Security Guide
Document Version: 1.0 – 2018-07-27
PUBLIC
Security Guide for SAP Reinsurance Management 8.0 FPS02 for SAP S/4HANA
eXchange Data Interface
Page 2 of 24
1 Table of Contents
1 Table of Contents 2
2 Document History 3
3 Introduction 4
4 Before You Start 6
5 Technical System Landscape 7
6 User Administration and Authentication 8
6.1 User Management 8
6.2 User Data Synchronization 9
6.3 Integration into Single Sign-On Environments 9
7 Authorizations 10
8 Session Security Protection 12
9 Network and Communication Security 13
9.1 Communication Channel Security 13
9.2 Network Security 14
9.3 Communication Destinations 14
10 Internet Communication Framework Security 15
11 Application-Specific Virus Scan Profile (ABAP) 16
12 Data Storage Security 17
13 Data Protection 18
13.1 Asking for User Consent 19
13.2 Display of Personal Data in XDI Management Cockpit 19
13.3 Search, Display, Delete and Change of Personal Data via Free Text Search 19
13.3.1 Specific Free Text Search Configuration 20
13.3.2 List of Free Text Search XDI Fields 21
13.4 Read Access Logging 22
13.4.1 Specific Read Access Log Configuration 23
13.4.2 List of Specific Read Access Log Configuration 24
3 Introduction
Purpose
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the eXchange Data Interface (XDI). To assist you in securing XDI, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to XDI.
XDI consists of the following levels:
ACORD AMS Web Service (inbound, outbound)
Middleware (e.g. BizTalk, SAP PI)
SAP NetWeaver ABAP
This security guide focuses only on the XDI component on SAP NetWeaver. For the XDI components ACORD AMS Web Service and Middleware, the specifications of the respective software providers/manufacturers have to be considered.
Overview of the Main Sections
The Security Guide comprises the following main sections:
Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by XDI.
User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
Recommended tools to use for user management
User types that are required by XDI
Overview of the user synchronization strategy, if several components or products are involved
Overview of how integration into Single Sign-On environments is possible
Authorizations
This section provides an overview of the authorization concept that applies to XDI.
Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
Network and Communication Security
This section provides an overview of the communication paths used by XDI and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by XDI.
Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.
Data Storage Security
This section provides an overview of any critical data that is used by XDI and the security mechanisms that apply.
Data Protection
This section provides information about how XDI protects personal or sensitive data.
Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered with XDI.
Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.
4 Before You Start
Fundamental Security Guides
XDI 2.17 requires Microsoft Internet Information Server (IIS), Microsoft BizTalk or other middleware tools and SAP Reinsurance Management. Therefore, the corresponding Security Guides also apply to XDI. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.
Fundamental Security Guides
Scenario, Application or Component Security Guide Most Relevant Sections or Specific Restrictions
SAP NetWeaver Security Guide
SAP Reinsurance Management Only necessary if SAP NetWeaver platform is in use.
Microsoft Internet Information Server
Microsoft BizTalk
Important SAP Notes
The most important SAP Notes that apply to the security of XDI are shown in the table below.
Title | SAP Note | Comments
CORR: Field enhancement for informational report | 2579383 | See description in SAP Note
CORR: Field enhancement for free text search | 2579557 | See description in SAP Note
5 Technical System Landscape
The figure below shows an overview of the technical system landscape for XDI.
[Figure: Electronic Data Exchange for Reinsurance, Architecture & Framework (© msg 2018). Labels shown: Communication Channel (ACORD AMS Web Service (inbound), FTP, File, ACORD AMS Client (outbound)); Middleware (SAP PI / MS BizTalk or Customer Individual); msg.XDI on SAP NetWeaver ABAP with msg.XDI Facades (msg.XDI Facade Structure, ACORD Structure, FS-RI Structure, FS-CD Structure), Facade Logic, XSD Validation and Error Handling, XDI Management Cockpit, Message archive and msg.XDI RFC; FS-RI (Loss BAPI, Account BAPI, FS-RI BAPI); FS-CD (Payment Lot, Open Item, FS-CD Item); SAP FI-GL; Document Management System.]
6 User Administration and Authentication
XDI uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server for ABAP Security Guide [SAP Library] also apply to XDI.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to XDI in the following sections:
User Management
This section lists the tools to use for user management, the types of users required, and the standard users that are delivered with XDI.
User Data Synchronization
XDI shares user data with Central User Administration. This section describes how the user data is synchronized with these other sources.
Integration into Single Sign-On Environments
This section describes how XDI supports Single Sign-On mechanisms.
6.1 User Management
User management for XDI uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for XDI, see the sections below. In addition, we provide a list of the standard users required for operating XDI.
User Administration Tools
The table below shows the tools to use for user management and user administration with XDI.
User Management Tools
Tool | Detailed Description | Prerequisites
User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG) | For more information, see User and Role Administration of Application Server ABAP [SAP Library]. | None
User Types
The user types that are required for XDI include:
Individual users:
Dialog users are used for XDI Management Cockpit (XMC).
Technical users:
Service users are used for communication between Middleware and SAP Backend System.
Background users are used for Closing Batch functionality in XDI.
6.2 User Data Synchronization
All user administration for XDI is handled by Central User Administration (CUA).
6.3 Integration into Single Sign-On Environments
XDI supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library] also apply to XDI.
7 Authorizations
XDI uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to XDI.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.
For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java.
Standard Roles
The table below shows the standard roles that are delivered with XDI.
Standard Roles
Role | Description
/MPR/XDI_RFC | This role is delivered as a template and can be used for both service users and dialog users. This role enables the processing of ACORD messages for both interface and dialog.
/MPR/XDI | This role is delivered as a template and can be used for dialog users. This role includes all authorizations for executing the relevant XDI transactions in SAP.
/MPR/XDI_RFC_DEBUG | This role is delivered as a template and can be used for both service users and dialog users. This role is an extension of role /MPR/XDI_RFC and enables debugging mode for service users.
/MPR/XTT_TESTTOOL | This role is delivered as a template. It includes all authorizations for managing and processing test cases in XDI Test Tool.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by XDI.
Standard Authorization Objects
Authorization Object | Field | Value | Description
/MPR/XDI | /MPR/XAGCY | Example: DUNS_dun_and_bradstreet, Lloyds etc. | Agency, which represents the type of identification for the identification number in SAP Business Partner
/MPR/XDI | /MPR/XFUNC | Process message, Change message status, Send acknowledgement, Display message in XMC, Create note, Execute APIs, Display DRI process list | Scope of functions in XDI
/MPR/XDI | /MPR/XMTYP | acknowledgement, claim_movement, financialaccount, repository_operation_request, repository_operation_response, technical_account | ACORD messages, which can be processed with XDI
/MPR/XDI | /MPR/XPAID | <Party><ID> | Partner identification number from ACORD message
/MPR/XDI | /MPR/XROLE | broker, cedent, insurer, reinsurer, serviceprovider | Specification of sender or receiver of an ACORD message
/MPR/XDI | /MPR/XROTY | All role categories, Recipient, Sender | Detailed specification of /MPR/XROLE
/MSG/X_SRC | ACTVT | Change, Display | Authorization object for results of free text search
/MSG/X_DPP | ACTVT | Delete, Execute, Display saved data | Authorization object for data privacy and protection
YRVB_BATCH | ACTVT, /MSG/R_REP, /MSG/R_VAR, BUKRS, /MSG/R_ABT, /MSG/R_STE | | Not described in this guide (see detailed description in SAP Reinsurance Management documentation). The user must have authorization to execute program /MSG/X_FREETEXT_SEARCH.
8 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the client(s) using transaction SICF_SESSIONS.
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP Security Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.
9 Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for XDI is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to XDI. Details that specifically apply to XDI are described in the following sections:
Communication Channel Security
This section describes the communication paths and protocols used by XDI.
Network Security
This section describes the recommended network topology for XDI. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate XDI.
Communication Destinations
This section describes the information needed for the various communication paths, for example, which users are used for which communications.
9.1 Communication Channel Security
The table below shows the communication channels used by XDI, the protocol used for the connection, and the type of data transferred.
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client using SAP GUI for Windows to application server | DIAG | All application data | Passwords, credit card information
Front-end client using a Web browser to application server | HTTPS | All application data | Passwords, credit card information
Application server to application server | RFC | Application data | System information
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security [SAP Library] and Web Services Security [SAP Library] in the SAP NetWeaver Security Guide.
9.2 Network Security
Ports
XDI runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see the topics for AS ABAP Ports [SAP Library] in the corresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document "TCP/IP Ports Used by SAP Applications", which is located on SAP Developer Network at http://scn.sap.com/community/security under Infrastructure Security -> Network and Communications Security.
9.3 Communication Destinations
XDI sends messages such as TechAccount, ClaimMovement or Acknowledgement from the SAP NetWeaver system to the connected Middleware. A TCP/IP connection is used between XDI and the Middleware. The connections can be configured with SAP transaction SM59 (Configuration of RFC Connections). No connections are delivered with XDI; therefore, the configuration has to be done by the customer.
Connection Destinations
Destination | Delivered | Type | User, Authorizations | Description
XDI_ACK | No | TCP/IP, Registered Server Program -> Communication via RFC | All SAP logon variants possible; see SAP NetWeaver Application Server ABAP Security Guide [SAP Library] | Connection is used for sending ACORD Acknowledgement messages from XDI
XDI_DRI | No | TCP/IP, Registered Server Program -> Communication via RFC | All SAP logon variants possible; see SAP NetWeaver Application Server ABAP Security Guide [SAP Library] | Connection is used for sending ACORD DRI messages from XDI
XDI_SEND_CM | No | TCP/IP, Registered Server Program -> Communication via RFC | All SAP logon variants possible; see SAP NetWeaver Application Server ABAP Security Guide [SAP Library] | Connection is used for sending ACORD ClaimMovement messages from XDI
XDI_SEND_TA | No | TCP/IP, Registered Server Program -> Communication via RFC | All SAP logon variants possible; see SAP NetWeaver Application Server ABAP Security Guide [SAP Library] | Connection is used for sending ACORD TechAccount messages from XDI
10 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For XDI, the following services are needed:
/default_host/sap/bc/webdynpro without subnodes
/default_host/sap/public/bc with the following subnodes
/default_host/sap/public/bc/ur
/default_host/sap/public/bc/icons
/default_host/sap/public/bc/icons_rtl
/default_host/sap/public/bc/webicons
/default_host/sap/public/bc/pictograms
/default_host/sap/public/bc/webdynpro/* (ssr, mimes, etc.)
/default_host/sap/public/myssocntl
/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search
/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search2
/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_dr_prclst
/default_host/sap/bc/webdynpro/mpr/xmc_gui_wd_extrefgen
/default_host/sap/bc/gui/sap/its/webgui
/default_host/sap/bc/gui with all subnodes and subelements
/default_host/sap/public/bc/its with all subnodes and subelements
Use transaction SICF to activate these services.
If your firewall(s) use(s) URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.
11 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and what file types are checked or blocked, there are virus scan profiles. Different applications rely on default profiles or application-specific profiles.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles.
12 Data Storage Security
Data Storage
XDI has the following levels where business data and master data can be stored:
Web Service
Middleware (e.g. BizTalk, SAP PI)
SAP NetWeaver
Web Service (only business data)
In-force business data (included in ACORD messages) can be stored as a file in a customer-specific storage location.
Middleware (only business data)
All data traffic is recorded for a specific time, configured by the customer, in middleware. ACORD messages can also be archived in a configurable file folder.
SAP NetWeaver
In-force business data and master data is stored in XDI in the SAP system’s database. Neither individual user data nor external configuration data is used. Only user data from SAP Business Partner is used.
Master data is stored in the database when XDI is customized. The in-force business data is written to the database immediately after the ACORD messages arrive in FS-RI.
The application holds the data in the main memory until a commit is run (in other words, until the information is written to the database).
Protect Access to the File System
XDI Web Service and Middleware save data in files in the file system. Therefore, it is important to grant access explicitly to the corresponding files in the file system without allowing access to other directories or files (preventing directory traversal).
It is also necessary that only authorized people have access to the specific file folders.
13 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that are provided to support compliance with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with data privacy laws is not a product feature.
The software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.
This document does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.
Glossary
Term | Definition
Personal data | Information about an identified or identifiable natural person.
Business purpose | A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking | A method of restricting access to data for which the primary business purpose has ended.
Deletion | Deletion of personal data so that the data is no longer usable.
Retention period | The time period during which data must be available.
End of purpose (EoP) | A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following sections are related to data protection and require appropriate TOMs:
Access control: Authentication features as described in section User Administration and Authentication.
Authorizations: Authorization concept as described in section Authorizations.
Read access logging: As described in section Read Access Logging.
Transmission control / Communication security: As described in section Network and Communication Security.
Input control / Change logging: Change logging is described in the application-specific documentation in section Data Protection.
Availability control as described in:
Data Storage Security
SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View -> Solution Life Cycle Management -> SAP Business Continuity
Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
Caution
The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required.
For information about the application-specific configuration, see the application-specific Customizing structure msg.XDI - eXchange Data Interface in SHI3.
13.1 Asking for User Consent
XDI covers only reinsurance business, not primary insurance business. Reinsurance business is business between insurance companies or brokers and reinsurance companies and not between insurance companies and their end customers (natural persons).
Additionally, all personal data in XDI, for which consent would have to be given, is replicated from a primary insurance company or broker, respectively from their systems.
Consequently, asking for consent to gather and process personal data is neither possible nor necessary for XDI; it has to be covered by the primary insurance companies and brokers and their systems.
13.2 Display of Personal Data in XDI Management Cockpit
As previously described, XDI might process data (personal data) that is subject to the data protection laws applicable in specific countries. In XDI Management Cockpit (XMC), personal data can only be displayed; no changes or deletions are allowed in this tool. The display of personal data can be tracked by configuration of Read Access Logging. The necessary settings are described in Read Access Logging.
You can open XMC as described below:
1. Start transaction /MPR/X_WD_XMC_NEW.
2. Open Web Dynpro application /MPR/XMC_GUI_WD_SEARCH2.
13.3 Search, Display, Delete and Change of Personal Data via Free Text Search
As previously described, XDI might process data (personal data) that is subject to the data protection laws applicable in specific countries. Similarly to SAP Reinsurance Management, XDI provides a two-step editing process to retrieve, display, delete and change the information based on personal data search criteria.
13.3.1 Specific Free Text Search Configuration
In the first step, the search is started as a parallelized background program (/MSG/X_FREETEXT_SEARCH).
The background program persists a result list with the hits. The personal data search criteria are supplied in a CSV file that is stored on the application server of the SAP system and read by the background program (each search criterion is separated by a ";" and written on a new line of the CSV file). After processing, an application log with success messages is output.
Caution
It is recommended not to run the program /MSG/X_FREETEXT_SEARCH multiple times concurrently to avoid a heavy load on the database.
Before you schedule the program /MSG/X_FREETEXT_SEARCH as a background task, the following steps still have to be done:
1. Start transaction CG3Z and assign the physical path where the CSV file with free text search criteria is stored.
2. Start transaction FILE and assign the physical path (configured in item 1.) to the logical path on the SAP system.
3. Assign authorization object /MSG/X_DPP to the batch user and choose the activity criteria "Delete", "Execute" and "Display saved data".
4. Start transaction SE38, choose program /MSG/X_FREETEXT_SEARCH and execute this program.
5. Set the functional parameters: Enter the logical file path (configured in item 2.) and add the CSV file name, which includes the free text search criteria.
6. Make the technical settings: Deactivate the Sequential Processing checkbox. Objects per Package can be configured to meet the customer's needs. Select "XDI" in the Context of Search field.
7. Save the settings in a variant.
8. Assign authorization object YRVB_BATCH to the batch user.
9. Assign program /MSG/X_FREETEXT_SEARCH with the variant saved in item 6.
10. Schedule program /MSG/X_FREETEXT_SEARCH with the variant saved in item 6 as a background task.
In the second step, the evaluation of search runs takes place. For this, the Web Dynpro Floor Plan Manager application "Administration of the free text search" (/MSG/82_TXTSEARCH_MGMT_OVP_WA) is provided.
To open the Web Dynpro Floor Plan Manager application "Administration of the free text search" (/MSG/82_TXTSEARCH_MGMT_OVP_WA), the authorization object /MSG/X_SRC must be assigned to your user.
The initial screen enables the search for results of the free text search. The result list in the same screen shows the search results. It is possible to discard the search results or to navigate to the Detail: Result of Free Text Search screen.
On the Detail: Result of Free Text Search screen, single or multiple detail results can be discarded. Also, in Edit mode, the current content of text fields can be changed. When changes are saved, they are transferred directly to the text field of the corresponding XDI field.
Note
Changes to the current content are not checked.
Changes to the current content are only possible for XDI text fields. This means that it is not possible to change date and currency fields, for example.
The changes of corresponding XDI fields are logged in the database table /MPR/X_DP_CHGLG to prevent data loss due to deletion by mistake.
The program /MPR/X_DP_DEL_CHGLOG is provided to display and delete the change log entries. Only users to which the authorization object /MSG/X_SRC is assigned are allowed to display and delete the change log entries with program /MPR/X_DP_DEL_CHGLOG.
To execute the program, enter the days in the Days Relevant for Deletion field. The program determines all change log entries that have exceeded the specified days relevant for deletion, based on the change date of each change log entry. By setting the Test Run checkbox, you can display the change log entries for the specified days relevant for deletion. The change log entries are only deleted if the Test Run checkbox is not set.
If you want to display all change log entries, run the program with 0 days relevant for deletion and the Test Run checkbox selected.
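The retention behaviour of the change log cleanup described above, as an added Python model of what /MPR/X_DP_DEL_CHGLOG does with its two parameters (this is not the program's ABAP code and not msg.XDI or SAP code); the row layout of /MPR/X_DP_CHGLG and the inclusive "age >= days" comparison are assumptions.

```python
"""Model of the retention logic of program /MPR/X_DP_DEL_CHGLOG (13.3.1).
Added example, not msg.XDI or SAP code: it reproduces the described behaviour
(select entries that have reached 'Days Relevant for Deletion', delete them
only when Test Run is not set) so the effect of both parameters can be checked."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ChangeLogEntry:
    """Minimal model of a /MPR/X_DP_CHGLG row; the real column layout is not
    documented on the page, so this layout is an assumption."""
    table: str        # e.g. /MPR/XACK_PARTY
    key: str          # record key (constructed)
    field: str        # changed XDI field, e.g. PARTY_NAME
    change_date: date


def select_for_deletion(entries, days, today):
    """Entries whose change date is at least `days` days before `today`.
    Assumption: the comparison is inclusive (age >= days), because the guide
    says a run with 0 days and Test Run set displays all entries."""
    if days < 0:
        raise ValueError("Days Relevant for Deletion must be >= 0")
    return [e for e in entries if (today - e.change_date).days >= days]


def run_del_chglog(entries, days, test_run, today):
    """Returns (selected, remaining). With Test Run set, the selected entries
    are only displayed and the log is left unchanged."""
    selected = select_for_deletion(entries, days, today)
    if test_run:
        return selected, list(entries)
    selected_ids = {id(e) for e in selected}
    remaining = [e for e in entries if id(e) not in selected_ids]
    return selected, remaining


# Constructed sample change log; dates are relative to the document date 2018-07-27.
TODAY = date(2018, 7, 27)
SAMPLE_LOG = [
    ChangeLogEntry("/MPR/XACK_PARTY", "ACK-0001", "PARTY_NAME", date(2018, 7, 27)),
    ChangeLogEntry("/MPR/XCM_PARTY", "CM-0002", "STREET_NR", date(2018, 6, 1)),
    ChangeLogEntry("/MPR/XTA_PARTY", "TA-0003", "MAIL", date(2018, 1, 15)),
]


def demo():
    """How many entries a 90-day test run shows versus a real run deletes."""
    shown, untouched = run_del_chglog(SAMPLE_LOG, 90, True, TODAY)
    deleted, remaining = run_del_chglog(SAMPLE_LOG, 90, False, TODAY)
    return len(shown), len(untouched), len(deleted), len(remaining)


if __name__ == "__main__":
    print(demo())  # (1, 3, 1, 2)
```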
13.3.2 List of Free Text Search XDI Fields
The following table lists the XDI fields for which the Free Text Search is supported.
Table XDI Field
ClaimMovement Header Data 4
(/MPR/XCM_HEAD4) Lawyer Name (LAWYER_NAME)
Name of the Surveyor (SURVEYOR_NAME)
Partner Name in ACORD Messages (CLMANT_PARTY_NAM)
Claim Adjuster Name (ADJUST_NAME)
ClaimMovement Header Data Xchanging Extensions
(/MPR/XCM_HEADXCH)
Summary of the Person Insured's Medical History (SUM_INS_NARR)
Acknowledgement Partner Data
(/MPR/XACK_PARTY) Partner Name in ACORD Messages (PARTY_NAME)
Name of Contact Person at Partner (PERSON_NAME)
The following fields are only changed if search criterion was found in the
field PARTY_NAME:
Street and House Number of the Partner (STREET_NR)
Location of Partner (CITY_NAME)
Postal Code of Partner (POSTALCOD)
Mail of Contact Person at Partner (MAIL)
Phone Number of Contact Person at the Partner (TELEPHONE)
Fax No. of the Contact Person at the Partner (FAXNR)
Country of Partner (COUNTRY)
Province/District of the Partner (SUBENTITY)
ClaimMovement Partner Data
(/MPR/XCM_PARTY) Partner Name in ACORD Messages (PARTY_NAME)
Name of Contact Person at Partner (PERSON_NAME)
The following fields are only changed if search criterion was found in the
field PARTY_NAME:
Street and House Number of the Partner (STREET_NR)
Page 22 of 24
Table XDI Field
Location of Partner (CITY_NAME)
Postal Code of Partner (POSTALCOD)
Mail of Contact Person at Partner (MAIL)
Phone Number of Contact Person at the Partner (TELEPHONE)
Fax No. of the Contact Person at the Partner (FAXNR)
Country of Partner (COUNTRY)
Province/District of the Partner (SUBENTITY)
FinancialAccount Partner Data
(/MPR/XFA_PARTY) Partner Name in ACORD Messages (PARTY_NAME)
Name of Contact Person at Partner (PERSON_NAME)
The following fields are only changed if search criterion was found in the
field PARTY_NAME:
Street and House Number of the Partner (STREET_NR)
Location of Partner (CITY_NAME)
Postal Code of Partner (POSTALCOD)
Mail of Contact Person at Partner (MAIL)
Phone Number of Contact Person at the Partner (TELEPHONE)
Fax No. of the Contact Person at the Partner (FAXNR)
Country of Partner (COUNTRY)
Province/District of the Partner (SUBENTITY)
TechAccount Partner Data
(/MPR/XTA_PARTY) Partner Name in ACORD Messages (PARTY_NAME)
Name of Contact Person at Partner (PERSON_NAME)
The following fields are only changed if search criterion was found in the
field PARTY_NAME:
Street and House Number of the Partner (STREET_NR)
Location of Partner (CITY_NAME)
Postal Code of Partner (POSTALCOD)
Mail of Contact Person at Partner (MAIL)
Phone Number of Contact Person at the Partner (TELEPHONE)
Fax No. of the Contact Person at the Partner (FAXNR)
Country of Partner (COUNTRY)
Province/District of the Partner (SUBENTITY)
Header Data Table of an ACORD TechAccount Message
(/MPR/XTAC_HEAD)
Name of the Cedent of an ACORD Message (CEDENT_PARTY_NAM)
Policy Holder Name (ORIG_POL_HOLDER)
ClaimMovementHeader 2
(/MPR/XC_CM_CLAI2)
Name of Policy Holder (CLAIMANT_NAME)
Logging Table for ACORD ClaimMovement Message
(/MPR/XCLAIMMOVE)
Name of Party Who Sent ACORD Message (SENDER_PARTY_NAM)
Recipient Name (RECEIVER_PARTY_N)
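The partner tables above share one rule that is easy to get wrong when a change run is reviewed: the two name fields are searched, but the address and contact fields are only changed when the criterion matched PARTY_NAME, not when it matched PERSON_NAME (or appeared in a field that is not searched at all, such as MAIL). The following Python model, added here as an illustration and not SAP's own code, encodes that rule and the Test Run behaviour described in the previous section. The record layout, the case-insensitive substring matching, the replacement value and the function name `apply_free_text_change` are assumptions; the guide does not specify how matching is done or what value is written into a changed field.

```python
"""Model of the Free Text Search change rule for the XDI partner tables.

Added illustration, not SAP code. The guide states that in the partner
tables (/MPR/XACK_PARTY, /MPR/XCM_PARTY, /MPR/XFA_PARTY, /MPR/XTA_PARTY)
PARTY_NAME and PERSON_NAME are searched, and that the address/contact
fields are only changed if the search criterion was found in PARTY_NAME.
Matching semantics, the replacement value and the record layout are
assumptions.
"""
from typing import Dict, List

# Fields searched in every partner table (from the guide).
SEARCHED_FIELDS = ("PARTY_NAME", "PERSON_NAME")

# Fields changed only when the criterion matched PARTY_NAME (from the guide).
DEPENDENT_FIELDS = ("STREET_NR", "CITY_NAME", "POSTALCOD", "MAIL",
                    "TELEPHONE", "FAXNR", "COUNTRY", "SUBENTITY")

PARTNER_TABLES = ("/MPR/XACK_PARTY", "/MPR/XCM_PARTY",
                  "/MPR/XFA_PARTY", "/MPR/XTA_PARTY")


def apply_free_text_change(table: str, record: Dict[str, str],
                           criterion: str, replacement: str,
                           test_run: bool = True) -> Dict[str, str]:
    """Return the record as it would look after the change run.

    criterion  : free-text search string, matched case-insensitively as a
                 substring (assumption).
    replacement: value written into every changed field (assumption).
    test_run   : mirrors the Test Run checkbox; when True the input record
                 is left untouched and only the would-be result is returned.
    """
    if table not in PARTNER_TABLES:
        raise ValueError(f"{table} is not a partner table with the PARTY_NAME rule")
    needle = criterion.casefold()
    result = dict(record)
    hit_in_party_name = False
    for f in SEARCHED_FIELDS:
        if needle and needle in record.get(f, "").casefold():
            result[f] = replacement
            if f == "PARTY_NAME":
                hit_in_party_name = True
    # Address/contact fields follow PARTY_NAME only, never PERSON_NAME.
    if hit_in_party_name:
        for f in DEPENDENT_FIELDS:
            if f in result:
                result[f] = replacement
    if not test_run:
        record.update(result)
    return result


def changed_fields(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Sorted names of the fields whose value differs between two records."""
    return sorted(k for k in after if before.get(k) != after[k])


# Constructed sample record for /MPR/XCM_PARTY (not real data).
SAMPLE = {
    "PARTY_NAME": "Acme Re Ltd", "PERSON_NAME": "Jane Doe",
    "STREET_NR": "1 Main St", "CITY_NAME": "London", "POSTALCOD": "EC3",
    "MAIL": "jane.doe@example.invalid", "TELEPHONE": "+44 20 0000 0000",
    "FAXNR": "", "COUNTRY": "GB", "SUBENTITY": "",
}

if __name__ == "__main__":
    for crit in ("acme", "jane"):
        out = apply_free_text_change("/MPR/XCM_PARTY", SAMPLE, crit, "***")
        print(crit, "->", changed_fields(SAMPLE, out))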
13.4 Read Access Logging
This document describes Read Access Logging only for the XDI component on SAP NetWeaver.
Note
For the XDI components Web Service and Middleware, the Read Access Logging specifications of the respective software providers/manufacturers have to be used.
Logging of read access to personal data is partly required by legislation. The Read Access Logging (RAL) component can be used to monitor and log read access to data and to provide information such as which business users accessed personal data (for example, of a business partner) and in which time frame.
In RAL you can configure which read-access information to log and under which conditions.
SAP delivers sample configurations for applications. For more information, see the application-specific sections of this security guide.
You can display the configurations in the system by performing the following steps:
1. In transaction SRALMANAGER, on the Administration tab page, choose Configuration.
2. Choose the desired channel, for example WebDynpro.
3. Choose Search.
4. The system displays the available configurations for the selected channel.
5. Choose Display Configuration for detailed information about the configuration. Related recordings can also be displayed for specific channels.
Prerequisites
Before you can use the delivered RAL configurations, you must meet the following prerequisites:
- You are using:
    NW 751:SP0
    AS ABAP 7.51
    Kernel 7.45 SP21 and above
    SAP_UI 7.51 (UI5 1.40)
- The RAL configurations have been activated.
- You have enabled RAL in each system client.
More Information
For general information about Read Access Logging, see the product assistance for SAP NetWeaver on SAP Help Portal at https://help.sap.com/viewer/p/SAP_NETWEAVER under SAP NetWeaver Library: Function-Oriented View -> System Security for SAP NetWeaver AS for ABAP Only.
For up-to-date information about the delivered RAL configurations, see SAP Note 2347271.
13.4.1 Specific Read Access Log Configuration
In Read Access Logging (RAL) you can configure which read-access information to log and under which conditions.
XDI delivers sample configurations for applications.
You can find the configurations as described in the section Read Access Logging.
The configurations detailed under List of Specific Read Access Log Configuration log the fields given there, in combination with additional fields that depend on the related business context.
To use the delivered sample configurations, save the ZIP attachments from the following SAP Notes:
- 2477806: Read access logging content for application FS-RI
- 2516645: Read access logging content for application FS-RI
Extract these ZIP files and use transaction SRALMANAGER to import the RAL configurations using the Import function for configurations.
13.4.2 List of Specific Read Access Log Configuration
Channel: Web Dynpro
    Configuration:    MSGXDI_MANAGEMENT_COCKPIT
    Fields Logged:    Logging of displayed field NarrativeSum Insured in XDI Management Cockpit
    Business Context: Specific data from the insured is exchanged in the London Market via this field

Channel: Remote Function Call
    Configuration:    /MPR/FB_XF_RECEIVE_CM_XCH_LM
    Fields Logged:    Logging of RFC importing field IS_CM_HEADXCH-SUM_INS_NARR
    Business Context: Specific data from the insured is exchanged in the London Market via this field
© 2018 SAP AG or an SAP affiliate company. All rights reserved.