Security Guide
Document Version: 4.0 – 2017-09-29
CUSTOMER
SAP Capital Yield Tax Management for Banking 8.0
2
© 2017 SAP AG. All rights reserved. Typographic Conventions
Typographic Conventions
Type Style Description
Example Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example Emphasized words or expressions. EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE Keys on the keyboard, for example, F2 or ENTER .
Document History
© 2017 SAP AG. All rights reserved. 3
Document History
Version Date Change
1.0 2013-07-04 Initial version
2.0 2013-08-30
3.0 2015-12-04 Update for Support Package 08
4.0 2017-09-29 Chapter 12: Data Protection and Privacy: Updated according to Soteria DPP documentation guidelines. All links updated where required.
Table of Contents
© 2017 SAP AG. All rights reserved. 4
Table of Contents
1 Introduction ................................................................................................................................... 5
2 Before You Start ............................................................................................................................ 8
3 Technical System Landscape ...................................................................................................... 9
4 Security Aspects of Data, Data Flow, and Processes ............................................................. 10
5 User Administration and Authentication ................................................................................. 12 5.1 User Management ............................................................................................................................... 13 5.2 User Data Synchronization ................................................................................................................. 14 5.3 Integration into Single Sign-On Environments .................................................................................. 14
6 Authorizations ............................................................................................................................. 15
7 Session Security Protection ..................................................................................................... 20
8 Network and Communication Security .................................................................................... 21 8.1 Communication Channel Security ..................................................................................................... 21 8.2 Network Security ................................................................................................................................. 22 8.3 Communication Destinations ............................................................................................................. 24
9 Internet Communication Framework Security ........................................................................ 25
10 Application-Specific Virus Scan Profile (ABAP) .................................................................... 26
11 Data Storage Security ................................................................................................................ 27
12 Data Protection and Privacy ..................................................................................................... 29 12.1 Consent ................................................................................................................................................. 31 12.2 Read Access Logging .......................................................................................................................... 31 12.3 Information Report ............................................................................................................................. 32 12.4 Deletion of Personal Data ................................................................................................................... 32 12.5 Change Logging ................................................................................................................................... 34
13 Security for Additional Applications ........................................................................................ 35
14 Other Security-Relevant Information ...................................................................................... 36
15 Services for Security Lifecycle Management .......................................................................... 37
Introduction
© 2017 SAP AG. All rights reserved. 5
1 Introduction
Caution
This guide does not replace the administration or operation guides that are available for productive
operations.
Target Audience
• Technology consultants
• Security consultants
• System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the
software life cycle, whereas the Security Guides provide information that is relevant for all life cycle
phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the
demands on security are also on the rise. When using a distributed system, you need to be sure that
your data and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation of your system should not result in loss
of information or processing time. These demands on security apply likewise to the SAP Capital Yield
Tax Management for Banking 8.0. To assist you in securing the SAP Capital Yield Tax
Management for Banking 8.0, we provide this Security Guide.
This guide contains security-relevant information for SAP Capital Yield Tax Management for
Banking 8.0. Generally the data stored is personal data that is subject to national data protection laws.
In particular, information about transactions made by customers who are also bank employees is
distinguished by internal agreements (employee accounts). This data must be protected specifically
against unauthorized access by other employees. SAP Capital Yield Tax Management for Banking
8.0 provides suitable protection mechanisms. You must also be able to ensure that employees cannot
change their own personal business data without authorization.
Introduction
© 2017 SAP AG. All rights reserved. 6
Overview of the Main Sections
The Security Guide comprises the following main sections:
• Before You Start
This section contains information about why security is necessary, how to use this document and references
to other Security Guides that build the foundation for this Security Guide.
• Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the
SAP Capital Yield Tax Management for Banking 8.0.
• Security Aspects of Data, Data Flow, and Processes
This section provides an overview of security aspects involved throughout the most widely-used processes
within the SAP Capital Yield Tax Management for Banking 8.0.
• User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
o Recommended tools to use for user management
o User types that are required by the SAP Capital Yield Tax Management for Banking 8.0
o Standard users that are delivered with SAP Capital Yield Tax Management for Banking 8.0
o Overview of the user synchronization strategy, if several components or products are involved
o Overview of how integration into Single Sign-On environments is possible
• Authorizations
This section provides an overview of the authorization concept that applies to the SAP Capital Yield Tax
Management for Banking 8.0.
• Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or
plug-ins from accessing the SAP logon ticket or security session cookie(s).
• Network and Communication Security
This section provides an overview of the communication paths used by the SAP Capital Yield Tax Management
for Banking 8.0 and the security mechanisms that apply. It also includes our recommendations for the
network topology to restrict access at the network level.
• Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by
the SAP Capital Yield Tax Management for Banking 8.0.
• Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles
are activated.
• Data Storage Security
This section provides an overview of any critical data that is used by the SAP Capital Yield Tax Management
for Banking 8.0 and the security mechanisms that apply.
• Data Protection
This section provides information about how the SAP Capital Yield Tax Management for Banking 8.0 protects
personal or sensitive data.
Introduction
© 2017 SAP AG. All rights reserved. 7
• Security for Additional Applications
This section provides security information that applies to third-party or additional applications that are used
with the SAP Capital Yield Tax Management for Banking 8.0.
• Other Security-Relevant Information
• Error! Reference source not found.
This section provides an overview of the trace and log files that contain security-relevant information, for
example, so you can reproduce activities if a security breach occurs.
• Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist
you in maintaining security in your SAP systems on an ongoing basis.
.
Before You Start
© 2017 SAP AG. All rights reserved. 8
2 Before You Start
Fundamental Security Guides
SAP Capital Yield Tax Management for Banking 8.0 is based on SAP NetWeaver technology.
Therefore, the corresponding Security Guides also apply to SAP Capital Yield Tax Management for
Banking 8.0. Pay particular attention to the most relevant sections or specific restrictions as indicated
in the table below:
Fundamental Security Guides
Scenario, Application or Component Security Guide
SAP NetWeaver - Security Guide (choose your NW version and see the respective security guide)
Security Guide - SAP ERP
Security Guide - banking services from SAP
Security Guide S/4HANA for on premise edition 1511
For a complete list of the available SAP Security Guides, see SAP Service Marketplace at
http://service.sap.com/securityguide.
For a list of additional security-relevant SAP Hot News and SAP Notes, see also SAP Service Marketplace
at https://support.sap.com/securitynotes.
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below:
Content Quick Link on SAP Service Marketplace or SCN
Security http://scn.sap.com/community/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes https://support.sap.com/notes https://support.sap.com/securitynotes
Released platforms https://support.sap.com/release-upgrade-maintenance/pam.html
Network security http://service.sap.com/securityguide
SAP Solution Manager https://support.sap.com/solutionmanager
SAP NetWeaver http://scn.sap.com/community/netweaver http://help.sap.com/netweaver
Technical System Landscape
© 2017 SAP AG. All rights reserved. 9
3 Technical System Landscape
Use
SAP Capital Yield Tax Management for Banking 8.0 is an add-on to the following basis solutions:
• SAP ERP 6.0 EhP7 or higher
• banking services from SAP 9.0
• SAP S/4HANA, on-premise edition
Therefore, the security guides listed in section “Before You Start” are fundamental.
For more information about the technical system landscape, see the resources listed in the table below:
Topic Guide/Tool Link on SAP Service Marketplace or SAP Help Portal
Technical description for SAP Capital Yield Tax Management for Banking 8.0 and the underlying components such as SAP NetWeaver
Master Guide
http://service.sap.com/instguides
High availability
CYT Application Operations Guide
https://help.sap.com/viewer/p/SAP_CAPITAL_YIELD_TAX_MANAGEMENT
Technical landscape design
See applicable documents
http://scn.sap.com/docs/DOC-8140
Security See applicable documents
http://scn.sap.com/community/security
Security Aspects of Data, Data Flow, and Processes
© 2017 SAP AG. All rights reserved. 10
4 Security Aspects of Data, Data Flow, and Processes
The figure below shows an account settlement integration scenario in SAP Capital Yield Tax
Management for Banking 8.0:
Account
Settlement
CYT
Interface
Customizing
Customizing
R
R
CYT
Calculator
Customizing
Customizing
R
Tra
nsa
ctio
na
l
Da
ta
Business Partner
Master Data
R
RA
M
The Tax Calculation module of SAP Capital Yield Tax Management for Banking 8.0 could be used
and installed on a distributed system. You need to be sure that unauthorized access to critical tax
information is checked. Additionally, user errors, negligence, or attempted manipulation of your system
should not result in loss of information or processing time.
For details about how to secure network setup, see the Network and Communication Security section of
this document.
For details about required authorizations, see the Authorizations section of this document.
A secure authorization concept restricts access to SAP Capital Yield Tax Management for Banking
8.0 interface. Users need to be identified and successfully authenticated before CYT interface is
executed.
Security Aspects of Data, Data Flow, and Processes
© 2017 SAP AG. All rights reserved. 11
For details about how to secure Account Settlement, see SAP ERP 6.0 Security Guides on http://service.sap.com/securityguide.
User Administration and Authentication
© 2017 SAP AG. All rights reserved. 12
5 User Administration and Authentication
SAP Capital Yield Tax Management for Banking 8.0 uses the user management and authentication
mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application
Server ABAP. Therefore, the security recommendations and guidelines for user administration and
authentication as described in the SAP NetWeaver Application Server ABAP Security Guide on SAP Help
Portal at http://help.sap.com also apply to SAP Capital Yield Tax Management for Banking 8.0.
In addition to these guidelines, we include information about user administration and authentication
that applies specifically to SAP Capital Yield Tax Management for Banking 8.0 in the following
topics:
• User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that
are delivered with SAP Capital Yield Tax Management for Banking 8.0.
• User Data Synchronization
SAP Capital Yield Tax Management for Banking 8.0 does not share any user information with other sources.
SAP User Management is private and confidential.
• Integration into Single Sign-On Environments
This topic describes how SAP Capital Yield Tax Management for Banking 8.0 supports single sign-On
mechanisms.
User Administration and Authentication
© 2017 SAP AG. All rights reserved. 13
5.1 User Management
Use
User management for SAP Capital Yield Tax Management for Banking 8.0 uses the mechanisms
provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and
password policies. For an overview of how these mechanisms apply for SAP Capital Yield Tax
Management for Banking 8.0, see the sections below. In addition, we provide a list of the standard
users required for operating SAP Capital Yield Tax Management for Banking 8.0.
User Administration Tools
The table below shows the tools to use for user management and user administration with SAP Capital
Yield Tax Management for Banking 8.0:
User Management Tools
Tool Detailed Description Prerequisites
User and role maintenance with SAP NetWeaver AS ABAP (Transactions SU01, PFCG)
For more information, see User and Role Administration of Application Server ABAP on http://service.sap.com/securityguide.
User Types
It is often necessary to specify different security policies for different types of users. For example, your
policy may specify that individual users who perform tasks interactively have to change their passwords
on a regular basis, but not those users under which background processing jobs run.
The user types that are required for SAP Capital Yield Tax Management for Banking 8.0 include:
• Individual users:
o Dialog users are used to enter master data and to start reports and transactions
• Technical users:
o Background users are used to execute background processes
For more information about these user types, see User Types in the SAP Process Integration Security Guide
on SAP Help Portal.
User Administration and Authentication
© 2017 SAP AG. All rights reserved. 14
Standard Users
No further users are named in addition to the standard users described in the SAP NetWeaver Security
Guide. All users are created by the customer's system administration, which also provides the initial
identification parameters (such as passwords).
5.2 User Data Synchronization
Use
SAP Capital Yield Tax Management for Banking 8.0 does not share any user information with other
sources. SAP User Management is private and confidential.
5.3 Integration into Single Sign-On Environments
Use
SAP Capital Yield Tax Management for Banking 8.0 supports the Single Sign-On (SSO) mechanisms
provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user
administration and authentication as described in the SAP NetWeaver Security Guide on SAP Help Portal at
http://help.sap.com also apply to SAP Capital Yield Tax Management for Banking 8.0.
For more information about the available authentication mechanisms, see section User Administration
and Authentication in the SAP NetWeaver Security Guide.
Authorizations
© 2017 SAP AG. All rights reserved. 15
6 Authorizations
Use
SAP Capital Yield Tax Management for Banking 8.0 uses the authorization concept provided by the
SAP NetWeaver AS ABAP. Therefore, the recommendations and guidelines for authorizations as
described in the SAP NetWeaver Application Server for ABAP Security Guide also apply to SAP Capital
Yield Tax Management for Banking 8.0.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.
For role maintenance, use the profile generator (transaction PFCG) on the AS.
Note
For more information about how to create roles, see User Management in the SAP NetWeaver Security
Guide.
We recommend that you generate authorizations by assigning the required transaction codes to the role.
Note
The generation process does not work for assigning appropriate authorizations for CYT master data
maintenance using transaction bp (business partner maintenance). Make sure that you assign the
authorization object F_CYT_PART manually.
Role and Authorization Concept for SAP Capital Yield Tax Management for Banking 8.0
Standard Authorization Objects
SAP Capital Yield Tax Management for Banking 8.0 uses several authorization objects. You can
display the authorization objects in the system in transaction SU21.
• F_CYT_PART is used during authorization checks for master data (business partner data) in SAP Capital Yield
Tax Management for Banking 8.0. It supports authorization checks to access employee/staff data and
religious denomination key.
• F_CYT_POST is used during authorization checks for processes and reporting in SAP Capital Yield Tax
Management for Banking 8.0. It supports authorization checks to access employee/staff data.
• F_CYT_ARCH is used during authorization checks for archiving of SAP Capital Yield Tax Management for
Banking 8.0 data,
Authorizations
© 2017 SAP AG. All rights reserved. 16
• F_CYT_BPDP is used during authorization checks to access blocked data. Blocked data is data that regular
users and processes cannot access. It can be accessed only by authorized users such as data privacy officers
or auditors.
For more information, see the system documentation of the authorization objects (transaction SU21).
The table below shows the authorization object classes that are used by SAP Capital Yield Tax
Management for Banking 8.0:
Object Class Description CYT CYT Authorization Class BC_A Basis: Administration
The table below shows details of the security-relevant authorization objects that are used by SAP
Capital Yield Tax Management for Banking 8.0:
Authorization Object Field Value Description F_CYT_PART /CYT/CYTID CYT Area /CYT/STAFF X
blank
Authorization to access employee master data
/CYT/RELIG Blank (no
authorization)
X (Change)
A (Display)
B (Create, Delete)
Authorization to change, display, create or delete religious denomination data relevant in the German country version.
ACTVT 01 (Create)
02 (Change)
03 (Display)
Authorization to create, change and display master data
/CYT/UDATE Blank (Display)
X (Change)
Authorization to display or change the date for usage of church tax indicator. Relevant in the German country version.
F_CYT_POST /CYT/CYTID CYT area /CYT/STAFF Authorization to access
employee transactional data
/CYT/REL_C Authorization for tax calculation
ACTVT 10
48
Authorization to execute in simulation, or in productive mode with posting
F_CYT_ARCH ARCH_OBJ Archiving object ACTVT 01 (Create)
03 (Display)
25 (Reload))
Archiving activity (create or generate archive files, display
Authorizations
© 2017 SAP AG. All rights reserved. 17
Authorization Object Field Value Description
archives, reload from archive)
F_CYT_BPDP ACTVT 03 (Display) Display activity for blocked business partner
S_TABU_DIS ACTVT 02 (Change)
03 (Display)
BD (Maintain obj.
in non-OwnerSys.)
Table maintenance (via standard tools such as SM30)
CYTC Table authorization group
S_PROGRAM P_GROUP Business area =
application group
Authorization group ABAP/4 program
P_ACTION SUBMIT User action ABAP/4 program - execution of report
Critical Combinations
SAP Business Partner
To access specific business partner data in SAP Capital Yield Tax Management for Banking 8.0 the
authorization objects of SAP Capital Yield Tax Management for Banking 8.0 have to be used.
Additionally the following authorization objects to control the authorization for maintaining business
partner data of SAP Business Partner have to be considered:
Authorization Object Description B_BUPA_GRP Business Partner: Authorization Groups B_BUPA_ATT Business Partner: Authorization Types B_BUPA_FDG Business Partner: BP Roles B_BUPA_RLT Business Partner: Field Groups
For more information about authorization management, see the Customizing of the SAP Business Partner.
Religion and Staff-Sensitive Data
Authorization Object F_CYT_PART
The user interfaces to display and maintain business partner data includes the religion and staff-
sensitive data. In transaction BP the religious denomination key is replaced by 99 for unauthorized users
(/CYT/RELIG field, F_CYT_PART authorization object) and cannot be edited. In the API provided by SAP
Capital Yield Tax Management for Banking 8.0, the religious denomination key is replaced by the
dummy key 99.
The users without staff authorization (/CYT/STAFF field, F_CYT_PART authorization object) will not be
able to display the business partner data provided by SAP Capital Yield Tax Management for
Banking 8.0.
Authorizations
© 2017 SAP AG. All rights reserved. 18
Authorization Object F_CYT_POST
The staff authorization (field /CYT/STAFF, authorization object F_CYT_POST) is checked by the tax
calculation in the settlement process.
Note
There is no specific authorization check for religious denomination while running the tax calculation.
Thus, the authorization to execute tax calculation automatically includes the reading of sensitive
religious denomination data, if required for calculation. This is specifically relevant for the German tax
calculation.
Authorizations in Reporting
Reporting in SAP Capital Yield Tax Management for Banking 8.0 is checked against the
authorization object S_PROGRAM with the authorization group ABAP program (defined business areas)
P_GROUP and P_ACTION “SUBMIT”. Additionally, every report is checked against the objects F_CYT_POST
and F_CYT_PART. If only transaction data is involved, the authorization object F_CYT_POST is checked.
For reports that handle business partner data, the authorization object F_CYT_PART is checked.
Additionally, F_CYT_PART is executed in all search helps in the selection masks of reports.
If there is no authorization for employee/staff data (field /CYT/STAFF in authorization objects
F_CYT_POST and F_CYT_PART), the reports will not allow unauthorized users to process reports for
employee/staff.
Reports that change master data will require activity 02 for the productive run und 03 for the simulation
in the authorization object F_CYT_PART.
SAP Capital Yield Tax Management for Banking 8.0 provides reporting for tax offices. These
reports should consider all data including employee/staff and blocked business partners (authorization
object F_CYT_BPDP). The table below shows the security-relevant reports that will not check the
employee/staff authorization:
Report Description /IBS/BCY_STANM_AB2009_DE Prepare Tax Registration for Tax Office (Germany) /IBS/MCY_STEUERANMELD_AB2009 Display Tax Registration (Germany) /IBS/MCY_FSADV_CREATE Select Data According to the FSADV Regulations
(Germany) /IBS/BCY_FSADV_DATASET Creation of a File According to the FSADV
Regulations (Germany) /IBS/MCY_EUZ_FILE_C_AB2009 Create Report According to EU Savings Tax
Directive (Germany)
Authorizations
© 2017 SAP AG. All rights reserved. 19
Report Description /IBS/DCY_ABST_CYT_FI_AB2009 Capital Yield Tax Reconciliation Between CYT and
General Ledger /IBS/DCY_FA_ST_ANM_CH Registration with the Tax Authorities (Switzerland) /IBS/BCY_TS_P_PP_AB2009 Print Tax Statement
/CYT/R_FSADV_DATA_SELECT Select Data According to the FSADV Regulations (Germany) (since 2017)
/CYT/R_FSADV_DATA_SHOW Show Data According to the FSADV Regulations (Germany) (since 2017)
/CYT/R_FSADV_FILE_CREATE Creation of a File According to the FSADV Regulations (Germany) (since 2017)
/CYT/R_FSADV_FILE_IMPORT Import of a File According to the FSADV Regulations (Germany) (since 2017)
Archiving and Data Destruction
The standard roles of SAP Capital Yield Tax Management for Banking 8.0 do not contain
authorizations for archiving (authorization object F_CYT_ARCH) and for data access of blocked business
partner (authorization object F_CYT_BPDP). These authorization objects are to be included in the
respective roles for archiving and data destruction solutions and/or audit roles.
For more information about how to create roles and how to maintain authorizations for archiving and
data destruction solutions, see Security Guide for ADK-Based Data Archiving in the SAP NetWeaver
Security Guide on SAP Help Portal.
For more information about blocked business partner, see Data Protection.
Session Security Protection
© 2017 SAP AG. All rights reserved. 20
7 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookie(s), we
recommend that you activate secure session management.
We also highly recommend using SSL to protect the network communications in which these security-
relevant cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate
session security for the client(s), that use transaction SICF_SESSIONS.
For more information, a list of the relevant profile parameters, and detailed instructions, see Activating
HTTP Security Session Management on AS ABAP.
Network and Communication Security
© 2017 SAP AG. All rights reserved. 21
8 Network and Communication Security
Your network infrastructure is extremely important for protecting your system. Your network needs to
support the communication necessary for your business needs without allowing unauthorized access. A
well-defined network topology can eliminate many security threats based on software flaws (at both
operating system level and application level) or network attacks such as eavesdropping. If users cannot
log on to your application or database servers at the operating system or database layer, then there is
no way for intruders to compromise the machines and gain access to the backend system’s database or
files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot
exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP Capital Yield Tax Management for Banking 8.0 is based on the
topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations
described in the SAP NetWeaver Security Guide also apply to SAP Capital Yield Tax Management
for Banking 8.0. Details that specifically apply to SAP Capital Yield Tax Management for Banking
8.0 are described in the following topics:
• Communication Channel Security
This topic describes the communication paths and protocols used by SAP Capital Yield Tax Management for
Banking 8.0.
• Network Security
This topic describes the recommended network topology for SAP Capital Yield Tax Management for Banking
8.0. It shows the appropriate network segments for the various client and server components and where to
use firewalls for access protection. It also includes a list of the ports needed to operate SAP Capital Yield Tax
Management for Banking 8.0.
• Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users
are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide on SAP Help
Portal:
• Network and Communication Security
• Security Guides for Connectivity and Interoperability Technologies
8.1 Communication Channel Security
Use
The table below shows the communication channels used by SAP Capital Yield Tax Management for
Banking 8.0, the protocol used for the connection and the type of data transferred:
Network and Communication Security
© 2017 SAP AG. All rights reserved. 22
Communication Path Protocol Used Type of Data Transferred
Data Requiring Special Protection
Frontend client using SAP GUI for Windows (workshop interface) to application server
DIAG
Application data
Passwords, personal data
Application server to third party application
RFC
Application data
Personal data
Application server to application server
RFC
Application data
Personal data
DIAG and RFC connections can be protected using Secure Network Communications (SNC).
Recommendation
Use secure protocols (SSL, SNC) whenever possible.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
8.2 Network Security
Use
SAP Capital Yield Tax Management for Banking 8.0 is based on SAP NetWeaver technology. For
more information about network security, see the following sections of the SAP NetWeaver Security
Guide:
• Network Services: Contains information about the services and ports used by SAP NetWeaver.
• Using Firewall Systems for Access Control: Contains information about firewall settings.
• Using Multiple Network Zones: Contains information about the network segments where the individual parts
of your application are to be configured.
If you offer services on the internet, you need to protect your network infrastructure with at least a
firewall. You can increase the security of your system (or group of systems) by creating the groups in
different network segments, each of which is protected from unauthorized access by a firewall.
Remember that unauthorized access can also come from inside, if an intruder has already taken control
of one of your systems.
Network and Communication Security
© 2017 SAP AG. All rights reserved. 23
Ports
SAP Capital Yield Tax Management for Banking 8.0 runs on SAP NetWeaver and uses the ports
from the AS ABAP. For more information, see Ports of SAP NetWeaver Application Server for ABAP in the
corresponding SAP NetWeaver Security Guide on SAP Help Portal. For other components, for
example, SAPinst, SAProuter, or SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP
Applications on SAP Community Network.
Network and Communication Security
© 2017 SAP AG. All rights reserved. 24
8.3 Communication Destinations
Use
No RFC destinations are supplied with SAP Capital Yield Tax Management for Banking 8.0. When
you set up your non-local data flows, use transaction SM59 to create your RFC destinations. You can copy
the role SAP_RFC_CORR_REQ and assign this to the technical writer. For more information, see the
documentation for transaction SM59 and the SAP Notes in the SAP NetWeaver Security Guide.
User authorizations can become a security risk if used in an irresponsible way. Note the following
security rules for communication between two systems:
• Use the user categories System and Communication.
• Provide users with the minimum authorizations only.
• Choose a secure password and do not reveal this to anyone.
• Save user-specific logon data only for users in the System and Communications categories.
• If possible, use trusted system functions instead of saving user-specific logon data.
Internet Communication Framework Security
© 2017 SAP AG. All rights reserved. 25
9 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system.
Use the transaction SICF to activate these services.
If your firewall(s) use URL filtering, note the URLs used for the services and adjust your firewall settings
accordingly.
For more information, see Activating and Deactivating ICF Services in the SAP NetWeaver Library
documentation on http://help.sap.com.
For more information about ICF security, see the RFC/ICF Security Guide on
http://service.sap.com/securityguide.
Application-Specific Virus Scan Profile (ABAP)
© 2017 SAP AG. All rights reserved. 26
10 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging
the system. To manage the interface and which file types are checked or blocked, there are virus scan
profiles. Different applications rely on default profiles or application-specific profiles.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During
this process, you also set up the default behavior. SAP also provides default profiles.
For more information, see SAP Virus Scan Interface on SAP Help Portal at http://help.sap.com and SAP
Note 1693981 (Unauthorized modification of displayed content).
Data Storage Security
© 2017 SAP AG. All rights reserved. 27
11 Data Storage Security
Use
SAP Capital Yield Tax Management for Banking 8.0 saves master, transactional, and reporting data
in SAP Capital Yield Tax Management for Banking 8.0 databases. You do not require any other
databases in addition to this standard.
Using Logical Path and File Names to Protect Access to the File System
Additionally, SAP Capital Yield Tax Management for Banking 8.0 saves some data in files in the file
system. Therefore, it is important to provide explicit access to the corresponding files in the file system
without allowing access to other directories or files (also known as directory traversal). This is achieved
by specifying logical paths and file names in the system that map to the physical paths and file names.
This mapping is validated at runtime and, if access is requested to a directory (including subdirectories)
that does not match a stored mapping, then an error occurs.
The following lists show the logical file names and paths used by SAP Capital Yield Tax Management
for Banking 8.0 and the programs for which these file names and paths apply:
Logical File Names Used
The following logical file names have been created to enable the validation of physical file names:
Logical File Name Logical Path Name Programs using this logical file
name
/IBS/CY_EUZ_EXPORT_FILE /IBS/CY_EUZ_EXPORT_FILE /IBS/MCY_EUZ_FILE_C_AB2009
/IBS/CY_FSADV /IBS/CY_FSADV /IBS/BCY_FSADV_DATASET
CYT/FSADV_2017 /CYT/FSADV_2017 /CYT/R_FSADV_FILE_CREATE
/CYT/R_FSADV_FILE_IMPORT
/CYT/FKB /CYT/FKB /CYT/R_FKB_DATASET
/CYT/KISTA /CYT/KISTA /CYT/R_KISTA_DATASET
/CYT/R_KISTA_UPDATE
/CYT/KISTA_IMP /CYT/KISTA_IMP /CYT/R_KISTA_DATASET
/CYT/R_KISTA_UPDATE
Data Storage Security
© 2017 SAP AG. All rights reserved. 28
Activating Validation of Logical Path and File Names
These logical paths and file names, as well as any subdirectories, are specified in the system for the
corresponding programs. For downward compatibility, validation at runtime is deactivated by default.
To activate validation at runtime, maintain the physical path using the transactions FILE (client-
independent) and SF01 (client-specific). To find out which paths are being used by your system, you can
activate the corresponding settings in the Security Audit Log.
For more information, see SAP Help Portal at http://help.sap.com:
• Logical File Names
• Auditing and Logging
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 29
12 Data Protection and Privacy
Data stored in SAP Capital Yield Tax Management for Banking 8.0 is person-related data that is
covered by data protection legislation.
Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data privacy regulation, it is necessary to consider compliance with industry-
specific legislation in different countries. SAP provides specific features and functions to support
compliance with regards to relevant legal requirements, including data protection. SAP does not give
any advice on whether these features and functions are the best method to support company, industry,
regional, or country-specific requirements. Furthermore, this information does not give any advice or
recommendation in regards to additional features that would be required in particular IT environments;
decisions related to data protection must be made on a case-bycase basis, under consideration of the
given system landscape and the applicable legal requirements.
Note
In the majority of cases, compliance with applicable data protection and privacy laws will not be
covered by a product feature. SAP software supports data protection compliance by providing
security features and specific data protection-relevant functions, such as simplified blocking and
deletion of personal data. SAP does not provide legal advice in any form. Definitions and other terms
used in this document are not taken from any given legal source.
Glossary
Term Definition
Personal data Any information relating to an identified or
identifiable natural person ("data subject"). An
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural, or social identity of that natural person.
Purpose A legal, contractual, or in other form justified
reason for the processing of personal data. The
assumption is that any purpose has an end that is
usually already defined when the purpose starts.
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 30
Blocking A method of restricting access to data for which
the primary business purpose has ended.
Deletion The irreversible destruction of personal data.
Retention period The period of time between the end of purpose
(EoP) for a data set and when this data set is
deleted subject to applicable laws. It is a
combination of the residence period and the
blocking period.
End of purpose (EoP) A method of identifying the point in time for a
data set when the processing of personal data is
no longer required for the primary business
purpose. After the EoP has been reached, the data
is blocked and can only be accessed by users with
special authorization (e.g. tax auditors).
Sensitive personal data A category of personal data that usually includes
the following type of information:
● Special categories of personal data such as
data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or
trade union membership and the processing of
genetic data, biometric data, data concerning
health or sex life or sexual orientation
● Personal data subject to professional secrecy
● Personal data relating to criminal or
administrative offenses
● Personal data concerning insurances and bank
or credit card accounts
Residence period The period of time after the end of purpose (EoP)
for a data set during which the data remains in the
database and can be used in case of subsequent
processes related to the original purpose. At the
end of the longest configured residence period,
the data is blocked or deleted. The residence
period is part of the overall retention period.
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 31
Where-used check (WUC) A process designed to ensure data integrity in the
case of potential blocking of business partner data.
An application's where-used check (WUC)
determines if there is any dependent data for a
certain business partner in the database. If
dependent data exists, this means the data is still
required for business activities. Therefore, the
blocking of business partners referenced in the
data is prevented.
Consent The action of the data subject confirming that the
usage of his or her personal data shall be allowed
for a given purpose. A consent functionality allows
the storage of a consent record in relation to a
specific purpose and shows if a data subject has
granted, withdrawn, or denied consent.
12.1 Consent
Tax authorities require and request end users’ personal data, and financial institutions are legally
obliged to provide this data to the tax authorities. Therefore, in this specific case end users do not have
the option of explicitly giving their consent to the disclosure of their data.
12.2 Read Access Logging
Read Access Logging (RAL) is used to monitor and log read access to sensitive data.
This data may be categorized as sensitive by law, by external company policy, or by internal company
policy. These common questions might be of interest for an application that uses Read Access Logging:
● Who accessed the data of a given business entity, for example a bank account?
● Who accessed personal data, for example of a business partner?
● Which employee accessed personal information, for example religion?
● Which accounts or business partners were accessed by which users?
These questions can be answered using information about who accessed particular data within a
specified time frame. Technically, this means that all remote API and UI infostructures (that access the
data) must be enabled for logging.
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 32
SAP Capital Yield Tax Management for Banking 8.0 provides sample RAL configuration to monitor
and log read access to sensitive data:
Logging purpose: PRIVACY_CY - Privacy Police SAP Capital Tax Management
Business Area for Log Domain: FSCYT
Catgorization Channels supported Log Domain
Religious Denomination • Remote Function Calls
• Dynpro
• CYT_BP_INTERNAL_ID - Internal ID of CYT
Business Partner (logging with value in sample
configuration)
• CYT_BP_RELIGION - Religious Denomination
(logging without value in sample configuration)
For information about how to configure and monitor RAL using System Security for SAP NetWeaver
Application Server (ABAP), see Read Access Logging on SAP Help Portal at http://help.sap.com.
12.3 Information Report
In addition to compliance with the general data protection regulation you may have requirements to
collect and report stored personal data. You can use the Information Retrieval Framework (IRF) for this
purpose. For more information about Information Retrieval Framework (IRF), see SAP Help Portal at http://help.sap.com.
12.4 Deletion of Personal Data
Simplified Blocking and Deletion
In addition to compliance with the general data protection regulation, it is necessary to consider
compliance with industry-specific legislation in different countries. A typical potential scenario in certain
countries is that personal data shall be deleted after the specified, explicit, and legitimate purpose for
the processing of personal data has ended, but only as long as no other retention periods are defined in
legislation, for example, retention periods for financial documents. Legal requirements in certain
scenarios or countries also often require blocking of data in cases where the specified, explicit, and
legitimate purposes for the processing of this data has ended, but the data has to be retained in the
database due to other legally defined retention periods. In some scenarios, personal data also includes
referenced data. Therefore, the challenge for deletion and blocking is to first handle referenced data
and finally other data, such as business partner data.
Deletion of Personal Data
The handling of personal data is subject to applicable laws related to the deletion of such data at the
end of purpose (EoP). If there is no longer a legitimate purpose that requires the use of personal data, it
must be deleted. When deleting data in a data set, all referenced objects related to that data set must
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 33
be deleted as well. It is also necessary to consider industry-specific legislation in different countries in
addition to general data protection laws. After the expiration of the longest retention period, the data
must be deleted.
SAP NetWeaver Information Lifecycle Management (SAP NetWeaver ILM) comprises – in
addition to standard data archiving – functions for data retention management. This is essential for
meeting legal requirements regarding the destruction of the personal data. SAP NetWeaver ILM
allows defining and managing retention rules for all SAP applications centrally using the Information
Retention Manager (IRM). SAP Capital Yield Tax Management for Banking 8.0 provides
integration with SAP NetWeaver ILM to support the requirements of data archiving and data deletion
for master, transactional and reporting data stored in SAP Capital Yield Tax Management for
Banking 8.0.
For more information about SAP NetWeaver ILM integration, see Archiving of CYT Data on http://help.sap.com.
The SAP Business Partner enables compliance with national legal requirements regarding the
destruction of personal data
• Support of the ILM Framework for retention management for SAP BP
• Blocking of personal data after residence period by limiting the access
• Destruction of personal data after retention period
After a defined residence time, expired SAP Business Partner data has to be blocked in such a way
that regular users and processes cannot access this data any more, but it can still be accessed by
authorized users such as data privacy officers or auditors. SAP Capital Yield Tax Management for
Banking 8.0 provides integration for blocking of SAP Business Partner data and an authorization
concept for blocked data to avoid unauthorized access. For details, see the Authorization section and
the authorization object F_CYT_BPDP.
Additionally, SAP Capital Yield Tax Management for Banking 8.0 supports the destruction of SAP
Business Partner data after the retention period.
For more information about integration with SAP Business Partner Lifecycle Management, see Archiving
(of business partner data) on http://help.sap.com .
Data Protection and Privacy
© 2017 SAP AG. All rights reserved. 34
12.5 Change Logging
This section provides an overview of the trace and log files that contain security-relevant data. If there is a security
violation, you can use these files to reproduce activities, for example.
Change Documents
All changes to the master data in SAP Capital Yield Tax Management for Banking 8.0 are
registered in the respective database tables and can be found using change documents.
You can recall the change documents in the respective transactions by choosing Display Change
Document. The change documents are archived and destroyed as described in the Data Destruction
section of this document.
Application Log
SAP Capital Yield Tax Management for Banking 8.0 uses the logging and tracing mechanisms of
SAP NetWeaver. SAP Capital Yield Tax Management for Banking 8.0 writes exceptions into the
Application Log. These exceptions can occur due to failed authorization checks, for example, and are
therefore relevant for security.
For information about logging and tracing mechanisms of SAP NetWeaver Application Server
(ABAP), see Auditing and Logging on SAP Help Portal at http://help.sap.com. For more information about
the application log, see Application Logging.
You can access the part of the application log specific to SAP Capital Yield Tax Management for
Banking 8.0 by using transaction SLG1 (Analyze Application Log) and entering the parameter Object
= /IBS/CYT.
Consider to delete all logs and protocols after 10 months because these logs may contain personal data.
The archiving object BC_SBAL is used to delete the logs and protocols from Application Log. For more
information, see Archiving Object BC_SBAL on SAP Help Portal.
SAP Capital Yield Tax Management for Banking 8.0 uses the following data tables to store logs and
protocols in addition to the Application Log. You can use the listed deletion reports to delete protocols
stored in these data tables:
Log Data Table Deletion report /IBS/TCY_INDX /CYT/R_INDX_DELETE /IBS/TCY_CLWLIST /CYT/R_CLWLIST_DELETE
For more information, see the documentation of the reports.
Security for Additional Applications
© 2017 SAP AG. All rights reserved. 35
13 Security for Additional Applications
Use
If you also use SAP applications that are not explicitly mentioned in this document, their individual
security guides apply. These must be considered in an overall security concept.
Other Security-Relevant Information
© 2017 SAP AG. All rights reserved. 36
14 Other Security-Relevant Information
Use
Note that access to the SAP development environment should be highly restricted. Users with
authorization for developing, debugging, and changing the contents of fields in the debugger, can
potentially read, change, or delete any information in SAP Capital Yield Tax Management for
Banking 8.0.
For example, they can change information by calling the relevant BAPI and circumventing the
programmed authorization checks. These users can also modify system parameters.
For information about how you can prevent unauthorized access to the SAP development environment,
see the SAP NetWeaver Security Guide.
Services for Security Lifecycle Management
© 2017 SAP AG. All rights reserved. 37
15 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in
your SAP systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It
tells you:
• Whether SAP Security Notes have been identified as missing on your system.
In this case, you should analyze and implement the identified SAP Notes if possible. If you cannot implement
the SAP Notes, the report should be able to help you decide on how to handle the individual cases.
• Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not,
correct the situation. If you consider the situation okay, you should still check for any significant changes
compared to former EWA reports.
• Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system,
including:
• Critical authorizations in detail
• Security-relevant configuration parameters
• Critical users
• Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-
site service. We recommend you use it regularly (for example, once a year) and in particular after
significant system changes or in preparation for a system audit.
Security Configuration Validation
Security Configuration Validation can be used to monitor a system landscape continuously for
compliance with predefined settings, for example, from your company-specific SAP Security Policy. This
primarily covers configuration parameters, but it also covers critical security properties like the
Services for Security Lifecycle Management
© 2017 SAP AG. All rights reserved. 38
existence of a non-trivial Gateway configuration or making sure standard users do not have default
passwords.
Security in the RunSAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available
on how to operate SAP systems and landscapes in a secure manner. It guides you through the most
important security operation areas and links to detailed security information from SAP’s knowledge base
wherever appropriate.
More Information
For more information, see SAP Security Optimization Services Portfolio.
lll
www.sap.com/contactsap
© 2017 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System ads, System i5, System
p, System p5, System x, System z, System z10, System z9, z10, z9,
iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise
Server, PowerVM, Power Architecture, POWER6+, POWER6,
POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2
Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks
of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc.,
used under license for technology invented and implemented by
Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,
ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These
materials are provided by SAP AG and its affiliated companies ("SAP
Group") for informational purposes only, without representation or
warranty of any kind, and SAP Group shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the
express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting
an additional warranty.