user's password:

● Users can change their passwords in Settings

● The user's administrator can reset the password for any user (who has the same permissions or lower)

Note: For information on password policies, refer to http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

5.5 Unlocking a User Account

If a user exceeds the maximum number of incorrect user or password combinations before a successful (correct) logon, the account will be locked. An administrator with Manage Users and Roles permissions can unlock the user's account.

Context

There are two ways to unlock a user's account:

● User Management list:

1. Choose User Management.
2. For the user to unlock, clear the User Locked check box.

● User details interface:

1. Choose User Management.
2. Choose the user name to unlock.
3. Clear the Locked User check box.

Reset the user's password, then inform the user of the new password. They will be prompted to change the password upon logging in.

Related Information

Resetting Passwords [page 17]
Defining Roles [page 13]

5.6 Authentication

Authentication can be based on multiple forms of credentials.

This application uses the following credentials for authentication:

● A unique ID chosen by the user

● A unique password chosen by the user

● A set of user permissions that are defined by an administrator user in roles and visibility filters to control access to the data

5.7 Integration into Single Sign-On Environments

Integration into SAP Single Sign-On environments is not supported in this release.


6 Authorizations

6.1 Use

The SAP HANA authorization concept is based on assigning authorizations to users through their roles and individual visibility filters.

Note: It is the customer administrator's responsibility to validate the consistency of the authorization models in the application.

Administrators manage users and their permissions in the web client application using the User Management interface.

6.2 Role and Authorization Concept

The administrator of the application can create new roles with any combination of permissions.

Administrators manage roles and authorizations in the web client application using the User Management interface.

Related Information

Defining Roles [page 13]

6.2.1 Defining Roles

Context

Roles determine which permissions your users have in the application and in the add-in for Microsoft Excel. If you do not assign any roles, by default all users can view analytics (charts and dashboards) with at least one visibility filter applied. The predefined ALL_INCLUSIVE role has predetermined permissions that cannot be edited.

You can also control the key figures that are visible to and/or editable for different users.


Procedure

1. Choose Roles and Permissions.
2. To create a new role, choose + Add New Role.
3. Enter a name (required) and a description (optional) for the role.
4. Select the check boxes for the Permissions to include in this role. The following table lists the permissions that are shipped with the product:

Table 5: User Permissions

| Permission | Description |
|---|---|
| Add New Master Data | Allows viewing, adding, and copying of master data in the add-in for Microsoft Excel. For more information, see Maintain Master Data in the help for the add-in for Microsoft Excel. |
| Manage Users and Roles | Determines what operations users can perform by creating and assigning roles. Determines what data users can view by creating and assigning visibility filters. |
| Manage Dashboards | Allows users to create, edit, and delete dashboards. |
| Manage Charts | Allows users to create, edit, and delete charts. |
| Manage Scenarios | Allows scenario planning such as promoting scenarios to baseline, reinitializing (copying) the baseline to the scenario, and viewing status in the add-in for Microsoft Excel. |
| Manage Planning View Templates | Allows adding, updating, and deleting planning view templates in the add-in for Microsoft Excel. Assign this permission only to template administrators, not to end users. For more information, see "Templates" in the help for the add-in for Microsoft Excel. |
| Model Configuration | Allows model configuration functions such as creating, copying, and activating new data models in the web client. |
| Data Import | Allows data import into the application using a .zip file containing your manifest (.xml) and data files (.csv). |
| Add Attribute Combinations | Allows adding new combinations of attribute values to a planning view in the add-in for Microsoft Excel. For more information, see "New Combinations" in the help for the add-in for Microsoft Excel. |
| Delete Attribute Combinations | Allows deleting new combinations of attribute values to a planning view in the add-in for Microsoft Excel. For more information, see New Combinations in the help for the add-in for Microsoft Excel. |
| Planning View Layout | Allows changing the axes (row or column) of key figures, attributes of planning levels, time periods, and scenarios within a planning view in the add-in for Microsoft Excel. |
| Redo Snapshot | Allows the most recent data captured by a previously invoked snapshot to be overridden with the current values. The older data in the previously invoked snapshot is not affected in any way. |
| Snapshot | Allows archiving of the key figures in each planning cycle or whenever the key figures are final. |
| Statistical Forecasting | Allows the execution of statistical forecast processes in the add-in for Microsoft Excel. For more information, see Statistical Forecasting in the help for the Microsoft Excel add-in. |
| Supply Planning | Allows the execution of statistical forecast processes in the add-in for Microsoft Excel. For more information, see Statistical Forecasting in the help for the Microsoft Excel add-in. |
| Threshold | Allows users to create, delete, or view thresholds. |
| Update/Delete Master Data | Allows editing and deleting master data in the add-in for Microsoft Excel. For more information, see Maintain Master Data in the help for the add-in for Microsoft Excel. |

5. Select key figures for this role.
   a) Select Edit Key Figures.
   b) Select the appropriate planning area from the drop-down list.
   c) Select the key figure to assign, click the right arrow to move it to the Selected Key Figures pane, and repeat as necessary. You can also use SHIFT-click or CTRL-click to move multiple objects.
   d) To include the key figures in a role and to enable a user to only view the key figures, select the relevant View check boxes. To include the key figures in a role and to enable a user to edit them, select the relevant Edit check boxes.
6. Select the check boxes for the Reason Codes you want this role to include. Reason codes are used to indicate why a user made changes to a planning view. When they save the data, users select a reason code and can enter a comment. Customers define their own reason codes.
7. When you are done adding roles, choose Save.

Related Information

Adding Users, and Assigning Roles and Visibility Filters [page 16]
Resetting Passwords [page 17]
Editing User Details [page 18]
Creating Visibility Filters [page 19]
    Visibility filters control what master data is visible to a user for a particular planning area.
Deactivating User Accounts [page 22]
    Deactivation blocks a user's access to the application.

6.2.1.1 Adding Users, and Assigning Roles and Visibility Filters

Prerequisites

● You have Manage Users and Roles permissions.

● At least one role is defined.

Context

To add users and assign roles and visibility filters:

Procedure

1. Choose User Management.
2. Choose + Add New User.
3. In the dialog box, enter the user information.

Fields marked with an asterisk are required. In general, passwords should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one number. Note that user name and password requirements can be configured in SAP HANA Studio. For details about password requirements, see "Password Policy" in the SAP HANA Security Guide.

4. Select the role(s) to assign to the user by clicking Assign Roles. In the resulting dialog box, select the role to assign, click the right arrow to move it to the Selected Roles pane, repeat as necessary, and click Save.

5. Select the visibility filter(s) to assign to the user by clicking Assign Visibility Filter. In the resulting dialog box, select the filter to assign, click the right arrow to move it to the Selected Filters pane, repeat as necessary, and choose Save.

6. Choose Save.

Related Information

Creating Visibility Filters [page 19]
    Visibility filters control what master data is visible to a user for a particular planning area.
Defining Roles [page 13]
Editing User Details [page 18]
Resetting Passwords [page 17]
Deactivating User Accounts [page 22]
    Deactivation blocks a user's access to the application.

6.2.1.2 Resetting Passwords

Context

During a logon session, users can reset their own passwords in the Settings control panel:

1. In the upper-right corner of the web client window, under the drop-down arrow choose Settings.
2. Under Reset password:
   a. Enter your current password.
   b. Type a new password, then retype it to confirm.
   c. Save the new password.

If a user exceeds the maximum number of incorrect user or password combinations before a successful (correct) logon, their account will be locked. An administrator with Manage Users and Roles permissions can unlock the user's account. The administrator should then reset the user's password as described in the following procedure, and inform them of the new password.

Note: Using SAP HANA studio, an administrator can also use the SQL command ALTER USER <user_name> RESET CONNECT ATTEMPTS to reset the number of invalid attempts to 0 and enable a user to re-connect immediately. For information about password policies, see "Password Policy" in the SAP HANA Security Guide.

Administrators can reset a user's password in the User Management panel:

Procedure

1. Choose User Management.
2. Select the user name from the list.
3. Choose Reset password.
4. Enter a new password, reenter to confirm it, and choose Reset.

A completion dialog confirms that the user's password has been changed.

5. Call or send the user a secure e-mail informing them of the new, temporary password they can use to log in to unlock their account.

The user will be prompted to change the password when they first log in with the reset password you provided.

Results

The user will be able to log in with the temporary reset password you provided and will then change their password to a new, permanent password to use from that point forward.


Related Information

Unlocking a User Account [page 11]
    If a user exceeds the maximum number of incorrect user or password combinations before a successful (correct) logon, the account will be locked. An administrator with Manage Users and Roles permissions can unlock the user's account.
Adding Users, and Assigning Roles and Visibility Filters [page 16]
Defining Roles [page 13]
Editing User Details [page 18]
Creating Visibility Filters [page 19]
    Visibility filters control what master data is visible to a user for a particular planning area.
Deactivating User Accounts [page 22]
    Deactivation blocks a user's access to the application.

6.2.1.3 Editing User Details

Prerequisites

After creating a user, you can edit user information, roles, and visibility filters.

Procedure

1. Choose User Management.

A list of users and their information displays.

2. To view or change a user's details, select the user's name from the list.

| User Detail | Description |
|---|---|
| General information | Edit basic user information such as a name and an email address. Active User: Activate or deactivate the user by selecting or clearing the check box. This control is also available in the User Management user list. Locked User: When this checkbox is selected, the user has been locked by the system due to too many incorrect log on/password combinations. Clear the check box to unlock the user and reset the password. Then notify the user, either through secured email or with a phone call, to indicate they will need to reset their password upon log-in. |
| Reset Password | If the user forgot or wants to change their password, choose Reset password. Enter and confirm the new password and choose Reset. Notify the user either through secured email or with a phone call to indicate they will need to reset their password upon logging in. |
| Roles | Select the roles with the associated permissions you want to assign to the user. To add roles, see Defining Roles [page 13]. |
| Visibility Filters | Select the visibility filters you want to assign to the user. Visibility filters determine what the user can see and access in a planning view. To add visibility filters, see Creating Visibility Filters [page 19]. |

3. Choose Save.

Related Information

Adding Users, and Assigning Roles and Visibility Filters [page 16]
Resetting Passwords [page 17]

6.2.1.4 Creating Visibility Filters

Visibility filters control what master data is visible to a user for a particular planning area.

Prerequisites

● An understanding of master data types and how they are used by your planning area

● Familiarity with your master data

Context

The Visibility Filters interface lets you create, edit, and delete filters. At least one visibility filter must be assigned to users in order for them to be able to view data.

● A visibility filter defines a set of attribute combinations that are visible to the user:

○ If there is no condition for an attribute, all values are allowed.

○ Conditions for different attributes within a visibility filter are combined with AND (intersection).

○ Conditions for the same attribute within a visibility filter are combined with OR (union).

● Different visibility filters are combined so that the user has access to the union of the sets of attribute combinations that each of them allows.

Note: If a user is assigned a role that has permission for supply planning, ensure that he or she has visibility to all data related to supply planning such as all attribute values related to customers, products, locations, resources, and bill of material (BOM) components. This is because the calculation of some key figures (such as capacity usage) may depend on other key figure values defined for various products, locations, and customers. If the user has limited visibility of data, the resulting key figure values will be incorrect.

The product ships with the predefined visibility filter View All Data for all of the planning areas. This filter enables the user to see all of the data in the application from all of the planning areas (and supersedes any other filter(s) that have been applied).

Visibility filters are dependent on the model configured in the Configuration interface. When you activate a planning area in Configuration, a View All Data filter is created for the specific planning area.

You cannot edit or delete the View All Data filter. If there is more than one visibility filter assigned to a user, there is an OR relationship between them (union).

Procedure

1. Choose Visibility Filters.
2. To create a new visibility filter, choose + Add New Visibility Filter. To edit a filter, click its name.

You can sort the list by clicking any column name and selecting Sort Ascending, Sort Descending, or enter a value in the Filter box to search for a specific entry.

3. Enter a name (required) and a description (optional) for the filter.

The name and description must be 3-20 alphanumeric characters in length.

4. In Planning Area, choose a planning area.
5. Under Filter Rules, choose a filter attribute.

If you define a filter that uses the same attribute more than once, there is an OR relationship between them:

Table 6: Example One

| Attribute | Operator | Value |
|---|---|---|
| Customer ID | equal | Company ABC |
| Customer ID | equal | Company XYZ |

Result: You can view data for either Customer ID Company ABC OR Customer ID Company XYZ.

If you define a filter that uses two or more different attributes, there is an AND relationship between them:

Table 7: Example Two

| Attribute | Operator | Value |
|---|---|---|
| Customer ID | equal | Company ABC |
| Customer ID | equal | Company XYZ |
| Location Region | equal | USA |

Result: You can view locations in the USA for (AND) either Customer ID Company ABC OR Customer ID Company XYZ.

6. Choose an operator.

Table 8: Description of Operators

| Operator | Description | Example |
|---|---|---|
| equal | The result is equal to the value | Rule: Customer ID equal Company ABC. Result: You can view the details of the specific customer Company ABC. |
| greater than | The result is greater than the value | |
| greater than or equal to | The result is greater than or equal to the value | |
| less than | The result is less than the value | |
| less than or equal to | The result is less than or equal to the value | |
| between | The result is between the selected values | |
| contains pattern | The result matches the pattern defined. You can use the wildcards * and ? as follows: * can be substituted for any other multiple characters in a string; ? can be substituted for any single character in a string | Rule: Customer ID equal Company*. Result: You can view the details of Company ABC, Company 9000, or any other suffix. Rule: Customer ID equal Company?. Result: You can view the details of a company with a single character, for example Company A or Company Z. |
| has no value | The attribute value is empty (is null) | |
| has some value | The attribute has any value (is not null) | |
| nodes and descendants | This operator is available if an attribute is hierarchical. Therefore, the result includes the selected node and all of its descendants. | Rule: Asset ID nodes and descendants Baker plant. Result: You can view the details of the Baker plant and all of its descendants (for example Buildings 1, 2, and 3). |

7. Enter a value.
8. To add additional rules to the filter, choose the plus icon (Add Filter Rule).
9. Choose Save.

Note: Changing the planning area clears the filter rules.


The new filter appears in the Visibility Filters list. You can now assign this filter to a user.
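The combination rules above (OR within one attribute, AND across attributes, union across a user's filters) can be modelled in a few lines to check what a set of filters actually exposes before assigning it. This is an added example, not SAP code: the class and function names, the sample records, the inclusive reading of between and the zero-or-more reading of * are assumptions, and the hierarchical nodes and descendants operator is not modelled.

```python
import operator as op
import re
from collections import defaultdict
from dataclasses import dataclass

# Ordering operators from the operator table, mapped to Python comparisons.
_COMPARE = {
    "greater than": op.gt,
    "greater than or equal to": op.ge,
    "less than": op.lt,
    "less than or equal to": op.le,
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str          # operator name as written in the guide
    value: object = None   # unused by "has no value" / "has some value"


@dataclass(frozen=True)
class VisibilityFilter:
    name: str
    rules: tuple = ()
    view_all: bool = False  # models the predefined "View All Data" filter


def _wildcard_regex(pattern):
    """Translate the guide's * and ? wildcards; every other character is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("".join(parts), re.DOTALL)


def rule_matches(rule, record):
    actual = record.get(rule.attribute)
    empty = actual is None or actual == ""
    kind = rule.operator
    if kind == "has no value":
        return empty
    if kind == "has some value":
        return not empty
    if empty:
        return False
    if kind == "equal":
        return actual == rule.value
    if kind in _COMPARE:
        return _COMPARE[kind](actual, rule.value)
    if kind == "between":
        low, high = rule.value
        return low <= actual <= high  # assumption: bounds are inclusive
    if kind == "contains pattern":
        return _wildcard_regex(rule.value).fullmatch(str(actual)) is not None
    raise ValueError(f"operator not modelled: {kind}")


def filter_allows(vf, record):
    """One filter: OR within an attribute, AND across attributes."""
    if vf.view_all:
        return True
    by_attribute = defaultdict(list)
    for rule in vf.rules:
        by_attribute[rule.attribute].append(rule)
    # Attributes without any rule impose no restriction.
    return all(any(rule_matches(r, record) for r in rules)
               for rules in by_attribute.values())


def visible_records(filters, records):
    """A user sees the union of what each assigned filter allows; no filter, no data."""
    return [rec for rec in records if any(filter_allows(f, rec) for f in filters)]


# Constructed sample master data (not from the guide).
RECORDS = [
    {"Customer ID": "Company ABC", "Location Region": "USA"},
    {"Customer ID": "Company XYZ", "Location Region": "USA"},
    {"Customer ID": "Company ABC", "Location Region": "EU"},
    {"Customer ID": "Company 9000", "Location Region": "USA"},
]

# "Example Two" from the guide, expressed as rules.
EXAMPLE_TWO = VisibilityFilter("ExampleTwo", (
    Rule("Customer ID", "equal", "Company ABC"),
    Rule("Customer ID", "equal", "Company XYZ"),
    Rule("Location Region", "equal", "USA"),
))
PATTERN_FILTER = VisibilityFilter("Pattern9", (
    Rule("Customer ID", "contains pattern", "Company 9*"),
))
VIEW_ALL = VisibilityFilter("View All Data", view_all=True)

if __name__ == "__main__":
    for label, assigned in [("Example Two only", [EXAMPLE_TWO]),
                            ("Example Two + pattern", [EXAMPLE_TWO, PATTERN_FILTER]),
                            ("no filter", [])]:
        print(label, "->", visible_records(assigned, RECORDS))
```

Because filters are unioned, assigning an additional filter can only widen what a user sees; narrowing access means editing or removing a filter.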

Related Information

Adding Users, and Assigning Roles and Visibility Filters [page 16]
Defining Roles [page 13]

6.2.1.5 Deactivating User Accounts

Deactivation blocks a user's access to the application.

Context

To deactivate a user account:

Procedure

1. Choose User Management.

A list of users and their information appears.

2. To deactivate a user's account, clear the User Activated check box next to the user's account name.

Or, open the user's detail window by clicking the user's name and clear the Active User check box.

Related Information

Adding Users, and Assigning Roles and Visibility Filters [page 16]

Defining Roles [page 13]

Resetting Passwords [page 17]

Editing User Details [page 18]

Creating Visibility Filters [page 19]

Visibility filters control what master data is visible to a user for a particular planning area.

6.3 Standard Roles

There are two roles that are delivered with the application.

Role | Description
--- | ---
ALL_INCLUSIVE | User role that executes all operations in the application.
BASIC_USER | This role is hidden. Minimum permissions are required to log in to the application and change the password. Assigned by default to all users and used for viewing only.

Users can have additional roles and permissions. The administrator defines the roles and assigns them to users.

6.4 Password Policies

SAP Sales and Operations Planning (S&OP) uses a "Strong Password" scheme as mandated by SAP product standards.

SAP standards, controlled by SAP HANA, require password value compliance and password expiration policies. For more information, see SAP HANA Security Guide.

SAP checks for forbidden passwords, including the following:

● ABcd1234
● Abcd1234
● Abcd12345
● Abcd123456
● Abcd1234567
● Welcome1
● Welcome2
● Welcome3
● Sap1234
● Waldorf1

7 Storage and Network Security

Network and storage security are vital considerations with any implementation.

For information about implementing storage and network security, see the SAP HANA Security Guide.

8 Communication Channel Security

The table below shows the communication channels, the protocol used for the connection, and the type of data transferred.

Table 9: Communication Channels

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
--- | --- | --- | ---
Upload data from source systems (ERP) | HTTPS | All application data | N/A
SAP S&OP add-in for Microsoft Excel | JSON over HTTPS | All application data |
Administration and User configuration user interface | JSON over HTTPS | All application data |
SAP Jam | JSON and XML over HTTPS | All collaboration data |

9 Data Storage Security

9.1 Data Storage

All applications on the server side are stored in the SAP HANA database.

The only exception occurs when you import data from on-premise systems via secure file transfer protocol (SFTP).

Data is protected by the security infrastructure and operational procedures of the SAP Cloud for SAP on HANA.

10 Data Privacy

The customer should define appropriate data privacy and protection measures and check the respective local legal and privacy requirements before using or implementing certain scenarios in the application.

Parts or all of the master data, as well as application data, can be regarded as sensitive data. Application data can contain customer, product, sales, production plans, and revenue plans, so it must be properly protected against unauthorized access or evaluation. Because the application allows for customization of the master data models as well as mapping data from external sources to these models, the application and system users are responsible for customizing authorizations so that the local legal requirements are observed. All personal data stored or accessed by the application should be kept to the necessary minimum. In addition, SAP recommends that you only import the minimum amount of data required to support the use cases in which you are interested.

Note: If you use Microsoft Excel for planning purposes, note that MS Excel collects financial and collaboration information outside MS Excel. If you download this information to MS Excel and save, you are responsible for that external information. SAP recommends that you save this data as a password-protected file.

11 Security-Relevant Logging and Tracing

Web client application logon attempts are saved in the HANA logs.

Logon attempts are audited by SAP HANA. For more information, refer to the SAP HANA Security Guide.

SAP HANA tables containing the information on users, roles, and permission assignments also have auditing fields that log the modifications of these tables.

12 Frequently Asked Questions

SAP HANA provides security for all aspects of the application.

Table 10:

Question: How is stored data protected?

Answer:

● KeyStore: Secure vaults (keystores) are used to store sensitive information and keys. All keystores are passphrase protected and are not stored along with the data.

● Data Isolation: Data is stored in separate SAP HANA instances or schemas so that every access from one domain to another validates user credentials against the local identity store, adding the required isolation.

Question: How are configuration, user, password files, and so on managed?

Answer: The SAP solution authenticates the user. It is often necessary to specify different security policies for different types of users. The user types include named users, who represent real persons and are used for daily work with the SAP HANA database. These users are created by the user administrator. Request a change using the support model. Passwords follow the policy described in http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf.

Question: Can a customer configure the internal access to his/her instance on the Cloud?

Answer: Yes. On request, SAP can restrict access to the system to a white list of individual IP addresses.

Question: Is security of data traffic over the public internet provided?

Answer: Data sent over the internet is encrypted. For more information, see Communication Channel Security [page 25].

Important Disclaimers on Legal Aspects

This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error-free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. Regarding link classification, see: http://help.sap.com/disclaimer.

www.sap.com/contactsap

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.