SAP Ariba security guide

PUBLIC 2022-03
SAP Ariba security guide: SAP Ariba cloud solutions
© 2022 SAP SE or an SAP affiliate company. All rights reserved.




Content

SAP Ariba security guide [page 3]
Topics about user management security [page 4]
    User administration [page 4]
    User groups [page 7]
    User roles [page 10]
Topics about extending login security [page 13]
    Multifactor authentication [page 13]
    Single sign-on with corporate authentication [page 16]
    SAP Ariba solutions integration with SAP Cloud Identity Access Governance [page 17]
Securing web service applications [page 19]
Securing file uploads [page 22]
    Anti-virus scanning [page 22]
Data storage security in SAP Ariba [page 23]
    Data encryption [page 23]
    Data deletion in Ariba Network [page 23]
Managing audit information [page 24]
Certificate requirements and management in SAP Ariba [page 27]
    Certificate-based authentication [page 27]
Security features for SAP Ariba mobile apps [page 29]


SAP Ariba security guide

This guide is for administrators who want to understand and use SAP Ariba security features.

This guide applies to:

● Ariba Network
● SAP Ariba Buying
● SAP Ariba Buying and Invoicing
● SAP Ariba Invoice Management
● SAP Ariba Catalog
● SAP Ariba Contracts
● SAP Ariba Contract Invoicing
● SAP Ariba Spend Analysis
● SAP Ariba Strategic Sourcing Suite
● SAP Ariba Sourcing
● SAP Ariba Supplier Information and Performance Management
● SAP Ariba Supplier Lifecycle and Performance
● SAP Ariba Supplier Risk
● SAP Ariba Supply Chain Collaboration for Buyers

Data Protection and Privacy Compliance

For more information about SAP Ariba data protection and privacy compliance, see Data Protection and Privacy.

Related guides

Managing SAP Ariba audit information


Topics about user management security

User administration [page 4]

User groups [page 7]

User roles [page 10]

User administration

You can create, manage, and monitor user accounts for your organization in the Administration user interface.

You can use the Administration user interface to perform user administrator tasks, such as:

● Creating new user accounts
● Deleting users when they leave the organization
● Resetting user passwords
● Acting as another user
● Locking and unlocking user accounts
● Monitoring user activity

Ariba Network

Topics for Ariba Network administrators that create, manage, and monitor user accounts:

Task: Assign user management capabilities to users
Description: The current account administrator can create a role with the User Administration permission and assign it to non-administrator buyer users, called user administrators. User administrators can perform administrative functions, such as tasks relevant to user management and buyer user access to Ariba Network.
Reference: How to assign user management capabilities to users

Task: Delete a user
Description: If a user has left the company, a buyer administrator can delete the user to prevent its further use to access Ariba Network.
Reference: How to delete a user


Task: Monitor user access activity
Description: Administrators and user administrators can use the User Access log to monitor daily user activity when users log in to Ariba Network. The number of failed access attempts since the last successful logon for each user, and the reasons for those failures, can also be tracked here.
Reference: Monitoring user access activity

Task: Prevent Ariba Network buyer users from logging in manually
Description: Buyers whose Ariba Network accounts are configured for single sign-on corporate authentication can prevent users from logging in to Ariba Network manually, outside of the single sign-on configuration.
Reference: Preventing Ariba Network buyer users from logging in manually

Task: Reassign a user login
Description: If a user has left the company, a buyer administrator can reassign that user's login to another individual, to retain the user setup and data.
Reference: How to reassign a user login

Task: Reset a user's password
Description: Buyer administrators can reset an existing user's password.
Reference: How to change a user's role and reset the password

Task: Revoke user access to Ariba Network
Description: Users can request that the administrator for their account remove their personal information from the system. If approved, the user can no longer log in to Ariba Network, and their personal information is no longer visible to users, including in transaction documents shared and exchanged with business partners.
Reference: Removing your personal information and revoking user access to Ariba Network

Task: Track and audit supplier group membership changes
Description: You can track and audit changes to the membership of supplier groups (when suppliers are added or removed).
Reference: How to track and audit supplier group membership changes

Task: Transfer administration ownership
Description: The current account administrator can reassign ownership of the Ariba Network account to another person.
Reference: How to transfer administration ownership
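The User Access log row above exposes, per user, the number of failed attempts since the last successful logon and their reasons, and the lock-or-unlock topics later in this guide note that accounts lock automatically after a set number of failures. As an added example that is not SAP Ariba code, the Python below computes that metric from a constructed access-log sample and flags the users an administrator should review. The line format, field names, reason codes and the lock threshold of five are assumptions chosen for illustration, not the format SAP Ariba exports.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample access log (format and reason codes are invented for this
# example; they are not the format SAP Ariba exports). One line is deliberately
# malformed to show that the parser skips it instead of aborting the review.
SAMPLE_LOG = """\
2022-03-01T08:00:01Z user=alice result=SUCCESS reason=-
2022-03-01T08:05:10Z user=bob result=FAILURE reason=BAD_PASSWORD
2022-03-01T08:05:40Z user=bob result=FAILURE reason=BAD_PASSWORD
2022-03-01T08:06:02Z user=bob result=SUCCESS reason=-
2022-03-01T09:00:00Z user=bob result=FAILURE reason=BAD_PASSWORD
2022-03-01T09:10:00Z user=carol result=FAILURE reason=BAD_PASSWORD
2022-03-01T09:10:05Z user=carol result=FAILURE reason=BAD_PASSWORD
2022-03-01T09:10:11Z user=carol result=FAILURE reason=MFA_CODE_INVALID
2022-03-01T09:10:20Z user=carol result=FAILURE reason=MFA_CODE_INVALID
2022-03-01T09:10:30Z user=carol result=FAILURE reason=BAD_PASSWORD
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) reason=(?P<reason>\S+)$"
)


@dataclass
class AccessState:
    """Per-user view, matching what the User Access log lets an administrator track."""
    failed_since_success: int = 0
    failure_reasons: Counter = field(default_factory=Counter)
    last_success: Optional[str] = None
    locked: bool = False


def summarize_access_log(log_text: str, lock_threshold: int = 5) -> Dict[str, AccessState]:
    """Replay the log in order: a success resets the failure streak, a failure
    extends it, and reaching lock_threshold consecutive failures locks the user.
    The lock is sticky; only an administrator unlock (not modelled here) clears it."""
    states: Dict[str, AccessState] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole review
        st = states.setdefault(m["user"], AccessState())
        if m["result"] == "SUCCESS":
            st.failed_since_success = 0
            st.failure_reasons = Counter()
            st.last_success = m["ts"]
        else:
            st.failed_since_success += 1
            st.failure_reasons[m["reason"]] += 1
            if st.failed_since_success >= lock_threshold:
                st.locked = True
    return states


def users_to_review(states: Dict[str, AccessState], min_failures: int = 3) -> List[str]:
    """Users an administrator should look at: already locked, or trending toward lockout."""
    return sorted(u for u, s in states.items()
                  if s.locked or s.failed_since_success >= min_failures)


if __name__ == "__main__":
    summary = summarize_access_log(SAMPLE_LOG)
    for user, st in summary.items():
        print(f"{user:6} failed_since_success={st.failed_since_success} locked={st.locked} "
              f"last_success={st.last_success} reasons={dict(st.failure_reasons)}")
    print("review:", users_to_review(summary))
```

The reason breakdown matters as much as the count: a run of BAD_PASSWORD followed by MFA_CODE_INVALID on the same account means the password was guessed or stolen and the second factor is what is holding, which is a different incident from a user who mistyped a password three times.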

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that create, manage, and monitor user accounts:

Task: Act as another user
Description: As an administrator, you can act as another user, for example to test a user account.
Reference: How to act as another user


Task: Anonymize personal data for deactivated users
Description: Administrators can anonymize user data for deactivated users.
Reference: How to anonymize personal data for deactivated users

Task: Block users
Description: Blocking a user prevents the user from logging in to the SAP Ariba application.
Reference: Blocking users in the site

Task: Create and manage user delegations
Description: User delegation allows one user to delegate tasks or responsibilities to another user. You can view, create, and end user delegations from Ariba Administrator. You can also change the delegatee for a delegation.
Reference: How to create and manage user delegations

Task: Deactivate or reactivate a user
Description: When you deactivate a user, the user is no longer active or visible in the SAP Ariba site, but the user record is preserved.
Reference: How to deactivate or reactivate a user

Task: Generate or reset user passwords
Description: You must generate temporary passwords for new users, and reset passwords for existing users who have forgotten their passwords.
Reference: How to generate or reset user passwords

Task: Let non-administrators act as another user
Description: The Act As group allows administrators to assign users to act as other users, without assigning all other administrator privileges associated with the Customer Administrator group. The limited ability to act as other users is useful for users who have to perform an action on behalf of another user in their absence, or for those who test new functionality by acting as different users.
Reference: How to let non-administrators act as another user

Task: Lock or unlock a user
Description: Locking a user prevents the user from logging in to SAP Ariba. Users can be locked and unlocked by the administrator. Users can also become locked automatically after a set number of failed login attempts.
Reference: How to lock or unlock a user

Task: View or disconnect user sessions
Description: When a user logs into your site, it creates a user session. You can view all current user sessions from Ariba Administrator, and you can disconnect a user's session.
Reference: How to view or disconnect user sessions

Task: View user activities in the audit log
Description: The audit log is where you can see the specific activities one or more users are performing on your site.
Reference: How to view user activities in the audit log

SAP Ariba Procurement solutions

Topics for SAP Ariba Procurement solutions administrators that create, manage, and monitor user accounts:


Task: Act as another user
Description: You can perform certain actions as another user.
Reference: How to act as another user

Task: Anonymize personal data for deactivated users
Description: Administrators can anonymize user data for deactivated users.
Reference: How to anonymize personal data for deactivated users

Task: Block users
Description: Blocking a user prevents the user from logging in to the SAP Ariba application.
Reference: Blocking users in the site

Task: Create or end a user delegation
Description: You can create or end delegations of authority on behalf of users.
Reference: How to create or end a user delegation

Task: Deactivate and reactivate a user
Description: When you deactivate a user, the user is no longer active or visible in the SAP Ariba application.
Reference: How to deactivate and reactivate a user

Task: Generate or reset user passwords
Description: You can generate and reset temporary passwords by using the Users task in Ariba Administrator.
Reference: How to generate or reset user passwords

Task: Let non-administrators act as another user
Description: You can add users to the Act As group to allow them to act as another user.
Reference: How to let non-administrators act as another user

Task: Lock and unlock a user
Description: Locking a user prevents the user from logging in to the SAP Ariba application.
Reference: How to lock and unlock a user

Task: Monitor user activities
Description: You can track activity for all users, or search for specific users to monitor, in the audit log.
Reference: How to monitor user activities

Task: Terminate a user
Description: When a user has permanently left your company, you can terminate the user. Terminating involves locking the user out of the system, delegating the user's authority to another user to complete any outstanding approvable tasks, and then deactivating the user.
Reference: How to terminate a user

Task: View user information
Description: You can review user information from Ariba Administrator.
Reference: How to view user information

User groups

Groups grant users access to functionality in SAP Ariba Strategic Sourcing and Supplier Management solutions and SAP Ariba Procurement solutions.

Roles grant users access to functionality in Ariba Network. For information about creating and assigning roles to Ariba Network users, see User roles [page 10].

Group membership enables users to perform specific actions in the end-user and Ariba Administrator interfaces. For example, only members of the Customer Administrator group can use Ariba Administrator to import, export, and manage all types of data.

SAP Ariba includes a number of default, or system-defined, groups. You can also add custom groups.


SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that create and assign groups that reflect the access requirements, job function, and responsibilities of system users:

Task: Learn about user groups in SAP Ariba Strategic Sourcing and Supplier Management solutions
Description: Reference information about the user groups in SAP Ariba Strategic Sourcing and Supplier Management solutions. Groups grant users access to functionality.
Reference: Strategic sourcing and supplier management group descriptions

Task: Learn about assigning either custom or default user groups to supplier management project teams
Description: You can assign either custom or default user groups to supplier management project teams using a buyer category assignment (user matrix) CSV data file import.
Reference: User groups in supplier management buyer category assignments (the user matrix)

Task: Learn about SAP Ariba Supplier Management solutions global user groups
Description: SAP Ariba Supplier Management solutions use membership in global user groups to grant users permissions to work with specific supplier management features.
Reference: Supplier management user groups

Task: Learn about the Project Owner group and its capabilities
Description: Every project team has a Project Owner group. In general terms, the Project Owner group is the most powerful group in a project and always has special capabilities and access rights, independent of any roles assigned to it.
Reference: Project Owner group and capabilities

Task: Learn about product sourcing personas and user groups
Description: The product sourcing personas define the most common user roles and how they participate in various workflows. To be able to perform the tasks, each of the personas must be part of the user groups that have the necessary permissions.
Reference: Product sourcing personas and user groups

Task: View user groups
Description: You can view all the groups, both system and custom, for your site, in Ariba Administrator.
Reference: How to view user groups

Task: Add and modify user groups
Description: You can add (create) custom groups and edit them, and you can edit some fields in system groups (for example, to assign users to a system group).
Reference: How to add and modify user groups

Task: Define subgroups for custom user groups
Description: The Import Group/Subgroup Relationships data import task defines subgroups, or child groups, for your custom groups.
Reference: Defining subgroups for custom user groups


Task: Deactivate or reactivate custom user groups
Description: You can deactivate custom groups but not system groups. When you deactivate a custom group, the group is no longer active or visible in the SAP Ariba site, but the group record is preserved. You can reactivate inactive groups.
Reference: How to deactivate or reactivate a custom user group

Task: Create and edit project groups
Description: When you create a project, you specify a team of users to work on the project. A project team consists of project groups. Each project group has different roles, which specify the permissions for the users in that group.
Reference: How to create and edit project groups

SAP Ariba Procurement solutions

Topics for SAP Ariba Procurement solutions administrators that create and assign groups that reflect the access requirements, job function, and responsibilities of system users:

Task: Learn about user groups in SAP Ariba Procurement solutions
Description: Reference information about the user groups in SAP Ariba Procurement solutions. Groups grant users access to functionality.
Reference: SAP Ariba Procurement solutions group descriptions

Task: Learn about data import tasks for groups
Description: There are two data import tasks available for SAP Ariba solutions, and one additional data import task available only for SAP Ariba Catalog.
Reference: Data import tasks for groups

Task: Define custom groups
Description: You use the Import Custom Groups data import task to define custom groups. This task reads data from the CSV file named CustomGroup.csv.
Reference: Import Custom Groups

Task: Define child groups for your custom groups
Description: You use the Import Group to Child Group Mapping data import task to define child groups for your custom groups.
Reference: Import Group to Child Group Mapping

Task: Import PunchIn groups
Description: Only users belonging to PunchIn groups can punch in to SAP Ariba Catalog from an external procurement system.
Reference: Import Punchin Groups in SAP Ariba Catalog

Task: Import user group mappings
Description: You use the Import User Group Mapping data import task to assign users to groups.
Reference: Import User Group Mappings


Task: Define user group mappings
Description: The Import User to Group Mapping Data (Consolidated File) data import task defines user-group mappings and is also used to make users responsible for specific purchasing units through their group assignments. It reads from the UserGroupConsolidated.csv file.
Reference: Import User to Group Mapping Data (Consolidated File)

Task: Manage groups in Ariba Administrator
Description: You can view system groups and add users and child groups to them, and create, deactivate, and reactivate custom groups in Ariba Administrator.
Reference: How to manage groups in Ariba Administrator

Task: Learn about rationalizing user and group data in multi-ERP
Description: Rationalizing data includes instructions for the customer administrator for preparing various types of ERP data for import into the parent and child sites of a single- or multi-variant configuration. The first step in rationalizing user data is to decide which users need access to the parent site and which users need access to child sites.
Reference: Rationalizing user and group data

Task: Learn about group membership required for PCard functionality
Description: PCard Managers can view, assign, and reconcile all charges that are unassigned in your buying solution.
Reference: Group membership required for PCard functionality

Task: Review your group memberships
Description: You can see which groups you belong to by viewing your user profile.
Reference: How to review your group memberships to understand your access permissions (SAP Ariba Procurement solutions)

Task: Learn about users and groups in guided buying
Description: Create users and configure their information so they can access guided buying and have a seamless purchasing experience.
Reference: Users and groups in guided buying

User roles

By creating roles and then adding users to them, administrators can control who can log in to your organization's Ariba Network account and which areas of the service each user can access.

Groups grant users access to functionality in SAP Ariba Strategic Sourcing and Supplier Management solutions and SAP Ariba Procurement solutions. For more information about creating and assigning users to groups, see User groups [page 7].


Ariba Network

In Ariba Network, a user with the Administrator role can create a role with certain permissions and assign the role to a buyer user.

A role defines a user function within Ariba Network, such as Purchase Order Generator. Each role has a unique name and set of associated permissions that specify what users who are assigned to the role can see and do in Ariba Network. A role can be assigned to any number of users.

Topics for Ariba Network administrators that create roles that reflect the access requirements, job function, and responsibilities of system users:

Task: Learn about Ariba Network roles, the Administrator role, and predefined roles
Description: A user with the Administrator role can create a role with certain permissions and assign the role to a buyer user. The Administrator role includes all available permissions. These permissions grant the Administrator role access to all areas of your Ariba Network account.
Reference: Ariba Network roles

Task: Learn about Ariba Network permissions
Description: A permission grants access to a certain area of the Ariba Network user interface. Each role includes one or more permissions.
Reference: Ariba Network permissions

Task: Create new user roles
Description: Buyer administrators can define new roles with a specific set of user permissions that determine what the assigned users can see or do in Ariba Network.
Reference: How to create a role

Task: Modify user roles
Description: Buyer administrators can edit a role's name, description, and assigned permissions.
Reference: How to modify a role

Task: Reassign users to different roles
Description: Buyer administrators can change the role assigned to users.
Reference: How to reassign users to a different role

Task: Change a user's role
Description: Buyer administrators can select a different role for an existing user.
Reference: How to change a user's role and reset the password

Task: Delete roles
Description: Buyer administrators can delete roles that they no longer need.
Reference: How to delete a role

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that create groups and assign roles to groups at the template or individual project level:


Task: Learn about project group roles
Description: When designing templates or creating a project, you might want to create groups with different capabilities and access rights.
Reference: Project group roles


Topics about extending login security

Multifactor authentication [page 13]

Single sign-on with corporate authentication [page 16]

SAP Ariba solutions integration with SAP Cloud Identity Access Governance [page 17]

Multifactor authentication

Multifactor authentication is an authentication method in which a user is granted access only after presenting two or more independent authentication factors. It adds a layer of protection for users who log in with a username and password: a stolen password alone no longer gives access to the account.

A common example of multifactor authentication is the combination of a password with a one-time code or PIN provided through an application on a smartphone or via text message. Without both pieces of information, a user cannot gain access. Two-factor authentication is a type, or subset, of multifactor authentication. Two-factor authentication, sometimes referred to as two-step verification or dual-factor authentication, is a security process in which the user provides two different authentication factors to verify their identity, protecting both the user's credentials and the resources the user can access. SAP Ariba generates the time-based verification codes with the Time-based One-Time Password (TOTP) algorithm as specified in RFC 6238.

In Ariba Network and SAP Ariba solutions, administrators can enable multifactor authentication for individual users and user groups. When multifactor authentication is enabled for a group, all users in that group can start using multifactor authentication. Multifactor authentication can be enabled only for accounts that do not use corporate authentication with single sign-on. In addition to turning multifactor authentication on or off, administrators can also perform maintenance tasks, such as unlocking user accounts that are locked due to invalid sign-on attempts and sending reminder emails to users who have not yet set up multifactor authentication.

Multifactor authentication is enabled at the site level by default, but it takes effect for a user only after the customer administrator enables it for that user or the user's group. Each affected user must then set up multifactor authentication for their account the next time they log in to the SAP Ariba solution. A secret key is generated for each user and provided to the user, who enters it into an authenticator application (for example, SAP Authenticator, or other compatible authenticators such as Google Authenticator or Microsoft Authenticator) to generate a time-based verification code. The secret key is the second factor itself: anyone who obtains it can generate valid codes, so it must be treated as a credential and never stored alongside the password. After the user enters their username and password, they enter the current time-based verification code before being logged in to the SAP Ariba solution. SAP Ariba solutions capture all multifactor authentication configuration changes in a site for auditing purposes.

Email notifications are sent to users when the administrator enables multifactor authentication for a user, when the deadline to set it up has passed, when the administrator resets multifactor authentication for the user, when the user's account is locked due to invalid sign-on attempts, when the account is unlocked, and so on.
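The TOTP flow described above (a per-user secret shared with an authenticator app, a 30-second time step, a 6-digit code checked after the password), as an added example in Python that is not part of the SAP Ariba guide or product: it implements RFC 6238 on top of RFC 4226 HOTP, provisions a secret in the otpauth Key URI format that SAP, Google and Microsoft Authenticator accept, and verifies codes with a one-step clock-skew window and replay protection. The issuer and account labels, the window size and the replay bookkeeping are assumptions about how a verifier would be built; the 20-byte seed in the demo is the RFC 6238 test vector, not a real secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length shown by the authenticator app


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1: the building block TOTP is defined on."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


def provision(issuer: str, account: str, key: Optional[bytes] = None) -> Tuple[bytes, str, str]:
    """Create the per-user secret and the Key URI an authenticator app scans.
    The otpauth:// format is the de facto one accepted by SAP, Google and Microsoft
    Authenticator (assumption: the guide does not say how Ariba delivers the key)."""
    key = key if key is not None else secrets.token_bytes(20)  # 160-bit key, as RFC 4226 recommends
    b32 = base64.b32encode(key).decode("ascii")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
           f"&digits={DIGITS}&period={STEP_SECONDS}")
    return key, b32, uri


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Accept a code for the current step or up to `window` steps either side
    (authenticator clock skew), but never for a counter at or below the one last
    accepted for this user (replay protection). Returns (ok, counter) so the caller
    can persist the counter as the new last_counter."""
    current = unix_time // STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate), code):  # constant-time compare
            return True, candidate
    return False, None


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B test seed, NOT a real secret
    _, b32, uri = provision("SAP Ariba", "user@example.com", seed)
    print("authenticator secret:", b32)
    print("enrolment URI:", uri)
    for t in (59, 1111111109, 1234567890):
        print(f"t={t:>10}  code={totp(seed, t)}")
    ok, ctr = verify_totp(seed, totp(seed, 59), 59)
    replayed, _ = verify_totp(seed, totp(seed, 59), 59, last_counter=ctr)
    print("first use accepted:", ok, " replay accepted:", replayed)
```

The verifier accepts codes from the adjacent steps only because authenticator clocks drift; widening the window beyond one step multiplies an attacker's odds per guess, and the `last_counter` check is what stops a code captured in transit from being replayed inside that window. Pair it with the per-account lockout the guide describes, since a 6-digit code is only as strong as the rate limit on guesses.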


Ariba Network supplier administrators

Topics for Ariba Network supplier administrators that configure and manage multifactor authentication:

Task: Learn about multifactor authentication
Description: Multifactor authentication provides an additional level of security by ensuring that users authenticate with an authentication factor in addition to their user name and password.
Reference: Multifactor authentication

Task: Enable multifactor authentication for login
Description: You can enable multifactor authentication for users.
Reference: How to enable multifactor authentication for login

Task: Configure multifactor authentication settings
Description: You can configure the multifactor authentication settings.
Reference: How to configure multifactor authentication settings

Task: Manage multifactor authentication for users
Description: You can manage multifactor authentication for users.
Reference: How to manage multifactor authentication for users

Ariba Network supplier administrators can refer supplier users to:

● How to set up multifactor authentication (supplier user) for information about setting up multifactor authentication.

● How to set up multifactor authentication using a new device (supplier user) for information about setting up multifactor authentication on a new device.

Ariba Network buyer administrators

Topics for Ariba Network buyer administrators that configure and manage multifactor authentication:

Task: Learn about multifactor authentication
Description: Multifactor authentication provides an additional level of security by ensuring that users authenticate with an authentication factor in addition to their user name and password.
Reference: Multifactor authentication

Task: Enable multifactor authentication for login
Description: You can enable multifactor authentication for users.
Reference: How to enable multifactor authentication for login

Task: Configure multifactor authentication settings
Description: You can configure the multifactor authentication settings.
Reference: How to configure multifactor authentication settings

Task: Manage multifactor authentication for users
Description: You can manage multifactor authentication for users.
Reference: How to manage multifactor authentication for users

Ariba Network buyer administrators can refer buyer users to:

● How to set up multifactor authentication (buyer user) for information about setting up multifactor authentication.


● How to set up multifactor authentication using a new device (buyer user) for information about setting up multifactor authentication on a new device.

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that configure and manage multifactor authentication:

Task: Learn about how to enable and configure multifactor authentication for users
Description: Multifactor authentication provides an additional level of security by ensuring that users authenticate with an authentication factor in addition to their user name and password.
Reference: Multifactor authentication

Task: Manage multifactor authentication for users
Description: You can enable and administer multifactor authentication for users.
Reference: How to administer multifactor authentication for users

Task: Manage multifactor authentication for user groups
Description: You can administer multifactor authentication for user groups.
Reference: How to administer multifactor authentication for groups

Task: Enable multifactor authentication by importing users
Description: You can enable multifactor authentication for new users by importing the users.
Reference: How to enable multifactor authentication by importing users

Task: Enable multifactor authentication by importing groups
Description: You can enable multifactor authentication for new groups by importing the groups.
Reference: How to enable multifactor authentication by importing groups

Task: Set multifactor authentication configuration parameters
Description: You can set multifactor authentication configuration parameters in Ariba Administrator using the Intelligent Configuration Manager > Manage Configurations workspace.
Reference: Intelligent Configuration Manager parameters reference

SAP Ariba Strategic Sourcing and Supplier Management solutions administrators can refer users to Setting up multifactor authentication for information about setting up multifactor authentication.

SAP Ariba Procurement solutions

Topics for SAP Ariba Procurement solutions administrators that configure and manage multifactor authentication:


Task: Learn about how to enable and configure multifactor authentication for users
Description: Multifactor authentication provides an additional level of security by ensuring that users authenticate with an authentication factor in addition to their user name and password.
Reference: Multifactor authentication

Task: Manage multifactor authentication for users
Description: You can enable and administer multifactor authentication for users.
Reference: How to administer multifactor authentication for users

Task: Manage multifactor authentication for user groups
Description: You can administer multifactor authentication for user groups.
Reference: How to administer multifactor authentication for groups

Task: Enable multifactor authentication by importing users
Description: You can enable multifactor authentication for new users by importing the users.
Reference: How to enable multifactor authentication by importing users

Task: Enable multifactor authentication by importing groups
Description: You can enable multifactor authentication for new groups by importing the groups.
Reference: How to enable multifactor authentication by importing groups

Task: Set multifactor authentication configuration parameters
Description: You can set multifactor authentication configuration parameters in Ariba Administrator using the Intelligent Configuration Manager > Manage Configurations workspace.
Reference: Intelligent Configuration Manager parameters reference

SAP Ariba Procurement solutions administrators can refer users to Setting up multifactor authentication for information about setting up multifactor authentication.

Single sign-on with corporate authentication

In organizations where single sign-on (SSO) with corporate authentication is set up, a user can sign in with one username and password to access multiple applications, including SAP Ariba Procurement solutions and SAP Ariba Strategic Sourcing solutions.

With SSO, users authenticate once against the corporate identity provider, which then asserts that identity to each application the user accesses (for SAP Ariba, via SAML), so users log in once rather than with a separate set of credentials for each application. SSO with corporate authentication also provides centralized control and enforcement of corporate authentication policies (for example, password and lockout policy) at the identity provider, and it removes the application-local password as a target.

To use SSO with corporate authentication, your network administrator must enable communication between your user authentication system and your SAP Ariba solution.

For information about integrating corporate authentication with a single sign-on solution, see Remote Authentication for Ariba On Demand and the Ariba Remote Authentication Deployment Guide. You can also search on Knowledge@Ariba for information about SAML (Security Assertion Markup Language).


SAP Ariba solutions integration with SAP Cloud Identity Access Governance

Integrating SAP Ariba cloud solutions with SAP Cloud Identity Access Governance enables buyers to manage user access by leveraging the capabilities of SAP Cloud Identity Access Governance.

SAP Cloud Identity Access Governance, a solution that manages access request creation and approval workflows, sends approved requests to applications in order to provision or change user access to those applications.

When SAP Ariba cloud solutions are integrated with SAP Cloud Identity Access Governance:

● SAP Cloud Identity Access Governance subscribers can include access to SAP Ariba cloud solutions for buyers in their global identity and access management framework.

● Buyers using SAP Ariba cloud solutions can adopt the identity and access management capabilities of SAP Cloud Identity Access Governance to manage user access to SAP Ariba cloud solutions.

SAP Cloud Identity Access Governance offers:

● Simplified governance of data access, with real-time, dashboard-driven analysis, insights, and audit reporting, for more productivity, visibility, and decision support
● Minimized access risk, non-compliance, and financial loss
● Configurable, predefined access policies and rules for governance enforcement
● Seamless user experience across all your solutions, whether from SAP Ariba or other companies
● Access control to enterprise applications and users anywhere and on any device, for comprehensive governance
● A cloud solution for identity and access governance with automated, maintenance-free updates

Enabling this feature

To enable this feature, have your Designated Support Contact (DSC) submit a Service Request (SR). An SAP Ariba Support representative will follow up to complete the request.

Prerequisites

You must have a subscription to SAP Cloud Identity Access Governance.

Your site must be configured to support SAP S/4HANA Cloud and SAP Ariba master data native integration for procurement. SAP Ariba Customer Support configures this for you.

Restrictions

This feature doesn't cover access to Ariba Network.

This feature is available only for sites hosted by SAP Ariba in a North America or European Union data center.


For more information

Documentation about integrating SAP Ariba solutions with SAP Cloud Identity Access Governance is on the SAP Help Portal. See Getting started.


Securing web service applications

You can use HTTPS with TLS mutual authentication to secure SAP Ariba web service applications.

SAP Ariba supports HTTPS with TLS mutual authentication to secure applications that use the following web services:

● SAP Ariba APIs (RESTful APIs)
● SAP Ariba SOAP APIs
● Any API used to send or receive cXML documents from Ariba Network (cXML-enabled applications)

HTTPS provides an encrypted communication channel; if you do not use HTTPS, your data is sent in cleartext. In addition to encrypted communication, HTTPS provides authentication between the client and server. When a client connects via HTTPS, the server sends its certificate so the client can authenticate the server. HTTPS can also be used by the server to authenticate the client by using TLS mutual authentication. With TLS mutual authentication, both the client and server send their X.509 certificate when the connection is being established.

To use HTTPS with TLS mutual authentication, you must obtain and maintain X.509 certificates to authenticate your applications. The certificates must be issued by a Certificate Authority (CA) trusted by SAP Ariba. To get information about the CAs currently trusted by SAP Ariba or to register a public CA to be trusted by SAP Ariba, contact SAP Ariba Support.

Inbound and Outbound web services

SAP Ariba provides both inbound and outbound web services.

● With inbound web services, SAP Ariba is the server and the API application is the client. HTTPS sessions are initiated by your client.

● With outbound web services, SAP Ariba hosts the information or resource, but the HTTPS session is initiated by SAP Ariba. In this case, SAP Ariba is the client and the API application is the server in the HTTPS session establishment dialog, and the initial message in the dialog originates from SAP Ariba.

Your site's security infrastructure may require you to configure source IP addresses for inbound traffic. A list of IP addresses used by SAP Ariba is available on the SAP Ariba Connect website (you must be an SAP Ariba customer or partner and registered to access this site).

Securing SAP Ariba APIs (RESTful) web service applications

Inbound SAP Ariba (RESTful) APIs

Requests and responses for inbound SAP Ariba (RESTful) APIs are exchanged using HTTPS. In addition, the inbound SAP Ariba APIs are secured by the SAP Ariba API Gateway and OAuth 2.0 authentication. All inbound SAP Ariba API requests must have both an application key for the API Gateway authentication and an OAuth access token unique to the client application making the request. The SAP Ariba APIs use the OAuth Client Credentials (two-legged OAuth protocol) authorization flow.


A high-level description of the workflow for accessing an SAP Ariba web service is as follows:

● Log in to the SAP Ariba developer portal to generate an application key and OAuth credentials (OAuth client ID and OAuth secret).

● Request an OAuth access token from the SAP Ariba OAuth authentication server, which is secured using HTTPS with TLS. The request includes the OAuth client ID and OAuth secret. The OAuth authentication server sends an OAuth access token with a fixed-length validity period and a refresh token; the refresh token is used to request a new access token if the access token expires.

● Use the OAuth access token and application key to send requests to the API endpoint.
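The three-step flow above, as an added Go example that is not part of the SAP Ariba guide or any SAP SDK: a small client that obtains an access token with the client-credentials grant using the OAuth client ID and secret, attaches the application key and Bearer token to every API request, and renews the token with the refresh token shortly before it expires. The token URL, the `apiKey` header name and the standard OAuth 2.0 grant-type values are assumptions; take the exact values for your site from the developer portal documentation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"
)

// tokenReply is the part of the token endpoint's JSON answer this client uses.
type tokenReply struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresIn    int64  `json:"expires_in"` // validity period in seconds
}

// Client adds the gateway application key and a Bearer access token to every API
// request. The first token comes from the client-credentials grant; when it is
// about to expire, the refresh token returned with it is used to obtain a new one.
type Client struct {
	TokenURL, ClientID, ClientSecret, AppKey string
	HTTP                                     *http.Client
	Now                                      func() time.Time // injectable clock

	mu              sync.Mutex
	access, refresh string
	expires         time.Time
}

// Token returns a usable access token, requesting or refreshing one when needed.
func (c *Client) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	// Renew a minute early so an in-flight request never carries an expired token.
	if c.access != "" && c.Now().Add(time.Minute).Before(c.expires) {
		return c.access, nil
	}
	form := url.Values{"grant_type": {"client_credentials"}} // grant names assumed (standard OAuth 2.0)
	if c.refresh != "" {
		form = url.Values{"grant_type": {"refresh_token"}, "refresh_token": {c.refresh}}
	}
	req, err := http.NewRequest(http.MethodPost, c.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // client ID and secret go in the header, never in the URL
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint answered %s", resp.Status)
	}
	var tr tokenReply
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return "", errors.New("token reply lacks access_token or expires_in")
	}
	c.access = tr.AccessToken
	c.expires = c.Now().Add(time.Duration(tr.ExpiresIn) * time.Second)
	if tr.RefreshToken != "" {
		c.refresh = tr.RefreshToken
	}
	return c.access, nil
}

// Do sends req carrying both credentials the API gateway checks.
func (c *Client) Do(req *http.Request) (*http.Response, error) {
	tok, err := c.Token()
	if err != nil {
		return nil, err
	}
	req.Header.Set("apiKey", c.AppKey) // application key for the gateway; header name is an assumption
	req.Header.Set("Authorization", "Bearer "+tok)
	return c.HTTP.Do(req)
}
```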

Outbound SAP Ariba (RESTful) APIs

The SAP Ariba developer portal also allows you to publish outbound RESTful APIs (outbound from the web service client to an application hosted on your system). When you request the SAP Ariba developer portal to publish your outbound API, you can select mutual authentication between the SAP Ariba outbound gateway and your OAuth server. If you select mutual authentication, a link to the SAP Ariba client certificate appears on the SAP Ariba developer portal configuration page. You can download this certificate and add it to your certificate storage utility.

Task: Use OAuth to secure SAP Ariba APIs
Reference: Developer portal authentication

Securing SAP Ariba SOAP web service applications

SAP Ariba recommends that you configure SOAP web services to use HTTPS with TLS mutual authentication. The SAP Ariba SOAP web services also support Web Services Security (WS-S) for signing SOAP messages.

In mutual TLS authentication, the client (an SAP Ariba solution) and the server (an external system) exchange certificates over a TLS 1.2 connection to authenticate each other. The server validates the client's certificate against the certificates configured in its truststore. The new administrator page gives customers an easy way to create and manage certificate configurations, which can be used to authenticate endpoints. Each certificate configuration is created for a specific application. Customers can optionally add a backup certificate as part of the configuration. The backup certificate is used when the primary certificate becomes unusable.

Mutual TLS authentication certificate configurations for outbound communications can be created only by SAP Ariba administrators. When customers search for saved configurations, they can see these outbound certificate configurations also. However, they cannot edit these configurations. Customers can copy SAP Ariba certificates from an outbound certificate configuration for use in validating outbound communications.
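The mutual authentication described in the HTTPS paragraphs above and in the SOAP truststore paragraph, as an added Go example that is not SAP Ariba code: an in-memory HTTPS server that accepts only clients presenting a certificate chaining to the CA in its truststore, exercised once with and once without a client certificate. The throwaway CA and certificates are constructed at run time for the demonstration; real certificates must be issued by a CA trusted by SAP Ariba.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) { // demo code only: abort on any setup error
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn signed by parent, or a self-signed root
// when isCA is true. This throwaway in-memory PKI is constructed for the demo;
// production certificates must be issued by a CA that SAP Ariba trusts.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MutualTLSRoundTrip starts an HTTPS server whose truststore holds only the demo
// CA and which refuses any client that cannot present a certificate chaining to
// it, then connects with or without a client certificate and returns the status.
func MutualTLSRoundTrip(presentClientCert bool) (int, error) {
	ca, caKey := newCert("demo-ca", true, nil, nil)
	srvCert, srvKey := newCert("api.example", false, ca, caKey)
	cliCert, cliKey := newCert("client-app", false, ca, caKey)
	truststore := x509.NewCertPool()
	truststore.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The peer certificate was already verified against ClientCAs in the handshake.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication
		ClientCAs:    truststore,                    // the server's truststore
	}
	srv.StartTLS()
	defer srv.Close()
	// The client verifies the server certificate against the same CA and offers its own only when asked.
	cliCfg := &tls.Config{RootCAs: truststore, MinVersion: tls.VersionTLS12}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cliCfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err // handshake rejected: no acceptable client certificate
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```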

Task: Collect security information to configure SOAP web services
Reference: How to collect access and security information for SOAP web services

Task: Configure mutual TLS authentication for inbound SOAP web services
Reference: Configuring mutual TLS authentication certificates for inbound SOAP web services

Task: Configure mutual TLS authentication for outbound SOAP web services
Reference: How to configure mutual TLS authentication for outbound SOAP web services

Securing cXML-enabled applications for Ariba Network

Ariba Network sends and receives all cXML documents using HTTPS.

Inbound Ariba Network applications

For inbound Ariba Network applications (inbound to Ariba Network from your application), Ariba Network always sends its server certificate during the session establishment dialog. To ensure trust between both the client and server, you can obtain a client certificate and configure your cXML setup for certificate authentication. Because Ariba Network sends its server certificate as part of the HTTP session establishment dialog, both the server (Ariba Network) and your client are then authenticated using certificates.

Outbound Ariba Network applications

For outbound applications (outbound from Ariba Network to your application; your application is the server in the HTTPS session establishment dialog), Ariba Network supports mutual authentication and sends its client certificate to your server if requested in the session establishment dialog.

Task: Secure cXML-enabled applications used to transmit and receive cXML documents
Reference: Document addressing and security


Securing file uploads

Anti-virus scanning

SAP Ariba scans files uploaded using both the user interface and the SAP Ariba integration toolkit.

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics about securing file uploads for SAP Ariba administrators:

Task: Learn about anti-virus scanning.
Description: Administrators can access the Virus Scan category in the audit logs to view detailed error information about virus scans.
Reference: Anti-virus scanning

Ariba Network

Topics about securing file uploads for Ariba Network administrators:

Task: Learn about anti-virus scanning.
Description: SAP Ariba automatically scans external files that are uploaded to Ariba Network.
Reference: Attachments and anti-virus scanning


Data storage security in SAP Ariba

Data encryption

SAP Ariba uses data encryption to protect data while in transit and at rest.

Encryption is an important part of SAP Ariba's data protection strategy. SAP Ariba uses both encryption-at-rest and encryption-in-transit to secure your data as it flows into the cloud environment of SAP Ariba solutions.

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that create, manage, and monitor user accounts:

Task: Learn about data encryption in SAP Ariba Strategic Sourcing and Supplier Management solutions.
Description: Encryption of personally identifiable information (PII) and other text information at storage time.
Reference: Enhanced data encryption

Data deletion in Ariba Network

Ariba Network buyer and supplier administrators can specify the retention period for transaction documents. Additionally, Ariba Network automatically deletes master data of buyer and supplier accounts after an extended period of inactivity.

For more information, see:

● Data deletion criteria for buyers
● Data deletion criteria for suppliers


Managing audit information

As part of audit compliance requirements, SAP Ariba solutions and Ariba Network must store information about changes made. Configuration changes, master data changes, and changes related to transactions need to be recorded for audit purposes. You can use the audit service provided by SAP Ariba to store and retrieve this audit data.

Ariba Network

Topics for Ariba Network administrators that need to monitor selected user and administrator actions:

Task: Monitor user access activity
Description: Administrators and user administrators can use the User Access log to monitor daily user activity when users log in to Ariba Network. Information about the number of failed access attempts and their reasons since the last successful logon for each user can also be tracked here.
Reference: Monitoring user access activity

Task: Track and audit supplier group membership changes
Description: You can track and audit changes to the membership of supplier groups (when suppliers are added or removed).
Reference: How to track and audit supplier group membership changes

Task: Track and audit transaction rule changes
Description: You can search for details about changes to transaction rule settings, including the user who made the changes, date, country/region, and supplier group.
Reference: How to track and audit transaction rule changes

Task: View audit events in the user interface
Description: You can use the audit log to view the specific activities that users, integration tools, or scheduled tasks performed in your site.
Reference: How to view audit events in the user interface

Task: View generated audit reports
Description: You can view generated reports to analyze activity in your SAP Ariba solution. The SAP Ariba audit service Reports tab has filters for viewing reports for specific applications, dates, or event types.
Reference: How to view generated audit reports

Task: Generate audit reports
Description: You can quickly generate an audit report from data on the SAP Ariba audit service Reports tab.
Reference: How to generate audit reports


SAP Ariba APIs

Topics for administrators that need to monitor selected user and administrator actions:

Task: Retrieve data from the audit service
Description: The Audit Search API enables you to retrieve stored audit data.
Reference: About Audit Search API

SAP Ariba Strategic Sourcing and Supplier Management solutions

Topics for SAP Ariba Strategic Sourcing and Supplier Management solutions administrators that need to monitor selected user and administrator actions:

Task: View audit events in the user interface
Description: You can use the audit log to view the specific activities that users, integration tools, or scheduled tasks performed in your site.
Reference: How to view audit events in the user interface

Task: View generated audit reports
Description: You can view generated reports to analyze activity in your SAP Ariba solution. The SAP Ariba audit service Reports tab has filters for viewing reports for specific applications, dates, or event types.
Reference: How to view generated audit reports

Task: Generate audit reports
Description: You can quickly generate an audit report from data on the SAP Ariba audit service Reports tab.
Reference: How to generate audit reports

Task: View user activities in the audit log
Description: The audit log is where you can see the specific activities one or more users are performing on your site.
Reference: How to view user activities in the audit log

Task: View or disconnect user sessions
Description: When a user logs into your site, it creates a user session. You can view all current user sessions from Ariba Administrator, and you can disconnect a user's session.
Reference: How to view or disconnect user sessions

SAP Ariba Procurement solutions

Topics for SAP Ariba Procurement solutions administrators that need to monitor selected user and administrator actions:


Task: View audit events in the user interface
Description: You can use the audit log to view the specific activities that users, integration tools, or scheduled tasks performed in your site.
Reference: How to view audit events in the user interface

Task: View generated audit reports
Description: You can view generated reports to analyze activity in your SAP Ariba solution. The SAP Ariba audit service Reports tab has filters for viewing reports for specific applications, dates, or event types.
Reference: How to view generated audit reports

Task: Generate audit reports
Description: You can quickly generate an audit report from data on the SAP Ariba audit service Reports tab.
Reference: How to generate audit reports

Task: Monitor user activities
Description: You can track activity for all users, or search for specific users to monitor, in the audit log.
Reference: How to monitor user activities


Certificate requirements and management in SAP Ariba

Certificate-based authentication

SAP Ariba provides X.509 certificate-based authentication.

SAP Ariba stores private keys for its certificates in a secured and hardened key management infrastructure. In certain environments, this is further protected by a FIPS 140-2 Level 2 Hardware Security Module (HSM).

SAP Ariba cloud integration

Topics for SAP Ariba administrators who configure and manage certificate-based authentication:

Task: Use certificate-based authentication for the SAP Ariba integration toolkit
Description: In SAP Ariba cloud solutions that are configured for certificate-based authentication, the SAP Ariba server uses the certificate to authenticate upload and download requests from the SAP Ariba integration toolkit.
Reference: How to use certificate-based authentication

Task: Import server and client certificates into SAP NetWeaver keystore
Reference: How to import server and client certificates into a view

Task: Configure SSL certificate for mediated connectivity
Description: Administrators can configure an SSL certificate to enable an HTTPS connection between SAP Process Integration and SAP Ariba solutions over Mediated Connectivity.
Reference: How to configure SSL certificate for mediated connectivity

Ariba Network

Topics for Ariba Network administrators that configure and manage certificate-based authentication:


Task: Obtain a digital certificate
Description: Obtain a signed digital certificate from a Certificate Authority trusted by SAP Ariba.
Reference: How to obtain a digital certificate


Security features for SAP Ariba mobile apps

Security features in the SAP Ariba mobile apps help protect your data and the communication between the app and SAP Ariba. SAP Ariba mobile apps include the following security configuration options and controls.

Security configurations:

● User authentication - username and password credentials are required to log in to SAP Ariba mobile apps.
● User authorization - SAP Ariba mobile app functionality is controlled by user authorizations and permissions defined in the web application.
● Fingerprint recognition - users can use fingerprint recognition instead of their username and password to log into SAP Ariba mobile apps.
● Face ID support for iOS devices - users can use facial recognition on devices that support it to access SAP Ariba mobile apps.
● Password reset - users can reset their password, and administrators can reset passwords on behalf of a user, from the web application. Users must enter their username and new password after password reset to re-enable Face ID or Touch ID features.
● Device deactivation - if a user's mobile device is lost or stolen, the user or administrator can deactivate SAP Ariba mobile apps via the web application.
● Minimum OS version requirement - SAP Ariba mobile apps have minimum OS version requirements to ensure users' mobile devices have the latest updates for security and stability.

Security controls:

● Data encryption - all data is encrypted, including data transmitted over the network and limited data stored on the device.
  ○ All communication between the device and the server is over TLS 1.2.
  ○ Data stored on mobile devices is encrypted using AES 256.
● Device passcode - SAP Ariba mobile apps can only be launched on a passcode-protected device.
● Jailbroken and rooted devices - SAP Ariba mobile apps aren't supported on jailbroken and rooted devices. If a device is jailbroken or rooted after an app is installed and activated, the app is deactivated and all data is wiped when the app is reopened.
● Screen focus - SAP Ariba mobile apps show a blank screen when the user focus is moved away from the app.

For more information about SAP Business Network Supplier mobile app, see About the SAP Business Network Supplier mobile app.

For more information about SAP Ariba Procurement mobile app, see SAP Ariba Procurement mobile app security features.


Important Disclaimers and Legal Information

Hyperlinks

Some links are classified by an icon and/or a mouseover text. These links provide additional information. About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:
  ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
  ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language

SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders, and abilities.


www.ariba.com

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
