SAP Cloud For Customer Security Guide

PUBLIC
SAP Cloud for Customer

Document Version: 1811 – 2019-01-18
SAP Cloud for Customer Security Guide

SAP Cloud for Customer
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
THE BEST RUN

Content
1 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Security Aspects of Data, Data Flow, and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.1 Communication Channels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Business-To-Business Communication and Application Integration. . . . . . . . . . . . . . . . . . . . . . . . . . 8
Communication Arrangements Quick Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
2.3 E-Mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Enabling S/MIME Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuring S/MIME Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4 MIME Type Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5 SSN Tax Number in SAP Cloud for Customer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
VIDEO: Assigning User Access Rights by Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Restricting Access Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2 User Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.3 Authentication Mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO). . . . . . . . . . . . . . . . . . . . 29
Logon Using Client Certificate (X.509). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Log On Using User ID and Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Creating a Security Certificate for HTTPS-Enabled Computer Telephony Integration (CTI). . . . . . 34
3.4 Security Policy Quick Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Business Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Create a Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Edit an Existing Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Assign Security Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Define the Default Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Delete an Existing Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.1 Authorization Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4.2 Access Restriction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Sales: Setting up User Access Rights and Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Service: Setting up User Access Rights and Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Restricting Access for Local Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.3 Segregation of Duties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

2 PUBLIC Content
5 Mobile Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.1 SAML2 Based SSO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.2 SSO Recommendation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.3 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
5.4 Secure System Access and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
SAP Cloud for Customer for Android. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Certificate Pinning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.5 Special Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
5.6 Data Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Support Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Cache Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Local Application Data Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.7 Offline Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
6 Front-End Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.1 Microsoft ® Silverlight™. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
6.2 HTML5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
7 Security of Data Storage and Data Centers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

7.1 Asset Protection and Data Integrity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.2 Power Backup and Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.3 Restricted Physical Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.4 Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
7.5 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
8 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
9 Other Security-Relevant Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

9.1 Security for End User Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
9.2 Service Composition Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
URL Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
HTML Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Map Mashup Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Data Mashups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
9.3 Internal and External Audits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Security Management and Continual Improvement of Security. . . . . . . . . . . . . . . . . . . . . . . . . 65
10 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

10.1 Disclose Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
10.2 Remove Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
10.3 Administer Data Removal Runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
10.4 Automate Removal of Obsolete Business Partners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
10.5 Enable Read Access Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Content PUBLIC 3
10.6 Depersonalize Transactional Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
10.7 Prerequisites for Usage Block Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
11 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

11.1 Change Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
11.2 Security-Relevant Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
11.3 Connectivity Errors - Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

4 PUBLIC Content
1 Technical System Landscape
SAP Cloud solutions are hosted in SAP's own data center located either in Australia, Germany, Shanghai, or the
United States. Customers can choose in which data center their solution shall run.
The solutions provide optional integration with a full Enterprise Resource Planning (ERP) and Customer
Relationship Management (CRM) suite, including the associated server landscape and system maintenance.
Since SAP Cloud solutions deal with business data from your core business processes, SAP adheres to the
highest security and quality requirements, as follows:
● The business data is stored securely in SAP data centers.

● Customers share physical hardware, but their data is separated into tenants.
● Users who require access to the business data must authenticate themselves, and their identity must be
verified by user and access management.
● Customer data always belongs to the customer.
You can access your SAP Cloud solution in the following ways:
● Desktop computer: browser-based Internet access from any network with internet access
● Portable computers: browser-based Internet access from any network with internet access
● Mobile devices: native apps
Industry best practices and state-of-the-art open cryptographic standards secure and protect communications
between customer devices and the system landscapes of your SAP Cloud solution in the SAP data center.
The following diagram summarizes the technical system landscape for standard access:
To access SAP Cloud solutions, you must enter a unique, customer-specific URL.
Communication is carried out via the Reverse Proxy (RP) component in the SAP data center.
The Reverse Proxy is the SAP Web Dispatcher, which is developed and maintained by SAP Cloud Support.

Technical System Landscape PUBLIC 5
The communication channels that require mutual authentication are secured by using standard Transport
Layer Security (TLS) protocols. For more information about connectivity, see the Technical Connectivity
Guide for SAP Cloud Applications, on the SAP Help Portal: https://help.sap.com/cloud4customer.
The communication channels for monitoring and maintaining instances of your SAP Cloud solution instances
in the SAP data center network are also encrypted and authenticated.
You can upload attachment files to your SAP Cloud solution in several application scenarios, for example in
billing, in data migration, or image files of your travel expense receipts. Regularly updated anti-virus software
checks the uploaded files for viruses and other types of malicious software.
 Recommendation
In addition to this antivirus software, we recommend that our customers also use anti-virus software.
In Business Configuration, you can define which file types can be uploaded to your solution. You should note
that file-name extensions can be changed to disguise the actual file format of the file.

6 PUBLIC Technical System Landscape
2 Security Aspects of Data, Data Flow, and
Processes
Communication Channels [page 7]

Learn about the different communication channels used by SAP Cloud solutions.
Business-To-Business Communication and Application Integration [page 8]

Business-to-Business (B2B) communication and application integration refers to the exchange of
business-related data across administrative domains. These domains need not necessarily belong to
different entities, such as companies; they can also represent different geographic subsidiaries of the
same company.
E-Mail [page 18]

SAP Cloud solutions enable you to encrypt outgoing e-mails and check the signature of incoming e-
mails by using the Secure/Multipurpose Internet Mail Extensions (S/MIME)standard.
MIME Type Configuration [page 21]

This section describes steps to select appropriate MIME types from the available list, that are specific
to your project.
SSN Tax Number in SAP Cloud for Customer [page 21]

In SAP ERP, a customer can store various kinds of tax numbers. Some of these numbers capture the
personal identification numbers. From a security and compliance perspective, the customer should
filter these tax numbers in the middle ware so that these personal identification numbers do not get
replicated from SAP ERP to SAP Cloud for Customer.
2.1 Communication Channels
Learn about the different communication channels used by SAP Cloud solutions.
The table below shows the communication channels used by SAP Cloud solutions, the protocol used for the
connection, and the type of data transferred.
Type of Data Transfer Data Requiring Special

Communication Path Protocol Used Technology Used red Protection
Web browser acting as HTTPS REST services Application data User IDs, passwords
front-end client to access
the hosted SAP Cloud
solution system

Security Aspects of Data, Data Flow, and Processes PUBLIC 7
Type of Data Transfer Data Requiring Special
Communication Path Protocol Used Technology Used red Protection
Apple® iPad® application, HTTPS REST services Application data User IDs, passwords,
Apple® iPhone®, Black application data
Berry® player, Android™
(SAP Cloud for
Customer)
E-mail SMTP SMTP server Application data Confidential data
Business-to-business HTTPS Web services Application data Application data

communication and ap
plication integration
Cryptographic Protocols
Inbound Communications
For all inbound communications, TLS 1.0 or higher is required. The following list shows a subset of supported
cipher suites:
● TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA FS
● TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA FS
● TLS_RSA_WITH_AES128_CBC_SHA
● TLS_RSA_WITH_AES256_CBC_SHA
● TLS_RSA_WITH_3DES_EDE_CBC_SHA
 Note
SAP Cloud for Customer solutions use port 443 for HTTPS connectivity.
2.2 Business-To-Business Communication and Application

Integration
Business-to-Business (B2B) communication and application integration refers to the exchange of business-
related data across administrative domains. These domains need not necessarily belong to different entities,
such as companies; they can also represent different geographic subsidiaries of the same company.
Communication arrangements enable you to configure the electronic data exchange between your solution and
a communication partner. A communication partner can be a business partner in a B2B communication
scenario or an external communication system that is used for application integration, for example, external
time recording or master data systems.
Your SAP Cloud solution provides communication scenarios for inbound and outbound communication that
you can use to create communication arrangements. Inbound communication defines how business

8 PUBLIC Security Aspects of Data, Data Flow, and Processes
documents are received from a communication partner, whereas outbound communication defines how
business documents are sent to a communication partner.
Before you can use electronic data exchange for a particular business process, you must configure and activate
a communication arrangement for the corresponding communication scenario. You can do so during your
solution configuration or, after configuration is complete, in the Communication Arrangements work center
view in the Application and User Management work center.
You can find the list of trusted certification authorities for server certificates in the Application and User
Management work center under Common Tasks Edit Certificate Trust List .
Security configuration for electronic data exchange is conducted at the communication arrangements level,
where you can configure the authentication method and communication security.
Like end user authentication, B2B communication and application integration can be authenticated by two
mechanisms: user ID plus password, and the X.509 client certificate. For inbound communication, you can
upload the communication partner’s client certificate in the configuration user interface, and map it to the
communication user.
 Caution
You can download an X.509 key pair from your SAP Cloud solutions. These key pairs are only intended for
communication with the SAP Cloud solution and must not be used for other communication. This is
because the corresponding certificate can be blocked in the solution and you can make the key pair invalid
for logging on to the client but you cannot invalidate its other uses.
For outbound communication, you can upload a PKCS#12 container file, consisting of a private key and the
corresponding client certificate that must be trusted and mapped by the communication partner.
Administrators can monitor the validity of client certificates in the Application and User Management work
center under Common Tasks Edit Certificate Trust List .
Certificates have a validity period and expire at a defined point in time. Before expiration, they must be
renewed; if the client certificate’s Subject or Issuer has changed, then the upload and mapping process must
be repeated. Communication arrangements are the customer’s responsibility, since their configuration reflects
the specific details of their business partner. As a result, expiring certificates cannot be replaced automatically
by SAP; this action must be performed by the customer.
A good security concept also includes mandatory periodic password changes. These changes must be
performed synchronously by both parties involved. If an expired client certificate is renewed with the same
attributes, the certificate information can be exchanged asynchronously.
 Recommendation
We recommend authentication using Single-Sign on with SAML 2.0 for browser-based access. Please
ensure that the passwords used are strong enough.
2.2.1 Communication Arrangements Quick Guide

Communication arrangements help you to configure the electronic data exchange between the solution and a
communication partner.
Communication arrangements can be set up for multiple business documents and communication methods.
The solution provides communication scenarios for inbound and outbound communication that you can use to

create communication arrangements. Inbound communication defines how business documents are received
from a communication partner, whereas outbound communication defines how business documents are sent
to a communication partner.
The Communications Arrangements view enables administrators to create and edit communication
arrangements that your company has set up with a communication partner.
You can access this view from the Administrator work center, under General Settings Integration and/or
from the Application and User Management work center.
In the Communication Arrangements view, the following communication types are supported:
● Business-to-business (B2B)
This communication type defines an electronic data exchange with a business partner.
● Application integration
This communication type defines an electronic data exchange with a communication system.
 Note
Some communication arrangements are automatically created in your solution configuration. This is
indicated by the selected Predefined check box in the worklist of the Communication Arrangements view.
For predefined communication arrangements with inbound communication, you only have to define the
communication account.
2.2.1.1 Create a Communication Arrangement
Procedure
1. Open the New Communication Arrangement guided activity in the Communication Arrangements view by
clicking New.
2. In the Select Scenarios step, select the communications scenario for which you want to create a
communication arrangement and click Next.
Based on the communication scenario you selected, the system presets the fields in the next steps with
default values. Where possible, you can change the values, if necessary.
3. In the Define Business Data step, enter business data. The entry fields on the screen are dependent on the
communication type of the selected communication scenario.
a. If you have selected a B2B scenario, enter the ID of the business partner and select the associated
Identification Type. If necessary, you can also enter the ID of the contact person at the business
partner. If you have selected an application integration scenario, enter the System Instance ID of the
communication system with which you want to set up a communication arrangement. Note that before
you set up a communication arrangement, you need to create a communication system.
b. In the My Communication Data section, check the default values and make changes if necessary. Enter
the company that communications with your communication partner. By default, the Company ID is
preset with the company to which you are assigned. If you use a B2B scenario, you must also enter a
valid identification type.
c. If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.

d. Click Next.
4. In the Define Technical Data step, define the technical settings for inbound and outbound communication.
a. Select the Communication Method you want to use for the communication arrangement. To
communicate with your business partner, you can either establish a direct connection or you can use a
collaboration service provider that provides services for B2B communication.
b. If you use inbound communication, select the Application Protocol and Authentication Method in the
Inbound Communication: Basic Settings section.
c. In the User ID field, click Edit Credentials.
Depending on the chosen authentication method, you need to define the credentials of the
communication user as described in the following table. The user ID of the communication user is
created automatically.
Authentication Method Settings
SSL client certificate If you use this authentication method, you need to upload the public key cer
tificate that has been provided by your communication partner. If your com
munication partner cannot provide a certificate, you can create and download
a PKCS#12 key pair file. The PKCS#12 key pair file is password encrypted and
contains a public key certificate and a private key. You need to provide the
PKCS#12 file to your communication partner.
1. Choose Certificate.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.
To create a PKCS#12 key pair file, perform the following steps:

2. ClickCreate and Download Key Pair.
3. Define a name for the PKCS#12 file and save it.
4. Define a password for the PKCS#12 file and click OK.
5. Click OK.
 Note
○ You have to provide your communication partner with the PKCS#12
file and the corresponding password.
○ To import the PKCS#12 key pair file to a third party tool, see the SAP
Cloud for Customer Administration Guide.
User ID and password If you use this authentication method, you need to define a password as fol
lows:
1. Choose Change Password.
2. Enter a password.
Note that you have to provide your communication partner with the user
ID and password.
3. Click OK.
d. If you use outbound communication, select the Application Protocol, Authentication Method and enter
the Host Name in the Outbound Communication: Basic Settings section. Depending on the chosen
authentication method, you need to define the relevant settings as defined in the following table.

Authentication Method Authentication Settings
SSL client certificate SAP system key If you use this authentication, the relevant certificate must be
pair known to the communication partner. Therefore, you need to
download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded
certificate.
Trusted third party If you use this authentication, you need to upload the PKCS#12
key pair key pair file provided by your communication partner. The
PKCS#12 file is password-encrypted and contains a public key
certificate and a private key.
1. In the Authentication field, clickEdit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you want
to upload.
3. Enter the required password and click OK.
User ID and password If you use this authentication method, you need to enter the user
ID and password that is used by the communication partner for
the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.
e. If necessary, you can individually configure each service that is used in the configuration scenario in
the advanced settings.
The service URLs for outbound communication are calculated from the protocol, port, host name, and
path. If you use SAP NetWeaver XI or IDoc, you do not need to change anything in the advanced settings
since the path is preset. However, if you use Web Services Reliable Messaging, you have to enter the path
for each service in the advanced settings.
a. To edit the advanced settings, click Edit Advanced Settings. Select the service you want to configure.
b. In the Details section, deselect the Use Basic Settingscheck box and change the relevant settings.
c. Click Next.
5. In the Review step, review the data you entered in the previous steps.
a. To ensure that all data is correct, click Check Completeness. You also see the service URLs for inbound
and outbound communication. If you use an inbound scenario, you must provide your communication
partner with the URLs for inbound communication since it is that address to which messages should
be sent.
b. To create and activate your communication arrangement in the system, click Finish. You can also save
an inactive version of the communication arrangement by clicking Save as Draft.
6. If you have created a communication arrangement for a B2B outbound scenario, you have to activate the
outbound channel for the business document that is used in the scenario.
Results
The system now uses electronic data exchange for the configured communication scenario.

2.2.1.2 Create a Communication Arrangement for On-
Premise Integration
Multiple communication arrangements can be created for an on-premise integration through a guided activity.
Context
Instead of repeating common information each time you create a communication arrangement, you can enter
common information once and create communication arrangements in bulk.
You can access this from the Administrator Create Communication Arrangement for On-Premise
Integration common task.
 Note
This functionality is only valid for on-premise integrations.
Procedure
1. To open the New Communication Arrangement guided activity in the Communication Arrangements view,
click New.
2. In the Select Communication System step, enter business data.
a. Under Integration Details select the system you want to Integrate with and the relevant Integration
Middleware you want to use.
 Note
If PI is selected as the middleware, fill in the system details in the field PI Business System.
b. Under Communication System enter the System Instance ID of the communication system with which
you want to set up a communication arrangement.
 Note
Before you create a communication arrangement, you need to create a communication system.
See the SAP Cloud for Customer Administrator Guide for more detail.
With this action, the Communication System, User ID (Inbound Communication Credentials) and Host
Name are automatically populated.
If a communication arrangement contains a service interface that supports code list mapping, the
Code List Mapping field is displayed. In this field you can choose the relevant code list mapping group
for the communication scenario that you are using.
a. If you use inbound communication, select the Authentication Method in the Inbound Communication
Credentials section. Depending on the chosen authentication method, you need to define the

credentials of the communication user as described in the following table. The user ID is created
automatically.
SSL client certificate If you use this authentication method, you need to upload the public key cer
tificate that has been provided by your communication partner. If your com
munication partner cannot provide a certificate, you can create and download
a PKCS#12 key pair file. The PKCS#12 file is password encrypted and con
tains a public key certificate and private key. You need to provide the
PKCS#12 file to your communication partner.
2. Click Upload Certificate and choose the relevant certificate.
3. Click OK.
To create a PKCS#12 key pair file, perform the following steps:

2. Click Create and Download Key Pair.
5. Click OK.
Note that you have to provide your communication partner with the PKCS#12
file and the corresponding password.
User ID and password If you use this authentication method, you need to define a password as fol
lows:
2. Enter a password. Note that you have to provide your communication
partner with the user ID and password.
3. Click OK.
If you use outbound communication, select the Authentication Method. Depending on the chosen
authentication method, you need to define the relevant settings as described in the following table:
Authentication
Method Authentication Settings
SSL client certificate SAP system key pair If you use this authentication, the relevant certificate must be
known to the communication partner. Therefore, you need to
download the certificate as follows:
1. In the Authentication field, click Download.
2. Choose a location to save the certificate.
3. Provide your communication partner with the downloaded
certificate.

Authentication
Method Authentication Settings
Trusted third-party key If you use this authentication, you need to upload the PKCS#12
pair key pair file provided by your communication partner. The
PKCS#12 file is password encrypted and contains a public key
certificate and private key.
1. In the Authentication field, click Edit Key Pair.
2. Click Upload Key Pair and choose the PKCS#12 file you
want to upload.
3. Enter the required password and click OK.
User ID and password If you use this authentication method, you need to enter the
user ID and password that is used by the communication part
ner for the same communication arrangement.
1. In the User ID field, click Edit Credentials.
2. Enter the User ID and Password.
3. Click OK.
3. In the Communication Arrangements step, select one or more Communication Scenarios.
Status Interpretation
Create This status indicates that you have selected a communication scenario to be
created for the relevant communication arrangement.
Not Created This status indicates that the communication scenario has not yet been created
and the check box is unchecked.
Already Exists This status indicates that a communication scenario has been created already
and the check box will be disabled.
4. The Inbound and Outbound tabs are displayed, depending on the selected Communication Scenario. For
example, if a communication arrangement has only an inbound service interface, then the Inbound tab is
displayed.
5. Perform the following actions under the Inbound tab as necessary:
Enabled The check box can be unchecked if it is not necessary.
Service If the service is mandatory the check box is disabled.
Application Protocol Choose a protocol from the drop-down list.
Service URL Displays the URL of the service.
To check the information on the inbound service, click Check Service. Perform the following functions on
the Outbound tab as necessary.
Enabled The check box can be unchecked if not required.
Service If the service is mandatory the check box is disabled.
Application Protocol Choose a protocol from the drop-down list.
Host Name This field displays the host name of the system and is not editable.
Port Enter the port or path for the outbound service.
Service URL Displays the URL of the service.

6. To ensure that all data is correct, click Check Completeness.
7. To create and activate your communication arrangement in the system, click Finish.
Results
A success message is shown once the communication arrangement has been created successfully.
2.2.1.3 Edit a Communication Arrangement
Procedure
1. To open the Edit Communication Arrangement quick activity in the Communication Arrangements view,
select the relevant communication arrangement and click Edit.
 Note
You cannot edit predefined communication arrangements.
2. Change the relevant settings.

3. To save your changes and return to the work list, click Save and Reactivate.
4. In the worklist, you can click Check Completeness to see if your changes have been updated in the system.
It may take about a minute for the system to update the information.
2.2.1.4 Edit the Communication Credentials for a

Predefined Communication Arrangement
This task is only relevant for predefined communication arrangements with inbound communication.
Procedure
1. In the Communication Arrangements view, select the relevant communication arrangement. Predefined
communication arrangements are indicated by the selected Predefined check box.
2. Click Edit Credentials.
3. Depending on the authentication method that you have agreed upon with your communication partner,
you need to define the credentials of the communication user as described in the following table. The user
ID of the communication user is created automatically.

SSL client certificate If you use this authentication method, you need to upload
the public key certificate that has been provided by your
communication partner. If your communication partner
cannot provide a certificate, you can create and download
a PKCS#12 key pair file. The PKCS#12 key file is
password encrypted and contains a public key certificate
and a private key. You need to provide the PKCS#12 file to
your communication partner.
To upload a public key certificate, perform the following

steps:
2. Click Create and Download Key Pair.
 Note
○ You have to provide your communication partner
with the PKCS#12 file and the corresponding
password.
○ To import the PKCS#12 key pair file to a third
party tool, see Create a Communication
Arrangement [page 10] in the Related Links
section.
User ID and password If you use this authentication method, you need to define
a password. The user ID is automatically predefined.
Perform the following steps:
2. Enter a password. Note that you have to provide your
communication partner with the user ID and
password.
4. Click OK.
Related Information
Create a Communication Arrangement [page 10]
2.2.1.5 Delete a Communication Arrangement
Procedure
1. In the Communication Arrangements view, select the relevant communications arrangement.

2. Click Delete.
3. In the dialog box that opens, click Delete to confirm the deletion.
 Note
Predefined communication arrangements cannot be deleted.
2.3 E-Mail
SAP Cloud solutions enable you to encrypt outgoing e-mails and check the signature of incoming e-mails by
using the Secure/Multipurpose Internet Mail Extensions (S/MIME)standard.
You can use this function for e-mail communication between your system and your employees, in e-mail
scenarios provided by SAP (for example, self-service or approval scenarios). You can specify which e-mail
scenarios you want to use in Business Configuration.
 Caution
We strongly recommend that you only send encrypted mails and accept only signed e-mails.
The system uses the same certificate for signature check and e-mail encryption, which means that the same
private key is used for signing and decrypting an e-mail to or from an employee.
The following MIME types are supported for e-mail communication with the system:
● .gif
● .jpg/.jpeg
● .pdf
● .tif/.tiff
● .png
 Caution
When you use S/MIME, ensure that the data is encrypted. Please note that e-mail header data, for
example, the subject line, is not encrypted. The sensitivity setting for password e-mails is set by default to
private.

The following diagram provides an overview of how e-mail encryption and signature is set up:
E-Mail Security with S/MIME
2.3.1 Enabling S/MIME Security
To add encryption security to e-mail channels, you can enable S/MIME to your solution.
Procedure
1. Add e-mail security to your project scope. For more information, see the Administrator Guide.
2. Implement e-mail security for your solution.
a. Choose Business Configuration, select your project from the list, and click Open Activity List.
b. Click Fine-Tune.
c. Open E-Mail Encryption and Signature Check.

d. In the list of incoming e-mails, set the Signature for SAP Cloud for Service: E-Mail Security, B2B
Scenario and SAP Cloud for Service: E-Mail, B2C Scenario. Choose Check (and Reject if Untrusted) if
you require a high level of security or Do Not Check if you do not have security requirements.
e. In the list of outgoing e-mails, set the Encryption and Signature for SAP Cloud for Service: E-Mail
Security, B2B Scenario and SAP Cloud for Service: E-Mail Security, B2C Scenario. The suggested
settings are Encrypt if possible for Encryption and Sign for Signature.
f. Save your settings.
3. Activate your settings.
a. Choose Administrator Common Tasks Configure S/MIME .

b. Click Activate S/MIME.
c. Select Check signature of Incoming E-Mails to encrypt incoming e-mails. Select Encrypt Outgoing E-
Mails to encrypt outgoing e-mails. Select Signing Outgoing E-Mails for your solution to provide a
signature to other systems.
The settings you selected in Fine-Tuning will only be enabled if you activate them. If you do not activate
your settings, your system will not have security enabled.
4. Save your settings.
2.3.2 Configuring S/MIME Security
To enable e-mail notifications, you must also upload the CA certificates in this area for the generic business
task management e-mail address for all involved employees and managers.
Procedure
1. Choose Configure S/MIME in the Administrator work center under Common Tasks.
2. On the Incoming E-Mail tab, upload the CA certificates from all involved employees for the generic incoming
e-mail addresses Business Task Management E-Mail Notifications.
3. On the Outgoing E-Mail tab, install the system CA certificate in the e-mail client of the involved employee as
follows:
a. Click on Link to SAP CA and open the site SAP Trust Center Service Root Certificates .
b. Click on SAP Passport CA Certificate. A pop-up opens.
c. Click Install Certificate and follow the wizard by clicking Next.
d. Select Place all certificates in the following store and click Browse.
e. Select Trusted Root Certification Authorities and click OK and then Next. Now the CA from the system
is installed locally.
4. Now activate the S/MIME. On the Activate S/MIME tab, select the options:
a. Check Signature of Incoming E-Mails
b. Encrypt Outgoing E-Mails (optional)
c. Signing Outgoing E-Mails

Results
● E-Mail Notifications: Ensure that the involved employees are business users and have valid e-mail
addresses, and that the CA certificates from the employees are uploaded to the system for outgoing e-
mails.
● E-Mail Notifications: Each involved employee must subscribe to the e-mail notifications by opening the
Notifications view and choosing Subscribe to E-Mail.
● E-Mail Notifications: Check that the e-mail clients of the involved employees have enabled the receipt
of encrypted e-mails.
2.4 MIME Type Configuration
This section describes steps to select appropriate MIME types from the available list, that are specific to your
project.
Context
MIME type configuration controls the files you can add to the SAP Cloud for Customer system. This includes
attachment upload as well as files sent via email attachments.
We recommend that you start with a minimal MIME list, as you have the option of adding more later. Choose
from the list of allowed MIME types for uploading documents that are specific for your project.
Follow these steps to select MIME types from the provided list:
Procedure
1. Navigate to Business Configuration Implementation Projects Open Activity List . Select the All tab
and search for Allowed MIME Types for Document Upload.
2. In the ALLOWED MIME TYPES FOR DOCUMENT UPLOAD screen, select your project relevant MIME types.
2.5 SSN Tax Number in SAP Cloud for Customer
In SAP ERP, a customer can store various kinds of tax numbers. Some of these numbers capture the personal
identification numbers. From a security and compliance perspective, the customer should filter these tax
numbers in the middle ware so that these personal identification numbers do not get replicated from SAP ERP
to SAP Cloud for Customer.

Via HCI
The users must add all tax codes and set the IgnoreTaxCode to true for the ones they do not want to carry
over during the replication process.
Via PI
Create Value Mapping for the source agency ERP and scheme TaxCode, and target agency ERP and scheme
IgnoreTaxCode.
Enter all tax codes that you want to exclude (such as: CA5, US1, AR2) and the set the IgnoreTaxCode to true.

3 User Administration and Authentication
User management for SAP Cloud for Customer is located in the Administrator work center.
User Management [page 24]

User Types [page 28]
Authentication Mechanisms [page 28]

Every user type must authenticate itself to SAP Cloud solutions for regular browser-based front-end
access, as well as for electronic data exchange, such as Business-to-Business communication. SAP
Cloud solutions do not support anonymous access.
Security Policy Quick Guide [page 35]

You as an administrator can increase the security level, if desired, by editing and enhancing the security
policy, for example, by changing the complexity and validity for all passwords, in accordance with your
company´s security requirements.
3.1 User Management
 Note
For access rights, you must maintain necessary authorizations.
 Note
Personalizing any part of the UI does not change/add any security settings, as this is part of extensibility
which allows you to display/hide fields based on user/business roles, screen adaptations and so on. For
Example: even if you remove the edit button from the UI, the edit option is still available via OData API's.
Administrative authorizations should be limited to users who would be performing the administrative
functions. There should be a clear definition of roles and duties within the administrator user group itself. For
Example: you may have dedicated administrators for screen adoptions, but these team members would not
have the ability to change authorizations. Use the available standard reports to regularly monitor users with
administration rights, and also keep track of changes made to the user access rights.
The following table provides an overview of all activities related to user administration that you can perform as
an administrator:

24 PUBLIC User Administration and Authentication
User Administration Activities
Documentation in the Help
View Subview Activity Center
Administrator (SAP Cloud for Business Users Lock and unlock users Business Users Quick Guide
Customer) Change user password
Edit the validity of a user
Assign security policies to

users
Assign access rights to users

for work centers and work
center views
Restrict read and write ac

cess for users to specific
data
Assign business roles to

users
Support and Technical Users View all support and techni

cal users available in the sys
tem
Business Roles Define access rights in busi Business Roles Quick Guide
ness roles
Administrator (SAP Cloud for Communication Arrange Create technical users for Business Roles Quick Guide
ments electronic data exchange
Customer)
Communication Certificates Manage certificates that you Personalize my Settings
use for electronic data ex
change
Business Configuration (SAP Edit Security Policies Specify security policies for Security Policies Quick Guide
user passwords
Cloud for Customer)
Configure Single Sign On Download service provider Configure your Solution for
metadata, upload IdP meta Single Sign-On
data, and activate SSO
Configure S/MIME Configure and activate e- E-Mail Security

mail communication with S/
Configuration: Load Certifi
MIME
cates and Activate Signing
and Encryption for E-Mails

User Administration and Authentication PUBLIC 25
Documentation in the Help
View Subview Activity Center
Edit Certificate Trust List Edit trust list of certificates Communication Arrange
used for communication ar ments Quick Guide
rangements
 Note
The list of trusted certifi-
cation authorities is
available on the Web dis
patcher. Certificates
with which users log on
must be issued by one of
these certification au
thorities.
For more information about how to perform these activities, see the documentation of the corresponding work
center view.
3.1.1 VIDEO: Assigning User Access Rights by Roles
Use this video to discover how to create roles that you can assign to users for easier maintenance of user
access rights.
3.1.2 Restricting Access Roles
You use business roles to assign access rights to multiple business users who carry out the same activities. You
can also define access restrictions for a business role.
Procedure
1. From the Administrator work center, click on Business Roles.

2. If you want to edit the read and write access for users to whom any of the business roles are assigned, click
on any of the business roles listed and then click Edit. Next, click the Access Restrictions tab.
3. Select the view for which you want to restrict access rights and choose the corresponding access
restriction in the Read Access and Write Access column. You can choose between the following settings for
access restrictions:
○ No Access (Only available as a restriction for write access)

The user has no write access.
○ Unrestricted
The user has access to all business data related to the view.
○ Restricted
The user only has access to specific business data, depending on the access context. If you select
Restricted, you can restrict read and write access on the basis of predefined restriction rules that you
can choose from the Restriction Rule drop-down list.
If you choose the Define Specific Restrictions restriction rule, another list appears in which you can
restrict access to specific data, which is defined by the access group. For example, if a view has the
Site access context, you can restrict write access in this view for business documents that belong to a
specific site.
To do so, choose Detailed Restrictions and select or deselect the corresponding check box in the Read
Access or Write Access column.
4. If you want to grant the user access to data that is no longer in use, choose Historic Restrictions. Select or
deselect the corresponding check box in the Read Access or Write Access column.
5. To check whether the access rights are consistent, click Actions and choose Access Rights Consistency.
Each view contains specific activities that can be carried out by a user with the necessary access rights for
the view. Note that some activities can be carried out in multiple views. Therefore, when you grant access
rights, you should be aware that if there is a conflict, unrestricted access rights override any restrictions
you have defined.
 Tip
View A and view B both contain activity C. For view A, a user has unrestricted read and write access,
but for view B, the same user has read-only access. Because unrestricted access rights override
restricted access rights, the user will actually have both read and write access to both views. Checking
consistency will help you to identify these views and activities.
6. If there are activities displayed on the Check Access Rights Consistency screen, the access rights are
inconsistent. Check whether you need to redefine the access rights.
7. When finished, click on Assigned Users Activate User to save the edits you have made to the
business role and the users.

3.2 User Types
SAP Cloud solutions provide the following user types:
User Type Description
Business User A user type for normal interactive users resulting from hiring
an employee or creating a service agent. Business users al
ways have to change their initial password during the first
logon. The properties of the passwords are determined by
the assigned security policy.
 Note
Service agents are used for external users, for example,
partners or partner contacts. Apply specific security
policies and use specific roles to keep internal and exter
nal employees separated. We also recommend that you
lock external users as soon as they are no longer
needed.
Technical User A user type for non-interactive usage, either predefined by

SAP for technical operations or resulting from the creation of
communication arrangements. Technical users either do not
have passwords or have password but do not have to change
them.
Support User A user type for interactive support users used by SAP Cloud
Services to access the system as part of incident processing.
It is often necessary to specify different security policies for different users. For example, your policy may
mandate that individual users who perform tasks interactively change their passwords on a regular basis.
You can only specify security policies for the Business User user type.
3.3 Authentication Mechanisms
Every user type must authenticate itself to SAP Cloud solutions for regular browser-based front-end access, as
well as for electronic data exchange, such as Business-to-Business communication. SAP Cloud solutions do
not support anonymous access.
When a new user is created in your SAP Cloud solution, for example, during the hiring process of a new
employee, a user ID is created.

To log on your SAP Cloud solution, the following authentication mechanisms are supported:
● Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
● Logon using client certificate (X.509) as logon certificate
● Logon using user ID and password
3.3.1 Log on Using SAML 2.0 Assertion for Front-End Single

Sign-On (SSO)
Your solution supports SSO based on Security Assertion Markup Language 2.0 (SAML 2.0). To use this
function, your system landscape requires the following components:
● An SAML 2.0 enabled identity provider (IdP)

● At least one local service provider, for example, your solution or a Web-based 3rd-party product
● A browser client
The use of an SAML 2.0. enabled identity provider is mandatory. If you have no identity provider, it is
recommended that you use SAP Cloud Platform Identity Authentication - IAS (former Cloud Identity).
When a user connects to the service provider by using the corresponding URL, the browser redirects the
authentication request to the IdP. If the user is not yet logged on, they are prompted to log on to the IdP. After
that the browser redirects the connection back to the original URL and the user is automatically logged on to
the service provider. This process flow is always the same for all server providers.
The mutual trust between service provider and IdP is established by the exchange of certificates and additional
metadata.
It is recommended you disable username and password based access for users who use SSO to log in. As the
users would use SSO, they wouldn’t be aware if their passwords get changed. IdPs could also provide extra
security features such as two-factor authentication, which would not be effective in case the username and
password option is still available.
For more information, see the Front-End Single Sign-On document in the Help Center and the SAP Identity
Provider documentation on SAP Help Portal at http://help.sap.com/netweaver SAP NetWeaver Identity
Management <release> Application Help .
3.3.1.1 Configure Your Solution for Single Sign-On
This topic describes how to set up your solution to use front end single sign-on (SSO).
Prerequisites
You have downloaded the XML file of the metadata of your identity provider (IdP)

Context
You can configure SSO in your system using the Configure Single Sign-On common task, which is started
from Application and User Management Common Tasks .
For more information, see the administrator guide for your cloud product at help.sap.com.
Procedure
1. Choose My System.
2. Under Download metadata, depending on the type of metadata acceptable to your identity provider,
choose either of the following: SP Metadata (Service Provider Metadata) or STS Metadata (Security Token
Service Metadata).
3. Save the XML file for upload into the IdP.
 Note
Some IdPs can upload all information from the metadata XML file. Others require manual entry of the
information contained in the file.
4. Specifiy whether the employee can manually choose between logging on with a user ID and password or
SSO by selecting the Manual Identity Provider Selection check box.
5. In the SSO URL section, specify which URL should be used by the employee to log on to the system. In the
URL Sent to Employee drop-down list you can choose from the following options:
a. Non-SSO URL: The system sends only the normal system URL to the employee. The employee cannot
log on using SSO and must use a password or a certificate instead.
a. SSO URL: The system sends only the SSO URL to the employee. The employee can log on using SSO.
The authentication request is redirected through the IdP.
a. Automatic selection: If SSO is not active, the system sends the normal system URL to the employee. If
SSO is active, the system checks whether the employee has a password. If the password is available,
both SSO URL and non-SSO URL are sent to the employee. However, if the employee has no password,
only the SSO URL is sent to the employee.
6. Choose Identity Provider.
7. Click New Identity Provider and select the metadata XML file that you have downloaded from your IdP. By
importing the metadata, the system automatically uploads the required signature certificate and
encryption certificate.
8. If you have multiple identity providers configured and you have not selected the Manual Identity Provider
Selection check box in the previous step, you must select the default IdP, which is automatically selected
when logging onto the system. To do so, select the corresponding IdP and click Actions, then choose Set to
Default.
9. If required, you can specify the Alias, which defines the displayed name of the IdP that appears on the log
on screen.
10. If your IdP requires the element Assertion Consumer Service URL in the SAML request, select the
Include Assertion Consumer Service URL check box.
11. Once you have configured your IdP, activate SSO in your cloud solution. To do so, click Activate Single Sign-
On.

12. Save your changes.
3.3.2 Logon Using Client Certificate (X.509)
Users can also log on with a client certificate to complete authentication. To do so, users can choose between
the following options:
● If users already possess a suitable client certificate from a trusted Certification Authority, then they can
map the client certificate to their user ID.
● If no suitable client certificate is available, then users can request a client certificate from within the SAP
Cloud solution. In response, an SAP Certification Authority will provide the requested certificate. This
request can be repeated on any other device you use to access SAP Cloud solutions. You cannot use the
same certificate to log on with multiple users.
We strongly recommend that you never store the X.509 client certificate in an unprotected keystore. The
download also contains the corresponding private key. Therefore, the downloaded file should be protected with
a sufficiently strong passphrase of the user’s choice.
The following table contains the trusted certification authorities for client certificates:
Trusted Certification Authorities

Organizational Common Name E-
Country Organization Unit Common Name Mail
DE Deutsche Telekom AG T-TeleSec Trust Deutsche Telekom

Center Root CA 1
DE SAP Trust Community SAP Passport CA
DE TC TrustCenter GmbH TC TrustCenter TC TrustCenter Class 2

Class 2 CA CA II
DE TC TrustCenter GmbH TC TrustCenter TC TrustCenter Univer

Universal CA sal CA I
DE TC TrustCenter for Security TC TrustCenter certificate@trustcen-

in Data Networks GmbH Class 1 CA ter.de
IE Baltimore CyberTrust Baltimore CyberTrust

Root
US Entrust.net www.entrust.net/ Entrust.net Secure

CPS incorp. by ref. Server Certification
(limits liab.), (c) Authority
1999 Entrust.net
Limited
US Entrust.net www.entrust.net/ Entrust.net Client Cer

Client_CA_Info/C tification Authority
PS incorp. by ref.
limits liab., (c)
1999 Entrust.net
Limited

US Equifax Equifax Secure

Certificate Au
thority
US GoDaddy.com, Inc. http://certifi- Go Daddy Secure Cer

cates.god tification Authority
addy.com/reposi
tory
US The Go Daddy Group, Inc. Go Daddy Class 2

Certification Au
thority
US VeriSign, Inc. Class 1 Public Pri

mary Certification
Authority

mary Certification
Authority - G2, (c)
1998 VeriSign, Inc.
- For authorized
use only, VeriSign
Trust Network

mary Certification
Authority

mary Certification
Authority

mary Certification
Authority - G2, (c)
1998 VeriSign, Inc.
- For authorized
use only, VeriSign
Trust Network

mary Certification
Authority

mary Certification
Authority - G2, (c)
1998 VeriSign, Inc.
- For authorized
use only, VeriSign
Trust Network

mary Certification
Authority


mary Certification
Authority - G2, (c)
1998 VeriSign, Inc.
- For authorized
use only, VeriSign
Trust Network

mary Certification
Authority - G2, (c)
1998 VeriSign, Inc.
- For authorized
use only, VeriSign
Trust Network
US VeriSign, Inc. VeriSign Trust VeriSign Class 1 Public

Network, (c) 1999 Primary Certification
VeriSign, Inc. - For Authority
authorized use
only

VeriSign, Inc. - For Authority - G3
authorized use
only

authorized use
only

authorized use
only

authorized use
only
ZA Thawte Consulting cc Certification Serv Thawte Premium premium-

ices Division Server CA server@thawte.com
ZA Thawte Consulting cc Certification Serv Thawte Server CA server-

ices Division certs@thawte.com
For more information about trust configuration, see SAP Help Portal at http://help.sap.com/netweaver SAP
NetWeaver Platform <release> Application Help Function-Oriented View <language> Security
User Authentication and Single Sign-On Integration in Single Sign-On (SSO) Environments Single Sign-On

for Web-Based Access Using X.509 Client Certificates Using X.509 Client Certificates on the AS ABAP
Configuring the System to Use the SAP Trust Center Service .
3.3.3 Log On Using User ID and Password
Users log on to SAP Cloud solutions with their assigned user ID and password.
By default, a strong security policy for passwords is pre-configured in your solution, based on SAP’s product
security standard. You as an administrator can set an initial password and edit and create security policies
according to the security requirements of your company.
For more information, see Security Policy Quick Guide [page 35].
If a user has forgotten the password, he or she can request a new one by using the password self-service on the
logon screen. A dialog box is displayed where the user has to enter the workplace e-mail address. Provided this
workplace e-mail address has already been entered for corresponding employee or service agent in your
solution, an e-mail containing a security code is sent to this e-mail address.
The system then displays a dialog box where the user can enter this security code. Note that the security code
is only valid in this dialog box. If the security code has been entered correctly, the system generates a new
temporary password with which the user can log on to the system. The system immediately displays another
dialog box requiring the user to change this temporary password.
Password Security
These are some security parameters you must have in place for password protection:
● Enforce strict password rules

● Increase minimum requirement for password length, and encourage introduction of complexity
● Validate password use and history to prevent repetition and re-use of same password
● For administrative users, passwords must be at least twelve characters long.
3.3.4 Creating a Security Certificate for HTTPS-Enabled

Computer Telephony Integration (CTI)
You can enable HTTPS security for outbound phone calls made from your cloud solution. To fully enable this
feature, you need to create a security certificate using the command line.
Prerequisites
To make outbound calls, you must have a CTI provider such as SAP Contact Center or an equivalent third-party
product.

Context
After you complete this process, end-users will be able to call customers directly from the cloud solution
without having to navigate another system.
Procedure
1. Enter the following into a command line prompt:makecert -n "CN=CODCTI Authority" -cy
authority -a t sha1 -sv "CODCTI_authority.pvk" -r "CODCTI_authority.cer" -sr
localmachine -ss ROOT
Replace CODCTI with your company name.
2. Enter the following into a command line prompt: makecert -n "CN=localhost" -ic
"CODCTI_authority.cer -iv "CODCTI_authority.pvk" -a sha1 -sky exchange -pe -sr
localmachine -ss MY "codcti_adapter.cer"
3. Enter the following into a command line prompt: netsh http add sslcert ipport=0.0.0.0:36731
certhash=0291c80612387afaee33f3589b4ab176c8d5336e appid={7346cd40-39c6-4813-
b414-019ad22e55b2}
Results
In the step examples, Certhash is the thumbprint of the codcti_adapter.cer. You can look this up in the
certificate. Appid is the appid of the CTI client adapter.
3.4 Security Policy Quick Guide
You as an administrator can increase the security level, if desired, by editing and enhancing the security policy,
for example, by changing the complexity and validity for all passwords, in accordance with your company´s
security requirements.
You can access the Edit Security Policies common task in the Administrator/Application and
User Management work center.
You can also define the length of time after which mobile users must reenter the app password to log on to the
system from a mobile device and the maximum number of times in succession a user can enter an incorrect
password before mobile app data is deleted from the mobile device as well as other properties regarding the
complexity of the password.
You have the option of choosing a flag to enforce password change requested by the administrator. Navigate to
Administrator Edit Security Policies , and choose the Password Logon Enabled flag. In the Admin
Password Change Enforcement dropdown, you can choose Enforce or Ignore.
For more information about the app password, see Secure System Access and Authentication [page 50].

3.4.1 Business Background
A security policy is a set of rules that defines password complexity, such as including numerical digits and
password validity, like requiring a password change after a certain period of time.
You can define multiple security policies because work areas or departments of a company may have different
password security requirements.
3.4.2 Create a Security Policy
Procedure
1. To create a new security policy, click Add Row.

The system creates a new security policy and generates the associated policy ID.
 Note
To create a new security policy similar to an existing one, select an existing security policy and click
Copy.
2. If necessary, change the Policy ID.

3. Enter a Policy Name and Description for the new security policy.
3.4.3 Edit an Existing Security Policy
Use this procedure to edit an existing security policy.
Procedure
1. Choose the security policy you need to edit.
 Remember
You cannot change policies that begin with S_ . These are default security policies delivered by SAP.
2. Change the complexity and validity rules for passwords assigned to the security policy.
 Remember
If a user's password does not comply with the changed password rules, the user is prompted to change
the password with the next system logon.

3.4.4 Assign Security Policies
You can assign a security policy to multiple business users at one time.
Procedure
1. In the Business User subview, click Actions and select Assign Security Policy.
2. Select one or more users that you need to assign a security policy to.
3. Click Assign Business Role and select the security policy that you would like to assign to the selected
business users.
4. Click OK to save the assignment.
3.4.5 Define the Default Security Policy
When a business user is created, the system automatically assigns the default security policy to the business
user.
Context
To define the default security policy, perform the following steps:
Procedure
1. In the Default column, set the check box for the security policy for the security policy you want to define
as the default security policy.
 Note
You can change the security policy assignment in the Business Users view. .

3.4.6 Delete an Existing Security Policy
Procedure
1. Choose the security policy you need to delete.
 Note
○ If you have selected a security policy beginning with S_, the Remove button is deactivated, as the
deletion of a default security policy delivered by SAP is not permitted.
○ You cannot delete a security policy that is currently assigned to users.
2. Click Remove.

4 Authorizations
 Note
For access rights, you must maintain necessary authorizations.
 Note
Personalizing any part of the UI does not change/add any security settings, as this is part of extensibility
which allows you to display/hide fields based on user/business roles, screen adaptations and so on. For
Example: even if you remove the edit button from the UI, the edit option is still available via OData API's.
Authorization Assignment [page 39]

You can assign authorizations to each employee who has a user ID in your solution.
Access Restriction [page 40]

You can define whether a particular user has read or write access to data in a work center view.
Segregation of Duties [page 47]

If the user has been assigned to multiple work centers, your SAP Cloud solution checks whether the
assigned views conflict with the segregation of duties.
4.1 Authorization Assignment
You can assign authorizations to each employee who has a user ID in your solution.
Employees are assigned to org units within organizational management. The assigned org unit determines the
functions that the employee can use.
Based on these functions, work centers and work center views are proposed for the users. Some business
processes require that a work center view can only be assigned together with one or more other work center
views. If you as an administrator assign such a work center view to a user, then your solution automatically
assigns these additional views to the user.
In SAP Cloud for Customer, you can enable partner contacts to access your SAP system by creating a user ID
separate from employees in your solution. Partner contacts are service agents, being used to give external
employees system access. Partner contacts should be assigned with their own business roles to maintain
limited access to your SAP system.
 Caution
Creating user IDs for your business partners will allow outside access to your system.

Authorizations PUBLIC 39
4.2 Access Restriction
You can define whether a particular user has read or write access to data in a work center view.
Your SAP Cloud solution provides the user with access to all of the business documents and Business Task
Management items in that work center view.
You can restrict access to specific data on the basis of the access context assigned to the work center view in
which the data appears.
 Caution
It is important to be aware of the following dependencies when you assign work centers and views directly
to users:
● Each work center view contains specific activities that can be carried out by a user with the necessary
access rights for the view. When you assign a view or work center directly to a user, rather than
assigning these through a business role, by default the user will have unrestricted read and write
access to all the functions associated with the work center view.
● Additionally, in some cases the same activities can be carried out in multiple views. When you grant
access rights, you should be aware that if there is a conflict, unrestricted access rights override any
restrictions you have defined. For example, view A and view B both contain activity C. For view A, a user
has unrestricted read and write access but for view B, the same user has read-only access. Because
unrestricted access rights override restricted access rights, the user will actually have both read and
write access to both views.
 Recommendation
We recommend that you handle access rights by assigning business roles to users rather than by assigning
work centers views directly to users. The advantages of assigning access rights through business roles are
considerable:
● It eliminates the risk of a user accidently having authorizations to read or edit data to which he or she
should not have unrestricted access.
● There is much less maintenance effort involved when you have to edit access rights, for example, after
an upgrade. You only have to edit the access rights associated with the business role and not the
individual user’s access rights.
4.2.1 Sales: Setting up User Access Rights and Restrictions
In SAP Cloud for Sales, the ability to grant and restrict authorizations is supported for most work center views,
such as Accounts, Employees, Products, Activities, or Opportunities.
Views are assigned through a work center to business roles. Authorizations for certain views can be restricted
either to employees or territories associated to the specific item within a view, or through an assignment of the
employee to an organizational unit.
Access Contexts and Restriction Rules

40 PUBLIC Authorizations
Access contexts bundle context-specific restriction rules that are assigned to various work center views and
you as administrator can choose a business role level which restriction rule will be used for which view.
You will find a could of applicable restriction rules when you set at least the Write Access to Restricted.
For example:
● 1015: Employee or territory:

○ 1: Assigned territories or and employees (for managers)
This rule implies that data can be accessed through direct employee assignment independent of the
employee role or through territory assignment. In case the rule applies to a manager, data is accessible
through employee and territorial hierarchy.
○ 2: Assigned territories and employee of user
This rule implies that data can only be accessed through direct employee assignment independent of
the employee role or through territory assignment.
○ 3: Assigned territories
This rule implies that data can only be accessed through territory assignment.
○ 99: Define specific restrictions
This rule should apply only if the above rules do not satisfy the access needs. Note that the restriction
rule 99 likely requires the set up of different business roles.
● 2001: Business object product:
○ 1: Sales organization of user
This rule implies that data can be accessed through the organizational assignment of the employee.
○ 99: Define specific restrictions
This rule should only apply if the above rules do not satisfy the access needs. Note that the restriction
rule 99 likely requires the set up of different business roles.
Access Context ID
Access context IDs are only appearing in the context of access rights on the business user level and you can
find the IDs of employees, business users, org units, territories, and sales channels. The following objects and
access context IDs are available:
● Employee: Employee ID
● Territories: Territory ID
● Org center: Org center ID
● Sales chain: Org center ID plus distribution channel
4.2.1.1 Sales: Setting up Business Roles and Users
Procedure
1. In the Administrator work center, choose General Settings Users Business Roles and create a
business role. The business role defines a set of work centers and its associated views, including its
restriction rules.
2. Assign work centers and views underWork Center and View Assignments. Select views applicable for the
business role.

3. Under Access Restrictions restrict the access for the work center views as appropriate by setting at least
the Write Access to Restricted or No Access. In case a view offers specific rules, you can select it from the
Restriction Rule drop-down box.
If you like to have different rules for write and read access for the same view, you need to create two
business roles with the same view assignment. One business role should get specific read access and write
restriction to No Access and the second business role should get the same view with both read and write
access.
4. Under Fields & Actions you can restrict the access for all extension fields and selected business fields and
actions.
5. Save your work and choose Actions Activate to activate your role.
6. In the Administrator work center, choose Users Employees and create an employee. Note that you
can create an employee only when you do not use external integrationwith, for example, SAP ERP.
7. Choose Users Business Users and open the created employee as a business user and choose Edit
Access Rights .
8. Under Business Role Assignment, assign the created business role to the user.
Under Access Restrictions you can restrict the access on a user-level only if you haven't assigned a
business role. For this, change at least the Write Access to Restricted. Now the restrictions on the Detailed
Restrictions tab are changeable and you can change the access on the Access Group ID level. We
recommend to restrict through the business role assignment only.
9. Save the changes.
Results
The authorization is set up for the corresponding business user.
4.2.1.2 Sales: Restricting Authorizations by Fields and

Actions
Note that the value Unrestricted is only relevant if the a user is assigned to more than one business role.
If a business field occurs in one of the business roles with access restriction Unrestricted, then the user has no
restriction even if there is another business role restricting the business field. If the business field does not
occur in a business role, but is restricted in another business role, then the user is restricted accordingly.
4.2.1.3 Sales: Restricting Authorizations by Employees
By editing the access group ID Employees, you, as an administrator, can grant authorizations to employees to
see items of their own, or of other employees.
Employees who have been granted the appropriate authorizations can see or update each item, as follows:

● Provided that they belong to the account team or territory team, meaning that they are directly or
indirectly associated with an account by means of any role (including a customer-derived one). Authorized
employees can view or updated accounts.
● Provided that they belong to the account team of an account that is associated with a contact, authorized
employees can view or update contacts.
● Provided that they are assigned as an involved party or sales team in a document such as activity, lead,
sales quote, or opportunity, authorized employees can view or update them.
 Note
Items for which no employee or territory has been assigned to can be accessed by all employees.
Within User Management, employees can be displayed either in simple list format or in the corresponding
organizational hierarchy, which indicates the employees responsible for each organizational unit. You, as an
administrator, can therefore choose to modify either the authorizations of the employee or of the employees
who are assigned to the relevant organizational unit.
If you choose to modify authorizations in relation to a particular organizational unit, then the authorization
changes will be applied to all employees who belong to that organizational unit, or to any subordinate unit. At a
later date, you can also modify the authorizations of individual employees on this organizational unit, if desired.
4.2.1.4 Sales: Restricting Authorizations by Territories
Authorizations for employees, fields, and actions can also be restricted on the basis of the territory that it is
automatically determined or maintained for that item.
 Note
Several territories can be assigned to an account at a given time.
By editing the access group ID Territories, you, as an administrator, can grant authorizations to the business
users that are associated with the territories. If you modify the authorization of a business user in relation to a
territory, then that user can view or update the items that are assigned to that territory, or to any
corresponding territory.
For example, if you assign authorization to an employee to view or update items that are related to a certain
territory, for example, the United States, then that employee can also view or update items that are related to
subordinate territories, such as California or Florida.
4.2.1.5 Sales: Recommended Rules for Authorization

Restrictions
To reduce the effort for the maintenance of authorizations, administrators should avoid using the specific
restriction 99 within a particular access context.
The other access restrictions rules are binding for the overall master data, meaning that you do not need to
need to change user restrictions seperately, or create new business roles. Rather, you, as an administrator, can

specify a restriction rule within a business role, and then assign that business role to multiple users. With this
approach, authorizations are automatically derived from the exisitng master data.
 Note
If employee's organizational or territory assignment changes occur after the initial assignment of a
restriction to a business role, then you, as a business administrator, must update your business users, to
ensure that these changes are considered:
● Choose Administrator Business Roles .

● Find the relevant business role.
● Choose Actions Update Business Users .
Whenever you, as an administrator, maintain the authorizations of business users, we recommend you assign
business roles to these users in concert with restriction rules.
Example: Using Restriction Rules in Access Context 1015
Access context 1015 (Employee or Territory) can be applied accounts, contacts, leads, sales leads,
opportunities, and sales quotes. Two restriction rules, described below, are delivered for this access context:
● Assigned Territories and Employees (for Managers):

This restriction rule grants authorization for:
○ The employee him- or herself
○ All employees within the line of organization of the employee, if the employee is a manager
○ All territories to which the employee is assigned, and all territories beneath the employee
● Assigned Territories and Employees of User
This restriction rule grants authorization for:
○ The employee him- or herself
○ All territories to which the employee is assigned, and all subterritories beneath the employee
4.2.1.6 Sales: User Authorization Troubleshooting
This section describes authorization issues that you, as an administrator, may encounter, and how you can
resolve them.
Authorization for a certain user has been restricted for a particular item, but the user can still view or edit
the item.
This issue commonly occurs for the following reasons:
● No employee or territory is assigned to an account, lead, opportunity, activity, or sales quote.

● No sales organization is assigned to the product.
● Employee is not assigned to a sales org unit.
● The restricted item appears in two work center views, but you did not restrict the user's authorization in
the same way in each view.
For example, if opportunities are not restricted under Analysis Pipeline and Analysis Forecast
in the same way, then users who are restricted from seeing opportunities in the sales pipeline may
nonetheless see opportunities in the forecast opportunity list, and vice versa.

The organizational or territory assignment of an employee or manager has changed, but the user cannot
access the items that relate to the new assignment.
If master data changes occur, then you, as the administrator, must update your business users as follows:
1. Choose Administrator Business Roles .

2. Find the relevant business role.
3. Choose Actions Update Business Users .
This action is especially important if you change, for example, the managerial responsibility for organizational
centers within the organizational hierarchy, or if you modify the assignment of employees to territories.
4.2.2 Service: Setting up User Access Rights and

Restrictions
Allowing employees to edit tickets gives an employee the ability to engage with customers.
In SAP Cloud for Service, you can limit the employee access to tickets to ensure that only qualified employees
engage with customers. You can limit the access of a single employee or group of employees. You can also limit
access for partners and partner contacts.
It is recommended that you use roles to enable access restriction. Assigning access using roles allows you to
create one set of access definitions that can be copied to multiple users.
4.2.2.1 Service: Defining User Access for a Group
Procedure
1. Create the organization that will contain the employees that you assign to this group.
2. After you have created the organization, create routing rules to define which tickets are assigned to the
organization.
3. Create a role. A role contains permissions that are inherited by each employee assigned to the role.
a. In the Access Restrictions tab, restrict read and write access for Tickets and Queue in the Assigned
Work Center Views list. Assign access rights to users according to your business needs.
b. To restrict employee access to the employee's organization, open the Detailed Restrictions list and
ensure that the check boxes for Read Access and Write Access are checked only for the employee's
organization.
c. To allow employees to read tickets in other organizations, open the Detailed Restrictions list and ensure
that the Read Access and Write Access check boxes list are checked for the employee's organization.
Select Read Access to allow the employee to read the tickets of the selected organization.
4. Assign the role to all applicable employees.

4.2.3 Restricting Access for Local Administrators
In a company with a global workforce, it is important to have administrators for global work tasks as well as
local administrators that cover subsidiary tasks. Therefore, the company should have a few global
administrators with expansive rights and many more local administrators with more restrictive rights.
Context
Additionally, these global and local administrators can edit access rights for business users by assigning
business roles with local scope to the users.
 Tip
You company's headquarters are located in Paris and you have subsidiaries in Chicago, Tokyo, and New
Delhi. If issues happen in the subsidiaries the workforce there can't wait until the administrators in Paris are
working again because they are in different time zones. So it would be better if you can create roles for local
administrators that are enabled to manage the local issues but without access to other data outside their
local organization.
Procedure
1. As global administrator you need to generally restrict access of your local administrators for views they will
be able to access and to assign them to the users of their sales organization. For this, select
Administrator General Settings Users Work Center View Restrictions for Local Administrators .
The views must either be Allowed or Partially Allowed. We recommend that:
a. You un-restrict at least the views Employees and Business Users.
b. You set the General Settings view and the Application and User Management work center to Not
Allowed.
2. Create a business role for the local administrators. The role for the local administrators should have all
Allowed and Partially Allowed views that you defined in tWork Center View Restrictions for Local
Administrators, and especially Employees and Business Users. Take care that the access for the Employees
and Business Users views are restricted to the sales organization of the users.
Only business roles with the scope Local can be assigned to business users by local administrators. A
business user is Global, if at least one view is either Not Allowed or Partially Allowed, but not restricted with
a restriction rule (besides restriction rule 99).
3. Now you can create business roles for local administrators with the allowed and partially allowed views you
defined in Work Center View Restrictions for Local Administrators.
○ You can only create local roles for views that you defined in Work Center View Restrictions for Local
Administrators view as Partially Allowed or Allowed. In case one view is marked as Not Allowed, the role
isn't visible for the local administrator.
○ Local administrators are disabled to assign global roles to local business users.

○ If you un-restrict a view in Access Restrictions that is set as Partially Allowed in Work Center View
Restrictions for Local Administrators, the entire role switches to Global and disappears for the local
administrator.
○ Local administrators can only use roles with scope Local.
4. On the Fields & Actions tab of your local administrator role, under Business Restrictions, you can also
restrict that the local administrator can be the only one to edit access rights or attributes of other users.
4.3 Segregation of Duties
If the user has been assigned to multiple work centers, your SAP Cloud solution checks whether the assigned
views conflict with the segregation of duties.
Segregation of duties is designed to minimize the risk of errors and fraud, and to protect company assets, such
as data or inventories.
The appropriate assignment of access rights distributes the responsibility for business processes and
procedures among several users.
For example, suppose that your company requires that two employees be responsible for the payment process.
This requirement ensures that the responsibility for managing company finances is shared by two employees.
A segregation of duties conflict occurs when a user has access to a set of work center views that could enable
him or her to make an error or commit fraud, thereby damaging company assets. If the application detects a
conflict, it indicates that conflict in the user interface and proposes possible solutions.
Based on this information, you can alert business process owners to existing conflicts, so that they can
implement process controls to mitigate them.

5 Mobile Devices
With the SAP Cloud mobile solutions, you can access many of the functions that have been tailored to business
on-the-run.
Changes made on mobile apps are automatically updated in the system over the internet, online, and in real
time. Mobile solutions connect to the SAP Cloud solution in the same way as personal computers do.
The following table provides information about the mobile devices on which you can run SAP Cloud solutions:
Supported Mobile devices:
Device/Operating System Supported
iPhone/iPad X
Android X
Windows Tablet X
Windows Phone X
Offline Support
SAP Cloud Solution iPad/iPhone Android Tablet/Phone Windows Tablet
Offline Support X X X
SAML2 Based SSO [page 49]

List of SAML2 based SSO supported mobile devices.
SSO Recommendation [page 49]

The following is our recommendation for the users.
Authorizations [page 49]

When you use SAP Cloud mobile solutions, you use the same URL address and logon credentials as for
desktop applications.
Secure System Access and Authentication [page 50]

Access from mobile devices (HTML5) is enabled by connecting to the back-end system using HTTPS
and the same user and password authentication used for connection from a personal computer.
Special Considerations [page 51]

Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen.
Therefore, we recommend that you use the security features provided by your mobile device platform.
Data Storage [page 51]

This section describes the types of data stored on the mobile device.
Offline Mode [page 55]

For working offline, data is stored on the device and encrypted.

48 PUBLIC Mobile Devices
5.1 SAML2 Based SSO
List of SAML2 based SSO supported mobile devices.
The following devices support the SAP Cloud for Customer hybrid apps with SAML2 based SSO:
Hybrid Apps
● SAP Cloud for Customer, extended edition for Android

● SAP Cloud for Customer, extended edition for iOS
● SAP Cloud for Customer, extended edition for Windows
Supported Devices
● Apple (iPhone and iPad)

● Android (Phone and Tablet)
● Microsoft Windows (Phone and Tablet)
 Recommendation
For set up information, refer to Log on Using SAML 2.0 Assertion for Front-End Single Sign-On (SSO) [page
29].
5.2 SSO Recommendation
The following is our recommendation for the users.
For the Single Sign On (SSO) option we recommend disabling the username and password access. However,
ensure that you maintain updated and accurate e-mail addresses for the users, as this is required in case of a
problem with the Single Sign On. The username and password options could be used as a fallback.
Administrators might have to send out initial passwords or users would have to reset password via self-service.
Both options require updated, correct e-mail addresses.
5.3 Authorizations
When you use SAP Cloud mobile solutions, you use the same URL address and logon credentials as for desktop
applications.
In the Application and User Management work center, ensure that for each mobile work center view to be
accessed on a mobile device, the user of the mobile device is assigned the related desktop work center view.
For more information, see the Business Users Quick Guide in the Help Center from any work center.

Mobile Devices PUBLIC 49
5.4 Secure System Access and Authentication
Access from mobile devices (HTML5) is enabled by connecting to the back-end system using HTTPS and the
same user and password authentication used for connection from a personal computer.
 Note
SAP Cloud for Customer solution now supports certificate pinning in the extended edition for the following
apps:
● iOS apps
● Android apps
5.4.1 SAP Cloud for Customer for Android
Android Credential Storage requires maintaining secure settings on the screen lock feature.
For SAP Cloud for Customer, extended edition for Android, it is mandatory for the user to have a screen lock to
be able to use the application. The application uses the Android Credential Storage to securely store sensitive
information and this requires the user to enable the screen lock.
Administrators can enforce this policy if the device is managed under MDM, otherwise, they have to inform the
users that a screen lock is mandatory. Earlier, it was possible for a user to create a logon profile, login and work
normally with the app. With 1811 the app can be installed but no logon profile can be created if the screen lock is
not enabled.
 Caution
Removing the screen lock will result in data loss (logon profiles will have to be re-created; unsynced offline
data will be lost).
5.4.2 Certificate Pinning
Enabling the certificate pinning feature allows secure communication between the app. and the SAP Cloud for
Customer server. Your administrator would have to enable the feature.
Go to Administrator General Settings Mobile Settings and in the Certificate Pinning field, select
Activate.
With the feature enabled, users cannot communicate with our server with a false or forged certificate. However,
the feature is disabled by default, but customers have the option to enable it via mobile configuration. When
you enable the feature, the mobile application performs the check.
 Note
For our forthcoming releases, we will enable the certificate pinning feature by default.

5.5 Special Considerations
Unlike stationary personal computers, mobile devices are at greater risk of being lost or stolen. Therefore, we
recommend that you use the security features provided by your mobile device platform.
For example:
● Use an additional, sufficiently long, PIN (personal identification number) to lock the device.
● Enable remote management software that allows you to lock the device remotely, or wipe data from it.
Stored data may contain potentially sensitive information. Ensure adequate protection for your business data
by using a strong password for device access. As an additional security measure, the stored data is also
encrypted with a Passcode.
The Passcode has a minimum length of 8 characters, with a longer length making for a stronger password.
The Passcode feature is available only for Mobile apps.
 Caution
Currently, when you edit the security policy for the extended apps, the Mobile App Password Complexity
settings are not considered. The mobile app password, known as passcode has to comply to a fixed
complexity rule defined by the extended app .
For information on how to operate your mobile device, refer to the device manufacturer's documentation.
5.6 Data Storage
This section describes the types of data stored on the mobile device.
The mobile apps for SAP Cloud solutions store three types of data on the mobile device, as outlined below.

User Name
On providing the login information, the user name will be masked to ensure the user's security. Refer to the
screen shots below:

Passcode
The passcode feature applies to the extended apps only, and is turned on by default. It is possible to enable
Touch ID as an alternative option for passcode if the device supports iOS and Android apps. However, the
administrator has the ability to disable the passcode for the user. The administrator can make this change in
the administration settings area of the solution. Refer to the Administrator Guide for more details on how to do
this.
 Note
SAP recommends having a device passcode in place for security reasons. The administrator has the ability
to make this feature optional for users.
Encryption
We recommend you keep the devices and apps as secure as possible by encrypting all data. However, if the
customer wants to increase the usability they need to be aware of the risk and must ensure there are other
protections (for example: strong device lock) in place.
For offline data storage, use the following:
● AES 256 encryption for all extended apps.
Support Log Files [page 54]

To obtain support for a technical error within the mobile app, you may be requested to activate the
app’s error-logging functionality. When error logging is active and the technical error is reproduced,
files containing technical data are created. These files enable SAP Cloud Support representatives to
resolve the error. Delete the log files once they are no longer required.
Cache Files [page 55]

To improve the mobile app’s performance, metadata is stored on your mobile device. The cached
information contains technical data that describes the user interface. The cache files can be deleted.
Local Application Data Storage [page 55]

SAP Cloud for Customer supports local application data storage.
5.6.1 Support Log Files
To obtain support for a technical error within the mobile app, you may be requested to activate the app’s error-
logging functionality. When error logging is active and the technical error is reproduced, files containing
technical data are created. These files enable SAP Cloud Support representatives to resolve the error. Delete
the log files once they are no longer required.

5.6.2 Cache Files
To improve the mobile app’s performance, metadata is stored on your mobile device. The cached information
contains technical data that describes the user interface. The cache files can be deleted.
For device-specific instructions on how to set the password expiration, enable logging, or delete logs and cache
files, refer to the mobile app’s documentation.
It is sometimes possible to upload pictures and other files from the mobile device to the SAP Cloud solution, for
example, pictures captured on a mobile phone’s camera. Such files are not managed through the SAP mobile
app. When files are uploaded to the solution, they are not deleted from the mobile device. To protect any
sensitive or confidential data that such files may contain, we recommend that you take extra precautions
appropriate for the specific mobile device in use. For more information, see the device manufacturer’s
documentation.
For device-specific instructions on how to set the password expiration, enable logging, or delete logs and cache
files, refer to the mobile app’s documentation.
You can upload pictures and other files from the mobile device to the SAP Cloud solution, for example, pictures
captured on a mobile phone’s camera. Such files are not managed through the SAP mobile app. When files are
uploaded to the solution, they are not deleted from the mobile device. To protect any sensitive or confidential
data that such files may contain, we recommend that you take extra precautions appropriate for the specific
mobile device in use. For information on how such files are secured and stored on your mobile device, refer to
the device manufacturer’s documentation.
5.6.3 Local Application Data Storage
SAP Cloud for Customer supports local application data storage.
To enable this, start the app and setup passcode, and enter system URL, username and password. During the
setup, the user has to enter a passcode that is different from the system password. The local application data
has been encrypted with a key derived from the app password. Authentication is required to switch between
online and offline mode
5.7 Offline Mode
For working offline, data is stored on the device and encrypted.
For mobile apps, once the device is online, data is sent to the back-end system and synchronized from the
mobile device.
When you set up a passcode for container apps for storing data in the offline mode, remember the following
points:
● The passcode should be at least eight characters long.

● There must be at least one numeral and one uppercase alphabet.

● You are allowed upto a maximum of eight failed attempts to logon. After which, you will need to reset the
passcode that will delete all information from the database.

6 Front-End Security
The SAP Cloud solutions front ends consist of Web application user interfaces based on Microsoft ® Silverlight™
or HTML5 technology.
Microsoft ® Silverlight™ [page 57]

Microsoft ® Silverlight™is a development platform for Web applications.
HTML5 [page 58]

HTML is a markup language for the Web. HTML allows you to format text, add graphics, create links,
input forms, frames and tables, and save it all in a text file that any browser can read and display.
HTML5 is the latest version. It offers enhanced multimedia capabilities.
6.1 Microsoft ® Silverlight™
Microsoft ® Silverlight™is a development platform for Web applications.
You can run Microsoft ® Silverlight™ applications in your Web browser and benefit directly from the browser´s
security mechanisms. Examples of browser security mechanisms are secure cookie handling and same-origin
policy. The same-origin policy ensures that confidential data is exchanged only with the domain of origin and
that it is not stored on the client after the current session ends.
Microsoft ® Silverlight ™ applications from different domains of origin run independently of one another. They do
not share resources, such as business data. The applications have very limited access to the client’s resources,
such as the local file system.
The user interface of your SAP Cloud solution benefits from the following front-end security mechanisms and
concepts:
● Microsoft ® Silverlight™application sandbox and resource isolation

● Secure socket layer (SSL) transport layer encryption using HTTPS
● Access to business data only after authentication and with sufficient authorizations using identity
management and Role-Based Access Management (RBAM)
● Cross-site-scripting countermeasures
● Microsoft’s secure default configuration in the framework
● Secure Web Application Development Guide
For more information, see the security information for Microsoft ® Silverlight™.

Front-End Security PUBLIC 57
6.2 HTML5
HTML is a markup language for the Web. HTML allows you to format text, add graphics, create links, input
forms, frames and tables, and save it all in a text file that any browser can read and display. HTML5 is the latest
version. It offers enhanced multimedia capabilities.
 Note
HTML5 has been released for SAP Cloud for Customer only.
In addition to the features that are also supported by Microsoft ® Silverlight™, HTML5 supports the following
features:
● X-Frame-options response header to avoid clickjacking attacks

● Cross-site request forgery (CSRF) protection
● Cross-site scripting (XSS) output encoding during SAP UI5 rendering
● UI and domain protection against URL mashups and content mashups in iFrames
For more information, see the security information for HTML5.

58 PUBLIC Front-End Security
7 Security of Data Storage and Data
Centers
The data centers that support SAP Cloud solutions incorporate multiple safeguards for physical data security
and integrity. They also provide high availability of your business data, using redundant networks and power
systems.
Asset Protection and Data Integrity [page 59]
Power Backup and Redundancy [page 59]
Restricted Physical Access [page 59]
Communication Security [page 60]
Network Security [page 60]
7.1 Asset Protection and Data Integrity
SAP follows operating best practices for data centers by deploying computation and storage parts of the
solution over separated fire-safe areas to support disaster recovery in the event of a fire.
For data backup and recovery purposes, a redundant hardware storage system performs regular backups. To
provide enhanced data integrity, your SAP Cloud solution uses an advanced database management solution to
store customer data and securely isolate each customer’s business information in its own database instance.
7.2 Power Backup and Redundancy
SAP data centers maintain multiple connections to several power companies, making a complete power outage
highly unlikely. Even if the local power grid were to fail, the data centers supporting your SAP Cloud solution
have an uninterruptible power supply for short-term outages, and a diesel generator backup power supply for
longer-term outages. Therefore, power interruptions or outages are unlikely to affect customer data or solution
access.
7.3 Restricted Physical Access
SAP data centers, located in the United States of America and Germany, are logically separated and staffed
around the clock, 365 days a year. A biometrics security system permits access only to authorized personnel,

Security of Data Storage and Data Centers PUBLIC 59
and the data centers are partitioned such that authorized personnel can access only their designated areas.
Moreover, no direct network connection exists between individual SAP data centers; each SAP data center is
fully autonomous.
7.4 Communication Security
SAP relies on encryption technology that uses HTTPS to prevent unauthorized parties from intercepting
network traffic. The encryption is based on the Transport Layer Security (TLS) protocol. The required
encryption software is a standard component of up-to-date client operating systems and Web browsers.
7.5 Network Security
The network for your SAP Cloud solution employs a number of security technologies. The multilayered,
partitioned, proprietary network architecture permits only authorized access to the data centers that support
your SAP Cloud solution, with features that include:
● A Web dispatcher farm that hides the network topology from the outside world
● Multiple Internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks
● An advanced intrusion detection system that continuously monitors solution traffic for possible attacks
● Multiple firewalls that divide the network into protected segments and shield the internal network from
unauthorized Internet traffic
● Third-party audits performed throughout the year to support early detection of any newly introduced
security issues

60 PUBLIC Security of Data Storage and Data Centers
8 Security for Additional Applications
SAP offers a set of additional software components that you can install, on desktop computers, for printing and
additional functionality.
Confirm the Signature
All additional applications of SAP Cloud solutions that are delivered for download are digitally signed. To
confirm the signature, proceed as follows:
1. Right-click on the file you have downloaded, then choose Properties.

2. In the dialog box, choose the Digital Signatures tab.
3. Confirm that the indicated Name of signer is SAP AG.
When you execute the installation of a file, a popup appears, indicating the Verified publisher. In this case, SAP
AG is indicated as well.
Saving Logon Data
SAP front-end components never share an existing authentication session on SAP Cloud solutions, for
example, within a Web browser or with another front-end component. Dedicated authentication is always
required to build a confidential communication channel, secured via the Secure Sockets Layer (SSL) protocol,
to your SAP Cloud solution.
If you log on to the system from a desktop computer with a user ID and password, you are asked whether you
want to store the password locally for subsequent authentication purposes. The password is encrypted, and
not stored as plain text. It is stored using the available protection mechanisms of the operating system, and
can be reused only by the operating system user who is currently logged on. If you do elect to use this function,
then you should activate it on your device only, and never on public computers.

Security for Additional Applications PUBLIC 61
9 Other Security-Relevant Information
Security for End User Devices [page 62]

Security recommendations for end user devices such as PCs, and laptops for windows and apple
products.
Service Composition Security [page 62]
Internal and External Audits [page 65]
9.1 Security for End User Devices
Security recommendations for end user devices such as PCs, and laptops for windows and apple products.
Since you can download data to your local devices, it is very important that you follow strict security protocols
to protect your data from getting compromised.
SAP Cloud for Customer offers many data extraction features such as: mass data maintenance, excel
downloads etc.
 Caution
We strongly recommend that you use secure protocols to prevent security breaches of confidential data.
These are our recommendations:
● Protect user accounts with strong passwords.

● Enable and activate whole disk encryption to protect the data in case your machine gets lost/stolen.
● Keep operating system software, virus checkers, browsers, and other applications current, and ensure
available security patches are deployed.
9.2 Service Composition Security
This section describes security considerations that apply to the built-in mashups integration and Web services
composition capabilities of SAP Cloud Solutions. Mashups and service composition entail cross-domain
communication between various Internet domains.
Content from different domains – especially active content, such as JavaScript – is always domain-separated
in the Web browser.
A same origin security policy common in Web browsers, prohibiting access to content across domain
separations, is activated, if necessary.

62 PUBLIC Other Security-Relevant Information
9.2.1 URL Mashup Integration
Both partners and administrators can create URL mashups to perform the following tasks:
● Open a Web page.

● Open a resource, for example, a Microsoft® Office or Adobe® PDF document, an Adobe® Flash® or
multimedia video file, and so on.
● Open a custom URL of a front-end application, for example, Microsoft® Outlook®, Apple iTunes®, and so on.
You can open these items from an SAP Cloud solution screen by configuring the URL with dynamic parameters
that are derived from the screen out-port interface of your SAP Cloud solution.
 Caution
Some URLs may pass your business data to an external application provided by a third-party organization,
for example, account data passed to a search engine when performing a reverse lookup in an online
address book. Therefore, before you use the URL mashup, we recommend that you confirm that it
conforms with your company’s security and data privacy policies.
Some Web browser settings, for example, popup blockers, may prevent the new browser window from
appearing in the URL mashup. We therefore recommend that you review your browser settings to
determine whether popups are allowed.
9.2.2 HTML Mashup Integration
Both partners and administrators can create HTML mashups to embed an HTML-based Web page or a
resource that can be rendered in a Web browser – for example, a Microsoft Office or Adobe PDF document, or
an Adobe Flash or multimedia video file – into an SAP Cloud solution screen by configuring the URL with
dynamic parameters that are derived from the SAP Cloud solution screen out-port interface.
 Caution
Certain URLs may pass your business data to an external application provided by a third-party
organization, for example, account or contact data passed to a social media Web site when displaying the
related profile. Therefore, before you use the map mashup, we recommend that you confirm that it
conforms with your company’s security and data privacy policies.
Bing Maps Web service communication takes place directly between the user’s Web browser and the
service provider via the Secure Sockets Layer (SSL), with the dedicated API key applied for each SAP Cloud
solution. Bear in mind that the Bing Map Web service provider may monitor the Bing Maps Web service API
usage in accordance with the terms of licensing. Therefore, before you use the map mashup, we
recommend that you review the API usage and licensing details with the Bing Maps Web service provider.

Other Security-Relevant Information PUBLIC 63
9.2.3 Map Mashup Integration
SAP Cloud solutions use Microsoft® Bing Maps™ as a built-in map service provider. Both administrators and end
users can configure the map mashup usage on an SAP Cloud solution screen to display the visual location or
route information on a map. Before Bing Maps mashups can be used, you as an administrator must activate
them by entering the Application Programming Interface (API) key for Bing Maps usage in the Mashup
Authoring work center view of the Application and User Management work center. For more information about
the Bing Maps Web service partner, and to apply for an API key, visit the SAP Cloud solutions communities.
 Caution
Bear in mind that the map mashup may convey business data of yours to the Bing Maps Web service
provider. For example, ship-to and bill-to addresses are transferred to the Bing Maps Web service provider
when displaying the related visual location on the map. Therefore, before you use the map mashup, we
recommend that you confirm that it conforms with your company’s security and data privacy policies.
Bing Maps Web service communication takes place directly between the user’s Web browser and the
service provider via the Secure Sockets Layer (SSL), with the dedicated API key applied for each SAP Cloud
solution. Bear in mind that the Bing Map Web service provider may monitor the Bing Maps Web service API
usage in accordance with the terms of licensing. Therefore, before you use the map mashup, we
recommend that you review the API usage and licensing details with the Bing Maps Web service provider.
9.2.4 Data Mashups
Both partners and administrators can create data mashups for composing Web services (provided by third-
party Web service providers) with business data derived from the SAP Cloud solutions. You can use the
integrated authoring tool, the Data Mashup Builder, to transform or merge external Web services with internal
business data, using industry-standard Web service protocols, for example, RSS/Atom, REST or SOAP Web
services.
Create Web services in your SAP Cloud solution before creating the Web service composition in the Data
Mashup Builder. API keys can be specified for the Web service security by means of industry-standard or Web
service specific authentication methods, for example, basic authentication, REST body credentials, or SOAP
service parameter credentials. The API keys entered by partners and administrators are stored in an isolated
secure storage of the your SAP Cloud solution back end, which is never exposed to end users.
 Caution
Certain Web services may transfer business data of yours to an external Web service provider from a third-
party organization. For example, account or address data is transferred to a data quality Web service
provider when data quality cleansing operations in Cloud applications are performed. Therefore, before you
use the mashup, we recommend that you confirm that the Web service conforms to your company’s
security and data privacy policies.
Web service communication in data mashups does not take place directly between the user’s Web browser
and the Web service provider. Rather, as a result of the cross-domain access policy restriction, it is tunneled
using the SAP Cloud solution system back-end Web service proxy. Only the Web service endpoints that
have been confirmed with acknowledgement by partners and administrators can be accessed by the SAP

Cloud solution system back-end Web service proxy by all end users of a customer. Therefore, before you
confirm that a Web service is added to your SAP Cloud solution, we recommend that you ensure that it
conforms to your company’s and country’s security policies.
9.3 Internal and External Audits
SAP is committed to third-party validations, standards, and certifications of the policies and procedures we use
to maintain our customers’ security, privacy and data integrity. SAP maintains several certifications and
accreditations to ensure that we provide the highest standards of service and reliability to our customers. SAP
will continue efforts to obtain the strictest of industry certifications in order to verify its commitment to provide
secure and reliable services.
The Audit work center helps external and internal auditors conduct an audit for a company. It provides you with
read access to all information that is relevant for an audit, such as financial reports, master data, documents
and document flow, as well as user and access rights. The system provides this information through a selection
of reusable views from other areas. Unlike other work centers, the Audit work center permits read access only.
You cannot perform any changes there.
All planning, follow-up activities, reporting of audit results, and findings must be completed outside your SAP
Cloud solution.
The Audit work center provides the following information:
● General Ledger
● Fixed Assets
● Cost and Revenue
● Inventory Valuation
● Receivables
● Payables
● Liquidity Management
● User and Access Management
For more information, see the documentation of the Audit work center.
9.3.1 Security Management and Continual Improvement of

Security
Security Management at SAP Cloud Solutions aims towards the continual improvement of the information
security framework. SAP conducts several external audits to make sure that these aims are reached.
Certificate/Report Interval Conducted by
ISO 27001 (SAP Cloud Operations) Once a year Accredited auditing company

Other Security-Relevant Information PUBLIC 65
Certificate/Report Interval Conducted by
ISO 27001 (SAP Data Center Operations) Once a year Accredited auditing company
External pentest Once a year (SAP Cloud for Customer) Third-party security company
Internal pentest Four times a year (SAP Cloud for SAP C.E.R.T.
Customer)
Code Scan ABAP: Daily SAP Cloud for Customer
ABAP (SAP Cloud for Customer) Non-ABAP: Minimum once per release
Non-ABAP (SAP Cloud for Customer)
BS25999 (SAP Data Center Operations) Once a year Accredited auditing company

10 Data Protection and Privacy
Use the Data Protection and Privacy work center to manage personal and sensitive personal data of employees,
individual customers, and contacts. As an employee responsible for data protection and privacy regulation
compliance in an organization, you can use the work center to disclose as well as remove data on request.
Data processing systems store master data or transactional data used to perform business processes and to
document them. In many cases, it involves the personal data of employees, individual customers, and contacts.
In many countries, the storage, disclosure, and removal of such personal data from data storage systems must
be in accordance with statutory data protection laws. One requirement in many countries is that the personal
data can only be stored if a clear business reason for this data retention exists. Most data protection legislation
proscribes fixed retention periods, defining how long data can be stored in data systems, after which it must be
deleted. In addition, legislation in many countries stipulates that the data protection officer must disclose the
personal data of individuals, when they expressly request it.
The Data Protection and Privacy work center allows those responsible for data protection functions in an
organization to respond to requests to fulfill the following requirements:
● Disclose personal data for all employees, individual customers, and contacts.
● Remove personal data once the retention period for all relevant data is expired.
● Monitor and manage background data removal processes using an application log.
● Display log data detailing each access made to the Personal Data Disclosure and Personal Data Removal
overview screens containing personal data.
 Note
In this document, employees, individual customers, and contacts are collectively referred to as business
partners.
Features
There are a number of key features of Data Protection and Privacy in SAP Cloud for Customer. These are
outlined as follows:
Data Disclosure — Obligation to Disclose
A key principle in data protection and privacy is the Obligation to Disclose. This is an obligation set in legislation
in many countries where data protection regulation has been adopted. As an administrator responsible for data
protection regulation compliance, you can disclose personal data of employees, individual customers, and
contacts. You can display a summary of all data associated with these business partners stored in the SAP
Cloud for Customer system. You can also access the detailed records.
Data Removal — Deletion on Request
This second data protection and privacy principle refers to the requirement of organizations to delete personal
data held on its business partners that is kept in an identifiable form, and retain this data for no longer than
necessary. Where specified, organizations must delete all such personal data after the relevant data retention
period has elapsed.

Data Protection and Privacy PUBLIC 67
Read Access Logging
Certain categories of personal data are considered sensitive due to their criticality and importance. You can
activate tracking of read access to such personal data. You have to carefully review the groups of such personal
data available and activate read access logging for those groups which are processed by your organization. In
the SAP Cloud for Customer, you can also add custom fields and mark them for read access logging.
Change Log for Personal Data
A log is created whenever there is a change in personal data. You can view the change records for a specific
business object in the respective Changes tab.
If you are an administrator, you can restrict access to the change logs by removing access to the Changes tab
for regular users. You can then create a new layout that includes the Changes tab and assign this layout to
authorized users.
The change logs are not available via regular APIs. They can only be exported using a specific API accessible to
users with data protection and privacy related authorizations.
A change log is removed only when an object is completely depersonalized. This means that a log remains
unchanged even if personal data is removed from an active object.
Data Protection Roles
In large organizations, employees with the designated role (Data Protection Officer, for example) are
responsible for ensuring that data protection and privacy principles are followed, and that the organization
complies with all data protection and privacy legislation in force within the country (or countries) it operates.
However, these tasks can be delegated to other authorized employees, for example, designated Human
Resources administrators.
Authorization
The Data Protection and Privacy work center is only available to authorized employees or Data Privacy officers
in your organization. It is therefore strongly recommended this work center assignment is only given to those
employees directly responsible for data protection and privacy regulation compliance in your organization.
Usage Block
This is the point in time for a data set when the processing of personal data is no longer required for the
primary business purpose. After the End of Purpose has been reached, the data is blocked and can only be
accessed by users with special authorization, for example, tax auditors. In SAP Cloud for Customer, we have
the following solution:
● You can set a business process to end-of-purpose via an API call, which helps support integration. It
prevents the business process from displaying value helps, so you cannot use it to create new transactions.
There is however no standard access restriction. Any user can still search for the business process and
open it.
● You can delete or depersonalize data. If the data is still required for later audits. you can export it using the
OData APIs.
 Note
Employees, such as Data Protection officers with responsibility for data protection have full access rights
for the Data Protection and Privacy work center. These access rights allow an authorized user to access
personal data for the selected business partner in all SAP Cloud for Customer work centers where such
data exists. Because of the ability for an individual user to access large volumes of personal employee data
across many work centers, the access log is provided to allow transparency and traceability of user access

68 PUBLIC Data Protection and Privacy
to personal data. The log does not contain detailed personal data, but rather a summary of the types of
data accessed, when, and by whom it was accessed.
10.1 Disclose Personal Data
Disclose personal data of employees, individual customers, and contacts in the Data Protection and Privacy
work center.
As an administrator responsible for data protection regulation compliance, you can disclose personal data of
employees, individual customers, and contact. You can display a summary of all data associated with these
business partners stored in the SAP Cloud for Customer system. You can also access the detailed records.
 Note
partners.
Procedure
1. In the Data Protection and Privacy work center, open the Personal Data Disclosure view.
2. To display the disclosure-relevant data for employees, individual customers, and contacts, select the
relevant option from the dropdown. For example: If you want to disclose an employee’s data, select All
Employees.
3. Select the desired business partner from the list and click Disclose Data. A new overview screen opens that
displays all the disclosed data for the selected business partner.
 Note
Before the overview screen is loaded, a dialog box appears informing you that your access to this
screen is logged. Confirm this message to proceed.
4. Click Expand all to view all individual records that are to be disclosed. Click the expand and collapse
triangle icons to view individual data record summaries for the selected entity.
5. Click the links for the individual records, for example, General Data or transactional data, such as Leads or
Opportunities, to navigate to the actual data record held in the SAP Cloud for Customer system.
 Note
The figure shown in the Records column represents the number of discreet data records (for example,
Sales Orders) of the selected type assigned to the employee in the SAP Cloud for Customer system. A
zero indicates that no records of this type exist for the selected employee.
6. Click Close to return to the Personal Data Disclosure view.
You have successfully extracted a summary of all personal data required for disclosure to an individual who
requests it.

10.2 Remove Personal Data
Delete personal data of employees, individual customers, and contacts on their request in the Data Protection
and Privacy work center.
It is now possible for you, as an administrator with responsibility for data protection functions, to delete
personal data of employees, individual customers, and contacts on their request, at a time in the Personal Data
Removal view of the Data Protection and Privacy work center.
 Note
partners.
Prerequisite
The retention periods relevant for your country have been maintained in your system configuration in the
following fine-tuning activities:
● Data Retention Rule for Employees

If you configure this activity, the system runs a query for the employee validity dates. It then checks these
validity dates against the retention period configuration, which is similar to private accounts, sales orders
and quotes that raise vetoes. It also checks if any sales order or sales quote exists against the retention
period configuration, and then proceeds with the data removal process.
● Data Retention Rule for Private Accounts
If you configure this activity, the system checks if any sales order or sales quote exists against the retention
period configuration, and then proceeds with the data removal process.
 Note
Users with authorization to access the Data Protection and Privacy work center can perform all data
protection and privacy functions within this work center, including the disclosure and deletion of personal
data. Access to this work center is granted in the Administrator work center. Ensure that only employees
with authorization to disclose or delete personal data are granted access to the Data Protection and Privacy
work center.
Procedure
1. In the Data Protection and Privacy work center, open the Personal Data Removal view.
2. To display data for removal of employees, individual customers, and contacts, select the relevant option
from the drop-down. For example: If you want to remove an employee’s data, select All Employees. If you
want to delete the data for multiple employees, click the Show Advanced Filter icon. In the Employee ID
field, click the More Options icon. In the Employee ID dialog box that opens, enter the employee IDs or
employee names in the Value field and click Go.

 Note
If there is a legal requirement to keep a business partner information in the system, click Block Removal
to block the entity from being depersonalized. Click Unblock Removal once the blocking need no longer
exists.
When a business partner is blocked for removal, it is not possible to trigger a personal data removal run
from the Data Protection and Privacy work center. During scoping, you can prevent the deletion of
transactions that are assigned to a blocked business partner. To enable this option, navigate to
Business Configuration Implementation Projects Your Project Edit Project Scope Questions
Built-in Services and Support System Management Security Data Privacy and select the
related option.
3. Select the desired business partner from the list and click Remove Data. A new overview screen opens that
displays all the data that can be deleted.
4. To delete personal data of individual customers, and contacts, click Delete.
To delete employee data, follow these steps:
1. Select the Marked for Deletion checkbox for each work agreement (and associated documents) and
availability calendars you wish to set for later removal from the system
2. Click Delete to trigger the removal of all work agreements, availability calendars, and associated
application data marked for deletion from your system.
3. Confirm that you still wish to continue with this irreversible deletion of the selected records. If you are
removing the last remaining work agreement held for an employee, the system warns you that
continuing with this process removes the employee record from the SAP Cloud for Customer system.
4. Confirm that you wish to continue with the removal or cancel it.
After clicking Delete for all records marked for deletion, the Marked for Deletion checkbox is disabled,
while the remainder of the removal process is performed by the system in the background. After the
deletion process is successfully completed, for the affected work agreements, the Marked for Deletion
checkbox is disabled and Retention Period Completion status changes to No or No available data. The
begin date for these records also change.
5. Click Close to return to the Personal Data Removal screen.
 Note
● The data removal process is local in Cloud for Customer and is not replicated to any external system
such as SAP CRM, S/4, or SAP ERP. In an integrated landscape we presume that the backend systems
are the leading system which govern the life cycle of the customer record because the backend solution
ideally has financial documents like invoices.
As an alternative you can mark the customer record as obsolete and let the automated removal run
take care of triggering the removal. Once you mark the records as obsolete, the change is replicated to
the connected systems where each of these systems handle the customer records locally.
● If an individual account is deleted, all appearances in any party role for this instance in transactional
documents are depersonalized unless it is blocked for deletion.
● In addition, removal of employees and contact persons leads to different results for different
transactions. For example, activities might be deleted completely, whereas other transactions have
their descriptions removed or scrambled, or attachments deleted. During scoping, you can choose to
retain the transactional data that are assigned to contacts and employees. To enable this option,
navigate to Business Configuration Implementation Projects Your Project Edit Project Scope
Questions Built-in Services and Support System Management Security Data Privacy and

select the following question: During personal data removal, do you want to retain the transactional data
and remove only the personal data of contacts and employees?
Result
You have successfully removed all work agreements (and associated application data) and availability
calendars from the system for the selected entity. You can verify this removal by starting the Administer Data
Removal Runs common task, and selecting Successful Removal Runs in the Show field.
Your access to the data removal overview has been logged.
10.3 Administer Data Removal Runs
Check the status of all data removal runs performed in the background.
Removal of personal data in the Data Protection and Privacy work center is performed automatically in a
separate background process. The Administer Data Removal Runs common task provides you with an overview
of planned, current and completed data removal runs, the ability to reschedule failed runs, mark runs as
obsolete, and delete runs.
Data removal runs are triggered by users in the Personal Data Removal view and executed by the system in the
background. Within the Personal Data Removal screen from which the process is started, the user receives no
direct feedback on the status of the removal run that has been triggered. You check the outcome of all data
removal runs in the system using the Administer Data Removal Runs common task.
Features
The Administer Data Removal Runs common task provides you with an entry point to check the status of all
background data removal runs performed by the system.
Three key features of this common task are summarized below:
Schedule Job
Select an existing removal run and click Schedule on the initial Administer Data Removal Runs screen. Allows
you to reschedule runs that have previously failed.
Set Run To Obsolete
Select an existing removal run and click Actions Set to Obsolete . This is useful in situations when, for
example, technical issues mean there is no point in retrying the run in question at this point in time.
Delete Run
Select an existing failed removal run with the status Obsolete and click Delete . The removal run is deleted from
the system. You can also delete successfully completed removal runs.

 Note
Information about the removal run itself is stored by the system in the Removal Log if you are deleting a
previously successful removal run. However, the deletion of failed removal runs is not logged.
You access this log in the Common Tasks section of the Personal Data Removal view.
You can also access the Job Monitor by selecting an existing removal run and clicking View Jobs on the initial
Administer Data Removal Runs screen. The monitor displays the status for individual removal run jobs that
have commenced in the system and can provide more information as to why a particular job has failed, the
actual status of the job in the system (for example, Pending), or if there is an error in the job itself.
Application Log Detailed View
Accessed by clicking the Application Log ID for a given job in the Details section of the initial Administer Data
Removal Runs screen. Each instance of the Application Log consists of three different tab sections that group
the messages posted to the log itself:
● Overview
Displays an aggregation of the removal run data collected in Results.
● Settings
Contains information on the parameters and settings of the business objects in the system background:
log parameters, selection criteria used to create the log data, and any relevant data derived from
configuration settings.
● Results
Provides detailed information and status of the removal run, including any error messages generated
during execution.
 Example
As the Human Resources administrator, responsible for employee data protection and privacy in Akron
Heating, Oliver Adams must remove personal data for an employee who has requested its removal. The
statutory retention period for this data is completed, so Oliver can now remove this data from the system.
Oliver triggers removal of the employee's data on the Remove Employee screen and receives a message
that the data removal process for this employee has started in the background. Oliver now checks on the
status of the removal run he has triggered as follows:
1. He opens the Administer Data Removal Runs common task and in the Show field, he selects All
Removal Runs.
2. He sees from the Removal Failed column that the removal run he triggered was not successful.
3. He decides to reattempt this removal run, so clicks Schedule and opens the Schedule Job screen for his
selected run and selects the Start Immediately radio button.
4. This removal run unfortunately fails for a second time. Oliver decides therefore to abandon this
particular removal run and seek support from colleagues. He sets the run as obsolete and then clicks
Delete to remove all data about this failed run from the system. As the run failed and no personal data
was removed for the employee on this occasion, there is no entry made in the Removal Log by the
system.

10.4 Automate Removal of Obsolete Business Partners
As a data protection officer, you can schedule automated deletion of obsolete business partners, such as,
contacts, employees, and individual customers.
In the Administer Obsolete Business Partner Removal Runs view, you can create a batch job to schedule
deletion runs. You can schedule the runs immediately, or set a recurrence to continuously purge obsolete
business partners from the system. The system selects all the business partners that have been set as
obsolete before a certain cut-off date. This is required to account for deletion vetoes if a business partner can't
be deleted. Once the selection is done, the system creates one data removal run per business partner.
Pre-requisite
The business partners are already marked as obsolete.
Procedure
1. Navigate to Data Protection and Privacy Common Tasks and click Administer Obsolete Business
Partner Removal Runs.
2. Click New to open the Schedule Deletion Run screen.
3. Enter a Run ID and description. The Run ID must be a unique ID with no spaces or special characters.
4. Enter the Date Offset period. This means that the business partners are removed from the system after the
offset time is over, for example, 30 days after the business partners are set to obsolete.
5. Choose a Business Partner Type.
To include business partners that are mapped to other systems, select the Include Business Partners with
ID Mapping checkbox.
If you do not select the checkbox, the system excludes the business partners that are replicated in other
external systems such as SAP S/4HANA, and ERP, and only triggers removal for business partners
available locally in the SAP Cloud for Customer system.
To further filter, and include only business partners that are not blocked for removal, select the Only
Business Partners marked as End of Purpose checkox.
6. Select the run option to either start the run immediately or schedule a recurring run.
7. Click Save and Close.
In the Deletion Runs overview screen, select your run to see the details in the table below. Click the Application
Log ID hyperlink to open the screen with details of your run. In the Results tab, the system displays the status of
all the individual removal runs for each business partner, and the corresponding Run ID, if already scheduled.
 Note
● The green icon indicates that the removal run has been already scheduled. This does not mean that the
removal is successful. To check the status of the obsolete business partner removal runs performed in
the background, navigate to the Administer Data Removal Runs view and search by the Run ID.
● The red icon indicates that the system failed to trigger a removal run.

10.5 Enable Read Access Logging
Use Read Access Logging (RAL) to log and monitor read-access to sensitive personal data such as bank data.
You can identify and track who has accessed critical information and when.
In the SAP Cloud for Customer system, you can monitor the access to sensitive personal data in the Read
Access Logging view under the Data Protection and Privacy work center.
Read access logging is enabled for the following channels:
● User Interface (UI)

● Attachments
● Web Services
● OData Services
● Data workbench
● Change Log
● Analytics
● Excel Download
● Output Management
● Business Task Management
Whenever sensitive personal data fields are viewed by a user, a Read Access Log (RAL) entry is created. These
entries form different RAL field groups in the system.
If the field that you have marked as sensitive personal is part of a field group that is already active, the system
takes one day to start reading the access log for the same. To start read access logging immediately, activate or
deactivate the corresponding field group.
 Note
● You can add sensitive personal data fields only to Business Partner extensions.
● You cannot add sensitive personal data fields to object work lists, value selections, enterprise search,
or extension scenarios.
● You cannot use sensitive personal data fields as placeholders in workflow rules.
Standard RAL Field Groups
The standard Read Access Logging enabled fields along with the corresponding Field Group are listed in the
following table:
Business Objects Field Field Group
Business Partner – Banking extension Bank Account Number Business Partner Banking Data
(Bank account number for the liquid as

set)

Business Objects Field Field Group
Business Partner – Banking extension Bank Account Number Business Partner Banking Data
(Bank account number for the liability )
Business Partner Tax number and Type Business Partner Tax Data
Business Partner Place of Birth Business Partner Origin
Field Groups for Attachments
The following table gives you a list of the objects that support RAL enabled custom document type
attachments:
Business Objects Field Group
Activity Activity Attachment
Business partner Business Partner Attachment
Contract Contract Attachment
Lead Lead Attachment
Opportunity Opportunity Attachment
Promotion Purpose
Sales Document Sales Document Attachments
Service Request Service Request Attachment
Other Field Groups
The following list provides an overview of other available field groups:
● Data Workbench: Access to files stored in the Data Workbench can be enabled for read access logging.
● Key User Tools Extension Fields: This field group contains all custom fields added via the adaptation
mode and marked as sensitive personal data. This group is activated or deactivated after each change to
the custom field classification
● Output Management Data: Data that leaves the system via the Output Management (for example
printing) can be tracked via this group.
● Web Service Message: The web service monitoring provides access to the payloads of the processed web
service calls. Due to its potentially sensitive nature, this feature is restricted to administrators.

● SAP Cloud Applications Studio: Sensitive personal data custom fields added via the SAP Cloud
Applications Studio are controlled via field groups that correspond to their project name.
 Note
You are not allowed to debug or trace the SAP Cloud Applications Studio solution in the production
system, if RAL is scoped and any RAL field group is active. However, if you want to debug the solution,
your administrator must assign your user to the Production Debugging Authorization work center view.
After the debugging is complete, it is recommended that the authorization is removed.
Prerequisites
● You have selected the scoping question Do you want to switch on the Read Access Logging for sensitive
personal data?. To find this question, navigate to Business Configuration Implementation Project Edit
Project Scope Questions Built-in Services and Support System Management Security .
● You have defined customer document types for attachments using the following steps:
1. Navigate to Business Configuration Implementation Project and click Open Activity List.
2. Search and select the Customerdefined document types for attachments activity.
3. Under CustomerDefined Document Types, click Add Row, and then define your document type.
4. Select the relevant usage, and click Save and Close.
If you select the applicable usage on both the documents, attachments are copied to a follow-up
document.
Field Group Configuration
1. In the Data Protection and Privacy work center, navigate to Read Access Logging Field Group
Configuration .
The system displays a list of field groups that are available for the limited set of standard fields, as well as
for any documents that support sensitive custom document types. There is also a specific field group to
include all extension fields.
2. Select a field group from the available list and click Activate. The data for this field group is now enabled for
read access logging.
ClickDeactivate, if you do not want read access to that field group information to be included in the log.
To view changes to the field group, click Changes and enter the date range for which you want to see the
changes.
Click Actions Show Read Access Log to go directly to the Read Access Log screen.
Click Actions Generate Field Group Configurations to add a new field groups to the list of Field Groups
whenever it is available in the system.

Download Log Data
To download log data manually, follow these steps:
1. Navigate to Read Access Logging Log Display .

2. Click the Show Advanced Filter icon and select your date range.
3. Select the desired record and click Download.
The downloaded log entries are available in the XML format. The XML log lists the information about where
the data has been accessed, who has viewed the data, when the data was accessed, and what has been
accessed.
You can also download the RAL data via web service QueryReadAccessLogIn. To enable this service, navigate to
Administrator Integration , and create a new Communication Scenario and a new Communication
Arrangement.
 Note
● Read access logs are deleted automatically after 14 days.

● Store the data in a safe place which is accessible to only few authorized people.
10.6 Depersonalize Transactional Data

Delete or depersonalize data from all transactional documents.
The processing of personal data is subject to applicable laws related to the deletion of this data when the
specified, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a
legitimate purpose that requires the use of personal data, it must be removed. When removing data in a data
set, all referenced objects related to that data set must be removed as well.
As an administrator with responsibility for data protection functions, you have the ownership to decide when a
document loses its business purpose. In the SAP Cloud for Customer system, you can delete or depersonalize
a document based on the following conditions:
● Delete: Documents that do not provide any value after personal data is removed, are deleted. They are no
longer available in the system.
● Depersonalize: Documents that have business value, even if no personal data is available, are
depersonalized. The system removes all the personal data, but retains the business data. The documents
are still in the system and an authorized person can access them. However, these documents can no longer
be changed.
Since depersonalization removes all personal information, the processed objects are no longer available
with the My <business object> filter. Some data in a depersonalized document is replaced by XXXX, and
others, such as, attachments, are deleted. The transaction itself remains, but the personal data is either
removed completely, or replaced with XXXX.
You can trigger a deletion in the following ways: To delete or depersonalize a document, navigate to any object
worklist (For example: due to such as, appointment, lead, opportunity), select the object, and from the actions
list , click Delete, or Depersonalize. If there are no blockers (either due to an involved Business Partner
being blocked for deletion, or due to the object still being active), the selected objects are depersonalized.

If you are required to keep data without purpose longer due to conflicting laws or regulations, you must export
it using the corresponding oData API before you delete or depersonalize it from the system.
You can also delete or depersonalize PSM released objects.
Blocked for Deletion
In the Data Protection and Privacy work center, under Personal Data Removal, it is possible to block person
based business partners from being deleted.
During the depersonalization run, the system checks to ensure that none of the involved business partners
have been blocked from deletion. It continues with the process only if there are no restrictions.
When you mark a document for deletion or depersonalization, the system ignores any defined retention
periods since the customer is in full control over what should be deleted or exported.
The following table gives an overview of all the objects that can either be deleted or depersonalized.
Business Objects Delete Depersonalize More Information
Activity Lists Yes
Appointments Yes
Phone Calls Yes
Tasks Yes
Visits Yes
Chats Yes
Routes Yes
Plans Yes
Deal Registration Yes
Sales Lead Yes
Leads Yes
Opportunities Yes
Sales Forecast Yes
Sales Target Plan Yes
Sales Territories Yes
Promotions Yes
Invoice Yes
Payments Yes

Business Objects Delete Depersonalize More Information
Partner Application Yes
Contracts Yes
Customer Orders Yes
Customer Quotes Yes
Sales POD Yes
Installation Point Yes
Installed Base Yes
Maintenance Plan Yes
Registered Product Yes
Tickets Yes
Time Entry Yes
Time Reports Yes
In addition to the objects in the table, there are some special objects that are handled differently:
● Surveys: Surveys are not intended to collect personal data and are therefore not deleted during a
depersonalization run.
● Routing Rules, Tours, and Routes: Routing rules, tours, and routes are configuration settings and are not
depersonalized. These objects are directly deleted if they are no longer needed.
● Territory: Territory is not part of document driven deletion. If necessary, Business Partners can be
removed from it.
● Sales Target Plan and Sales Forecast: Sales target plan and forecast does not have an OData based
export. It is possible to export planning data as an excel in the OWL
● Sales Price Specifications: Sales Price Specifications are replicated from ERP to Cloud for Customer. This
data is read-only in Cloud for Customer and cannot be changed. If this information must be removed, it
must be deleted in the system that owns those records and then replicated into Cloud for Customer.

10.7 Prerequisites for Usage Block Integration
When a business partner is blocked in an SAP CRM, SAP S/4HANA, or ERP system, you must ensure that the
usage block is retained when you integrate these systems with the SAP Cloud for Customer system. To do that,
you must follow specific guidelines for each system.
Prerequisites for SAP CRM system
● Ensure that the CRM system is at least on SAP CRM EHP3 SP05.
● In the SAP Cloud for Customer system, ensure the following:
○ In the Business Configuration work center, navigate to your project and click Edit Project Scope. Under
Questions Communication and Information Exchange Integration with External Applications and
Solutions Integration of Master Data , select the Do you want to check and maintain end of purpose
of a business partner from an external application? business option.
○ In the Administration work center, navigate to General Settings Integration Communication
Arrangement and configure the Business Partner End of Purpose Check from SAP Business Suite
communication scenario.
○ In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerEndOfPurpose
BAdI in the http://sap.com/xi/AP/Common/Global namespace. You can implement end of purpose
checks in this BAdI and raise a VETO check .
● If you are using the SAP NetWeaver Process Integration (PI):
○ Download the following PI content versions:
○ CRMCOD01 IC 700 – SP25
○ SAP BYD 2.40 – SP26
○ CRMPCD01 700 – SP25
○ Configure the following operation mapping:
○ CRM_COD_BusinessPartnerEndOfPurposeCheck
○ CRM_COD_BusinessPartnerEndOfPurposeSet.
● If you are using the Cloud Platform Integration:
○ Download the 1805 version of SAP Cloud for Customer Integration with SAP CRM
○ Configure the following iFlows:
○ Check End of Purpose of Business Partners from SAP Business Suite
○ Maintain End of Purpose of Business Partners from SAP Business Suite
● To see how you can control the blocking and deletion of personal data in SAP CRM, refer to the SAP Help
Portal for SAP CRM: http://help.sap.com/crm. Choose the relevant release, and navigate to Application
Help SAP Library Master Data Business Partners Functions Blocking and Deletion of Personal
Data in SAP CRM .

Prerequisites for SAP S/4HANA system

Solutions Integration of Master Data , select the Do you want to check and maintain end of purpose
of a business partner from an external application? business option.
Arrangement and configure the Business Partner End of Purpose Check from SAP Business Suite
communication scenario
○ In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerEndOfPurpose
○ C4CS4_IC 100 – SP08
○ SAP BYD 2.40 – SP26
○ Configure the following operation mapping:
○ S4_C4C_BusinessPartnerEndOfPurposeCheck
○ S4_C4C_BusinessPartnerEndOfPurposeSet
○ Download the 1805 version of SAP Cloud for Customer Integration with SAP S/4HANA
○ Configure the following iFlows:
○ Check End of Purpose of Business Partners from SAP Business Suite
○ Maintain End of Purpose of Business Partners from SAP Business Suite
● To see how you can control the blocking and deletion of personal data in SAP S/4HANA, refer to the SAP
Help Portal for SAP S/4HANA: http://help.sap.com/s4hana. Choose the relevant release, and navigate to
Product Assistance English Cross Components Data Protection .
Prerequisites for ERP system
● Ensure that the ERP system is at least on SAP ERP 6.0 EhP7 SP05.
Solutions Integration with SAP ERP , select the Do you want to integrate with the end of purpose
check of SAP ERP? business option.
Arrangement and configure the Business Partner End of Purpose Check from SAP ERP
communication scenario
○ In the SAP Cloud Applications Studio, implement the CheckBusinessPartnerERPEndOfPurpose

○ COD_ERP_INT_IC 6.00 – SP25
○ SAP BYD 2.40 – SP26
○ COD_ERP_INT 6.00 – SP25
○ Configure the following operation mapping: ERP_COD_BusinessPartnerEndOfPurposeCheck
○ Download the 1805 version of SAP Cloud for Customer Integration with SAP ERP
○ Configure the following iFlows: Business Partner End of Purpose Check from SAP ERP
● Read note 2623441
● To see how you can control the blocking and deletion of personal data in ERP, refer to the ILM document:
Data Protection

11 Security-Relevant Logging and Tracing
Change Logs [page 84]

Most business objects and every business partner object displays their detailed change logs in the
Change Logs tab. For example: Contacts, Individual Customer. If you are unable to see the tabs, then
you have to enable it using personalization; or have your administrator enable it for you.
Security-Relevant Reports [page 84]
Connectivity Errors - Troubleshooting [page 85]

The following table provides an overview of the error codes for outbound errors and recommendations
on how to solve the errors.
11.1 Change Logs
Most business objects and every business partner object displays their detailed change logs in the Change
Logs tab. For example: Contacts, Individual Customer. If you are unable to see the tabs, then you have to enable
it using personalization; or have your administrator enable it for you.
The Business Partners work center provides access to changes for all business partners such as: accounts,
employees, contacts, or individual customers. Different users can filter on their role to view and check on the
changes applicable to their activities. The Business Partner Changes tab, makes the change logs available to a
business partner. Access to the change log for the Business Partners tab should be restricted to users who
require it.
Go to Administrator Business Flexibility Flexibility Change Log to view the custom changes applied to
the system.
You can restrict access to the Change Logs tab using Adapt Edit Master Layout , based on the user role.
This helps control access to private information for all users.
11.2 Security-Relevant Reports
The Application and User Management work center offers a set of reports that provide insight into the system
´s behavior. Depending on your authorizations, not all of those reports may be accessible.
The following reports are provided:
● Access Rights Change Log

This report displays a list of all users in the system and their assigned access rights. It also lists when and
how the access rights were changed, and by whom. This information is relevant for compliance reasons,

84 PUBLIC Security-Relevant Logging and Tracing
enabling you to monitor the system to prevent fraud, or to trace who made system changes, if fraud has
been committed.
● All Current Access Rights
This report displays a list of all users in the system, and the access rights currently assigned to them. This
information is relevant for compliance reasons, enabling you to monitor the system to prevent fraud.
● All Current Users
This report displays a list of all users in the system. This information is relevant for compliance reasons,
enabling you to monitor the system to prevent fraud.
● Seggregation of Duties (SOD) Conflicts Report
This report displays the list of segregation of conflicts existing between assigned views of the business
users. Segregation of duties is designed to minimize the risk of fraud and errors, and protect company
assets such as data or inventories. This information is relevant for compliance reasons, enabling you to
monitor the kind of authorizations you have for the users in your system and to make you aware of the kind
of conflicting authorization assignments for any of the users.
● User Activation and Deactivation Log
This report displays a list of all users in the system, and when they were activated or deactivated. This
information is also relevant for compliance reasons, enabling you to monitor the system to prevent fraud.
Also in the User and Access Management work center, the IT Compliance view displays a list of IT control
processes and allows you to monitor service provider access to your solution. IT control processes are IT-
related changes made in your system, such as software updates or processes involving incident analysis.
11.3 Connectivity Errors - Troubleshooting
The following table provides an overview of the error codes for outbound errors and recommendations on how
to solve the errors.
Connectivity errors can occur on the client or on the server side. Errors that occur on the client side usually
mean that it is not possible to establish the technical HTTP(S) connection to the server on the network level.
Errors that occur on the server side are usually reported through an HTTP error code.

Security-Relevant Logging and Tracing PUBLIC 85
Outbound Errors
Error Code Reasons and Recommended Actions
ICM_HTTP_SSL_ERROR SSL error. This error may occur for several reasons. Depending on the
reason, proceed as follows:
● Reason:The configured port exists but is not an SSL port.

Action: Correct the port number in the Communication
Arrangement view.
● Reason: The SSL server certificate is signed by a Certificate Au
thority (CA) that is unknown or not included on the trust list.
Action: Carefully check the certificate. If it is signed by the correct
CA, add the certificate from the CA to the trust list using the Edit
Certificate Trust List common task in the Application and User
Management work center.
● Reason: The server certificate is not part of the certificate chain or
is sent in the wrong sequence, or the chain contains superfluous
certificates.
Action: Check that the certificate chain that the server sends com
plies with RFC5246.
ICM_HTTP_SSL_CERT_MISMATCH Invalid host name in SSL server certificate.
Reason: The server name or the server name pattern contained in the
server's certificate does not match the host name of the server.
Action: Contact the person responsible for the server and ask for the
server certificate setup to be checked and corrected if necessary. Note
that if the server is set up correctly, this error may indicate a man-in-
the-middle attack.

86 PUBLIC Security-Relevant Logging and Tracing
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Important Disclaimers and Legal Information PUBLIC 87
www.sap.com/contactsap
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.
Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.
THE BEST RUN

SAP Cloud For Customer Security Guide

Uploaded by

Copyright:

Available Formats

SAP Cloud For Customer Security Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SAP Cloud For Customer Security Guide

Uploaded by

Copyright:

Available Formats

PUBLIC

SAP Cloud for Customer

SAP Cloud for Customer Security Guide

THE BEST RUN

1 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Security Aspects of Data, Data Flow, and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

SAP Cloud for Customer Security Guide

7 Security of Data Storage and Data Centers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

8 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

9 Other Security-Relevant Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

10 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

SAP Cloud for Customer Security Guide

11 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

SAP Cloud for Customer Security Guide

● The business data is stored securely in SAP data centers.

SAP Cloud for Customer Security Guide

SAP Cloud for Customer Security Guide

Communication Channels [page 7]

Business-To-Business Communication and Application Integration [page 8]

E-Mail [page 18]

MIME Type Configuration [page 21]

SSN Tax Number in SAP Cloud for Customer [page 21]

2.1 Communication Channels

Type of Data Transfer­ Data Requiring Special

SAP Cloud for Customer Security Guide

E-mail SMTP SMTP server Application data Confidential data

Business-to-business HTTPS Web services Application data Application data

2.2 Business-To-Business Communication and Application

SAP Cloud for Customer Security Guide

2.2.1 Communication Arrangements Quick Guide

SAP Cloud for Customer Security Guide

2.2.1.1 Create a Communication Arrangement

SAP Cloud for Customer Security Guide

Authentication Method Settings

To create a PKCS#12 key pair file, perform the following steps:

SAP Cloud for Customer Security Guide

SAP Cloud for Customer Security Guide

This functionality is only valid for on-premise integrations.

SAP Cloud for Customer Security Guide

Authentication Method Settings

To create a PKCS#12 key pair file, perform the following steps:

SAP Cloud for Customer Security Guide

3. In the Communication Arrangements step, select one or more Communication Scenarios.

Enabled The check box can be unchecked if it is not necessary.

Service If the service is mandatory the check box is disabled.

Application Protocol Choose a protocol from the drop-down list.

Service URL Displays the URL of the service.

Enabled The check box can be unchecked if not required.

Service If the service is mandatory the check box is disabled.

Application Protocol Choose a protocol from the drop-down list.

Port Enter the port or path for the outbound service.

Service URL Displays the URL of the service.

SAP Cloud for Customer Security Guide

2.2.1.3 Edit a Communication Arrangement

You cannot edit predefined communication arrangements.

2. Change the relevant settings.

2.2.1.4 Edit the Communication Credentials for a

SAP Cloud for Customer Security Guide

Type of Data Transfer Data Requiring Special

Restrict read and write ac

Support and Technical Users View all support and techni

DE TC TrustCenter GmbH TC TrustCenter TC TrustCenter Univer

US Entrust.net www.entrust.net/ Entrust.net Client Cer

US GoDaddy.com, Inc. http://certifi- Go Daddy Secure Cer

US VeriSign, Inc. Class 1 Public Pri

US VeriSign, Inc. Class 1 Public Pri

US VeriSign, Inc. Class 2 Public Pri

US VeriSign, Inc. Class 1 Public Pri

US VeriSign, Inc. Class 1 Public Pri

US VeriSign, Inc. Class 2 Public Pri

US VeriSign, Inc. Class 2 Public Pri

US VeriSign, Inc. Class 3 Public Pri