PUBLIC

SAP Cloud Platform Integration for data services 1.0.11


2020-02-14

Security Guide
© 2020 SAP SE or an SAP affiliate company. All rights reserved.


Content

1 Security Guide for SAP Cloud Platform Integration

2 Architecture
2.1 SAP Cloud Platform Integration Architecture

3 Users
3.1 User administration
3.2 User authentication
3.3 User Roles

4 Network and Communication
4.1 Network security
4.2 Communication channel security

5 Data
5.1 Data flow and data storage security
5.2 PGP Management
5.3 Certificate storage in the SAP Data Services Agent
5.4 Data privacy

6 Operational Security
6.1 Operational security

7 HANA Database
7.1 SAP HANA database security

8 Browser Support
8.1 Browser support for SAP UI5 technology

9 Data Protection and Privacy
9.1 Data Protection and Privacy
    Glossary
    Deletion of Personal Data
    Security Log
    Information about data subjects
    Read Access Logging
    Consent for personal data

1 Security Guide for SAP Cloud Platform Integration

This guide describes security requirements for SAP Cloud Platform Integration for data services.

Sections in this guide include:

● Architecture
● Users
● Network and Communication
● Data
● Operational Security
● HANA Database
● Browser Support
● Data Protection and Privacy

2 Architecture

2.1 SAP Cloud Platform Integration Architecture

SAP Cloud Platform Integration for data services interacts with your local SAP landscape via the SAP Data
Services Agent and secure HTTPS and RFC connections.

Note

Even when your data flows from the cloud to your on-premise landscape, there is no need to open the
firewall to inbound traffic. The SAP Data Services Agent always initiates the request.

SuccessFactors BizX

When used with SuccessFactors BizX, the SAP Cloud Platform Integration architecture is slightly different:

3 Users

3.1 User administration

Each SAP Cloud Platform Integration customer is assigned its own unique organization. The organization's
Security Administrator manages the users from the Administration page within the SAP Cloud Platform
Integration user interface.

The Security Administrator can create, activate, delete and assign roles to users within the organization.

3.2 User authentication

Users are authenticated by the SAP Cloud Identity Service. SAP Cloud Identity Service verifies user identities,
grants authentication, and enables single sign-on across any platform within the SAP landscape that is
connected to it.

After the Security Administrator creates a user within SAP Cloud Platform Integration, an account activation
email is automatically sent from SAP Cloud Identity Service to the new user. If the user has an existing SAP
Cloud Identity Service account, then those credentials are used.

After activating the SAP Cloud Identity Service account, the user can log into SAP Cloud Platform Integration in
one of the following ways:

● user credentials (email and password)
● browser-based certificate
  The certificate is issued by SAP for SAP web applications and must be imported to the browser.

Alternate identity provider (IdP)

If you have configured a corporate tenant within SAP Cloud Platform Identity Authentication Service or have a
third-party corporate identity provider and use SAP Cloud Identity Service as a proxy, then you can transfer the
identity provider for SAP Cloud Platform Integration for data services. Transferring to an alternate identity
provider is done by the Security Administrator.

WebServicesUser

The WebServicesUser is a pre-defined system user that exists only for Cloud Platform Integration web services.
By default, this user is disabled. Unlike a regular user, the web services user is not subject to the password
policy enforced by the system, and its password does not automatically expire.

An administrator can enable the WebServicesUser and also set and change the password.

Related Information

Web Services Guide for SAP Cloud Platform Integration
Transfer Your Identity Provider (IdP)

3.3 User Roles

Control access to SAP Cloud Platform Integration functionality by assigning roles to your users.

Note

You must have Security Administrator permissions to create users and assign roles.

SAP Cloud Platform Integration supports the following user roles:

Production Operator
● Executes and schedules tasks and processes in the Production environment
● Views tasks, processes, data flows, and datastore connections
● Monitors running and finished tasks and processes

Administrator
● Has all the abilities of a Production Operator
● Manages the registration of Data Services Agent instances
● Creates or modifies datastore connection information in the Production environment
● Promotes tasks and processes between environments, for example from Sandbox to Production

Integration Developer
● Creates and modifies tasks, processes, data flows, and datastore connections
● Executes and schedules tasks and processes in non-production environments such as Sandbox and views
  data to verify the results
● Can access only non-production environments, such as Sandbox

Security Administrator
● Creates, activates, and deletes users
● Assigns roles to users
● Views security log

SAP Support
● For information only. Members of the SAP Support team are automatically assigned to this role to
  facilitate troubleshooting.
● The Security Administrator cannot assign or unassign users to this role, but can add additional roles
  for the user.
● The SAP Support user role provides limited access to Sandbox and Production environments. For details,
  see SAP Support user role permissions.

Site Administrator
● Defines the primary organization Security Administrator
● Defines the connection to the SAP HANA instance
SAP Support user role permissions

Activity | Sandbox | Production
-------- | ------- | ----------
Log on | ✓ | ✓
View projects, processes, tasks, data flows and their configurations | ✓ | ✓
Edit projects, processes, tasks, data flows and their configurations | ✓ | X
All deletion activities except sources, transforms, targets, and imported tables in Sandbox | X | X
Export tasks | ✓ | ✓
Import and promote tasks | X | X
System Configuration: view | ✓ | ✓
System Configuration: edit | ✓ | X
Datastore: view | ✓ | ✓
Datastore: edit, including import tables | ✓ | X
Schedule: view configuration | ✓ | ✓
Schedule: activate, deactivate, update, and delete | X | X
Task: "Run Now" | ✓ | X
Design-time data (JIT): execution | ✓ | X
History: view | ✓ | ✓
History: clear | X | X
Manage task version | X | X
Task execution logs (run in debug mode) | ✓ | ✓
Datastore test connection | ✓ | ✓
Web Services: views | ✓ | ✓
Web Services: run task | ✓ | X
Administration tab (all subtabs) | X | X

4 Network and Communication

4.1 Network security

Network security is implemented by the SAP Cloud.

Key aspects of the SAP Cloud include the following:

● All the publicly exposed entry points are protected by a firewall and/or intrusion prevention mechanism.
● Every exposed TCP port has protocol filters to avoid unwanted protocol traffic from entering or exiting.
● Only port 443 with SSL is exposed from the outside to prevent leakage of information. SSL sessions
terminate at the true end-point and not at the intermediate servers.
● All load balancers are on port 80 or 443. Load balancers secure communication with the application server
at runtime.
● Firewall rules prevent any non-public URL or interface from being sniffed or phished from the internet.
● All critical flows use TLS to prevent in-flight data from being inspected in a man-in-the-middle attack.
● All symmetric keys are at least 256-bit strength and asymmetric keys are at least 1024-bit strength. All
keys are safely handled according to SAP policies.
● Keystore passwords are not stored in unprotected places (if they need to be stored).

4.2 Communication channel security

SAP Cloud Platform Integration uses communication protocols appropriate for each supported type of
communication path.

The communication channels used by SAP Cloud Platform Integration, the protocol used for the connection,
and the type of data transferred are shown in the following table:

Communication path | Protocol used | Type of data transferred
------------------ | ------------- | ------------------------
Access data from on-premise systems such as ERP or a database. Data is accessed by the SAP Data Services Agent running locally. | RFC, database-specific connectivity protocol such as Oracle Call Interface (OCI) or ODBC | All application data
Access data from cloud systems such as SuccessFactors™ or a web service. Data is accessed by the SAP Data Services Agent running locally. | SOAP webservice, RESTful webservice or OData over either HTTP or HTTPS | All application data
Access files from remote file servers. Data is accessed by the SAP Data Services Agent running locally. | SFTP | All application data
Administration and Developer user interface accessed by a web browser connected to the SAP Cloud Platform Integration server. | JSON over HTTPS | All application data
SAP Data Services Agent to Cloud Platform Integration server. | HTTPS using TLS 1.2 | All application data
Cloud Platform Integration server to target HANA Cloud applications such as SAP Integrated Business Planning. | JDBC (communication within SAP datacenters - not over public internet) | All application data

You must secure the connectivity from the Data Services Agent to on-premise applications and databases
using the measures provided by each application. For example, use Secure Network Communications (SNC)
for RFC or SSL for databases and web services (SOAP, REST, or OData). For information about securing the
connectivity, refer to the application documentation.

5 Data

5.1 Data flow and data storage security

SAP Cloud Platform Integration offers seamless and secure integration between on-premise and cloud
systems. The SAP Data Services Agent always initiates the request, so there is no need to open your firewall to
inbound traffic.

The Data Services Agent provides direct secure access to ECC sources, SuccessFactors BizX, and
heterogeneous sources including files and databases.

Data persistence

Data is piped between the source and target and does not persist in SAP Cloud Platform Integration. On-
premise and cloud applications are supported as source and target in the following directions:

● on-premise to cloud
● cloud to on-premise
● cloud-to-cloud

Note

In some cases, during runtime, data is cached on the disk where the Data Services Agent is installed;
however all files are cleared after task execution. In the event of an agent crash, files from previous runs are
cleared.

Data storage

SAP Cloud Platform Integration processes data in memory and then transfers it to the target application. Only
connection information and metadata for sources and targets is stored in the SAP HANA database in the cloud
and in the embedded database on the agent system.

Cryptographic keys

Within SAP Cloud Platform Integration, certain data is encrypted to ensure privacy, keep it free from
corruption, and maintain access control. Cryptographic keys are used to encrypt and decrypt this sensitive
data. The cryptographic keys are stored in the SAP HANA database and are managed by the Security
Administrator based on the organization's security guidelines and procedures. The security administrator can
create, deactivate, revoke and delete the keys.

File formats

A file format is a set of properties that describes the metadata structure of a flat data file. File formats allow the
software to access flat data files on an SAP Data Services Agent host system, and read from or write to those
files while the software executes a task.

To prevent directory path traversal, only the directories specified in the "Configure Directories" option in the
SAP Data Services Agent configuration tool are permitted.
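
The directory restriction described above can be enforced along the following lines. This is an added example, not SAP's implementation and not part of the original guide; the class, function, directory and file names are hypothetical, and the sample directory tree is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class DirectoryAllowlist:
    """Permit file access only beneath explicitly configured directories.

    Hypothetical helper: it models the idea behind the "Configure
    Directories" setting, not the agent's actual code.
    """

    def __init__(self, allowed_dirs):
        # Canonicalize the configured roots once, so relative or symlinked
        # entries are compared in the same form as incoming requests.
        self._roots = [Path(d).resolve() for d in allowed_dirs]

    def resolve(self, requested):
        """Return the canonical path if it lies inside an allowed directory;
        raise PermissionError otherwise."""
        candidate = Path(requested)
        if not candidate.is_absolute():
            # A relative path would depend on the process working directory.
            raise PermissionError(f"relative path rejected: {requested!r}")
        # resolve() collapses ".." segments and follows symlinks. It also
        # works for files that do not exist yet (for example a load target).
        real = candidate.resolve()
        for root in self._roots:
            # Compare whole path components, never string prefixes, so that
            # ".../inbound_backup" does not pass as being under ".../inbound".
            if real == root or root in real.parents:
                return real
        raise PermissionError(f"outside configured directories: {real}")


def demo():
    """Build a constructed directory tree and classify sample requests."""
    base = Path(tempfile.mkdtemp()).resolve()
    inbound = base / "inbound"          # the only configured directory
    sibling = base / "inbound_backup"   # shares a string prefix, nothing else
    inbound.mkdir()
    sibling.mkdir()
    (inbound / "orders.csv").write_text("id,qty\n1,5\n")
    (sibling / "old.csv").write_text("id,qty\n")
    (base / "secret.txt").write_text("not for tasks\n")
    # A link placed inside the allowed directory that points outside it.
    os.symlink(base / "secret.txt", inbound / "link.csv")

    allow = DirectoryAllowlist([inbound])
    requests = {
        "plain": inbound / "orders.csv",
        "new_file": inbound / "out" / "result.csv",
        "dotdot": inbound / ".." / "secret.txt",
        "prefix": sibling / "old.csv",
        "symlink": inbound / "link.csv",
    }
    results = {}
    for name, path in requests.items():
        try:
            allow.resolve(str(path))
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} {verdict}")
```

The file should then be opened through the canonical path returned by the check rather than the original string, so that the path that was validated is the path that is used.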

SAP Cloud Platform Integration supports SSH File Transfer Protocol (SFTP) when transferring data to or from
external servers. Password and public key authentication are both supported.

Data stored in files can be PGP-encrypted and signed.

Note

It is recommended that you use SFTP and PGP to protect all sensitive data.

When a file is transferred to an external server using SFTP, a copy of the file remains in the Agent root
directory.

5.2 PGP Management

SAP Cloud Platform Integration uses PGP to encrypt or decrypt sensitive data that is stored in files. PGP
provides privacy and security.

Encrypting the files ensures that only the intended receiver can see the actual content. The optional digital
signature verifies the sender's identity. It is recommended that you use PGP to protect all sensitive data.

PGP keys are managed through the Data Services Agent Configuration program. Within an SAP Cloud Platform
Integration organization, a single key pair is shared between all agents. Additionally any external (third-party)
public keys must be imported on all systems hosting an SAP Data Services Agent.

The following keys are used to read files from an external source:

Key | Use
--- | ---
Organization public key | Used by external third-party to encrypt data
Organization private key | Used to decrypt the data from the external third-party
External third-party public key | Imported and then used to verify the digital signature

The following keys are used to load files to an external source:

Key | Use
--- | ---
External third-party public key | Used by SAP Cloud Platform Integration to encrypt data
Organization private key | Used when generating the optional digital signature
Organization public key | Exported from SAP Cloud Platform Integration. Sent to third party to use to verify the digital signature

5.3 Certificate storage in the SAP Data Services Agent

All certificates for Cloud Platform Integration are stored in the agent in
C:\Program Files\sap\DataServicesAgent\ssl and its subfolders.

Each subfolder contains a different type of certificate:

● dsod_agent. Contains the agent's own private key and certificate. This key and certificate are self-signed
and generated during installation, so each agent has a unique certificate. The certificate will get uploaded
to the SAP Cloud Platform Integration for data services server when the agent is configured using the
configuration tool. The private key will be used for generating each request’s signature, which will be
verified by the server using the previously uploaded certificate.
● mds. Contains certificates for communicating with other applications, including certificates for SAP
applications such as SuccessFactors and HANA Cloud Platform. As a convenience, certificates which
appear in this folder do not have to be copied over from the external application.
● trusted_certs. Contains certificates for communicating with the SAP Cloud Platform Integration for
data services server (integration.ondemand.com, hcids.hana.ondemand.com,
hcids.us1.hana.ondemand.com) and enables the secure HTTPS communication to the server. (TLS 1.2 is
used for the HTTPS communication.)

Note

Communication between the agent and the SAP Cloud Platform Integration for data services server is
always started by the agent, so it is always an outbound request from the agent. There will never be an
inbound request from the server to the agent. Instead, the agent polls the server for tasks to perform,
etc.

5.4 Data privacy

View Data

SAP Cloud Platform Integration provides a View Data feature which allows the user to see the data loaded when
a task is run in the sandbox environment. The View Data feature is intended to allow users to conveniently
verify the results of tasks that are under development, and it eliminates the need to switch to the target
application to do so. View Data is available only in the sandbox environment and only for data loaded in an SAP
HANA database (not for other targets). Upon request, View Data can be disabled in the sandbox environment.

Note

If sensitive data is loaded during a test run in the sandbox, it can be viewed. Customers should not load
sensitive data in their sandbox environments.

Web service response

SAP Cloud Platform Integration provides the ability to load data to external web service targets and receive a
response from the external web service. This response can be displayed in the task execution history by
configuring the Display response in task history datastore option. The default value is “No”, and web service
responses are not displayed in the task history.

If you are concerned about sensitive data potentially being exposed in a web service response, leave the setting
at the default value of “No”. In the production repository, only an Administrator can change the value to “Yes”.

Note

Any displayed web service responses are cleared when the task history is cleared, and when the Display
response in task history option value is changed from “Yes” to “No”.

6 Operational Security

6.1 Operational security

SAP Cloud Platform Integration is hosted by the SAP HANA application cloud. All operational processes are in
accordance with SAP HANA application cloud operation security guidance.

7 HANA Database

7.1 SAP HANA database security

SAP Cloud Platform Integration is powered by SAP HANA. Within an SAP HANA database, separate repository
schemas are created for each SAP Cloud Platform Integration organization.

Each organization's schemas are unique to that organization and are never shared between organizations.
Within an organization there are two separate schemas: one each for the sandbox and production
environments.

Authentication at the schema level

These schemas are protected with SAP HANA access control. Metadata, jobs, data flows, runtime histories and
logs from different customers reside in separate HANA schemas.

SAP Cloud Platform Integration does not store data from on-premise or cloud sources in its HANA database.
Data is passed to the target applications.

Restricted port access

Only specific ports are opened to the SAP HANA server. All other ports are set to “deny” access control by
default.

Restricted protocol access

The SAP HANA server does not expose protocols other than JDBC, SSH and other administrative-related
protocols.

8 Browser Support

8.1 Browser support for SAP UI5 technology

The SAP Cloud Platform Integration application uses SAP UI5 technology which is based on JavaScript.

For SAP Cloud Platform Integration to operate properly, JavaScript must be enabled in the browser
where it is running.

9 Data Protection and Privacy

9.1 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with applicable data privacy regulations, it is necessary to consider compliance with industry-
specific legislation in different countries. SAP provides specific features and functions to support compliance
with regard to relevant legal requirements, including data protection. SAP does not give any advice on whether
these features and functions are the best method to support company, industry, regional, or country-specific
requirements. Furthermore, this information does not give any advice or recommendation in regard to
additional features that would be required in particular IT environments; decisions related to data protection
must be made on a case-by-case basis, under consideration of the given system landscape and the applicable
legal requirements.

Note

In the majority of cases, compliance with applicable data protection and privacy laws will not be covered by
a product feature. SAP software supports data protection compliance by providing security features and
specific data protection-relevant functions, such as simplified blocking and deletion of personal data. SAP
does not provide legal advice in any form. Definitions and other terms used in this document are not taken
from any given legal source.

Related Information

Glossary
Deletion of Personal Data
Security Log
Information about data subjects
Read Access Logging
Consent for personal data

9.1.1 Glossary

Term: Definition

Personal data: Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Purpose: A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Deletion: The irreversible destruction of personal data.

Retention period: The period of time between the end of purpose (EoP) for a data set and when this data set is deleted subject to applicable laws. It is a combination of the residence period and the blocking period.

End of purpose (EoP): A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization (e.g. tax auditors).

Sensitive personal data: A category of personal data that usually includes the following type of information:
● Special categories of personal data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data, data concerning health or sex life or sexual orientation
● Personal data subject to professional secrecy
● Personal data relating to criminal or administrative offenses
● Personal data concerning insurances and bank or credit card accounts

Residence period: The period of time after the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.

Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.

9.1.2 Deletion of Personal Data

The handling of personal data is subject to applicable laws related to the deletion of such data at the end of
purpose (EoP). If there is no longer a legitimate purpose that requires the use of personal data, it must be
deleted. When deleting data in a data set, all referenced objects related to that data set must be deleted as well.
It is also necessary to consider industry-specific legislation in different countries in addition to general data
protection laws. After the expiration of the longest retention period, the data must be deleted.

SAP Cloud Platform Integration users and datastores can be deleted manually using the product user
interface. Deleting a user or datastore removes the associated data except where it appears in the security log.

The security log records all actions taken within SAP Cloud Platform Integration as well as who took them. This
information must be retained for auditing purposes. The retention period for the security log can be defined by
the Security Administrator in the SAP Cloud Platform Integration user interface under Administration >
Settings. The log is permanently deleted at the end of the retention period.

Offboarding

If you terminate your ownership of an SAP Cloud Platform Integration account, the following data is deleted
from your customer tenant:

● Your user name (the first and last name on your account).
● Your email address.
● The IP addresses of your datastores.
● Customer name or ID.
● Security logs.

9.1.3 Security Log

The security log provides information about occurrences of user-related events, datastore updates, and task or
process actions.

In SAP Cloud Platform Integration for data services, the security log can be accessed under Administration >
Security Log. You must have Security Administrator permissions to view the security log.

The security log includes occurrences of the following events:

Security events

● Create, modify or delete a user
● Grant or revoke a user role
● View user details or roles
● Successful logins
● Create or delete an Agent
● Enter or reset a datastore password
● View datastore configurations
● View datastore tables
● Access to SAP Cloud Platform Integration inbound web services (including IP address)
● View the security log

Datastore updates

● Create, update or delete datastores
● Add, reimport or delete tables
● Create, save, update, or delete system configurations

Task or process actions

● Schedule a production task or process
● Activate, delete, deactivate, or modify a task or process schedule
● Run a task or process in Production
● Promote a task or process to Production

Note

Configuration data consists primarily of task definition (mappings, filters, transformations, rules,
connection information, and so on). Task or process definition cannot be modified in the production
environment.

9.1.4 Information about data subjects

Each user has the right to obtain a report showing his personal data that is stored by SAP Cloud Platform
Integration for data services.

As an SAP customer, you can request this report from SAP Support.

9.1.5 Read Access Logging

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be
categorized as sensitive by law, by external company policy, or by internal company policy.

Read access to sensitive data is logged in the security logs for the production environment.

9.1.6 Consent for personal data

For its own operations SAP Cloud Platform Integration for data services does not store any data which is
subject to consent. If any external data source stores any personal data which SAP Cloud Platform Integration
can access via a source datastore, the owner of this data source must obtain the consent.

In cases when SAP Cloud Platform Integration for data services uses personal data collected for SAP Support
troubleshooting purposes using the Data Services Agent diagnostic tool, consent is granted in the contract
between SAP and its customer.

The types of information collected by the diagnostic tool for analysis include:

● System-related information including operating system, IP addresses, processors, JVM memory and
system space statistics
● Network diagnostics to check communication between the Data Services Agent and SAP Cloud Platform
Integration server
● TCP/IP port information
● Security certificate information

Security Guide
Data Protection and Privacy PUBLIC 23
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Videos Hosted on External Platforms
Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
