Security Information PUBLIC

SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02
Document Version: 1.08 – 2017-04-07

Security Information for SAP Predictive Maintenance and Services, on-premise edition


Content

1 Document History [page 3]
2 User Administration and Authentication [page 5]
2.1 User Management [page 5]
2.2 Integration into Single Sign-On Environments [page 7]
3 Authorizations [page 8]
3.1 Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]
3.2 Password Policy Information [page 11]
3.3 User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition [page 11]
3.4 Roles for Working with the Data Model [page 12]
4 Data Protection [page 13]
4.1 Deleting Personal Data from Data Science Services [page 14]
4.2 Deleting Personal Data from AHCC and AHFS [page 15]
4.2.1 Retrieve the Workspace ID of a User [page 16]
4.2.2 Retrieve a CSRF Token [page 17]
4.2.3 Delete the Workspace of a User [page 17]
4.2.4 Delete a User and a Workspace Mapping [page 18]
4.3 Deleting Data from the Data Model [page 19]
4.4 Deleting Personal Data from Key Figures [page 20]
5 Communication Channels and Interfaces [page 22]
6 Operational Security [page 23]
6.1 Whitelist of URLs [page 23]
7 Auditing and Logging [page 26]
8 Application and Product Security [page 27]
9 Deinstallation of Software Components [page 28]
10 Firewall Configuration [page 29]


1 Document History

Caution: Before you read this document, make sure you have the latest version of this document. You can find the latest version at the following location: https://uacp2.hana.ondemand.com/doc/97cbab0f1c184d54adad4a6aea170ac1/1.0%20FP02/en-US/Security_Information_for_SAP_Predictive_Maintenance_and_Services_on_premise_edition.pdf

Tip: You might need to refresh your browser to see the latest version of this document.

The following table provides an overview of the most important document changes:

Table 1: Document History

Version | Date | Description
1.08 | 2017-04-05 | Updated: Password Policy Information [page 11]
1.07 | 2017-04-04 | Updated: Whitelist of URLs [page 23]
1.06 | 2017-01-03 | Updated: Deleting Data from the Data Model [page 19]
1.05 | 2016-12-08 | Updated: Authorizations [page 8]; Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]; Deleting Personal Data from AHCC and AHFS [page 15]; Retrieve the Workspace ID of a User [page 16]; Delete the Workspace of a User [page 17]; Delete a User and a Workspace Mapping [page 18]; Deleting Data from the Data Model [page 19]; Deleting Personal Data from Key Figures [page 20]
1.04 | 2016-12-06 | Updated: User Administration and Authentication [page 5]; Firewall Configuration [page 29]
1.03 | 2016-12-05 | Updated: Deleting Data from the Data Model [page 19]
1.02 | 2016-11-11 | Added: Deleting Data from the Data Model [page 19]; Deleting Personal Data from Key Figures [page 20]
1.01 | 2016-09-29 | Updated: Link to this document
1.0 | 2016-09-28 | Initial Version


2 User Administration and Authentication

SAP Predictive Maintenance and Service, on-premise edition uses the user management and authentication mechanisms provided with the SAP HANA platform and the SAP HANA XS Advanced runtime. Therefore, the security recommendations and guidelines for user administration and authentication as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:

● SAP HANA Security Guide (1.0 SPS12). To access the guide, download the SAP HANA Platform 1.0 SPS 12 documentation set.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP Predictive Maintenance and Service, on-premise edition, in the following topics:

● User Management [page 5]: This topic lists the tools to use for user management, and the types of users required for SAP Predictive Maintenance and Service, on-premise edition.

● Integration into Single Sign-On Environments [page 7]: This topic describes how SAP Predictive Maintenance and Service, on-premise edition supports Single Sign-On mechanisms.

2.1 User Management

User management for SAP Predictive Maintenance and Service, on-premise edition uses the mechanisms provided with the SAP HANA platform and the SAP HANA XS Advanced runtime, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP Predictive Maintenance and Service, on-premise edition, see the sections below.

User Management Tools

The table below shows the tools to use for user management and user administration with SAP Predictive Maintenance and Service, on-premise edition.


Table 2: User Management Tools

Tool | Detailed Description | Prerequisites
SAP HANA studio, SAP HANA cockpit | https://help.sap.com/hana_platform : Security > SAP HANA Security Guide | System privilege USER ADMIN is assigned. Note: The SYSTEM database user is the default user created when SAP HANA is installed.
Application Role Builder (SAP HANA XS Advanced) | http://help.sap.com/hana_platform/ : System Administration > SAP HANA Administration Guide | Role collection XS_AUTHORIZATION_ADMIN is assigned.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types that are required for SAP Predictive Maintenance and Service, on-premise edition include the following:

● Individual users
  ○ Database users are required for access to the SAP HANA database.
  ○ Administration users are required for installing and configuring the components of SAP Predictive Maintenance and Service, on-premise edition and for maintaining users.
  ○ Business users are required for access to the Asset Health Control Center.
  ○ Users for data science services are required for model management, model learning, and model training.

● Technical users
  ○ Technical users required by the insight providers for working with the Insight Provider Catalog.

Related Information

SAP Help Portal: SAP HANA Platform
Authorizations [page 8]


2.2 Integration into Single Sign-On Environments

SAP Predictive Maintenance and Service, on-premise edition supports the Single Sign-On (SSO) mechanisms provided by SAP HANA. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP HANA Security Guide also apply to SAP Predictive Maintenance and Service, on-premise edition. For more information about the available authentication mechanisms, see https://help.sap.com/hana_platform : Security > SAP HANA Security Guide.

Related Information

SAP Help Portal: SAP HANA Platform


3 Authorizations

SAP Predictive Maintenance and Service, on-premise edition uses the authorization concept provided by SAP HANA. Therefore, the recommendations and guidelines for authorizations as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:

● https://help.sap.com/hana_platform : Security > SAP HANA Security Guide

● http://help.sap.com/hana_platform/ : System Administration > SAP HANA Administration Guide

● https://help.sap.com/hana_options_eim : System Administration, Security, and Maintenance Information > SAP HANA Enterprise Information Management Administration Guide

The SAP HANA authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the Application Role Builder tool (SAP HANA XS Advanced) and the SAP HANA Administration Console in SAP HANA.

For more information about how to use the Application Role Builder tool and the required XSA roles, see http://help.sap.com/hana_platform/ : System Administration > SAP HANA Administration Guide.

For more information about how to use the SAP HANA Administration Console, see http://help.sap.com/hana_platform/ : System Administration > SAP HANA Administration Guide.

Note: For more information about how to create and assign role collections, see the chapter Maintaining Role Collections and Users in SAP HANA in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.

Related Information

SAP Help Portal: SAP HANA Platform
SAP Help Portal: SAP HANA Enterprise Information Management

3.1 Role Templates for SAP Predictive Maintenance and Service, on-premise edition

The table below shows the XS Advanced roles that are delivered with SAP Predictive Maintenance and Service, on-premise edition.


Table 3: XS Advanced Role Templates

Application Name (in Application Role Builder tool) | Role Template Name (in Application Role Builder tool) | Description

pdms | ConfigUser | Role template used to configure insight providers and access the Asset Health Control Center. Consists of the following scopes:
● ConfigAccess: Scope that gives permission to configure insight providers and the Insight Provider Catalog
● AppAccess: Scope that gives permission to read the configuration of insight providers and the Insight Provider Catalog, and to read and write to insight providers and application data

pdms | ExecutorUser | Role template to schedule tasks for data replication. Consists of the following scope:
● ExecutorAccess: Scope that gives permission to schedule tasks for data replication

pdms | ThingModeler | Role template to maintain IoT application services: Configuration services and Thing services. Consists of the following scope:
● ThingModelAccess: Scope that gives permission to read and write to IoT application services

pdms | ThingReader | Role template to read Thing instances from the Thing model. Consists of the following scope:
● ThingRead: Scope that gives permission to read Thing instances of IoT application services

pdms | ThingWriter | Role template to write to Thing instances of the Thing model. Consists of the following scope:
● ThingWrite: Scope that gives permission to write to Thing instances of IoT application services

pdms | AHCCUser | Role template to access the Asset Health Control Center application. Consists of the following scopes:
● AppAccess: Scope that gives permission to read the configuration of insight providers and the Insight Provider Catalog, and to read and write to insight providers and application data
● AHCCAccess: Scope that gives permission to access the Asset Health Control Center application

pdms | DataScienceUser | Role template to access data science models and algorithms. Consists of the following scope:
● DataScienceAccess: Scope that gives permission to read and write to data science models and algorithms

Note that AppAccess, which is part of both ConfigUser and AHCCUser, grants write access to insight providers and application data, and ConfigUser additionally grants ConfigAccess. Assign ConfigUser only to users who actually configure insight providers; business users of the Asset Health Control Center need AHCCUser only.

For more information about how to use the Application Role Builder tool and the required XSA roles, see http://help.sap.com/hana_platform/ : System Administration > SAP HANA Administration Guide.

Note: For more information about how to create and assign role collections, see the chapter Maintaining Role Collections and Users in SAP HANA in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.

Related Information

SAP Help Portal: SAP HANA Platform


3.2 Password Policy Information

Password Expiration Time

If the password of a technical user expires, the user is locked and SAP Predictive Maintenance and Service, on-premise edition no longer works as expected; for example, the technical users that the insight providers use to work with the Insight Provider Catalog can no longer log on. You therefore need to make sure that the password expiration times for technical users allow SAP Predictive Maintenance and Service, on-premise edition to work for as long as needed. SAP HANA lets you exempt individual users from the password lifetime check; limit such exemptions to technical users and keep the regular expiration for interactive users (see User Management [page 5]).

You can set the expiration time of passwords of technical users of SAP HANA as described in https://help.sap.com/hana_platform : Security > SAP HANA Security Guide > SAP HANA Authentication and Single Sign-On > Password Policy.

Related Information

SAP Help Portal: SAP HANA Platform

3.3 User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition

The following user-provided services are created when you install SAP Predictive Maintenance and Service, on-premise edition. Each of them makes a user-provided service instance available to the software components. Some of these services carry user credentials (for example service-catalog-ups); any user who can read the environment of an application bound to such a service, for example with xs env as in the deletion procedures in section 4, can read those credentials, so restrict that access accordingly.

Table 4: User-Provided Services for SAP Predictive Maintenance and Service, on-premise edition

User-Provided Service | Description
service-catalog-ups | User-provided service to configure the location of an instance of the Insight Provider Catalog, and user credentials
data-access-ups | User-provided service for data access
fusion-view-ups | User-provided service to display merged data in the Asset Health Control Center and on the Asset Health Fact Sheet
datascience-ups | User-provided service for data science services
executor-service-ups | User-provided service to schedule data replication


3.4 Roles for Working with the Data Model

To load data into SAP Predictive Maintenance and Service, on-premise edition 1.0, and to work with and build insight providers, certain roles are required.

The following roles are automatically available to you after you have installed SAP Predictive Maintenance and Service, on-premise edition 1.0:

Table 5: Roles

Role | Description
com.sap.pdms.sdm::DATA.Consumer | This role has SELECT privileges on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Consumer# | This role has SELECT privileges, grantable to other users, on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Provider | This role has SELECT, INSERT, UPDATE, and DELETE privileges on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.
com.sap.pdms.sdm::DATA.Provider# | This role has SELECT, INSERT, UPDATE, and DELETE privileges, grantable to other users, on all tables or views delivered with SAP Predictive Maintenance and Service, on-premise edition 1.0.

These roles need to be assigned to users in SAP HANA studio by a user that is allowed to grant them, for example the SYSTEM user. The roles with the # suffix carry the same privileges with the option to grant them onward; assign them only to users who need to delegate access, and give everyone else the Consumer role unless they actually write to the data model.


4 Data Protection

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes concepts to support compliance with the relevant legal requirements and data privacy.

SAP Predictive Maintenance and Service, on-premise edition uses the data protection mechanisms provided with SAP HANA, and SAP IQ. Therefore, the security recommendations and guidelines for data protection described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:

● https://help.sap.com/hana_platform : Security > SAP HANA Security Guide

Handling of Users and Passwords

Users created for SAP Predictive Maintenance and Service, on-premise edition should each have different passwords, and only as many roles assigned as needed.

Deletion of Personal Data

SAP Predictive Maintenance and Service, on-premise edition offers REST APIs that you can use, for example, to delete personal data. For an overview of the REST APIs, see the guide Configuration of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.

For detailed deletion procedures, see the following chapters:

● Deleting Personal Data from Data Science Services [page 14]
● Deleting Personal Data from AHCC and AHFS [page 15]
● Deleting Data from the Data Model [page 19]
● Deleting Personal Data from Key Figures [page 20]

Related Information

SAP Help Portal: SAP HANA Platform
Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]


4.1 Deleting Personal Data from Data Science Services

Deleting personal data stored when using data science services.

Context

The user ID of the user who created a data mining model is stored. The data is stored in the table MODEL_MASTER in the HDI schema of the data science services. To edit this data, proceed as follows:

Procedure

1. Find the name of the schema where the services are deployed. You find this information in the xs environment of the datascience-db application.

a. Log on to the xsa server and execute the command xs env datascience-db.

This command returns all the variables set for the datascience-db application.

b. In the output, look for the container that is called datascience-hdi and extract the values for user, password and schema from there.

The user and password you extract are the credentials of the datascience-hdi container. Anyone who can run xs env for this application can read them, so handle them as a secret and do not leave them in scripts or saved connection profiles after the procedure.

2. In SAP HANA studio, configure access to the HANA system where SAP Predictive Maintenance and Service, on-premise edition is deployed using the user name and password that you just extracted.

3. Go to the schema whose name you just extracted and open the table MODEL_MASTER.

4. In the table MODEL_MASTER, look for the field CREATED_BY.

This field contains the user ID of the user who created a specific model.

5. You can modify this information using the following statement, where <schema> is the schema name extracted in step 1b:

Sample Code

update "<schema>"."MODEL_MASTER" set CREATED_BY='<new_value>' where CREATED_BY='<user_id>'

This statement removes the user ID and replaces it with a new value at all instances where the user ID is entered as creator ID. As <new_value> you can enter UNKNOWN, for example.

6. (Optional) If you need to delete all data science models that were created by a user, execute the following statement:

Sample Code

delete from "<schema>"."MODEL_MASTER" where CREATED_BY='<user_id>'


4.2 Deleting Personal Data from AHCC and AHFS

Prerequisites

The following roles are assigned to your user:

● <pdms-tech>
● <ahcc-user-role>

For more information about role collections, see the chapters Maintaining Roles and Users in SAP HANA and Role Templates for SAP Predictive Maintenance and Service, on-premise edition in the guide Installation of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.

Context

You can use REST APIs to delete users, their workspaces, and their workspace mappings from the Asset Health Control Center and the Asset Health Fact Sheet. To delete personal data, proceed as follows:

Procedure

1. Retrieve the workspace ID mapped to a user as described in the chapter Retrieve the Workspace ID of a User [page 16].

This REST endpoint works with form-based authentication.

After this REST call, you have retrieved the <user_workspace_ID> of a user for LOCATION='controlcenter' (Asset Health Control Center).

2. Retrieve a CSRF token for URI 1 as described in the chapter Retrieve a CSRF Token [page 17].

3. Delete the workspace of a user using the <user_workspace_ID> as described in the chapter Delete the Workspace of a User [page 17].

After this REST call, you have deleted the workspace of a user.

4. Retrieve a CSRF token for URI 2 as described in the chapter Retrieve a CSRF Token [page 17].

5. Delete a user and the workspace mapping to this user as described in the chapter Delete a User and a Workspace Mapping [page 18].

After this REST call, you have deleted a user and the workspace mapping to this user for LOCATION='controlcenter' (Asset Health Control Center).

6. Repeat steps 1 to 5 using LOCATION='factsheet' (Asset Health Fact Sheet).

You have now also deleted the user, the workspace of this user, and the workspace mapping to this user for the Asset Health Fact Sheet.


Related Information

Role Templates for SAP Predictive Maintenance and Service, on-premise edition [page 8]

4.2.1 Retrieve the Workspace ID of a User

Request

Note: This REST endpoint works with form-based authentication.

Format: JSON

URI: http://<hostname>:<router port>/app/ahcc/api/v1/odata/Workspace(USER_ID='<user_ID>',LOCATION='controlcenter')

HTTP Method: GET

Permission: Role collection <ahcc-user-role>

Response

Response Example

{
  "d": {
    "__metadata": {…},
    "USER_ID": "<user_ID>",
    "LOCATION": "controlcenter",
    "WORKSPACE_ID": "<user_workspace_ID>"
  }
}

Related Information

Deleting Personal Data from AHCC and AHFS [page 15]


4.2.2 Retrieve a CSRF Token

Request

Format: JSON

URI 1: http://<hostname>:<router port>/workspace-management/api/v1/admin/workspaces

URI 2: http://<hostname>:<router port>/app/ahcc/api/v1/odata

HTTP Method: GET

Note: The REST endpoints used for the deletion of users, their workspaces, and their workspace mappings are protected against cross-site request forgery (CSRF). You therefore need to retrieve the CSRF token first before the REST calls to delete personal data can be made. Extract the value of x-csrf-token from the response headers. Retrieve the token for URI 1 before the DELETE call of section 4.2.3 and the token for URI 2 before the DELETE call of section 4.2.4; a token is bound to the session in which it was fetched, so it has to be sent with the same session cookie as the GET that returned it.

Related Information

Deleting Personal Data from AHCC and AHFS [page 15]

4.2.3 Delete the Workspace of a User

Request

Format: JSON

URI: http://<hostname>:<router port>/workspace-management/api/v1/admin/workspaces/<user_workspace_ID>

HTTP Method: DELETE

Permission: Role collection <pdms-tech>

Before you send the DELETE call, enter the x-csrf-token that you just retrieved in the header section of your REST API call.

Example:
key = x-csrf-token
value = <CSRF token that you retrieved with the previous GET call>

You can then go ahead with the DELETE call.

Response

Note: When no content is displayed after you have sent the REST call, the user workspace is deleted.

Response Status and Error Codes

Table 6: Response Status and Error Codes

Category | Code | Description
Not found | 204 | No user workspace with the specified ID exists.

Because the call answers with no content both when the workspace was deleted and when no workspace with that ID existed, the status code alone does not tell you which case applies. To confirm the deletion, repeat the GET call of section 4.2.1 for the user; it must no longer return the workspace ID.

Related Information

Deleting Personal Data from AHCC and AHFS [page 15]

4.2.4 Delete a User and a Workspace Mapping

Request

Note: This REST endpoint works with form-based authentication.

Format: JSON

URI: http://<hostname>:<router port>/app/ahcc/api/v1/odata/Workspace(USER_ID='<user_ID>',LOCATION='controlcenter')

HTTP Method: DELETE

Permission: Role collection <pdms-tech>

Before you send the DELETE call, enter the x-csrf-token that you just retrieved in the header section of your REST API call.

Example:
key = x-csrf-token
value = <CSRF token that you retrieved with the previous GET call>

You can then go ahead with the DELETE call.

Response

Note: When no content is displayed after you have sent the REST call, the user and the workspace mapping are deleted.

Response Status and Error Codes

Table 7: Response Status and Error Codes

Category | Code | Description
Not found | 204 | No user with the specified ID exists.

As with the workspace deletion, no content is returned both when the user and mapping were deleted and when no such user existed. Confirm the result by repeating the GET call of section 4.2.1 for the user and LOCATION; it must no longer return a mapping.

Related Information

Deleting Personal Data from AHCC and AHFS [page 15]
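The six steps of section 4.2, run against the endpoints of sections 4.2.1 to 4.2.4, as one script. This is an added example for this guide and is not SAP code or part of the product. It assumes that the form-based logon has already taken place and that its session cookie is in the cookie jar handed to urllib_transport; that the CSRF token is requested with the header X-CSRF-Token: Fetch (the usual SAP convention; the guide only says to GET the URI and read the x-csrf-token response header); that a GET for a user without a mapping answers 404; and that 200 and 204 both mean the DELETE is done. FakeAhcc is a constructed in-memory stand-in for the router so the flow can be run offline; it rejects a DELETE that does not carry the fetched token, which is the CSRF protection the note in section 4.2.2 describes.

```python
"""Steps 1 to 6 of section 4.2 against the endpoints of sections 4.2.1 to 4.2.4.
Added example, not SAP code; header name, 404 and 204 handling are assumptions."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

LOCATIONS = ("controlcenter", "factsheet")  # AHCC first, then AHFS (step 6)


class Response:
    def __init__(self, status, headers=None, body=b""):
        self.status = status
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.body = body


def urllib_transport(jar: http.cookiejar.CookieJar):
    """Real transport (method, url, headers) -> Response, reusing the logon session cookie."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with opener.open(req) as resp:
                return Response(resp.status, dict(resp.headers), resp.read())
        except urllib.error.HTTPError as err:
            return Response(err.code, dict(err.headers), err.read())
    return send


def workspace_uri(base, user_id, location):
    # OData key literal: double embedded quotes, then percent-encode, so a crafted
    # user ID cannot alter the key predicate or break out of the path.
    key = urllib.parse.quote(user_id.replace("'", "''"), safe="")
    return f"{base}/app/ahcc/api/v1/odata/Workspace(USER_ID='{key}',LOCATION='{location}')"


def fetch_csrf_token(send, url):
    """Section 4.2.2: GET the URI and read x-csrf-token from the response headers."""
    resp = send("GET", url, {"X-CSRF-Token": "Fetch"})  # request header value is an assumption
    token = resp.headers.get("x-csrf-token")
    if resp.status != 200 or not token or token.lower() == "required":
        raise RuntimeError(f"no CSRF token from {url} (HTTP {resp.status})")
    return token


def delete_user_data(send, base, user_id):
    """Run steps 1 to 6 for one user; returns the outcome per LOCATION."""
    admin = f"{base}/workspace-management/api/v1/admin/workspaces"  # URI 1
    odata = f"{base}/app/ahcc/api/v1/odata"                         # URI 2
    outcome = {}
    for location in LOCATIONS:
        ws_url = workspace_uri(base, user_id, location)
        resp = send("GET", ws_url, {"Accept": "application/json"})  # step 1
        if resp.status == 404:
            outcome[location] = "no mapping"
            continue
        if resp.status != 200:  # never mistake an expired session for "nothing to delete"
            raise RuntimeError(f"GET {ws_url}: HTTP {resp.status}")
        workspace_id = json.loads(resp.body)["d"]["WORKSPACE_ID"]

        token = fetch_csrf_token(send, admin)                       # step 2
        ws_path = f"{admin}/{urllib.parse.quote(workspace_id, safe='')}"
        resp = send("DELETE", ws_path, {"X-CSRF-Token": token})     # step 3
        if resp.status not in (200, 204):
            raise RuntimeError(f"DELETE {ws_path}: HTTP {resp.status}")

        token = fetch_csrf_token(send, odata)                       # step 4
        resp = send("DELETE", ws_url, {"X-CSRF-Token": token})      # step 5
        if resp.status not in (200, 204):
            raise RuntimeError(f"DELETE {ws_url}: HTTP {resp.status}")

        # 204 is also the answer when nothing existed, so re-read instead of trusting it.
        outcome[location] = "deleted" if send("GET", ws_url, {}).status == 404 else "still present"
    return outcome


class FakeAhcc:
    """Constructed in-memory stand-in for the router; not the real service."""
    TOKEN = "tok-123"

    def __init__(self, mappings):
        self.mappings = dict(mappings)  # (user_id, location) -> workspace_id
        self.workspaces = set(mappings.values())

    def __call__(self, method, url, headers):
        path = urllib.parse.unquote(urllib.parse.urlsplit(url).path)
        if method == "GET" and headers.get("X-CSRF-Token") == "Fetch":
            return Response(200, {"x-csrf-token": self.TOKEN})
        if method == "DELETE" and headers.get("X-CSRF-Token") != self.TOKEN:
            return Response(403, {}, b"CSRF token validation failed")
        if path.startswith("/workspace-management/api/v1/admin/workspaces/"):
            self.workspaces.discard(path.rsplit("/", 1)[1])
            return Response(204)
        user, loc = path.split("USER_ID='")[1].split("',LOCATION='")
        key = (user.replace("''", "'"), loc.rstrip("')"))
        if key not in self.mappings:
            return Response(404)
        if method == "DELETE":
            del self.mappings[key]
            return Response(204)
        body = {"d": {"USER_ID": key[0], "LOCATION": key[1], "WORKSPACE_ID": self.mappings[key]}}
        return Response(200, {"content-type": "application/json"}, json.dumps(body).encode())
```

Against a real system, create an http.cookiejar.CookieJar, perform the form-based logon through an opener built on that jar, and then call delete_user_data(urllib_transport(jar), "http://<hostname>:<router port>", "<user_ID>"). The script re-reads the mapping after each DELETE because, as Tables 6 and 7 show, an empty 204 answer is returned whether or not anything existed.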

4.3 Deleting Data from the Data Model

Prerequisites

The role com.sap.pdms.sdm::DATA.Provider is assigned to your user with which you log on to SAP HANA studio.


Context

Proceed as described in the following steps to delete data from the data model that is described in the installation guide of SAP Predictive Maintenance and Service, on-premise edition.

Procedure

1. Log on to SAP HANA studio.2. Delete data from tables and views using the DELETE statement as explained in the chapter DELETE

Statement (Data Manipulation) in the SAP HANA SQL and System Views Reference.a. The following SQL statement is an example of how to delete data from the READINGS_T table.

Sample Code

DELETE FROM READINGS_T WHERE Thing = '<ThingId>';

After executing the above statement, the rows containing the specified <ThingId> are deleted from the READINGS_T table.

b. The following SQL statement is an example of how to delete data from the WORKACTIVITY table.

Sample Code

DELETE FROM "SAP_PDMS_DATA"."com.sap.pdms.sdm::DATA.WORKACTIVITY_T" WHERE "AssignedTo" = '<User_ID>' OR "ReportedBy" = '<User_ID>';

After executing the above statement, the rows containing the specified <User_ID> are deleted from the WORKACTIVITY table.

4.4 Deleting Personal Data from Key Figures

Prerequisites

The role com.sap.pdms.sdm::DATA.Provider is assigned to the user with which you log on to SAP HANA studio.


Context

You can delete data from the data model that is described in the installation guide of SAP Predictive Maintenance and Service, on-premise edition.

Note

Deletion operations on the views and tables of the data model need to be preceded by the following SQL statement:

set schema "SAP_PDMS_DATA";

Procedure

1. In the XSA system where the insight provider for key figures is running, execute the command xs env key-figures-ipro-backend.

2. Note down the value of the environment variables user, password, and schema contained under VCAP_SERVICES.hana.credentials.

3. Log on to the HANA system with the user name and password you just noted down.

4. Below your user, locate the table KEY_FIGURE_TABLE in the schema you just noted down.

5. To find a certain person who has configured key figures or key figure sets, execute the command select "value" from <SCHEMA>."KEY_FIGURE_TABLE" where "attribute" = 'metadata.modifiedBy'.

6. To delete information about a certain person, execute the command delete from "0F0F1A9A994F469B80261BAA53B6E9C1"."KEY_FIGURE_TABLE" where "attribute" = 'metadata.modifiedBy' and "value" = '<USER>'.
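The key figure procedure above and the data model deletion in section 4.3 come down to the same two moves: take the schema that xs env reveals, then run DELETE statements against a schema-qualified table. The following Python is an added example (not SAP code) that assembles those statements with the schema name quoted as an identifier and the person's ID bound as a parameter rather than spliced into the SQL text; the VCAP_SERVICES sample, its user, password and schema values, and the function names are constructed placeholders.

```python
import json

# Constructed sample of the JSON part of `xs env key-figures-ipro-backend`
# output (placeholder values, not from a real system). The text places the
# credentials under VCAP_SERVICES.hana.credentials; XSA normally lists
# bindings as an array, so both shapes are accepted below.
SAMPLE_XS_ENV_JSON = json.dumps({
    "VCAP_SERVICES": {
        "hana": [{"credentials": {
            "user": "SBSS_EXAMPLE_USER",
            "password": "<placeholder>",
            "schema": "EXAMPLE_KEY_FIGURES_SCHEMA",
        }}]
    }
})

KEY_FIGURE_TABLE = "KEY_FIGURE_TABLE"
DATA_SCHEMA = "SAP_PDMS_DATA"
WORKACTIVITY_TABLE = "com.sap.pdms.sdm::DATA.WORKACTIVITY_T"

def hana_credentials(xs_env_json):
    """Step 2: pick out user, password and schema of the HANA binding."""
    hana = json.loads(xs_env_json)["VCAP_SERVICES"]["hana"]
    binding = hana[0] if isinstance(hana, list) else hana
    creds = binding["credentials"]
    return {k: creds[k] for k in ("user", "password", "schema")}

def quote_ident(name):
    """Quote a HANA identifier, doubling embedded double quotes so a schema
    or table name taken from the environment cannot end the identifier early."""
    return '"' + name.replace('"', '""') + '"'

def find_modifiers_sql(schema):
    """Step 5: every user recorded as modifier of a key figure (set)."""
    return (f'SELECT "value" FROM {quote_ident(schema)}.{quote_ident(KEY_FIGURE_TABLE)} '
            "WHERE \"attribute\" = 'metadata.modifiedBy'")

def delete_key_figure_person(schema, user):
    """Step 6 as a parameterized (sql, params) pair for cursor.execute()."""
    sql = (f'DELETE FROM {quote_ident(schema)}.{quote_ident(KEY_FIGURE_TABLE)} '
           "WHERE \"attribute\" = 'metadata.modifiedBy' AND \"value\" = ?")
    return sql, (user,)

def delete_work_activity_person(user_id):
    """Section 4.3 WORKACTIVITY deletion with the user ID bound, not spliced in."""
    sql = (f'DELETE FROM {quote_ident(DATA_SCHEMA)}.{quote_ident(WORKACTIVITY_TABLE)} '
           'WHERE "AssignedTo" = ? OR "ReportedBy" = ?')
    return sql, (user_id, user_id)
```

Each (sql, params) pair is meant for a HANA client such as hdbcli, whose cursor.execute accepts ? placeholders; the schema goes through quote_ident because it is data read from the environment, while the person's ID travels as a bind parameter.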

Related Information

Data Protection [page 13]


5 Communication Channels and Interfaces


6 Operational Security

6.1 Whitelist of URLs

SAP Predictive Maintenance and Service, on-premise edition needs several URLs to connect to the application and insight providers, the data platform, and data science services.

The data platform and the application, together with the insight providers, are accessed using the host and port of the pdms router. The following example depicts a URL for connecting to these components:

Example

http(s)://<host.of.pdms.router>:<port of pdms router>/<URLsuffix/correspondingto/component>/<endpoint>

The data science services are accessed using the host and port of the data science app router. The following example depicts a URL for connecting to data science services:

Example

http(s)://<host.of.datasci-approuter>:<port of datasci-approuter>/<URLsuffix_corresponding_to_algorithm>/api/<endpoint>

Table 8: URL Whitelist

Destination | URL | URL Suffix
UI5 library | http(s)://<host.of.pdms.router>:<port of pdms router> | /lib/ui5/
pdms app container | http(s)://<host.of.pdms.router>:<port of pdms router> | /lib/sap-pdms-appcontainer/
Insight provider catalog | http(s)://<host.of.pdms.router>:<port of pdms router> | /platform/service-catalog/
Insight provider: 2D chart | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/twod-viz/
Back end of insight provider: Key figures | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/key-figures-backend/
UI of insight provider: Key figures | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/key-figures-ui/
Insight provider: Work activity | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/work-activity/
Insight provider: Map | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/geospatial/
Insight provider: 3D chart | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/threed-viz/
Insight provider: Asset Explorer | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/asset-explorer/
Insight provider: Derived signals | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/derived-signals/
Insight provider: Filter | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/filter/
Insight provider: Components | http(s)://<host.of.pdms.router>:<port of pdms router> | /ipro/components/
Asset Health Control Center | http(s)://<host.of.pdms.router>:<port of pdms router> | /app/ahcc/
Administration launchpad | http(s)://<host.of.pdms.router>:<port of pdms router> | /app/launchpad/
Data science service: Anomaly Detection with Principal Component Analysis | http(s)://<host.of.pdms.router>:<port of pdms router> | /datasci_pca
Data science service: Distance-Based Failure Analysis Using Earth Mover’s Distance | http(s)://<host.of.pdms.router>:<port of pdms router> | /datasci_emd
Data science service: Remaining Useful Life Prediction Using Weibull | http(s)://<host.of.pdms.router>:<port of pdms router> | /datasci_wbl

Note

The Filter insight provider is consumed by the Asset Explorer.

Table 9: URL Endpoints

Endpoint | Description
/index.html | Welcome file
/router/plugins | Plugin metadata
/logout | Logout
/<api>/<endpoint> | REST APIs of the individual microservices

Note

For more information about which REST APIs are provided with SAP Predictive Maintenance and Service, on-premise edition, see the guide Configuration of SAP Predictive Maintenance and Service, on-premise edition 1.0 FP02.
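As an added example (not part of the SAP document), the following Python turns Table 8 into the allowlist check a reverse proxy or egress filter in front of the pdms router could apply to request URLs. The router host and port are constructed placeholders for <host.of.pdms.router>:<port of pdms router>, and requiring TLS by default is an assumption that is stricter than the document's http(s).

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Host and port are constructed placeholders standing in for
# <host.of.pdms.router>:<port of pdms router>; the suffixes are Table 8.
PDMS_ROUTER = ("pdms-router.example.internal", 51023)
ALLOWED_SUFFIXES = (
    "/lib/ui5/", "/lib/sap-pdms-appcontainer/", "/platform/service-catalog/",
    "/ipro/twod-viz/", "/ipro/key-figures-backend/", "/ipro/key-figures-ui/",
    "/ipro/work-activity/", "/ipro/geospatial/", "/ipro/threed-viz/",
    "/ipro/asset-explorer/", "/ipro/derived-signals/", "/ipro/filter/",
    "/ipro/components/", "/app/ahcc/", "/app/launchpad/",
    "/datasci_pca", "/datasci_emd", "/datasci_wbl",
)

def _under(path, suffix):
    """True when path is the suffix itself or lies below it; a shared text
    prefix such as /datasci_pca_other does not count."""
    base = suffix.rstrip("/")
    return path == base or path.startswith(base + "/")

def is_whitelisted(url, router=PDMS_ROUTER, suffixes=ALLOWED_SUFFIXES,
                   require_tls=True):
    """Decide whether a request URL belongs to the documented whitelist."""
    try:
        parts = urlsplit(url)
        target = (parts.hostname, parts.port)   # .port raises on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if require_tls and parts.scheme != "https":  # stricter than http(s) in the text
        return False
    if target != router:                         # any other host or port is off-list
        return False
    # Decode %2e and collapse "." / ".." segments so the path is judged by
    # where it actually lands, not by the segments written first.
    path = posixpath.normpath(unquote(parts.path) or "/")
    return any(_under(path, s) for s in suffixes)

if __name__ == "__main__":
    # Constructed sample requests, as a proxy in front of the router would see them.
    for u in ("https://pdms-router.example.internal:51023/app/ahcc/index.html",
              "https://pdms-router.example.internal:51023/datasci_pca/api/train",
              "https://pdms-router.example.internal:51023/lib/ui5/../../admin/",
              "https://pdms-router.example.internal:51023/ipro/filter/%2e%2e/%2e%2e/logout"):
        print(is_whitelisted(u), u)
```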


7 Auditing and Logging

SAP Predictive Maintenance and Service, on-premise edition uses the concepts for auditing and logging provided by SAP HANA. Therefore, the recommendations and guidelines for auditing and logging as described in the following security guides also apply to SAP Predictive Maintenance and Service, on-premise edition:

● https://help.sap.com/hana_platform : Security > SAP HANA Security Guide

● https://help.sap.com/hana_options_eim : System Administration, Security, and Maintenance Information > SAP HANA Enterprise Information Management Administration Guide

Related Information

SAP Help Portal: SAP HANA Platform

SAP Help Portal: SAP HANA Enterprise Information Management


8 Application and Product Security

Cookies

SAP Predictive Maintenance and Service, on-premise edition 1.0 relies on cookies created by underlying platforms like the XSA router and XSA runtimes.

For more information about cookies, please refer to the security information of the underlying platforms.

Example

● SAP HANA Security Guide


9 Deinstallation of Software Components

To deinstall the software components of SAP Predictive Maintenance and Service, on-premise edition 1.0, manual steps are required. These steps are described in the chapter Uninstalling Components of SAP Predictive Maintenance and Service, on-premise edition in the installation guide of SAP Predictive Maintenance and Service, on-premise edition 1.0.


10 Firewall Configuration

To access SAP Predictive Maintenance and Service, on-premise edition 1.0 using VPN, the following ports need to be opened across the firewall:

● Port on which the PDMS router is run. For more information, see the chapter Installing SAP Predictive Maintenance and Service, on-premise edition 1.0 in the installation guide of SAP Predictive Maintenance and Service, on-premise edition 1.0.

● Port on which the User Account and Authentication service (UAA) is run. For more information, see the SAP HANA Security Guide (1.0 SPS12 or 2.0 SP00). To access the guide, download the SAP HANA Platform 1.0 SPS 12 documentation set.


Important Disclaimers and Legal Information

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Accessibility

The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: http://help.sap.com/disclaimer).


go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.