Business Process Blueprinting Security Guide


Release 1.0


Copyright

© Copyright 2011 SAP AG. All rights reserved. SAP Library document classification: PUBLIC No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.


Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Contents

Introduction
Before You Start
Technical System Landscape
User Administration and Authentication
    User Management
Authorizations
Network and Communication Security
    Communication Channel Security
    Communication Destinations
Data Storage Security
Security Logging and Tracing


Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

Target Audience

● Developers

● Technology consultants

● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guide provides information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. To assist you in securing the access to business functionality with Business Process Blueprinting, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to Business Process Blueprinting.

Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the Business Process Blueprinting tool.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ User roles and types that are required by the Business Process Blueprinting tool.

● Authorizations

This section provides an overview of the authorization concept that applies to the Business Process Blueprinting tool.

● Network and Communication Security

This section provides an overview of the communication paths used by the Business Process Blueprinting tool and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Data Storage Security

This section provides an overview of any critical data that is used by the Business Process Blueprinting tool and the security mechanisms that apply.

● Security Logging and Tracing

This section provides an overview of the trace and log files that contain security-relevant information of the Business Process Blueprinting tool.

Before You Start

Business Process Blueprinting is based on the SAP NetWeaver Application Server for ABAP Server technology (AS ABAP). Therefore, the corresponding security guides also apply to Business Process Blueprinting. Pay particular attention to the most relevant sections and to specific restrictions as indicated in the table below.

| Application | Security guide |
|---|---|
| SAP NetWeaver AS ABAP | SAP NetWeaver Application Server ABAP Security Guide |

A complete list of all the available SAP Security Guides can be found at the SAP Service Marketplace under the quick link securityguide.

Additional Information

The following table lists special topics for security and their relevant quick links.

| Content | SAP Service Marketplace Address |
|---|---|
| Security | service.sap.com/security |
| Security Guides | service.sap.com/securityguide |
| Related SAP Notes | service.sap.com/notes |
| Released platforms | service.sap.com/platforms |
| Network security | service.sap.com/securityguide |
| SAP Solution Manager | service.sap.com/solutionmanager |

Technical System Landscape

The figure below shows an overview of the technical system landscape for Business Process Blueprinting.

For more information about the technical system landscape, see the resources listed in the table below.

| System | Role |
|---|---|
| Solution Composer | Solution Composer allows data exchange between Solution Manager and Business Process Blueprinting. It synchronizes data between the client and server. |
| SAP Solution Manager | SAP Solution Manager is a centralized support and system management suite from where you receive the content. |
| BPR | SAP Solution Manager stores content of the offered SAP solutions in form of realized business scenarios, business processes and process steps in Business Process Repository. |

User Administration and Authentication

Business Process Blueprinting uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the Business Process Blueprinting tool.

This authentication mechanism is based on HTTP basic authentication. We recommend that you use Secure Socket Layer (SSL), since this encrypts all information exchanged between the client and server.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Business Process Blueprinting tool in the following topics:

User Management

User management for the Business Process Blueprinting tool uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example tools, user types, and password policies. For an overview of how these mechanisms apply for the Business Process Blueprinting tool, see the sections below. In addition, we provide a list of the standard users required for operating the Business Process Blueprinting tool.

User Administration Tools

The Business Process Blueprinting tool uses UME (User Management Engine) as its data source for user management data.

For the server-related components, no replication of user data is required, as we maintain it in the same system for SAP Solution Manager as well as for Solution Composer.

User Management Tools

| Tool | Detailed Description |
|---|---|
| SAP NetWeaver Administrator | To set up an administrator user |
| User maintenance (transaction SU01) | To create users |

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The Business Process Blueprinting tool has the following types of users:

● Dialog users are used for SAP GUI for Windows.

● System users are used for background processing and communication within a system (such as RFC users).

● Technical users are used for communication between Solution Composer and SAP Solution Manager.

For more information about user types, see User Types in the Security Guide for SAP NetWeaver AS ABAP.

Overview of Roles and User Types

| System | Role | Type | Default Password | Description |
|---|---|---|---|---|
| SAP Solution Manager | /SOCO/FABRIC_USER | Dialog user | yes | Installed by the authorized user administrator |
| | /SOCO/FABRIC_ADMIN | System user | yes | Installed by the authorized user administrator |
| | SAP_BC_WEBSERVICE_ADMIN | System user | yes | Installed by the authorized user administrator |
| | SAP_BC_WEBSERVICE_ADMIN_TEC | System user | yes | Installed by the authorized user administrator |
| | SAP_BC_WEBSERVICE_CONFIGURATOR | System user | yes | Installed by the authorized user administrator |

Note

When the user enters the credentials in the Business Process Blueprinting tool to connect to the server, the data is transported by the Client Encryption framework and is verified against the user credentials stored in the RFC destination.

Authorizations

The following table provides information about the application-specific roles.

| Role | Description |
|---|---|
| /SOCO/FABRIC_USER | Basic access to Solution Composer Foundation |
| /SOCO/FABRIC_ADMIN | Full access to Solution Composer Foundation |

The following table provides the information about SAP standard admin roles.

Role Description

SAP_BC_WEBSERVICE_ADMIN

Administration authorizations for Web Services in AS ABAP

SAP_BC_WEBSERVICE_ADMIN_TEC

● Role for technical administrator of Web services.

● Monitoring sequences, messages, logging, tracing.

● Monitoring of payload for component SAP_BASIS.

● Administration of tracing and logging, RFC.

● Defining, executing Web Services.

● Administration of the Internet Communication Framework.

● Administration of the RFC destination.


● Administration of the Task Watcher and the Event Handler.

SAP_BC_WEBSERVICE_CONFIGURATOR

Administration authorizations for the properties of the Web service at runtime.

● /SOCO/FABRIC_ADMIN and /SOCO/FABRIC_USER are the roles which are provided along with the application.

● The user is mapped to the application specific roles or SAP standard admin roles based on the user’s need.

● The authorization information comes from ABAP authorization objects.

Note

The Business Process Blueprinting tool uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS ABAP Security Guide also apply to the Business Process Blueprinting tool.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine's user administration console when using Java.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Business Process Blueprinting tool is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Business Process Blueprinting tool. Details that specifically apply to the Business Process Blueprinting tool are described in the following topics:

● Communication Channel Security

This topic describes the communication paths and protocols used by the Business Process Blueprinting tool.

● Network Security

This topic describes the recommended network topology for the Business Process Blueprinting tool. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the Business Process Blueprinting tool.

● Communication Destinations

This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security [SAP Library]

● Security Aspects for Connectivity and Interoperability [SAP Library]

Communication Channel Security

● The communication between the SAP Solution Manager and the Solution Composer happens through web service APIs and RFC.

● The data exchanged between the client and the application server consists of application data, overhead data, security logs and trace files, and is transferred through HTTP REST. HTTPS is used when a secure connection or data protection is required.

● User credentials entered in the client while connecting to the server are encrypted by the client-side encryption framework for security purposes.

The following table provides an overview of the communication channels and the technology used in each case:

| Communication between… | Technology used for communication | Type of Data Transferred | Data Requiring Special Protection |
|---|---|---|---|
| Business Process Blueprinting tool and Solution Composer | Hypertext Transfer Protocol (HTTP), Secure Hypertext Transfer Protocol (HTTPS) | Application data, overhead data, security logs, trace files | User name and password |
| SAP Solution Manager and Solution Composer | Web service APIs | Application data | No |
| Solution Composer and BPR | SOAP | Application data | No |
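The guide bases authentication on HTTP basic authentication and marks the user name and password on the HTTP/HTTPS channel as needing special protection. The following is an added example, not part of the SAP guide or its tooling: it shows that a Basic header is only an encoding that anyone on the path can reverse, and audits a list of client connection URLs for cleartext use. The endpoint names, hosts, ports and credentials are constructed placeholders, and the client-side encryption framework the guide mentions is not modeled.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample data: hypothetical hosts and ports, not values from the guide.
SAMPLE_ENDPOINTS = {
    "workstation-a": "https://solman.example.test:44300/",
    "workstation-b": "http://solman.example.test:8000/",
    "workstation-c": "https://bpb_user:Secret1@solman.example.test:44300/",
}


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header: str) -> tuple:
    """Recover (user, password) from a Basic header; no key is involved."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("malformed Basic credentials") from exc
    # Only the first ':' separates user and password; passwords may contain ':'.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def audit_endpoints(endpoints: dict) -> list:
    """Return (name, finding) pairs for URLs that expose basic-auth credentials."""
    findings = []
    for name, url in endpoints.items():
        parts = urlsplit(url)
        if parts.username or parts.password:
            # Credentials in the URL end up in logs, history and config files.
            findings.append((name, "credentials-in-url"))
        scheme = parts.scheme.lower()
        if scheme == "http":
            # Without SSL the Basic header travels in a trivially decodable form.
            findings.append((name, "cleartext-http"))
        elif scheme != "https":
            findings.append((name, "unexpected-scheme"))
    return findings


if __name__ == "__main__":
    header = basic_auth_header("BPB_USER", "Init:1234")
    print(header, "->", decode_basic_auth(header))
    for name, finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{name}: {finding}")
```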

Communication Destinations

The communication between client and server happens through an HTTP or HTTPS connection, which is established in the tool via the preference page.

Web service configuration is used for the communication between Solution Composer and SAP Solution Manager.

The RFC destination AISOCO_SOLMAN_PROJECT, which accesses BPR (Business Process Repository) content from SAP Solution Manager, is delivered along with the application.

Note

The package context in which Business Process Blueprinting users work has an attribute on that package with the value of the RFC destination, to identify that it is in this Business Process Blueprinting context that the SAP Solution Manager connection has to be established.

Data Storage Security

● The system data is stored in the SAP database. The configuration file is stored in the file system. It contains the connection details that the client uses to connect to the server.

● A part of the data is stored in the database when the client connects to the SAP Solution Manager for the first time. Subsequently, data is stored whenever the user accesses the content from the client or the server.

● Read, write, modify and delete are the access types provided to the users along with the application. Users can use these access types based on their needs.

● Cookies are used to store data such as SAP context and path at the frontend. This data is available for as long as the session exists.

Security Logging and Tracing

● The application log and trace security-relevant information with respect to the:

○ client is stored in the client workspace.

○ server is stored in the server database.

Note

Using transaction code ‘slg1’ you can analyse the server-related logs.

● You can configure the logon attempts in the server using standard SAP transactions to which the admin has access.

● You can configure the Severity level by navigating through Change preferences Tracing and Logging Severity.

● The information written for the severity levels is:

| Severity | Details |
|---|---|
| FATAL | Announces that the application cannot recover from error. The severe situation causes a fatal termination. |
| ERROR | Announces that the application can recover from error. However, it cannot fulfill the required task due to the error. |
| WARNING | Announces that the application can recover from an anomaly and fulfill the required task. However, it needs attention from developer/operator. |
| INFO | Informational text, mostly for echoing what is performed. |
| PATH | For tracing the execution flow. It is used, for example, in the context of entering and leaving a method, looping and branching operations. |
| ALL | For debugging purposes, with extensive and low level information. |
| NONE | To deactivate logging / tracing. |