SAP Sourcing / CLM Webcast Series
Security concepts
SAP Sourcing Center of Excellence – Gary Boutin Sept 2012
© 2012 SAP AG. All rights reserved. 2
SAP Sourcing / CLM 2012 Webcast Series
Goal
• Spread the knowledge about SAP Sourcing
• Build and leverage the SAP Sourcing community
Audience
• SAP Consulting and Field Services
• Partner Consulting
• SAP Sourcing Customers
Upcoming Webcasts
• Workflows in SAP Sourcing/CLM
Objectives
The objectives for this session are:
• Provide an overview of Security Topics in SAP Sourcing / CLM
• Provide an understanding of Security Settings in the application
• Review options for authentication
Agenda
Landscape Security
File Security
Application Security Topics
Multi-Tenant Security and restrictions
SAP Sourcing / CLM Security
Landscape Security
Landscape Security
Recommended system landscape
[Diagram: recommended system landscape. Buyside User and Sellside User (the latter through a Firewall, e.g. VPN) connect over https / http(s) to a Load Balancer, IDS/IPS and Web Server (e.g. Enterprise Portal). Web/App Layer: NW J2EE, .NET*, SMTP, LDAP*, Virus Scan*, Optimizer*. Database Layer: Oracle or DB2, reached over JDBC and placed behind its own Database Layer Firewalls. Integration: PI*, FTP*, SAP ERP*, SAP SRM*.]
*: These servers are optional and only required if that particular usage scenario is enabled.
SERVER DESCRIPTIONS
SMTP: Outbound SMTP Relay Required
LDAP*: Used for authentication (NW UME can also be used)
Virus Scan: Symantec AV Scan Engine (server-side software; attachments are streamed through this service before being written to disk)
NW J2EE: NetWeaver Java Web Application Server (NW 7.30)
.NET: Server used for contract generation (requires MS-Word)
PI: SAP NW PI 7.0+ (for integration to ERP and SRM)
FTP: typically used to move integration files around; a file share could be used instead
IDS: Intrusion Detection/Protection; recommended: McAfee 2750
SAP ERP: SAP ERP-MM 6.0 EhP 0 – EhP 6
SAP SRM: SAP SRM 7.0 EhP 0 - 2; NWA-IC component required for integration
Landscape security
Additional Notes
• Separate database instance behind a second firewall. This is not required but a best practice, as all the configuration data and user data is stored within the database.
• HTTP should not be used in a Production environment. HTTPS is recommended.
• Alternative schemes using Reverse Proxies and/or appservers in a DMZ are also possible. When implementing load balancers, we require sticky sessions.
• Questions when designing the infrastructure: High availability? Max number of concurrent users? How will external users access this system? Will internal users have to be on the internal network to access the application?
Landscape Security
Authentication Options
Local
• File based list of users and hashed passwords.
• Not supported in Production mode; does not synch multiple password files.
LDAP – Direct support for:
• Oracle Directory (Sun One)
• Microsoft Active Directory
• Open LDAP
Netweaver UME
• Native support for NetWeaver UME and, by extension, other LDAPs NetWeaver supports
Single-Sign On (SSO)
• Portal integration
• SAP login tickets, Other
SAML 2
• As of Version 9, there is support for SAML 2
Landscape Security
Netweaver UME
[Diagram: SAP NetWeaver 7.3 Central Instance (CI) running SAP Sourcing with the User Management Engine (UME) in front of a User Data Store (LDAP or Database); Internal Buyers and Vendors authenticate through the UME; the CI can be extended to a cluster (Cluster mode).]
Application: SAP Sourcing
User Authentication Options: NetWeaver UME (SAP NetWeaver AS 7.3 for Sourcing 7 SP3+)
User Repository: NetWeaver UME Native Database, or NetWeaver UME Supported LDAP
Landscape Security
SAML 2.0 Usage Flow
[Diagram: the User's Browser, behind a Firewall, talks over SAML 2.0 to SAP Sourcing Wave 9 (Service Provider, on the SAP NetWeaver App Server) and to the Identity Provider (SAP Netweaver IDM: SAP Identity Management 7.1 SP5+ and 7.2).]
1. User requests SAP Sourcing resource
2. SAML adapter in container redirects browser to IdP
3. IdP will log the user in by asking the user for credentials and authenticating
4. IdP generates SAML response
5. IdP returns encoded SAML response to browser
6. Browser sends SAML response to SAML adapter
7. SAML adapter sends attribute to SAP Sourcing for validation
8. SAP Sourcing will validate the user per the attribute
9. SAP Sourcing sends requested resource
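The nine-step exchange above, as an added illustration that is not SAP's code: a shared HMAC key and JSON stand in for the IdP's XML signature and the SAML XML (both assumptions), so the checks the service-provider side has to make in steps 6 to 8 (signature, audience, InResponseTo, validity window, known user) can be run end to end.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins (assumptions, not SAP's implementation): an HMAC key replaces
# the IdP's XML signature key and JSON replaces the SAML XML; the shape of the checks
# is what the SP-side adapter has to perform in steps 6-8.
IDP_KEY = b"constructed-idp-signing-key"
SP_ENTITY_ID = "https://sourcing.example.com/sp"       # assumed service provider entity id
USER_DIRECTORY = {"jdoe": "Buyer", "vsmith": "Vendor"}  # assumed SAP Sourcing accounts

def sp_redirect(resource):
    """Steps 1-2: the adapter builds the AuthnRequest it redirects the browser with."""
    return {"request_id": secrets.token_hex(8), "issuer": SP_ENTITY_ID, "relay_state": resource}

def idp_response(request, user_id, now=None, key=IDP_KEY):
    """Steps 3-5: IdP authenticates the user and returns a signed, base64-encoded response."""
    now = int(time.time()) if now is None else now
    assertion = {"in_response_to": request["request_id"], "audience": request["issuer"],
                 "subject": user_id, "not_on_or_after": now + 300}
    body = json.dumps(assertion, sort_keys=True)
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    envelope = json.dumps({"assertion": body, "signature": signature})
    return base64.b64encode(envelope.encode()).decode()

def sp_validate(encoded, request, now=None):
    """Steps 6-9: verify signature, audience, InResponseTo and validity window, then map
    the subject attribute to an SAP Sourcing account. Returns ((user, role, resource), status)."""
    now = int(time.time()) if now is None else now
    envelope = json.loads(base64.b64decode(encoded))
    body = envelope["assertion"]
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return None, "bad signature"          # tampered, or signed by an untrusted IdP
    a = json.loads(body)
    if a["audience"] != SP_ENTITY_ID:
        return None, "wrong audience"         # response issued for a different SP
    if a["in_response_to"] != request["request_id"]:
        return None, "unsolicited or replayed"
    if now >= a["not_on_or_after"]:
        return None, "expired"
    role = USER_DIRECTORY.get(a["subject"])
    if role is None:
        return None, "unknown user"           # step 8: attribute matches no account
    return (a["subject"], role, request["relay_state"]), "ok"
```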
Landscape Security
Additional Settings
SAP Sourcing/CLM 7.0:
Additional servlet used to login as the system user (and only the system user): /fssystem
SAP Sourcing/CLM 9.0:
Additional servlet used to login as the enterprise user (and only the enterprise user): /fsenterprise
Based on this, the proxies / load balancer in the landscape can be configured to block traffic to these servlets from external access. In effect, only users within the proper network layer can then reach these administrative logins.
During the initial login as the system user, the user is required to change the system password. There have been several instances in the past where this was not done. As a friendly reminder: leaving this password at its default is not good practice.
SAP Sourcing / CLM
File Security
File Security
Virus scan
The optional Virus Scanner should always be used unless the environment is absolutely protected against uploading infected files. Consider external systems and the use of portable media like USB drives.
File extension white list / black list
System properties (System Context):
• attachments: attachments.upload.file.extension_list  <Comma Separated List>
• attachments: attachments.upload.file.extension_list_permitted  TRUE
Setting this property to FALSE makes this a black list (not recommended).
Application server
Files/directories in the sourcing installation directories should have the minimum required access.
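An added example (not SAP's implementation) of how the two properties above combine into an upload decision, including the edge cases a white list has to get right: double extensions, upper-case names, trailing dots and client-supplied paths. The property values are constructed samples.

```python
import os
import posixpath

# Constructed sample values for the two System Context properties on the slide
# (assumptions, not a real SAP Sourcing configuration).
EXTENSION_LIST = "pdf,docx,xlsx,png"
EXTENSION_LIST_PERMITTED = True   # TRUE = white list, FALSE = black list


def parse_extension_list(raw):
    """Comma separated property value -> set of lower-case extensions without dots."""
    return {e.strip().lower().lstrip(".") for e in raw.split(",") if e.strip()}


def upload_allowed(filename, extension_list=EXTENSION_LIST,
                   permitted=EXTENSION_LIST_PERMITTED):
    """Decide whether an attachment with this client-supplied name may be stored.

    Only the last extension counts (so 'quote.pdf.exe' is judged as 'exe'), the
    comparison ignores case, and a trailing dot or client path is stripped first.
    In white-list mode a name with no extension is rejected because it is not on
    the list; in black-list mode it is accepted, one illustration of why the deck
    calls the black list not recommended.
    """
    name = posixpath.basename(filename.replace("\\", "/"))  # drop any client-side path
    name = name.rstrip(". ")                                 # 'report.pdf.' -> 'report.pdf'
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    listed = ext in parse_extension_list(extension_list)
    if permitted:                    # white list: only listed extensions pass
        return bool(ext) and listed
    return not listed                # black list: anything not listed passes
```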
SAP Sourcing / CLM
Application Security Settings
Application Security Settings
Application security options
• System Properties
• Security Profiles
• Document Security Templates
• Collaborator Roles
• Groups
• User Accounts
Application Security Settings
System Properties
system.security.directory.display_entry_does_not_exist_error
system.security.separate_pswd_and_name
system.logs.max_age_days
upp.account.attributesEditList
upp.account.attributesViewEdit
upp.metering.login_inactivity_timeout
attachments.upload.file.extension_list
attachments.upload.enable.sellers
odp.system.tenant.advanced_tenant_security_enabled
odp.system.tenant.multi_tenant_enabled
Application Security Settings
Security Profiles (1/3)
• Class Level Security Profiles define which Document "classes", Features, and Master data a user gets access to
Application Security Settings
Security Profiles (2/3)
Object Level Security Profiles define what a User can do when they have access to a particular document, Master data object etc.
Application Security Settings
Security Profiles (3/3)
In the Access Rights Tab, there are
• 15 groupings of security rights.
• Each grouping contains several (many) individual objects (classes) that can have individual ACLs set.
• Not Set = Deny.
• Allow overrides Deny / Not Set
NOTE: Object Level and Restrict Access Checkboxes
Application Security Settings
Additional Security Profiles
Security Profiles are determined for specific user functions. They can be layered to provide additional access. Keep in mind the rules about how the ACL precedence works:
• Not Set = Deny = No access
• An Allow in any Profile overrides any number of Deny / Not Set = Access
Keep in mind that out of the box security profiles are properly maintained during upgrades. Custom Security Profiles might not be.
Always review the Upgrade Workbooks for Security Profile modifications.
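An added example (not SAP's code) that applies the precedence rules above to layered profiles: Not Set and Deny both mean no access, and a single Allow in any assigned profile wins. The profiles and object classes are constructed samples; `allow_sources` shows which profile to look at when a user gets access they should not have.

```python
from enum import Enum


class Acl(Enum):
    NOT_SET = "Not Set"
    DENY = "Deny"
    ALLOW = "Allow"


# Constructed sample profiles (assumptions, not the delivered SAP profiles): each maps
# an object class to an ACL; any class a profile does not mention is Not Set for it.
PROFILES = {
    "Buyer": {"RFx": Acl.ALLOW, "Contract": Acl.DENY, "Supplier": Acl.ALLOW},
    "Contract Viewer": {"Contract": Acl.ALLOW},
    "Restricted": {"Supplier": Acl.DENY, "Report": Acl.DENY},
}


def effective_acl(assigned, object_class, profiles=PROFILES):
    """Resolve one class across layered profiles with the deck's precedence:
    an Allow anywhere wins, otherwise Deny and Not Set both mean no access."""
    decisions = [profiles[p].get(object_class, Acl.NOT_SET) for p in assigned]
    if Acl.ALLOW in decisions:
        return Acl.ALLOW
    return Acl.DENY if Acl.DENY in decisions else Acl.NOT_SET


def has_access(assigned, object_class, profiles=PROFILES):
    return effective_acl(assigned, object_class, profiles) is Acl.ALLOW


def allow_sources(assigned, object_class, profiles=PROFILES):
    """Which assigned profiles grant the Allow: the ones to fix when a user who
    should be denied a class still gets it (a Deny elsewhere will not help)."""
    return [p for p in assigned if profiles[p].get(object_class) is Acl.ALLOW]


def access_report(assigned, profiles=PROFILES):
    """Effective decision for every class any profile mentions, e.g. to re-check a
    custom profile against the Upgrade Workbook after an upgrade."""
    classes = sorted({c for p in profiles.values() for c in p})
    return {c: effective_acl(assigned, c, profiles) for c in classes}
```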
Document Security Templates
• Each business document, Query, Report, Workbench needs a Document Security Template.
• This security configuration determines some important default behavior.
• They can be Document Type specific or class wide
Collaborator Roles
The user-friendly wrapper for object level Security Profiles.
These are the selections available when adding collaborators to specific documents.
User Groups
• User Groups provide a means to assign Security Profiles to a logical group of user accounts. They can be hierarchical.
• This is a Best Practice for assigning security profiles.
User Accounts
User maintenance, Password Generation, and assignment of access through the user account (Vendor Contact)
SAP Sourcing / CLM
Multi-Tenant Security and Restrictions
Multi-Tenant Security
Multi-tenancy is a deployment model whereby separate enterprises may be hosted within a single SAP Sourcing system.
Each individual Customer is installed as a separate enterprise within this system.
Each individual enterprise has a unique context ID and all enterprise scoped data and configurations include this ID in its database record.
Multi-Tenant Security
Once enabled, the multi-tenant security model adds additional levels of security to further isolate access to system functionality that could allow cross-tenant data access.
The areas automatically restricted for the enterprise and other tenant users include:
• Queries – Neither the enterprise user nor tenant users are allowed to create Query definitions.
• Query Groups – Neither the enterprise user nor tenant users are allowed to create Query Groups.
• Reports – Neither the enterprise user nor tenant users are allowed to create Reports.
• Script Definitions – Neither the enterprise user nor tenant users are allowed to create Script definitions.
• Workflow Definitions – Neither the enterprise user nor tenant users are allowed to create Workflow definitions.
Multi-Tenant Security
• Localized Resources – can be created by the enterprise user or an admin user with the proper security profile setting, but no existing localized resource created at the system level can be overridden.
• UDOs – User defined objects will not be available to end users in a multi-tenant environment.
• On Demand Workbooks – The reference guide now provides links to on-demand workbooks. These workbooks provide modified security profiles and content for package-specific implementations of SAP Sourcing in a Multi-tenant environment. The packages include: Sourcing Only; Contract Lifecycle Management (CLM) Only; Supplier Management Only; Sourcing and CLM.
Multi-Tenant Security
Tenant Configuration – To facilitate implementation by hosting organizations and consulting, the concept of an Advanced Tenant User was introduced.
This allows temporary access to configuration items like Queries, Scripts and Workflows for named users with System Administrator rights. The system user can assign these users to any of the available tenants as required. It is highly recommended that once the task is complete the user is removed as an advanced user.
In version 9, this is automated by specifying a duration. The rights expire based on this value.
What is wrong with this URL?
HTTP://123.45.67.89:52000/fsvendor/portal/login
1) HTTP
2) IP address and port exposed for external (supplier) portal
3) Missing deployment context
Corrected: HTTPS://company.abc.com/sourcing/fsvendor/portal/login
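An added check (not SAP's tooling) that covers this slide and the earlier Additional Settings slide: `url_findings` flags the three problems listed above for a published login URL, and `proxy_decision` is the rule the proxy / load balancer applies so that the /fssystem and /fsenterprise servlets only answer from the internal network layer. The deployment context and the internal address ranges are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions (constructed, not from the deck): the deployment context under which
# SAP Sourcing is published externally, and the address ranges treated as the
# internal network layer. The two administrative servlets are the ones named in the deck.
DEPLOYMENT_CONTEXT = "/sourcing"
ADMIN_SERVLETS = ("/fssystem", "/fsenterprise")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def url_findings(url):
    """List what is wrong with a login URL handed to external (supplier) users."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("HTTP instead of HTTPS")
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("IP address exposed instead of a host name")
    except ValueError:
        pass                                   # a host name, as it should be
    if parts.port not in (None, 443):
        findings.append("application port exposed")
    if not parts.path.startswith(DEPLOYMENT_CONTEXT + "/"):
        findings.append("missing deployment context")
    return findings


def is_internal(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def proxy_decision(path, client_ip):
    """What the reverse proxy / load balancer should do with a request: the system and
    enterprise login servlets are reachable only from the internal network layer."""
    if path.startswith(DEPLOYMENT_CONTEXT + "/"):
        path = path[len(DEPLOYMENT_CONTEXT):]
    for servlet in ADMIN_SERVLETS:
        if path == servlet or path.startswith(servlet + "/"):
            return "allow" if is_internal(client_ip) else "block"
    return "allow"
```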
Thank You!
Contact information: Gary Boutin CISSP SAP Sourcing CoE