Security and Your SAP System When Working with Winshuttle Products




2014 Winshuttle, LLC. All rights reserved. 2/14 www.winshuttle.com

Background

Companies running SAP systems are accustomed to configuring and maintaining elaborate security models to ensure the overall integrity of the data in the ERP system and, in particular, to prevent unauthorized access to SAP systems, data and SAP-based business processes. SAP provides the business with six levels of system security:

- Software Lifecycle Security through the transport management layer
- Infrastructure Security through managed modes of communication
- Secure User Access through user identification
- Secure Collaboration through federated identity management, trust relationships and secure messaging
- Application Security which restricts what users can see and how they can see it

http://www.isss.ch/events/ft2004.04/schumacher.pdf

Any solution that a business attaches to an SAP system, such as one offered by Winshuttle, needs to be aligned with the existing security model for SAP in order to meet business security standards. For a given SAP installation there are a number of different system attributes that need to be considered. These include but are not limited to:

- The application platform itself, which may comprise .NET, Java, ABAP and a combination of other technologies.
- The various SAP components themselves, namely CRM, APO, SRM, MDM, ERP etc.
- The operating environment components, such as the operating system, the database and the different types of client interaction environments such as SAP GUI, Portal and the NWBC.

Each of these components typically has different attributes, and each of these in turn may represent more or less robust ways of securing your SAP system. In this white paper, we'll cover the six levels of SAP system security in the context of Winshuttle and explore the SAP system attributes that are relevant to Winshuttle products.

SAP Software Life Cycle Security

SAP systems have a robust system life cycle model that can be short-circuited or made more elaborate depending on a given business requirement. Typically it is expected that in any given SAP environment, there is a Development, a Quality Assurance and a Productive system. Some SAP environments may have multiple QA or pre-production environments or environments for specific project initiatives. Using SAP products like ChaRM, CTS+, NWDI or the existing Transport Management System in SAP, a business can manage the components in their SAP system. ChaRM, for example, provides an overview of technical objects across multiple environments. The transaction code STMS is used to execute the SAP technical objects and apply them in different environments, and NWDI supports version control for Java-based SAP objects.

How does Winshuttle handle Software Life Cycle Security?

Winshuttle's approach to technical objects is different from SAP's. Winshuttle products function in two modes of technical object management:

- Local management
- Central management

As the name suggests, local management is about managing automation artifacts or Winshuttle scripts locally. This is typically appropriate where there are a small number of users of Winshuttle products and where there is perhaps less rigor required around the management of the objects in the Winshuttle automation library. Scripts are not subject to any versioning other than that defined by the author, and the approach for script distribution is either to embed the script in a given workbook or to make scripts and their templates available to others in the organization by way of some file sharing mechanism. For user communities greater than 1–10 users, this method may be acceptable but really hinges on the number of scripts, the relative complexity of those scripts, the frequency with which they are used, and the frequency with which they are changed. Using local management, scripts have no state and are always available for use with any selected SAP system.

Central management involves securing scripts for productive use in a centralized repository where their use can be controlled and monitored. Winshuttle supports a controlled and managed automation script repository by allowing the establishment of basic SharePoint Workflows and management of versions of scripts and policies. This enables usage and various automation object constraints all based upon SharePoint. Central management of script and template objects requires the implementation of a centralized server component on the SharePoint infrastructure. This component is called Winshuttle Central. Winshuttle Central not only manages the productive vs. non-productive state of Winshuttle automation scripts, it also allows the centralized management reporting of Winshuttle automation script usage. Companies with ten or more users of Winshuttle products are strongly urged to use Winshuttle Central as part of their Winshuttle Suite deployment.

Using the Winshuttle Transaction and Query applications, authors of scripts and queries check scripts into their Central site on SharePoint. There, various workflow activities and procedures can be applied to the scripts, which can transition them from a development or non-productive state into a productive state. Scripts without a state of production cannot be run against a production-defined system.

For those companies requiring a more segregated Development vs. Production environment, it is recommended that two Central systems be established and that file transfer or manual movement of scripts between the environments be established.

Winshuttle scripts never reside on your SAP system, and although they leverage your SAP system configuration as part of the authoring process, no changes are applied to your SAP system to create scripts. As a consequence of this characteristic, if you upgrade your SAP system or apply changes to your SAP environment that modify your SAP configuration or the sequential ordering or placement of fields in your SAP screens, your existing transaction recording scripts may need to be recreated.

SAP Infrastructure Security

One of the primary modes of communication with a given SAP system is by way of RFC over TCP/IP, CPI-C or a Q-API (queued application programming interface). Communication between clients and a given SAP system is typically by way of dialog sessions using Remote Function Calls (RFC), which is a process of executing a program on the target SAP system. Other communication methods might be by way of HTTP, HTTPS, SMTP, SOAP and XML, which may or may not leverage RFCs depending on the process.

Sessions instantiated via a SAP dialog session make use of Remote Function Calls (RFC), which is the standard SAP interface for communication between clients and SAP systems as well as between SAP systems and non-SAP systems. Data is typically exchanged with SAP systems using RFCs to invoke requests (call a function) but may use EDI-like IDOC interfaces, ALE/EDI or remotely enabled Function Modules like BAPIs. Requests to an SAP system are routed through the SAP Gateway, which enables communications between the SAP system and the other system.

How does Winshuttle handle SAP Infrastructure Security?

Winshuttle products that talk directly to the SAP system respect all of the existing infrastructural security in your SAP environment and do not bypass any of the existing mechanisms you have in place for protecting your SAP investment.

- Winshuttle products communicate with your SAP system via RFC, irrespective of whether the process is a query, the invocation of an SAP transaction call or the calling of an SAP BAPI or remotely enabled Function Module.
- Winshuttle products may communicate with your SAP system over HTTP/S, SMTP, SOAP or XML depending on whether your scenario requires the use of this method.
- The current versions of Winshuttle products do not yet make use of IDOC interfaces or ALE/EDI.
- Winshuttle products do not need to be registered on your SAP Gateway. Explicitly identified RFC destinations such as the Winshuttle RFC sessions are created in an ad hoc fashion according to your need to make calls to SAP, just as users would create RFC sessions with SAP in an ad hoc fashion.

SAP Secure User Access & Secure Collaboration

SAP users are identified by way of a credential in the target SAP system. This prevents unidentified or unauthorized users from accessing the SAP system. Identifying who users are, challenging them with a user name and password, and generally administering users is performed inside the SAP system but can be augmented using products like Identity Management solutions, Single Sign On (SSO) and authentication systems and general access control systems. A common scenario is to integrate some enterprise-wide authentication system with your SAP system and allow users to sign on once with their Windows or SAP Portal username and password and then pass tokens seamlessly between the authentication system and SAP.

How does Winshuttle handle SAP Secure User Access & Secure Collaboration?

Winshuttle completely adheres to a given SAP system Secure User Access model. Users cannot execute scripts against an SAP system without a valid and active SAP credential. Users with a valid credential that has been disabled, locked or expired in an SAP system cannot access any BAPI, transaction or tables unless that user ID is enabled, extended or unlocked. Please refer to the document entitled Configuring Winshuttle to work with SSO for details on working with SAP and Winshuttle products in environments with SSO.

[Figure: Trust Domain Controller, Computer, Winshuttle User, Winshuttle Logon Component, Back end SAP system; steps numbered 1 to 5]

Where a credential is granted access through a token passed from the SAP system to the browser, this can be leveraged by Winshuttle products to perform activities for the lifetime of the token/certificate. Winshuttle products are able to communicate with your SAP system over SNC as well as unsecured network connections. Winshuttle systems typically do not maintain a permanently open RFC connection to the SAP system because RFC communications are instantiated on demand.

Although it is possible to use an anonymous system account to create connections from Winshuttle products to a given SAP system, most installations and use cases involve the use of explicitly identified SAP users with associated SAP credentials. Connections created from Winshuttle products to the SAP system therefore clearly identify who the user is and what actions they are performing in the standard SAP system monitoring tools.

SAP Application Security

SAP application security is configured by SAP customers according to their specific regulatory compliance requirements. There may be additional data privacy or data protection measures, as well as specialized roles and authorization concepts established in a given SAP installation, and certain activities may be monitored or audited. In addition, there may be transaction- or data-specific configuration in a given SAP system which may trigger SAP workflows or the invocation of certain SAP controls. Some SAP installations may also make use of products like SAP Virsa Firefighter roles for certain transaction or functional restrictions.
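The statements above, that connections from Winshuttle products are RFC sessions tied to an identifiable SAP user and that certain activities may be monitored or audited, can be checked with a log review like the following. This is an added example, not Winshuttle or SAP code: it assumes audit events have been exported to CSV in a constructed column layout, relies on the SAP Security Audit Log message IDs AU4, AU5, AU6 and AUL, and the shared-account list, threshold and sample rows are hypothetical.

```python
import csv
import io
from collections import Counter

# SAP Security Audit Log message IDs used by the rules below.
RFC_LOGON_OK, RFC_LOGON_FAILED = "AU5", "AU6"
RFC_CALL_FAILED, TCODE_START_FAILED = "AUL", "AU4"

# Constructed sample: a CSV export of audit events. The column layout and
# every user, terminal and detail value are made up for this example.
SAMPLE_EXPORT = """time,event_id,user,terminal,detail
2014-02-03T09:00:01,AU5,JSMITH,WS-0142,type=R
2014-02-03T09:00:02,AUK,JSMITH,WS-0142,BAPI_MATERIAL_SAVEDATA
2014-02-03T09:05:10,AU5,BATCH_SVC,WS-0977,type=R
2014-02-03T09:06:00,AU6,MLEE,WS-0310,reason=locked
2014-02-03T09:06:05,AU6,MLEE,WS-0310,reason=locked
2014-02-03T09:06:09,AU6,MLEE,WS-0310,reason=locked
2014-02-03T09:10:44,AU5,KPATEL,WS-0221,type=R
2014-02-03T09:10:45,AUL,KPATEL,WS-0221,BAPI_ACC_DOCUMENT_POST
2014-02-03T09:10:50,AU4,KPATEL,WS-0221,FB01
"""


def review_rfc_activity(export_text, shared_accounts, failed_logon_threshold=3):
    """Return sorted (rule, user, detail) findings from an audit-event export.

    shared_accounts: site-supplied set of system or shared user IDs whose
    RFC sessions cannot be attributed to a named person (an assumption of
    this example, not something the audit log records by itself).
    """
    findings = set()
    failed_logons = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        event, user = row["event_id"], row["user"].upper()
        if event == RFC_LOGON_OK and user in shared_accounts:
            # RFC session opened with an account that hides the real user.
            findings.add(("shared-account-rfc-logon", user, row["terminal"]))
        elif event == RFC_LOGON_FAILED:
            # Counted first; a single failure is usually a typo.
            failed_logons[user] += 1
        elif event in (RFC_CALL_FAILED, TCODE_START_FAILED):
            # SAP refused the function module or transaction the client
            # requested: the user holds a script but not the authorization.
            findings.add(("denied-by-sap-authorization", user, row["detail"]))
    for user, count in failed_logons.items():
        if count >= failed_logon_threshold:
            # Typical of a script retrying with a locked or expired user.
            findings.add(("repeated-failed-rfc-logon", user, str(count)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_rfc_activity(SAMPLE_EXPORT, {"BATCH_SVC"}):
        print(finding)
```
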

How does Winshuttle handle SAP Application Security?

Winshuttle products completely adhere to the Application Security rules established in your SAP environment. Users that do not have access to certain transaction codes, tables, or data will not be able to bypass the role- and profile-imposed security that you have applied to their user identifiers. Though a Winshuttle user may have access to a given automation script that calls a specific transaction or BAPI, that user cannot invoke the associated SAP transaction or BAPI if they do not have access to it as a part of their standard SAP security authorizations. Winshuttle products also allow users who may be only temporarily granted access to certain SAP transactions, through products like Virsa Firefighter, to perform actions against SAP systems.

SAP Installation Components

A given SAP installation may involve many SAP products and components. These systems may be a combination of legacy systems and new components that SAP has developed and promoted in recent times. These components may include SAP ECC, MDM, SRM, APO, CRM etc. In addition to the different backend SAP systems that a given installation may have, some installations may use a variety of client-based solutions to communicate with the backend SAP landscape. These client solutions may include the SAP desktop GUI for Windows operating systems, the SAP NetWeaver Business Client, the SAP Portal, the SAP GUI rendered in a browser window, Terminal Services running the SAP GUI or custom .NET front-ends to SAP systems.

What does Winshuttle work with?

Generally speaking, Winshuttle products work with any ABAP-based SAP system that can be communicated with over RFC. This includes R/3 4.6c through the current releases of ECC. Winshuttle products also work with SRM, APO and CRM systems in a limited way. Processes and functions that are only available in the SAP Portal or which have been developed using Java or Web Dynpros cannot be automated with Winshuttle products. Some Java and Web Dynpro functions, as well as some standard SAP transactions, have alternative interfacing methods enabled through BAPIs and Function Modules written in ABAP, and these can be used by Winshuttle products in a number of very effective and robust ways. Winshuttle products do not work with SAP products specifically developed for .NET platforms and which have no ABAP components, such as SAP MDM and SAP BusinessOne.

Authors of scripts and Query developers require the SAP GUI to be installed on the machines on which they author transaction recordings and queries. Some minimal SAP GUI components are also required for Runners of transaction automations and queries in order to open the RFC communication with the SAP Gateway. The presence of the NWBC is not sufficient for recording or running Winshuttle desktop products.

What SAP changes and authorizations are required to make Winshuttle work with SAP?

Most recently, several customers have found that after applying SAP BASIS 7.00 Support Package 24 (and related packages in other SAP BASIS versions), certain transaction recording modes, particularly non-batch input recordings, no longer worked. Winshuttle has a solution for this problem which requires the installation of a Z Function Module. Please contact Winshuttle support for more information on this.

Further reading:

- http://www.winshuttle.com/white-papers/winshuttle-sso-whitepaper-en.pdf
- http://www.winshuttle.com/white-papers/winshuttle-addressingsecurityperformanceusabilitywithquery-whitepaper-en.pdf
- http://www.winshuttle.com/white-papers/winshuttle-easyalternativetolsmw-whitepaper-en.pdf
- http://www.winshuttle.com/white-papers/winshuttle-mitigatingriskwithmassdatachange-whitepaper-en.pdf
- http://www.winshuttle.com/white-papers/winshuttle-easingsoxcompliance-whitepaper-en.pdf
- http://www.winshuttle.com/white-papers/winshuttle-complyingwithsapsecurityusingtransaction-whitepaper-en.pdf

Empowering People, Making Heroes

Founded in 2003, Winshuttle is a global company with sales and support offices worldwide. For more information about Winshuttle solutions or to contact a representative near you, please visit www.winshuttle.com.