    Security Guide

    SAP Policy Management

    Document Version: 1.0 – 2017-04-27

    CUSTOMER

    SAP Policy Management 5.4 Security Guide

    © 2017 SAP SE. All rights reserved.

    Typographic Conventions

    Type Style: Description

    Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.

    Example: Textual cross-references to other documents.

    Example: Emphasized words or expressions.

    EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

    Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

    Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

    <Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

    EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

    Document History

    Version   Date         Change
    1.0       2017-04-27   Initial version of this guide

    Table of Contents

    1 Introduction
    2 Before You Start
    3 Technical System Landscape
    4 Security Aspects of Data, Data Flow, and Processes
    5 User Administration and Authentication
      5.1 User Management
      5.2 Integration into Single Sign-On Environments
    6 Authorizations
    7 Session Security Protection
    8 Network and Communication Security
      8.1 Communication Channel Security
      8.2 Network Security
      8.3 Communication Destinations
    9 Application-Specific Virus Scan Profile (ABAP)
    10 Data Storage Security
    11 Data Protection
      11.1 Deletion of Personal Data
      11.2 Read Access Logging
      11.3 Search Help Restrictions
    12 Security for Additional Applications
    13 Other Security-Relevant Information
    14 Security-Relevant Logging and Tracing
    15 Services for Security Lifecycle Management

    1 Introduction

    Caution

    This guide does not replace the administration or operation guides that are available for productive operations.

    Target Audience

    Technology consultants
    Security consultants
    System administrators

    This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

    Why Is Security Necessary?

    With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.

    These demands on security apply likewise to SAP Policy Management (FS-PM). To assist you in securing your FS-PM system, we provide this Security Guide.

    SAP Policy Management is an in-force business system that requires a high level of security. It is important that the personal data in the policies and contracts can only be displayed and changed by authorized persons. Various international legal regulations, such as the Federal Data Protection Act, also call for utmost care with regard to the way security is handled in SAP Policy Management.

    About this Document

    Caution

    Before you start, make sure that you have the latest version of this document. You can find the latest version under SAP Policy Management -> Security -> Security Guide.

    The Security Guide provides an overview of the security-relevant information that applies to SAP Policy Management. For the application components used by FS-PM (FS-CD, FS-CS, FS-BP, FS-RI, FS-CM, FS-CML, PFO, OM and Product Engine), reference is made to the respective Security Guide.

    https://uacp2.hana.ondemand.com/viewer/p/SAP_POLICY_MANAGEMENT


    Overview of the Main Sections

    The Security Guide comprises the following main sections:

    Before You Start

    This section contains information about why security is necessary, how to use this document and references to other Security Guides that build the foundation for this Security Guide.

    Technical System Landscape

    This section provides an overview of the technical components and communication paths that are used by SAP Policy Management.

    Security Aspects of Data, Data Flow and Processes

    This section provides an overview of security aspects involved throughout the most widely-used processes within SAP Policy Management.

    User Administration and Authentication

    This section provides an overview of the following user administration and authentication aspects:

    o Recommended tools to use for user management
    o User types that are required by SAP Policy Management
    o Overview of how integration into Single Sign-On environments is possible

    Authorizations

    This section provides an overview of the authorization concept that applies to SAP Policy Management.

    Session Security Protection

    This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).

    Network and Communication Security

    This section provides an overview of the communication paths used by SAP Policy Management and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

    Application-Specific Virus Scan Profile (ABAP)

    This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.

    Data Storage Security

    This section provides an overview of any critical data that is used by SAP Policy Management and the security mechanisms that apply.

    Data Protection

    This section provides information about how SAP Policy Management protects personal or sensitive data.

    Security for Additional Applications

    This section provides securi