PLM Architecture

Published on June 2016 | Categories: Documents | Downloads: 36 | Comments: 0 | Views: 777
of 51
Download PDF   Embed   Report

Comments

Content

SAP Project and Portfolio Management Security Guide

SAP Project and Portfolio Management 4.00
Document Version 2.00 – May 2006

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, © Copyright 2006 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. These materials are subject to change without notice. These Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. Disclaimer UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Documentation on SAP Service Marketplace Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. You can find this documentation at
service.sap.com/instguidesNW04

and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Typographic Conventions
Type Style Example Text Represents Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation. Example text Emphasized words or phrases in body text, graphic titles, and table titles. Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon Meaning Caution Example Note Recommendation Syntax

EXAMPLE TEXT

Example text

Example text

<Example text>

EXAMPLE TEXT

SAP Project and Portfolio Management Security Guide

May 2006

Contents
1 2 3 SAP PROJECT AND PORTFOLIO MANAGEMENT SECURITY GUIDE........................ 1 TECHNICAL SYSTEM LANDSCAPE ............................................................................... 3 USER ADMINISTRATION AND AUTHENTICATION ....................................................... 4 3.1 3.2 3.3 3.4 4 User Management..................................................................................................... 5 User Management in cFolders .................................................................................. 6 Data Synchronization ................................................................................................ 8 Integration into SSO Environments........................................................................... 9

AUTHORIZATIONS ......................................................................................................... 10 4.1 4.2 Authorization Objects and Roles............................................................................. 11 Access Control Lists................................................................................................ 14

5

NETWORK AND COMMUNICATION SECURITY .......................................................... 17 5.1 5.2 Communication Channel Security........................................................................... 18 Network Security ..................................................................................................... 21 5.2.1 Internet Gateway Types and Setups ............................................................ 23 5.2.2 Scenario A: No Content Server .................................................................... 25 5.2.3 Scenario B: One Hidden Content Server ..................................................... 28 5.2.4 Scenario C: One Public Content Server (cFolders) ..................................... 30 5.2.5 Scenario D (cFolders) .................................................................................. 32 5.2.6 Scenario E (cFolders)................................................................................... 34 5.2.7 Additional Components (cFolders) ............................................................... 35 5.2.8 Integration with Back-End Systems (cFolders) ............................................ 36 5.2.9 Plug-In Security ............................................................................................ 38 Communication Destinations .................................................................................. 39

5.3 6 7 8

DATA STORAGE SECURITY ......................................................................................... 40 SECURITY FOR ADDITIONAL APPLICATIONS ........................................................... 41 MINIMAL INSTALLATION............................................................................................... 42 8.1 8.2 Browser Plug-In for File Handling ........................................................................... 44 ActiveX for Microsoft Project Integration................................................................. 45

9

OTHER SECURITY-RELEVANT INFORMATION .......................................................... 46

10 APPENDIX ....................................................................................................................... 47

SAP Project and Portfolio Management Security Guide

May 2006

1

SAP Project and Portfolio Management Security Guide
This guide is available in English only. It does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

About this Guide
SAP Project and Portfolio Management comprises cProjects, cFolders, and xRPM, all of which are based on the SAP Web Application Server (SAP Web AS). You should therefore take the security information for the SAP Web AS into consideration. This guide only describes the security information that differs from it, as well as additional security information. Related Security Guides Application SAP Web AS SAP Enterprise Portal Guide SAP Security Guide SAP Enterprise Portal Security Guide Most Relevant Sections or Specific Restrictions

Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security also apply to the SAP Project and Portfolio Management Security Guide. We provide this guide to assist you in securing SAP Project and Portfolio Management.

Target Groups
● ●

Technical consultants System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all time frames.

1

SAP Project and Portfolio Management Security Guide

May 2006

Important SAP Notes
Check regularly which SAP Notes are available about the security of the application.

SAP Note Number 216419 128447 517860 517484

Title Multi-Level Caching and Content Server Proxies Trusted/Trusting Systems Logging on to BSP Applications Inactive Services in the Internet Communication Framework

2

SAP Project and Portfolio Management Security Guide

May 2006

2

Technical System Landscape

The following table lists where you can find more information about the technical system landscape. More Information About the Technical System Landscape Topic Application and industryspecific components such as SAP Financials and SAP Retail, technology components such as SAP Web Application Server Security Guide/Tool Master Guide Quick Link to the SAP Service Marketplace instguides

security

3

SAP Project and Portfolio Management Security Guide

May 2006

3
● ● ● ●

User Administration and Authentication
User Management [Page 4] User Management in cFolders [Page 5] Data Synchronization [Page 8] Integration into SSO Environments [Page 8]

For an overview of user administration and authentication in SAP Project and Portfolio Management, see the following sections:

4

SAP Project and Portfolio Management Security Guide

May 2006

3.1

User Management

In cProjects, you use the SAP user administration of the SAP Web Application Server (SAP Web AS) to create all users. For more information about creating users in the SAP Web AS, see the SAP Library under SAP NetWeaver → Security → Identity Management → Users and Roles (BC-SEC-USR). In cFolders, you use the SAP user administration of the SAP Web AS to create at least one cFolders administrator who then has authorization to create individual users locally in the cFolders application. Alternatively, you can use central user administration with the SAP User Management Engine (SAP UME), or another central user administration tool. For more information, see User Management in cFolders [Page 5]. In xRPM, you can create users with the mySAP Human Resources (mySAP HR) integration scenario. You can make the relevant settings in Customizing for SAP xRPM under Global Customizing → Global Settings → Define Global Settings / Override Default Global Settings. For more information, see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Content for xPRM. In xRPM, you can also maintain users independently of the mySAP HR integration scenario using transaction RPMUSER. You can generate user names and passwords with the BADI RPM_CREATEUSR_NAME.

5

SAP Project and Portfolio Management Security Guide

May 2006

3.2
Tool

User Management in cFolders
Detailed Description SAP Library under SAP NetWeaver → Security (BC-SEC) → Identity Management → Users and Roles (BC-SECUSR) → User Maintenance Solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → User Administration in cFolders Solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Central User Management: Integration with SAP UME Prerequisites/Comment You need this transaction to create an initial cFolders administrator, that is, a user with the role “user administrator” (SAP_CFX_USER_ADMINISTRATOR). Thereafter, the use of this transaction is optional.

User Administration Tools

Transaction SU01 in the SAP Web Application Server (SAP Web AS)

Local user administration in the cFolders application

You have created a user with the role “user administrator” and set up the required roles for cFolders in the SAP Web AS.

Central user administration using SAP User Management Engine (SAP UME)

You have created a user with the role “user administrator” in the SAP Web AS.

Users and Passwords
The user with the role “user administrator” (SAP_CFX_ADMINISTRATOR) is responsible for creating users at the customer site. For more information about the roles used in cFolders, see Authorizations [Page 10].

No users are delivered with the software.

6

SAP Project and Portfolio Management Security Guide

May 2006

Individual Users
Individual users in cFolders are dialog users. However, with the exception of users with the role “user administrator”, individual users are not authorized to execute any transactions in the SAP Web AS. Their authorizations are limited to the cFolders application.

This applies to users with a cFolders role only. It is also possible to combine the cFolders roles with other existing authorization roles. In this case, the user may have authorization for transactions in the SAP Web AS. If you are using local user administration in the cFolders application, the user administrator creates individual users. The system then creates a password automatically for the initial logon and sends it to the user in an e-mail. Only user administrators are authorized to reset passwords and can see these functions in the cFolders system. If a password is reset, a new password is created automatically and sent to the user by e-mail. This session password is stored and encrypted as described in the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On.

You also need passwords in cFolders for the WebEx meeting service and the FTP box, both of which are optional functions. These passwords are managed by the cFolders application and are stored using the ABAP Secure Store mechanism, which is described in more detail in the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Secure Store and Forward Mechanisms (SSF) and Digital Signatures”. If you are using SAP UME, the UME system logs on to cFolders with a user with the role “user administrator” and creates the required users in cFolders. Users created in this way do not have a password in the cFolders system, but they need a mySAP.com logon ticket for the UME. For more information, see the following SAP Notes:
● ● ●

557350 - Generating SSO Tickets 701205 - EP6.0: Single Sign On using SAP Logon Tickets 550742 - FAQ: General Questions About Single Sign-On

Technical Users
In the standard cFolders scenario, no technical users are required. However, if you want to use the Supplier Relationship Management (SRM) integration, communication with the SRM system requires the service user “User ID in an RFC connection”. You set up this user when you configure a logical destination in transaction SM59 in the SAP Web AS. When you do this, you must provide a valid user ID and password, which enables the cFolders system to log on to the SRM system. The user ID of this user can be any valid cFolders ID. The password of the user is stored in the ABAP Secure Store mechanism, which is described in more detail in the SAP Web AS Security Guide in the section “Secure Store and Forward Mechanisms (SSF) and Digital Signatures”. For more information about the SRM integration, see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Integration with mySAP SRM.

7

SAP Project and Portfolio Management Security Guide

May 2006

3.3

Data Synchronization

cProjects, cFolders, and xRPM all use the standard SAP Web Application Server (SAP Web AS) procedure for user data synchronization.

In cProjects, you also have the option of integrating mySAP Human Resources (mySAP HR), which enables you to distribute the organizational plan (structure) in your company, including the employees, from mySAP HR to the cProjects system. If you also use Workforce Management Core (WFM Core), you can replicate data from the mySAP HR system to WFM Core. This enables you to select your resources according to their availability. For more information, see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Execution with cProjects → Configuration → Distributing SAP HR Master Data via ALE to cProjects. You can integrate xRPM with mySAP HR. For more information, see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Confent for xRPM → SAP Human Capital Management Integration.

8

SAP Project and Portfolio Management Security Guide

May 2006

3.4

Integration into SSO Environments

cProjects, cFolders, and xRPM are all based on HTTP Internet applications. Therefore, they support the logon mechanisms provided by the SAP Web Application Server (SAP Web AS). This means that they accept SAP logon tickets, as well as X.509 digital certificates. For more information, see the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “User Authentication”.

9

SAP Project and Portfolio Management Security Guide

May 2006

4


Authorizations
ABAP authorization objects and roles [Page 10] This is the standard method for controlling access to transactions and programs in an SAP ABAP system. Authorizations are combined in an authorization profile that is associated with a role. User administrators can then assign the corresponding roles via the user master record, so that the user can access the appropriate transactions for his or her tasks. For more information, see the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver ’04 Component Security Guides → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “SAP Authorization Concept”.


In cFolders, cProjects, and xRPM, authorizations are controlled in the following ways:

Access control lists [Page 13] These allow you to add another level of security by controlling authorization at object level. For example, who has authorization to change a particular project definition or collaboration.

In cProjects only, you can use two additional authorization mechanisms: • System administrators can grant access to objects via a BSP application. This is an exception to the normal process and is only used if the administrator of the object is not available due to illness, for example. The system sends the "new" and "old" administrators an e-mail to inform them of the new authorization holder. For more information, see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cProjects → Business Customizing → Granting Administration Authorization for an Object. In Customizing for cProjects, you can assign initial views for cProjects to a role. If you do not make an entry in Customizing, the user can access all initial views available for his or her role(s). For more information, see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cProjects → General Settings → Define Initial Views for cProjects.



10

SAP Project and Portfolio Management Security Guide

May 2006

4.1

Authorization Objects and Roles

You can maintain the following role authorizations in cFolders, cProjects, and xRPM using the SAP Profile Generator.

cFolders Roles
The following roles are delivered with cFolders: Role User (SAP_CFX_USER) Authorization Use cFolders in the Internet browser create collaborations, objects, status profiles and so on. Includes standard user authorizations (see SAP_CFX_USER) and authorization to start cFolders for the first time. In addition, authorization to create, change, and delete users, reset their passwords, and also assign all SAP_CFX* roles. Includes standard user authorizations (see SAP_CFX_USER) and authorization to change all network settings and release batch jobs (for status and e-mail notifications). Includes standard user authorizations (see SAP_CFX_USER) and authorization to maintain the features and appearance of cFolders (for example, reset system settings and languages). Includes standard user authorizations (see SAP_CFX_USER) and authorization to manage all collaborations, status profiles, and user groups.

User administrator (SAP_CFX_USER_ADMINISTRATOR)

Network administrator (SAP_CFX_NETWORK_ADMINISTRATOR)

cFolders administrator (SAP_CFX_CFOLDERS_ADMINISTRATOR)

Superuser (SAP_CFX_SUPER_USER_ADMIN)

Administrator (SAP_CFX_ADMINISTRATOR)

Includes standard user authorizations (see SAP_CFX_USER) and authorization to administer the cFolders application. Authorization to start the jobs for summary e-mails and reminder notifications for status management. Assigned automatically in the background when you create a system user. This role is not assigned to any actual users, it is just for the system user.

E-mail system user (SAP_CFX_EMAIL_SYSTEM_USER)

You can use these SAP standard roles or create your own, as required. These can include the SAP_CFX roles or you can define your own authorization objects.

Except for creating roles, you carry out all settings for cFolders in the cFolders application. There are no other Customizing activities to be carried out in the SAP Web AS.

11

SAP Project and Portfolio Management Security Guide

May 2006

cProjects Roles
The following single roles are delivered with cProjects: Role SAP_CPR_PROJECT_ADMINISTRATOR SAP_CPR_TEMPLATE_ADMINISTRATOR Authorization Create projects (project definitions). Create, change, read, and delete all templates in cProjects. Use cProjects, but no authorization to perform any activities in a particular project. To do this users need project-specific authorizations, which can be distributed either directly or through their assignment to a role. This role must be included in every cProjects composite role. The following composite roles are delivered with cProjects: Role SAP_CPR_DECISON_MAKER SAP_CPR_INTERESTED SAP_CPR_MEMBER SAP_CPR_PROJECT_LEAD Authorization cProjects decision maker. Contains the role SAP_CPR_USER. cProjects interested party. Contains the role SAP_CPR_USER. cProjects team member. Contains the role SAP_CPR_USER. cProjects project manager. Contains the role SAP_CPR_PROJECT_ADMINISTRATOR and SAP_CPR_USER cProjects template responsible. Contains the roles SAP_CPR_TEMPLATE_ADMINISTRATOR and SAP_CPR_USER

SAP_CPR_USER

SAP_CPR_TEMPLATE_RESPONSIBLE

You can use these SAP standard roles or create your own. For more information see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Settings → SAP cProject Suite 4.00 → General Settings → Activating Single Roles for cProjects and Creating Roles for the Project-Specific Authorization Checks.

In cProjects, you carry out Customizing activities in the SAP Web AS. Only system administrators, that is, users with the authorization profile SAP_ALL, are authorized to carry out Customizing for cProjects.

xRPM Roles
In the xRPM frontend application, SAP delivers one portal role (Portfolio Manager) and three subordinate roles. For more information about the front-end roles, see the Business Package for Project, Portfolio Management and Design Collaboration 4.0 in the SAP Library under SAP xApps → SAP xApp Resource and Portfolio Management.

12

SAP Project and Portfolio Management Security Guide

May 2006

In the xRPM back-end system, SAP delivers the following roles: Roles SAP_XRPM_ADMINISTRATOR Authorization Superuser authorization in xRPM. Used to create new portfolios. This role also provides the assigned user full access to all xRPM business objects in the system. General xRPM user. All users should be assigned this role. Has general authorizations to use xRPM, but no specific object access. This access must be assigned to the user via ACLs.

SAP_XRPM_USER

You can use these SAP standard roles or create your own. For more information about roles in xRPM, see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Content for xRPM.

13

SAP Project and Portfolio Management Security Guide

May 2006

4.2


Access Control Lists
Objects in cFolders are: collaborations, areas, folders, documents, status profiles, and user groups. There are six authorization activities: read, write, create, administration, delete, and none. It is also possible to create authorizations that depend on the status of an object. Authorization can be granted to users, user groups, and roles. Objects in cProjects are: project definitions, phases, tasks, checklists, checklist items, project roles, and documents. There are four general authorization activities: no authorization, admin, write, and read. There are three authorization activities for project definitions only: evaluate, resource management, and accounting. Staffing management and candidate management are also available for project roles. Authorization can be granted to users, user groups, HR organizational units, and roles. Objects in xRPM are: portfolios, buckets, items, reviews, collections. There are four general authorization activities: no authorization, admin, write, and read. There is one additional activity: owner. This activity simply documents that the user assigned is the person with business ownership of the specified object.

Access control lists (ACLs) in cFolders, cProjects, and xRPM are used to define authorizations at object level.





The administrator (creator) of the individual object maintains the ACLs. The first administrator can define additional administrators, or give write or read authorization, for example, to other users. The transition from role-based authorization to ACLs is as follows: If you have authorization to create an object, for example a collaboration or a project definition, as defined by your SAP role (see Authorization Objects and Roles in the cProject Suite [Page 10]), you are automatically the ACL administrator for the object you create. You can then add other users to the ACL list. For more information, see the SAP Library under mySAP Business Suite → mySAP Product Lifecycle Management → SAP cProject Suite →
● ●

Collaboration Folders (cFolders) → Authorizations [Extern] Collaboration Projects (cProjects) → Authorizations [Extern]

See also the section below, “Authorization Check”.

Superusers
cFolders and cProjects both have a superuser concept that overrides ACL authorizations. For more information, see the solution management content for:


cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cProjects → Business Customizing → Granting Administration Authorization for an Object. cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cProjects → Business Customizing → Setting Up Administrators for cFolders.



Users who have the SAP_ALL authorization profile, which is generated automatically, also have the superuser role.

14

SAP Project and Portfolio Management Security Guide

May 2006

Authorization Check in cProject Suite
Prerequisites
You have implemented SAP Notes 688997 and 788139.

Authorization Check Sequence for cProjects and cFolders
Authorizations for an object are inherited from top to bottom in the project hierarchy (cProjects) and in the collaboration hierarchy (cFolders). They can also be assigned explicitly to each object. When the system carries out an authorization check, it first analyzes direct authorizations to an object and if none exist, it checks whether there is an inherited authorization. The system executes this process for the different authorization holders until an authorization is found. The system checks the authorization holders in the following order: 1. Users 2. User groups 3. Organizational units (cProjects only) 4. Roles Individual users take precedence over user groups, user groups take precedence over roles, and so on. This also applies to inherited authorizations. This means that, for example, a user’s inherited authorization takes precedence over a user group’s direct authorization. If a user is assigned to an object, for example, via several user groups, the most extensive authorization is valid.

A user is assigned to user groups A and B simultaneously. User group A has read authorization for a project definition, and user group B has write authorization for the same project definition. The user therefore has write authorization for the project definition.

Additional Information on ACLs in xRPM
You can either assign authorizations directly to a user or the user inherits them from parent business objects. Authorizations that are directly assigned always override inherited authorizations. The following hierarchy is used to determine authorization inheritance:
● ● ● ● ●

Portfolio → Bucket Bucket → Bucket Bucket → Item Bucket → Review Bucket → Collection

The following activities are supported on the above business objects:
● ●

None: The user to which this activity is assigned has no authorization for the business object. Read: The user to which this activity is assigned has authorization to read the data of the specified business object.

15

SAP Project and Portfolio Management Security Guide

May 2006

● ●

Write: The user to which this activity is assigned has read authorization and also has authorization to change the data of the specified business object. Admin: The user to which this activity is assigned has write authorization. He or she also has authorization to assign ACLs to other users for the business object, and can perform the additional activities specific to the following business objects: ○ ○ Portfolio: Create/delete and administer all business objects below the portfolio. Bucket: Create/delete and administer items, reviews and collections assigned to the specific bucket. Reassign items to other buckets for which the user also has administrative access.



Owner: The user to which this activity is assigned is identified as the business owner or responsible person of the specified business object. This activity is a purely informative activity and provides no specific authorizations for the business object.

16

SAP Project and Portfolio Management Security Guide

May 2006

5

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level), or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines. The network topology for SAP Project and Portfolio Management is based on the topology used by the SAP Web Application Server. Therefore, the security guidelines and recommendations described in the SAP Web AS Security Guide also apply to SAP Project and Portfolio Management. Details that specifically apply to SAP Project and Portfolio Management are described in the following topics:
● ● ●

Communication Channel Security [Page 17] Network Security [Page 21] Communication Destinations [Page 38]

17

SAP Project and Portfolio Management Security Guide

May 2006

5.1

Communication Channel Security
Communication Technology HTTP(S) Scenario cFolders and cProjects Data Transferred Files, metadata, and user data (passwords, user names) Comment/Security Recommendation

cProject Suite Communication Channel Security Communication Channel cFolders or cProjects front end (browser) to the SAP Web Application Server (SAP Web AS) WebDAV interface

HTTP(S) with WebDAV extension

cFolders and cProjects

Files and metadata

WebDAV interface is used to connect the KM repository, and also front-end WebDAV clients

cFolders or cProjects front end (browser) to content or cache servers SAP Web AS to content or cache servers

HTTP(S)

cFolders and cProjects

Files

HTTP(S)

cFolders and cProjects

Metadata, files

Back-end systems (PLM cFolders Add-On, for example) to cFolders or cProjects front end (browser)

RFC

cFolders

Metadata, files

The cFolders backend integration calls the cFolders system from the back end. Possible back ends are: SAP PLM 4.6C and higher, or the cProjects application. In both cases, the back end always calls cFolders, cFolders never calls back.

SAP Web AS to other application servers (for example, SRM, HR, CO)

RFC

cFolders and cProjects

Metadata, files

For the SRM scenario, cFolders calls the SRM server using a technical user. If the cFolders system and the SRM system are located in different network segments, a SAP router can be used to secure the communication.

18

SAP Project and Portfolio Management Security Guide

May 2006

cProjects communicates with 3rd party or SAP systems to obtain or create information on object links between cProjects and objects located in the 3rd party/SAP system. Possible SAP systems are: SAP R/3 4.6C and higher. The communication to 3rd party systems has to be implemented at the customer site. The 3rd party/SAP system never calls back. For more information, see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Planning with cProjects → Setting Up Object Links. cProjects front end to cFolders front end cProjects Web AS to SRM via SAP XI RFC cProjects Metadata, files cProjects calls cFolders, cFolders never calls back.

HTTP(S)

cProjects

Metadata

In cFolders, HTTP(S) is also used to communicate with the ECL viewer, which is a front-end installation, and the WebEx meeting service, which is an external third-party system used for online meetings.

In cFolders, new users receive their user IDs and passwords by e-mail. Since emails are potentially unsafe, this mechanism can be switched off in cFolders. The user administrator then has to communicate this information to the user by other means. For more information, see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProjects 4.00 → Basic Settings for cFolders → System Connections → System Configuration for Accessing cFolders → Enabling E-Mails for cFolders. For information about security measures when using HTTP(S) in the cProject Suite, see Network Security [Page 21].

19

SAP Project and Portfolio Management Security Guide

May 2006

xRPM Communication Channel Security Communication Channel xRPM core on the Web AS to the SAP Enterprise Portal xRPM core on the Web AS to SAP cProjects xRPM core on the Web AS to SAP PLM PS xRPM core on the Web AS to SAP HCM xRPM core on the Web AS to SAP BW on the Web AS xRPM core on the Web AS to Microsoft Project xRPM core on the Web AS to SAP Content Management, SAP Workflow, SAP Collaboration Room, xRPM core on the Web AS to SAP xApp Product Definition xRPM core on the Web AS to SAP FI/CO Communication Technology HTTP JCo RFC RFC / HTTP Data Transferred Files, metadata, and user data (passwords, user names) Files, metadata Comment Security Recommendation

RFC

Files, metadata

SAP ALE RFC

Files, metadata

ALE RFC

Files, metadata

HTTP / SSL

Files, metadata, and user data (passwords, user names) Files, metadata

RFC

RFC / HTTP

Files, metadata

RFC / ALE

Files, metadata

For information about security measures when using RFC communication channels, see the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Protecting Your Productive System (Change and Transport System)”.

20

SAP Project and Portfolio Management Security Guide

May 2006

5.2

Network Security

cProject Suite
SAP supports three installation variants for the cProject Suite:
● ●

Installation of cFolders and cProjects within the intranet For internal collaboration only. Installation of cFolders and cProjects outside the intranet (usually DMZ/demilitarized zone) Mainly for external collaboration. This installation is not recommended by SAP for security reasons. Installation of cFolders outside the intranet (usually DMZ/demilitarized zone) and cProjects within the intranet This scenario is highly recommended by SAP. It should be chosen if cProjects is being used for internal project management and cFolders for secure collaboration with external partners.



The term DMZ is used here in a very general way. More precisely, cFolders or cProjects should be installed in a different network segment to the intranet, which is easier to reach from the Internet. Usually only reverse proxies and firewalls are located in the DMZ itself. For more information, see the Master Guide for mySAP PLM Using cProject Suite 4.00 on SAP Service Marketplace at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP PLM → using cProject Suite 4.00 → cProject Suite 4.00: Master Guide in the “Technical Implementation” section.

Installation Scenarios
All the following installation scenarios can be used for cFolders. Scenarios A and B only can be used for cProjects:
● ● ● ● ●

Scenario A: no content server [Page 24] Scenario B: one hidden content server [Page 27] Scenario C: one public content server [Page 29] Scenario D: content servers in different locations, one Internet gateway or multiple Internet gateways [Page 31] Scenario E: installation of cFolders 4.00 on top of ECC 6.00 [Page 33]

Installation scenario B, with one hidden content server, is the installation scenario with the highest level of security.

In cFolders and cProjects, there is no fixed port for communication and the firewall settings described in the SAP Web AS Security Guide apply. For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Network Security for SAP Web AS ABAP”.

21

SAP Project and Portfolio Management Security Guide

May 2006

See also:
● ● ● ● ●

Internet Gateway Types and Setups [Page 22] Additional Components (cFolders) [Page 34] Integration with Back-End Systems (cFolders) [Page 35] Plug-In Security [Page 37]

xRPM
For information about network security for xRPM, see the Security Guide for the Web Application Server.

22

SAP Project and Portfolio Management Security Guide

May 2006

5.2.1

Internet Gateway Types and Setups

cFolders and cProjects are Internet scenarios, therefore, the base server must be accessible not only to intranet (or internal) users, but also to Internet (or external) users all over the world. To protect the base server from malicious attacks and distorted requests, several standard Internet security components can be installed in front of the server, forming an Internet gateway. Some of these components, such as the SAP Web Dispatcher or the built-in features in the SAP Web Application Server (SAP Web AS), are from SAP, while other components like reverse proxies or hardware load balancers are non-SAP products. There are many components such as these in existence, which can be used alone or in conjunction with one another. This makes it impossible to recommend the best solution: it always depends on company policy, the existing server landscape, and individual security requirements. In general, Internet gateway architecture consists of the following:
● ●

Outer firewall: restricts HTTP requests to allowed ports and protocols, for example, only HTTPS requests on port 443 are allowed, everything else is blocked. Application proxies: servers without their own built-in logic, which accept requests, analyze them in terms of security rules, and route the requests towards the real application server. Reverse proxies or the SAP Web Dispatcher are types of application proxies. Inner firewall: restricts connections at IP level and checks the communication on TCP/IP low-level session handling.



The following figures show two typical types of Internet gateway. The first one consists completely of non-SAP components, the second introduces the SAP Web Dispatcher for loadbalancing purposes (this is unnecessary if there is only one application server).

These or similar types of Internet gateways must be placed in front of every HTTP server that can be accessed from the Internet. However, one Internet gateway can be used for several servers because the load on the Internet gateway is not high.

23

SAP Project and Portfolio Management Security Guide

May 2006

Directed HTTP Calls
HTTP required HTTP optional

TCP Subnet No. 1 TCP Session Handling

Port Filter (80/443)

Server No. 1
cFolders or cProjects + User Management

External Location

Reverse Proxy
e.g. Apache Web server on a Linux machine (can handle load for many servers)

Internet Explorer FIREWALL No.1

TCP Subnet No. 2 FIREWALL No. 2

Server No. 2
Content Server - if public

Internet Gateway

Internet Gateway Architecture with Non-SAP Components
Directed HTTP Calls HTTP required HTTP optional

TCP Subnet No. 1 TCP Session Handling App. Server 1

Port Filter (80/443)

Web Dispatcher

External Location

Reverse Proxy
e.g. Apache Web server on a Linux machine (can handle load for many servers)

Internet Explorer FIREWALL No.1

(Load Balancing)

App. Server 2

TCP Subnet No. 2 FIREWALL No. 2 Server No. 2
Content Server - if public

Internet Gateway

Internet Gateway Architecture with the SAP Web Dispatcher

24

SAP Project and Portfolio Management Security Guide

May 2006

5.2.2

Scenario A: No Content Server

In scenario A, the complete installation consists only of the cFolders or cProjects server (SAP Web AS).


For cFolders, this server is designed to be placed in the demilitarized zone (DMZ) of company networks. The server must be placed inside the DMZ and should also be placed inside its own Internet Protocol (IP) subnet. For more information, see Definition of a Subnet [Page 26]. For cProjects, the server is located in the intranet.



Directed HTTP Calls HTTP required

Internet Gateway Firewalls, Reverse Proxy, SAP Web Dispatcher

Location 1 SUBNET Internet Explorer

External Location Internet Explorer

SAP Web AS (cFolders)

Location 2 Internet Explorer

Internet

DMZ

FIREWALL Intranet Border

Intranet

Scenario A: cFolders

25

SAP Project and Portfolio Management Security Guide

May 2006

Directed HTTP Calls HTTP required

Location 1

Internet Explorer

SAP Web AS (cProjects)

Location 2

Internet Explorer

Intranet

Scenario A: cProjects

26

SAP Project and Portfolio Management Security Guide

May 2006

5.2.2.1

Definition of a Subnet

A subnet is an IP address range from which no other IP or Domain Name System (DNS) addresses that are located outside the network segment of the subnet can be reached. The implied consequences of this are as follows:
● ●

You cannot reach external addresses from inside the subnet without the explicit use of proxy technology. With proxies between the subnet and external addresses, each access can be controlled at IP number level. This means that you can explicitly allow communication between IP 111.111.111.111 from inside the subnet to the address 222.222.222.222 outside the subnet, but to no other address worldwide. In particular, you can ensure that even if a server inside the subnet is hacked and conquered by an external hacker and this server is under complete control of the external hacker, the hacker cannot influence any other system outside the subnet. If there is no other server inside the subnet, it is impossible to gain access to any other system.



An important rule for network security states that HTTP calls should only be allowed from network areas with a high security level to network areas with the same or a lower security level, never the other way around. This means that a call from the intranet (high security) to a server in the DMZ (lower security) is acceptable. Without the subnet, however, the rule would be violated for the external user, because the extranet has the lowest security level. The introduction of the IP subnet is therefore recommended because it creates an isolated IP range that can be considered as an artificial area with an even lower level of security. Another reason for the subnet in the DMZ around the cFolders server (see figure Scenario A: cFolders [Page 24]) has already been mentioned: protection of other servers that already exist in the DMZ. A company usually places all servers that are accessible from the Internet inside the DMZ. This leads to a network area with several servers, one of which would be the cFolders server. By placing it, or even better, each DMZ server, in its own subnet, they are separated from each other on a low network level. You can ensure that the transferred metadata and files are secure by using Secure Sockets Layer (SSL) technology. The SAP Web AS can be configured in such a way that it only allows HTTPS connections, and no HTTP connections. This is a requirement for the external user. The internal user could use HTTP, but in this case, you must ensure that the external user can only use the HTTPS address and not the HTTP address. You can achieve this by configuring the external firewall to allow access only via HTTPS to the IP addresses of the subnet in which the cFolders server is located.

27

SAP Project and Portfolio Management Security Guide

May 2006

5.2.3


Scenario B: One Hidden Content Server

In the second type of installation, one content server is added to the network environment. For cFolders, the addition of a content server does not affect the security of the SAP Web AS server because they are located in different subnets [Page 24]. This scenario is even more secure than the SAP Web AS itself, because the content server is also placed in its own subnet and the gateway between the SAP Web AS subnet and the content server subnet can be controlled using a separate proxy, possibly with embedded firewall technology. If you do not want to use two subnets with a proxy between them, the content server can also be placed inside the SAP Web AS subnet. As already explained, the SAP Web AS can communicate without any restrictions with other servers inside its subnet, on the same security level. This configuration is easier to maintain and almost as secure as the extended configuration. A proper firewall configuration between the extranet and DMZ must then allow access only to the SAP Web AS, and not to the content server.


For cProjects, the SAP Web AS and the content server are both located in the intranet.

Directed HTTP Calls HTTP required

SUBNET

Location 1 Internet Explorer

External Location

SAP Web AS (cFolders)

Internet Explorer SUBNET Internet Gateway Content Server FIREWALL Intranet Border

Location 2

Internet Explorer

Internet

DMZ

Intranet

Scenario B: cFolders

28

SAP Project and Portfolio Management Security Guide

May 2006

Directed HTTP Calls HTTP required

Location 1 SAP Web AS (cProjects) Internet Explorer

Location 2

Content Server

Internet Explorer

Intranet
Scenario B: cProjects

29

SAP Project and Portfolio Management Security Guide

May 2006

5.2.4

Scenario C: One Public Content Server (cFolders)

In scenario C, a content server that is accessible from the Internet and/or the intranet is added to the network environment:
Directed HTTP Calls HTTP required HTTP optional

SUBNET

Location 1

External Location

SAP Web AS (cFolders)

Internet Explorer

Internet Explorer

Location 2

Internet Gateway

Content Server

Internet

DMZ

FIREWALL Intranet Border

Internet Explorer

Intranet

Scenario C: One Public Content Server If you configure the external firewall to allow direct access to both the SAP Web AS and the content server, you end up with two servers that can be accessed by external users. The consequences are as follows:
● ● ●

One subnet for both servers is sufficient. Both can be reached by external users, which means that they are on exactly the same security level. External access to each server must only be possible using HTTPS, not HTTP. Access by internal users causes no security problems.

At this point, it is important to understand that the SAP Web AS and the content server use totally different HTTP technologies. The SAP Web AS is a completely new server designed for Internet use, and so far, no known attack by a hacker has succeeded. The content server runs as a Microsoft Internet Server API (ISAPI) extension to a Microsoft Internet Information Server (IIS). Since IIS is a very popular product, it has been the target of many hostile attacks. The installation of all relevant security patches for the IIS is therefore highly recommended. Another big difference between the SAP Web AS and the content server is that access to the cFolders server (SAP Web AS) requires user authentication by login or X509 certificates. Access to the content server, however, does not require authentication by user login. User authentication for the content server (and cache server) relies on signed URLs, which consists of two elements: normal parameters and authentication. As a result, the URL is quite long: a signed URL can have more than 700 characters. A signed URL for content server access must be created from the cFolders server. In cFolders, you usually never see these URLs. If a user opens a file, they are created on demand in the cFolders server. The signed part of the URL contains a digital signature that

30

SAP Project and Portfolio Management Security Guide

May 2006

repeats the unsigned parameters and allows the content server to check whether the URL has been properly identified by the cFolders server. The URL also contains a time stamp (default: 2 hours). To access a file from the content server the following steps are required: Download: 5. Logon to the cFolders server (SAP Web AS) with strong user authentication. 6. User navigates in cFolders and wants to read a file (download). 7. cFolders creates a signed URL that can be used in a HTTP GET request to the content server. The URL is only valid for 2 hours. The upload procedure is similar:
...

1. Logon to the cFolders server (SAP Web AS) with strong user authentication. 2. User navigates in cFolders and wants to create a document. 3. cFolders creates a signed URL that can be used in a HTTP POST request to the content server. The URL is only valid for 2 hours. Furthermore, it can only be used once, which means that you can only create the document once within a time frame of two hours.

31

SAP Project and Portfolio Management Security Guide

May 2006

5.2.5

Scenario D (cFolders)

Scenario D can be split into two main sub-scenarios, depending on the number of Internet gateways between the intranet/demilitarized zone (DMZ) and the extranet. In terms of security, D1 and D2 are identical.
Directed HTTP Calls HTTP required HTTP optional

SUBNET
SAP Web AS (cFolders)

Location 1
Content Server Cache Server

External Location

Internet Explorer

Internet Explorer SUBNET Internet Gateway
Cache Server

FIREWALL Intranet Border

Location 2

Internet

Content Server

Internet Explorer

DMZ

Intranet

Scenario D1
Directed HTTP Calls HTTP required HTTP optional

SUBNET
SAP Web AS (cFolders)

Location 1 Internet Explorer

Internet Gateway

FIREWALL Intranet Border

Internet Explorer

Content Server

Cache Server

External Location 1

Internet Gateway

External Location 2

SUBNET
Cache Server

Location 2 (with its own Internet Gateway)

Internet Explorer

Content Server

Internet Explorer

Internet

DMZ

Intranet

Scenario D2

32

SAP Project and Portfolio Management Security Guide

May 2006

The security problem in this scenario (D1 and D2) is caused by placing the internal content/cache servers in the intranet. Instead of doing this, you might consider the configuration shown for location two in the figures above.

If you have a DMZ at a location, this does not necessarily mean that you also have an Internet gateway. In general, DMZ only implies that you cannot reach intranet addresses from DMZ servers, but the other way around (Intranet → DMZ) does not cause any problems. If you really need to put the content server inside the intranet, make sure that you introduce subnets and control the IP routing by using the appropriate proxies. For information on configuring proxies, see SAP Note 216419.

33

SAP Project and Portfolio Management Security Guide

May 2006

5.2.6

Scenario E (cFolders)

In scenario E, the complete installation consists only of one server with cFolders installed on ECC.

Location 1 SUBNET Internet Explorer

cFolders 4.00 (on ECC 6.00)

Location 2 Internet Explorer

Intranet

SAP generally recommends variant E only for internal collaboration with cFolders 4.00, as both cFolders 4.00 and ECC 6.00 are situated in the intranet. Access to cFolders by external users in this scenario would result in access to the intranet by external users. However, placing the whole system (ECC 6.00 with cFolders 4.00 on top) into the inner DMZ would enable - for access from the extranet - a higher level of security than allowing extranet access to a system (ECC 6.00 with cFolders 4.00 on top) in the intranet. For more information, see the SAP NetWeaver Security Guide, section “Using Multiple Network Zones” on the SAP Help Portal at help.sap.com under SAP NetWeaver → SAP NetWeaver 2004s SPS 07 → English → SAP NetWeaver Library → Administrator’s Guide → SAP NetWeaver Security Guide → Network and Communication Security → Using Firewall Systems for Access Control → Using Multiple Network Zones. SAP Consulting can offer billable support for risk evaluation.

34

SAP Project and Portfolio Management Security Guide

May 2006

5.2.7

Additional Components (cFolders)

The security of additional cFolders components does not depend on the number of content servers in other network segments. Therefore, these components are summarized in a small installation of type A:
Directed HTTP Calls HTTP required FTP, Mail (optional)

Location 1 HTTP(s) to WebEx WebEx Site SUBNET Internet Explorer

Internet Gateway

External Location Internet Explorer

SAP Web AS (cFolders) FIREWALL Intranet Border

Location 2 Internet Explorer

Mail Gateway

FTP Box

Internet

DMZ

Intranet

Additional Components in cFolders The security of the additional components can be considered uncritical. The mail server and FTP server are never directly accessed by users, especially not by external users. This means that it is sufficient to put the additional components in the same subnet as the cFolders server (SAP Web AS), which means they have at least the same security level. There is one default case where the SAP Web AS acts as a HTTP client and makes external HTTP calls: the SAP WebEx demo site. This only occurs in cFolders demo installations. Productive installations communicate with the WebEx service only by being redirected via the user’s browser.

35

SAP Project and Portfolio Management Security Guide

May 2006

5.2.8

Integration with Back-End Systems (cFolders)

cFolders has two official SAP back-end systems: the cFolders back-end add-on for 4.6B and 4.6C systems, and the cProjects application. Both systems are typically located in the intranet zone. Communication between the back-end system(s) and the cFolders server (SAP Web AS) is relevant to security because the cFolders server is located in the demilitarized zone (DMZ). The network environment looks like this:
HTTP(s) Calls RFC Calls External Location SUBNET Internet Explorer

Internet Explorer

SAP Router (Optional)

SAP Web Application Server (cFolders)

cProjects 2.00 (Direct RFC Integration)

FIREWALL 2 Intranet Border

Internet

FIREWALL 1

4.6 PLM + cFolders Back-End Add-On

DMZ

Back-End Integration

Both types of back-end system use SAP’s own protocol “RFC” to communicate, rather than HTTP. However, the user also uses the Internet Explorer browser to control the results, which means that he or she also needs a HTTP(S) connection between the intranet and the DMZ. For more information, see Scenario A: No Content Server [Page 24]. In both cases, the direction of communication is from the intranet to the DMZ, that is, from a zone with a high level of security to a zone with a lower level of security. For this configuration, no additional network security is needed. However, if your network policy demands additional control over communication, this can be achieved by using an SAP router, which allows you to control the RFC communication in detail. In particular it allows you to restrict calls to certain IP addresses. The cFolders server never calls the back-end system, the back-end system always calls the cFolders server. A trusted-trusting system relationship between the cFolders server in the DMZ and the back end in the intranet is the most likely scenario. This allows Single Sign-On (SSO) for RFC connections and HTTP(S). While the trusted-trusting relationship between cFolders and the back end is being set up, an RFC connection must be opened from the cFolders server to the back end. This means that the intranet firewall must allow a temporary connection from the outside to the inside for the RFC. This connection can be shut down after the system relationship has been set up; it is only needed for exchanging system certificates. However, if you do not want to open the firewall temporarily, you can move the cFolders server to the intranet, establish the connection, set up the trusted-trusting relationship, and then move the

36

SAP Project and Portfolio Management Security Guide

May 2006

cFolders system back into the DMZ. The easiest time to do this is when the systems are being set up initially.

37

SAP Project and Portfolio Management Security Guide

May 2006

5.2.9

Plug-In Security

The plug-in used in cFolders, which is also referred to as the “Easyedit” plug-in, is an applet that provides more convenient file handling than the usual HTML methods. The applet is located on some HTML pages and communicates via HTTP(S) with the cFolders server (SAP Web AS) and, optionally, with content servers. This means that in terms of server security, no additional network configuration is required to enable the applet, because it only uses the same HTTP(S) connections as the cFolders application. It is, however, important to understand that this plug-in is executed on the front end and that it requests extended authorizations from the user during runtime. In particular, it needs permission to read and write files to the local file system and permission to execute them. To be able to do this, the applet has two versions: the first is digitally signed with the official SAP signature for the Microsoft Java Virtual Machine (JVM) and the second for use with the SUN plug-in JVM. With the intact official signature, SAP guarantees that the applet, as provided, has not been changed or modified in any way. To accept the applet‘s signature, the public key of the signature must be imported to the browser. Without this, the browser displays a security warning. To prevent this from being displayed in the future, activate the Always trust content from SAP AG indicator.

38

SAP Project and Portfolio Management Security Guide

May 2006

5.3

Communication Destinations

For the default cFolders and cProjects scenarios, no RFC destination is required. However, if you are using the cFolders or cProjects application programming interfaces (APIs) via the SOAP wrapper, the APIs consist of RFC function modules. The cFolders APIs are required for:
● ● ● ● ● ● ●

Back-end integration SRM integration Collaboration room integration Enterprise Portal Knowledge management integration cProjects integration ECL viewer

The cProjects APIs are required for:
● ● ● ● ● ●

Knowledge management integration Enterprise Portal cFolders integration Object links to SAP R/3 or mySAP ERP Workforce Management Core integration (only if it is run on an external system) mySAP HR integration

If a user needs to use the APIs they must have the basic RFC authorization for the relevant API function modules. The SOAP wrapper adheres to the authorization rules that apply if the RFC module is called directly. The function group names are as follows:
● ●

For cFolders: CFX_API For cProjects: CPR_API

To view the application-specific and basis authorization objects used in cProjects and cFolders, see the roles [Page 10] used for each scenario.

In cFolders, for example, all relevant authorization objects are assigned to the role SAP_CFX_ADMINISTRATOR and can be viewed using transaction PFCG in the SAP Web Application Server (SAP Web AS). For more information about authorization objects and roles, see the SAP Web AS Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “SAP Authorization Concept”.

39

SAP Project and Portfolio Management Security Guide

May 2006

6

Data Storage Security

cProject Suite
In both cFolders and cProjects, data is mainly stored on the SAP Web Application Server (SAP Web AS) database. An exception to this is when files are checked out for editing. In this case, files are stored locally on the user’s hard drive and it is their responsibility to protect the files according to company security policy. Depending on which installation scenario you have chosen for cFolders or cProjects, files might also be stored on content servers. For information about security measures to be taken in this case, see Network Security [Page 21].

In the default setting for cFolders and cProjects, data is protected using the ACL concept already described in Authorizations [Page 10]. A Web browser is required for both scenarios. However, no cookies are used to store data on the front end. In cFolders only, some settings are made using WebDAV access to XML files that are stored on the SAP Web AS database. As these XML files may contain sensitive data, you have the option of switching off WebDAV access. For more information, see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Changing cFolders Standard Settings Using WebDAV.

xRPM
In xRPM, data is stored on the SAP Web Application Server (SAP Web AS) database.

40

SAP Project and Portfolio Management Security Guide

May 2006

7

Security for Additional Applications

cProject Suite
cFolders
cFolders uses the ECL viewer for viewing and redlining graphical formats. The ECL viewer is installed on the front end (browser) and therefore HTTP(S) is also used to communicate with the ECL viewer. The same security measures as for communication to and from the front end apply. For more information about security measures for HTTP(S) and RFC communication, see Communication Channel Security [Page 17]. Certain types of information can be automatically sent to users by e-mail, for example, information about a change to an object, or logon information for new users. Since e-mails are potentially unsafe, all e-mails except those containing logon information contain uncritical information. You can switch off the mechanism for sending logon mails, as described in the solution management content for cFolders under Solutions → mySAP PLM → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders.

cProjects
When transferring projects to Microsoft ® Project only the information for which the user has at least read authorization is transferred. The protection of this downloaded data is not part of the cProjects security model. When the user saves the project to his or her hard drive, the system does not perform an authorization check if somebody else opens the project again in Microsoft Project.

xRPM
For the Microsoft Project Server Integration, a Project Data Services (PDS) extender is required to support the integration with xRPM. This extender is available on the SAP Developer Network (SDN).

41

SAP Project and Portfolio Management Security Guide

May 2006

8

Minimal Installation

cFolders
The minimal installation for cFolders is Scenario A: No Content Server [Page 24]. The following functions in cFolders are optional and can be activated if required:


WebDAV access: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Changing cFolders Standard Settings Using WebDAV. E-mails for sending information: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders. Back-end integration: see the SAP Library under mySAP Business Suite → mySAP Product Lifecycle Management → SAP cProject Suite → Collaboration Folders (cFolders) → cFolders Back-End Integration [Extern]. SRM integration: see the the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Integration with mySAP SRM. ECL viewer: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders. WebEX: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Configuring the WebEX Meeting Service.











RFC access is required for back-end integration and SRM integration. To allow a user to access these functions it is necessary to assign the authorization object S_RFC in his or her user profile.

cProjects
The minimal installation for cProjects is Scenario A: No Content Server [Page 24]. The following functions are optional and can be activated if required:


Microsoft ® Project integration: see Customizing for Collaboration Projects under Connection to External Systems → Microsoft Project Integration → Assign Fields. Access to Microsoft Project is controlled by the use of an ActiveX control [Page 44]. The control has to be accepted by the user on the front end PC.



mySAP HR integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Resource and Time Management with cProjects → Distributing SAP HR Master Data via ALE to cProjects. WFM Core integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes



42

SAP Project and Portfolio Management Security Guide

May 2006

→ Resource and Time Management with cProjects → Connecting Workforce Management Core.


cFolders integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Execution with cProjects → Preparing Integration with cFolders. Accounting integration: see the solution management content for cProjects under Organizational Areas → Financials → Business Processes → Project Accounting with cProjects → Defining Settings for Accounting Integration. Object links to xPD application: see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cProjects → System Connections → Making Settings for xPD Integration.





RFC access is required for mySAP HR integration, WFM Core integration (if it is run on an external system), and cFolders integration. To allow a user to access these functions it is necessary to assign the authorization object S_RFC in his or her user profile.

xRPM
Information to follow.

43

SAP Project and Portfolio Management Security Guide

May 2006

8.1

Browser Plug-In for File Handling

In both cFolders and cProjects, you have the option of using a browser plug-in (java-based applet), which enables user-friendly file handling when checking documents in and out. Without this, files can still be edited using plain HTML, however, this is not as easy to use. Using the applet does not change the security level on the server, because the applet only automates some HTTP calls. However, the end user must accept a signed applet on the front end. This is a zero-footprint step that must be confirmed for each browser session, unless the user accepts the digital certificate. For more information, see Plug-In Security [Page 37].

44

SAP Project and Portfolio Management Security Guide

May 2006

8.2

ActiveX for Microsoft Project Integration

cProjects
cProjects provides an ActiveX control for communication with Microsoft ® Project. The ActiveX is located on some HTML pages and communicates via HTTP(S) with the cProjects server (SAP Web AS) and directly with the Microsoft Project DOM API. This means that in terms of server security, no additional network configuration is required to enable ActiveX, because it uses the same HTTP(S) connections as the cProjects application. The ActiveX control does not access any resources on the front end, other than via the MS Project application. The ActiveX is digitally signed with the official SAP signature. With the intact official signature, SAP guarantees that the ActiveX, as provided, has not been changed or modified in any way.

ActiveX must be installed once only, the first time you use the integration of Microsoft Project. This occurs automatically in the Internet Explorer. Subsequent calls to the integration then reuse the installed ActiveX. However, you can activate or deactivate the download and execution of ActiveX components in the standard Internet Explorer browser settings (local front-end settings). If you cannot use ActiveX, for example, due to company policy, you cannot use the Microsoft Project integration.

xRPM
To integrate Microsoft Project with xRPM, you can use the Microsoft Project Client. This uses an ActiveX control, which is installed or upgraded automatically by an interactive process on your system when the project integration component is used for the first time.

45

SAP Project and Portfolio Management Security Guide

May 2006

9

Other Security-Relevant Information

The following functions contain active code, and can be deactivated if your security policy does not allow its use:

cProject Suite
● ● ● ● ●

Browser plug-in for file handling: Deactivating this does not result in any loss of functionality, as files can still be processed using plain HTML. Microsoft ® Project integration (cProjects): If you deactivate ActiveX [Page 44], Microsoft Project integration is not possible. ECL viewer (cFolders): If you do not install this locally, no redlining functions are available in cFolders. Data sheet comparison (cFolders): If you deactivate ActiveX, data sheet comparison is not possible. WebEx meetings service (cFolders): If you deactivate this, no comparable alternative is provided in cFolders.

xRPM
Microsoft ® Project integration: If you deactivate ActiveX [Page 44], Microsoft Project Client integration is not possible.

46

SAP Project and Portfolio Management Security Guide

May 2006

10 Appendix
Related Security Guides
You can find more information about the security of SAP applications on the SAP Service Marketplace, quick link: security. Security guides are available using the quick link securityguide.

Related Information
For more information about topics related to security, see the links shown in the table below. Quick Links to Related Information Content Quick Link on the SAP Service Marketplace (service.sap.com) Master Guides, Installation Guides, Upgrade Guides, Solution Management Guides Related SAP Notes Released platforms Network security instguides ibc notes platforms network securityguide SAP Solution Manager solutionmanager

47

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close