SAP Sales and Operations Planning Security Guide

Document Version: 3.0.1 - 2014-01-03


Table of Contents

1 About this Document
2 Before You Start
2.1 Fundamental Security Guides
2.2 Important SAP Notes
2.3 Additional Information
3 Technical System Landscape
4 Security Aspects of Data, Data Flow and Processes
5 User Administration and Authentication
5.1 User Management
5.2 User Types
5.3 User Creation
5.4 Password Reset
5.5 Authentication
5.6 Integration into Single Sign-On Environments
6 Authorizations
6.1 Use
6.2 Role and Authorization Concept
6.2.1 Define Roles
6.3 Standard Roles
6.4 Password Policies
7 Storage and Network Security
8 Communication Channel Security
9 Data Storage Security
9.1 Data Storage
9.2 Data Protection
10 Data Privacy
11 Other Security-Relevant Information
11.1 Use
11.2 Securing SAP HANA
11.2.1 Authentication at the Schema Level
11.2.2 Restricted Port Access
11.2.3 Restricted Protocol Access
11.2.4 Restricted Origination IP
12 Security-Relevant Logging and Tracing
13 Frequently Asked Questions

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

1 About this Document

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise.

When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. These demands on security apply likewise to the SAP Sales and Operations Planning (S&OP) application, powered by SAP HANA®. This security guide will assist you in securing the SAP S&OP application.


2 Before You Start

2.1 Fundamental Security Guides

Other SAP security guides can be used as a resource for SAP Sales and Operations Planning (S&OP).

SAP Sales and Operations Planning consists of the following components:

● SAP HANA

● Extended Application Services (HANA LJS)

● SAP S&OP add-in for Microsoft Office Excel

Table 1: Fundamental Security Guides

Scenario, Application or Component | Security Guide | Most Relevant Sections or Specific Restrictions
SAP HANA | Security Guide | N/A

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace.

2.2 Important SAP Notes

Before installing the required components, make sure that you have all relevant information about the prerequisites and the latest version of each SAP Note, found on the SAP Service Marketplace. The following SAP Notes are relevant for your implementation:

Table 2:

Title | SAP Note
Release Restriction Note | Note 1714463

2.3 Additional Information

See the listed Quick Links for more information about specific security-related topics.

Table 3:

Content | Quick Link on SAP Service Marketplace or SDN
Security | http://sdn.sap.com/irj/sdn/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes ; http://service.sap.com/securitynotes
Released platforms | http://service.sap.com/pam
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP Sales and Operations Planning Service Marketplace | http://service.sap.com/sap30


3 Technical System Landscape

The figure below shows an overview of the technical system landscape for the SAP Sales and Operations Planning application.


4 Security Aspects of Data, Data Flow and Processes

The figure below shows an overview of the security aspects of the SAP Sales and Operations Planning (S&OP) application.


Table 4: The table below shows the security aspects to be considered for each process and which mechanism applies.

Step | Description | Security Measure
1 | User clicks on simulate or save | SAP S&OP add-on sends request through HTTPS
2 | Authentication | HANA XS (XS) checks if the user is logged on
3 | Convert from XML/JSON | Validates input and converts from XML/JSON
4 | Runs simulate calculation in HANA | Control access per user to key figures and master data for planning (using visibility filters). For more information about roles and visibility filters, see the online help. Visibility filters also apply to saving, as only values that have been read into the planning session can be changed and then saved, and to master data access and adding new combinations.

5 User Administration and Authentication

5.1 User Management

Each user of SAP Sales and Operations Planning (S&OP) has their own landscape, and users of each customer are managed in SAP HANA user management.

SAP S&OP uses SAP HANA mechanisms (for example, roles and password policies) and provides a web client application that enables administrators to add, remove, or update SAP S&OP users.

5.2 User Types

There are two user types provided for SAP Sales and Operations Planning (S&OP).

The user types that ship with SAP Sales and Operations Planning include:

● The administrative user SOPADMIN has ALL_INCLUSIVE permissions for all administrative tasks in User Management including creating users and roles and granting permissions.

● The default BASIC_USER can view analytics such as charts and dashboards.

5.3 User Creation

Users with Manage Users and Roles permissions can create and edit users.

New users must change their initial password when logging on for the first time (a restriction that is enforced by SAP HANA). When a user does not know or cannot recall their logon information, then users with Manage Users and Roles permissions can define a new password, or they can lock or unlock a password for any other user by:

● Creating a user in SAP S&OP, defining a password for the user, and manually emailing the user the logon information.

● Creating a user and having the system generate a random initial password for the user.

5.4 Password Reset

There are two options for resetting a password in SAP Sales and Operations Planning.

The following options are available for resetting the user password:

● A user can change their password in Settings


● The user's administrator can reset the password for any user (who has the same permissions or lower)

5.5 Authentication

Authentication is based on multiple forms of credentials.

These credentials are:

● User chosen ID

● User chosen password

● User permissions that are defined in roles and visibility filters to control access to the data

5.6 Integration into Single Sign-On Environments

Integration into SAP Single Sign-On environments is not supported in this release.


6 Authorizations

6.1 Use

The SAP HANA authorization concept is based on assigning authorizations to users through their roles and individual visibility filters.

Note: It is the customer administrator’s responsibility to validate the consistency of the authorization models in the application.

Administrators manage users and their permissions in the web client application using the User Management interface.

6.2 Role and Authorization Concept

The administrator of the application can create new roles with any combination of permissions.

Administrators manage roles and authorizations in the web client application using the User Management interface.

Related Information

Define Roles [page 12]

6.2.1 Define Roles

Roles determine which permissions your users have in the application and in the add-in for Microsoft Excel. If you do not assign any roles, by default all users can view analytics (charts and dashboards) with at least one visibility filter applied. The predefined ALL-INCLUSIVE role has predetermined permissions that cannot be edited.

You can also control the key figures that are visible to and/or editable for different users.

1. Choose Roles and Permissions.

2. To create a new role, choose + Add New Role.

3. Enter a name (required) and a description (optional) for the role.

4. Select the check boxes for the Permissions to include in this role. The following table lists the permissions that are shipped with the product:

Table 5: User Permissions

Permission | Description
Manage Users and Roles | Determines what operations users can perform by creating and assigning roles. Determines what data users can view by creating and assigning visibility filters.
Manage Dashboards | Allows users to create, edit, and delete dashboards.
Manage Charts | Allows users to create, edit, and delete charts.
Manage Scenarios | Allows scenario planning such as promoting scenarios to baseline, reinitializing (copying) the baseline to the scenario, and viewing status in the add-in for Microsoft Excel.
Manage Planning View Templates | Allows adding, updating, and deleting planning view templates in the add-in for Microsoft Excel. Assign this permission only to template administrators, not to end users. For more information, see “Templates” in the help for the add-in for Microsoft Excel.
Model Configuration | Allows model configuration functions such as creating, copying, and activating new data models in the web client.
Data Import | Allows data import into the application using a .zip file containing your manifest (.xml) and data files (.csv).
Add Attribute Combinations | Allows adding new combinations of attribute values to a planning view in the add-in for Microsoft Excel. For more information, see “New Combinations” in the help for the add-in for Microsoft Excel.
Delete Attribute Combinations | Allows deleting new combinations of attribute values from a planning view in the add-in for Microsoft Excel. For more information, see “New Combinations” in the help for the add-in for Microsoft Excel.
Statistical Forecasting | Allows the execution of statistical forecast processes in the add-in for Microsoft Excel. For more information, see “Statistical Forecasting” in the help for the Microsoft Excel add-in.
Supply Planning | Allows execution of supply planning algorithms for supply chain planning in the add-in for Microsoft Excel. For more information, see “Multilevel Supply Planning” in the help for the add-in for Microsoft Excel.

5. Select key figures for this role.

a) Select Edit Key Figures.

b) Select the appropriate planning area from the drop-down list.

c) Select the key figure to assign, click the right arrow to move it to the Selected Key Figures pane, and repeat as necessary. You can also use SHIFT-click or CTRL-click to move multiple objects.

d) To include the key figures in a role and to enable a user to only view the key figures, select the relevant View check boxes. To include the key figures in a role and to enable a user to edit them, select the relevant Edit check boxes.

6. Select the check boxes for the Reason Codes you want this role to include. Reason codes are used to indicate why a user made changes to a planning view. When they save the data, users select a reason code and can enter a comment. Customers define their own reason codes.

7. When you are done adding roles, choose Save.

Related Information

Add Users and Assign Roles and Visibility Filters [page 14]

Reset Passwords [page 15]

Edit User Details [page 16]

Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.

Deactivate Users [page 19]
Deactivation blocks a user's access to the application.

6.2.1.1 Add Users and Assign Roles and Visibility Filters

Prerequisites

● You have Manage Users and Roles permissions.

● At least one role is defined.

To add users and assign roles and visibility filters:

1. Choose User Management.

2. Choose + Add New User.

3. In the dialog box, enter the user information.

Fields marked with an asterisk are required.

In general, passwords should be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one number. Note that user name and password requirements can be configured in SAP HANA Studio. For details about password requirements, see “Password Policy” in the SAP HANA Security Guide.

4. Select the role(s) to assign to the user by clicking Assign Roles. In the resulting dialog box, select the role to assign, click the right arrow to move it to the Selected Roles pane, repeat as necessary, and click Save.

5. Select the visibility filter(s) to assign to the user by clicking Assign Visibility Filter. In the resulting dialog box, select the filter to assign, click the right arrow to move it to the Selected Filters pane, repeat as necessary, and choose Save.

6. Choose Save.

Related Information

Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.

Define Roles [page 12]

Edit User Details [page 16]

Reset Passwords [page 15]

Deactivate Users [page 19]
Deactivation blocks a user's access to the application.

6.2.1.2 Reset Passwords

Users can reset their own passwords in the Settings control panel:

1. In the upper-right corner of the application window, under the drop-down arrow choose Settings.

2. Under Reset password, enter the current password, type a new password, and retype it to confirm.

3. Choose Save.

If a user exceeds the maximum number of incorrect user or password combinations before a successful (correct) logon, the account will be locked. An administrator with Manage Users and Roles permissions can unlock the user's account. The administrator should then reset the user's password as follows and inform the user of their new password.

Note: Using SAP HANA studio, you can use the SQL command ALTER USER <user_name> RESET CONNECT ATTEMPTS to reset the number of invalid attempts to 0 and enable the user to connect immediately.

1. Choose User Management.

2. Select the required user from the list.

3. Choose Reset password.

4. Enter a new password, reenter to confirm it, and choose Reset.

5. Call or send the user a secure e-mail informing them of the new password.

The user will be required to change the password upon logging in.

For information about password policies, see “Password Policy” in the SAP HANA Security Guide.

Related Information

Add Users and Assign Roles and Visibility Filters [page 14]

Define Roles [page 12]

Edit User Details [page 16]

Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.

Deactivate Users [page 19]
Deactivation blocks a user's access to the application.


6.2.1.3 Edit User Details

After creating a user, you can edit user information, roles, and visibility filters.

1. Choose User Management.

A list of users and their information displays.

2. To view or change a user's details, select the user's name from the list.

User Detail | Description
General information | Edit basic user information such as a name and an email address. Active User: Activate or deactivate the user by selecting or clearing the check box. This control is also available in the User Management user list. Locked User: When this check box is selected, the user has been locked by the system due to too many incorrect log on/password combinations. Clear the check box to unlock the user and reset the password. Then notify the user either through secured email or with a phone call to indicate they will need to reset their password upon log-in.
Reset Password | If the user forgot or wants to change their password, choose Reset password. Enter and confirm the new password and choose Reset. Notify the user either through secured email or with a phone call to indicate they will need to reset their password upon logging in.
Roles | Select the roles with the associated permissions you want to assign to the user. To add roles, see Define Roles [page 12].
Visibility Filters | Select the visibility filters you want to assign to the user. Visibility filters determine what the user can see and access in a planning view. To add visibility filters, see Create Visibility Filters [page 16].

3. Choose Save.

Related Information

Add Users and Assign Roles and Visibility Filters [page 14]

Reset Passwords [page 15]

6.2.1.4 Create Visibility Filters

Visibility filters control what master data is visible to a user for a particular planning area.

Prerequisites

● An understanding of master data types and how they are used by your planning area

● Familiarity with your master data

The Visibility Filters interface lets you create, edit, and delete filters. At least one visibility filter must be assigned to users in order for them to be able to view data.


● A visibility filter defines a set of attribute combinations that are visible to the user:

○ If there is no condition for an attribute, all values are allowed.

○ Conditions for different attributes within a visibility filter are combined with AND (intersection).

○ Conditions for the same attribute within a visibility filter are combined with OR (union).

● Different visibility filters are combined so that the user has access to the union of the sets of attribute combinations that each of them allows.

The product ships with the predefined visibility filter View All Data for all of the planning areas. This filter enables the user to see all of the data in the application from all of the planning areas (and supersedes any other filters that have been applied).

Visibility filters are dependent on the model configured in the Configuration interface. When you activate a planning area in Configuration, a View All Data filter is created for the specific planning area.

You cannot edit or delete the View All Data filter. If there is more than one visibility filter assigned to a user, there is an OR relationship between them (union).

1. Choose Visibility Filters.

2. To create a new visibility filter, choose + Add New Visibility Filter. To edit a filter, click its name.

You can sort the list by clicking any column name and selecting Sort Ascending, Sort Descending, or enter a value in the Filter box to search for a specific entry.

3. Enter a name (required) and a description (optional) for the filter.

The name and description must be 3-20 alphanumeric characters in length.

4. In Planning Area, choose a planning area.

5. Under Filter Rules, choose a filter attribute.

If you define a filter that uses the same attribute more than once, there is an OR relationship between them:

Table 7: Example One

Attribute | Operator | Value
Customer ID | equal | Company ABC
Customer ID | equal | Company XYZ

Result: You can view data for either Customer ID Company ABC OR Customer ID Company XYZ.

If you define a filter that uses two or more different attributes, there is an AND relationship between them:

Table 8: Example Two

Attribute | Operator | Value
Customer ID | equal | Company ABC
Customer ID | equal | Company XYZ
Location Region | equal | USA

Result: You can view locations in the USA for (AND) either Customer ID Company ABC OR Customer ID Company XYZ.

6. Choose an operator.


Table 9: Description of Operators

Operator | Description | Example
equal | The result is equal to the value | Rule: Customer ID equal Company ABC. Result: You can view the details of the specific customer Company ABC.
greater than | The result is greater than the value |
greater than or equal to | The result is greater than or equal to the value |
less than | The result is less than the value |
less than or equal to | The result is less than or equal to the value |
between | The result is between the selected values |
contains pattern | The result matches the pattern defined. You can use the wildcards * and ? as follows: * can be substituted for any other multiple characters in a string; ? can be substituted for any single character in a string. | Rule: Customer ID equal Company*. Result: You can view the details of Company ABC, Company 9000, or any other suffix. Rule: Customer ID equal Company?. Result: You can view the details of a company with a single character, for example Company A or Company Z.
has no value | The attribute value is empty (is null) |
has some value | The attribute has any value (is not null) |
nodes and descendants | This operator is available if an attribute is hierarchical. Therefore, the result includes the selected node and all of its descendants. | Rule: Asset ID nodes and descendants Baker plant. Result: You can view the details of the Baker plant and all of its descendants (for example Buildings 1, 2, and 3).

7. Enter a value.

8. To add additional rules to the filter, choose the plus icon (Add Filter Rule).

9. Choose Save.

Note: Changing the planning area clears the filter rules.

The new filter appears in the Visibility Filters list. You can now assign this filter to a user.
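The combination rules in this section (OR between rules on the same attribute, AND between different attributes, union across a user's filters, no data without a filter) can be checked offline before a filter is assigned. The following Python model is an added example, not SAP code: the Rule class, the function names, the sample rows and the hierarchy are constructed, and whole-string wildcard matching, inclusive "between" bounds and modelling View All Data as a filter with no conditions are assumptions.

```python
# Added example: a model of the visibility-filter combination rules described above.
# Not SAP code. Rule, the function names and the sample rows are constructed.
import operator
import re
from collections import defaultdict
from dataclasses import dataclass

COMPARE = {
    "equal": operator.eq,
    "greater than": operator.gt,
    "greater than or equal to": operator.ge,
    "less than": operator.lt,
    "less than or equal to": operator.le,
}

@dataclass(frozen=True)
class Rule:
    attribute: str
    op: str
    value: object = None  # (low, high) tuple for "between"; unused by the two null checks

def wildcard_match(pattern, text):
    """'*' matches any run of characters, '?' exactly one; everything else is literal.
    Matching the whole string rather than a substring is an assumption."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None

def in_subtree(node, root, parent_of):
    """True if node is root or one of its descendants in the child -> parent map."""
    seen = set()
    while node is not None and node not in seen:  # 'seen' guards against cyclic data
        if node == root:
            return True
        seen.add(node)
        node = parent_of.get(node)
    return False

def rule_matches(rule, row, parent_of=None):
    actual = row.get(rule.attribute)
    empty = actual is None or actual == ""
    if rule.op == "has no value":
        return empty
    if rule.op == "has some value":
        return not empty
    if empty:
        return False  # a comparison never matches a missing value
    if rule.op in COMPARE:
        return COMPARE[rule.op](actual, rule.value)
    if rule.op == "between":
        low, high = rule.value
        return low <= actual <= high  # inclusive bounds are an assumption
    if rule.op == "contains pattern":
        return wildcard_match(rule.value, str(actual))
    if rule.op == "nodes and descendants":
        return in_subtree(actual, rule.value, parent_of or {})
    raise ValueError(f"unknown operator: {rule.op!r}")

def filter_allows(rules, row, parent_of=None):
    """OR between rules on the same attribute, AND between different attributes.
    An attribute without a rule is unrestricted, so an empty rule list allows every row."""
    by_attribute = defaultdict(list)
    for rule in rules:
        by_attribute[rule.attribute].append(rule)
    return all(
        any(rule_matches(r, row, parent_of) for r in group)
        for group in by_attribute.values()
    )

def visible_rows(rows, assigned_filters, parent_of=None):
    """Union over the user's filters; a user with no filter assigned sees nothing."""
    return [
        row for row in rows
        if any(filter_allows(f, row, parent_of) for f in assigned_filters)
    ]

# Constructed master data and hierarchy (child -> parent), reusing the page's example values.
ROWS = [
    {"Customer ID": "Company ABC", "Location Region": "USA", "Asset ID": "Building 1"},
    {"Customer ID": "Company ABC", "Location Region": "EMEA", "Asset ID": "Building 2"},
    {"Customer ID": "Company XYZ", "Location Region": "USA", "Asset ID": "Baker plant"},
    {"Customer ID": "Company Z", "Location Region": "USA", "Asset ID": "Other plant"},
    {"Customer ID": "Company 9000", "Location Region": None, "Asset ID": "Building 3"},
]
PARENT_OF = {name: "Baker plant" for name in ("Building 1", "Building 2", "Building 3")}

EXAMPLE_ONE = [
    Rule("Customer ID", "equal", "Company ABC"),
    Rule("Customer ID", "equal", "Company XYZ"),
]
EXAMPLE_TWO = EXAMPLE_ONE + [Rule("Location Region", "equal", "USA")]
VIEW_ALL_DATA = []  # assumption: modelled as a filter with no conditions

if __name__ == "__main__":
    cases = [("no filter", []), ("Example One", [EXAMPLE_ONE]),
             ("Example Two", [EXAMPLE_TWO]), ("Example Two + View All Data", [EXAMPLE_TWO, VIEW_ALL_DATA])]
    for label, filters in cases:
        shown = visible_rows(ROWS, filters, PARENT_OF)
        print(label, [(r["Customer ID"], r["Location Region"]) for r in shown])
```

Because filters combine by union, assigning an extra filter can only widen what a user sees; reviewing the full set of filters per user matters more than reviewing each filter alone.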


Related Information

Add Users and Assign Roles and Visibility Filters [page 14]

Define Roles [page 12]

6.2.1.5 Deactivate Users

Deactivation blocks a user's access to the application.

To deactivate a user:

1. Choose User Management.

A list of users and their information appears.

2. For the user to deactivate, clear the User Activated check box.

Or, open the user's detail window by clicking the user's name and clear the Active User check box.

Related Information

Add Users and Assign Roles and Visibility Filters [page 14]

Define Roles [page 12]

Reset Passwords [page 15]

Edit User Details [page 16]

Create Visibility Filters [page 16]
Visibility filters control what master data is visible to a user for a particular planning area.

6.3 Standard Roles

There are two roles that are delivered with the application.

Role | Description
ALL_INCLUSIVE | User role that executes all operations in the application.
BASIC_USER | This role is hidden. Minimum permissions are required to log in to the application and change the password. Assigned by default to all users and used for viewing only.

Users can have additional roles and permissions. The administrator defines the roles and assigns them to users.


6.4 Password Policies

SAP Sales and Operations Planning (S&OP) uses a "Strong Password" scheme as mandated by SAP product standards.

SAP standards, controlled by SAP HANA, require password value compliance and password expiration policies. For more information, see SAP HANA Security Guide.


7 Storage and Network Security

Network and storage security are vital considerations with any implementation.

For information about implementing storage and network security, see the SAP HANA Security Guide.


8 Communication Channel Security

The table below shows the communication channels, the protocol used for the connection, and the type of data transferred.

Table 10: Communication Channels

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Upload data from OP Systems (ERP) | HTTPS | All application data | N/A
SAP S&OP add-in for Microsoft Excel | JSON over HTTPS | All application data |
Administration and User configuration user interface | JSON over HTTPS | All application data |


9 Data Storage Security

9.1 Data Storage

Most data on the server side is stored in the SAP HANA database.

The only exception is when importing data from On Premise (OP) systems. In case of data stored in the SAP HANA database, data is protected by authorization rules defined by the customer’s administrator.

9.2 Data Protection

Application data is protected by SAP HANA tools.

Some of these tools are SAP HANA user management, SAP HANA Studio, *DBC drivers, and XS Engine. Microsoft Excel documents on the user’s computer also store some portion of the data.

Note: In order to protect this data, we suggest limiting access to these files to relevant users and using data encryption tools.


10 Data Privacy

The customer should define appropriate data privacy and protection measures and check the respective local legal and privacy requirements before using or implementing certain scenarios in the application.

Parts or all of the master data, as well as application data, can be regarded as sensitive data. Application data can contain customer, product, sales, production plans, and revenue plans, so it must be properly protected against unauthorized access or evaluation. Because the application allows for customization of the master data models as well as mapping data from external sources to these models, the application and system users are responsible for customizing authorizations so that the local legal requirements are observed. All personal data stored or accessed by the application should be kept to the necessary minimum. In addition, it is suggested that you import only the minimum amount of data required to support the use cases in which you are interested.


11 Other Security-Relevant Information

11.1 Use

The web client application is developed using SAP UI 5 technology, which is based on JavaScript.

The web client application will not work properly in any browser that does not support running JavaScript.

11.2 Securing SAP HANA

There are many ways to secure SAP HANA, including restricted access and required authentication.

11.2.1 Authentication at the Schema Level

Every SAP S&OP application instance makes use of multiple schemas on one SAP HANA database.

These schemas are protected with SAP HANA access control. Data from different customers resides in separate SAP HANA instances.

11.2.2 Restricted Port Access

Only specific ports are opened to the SAP HANA server; all other ports are set to “deny” access control by default.

11.2.3 Restricted Protocol Access

The SAP HANA server does not expose protocols other than ODBC, SSH, and other administration-related protocols.

11.2.4 Restricted Origination IP

The SAP HANA server does not open connections to, or accept connections from, unknown origination points. Sockets can only be opened from a restricted set of servers.


12 Security-Relevant Logging and Tracing

Web client application logon attempts are saved in the HANA logs.

Logon attempts are audited by SAP HANA. For more information, refer to the SAP HANA Security Guide.

SAP HANA tables containing the information on users, roles, and permission assignments also have auditing fields that log the modifications of these tables.


13 Frequently Asked Questions

SAP HANA provides security for all aspects of the application.

Table 11:

Question: How is stored data protected?

Answer:

● KeyStore: Secure vaults (keystores) are used to store sensitive information and keys. All keystores are passphrase protected and are not stored along with the data.

● Data Isolation: Data is stored in separate SAP HANA instances or schemas so that every access from one domain to another validates user credentials against the local identity store, adding the required isolation.

Question: How are configuration, user, password files, and so on managed?

Answer: The SAP solution authenticates the user. It is often necessary to specify different security policies for different types of users. The user types include named users, who represent real persons and are used for daily work with the SAP HANA database. These users are created by the user administrator. Passwords follow the policy described above.

Question: How does SAP HANA facilitate identifying suspicious activity?

Answer: There are monitoring tools in place.

Question: Is the hosted client environment secure and separated from other company environments?

Answer: Every customer has a dedicated production server, therefore each is physically separated for the application.

Question: Is security of data traffic over the public internet provided?

Answer: Data sent over the internet is encrypted. For more information, see Communication Channel Security [page 22].


www.sap.com/contactsap

© 2013 SAP AG or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.