Security Guide
© 2020 SAP SE or an SAP affiliate company. All rights reserved.
2 Architecture, p. 4
2.1 SAP Cloud Platform Integration Architecture, p. 4
3 Users, p. 6
3.1 User administration, p. 6
3.2 User authentication, p. 6
3.3 User Roles, p. 7
5 Data, p. 12
5.1 Data flow and data storage security, p. 12
5.2 PGP Management, p. 13
5.3 Certificate storage in the SAP Data Services Agent, p. 14
5.4 Data privacy, p. 14
8 Browser Support, p. 18
8.1 Browser support for SAP UI5 technology, p. 18
1 Security Guide for SAP Cloud Platform Integration
This guide describes security requirements for SAP Cloud Platform Integration for data services.
● Architecture
● Users
● Network and Communication
● Data
● Operational Security
● HANA Database
● Browser Support
● Data Protection and Privacy
2 Architecture
SAP Cloud Platform Integration for data services interacts with your local SAP landscape via the SAP Data Services Agent and secure HTTPS and RFC connections.
Note
Even when your data flows from the cloud to your on-premise landscape, there is no need to open the
firewall to inbound traffic. The SAP Data Services Agent always initiates the request.
SuccessFactors BizX
When used with SuccessFactors BizX, the SAP Cloud Platform Integration architecture is slightly different:
3 Users
Each SAP Cloud Platform Integration customer is assigned its own unique organization. The organization's
Security Administrator manages the users from the Administration page within the SAP Cloud Platform
Integration user interface.
The Security Administrator can create, activate, delete and assign roles to users within the organization.
Users are authenticated by the SAP Cloud Identity Service. SAP Cloud Identity Service verifies user identities,
grants authentication, and enables single sign-on across any platform within the SAP landscape that is
connected to it.
After the Security Administrator creates a user within SAP Cloud Platform Integration, an account activation
email is automatically sent from SAP Cloud Identity Service to the new user. If the user has an existing SAP
Cloud Identity Service account, then those credentials are used.
After activating the SAP Cloud Identity Service account, the user can log into SAP Cloud Platform Integration in
one of the following ways:
If you have configured a corporate tenant within SAP Cloud Platform Identity Authentication Service or have a
third-party corporate identity provider and use SAP Cloud Identity Service as a proxy, then you can transfer the
identity provider for SAP Cloud Platform Integration for data services. Transferring to an alternate identity
provider is done by the Security Administrator.
WebServicesUser
The WebServicesUser is a pre-defined system user only for Cloud Platform Integration web services. By default
this user is disabled. The web services user is not a regular user where the password policy is enforced by the
system. The web services user password does not automatically expire.
An administrator can enable the WebServicesUser and also set and change the password.
Control access to SAP Cloud Platform Integration functionality by assigning roles to your users.
Note
You must have Security Administrator permissions to create users and assign roles.
Role: Integration Developer
Authorizations:
● Creates and modifies tasks, processes, data flows, and datastore connections
● Executes and schedules tasks and processes in non-production environments such as Sandbox and views data to verify the results
● Can access only non-production environments, such as Sandbox
Activity            Sandbox   Production
Log on              ✓         ✓
Export tasks        ✓         ✓
Datastore: view     ✓         ✓
History: view       ✓         ✓
History: clear      X         X
4 Network and Communication
● All the publicly exposed entry points are protected by a firewall and/or intrusion prevention mechanism.
● Every exposed TCP port has protocol filters to avoid unwanted protocol traffic from entering or exiting.
● Only port 443 with SSL is exposed from the outside to prevent leakage of information. SSL sessions
terminate at the true end-point and not at the intermediate servers.
● All load balancers are on port 80 or 443. Load balancers secure communication with the application server
at runtime.
● Firewall rules prevent any non-public URL or interface from being sniffed or phished from the internet.
● All critical flows use TLS to prevent in-flight data from being inspected through a man-in-the-middle attack.
● All symmetric keys are at least 256-bit strength and asymmetric keys are at least 1024-bit strength. All
keys are safely handled according to SAP policies.
● Keystore passwords are not stored in unprotected places (if they need to be stored).
SAP Cloud Platform Integration uses communication protocols appropriate for each supported type of
communication path.
The communication channels used by SAP Cloud Platform Integration, the protocol used for the connection, and the type of data transferred are shown in the following table:

Communication path: Access data from on-premise systems such as ERP or a database. Data is accessed by the SAP Data Services Agent running locally.
Protocol used: RFC, database-specific connectivity protocol such as Oracle Call Interface (OCI) or ODBC
Type of data transferred: All application data

Communication path: Access data from cloud systems such as SuccessFactors™ or a web service. Data is accessed by the SAP Data Services Agent running locally.
Protocol used: SOAP webservice, RESTful webservice or OData over either HTTP or HTTPS
Type of data transferred: All application data

Communication path: Access files from remote file servers. Data is accessed by the SAP Data Services Agent running locally.
Protocol used: SFTP
Type of data transferred: All application data

Communication path: Administration and Developer user interface accessed by a web browser connected to the SAP Cloud Platform Integration server.
Protocol used: JSON over HTTPS
Type of data transferred: All application data

Communication path: SAP Data Services Agent to Cloud Platform Integration server.
Protocol used: HTTPS using TLS 1.2
Type of data transferred: All application data

Communication path: Cloud Platform Integration server to target HANA Cloud applications such as SAP Integrated Business Planning.
Protocol used: JDBC (communication within SAP data centers, not over the public internet)
Type of data transferred: All application data
You must secure the connectivity from the Data Services Agent to on-premise applications and databases
using the measures provided by each application. For example, use Secure Network Communications (SNC)
for RFC or SSL for databases and web services (SOAP, REST, or OData). For information about securing the
connectivity, refer to the application documentation.
5 Data
SAP Cloud Platform Integration offers seamless and secure integration between on-premise and cloud
systems. The SAP Data Services Agent always initiates the request, so there is no need to open your firewall to
inbound traffic.
The Data Services Agent provides direct secure access to ECC sources, SuccessFactors BizX, and
heterogeneous sources including files and databases.
Data persistence
Data is piped between the source and target and does not persist in SAP Cloud Platform Integration. On-premise and cloud applications are supported as source and target in the following directions:
● on-premise to cloud
● cloud to on-premise
● cloud-to-cloud
Note
In some cases, during runtime, data is cached on the disk where the Data Services Agent is installed;
however all files are cleared after task execution. In the event of an agent crash, files from previous runs are
cleared.
Data storage
SAP Cloud Platform Integration processes data in memory and then transfers it to the target application. Only
connection information and metadata for sources and targets is stored in the SAP HANA database in the cloud
and in the embedded database on the agent system.
Cryptographic keys
Within SAP Cloud Platform Integration, certain data is encrypted to ensure privacy, keep it free from
corruption, and maintain access control. Cryptographic keys are used to encrypt and decrypt this sensitive
data. The cryptographic keys are stored in the SAP HANA database and are managed by the Security
Administrator based on the organization's security guidelines and procedures. The security administrator can
create, deactivate, revoke and delete the keys.
File formats
A file format is a set of properties that describes the metadata structure of a flat data file. File formats allow the
software to access flat data files on an SAP Data Services Agent host system, and read from or write to those
files while the software executes a task.
To prevent directory path traversal, only the directories specified in the "Configure Directories" option in the
SAP Data Services Agent configuration tool are permitted.
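An added example (not code from SAP or from this guide) of the allow-list check the paragraph describes, in Python: a file referenced by a file format is accepted only if both its root directory and the resolved file path stay inside one of the configured directories. The directory names, file names and the function names are constructed assumptions.

```python
import os
from typing import Dict, Iterable, Optional, Tuple


def resolve_agent_file(root_dir: str, file_name: str,
                       allowed_dirs: Iterable[str]) -> Optional[str]:
    """Return the canonical path of root_dir/file_name if it lies inside one of
    allowed_dirs (the constructed stand-in for "Configure Directories"), else None.

    root_dir  - directory the file format points at; must be absolute
    file_name - file name from the task definition; may contain '..' or be absolute
    """
    if not os.path.isabs(root_dir):
        # Configured directories are absolute; a relative root would be resolved
        # against the agent process's working directory, which is not what was configured.
        return None
    # os.path.join discards root_dir entirely when file_name is absolute, and realpath
    # collapses '..' and follows symlinks, so the comparison below sees the path the OS
    # would actually open rather than the string the task author supplied.
    candidate = os.path.realpath(os.path.join(root_dir, file_name))
    root = os.path.realpath(root_dir)
    for allowed in allowed_dirs:
        base = os.path.realpath(allowed)  # also strips a trailing separator
        try:
            # commonpath compares whole components, so a sibling such as
            # /srv/dsagent/data_other does not pass as a prefix of /srv/dsagent/data.
            if (os.path.commonpath([base, root]) == base
                    and os.path.commonpath([base, candidate]) == base):
                return candidate
        except ValueError:
            # Windows: paths on different drives share no common path at all.
            continue
    return None


def check_task_files(task_files: Iterable[Tuple[str, str]],
                     allowed_dirs: Iterable[str]) -> Dict[Tuple[str, str], Optional[str]]:
    """Evaluate every (root_dir, file_name) pair a task refers to; None marks a rejection."""
    allowed = list(allowed_dirs)
    return {(root, name): resolve_agent_file(root, name, allowed) for root, name in task_files}


# Constructed sample configuration and task entries (not from a real agent).
ALLOWED_DIRS = ["/srv/dsagent/data/"]
SAMPLE_TASK_FILES = [
    ("/srv/dsagent/data/inbound", "orders.csv"),                 # normal case
    ("/srv/dsagent/data/inbound", "../archive/2020.csv"),        # '..' but still inside
    ("/srv/dsagent/data/inbound", "../../../../etc/passwd"),     # classic traversal
    ("/srv/dsagent/data/inbound", "/etc/passwd"),                # absolute name swallows root
    ("/srv/dsagent/data_other/inbound", "x.csv"),                # prefix look-alike root
    ("relative/inbound", "x.csv"),                               # relative root
]

if __name__ == "__main__":
    for (root, name), resolved in check_task_files(SAMPLE_TASK_FILES, ALLOWED_DIRS).items():
        verdict = "ALLOW " + resolved if resolved else "REJECT"
        print(f"{root!r} + {name!r} -> {verdict}")
```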
SAP Cloud Platform Integration supports SSH File Transfer Protocol (SFTP) when transferring data to or from
external servers. Password and public key authentication are both supported.
Note
It is recommended that you use SFTP and PGP to protect all sensitive data.
When a file is transferred to an external server using SFTP, a copy of the file remains in the Agent root
directory.
5.2 PGP Management
SAP Cloud Platform Integration uses PGP to encrypt or decrypt sensitive data that is stored in files. PGP provides privacy and security.
By encrypting the files, only the intended receiver will be able to see the actual content. The optional digital
signature verifies the sender's identity. It is recommended that you use PGP to protect all sensitive data.
PGP keys are managed through the Data Services Agent Configuration program. Within an SAP Cloud Platform
Integration organization, a single key pair is shared between all agents. Additionally any external (third-party)
public keys must be imported on all systems hosting an SAP Data Services Agent.
The following keys are used to read files from an external source:

Key: Organization private key
Use: Used to decrypt the data from the external third party

Key: External third-party public key
Use: Imported and then used to verify the digital signature

The following keys are used when writing files for an external third party:

Key: External third-party public key
Use: Used by SAP Cloud Platform Integration to encrypt data

Key: Organization private key
Use: Used when generating the optional digital signature

Key: Organization public key
Use: Exported from SAP Cloud Platform Integration. Sent to the third party to use to verify the digital signature
5.3 Certificate storage in the SAP Data Services Agent
All certificates for Cloud Platform Integration are stored in the agent in C:\Program Files\sap\DataServicesAgent\ssl and its subfolders.
● dsod_agent. Contains the agent's own private key and certificate. This key and certificate are self-signed and generated during installation, so each agent has a unique certificate. The certificate is uploaded to the SAP Cloud Platform Integration for data services server when the agent is configured using the configuration tool. The private key is used to generate each request's signature, which the server verifies using the previously uploaded certificate.
● mds. Contains certificates for communicating with other applications, including certificates for SAP applications such as SuccessFactors and HANA Cloud Platform. As a convenience, certificates which appear in this folder do not have to be copied over from the external application.
● trusted_certs. Contains certificates for communicating with the SAP Cloud Platform Integration for data services server (integration.ondemand.com, hcids.hana.ondemand.com, hcids.us1.hana.ondemand.com) and enables the secure HTTPS communication to the server. (TLS 1.2 is used for the HTTPS communication.)
Note
Communication between the agent and the SAP Cloud Platform Integration for data services server is
always started by the agent, so it is always an outbound request from the agent. There will never be an
inbound request from the server to the agent. Instead, the agent polls the server for tasks to perform,
etc.
View Data
SAP Cloud Platform Integration provides a View Data feature which allows the user to see the data loaded when
a task is run in the sandbox environment. The View Data feature is intended to allow users to conveniently
verify the results of tasks which are under development and eliminates the need to switch to the target
application to do so. View Data is available only in the sandbox environment and only for data loaded in an SAP
HANA database (not for other targets). Upon request, View Data can be disabled in the sandbox environment.
Note
If sensitive data is loaded during a test run in the sandbox, it can be viewed. Customers should not load
sensitive data in their sandbox environments.
Web service response
SAP Cloud Platform Integration provides the ability to load data to external web service targets and receive a
response from the external web service. This response can be displayed in the task execution history by
configuring the Display response in task history datastore option. The default value is “No”, and web service
responses are not displayed in the task history.
If you are concerned about sensitive data potentially being exposed in a web service response, leave the setting
at the default value of “No”. In the production repository, only an Administrator can change the value to “Yes”.
Note
Any displayed web service responses are cleared when the task history is cleared, and when the Display
response in task history option value is changed from “Yes” to “No”.
6 Operational Security
SAP Cloud Platform Integration is hosted by the SAP HANA application cloud. All operational processes are in
accordance with SAP HANA application cloud operation security guidance.
7 HANA Database
SAP Cloud Platform Integration is powered by SAP HANA. Within an SAP HANA database, separate repository
schemas are created for each SAP Cloud Platform Integration organization.
Each organization's schemas are unique to that organization and are never shared between organizations.
Within an organization there are two separate schemas: one each for the sandbox and production
environments.
These schemas are protected with SAP HANA access control. Metadata, jobs, data flows, runtime histories and
logs from different customers reside in separate HANA schemas.
SAP Cloud Platform Integration does not store data from on-premise or cloud sources in its HANA database.
Data is passed to the target applications.
There are specific ports opened to the SAP HANA server. All other ports are by default set with “deny” access
control.
The SAP HANA server does not expose protocols other than JDBC, SSH and other administrative-related
protocols.
8 Browser Support
The SAP Cloud Platform Integration application uses SAP UI5 technology which is based on JavaScript.
In order for SAP Cloud Platform Integration to operate properly, JavaScript must be enabled in the browser where it is running.
9 Data Protection and Privacy
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with applicable data privacy regulations, it is necessary to consider compliance with industry-specific legislation in different countries. SAP provides specific features and functions to support compliance with regards to relevant legal requirements, including data protection. SAP does not give any advice on whether these features and functions are the best method to support company, industry, regional, or country-specific requirements. Furthermore, this information does not give any advice or recommendation in regards to additional features that would be required in particular IT environments; decisions related to data protection must be made on a case-by-case basis, under consideration of the given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by
a product feature. SAP software supports data protection compliance by providing security features and
specific data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP
does not provide legal advice in any form. Definitions and other terms used in this document are not taken
from any given legal source.
9.1.1 Glossary
Term: Retention period
Definition: The period of time between the end of purpose (EoP) for a data set and when this data set is deleted subject to applicable laws. It is a combination of the residence period and the blocking period.

Term: End of purpose (EoP)
Definition: A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization (e.g. tax auditors).

Term: Sensitive personal data
Definition: A category of personal data that usually includes the following type of information:

Term: Residence period
Definition: The period of time after the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.

Term: Where-used check (WUC)
Definition: A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

Term: Consent
Definition: The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.
The handling of personal data is subject to applicable laws related to the deletion of such data at the end of
purpose (EoP). If there is no longer a legitimate purpose that requires the use of personal data, it must be
deleted. When deleting data in a data set, all referenced objects related to that data set must be deleted as well.
It is also necessary to consider industry-specific legislation in different countries in addition to general data
protection laws. After the expiration of the longest retention period, the data must be deleted.
SAP Cloud Platform Integration users and datastores can be deleted manually using the product user
interface. Deleting a user or datastore removes the associated data except where it appears in the security log.
The security log records all actions taken within SAP Cloud Platform Integration as well as who took them. This
information must be retained for auditing purposes. The retention period for the Security log can be defined by the Security Administrator in the SAP Cloud Platform Integration user interface under Administration > Settings. The log is permanently deleted at the end of the retention period.
Offboarding
If you terminate your ownership of an SAP Cloud Platform Integration account, the following data is deleted
from your customer tenant:
● Your user name (the first and last name on your account).
● Your email address.
● The IP addresses of your datastores.
● Customer name or ID.
● Security logs.
The security log provides information about occurrences of user-related events, datastore updates, and task or
process actions.
In SAP Cloud Platform Integration for data services, the security log can be accessed under Administration > Security Log. You must have Security Administrator permissions to view the security log.
Security events
Datastore updates
Note
Configuration data consists primarily of task definition (mappings, filters, transformations, rules,
connection information, and so on). Task or process definition cannot be modified in the production
environment.
9.1.4 Information about data subjects
Each user has the right to obtain a report showing his personal data that is stored by SAP Cloud Platform
Integration for data services.
As an SAP customer, you can request this report from SAP Support.
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be
categorized as sensitive by law, by external company policy, or by internal company policy.
Read access to sensitive data is logged in the security logs for the production environment.
For its own operations SAP Cloud Platform Integration for data services does not store any data which is
subject to consent. If any external data source stores any personal data which SAP Cloud Platform Integration
can access via a source datastore, the owner of this data source must obtain the consent.
In cases when SAP Cloud Platform Integration for data services uses personal data collected for SAP Support
troubleshooting purposes using the Data Services Agent diagnostic tool, consent is granted in the contract
between SAP and its customer.
The types of information collected by the diagnostic tool for analysis include:
● System-related information including operating system, IP addresses, processors, JVM memory and
system space statistics
● Network diagnostics to check communication between the Data Services Agent and SAP Cloud Platform
Integration server
● TCP/IP port information
● Security certificate information
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
www.sap.com/contactsap
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.