
Security Guide

Document Version: 1.0 – 2018-07-27

PUBLIC

Security Guide for SAP Reinsurance Management 8.0 FPS02 for

SAP S/4HANA

eXchange Data Interface

Page 2 of 24

1 Table of Contents

1 Table of Contents 2

2 Document History 3

3 Introduction 4

4 Before You Start 6

5 Technical System Landscape 7

6 User Administration and Authentication 8

6.1 User Management 8

6.2 User Data Synchronization 9

6.3 Integration into Single Sign-On Environments 9

7 Authorizations 10

8 Session Security Protection 12

9 Network and Communication Security 13

9.1 Communication Channel Security 13

9.2 Network Security 14

9.3 Communication Destinations 14

10 Internet Communication Framework Security 15

11 Application-Specific Virus Scan Profile (ABAP) 16

12 Data Storage Security 17

13 Data Protection 18

13.1 Asking for User Consent 19

13.2 Display of Personal Data in XDI Management Cockpit 19

13.3 Search, Display, Delete and Change of Personal Data via Free Text Search 19

13.3.1 Specific Free Text Search Configuration 20

13.3.2 List of Free Text Search XDI Fields 21

13.4 Read Access Logging 22

13.4.1 Specific Read Access Log Configuration 23

13.4.2 List of Specific Read Access Log Configuration 24


2 Document History

Version Date Change

1.0 2018-07-27 Initial version


3 Introduction

Purpose

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to the eXchange Data Interface (XDI). To assist you in securing XDI, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to XDI.

XDI consists of the following levels:

ACORD AMS Web Service (inbound, outbound)

Middleware (e.g. BizTalk, SAP PI)

SAP NetWeaver ABAP

This security guide only focuses on component XDI on SAP NetWeaver. For the XDI components ACORD AMS Web Service and Middleware the specifications of the respective software providers/manufacturers have to be considered.

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by XDI.

User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

Recommended tools to use for user management

User types that are required by XDI

Overview of the user synchronization strategy, if several components or products are involved

Overview of how integration into Single Sign-On environments is possible

Authorizations

This section provides an overview of the authorization concept that applies to XDI.

Session Security Protection

This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).


Network and Communication Security

This section provides an overview of the communication paths used by XDI and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Internet Communication Framework Security

This section provides an overview of the Internet Communication Framework (ICF) services that are used by XDI.

Application-Specific Virus Scan Profile (ABAP)

This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.

Data Storage Security

This section provides an overview of any critical data that is used by XDI and the security mechanisms that apply.

Data Protection

This section provides information about how XDI protects personal or sensitive data.

Enterprise Services Security

This section provides an overview of the security aspects that apply to the enterprise services delivered with XDI

Services for Security Lifecycle Management

This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.


4 Before You Start

Fundamental Security Guides

XDI 2.17 requires Microsoft Internet Information Server (IIS), Microsoft BizTalk or other middleware tools and SAP Reinsurance Management. Therefore, the corresponding Security Guides also apply to XDI. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

Fundamental Security Guides

Scenario, Application or Component / Security Guide / Most Relevant Sections or Specific Restrictions

SAP NetWeaver: SAP NetWeaver Security Guide

SAP Reinsurance Management: only necessary if the SAP NetWeaver platform is in use

Microsoft Internet Information Server: security documentation of the manufacturer

Microsoft BizTalk: security documentation of the manufacturer

Important SAP Notes

The most important SAP Notes that apply to the security of XDI are shown in the table below.

Title / SAP Note / Comments

SAP Note 2579383, CORR: Field enhancement for informational report. See description in SAP Note.

SAP Note 2579557, CORR: Field enhancement for free text search. See description in SAP Note.


5 Technical System Landscape

The figure below shows an overview of the technical system landscape for XDI.

[Figure: "Electronic Data Exchange for Reinsurance - Architecture & Framework" (© msg 2018, msg.XDI). The diagram shows, from the outside in: the communication channels (FTP, file, email, ...); the msg.XDI ACORD AMS Web Service (inbound) and ACORD AMS Client (outbound); the middleware (SAP PI / MS BizTalk or a customer-individual solution); and, on SAP NetWeaver ABAP, the msg.XDI component with its ACORD structure, msg.XDI facade structure, XSD validation and error handling, facade logic, FS-RI and FS-CD structures, message archive, RFC interface and the XDI Management Cockpit. The msg.XDI facades connect to FS-RI (Loss BAPI, Account BAPI), FS-CD (Payment Lot, Open Item), SAP FI-GL and a Document Management System.]


6 User Administration and Authentication

XDI uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server for ABAP Security Guide [SAP Library] also apply to XDI.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to XDI in the following sections:

User Management

This section lists the tools to use for user management, the types of users required, and the standard users that are delivered with XDI

User Data Synchronization

XDI shares user data with Central User Administration. This section describes how the user data is synchronized with these other sources.

Integration into Single Sign-On Environments

This section describes how XDI supports Single Sign-On mechanisms.

6.1 User Management

User management for XDI uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for XDI, see the sections below. In addition, we provide a list of the standard users required for operating XDI.

User Administration Tools

The table below shows the tools to use for user management and user administration with XDI.

User Management Tools

Tool Detailed Description Prerequisites

User and role maintenance with SAP NetWeaver AS ABAP

(transaction SU01, PFCG)

For more information, see User and Role Administration of Application Server ABAP [SAP Library].

None

User Types

The user types that are required for XDI include:

Individual users:

Dialog users are used for XDI Management Cockpit (XMC).

Technical users:

Service users are used for communication between Middleware and SAP Backend System.

Background users are used for Closing Batch functionality in XDI.


6.2 User Data Synchronization

XDI does not maintain user data of its own. All user administration for XDI is performed with the user management of SAP NetWeaver AS ABAP and is distributed via Central User Administration (CUA) where CUA is in use.

6.3 Integration into Single Sign-On Environments

XDI supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide [SAP Library] also apply to XDI.


7 Authorizations

XDI uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to XDI.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.

For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java.

Standard Roles

The table below shows the standard roles that are delivered with XDI.

Standard Roles

Role Description

/MPR/XDI_RFC This role is delivered as a template and can be used for both service users and dialog users. This role enables the processing of ACORD messages for both interface and dialog.

/MPR/XDI This role is delivered as a template and can be used for dialog users. This role includes all authorizations for executing the relevant XDI transactions in SAP.

/MPR/XDI_RFC_DEBUG This role is delivered as a template and can be used for both service users and dialog users. This role is an extension of role /MPR/XDI_RFC and enables debugging mode for service users.

/MPR/XTT_TESTTOOL This role is delivered as a template. It includes all authorizations for managing and processing test cases in XDI Test Tool.

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by XDI.

Standard Authorization Objects

Authorization Object / Field / Value / Description

/MPR/XDI

  /MPR/XAGCY: example values DUNS_dun_and_bradstreet, Lloyds, etc. Agency, which represents the type of identification for the identification number in SAP Business Partner.

  /MPR/XFUNC: Process message, Change message status, Send acknowledgement, Display message in XMC, Create note, Execute APIs, Display DRI process list. Scope of functions in XDI.

  /MPR/XMTYP: acknowledgement, claim_movement, financialaccount, repository_operation_request, repository_operation_response, technical_account. ACORD messages that can be processed with XDI.

  /MPR/XPAID: <Party><ID>. Partner identification number from the ACORD message.

  /MPR/XROLE: broker, cedent, insurer, reinsurer, serviceprovider. Specification of sender or receiver of an ACORD message.

  /MPR/XROTY: All role categories, Recipient, Sender. Detailed specification of /MPR/XROLE.

/MSG/X_SRC

  ACTVT: Change, Display. Authorization object for results of the free text search.

/MSG/X_DPP

  ACTVT: Delete, Execute, Display saved data. Authorization object for data privacy and protection.

YRVB_BATCH

  Fields ACTVT, /MSG/R_REP, /MSG/R_VAR, BUKRS, /MSG/R_ABT, /MSG/R_STE: not described in this guide (see the detailed description in the SAP Reinsurance Management documentation). The user must have authorization to execute program /MSG/X_FREETEXT_SEARCH.
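The following Python model is added here as an example; it is not part of this guide or of msg.XDI. It shows how an AUTHORITY-CHECK against /MPR/XDI is evaluated, so that a planned role can be dry-run before it is built in PFCG. The role contents SERVICE_USER and ANALYST, the partner ID 123456789 and the test message are constructed, and the field values are the descriptive labels from the table above, which stand in for the coded values the real authorization object uses.

```python
# Added example, not code from the guide or from msg.XDI: a model of how
# AS ABAP evaluates AUTHORITY-CHECK against /MPR/XDI. Semantics modelled:
# a user holds one or more authorizations for the object, each giving a set
# of permitted values per field; the check passes if at least one single
# authorization satisfies every checked field; '*' permits any value.
# ASSUMPTION: field values are the descriptive labels from the guide's
# table, not the coded values the real object expects in PFCG.
from dataclasses import dataclass

OBJECT = "/MPR/XDI"
FIELDS = ("/MPR/XAGCY", "/MPR/XFUNC", "/MPR/XMTYP",
          "/MPR/XPAID", "/MPR/XROLE", "/MPR/XROTY")


@dataclass
class Authorization:
    """One authorization for /MPR/XDI: field name -> permitted values."""
    values: dict

    def permits(self, request: dict) -> bool:
        # Every checked field must be covered by THIS authorization;
        # values from other authorizations of the same user never combine.
        for fld, wanted in request.items():
            allowed = self.values.get(fld, set())
            if "*" not in allowed and wanted not in allowed:
                return False
        return True


def authority_check(authorizations, request: dict) -> bool:
    """Mirror of AUTHORITY-CHECK OBJECT '/MPR/XDI' ID ... FIELD ...:
    passes if any single authorization permits all requested values."""
    unknown = set(request) - set(FIELDS)
    if unknown:
        raise ValueError(f"{OBJECT} has no field(s) {sorted(unknown)}")
    return any(a.permits(request) for a in authorizations)


# Hypothetical role content for a middleware service user, modelled on the
# purpose of /MPR/XDI_RFC: process and acknowledge inbound ACORD messages
# from any broker or cedent, but never use the XMC display functions.
SERVICE_USER = [Authorization({
    "/MPR/XAGCY": {"*"},
    "/MPR/XFUNC": {"Process message", "Change message status", "Send acknowledgement"},
    "/MPR/XMTYP": {"technical_account", "financialaccount", "claim_movement"},
    "/MPR/XPAID": {"*"},
    "/MPR/XROLE": {"broker", "cedent"},
    "/MPR/XROTY": {"Sender"},
})]

# Hypothetical role content for an analyst: may display any message in XMC,
# but may process messages from one broker (DUNS 123456789) only.
ANALYST = [
    Authorization({
        "/MPR/XAGCY": {"*"}, "/MPR/XFUNC": {"Display message in XMC", "Create note"},
        "/MPR/XMTYP": {"*"}, "/MPR/XPAID": {"*"},
        "/MPR/XROLE": {"*"}, "/MPR/XROTY": {"*"},
    }),
    Authorization({
        "/MPR/XAGCY": {"DUNS_dun_and_bradstreet"}, "/MPR/XFUNC": {"Process message"},
        "/MPR/XMTYP": {"technical_account"}, "/MPR/XPAID": {"123456789"},
        "/MPR/XROLE": {"broker"}, "/MPR/XROTY": {"Sender"},
    }),
]

# Constructed inbound TechAccount sent by broker 123456789.
INBOUND_TA = {
    "/MPR/XAGCY": "DUNS_dun_and_bradstreet", "/MPR/XMTYP": "technical_account",
    "/MPR/XPAID": "123456789", "/MPR/XROLE": "broker", "/MPR/XROTY": "Sender",
}


def can(authorizations, func: str, message: dict = INBOUND_TA, **overrides) -> bool:
    """Check function `func` on `message`, with single fields overridden,
    e.g. can(ANALYST, "Process message", **{"/MPR/XPAID": "987654321"})."""
    return authority_check(authorizations, {**message, "/MPR/XFUNC": func, **overrides})


if __name__ == "__main__":
    for name, auths in (("SERVICE_USER", SERVICE_USER), ("ANALYST", ANALYST)):
        for func in ("Process message", "Display message in XMC"):
            print(f"{name:12} {func:24} broker 123456789: {can(auths, func)}  "
                  f"broker 987654321: {can(auths, func, **{'/MPR/XPAID': '987654321'})}")
```

The point to keep in mind when deriving roles from the /MPR/XDI_RFC and /MPR/XDI templates: a user who may process messages from one partner and display messages from all partners does not thereby gain permission to process messages from all partners, because the check is satisfied only by one authorization whose values all match.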


8 Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookie(s), we recommend activating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the client(s) using transaction SICF_SESSIONS.

For more information, a list of the relevant profile parameters, and detailed instructions, see Activating HTTP Security Session Management on AS ABAP [SAP Library] in the AS ABAP security documentation.


9 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system level and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for XDI is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to XDI. Details that specifically apply to XDI are described in the following sections:

Communication Channel Security

This section describes the communication paths and protocols used by XDI.

Network Security

This section describes the recommended network topology for XDI. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate XDI.

Communication Destinations

This section describes the information needed for the various communication paths, for example, which users are used for which communications.

9.1 Communication Channel Security

The table below shows the communication channels used by XDI, the protocol used for the connection, and the type of data transferred.

Communication Path Protocol Used Type of Data Transferred

Data Requiring Special Protection

Front-end client using SAP GUI for Windows to application server

DIAG All application data Passwords, credit card information

Front-end client using a Web browser to application server

HTTPS All application data Passwords, credit card information

Application server to application server

RFC Application data System information

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. SOAP connections are protected with Web services security.

Recommendation

We strongly recommend using secure protocols (SSL, SNC) whenever possible.

For more information, see Transport Layer Security [SAP Library] and Web Services Security [SAP Library] in the SAP NetWeaver Security Guide.


9.2 Network Security

Ports

XDI runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see the topics for AS ABAP Ports [SAP Library] in the corresponding SAP NetWeaver Security Guides. For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document "TCP/IP Ports Used by SAP Applications", which is located on SAP Developer Network at http://scn.sap.com/community/security under Infrastructure Security -> Network and Communications Security.

9.3 Communication Destinations

XDI sends messages, such as TechAccount, ClaimMovement or Acknowledgement, from the SAP NetWeaver system to the connected middleware. The connection between XDI and the middleware is an RFC destination of type TCP/IP. The destinations are configured with transaction SM59 (Configuration of RFC Connections). No destinations are delivered with XDI; the configuration has to be done by the customer.

Connection Destinations

Destination / Delivered / Type / User, Authorizations / Description

For all four destinations: not delivered; type TCP/IP (Registered Server Program -> Communication via RFC); all SAP logon variants are possible, see SAP NetWeaver Application Server ABAP Security Guide [SAP Library].

XDI_ACK: connection used for sending ACORD Acknowledgement messages from XDI

XDI_DRI: connection used for sending ACORD DRI messages from XDI

XDI_SEND_CM: connection used for sending ACORD ClaimMovement messages from XDI

XDI_SEND_TA: connection used for sending ACORD TechAccount messages from XDI


10 Internet Communication Framework Security

You should only activate those services that are needed for the applications running in your system. For XDI, the following services are needed:

/default_host/sap/bc/webdynpro without subnodes

/default_host/sap/public/bc with following subnodes

/default_host/sap/public/bc/ur

/default_host/sap/public/bc/icons

/default_host/sap/public/bc/icons_rtl

/default_host/sap/public/bc/webicons

/default_host/sap/public/bc/pictograms

/default_host/sap/public/bc/webdynpro/* (ssr, mimes, etc.)

/default_host/sap/public/myssocntl

/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search

/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search2

/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_dr_prclst

/default_host/sap/bc/webdynpro/mpr/xmc_gui_wd_extrefgen

/default_host/sap/bc/gui/sap/its/webgui

/default_host/sap/bc/gui with all subnodes and subelements

/default_host/sap/public/bc/its with all subnodes and subelements

Use transaction SICF to activate these services.

If your firewall(s) use(s) URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.
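As an added example, not code from this guide or from msg.XDI, the check below encodes the service list above as a Python allowlist that can be run against the active ICF nodes exported from SICF. It reports active services XDI does not need (candidates for deactivation) and required services that are inactive. ACTIVE_NODES is constructed; the nodes /default_host/sap/bc/webdynpro/sap/zdemo_app and /default_host/sap/bc/zlegacy_upload are invented stand-ins for unrelated services.

```python
# Added example, not part of the guide or of msg.XDI: allowlist review of
# ICF service activation. Two rules from the guide are modelled:
# "without subnodes" / an individually named service -> only that exact node
# is expected active; "with all subnodes" -> any node below the root is fine.
# ICF serves a node only when all of its parent nodes are active too, so the
# parents of required services are allowed (and required) as well.
REQUIRED_EXACT = {
    "/default_host/sap/bc/webdynpro",                      # without subnodes
    "/default_host/sap/public/bc",
    "/default_host/sap/public/bc/ur",
    "/default_host/sap/public/bc/icons",
    "/default_host/sap/public/bc/icons_rtl",
    "/default_host/sap/public/bc/webicons",
    "/default_host/sap/public/bc/pictograms",
    "/default_host/sap/public/myssocntl",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search2",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_dr_prclst",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_wd_extrefgen",
    "/default_host/sap/bc/gui/sap/its/webgui",
}
REQUIRED_SUBTREES = {                                      # with all subnodes
    "/default_host/sap/public/bc/webdynpro",
    "/default_host/sap/bc/gui",
    "/default_host/sap/public/bc/its",
}


def _ancestors(node: str) -> set:
    parts = node.strip("/").split("/")
    return {"/" + "/".join(parts[:i]) for i in range(1, len(parts))}


def _under(node: str, root: str) -> bool:
    return node == root or node.startswith(root + "/")


REQUIRED_PARENTS = set().union(
    *(_ancestors(n) for n in REQUIRED_EXACT | REQUIRED_SUBTREES))


def is_allowed(node: str) -> bool:
    return (node in REQUIRED_EXACT or node in REQUIRED_PARENTS
            or any(_under(node, root) for root in REQUIRED_SUBTREES))


def audit(active_nodes) -> dict:
    """Compare active ICF nodes with the allowlist.
    'deactivate': active but not needed by XDI (review, then disable in SICF);
    'activate': needed by XDI but not active."""
    active = set(active_nodes)
    needed = REQUIRED_EXACT | REQUIRED_SUBTREES | REQUIRED_PARENTS
    return {
        "deactivate": sorted(n for n in active if not is_allowed(n)),
        "activate": sorted(n for n in needed if n not in active),
    }


# Constructed SICF export: XDI nodes plus two invented unrelated services;
# xmc_gui_wd_extrefgen is deliberately left inactive.
ACTIVE_NODES = {
    "/default_host", "/default_host/sap", "/default_host/sap/bc", "/default_host/sap/public",
    "/default_host/sap/bc/webdynpro", "/default_host/sap/bc/webdynpro/mpr",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_search2",
    "/default_host/sap/bc/webdynpro/mpr/xmc_gui_ap_dr_prclst",
    "/default_host/sap/bc/webdynpro/sap",                   # invented extra
    "/default_host/sap/bc/webdynpro/sap/zdemo_app",         # invented extra
    "/default_host/sap/bc/zlegacy_upload",                  # invented extra
    "/default_host/sap/bc/gui", "/default_host/sap/bc/gui/sap",
    "/default_host/sap/bc/gui/sap/its", "/default_host/sap/bc/gui/sap/its/webgui",
    "/default_host/sap/public/bc", "/default_host/sap/public/bc/ur",
    "/default_host/sap/public/bc/icons", "/default_host/sap/public/bc/icons_rtl",
    "/default_host/sap/public/bc/webicons", "/default_host/sap/public/bc/pictograms",
    "/default_host/sap/public/bc/webdynpro", "/default_host/sap/public/bc/webdynpro/mimes",
    "/default_host/sap/public/bc/its", "/default_host/sap/public/bc/its/mimes",
    "/default_host/sap/public/myssocntl",
}

if __name__ == "__main__":
    for action, nodes in audit(ACTIVE_NODES).items():
        print(action + ":", *nodes, sep="\n  ")
```

The "deactivate" list is a review list, not an instruction: other applications on the same system may need those nodes, so extend REQUIRED_EXACT and REQUIRED_SUBTREES with their documented services before disabling anything in SICF.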


11 Application-Specific Virus Scan Profile (ABAP)

SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and what file types are checked or blocked, there are virus scan profiles. Different applications rely on default profiles or application-specific profiles.

To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles.


12 Data Storage Security

Data Storage

XDI has the following levels where business data and master data can be stored:

Web Service

Middleware (e.g. BizTalk, SAP PI)

SAP NetWeaver

Web Service (only business data)

In-force business data (included in ACORD messages) can be stored as a file in a customer-specific storage location.

Middleware (only business data)

All data traffic is recorded for a specific time, configured by the customer, in middleware. ACORD messages can also be archived in a configurable file folder.

SAP NetWeaver

In-force business data and master data is stored in XDI in the SAP system’s database. Neither individual user data nor external configuration data is used. Only user data from SAP Business Partner is used.

Master data is stored in the database when XDI is customized. The in-force business data is written to the database immediately after the ACORD messages arrive in FS-RI.

The application holds the data in the main memory until a commit is run (in other words, until the information is written to the database).

Protect Access to the File System

XDI Web Service and Middleware save data in files in the file system. Therefore, access must be granted explicitly to the corresponding files only, without allowing access to other directories or files, for example through directory traversal (path manipulation with ".." sequences or absolute paths).

It is also necessary that only authorized people have access to the specific file folders.
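The check the paragraph above asks of the web service and the middleware, as an added Python example rather than code from this guide: a requested file name is resolved inside the configured archive folder and rejected if it escapes it. The folder and file names (acord_archive, TA_20180727.xml, secret.cfg) are constructed for the example.

```python
# Added example, not from the guide: confine file access to the configured
# archive folder. Fully resolved paths are compared instead of string
# prefixes, because a prefix test would accept "/data/archive_old/x" for the
# base "/data/archive". Folder and file names below are constructed.
import os
import shutil
import tempfile


class PathOutsideArchive(ValueError):
    """Requested name resolves to something outside the archive folder."""


def resolve_in_archive(archive_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `archive_dir`, or raise.

    Rejects empty and absolute names, ".." sequences, the folder itself, and
    symlinks inside the folder that point out of it (realpath follows them).
    """
    if not requested.strip() or os.path.isabs(requested):
        raise PathOutsideArchive(requested)
    base = os.path.realpath(archive_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathOutsideArchive(requested)
    return candidate


def is_inside_archive(archive_dir: str, requested: str) -> bool:
    try:
        resolve_in_archive(archive_dir, requested)
        return True
    except PathOutsideArchive:
        return False


def demo() -> dict:
    """Exercise the rule on a constructed temporary folder layout."""
    root = tempfile.mkdtemp()
    try:
        archive = os.path.join(root, "acord_archive")
        os.mkdir(archive)
        open(os.path.join(archive, "TA_20180727.xml"), "w").close()
        open(os.path.join(root, "secret.cfg"), "w").close()
        results = {
            "plain": is_inside_archive(archive, "TA_20180727.xml"),
            "dotdot": is_inside_archive(archive, "../secret.cfg"),
            "absolute": is_inside_archive(archive, os.path.join(root, "secret.cfg")),
            "folder_itself": is_inside_archive(archive, "."),
            "lookalike": is_inside_archive(archive, os.path.join("..", "acord_archive_old", "x")),
        }
        try:  # symlink inside the folder that points outside it
            os.symlink(os.path.join(root, "secret.cfg"), os.path.join(archive, "link.xml"))
            results["symlink_out"] = is_inside_archive(archive, "link.xml")
        except (OSError, NotImplementedError):
            results["symlink_out"] = None  # platform does not allow symlinks here
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {'allowed' if ok else 'rejected' if ok is False else 'n/a'}")
```

Apply the same rule to every path that reaches the file system from outside, including the archive folder configured in the middleware and the file names taken from inbound messages.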


13 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that are provided to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note

In the majority of cases, compliance with data privacy laws is not a product feature.

The software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.

This document does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Glossary

Term Definition

Personal data Information about an identified or identifiable natural person.

Business purpose A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.

Blocking A method of restricting access to data for which the primary business purpose has ended.

Deletion Deletion of personal data so that the data is no longer usable.

Retention period The time period during which data must be available.

End of purpose (EoP) A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.

Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following sections are related to data protection and require appropriate TOMs:

Access control: Authentication features as described in section User Administration and Authentication.

Authorizations: Authorization concept as described in section Authorizations.

Read access logging: As described in section Read Access Logging.

Transmission control / Communication security: As described in section Network and Communication Security.

Input control / Change logging: Change logging is described in the application-specific documentation in section Data Protection.

Availability control as described in:

Data Storage Security

SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View, Solution Life Cycle Management, SAP Business Continuity

Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.

Caution

The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

Configuration of Data Protection Functions

Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.

Additional industry-specific, scenario-specific or application-specific configuration might be required.

For information about the application-specific configuration, see the application-specific Customizing structure msg.XDI - eXchange Data Interface in SHI3.

13.1 Asking for User Consent

XDI covers only reinsurance business, not primary insurance business. Reinsurance business is business between insurance companies or brokers and reinsurance companies and not between insurance companies and their end customers (natural persons).

Additionally, all personal data in XDI, for which consent would have to be given, is replicated from a primary insurance company or broker, respectively from their systems.

Consequently, asking for consent to gather and process personal data is not possible / necessary for XDI and has to be covered by primary insurance companies and brokers and their systems.

13.2 Display of Personal Data in XDI Management Cockpit

As previously described, XDI might process data (personal data) that is subject to the data protection laws applicable in specific countries. In XDI Management Cockpit (XMC), personal data can only be displayed; no changes or deletions are allowed in this tool. The display of personal data can be tracked by configuration of Read Access Logging. The necessary settings are described in Read Access Logging.

You can open XMC as described below:

1. Start transaction /MPR/X_WD_XMC_NEW.

2. Open Web Dynpro application /MPR/XMC_GUI_WD_SEARCH2.

13.3 Search, Display, Delete and Change of Personal Data via Free Text Search

As previously described, XDI might process data (personal data) that is subject to the data protection laws applicable in specific countries. Similarly to SAP Reinsurance Management, XDI provides a two-step editing process to retrieve, display, delete and change the information based on personal data search criteria.

13.3.1 Specific Free Text Search Configuration

In the first step, the search is started as a parallelized background program (/MSG/X_FREETEXT_SEARCH).

The search criteria are supplied in a CSV file stored on the application server of the SAP system, which the background program reads. The CSV file contains the personal data search criteria; the parts of a criterion are separated by ";" and each criterion is written on its own line. The background program persists a result list with the hits. After processing, an application log with success messages is output.

Caution

It is recommended not to run the program /MSG/X_FREETEXT_SEARCH multiple times concurrently to avoid a heavy load on the database.

Before you schedule the program /MSG/X_FREETEXT_SEARCH as a background task, the following steps still have to be done:

1. Start transaction CG3Z and upload the CSV file with the free text search criteria to a physical path on the application server.

2. Start transaction FILE and assign the physical path (configured in item 1) to a logical path on the SAP system.

3. Assign authorization object /MSG/X_DPP to the batch user and choose the activities "Delete", "Execute" and "Display saved data".

4. Start transaction SE38, choose program /MSG/X_FREETEXT_SEARCH and execute this program.

5. Set the functional parameters: Enter the logical file path (configured in item 2) and add the CSV file name, which includes the free text search criteria.

6. Make the technical settings: Deactivate the Sequential Processing checkbox. Objects per Package can be configured to meet the customer's needs. Select "XDI" in the Context of Search field.

7. Save the settings in a variant.

8. Assign authorization object YRVB_BATCH to the batch user.

9. Assign program /MSG/X_FREETEXT_SEARCH with the variant saved in item 7 to a background job.

10. Schedule program /MSG/X_FREETEXT_SEARCH with the variant saved in item 7 as a background task.

In the second step, the evaluation of search runs takes place. For this, the Web Dynpro Floor Plan Manager application "Administration of the free text search" (/MSG/82_TXTSEARCH_MGMT_OVP_WA) is provided.

To open the Web Dynpro Floor Plan Manager application "Administration of the free text search" (/MSG/82_TXTSEARCH_MGMT_OVP_WA), the authorization object /MSG/X_SRC must be assigned to your user.

The initial screen enables the search for results of the free text search. The result list in the same screen shows the search results. It is possible to discard the search results or to navigate to the Detail: Result of Free Text Search screen.

On the Detail: Result of Free Text Search screen, single or multiple detail results can be discarded. Also, in Edit mode, the current content of text fields can be changed. When changes are saved, they are transferred directly to the text field of the corresponding XDI field.


Note

The changed content is not validated.

Changing the current content is only possible for XDI text fields. This means that it is not possible to change date and currency fields, for example.

The changes of the corresponding XDI fields are logged in the database table /MPR/X_DP_CHGLG to prevent data loss due to accidental deletion. Since these change log entries preserve the previous field content, they are subject to the same retention considerations as the data they were taken from and should be deleted once they are no longer needed.

The program /MPR/X_DP_DEL_CHGLOG is provided to display and delete the change log entries. Only users to whom the authorization object /MSG/X_SRC is assigned are allowed to display and delete the change log entries with program /MPR/X_DP_DEL_CHGLOG.

To execute the program, enter the days in the Days Relevant for Deletion field. The program determines all change log entries that have exceeded the specified days relevant for deletion, based on the change date of each change log entry. By setting the Test Run checkbox, you can display the change log entries for the specified days relevant for deletion without deleting them. The change log entries are only deleted if the Test Run checkbox is not set.

If you want to display all change log entries, run the program with 0 days relevant for deletion and the Test Run checkbox selected.
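The selection rule of /MPR/X_DP_DEL_CHGLOG, rebuilt in Python over constructed change-log rows as an added example (not code from this guide or from msg.XDI), so that a retention setting can be dry-run before the productive deletion. Two assumptions are made: an entry qualifies when its age in days, counted from the change date, is greater than or equal to the Days Relevant for Deletion value (this is what makes 0 days plus Test Run list every entry, as stated above), and the row layout of /MPR/X_DP_CHGLG is invented for the example.

```python
# Added example, not from the guide or from msg.XDI: the retention rule of
# /MPR/X_DP_DEL_CHGLOG over constructed change-log rows.
# ASSUMPTIONS: "exceeded the specified days" is modelled as
# age_in_days >= days_relevant (consistent with 0 days + Test Run showing
# all entries); the columns of /MPR/X_DP_CHGLG are invented.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ChangeLogEntry:
    table: str        # e.g. /MPR/XCM_PARTY
    field: str        # e.g. PARTY_NAME
    old_value: str    # previous content, the reason the log is sensitive
    new_value: str
    changed_on: date


def select_entries(entries, days_relevant: int, today: date) -> list:
    """Entries whose change date lies `days_relevant` or more days back."""
    if days_relevant < 0:
        raise ValueError("days relevant for deletion must be >= 0")
    cutoff = today - timedelta(days=days_relevant)
    return [e for e in entries if e.changed_on <= cutoff]


def run_cleanup(entries, days_relevant: int, today: date, test_run: bool = True):
    """Return (entries shown, entries remaining). With test_run nothing is
    deleted; run without it only after the displayed list was reviewed."""
    hits = select_entries(entries, days_relevant, today)
    if test_run:
        return hits, list(entries)
    return hits, [e for e in entries if e not in hits]


# Constructed sample rows; "today" is fixed to the guide's document date.
TODAY = date(2018, 7, 27)
SAMPLE = [
    ChangeLogEntry("/MPR/XCM_PARTY", "PARTY_NAME", "J. Example", "XXXXXX", date(2018, 1, 15)),
    ChangeLogEntry("/MPR/XTA_PARTY", "PERSON_NAME", "A. Sample", "XXXXXX", date(2018, 6, 27)),
    ChangeLogEntry("/MPR/XTAC_HEAD", "ORIG_POL_HOLDER", "B. Holder", "XXXXXX", date(2018, 7, 27)),
]

if __name__ == "__main__":
    shown, remaining = run_cleanup(SAMPLE, 30, TODAY, test_run=True)
    print(f"test run, 30 days: {len(shown)} shown, {len(remaining)} remaining")
    shown, remaining = run_cleanup(SAMPLE, 30, TODAY, test_run=False)
    print(f"real run, 30 days: {len(shown)} deleted, {len(remaining)} remaining")
```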

13.3.2 List of Free Text Search XDI Fields

The following table lists the XDI fields for which the Free Text Search is supported. Each entry gives the table (with its technical name) followed by the XDI fields searched in it.

ClaimMovement Header Data 4 (/MPR/XCM_HEAD4)
- Lawyer Name (LAWYER_NAME)
- Name of the Surveyor (SURVEYOR_NAME)
- Partner Name in ACORD Messages (CLMANT_PARTY_NAM)
- Claim Adjuster Name (ADJUST_NAME)

ClaimMovement Header Data Xchanging Extensions (/MPR/XCM_HEADXCH)
- Summary of the Person Insured's Medical History (SUM_INS_NARR)

Acknowledgement Partner Data (/MPR/XACK_PARTY)
- Partner Name in ACORD Messages (PARTY_NAME)
- Name of Contact Person at Partner (PERSON_NAME)
- The following fields are only changed if the search criterion was found in the field PARTY_NAME:
  - Street and House Number of the Partner (STREET_NR)
  - Location of Partner (CITY_NAME)
  - Postal Code of Partner (POSTALCOD)
  - Mail of Contact Person at Partner (MAIL)
  - Phone Number of Contact Person at the Partner (TELEPHONE)
  - Fax No. of the Contact Person at the Partner (FAXNR)
  - Country of Partner (COUNTRY)
  - Province/District of the Partner (SUBENTITY)

ClaimMovement Partner Data (/MPR/XCM_PARTY)
- Partner Name in ACORD Messages (PARTY_NAME)
- Name of Contact Person at Partner (PERSON_NAME)
- The following fields are only changed if the search criterion was found in the field PARTY_NAME:
  - Street and House Number of the Partner (STREET_NR)
  - Location of Partner (CITY_NAME)
  - Postal Code of Partner (POSTALCOD)
  - Mail of Contact Person at Partner (MAIL)
  - Phone Number of Contact Person at the Partner (TELEPHONE)
  - Fax No. of the Contact Person at the Partner (FAXNR)
  - Country of Partner (COUNTRY)
  - Province/District of the Partner (SUBENTITY)

FinancialAccount Partner Data (/MPR/XFA_PARTY)
- Partner Name in ACORD Messages (PARTY_NAME)
- Name of Contact Person at Partner (PERSON_NAME)
- The following fields are only changed if the search criterion was found in the field PARTY_NAME:
  - Street and House Number of the Partner (STREET_NR)
  - Location of Partner (CITY_NAME)
  - Postal Code of Partner (POSTALCOD)
  - Mail of Contact Person at Partner (MAIL)
  - Phone Number of Contact Person at the Partner (TELEPHONE)
  - Fax No. of the Contact Person at the Partner (FAXNR)
  - Country of Partner (COUNTRY)
  - Province/District of the Partner (SUBENTITY)

TechAccount Partner Data (/MPR/XTA_PARTY)
- Partner Name in ACORD Messages (PARTY_NAME)
- Name of Contact Person at Partner (PERSON_NAME)
- The following fields are only changed if the search criterion was found in the field PARTY_NAME:
  - Street and House Number of the Partner (STREET_NR)
  - Location of Partner (CITY_NAME)
  - Postal Code of Partner (POSTALCOD)
  - Mail of Contact Person at Partner (MAIL)
  - Phone Number of Contact Person at the Partner (TELEPHONE)
  - Fax No. of the Contact Person at the Partner (FAXNR)
  - Country of Partner (COUNTRY)
  - Province/District of the Partner (SUBENTITY)

Header Data Table of an ACORD TechAccount Message (/MPR/XTAC_HEAD)
- Name of the Cedent of an ACORD Message (CEDENT_PARTY_NAM)
- Policy Holder Name (ORIG_POL_HOLDER)

ClaimMovementHeader 2 (/MPR/XC_CM_CLAI2)
- Name of Policy Holder (CLAIMANT_NAME)

Logging Table for ACORD ClaimMovement Message (/MPR/XCLAIMMOVE)
- Name of Party Who Sent ACORD Message (SENDER_PARTY_NAM)
- Recipient Name (RECEIVER_PARTY_N)

13.4 Read Access Logging

This document describes Read Access Logging only for the XDI component on SAP NetWeaver.

Note

For the XDI components Web Service and Middleware, the Read Access Logging specifications of the respective software providers/manufacturers have to be used.

Logging of read access to personal data is partly required by legislation. The Read Access Logging (RAL) component can be used to monitor and log read access to such data and to provide information such as which business users accessed personal data (for example, of a business partner) and in which time frame.

You can configure in RAL which read-access information to log and under which conditions.

SAP delivers sample configurations for applications. For more information, see the application-specific sections of the security guide.

You can display the configurations in the system by performing the following steps:

1. In transaction SRALMANAGER, on the Administration tab page, choose Configuration.

2. Choose the desired channel, for example WebDynpro.

3. Choose Search.

4. The system displays the available configurations for the selected channel.

5. Choose Display Configuration for detailed information about the configuration. Related recordings can also be displayed for specific channels.

Prerequisites

Before you can use the delivered RAL configurations, you must meet the following prerequisites:

- You are using:
  - NW 751:SP0
  - AS ABAP 7.51
  - Kernel 7.45 SP21 and above
  - SAP_UI 7.51 (UI5 1.40)
- The RAL configurations have been activated.
- You have enabled RAL in each system client.

More Information

For general information about Read Access Logging, see the product assistance for SAP NetWeaver on SAP Help Portal at https://help.sap.com/viewer/p/SAP_NETWEAVER under SAP NetWeaver Library: Function-Oriented View -> System Security for SAP NetWeaver AS for ABAP Only.

For up-to-date information about the delivered RAL configurations, see SAP Note 2347271.

13.4.1 Specific Read Access Log Configuration

You can configure in Read Access Logging (RAL) which read access information to log and under which conditions.

XDI delivers sample configurations for applications. You can find the configurations as described in the section Read Access Logging.

Fields are logged in the configurations detailed under List of Specific Read Access Log Configuration, in combination with additional fields according to the related business contexts.

SAP delivers sample configurations for applications. To use these configurations, save the ZIP attachments from the following SAP Notes:

- 2477806: Read access logging content for application FS-RI
- 2516645: Read access logging content for application FS-RI

Extract these ZIP files and use transaction SRALMANAGER to import the RAL configurations using the Import function for configurations.

13.4.2 List of Specific Read Access Log Configuration

Each entry below gives the configuration, the fields it logs, and the business context.

Channel: Web Dynpro

Configuration: MSGXDI_MANAGEMENT_COCKPIT
Fields Logged: Logging of displayed field NarrativeSum Insured in XDI Management Cockpit
Business Context: Specific data from the insured exchanged in the London Market via this field

Channel: Remote Function Call

Configuration: /MPR/FB_XF_RECEIVE_CM_XCH_LM
Fields Logged: Logging of RFC importing field IS_CM_HEADXCH-SUM_INS_NARR
Business Context: Specific data from the insured exchanged in the London Market via this field

www.sap.com/contactsap

© 2018 SAP AG or an SAP affiliate company. All rights reserved.
