
SAP Fiori Security
Document Version: 1.0 - 2013-05-14

Table of Contents

1 Overview ........ 3
1.1 Overview ........ 3

2 Access ........ 4
2.1 Secure System Access ........ 4

3 Communication ........ 5
3.1 Network and Communication Security Overview ........ 5
3.2 Communication Encryption ........ 5
3.3 OData and HTTP Methods ........ 6
3.4 URL Rewriting ........ 6
3.5 Internet Communication Framework Security ........ 6
3.6 Session Security Protection ........ 7

4 Users ........ 8
4.1 User Administration and Authentication ........ 8
4.1.1 User Creation and Authorization Assignment ........ 9
4.1.2 User Management Tools ........ 9
4.1.3 User Types ........ 9
4.1.4 User Data Synchronization ........ 10
4.2 User Authentication and Single Sign-On ........ 10
4.2.1 SAML 2.0 Single Sign-On ........ 10
4.2.2 SAP Logon Tickets (MYSAPSSO2) ........ 10
4.2.3 X.509 Client Certificates ........ 11
4.2.4 SAP NetWeaver Gateway Username and Password ........ 11
4.3 Authorizations ........ 12

5 Logging ........ 13
5.1 Security Relevant Logging and Tracing ........ 13
5.2 Services for Security Lifecycle Management ........ 13

2  © 2013 SAP AG or an SAP affiliate company. All rights reserved.  SAP Fiori Security


1 Overview

1.1 Overview

When running your SAP Business Suite system, you must ensure that your data and processes support your business needs without allowing unauthorized access to critical information.

User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP Fiori applications.

This guide provides security-relevant information applicable to SAP Fiori applications. Because SAP Fiori applications deal with business data from your core business processes, they adhere to the highest security and quality requirements.

The system landscape for SAP Fiori applications is built from multiple components, such as SAP Enterprise Resource Planning (ERP) and SAP NetWeaver Gateway, so the corresponding component security guides also apply.

Related Links
SAP Security Guides for ERP
SAP NetWeaver Gateway Security 2.0
SAP Security Guides


2 Access

2.1 Secure System Access

Secure system access for SAP Fiori applications involves user, password, and password-policy settings, as well as special considerations for mobile devices.

With SAP Fiori applications, you can access many of the main functions of your SAP Enterprise Resource Planning (ERP) system. Changes made in these applications are updated in the system automatically, over the Internet, online, and in real time. The applications connect to the SAP ERP backend system using HTTPS, and the same user, password, and password-policy settings apply whether you connect from a personal computer or from a mobile device.

Special Considerations

Because mobile devices are at a greater risk of being lost or stolen, it is highly recommended that you configure your mobile devices to use the security features provided by the relevant mobile device platform.

● Enable an additional PIN (personal identification number) code to enable users to lock their devices and prevent unauthorized users from accessing data.

● Enable remote management software allowing you to remotely lock mobile devices or wipe the data from them.

Note: We strongly recommend that each mobile device has only a single dedicated user.


3 Communication

3.1 Network and Communication Security Overview

The following table shows the communication channels used by SAP Fiori applications, the protocol used for the connection, and the type of data transferred.

Communication path: Web browser acting as frontend client to SAP NetWeaver Gateway
  Protocol: HTTP/HTTPS
  Type of data transferred: Application data and security credentials
  Data requiring special protection: Security credentials; application data (depending on individual security requirements and the criticality of the data)

Communication path: SAP NetWeaver Gateway to SAP ERP backend system
  Protocol: RFC
  Type of data transferred: Application data (authentication via trusted RFC)
  Data requiring special protection: Application data (depending on individual security requirements and the criticality of the data)

3.2 Communication Encryption

All communication channels should be encrypted in order to ensure confidentiality and integrity of data.

HTTP connections can be protected through Transport Layer Security (TLS).

RFC connections can be protected through Secure Network Communications (SNC).

Demilitarized Zone

Internet access to your SAP ERP backend system from an SAP Fiori application can be secured by means of an application-level gateway in the corporate network Demilitarized Zone (DMZ). This is described in the SAP NetWeaver Security Guide.

In the following sections of this chapter, the application-level gateway is referred to as the reverse proxy.

Related Links
SAP NetWeaver Gateway, see Encrypted Communication Channels
Transport Layer Security (SAP NetWeaver Security Guide version 7.3 EHP 1)
Application-Level Gateways Provided by SAP (SAP NetWeaver Security Guide version 7.3 EHP 1)
Using Multiple Network Zones (SAP NetWeaver Security Guide version 7.3 EHP 1)


3.3 OData and HTTP Methods

Because SAP Fiori apps use the Open Data Protocol (OData) to access data, the reverse proxy must be configured to allow certain HTTP methods.

SAP Fiori applications access backend data via OData. OData is a standardized protocol for creating and consuming data APIs. OData builds on core protocols like HTTP and commonly accepted methodologies like REST. The result is a uniform way to expose full-featured data APIs.

RESTful web services rely on HTTP semantics. Thus they use PUT and DELETE HTTP methods for update and delete operations. If a reverse proxy is used, it must be configured to allow those HTTP methods for the SAP NetWeaver Gateway OData services.

3.4 URL Rewriting

It is recommended that you configure URL rewrite rules.

SAP NetWeaver Gateway OData services may return some Gateway absolute URLs. When these services are accessed through a reverse proxy, these URLs may be invalid and/or disclose system information (protocols, hostname, port numbers).

Therefore, it is recommended to configure URL rewrite rules at the reverse proxy level. The data to process can be identified through its Content-Type HTTP header. The following content should be processed:

● text/html
● application/xml
● application/json
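The two reverse-proxy requirements of sections 3.3 and 3.4 (forward the OData methods PUT and DELETE, and rewrite absolute Gateway URLs in text/html, application/xml and application/json bodies so that internal host names and ports are not disclosed) can be expressed as a small response filter. The following Python module is an added example and is not part of this guide or of any SAP product; the host names, the port 44300, the service path and the sample OData response are constructed, and the method set is limited to the four methods the text names.

```python
import json
import re
from typing import Tuple
from urllib.parse import urlsplit

# Constructed example hosts: the internal Gateway URL that must not leak to
# clients, and the public reverse-proxy URL that clients should see instead.
INTERNAL_GATEWAY = "https://gw-internal.example.corp:44300"
PUBLIC_PROXY = "https://fiori.example.com"

# HTTP methods the OData services need end to end (section 3.3). A proxy policy
# that only allows GET and POST silently breaks update and delete operations.
ODATA_METHODS = {"GET", "POST", "PUT", "DELETE"}

# Response media types whose bodies are rewritten (section 3.4).
REWRITE_TYPES = {"text/html", "application/xml", "application/json"}


def method_allowed(method: str) -> bool:
    """Return True if the proxy should forward this HTTP method to the Gateway."""
    return method.strip().upper() in ODATA_METHODS


def should_rewrite(content_type: str) -> bool:
    """Decide from the Content-Type header whether the body needs URL rewriting.

    The header may carry parameters ("application/json; charset=utf-8"), so only
    the media type before the first ';' is compared, case-insensitively.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in REWRITE_TYPES


def _leak_pattern(internal_url: str) -> "re.Pattern[str]":
    """Build a regex matching the internal scheme://host:port prefix.

    The scheme is optional so that protocol-relative references ("//host:port/...")
    are rewritten as well; the port is matched only when the internal URL has one.
    """
    parts = urlsplit(internal_url)
    host = re.escape(parts.hostname or "")
    port = f"(?::{parts.port})?" if parts.port else ""
    return re.compile(rf"(?:https?:)?//{host}{port}", re.IGNORECASE)


def rewrite_body(content_type: str, body: str) -> Tuple[str, int]:
    """Replace leaked internal Gateway URLs; returns (new_body, replacements)."""
    if not should_rewrite(content_type):
        return body, 0
    return _leak_pattern(INTERNAL_GATEWAY).subn(PUBLIC_PROXY, body)


# Constructed sample of an OData JSON response carrying absolute Gateway URLs,
# as described in section 3.4 (the service path is a placeholder).
SAMPLE_JSON = json.dumps({
    "d": {
        "__metadata": {
            "uri": INTERNAL_GATEWAY + "/sap/opu/odata/sap/ZSAMPLE_SRV/Orders('1')"
        },
        "Items": {
            "__deferred": {
                "uri": "//gw-internal.example.corp:44300/sap/opu/odata/sap/ZSAMPLE_SRV/Orders('1')/Items"
            }
        },
    }
})

if __name__ == "__main__":
    for m in ("GET", "PUT", "DELETE", "TRACE"):
        print(f"{m:<7} allowed: {method_allowed(m)}")
    rewritten, n = rewrite_body("application/json; charset=utf-8", SAMPLE_JSON)
    print(f"{n} URL(s) rewritten; internal host present: {'gw-internal' in rewritten}")
```

The rewrite is keyed on the media type only, so binary responses pass through untouched; a body whose Content-Type is wrong or missing is not rewritten, which is why the content types the Gateway emits should be verified when the rule set is installed.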

3.5 Internet Communication Framework Security

SAP Fiori applications consist of SAP NetWeaver Gateway OData services and HTML5/SAP UI5-based web-enabled content managed by the Internet Communication Framework (transaction SICF).

You must activate the ICF services required for the applications that you want to use.

Note: You can also activate these services during the technical configuration.

Note: Besides the activation of ICF nodes for the OData services gateway, you need to activate the OData services themselves, within the gateway configuration. For more information about ICF and OData service activation, see the SAP Fiori Installation and Configuration Guide.


Related Links
RFC/ICF Security Guide (for SAP NetWeaver Gateway 7.3 EHP 1)

3.6 Session Security Protection

For NetWeaver version 7.0 and higher, it is recommended to activate HTTP security session management using transaction SICF_SESSIONS. In particular it is recommended to activate extra protection of security-related cookies.

● The HttpOnly flag instructs the browser to deny access to the cookie through client side script. As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser will not reveal the cookie to a third party.

● The Secure flag tells the browser to send the cookie only if the request is being sent over a secure channel such as HTTPS. This helps protect the cookie from being passed over unencrypted requests.

These additional flags are configured through the following profile parameters:

Profile parameter: icf/set_HTTPonly_flag_on_cookies
  Recommended value: 0
  Description: Add HttpOnly flag
  Comment: Client-dependent

Profile parameter: login/ticket_only_by_https
  Recommended value: 1
  Description: Add Secure flag
  Comment: Not client-dependent
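Whether the two profile parameters above actually took effect is visible in the Set-Cookie headers the server returns. The following Python check is an added example, not part of this guide or of SAP software: it parses captured response headers and reports security cookies that lack the HttpOnly or Secure flag. MYSAPSSO2 is the logon-ticket cookie named in this guide; the SAP_SESSIONID prefix for the security session cookie is an assumption, and all header lines and cookie values are constructed.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def is_security_cookie(name: str) -> bool:
    """Cookies that carry authentication state and therefore need both flags.

    MYSAPSSO2 is the logon-ticket cookie named in this guide; the SAP_SESSIONID
    prefix is assumed here for the AS ABAP security session cookie.
    """
    upper = name.upper()
    return upper == "MYSAPSSO2" or upper.startswith("SAP_SESSIONID")


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse the value of one Set-Cookie header into name plus flag booleans."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attributes are case-insensitive; flags like HttpOnly carry no '=value'.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_response(header_lines: List[str]) -> List[CookieFinding]:
    """Check every Set-Cookie header; record missing flags on security cookies."""
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        finding = parse_set_cookie(line.split(":", 1)[1])
        if is_security_cookie(finding.name):
            if not finding.httponly:
                finding.problems.append("missing HttpOnly flag")
            if not finding.secure:
                finding.problems.append("missing Secure flag")
        findings.append(finding)
    return findings


def cookies_with_problems(header_lines: List[str]) -> List[str]:
    """Names of security cookies that fail the check, for a quick pass/fail gate."""
    return [f.name for f in audit_response(header_lines) if f.problems]


# Constructed response headers: a correctly flagged logon ticket, a session
# cookie missing Secure, and a harmless UI preference cookie with no flags.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: MYSAPSSO2=TICKETPLACEHOLDER; path=/; domain=.example.com; HttpOnly; Secure",
    "Set-Cookie: SAP_SESSIONID_GW1_100=SESSIONPLACEHOLDER; path=/; HttpOnly",
    "Set-Cookie: theme=sap_bluecrystal; path=/",
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        status = "; ".join(f.problems) if f.problems else "ok"
        print(f"{f.name}: Secure={f.secure} HttpOnly={f.httponly} -> {status}")
```

Run it against the headers of a logon response captured through the reverse proxy as well as directly against the Gateway: a proxy that re-issues cookies can drop the flags even when the profile parameters are set correctly on the application server.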

Related Links
Activating HTTP Security Session Management on AS ABAP


4 Users

4.1 User Administration and Authentication

SAP Fiori applications adopt the user management and authentication mechanisms provided by the SAP NetWeaver platform, specifically SAP NetWeaver Application Server ABAP.

Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the applications except in certain aspects such as authentication. The SAP NetWeaver Application Server ABAP Security Guide contains the following information:

● User management
  The user management concept, the tools used for user management, and the types of users required
● User Authentication and Single Sign-On
  The authentication options supported and how they are integrated with SAP Single Sign-On mechanisms
● Authorization and roles
  An overview of the authorization concept for mobile applications, authorization settings, network and communication security, and standard authorization roles
● Standard Authorization Objects
● A summary of password-related security issues

The SAP NetWeaver Application Server ABAP Security Guide is available on the SAP Help Portal, or via the link in Related Links.

The applications use the following user management concepts:

Users in the Backend System (SU01, PFCG)

Existing users are relevant for the backend system. The authorizations required for a particular application are provided using a PFCG role delivered for each application. For more information, see Authorizations and Roles in this guide.

Note: If you enable users who never directly access the backend system, you should create these users in the backend system without a password. This protects them against attacks that exploit incorrect or insecure password handling (these users are unlikely to change the initial password if they do not actually need to).

Users in SAP NetWeaver Gateway (SU01, PFCG)

Users also require a user ID for the SAP NetWeaver Gateway layer. They must have the same username as the users in the backend system. The user requires certain authorizations that allow the services of the application to be triggered in the backend. If you copy the users from the backend users, note the following recommendations:


● If you use SSO2 logon tickets to authenticate the requests from the mobile device on SAP NetWeaver Gateway, you should copy the user without any password. This protects against attacks based on incorrect or insecure password handling.

● The same recommendations apply if you prefer to create users from scratch. If users already exist in SAP NetWeaver Gateway, these steps are not relevant. Authentication can be carried out with the same credentials as for the existing application.

To authenticate users, you can set up integration with your existing SSO solution based on SAP Logon Tickets or SAML. The user name in the system that issues the logon tickets has to be the same as the user name for the Gateway system and backend system.

Related Links
SAP NetWeaver Application Server ABAP Security Guide
User Authentication and Single Sign-On [page 10]

4.1.1 User Creation and Authorization Assignment

Follow this procedure to create users and assign authorizations to them:

1. Create users on the SAP NetWeaver Gateway system and on the application backend system.
2. Decide on your preferred mechanism for user authentication and SSO.
3. Create dedicated authorizations for application users in the Gateway system.

4.1.2 User Management Tools

For information about the tools used for user management and user administration with these applications, refer to the documentation, User and Role Administration of AS ABAP.

Note: For user notification about initial logon and activation, a user management tool is often used to send out an e-mail containing the necessary logon information.

Related Links
User and Role Administration of AS ABAP

4.1.3 User Types

You may have to employ different security policies for different types of users.

For SAP Fiori, the following minimum user types are required:

● Individual user
  Individual users provide access to an application and to administrative tasks.


● Technical user
  Technical users enable data communication between systems.

Related Links
User Types

4.1.4 User Data Synchronization

Users must have the same user name in SAP NetWeaver Gateway as they do in the backend system. You can use the Central User Administration (CUA) or your existing identity management system to ensure user names on both systems match.

4.2 User Authentication and Single Sign-On

SAP Fiori applications support the following authentication and single sign-on mechanisms.

4.2.1 SAML 2.0 Single Sign-On

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users.

The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.

SAML version 2.0 is an SAP-recommended single sign-on (SSO) solution, which provides cross-domain SSO, single log-out (SLO), and identity federation capabilities. It requires an Identity Provider (IdP) in the landscape.

Related Links
SAML 2.0

4.2.2 SAP Logon Tickets (MYSAPSSO2)

SAP Fiori supports the use of logon tickets for SSO.

In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) within the same domain as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the ticket.

Note: The SAP ticket is passed in the MYSAPSSO2 cookie. The initial SAP system and SAP NetWeaver Gateway must be in the same domain in order to have the cookie correctly transmitted.


Note: User names must match between the system issuing the ticket and the SAP NetWeaver Gateway.
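The "same domain" condition in the note on the MYSAPSSO2 cookie is decided by the browser's cookie domain-match rule: the cookie is returned to a host only if that host equals the cookie's Domain attribute or is a subdomain of it, and a cookie without a Domain attribute is returned only to the host that set it. The following Python check is an added example, not from this guide or from SAP; the host names are constructed and the function models only the domain-match rule, not the rest of browser cookie policy.

```python
from typing import Optional, Tuple


def normalize_host(host: str) -> str:
    """Lower-case a host name and drop a trailing dot; hosts compare case-insensitively."""
    return host.strip().lower().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.

    A leading dot in the Domain attribute is ignored, as browsers do.
    """
    host = normalize_host(request_host)
    domain = normalize_host(cookie_domain).lstrip(".")
    if not domain:
        return False
    return host == domain or host.endswith("." + domain)


def ticket_reaches_gateway(issuer_host: str, gateway_host: str,
                           cookie_domain: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a MYSAPSSO2 cookie set by issuer_host will be sent to gateway_host.

    cookie_domain is the Domain attribute the issuing system puts on the cookie;
    None means a host-only cookie, which the browser returns only to the issuer.
    """
    issuer = normalize_host(issuer_host)
    gateway = normalize_host(gateway_host)
    if cookie_domain is None:
        if issuer == gateway:
            return True, "host-only cookie; issuer and Gateway are the same host"
        return False, "host-only cookie is never sent to a different host"
    if not domain_matches(issuer, cookie_domain):
        return False, "browser rejects the cookie: issuer is outside the Domain attribute"
    if not domain_matches(gateway, cookie_domain):
        return False, "Gateway host is outside the cookie domain; ticket is not transmitted"
    return True, f"both hosts are within {normalize_host(cookie_domain)}"


# Constructed landscape: an SSO-issuing portal and the Gateway under one corporate domain.
ISSUER = "portal.example.com"
GATEWAY = "gateway.example.com"

if __name__ == "__main__":
    for domain in (".example.com", None, ".gateway.example.com"):
        ok, why = ticket_reaches_gateway(ISSUER, GATEWAY, domain)
        print(f"Domain={domain!r}: {'OK' if ok else 'FAIL'} ({why})")
```

Browsers additionally refuse a Domain attribute that is a public suffix such as ".com", so the cookie domain must be the narrowest registrable domain that still covers both the issuing system and the Gateway; the check above does not model the public-suffix rule.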

Related Links
Authentication on the AS ABAP

4.2.3 X.509 Client Certificates

An X.509 client certificate is a digital “identification card” for use in the Internet, also known as a public-key certificate.

A user who accesses the SAP Web Application Server and presents a valid certificate is authenticated on the server using the TLS protocol. The information contained in the certificate is passed to the server and the user is logged on to the server based on this information. User authentication takes place in the underlying protocols and no user ID and password entries are necessary.

Related Links
Using X.509 Certificates

4.2.4 SAP NetWeaver Gateway Username and Password

This authentication method can include authenticating with a standard login form and HTTP basic authentication.

Authenticating with a standard login form

The CL/UI2/CL_SRA_UISRA000_LOGIN custom implementation ICF system login class with the SAP Fiori theming is available in the /UI2/SRVC_INFRASRA000 package. It provides a login form with an SAP Fiori theme. Optional language and client selection can be configured.

In order to leverage ICF system login in an SAP Fiori application, login must be configured at least on the following nodes:

● /sap/bc/ui2/start_up
● /sap/bc/ui5_ui5/ui2/launchpage
● /sap/bc/ui5_ui5/ui2/tilechips
● SAP Fiori UI add-ons nodes /sap/bc/ui5_ui5 /sap/xxx

It is possible to achieve simpler configuration through higher ICF nodes. However, this may potentially affect other applications.


HTTP Basic Authentication

Basic authentication is an HTTP standard authentication method designed to allow a web browser or other web client to provide credentials in the form of a user ID and password when making a request to a server system.

Basic authentication is supported by the majority of Web clients and is the authentication mechanism that can be implemented with the least additional effort.

Related Links
System Logon
Basic Authentication (User ID and Password)

4.3 Authorizations

SAP Fiori applications use the authorization concept provided by the SAP NetWeaver Application Server ABAP.

Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP Fiori applications. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the Application Server ABAP (AS ABAP).

Gateway Roles and Authorizations

All HTML 5–based applications communicate with the ABAP backend through OData services, which must be activated during system installation.

In addition to authorization in the backend ERP system, users must be granted authorization to access the HTML 5-based applications and the OData services in the SAP NetWeaver Gateway.

For more information about how to configure the gateway for OData channel users or gateway users, see the SAP Help Portal at http://help.sap.com/nw under SAP Gateway > Security Information > English > SAP NetWeaver Gateway Security Guide > Authorizations in the SAP System > Roles in the SAP NetWeaver Gateway Landscape, also available via the link in Related Links.

Related Links
SAP NetWeaver Gateway Security Guide
Role Administration (SAP NetWeaver 7.3 EHP1)


5 Logging

5.1 Security Relevant Logging and Tracing

For more information about security logs for the SAP NetWeaver Gateway, see the “Logging in SAP NetWeaver Gateway” section of the SAP NetWeaver Gateway Developer Guide for SAP NetWeaver Gateway SP06.

Related Links
SAP NetWeaver Gateway Developer Guide

5.2 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis:

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:

● Whether SAP Security Notes have been identified as missing on your system
  In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.

● Whether an accumulation of critical basis authorizations has been identified
  In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

● Whether standard users with default passwords have been identified on your system
  In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including the following:

● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches


This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance with predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties such as the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.

Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.

Related Links
EarlyWatch Alert
SAP Security Optimization Service Portfolio
SAP Security Notes
End To End Change Control Management, see the Configuration Validation section
Run SAP Methodology, see sections 2.6.3, 3.6.3, and 5.6.3


www.sap.com/contactsap

© 2013 SAP AG or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

