SAP Enterprise Project Connection 3.0 Security Guide

Security Guide, PUBLIC
SAP Enterprise Project Connection, Document Version: 3.0 FP01 Version 2 – 2017-10-27

Content

1 SAP Enterprise Project Connection

Document History

The following table provides an overview of the most important document changes.

Caution: Before you start the implementation, make sure that you have the latest version of this document. You can find the latest version at http://help.sap.com.

Table 1:

Version | Date | Description
3.0 | 2016-04-30 | Initial version
3.0 FP01 | 2017-06-15 | New document template and template-related adaptions; chapters User Management and Network and Communication Security revised
3.0 FP01 Version 2 | 2017-10-27 | New chapter Data Protection

1 SAP Enterprise Project Connection

With the increased use of distributed systems and the Internet for managing business data, the demands on security are on the rise. When using a distributed system, you must ensure that your data and processes support your business needs without enabling unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These demands on security apply to SAP Enterprise Project Connection.

SAP Enterprise Project Connection has a Java component that runs on SAP NetWeaver AS Java 7.5. The corresponding SAP NetWeaver 7.5 security guides apply to SAP Enterprise Project Connection. SAP Enterprise Project Connection has an ABAP component that runs on SAP ERP 6.0 and SAP S/4HANA, on-premise, so the security guide for SAP ERP 6.0 and SAP S/4HANA, on-premise applies to SAP Enterprise Project Connection.

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

Note: SAP Enterprise Project Connection 3.0 supports SAP ERP as well as SAP S/4HANA, on-premise edition. In this document, SAP ERP implies SAP S/4HANA, on-premise edition.

Technical System Landscape

For information, see the following table:

Table 2:

Topic | URL
Technical description for SAP Enterprise Project Connection and the underlying SAP NetWeaver AS Java components | http://service.sap.com/instguides
High availability | http://sdn.sap.com/irj/sdn/ha
Technical landscape design | http://sdn.sap.com/irj/sdn/landscapedesign
Security | http://sdn.sap.com/irj/sdn/security and http://service.sap.com/securityguide
SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/pam

User Administration and Authentication

SAP Enterprise Project Connection uses the user management and authentication mechanisms provided with the SAP NetWeaver platform. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver AS ABAP Security Guide and SAP NetWeaver AS Java Security Guide apply to the SAP Enterprise Project Connection.

User Management

User management for the SAP Enterprise Project Connection uses mechanisms provided with the SAP NetWeaver AS ABAP and Java, for example, tools, user types, and password policies. In addition, we provide a list of the standard users required for operating the SAP Enterprise Project Connection.

User Administration Tools

The following table shows the tools to use for user management and user administration with the SAP Enterprise Project Connection.

Table 3:

Tool | Use
User management engine with SAP NetWeaver AS Java | This is the tool with which the SAP NetWeaver AS Java user is created and managed.
User and role maintenance with SAP ERP 6.0 or SAP S/4HANA, on-premise | This is the tool with which the RFC user and RFC user role are created and managed.

User Types

It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types required for SAP Enterprise Project Connection are the following:

● Individual
  ○ Dialog users are used for SAP GUI and RFC connections
  ○ Administrators run the SAP Enterprise Project Connection configuration scenario in SAP NetWeaver AS Java
● Technical
  ○ Service users are used to communicate from SAP NetWeaver AS Java to SAP ERP and are managed by the service user transaction
  ○ Communication users are used to communicate with SAP NetWeaver AS Java and are managed by SAP NetWeaver AS Java Administrator
  ○ Third-party integration users are used for application-specific APIs. Those users are dedicated technical users that are used as proxy users for communication with end point systems such as Oracle Primavera and Microsoft Project Server.

Recommendation: Avoid using a person's real credentials for a technical user.

For more information about user types, see http://help.sap.com/nw Security Guide.

Standard Users

The following table lists the standard users necessary to operate SAP Enterprise Project Connection:

Table 4:

System | ID | Password | Description
SAP NetWeaver AS Java | EPCRESTUSER | Determined during installation; the user has an initial password that must be changed upon first connection | Created in SAP NetWeaver AS Java after deploying SAP Enterprise Project Connection; used for HTTP communications from SAP ERP to SAP NetWeaver AS Java
SAP ERP SAPGUI | EPCINTERFACE | Determined during installation | Created in SAP ERP; used for communication from SAP NetWeaver AS Java to SAP ERP
Oracle Primavera P6 EPPM | User-selected | Determined during Oracle Primavera P6 Integration API installation | Created in Oracle Primavera P6 EPPM System; used for communication with Oracle Primavera P6 Integration API and/or SOAP Web Services
Microsoft Project Server | User-selected in the form Domain-Name\User-Name | Determined during Microsoft Project Server installation | Created in the Microsoft Project Server interface; used for communication with Microsoft Project Server and SOAP Web Services

Authorizations

SAP Enterprise Project Connection uses the authorization concept provided by SAP ERP and SAP NetWeaver AS Java; in both, authorizations are assigned to users through roles. For the role maintenance required for SAP Enterprise Project Connection, see the Installation Guide for SAP Enterprise Project Connection.

Standard Roles

The following table summarizes the standard roles SAP Enterprise Project Connection uses.

Table 5:

Role | Description
SAP NetWeaver administrator | Required to log into the SAP NetWeaver AS Java Administrator console to run the configuration scenario for SAP Enterprise Project Connection
EPCINTERFACE_ROLE | Created in SAP ERP during installation using the corresponding transaction and applied to EPCINTERFACE when creating the RFC connection to the SAP ERP system from SAP NetWeaver AS Java
Datapath-rest-access | Applied to EPCRESTUSER in SAP NetWeaver AS Java, which authenticates the SAP GUI ABAP destination to make HTTP REST calls to SAP NetWeaver AS Java

Standard Objects

For a list of Standard Authorization Objects needed in the SAP ERP system, see the Installation Guide for SAP Enterprise Project Connection.

Session Security Protection

To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend activating secure session management. We also recommend using SSL to protect the network communications where these security-relevant cookies are transferred.

Session Security Protection on SAP NetWeaver AS ABAP

To activate session security on SAP NetWeaver AS ABAP, set the corresponding profile parameters and activate the session security for the clients using the corresponding transaction.

For more information, see Activating HTTP Security Session Management on AS ABAP.
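The guide names neither the profile parameters nor their secure values. As an added example (not part of the guide and not SAP code), the following script parses a constructed AS ABAP instance profile and reports the session-cookie-relevant settings that a reviewer would check: logon tickets restricted to HTTPS, the HttpOnly flag on ICF cookies, the security session timeout, and any plain-HTTP ICM port. The parameter names are real AS ABAP profile parameters; the timeout policy value and both sample profiles are assumptions. Activation of security session management per client happens in a separate transaction, not in the profile, so it is not checked here.

```python
import re
from typing import Dict, List

# Constructed sample of an AS ABAP instance profile (not taken from any real
# system); only the session-security-relevant lines are included.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = EPC
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
login/ticket_only_by_https = 0
icf/set_HTTPonly_flag_on_cookies = 3
http/security_session_timeout = 3600
"""

# The same profile with the hardened settings (also constructed).
HARDENED_PROFILE = """\
icm/server_port_0 = PROT=HTTPS,PORT=8443
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 0
http/security_session_timeout = 900
"""

# Assumption: site policy for the maximum security session lifetime.
MAX_SESSION_TIMEOUT_SECONDS = 1800


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an instance profile, ignoring comments."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_session_security(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    # 1 = logon ticket cookie is only issued over HTTPS (secure attribute).
    if params.get("login/ticket_only_by_https", "0") != "1":
        findings.append("login/ticket_only_by_https is not 1: the logon ticket "
                        "cookie may be sent over plain HTTP")
    # 0 = HttpOnly flag set on all ICF cookies, so script cannot read them.
    if params.get("icf/set_HTTPonly_flag_on_cookies", "0") != "0":
        findings.append("icf/set_HTTPonly_flag_on_cookies is not 0: session "
                        "cookies are readable by client-side script")
    timeout = params.get("http/security_session_timeout")
    if timeout is None or not timeout.isdigit():
        findings.append("http/security_session_timeout is not set")
    elif int(timeout) > MAX_SESSION_TIMEOUT_SECONDS:
        findings.append(f"http/security_session_timeout={timeout}s exceeds "
                        f"policy of {MAX_SESSION_TIMEOUT_SECONDS}s")
    # Any plain-HTTP ICM port lets security-relevant cookies travel unencrypted.
    for name, value in params.items():
        if name.startswith("icm/server_port_") and \
                re.search(r"PROT=HTTP(?=,|$)", value, re.IGNORECASE):
            findings.append(f"{name} exposes plain HTTP ({value})")
    return findings


if __name__ == "__main__":
    for finding in check_session_security(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```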

Session Security Protection on SAP NetWeaver AS Java

For more information, see Protecting Sessions Security.

Network and Communication Security

Your network infrastructure is important in protecting your system. Your network must support the necessary communication for your business needs without enabling unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system level and application level) or network attacks, such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are unable to connect to the LAN, they cannot exploit well-known bugs and security holes in network services on the server machines.


The network topology for the SAP Enterprise Project Connection is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP Enterprise Project Connection.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security
● Security Guides for Connectivity and Interoperability Technologies

Communication Channel Security

The following table lists the communication channels used by SAP Enterprise Project Connection, the protocol used for the connection, and the type of data transferred.

Table 6:

Communication Path | Protocol | Data Type
SAP ERP to SAP Enterprise Project Connection | HTTP; HTTPS | XML
SAP NetWeaver AS Java to SAP ERP | RFC | ABAP request
SAP Enterprise Project Connection to Oracle Primavera P6 EPPM System | API - Oracle Primavera Integration API client library | XML
SAP Enterprise Project Connection to Oracle Primavera P6 EPPM System | SOAP Web Services over HTTP/HTTPS | SOAP envelope
SAP Enterprise Project Connection to Microsoft Project Server | SOAP Web Services over HTTP/HTTPS | SOAP envelope

DIAG and RFC connections are protected using SNC; HTTP connections are protected using the SSL protocol; SOAP connections are protected with Web services security.

Recommendation: We recommend using secure protocols whenever possible.

For more information, see Transport Layer Security and Web Services Security in the SAP NetWeaver Security Guide.

Network Security

For more information, see Network Security and Security Aspects for Database Connections sections in the SAP NetWeaver Security Guide.

Data Storage Security

All application data for SAP Enterprise Project Connection, including transmission results, jobs, connection configurations, uploaded integration solutions and jar files, is stored in the SAP NetWeaver AS Java database. The passwords that form part of the user credentials for connections are encrypted before being stored in the SAP NetWeaver AS Java database.

When SAP Enterprise Project Connection is installed as the DEVELOPMENT type, the integration solutions are stored in the file system, under the solution home path specified by the user during installation. Read and write permission for those integration solution files is granted to the user during custom integration solution development.

Security for Additional Applications

Follow the security requirements for the Oracle Primavera P6 EPPM System when running an integration solution with the Oracle Primavera P6 EPPM System.

Follow the security requirements for Microsoft Project Server when running an integration solution with Microsoft Project Server.

Security-Relevant Logging and Tracing

SAP Enterprise Project Connection security-relevant logging is found in the standard SAP Java log view under category /Applications/CA-EPC and in the SAP default trace view under message component CA-EPC.

SAP Virus Scan Interface

SAP Enterprise Project Connection 3.0 integrates the SAP Virus Scan Interface (SAP VSI) to protect the server from malicious content. Perform a virus scan before uploading files or importing documents. See SAP Note 817623. SAP NetWeaver integrates external malware products via the certified interface NW-VSI. A list of the certified products for the interface is available on SAP Service Marketplace at http://service.sap.com/securitypartners. See SAP Note 786179.

Configuration

To configure SAP VSI, see the SAP NetWeaver 7.5 application help at http://help.sap.com/saphelp_nw75/helpdata/en/4e/0ac1ca085c570ae10000000a42189e/frameset.htm.

If the SAP VSI setup is incomplete, SAP Enterprise Project Connection cannot scan viruses when uploading files. If the virus scan provider service is not active in the server, a warning appears in the log file. If the virus scan profile, Z_EPCPROFILE, is not created or activated in the server, a warning appears in the log file.

Data Protection

Introduction to Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP Enterprise Project Connection provides to support compliance with the relevant legal requirements and data privacy. This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape, implemented custom integration scenario and the applicable legal requirements.

Note: Compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific functions relevant to data protection, such as functions for restricting access to personal data and deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Table 7: Glossary

Term | Definition
Personal Data | Information about an identified or identifiable natural person
Business purpose | A legal, contractual, or in other form justified reason for the processing of personal data
Deletion | Deletion of personal data so that the data is no longer usable
Retention period | The time period during which data must be available

SAP Enterprise Project Connection approach to Data Protection

Many data protection requirements for SAP Enterprise Project Connection depend on how the integration scenario is defined and implemented. A custom implementation of the integration scenario on the SAP Enterprise Project Connection integration platform may process and store (as a result of executing the data integration scenario) data that contains personal data. The developer of the custom integration solution should be aware of this and take additional steps to protect such data from unauthorized access.

Note: Using its capabilities to communicate with other project and portfolio management systems, like Microsoft Project Server and Oracle Primavera, SAP Enterprise Project Connection may also be used to access and process personal data that is read from those systems.

SAP Enterprise Project Connection provides several security-related features to implement general security requirements that are also required for data protection and privacy:

Table 8: Features

Aspect of Data Protection and Privacy | SAP EPC 3.0 Feature
Access Control | Authentication; Authorization; Data Encryption (for example, all credentials used for communication with external project and portfolio management systems like Microsoft Project Server or Oracle Primavera are encrypted)
Access logging and tracing | Audit logging
Transmission Control/Communication Security | SAP EPC supports secure communication (SSL) with external project and portfolio management systems like Microsoft Project Server or Oracle Primavera, and supports encrypted communication with the Oracle Primavera EPPM Web Service
Data Deletion | The SAP EPC Configuration Scenario (CTC) supports Clear Database Tables, which allows EPC Administrators to delete outdated or no longer relevant results of executed integration scenarios. SAP EPC CTC also provides functionality for deleting SAP EPC log files and traces; those files may contain personal data, depending on the custom integration scenario implementation.

For more information about data protection, see SAP Note 2536145.


Important Disclaimers and Legal Information

Coding Samples: Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility: The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language: As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If, when referring to members of both sexes, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks: The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).


go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.