SAP MII - Security Guide

PUBLIC Document Version: 15.2.0 – 2018-03-25 SAP MII - Security Guide © 2020 SAP SE or an SAP affiliate company. All rights reserved. THE BEST RUN


Content

1 SAP Manufacturing Integration and Intelligence
2 Technical System Landscape
3 Security Aspects of Data, Data Flow and Processes
4 User Administration and Authentication
5 Authorizations
6 Session Security Protection
7 Session Security Protection on the AS Java
7.1 Cross Origin Resource Sharing
8 Network and Communication Security
9 Communication Channel Security
10 Network Security
11 Communications Destinations
12 Data Storage Security
13 Ports
14 Enterprise Services Security
15 Security Logging and Tracing
16 Other Security-Related Information


1 SAP Manufacturing Integration and Intelligence

Use

SAP Manufacturing Integration and Intelligence (SAP MII) is powered by the SAP NetWeaver Java Application Server. Therefore, the corresponding Security Guides also apply to SAP MII. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

The OEE_ERP component of Overall Equipment Effectiveness Management (OEE) is built from the Production Order Component in SAP ERP and can be installed and used with SAP ERP 6.0 and SAP NetWeaver 7.0 or higher. Therefore, the corresponding Security Guides also apply to OEE.

Fundamental Security Guides

● NW 750
● SAP ERP 6.0


2 Technical System Landscape

SAP MII supports several inbound and outbound communications channels. External systems can interact with SAP MII through the following channels:

● HTTP
● HTTPS
● Web service
● IDoc
● RFC
● Enterprise JavaBeans (EJB)
● Java Message Services (JMS)
● OData and HANA SDA Connector

All requests to SAP MII must go through the SAP NetWeaver User Management Engine for basic authentication or single sign-on (SSO) authentication.

All user interaction with SAP MII is handled in HTTP or HTTPS and must go through the SAP user management engine for authentication.

For communication with SAP ERP, you can use the SAP Java Resource Adapter (SAP JRA), SAP Java Connector (SAP JCo), or Web services. For security reasons, we recommend SAP JRA instead of SAP JCo. For more information about configuring an SAP JRA connection to an ERP system, see the SAP NetWeaver CE application help on the SAP Help Portal at http://help.sap.com/nwce.

Different SAP MII systems communicate through virtual servers using HTTPS communication channels. For security reasons, we recommend that you always use HTTPS.

For communication with shop floor systems, you can use Plant Connectivity.

For more information about SAP PCo, see the SAP Help Portal at http://help.sap.com > Plant Connectivity.

You can integrate SAP MII into SAP NetWeaver Development Infrastructure (NWDI) using an HTTPS communication channel. All requests from SAP MII to NWDI go through the SAP user management engine for authentication on the NWDI side.


3 Security Aspects of Data, Data Flow and Processes

The figure below shows an overview of the process flow for the SAP MII.

The table below shows the security aspects to consider for each process step and the mechanism that applies.

Step | Description | Security Measure
1 | Web pages (HTML/JSP/IRPT) communicate with AS Java | Secured protocol HTTPS is recommended.
2 | Applets communicate with AS Java | Secure applet – servlet connection is used. Recommendation: Use SAP UI5 based display templates such as i5chart, i5grid, and i5SPCChart instead of applets wherever possible.
3 | SAP MII Business transaction communicates with SAP Business System | SAP JCo, SAP JRA or Web services can be used. For security reasons, SAP JRA is recommended.
4 | SAP Data Server communicates with Database | TCP/IP and a proprietary binary protocol are used.
5 | SAP MII communicates with SAP NWDI | All requests from SAP MII to NWDI go through the SAP user management engine for authentication on the NWDI side. An HTTPS communication channel is used.


4 User Administration and Authentication

SAP MII uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server Java Security Guide also apply to SAP MII. For more information, see the SAP Help Portal at http://help.sap.com/nwce > SAP NetWeaver Composition Environment Library > Administrator's Guide > SAP NetWeaver CE Security Guide > Security Guides for CE Core Components > SAP NetWeaver Application Server Java Security Guide.

The OEE_ERP component of OEE Management uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to OEE Management.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to MII and OEE in the following topics:

User Management

User management for SAP MII uses the mechanisms provided with SAP NetWeaver Application Server Java, such as tools and password policies. SAP MII does not support the SAP NetWeaver Technical User concept.

User management for the OEE_ERP component of OEE Management uses the mechanisms provided with the SAP NetWeaver Application Server (ABAP), such as tools, user types, and password policies. For an overview of how these mechanisms apply to OEE, see the sections below. In addition, we provide a list of the standard users required for operating OEE.

User Administration Tools

User management and user administration in SAP MII is handled by the SAP User Management Engine in SAP ERP.

User Management Tools (OEE_ERP Component)

Tool | Detailed Description | Prerequisites
User maintenance for ABAP-based systems (transaction SU01) | For more information about the authorization objects provided by the subcomponents of the SAP Overall Equipment Effectiveness Management, see the relevant component in the section Authorizations. | NA
Role maintenance with the profile generator for ABAP-based systems (PFCG) | For more information about the roles provided by the subcomponents of SAP Overall Equipment Effectiveness Management, see the relevant component in the section Authorizations. For more information, see User and Role Administration of Application Server ABAP. | NA

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types that are required for OEE Management include:

● Individual users: Dialog users are used for SAP GUI for Windows or RFC connections (which are used by the front-end component to communicate with the back end).

● Technical users: Service users connect from the OEE Integration framework.

For more information on these user types, see User Types in the SAP NetWeaver AS ABAP Security Guide.

Standard Users

There are no standard users provided with SAP MII. You must create users in the SAP User Management Engine in SAP ERP.

With the OEE_MII component the OEE functionality delivers one standard user called OEE_ADMIN who can perform some of the administrative configuration. You must create users in the SAP User Management Engine in SAP ERP.

With the OEE_ERP component no standard user is provided. However, the following standard users are necessary for operating OEE. You must ensure that these users are available when you start to configure the application.

System | User ID | Type | Password | Description
System where OEE is installed | <User 1> | Dialog user | You specify the initial password during the installation. | The main OEE user, needed for the OEE functionality and other ERP-PP transactions.
System where OEE is installed | <User 1> | Service user | You specify the initial password during the installation. | The main OEE user, needed for the OEE functionality and other ERP-PP transactions.


Note: We recommend changing the user IDs and passwords for users that are automatically created during installation.

Integration Into Single Sign-On Environments

SAP MII supports the SSO mechanisms provided by SAP NetWeaver CE. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver CE Security Guide also apply to SAP MII. The supported mechanisms are as follows:

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using remote function calls.

For more information, see Secure Network Communications (SNC) in the SAP NetWeaver Application Server Security Guide.

SAP Logon Tickets

SAP MII supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

You can find more information under Logon Tickets in the SAP NetWeaver Application Server Security Guide.

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

You can find more information under Client Certificates in the SAP NetWeaver Application Server Security Guide.


5 Authorizations

SAP MII uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server Java Security Guide apply to SAP MII.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the user administration console in the SAP User Management Engine in SAP ERP.

Note: For more information about how to create roles, see Creating Authorization Roles in the SAP NetWeaver CE Library help at http://help.sap.com/nwce.

NW750 Authorizations

● JMS Authorizations
With NW 7.50, the JMS authorization mechanism is changed to provide better protection for the JMS destinations. After the change, the Everyone role no longer has the default permissions to access JMS destinations. When a destination is created using the JMS Server Configuration plug-in, the actions required to use it are also created. The NW Administrator user can assign these actions to the desired roles or groups through the UME administration plug-in. For more information, see SAP Notes 2159438 and 2167993.

● Clickjacking protection for UI5 pages
For SSCE dashboards and web pages created in the workbench, additional security has been added that prevents clickjacking, also known as a “UI Redress attack”. This feature needs to be enabled on the NW 750 server. For more information, see SAP Note 2170590.

You should assign the users that you set up in the SAP User Management Engine in SAP ERP to the following default roles for SAP MII:

● SAP_XMII_User
Users assigned to this role have read access but no access to administration screens or the SAP MII Workbench.

● SAP_XMII_Developer
Users assigned to this role have access to the SAP MII Workbench and some administration screens, such as Time Periods, Connection Store Editor, and Credential Store Editor.

● SAP_XMII_Administrator
Users assigned to this role have the same permissions as users assigned to the SAP_XMII_User and SAP_XMII_Developer roles, plus administration access except for the following: NWDI integration configuration, encryption configuration, and import and export of configuration data.

● SAP_XMII_Super_Administrator
Users assigned to this role have access to all SAP MII functions with no limitations.

● SAP_XMII_Read_Only
Users assigned to this role have read permission for administration screens and access to the SAP MII Workbench without save permission.

● SAP_XMII_DynamicQuery
Users assigned to this role have permission to run dynamic queries (queries without a query template). By default, this permission is granted to users assigned to the SAP_XMII_Administrator and SAP_XMII_Super_Administrator roles. You can assign this role to specific or all users.

For more information, see the SAP MII 15.4 Installation Guide.

In the SAP MII system, you can assign the following components to roles in the SAP User Management Engine in SAP ERP:

● Data servers
For more information, see Data Servers in the SAP MII application help at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.

● Transactions
For more information, see Transaction in the SAP MII application help at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.

● Query and display templates
For more information, see Query Template and Display Template in the SAP MII application help at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.

● Projects
For more information, see Projects in the SAP MII application help at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.

● Self Service Composition Environment
For more information, see Maintain Security and Actions for Permissions in the SAP MII application help at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.
Access to dashboards is role-specific. You are assigned XMII_SSCE_ALL and XMII_SSCE_CHANGE roles. Users with the XMII_SSCE_CHANGE role can access or change other users' dashboards. For details, see User Management.

Recommendation: You assign:

○ Roles XMII_SSCE_CHANGE and XMII_SSCE_ALL to users who need access to change the dashboards only.

○ Role XMII_SSCE_DEVELOPER to add custom code in dashboard.

Note: Assignments to the previous SAP MII components are saved to SAP MII internal tables and are not persisted in the SAP User Management Engine in SAP ERP repository; therefore, they are not accessible to SAP risk management tools, such as compliant user provisioning, for tracking critical authorization combinations.


Projects

OEE-specific Authorization (OEE_MII component)

In SAP OEE, transaction data is segregated according to the client and plant. Users can perform a set of operations depending on the client and plant they are responsible for. You can grant user access to client and plant by assigning a User Management Engine (UME) user group in Admin Configuration User Group Assignment and User Group Dashboard Assignment. You can make these assignments through the Worker UI Management section on the SAP MII main menu screen.

When users log on to the OEE dashboard for the first time, they are automatically logged on to the first client, plant and work unit. It is possible to assign a default client, plant, and work unit to a user.

To be able to assign these to a user in UME, first create the default client, plant, work unit, and dashboard fields in SAP NetWeaver as follows:

1. In Identity Management, choose Configuration.
2. In the Configuration screen, choose the User Administrator UI tab page and choose Modify Configuration.
3. In the Administrator-Management Custom Attributes field, enter the following data: SAPOEE:DEFAULT CLIENT; SAPOEE:DEFAULT PLANT; SAPOEE:DEFAULT WORKUNIT; SAPOEE:DEFAULT POD; SAPOEE:ERP PERSONNEL NUMBER.
4. Save your entries.

After you have created the default fields, you can assign a default site to a user as follows:

1. Log on to SAP NetWeaver as administrator user.
2. Navigate to Identity Management and select the user that you want to assign a default site to.
3. Choose Modify. On the Customized Information tab page, enter values for the following fields:
   ○ Default Client
   ○ Default Plant
   ○ Default Work Unit
   ○ Default Dashboard
4. Save your entries.
5. Repeat these steps for each user.

Note: If you create the default fields in SAP NetWeaver UME, but do not define default field values for the user in UME User Configuration, on the first logon the user will be redirected to what comes first alphabetically in the list where this user is defined.

SAP OEE delivers the following actions:

Action | Type | Description
OEEProductionRun_Read | Transaction | Action to enable read of shift related data collection header data.
OEEReleaseDemand_Read | Transaction | Action to enable read of operation level demand data.
OEEReportDowntime_Read | Transaction | Action to enable read of reported down times.
OEEDataCollection_Read | Transaction | Action to enable read of reported data collection.
OEEProductionOrder_Read | Transaction | Action to enable read of production order.
OEEProductionRun_Operator | Transaction | Action to enable read and change of production activity.
OEEProductionRun_Create_Update | Transaction | Actions to enable create and update of shift related data collection header data. This is required to close a shift.
OEEReleaseDemand_Create_Update | Transaction | Actions to enable create and update of operation level demand data. This is required to close an order.
OEEProductionRun_All | Transaction | Action to enable all operations on shift related data collection header record.
OEEReleaseDemand_All | Transaction | Action to enable all operations on operation level demand data.
OEEReportDowntime_All | Transaction | Action to enable all operations for report down times.
OEEDataCollection_All | Transaction | Action to enable all operations for data collection and report all quantity.
OEEProductionOrder_All | Transaction | Action to enable all operations for production order.
OEEQueueMonitor_All | Transaction | Action to enable create, read, update, and delete of entries in the OEE integration queue.
OEEQueueMonitor_Read | Transaction | Action to enable read of OEE integration queue.
OEEWorkflowConfig_All | Configuration | Action to enable create, read, update, and delete of workflow configurations.
OEEWorkflowConfig_Read | Configuration | Action to enable read of workflow configurations.
OEEGlobalConfig_All | Configuration | Action to enable create, read, update, and delete of global configurations.
OEEGlobalConfig_Read | Configuration | Action to enable read of global configurations.
OEESupportedPlants_All | Configuration | Action to enable create, read, update, and delete of the supported plants.
OEESupportedPlants_Read | Configuration | Action to enable read of the supported plants.
OEEActivity_Read | Configuration | Action to enable read of activity configuration.
OEEPod_Read | Configuration | Action to enable read of dashboard configuration.
OEEUserGroupPodAssignment_Read | Configuration | Action to enable read of user group dashboard assignment.
OEECustomizationName_Read | Configuration | Action to enable read of customization name.
OEECustomizationValue_Read | Configuration | Action to enable read of customization value.
OEEConfigUserGroupAssignment_Read | Configuration | Action to enable read of users who have authorization to assign user groups to dashboard.
OEEUserGroupAssignment_Read | Configuration | Action to enable read of user group assignment.
OEEScheduledDown_Read | Configuration | Action to enable read of schedule down.
OEEStatus_Read | Configuration | Action to enable read of status configuration.
OEEActivity_All | Configuration | Action to enable all operations on activity. It is required to create and update activities.
OEEPod_All | Configuration | Action to enable all operations on dashboard. It is required to create and update dashboards.
OEEUserGroupPodAssignment_All | Configuration | Action to enable all operations on user group dashboard assignment. It is required to assign dashboard to a user group.
OEECustomizationName_All | Configuration | Action to enable all operations on customization name. It is required to create and update customization names and their allowed values.
OEECustomizationValue_All | Configuration | Action to enable all operations on customization value. It is required to create and update customization values and their details.
OEEConfigUserGroupAssignment_All | Configuration | Action to enable assignment of authorization to users, who in turn can assign user groups to dashboards.
OEEUserGroupAssignment_All | Configuration | Action to enable all operations on user group assignment. This is required to assign users the authorization to perform user group dashboard assignment.
OEEScheduledDown_All | Configuration | Action to enable all operations on scheduled down maintenance. This is required to create and update scheduled downs.
OEEStatus_All | Configuration | Action to enable all operations on status. This is required to create and update status configurations.
OEEExtension_All | Configuration | Action to enable all operations on extension maintenance.
OEEMasterConfiguration_Read | Configuration | Action to enable read of SAP ERP master and configuration objects.
OEEReasonCodeMapping_Read | Configuration | Action to enable read of assigned reason codes in configuration.
OEEReasonCodeMapping_All | Configuration | Action to enable permissions to assign or delete assignment of reason codes in configuration.
OEEErpConfirmations_Read | Configuration | Action to enable read of confirmation related data.
OEEErpConfirmations_All | Configuration | Action to enable permission to send confirmations.
OEEExtension_Read | Configuration | Action to enable read of extensions maintained.
OEEIntegrationIdoc_All | Configuration | Action to enable execution of IDocs.
OEEIntegrationReconcileIdoc_All | Configuration | Action to enable reconcile IDocs.
OEESAPIntQuery_All | Configuration | Action to enable all permissions for SAP integration query object.

SAP OEE delivers the following roles and their associated actions:

Role Name | Description | Associated Actions
OEE_OPERATOR | Assign this role to the operator who would do all data collection using operator dashboard. This role has all authorization to report production, rejection, and other data collection. The role also has authorization to report downtimes and uptimes on a work unit. The role, however, has only read authorization on configuration data. | OEEProductionRun_Operator, OEEReportDowntime_All, OEEDataCollection_All, OEEProductionOrder_All, OEEExtension_Read, OEEReasonCodeMapping_Read, OEEStatus_Read, OEEScheduledDown_Read, OEEUserGroupPodAssignment_Read, OEEUserGroupAssignment_Read, OEEConfigUserGroupAssignment_Read, OEEProductionOrder_Read, OEECustomizationValue_Read, OEEPod_Read, OEECustomizationName_Read, OEEActivity_Read, OEEProductionRun_Read, OEEReleaseDemand_Read, OEEQueueMonitor_Read, OEESupportedPlants_Read, OEEWorkflowConfig_Read, OEEGlobalConfig_Read, OEEMasterConfiguration_Read, OEEReasonCodeMapping_Read, OEEERPConfirmations_Read
OEE_SUPERVISOR | Assign this role to a supervisor who has additional authorizations to start, stop, resume, close shift, and complete order. The role also has the required authorization on some configuration activities. | OEEProductionRun_Create_Update, OEEReleaseDemand_Create_Update, OEEReportDowntime_All, OEEDataCollection_All, OEEProductionOrder_All, OEEExtension_Read, OEEReasonCodeMapping_Read, OEEStatus_Read, OEEScheduledDown_Read, OEEUserGroupPodAssignment_Read, OEEUserGroupAssignment_Read, OEEConfigUserGroupAssignment_Read, OEEProductionOrder_Read, OEECustomizationValue_Read, OEEPod_Read, OEECustomizationName_Read, OEEActivity_Read, OEEQueueMonitor_Read, OEESupportedPlants_Read, OEEWorkflowConfig_Read, OEEGlobalConfig_Read, OEEMasterConfiguration_Read, OEEReasonCodeMapping_Read, OEEERPConfirmations_All
OEE_ADMIN | This role is for allowing access to OEE configuration screens. | OEEActivity_All, OEEPod_All, OEEUserGroupPodAssignment_All, OEECustomizationName_All, OEECustomizationValue_All, OEEConfigUserGroupAssignment_All, OEEUserGroupAssignment_All, OEEScheduledDown_All, OEEStatus_All, OEEReasonCodeMapping_All, OEEExtension_All, OEEQueueMonitor_All, OEESupportedPlants_All, OEEWorkflowConfig_All, OEEGlobalConfig_All, OEEMasterConfiguration_Read, OEEReasonCodeMappingAll, OEEErpConfirmations_All, OEEExtension_Read
OEE_SUPERADMIN | This role has all authorizations. This role also has some specific actions to set up user group admin for specific plants. | OEEProductionRun_All, OEEReleaseDemand_All, OEEReportDowntime_All, OEEDataCollection_All, OEEActivity_All, OEEUserGroupPodAssignment_All, OEEUserGroupAssignment_All, OEEScheduledDown_All, OEECustomizationName_All, OEECustomizationValue_All, OEEProductionOrder_All, OEEExtension_All, OEEStatus_All, OEEReasonCodeMapping_All, OEEPod_All, OEEQueueMonitor_All, OEESupportedPlants_All, OEEWorkflowConfig_All, OEEGlobalConfig_All, OEESAPIntQuery_All, OEEMasterConfiguration_Read, OEEReasonCodeMapping_All, OEEERPConfirmations_All
OEE_INTEGRATOR | This role is for enabling the integration from ERP to OEE. | OEEIntegrationIdoc_All, OEEIntegrationReconcileIdoc_All, OEEReleaseDemand_Create_Update, OEEExtension_Read, OEEReasonCodeMapping_Read, OEEStatus_Read, OEEScheduledDown_Read, OEEUserGroupPodAssignment_Read, OEEUserGroupAssignment_Read, OEEConfigUserGroupAssignment_Read, OEECustomizationValue_Read, OEEPod_Read, OEECustomizationName_Read, OEEActivity_Read, OEEProductionRun_Read, OEEReleaseDemand_Read, OEEProductionRun_Operator, OEEReportDowntime_All, OEEDataCollection_All, OEEProductionOrder_All, OEEQueueMonitor_All, OEESupportedPlants_Read, OEEWorkflowConfig_Read, OEEGlobalConfig_Read, OEESAPIntQuery_All, OEEMasterConfiguration_Read, OEEReasonCodeMapping_Read, OEEERPConfirmations_All
OEE_READ_ONLY | This role is to allow a user to see all the data on the dashboard. However, no reporting or editing is possible. | OEEProductionRun_Read, OEEReleaseDemand_Read, OEEReportDowntime_Read, OEEDataCollection_Read, OEEProductionOrder_Read, OEEExtension_Read, OEEReasonCodeMapping_Read, OEEStatus_Read, OEEScheduledDown_Read, OEEUserGroupPodAssignment_Read, OEEUserGroupAssignment_Read, OEEConfigUserGroupAssignment_Read, OEECustomizationValue_Read, OEEPod_Read, OEECustomizationName_Read, OEEActivity_Read, OEEQueueMonitor_Read, OEESupportedPlants_Read, OEEWorkflowConfig_Read, OEEGlobalConfig_Read, OEEMasterConfiguration_Read, OEEReasonCodeMapping_Read, OEEERPConfirmations_Read

SAP OEE also delivers the following users by default:

1. OEE_ADMIN: This user has the OEE_SUPERADMIN role to start the initial set up.
2. OEE_INTEGRATOR: This user has the OEE_INTEGRATOR role which can be used in integration configuration.

These users are also assigned SAP MII and SAP NetWeaver roles required to perform relevant administrative tasks.

SAP MII roles assigned are:

● SAP_XMII_Administrator
● SAP_XMII_User
● SAP_XMII_Developer
● SAP_XMII_DynamicQuery
● SAP_XMII_Read_Only
● SAP_XMII_Super_Administrator
● SAP_XMII_ProjectManagement

For more information on the SAP MII roles, see the SAP MII security guide at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence 14.0 > Security Information.

SAP NetWeaver role assigned is ADMINISTRATOR.

You should create plant and line specific user groups for roles such as operator, supervisor, and administrator and assign the corresponding roles delivered by OEE. If required, you can also create custom roles by assigning appropriate actions and use those in plant and line specific user groups.

OEE-specific Authorization (OEE_ERP component)

OEE Management uses the authorization concept provided by the SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to OEE.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s user administration console on the AS Java.

Standard Roles

There are no standard roles that are used by SAP Overall Equipment Effectiveness Management.

Standard Authorization Objects


The table below shows the security-relevant authorization objects that are used by the SAP OEE Management:

Authorization Object | Field | Value | Permitted Activities

Plant hierarchy | /OEE/C_MPH | ACTVT, WERKS, TCODE | Create or generate / Change / Display / Delete

Global Hierarchy | /OEE/C_MGH | ACTVT, /OEE/TMPLT, TCODE | Create or generate / Change / Display / Delete

Reason code | /OEE/C_PRC | ACTVT, WERKS, TCODE | Create or generate / Change / Display / Delete

BO IDOC | /OEE/IDOC | ACTVT, TCODE | Execute


6 Session Security Protection

To prevent JavaScript or plug-ins from accessing the SAP logon ticket and security session cookie(s), we recommend activating secure session management.

We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

To send requests to the OData service using HTTP POST, PUT or DELETE, you have to send an additional request parameter whose value is fetched in the following way:

● The client must send an HTTP GET to the server using the URL http://<server>:<port>/XMII/IlluminatorOData/QueryTemplate?xsrfid=Fetch.

● The server returns a response header whose key is xsrfid and whose value is an encrypted token.

● When the services using POST, PUT or DELETE are called, the client returns the token name xsrfid and its value in a request parameter as http://<server>:<port>/XMII/IlluminatorOData/QueryTemplate?QueryTemplate=<template name>&xsrfid=<responseHeaderValue>.

When the client is unable to send the above mentioned token and its value while calling the OData service, then the call is incomplete and an HTTP response code 403 is returned. The xsrfid token is not required for you to execute the query in HTTP GET.

The OData service, when called in any mode, expects basic authentication credentials in the request header. The service returns response code 401 if the credentials are not provided, and the browser displays a dialog box requesting user credentials. The service is executed once the correct credentials are provided.

Note: The credentials are cached. Once provided, the credentials are not required for subsequent requests to SAP MII. The user has to close the browser window to start a new session or to log off from SAP MII.
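The token exchange described above, from the client's side, as an added example that is not part of the SAP guide. Only the service path, the xsrfid parameter and header name, and the 401/403 status codes come from the guide; the loopback stub server, its random token, the credentials and the template name are constructed so the script runs offline, and a real client would use HTTPS as recommended above.

```python
import base64
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request

PATH = "/XMII/IlluminatorOData/QueryTemplate"  # service path given in the guide
# Ignore proxy environment variables so the loopback demo stays local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class StubService(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: reproduces only the status codes the guide documents."""

    token = secrets.token_hex(16)  # the real value is an encrypted token

    def _reply(self, code, headers=()):
        self.send_response(code)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _handle(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        if not self.headers.get("Authorization", "").startswith("Basic "):
            return self._reply(401, [("WWW-Authenticate", 'Basic realm="stub"')])
        if self.command == "GET":  # GET needs no token; xsrfid=Fetch issues one
            fetch = query.get("xsrfid") == ["Fetch"]
            return self._reply(200, [("xsrfid", self.token)] if fetch else ())
        if query.get("xsrfid") != [self.token]:  # POST, PUT, DELETE
            return self._reply(403)
        return self._reply(200)

    do_GET = do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def call(base, method, params, auth=None):
    """Send one request and return (status, response headers)."""
    req = urllib.request.Request(
        f"{base}{PATH}?{urllib.parse.urlencode(params)}", method=method)
    if auth:
        cred = base64.b64encode(":".join(auth).encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def fetch_token(base, auth):
    """Step 1: GET ...?xsrfid=Fetch and read the xsrfid response header."""
    status, headers = call(base, "GET", {"xsrfid": "Fetch"}, auth)
    if status != 200 or not headers.get("xsrfid"):
        raise RuntimeError(f"token fetch failed with HTTP {status}")
    return headers["xsrfid"]


def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    auth = ("demo_user", "demo_password")  # constructed credentials
    template = {"QueryTemplate": "Demo/OrderList"}  # constructed template name
    try:
        token = fetch_token(base, auth)
        return {
            "get_without_credentials": call(base, "GET", template)[0],
            "get_without_token": call(base, "GET", template, auth)[0],
            "post_without_token": call(base, "POST", template, auth)[0],
            "post_with_token": call(base, "POST", {**template, "xsrfid": token}, auth)[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

A 403 on a write request therefore points at a missing or stale xsrfid value, while a 401 points at missing credentials.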


7 Session Security Protection on the AS Java

In the Config Tool, edit the following properties for the Web Container service, which control security-related aspects of HTTP sessions:

Property | Recommended Value

SessionIdRegenerationEnabled | True

SystemCookiesDataProtection | False (Note: SAP MII does not support this property.)

SystemCookiesHTTPSProtection | True

These properties are supported from MII 12.2 SP02 or higher.

You cannot pass sessions between clients if you have set the SessionIdRegenerationEnabled property to true. For an SAP MII user, the administrator will have to provide credentials for every test and execution of the webpage from MII Workbench while developing content on SAP MII. To avoid this, you have to configure the Single Sign-On feature of AS Java. The SPNego login module or X.509 client certificate authorization can be used to enable Single Sign-On in the AS Java environment.

For more details on configuring SPNego or X.509 based Single Sign-On on the NW7.11 platform, refer to SAP Note 1538719.


7.1 Cross Origin Resource Sharing

Set the Cross Origin Resource Sharing properties from the SAP MII administration menu System Management > System Properties:

Screen Name | Property Name | Description

Allow Cross Origin Resource Sharing | CrossOriginResourceSharing | Allows scripts to request to a domain other than the hosted domain. In other words, a browser based application sends a request to a server residing in a different domain. A valid Cross Origin Resource Sharing request contains a header called domain which is automatically added by the browser. Cross Origin Resource Sharing is supported in the following browsers: Chrome 3+, Firefox 3.5+, Opera 12+, Safari 4+, Internet Explorer 8+

Allowed Hosts | AllowedHosts | Hosts that are allowed to make Cross Origin Resource Sharing requests. * allows all hosts to make these requests

Allow Credentials | AllowCredentials | Enables MII server to add Access-Control-Allow-Credentials to the response.

Expose Headers | ExposeHeaders | Comma separated list of headers that is allowed by MII server.

Allow Methods | AllowMethods | Comma separated list of http methods allowed for Cross Origin Resource Sharing.

Allow Headers | AllowHeaders | Allows headers containing response to preflight request having Access-Control-Request-Headers

Maximum Age | MaximumAge | Time in seconds for which the preflight response can be cached.


8 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users cannot connect to the server local area network (LAN), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP MII is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver CE Security Guide also apply to SAP MII. Details that specifically apply to the SAP MII are described in the following topics:

● Communication Channel Security: This topic describes the communication paths and protocols used by the SAP MII.

● Network Security: This topic describes the recommended network topology for the SAP MII. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the SAP MII.

● Communication Destinations: This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability


9 Communication Channel Security

The table below shows the communication channels used by the SAP MII, the protocol used for the connection and the type of data transferred.

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

Frontend client using a Web browser to application server | HTTPS | All application data | Credential Store Data, Configurations Import/export

Application server to SAP ERP | SAP JRA, SAP Java Connector (SAP JCo), Web services | All Business Data |

Application server to another Application server | HTTPS | All Business Data |

Application server to shop floor systems and HANA SDA | TCP/IP | All Business Data |

Application server to SAP NWDI | HTTPS | All MII Content files |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

Recommendation: We strongly recommend using secure protocols (SSL, SNC) whenever possible.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.


10 Network Security

SAP MII applets require that you are logged on to SAP MII using HTTP or HTTPS. We recommend that you use HTTPS.

You can log on to SAP MII with a username and password in the URL or for use in programmatic calls. This function is included for legacy support only. We recommend that you use HTTPS and post the username and password parameters rather than include them in the URL.

An SAP MII proprietary binary protocol is used for communication between SAP MII and PCo for increased transmission speeds. The content of the stream can be sniffed out due to the format of the protocol. Therefore, communication between PCo and SAP MII should be transmitted on a secure network.

If you are assigned to the SAP_XMII_DynamicQuery, SAP_XMII_Administrator, or SAP_XMII_Super_Administrator roles, you can run queries from a URL or a query template. If you are not assigned to one of these roles, you can only run queries when a query template is specified. The mode and data server for the query cannot be changed.

When you parameterize SQL queries, SQL can be inserted through the parameters because the Param.x fields are inserted directly into the SQL statements before being run. The parameters and SQL are not validated, so you should use caution when parameterizing queries.
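Why direct insertion of Param.x values matters, and one way to apply the caution the guide asks for, shown as an added example that is not SAP code. The [Param.1] placeholder syntax, the orders table, the sample values and the allow-list rule are assumptions made for the illustration; the substitution function only imitates the textual replacement the guide describes, using an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed query template; [Param.1] stands for the first Param.x field.
TEMPLATE = "SELECT order_id FROM orders WHERE plant = '[Param.1]'"

# Allow-list per parameter position: the shape of a legitimate value (constructed rule).
RULES = {1: re.compile(r"[A-Z0-9]{4}")}


def substitute(template, params):
    """Textual replacement with no validation or escaping, as the guide describes."""
    return re.sub(r"\[Param\.(\d+)\]", lambda m: params[int(m.group(1))], template)


def checked_substitute(template, params):
    """Refuse any value that does not fully match its rule, then substitute."""
    for index, value in params.items():
        rule = RULES.get(index)
        if rule is None or not rule.fullmatch(value):
            raise ValueError(f"Param.{index} rejected: {value!r}")
    return substitute(template, params)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, plant TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "1000"), (2, "1000"), (3, "2000")])
    return db


def run(db, sql):
    return sorted(row[0] for row in db.execute(sql))


def demo():
    db = make_db()
    crafted = "1000' OR '1'='1"  # constructed value that closes the string literal
    results = {
        # Intended use: only the orders of plant 1000.
        "normal": run(db, substitute(TEMPLATE, {1: "1000"})),
        # The value becomes part of the statement and the WHERE clause is always true.
        "rewritten": run(db, substitute(TEMPLATE, {1: crafted})),
        "checked_normal": run(db, checked_substitute(TEMPLATE, {1: "1000"})),
    }
    try:
        checked_substitute(TEMPLATE, {1: crafted})
        results["checked_crafted"] = "accepted"
    except ValueError:
        results["checked_crafted"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Validation of this kind has to happen before the value reaches the query, and it complements rather than replaces restricted database credentials on the data server.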

For more information, see the Network Security and Security Aspects for Database Connections sections.


11 Communications Destinations

SAP MII does not deliver preconfigured RFC or JCo destinations or ports.


12 Data Storage Security

All passwords used in SAP MII content are encrypted based on the SAP MII encryption configuration. Depending on their availability, the SAP MII administrator can select between TripleDES or DES encryption. If encryption is not available (for example, due to export restrictions), passwords are Base64-encoded. Since Base64 encoding is not an encryption method, it is not secure. We recommend that you use TripleDES for encryption of passwords in SAP MII.

The encryption key is automatically generated for every SAP MII installation and cannot be seen or changed. The SAP MII encryption key is stored in the SAP NetWeaver Secure Storage service of the underlying SAP NetWeaver installation. For more information, see the security guides of SAP NetWeaver 7.3 and SAP NetWeaver CE.

Credentials, or the combination of a user name and password, are maintained in the SAP MII credential store and stored in an encrypted form in the SAP MII database.

Caution: The SAP MII custom actions API provides access to secure storage where user credentials are stored. Every custom action running on an SAP MII server is readable. Since this function is open, only deploy reliable custom action packages to your SAP MII system.

SAP MII users and administrators do not have access to the persisted passwords. If you have write access to the SAP MII Workbench and can create transactions, you can reuse credentials in the SAP MII credential store. For more information about credentials, see the SAP MII application help on the SAP Help Portal at http://help.sap.com > SAP Business Suite > SAP Manufacturing > SAP Manufacturing Integration and Intelligence.

When you export SAP MII configuration settings, you must choose an encryption algorithm and enter a pass phrase. All password information in the selected SAP MII configuration is then decrypted with the SAP MII key that is stored in the SAP NetWeaver Secure Storage service, encrypted again using the algorithm and pass phrase, and persisted as a ZIP file on the client machine. On the target SAP MII system, you have to enter the encryption algorithm and pass phrase, then the system unpacks, decrypts, and encrypts the configuration from the ZIP file according to the encryption settings of the target SAP MII system.

Caution: Since the encryption algorithm and pass phrase may have to be communicated to others so they can be manually entered in the target system, you should take additional security measures to protect this information against misuse. Anyone who knows the encryption algorithm and pass phrase could decrypt the credential information and misuse it.


Data Protection

There is no personal data stored in SAP MII other than the user ID. However, if any personal or sensitive information is stored in MDO or in a custom table accessed using MII data services, or is processed in MII transactions, the customer is responsible for controlling access to it and for deleting it.

SQL Injection

A user with dynamic query permission can access, run and manipulate the values in SQL queries from the URL. In order to restrict manipulating values in SQL, MDO, and KPI queries, especially through the Query, FilterExpr, SortExpr and GroupingExpr parameters, a new parameter called Allow Dynamic Query is included in the Data Server configurations. This field is available as a check box on the Data Servers screen, only for the SQL, MDO and KPI connector types. In other words, the check box will be available for Data Servers with the following connectors:

● IDBC

● VirtualIDBC

● OLEDB

● DataSource

● MDO

● VirtualMDO

● KPI

● VirtualKPI

To execute dynamic queries using any of the Query, FilterExpr, SortExpr or GroupingExpr parameters in the URL, adhere to the following conditions:

1. The user must be authorized with the SAP_XMII_DynamicQuery, SAP_XMII_Administrator or SAP_XMII_Super_Administrator roles.

2. The check box Allow Dynamic Query parameter must be selected on the Data Server.

3. The role SAP_XMII_DynamicQuery must be assigned to the data server on the Data Access screen.

Any errors that occur while executing dynamic queries are logged.

Note:

1. The usage of Query, FilterExpr, SortExpr and GroupingExpr parameters in the URL is restricted by selecting Restrict Property Override on the query template.

2. The user can run complete SQL, MDO, and KPI queries from the URL for dynamic queries. Ensure that the credentials on the data server have the proper security restrictions on the backend server.

By default, the Allow Dynamic Query check box is de-selected for the newly created data servers with the above mentioned connectors.

Note: For existing data servers from earlier releases, the changes are migrated automatically and the check box is selected. To execute dynamic queries on the migrated data servers, the role SAP_XMII_DYNAMIC_QUERY must be assigned to the data server on the Data Access screen.

Directory Traversal


The SAP MII system does not impose any constraints on access to the file system. As a result, any user can access the folders and files where SAP MII is installed. As part of the security changes, file system access is restricted to a certain path and its subfolders. The following features are added:

1. A new system property, Default File Path is introduced wherein you can define the path on the file system to store files for Read/Write operations. This file path provides access to the subfolders too.

2. This system property is pre-shipped with the value MII. This allows the user to perform the Read/Write operations on the files in the specified folder and subfolders.

3. The value of this system property can be changed. If the file path is empty, the user will be able to access the entire file system, provided the file system permissions allow Read/Write. This behavior will be the same as the earlier releases, that is, there will be no restriction on the file system access.

4. The path defined in the system property is represented differently on the file system based on the operating system as follows:

   1. In the case of Windows operating system, the system property must be specified starting from one level below the root directory or the disk-drive specifier (typically this is C drive on Windows system).

      Example

      ○ If MII is the value of the system property, the folder on the file system will be C:\MII

      ○ If MII\Content is the value of the system property, the folder on the file system will be C:\MII\Content

   2. In the case of Linux operating system, the system property must be specified starting from one level below the root directory, which is "/"

      Example

      ○ If MII is the value of the system property, the folder on the file system will be /MII

      ○ If MII/Content is the value of the system property, the folder on the file system will be /MII/Content

   Note: Regardless of the operating system, the root directory is the directory under which MII is installed.

5. The user can access the file system using the following list of MII actions in the Workbench.

   ○ File I/O: Write File, Delete File, Create Directory, Create Zip Archive, GetFileList, FTPInput, FTPOutput

   ○ E-Mail: Send Mail, Read Mail

   ○ Logging: XML Tracer

   ○ Web: HTML Saver, XML Saver, Text Saver, Image Saver, HTMLLoader, XMLLoader, TextLoader, ImageLoader

   Note: The above mentioned actions are now restricted to search the path defined in the system property.

6. An error log is created when the user tries to use the above mentioned actions to access any folder other than the one specified in the MII System Configurations screen.

7. When you upgrade to higher versions, the existing transactions with the above mentioned actions will not work. All the content needs to be moved to the existing path and all transactions need to be updated accordingly, or the file path in MII System Configurations screen needs to be changed.

Note: Ensure that the access restrictions on the file system are enforced at the operating system level.
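A pre-upgrade check built on the Default File Path rules above, as an added example that is not SAP code: it lists which file paths used by existing transactions would fall outside the allowed folder and therefore need to be moved. The function names, the sample paths and the rule that relative paths resolve against the allowed folder are assumptions; the mapping of the property value to C:\MII or /MII and the meaning of an empty value follow the guide.

```python
import ntpath
import posixpath


def allowed_root(default_file_path, windows=False, drive="C:"):
    """Directory the property value maps to, or None when the value is empty."""
    value = default_file_path.strip().strip("/\\")
    if not value:
        return None  # empty property: no restriction, as in earlier releases
    if windows:
        return ntpath.normpath(drive + "\\" + value)  # MII\Content -> C:\MII\Content
    return posixpath.normpath("/" + value)  # MII/Content -> /MII/Content


def is_allowed(path, default_file_path, windows=False):
    """True if path stays inside the allowed folder or one of its subfolders."""
    mod = ntpath if windows else posixpath
    root = allowed_root(default_file_path, windows)
    if root is None:
        return True
    # Assumption: relative paths are resolved against the allowed folder.
    # normpath collapses ".." lexically; it does not follow symbolic links,
    # which is one reason operating system permissions are still needed.
    target = mod.normcase(mod.normpath(mod.join(root, path)))
    root = mod.normcase(root)
    # Compare whole path components so that /MII-old does not pass as /MII.
    return target == root or target.startswith(root + mod.sep)


def audit(paths, default_file_path, windows=False):
    """Return the paths that would be refused, in input order."""
    return [p for p in paths if not is_allowed(p, default_file_path, windows)]


# Constructed samples: file paths as they might appear in existing transactions.
LINUX_PATHS = [
    "reports/out.xml",
    "/MII/Content/a.txt",
    "/MII/Content/../../etc/hosts",
    "/MII-old/a.txt",
    "/var/tmp/export.zip",
]
WINDOWS_PATHS = [
    "C:\\MII\\Content\\shift.xml",
    "c:/mii/content/sub/a.txt",
    "C:\\MII\\secret.txt",
    "C:\\MII\\Content\\..\\..\\Windows\\win.ini",
    "D:\\MII\\Content\\a.txt",
]

if __name__ == "__main__":
    print(audit(LINUX_PATHS, "MII"))
    print(audit(WINDOWS_PATHS, "MII\\Content", windows=True))
```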


13 Ports

SAP MII runs on SAP NetWeaver and uses the ports from the AS Java. For more information, see the topics for AS Java Ports in the corresponding SAP NetWeaver Security Guides.


14 Enterprise Services Security

The following chapters in the NetWeaver Security Guide and documentation are relevant for all enterprise services delivered with SAP MII:

● Security Guide Web Services

● Recommended WS Security Scenarios

● SAP NetWeaver Process Integration Security Guide

You can access the Security Guide using http://help.sap.com > Technology Platform > SAP NetWeaver > SAP NetWeaver 7.5 > Security Guide.

Currently, SAP MII does not support the SystemCookiesDataProtection indicator of AS Java. Turn off the indicator in the Display Templates screen.


15 Security Logging and Tracing

Security-relevant changes are logged using a separate category (/system/security/audit/XMII) in the standard SAP User Management Engine in SAP ERP logging file.

Security permissions for data servers and services are written to the security log with the xMII Security category. The data includes the previous value and the value to which the security permission was changed.

Security permissions for transactions and templates are also written to the same log, but only a status change is noted.


16 Other Security-Related Information

For more information on enabling the Clickjacking Protection Service, see the following:

● UI5 content (i5Chart/SSCE): See the topic Enabling the Clickjacking Protection Service in the NetWeaver 7.5 Security Guide. You can access the Security Guide using http://help.sap.com > Technology Platform > SAP NetWeaver > SAP NetWeaver 7.5 > Security Guide.

● Web Dynpro screens: See the topic Security Aspects of Web Dynpro for Java in the NetWeaver 7.5 Security Guide. You can access the Security Guide using http://help.sap.com > Technology Platform > SAP NetWeaver > SAP NetWeaver 7.5 > Security Guide.
