SIS100 – Overview About Product Security, IDM and SSO
SAP Product Management, SAP TechEd 2013

Upload: woodt

Post on 31-Dec-2015

Page 1: SIS100 – Overview About Product Security, IDM and SSO
SAP Product Management, SAP TechEd 2013
SIS100: Overview About Product Security, Identity Management and Single Sign-On

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

Security – What is the problem realm?

(Word cloud on the slide; the terms shown are:) Security Management, SAP GRC, SAP NetWeaver Identity Management, Secure Programming, Vulnerability Analysis and Testing, Secure Software Development Lifecycle, Security Optimization Self Service, SAP NetWeaver Single Sign-On, Data Privacy, Security Logging, Monitoring, SIEM, IT Security, Lower cost, Raise Efficiency, Web Services Security, Read Access Logging, SSL/TLS, Digital Signature, e-Signature, SNC, LDAP, Kerberos, Budget restrictions, Security Services, Secure by Default, SAP ID Service, Cloud Security, Mobile Security, SCIM, OpenID Connect, Confidentiality, Non-repudiation, Authentication, Integrity, Authorization, Social identities, HANA.

SAP offers a holistic suite of security products, features and services to ensure secure customer systems

SAP NetWeaver Cloud and SAP ID Service: security features for cloud applications; authentication, single sign-on and identity federation for cloud applications.

Security Products: SAP NetWeaver Identity Management, SAP GRC Access Control, SAP NetWeaver Single Sign-On.

SAP NetWeaver 7.40: secure basis for SAP HANA, OAuth for mobile scenarios, Virus Scan Interface 2.0, Security Policies, Read Access Logging.

Software Security Assurance: internal and external security assessments, Security Response Process, Security Product Standard and Validation, Common Criteria Certification.

Security Services and Information: best practices and security configuration guides on SCN, SAP Online Help, Security Optimization (self-)Service, Configuration Validation.

The SAP Ecosystem Advantage: Strong Security Partner Network

For security and compliant identity management, SAP collaborates with numerous partners offering specialized solutions and services to fulfill even the most specific requirements of SAP customers.

The SAP ecosystem responds to a growing need for a more collaborative business approach – an approach designed specifically to deliver unparalleled customer value. The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP, other customers, partners and individuals.

Agenda

SAP Solutions for Security, Identity Management and Single Sign-On
SAP NetWeaver Security Solutions
– Authentication and Single Sign-On
– Authorization and Role Management
– SAP HANA Security
– Mobile Security, Cloud Security
– Logging and Monitoring
– Encryption of Data at Rest and in Transit
– Secure Software Development, Standards and Certifications
– Security Services and Support Offerings
SAP NetWeaver Single Sign-On
– Single Sign-On, Enterprise Single Sign-On
– Identity Federation
SAP NetWeaver Identity Management
SAP GRC Access Control

SAP NetWeaver Security Features: Authentication and Single Sign-On

Secure access to applications
Improve corporate security, decrease operational costs

(Diagram:) Connected systems: 3rd party systems, SAP mobile applications, SAP cloud applications, SAP Business Suite.

Authentication and single sign-on: make it easy for your users to do what they're allowed to do.
Identity management: making sure you know your users and what they can do.
Security governance and compliance: ensure corporate compliance to regulatory requirements.

Faster onboarding of new hires: 70
Reduction of password-related help desk calls: 70

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI:
– User-ID + Password
– X.509 Client Certificates
– SAP NetWeaver Single Sign-On: Kerberos, 2-Factor Authentication
– 3rd party SNC provider

Web based:
– User-ID + Password
– X.509 Authentication
– SAML 2.0
– SAP Logon Tickets
– Kerberos/SPNego
– OAuth

For Kerberos/SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security policies control how users are able to access a system:
– the permitted mechanisms to authenticate
– settings for password strength and expiration
– settings on how combinations of mechanisms work together
– privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
– allows for enforcing the best practices (segregation of duties, least privilege, etc.)
– enables meeting the required system protection
(Figure: example users Karen, John and Susan with their role assignments.)

The SAP ABAP Authorization Concept – runtime view

The figure shows how an authorization check in program code is resolved against the user master record:

– An authorization object X defines up to ten fields (Field1 … Field10); objects Y and Z do the same for their own fields.
– An authorization is an instance of an object with specific values: Authorization Object X with Field1 = ValuesX1 … Field10 = ValuesX10; Authorization Object Y with Field1 = ValuesY1 … Field10 = ValuesY10; Authorization Object Z with Field1 = ValuesZ1 … Field10 = ValuesZ10.
– Authorizations are bundled into an authorization profile; the profile belongs to a role; the role is assigned to a user, so the profile ends up in the user's master record.
– At runtime, transaction T runs program P, which performs a runtime check for each field:

    AUTHORITY-CHECK OBJECT 'X'
      ID 'Field1'  FIELD ValueX1
      ID 'Field10' FIELD ValueX10.
    IF sy-subrc NE 0.
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

The values named in the check are compared against the specific values of the authorizations that were instantiated and assigned to the user (checked against specific values).

SAP ABAP Authorization Concept
Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.
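The check shown in the figure, worked through as a small ABAP report. This is an added example, not code from the slide deck: the report name ZSIS100_AUTH_DEMO and the selection-screen defaults are constructed, while S_TABU_DIS with its fields DICBERCLS and ACTVT is a standard SAP authorization object. It shows the point the slide makes about the runtime check: the user passes only if one authorization in the profiles behind their roles matches every ID/FIELD pair at once, and sy-subrc is the only result the program gets.

```abap
REPORT zsis100_auth_demo.   " hypothetical report name (added example)

" S_TABU_DIS is the standard authorization object guarding generic table
" access in AS ABAP. Its fields:
"   DICBERCLS - table authorization group, e.g. 'SC'
"   ACTVT     - activity: '03' = display, '02' = change
" The check passes only if at least ONE authorization in the profiles
" behind the user's roles satisfies ALL ID/FIELD pairs at the same time;
" the values held there may be single values, ranges or '*'.

PARAMETERS: p_group TYPE c LENGTH 4 DEFAULT 'SC',    " constructed sample values
            p_actvt TYPE c LENGTH 2 DEFAULT '03'.

CLASS lcl_auth_demo DEFINITION.
  PUBLIC SECTION.
    " abap_true only when the caller holds a matching S_TABU_DIS authorization.
    CLASS-METHODS may_access_group
      IMPORTING iv_group          TYPE clike
                iv_actvt          TYPE clike
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_auth_demo IMPLEMENTATION.
  METHOD may_access_group.
    DATA: lv_group TYPE c LENGTH 4,
          lv_actvt TYPE c LENGTH 2,
          lv_text  TYPE string.
    rv_allowed = abap_false.
    lv_group   = iv_group.
    lv_actvt   = iv_actvt.

    " Both fields are checked together: an authorization holding
    " DICBERCLS = 'SC' with ACTVT = '02' does NOT satisfy a check for
    " DICBERCLS = 'SC' with ACTVT = '03'. Write  ID 'ACTVT' DUMMY  only
    " when a field is deliberately left out of the check.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_group
      ID 'ACTVT'     FIELD lv_actvt.

    " sy-subrc is the only result: 0 = authorized, 4 = not authorized.
    " Anything else (unknown object, more than ten ID/FIELD pairs, ...)
    " is a programming error and must still end in "deny".
    CASE sy-subrc.
      WHEN 0.
        rv_allowed = abap_true.
      WHEN 4.
        rv_allowed = abap_false.
      WHEN OTHERS.
        lv_text = |AUTHORITY-CHECK failed with sy-subrc { sy-subrc }|.
        MESSAGE lv_text TYPE 'E'.   " fail closed and surface the defect
    ENDCASE.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Check BEFORE the protected action, never after data was read or changed.
  IF lcl_auth_demo=>may_access_group( iv_group = p_group
                                      iv_actvt = p_actvt ) = abap_true.
    WRITE: / |{ sy-uname } may perform activity { p_actvt } on table group { p_group }|.
    " ... the protected table access would follow here ...
  ELSE.
    " A plain denial is enough; do not explain which authorizations exist.
    MESSAGE 'No authorization for this table group' TYPE 'E'.
  ENDIF.
```

The same pattern applies to any object: the values named in the check are compared with the values an administrator entered in the authorization via the role, so a profile holding ACTVT = '*' or DICBERCLS = '*' passes, whereas one holding '03' for a different table group does not. The protected work must be reachable only through the sy-subrc = 0 branch; the message in the WHEN OTHERS branch is there to expose a coding error, not to act as the access control.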

HR Organizational Management – Org Structure in HR

(Diagram:) Org units (O) such as Finance, HR and Market GER contain positions (S), e.g. 70008501 and 70008502 (1:n). Each position is held by an employee (P), e.g. John Smith and Eva Scott (1:1). Each employee is linked to an SAP user (US), e.g. SMITHJ and SCOTTE, via infotype 105 (1:1). Layers: Positions – Employees – Users.

HR Organizational Management – Role Assignment

(Diagram, same org structure as the previous slide:) Org units (O) Finance, HR and Market GER contain positions (S) 70008501 and 70008502 (1:n); positions are held by employees (P) John Smith and Eva Scott (1:1); employees are linked to SAP users (US) SMITHJ and SCOTTE via infotype 105 (1:1). Roles (AG) GEN_FIN and HR_ADM are assigned to objects in the org structure; user SMITHJ inherits roles GEN_FIN and HR_ADM from the org structure.

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

(Diagram:) Clients reach SAP HANA over SQL and MDX (from an application server or directly from a client) and over HTTP(S) through SAP HANA XS; SAP HANA Studio connects over SQL for administration. Security functions inside SAP HANA: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS applications run on top of them.

SAP HANA – authentication and single sign-on

SQL access:
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS):
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database.
Roles (and privileges) can be assigned to users.
Roles are used to bundle and structure privileges:
– create roles for specific groups of users; role hierarchies are supported
Role lifecycle: design-time roles, export to the production system, activate as runtime roles.

SAP HANA – authorization: privilege types

System privileges: authorize execution of administrative actions for the entire SAP HANA database.
SQL privileges: authorize access to data and operations on database objects.
Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view.
Package privileges: authorize access in the repository (modeling environment) at design time.
Application privileges: authorize access to SAP HANA XS application functions.

SAP HANA – communication and data encryption

Communication encryption:
– SSL
Data encryption:
– data volumes on disk

SAP HANA – audit logging

Logging of critical events for security and compliance, e.g.
– user, role and privilege changes
– configuration changes
User-defined policies for audit logging.
Data access logging:
– read and write access (tables, views), execution of procedures
Audit trail written to Linux syslog.

SAP HANA – security administration

Administration is done in SAP HANA Studio or via the SQL interface (command line tool hdbsql available).

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security – a strong foundation makes mobile successful

Layers of SAP Mobile Security (on-premise, hybrid, cloud):
– Device: Mobile Device Management
– Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
– Content: Mobile Content Management
– Communications: Telecom Expense Management
– Systems Management: Enterprise Mobility Management System

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

– Access personal business documents instantly on your laptop or any mobile device
– Discover and access content from corporate document management systems
– Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

The SAP ID service provides authentication, single sign-on and user management for the SAP Cloud: managing identities and their lifecycle within the SAP Cloud, and leveraging SSO to SAP web sites and On-Demand applications.

One SAP identity: the SAP ID service bridges the gap between
– the customer's on-premise application
– SAP on-demand applications
– SAP websites
– 3rd party on-demand applications
by verifying user identities and granting authentication.

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity „Camps“ – Handled With Industry Standards

Standards shown, spread between Enterprise (On-Premise) and Internet/Cloud (On-Demand): SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos.

SAP bridges the gap between these two „camps“.

Support of Industry Standards

– REST is the preferred choice for UI consumption scenarios in the cloud.
– SOAP/WS-* is the preferred choice for process integration in the enterprise.
– Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
– Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
– The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between OP and OD instead of point-to-point connections.

(Diagram:) In the customer's on-premise network, the user authenticates at the on-premise IdP (X.509). In the SAP on-demand network, the SAP ID service trusts the on-premise IdP and social IdPs and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd party apps.

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

Integration scenarios: OnDemand integration, OnPremise integration, OnDevice integration.

Secure Communication and Interaction: OnDemand Solutions

(Diagram:) Company A and Company B each run a backend network (R/3 application server farm, ERP, DIR). Each company has its own identity provider and its own on-demand solution; the on-demand solutions trust the identity providers via SAML, and the backends are reached with SAP logon tickets. A further on-demand solution with its own identity provider is connected via SAML.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots:) Configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor.
Read Access Log: used to ensure compliant access to sensitive or classified data; tracks who accessed which data, when, and via which interface. Target audience: data protection officer.
Security Audit Log: monitoring of security-relevant events in the system such as logons, access control violations and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Diagram:) In the SAP environment, AIS covers audit planning (work program: system audit, business audit), online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents) and data export (account balances, line items). Through an export interface, the non-SAP environment handles work paper preparation and reporting with analysis software (ACL, IDEA, …) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) logs all access to classified or sensitive data and supports the evaluation of these events. It tracks:
– who accessed the data
– which data was accessed
– when the data was accessed
– how the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram:) ABAP server – application (Web Dynpro) – Read Access Log.

Read Access Logging Framework Features

Read Access Logging logs all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

(Diagram:) SAP GUI for Windows sends requests to and receives responses from the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log and handed over by an asynchronous call of the log service to the permanent log storage in the repository. The application logic is untouched; a sample implementation is delivered.

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
Transaction BP (Business Partner) log record (screenshot on the slide).

UI Logging: Log Record Example II
Transaction SE16 (Table Viewer) log record (screenshot on the slide).

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release. Within the solution you can configure the information to be logged per InfoProvider. The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram:) SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.

– Digital signatures for legally binding contracts
– Integration with the Secure Store and Forward (SSF) API
– Out-of-the-box support for a set of SAP transactions
– Consistent with SAP Single Sign-On mechanisms
– Easy and flexible to implement
– Generation of X.509 certificates and smart card support
– PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. A transaction triggers a digital signature.
2. User information is transferred.
3. The user authenticates at the SAP client and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

Supported out-of-the-box for a set of SAP transactions. Programming/integration is necessary in case of:
– ABAP programming for other transactions not yet supporting SSF
– integration of the Secure Login Library with client actions
– hardware support needed

SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

– Included in the SAP NetWeaver license
– Encryption between SAP client and application server
– Based on SNC and Kerberos
– No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
– No single sign-on included

(Diagram:) Clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect to the SAP application server over SNC; SAP application servers talk to each other over SNC.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Diagram:) Four building blocks: Secure Software Development at SAP, Secure Software Development by customers, Security Services, and Security Management. The same diagram introduces each of the following blocks.


SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes, second Tuesday every month
SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)
SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners
SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press


SAP Security Management for Your Systems: Are you ready?

– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

Patch Management and Security Monitoring

– Check the security of your systems onsite, remote or as self service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day
– The most important notes which can be automatically applied are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design:
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace
Resources: SAP security recommendations, SAP security guides
How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection
Resources: SAP Secure Programming Guides, SAP Security Recommendations
How to verify: source code scanning – automate it
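Two of the bug classes listed above, SQL injection and directory traversal, shown as vulnerable and hardened ABAP in one report. This is an added example, not code from the presentation or from SAP's secure programming guides: the report name ZSIS100_SECURE_PROG_DEMO, the logical file name ZSIS100_EXPORT, the export directory and the selection-screen defaults are constructed. cl_abap_dyn_prg and the function module FILE_VALIDATE_NAME are standard SAP facilities, and SFLIGHT is the standard flight-data demo table.

```abap
REPORT zsis100_secure_prog_demo.   " hypothetical report name (added example)

" Constructed selection-screen input standing in for untrusted user input.
PARAMETERS: p_carr TYPE c LENGTH 40  DEFAULT 'LH',
            p_sort TYPE c LENGTH 30  DEFAULT 'CONNID',
            p_file TYPE c LENGTH 255 DEFAULT 'export.csv'.

CLASS lcl_secure_demo DEFINITION.
  PUBLIC SECTION.
    " VULNERABLE: user input is glued into a dynamic WHERE clause.
    " An input such as  LH' OR CARRID <> '  switches the filter off.
    CLASS-METHODS count_flights_unsafe
      IMPORTING iv_carrid       TYPE clike
      RETURNING VALUE(rv_count) TYPE i.

    " HARDENED: the value is escaped with cl_abap_dyn_prg=>quote and the
    " dynamic column name must be on a whitelist (names cannot be quoted).
    CLASS-METHODS count_flights_safe
      IMPORTING iv_carrid       TYPE clike
                iv_sort_col     TYPE clike
      RETURNING VALUE(rv_count) TYPE i
      RAISING   cx_abap_not_in_whitelist.

    " Directory traversal: the application owns the directory; the user
    " only chooses a plain file name inside it. Empty result = refused.
    CLASS-METHODS export_path_for
      IMPORTING iv_user_file   TYPE clike
      RETURNING VALUE(rv_path) TYPE string.
ENDCLASS.

CLASS lcl_secure_demo IMPLEMENTATION.
  METHOD count_flights_unsafe.
    DATA lv_where TYPE string.
    lv_where = |CARRID = '{ iv_carrid }'|.                  " injection point
    SELECT COUNT( * ) FROM sflight INTO rv_count WHERE (lv_where).
  ENDMETHOD.

  METHOD count_flights_safe.
    DATA: lv_carr    TYPE string,
          lv_sort    TYPE string,
          lv_where   TYPE string,
          lt_allowed TYPE string_table,
          lt_flights TYPE STANDARD TABLE OF sflight.
    lv_carr = iv_carrid.        " char -> string drops trailing blanks
    lv_sort = iv_sort_col.
    APPEND 'CONNID' TO lt_allowed.
    APPEND 'FLDATE' TO lt_allowed.
    APPEND 'PRICE'  TO lt_allowed.
    " Raises cx_abap_not_in_whitelist for any other column name.
    cl_abap_dyn_prg=>check_whitelist_tab( val       = lv_sort
                                          whitelist = lt_allowed ).
    " quote( ) wraps the value in single quotes and doubles any quote
    " inside it, so the input can no longer close the literal.
    lv_where = |CARRID = { cl_abap_dyn_prg=>quote( lv_carr ) }|.
    SELECT * FROM sflight INTO TABLE lt_flights
      WHERE (lv_where)
      ORDER BY (lv_sort).
    rv_count = lines( lt_flights ).
  ENDMETHOD.

  METHOD export_path_for.
    CONSTANTS lc_dir TYPE string VALUE '/usr/sap/tmp/zsis100/'.   " constructed
    DATA lv_name TYPE string.
    lv_name = iv_user_file.
    " Separators and '..' are the building blocks of a traversal such as
    " ../../etc/passwd; a plain base name needs neither.
    IF lv_name IS INITIAL OR lv_name CA '/\' OR lv_name CS '..'.
      RETURN.
    ENDIF.
    rv_path = lc_dir && lv_name.
    " Second line of defence: SAP validates the physical name against the
    " logical file name ZSIS100_EXPORT maintained in transaction FILE
    " (hypothetical name; its definition must point to lc_dir).
    CALL FUNCTION 'FILE_VALIDATE_NAME'
      EXPORTING
        logical_filename           = 'ZSIS100_EXPORT'
      CHANGING
        physical_filename          = rv_path
      EXCEPTIONS
        logical_filename_not_found = 1
        validation_failed          = 2
        OTHERS                     = 3.
    IF sy-subrc <> 0.
      CLEAR rv_path.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " count_flights_unsafe is kept for comparison only and is not called.
  TRY.
      WRITE: / |Flights: { lcl_secure_demo=>count_flights_safe(
                             iv_carrid = p_carr iv_sort_col = p_sort ) }|.
    CATCH cx_abap_not_in_whitelist.
      WRITE: / 'Rejected: sort column is not whitelisted'.
  ENDTRY.
  IF lcl_secure_demo=>export_path_for( p_file ) IS INITIAL.
    WRITE: / 'Rejected: file name would leave the export directory'.
  ENDIF.
```

The two hardening steps differ by what can be escaped: a literal value can be made safe with quote( ), but a column or table name that becomes part of the statement text cannot, so it has to be checked against a fixed list. The file-name case follows the same logic: rather than sanitising a user-supplied path, the program keeps control of the directory and validates the base name, with FILE_VALIDATE_NAME as an independent second check. Source code scanners such as the code vulnerability analysis add-on named on the following slides flag exactly these data flows from user input into dynamic SQL and file operations.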

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).
– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Figure: four testing approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Figure: the same four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources]

SAP NetWeaver Application Server add-on for code vulnerability analysis
Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter, Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general?
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP support portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                 | Course ID
Authorizations AS ABAP                | ADM940
Authorizations AS Java / Portal       | ADM200, EP200, ADM800
Authorizations BW                     | BW365
SAP NetWeaver Identity Management     | ADM920
Security Auditing                     | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Level | Assurance
EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested

Common Criteria Certified SAP Products

[Figure: map of markets where the Common Criteria certificate is accepted – New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France]

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions

[Figure: three layers – Compliance and Governance: SAP GRC Access Control; Identity Management: SAP NetWeaver Identity Management; Authentication and Single Sign-On: SAP NetWeaver Single Sign-On]

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0; cross-company domain single sign-on
• Secure Login: Single sign-on for Web-based and Web service-based applications. Standard-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
• SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment

What is Enterprise Single Sign-On?

[Figure: after the primary authentication of user jack_jones, the E-SSO monitor sits in front of the logon dialogs of a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; configured through a local management console]

Secure Login – Solution Architecture

[Figure: client system with the SAP frontend (NWBC, SAP GUI) and the Secure Login Client, and a web browser with key store and the SLWC applet using the SAP or Java crypto library; SAP backend systems with an ABAP stack (Secure Login Library, PSE service) and a Java stack (NetWeaver CE 7.2 running the Secure Login Server with its configuration data); an authentication server (e.g. SAP User Management); connections over DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM, SCM and further systems]

Identity Federation – Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each with its own Identity Provider and with ERP, CRM and SCM systems acting as Service Providers (SP); identity federation between the two Identity Providers]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Figure: an SAP NetWeaver Java Identity Provider (with its user account store) handles log on / log off and issues SAML tokens to Service Providers that each keep their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
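The browser-based flow above as an added Python illustration (not code from the presentation or from SAP): one logon at the Identity Provider, assertions consumed by two Service Providers without re-authentication, and the checks a Service Provider makes before it trusts a token. The entity IDs, user, key and the HMAC-SHA256 stand-in for SAML's XML signature are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: the entity IDs, users and key below are made-up placeholders,
# and the HMAC-SHA256 "signature" stands in for the XML signature of a real SAML IdP.
IDP_ENTITY_ID = "https://idp.company-a.example"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def _sign(body: dict, key: bytes) -> str:
    """Sign a canonical (sorted, compact) JSON encoding of the assertion body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates a user once and then issues assertions for any service provider."""

    def __init__(self, users: dict):
        self._users = users      # username -> password (constructed)
        self._sessions = {}      # session id -> username

    def logon(self, username: str, password: str) -> str:
        if not hmac.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("invalid credentials")
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def logoff(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def issue_assertion(self, session_id: str, sp_entity_id: str, now: float, ttl: int = 300) -> dict:
        """Assertion bound to one audience (SP) with a short validity window; no re-authentication."""
        if session_id not in self._sessions:
            raise PermissionError("no IdP session: redirect the user to the logon page")
        body = {"id": secrets.token_hex(8), "issuer": IDP_ENTITY_ID,
                "subject": self._sessions[session_id], "audience": sp_entity_id,
                "not_before": int(now), "not_on_or_after": int(now) + ttl}
        return {"body": body, "signature": _sign(body, IDP_SIGNING_KEY)}


class ServiceProvider:
    """Accepts assertions only from trusted issuers, for its own audience, and only once."""

    def __init__(self, entity_id: str, trusted_issuers: dict, account_map: dict):
        self.entity_id = entity_id
        self._trusted = trusted_issuers   # issuer entity ID -> verification key
        self._accounts = account_map      # federated subject -> local user account
        self._seen_ids = set()            # assertion IDs already consumed (replay check)

    def consume(self, assertion: dict, now: float) -> str:
        body, signature = assertion["body"], assertion["signature"]
        key = self._trusted.get(body.get("issuer"))
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(_sign(body, key), signature):
            raise PermissionError("signature mismatch")
        if body["audience"] != self.entity_id:
            raise PermissionError("assertion was issued for another service provider")
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise PermissionError("assertion outside its validity window")
        if body["id"] in self._seen_ids:
            raise PermissionError("assertion replayed")
        self._seen_ids.add(body["id"])
        return self._accounts[body["subject"]]


def _rejects(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def browser_sso_demo() -> dict:
    """One logon at the IdP, then access to two SPs without re-authentication."""
    idp = IdentityProvider({"jsmith": "constructed-pw"})
    trust = {IDP_ENTITY_ID: IDP_SIGNING_KEY}
    erp = ServiceProvider("https://erp.company-b.example", trust, {"jsmith": "SMITHJ"})
    portal = ServiceProvider("https://portal.company-b.example", trust, {"jsmith": "jsmith"})
    now = time.time()
    session = idp.logon("jsmith", "constructed-pw")
    result = {"erp_user": erp.consume(idp.issue_assertion(session, erp.entity_id, now), now),
              "portal_user": portal.consume(idp.issue_assertion(session, portal.entity_id, now), now)}
    # Misdirected, replayed, expired and tampered assertions must all be rejected.
    for_erp = idp.issue_assertion(session, erp.entity_id, now)
    tampered = idp.issue_assertion(session, erp.entity_id, now)
    tampered["body"]["subject"] = "admin"
    checks = {
        "wrong_audience": lambda: portal.consume(for_erp, now),
        "replay": lambda: (erp.consume(for_erp, now), erp.consume(for_erp, now)),
        "expired": lambda: erp.consume(idp.issue_assertion(session, erp.entity_id, now), now + 301),
        "tampered": lambda: erp.consume(tampered, now),
    }
    result["rejected"] = sorted(name for name, action in checks.items() if _rejects(action))
    idp.logoff(session)
    result["after_logoff_rejected"] = _rejects(lambda: idp.issue_assertion(session, erp.entity_id, now))
    return result
```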

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management around a Central Identity Store, driven by events such as on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: Identity Center with the IC database (MS SQL or Oracle DB, soon IBM DB2; stored procedures, logs, audit, identity services over HTTPS), Java and VB runtimes, DSE, dispatcher and event agent; Virtual Directory Server (VDS, LDAP, Java VM) in front of external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, app-specific); user interface on AS Java (Web Dynpro, ID Mgmt UI abstraction, JMX) and an MMC management console, soon to be Eclipse]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Figure: request flow between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control, built up over six steps]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
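The six-step sequence as an added Python example (not the presentation's or SAP's code): an access request moves through submission, approval, risk analysis and remediation to provisioning, with a segregation-of-duties check standing in for the risk analysis of step 4. The user, roles, approvers, target systems and the SoD rule are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed example: user, roles, approvers and the segregation-of-duties (SoD)
# rule below are made up; the six steps mirror the slide sequence.

class State(Enum):
    REQUESTED = 1
    PENDING_APPROVAL = 2
    APPROVED = 3
    IN_RISK_ANALYSIS = 4
    REMEDIATED = 5
    PROVISIONED = 6
    REJECTED = 0

# SoD rules: role pairs one user must not hold together, and the mitigating control.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "monthly payment review",
}

@dataclass
class AccessRequest:
    user: str
    requested_roles: set
    existing_roles: set
    approvers: list
    state: State = State.REQUESTED
    approvals: set = field(default_factory=set)
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

def submit(req: AccessRequest) -> None:
    """Steps 1 and 2: the user requests roles; the request goes to the approvers."""
    req.audit.append(f"1: {req.user} requests {sorted(req.requested_roles)}")
    req.state = State.PENDING_APPROVAL
    req.audit.append(f"2: sent for approval to {req.approvers}")

def approve(req: AccessRequest, approver: str) -> None:
    """Step 3: approval is granted once every listed approver has agreed."""
    if req.state != State.PENDING_APPROVAL or approver not in req.approvers:
        raise ValueError("approval not expected from " + approver)
    req.approvals.add(approver)
    if req.approvals == set(req.approvers):
        req.state = State.APPROVED
        req.audit.append("3: approval granted by all approvers")

def risk_analysis(req: AccessRequest) -> list:
    """Step 4: SoD check over existing plus requested roles (the Access Control part)."""
    if req.state != State.APPROVED:
        raise ValueError("risk analysis runs only on approved requests")
    combined = req.existing_roles | req.requested_roles
    req.risks = [rule for rule in SOD_RULES if rule <= combined]
    req.state = State.IN_RISK_ANALYSIS
    req.audit.append(f"4: risk analysis found {len(req.risks)} conflict(s)")
    return req.risks

def remediate(req: AccessRequest, decision: str) -> None:
    """Step 5: the compliance team approves (only if clean), mitigates, modifies or rejects."""
    if req.state != State.IN_RISK_ANALYSIS:
        raise ValueError("nothing to remediate")
    if decision == "approve" and req.risks:
        raise ValueError("cannot approve with open SoD conflicts")
    if decision == "mitigate":
        req.mitigations = {rule: SOD_RULES[rule] for rule in req.risks}
    elif decision == "modify":
        for rule in req.risks:          # drop the conflicting role from the request
            req.requested_roles -= rule
        req.risks = []
    elif decision == "reject":
        req.state = State.REJECTED
        req.audit.append("5: request rejected")
        return
    req.state = State.REMEDIATED
    req.audit.append(f"5: remediation decision {decision}")

def provision(req: AccessRequest, systems: dict) -> dict:
    """Step 6: write the final roles into each connected system and notify the user."""
    if req.state != State.REMEDIATED:
        raise ValueError("only remediated requests are provisioned")
    for roles_by_user in systems.values():
        roles_by_user[req.user] = roles_by_user.get(req.user, set()) | req.requested_roles
    req.state = State.PROVISIONED
    req.audit.append(f"6: provisioned to {sorted(systems)}; approval mail sent to {req.user}")
    return {name: sorted(roles[req.user]) for name, roles in systems.items()}

def run_scenario(decision: str) -> AccessRequest:
    """Full run for a user who already holds AP_INVOICE_ENTRY and asks for AP_PAYMENT_RELEASE."""
    req = AccessRequest("SMITHJ", {"AP_PAYMENT_RELEASE", "GEN_FIN"}, {"AP_INVOICE_ENTRY"},
                        approvers=["manager", "role_owner"])
    submit(req)
    for approver in req.approvers:
        approve(req, approver)
    risk_analysis(req)
    remediate(req, decision)
    if req.state == State.REMEDIATED:
        provision(req, {"ERP": {}, "CRM": {}})
    return req
```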

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

Compliant identity management for the entire system landscape

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 running on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A); connected via RFC to SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), and to non-SAP business applications through an adapter; optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP) via HTTP / web services, Content Lifecycle Management (CLM); front-end client with SAP GUI 7.10, web browser, Adobe Flash Player and SAP CR Adapter, connected via DIAG and HTTP]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Figure: the HR application raises a new-hire or change-of-position event; Identity Management calculates entitlements based on position; the line manager approves the assignments (No / Yes); SAP GRC Access Control performs the compliance check and remediation; users are created and roles and privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level – Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: SAP Attack Monitoring Infrastructure with the stages Connectivity, Extraction, Filtering, Normalization and Aggregation; inputs: attack pattern updates by SAP, logs of SAP NetWeaver and non-SAP NetWeaver systems, desktop and mobile frontends, infrastructure, database and network, IDS, alerts from SAP SolMan; outputs: API to other SIEM tools and an information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Security – What is the problem realm?

[Figure: word cloud of the security problem realm – Security Management, SAP GRC, SAP NetWeaver Identity Management, Secure Programming, Vulnerability Analysis and Testing, Secure Software Development Lifecycle, Security Optimization Self Service, SAP NetWeaver Single Sign-On, Data Privacy, Security Logging, Monitoring, SIEM, IT Security, Lower cost, Raise Efficiency, Web Services Security, Read Access Logging, SSL/TLS, Digital Signature / e-Signature, SNC, LDAP, Kerberos, Budget restrictions, Security Services, Secure by Default, SAP ID Service, Cloud Security, Mobile Security, SCIM, OpenID Connect, Confidentiality, Non-repudiation, Authentication, Integrity, Authorization, Social identities, HANA]

SAP offers a holistic suite of security products, features and services to ensure secure customer systems

SAP NetWeaver Cloud and SAP ID Service
• Security features for cloud applications
• Authentication, Single Sign-On and Identity Federation for cloud applications

Security Products
• SAP NetWeaver Identity Management
• SAP GRC Access Control
• SAP NetWeaver Single Sign-On

SAP NetWeaver 7.40
• Secure basis for SAP HANA
• OAuth for mobile scenarios
• Virus Scan Interface 2.0
• Security Policies
• Read Access Logging

Internal and External Security Assessments
• Security Response Process
• Security Product Standard and Validation
• Common Criteria Certification, Software Security Assurance

Security Services and Information
• Best practices and security configuration guides on SCN
• SAP Online Help
• Security Optimization (Self-) Service, Configuration Validation

The SAP Ecosystem Advantage: Strong Security Partner Network

For security and compliant identity management, SAP collaborates with numerous partners offering specialized solutions and services to fulfill even the most specific requirements of SAP customers.

The SAP ecosystem responds to a growing need for a more collaborative business approach – an approach designed specifically to deliver unparalleled customer value.

The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP, other customers, partners and individuals.

Agenda

• SAP Solutions for Security, Identity Management and Single Sign-On
• SAP NetWeaver Security Solutions
  – Authentication and Single Sign-On
  – Authorization and Role Management
  – SAP HANA Security
  – Mobile Security, Cloud Security
  – Logging and Monitoring
  – Encryption of Data at Rest and in Transit
  – Secure Software Development, Standards and Certifications
  – Security Services and Support Offerings
• SAP NetWeaver Single Sign-On
  – Single Sign-On, Enterprise Single Sign-On
  – Identity Federation
• SAP NetWeaver Identity Management
• SAP GRC Access Control

SAP NetWeaver Security Features – Authentication and Single Sign-On

Secure access to applications – Improve corporate security, decrease operational costs

[Figure: 3rd party systems, SAP mobile applications, SAP cloud applications and the SAP Business Suite are accessed through three layers – authentication and single sign-on (make it easy for your users to do what they're allowed to do), identity management (making sure you know your users and what they can do), security governance and compliance (ensure corporate compliance to regulatory requirements)]

Faster onboarding of new hires: 70%
Reduction of password-related help desk calls: 70%

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
• User-ID + Password
• X.509 Client Certificates
• SAP NetWeaver Single Sign-On
  – Kerberos
  – 2-Factor Authentication
• 3rd party SNC provider

Web Based
• User-ID + Password
• X.509 Authentication
• SAML2
• SAP Logon Tickets
• Kerberos / SPNego
• OAuth

For Kerberos / SPNego on SAP NetWeaver AS ABAP the SAP NetWeaver Single Sign-On product is required

Security Policies

Security Policies allow controlling the abilities of users to access a system:
• The permitted mechanisms to authenticate
• Settings for password strength and expiration
• Settings on how combinations of mechanisms work together
• Privileges to allow authentication when the system is in a maintenance mode

Availability of features is dependent on the application server version used

SAP NetWeaver Security Features – Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows for enforcing the best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

[Figure: users Karen, John and Susan]

SAP ABAP Authorization Concept

Authorization Objects are the key pillar of the ABAP Authorization Concept. They provide the meta-level on top of which authorization checks are defined.

[Figure: Authorization Object X (Field1 … Field10) is instantiated as Authorizations with specific values (Authorization Object X: Field1 = ValuesX1 … Field10 = ValuesX10; Authorization Object Y: Field1 = ValuesY1 … Field10 = ValuesY10; Authorization Object Z: Field1 = ValuesZ1 … Field10 = ValuesZ10), bundled into an Authorization Profile, assigned to a Role, which is assigned to a User (user master record); at runtime, Transaction T / Program P checks each field against the specific values]

Runtime check for each field, as coded in program P:

    AUTHORITY-CHECK OBJECT 'X'
      ID 'Field1'  FIELD 'ValueX1'
      " ... one ID/FIELD pair per field of the object ...
      ID 'Field10' FIELD 'ValueX10'.
    IF sy-subrc <> 0.
      " no authorization of object X matched all field values
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

HR Organizational Management – Org Structure in HR

[Figure: Org Units (O) Finance, HR and Market GER contain the Positions (S) 70008501 and 70008502 (1:n); the Employees (P) John Smith and Eva Scott hold the positions (1:1) and are linked via Infotype 105 (1:1) to the SAP Users (US) SMITHJ and SCOTTE]

HR Organizational Management – Role Assignment

[Figure: the same org structure (Org Units Finance, HR, Market GER; Positions 70008501, 70008502; Employees John Smith, Eva Scott; SAP Users SMITHJ, SCOTTE via Infotype 105) with the Roles (AG) GEN_FIN and HR_ADM attached to it]

User SMITHJ inherits roles GEN_FIN and HR_ADM
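Added Python example (not from the presentation or SAP) that ties the authorization concept and the HR role assignment together: it resolves SMITHJ's roles through the org structure (user, employee, position, org unit) and then evaluates an AUTHORITY-CHECK-style test against the authorizations those roles carry. The authorization objects Z_FIN_DOC and Z_HR_DATA, their field values and which org element each role hangs on are assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: the org structure follows the slide (positions 70008501/70008502,
# users SMITHJ/SCOTTE, roles GEN_FIN/HR_ADM); the authorization objects Z_FIN_DOC and
# Z_HR_DATA, their field values and where each role is attached are made up.


@dataclass
class Authorization:
    obj: str
    fields: dict    # field name -> set of permitted values; "*" permits any value


@dataclass
class OrgModel:
    user_to_employee: dict = field(default_factory=dict)      # Infotype 105 link (US -> P)
    employee_to_position: dict = field(default_factory=dict)  # P -> S
    position_to_orgunit: dict = field(default_factory=dict)   # S -> O
    roles_on_position: dict = field(default_factory=dict)     # S -> {AG}
    roles_on_orgunit: dict = field(default_factory=dict)      # O -> {AG}
    role_profiles: dict = field(default_factory=dict)         # AG -> [Authorization]

    def inherited_roles(self, user: str) -> set:
        """Roles reach the user indirectly: user -> employee -> position -> org unit."""
        position = self.employee_to_position.get(self.user_to_employee.get(user))
        if position is None:
            return set()
        orgunit = self.position_to_orgunit.get(position)
        return set(self.roles_on_position.get(position, ())) | set(self.roles_on_orgunit.get(orgunit, ()))

    def authorizations(self, user: str) -> list:
        """The user's effective authorizations: the profiles of every inherited role."""
        return [auth for role in sorted(self.inherited_roles(user))
                for auth in self.role_profiles.get(role, [])]


def authority_check(model: OrgModel, user: str, obj: str, **required) -> int:
    """AUTHORITY-CHECK style test: 0 if one authorization for obj allows every
    requested field value, otherwise 4 (a non-zero sy-subrc, simplified)."""
    for auth in model.authorizations(user):
        if auth.obj != obj:
            continue
        allowed = auth.fields
        if all(value in allowed.get(name, set()) or "*" in allowed.get(name, set())
               for name, value in required.items()):
            return 0
    return 4


def build_model() -> OrgModel:
    model = OrgModel()
    model.user_to_employee = {"SMITHJ": "John Smith", "SCOTTE": "Eva Scott"}
    model.employee_to_position = {"John Smith": "70008501", "Eva Scott": "70008502"}
    model.position_to_orgunit = {"70008501": "Finance", "70008502": "HR"}
    model.roles_on_orgunit = {"Finance": {"GEN_FIN"}}     # every Finance position gets GEN_FIN
    model.roles_on_position = {"70008501": {"HR_ADM"}}   # only this position gets HR_ADM
    model.role_profiles = {
        "GEN_FIN": [Authorization("Z_FIN_DOC", {"ACTVT": {"03"}, "BUKRS": {"1000"}})],
        "HR_ADM": [Authorization("Z_HR_DATA", {"ACTVT": {"02", "03"}, "INFTY": {"*"}})],
    }
    return model
```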

SAP NetWeaver Security Solutions – SAP HANA Security

SAP HANA – Overview of Security Functions

[Figure: SAP HANA security functions – Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store – serving clients via XS (HTTP(S)), application servers and clients via SQL and MDX, SAP HANA Studio administration via SQL, and XS applications]

SAP HANA – Authentication and Single Sign-On

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – User and Role Management

• For logon, users must exist in the identity store of the SAP HANA database
• Roles (and privileges) can be assigned to users
• Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies supported
• Role lifecycle: design-time roles, export to production system, activate runtime

SAP HANA – authorization: privilege types

– System privileges: authorize execution of administrative actions for the entire SAP HANA database.
– SQL privileges: authorize access to data and operations on database objects.
– Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view.
– Package privileges: authorize access in the repository (modeling environment) at design time.
– Application privileges: authorize access to SAP HANA XS application functions.
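To make the interplay of the two previous slides concrete (roles bundling privileges, role hierarchies, and analytic privileges as row-level filters), here is a small model written for these notes. It is not SAP HANA code and does not use HANA's SQL; the role, schema, view and dimension names are assumptions, as is the model's rule that reading an analytic view needs both SELECT on the view and at least one analytic privilege for it.

```python
"""Effective privileges through a role hierarchy, with an analytic privilege
applied as a row-level filter.

Constructed model of the privilege types on the slide; not SAP HANA code.
Role, schema, view and dimension names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemPrivilege:          # administrative action, database-wide
    name: str


@dataclass(frozen=True)
class SqlPrivilege:             # action on a schema ("SALES") or object ("SALES.ORDERS")
    action: str
    obj: str


@dataclass(frozen=True)
class AnalyticPrivilege:        # row-level restriction on an analytic view
    view: str
    dimension: str
    allowed: tuple


@dataclass
class Role:
    name: str
    privileges: frozenset = frozenset()
    includes: frozenset = frozenset()   # role hierarchy: roles granted to this role


def effective_privileges(catalog, granted_roles):
    """Collect privileges transitively through included roles (cycle-safe)."""
    privs, seen, todo = set(), set(), list(granted_roles)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        role = catalog[name]
        privs |= role.privileges
        todo.extend(role.includes)
    return privs


def can_select(privs, obj):
    """SELECT on the object itself or on its schema suffices."""
    schema = obj.split(".")[0]
    return any(p.action == "SELECT" and p.obj in (obj, schema)
               for p in privs if isinstance(p, SqlPrivilege))


def has_system_privilege(privs, name):
    return SystemPrivilege(name) in privs


def visible_rows(privs, view, rows):
    """Rows of an analytic view the user may read: SELECT is required, and
    without any analytic privilege for the view no row is visible; otherwise
    a row is visible when one of the user's analytic privileges allows its
    dimension value (privileges for the same view combine with OR)."""
    if not can_select(privs, view):
        return []
    restrictions = [p for p in privs
                    if isinstance(p, AnalyticPrivilege) and p.view == view]
    if not restrictions:
        return []
    return [r for r in rows if any(r.get(p.dimension) in p.allowed for p in restrictions)]


# Constructed role catalog: SALES_DE and SALES_EMEA both include SALES_READ,
# SALES_ADMIN includes SALES_EMEA and adds a system privilege.
CATALOG = {r.name: r for r in [
    Role("SALES_READ", frozenset({SqlPrivilege("SELECT", "SALES")})),
    Role("SALES_DE", frozenset({AnalyticPrivilege("SALES.REVENUE_VIEW", "COUNTRY", ("DE",))}),
         frozenset({"SALES_READ"})),
    Role("SALES_EMEA", frozenset({AnalyticPrivilege("SALES.REVENUE_VIEW", "COUNTRY",
                                                    ("DE", "FR", "UK"))}),
         frozenset({"SALES_READ"})),
    Role("SALES_ADMIN", frozenset({SystemPrivilege("AUDIT ADMIN")}), frozenset({"SALES_EMEA"})),
]}

SAMPLE_ROWS = [  # constructed analytic-view rows
    {"COUNTRY": "DE", "REVENUE": 100},
    {"COUNTRY": "FR", "REVENUE": 80},
    {"COUNTRY": "US", "REVENUE": 120},
]

if __name__ == "__main__":
    privs = effective_privileges(CATALOG, {"SALES_DE"})
    print(visible_rows(privs, "SALES.REVENUE_VIEW", SAMPLE_ROWS))
```

A user holding only SALES_READ can query tables in the SALES schema but sees no rows of the analytic view, while SALES_DE narrows the same view to German rows; the administrator role carries a system privilege that neither of the other roles has.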

SAP HANA – communication and data encryption

– Communication encryption: SSL
– Data encryption: data volumes on disk

SAP HANA – audit logging

– Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
– User-defined policies for audit logging
– Data access logging: read and write access (tables, views), execution of procedures
– Audit trail written to Linux syslog

SAP HANA – security administration

– SAP HANA Studio (administration over SQL)
– SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful

Diagram (reconstructed from the slide labels), SAP Mobile Security layers, deployable on-premise, hybrid or in the cloud:
– Device: Mobile Device Management
– Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
– Content: Mobile Content Management
– Communications: Telecom Expense Management
– Systems Management: Enterprise Mobility Management System

Introducing SAP Mobile Documents: Share My Files, My Files on Any Device, Mobilize Enterprise Content

– Access personal business documents instantly on your laptop or any mobile device
– Discover and access content from corporate document management systems
– Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

The SAP ID service provides authentication, single sign-on and user management for the SAP Cloud:
– Managing identities and their lifecycle within the SAP Cloud
– Leverage SSO to SAP web sites and On-Demand applications
– One SAP identity: the SAP ID service bridges the gap between
  • the customer’s on-premise applications
  • SAP on-demand applications
  • SAP websites
  • 3rd-party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity “Camps” – Handled With Industry Standards

Standards shown on the slide: SAML, Liberty ID-WSF, WS-*, SOAP, Kerberos, OAuth, XRDS, OpenID, REST, grouped into the Enterprise (on-premise) camp and the Internet/Cloud (on-demand) camp.

SAP bridges the gap between these two “camps”.

Support of Industry Standards

– REST is the preferred choice for UI consumption scenarios in the cloud.
– SOAP/WS-* is the preferred choice for process integration in the enterprise.
– Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
– Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
– The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating the Customer’s On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration OP/OD instead of point-to-point connections.

Diagram (reconstructed from the slide labels): in the customer’s on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service acts as the SAML proxy in front of SAP Business ByDesign, SAP HANA Cloud, a social IdP and 3rd-party applications (SAML).

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

Integration scenarios shown: OnDemand integration, OnPremise integration, OnDevice integration.

Secure Communication and Interaction: OnDemand Solutions

Diagram (reconstructed from the slide labels): the backend networks of Company A and Company B (R/3 and ERP application server farms with a directory, DIR) connect to On-Demand solutions; each company has its own Identity Provider. SAML assertions and SAP Logon Tickets are the trust tokens shown between the participants.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots (not reproduced): configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
– Used to ensure secure and compliant operation of business functions
– Target audience: auditor

Read Access Log
– Used to ensure compliant access to sensitive or classified data
– Allows tracking who accessed which data, when, and via which interface
– Target audience: data protection officer

Security Audit Log
– Monitoring of security-relevant events in the system, such as logons, access control violations and more
– Target audience: security administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram (reconstructed from the slide labels): in the SAP environment the AIS covers audit planning, a work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents) and data export (account balances, line items). Through an export interface the non-SAP environment receives line items, balances, accounts, customers, vendors, assets, material, orders, invoices, … for work-paper preparation, reporting software and analysis software (ACL, IDEA, …).

Monitoring and Auditing: The SAP Audit Information System (AIS)

– The Audit Information System facilitates smoother and better-quality audits.
– It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.
– The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
– Who accessed the data
– Which data was accessed
– When the data was accessed
– How the data access took place (via which transaction or user interface)

The amount of detail to be logged is customizable based on:
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram (reconstructed from the slide labels): ABAP server, application (Web Dynpro), Read Access Log.

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

Diagram (reconstructed from the slide labels): SAP GUI for Windows exchanges request and response with the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log, and an asynchronous call of the log service moves it into permanent log storage in the repository (a delivered sample implementation sits beside the application logic).

In addition to the Read Access Logging framework you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

Screenshot (not reproduced): transaction BP (Business Partner) and its log record.

UI Logging: Log Record Example II

Screenshot (not reproduced): transaction SE16 (Table Viewer) and its log record.

Access Logging with Business Warehouse

– SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
– LOPD was first available with the BW 7.0 release.
– Within the solution you can configure the information to be logged per InfoProvider.
– The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
– For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

– Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
– The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
-----------------------------|----------------------------------|--------------------
SAP GUI                      | No                               | 7.00…7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00…7.31
Business Warehouse           | No                               | 7.00…7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
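The features slide (who, what, when, how; configurable detail; filters that keep private data out of the log) and the compliance slide above (do not record full card details; keep personal data only for a limited time) together describe a logger with a specific shape. The block below is an added illustration written for these notes, not the SAP Read Access Logging framework or its configuration: the channel names, the entity and field names, the two detail levels and the sample events are all assumptions.

```python
"""Read-access-style logging with per-channel detail levels, masking of
sensitive field values and retention-based purging.

Constructed example, not the SAP Read Access Logging framework: the channel
names, the entity and field names, the detail levels and the sample events
are assumptions.
"""
from datetime import datetime, timedelta


def mask(value):
    """Keep only the last four characters: the log proves which record was
    read without storing the full sensitive value (e.g. a card number)."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


class AccessLog:
    """Detail level per channel: "values" logs the field values (sensitive
    ones masked), "names" logs only which fields were shown; channels that
    are not configured are not logged at all."""

    def __init__(self, detail_per_channel, sensitive_fields):
        self.detail = dict(detail_per_channel)
        self.sensitive = set(sensitive_fields)
        self.entries = []

    def record(self, user, channel, entity, fields, when):
        """Store who accessed which entity and fields, when and via which channel."""
        level = self.detail.get(channel)
        if level is None:
            return None
        if level == "names":
            logged = {name: None for name in fields}
        else:
            logged = {name: mask(value) if name in self.sensitive else value
                      for name, value in fields.items()}
        entry = {"user": user, "channel": channel, "entity": entity,
                 "when": when, "fields": logged}
        self.entries.append(entry)
        return entry

    def who_accessed(self, entity, field=None, since=None):
        """The data protection officer's question: who read this data, when, how."""
        return [(e["user"], e["when"], e["channel"]) for e in self.entries
                if e["entity"] == entity
                and (field is None or field in e["fields"])
                and (since is None or e["when"] >= since)]

    def purge(self, now, retention):
        """Drop entries older than the retention period; return how many went."""
        keep = [e for e in self.entries if now - e["when"] < retention]
        dropped = len(self.entries) - len(keep)
        self.entries = keep
        return dropped


def build_sample():
    """Constructed log with three access events on one business partner record."""
    log = AccessLog({"SAP GUI": "values", "RFC": "names"}, {"CARD_NUMBER", "SALARY"})
    t0 = datetime(2013, 11, 5, 9, 0)
    log.record("SMITHJ", "SAP GUI", "BusinessPartner",
               {"NAME": "Eva Scott", "CARD_NUMBER": "4111222233334444"}, t0)
    log.record("SCOTTE", "RFC", "BusinessPartner",
               {"CARD_NUMBER": "4111222233334444"}, t0 + timedelta(hours=1))
    # Web Dynpro is not configured here, so this access is not recorded
    log.record("SMITHJ", "Web Dynpro", "BusinessPartner", {"SALARY": 5000},
               t0 + timedelta(hours=2))
    return log, t0


if __name__ == "__main__":
    log, t0 = build_sample()
    print(log.who_accessed("BusinessPartner", "CARD_NUMBER"))
```

The masked value still answers "which record was read", which is what the evaluation needs, while the full card number never reaches the log; the retention purge is what turns the "limited amount of time" requirement into a mechanism rather than a policy statement.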

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

Diagram (reconstructed from the slide labels): SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library.

– Digital signatures for legally binding contracts
– Integration with the Secure Store and Forward (SSF) API
– Out-of-the-box support for a set of SAP transactions
– Consistent with SAP Single Sign-On mechanisms
– Easy and flexible to implement
– Generation of X.509 certificates and smart card support
– PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1. A transaction triggers the digital signature.
2. User information is transferred.
3. The user authenticates and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

– Supported out of the box for a set of SAP transactions
– Programming/integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions
– Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

– Compliance
– Integrity
– Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

– Included in the SAP NetWeaver license
– Encryption between SAP client and application server
– Based on SNC and Kerberos
– No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
– No single sign-on included

Diagram (reconstructed from the slide labels): SNC protects the connections from the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) to the SAP application servers, and between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Overview diagram (reconstructed from the slide labels): Secure Software Development at SAP and at customers; Security Services; Security Management.

SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at the transitions Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

– SAP Security Patch Day: SAP security notes, second Tuesday every month
– SAP Active Global Support security tools and services:
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
– SAP security consulting services

SAP Security Services Overview (2/2)

– SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
– SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

(Topics taken from the security recommendations; discussed later.)

Patch Management and Security Monitoring

– Check the security of your systems onsite, remotely or as self service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day
– The most important notes which can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

– Easy-to-use, light-weight tool – short startup time, small memory footprint
– List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design:
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources: SAP security recommendations, SAP security guides
How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations
How to verify: source code scanning – automate it
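Three of the bug classes listed on this slide are shown below in the form a code scanner looks for: the weak pattern beside its hardened counterpart. This is an added illustration written for these notes in Python, not the ABAP guidance from SAP's Secure Programming Guides; the sqlite table, its rows and the base directory are constructed for the example.

```python
"""Three bug classes from the slide, each as the weak pattern beside its
hardened form: SQL injection, directory traversal and cross-site scripting.

Constructed example in Python, not SAP's ABAP guidance: the sqlite table,
its rows and the base directory are made up.
"""
import html
import os
import sqlite3


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("SMITHJ", "GEN_FIN"), ("SCOTTE", "HR_ADM")])
    return conn


def roles_unsafe(conn, name):
    # WEAK: the caller's input is pasted into the statement, so quote
    # characters in it change the meaning of the query
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def roles(conn, name):
    # Hardened: bound parameter; the driver passes the value separately from
    # the SQL text, so it can never become SQL syntax
    return [row[0] for row in
            conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def open_path_unsafe(base, user_path):
    # WEAK: ".." segments or an absolute path leave the intended directory
    return os.path.join(base, user_path)


def safe_join(base, user_path):
    # Hardened: resolve both sides and require the result to stay under base
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the base directory")
    return target


def greeting_unsafe(name):
    # WEAK: untrusted text written into HTML as-is
    return "<p>Hello %s</p>" % name


def greeting(name):
    # Hardened: escape for the HTML text context before output
    return "<p>Hello %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(roles(db, "SMITHJ"))
    print(safe_join("/srv/docs", "reports/q3.txt"))
    print(greeting("<b>SMITHJ</b>"))
```

Each hardened variant removes the mixing of data and syntax rather than filtering bad characters: parameter binding for SQL, path canonicalisation plus a prefix check for file access, and context-specific escaping for HTML output. That is the same principle the ABAP guides apply to dynamic OPEN SQL, file names and HTML rendering, and it is what the data-flow analysis of the code vulnerability analysis tool on the following slides checks for.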

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

– Manual source code review
– Automated source code analysis
– Automated application vulnerability scanning
– Manual application penetration testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Testing approaches shown: manual source code review and automated source code analysis (SAST – find vulnerabilities by analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST – find vulnerabilities in the running application).

– SAP NetWeaver Application Server add-on for code vulnerability analysis
– Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues:
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
– spotlight news
– checking the security notes released on the Security Patch Days
– subscription to the SAP support portal newsletter
– maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
– The Security Consultant Certification test verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security
– Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
– Booking code: P_ADM_SEC_70

Topic                                 | Course ID
--------------------------------------|----------------------
Authorizations AS ABAP                | ADM940
Authorizations AS Java / Portal       | ADM200, EP200, ADM800
Authorizations BW                     | BW365
SAP NetWeaver Identity Management     | ADM920
Security Auditing                     | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
– EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
– SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

– Compliance and Governance: SAP GRC Access Control
– Identity Management: SAP NetWeaver Identity Management
– Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

– Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
– Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
– Advanced SNC encryption: strong encryption of communication
– Enterprise Single Sign-On for legacy systems
– Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
– User and role management
– Provisioning to SAP systems and non-SAP
– Identity Center
– Virtual Directory Server
– Identity Services
– Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
– Identity federation
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures
– Re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver):
– Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

– Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
– Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
– Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
– Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
– SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram (reconstructed from the slide labels): after a primary authentication, the E-SSO monitor on the client (with a local management console) supplies the credentials of user jack_jones to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.

Secure Login – Solution Architecture

Diagram (reconstructed from the slide labels):
– Client system: SAP front end (NWBC, SAP GUI) with the Secure Login Client and its key store; web browser with the Secure Login Web Client (SLWC, applet) using the SAP or Java crypto library.
– SAP backend system: ABAP stack with the Secure Login Library, reached over DIAG/RFC with SNC; Java stack with the PSE service, reached over HTTP(S).
– Secure Login Server on NetWeaver CE 7.2 with configuration data, backed by an authentication server (e.g. SAP User Management).

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each running ERP, CRM and SCM systems, plus cloud systems, all taking part in one business process.]

Identity Federation – Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B) each run their own Identity Provider; the ERP, CRM and SCM systems in each datacenter act as Service Providers (SP); identity federation links the two Identity Providers.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Figure: an Identity Provider on SAP NetWeaver Java holding the user account, and Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own user account; the browser logs on and off at the Identity Provider and presents the SAML token to each Service Provider.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
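
The flow just described, as an added example that is not part of the original SAP presentation: a small Python model of one Identity Provider serving three Service Providers, showing why a second SP needs no new password prompt and which checks each SP must still perform. It uses HMAC-signed JSON in place of SAML assertions with XML signatures (an assumption made to keep it self-contained); the entity IDs, user store and signing secret are constructed.

```python
import hashlib
import hmac
import json
import time


class IdentityProvider:
    """Authenticates the user once and issues assertions for trusted SPs."""

    def __init__(self, entity_id, key, users):
        self.entity_id = entity_id
        self.key = key            # shared secret standing in for the IdP signing key (assumption)
        self.users = users        # constructed user store: user name -> password
        self.sessions = {}        # browser cookie -> authenticated user name
        self.trusted_sps = set()
        self.counter = 0          # makes assertion IDs unique

    def register_sp(self, sp_entity_id):
        self.trusted_sps.add(sp_entity_id)

    def login(self, user, password):
        """Primary authentication; returns an IdP session cookie or None."""
        if self.users.get(user) != password:
            return None
        cookie = hashlib.sha256(f"{user}:{time.time()}".encode()).hexdigest()
        self.sessions[cookie] = user
        return cookie

    def issue_assertion(self, cookie, sp_entity_id, now=None):
        """Handle an AuthnRequest: needs a live IdP session, no re-authentication."""
        if cookie not in self.sessions or sp_entity_id not in self.trusted_sps:
            return None
        now = time.time() if now is None else now
        self.counter += 1
        claims = {
            "id": f"_assertion{self.counter}",
            "issuer": self.entity_id,
            "subject": self.sessions[cookie],
            "audience": sp_entity_id,      # AudienceRestriction: one SP only
            "not_before": now - 60,        # small clock-skew allowance
            "not_on_or_after": now + 300,  # five-minute validity window
        }
        body = json.dumps(claims, sort_keys=True).encode()
        return {"claims": claims, "sig": hmac.new(self.key, body, hashlib.sha256).hexdigest()}


class ServiceProvider:
    """Trusts one IdP and validates every assertion before creating a local session."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key
        self.seen_ids = set()     # replay protection
        self.sessions = {}        # local sessions: subject -> True

    def consume_assertion(self, assertion, now=None):
        """Returns (accepted, reason); checks run in the order an SP should apply them."""
        now = time.time() if now is None else now
        claims = assertion["claims"]
        body = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        if claims["issuer"] != self.idp_entity_id:
            return False, "untrusted issuer"
        if claims["audience"] != self.entity_id:
            return False, "audience mismatch"
        if not claims["not_before"] <= now < claims["not_on_or_after"]:
            return False, "outside validity window"
        if claims["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(claims["id"])
        self.sessions[claims["subject"]] = True
        return True, "ok"


def sso_walkthrough():
    """One password prompt at the IdP, then access to three SPs without re-authentication."""
    key = b"constructed-idp-signing-secret"
    idp = IdentityProvider("https://idp.example/saml2", key, {"jack_jones": "pw"})
    sps = [ServiceProvider(eid, idp.entity_id, key) for eid in ("abap-sp", "java-sp", "nonsap-sp")]
    for sp in sps:
        idp.register_sp(sp.entity_id)
    results = {}
    cookie = idp.login("jack_jones", "pw")            # the only authentication
    for sp in sps:                                    # SP-initiated SSO to each system
        results[sp.entity_id] = sp.consume_assertion(idp.issue_assertion(cookie, sp.entity_id))[1]
    cross = idp.issue_assertion(cookie, "java-sp")    # minted for java-sp ...
    results["cross_audience"] = sps[0].consume_assertion(cross)[1]   # ... rejected by abap-sp
    sps[1].consume_assertion(cross)                   # first presentation to java-sp: accepted
    results["replay"] = sps[1].consume_assertion(cross)[1]           # second one: replay
    tampered = idp.issue_assertion(cookie, "abap-sp")
    tampered["claims"]["subject"] = "admin"           # altered after signing
    results["tampered"] = sps[0].consume_assertion(tampered)[1]
    old = idp.issue_assertion(cookie, "nonsap-sp", now=time.time() - 3600)
    results["expired"] = sps[2].consume_assertion(old)[1]
    results["no_session"] = idp.issue_assertion("bogus-cookie", "abap-sp")
    return results
```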

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its Central Identity Store, connected to SAP Access Control (GRC) and to SAP Business Suite; example process: on-boarding.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC (SAP Access Control)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: architecture overview. Identity Center with the IC database (either MS SQL or Oracle DB, soon IBM DB2) holding stored procedures, logs, audit data and the identity store (IdS); runtimes in Java and VB, the Dispatcher (VB), the DSE (VB) and an Event Agent («Starts»); the Management Console (MMC, soon to be Eclipse) and the user interface on AS Java (Web Dynpro, ID Mgmt UI abstraction, JMX) connected via HTTPS; the Virtual Directory Server (VDS) running in a Java VM and reached via LDAP; external repositories (LDAP, Java, ABAP, Web services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, app-specific, etc.) connected via the database protocol and LDAP.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Figure, built up over the following steps: the User raises a request in SAP NetWeaver Identity Management; Approvers and the Compliance Team act in SAP GRC Access Control; provisioning goes out from Identity Management to the target systems.]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (Compliance Team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 landscape. Core: SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A), with Content Lifecycle Management (CLM). Managed systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via an adapter. Optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP). Front-end client: SAP GUI 7.10, Web browser, Adobe Flash Player, and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports). Connections shown: HTTP, Web services, RFC, DIAG.]

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Figure, process flow: an HR application raises an event (new hire, change of position); Identity Management calculates entitlements based on position; the line manager approves the assignments (No: stop; Yes: continue); SAP GRC Access Control runs the compliance check and remediation; finally the user is created and roles and privileges are assigned in the heterogeneous landscape (create user, assign roles in each target system).]
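
The six-step request flow above and the HR-triggered customer scenario, as an added Python example that is not from the SAP slides: it models the request lifecycle so that provisioning cannot happen until approvals are in and every segregation-of-duties risk is mitigated, modified away, or rejected. The SoD rule set, approver list, role names, control ID and target systems are constructed assumptions standing in for the GRC Access Control risk library and a customer landscape.

```python
from dataclasses import dataclass, field

# Constructed segregation-of-duties rules standing in for the GRC Access Control
# risk library (assumption; real rule sets are customer-specific).
SOD_RULES = {
    "SOD-01": ({"FI_VENDOR_MAINT", "FI_PAYMENT_RUN"}, "maintain vendor and pay vendor"),
    "SOD-02": ({"HR_ADM", "PAYROLL_RUN"}, "maintain employee master and run payroll"),
}
REQUIRED_APPROVERS = ("manager", "role_owner")   # assumption: two approvals needed


@dataclass
class AccessRequest:
    user: str
    existing_roles: set                 # roles the user already holds in the landscape
    requested_roles: set
    approvals: dict = field(default_factory=dict)    # approver -> granted?
    open_risks: dict = field(default_factory=dict)   # risk id -> conflicting role set
    mitigated: dict = field(default_factory=dict)    # risk id -> mitigating control
    status: str = "requested"


def approve(req, approver, granted):
    """Steps 2 and 3: collect approvals; one rejection ends the request."""
    if approver not in REQUIRED_APPROVERS:
        raise ValueError(f"unknown approver: {approver}")
    if req.status != "requested":
        return req.status
    req.approvals[approver] = granted
    if not granted:
        req.status = "rejected"
    elif all(req.approvals.get(a) for a in REQUIRED_APPROVERS):
        req.status = "approved"
    return req.status


def risk_analysis(req):
    """Step 4: SoD check over existing plus requested roles, not the request alone."""
    if req.status != "approved":
        return req.status
    effective = req.existing_roles | req.requested_roles
    req.open_risks = {rid: roles for rid, (roles, _) in SOD_RULES.items() if roles <= effective}
    req.status = "risk_analysed"
    return req.status


def remediate(req, risk_id, action, value=None):
    """Step 5: the compliance team mitigates, modifies the request, or rejects it."""
    if req.status != "risk_analysed" or risk_id not in req.open_risks:
        raise KeyError(risk_id)
    if action == "mitigate":                  # accept the risk under a named control
        req.mitigated[risk_id] = value
        del req.open_risks[risk_id]
    elif action == "modify":                  # drop the requested role causing the conflict
        req.requested_roles.discard(value)
        effective = req.existing_roles | req.requested_roles
        req.open_risks = {rid: r for rid, r in req.open_risks.items() if r <= effective}
    elif action == "reject":
        req.status = "rejected"
        req.open_risks.clear()
    else:
        raise ValueError(f"unknown action: {action}")
    return req.status


def provision(req, landscape):
    """Step 6: only a request with no open risk reaches the target systems."""
    if req.status != "risk_analysed" or req.open_risks:
        return False
    for store in landscape.values():
        store.setdefault(req.user, set()).update(req.requested_roles)
    req.status = "provisioned"
    return True


def example_scenario():
    """HR event: a Finance user who already runs payment runs asks for vendor maintenance."""
    landscape = {"ERP": {}, "CRM": {}}   # constructed target systems: user -> roles
    req = AccessRequest("SMITHJ", {"FI_PAYMENT_RUN"}, {"FI_VENDOR_MAINT", "GEN_FIN"})
    approve(req, "manager", True)
    approve(req, "role_owner", True)
    risk_analysis(req)
    blocked = provision(req, landscape)                 # False: SOD-01 still open
    remediate(req, "SOD-01", "mitigate", "CTRL-4EYES")  # constructed control id
    done = provision(req, landscape)
    # a second request that the manager rejects never reaches risk analysis
    rejected = AccessRequest("SCOTTE", set(), {"HR_ADM", "PAYROLL_RUN"})
    approve(rejected, "manager", False)
    return {
        "status": req.status,
        "blocked_first": blocked,
        "provisioned": done,
        "risks_seen": sorted(req.mitigated),
        "erp_roles": sorted(landscape["ERP"]["SMITHJ"]),
        "rejected_status": risk_analysis(rejected),
        "rejected_provisioned": provision(rejected, landscape),
    }
```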

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver systems, logs of non-SAP NetWeaver systems, desktop frontend and mobile frontend logs, logs of the infrastructure, logs of the database, network logs and IDS data, plus alerts from SAP Solution Manager; its internal stages are aggregation, normalization, connectivity, filtering and extraction; attack pattern updates come from SAP, there is an information back channel to SAP, and an API to other SIEM tools.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 3: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 3

Security ndash What is the problem realm

Security Management

SA

P G

RC

SAP NetWeaver Identity Management

Secure Programming

Vu

lne

rab

ility A

na

lys

is a

nd

Te

stin

g

Secure Software Development Lifecycle Se

cu

rity O

ptim

iza

tion

Se

lf Se

rvic

e

SAP NetWeaver Single Sign-On

Data Privacy Security Logging Monitoring

SIE

M

IT Security

Lower cost R

ais

e E

fficie

ncy

Web S

erv

ices S

ecurity

Read Access Logging

SSLTLS

Dig

ital S

ign

atu

ree

-Sig

na

ture

SNC

LD

AP

Kerberos

Budget restrictions

Security Services

Secure by Default SAP ID Service

Clo

ud S

ecurity

Mobile Security SCIM

Op

en

ID C

on

nect

Confidentiality

Non-re

pudia

tion

Authentication Integrity

Authorization

So

cia

l iden

tities

HANA

copy 2013 SAP AG or an SAP affiliate company All rights reserved 4

SAP offers a holistic suite of security products features and

services to ensure secure customer systems

SAP NetWeaver Cloud and SAP ID Service Security features for cloud applications

Authentication Single Sign-On and

Identity Federation for cloud applications

Security Products SAP NetWeaver Identity Management

SAP GRC Access Control

SAP NetWeaver Single Sign-On

SAP NetWeaver 740 Secure basis for SAP HANA

OAuth for mobile scenarios

Virus Scan Interface 20

Security Policies

Read Access Logging

Internal and External Security Assessments

Security Response Process

Security Product Standard and Validation

Common Criteria Certification Software Security Assurance

Security Services and Information Best practices and security configuration guides on SCN

SAP Online Help Security Optimization (self-) Service Configuration Validation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 5

The SAP Ecosystem Advantage Strong Security Partner Network

For security and compliant identity management SAP collaborates with numerous partners

offering specialized solutions and services

to fulfill even the most specific requirements of SAP customers

The SAP ecosystem responds to a growing need for a more collaborative business approach

ndash an approach designed specifically to deliver unparalleled customer value

The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP

other customers partners and individuals

copy 2013 SAP AG or an SAP affiliate company All rights reserved 6

Agenda

SAP Solutions for Security Identity Management and Single Sign-On

SAP NetWeaver Security Solutions

ndash Authentication and Single Sign-On

ndash Authorization and Role Management

ndash SAP HANA Security

ndash Mobile Security Cloud Security

ndash Logging and Monitoring

ndash Encryption of Data at Rest and in Transit

ndash Secure Software Development Standards and Certifications

ndash Security Services and Support Offerings

SAP NetWeaver Single Sign-On

ndash Single Sign-On Enterprise Single Sign-On

ndash Identity Federation

SAP NetWeaver Identity Management

SAP GRC Access Control

SAP NetWeaver Security Features Authentication and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 8

Secure access to applications

Improve corporate security decrease operational costs

3rd party

systems

SAP mobile

applications

SAP cloud

applications

SAP

Business Suite

authentication and single sign-on

security governance and compliance

identity management

make it easy for your users to do what theyrsquore allowed to do

making sure you know your users and what they can do

ensure corporate compliance to regulatory requirements

Faster onboarding

of new hires 70 Reduction of password

related help desk calls 70

copy 2013 SAP AG or an SAP affiliate company All rights reserved 9

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI User-ID + Password

X509 Client Certificates

SAP NetWeaver Single Sign-On

ndash Kerberos

ndash 2-Factor Authentication

3rd party SNC provider

Web Based User-ID + Password

X509 Authentication

SAML2

SAP Logon Tickets

Kerberos SPNego

OAuth

For Kerberos SPNego on SAP NetWeaver AS ABAP the SAP NetWeaver Single Sign-On product is required

copy 2013 SAP AG or an SAP affiliate company All rights reserved 10

Security Policies

Security Policies allow to control abilities of

users to access a system

The permitted mechanisms to authenticate

Settings for password strength and expiration

Settings on how combinations of mechanisms work together

Privileges to allow authentication when the system is in a

maintenance mode

Availability of features is dependent on the application server version used

SAP NetWeaver Security Features Authorization and Role Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 12

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP Role Based Authorization Concept

bull allows for enforcing the best practices (segregation of duties least-privilege etc)

enables to meet the required system protection

Karen

John

Susan

copy 2013 SAP AG or an SAP affiliate company All rights reserved 13

Runtime

check

for each field

Authorization Object X

Field1

Field10

Authorization Object X

Field1 = ValuesX1

Field 10 = Values 10 Authorization Object Y

Field1 = ValuesY1

Field 10 = Values 10 Authorization Object Z

Field1 = ValuesZ1

Field10 = ValuesZ10

Authorization Profile

Authorization

Authorization

Authorization

Role assigned to

User

assigned to

Users Master Record

Transaction T

Program P

AUTHORITY-CHECK

OBJECT X

ID Field1 FIELD ValueX1

ID Field10 FIELD ValueX10

IF SY-SUBRC NE 0

MESSAGE ldquoBad authzrdquo

ENDIF

System

instanciated and

assigned

checked against

specific values

SAP ABAP Authorization Concept

Authorization Objects are the key pillar of

the ABAP Authorization Concept

They provide the meta-level on top of which

authorization checks are defined

copy 2013 SAP AG or an SAP affiliate company All rights reserved 14

Org Units

HR Organizational Management ndash Org Structure in HR

S

Position

70008501

S

Position

70008502

O-Org Unit

Finance

O-Org Unit

HR

O - Org Unit

Market GER

1n

1n

P

Employee

John Smith

P

Employee

Eva Scott

11 11

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11

Positions

Employees

Users

Infotype 105

copy 2013 SAP AG or an SAP affiliate company All rights reserved 15

Org Units

HR Organizational Management ndash Role Assignment

S

Position

70008501

S

Position

70008502

O-Org Unit

Finance

O-Org Unit

HR

O - Org Unit

Market GER

1n

1n

P

Employee

John Smith

P

Employee

Eva Scott

11 11

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11

Positions

Employees

Users

Infotype 105

AG

Role

GEN_FIN

AG

Role

HR_ADM

User SMITHJ

inherits roles

GEN_FIN and

HR_ADM

SAP NetWeaver Security Solutions SAP HANA Security

copy 2013 SAP AG or an SAP affiliate company All rights reserved 17

SAP HANA ndash overview of security functions

SAP HANA

XS

HT

TP

(S)

Client

SQ

L

MD

X

Application Server

Client

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

SQ

L

SAP HANA Studio

Administration

Application

copy 2013 SAP AG or an SAP affiliate company All rights reserved 18

SAP HANA ndash authentication and single sign-on

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

SQL access ndash User name and password

(incl password policy)

ndash Kerberos

ndash SAML

HTTP access (SAP HANA XS) ndash User name and password (basic authentication

form-based login incl password policy)

ndash SAML

ndash X509

ndash SAP logon tickets

XS

Application

copy 2013 SAP AG or an SAP affiliate company All rights reserved 19

SAP HANA ndash user and role management

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

For logon users must exist in the identity store of the SAP HANA database

Roles (and privileges) can be assigned to users

Roles are used to bundle and structure privileges

ndash Create roles for specific groups of users role hierarchies supported

Role lifecycle design time roles export to production system activate runtime

XS

Application

copy 2013 SAP AG or an SAP affiliate company All rights reserved 20

SAP HANA ndash authorization Privilege types

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

System privileges Authorize execution of administrative actions for the entire SAP HANA database

SQL privileges Authorize access to data and operations on database objects

Analytic privileges Authorize read access on analytic views at run-time provide row-level access control based on dimensions of the respective view

Package privileges Authorize access in the repository (modeling environment) at design time

Application privileges Authorize access to SAP HANA XS application functions

XS

Application

copy 2013 SAP AG or an SAP affiliate company All rights reserved 21

SAP HANA ndash communication and data encryption

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

XS

Application

Communication encryption

ndash SSL

Data encryption

ndash Data volumes on disk

copy 2013 SAP AG or an SAP affiliate company All rights reserved 22

SAP HANA ndash audit logging

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

XS

Application

Logging of critical events for security and compliance eg ndash User role and privilege changes ndash Configuration changes

User-defined policies for audit logging Data access logging

ndash Read and write access (tables views) execution of procedures

Audit trail written to Linux syslog

copy 2013 SAP AG or an SAP affiliate company All rights reserved 23

SAP HANA ndash security administration

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

SQ

L

SAP HANA Studio

Administration

SAP HANA Studio

SQL interface (command line tool

hdbsql available)

XS

Application

SAP NetWeaver Security Solutions Mobile Security Cloud Security

copy 2013 SAP AG or an SAP affiliate company All rights reserved 25

Mobile app security A strong foundation makes mobile successful

Mobile Security

Device

Mobile Device Management

Application

Mobile App

Security

Mobile Enterprise

App Store

Secure e-Mail Container

Content

Mobile Content Management

Communications

Telecom Expense Management

Systems

Management

Enterprise Mobility Management System

SAP Mobile Security

On-Premise Hybrid Cloud

copy 2013 SAP AG or an SAP affiliate company All rights reserved 26

Share My Files My Files - Any Device Mobilize Enterprise Content

Introducing SAP Mobile Documents

Access personal business

documents instantly on your

laptop or any mobile device

Discover and access content

from corporate document

management systems

Share files with teams

colleagues and business

partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration security

and control of business content is critical Users enjoy anytime anywhere access to view and

collaborate on personal and corporate content in an easy-to-use native mobile app

Session MOB118 Secure Mobile Content Management with SAP Mobile Documents

copy 2013 SAP AG or an SAP affiliate company All rights reserved 27

SAP ID Service ndash One Login for Cloud Applications

Authentication

Single Sign-On

User

Management

SAP ID service

SAP

Cloud

Managing identities and

their lifecycle within the

SAP Cloud

Leverage SSO to SAP web sites

On-Demand applications

One SAP identity SAP ID service bridges the

gap between

bull customerrsquos on-premise

application

bull SAP on-demand

applications

bull SAP websites

bull 3rd party on-demand

applications

by verifying user identities

and granting authentication

On-premise app

Session SIS102 SAP ID Service ndash Single Sign-On for Cloud Applications

copy 2013 SAP AG or an SAP affiliate company All rights reserved 28

Enterprise Cloud Two Identity bdquoCampsldquo

ndash Handled With Industry Standards

SAML

Liberty ID-WSF

WS- SOAP

OAuth

XRDS

OpenID REST Kerberos

Enterprise (OnPremise)

InternetCloud (OnDemand)

SAP bridges the gap between these two bdquocampsldquo

copy 2013 SAP AG or an SAP affiliate company All rights reserved 29

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud

SOAPWS- is the preferred choice for process integration in the enterprise

Public consumable SaaS-APIs tend to support a RESTful protocol style rather

than SOAPWS-

Integration between OnDemand to OnPremise requires SSO in both directions

and restricted permissions on enterprise resources for inbound calls

The Web SSO profile of SAML is a commonly deployed protocol in the

enterprise and broadly supported for browser-based access to applications

hosted in the (public) cloud

copy 2013 SAP AG or an SAP affiliate company All rights reserved 30

On-Premise Authentication via IdP Proxying Integrating Customerrsquos On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple Trust Configuration OP OD instead of point-to-point connections

Customer On-Premise Network SAP On-Demand Network

User

On-Premise

IdP

X509

SAP Business ByDesign

SAP HANA Cloud

SAP

ID service

Social IdP

SAML

3rd party App

SAML

copy 2013 SAP AG or an SAP affiliate company All rights reserved 31

OnDemand and OnPremise Integration SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise

SAP solutions The solution offers secure connectivity authentication and single sign-on as

well as compliant user and role management Integration with software-as-a-service offerings

from SAP is also supported

OnDemand integration OnPremise integration

OnDevice integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 32

Secure Communication and Interaction OnDemand Solutions

Backend Networks

Company B

R3

R3

Application

server farm ERP

ERP

DIR

Backend Networks

Company A

R3

R3

Application

server farm ERP

ERP

DIR

On-

Demand

On-

Demand

Company A Company B

Identity

Provider

On-

Demand

SAML SAML

SAML SAML

SAP

Logon

Tickets

SAP

Logon

Tickets

SAML

Identity

Provider

SAP NetWeaver Security Solutions Logging and Monitoring

copy 2013 SAP AG or an SAP affiliate company All rights reserved 34

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Configuration and

results of Security Audit

Log in ABAP

Transactions

SM18 SM19 SM20

Results of Log

Viewer in Java

copy 2013 SAP AG or an SAP affiliate company All rights reserved 35

Logging and Monitoring ndash AS ABAP Tools Overview

Audit Information System

Used to ensure secure and compliant operations of business functions

Target Audience Auditor

Read Access Log

Used to ensure compliant access to sensitive or classified data

Allows to track who did access which data when and via which interface

Target Audience Data Protection Officer

Security Audit Log

Monitoring of security relevant events in the system like logon access control violations and more

Target Audience Security Administrator

copy 2013 SAP AG or an SAP affiliate company All rights reserved 36

Monitoring and Auditing The SAP Audit Information System (AIS)

Audit planning

Work program

- System audit

- Business audit

Export

inte

rface

Online controls on

the SAP database

System information

Reconciliation

BS PampL

Account balances

Documents

Data export

Account balances

Line items

Non-SAP Environment SAP Environment

Work

paper

prep

Report

Analysis software

( ACL IDEA hellip )

Reporting software

Line items

Balances

Accounts

Customers

Vendors

Assets

Material

Orders

Invoices

hellip

copy 2013 SAP AG or an SAP affiliate company All rights reserved 37

Monitoring and Auditing The SAP Audit Information System (AIS)

The Audit Information System

facilitates smoother and

better quality audits

It consists of a number of single

roles and is a

collection

structure

default setup

hellipof SAP standard programs

The AIS is the Toolbox

for the AUDITOR

in the SAP environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 38

Read Access Logging Features

Read Access Logging (RAL) allows to log all access to classified or sensitive data and

supports the evaluation of these events It allows to track

Who did access the data

Which data was accessed

When was the data accessed

How did the data access take part via which transaction or user interface

Amount of detail to be logged is customizable based on

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs user interfaces

entities and their content

Session SIS104 ndash Finding the Leak ndash Using Access Logging to Monitor Access to Sensitive Data

copy 2013 SAP AG or an SAP affiliate company All rights reserved 39

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro SAP GUI

WebService or RFC) will trigger the framework to store data presented to the user via this

channel in the read access log according to the logging configuration

ABAP Server

Application Web Dynpro

Read Access

Log

copy 2013 SAP AG or an SAP affiliate company All rights reserved 40

Read Access Logging Framework Features

Read Access Logging allows to log all access to classified or sensitive data and support the

evaluation of these events Using filters you can restrict the amount of data logged and also

the data logged thus keeping private data out of the logs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 41

SAP Custom Development ndash User Interface (UI) Logging

SAP Backend System Repository

Permanent

Log Storage

SAP GUI

for Windows Dynpro Processor

Request

Response

Observed

data traffic

Application

Logic

Delivered sample Implementation

Temporary

Log

Asynchronous

call of

log service

In addition to the Read Access Logging framework you can use the SAP Custom Development UI

logging solution for releases before NW 740 UI logging is currently available as RCS product for the

channels SAP GUI for WindowsHTMLJava CRM Web Client UI and Business Warehouse (BEx

Analyzer BEx Web BW-IP MDX BICS) Further channels as well as individual enhancements can be

provided on request

copy 2013 SAP AG or an SAP affiliate company All rights reserved 42

UI Logging Log Record Example I

Transaction BP (Business Partner) Log Record

copy 2013 SAP AG or an SAP affiliate company All rights reserved 43

UI Logging Log Record Example II

Transaction SE16 (Table Viewer) Log Record

copy 2013 SAP AG or an SAP affiliate company All rights reserved 44

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
LOPD was first available with the BW 7.0 release.
Within the solution you can configure the information to be logged per InfoProvider.
The LOPD logging mechanism first does a simple relevance check for the InfoProvider underlying a query.
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Supported by:

Channel                       Read Access Logging   UI Logging Solution
SAP GUI                       No                    7.00 … 7.31
Web Dynpro ABAP               7.40 SP02             On request
CRM Web Client UI             No                    7.00 … 7.31
Business Warehouse            No                    7.00 … 7.31 (BW 7.0)
Web Services                  7.40                  On request
SAP RFC                       7.40 SP02             On request
Business Server Pages (BSP)   No                    On request


Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.
When recorded data contains information about individuals, it may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library]

Digital signatures for legally binding contracts
Integration with the Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption


Digital Signatures – Step by Step

1. A transaction triggers a digital signature.
2. User information is transferred.
3. The user authenticates and a digital certificate is received (SAP client).
4. The application digitally signs the documents and stores the data.

Supported out of the box for a set of SAP transactions.
Programming/integration is necessary in case of:
– ABAP programming for other transactions not yet supporting SSF
– Integration of the Secure Login Library with client actions
– Hardware support needed


SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance
Integrity
Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

Included in the SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser) connect via SNC to an SAP application server; SNC also protects the server-to-server traffic between SAP application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

[Diagram: SAP does secure software development; customers do secure software development, use security services and run security management]


Protecting Your SAP Systems (section overview diagram repeated)


SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


Protecting Your SAP Systems (section overview diagram repeated)


SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes on the second Tuesday of every month
SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)
SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners
SAP Security Documentation
– Security notes published on the Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press


Protecting Your SAP Systems (section overview diagram repeated)


SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling

(Topics from the security recommendations; discussed later.)
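As an added example of the kind of check behind "secure system configuration" and the configuration validation mentioned on the next slide, here is a small profile-parameter validator written for this page; it is not SAP Solution Manager's Configuration Validation. The parameter names are real AS ABAP profile parameters covering the topics above (password policy and hashes, the default SAP* user, gateway and message server ACLs, SNC, the Security Audit Log); the target values are assumptions chosen for the example and should be taken from SAP's secure configuration guide for a real system, and the profile excerpt is constructed.

```python
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of an AS ABAP instance profile in the "name = value"
# format of SAP profile files. The values are deliberately weak.
SAMPLE_PROFILE = """
# instance profile excerpt (constructed for the example)
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 0
login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 0
gw/acl_mode = 1
gw/reg_no_conn_info = 255
ms/acl_info = /usr/sap/XYZ/SYS/global/ms_acl_info
snc/enable = 1
rsau/enable = 0
"""

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines, ignoring comments and blank lines."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

Check = Tuple[Callable[[str], bool], str]   # (predicate on the raw value, human-readable target)

def at_least(n: int) -> Check:
    return (lambda v: v.isdigit() and int(v) >= n, f">= {n}")

def between(lo: int, hi: int) -> Check:
    return (lambda v: v.isdigit() and lo <= int(v) <= hi, f"{lo}..{hi}")

def equals(s: str) -> Check:
    return (lambda v: v == s, f"= {s}")

def is_set() -> Check:
    return (lambda v: v != "", "non-empty")

# Target values: assumptions for the example, not SAP's published numbers.
TARGETS: Dict[str, Check] = {
    "login/min_password_lng": at_least(8),                # password policy
    "login/password_downwards_compatibility": equals("0"),# only strong hashes usable
    "login/no_automatic_user_sapstar": equals("1"),       # default SAP* user
    "login/fails_to_user_lock": between(1, 5),            # brute-force lockout
    "rdisp/gui_auto_logout": between(1, 3600),            # session handling
    "gw/acl_mode": equals("1"),                           # gateway ACL default
    "gw/reg_no_conn_info": equals("255"),                 # registered-server checks
    "ms/acl_info": is_set(),                              # message server ACL
    "snc/enable": equals("1"),                            # SNC switched on
    "rsau/enable": equals("1"),                           # Security Audit Log
}

def validate(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, actual, expected) for every target that is not met.
    A parameter absent from the profile is reported as '<default>': the kernel
    default is usually the value the hardening guidance tells you to change."""
    findings = []
    for name, (ok, expected) in TARGETS.items():
        actual = params.get(name, "")
        if not ok(actual):
            findings.append((name, actual or "<default>", expected))
    return findings

def findings_for(text: str = SAMPLE_PROFILE) -> List[Tuple[str, str, str]]:
    return validate(parse_profile(text))
```

Running it against the constructed profile reports the six weak settings and leaves the four compliant ones alone; feeding it a near-empty profile shows why missing parameters must be treated as findings rather than skipped.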


Patch Management and Security Monitoring

Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager.
Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented.
Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
Easy-to-use, light-weight tool – short startup time, small memory footprint.
List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
For more information see SAP Note 1532674.


Protecting Your SAP Systems (section overview diagram repeated)


Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace
Resources
– SAP security recommendations
– SAP security guides
How to verify
– Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection
Resources
– SAP Secure Programming Guides
– SAP Security Recommendations
How to verify
– Source code scanning – automate it
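Two of the bug classes in that list, SQL injection and directory traversal, shown as a vulnerable function beside its hardened form. This is an added example written in Python for this page so it can be run anywhere, not ABAP code from SAP's secure programming guides; the table, file names and the injection payload are constructed. The ABAP analogues are a dynamic WHERE clause built from screen input (fix: let the input be a value, not statement text) and opening a file whose name the user controls (fix: validate the physical name against the allowed logical path before opening it).

```python
import sqlite3
import tempfile
from pathlib import Path

def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a customer table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, country TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Alice", "DE"), (2, "Bob", "FR"), (3, "Carol", "DE")])
    return con

# --- SQL injection: dynamic WHERE built from input vs. bound parameter -------
def customers_by_country_vulnerable(con, country):
    """Concatenates input into the statement. The payload "DE' OR '1'='1"
    turns a one-country lookup into a dump of every row."""
    sql = "SELECT name FROM customers WHERE country = '" + country + "'"
    return [row[0] for row in con.execute(sql)]

def customers_by_country_fixed(con, country):
    """Parameter binding: the input is only ever a value, never SQL text."""
    return [row[0] for row in con.execute(
        "SELECT name FROM customers WHERE country = ?", (country,))]

# --- Directory traversal: unchecked join vs. containment check --------------
def read_report_vulnerable(base: Path, name: str) -> str:
    """Joins a user-supplied name under base without validation, so
    '../secret.txt' leaves the directory."""
    return (base / name).read_text()

def read_report_fixed(base: Path, name: str) -> str:
    """Resolve the final path and require it to sit directly inside base
    (no subdirectories, no '..'). Reject everything else."""
    base = base.resolve()
    target = (base / name).resolve()
    if target.parent != base:
        raise PermissionError(f"path escapes {base}: {name!r}")
    return target.read_text()

def run_demo() -> dict:
    """Exercise both variants of both bugs in a throw-away directory."""
    with tempfile.TemporaryDirectory() as d:
        reports = Path(d) / "reports"
        reports.mkdir()
        (reports / "q1.txt").write_text("Q1 report")
        (Path(d) / "secret.txt").write_text("top secret")
        con = make_db()
        payload = "DE' OR '1'='1"
        try:
            read_report_fixed(reports, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return {
            "vulnerable_query": customers_by_country_vulnerable(con, payload),
            "fixed_query": customers_by_country_fixed(con, payload),
            "traversal_leak": read_report_vulnerable(reports, "../secret.txt"),
            "traversal_blocked": blocked,
            "legit_read": read_report_fixed(reports, "q1.txt"),
        }
```

Note that the fixed query returns nothing for the payload rather than erroring: with binding, the whole string is compared as a country code, which is exactly the behaviour a scanner such as the code vulnerability analysis add-on described on the following slides is looking for when it traces user input into a statement.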


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC)
– Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)
– Open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN)
– Extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis
– Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing by means of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security.
Neither DAST nor SAST is a guarantee to find all security issues in an application.

SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis
DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis – this is where the SAP NetWeaver Application Server add-on for code vulnerability analysis sits
DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing
Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– These are sent out for very important security-related news
Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes


Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.
How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).
You want to keep yourself up to date about security response practices in general?
– Go to the SAP Service Marketplace for Spotlight News
– Check the security notes released on the Security Patch Days
– Subscribe to the SAP Support Portal newsletter
– Maintain a security contact in your organization
You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance
Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
– Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
– Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
– Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.
Certified products:
– SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (hands-on, 2 hr)


Compliant Identity Management and Single Sign-On

Compliance and governance: SAP GRC Access Control
Identity management: SAP NetWeaver Identity Management
Authentication and single sign-on: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, web applications
Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store
Advanced SNC encryption
– Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
– Smart cards
– RADIUS


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP and non-SAP systems
– Identity Center
– Virtual Directory Server
– Identity Services
– Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
– Identity federation
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures
– Re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption (part of SAP NetWeaver)
– Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to web applications; XACML-based and policy-enforced access.
Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company domain single sign-on.
Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications.
Enterprise Single Sign-On (E-SSO): for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password.
SNC Client Encryption (part of SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on.


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, to create a common web access management layer for customers in a heterogeneous environment.


What Is Enterprise Single Sign-On?

[Diagram: after a primary authentication, the E-SSO agent (with E-SSO monitor and local management console) fills in the credentials of user jack_jones in a terminal emulator, a web form, web basic authentication, a Windows application and a Java application]


Secure Login – Solution Architecture

[Diagram: on the client system, the SAP front end (NWBC, SAP GUI) with the Secure Login Client, and a web browser with key store and the SLWC applet; the SAP backend ABAP stack carries the Secure Login Library and the PSE service, reached via DIAG/SNC and HTTP(S); the Secure Login Server on NetWeaver CE 7.2 (Java stack) holds configuration data and talks to an authentication server (e.g. SAP User Management); cryptography via the SAP or Java crypto library]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure (including the cloud).

[Diagram: Company A with ERP, CRM and SCM in Datacenter A; Company B with ERP, CRM and SCM in Datacenter B; further systems in the cloud]


Identity Federation – Solution

[Diagram: each company runs an Identity Provider; the ERP, CRM and SCM systems in Datacenter A and Datacenter B act as Service Providers (SP) and trust the federated identities]

Each company maintains only its own identities.
A company can trust the identities of another organization.
Employees of company A can get access to shared information of company B.
SAP Business Suite will be enabled for SAML (Service Provider).
Identity Provider and Service Provider are based on the open SAML standard.


Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an Identity Provider on SAP NetWeaver Java with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own user accounts; the browser logs on/off at the Identity Provider and presents a SAML token to the Service Providers]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).
Web users trying to access a system are redirected to the Identity Provider.
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication.
Web browser-based single sign-on is user-centric.
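What the Service Provider has to check on the SAML token it receives is where most federation deployments go wrong, so here is an added example of those checks, written for this page and not taken from SAP NetWeaver's SAML 2.0 implementation. It validates a constructed SAML 2.0 Response against the Service Provider's own identity: trusted issuer, success status, audience, validity window with clock skew, recipient, the InResponseTo of an outstanding request, and assertion-ID replay. The entity IDs, URLs, request ID and timestamps are made up. Signature verification (XML Signature over the assertion) is assumed to have happened before this function runs; without it, none of these checks mean anything.

```python
from datetime import datetime, timedelta, timezone
from typing import List
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML 2.0 Response (assumed names; carries no real signature).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z"
    Destination="https://erp.company-b.example/saml2/sp/acs">
  <saml:Issuer>https://idp.company-a.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
    <saml:Issuer>https://idp.company-a.example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jack.jones@company-a.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-11-05T10:05:00Z"
            Recipient="https://erp.company-b.example/saml2/sp/acs" InResponseTo="_req77"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://erp.company-b.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-05T09:59:30Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text: str, trusted_issuer: str, sp_entity_id: str,
                       acs_url: str, outstanding_request_ids: set,
                       seen_assertion_ids: set, now: datetime,
                       skew: timedelta = timedelta(minutes=2)) -> List[str]:
    """Return the reasons the assertion must be rejected (empty list = accept).
    Precondition: the XML signature has already been verified."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")
    if assertion.get("ID") in seen_assertion_ids:          # replay of a captured token
        problems.append("assertion ID replayed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_ts(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:                     # token meant for another SP
            problems.append("audience mismatch")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient mismatch")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            problems.append("unsolicited or unknown InResponseTo")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_ts(noa):
            problems.append("subject confirmation expired")
    return problems
```

After a successful validation the Service Provider should record the assertion ID (until its NotOnOrAfter has passed) and drop the request ID from the outstanding set, otherwise the replay and InResponseTo checks are decorative.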

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (hands-on, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context-Based Role Assignments (hands-on, 2 hr)


SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite]

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Compliance checks through GRC
SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: the Identity Center (IC) database – MS SQL or Oracle, soon IBM DB2 – holds stored procedures, logs, audit data and the Identity Services (IdS); Java and VB runtimes, the DSE (VB), a dispatcher and an event agent run against it; the Virtual Directory Server (VDS) in a Java VM fronts external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific connectors); the user interface is Web Dynpro on AS Java with an ID management UI abstraction and JMX, reached over HTTPS; administration via the MMC management console, soon to be Eclipse]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

The request flows between the user, the approver, SAP NetWeaver Identity Management, SAP GRC Access Control and the compliance team:

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, … (SAP GRC Access Control)
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …; and send approval mail to the user

Result: compliant identity management.
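Steps 4 and 5 are the part of that workflow that GRC Access Control adds: simulate the request, find segregation-of-duties conflicts, and decide whether it can be approved, approved with a mitigating control, or must go to the compliance team. The following is an added illustration of that risk analysis written for this page, not GRC Access Control's rule engine or its rule set. The functions, risks, roles and mitigations are constructed; the transaction codes are standard SAP ones but the role-to-transaction mapping is invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed rule set in the spirit of an access risk definition: a risk is a
# set of conflicting functions; a function is granted by any of its actions.
FUNCTIONS: Dict[str, Set[str]] = {
    "CREATE_VENDOR":  {"XK01", "FK01"},
    "POST_INVOICE":   {"FB60", "MIRO"},
    "PAY_VENDOR":     {"F110"},
    "MAINTAIN_USERS": {"SU01"},
    "MAINTAIN_ROLES": {"PFCG"},
}
RISKS: Dict[str, Set[str]] = {
    "P001 Vendor master vs. invoice posting": {"CREATE_VENDOR", "POST_INVOICE"},
    "P002 Invoice posting vs. payment run":   {"POST_INVOICE", "PAY_VENDOR"},
    "B001 User vs. role maintenance":         {"MAINTAIN_USERS", "MAINTAIN_ROLES"},
}
# Role definitions (constructed): which transactions each role grants.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK":      {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_PAYMENT_RUN":   {"F110"},
    "Z_USER_ADMIN":    {"SU01", "SU10"},
    "Z_ROLE_ADMIN":    {"PFCG"},
}

@dataclass
class Finding:
    risk: str
    functions: Set[str]
    via_roles: Dict[str, Set[str]]   # function -> roles that grant it (for the approver)
    mitigated: bool = False

def functions_of(roles: Set[str]) -> Dict[str, Set[str]]:
    """Map each function the user could perform to the roles that grant it."""
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        actions = ROLES.get(role, set())
        for fn, fn_actions in FUNCTIONS.items():
            if actions & fn_actions:
                granted.setdefault(fn, set()).add(role)
    return granted

def analyze(current_roles: Set[str], requested: Set[str],
            mitigations: Set[str] = frozenset()) -> List[Finding]:
    """Simulate the request: risks the user would have once the requested roles
    are added to the existing ones. A risk covered by an assigned mitigating
    control is still reported, flagged as mitigated, so the approver sees it."""
    granted = functions_of(current_roles | requested)
    findings = []
    for risk, conflict in RISKS.items():
        if conflict <= set(granted):
            findings.append(Finding(risk, conflict,
                                    {fn: granted[fn] for fn in conflict},
                                    mitigated=risk in mitigations))
    return findings

def decide(findings: List[Finding]) -> str:
    """Outcome for step 5: approve, approve with mitigation, or escalate."""
    if not findings:
        return "APPROVE"
    if all(f.mitigated for f in findings):
        return "APPROVE_WITH_MITIGATION"
    return "ESCALATE_TO_COMPLIANCE"
```

The point of simulating on the union of current and requested roles, rather than checking the requested roles alone, is that most real SoD violations arise across roles accumulated over several harmless-looking requests.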


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
– Access risk identification: define and understand access risks
– Access analysis and response: analyze and mitigate access risks
– Access reviews: periodic reviews of assignments, risk violations and controls
– Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.


SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 with Access Control, Process Control and Risk Management (software component GRCFND_A) and Content Lifecycle Management (CLM); plug-ins GRCPINW (NW function modules) and GRCPIERP (HR function modules, PC automated controls) are installed in SAP ERP (4.6C – 7.1) and reached via RFC; non-SAP business applications via an adapter; optional components: SAP NW Portal 7.02 with GRC portal content (HTTP), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP) via web services; front-end client: SAP GUI 7.10 (DIAG) or web browser (HTTP) with Adobe Flash Player and the SAP CR adapter – SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports]


Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events.
Reduce risk through compliance checks and remediation.
Automate manual processes through integration.

[Flow diagram: an HR application event (new hire, change of position) triggers identity management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; then users are created and roles/privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level – Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure takes attack pattern updates from SAP and collects logs of SAP NetWeaver, logs of non-SAP-NetWeaver systems, desktop and mobile front ends, infrastructure, database and network, plus alerts from SAP Solution Manager; stages: connectivity, extraction, filtering, normalization, aggregation; outputs: IDS, an API to other SIEM tools, and an information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
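The pipeline in that draft (connectivity, extraction, filtering, normalization, aggregation, then attack patterns applied to the result) can be shown in miniature. The following is an added example written for this page, not SAP's planned infrastructure or a real attack pattern of theirs: two differently formatted sources are normalized into one event schema, unknown lines are filtered out, and one cross-source pattern is evaluated, a successful logon for a user and terminal after several failed attempts within a short window. The log line formats are constructed; only the Security Audit Log message IDs AU1 (logon successful) and AU2 (logon failed) are real, the rest of the line layout is not SAP's.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # which log the event came from
    user: str
    terminal: str
    kind: str        # normalized: LOGON_OK or LOGON_FAIL

# Constructed line shapes for two sources (layout is assumed, not SAP's).
SAL_RE = re.compile(r"^(?P<ts>\d{8}T\d{6}) (?P<id>AU[12]) user=(?P<user>\S+) term=(?P<term>\S+)")
WEB_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<term>\S+) "(?P<user>[^"]*)" login (?P<result>ok|fail)')

def normalize(line: str) -> Optional[Event]:
    """Extraction + normalization: map each source into the common schema.
    User names are upper-cased so the two sources aggregate together."""
    m = SAL_RE.match(line)
    if m:
        return Event(datetime.strptime(m["ts"], "%Y%m%dT%H%M%S"), "SAL",
                     m["user"].upper(), m["term"],
                     "LOGON_OK" if m["id"] == "AU1" else "LOGON_FAIL")
    m = WEB_RE.match(line)
    if m:
        return Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "WEB",
                     m["user"].upper(), m["term"],
                     "LOGON_OK" if m["result"] == "ok" else "LOGON_FAIL")
    return None     # filtering: lines no parser knows are dropped

def detect_bruteforce_success(events: Iterable[Event], threshold: int = 3,
                              window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Pattern: a LOGON_OK preceded by >= threshold LOGON_FAIL for the same
    (user, terminal) inside the window, counting failures from any source."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[(ev.user, ev.terminal)]
        while q and ev.ts - q[0] > window:      # age out failures beyond the window
            q.popleft()
        if ev.kind == "LOGON_FAIL":
            q.append(ev.ts)
        elif ev.kind == "LOGON_OK" and len(q) >= threshold:
            alerts.append(f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.user}@{ev.terminal}: "
                          f"success after {len(q)} failures ({ev.source})")
            q.clear()
    return alerts

# Constructed sample: one burst that trips the pattern, one that is too slow.
SAMPLE_LINES = [
    "20131105T090001 AU2 user=jdoe term=PC-4711",
    "20131105T090007 AU2 user=jdoe term=PC-4711",
    '2013-11-05 09:00:15 PC-4711 "JDOE" login fail',
    "garbage line from another tool",
    "20131105T090030 AU1 user=jdoe term=PC-4711",
    "20131105T091000 AU2 user=msmith term=PC-0815",
    "20131105T091500 AU2 user=msmith term=PC-0815",
    "20131105T093000 AU1 user=msmith term=PC-0815",
]

def run(lines: List[str] = SAMPLE_LINES) -> List[str]:
    events = [e for e in map(normalize, lines) if e is not None]
    return detect_bruteforce_success(events)
```

The second user's two failures are fifteen and twenty minutes old by the time of the successful logon, so they have aged out of the window and produce no alert; that windowing is what keeps such a pattern from firing on every user who mistypes a password in the morning and gets it right after lunch.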


Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.
The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.
SAP leads the industry by helping our customers to thrive in today's business networks.



Further Information

SAP Public Web
– SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
– SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
– SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum
– http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management
– http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP"
– http://scn.sap.com/docs/DOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops: access hands-on workshops post-event; available January – March 2014; complimentary with your SAP TechEd registration. http://saptechedhandson.sap.com

SAP TechEd Online: access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more; view content only available online. http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP offers a holistic suite of security products, features and services to ensure secure customer systems

SAP NetWeaver Cloud and SAP ID Service: security features for cloud applications; authentication, single sign-on and identity federation for cloud applications.

Security Products: SAP NetWeaver Identity Management; SAP GRC Access Control; SAP NetWeaver Single Sign-On.

SAP NetWeaver 7.40: secure basis for SAP HANA; OAuth for mobile scenarios; Virus Scan Interface 2.0; Security Policies; Read Access Logging.

Internal and External Security Assessments: Security Response Process; Security Product Standard and Validation; Common Criteria Certification; Software Security Assurance.

Security Services and Information: best practices and security configuration guides on SCN; SAP Online Help; Security Optimization (self-)Service; Configuration Validation.

The SAP Ecosystem Advantage: Strong Security Partner Network

For security and compliant identity management SAP collaborates with numerous partners offering specialized solutions and services to fulfill even the most specific requirements of SAP customers.

The SAP ecosystem responds to a growing need for a more collaborative business approach – an approach designed specifically to deliver unparalleled customer value.

The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP, other customers, partners and individuals.

Agenda

SAP Solutions for Security, Identity Management and Single Sign-On

SAP NetWeaver Security Solutions
– Authentication and Single Sign-On
– Authorization and Role Management
– SAP HANA Security
– Mobile Security, Cloud Security
– Logging and Monitoring
– Encryption of Data at Rest and in Transit
– Secure Software Development, Standards and Certifications
– Security Services and Support Offerings

SAP NetWeaver Single Sign-On
– Single Sign-On, Enterprise Single Sign-On
– Identity Federation

SAP NetWeaver Identity Management

SAP GRC Access Control

SAP NetWeaver Security Features: Authentication and Single Sign-On

Secure access to applications: improve corporate security, decrease operational costs

(Figure: 3rd party systems, SAP mobile applications, SAP cloud applications and the SAP Business Suite are covered by three pillars.)

Authentication and single sign-on: make it easy for your users to do what they're allowed to do.

Identity management: making sure you know your users and what they can do.

Security governance and compliance: ensure corporate compliance to regulatory requirements.

Faster onboarding of new hires: 70%. Reduction of password-related help desk calls: 70%.

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI: User-ID + Password; X.509 client certificates; SAP NetWeaver Single Sign-On (Kerberos, 2-factor authentication); 3rd party SNC provider.

Web based: User-ID + Password; X.509 authentication; SAML 2.0; SAP Logon Tickets; Kerberos/SPNego; OAuth.

For Kerberos/SPNego on SAP NetWeaver AS ABAP the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security Policies control how users are allowed to access a system:
– the permitted mechanisms to authenticate
– settings for password strength and expiration
– settings on how combinations of mechanisms work together
– privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows for enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

(Figure: example users Karen, John and Susan with roles assigned.)

SAP ABAP Authorization Concept

Authorization Objects are the key pillar of the ABAP Authorization Concept. They provide the meta-level on top of which authorization checks are defined.

Design time: an Authorization Object X declares fields Field1 ... Field10. An Authorization is an instance of an object with concrete values (Authorization Object X: Field1 = ValuesX1 ... Field10 = ValuesX10; likewise for objects Y and Z). Authorizations are bundled into an Authorization Profile, the profile belongs to a Role, the role is assigned to a User and recorded in the user's master record.

Runtime: Transaction T runs Program P, which checks the authorization object field by field against specific values:

  AUTHORITY-CHECK OBJECT 'X'
    ID 'FIELD1'  FIELD value_x1
    ID 'FIELD10' FIELD value_x10.
  IF sy-subrc <> 0.
    MESSAGE 'Bad authz' TYPE 'E'.
  ENDIF.

The check succeeds (sy-subrc = 0) only if the user holds an authorization for object X whose values cover every checked field.
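The decision rule behind AUTHORITY-CHECK, as an added Python model (not ABAP code from the slides and not SAP's implementation): a check on an object passes only if at least one single authorization for that object covers every checked field, so values from two different authorizations are never combined. The object and field names S_TCODE/TCD and F_BKPF_BUK/ACTVT, BUKRS are standard SAP names; the users, roles and values are constructed, and the return codes 0/4/12 are modelled on the documented sy-subrc values (ok / not authorized / no authorization for the object).

```python
"""Model of the ABAP AUTHORITY-CHECK decision rule: a check on object O with
fields F1..Fn succeeds only if at least ONE authorization for O held by the
user covers EVERY checked field. Values from different authorizations are
not added together. Added example; roles and users are constructed."""
from typing import Dict, List, Tuple

# One authorization = (object, {field: [allowed values]}). An allowed value
# is a literal, '*' (everything), a trailing-'*' pattern or a range 'A-B'.
Authorization = Tuple[str, Dict[str, List[str]]]

def value_allowed(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    parts = pattern.split("-")
    if len(parts) == 2:                      # range check, e.g. '1000-2999'
        return parts[0] <= value <= parts[1]
    return pattern == value

class User:
    def __init__(self, name: str):
        self.name = name
        self.authorizations: List[Authorization] = []

    def assign_role(self, role: List[Authorization]) -> None:
        """A role carries a profile with authorizations; assigning the role
        makes them part of the user's master record (simplified)."""
        self.authorizations.extend(role)

    def authority_check(self, obj: str, **fields: str) -> int:
        """0 like sy-subrc on success, 4 when no authorization fits,
        12 when the user holds no authorization for the object at all."""
        candidates = [a for (o, a) in self.authorizations if o == obj]
        if not candidates:
            return 12
        for auth in candidates:
            # A field not named in the check is not examined (like ABAP DUMMY).
            if all(any(value_allowed(p, val) for p in auth.get(f, []))
                   for f, val in fields.items()):
                return 0
        return 4

# Constructed roles
GEN_FIN = [
    ("S_TCODE", {"TCD": ["FB03", "FBL3N"]}),
    ("F_BKPF_BUK", {"ACTVT": ["03"], "BUKRS": ["1000"]}),   # display in 1000
    ("F_BKPF_BUK", {"ACTVT": ["02"], "BUKRS": ["2000"]}),   # change in 2000
]
FIN_ADMIN = [
    ("S_TCODE", {"TCD": ["F*"]}),
    ("F_BKPF_BUK", {"ACTVT": ["*"], "BUKRS": ["1000-2999"]}),
]

def demo() -> Dict[str, int]:
    smithj = User("SMITHJ")
    smithj.assign_role(GEN_FIN)
    admin = User("FINADM")
    admin.assign_role(FIN_ADMIN)
    return {
        "smithj_display_1000": smithj.authority_check("F_BKPF_BUK", ACTVT="03", BUKRS="1000"),
        # not summed across authorizations: change (02) in 1000 is denied
        "smithj_change_1000": smithj.authority_check("F_BKPF_BUK", ACTVT="02", BUKRS="1000"),
        "smithj_tcode_fb03": smithj.authority_check("S_TCODE", TCD="FB03"),
        "smithj_tcode_fb01": smithj.authority_check("S_TCODE", TCD="FB01"),
        "smithj_no_object": smithj.authority_check("S_USER_GRP", CLASS="SUPER", ACTVT="02"),
        "admin_change_2500": admin.authority_check("F_BKPF_BUK", ACTVT="02", BUKRS="2500"),
        "admin_tcode_fb01": admin.authority_check("S_TCODE", TCD="FB01"),
    }

if __name__ == "__main__":
    for name, rc in demo().items():
        print(f"{name}: sy-subrc = {rc}")
```

The interesting case is smithj_change_1000: the user may display in company code 1000 and change in 2000, but the two authorizations do not combine into "change in 1000". Role designers who spread field values over several authorizations of the same object get exactly this behaviour, which is why SoD analysis has to look at authorizations, not just at which objects a role contains.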

HR Organizational Management – Org Structure in HR

(Figure: the HR org structure links org units (O), positions (S), employees (P) and SAP users (US).)

Org units (O): Finance, HR, Market GER. An org unit holds 1..n positions.

Positions (S): 70008501, 70008502. Each position is held 1:1 by an employee.

Employees (P): John Smith, Eva Scott. Each employee is linked 1:1 to a SAP user via Infotype 105.

SAP users (US): SMITHJ, SCOTTE.

HR Organizational Management – Role Assignment

(Figure: the same org structure – org units (O) Finance, HR, Market GER; positions (S) 70008501, 70008502; employees (P) John Smith, Eva Scott; SAP users (US) SMITHJ, SCOTTE linked via Infotype 105 – now with roles (AG) assigned in the structure.)

Roles (AG): GEN_FIN, HR_ADM.

User SMITHJ inherits roles GEN_FIN and HR_ADM.

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

(Figure: SAP HANA with its security functions – authentication/SSO, authorization, encryption, audit logging, identity store – accessed by clients over SQL and MDX via an application server, over HTTP(S) by XS applications, and over SQL by SAP HANA Studio for administration.)

SAP HANA – authentication and single sign-on

SQL access: user name and password (incl. password policy); Kerberos; SAML.

HTTP access (SAP HANA XS): user name and password (basic authentication, form-based login, incl. password policy); SAML; X.509; SAP logon tickets.

SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database.

Roles (and privileges) can be assigned to users. Roles are used to bundle and structure privileges – create roles for specific groups of users; role hierarchies are supported.

Role lifecycle: design-time roles, export to production system, activate, runtime.

SAP HANA – authorization: privilege types

System privileges: authorize execution of administrative actions for the entire SAP HANA database.

SQL privileges: authorize access to data and operations on database objects.

Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view.

Package privileges: authorize access in the repository (modeling environment) at design time.

Application privileges: authorize access to SAP HANA XS application functions.
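How the role hierarchy from the previous slide and the privilege types above combine at request time, as an added Python model; this is not SAP HANA code and the role, view and dimension names are constructed. Only the privilege categories and two rules are SAP's: a SELECT on an activated view needs both the SQL privilege on the view and at least one analytic privilege for it, and a row is returned when any applicable analytic privilege accepts it.

```python
"""Model of how SAP HANA resolves a user's effective privileges through a
role hierarchy and applies them: system privileges for administrative
actions, SQL privileges for objects, analytic privileges as row-level
filters on views. Added example; names are constructed."""
from typing import Dict, List, Set, Tuple

Row = Dict[str, str]
Filter = Dict[str, Set[str]]            # dimension -> allowed values

class Role:
    def __init__(self, name: str):
        self.name = name
        self.system: Set[str] = set()                    # e.g. 'USER ADMIN'
        self.sql: Set[Tuple[str, str]] = set()           # (object, action)
        self.analytic: Dict[str, Filter] = {}            # view -> filter
        self.parents: List["Role"] = []                  # roles granted to this role

def effective(role: Role) -> Tuple[Set[str], Set[Tuple[str, str]], Dict[str, List[Filter]]]:
    """Walk the role hierarchy (cycle safe) and union the privileges.
    Analytic privileges are collected as alternative filters per view."""
    seen: Set[str] = set()
    system: Set[str] = set()
    sql: Set[Tuple[str, str]] = set()
    analytic: Dict[str, List[Filter]] = {}
    stack = [role]
    while stack:
        r = stack.pop()
        if r.name in seen:
            continue
        seen.add(r.name)
        system |= r.system
        sql |= r.sql
        for view, flt in r.analytic.items():
            analytic.setdefault(view, []).append(flt)
        stack.extend(r.parents)
    return system, sql, analytic

def row_allowed(filters: List[Filter], row: Row) -> bool:
    """A row passes if ANY analytic privilege matches on ALL its dimensions."""
    return any(all(row.get(dim) in vals for dim, vals in f.items()) for f in filters)

def select_view(role: Role, view: str, rows: List[Row]) -> List[Row]:
    """SELECT on an activated view: SQL privilege AND an analytic privilege
    are both required; the analytic privileges decide which rows come back."""
    _, sql, analytic = effective(role)
    if (view, "SELECT") not in sql:
        raise PermissionError(f"insufficient privilege: SELECT on {view}")
    if view not in analytic:
        raise PermissionError(f"insufficient privilege: no analytic privilege for {view}")
    return [r for r in rows if row_allowed(analytic[view], r)]

def admin_action(role: Role, action: str) -> bool:
    return action in effective(role)[0]

# Constructed hierarchy: SALES_DE and SALES_AT both contain SALES_BASE,
# SALES_DACH contains both of them.
SALES_BASE = Role("SALES_BASE")
SALES_BASE.sql.add(("SALES_VIEW", "SELECT"))
SALES_DE = Role("SALES_DE")
SALES_DE.parents.append(SALES_BASE)
SALES_DE.analytic["SALES_VIEW"] = {"REGION": {"DE"}}
SALES_AT = Role("SALES_AT")
SALES_AT.parents.append(SALES_BASE)
SALES_AT.analytic["SALES_VIEW"] = {"REGION": {"AT"}}
SALES_DACH = Role("SALES_DACH")
SALES_DACH.parents += [SALES_DE, SALES_AT]
SEC_ADMIN = Role("SEC_ADMIN")
SEC_ADMIN.system.add("USER ADMIN")

# Constructed rows of SALES_VIEW
ROWS = [{"REGION": "DE", "AMOUNT": "100"}, {"REGION": "AT", "AMOUNT": "50"},
        {"REGION": "CH", "AMOUNT": "70"}, {"REGION": "US", "AMOUNT": "900"}]

if __name__ == "__main__":
    print(sorted(r["REGION"] for r in select_view(SALES_DACH, "SALES_VIEW", ROWS)))
```

SALES_BASE alone can name the view but sees no rows at all (no analytic privilege), SALES_DE sees DE, and SALES_DACH sees the union DE and AT because the filters granted through the hierarchy are alternatives, not an intersection.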

SAP HANA – communication and data encryption

Communication encryption: SSL.

Data encryption: data volumes on disk.

SAP HANA – audit logging

Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes.

User-defined policies for audit logging.

Data access logging: read and write access (tables, views), execution of procedures.

Audit trail written to Linux syslog.

SAP HANA – security administration

SAP HANA Studio (administration); SQL interface (command line tool hdbsql available).

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful

(Figure: layers of mobile security – Device: Mobile Device Management; Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container; Content: Mobile Content Management; Communications: Telecom Expense Management; Systems Management: Enterprise Mobility Management System. SAP Mobile Security is offered on-premise, hybrid and cloud.)

Introducing SAP Mobile Documents: share my files, my files on any device, mobilize enterprise content

Access personal business documents instantly on your laptop or any mobile device. Discover and access content from corporate document management systems. Share files with teams, colleagues and business partners from anywhere.

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

(Figure: SAP ID service provides authentication, single sign-on and user management for the SAP Cloud, managing identities and their lifecycle within the SAP Cloud, and leverages SSO to SAP web sites, On-Demand applications and the customer's on-premise app.)

One SAP identity: SAP ID service bridges the gap between
• the customer's on-premise applications
• SAP on-demand applications
• SAP websites
• 3rd party on-demand applications
by verifying user identities and granting authentication.

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

(Figure: the enterprise (on-premise) camp and the internet/cloud (on-demand) camp, with the standards in use between them: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos.)

SAP bridges the gap between these two "camps".

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud.

SOAP/WS-* is the preferred choice for process integration in the enterprise.

Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.

Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.

The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP – OD instead of point-to-point connections.

(Figure: in the customer's on-premise network the user authenticates at the on-premise IdP (e.g. with X.509); the IdP federates via SAML to SAP ID service in the SAP on-demand network, which in turn provides SAML-based SSO to SAP Business ByDesign, SAP HANA Cloud and 3rd party apps; social IdPs can be connected as well.)
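The checks a service provider has to make on an assertion it receives through the SAML Web SSO profile with IdP proxying, as an added Python example that is not part of the slides or of SAP ID service. To keep it runnable offline, a JSON body with an HMAC stands in for the XML assertion and its XML-DSig signature; everything else follows the SAML 2.0 profile: the SP trusts only the proxy IdP (the SAP ID service in the figure) and never the on-premise IdP directly, verifies the signature before looking at anything else, checks the audience, the validity window and one-time use of the assertion ID. Entity IDs, keys and the attribute recording the original authenticating IdP are assumptions.

```python
"""Service-provider side validation of a SAML-style assertion behind an IdP
proxy. Added example: JSON + HMAC stands in for XML + XML-DSig; the checks
(trusted issuer, signature, audience, validity window, replay) are the ones
the SAML 2.0 Web SSO profile requires. Names and keys are constructed."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

class SamlValidationError(Exception):
    pass

def _sign(key: bytes, body: Dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    def __init__(self, entity_id: str, trusted_idps: Dict[str, bytes], clock_skew: int = 120):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps      # issuer -> signing key (stand-in for the IdP certificate)
        self.clock_skew = clock_skew
        self.seen_ids: Set[str] = set()       # replay cache of consumed assertion IDs

    def consume(self, token: Dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        body, sig = token["assertion"], token["signature"]
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:                                   # 1. issuer must be a configured trust
            raise SamlValidationError(f"untrusted issuer {body.get('issuer')!r}")
        if not hmac.compare_digest(_sign(key, body), sig):  # 2. signature before anything else
            raise SamlValidationError("bad signature")
        if body.get("audience") != self.entity_id:        # 3. assertion meant for this SP
            raise SamlValidationError("audience mismatch")
        if not (body["not_before"] - self.clock_skew <= now < body["not_on_or_after"] + self.clock_skew):
            raise SamlValidationError("assertion outside validity window")   # 4. NotBefore/NotOnOrAfter
        if body["id"] in self.seen_ids:                   # 5. one-time use
            raise SamlValidationError("assertion replayed")
        self.seen_ids.add(body["id"])
        return body["subject"]

def issue(issuer: str, key: bytes, subject: str, audience: str, now: float,
          assertion_id: str, proxied_from: Optional[str] = None) -> Dict:
    """Stand-in for the IdP (or proxy) side: build and sign a 5-minute assertion."""
    body = {"id": assertion_id, "issuer": issuer, "subject": subject, "audience": audience,
            "not_before": now, "not_on_or_after": now + 300}
    if proxied_from:          # assumption: the proxy records the original authenticating IdP
        body["authenticating_authority"] = proxied_from
    return {"assertion": body, "signature": _sign(key, body)}

PROXY = "https://accounts.sap.example"          # constructed proxy IdP entity ID
ONPREM = "https://idp.customer.example"         # constructed on-premise IdP entity ID
PROXY_KEY = b"sap-id-service-signing-key"
SP_ID = "https://byd.example/sp"

def demo(now: float = 1383638400.0) -> Dict[str, str]:
    # The SP trusts only the proxy; the on-premise IdP is not in its trust list.
    sp = ServiceProvider(SP_ID, {PROXY: PROXY_KEY})
    results: Dict[str, str] = {}
    good = issue(PROXY, PROXY_KEY, "smithj@example.com", SP_ID, now, "_a1", proxied_from=ONPREM)
    results["valid"] = sp.consume(good, now)
    tampered = issue(PROXY, PROXY_KEY, "x", SP_ID, now, "_a5")
    tampered["assertion"]["subject"] = "admin"           # modified after signing
    cases = {
        "replay": good,
        "wrong_audience": issue(PROXY, PROXY_KEY, "x", "https://other.example/sp", now, "_a2"),
        "expired": issue(PROXY, PROXY_KEY, "x", SP_ID, now - 1000, "_a3"),
        "direct_onprem": issue(ONPREM, b"onprem-key", "x", SP_ID, now, "_a4"),
        "tampered": tampered,
    }
    for name, token in cases.items():
        try:
            sp.consume(token, now)
            results[name] = "accepted"
        except SamlValidationError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "direct_onprem" case is the point of proxying: the cloud SP has exactly one trust relationship, to the proxy, so an assertion signed by the on-premise IdP is rejected even though it is well-formed, and adding a new on-premise IdP is a change at the proxy, not at every SP.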

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration.

Secure Communication and Interaction: OnDemand Solutions

(Figure: two companies, A and B, each with a backend network of R/3 and ERP application server farms and a directory (DIR), each with its own identity provider and on-demand solution. SAML is used between the identity providers and the on-demand solutions, and between the on-demand solutions of Company A and Company B; SAP logon tickets are used within the backend networks.)

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java.)

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System: used to ensure secure and compliant operations of business functions. Target audience: auditor.

Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when and via which interface. Target audience: data protection officer.

Security Audit Log: monitoring of security-relevant events in the system like logon, access control violations and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure: audit planning with a work program (system audit, business audit); online controls on the SAP database – system information, reconciliation of BS/P&L, account balances, documents; data export of account balances and line items over an export interface to the non-SAP environment, where analysis software (ACL, IDEA, ...) and reporting software support work paper preparation and reports on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...)

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) logs access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
– who accessed the data
– which data was accessed
– when the data was accessed
– how the data access took place, i.e. via which transaction or user interface

The amount of detail to be logged is customizable based on:
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Figure: ABAP server – a Web Dynpro application writes to the Read Access Log.)

Read Access Logging Framework: Features

Read Access Logging logs access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
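The two sides of read access logging described on the last slides, recording who/what/when/how and filtering so that private data stays out of the log, as an added Python model. It is not SAP's RAL framework: the configuration shape (a per-field rule that logs the value, logs only the fact of access, or logs only when a condition on the record holds) and the entity, channel and application names are constructed; the four dimensions recorded per entry are the ones RAL tracks.

```python
"""Simplified read access log: every display of a classified field via a
channel is recorded with who/what/when/how, and a per-field rule decides
whether the value itself is kept, only the access is noted, or logging is
skipped unless a condition on the record holds. Added example; the
configuration shape and all names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional

@dataclass
class FieldRule:
    log_value: bool                                      # False = log the access only
    condition: Optional[Callable[[Dict[str, str]], bool]] = None  # log only matching records

@dataclass
class LogEntry:
    user: str
    channel: str            # e.g. WEBDYNPRO, RFC
    ui: str                 # application, transaction or function module
    entity: str
    record_key: str
    field_name: str
    value: Optional[str]    # None when the rule says "without value"
    timestamp: datetime

@dataclass
class ReadAccessLog:
    rules: Dict[str, Dict[str, FieldRule]]              # entity -> field -> rule
    entries: List[LogEntry] = field(default_factory=list)

    def record_display(self, user: str, channel: str, ui: str, entity: str,
                       record: Dict[str, str], shown_fields: List[str],
                       now: datetime) -> int:
        """Called when a channel presents `shown_fields` of `record` to `user`.
        Returns the number of log entries written."""
        written = 0
        for fname in shown_fields:
            rule = self.rules.get(entity, {}).get(fname)
            if rule is None:                            # not classified: nothing to log
                continue
            if rule.condition is not None and not rule.condition(record):
                continue                                # filtered out by condition
            self.entries.append(LogEntry(
                user, channel, ui, entity, record["ID"], fname,
                record.get(fname) if rule.log_value else None, now))
            written += 1
        return written

    def who_accessed(self, entity: str, record_key: str, fname: str) -> List[str]:
        """Evaluation side: who saw this field of this record, via what and when."""
        return [f"{e.user}@{e.channel}/{e.ui} at {e.timestamp:%Y-%m-%d %H:%M}"
                for e in self.entries
                if e.entity == entity and e.record_key == record_key and e.field_name == fname]

# Constructed policy for a business partner entity: IBAN access is logged but
# the IBAN itself stays out of the log; SALARY is logged with its value, but
# only for partners flagged as VIP; NAME is not classified and never logged.
RULES = {"BUSINESS_PARTNER": {
    "IBAN": FieldRule(log_value=False),
    "SALARY": FieldRule(log_value=True, condition=lambda r: r.get("VIP") == "X"),
}}

def demo() -> ReadAccessLog:
    ral = ReadAccessLog(RULES)
    t = datetime(2013, 11, 5, 9, 30)
    vip = {"ID": "BP100", "NAME": "Eva Scott", "IBAN": "DE00TEST", "SALARY": "95000", "VIP": "X"}
    std = {"ID": "BP200", "NAME": "John Smith", "IBAN": "DE11TEST", "SALARY": "40000", "VIP": ""}
    ral.record_display("SMITHJ", "WEBDYNPRO", "BP_DISPLAY", "BUSINESS_PARTNER",
                       vip, ["NAME", "IBAN", "SALARY"], t)
    ral.record_display("SCOTTE", "RFC", "Z_BP_READ", "BUSINESS_PARTNER",
                       std, ["NAME", "IBAN", "SALARY"], t)
    return ral

if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The "without value" rule is what keeps the log itself from becoming a second copy of the sensitive data, the point the legal-compliance slide later makes about credit card details; the condition is how the volume is limited to the records that actually matter.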

SAP Custom Development – User Interface (UI) Logging

(Figure: SAP GUI for Windows exchanges requests and responses with the Dynpro processor in the SAP backend system; the observed data traffic between Dynpro processor and application logic is written to a temporary log and, via an asynchronous call of the log service, to permanent log storage in the repository; a sample implementation is delivered.)

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I – Transaction BP (Business Partner) log record (screenshot).

UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record (screenshot).

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider. The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Read Access Logging | UI Logging Solution
SAP GUI                      | No                  | 7.00 ... 7.31
Web Dynpro ABAP              | 7.40 SP02           | On request
CRM Web Client UI            | No                  | 7.00 ... 7.31
Business Warehouse           | No                  | 7.00 ... 7.31, BW 7.0
Web Services                 | 7.40                | On request
SAP RFC                      | 7.40 SP02           | On request
Business Server Pages (BSP)  | No                  | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

copy 2013 SAP AG or an SAP affiliate company All rights reserved 48

Digital Signatures Via SSF API and Secure Login Library

SRM SCM ERP

PLM CRM

SAP Business Suite

SAP NetWeaver

Secure Store and Forward (SSF) library

SAP CRYPTOLIB or Secure Login Library

Digital signatures for legally binding

contracts

Integration with Secure Store and

Forward (SSF) API

Out of the box support for a set of

SAP transactions

Consistent with SAP Single Sign-On

mechanisms

Easy and flexible to implement

Generation of X509 certificates and

smart card support

PCI-DSS-compliant encryption

copy 2013 SAP AG or an SAP affiliate company All rights reserved 49

Digital Signatures – Step by Step

1. Transaction triggers digital signature
2. User information is transferred to the SAP client
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions. Programming/integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of Secure Login Library with client actions; hardware support needed.

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel (compliance, integrity, confidentiality).

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license; encryption between SAP client and application server; based on SNC and Kerberos; no hybrid encryption available, compared to SAP NetWeaver Single Sign-On; no single sign-on included.

(Figure: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connect via SNC to SAP application servers, which also use SNC between each other.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Figure: on the SAP side, Secure Software Development; on the customer side, Secure Software Development, Security Services and Security Management. The following slides walk through each area.)

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day: SAP security notes, second Tuesday every month.

SAP Active Global Support security tools and services: SAP Solution Manager System Recommendations; SAP EarlyWatch Alert (EWA) with security section; SAP Solution Manager Configuration Validation; SAP Security Optimization Service (SOS).

SAP security consulting services.

SAP Security Services Overview (2/2)

SAP Security Training: secure operation trainings by SAP; secure development trainings by partners.

SAP Security Documentation: security notes published on Service Marketplace; SAP security guides for every product; SAP security recommendations on some patch days; secure programming guides; RunSAP end-to-end solution operations; books published by SAP Press.


SAP Security Management for Your Systems: Are you ready?

Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later): network filtering; SAP GUI for Windows; limit web-enabled content; SAP Gateway and SAP Message Server security; Secure Network Communication (SNC) and HTTPS; ABAP RFC connectivity; password management (password policy, password hashes, default passwords); secure session handling.

Patch Management and Security Monitoring

Check the security of your systems onsite, remote or as self service via SAP Solution Manager.

Verify release information and configuration parameters against targets for all systems connected to Solution Manager.

Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented.

Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design: authentication and identity propagation; secure session handling; communication protocols; authorization concept; logging and audit trace.

Resources: SAP security recommendations; SAP security guides.

How to verify: design review, architectural risk analysis.

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs: cross-site scripting (XSS); cross-site request forgery (XSRF); SQL injection; directory traversal; ABAP code injection.

Resources: SAP Secure Programming Guides; SAP Security Recommendations.

How to verify: source code scanning – automate it.

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage.

Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks.

Extended Program Check (SLIN): extended program check which analyzes the source code.

SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

• DAST: find vulnerabilities in the running application (automated application vulnerability scanning, manual application penetration testing)
• SAST: find vulnerabilities by analyzing the sources (automated source code analysis, manual source code review)

Code Vulnerability Analysis: Scan, Analyze, and Fix Your Programs

• DAST: find vulnerabilities in the running application (automated application vulnerability scanning, manual application penetration testing)
• SAST: find vulnerabilities by analyzing the sources (automated source code analysis, manual source code review); the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs here
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter, Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the second Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
• Spotlight news
• Checking the security notes released on the Security Patch Days
• Subscription to the SAP Support Portal newsletter
• Maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic – Course ID
• Authorizations AS ABAP – ADM940
• Authorizations AS Java, Portal – ADM200, EP200, ADM800
• Authorizations BW – BW365
• SAP NetWeaver Identity Management – ADM920
• Security Auditing – ADM950
• Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification

Common Criteria for Information Technology Security Evaluation (ISO 15408)
• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels
• EAL 1: functionally tested
• EAL 2: structurally tested
• EAL 3: methodically tested and checked
• EAL 4: methodically designed, tested, and reviewed
• EAL 5: semi-formally designed and tested
• EAL 6: semi-formally verified, designed, and tested
• EAL 7: formally verified, designed, and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Republic of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

• Compliance and governance: SAP GRC Access Control
• Identity management: SAP NetWeaver Identity Management
• Authentication and single sign-on: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers
• No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after a primary authentication as user jack_jones, the E-SSO client (with its E-SSO monitor and local management console) fills the stored credentials into a terminal emulator, a web form, web basic authentication, a Windows application, and a Java application.]

Secure Login – Solution Architecture

[Diagram: on the client system, the SAP frontend (NWBC, SAP GUI) with the Secure Login Client and the web browser with the SLWC applet and key store use the SAP or Java crypto library; they reach the SAP backend systems over DIAG/SNC and HTTP(S). The ABAP stack carries the Secure Login Library and PSE service, next to the Java stack. The Secure Login Server on NetWeaver CE 7.2 holds the configuration data and verifies users against an authentication server (e.g. SAP User Management).]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), with the cloud between them.]

Identity Federation – Solution

[Diagram: each company runs its own Identity Provider; the ERP, CRM, and SCM systems in Datacenter A and Datacenter B are enabled as Service Providers (SP) and linked through identity federation.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an Identity Provider on SAP NetWeaver Java holds the user account; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java, and non-SAP systems each hold their own user account; log on/log off and the SAML token are exchanged between them.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
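The redirect-to-IdP flow described above, as an added example that is not SAP's implementation: one Identity Provider, two Service Providers (an ABAP and a Java system with their own local accounts), one interactive logon, then sessions on both systems. The entity IDs, the user jsmith/SMITHJ and the key IDP_KEY are constructed; an HMAC over canonical JSON stands in for the XML signature a real SAML 2.0 IdP applies, and the checks in consume_assertion (signature, issuer, audience, validity window, InResponseTo, one-time use) are the ones an SP must perform before it creates a session.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

IDP_ISSUER = "https://idp.example.test"     # constructed IdP entity ID
IDP_KEY = b"constructed-idp-signing-key"    # stands in for the IdP's signing key pair


def _canon(body: dict) -> bytes:
    # Canonical form that gets signed; real SAML signs canonicalized XML.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Holds the only user account that is authenticated interactively."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # IdP cookie -> user

    def logon(self, user: str, password: str) -> Optional[str]:
        # Constructed credential check; a real IdP uses its user store, Kerberos or X.509.
        if (user, password) != ("jsmith", "correct horse"):
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def issue_assertion(self, cookie: str, sp_entity_id: str, request_id: str,
                        now: float) -> Optional[dict]:
        user = self.sessions.get(cookie)
        if user is None:
            return None   # no IdP session: the browser gets the logon page first
        body = {"Issuer": IDP_ISSUER, "NameID": user, "Audience": sp_entity_id,
                "InResponseTo": request_id, "ID": secrets.token_hex(8),
                "NotBefore": now, "NotOnOrAfter": now + 300}
        return {"body": body,
                "signature": hmac.new(IDP_KEY, _canon(body), hashlib.sha256).hexdigest()}


class ServiceProvider:
    """An SP keeps its own user account and trusts the IdP only for authentication."""

    def __init__(self, entity_id: str, local_accounts: Dict[str, str]) -> None:
        self.entity_id = entity_id
        self.local_accounts = local_accounts      # NameID -> the SP's own local user
        self.pending: Dict[str, float] = {}       # AuthnRequest IDs this SP sent
        self.used_assertion_ids: set = set()
        self.sessions: Dict[str, str] = {}        # SP cookie -> local user

    def start_sso(self, now: float) -> str:
        request_id = secrets.token_hex(8)
        self.pending[request_id] = now
        return request_id   # the browser is redirected to the IdP carrying this ID

    def consume_assertion(self, assertion: dict, now: float) -> Optional[str]:
        body, sig = assertion["body"], assertion["signature"]
        expected = hmac.new(IDP_KEY, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                                   # tampered, or not our IdP
        if body["Issuer"] != IDP_ISSUER or body["Audience"] != self.entity_id:
            return None                                   # not addressed to this SP
        if not body["NotBefore"] <= now < body["NotOnOrAfter"]:
            return None                                   # outside the validity window
        if self.pending.pop(body["InResponseTo"], None) is None:
            return None                                   # unsolicited or already answered
        if body["ID"] in self.used_assertion_ids:
            return None                                   # assertion replay
        self.used_assertion_ids.add(body["ID"])
        local = self.local_accounts.get(body["NameID"])
        if local is None:
            return None                                   # no account on this system
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = local
        return cookie


def sso_to_two_systems() -> Dict[str, Optional[str]]:
    """One interactive logon at the IdP, then sessions on both SPs without re-authentication."""
    now = time.time()
    idp = IdentityProvider()
    abap_sp = ServiceProvider("https://abap.example.test/sp", {"jsmith": "SMITHJ"})
    java_sp = ServiceProvider("https://java.example.test/sp", {"jsmith": "jsmith"})
    idp_cookie = idp.logon("jsmith", "correct horse")
    result: Dict[str, Optional[str]] = {}
    for sp in (abap_sp, java_sp):
        request_id = sp.start_sso(now)
        assertion = idp.issue_assertion(idp_cookie, sp.entity_id, request_id, now)
        cookie = sp.consume_assertion(assertion, now)
        result[sp.entity_id] = sp.sessions.get(cookie)
        # Presenting the same assertion a second time must be rejected.
        result[sp.entity_id + "#replay"] = sp.consume_assertion(assertion, now)
    return result


if __name__ == "__main__":
    print(sso_to_two_systems())
```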

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with its Central Identity Store, connected to SAP Access Control (GRC) and the SAP Business Suite; a business event such as on-boarding triggers the process.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: the Identity Center with its IC database (MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, identity services), Java and VB runtimes, the dispatcher that starts the Event Agent, and the Management Console (MMC, soon to be Eclipse); the Virtual Directory Server (Java VM, LDAP) in front of external repositories (LDAP, Java, ABAP, Web services, Active Directory, SAP HR, SiteMinder, application-specific) over their own protocols; the ID management user interface runs as Web Dynpro on AS Java over HTTPS, with JMX for monitoring.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram: User, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 1: Request for
• Role
• Privileges
• User account
• …

Compliant Identity Management

[Diagram: User, Approver, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 2: Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

Compliant Identity Management

[Diagram: User, Approver, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 3: Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

Compliant Identity Management

[Diagram: User, Approver, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 4: Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

Compliant Identity Management

[Diagram: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 5: Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

Compliant Identity Management

[Diagram: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP GRC Access Control]

Step 6: Provision to
• Business applications
• Non-SAP systems
• …
and send the approval mail to the user

Compliant Identity Management

Result: compliant identity management

[Diagram: the six steps between User (1), Approver (2, 3), SAP NetWeaver Identity Management, SAP GRC Access Control (4), Compliance Team (5) and the provisioned target systems (6).]

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations, and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 (AC, PC & RM, software component GRCFND_A) runs on SAP NetWeaver AS ABAP 7.02 and connects via RFC to SAP ERP (4.6C – 7.1) through plug-ins (NW function modules, plug-in GRCPINW; HR function modules and PC automated controls, plug-in GRCPIERP) and via an adapter to non-SAP business applications. Optional components: SAP NW Portal 7.02 (GRC portal content), SAP NW BW 7.02 (GRC BI content), SAP NW Java 7.02 (Adobe Document Services), identity management solutions (SAP or non-SAP) over Web services, and Content Lifecycle Management (CLM). The front-end client is SAP GUI 7.10 (DIAG) or a web browser (http) with Adobe Flash Player and the SAP CR adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports).]

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Diagram: an HR application event (new hire, position change) lets Identity Management calculate entitlements based on the position; the line manager approves the assignments (yes/no); SAP GRC Access Control performs the compliance check and remediation; users are then created and roles or privileges assigned across the heterogeneous landscape.]

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure performs aggregation, normalization, connectivity, filtering, and extraction over logs of SAP NetWeaver and non-SAP-NetWeaver systems, desktop and mobile frontends, infrastructure, database, and network; it receives attack pattern updates by SAP and alerts from SAP SolMan, connects to IDS, offers an API to other SIEM tools, and has an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
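The aggregation, normalization and attack-pattern stages of the draft above, as an added example that is not SAP's planned implementation. The two log excerpts are constructed for this example (their layouts are stand-ins for an ABAP security audit log and a web server access log, as are the login path and the users), and the single rule in detect_guessing (repeated failed logons followed by a success from the same origin) is an illustrative pattern, not an SAP-supplied one.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input. The layouts are stand-ins for an ABAP security audit
# log (AU1 = successful logon, AU2 = failed logon) and a web server access log.
ABAP_LOG = """\
20131105 101502 AU2 TERM01 SMITHJ logon failed
20131105 101509 AU2 TERM01 SMITHJ logon failed
20131105 101515 AU2 TERM01 SMITHJ logon failed
20131105 101521 AU2 TERM01 SMITHJ logon failed
20131105 101530 AU1 TERM01 SMITHJ logon successful
20131105 101700 AU1 TERM07 SCOTTE logon successful
"""
WEB_LOG = """\
10.0.0.5 - - [05/Nov/2013:10:20:01 +0000] "POST /sap/bc/login HTTP/1.1" 401 user=ADMIN
10.0.0.5 - - [05/Nov/2013:10:20:03 +0000] "POST /sap/bc/login HTTP/1.1" 401 user=ADMIN
10.0.0.5 - - [05/Nov/2013:10:20:05 +0000] "POST /sap/bc/login HTTP/1.1" 401 user=ADMIN
10.0.0.5 - - [05/Nov/2013:10:20:09 +0000] "POST /sap/bc/login HTTP/1.1" 200 user=ADMIN
"""

ABAP_RE = re.compile(r"(\d{8}) (\d{6}) (AU[12]) (\S+) (\S+) logon (failed|successful)")
WEB_RE = re.compile(r'(\S+) - - \[\d\d/\w{3}/\d{4}:(\d\d):(\d\d):(\d\d) [^\]]*\] '
                    r'"POST /sap/bc/login[^"]*" (\d{3}) user=(\S+)')


def normalize(abap_text: str, web_text: str) -> List[Dict]:
    """Aggregation + normalization: map both sources onto one event schema
    (ts = seconds of day, source, user, origin, outcome), sorted by time."""
    events: List[Dict] = []
    for line in abap_text.splitlines():
        m = ABAP_RE.match(line)
        if m:
            _, hhmmss, _, terminal, user, outcome = m.groups()
            ts = int(hhmmss[:2]) * 3600 + int(hhmmss[2:4]) * 60 + int(hhmmss[4:])
            events.append({"ts": ts, "source": "abap", "user": user,
                           "origin": terminal, "outcome": outcome})
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ip, hh, mm, ss, status, user = m.groups()
            events.append({"ts": int(hh) * 3600 + int(mm) * 60 + int(ss), "source": "web",
                           "user": user, "origin": ip,
                           "outcome": "successful" if status == "200" else "failed"})
    return sorted(events, key=lambda e: e["ts"])


def detect_guessing(events: List[Dict], min_failures: int = 3, window: int = 300) -> List[Dict]:
    """Attack pattern (illustrative, not SAP-supplied): at least `min_failures` failed
    logons for one user from one origin within `window` seconds, followed by a
    successful logon from the same origin. Emits one alert per such sequence."""
    alerts: List[Dict] = []
    failures: Dict[tuple, List[int]] = defaultdict(list)   # (user, origin) -> failure times
    for e in events:
        key = (e["user"], e["origin"])
        if e["outcome"] == "failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"user": e["user"], "origin": e["origin"], "source": e["source"],
                           "failures": len(recent), "success_at": e["ts"]})
        failures[key].clear()   # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(normalize(ABAP_LOG, WEB_LOG)):
        print(alert)
```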

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions; the identity management, SSO, and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


The SAP Ecosystem Advantage: Strong Security Partner Network

For security and compliant identity management, SAP collaborates with numerous partners offering specialized solutions and services to fulfill even the most specific requirements of SAP customers.

The SAP ecosystem responds to a growing need for a more collaborative business approach – an approach designed specifically to deliver unparalleled customer value.

The SAP ecosystem puts customers in the center of a dynamic universe that includes SAP, other customers, partners, and individuals.

Agenda

• SAP Solutions for Security, Identity Management, and Single Sign-On
• SAP NetWeaver Security Solutions
  – Authentication and Single Sign-On
  – Authorization and Role Management
  – SAP HANA Security
  – Mobile Security, Cloud Security
  – Logging and Monitoring
  – Encryption of Data at Rest and in Transit
  – Secure Software Development, Standards and Certifications
  – Security Services and Support Offerings
• SAP NetWeaver Single Sign-On
  – Single Sign-On, Enterprise Single Sign-On
  – Identity Federation
• SAP NetWeaver Identity Management
• SAP GRC Access Control

SAP NetWeaver Security Features: Authentication and Single Sign-On

Secure access to applications: improve corporate security, decrease operational costs

[Diagram: SAP Business Suite, SAP cloud applications, SAP mobile applications, and 3rd-party systems, covered by three layers.]

• Authentication and single sign-on: make it easy for your users to do what they're allowed to do
• Identity management: making sure you know your users and what they can do
• Security governance and compliance: ensure corporate compliance with regulatory requirements

Faster onboarding of new hires: 70%. Reduction of password-related help desk calls: 70%.

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
• User ID + password
• X.509 client certificates
• SAP NetWeaver Single Sign-On
  – Kerberos
  – 2-factor authentication
• 3rd-party SNC provider

Web based
• User ID + password
• X.509 authentication
• SAML 2
• SAP Logon Tickets
• Kerberos / SPNego
• OAuth

For Kerberos / SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security policies allow controlling the abilities of users to access a system:
• The permitted mechanisms to authenticate
• Settings for password strength and expiration
• Settings on how combinations of mechanisms work together
• Privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows for enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

[Diagram: users Karen, John, and Susan with their roles.]

SAP ABAP Authorization Concept

Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.

[Diagram: an authorization object X with fields Field1 … Field10 is instantiated as authorizations with specific values (Authorization Object X: Field1 = ValuesX1 … Field10 = ValuesX10; likewise for objects Y and Z). The authorizations are bundled in an authorization profile, the profile belongs to a role, the role is assigned to a user, and the assignment is stored in the user's master record. At runtime, transaction T runs program P, which checks its values against the user's authorizations field by field.]

Runtime check in program P (the slide's snippet, completed to valid ABAP; the value variables are placeholders):

    AUTHORITY-CHECK OBJECT 'X'
      ID 'FIELD1'  FIELD ValueX1
      ID 'FIELD10' FIELD ValueX10.
    IF sy-subrc NE 0.
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

HR Organizational Management – Org Structure in HR

[Diagram: org units (O) Finance, HR, and Market GER contain positions (S) 70008501 and 70008502 (1:n); each position is held by an employee (P), John Smith and Eva Scott (1:1); each employee is linked to an SAP user (US), SMITHJ and SCOTTE (1:1), via Infotype 105.]

HR Organizational Management – Role Assignment

[Diagram: the same org structure (org units Finance, HR, Market GER; positions 70008501 and 70008502; employees John Smith and Eva Scott; SAP users SMITHJ and SCOTTE linked via Infotype 105), now with roles (AG) GEN_FIN and H_ADM attached to the org structure. User SMITHJ inherits roles GEN_FIN and HR_ADM.]
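The authorization concept of the preceding slides (authorization objects, authorizations as field-value instances, profiles, roles, users) together with the indirect role assignment through the HR org structure shown above, as an added example in Python that is not SAP code. The objects Z_FIN and P_ORGIN with their values, the org units, positions 70008501/70008502 and users SMITHJ/SCOTTE are constructed sample data; the check semantics follow AUTHORITY-CHECK: a check succeeds only if one single authorization for the object satisfies every checked field.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Authorization:
    """One instance of an authorization object: field name -> allowed value patterns.
    '*' and trailing-'*' patterns are matched the way ABAP authorization values allow."""
    obj: str
    values: Dict[str, List[str]]

    def permits(self, required: Dict[str, str]) -> bool:
        # Every checked field must be satisfied by this same instance; a field the
        # instance does not carry at all fails the check.
        for fld, needed in required.items():
            allowed = self.values.get(fld, [])
            if not any(fnmatchcase(needed, pat) for pat in allowed):
                return False
        return True


@dataclass
class Profile:
    name: str
    authorizations: List[Authorization] = field(default_factory=list)


@dataclass
class Role:
    name: str
    profile: Profile


@dataclass
class OrgUnit:
    name: str
    roles: List[Role] = field(default_factory=list)


@dataclass
class Position:
    pos_id: str
    org_unit: OrgUnit
    roles: List[Role] = field(default_factory=list)

    def inherited_roles(self) -> List[Role]:
        # Roles on the position itself plus the roles of its org unit.
        return self.roles + self.org_unit.roles


@dataclass
class User:
    name: str
    direct_roles: List[Role] = field(default_factory=list)
    positions: List[Position] = field(default_factory=list)  # employee -> user link (Infotype 105)

    def roles(self) -> List[Role]:
        """Effective roles: assigned directly or inherited through the positions held."""
        seen, out = set(), []
        for r in self.direct_roles + [r for p in self.positions for r in p.inherited_roles()]:
            if r.name not in seen:
                seen.add(r.name)
                out.append(r)
        return out


def authority_check(user: User, obj: str, **required: str) -> int:
    """Mirror of AUTHORITY-CHECK: 0 (sy-subrc) if some single authorization for `obj`
    in any of the user's roles matches all checked fields, else 4."""
    for role in user.roles():
        for auth in role.profile.authorizations:
            if auth.obj == obj and auth.permits(required):
                return 0
    return 4


# Constructed sample landscape: objects, values, roles, org structure and users are
# illustrative and not taken from a real system.
FIN_DISPLAY = Authorization("Z_FIN", {"ACTVT": ["03"], "BUKRS": ["1000"]})       # display in 1000
FIN_CHANGE = Authorization("Z_FIN", {"ACTVT": ["01", "02"], "BUKRS": ["2000"]})  # change in 2000
HR_ALL_DE = Authorization("P_ORGIN", {"ACTVT": ["*"], "PERSA": ["DE*"]})          # any action, DE areas

GEN_FIN = Role("GEN_FIN", Profile("T-GEN_FIN", [FIN_DISPLAY, FIN_CHANGE]))
HR_ADM = Role("HR_ADM", Profile("T-HR_ADM", [HR_ALL_DE]))

FINANCE = OrgUnit("Finance", roles=[GEN_FIN])                   # role attached to the org unit
HR = OrgUnit("HR")
POS_70008501 = Position("70008501", FINANCE, roles=[HR_ADM])   # role attached to the position
POS_70008502 = Position("70008502", HR, roles=[HR_ADM])

SMITHJ = User("SMITHJ", positions=[POS_70008501])   # John Smith: inherits GEN_FIN and HR_ADM
SCOTTE = User("SCOTTE", positions=[POS_70008502])   # Eva Scott: inherits HR_ADM only

if __name__ == "__main__":
    print(sorted(r.name for r in SMITHJ.roles()))
    print(authority_check(SMITHJ, "Z_FIN", ACTVT="03", BUKRS="1000"))   # display in 1000: allowed
    print(authority_check(SMITHJ, "Z_FIN", ACTVT="02", BUKRS="1000"))   # change in 1000: no single instance allows it
    print(authority_check(SCOTTE, "Z_FIN", ACTVT="03", BUKRS="1000"))   # SCOTTE has no GEN_FIN
```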

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – Overview of Security Functions

[Diagram: SAP HANA with its XS application layer and SQL/MDX interfaces; clients reach XS over HTTP(S), while application servers, clients, and SAP HANA Studio (administration) connect via SQL. Security functions: authentication/SSO, authorization, encryption, audit logging, identity store.]

SAP HANA – Authentication and Single Sign-On

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – User and Role Management

• For logon, users must exist in the identity store of the SAP HANA database
• Roles (and privileges) can be assigned to users
• Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies are supported
• Role lifecycle: design-time roles, export to production system, activate runtime

SAP HANA – Authorization: Privilege Types

• System privileges: authorize execution of administrative actions for the entire SAP HANA database
• SQL privileges: authorize access to data and operations on database objects
• Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view
• Package privileges: authorize access in the repository (modeling environment) at design time
• Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – Communication and Data Encryption

Communication encryption
– SSL

Data encryption
– Data volumes on disk

SAP HANA – Audit Logging

• Logging of critical events for security and compliance, e.g.
  – User, role, and privilege changes
  – Configuration changes
• User-defined policies for audit logging
• Data access logging
  – Read and write access (tables, views), execution of procedures
• Audit trail written to Linux syslog

SAP HANA – Security Administration

• SAP HANA Studio
• SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

SAP Mobile Security (on-premise, hybrid, cloud)
• Device: Mobile Device Management
• Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
• Content: Mobile Content Management
• Communications: Telecom Expense Management
• Systems management: Enterprise Mobility Management System

Introducing SAP Mobile Documents

[Panel titles: Share My Files; My Files - Any Device; Mobilize Enterprise Content]

  - Access personal business documents instantly on your laptop or any mobile device
  - Discover and access content from corporate document management systems
  - Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents


SAP ID Service: One Login for Cloud Applications

[Diagram: SAP ID service (Authentication, Single Sign-On, User Management) in the SAP Cloud, connected to the customer's on-premise app]

  - Managing identities and their lifecycle within the SAP Cloud
  - Leverage SSO to SAP web sites and On-Demand applications
  - One SAP identity: the SAP ID service bridges the gap between
      * the customer's on-premise application
      * SAP on-demand applications
      * SAP websites
      * 3rd party on-demand applications
    by verifying user identities and granting authentication

Session SIS102: SAP ID Service - Single Sign-On for Cloud Applications


Enterprise / Cloud: Two Identity "Camps", Handled With Industry Standards

[Diagram: standards positioned between the Enterprise (On-Premise) camp and the Internet/Cloud (On-Demand) camp: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos]

SAP bridges the gap between these two "camps".


Support of Industry Standards

  - REST is the preferred choice for UI consumption scenarios in the cloud.
  - SOAP/WS-* is the preferred choice for process integration in the enterprise.
  - Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
  - Integration between On-Demand and On-Premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
  - The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.


On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between on-premise (OP) and on-demand (OD) instead of point-to-point connections

[Diagram: in the customer on-premise network the user authenticates to the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service acts as IdP proxy towards SAP Business ByDesign, SAP HANA Cloud, a social IdP and a 3rd party app (SAML)]


On-Demand and On-Premise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with On-Demand and On-Premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Diagram: On-Demand integration, On-Premise integration, On-Device integration]


Secure Communication and Interaction: On-Demand Solutions

[Diagram: backend networks of Company A and Company B (R/3 application server farms, ERP, DIR), each with its own Identity Provider, connected to On-Demand solutions; SAML and SAP Logon Tickets are used for single sign-on between the components]

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

  - Configuration and results of the Security Audit Log in ABAP: transactions SM18, SM19, SM20
  - Results of the Log Viewer in Java


Logging and Monitoring: AS ABAP Tools Overview

Audit Information System
  - Used to ensure secure and compliant operation of business functions
  - Target audience: Auditor

Read Access Log
  - Used to ensure compliant access to sensitive or classified data
  - Allows tracking of who accessed which data, when, and via which interface
  - Target audience: Data Protection Officer

Security Audit Log
  - Monitoring of security-relevant events in the system, like logons, access control violations and more
  - Target audience: Security Administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: SAP environment: audit planning and work program (system audit, business audit); online controls on the SAP database (system information, reconciliation of BS / P&L, account balances, documents); data export (account balances, line items) via an export interface. Non-SAP environment: work paper preparation, reporting, analysis software (ACL, IDEA, ...) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...]


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
  - who accessed the data
  - which data was accessed
  - when the data was accessed
  - how the data access took place, i.e. via which transaction or user interface

The amount of detail to be logged is customizable based on:
  - user interfaces used to access the data
  - operations executed on remote APIs
  - users using the remote APIs / user interfaces
  - entities and their content

Session SIS104: Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP Server running a Web Dynpro application that writes to the Read Access Log]


Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
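As an added example (not from this deck or any SAP code), the following Python models the behaviour described in the two Read Access Logging slides above: a logging configuration decides per channel, user, entity and field whether a value is logged verbatim, masked, or only recorded as displayed, so full card numbers and free-text health data stay out of the log while who / which data / when / how remain answerable. The event format, configuration keys and sample events are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class AccessEvent:
    """One piece of data shown to a user via a channel (constructed format)."""
    when: datetime
    user: str
    channel: str      # e.g. "SAP GUI", "Web Dynpro ABAP", "RFC", "Web Service"
    interface: str    # transaction code or remote API name
    entity: str       # logical entity, e.g. "BusinessPartner"
    fields: dict      # field name -> value presented to the user


# Logging configuration (constructed): which fields count as classified and
# how much of their content may be written to the log.
RAL_CONFIG = {
    "channels": {"SAP GUI", "Web Dynpro ABAP", "RFC", "Web Service"},
    "exclude_users": {"BATCHUSER"},       # technical users that are not logged
    "entities": {
        "BusinessPartner": {
            "PARTNER_ID": "value",        # key field: needed to know which record
            "CREDIT_CARD": "masked",      # PCI: never the full card number
            "HEALTH_NOTE": "displayed",   # record only that the field was shown
        },
        "Employee": {
            "PERNR": "value",
            "SALARY": "displayed",
        },
    },
}


def mask(value: str) -> str:
    """Keep only the last four characters, e.g. of a card number."""
    digits = value.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"


def build_ral_record(ev: AccessEvent, cfg: dict = RAL_CONFIG) -> Optional[dict]:
    """Return a log record for the event, or None when it is out of scope.
    Fields not configured as classified are dropped, so nothing private
    reaches the log by accident."""
    if ev.channel not in cfg["channels"] or ev.user in cfg["exclude_users"]:
        return None
    field_cfg = cfg["entities"].get(ev.entity)
    if not field_cfg:
        return None
    logged = {}
    for name, mode in field_cfg.items():
        if name not in ev.fields:
            continue
        raw = str(ev.fields[name])
        if mode == "value":
            logged[name] = raw
        elif mode == "masked":
            logged[name] = mask(raw)
        else:                       # "displayed": the access, not the content
            logged[name] = "<displayed>"
    if not logged:
        return None                 # no classified data was shown
    return {
        "who": ev.user,
        "when": ev.when.isoformat(timespec="seconds"),
        "how": f"{ev.channel}:{ev.interface}",
        "which": {"entity": ev.entity, "fields": logged},
    }


def who_accessed(records, entity, field_name):
    """Evaluation step: distinct users who saw a given classified field."""
    return sorted({r["who"] for r in records
                   if r["which"]["entity"] == entity
                   and field_name in r["which"]["fields"]})


# Constructed sample events
SAMPLE_EVENTS = [
    AccessEvent(datetime(2013, 11, 5, 9, 14, 2), "JDOE", "SAP GUI", "BP",
                "BusinessPartner", {"PARTNER_ID": "1000042",
                                    "CREDIT_CARD": "4111 1111 1111 1111",
                                    "HEALTH_NOTE": "diabetic", "CITY": "Walldorf"}),
    AccessEvent(datetime(2013, 11, 5, 9, 20, 30), "BATCHUSER", "RFC",
                "BAPI_BUPA_GETDETAIL", "BusinessPartner",
                {"PARTNER_ID": "1000042", "CREDIT_CARD": "4111 1111 1111 1111"}),
    AccessEvent(datetime(2013, 11, 5, 10, 1, 0), "ASMITH", "Web Dynpro ABAP",
                "HRMSS_PAY", "Employee", {"PERNR": "00012345", "SALARY": "7200.00"}),
    AccessEvent(datetime(2013, 11, 5, 10, 5, 0), "ASMITH", "SAP GUI", "SE16",
                "Employee", {"PERNR": "00012345", "CITY": "Walldorf"}),
    AccessEvent(datetime(2013, 11, 5, 10, 9, 0), "JDOE", "SAP GUI", "SE16",
                "Material", {"MATNR": "M-001"}),     # not a classified entity
]


def read_access_log(events=SAMPLE_EVENTS, cfg=RAL_CONFIG):
    """Apply the configuration to all events and keep the resulting records."""
    return [r for r in (build_ral_record(e, cfg) for e in events) if r]


if __name__ == "__main__":
    for rec in read_access_log():
        print(rec)
```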


SAP Custom Development: User Interface (UI) Logging

[Diagram: SAP GUI for Windows sends requests to the Dynpro Processor in the SAP backend system; the observed data traffic (request/response) between the Dynpro Processor and the application logic is written to a temporary log and, via an asynchronous call of the log service, to permanent log storage in the repository (delivered sample implementation)]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I

[Screenshot: log record of transaction BP (Business Partner)]


UI Logging: Log Record Example II

[Screenshot: log record of transaction SE16 (Table Viewer)]


Access Logging with Business Warehouse

  - SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
  - LOPD was first available with the BW 7.0 release.
  - Within the solution you can configure the information to be logged per InfoProvider.
  - The LOPD logging mechanism will first do a simple relevance check for the InfoProvider underlying a query.
  - For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

  Channel                       Supported by Read Access Logging   UI Logging Solution
  SAP GUI                       No                                 7.00...7.31
  Web Dynpro ABAP               7.40 SP02                          On request
  CRM Web Client UI             No                                 7.00...7.31
  Business Warehouse            No                                 7.00...7.31, BW 7.0
  Web Services                  7.40                               On request
  SAP RFC                       7.40 SP02                          On request
  Business Server Pages (BSP)   No                                 On request


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library]

  - Digital signatures for legally binding contracts
  - Integration with the Secure Store and Forward (SSF) API
  - Out-of-the-box support for a set of SAP transactions
  - Consistent with SAP Single Sign-On mechanisms
  - Easy and flexible to implement
  - Generation of X.509 certificates and smart card support
  - PCI-DSS-compliant encryption


Digital Signatures: Step by Step

[Diagram: SAP client interacting with the application, steps 1-4]

  1. Transaction triggers digital signature
  2. User information is transferred
  3. User authenticates and digital certificate is received
  4. Application digitally signs documents and stores data

  - Supported out-of-the-box for a set of SAP transactions
  - Programming/integration necessary in case of:
      * ABAP programming for other transactions not yet supporting SSF
      * Integration of the Secure Login Library with client actions
      * Hardware support needed


SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

  - Compliance
  - Integrity
  - Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption: Overview

  - Included in the SAP NetWeaver license
  - Encryption between SAP client and application server
  - Based on SNC and Kerberos
  - No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
  - No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to SAP application servers; SNC also between the application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

[Diagram: SAP (Secure Software Development) and Customers (Secure Software Development, Security Services, Security Management)]




SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates at Planning to Development, Development to Production, and Production to Ramp Up]

Secure software development is embedded in the Product Innovation Lifecycle:
  - We train developers on secure software development
  - We plan and implement security using product standard requirements
  - We use state-of-the-art quality assurance methods
  - We verify in quality gates that requirements are met
  - We provide fixes via Product Security Response if vulnerabilities are identified
  - We provide Active Global Support and consulting security services




SAP Security Services Overview (1/2)

SAP Security Patch Day
  - SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
  - SAP Solution Manager System Recommendations
  - SAP EarlyWatch Alert (EWA) with security section
  - SAP Solution Manager Configuration Validation
  - SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
  - Secure operation trainings by SAP
  - Secure development trainings by partners

SAP Security Documentation
  - Security notes published on the Service Marketplace
  - SAP security guides for every product
  - SAP security recommendations on some patch days
  - Secure programming guides
  - RunSAP end-to-end solution operations
  - Books published by SAP Press




SAP Security Management for Your Systems

Are you ready?
  - Do you have management support for SAP security?
  - Do you have defined responsibilities for SAP security?
  - Do you have a security contact maintained in SMP?
  - Do you have standards and guidelines for SAP security?
  - Do you have know-how in security operations?
  - Do you have know-how in secure development?
  - Do you have know-how in authorizations and SoD?
  - Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

  - Network filtering
  - SAP GUI for Windows
  - Limit web-enabled content
  - SAP Gateway and SAP Message Server security
  - Secure Network Communication (SNC) and HTTPS
  - ABAP RFC connectivity
  - Password management: password policy, password hashes, default passwords
  - Secure session handling

(from the security recommendations discussed later)


Patch Management and Security Monitoring

  - Check the security of your systems onsite, remotely, or as a self service via SAP Solution Manager
  - Verify release information and configuration parameters against targets for all systems connected to Solution Manager
  - Evaluate SAP security notes every patch day
  - The most important notes which can be automatically applied are checked and the result is presented
  - Manage SAP security notes for all systems connected to Solution Manager

Session SIS103: Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

  - Easy-to-use, light-weight tool: short startup time, small memory footprint
  - List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
      * each task available in two flavors, one for ABAP and one for Java application servers
      * SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
      * SSL Profile Validation: validates parameter settings for secure sessions
      * SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.




Secure Custom Development: Secure Design

Secure design
  - Authentication and identity propagation
  - Secure session handling
  - Communication protocols
  - Authorization concept
  - Logging and audit trace

Resources
  - SAP security recommendations
  - SAP security guides

How to verify
  - Design review, architectural risk analysis


Secure Custom Development: Secure Programming

Secure programming - avoid security bugs
  - Cross-site scripting (XSS)
  - Cross-site request forgery (XSRF)
  - SQL injection
  - Directory traversal
  - ABAP code injection

Resources
  - SAP Secure Programming Guides
  - SAP Security Recommendations

How to verify
  - Source code scanning - automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC)
  - Central place for all check tools, exemption handling, result storage

Code Inspector (SCI)
  - Open framework for customers, partners and SAP to develop code-related checks

Extended Program Check (SLIN)
  - Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis
  - Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261: Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: spectrum from Manual Source Code Review and Automated Source Code Analysis to Automated Application Vulnerability Scanning and Manual Application Penetration Testing]

  - DAST: find vulnerabilities in the running application
  - SAST: find vulnerabilities by analyzing the sources


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

  - DAST: find vulnerabilities in the running application
  - SAST: find vulnerabilities by analyzing the sources
  - SAP NetWeaver Application Server add-on for code vulnerability analysis
  - Finding security issues at design time is easier and less expensive

Session SIS261: Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
  - Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
  - Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
      * Sent out for very important security-related news

Reporting product security issues
  - Create a customer ticket in the support system
  - If you do not have SAP support, send an email to secure@sap.com
      * Please use PGP for email encryption
      * The public PGP key is linked at https://service.sap.com/securitynotes


Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
  - spotlight news
  - checking the security notes released on the Security Patch Days
  - subscription to the SAP Support Portal newsletter
  - maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
  - SAP System Administration - User and Security
  - SAP Governance, Risk & Compliance

Certification
  - SAP Certified Technology Professional - Security with SAP NetWeaver 7.0
  - The Security Consultant Certification test
      * verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
      * proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
  - Booking code: P_ADM_SEC_70

  Topic                                     Course ID
  Authorizations AS ABAP                    ADM940
  Authorizations AS Java / Portal           ADM200, EP200, ADM800
  Authorizations BW                         BW365
  SAP NetWeaver Identity Management         ADM920
  Security Auditing                         ADM950
  Technical Security (RFC, SSL, SNC, ...)   ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

  - Accepted in most of the major global markets
  - Permits comparison between independent security evaluations
  - Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
  - A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
  - EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
  EAL 1   Functionally tested
  EAL 2   Structurally tested
  EAL 3   Methodically tested and checked
  EAL 4   Methodically designed, tested and reviewed
  EAL 5   Semi-formally designed and tested
  EAL 6   Semi-formally verified, designed and tested
  EAL 7   Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
  - SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
  - SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200: SAP NetWeaver Single Sign-On - Overview and Latest News (Lecture, 1 hr)

Session SIS265: Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

[Diagram: Compliance and Governance: SAP GRC Access Control; Identity Management: SAP NetWeaver Identity Management; Authentication and Single Sign-On: SAP NetWeaver Single Sign-On]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
  - SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
  - Microsoft Active Directory Server
  - Microsoft Certificate Store

Advanced SNC encryption
  - Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
  - Smart cards
  - RADIUS


SAP NetWeaver Identity Management and Single Sign-On (SAP NetWeaver)

SAP NetWeaver Identity Management
  - User and role management
  - Provisioning to SAP and non-SAP systems
  - Identity Center
  - Virtual Directory Server
  - Identity Services
  - Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
  - Identity federation
  - Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
  - Digital signatures
  - Re-authentication
  - Advanced encryption of SAP GUI for Windows communication
  - Strong authentication (RADIUS, smart cards)
  - RSA certification
  - Coming with version 2.0:
      * SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
      * FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
  - Basic encryption of the communication path between SAP Windows clients and SAP application servers
  - No single sign-on


SAP NetWeaver Single Sign-On and Solution Components

[Diagram labels: SAP NetWeaver, Partner, API]

Web Access Management (Partner)
  - Endorsed Business Solution (EBS) with the CA SiteMinder product
  - Policy-based authentication and authorization to web applications
  - XACML-based and policy-enforced access

Identity Federation
  - Web-based and web service-based authentication
  - Single sign-on and identity federation via SAML 2.0
  - Cross-company / cross-domain single sign-on

Secure Login
  - Single sign-on for web-based and web service-based applications
  - Standards-based single sign-on for SAP GUI (Kerberos, X.509)
  - Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
  - Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet)
  - Secured and automated login via user and password

SNC Client Encryption
  - Basic encryption between SAP Windows clients and SAP application servers
  - No single sign-on


EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA - CA SiteMinder
  - Dynamic authorization (SAP NetWeaver Java and non-SAP)
  - Dynamic authentication (SAP NetWeaver Java and non-SAP)
  - Social networking authentication (Facebook, Google, etc.)
  - Cross-application and cross-domain session management
  - Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
  - User-to-application security for a heterogeneous app environment
  - No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

[Diagram: after primary authentication, the E-SSO monitor (with a local management console) supplies the credentials of user jack_jones to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application]


Secure Login: Solution Architecture

[Diagram: Client system: SAP frontend (NWBC, SAP GUI) with Secure Login Client; web browser with key store and SLWC (applet); SAP or Java Crypto Library. Backend systems: SAP backend system (ABAP stack) with Secure Login Library; NetWeaver CE 7.2 (Java stack) running the Secure Login Server with config data and PSE service; authentication server (e.g. SAP User Management). Protocols: DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264: Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation


Why Identity Federation?

  - Different companies
  - One business process
  - Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, ...) and Company B (Datacenter B: ERP, CRM, SCM, ...) connected through the Cloud]


Identity Federation: Solution

[Diagram: Datacenter A of Company A and Datacenter B of Company B, each with ERP, CRM and SCM systems acting as Service Providers (SP) and each with its own Identity Provider; identity federation between the two Identity Providers]

  - Each company maintains only its own identities
  - A company can trust the identities of another organization
  - Employees of company A can get access to shared information of company B
  - SAP Business Suite will be enabled for SAML (Service Provider)
  - Identity Provider and Service Provider are based on the open SAML standard


Identity Provider: Web Browser-Based Single Sign-On

[Diagram: SAP NetWeaver Java Identity Provider (user account) issues SAML tokens on log on / log off to Service Providers, each with its own user account: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP]

  - The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
  - Web users trying to access a system will be redirected to the Identity Provider
  - Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
  - Web browser-based single sign-on is user-centric
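To make the redirect flow above concrete, here is an added example (not part of the deck or of SAP NetWeaver Single Sign-On) of the checks a SAML 2.0 Service Provider applies to the assertion the browser brings back from the Identity Provider: trusted Issuer, Audience, validity window with clock skew, InResponseTo against an outstanding AuthnRequest, and replay of the assertion ID. It assumes the XML signature has already been verified by an XML-DSig library; the entity IDs, request ID and sample response are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of the SAML 2.0 protocol and assertion schemas
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2013-11-05T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    """SP-side state: trust configuration, outstanding requests, replay cache."""

    def __init__(self, entity_id, trusted_idps, clock_skew=timedelta(minutes=2)):
        self.entity_id = entity_id              # our entityID, expected as Audience
        self.trusted_idps = set(trusted_idps)   # IdPs we hold a trust configuration for
        self.clock_skew = clock_skew
        self.outstanding_requests = set()       # AuthnRequest IDs issued, not yet consumed
        self.seen_assertion_ids = set()         # replay cache (time-bounded in production)

    def validate_response(self, xml_text, now):
        """Return the authenticated NameID or raise SamlValidationError.
        Assumes the XML signature was already verified by an XML-DSig library."""
        root = ET.fromstring(xml_text)
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SamlValidationError("IdP did not report Success")
        in_response_to = root.get("InResponseTo")
        if in_response_to not in self.outstanding_requests:
            raise SamlValidationError("response does not match an outstanding AuthnRequest")
        assertion = root.find("saml:Assertion", NS)
        conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
        if assertion is None or conditions is None:
            raise SamlValidationError("assertion or conditions missing")
        issuer = assertion.findtext("saml:Issuer", namespaces=NS)
        if issuer not in self.trusted_idps:
            raise SamlValidationError(f"untrusted issuer {issuer!r}")
        if assertion.get("ID") in self.seen_assertion_ids:
            raise SamlValidationError("assertion replayed")
        not_before = _parse_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
        if now + self.clock_skew < not_before or now - self.clock_skew >= not_on_or_after:
            raise SamlValidationError("assertion outside its validity window")
        audiences = [a.text for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise SamlValidationError("assertion not intended for this service provider")
        name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id:
            raise SamlValidationError("no subject")
        self.outstanding_requests.discard(in_response_to)   # one response per request
        self.seen_assertion_ids.add(assertion.get("ID"))    # never accept this ID again
        return name_id


# Constructed sample response, as the IdP would POST it back through the browser
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Destination="https://sp.example.com/saml2/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2013-11-05T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jack_jones</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T10:00:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def try_validate(xml_text, now_iso):
    """Fresh SP that issued AuthnRequest _req42; returns the NameID or the rejection reason."""
    sp = ServiceProvider("https://sp.example.com", ["https://idp.example.com"])
    sp.outstanding_requests.add("_req42")
    try:
        return sp.validate_response(xml_text, _parse_time(now_iso))
    except SamlValidationError as err:
        return f"rejected: {err}"


def replay_is_refused():
    """Present the same assertion twice; the second attempt must fail even when
    the request ID is outstanding again, which isolates the replay-cache check."""
    sp = ServiceProvider("https://sp.example.com", ["https://idp.example.com"])
    now = _parse_time("2013-11-05T10:01:00Z")
    sp.outstanding_requests.add("_req42")
    sp.validate_response(SAMPLE_RESPONSE, now)
    sp.outstanding_requests.add("_req42")
    try:
        sp.validate_response(SAMPLE_RESPONSE, now)
        return False
    except SamlValidationError:
        return True
```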

SAP NetWeaver Identity Management

Session SIS105: SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)

Session SIS106: CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203: SAP NetWeaver Identity Management 7.2 - Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262: Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263: Advanced Features of SAP NW IdM - Context Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a central Identity Store, connected to SAP Access Control (GRC) and to the SAP Business Suite; example process: on-boarding]

  - Password management
  - Provisioning to SAP and non-SAP systems
  - Identity management monitoring & audit
  - Rule-based assignment of business roles
  - Identity virtualization and identity as a service
  - Approval workflows
  - Central Identity Store
  - Compliance checks through GRC
  - SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Architecture diagram; components recovered from the figure:]

Identity Center (IC) database: either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, identity store (IdS)

Runtimes: Java runtime and VB runtime, Dispatcher (VB), DSE (VB), Event Agent (<<Starts>>)

Virtual Directory Server (VDS) in a Java VM, exposing LDAP; connections via HTTPS and database protocol

External repositories: LDAP, Java, ABAP, Web Services, Active Directory, etc.

External applications: SAP HR, LDAP/Web Services, SiteMinder, application-specific, etc.

User interface: AS Java with Web Dynpro (ID Mgmt UI abstraction, JMX); MMC Management Console, soon to be Eclipse

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram sequence across six slides: a user raises a request in SAP NetWeaver Identity Management; an approver, SAP GRC Access Control and the compliance team are involved in turn; the steps are numbered 1–6 in the figure]

1. Request for
   • Role
   • Privileges
   • User account
   • …

2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

4. Send for risk analysis (SAP GRC Access Control) to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

5. Risk analysis and remediation (compliance team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …

6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to the user

Result: compliant identity management, with SAP NetWeaver Identity Management and SAP GRC Access Control sharing the steps

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management

Centralized user management: centralized management of identity information across multiple data sources

Integration and synchronization of system authorization data: manage user privileges centrally

Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO

Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control

Access Risk Identification: define and understand access risks

Access Analysis and Response: analyze and mitigate access risks

Access Reviews: periodic reviews of assignments, risk violations and controls

Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Architecture diagram; components recovered from the figure:]

SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); Content Lifecycle Management (CLM)

SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); connected via RFC

Non-SAP business applications: adapter, connected via web services (optional)

SAP NW Portal 7.02: GRC portal content (optional, http); SAP NW BW 7.02: GRC BI content (optional, RFC)

SAP NW Java 7.02: Adobe Document Services (optional); SAP CR Adapter (optional)

Identity Management solutions (SAP or non-SAP): connected via web services / RFC (optional)

Front-end client: SAP GUI 7.10 (DIAG), web browser (http), Adobe Flash Player

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

[Process flow from the figure: HR application (new hire, change position) → Identity Management calculates entitlements based on position → line manager approves assignments (No: stop; Yes: continue) → SAP GRC Access Control compliance check and remediation → create user / assign privileges → create user and assign roles in each system of the heterogeneous landscape]
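The six-step flow from the preceding slides and the customer scenario above, carried through in one added example (not code from the slides, from SAP NetWeaver IdM or from GRC Access Control). Positions, role names, the segregation-of-duties rule, the mitigating control and the target systems are all invented for the example; the point is the state machine: a request is provisioned only after approval and only when every SoD risk was mitigated, modified away or the request was rejected.

```python
from dataclasses import dataclass, field

# Constructed example of the six-step compliant identity management flow.
# Positions, roles, SoD rules and target systems are invented for the example;
# in a real landscape they live in HR, SAP NetWeaver IdM and GRC Access Control.

ENTITLEMENTS_BY_POSITION = {
    "AP_CLERK":   {"AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "HR_ADMIN":   {"HR_MASTER_DATA"},
}
# Segregation-of-duties rules: role combinations one user must not hold.
SOD_RULES = {"SOD-001": frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})}
ROLE_TARGET_SYSTEMS = {
    "AP_INVOICE_ENTRY":   ["ERP"],
    "AP_PAYMENT_RELEASE": ["ERP", "TREASURY_NONSAP"],
    "HR_MASTER_DATA":     ["HR"],
}


@dataclass
class AccessRequest:
    user: str
    roles: set                                        # requested (step 1)
    existing_roles: set = field(default_factory=set)  # already assigned
    status: str = "REQUESTED"
    approvals: list = field(default_factory=list)     # steps 2-3
    risks: list = field(default_factory=list)         # step 4
    mitigations: dict = field(default_factory=dict)   # risk id -> control (step 5)
    provisioned: dict = field(default_factory=dict)   # system -> roles (step 6)


def request_for_hr_event(user, new_position, existing_roles=()):
    """Step 1: an HR event (new hire, position change) raises the request."""
    roles = ENTITLEMENTS_BY_POSITION[new_position]
    return AccessRequest(user=user, roles=set(roles), existing_roles=set(existing_roles))


def approve(req, approver, granted):
    """Steps 2-3: decision by manager, delegate, role or application owner."""
    req.approvals.append((approver, granted))
    req.status = "APPROVED" if granted else "REJECTED"
    return req.status


def _open_risks(req):
    combined = req.existing_roles | req.roles
    return [rid for rid, pair in SOD_RULES.items() if pair <= combined]


def risk_analysis(req):
    """Step 4: SoD check over existing plus requested roles."""
    if req.status != "APPROVED":
        raise ValueError("risk analysis runs only on approved requests")
    req.risks = _open_risks(req)
    req.status = "RISK_FOUND" if req.risks else "CLEAN"
    return req.risks


def remediate(req, decision, control=None, drop_role=None):
    """Step 5: the compliance team resolves risks: MITIGATE, MODIFY or REJECT."""
    if req.status != "RISK_FOUND":
        raise ValueError("nothing to remediate")
    if decision == "REJECT":
        req.status = "REJECTED"
        return req.status
    if decision == "MODIFY":                   # remove the conflicting role
        req.roles.discard(drop_role)
        req.risks = _open_risks(req)
    elif decision == "MITIGATE":               # keep the risk, document a control
        for rid in req.risks:
            req.mitigations[rid] = control
    else:
        raise ValueError(f"unknown decision {decision}")
    unmitigated = [r for r in req.risks if r not in req.mitigations]
    req.status = "CLEAN" if not unmitigated else "RISK_FOUND"
    return req.status


def provision(req):
    """Step 6: push roles to SAP and non-SAP targets, only for clean requests."""
    if req.status != "CLEAN":
        raise PermissionError(f"cannot provision a request in state {req.status}")
    for role in sorted(req.roles):
        for system in ROLE_TARGET_SYSTEMS[role]:
            req.provisioned.setdefault(system, []).append(role)
    req.status = "PROVISIONED"
    return req.provisioned


def walkthrough():
    """A clerk becomes AP manager: the new role conflicts with the existing one."""
    req = request_for_hr_event("SMITHJ", "AP_MANAGER", existing_roles={"AP_INVOICE_ENTRY"})
    approve(req, "line manager", True)
    assert risk_analysis(req) == ["SOD-001"]
    remediate(req, "MITIGATE", control="CTRL-AP-DUAL-REVIEW")
    return provision(req)
```

The risk analysis deliberately combines the roles the user already holds with the requested ones: a request that looks harmless on its own is what creates most SoD violations in practice.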

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram; elements recovered from the figure:]

Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend and mobile frontend logs; logs of infrastructure; logs of database; network logs / IDS; alerts from SAP SolMan

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation

Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
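The pipeline stages in the draft (connectivity, extraction, filtering, normalization, aggregation, with attack patterns delivered as data), as an added example that is not code from the slides or from SAP. The three log line formats and every record in them are constructed for the example; the pattern definition and the user, host and IP values are invented. It shows why normalization comes first: the same user appears as "ADMIN" in one source and "admin" in another, and only after both are mapped to one schema can the failed-logon count be aggregated across sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three log sources. The line formats are
# invented for this example (real Security Audit Log, syslog and database
# audit records look different), which is exactly why normalization is needed.
SAMPLE_LOGS = [
    ("netweaver", "2013-11-05T08:00:01|AU2|client=100|user=ADMIN|term=PC-17|Logon failed"),
    ("netweaver", "2013-11-05T08:00:09|AU2|client=100|user=ADMIN|term=PC-17|Logon failed"),
    ("infra",     "Nov  5 08:00:20 fw01 sshd[812]: Failed password for admin from 10.0.0.17"),
    ("netweaver", "2013-11-05T08:00:31|AU2|client=100|user=ADMIN|term=PC-17|Logon failed"),
    ("netweaver", "2013-11-05T08:00:40|AU1|client=100|user=ADMIN|term=PC-17|Logon successful"),
    ("database",  "2013-11-05 08:01:02;CONNECT;user=SAPSR3;host=db01;status=OK"),
    ("netweaver", "2013-11-05T09:30:00|AU3|client=100|user=JSMITH|term=PC-02|Transaction SE16 started"),
]

# Attack patterns kept as data so that updated patterns can be shipped
# separately from the monitoring code (the "attack pattern updates" input).
ATTACK_PATTERNS =  [
    {"id": "PAT-001", "name": "repeated failed logons for one user",
     "event": "LOGON_FAILED", "threshold": 3, "window": timedelta(minutes=5)},
]


def parse_netweaver(line):
    ts, code, _client, user, term, msg = line.split("|")
    event = {"AU1": "LOGON_OK", "AU2": "LOGON_FAILED"}.get(code, "OTHER")
    return {"ts": datetime.fromisoformat(ts), "source": "netweaver", "event": event,
            "user": user.split("=", 1)[1].lower(), "host": term.split("=", 1)[1], "msg": msg}


SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S+: (.*)$")


def parse_infra(line, year=2013):
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    msg = m.group(3)
    failed = msg.startswith("Failed password for ")
    user = msg.split()[3].lower() if failed else None
    return {"ts": ts, "source": "infra", "event": "LOGON_FAILED" if failed else "OTHER",
            "user": user, "host": m.group(2), "msg": msg}


def parse_database(line):
    ts, action, user, host, status = line.split(";")
    event = "LOGON_OK" if action == "CONNECT" and status == "status=OK" else "OTHER"
    return {"ts": datetime.fromisoformat(ts), "source": "database", "event": event,
            "user": user.split("=", 1)[1].lower(), "host": host.split("=", 1)[1], "msg": action}


PARSERS = {"netweaver": parse_netweaver, "infra": parse_infra, "database": parse_database}


def normalize(raw_logs):
    """Extraction and normalization: one schema and one user spelling for all sources."""
    return sorted((PARSERS[src](line) for src, line in raw_logs), key=lambda e: e["ts"])


def detect(events, patterns=ATTACK_PATTERNS):
    """Filtering and aggregation: count a pattern's event per user in a sliding window."""
    alerts = []
    for pat in patterns:
        by_user = defaultdict(list)
        for e in events:                                   # filter to the pattern's event
            if e["event"] == pat["event"] and e["user"]:
                by_user[e["user"]].append(e)
        for user, hits in by_user.items():
            for i, first in enumerate(hits):
                window = [h for h in hits[i:] if h["ts"] - first["ts"] <= pat["window"]]
                if len(window) < pat["threshold"]:
                    continue
                last = window[-1]["ts"]
                # a successful logon shortly after the failures raises the severity
                success = any(e["event"] == "LOGON_OK" and e["user"] == user
                              and last <= e["ts"] <= last + pat["window"] for e in events)
                alerts.append({"pattern": pat["id"], "user": user, "count": len(window),
                               "sources": sorted({h["source"] for h in window}),
                               "first": first["ts"], "last": last,
                               "followed_by_success": success})
                break                                      # one alert per user and pattern
    return alerts
```

With the sample data the four failures for "admin" (three from the application server, one from the firewall host) exceed the threshold, and the successful logon nine seconds later is attached to the alert.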

Summary – Key Take-Aways

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes

Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes

The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions

SAP leads the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January – March 2014

Complimentary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback: please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Agenda

SAP Solutions for Security, Identity Management and Single Sign-On

SAP NetWeaver Security Solutions
– Authentication and Single Sign-On
– Authorization and Role Management
– SAP HANA Security
– Mobile Security, Cloud Security
– Logging and Monitoring
– Encryption of Data at Rest and in Transit
– Secure Software Development, Standards and Certifications
– Security Services and Support Offerings

SAP NetWeaver Single Sign-On
– Single Sign-On, Enterprise Single Sign-On
– Identity Federation

SAP NetWeaver Identity Management

SAP GRC Access Control

SAP NetWeaver Security Features: Authentication and Single Sign-On

Secure access to applications: improve corporate security, decrease operational costs

[Diagram: SAP Business Suite, SAP mobile applications, SAP cloud applications and 3rd-party systems, surrounded by authentication and single sign-on, identity management, and security governance and compliance]

Authentication and single sign-on: make it easy for your users to do what they're allowed to do

Identity management: making sure you know your users and what they can do

Security governance and compliance: ensure corporate compliance to regulatory requirements

Faster onboarding of new hires: 70%

Reduction of password-related help desk calls: 70%

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
– User-ID + Password
– X.509 client certificates
– SAP NetWeaver Single Sign-On: Kerberos, 2-factor authentication
– 3rd-party SNC provider

Web based
– User-ID + Password
– X.509 authentication
– SAML2
– SAP Logon Tickets
– Kerberos/SPNego
– OAuth

For Kerberos/SPNego on SAP NetWeaver AS ABAP the SAP NetWeaver Single Sign-On product is required

Security Policies

Security policies control the ability of users to access a system:

The permitted mechanisms to authenticate

Settings for password strength and expiration

Settings on how combinations of mechanisms work together

Privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

[Diagram: users Karen, John and Susan with their role assignments]

SAP ABAP Authorization Concept

Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.

[Diagram: Authorization Object X with Field1 … Field10 is instantiated as authorizations (Authorization Object X with Field1 = ValuesX1 … Field10 = ValuesX10; likewise Objects Y and Z), which are bundled into an authorization profile; the profile belongs to a role, the role is assigned to a user, and the assignment is stored in the user's master record. At runtime, transaction T running program P checks the authorization object against specific values, field by field.]

Transaction T → Program P:

  AUTHORITY-CHECK OBJECT 'X'
    ID 'FIELD1'  FIELD 'VALUEX1'
    " ... fields 2 to 9 are not shown on the slide
    ID 'FIELD10' FIELD 'VALUEX10'.
  IF sy-subrc NE 0.
    MESSAGE 'Bad authz' TYPE 'E'.
  ENDIF.
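The object → authorization → profile → role → user master record chain and the runtime check from this slide, as an added example in Python that is not code from the slides or from SAP. Object, field, profile, role and user names are invented (the users Karen, John and Susan are borrowed from the slide); only sy-subrc values 0, 4 and 12 are modelled, which is an assumption. The example shows the detail the diagram only hints at: all checked fields have to be satisfied by one and the same authorization, so holding ACTVT 02 in one authorization and VKORG 2000 in another does not permit ACTVT 02 for VKORG 2000.

```python
from fnmatch import fnmatchcase

# Constructed model of the ABAP authorization concept. Object, field, profile,
# role and user names are invented; only the mechanics follow the slide.

AUTHORIZATION_OBJECTS = {             # object -> its fields
    "Z_ORDER":  ("ACTVT", "VKORG"),   # activity, sales organization
    "Z_HR_PAY": ("ACTVT", "PERSA"),   # activity, personnel area
}


class Authorization:
    """One instance of an object with concrete values per field ('*' = all)."""

    def __init__(self, obj, **values):
        fields = AUTHORIZATION_OBJECTS[obj]
        if set(values) != set(fields):
            raise ValueError(f"{obj} needs values for exactly {fields}")
        self.obj = obj
        self.values = {f: tuple(v) for f, v in values.items()}

    def permits(self, checked):
        """All checked fields must match within this single authorization."""
        return all(any(fnmatchcase(val, pat) for pat in self.values[f])
                   for f, val in checked.items())


PROFILES = {
    "Z_SALES_DISPLAY": [Authorization("Z_ORDER", ACTVT=["03"], VKORG=["*"])],
    "Z_SALES_1000":    [Authorization("Z_ORDER", ACTVT=["01", "02", "03"], VKORG=["1000"])],
    "Z_HR_ADM":        [Authorization("Z_HR_PAY", ACTVT=["*"], PERSA=["DE*"])],
}
ROLES = {"SALES_DISPLAY": "Z_SALES_DISPLAY", "SALES_1000": "Z_SALES_1000", "HR_ADM": "Z_HR_ADM"}
USER_MASTER = {                       # user master record: roles assigned to the user
    "KAREN": ["SALES_DISPLAY", "SALES_1000"],
    "JOHN":  ["HR_ADM"],
    "SUSAN": [],
}


def authority_check(user, obj, **checked):
    """Mirror of AUTHORITY-CHECK OBJECT ... ID ... FIELD ...; returns sy-subrc:
    0 = permitted, 4 = object present but values not permitted,
    12 = no authorization for the object in the user master record
    (assumption: the other sy-subrc values of the real statement are not modelled)."""
    unknown = set(checked) - set(AUTHORIZATION_OBJECTS[obj])
    if unknown:
        raise ValueError(f"{obj} has no field(s) {sorted(unknown)}")
    auths = [a for role in USER_MASTER.get(user, [])
             for a in PROFILES[ROLES[role]] if a.obj == obj]
    if not auths:
        return 12
    return 0 if any(a.permits(checked) for a in auths) else 4


def change_order(user, vkorg):
    """Program P: the check guards the business function, like the slide's IF sy-subrc NE 0."""
    rc = authority_check(user, "Z_ORDER", ACTVT="02", VKORG=vkorg)
    if rc != 0:
        raise PermissionError(f"Bad authz (sy-subrc {rc})")
    return f"order in {vkorg} changed by {user}"
```

Fields that the program does not list in the check are not checked at all, which is why a program that forgets an organizational field like VKORG silently widens the authorization.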

HR Organizational Management – Org Structure in HR

[Diagram of the HR org structure, recovered from the figure:]

Org units (O): Finance, HR, Market GER

Positions (S): 70008501, 70008502 – an org unit has 1:n positions

Employees (P): John Smith, Eva Scott – a position is held 1:1 by an employee

Users (US): SMITHJ, SCOTTE – an employee is linked 1:1 to an SAP user via infotype 105

HR Organizational Management – Role Assignment

[Same org structure as on the previous slide, with roles (AG) added:]

Org units (O): Finance, HR, Market GER; positions (S): 70008501, 70008502 (1:n per org unit); employees (P): John Smith, Eva Scott (1:1 per position); users (US): SMITHJ, SCOTTE (1:1 via infotype 105)

Roles (AG): GEN_FIN, HR_ADM

User SMITHJ inherits roles GEN_FIN and HR_ADM
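The indirect role assignment shown on the two HR slides, as an added example that is not code from the slides or from SAP. It uses the slide's object types and names (org units Finance, HR and Market GER, positions 70008501 and 70008502, employees, users SMITHJ and SCOTTE, roles GEN_FIN and HR_ADM); the hierarchy (Market GER as the root of Finance and HR), the placement of the roles, the third position 70008503 and the inheritance rule (roles of the position plus roles of every org unit above it) are assumptions made for the example. It shows the property that makes HR-driven assignment worthwhile: when the employee changes position, the roles the user loses fall out of the same calculation.

```python
from dataclasses import dataclass, field

# Constructed HR-ORG model using the slide's object types: O (org unit),
# S (position), P (employee), US (SAP user, linked via infotype 105), AG (role).
# Assumed inheritance rule: a user inherits the roles assigned to the position
# the employee holds and to every org unit above that position.


@dataclass
class OrgModel:
    org_parent: dict          # org unit -> parent org unit (None for the root)
    position_org: dict        # position -> org unit (1:n from the org unit's view)
    employee_position: dict   # employee -> position (1:1)
    user_of_employee: dict    # employee -> SAP user (infotype 105, 1:1)
    roles_of_org: dict = field(default_factory=dict)       # org unit -> roles
    roles_of_position: dict = field(default_factory=dict)  # position -> roles

    def validate(self):
        """The 1:1 links from the slide: one holder per position, one employee per user."""
        positions = list(self.employee_position.values())
        if len(positions) != len(set(positions)):
            raise ValueError("a position is held by more than one employee")
        users = list(self.user_of_employee.values())
        if len(users) != len(set(users)):
            raise ValueError("an SAP user is linked to more than one employee")
        return True

    def org_chain(self, org):
        """The org unit and all its parents up to the root; refuses cycles."""
        chain = []
        while org is not None:
            if org in chain:
                raise ValueError(f"cycle in org structure at {org}")
            chain.append(org)
            org = self.org_parent.get(org)
        return chain

    def roles_for_position(self, position):
        roles = set(self.roles_of_position.get(position, ()))
        for org in self.org_chain(self.position_org[position]):
            roles |= set(self.roles_of_org.get(org, ()))
        return roles

    def effective_assignments(self):
        """SAP user -> inherited roles, for every employee with an infotype 105 link."""
        return {self.user_of_employee[emp]: self.roles_for_position(pos)
                for emp, pos in self.employee_position.items()
                if emp in self.user_of_employee}

    def change_position(self, employee, new_position):
        """HR event: moving the employee changes the user's roles. Returns
        (roles gained, roles lost); the lost ones are what must be revoked."""
        old = self.roles_for_position(self.employee_position[employee])
        self.employee_position[employee] = new_position
        new = self.roles_for_position(new_position)
        return new - old, old - new


def sample_model():
    """Constructed data following the slide's names; hierarchy and role placement are assumed."""
    return OrgModel(
        org_parent={"Market GER": None, "Finance": "Market GER", "HR": "Market GER"},
        position_org={"70008501": "Finance", "70008502": "HR", "70008503": "HR"},  # 70008503 is constructed
        employee_position={"John Smith": "70008501", "Eva Scott": "70008502"},
        user_of_employee={"John Smith": "SMITHJ", "Eva Scott": "SCOTTE"},
        roles_of_org={"Finance": ["GEN_FIN"], "HR": ["HR_ADM"]},
        roles_of_position={"70008501": ["HR_ADM"]},   # assumption: John also administers HR data
    )
```

An employee without an infotype 105 link gets no user and therefore no roles; in practice that is the case to report on, because such people often end up with a manually created user that the HR-driven process never cleans up.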

SAP NetWeaver Security Solutions SAP HANA Security

SAP HANA – overview of security functions

[Diagram: SAP HANA with the security functions Authentication/SSO, Authorization, Encryption, Audit Logging and Identity Store; clients connect via SQL or MDX through an application server, via HTTP(S) to XS applications, and via SQL from SAP HANA Studio for administration]

SAP HANA – authentication and single sign-on

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application]

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – user and role management

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application]

For logon, users must exist in the identity store of the SAP HANA database

Roles (and privileges) can be assigned to users

Roles are used to bundle and structure privileges
– Create roles for specific groups of users; role hierarchies supported

Role lifecycle: design-time roles, export to production system, activate, runtime

SAP HANA – authorization: privilege types

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application]

System privileges: authorize execution of administrative actions for the entire SAP HANA database

SQL privileges: authorize access to data and operations on database objects

Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view

Package privileges: authorize access in the repository (modeling environment) at design time

Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application]

Communication encryption
– SSL

Data encryption
– Data volumes on disk

SAP HANA – audit logging

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application]

Logging of critical events for security and compliance, e.g.
– User, role and privilege changes
– Configuration changes

User-defined policies for audit logging

Data access logging
– Read and write access (tables, views), execution of procedures

Audit trail written to Linux syslog

SAP HANA – security administration

[Diagram: SAP HANA security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application; SAP HANA Studio connects via SQL for administration]

SAP HANA Studio

SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions Mobile Security Cloud Security

Mobile app security: a strong foundation makes mobile successful

[Diagram of SAP Mobile Security layers, recovered from the figure:]

Device: Mobile Device Management

Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container

Content: Mobile Content Management

Communications: Telecom Expense Management

Systems Management: Enterprise Mobility Management System

Deployment: On-Premise, Hybrid, Cloud

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

Access personal business documents instantly on your laptop or any mobile device

Discover and access content from corporate document management systems

Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram: SAP ID service in the SAP Cloud providing authentication, single sign-on and user management; an on-premise app connects to it]

Managing identities and their lifecycle within the SAP Cloud

Leverage SSO to SAP web sites and On-Demand applications

One SAP identity: SAP ID service bridges the gap between
• customer's on-premise application
• SAP on-demand applications
• SAP websites
• 3rd-party on-demand applications
by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity „Camps“ – Handled With Industry Standards

[Diagram: the two camps Enterprise (on-premise) and Internet/Cloud (on-demand), with the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos placed between them]

SAP bridges the gap between these two „camps“

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud

SOAP/WS-* is the preferred choice for process integration in the enterprise

Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*

Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls

The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration OP – OD instead of point-to-point connections

[Diagram: in the customer on-premise network, a user authenticates to the on-premise IdP (X.509); in the SAP on-demand network, the SAP ID service proxies the authentication (SAML) for SAP Business ByDesign, SAP HANA Cloud, a social IdP and a 3rd-party app (SAML)]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Diagram: OnDemand integration, OnPremise integration, OnDevice integration]

Secure Communication and Interaction: OnDemand Solutions

[Diagram: backend networks of Company A and Company B, each with an R/3 application server farm, ERP systems and a directory (DIR), connected to On-Demand solutions; each company has an Identity Provider; SAML is used between the companies and the On-Demand solutions, SAP Logon Tickets within each backend network]

SAP NetWeaver Security Solutions Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor

Read Access Log: used to ensure compliant access to sensitive or classified data; tracks who accessed which data, when, and via which interface. Target audience: data protection officer

Security Audit Log: monitoring of security-relevant events in the system, like logon, access control violations and more. Target audience: security administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram, recovered from the figure:]

SAP environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, BS / P&L, account balances, documents); data export (account balances, line items) via export interface

Non-SAP environment: work paper preparation; report; analysis software (ACL, IDEA, …); reporting software; line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits

It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs

The AIS is the toolbox for the auditor in the SAP environment

Read Access Logging: Features

Read Access Logging (RAL) logs all access to classified or sensitive data and supports the evaluation of these events. It tracks

Who accessed the data

Which data was accessed

When the data was accessed

How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs / user interfaces

entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration

[Diagram: ABAP server with an application (Web Dynpro) writing to the Read Access Log]

Read Access Logging Framework: Features

Read Access Logging logs all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
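The who / which / when / how record from the RAL features slide and the filter behaviour described just above, as an added example that is not code from the slides or from the Read Access Logging framework. The channel, entity and field names, the configuration, the condition (log only natural persons) and the sample business partner are all constructed. It shows the three ways a field can be treated (logged with its value, logged only as an access, or kept out of the log entirely), why an unconfigured channel produces no record, and how the log is evaluated afterwards.

```python
from datetime import datetime, timezone

# Constructed model of a read access log. The configuration decides, per channel
# and entity, whether each field is logged with its value, logged as a bare access
# event, or not logged at all. Channel, entity and field names are invented.
LOG_MODES = {"VALUE", "MASKED", "EXCLUDE"}

RAL_CONFIG = {
    ("WEB_DYNPRO", "BUSINESS_PARTNER"): {
        "PARTNER_ID":   "VALUE",    # needed to know whose data was shown
        "TAX_NUMBER":   "VALUE",
        "BANK_ACCOUNT": "MASKED",   # log that it was shown, not the number
        "CREDIT_CARD":  "EXCLUDE",  # never write card data to the log
    },
    ("RFC", "BUSINESS_PARTNER"): {"PARTNER_ID": "VALUE", "TAX_NUMBER": "MASKED"},
}
# Filters: log an entity only when the condition holds; here only data of
# natural persons, because organization data is not personal data.
RAL_CONDITIONS = {"BUSINESS_PARTNER": lambda data: data.get("CATEGORY") == "PERSON"}


def mask(value):
    """Keep the last four characters so a record can still be recognized."""
    s = str(value)
    return "*" * (len(s) - 4) + s[-4:] if len(s) > 4 else "****"


class ReadAccessLog:
    def __init__(self, config=RAL_CONFIG, conditions=RAL_CONDITIONS,
                 clock=lambda: datetime.now(timezone.utc)):
        for modes in config.values():
            if set(modes.values()) - LOG_MODES:
                raise ValueError("unknown log mode in configuration")
        self.config, self.conditions, self.clock = config, conditions, clock
        self.records = []

    def log_read(self, user, channel, ui_id, entity, data):
        """Called when an application presents 'data' to 'user' via a channel.
        Returns the written record, or None when nothing is logged."""
        field_modes = self.config.get((channel, entity))
        if field_modes is None:                   # channel/entity not configured
            return None
        condition = self.conditions.get(entity)
        if condition is not None and not condition(data):
            return None
        fields = {}
        for name, value in data.items():
            mode = field_modes.get(name)          # unconfigured fields are dropped
            if mode == "VALUE":
                fields[name] = value
            elif mode == "MASKED":
                fields[name] = mask(value)
        record = {"ts": self.clock().isoformat(), "user": user, "channel": channel,
                  "ui": ui_id, "entity": entity, "fields": fields}
        self.records.append(record)
        return record

    def who_accessed(self, entity, field, value):
        """Evaluation: which users read the record identified by field = value."""
        return sorted({r["user"] for r in self.records
                       if r["entity"] == entity and r["fields"].get(field) == value})


def sample_partner():
    """Constructed business partner record; all values are fictitious."""
    return {"PARTNER_ID": "1000042", "CATEGORY": "PERSON", "NAME": "Eva Scott",
            "TAX_NUMBER": "DE123456789", "BANK_ACCOUNT": "DE89370400440532013000",
            "CREDIT_CARD": "4111111111111111"}
```

Keeping the card number out of the log is not only a privacy choice: a read access log that stores full card details becomes in-scope data itself, which is the situation the legal-regulations slide later in this deck warns about.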

SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows exchanges request/response with the Dynpro Processor in the SAP backend system; the observed data traffic is handed by an asynchronous call of the log service to a temporary log and then to permanent log storage in the repository; application logic is untouched; a delivered sample implementation is included]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I – Transaction BP (Business Partner) log record [screenshot]

UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record [screenshot]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)

LOPD was first available with the BW 7.0 release

Within the solution you can configure the information to be logged per InfoProvider

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00 … 7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00 … 7.31
Business Warehouse           | No                               | 7.00 … 7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library]

Digital signatures for legally binding contracts

Integration with Secure Store and Forward (SSF) API

Out-of-the-box support for a set of SAP transactions

Consistent with SAP Single Sign-On mechanisms

Easy and flexible to implement

Generation of X.509 certificates and smart card support

PCI-DSS-compliant encryption

Digital Signatures – Step By Step

[Diagram: SAP client and application server, steps numbered 1–4]

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions

Programming/integration necessary in case of
– ABAP programming for other transactions not yet supporting SSF
– Integration of Secure Login Library with client actions
– Hardware support needed

SNC Client Encryption: Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license

Encryption between SAP client and application server

Based on SNC and Kerberos

No hybrid encryption available compared to SAP NetWeaver Single Sign-On

No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application server; SNC is also used between SAP application servers]

SAP NetWeaver Security Solutions Secure Software Development

Security Standards and Certifications

Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management]

Protecting Your SAP Systems

[Same diagram, highlighting Secure Software Development]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

copy 2013 SAP AG or an SAP affiliate company All rights reserved 56


SAP Security Services Overview (1/2)

SAP Security Patch Day
SAP security notes, second Tuesday of every month

SAP Active Global Support: security tools and services
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)
SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
Secure operation trainings by SAP
Secure development trainings by partners

SAP Security Documentation
Security notes published on Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit Web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling

(Topics from the security recommendations; discussed later)

Patch Management and Security Monitoring

Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
Verify release information and configuration parameters against targets for all systems connected to Solution Manager
Evaluate SAP security notes every patch day
The most important notes that can be applied automatically are checked and the result is presented
Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
Easy-to-use, lightweight tool – short startup time, small memory footprint.
List of configuration tasks provided with the tool (LM Automation Standalone 1.0 SP00):
– each task is available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources
SAP security recommendations
SAP security guides

How to verify
Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources
SAP Secure Programming Guides
SAP Security Recommendations

How to verify
Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN): extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security.
Neither DAST nor SAST is a guarantee to find all security issues in an application.

Manual Source Code Review
Automated Source Code Analysis
Automated Application Vulnerability Scanning
Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Manual Source Code Review
Automated Source Code Analysis
Automated Application Vulnerability Scanning
Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.
SAP NetWeaver Application Server add-on for code vulnerability analysis
Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.
How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).
You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
– spotlight news
– check of the security notes released on the Security Patch Days
– subscription to the SAP support portal newsletter
– maintenance of a security contact in your organization
You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
SAP System Administration – User and Security
SAP Governance, Risk & Compliance

Certification
SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
– verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
– proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
Booking code: P_ADM_SEC_70

Topic – Course ID
Authorizations AS ABAP – ADM940
Authorizations AS Java / Portal – ADM200, EP200, ADM800
Authorizations BW – BW365
SAP NetWeaver Identity Management – ADM920
Security Auditing – ADM950
Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
Microsoft Active Directory Server
Microsoft Certificate Store

Advanced SNC encryption
Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
Smart cards
RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
User and role management
Provisioning to SAP and non-SAP systems
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
Identity federation
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (RADIUS, smart cards)
RSA certification
Coming with version 2.0:
– SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
– FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
Basic encryption of the communication path for SAP Windows clients and SAP application servers
(No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
Web Access Management (partner solution): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
Basic encryption between SAP Windows clients and SAP application servers
No single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder®
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after the primary authentication of the user (jack_jones), the E-SSO monitor on the client handles the login to a terminal emulator, a Web form, Web basic authentication, a Windows application and a Java application; E-SSO is configured through a local management console]

Secure Login – Solution Architecture

[Diagram: Client system – SAP Frontend (NWBC, SAP GUI) with Secure Login Client; Web browser with SLWC (Applet) and key store; SAP or Java Crypto Library. Backend systems – SAP backend system (ABAP stack) with Secure Login Library and PSE service; NetWeaver CE 7.2 (Java stack) with Secure Login Server and configuration data; authentication server (e.g. SAP User Management). Protocols shown: DIAG, SNC, HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus cloud applications]

Identity Federation – Solution

[Diagram: the systems of each company (ERP, CRM, SCM in Datacenter A and Datacenter B) act as Service Providers (SP); each company runs its own Identity Provider; identity federation links the two Identity Providers]

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: the SAP NetWeaver Java Identity Provider (with its user account store) issues a SAML token on log on / log off to Service Providers that keep their own user accounts – SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web browser-based single sign-on is user-centric
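The redirect-to-IdP flow described above, modelled as an added example (not code from the slides or from SAP): one Identity Provider, two SAML-enabled Service Providers, one interactive login. The entity ids, user and password are constructed, and an HMAC over the assertion fields stands in for the XML signature a real SAML Identity Provider produces; the Service Provider still performs the checks that matter (signature, issuer, audience, binding to its own request, validity window).

```python
import hashlib
import hmac
import json
import secrets
import time

IDP_ENTITY_ID = "https://idp.example.test"       # assumed name, not from the slide
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's signing key pair


def sign(body):
    # HMAC over the assertion fields stands in for the XML signature of a real SAML assertion.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates a user once, then issues assertions for every trusted SP."""

    def __init__(self, users, trusted_sps):
        self.users = dict(users)           # {user: password}, constructed
        self.trusted_sps = set(trusted_sps)
        self.sessions = {}                 # IdP cookie -> user
        self.interactive_logins = 0

    def handle_authn_request(self, request, idp_cookie, credentials=None):
        """Return (assertion, idp_cookie); credentials are needed only without an IdP session."""
        if request["issuer"] not in self.trusted_sps:
            raise PermissionError("AuthnRequest from an unknown service provider")
        user = self.sessions.get(idp_cookie)
        if user is None:
            if credentials is None:
                raise PermissionError("login required at the Identity Provider")
            name, password = credentials
            if self.users.get(name) != password:
                raise PermissionError("bad credentials")
            self.interactive_logins += 1
            user, idp_cookie = name, secrets.token_hex(8)
            self.sessions[idp_cookie] = user
        body = {"issuer": IDP_ENTITY_ID, "subject": user,
                "audience": request["issuer"],            # bound to the requesting SP
                "in_response_to": request["id"], "not_on_or_after": time.time() + 300}
        return {"body": body, "signature": sign(body)}, idp_cookie


class ServiceProvider:
    """SAML-enabled system: redirects unknown browsers to the IdP and validates assertions."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pending = set()               # ids of AuthnRequests this SP has sent
        self.sessions = {}                 # SP cookie -> user

    def access(self, sp_cookie):
        """Return the logged-in user, or the AuthnRequest the browser is redirected with."""
        if sp_cookie in self.sessions:
            return self.sessions[sp_cookie]
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        return {"redirect": IDP_ENTITY_ID, "id": request_id, "issuer": self.entity_id}

    def consume_assertion(self, assertion, now=None):
        """Check signature, issuer, audience, request binding and validity window."""
        body, sig = assertion["body"], assertion["signature"]
        if not hmac.compare_digest(sig, sign(body)):
            raise PermissionError("assertion signature invalid")
        if body["issuer"] != IDP_ENTITY_ID:
            raise PermissionError("untrusted issuer")
        if body["audience"] != self.entity_id:
            raise PermissionError("assertion not intended for this service provider")
        if body["in_response_to"] not in self.pending:
            raise PermissionError("no outstanding AuthnRequest for this assertion")
        if (time.time() if now is None else now) >= body["not_on_or_after"]:
            raise PermissionError("assertion expired")
        self.pending.discard(body["in_response_to"])
        sp_cookie = secrets.token_hex(8)
        self.sessions[sp_cookie] = body["subject"]
        return sp_cookie


def browser_sso_demo():
    """One interactive login at the IdP, then access to two systems without re-authentication."""
    erp = ServiceProvider("https://erp-abap.example.test")    # assumed SP names
    crm = ServiceProvider("https://crm-java.example.test")
    idp = IdentityProvider({"jsmith": "constructed-pw"}, [erp.entity_id, crm.entity_id])
    # First system: no session anywhere, so the IdP must authenticate the user.
    assertion, idp_cookie = idp.handle_authn_request(erp.access(None), None, ("jsmith", "constructed-pw"))
    erp_cookie = erp.consume_assertion(assertion)
    # Second system: the IdP session is reused and no credentials are requested.
    assertion, idp_cookie = idp.handle_authn_request(crm.access(None), idp_cookie)
    crm_cookie = crm.consume_assertion(assertion)
    # The assertion issued for CRM must be rejected by ERP (audience mismatch).
    try:
        erp.consume_assertion(assertion)
        cross_sp_accepted = True
    except PermissionError:
        cross_sp_accepted = False
    return {"erp_user": erp.access(erp_cookie), "crm_user": crm.access(crm_cookie),
            "interactive_logins": idp.interactive_logins, "cross_sp_accepted": cross_sp_accepted}
```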

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite]

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures, logs, audit, IdS), dispatcher, event agent and runtimes (Java; VB with DSE) connecting to external repositories (AS Java, AS ABAP, LDAP, Active Directory, Web services, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, app-specific, etc.) via database protocol and the respective connectors; Virtual Directory Server (VDS, Java VM) exposing LDAP; user interface as Web Dynpro on AS Java (ID Mgmt UI abstraction, JMX) with Identity Services over HTTPS; MMC Management Console, soon to be Eclipse]

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for Closing the Gap between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram: User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control, with the request passing through steps 1 to 6]

1. Request for
• Role
• Privileges
• User account
• …
2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …
3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …
4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …
5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …
6. Provision to
• Business applications
• non-SAP systems
• …
and send approval mail to User

Result: Compliant Identity Management
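The six-step request flow above, carried through as an added example (not code from the slides, SAP NetWeaver Identity Management or SAP GRC Access Control): a request is routed for approval, approved, handed to risk analysis against segregation-of-duties rules, remediated by the compliance team, and only then provisioned, with every transition recorded. The role catalogue, SoD rule, users and target system names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed role catalogue and segregation-of-duties (SoD) rules; not SAP-delivered content.
ROLE_PRIVILEGES = {
    "AP_CLERK": {"pay_vendor", "display_vendor"},
    "VENDOR_MASTER": {"create_vendor", "change_vendor"},
}
SOD_RULES = [
    ({"create_vendor", "pay_vendor"}, "create a vendor and pay it (fictitious vendor risk)"),
]
State = Enum("State", "REQUESTED PENDING_APPROVAL APPROVED RISK_ANALYSIS REMEDIATED REJECTED PROVISIONED")

@dataclass
class AccessRequest:
    requester: str
    roles: set
    state: State = State.REQUESTED
    approvers: list = field(default_factory=list)
    violations: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    history: list = field(default_factory=list)     # audit trail of every transition

    def move(self, state, note):
        self.state = state
        self.history.append((state.name, note))

def submit(requester, roles):                         # step 1: request roles / privileges
    return AccessRequest(requester, set(roles))

def route_for_approval(req, approvers):               # step 2: manager, delegate, role owner, ...
    if not approvers:
        raise ValueError("request has no approver")
    req.approvers = list(approvers)
    req.move(State.PENDING_APPROVAL, "sent to " + ", ".join(approvers))

def approve(req, approver):                           # step 3: approval granted
    if req.state is not State.PENDING_APPROVAL or approver not in req.approvers:
        raise PermissionError("approver is not entitled to decide this request")
    if approver == req.requester:
        raise PermissionError("self-approval is not allowed")
    req.move(State.APPROVED, "approved by " + approver)

def risk_analysis(req, existing_roles):               # step 4: hand over to risk analysis
    """Evaluate requested plus already assigned privileges against the SoD rules."""
    if req.state is not State.APPROVED:
        raise PermissionError("only approved requests are analysed")
    privileges = set()
    for role in set(existing_roles) | req.roles:
        privileges |= ROLE_PRIVILEGES[role]
    req.violations = [risk for conflict, risk in SOD_RULES if conflict <= privileges]
    req.move(State.RISK_ANALYSIS, "%d violation(s) found" % len(req.violations))
    return req.violations

def remediate(req, decision, mitigating_controls=None, drop_roles=()):   # step 5
    """Compliance team decision: reject, modify the request, or approve with controls."""
    if req.state is not State.RISK_ANALYSIS:
        raise PermissionError("remediation needs a completed risk analysis")
    if decision == "reject":
        req.move(State.REJECTED, "rejected by compliance team")
        return
    if decision == "modify":
        req.roles -= set(drop_roles)
        req.move(State.REMEDIATED, "roles removed: " + ", ".join(sorted(drop_roles)))
        return
    controls = mitigating_controls or {}              # "approve" / "mitigate"
    unmitigated = [risk for risk in req.violations if risk not in controls]
    if unmitigated:
        raise PermissionError("unmitigated risk: " + "; ".join(unmitigated))
    req.mitigations = dict(controls)
    req.move(State.REMEDIATED, "mitigating controls assigned")

def provision(req, systems):                          # step 6: provision and notify the user
    if req.state is not State.REMEDIATED:
        raise PermissionError("only remediated requests may be provisioned")
    actions = [(system, req.requester, role) for system in systems for role in sorted(req.roles)]
    req.move(State.PROVISIONED, "approval mail sent to " + req.requester)
    return actions

def demo():
    """jsmith already pays vendors (AP_CLERK) and now requests vendor-master maintenance."""
    req = submit("jsmith", ["VENDOR_MASTER"])
    route_for_approval(req, ["manager.a"])
    approve(req, "manager.a")
    violations = risk_analysis(req, existing_roles=["AP_CLERK"])
    remediate(req, "mitigate", {violations[0]: "monthly review of vendor-master changes"})
    actions = provision(req, ["ERP", "CRM"])          # constructed target system names
    # A requester must not be able to approve their own request.
    own = submit("jsmith", ["AP_CLERK"])
    route_for_approval(own, ["jsmith"])
    try:
        approve(own, "jsmith")
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return req, actions, self_approval_blocked
```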

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management – centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data – manage user privileges centrally
Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity – simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
Access Risk Identification – define and understand access risks
Access Analysis and Response – analyze and mitigate access risks
Access Reviews – periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM). Connected systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; SAP NW Portal 7.02 with GRC portal content; SAP NW BW 7.02 with GRC BI content; identity management solutions (SAP or non-SAP); SAP NW Java 7.02 with Adobe Document Services. Front-end client: SAP GUI 7.10, Web browser, Adobe Flash Player, SAP CR Adapter. Connections shown: RFC, DIAG, HTTP, Web services; several components are marked optional]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

[Flowchart: HR Application (new hire, change of position) → Identity Management calculates entitlements based on position → Line Manager approves assignments (Yes / No) → SAP GRC Access Control performs the compliance check and remediation → create user and assign privileges → create user and assign roles in each system of the heterogeneous landscape]

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: SAP Attack Monitoring Infrastructure with the stages Connectivity, Extraction, Filtering, Normalization and Aggregation. Inputs: attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, network logs, IDS, alerts from SAP SolMan. Outputs: API to other SIEM tools, information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP NetWeaver Security Features: Authentication and Single Sign-On

Secure access to applications: improve corporate security, decrease operational costs

[Diagram: 3rd-party systems, SAP mobile applications, SAP cloud applications and the SAP Business Suite, surrounded by authentication and single sign-on, security governance and compliance, and identity management]

Authentication and single sign-on: make it easy for your users to do what they're allowed to do
Identity management: making sure you know your users and what they can do
Security governance and compliance: ensure corporate compliance to regulatory requirements

Faster onboarding of new hires: 70%
Reduction of password-related help desk calls: 70%

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
User-ID + password
X.509 client certificates
SAP NetWeaver Single Sign-On
– Kerberos
– 2-factor authentication
3rd-party SNC provider

Web-based
User-ID + password
X.509 authentication
SAML 2
SAP Logon Tickets
Kerberos / SPNego
OAuth

For Kerberos / SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security policies allow controlling the abilities of users to access a system:
The permitted mechanisms to authenticate
Settings for password strength and expiration
Settings on how combinations of mechanisms work together
Privileges to allow authentication when the system is in maintenance mode
The availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows for enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

[Diagram: users Karen, John and Susan with their assigned roles]

SAP ABAP Authorization Concept

Authorization Objects are the key pillar of the ABAP Authorization Concept. They provide the meta-level on top of which authorization checks are defined.

[Diagram: Authorization Object X defines the fields Field1 … Field10. Authorizations instantiate an object with specific values (Authorization Object X: Field1 = ValuesX1, …, Field10; Authorization Object Y: Field1 = ValuesY1, …; Authorization Object Z: Field1 = ValuesZ1, …, Field10 = ValuesZ10). Authorizations are bundled in an Authorization Profile, the profile belongs to a Role, and the role is assigned to a User through the user master record. At runtime, transaction T runs program P, and the system checks each field against the specific values the user holds:]

AUTHORITY-CHECK OBJECT 'X'
  ID 'Field1'  FIELD 'ValueX1'
  ID 'Field10' FIELD 'ValueX10'.
IF sy-subrc NE 0.
  MESSAGE 'Bad authz' TYPE 'E'.
ENDIF.
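The object / authorization / profile / role / user chain above and the runtime check, modelled as an added example (not code from the slides or from SAP) to show the point the diagram makes: every field of the object must be satisfied by one single authorization, values cannot be combined across two authorizations of the same object. The object Z_PAYMENT, its fields, the authorizations and the user SMITHJ are constructed; the return codes 0, 4, 12 and 24 are modelled on the documented sy-subrc values of AUTHORITY-CHECK.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple, Union

Pattern = Union[str, Tuple[str, str]]     # exact value, 'PREFIX*', '*', or an interval (low, high)


@dataclass(frozen=True)
class AuthorizationObject:
    """Meta-level: names the fields every check on this object must supply."""
    name: str
    fields: Sequence[str]


@dataclass
class Authorization:
    """Instance of an object with concrete permitted values per field."""
    obj: AuthorizationObject
    values: Dict[str, List[Pattern]]

    def permits(self, requested: Dict[str, str]) -> bool:
        # All fields must be satisfied by THIS authorization; values of two
        # authorizations for the same object are never mixed.
        return all(any(matches(p, requested[f]) for p in self.values.get(f, []))
                   for f in self.obj.fields)


def matches(pattern: Pattern, value: str) -> bool:
    if isinstance(pattern, tuple):           # interval, compared as character strings
        return pattern[0] <= value <= pattern[1]
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


@dataclass
class Profile:
    authorizations: List[Authorization]


@dataclass
class Role:
    name: str
    profile: Profile


@dataclass
class User:                                   # the user master record
    name: str
    roles: List[Role]


def authority_check(user: User, obj: AuthorizationObject, **field_values: str) -> int:
    """Runtime check; 0 = passed, 4 = no matching values, 12 = no authorization for object, 24 = wrong fields."""
    if set(field_values) != set(obj.fields):
        return 24                             # field names do not match the object definition
    candidates = [a for role in user.roles for a in role.profile.authorizations
                  if a.obj.name == obj.name]
    if not candidates:
        return 12                             # user holds no authorization for this object at all
    return 0 if any(a.permits(field_values) for a in candidates) else 4


# Constructed object and authorizations (names are made up for this example).
Z_PAYMENT = AuthorizationObject("Z_PAYMENT", ("ACTVT", "BUKRS"))
DISPLAY_ALL = Authorization(Z_PAYMENT, {"ACTVT": ["03"], "BUKRS": ["*"]})
CHANGE_1000 = Authorization(Z_PAYMENT, {"ACTVT": ["01", "02"], "BUKRS": [("1000", "1099")]})
PAYMENT_ROLE = Role("Z_PAYMENT_CLERK", Profile([DISPLAY_ALL, CHANGE_1000]))
SMITHJ = User("SMITHJ", [PAYMENT_ROLE])


def program_p(user: User, activity: str, company_code: str) -> str:
    """Mirrors the slide's AUTHORITY-CHECK ... IF sy-subrc NE 0 ... MESSAGE pattern."""
    sy_subrc = authority_check(user, Z_PAYMENT, ACTVT=activity, BUKRS=company_code)
    if sy_subrc != 0:
        return "Bad authz (sy-subrc %d)" % sy_subrc
    return "ok"
```

Changing a payment in company code 2000 fails even though SMITHJ may display all company codes and change 1000–1099: no single authorization covers both requested values.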

Org Units

HR Organizational Management ndash Org Structure in HR

S

Position

70008501

S

Position

70008502

O-Org Unit

Finance

O-Org Unit

HR

O - Org Unit

Market GER

1n

1n

P

Employee

John Smith

P

Employee

Eva Scott

11 11

US

SAP User

SMITHJ

US

SAP User

SCOTTE

11 11

Positions

Employees

Users

Infotype 105

HR Organizational Management – Role Assignment

[Figure: the same org structure (org units Finance, HR, Market GER; positions 70008501, 70008502; employees John Smith, Eva Scott; SAP users SMITHJ, SCOTTE linked via Infotype 105), with roles (AG) GEN_FIN and HR_ADM attached to objects in the org tree. User SMITHJ inherits roles GEN_FIN and HR_ADM.]
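To show how the three preceding slides fit together (org structure to user via Infotype 105, role inheritance, profiles, authorizations and the runtime AUTHORITY-CHECK), here is an added Python model; it is not SAP code. The org objects and names come from the slides, but where GEN_FIN and HR_ADM hang in the org tree is assumed (GEN_FIN on org unit Finance, HR_ADM on org unit HR and on position 70008501), and the profile names, authorization objects, fields and values are constructed for illustration.

```python
"""Added example, not from the SAP slides: a Python model of the ABAP
authorization concept. Org structure, role placement, profile names and the
authorization values are constructed; the check mirrors the semantics of
AUTHORITY-CHECK (one authorization must cover all checked fields)."""
from collections import defaultdict

# HR org structure: O org unit -> S position -> P employee -> US user (Infotype 105)
ORG_UNIT_OF_POSITION = {"70008501": "Finance", "70008502": "HR"}
EMPLOYEE_OF_POSITION = {"70008501": "John Smith", "70008502": "Eva Scott"}
USER_OF_EMPLOYEE = {"John Smith": "SMITHJ", "Eva Scott": "SCOTTE"}   # Infotype 105 link

# Roles (AG) attached to org objects; the holder of the position inherits them.
# Placement is assumed for the example.
ROLES_OF_ORG_UNIT = {"Finance": {"GEN_FIN"}, "HR": {"HR_ADM"}}
ROLES_OF_POSITION = {"70008501": {"HR_ADM"}}

# Role -> profile -> authorizations. An authorization is an instance of an
# authorization object with concrete values per field; "*" is the full wildcard.
PROFILE_OF_ROLE = {"GEN_FIN": "P_GEN_FIN", "HR_ADM": "P_HR_ADM"}
AUTHORIZATIONS_OF_PROFILE = {
    "P_GEN_FIN": [("F_BKPF_BUK", {"BUKRS": {"1000", "2000"}, "ACTVT": {"03"}})],
    "P_HR_ADM":  [("P_ORGIN", {"INFTY": {"*"}, "ACTVT": {"02", "03"}, "PERSA": {"DE01"}})],
}


def roles_of_user(user):
    """Resolve the roles a user inherits via employee -> position -> org unit."""
    employee = next((e for e, u in USER_OF_EMPLOYEE.items() if u == user), None)
    position = next((p for p, e in EMPLOYEE_OF_POSITION.items() if e == employee), None)
    roles = set()
    if position is not None:
        roles |= ROLES_OF_POSITION.get(position, set())
        roles |= ROLES_OF_ORG_UNIT.get(ORG_UNIT_OF_POSITION[position], set())
    return roles


def user_master_record(user):
    """Collect the user's authorizations from all profiles, grouped by object."""
    by_object = defaultdict(list)
    for role in roles_of_user(user):
        for obj, values in AUTHORIZATIONS_OF_PROFILE[PROFILE_OF_ROLE[role]]:
            by_object[obj].append(values)
    return by_object


def _field_matches(allowed, value):
    return "*" in allowed or value in allowed


def authority_check(user, obj, **checked):
    """Model of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ...

    Returns 0 when a single authorization for obj covers every checked field,
    4 when the user has authorizations for obj but none with the required
    values, and 12 when the user holds no authorization for obj at all
    (the sy-subrc values the ABAP statement uses for these cases)."""
    candidates = user_master_record(user).get(obj, [])
    if not candidates:
        return 12
    for auth in candidates:
        if all(_field_matches(auth.get(f, set()), v) for f, v in checked.items()):
            return 0
    return 4


if __name__ == "__main__":
    for u in ("SMITHJ", "SCOTTE"):
        print(u, sorted(roles_of_user(u)),
              authority_check(u, "F_BKPF_BUK", BUKRS="1000", ACTVT="03"))
```

Fields the program does not check (it would pass DUMMY for them in ABAP) are simply absent from the keyword arguments and are not evaluated, which is why a single check can succeed with a broad authorization and fail with a narrow one.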

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

[Figure: SAP HANA security functions (authentication/SSO, authorization, encryption, audit logging, identity store) and the access paths to them: clients reach the database through an application server via SQL or MDX, through HTTP(S) via XS applications, and via SQL from SAP HANA Studio for administration.]

SAP HANA – authentication and single sign-on

SQL access:
- user name and password (incl. password policy)
- Kerberos
- SAML

HTTP access (SAP HANA XS):
- user name and password (basic authentication, form-based login, incl. password policy)
- SAML
- X.509
- SAP logon tickets

SAP HANA – user and role management

- For logon, users must exist in the identity store of the SAP HANA database.
- Roles (and privileges) can be assigned to users.
- Roles are used to bundle and structure privileges: create roles for specific groups of users; role hierarchies are supported.
- Role lifecycle: design-time roles, export to production system, activate runtime.

SAP HANA – authorization: privilege types

- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

- Communication encryption: SSL
- Data encryption: data volumes on disk

SAP HANA – audit logging

- Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
- User-defined policies for audit logging
- Data access logging: read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – security administration

- SAP HANA Studio (administration)
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful

[Figure: SAP Mobile Security layers: Device (Mobile Device Management), Application (Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container), Content (Mobile Content Management), Communications (Telecom Expense Management), Systems Management (Enterprise Mobility Management System); deployable on-premise, hybrid or cloud.]

Introducing SAP Mobile Documents

[Figure headings: Share, My Files, My Files - Any Device, Mobilize Enterprise Content]

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Figure: SAP ID service in the SAP Cloud provides authentication, single sign-on and user management for on-demand applications and an on-premise app.]

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and On-Demand applications
- One SAP identity: SAP ID service bridges the gap between
  - the customer's on-premise application
  - SAP on-demand applications
  - SAP websites
  - 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

[Figure: the standards SAML, Liberty ID-WSF, WS-*/SOAP, OAuth, XRDS, OpenID, REST and Kerberos, split between the Enterprise (on-premise) camp and the Internet/Cloud (on-demand) camp.]

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud.
- SOAP/WS-* is the preferred choice for process integration in the enterprise.
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration on-premise / on-demand instead of point-to-point connections.

[Figure: in the customer's on-premise network, the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network, SAP ID service sits in front of SAP Business ByDesign, SAP HANA Cloud, a social IdP and a 3rd party app, with SAML between the parties.]
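In the SAML Web SSO profile referred to on the two previous slides, the service provider that receives a bearer assertion (here, a cloud application trusting an on-premise or proxying IdP) has to check more than the signature before it accepts the subject. The following is an added example, not code from the slides, from SAP ID service or from any SAP product: it runs those checks (trusted issuer, validity window, audience restriction, bearer subject confirmation with recipient and request binding) over a constructed assertion. Issuer, audience, ACS URL, request ID and timestamps are made up. XML signature verification is deliberately left out because it needs an XML-DSig library; in a real SP it comes first.

```python
"""Added example, not from the SAP slides or any SAP product: the checks a
SAML 2.0 Web SSO service provider applies to a bearer assertion, run on a
constructed assertion. Signature verification is out of scope here and must
precede these checks in real code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed assertion, as an on-premise IdP might issue it to a cloud SP
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jack_jones</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2013-11-05T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, audience, acs_url, request_id,
                       now, skew_seconds=60):
    """Return (name_id, []) when the assertion is acceptable, else (None, failures).

    now is a UTC timestamp string in the same format as the assertion; a small
    clock skew is tolerated on the time checks."""
    root = ET.fromstring(xml_text)
    t = _ts(now)
    skew = timedelta(seconds=skew_seconds)
    failures = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        failures.append(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        if "NotBefore" in cond.attrib and t + skew < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and t - skew >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            failures.append("audience restriction does not name this SP")

    scd = root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                    "/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no bearer subject confirmation")
    else:
        if scd.get("Recipient") != acs_url:
            failures.append("Recipient is not our assertion consumer service URL")
        if scd.get("InResponseTo") != request_id:
            failures.append("InResponseTo does not match the outstanding request")
        if "NotOnOrAfter" in scd.attrib and t - skew >= _ts(scd.get("NotOnOrAfter")):
            failures.append("subject confirmation expired")

    if failures:
        return None, failures
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), []


# Constructed service provider settings
SP = dict(trusted_issuers={"https://idp.example.com/metadata"},
          audience="https://sp.example.com",
          acs_url="https://sp.example.com/saml/acs")

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, request_id="_req42",
                             now="2013-11-05T10:01:00Z", **SP))
```

Every failed check is reported rather than only the first one, which makes federation problems between an on-premise IdP and a cloud SP much easier to diagnose from the SP's log.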

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Figure: on-demand integration, on-premise integration, on-device integration]

Secure Communication and Interaction: OnDemand Solutions

[Figure: the backend networks of Company A and Company B (R/3 and ERP application server farms with directories) connected to on-demand solutions; each company has its own identity provider, and the labels SAML and SAP Logon Tickets mark the trust relationships between the backend networks, the identity providers and the on-demand side.]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Figure: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when, and via which interface
- Target audience: data protection officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: security administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Figure: audit planning and work program (system audit, business audit); online controls on the SAP database (system information, reconciliation of balance sheet / P&L, account balances, documents); data export of account balances and line items over an export interface to the non-SAP environment (analysis software such as ACL, IDEA, ..., reporting software) for work paper preparation and reporting; the exported data covers line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- who accessed the data
- which data was accessed
- when the data was accessed
- how the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Figure: ABAP server with an application (Web Dynpro) writing to the Read Access Log]

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
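The filters described on the last three slides (which channel and entity are in scope, which users, and how much of a field's content is recorded) are what keep a read access log useful without turning it into a second copy of the sensitive data. The following is an added example, not SAP's Read Access Logging implementation: a small model of a logging configuration with such filters applied to constructed access events. Channel names follow the slides; the entity, field names, users, masking rules and events are constructed.

```python
"""Added example, not SAP's Read Access Logging implementation: a model of how
a logging configuration with filters decides what a read access log record
contains. Everything except the channel names is constructed."""

# Per (channel, entity): which fields are logged and how.
#   "full"   - record the value
#   "masked" - record only the last four characters
#   "none"   - record that the field was displayed, not its content
RAL_CONFIG = {
    ("SAP GUI", "BUSINESS_PARTNER"): {
        "PARTNER": "full", "NAME": "full", "CARD_NUMBER": "masked", "IBAN": "masked",
    },
    ("RFC", "BUSINESS_PARTNER"): {
        "PARTNER": "full", "CARD_NUMBER": "none",
    },
}

# Filter on users: technical users whose reads are not logged at all
EXCLUDED_USERS = {"BATCH_USER"}


def mask(value, keep=4):
    """Keep only the trailing characters of a sensitive value."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def log_read_access(event, config=RAL_CONFIG, excluded_users=EXCLUDED_USERS):
    """Build the log record for a read access event, or return None when the
    event is out of scope (excluded user, or channel/entity not configured).

    event: {"user", "channel", "entity", "timestamp", "fields": {name: value}}
    The record answers who, when, how (channel) and which data was accessed."""
    if event["user"] in excluded_users:
        return None
    rules = config.get((event["channel"], event["entity"]))
    if rules is None:
        return None
    logged = {}
    for name, value in event["fields"].items():
        rule = rules.get(name)
        if rule is None:            # field not configured: stays out of the log
            continue
        if rule == "full":
            logged[name] = value
        elif rule == "masked":
            logged[name] = mask(value)
        else:
            logged[name] = "<not recorded>"
    return {
        "who": event["user"],
        "when": event["timestamp"],
        "how": event["channel"],
        "entity": event["entity"],
        "data": logged,
    }


# Constructed events: the same business partner screen read over three channels
GUI_EVENT = {
    "user": "SMITHJ", "channel": "SAP GUI", "entity": "BUSINESS_PARTNER",
    "timestamp": "2013-11-05T10:01:00Z",
    "fields": {"PARTNER": "100123", "NAME": "Jack Jones",
               "CARD_NUMBER": "4111111111111111", "IBAN": "DE89370400440532013000",
               "BIRTHDATE": "1970-01-01"},
}
RFC_EVENT = dict(GUI_EVENT, user="RFC_USER", channel="RFC")
BATCH_EVENT = dict(GUI_EVENT, user="BATCH_USER")

if __name__ == "__main__":
    for ev in (GUI_EVENT, RFC_EVENT, BATCH_EVENT):
        print(log_read_access(ev))
```

Note how the card number is never written in full even on the most detailed channel: the log proves that the field was displayed and to whom, which is what the data protection officer needs, without itself becoming cardholder data.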

SAP Custom Development – User Interface (UI) Logging

[Figure: SAP GUI for Windows exchanges request and response with the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log and, via an asynchronous call of the log service, to permanent log storage in the repository; application logic and a delivered sample implementation are shown.]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

[Figure: transaction BP (Business Partner) log record]

UI Logging: Log Record Example II

[Figure: transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Supported by:

    Channel                       Read Access Logging   UI Logging Solution
    SAP GUI                       No                    7.00...7.31
    Web Dynpro ABAP               7.40 SP02             On Req.
    CRM Web Client UI             No                    7.00...7.31
    Business Warehouse            No                    7.00...7.31, BW 7.0
    Web Services                  7.40                  On Req.
    SAP RFC                       7.40 SP02             On Req.
    Business Server Pages (BSP)   No                    On Req.

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

[Figure: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.]

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

[Figure: SAP client and application server, steps 1 to 4]

1. The transaction triggers a digital signature.
2. User information is transferred.
3. The user authenticates and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

Supported out-of-the-box for a set of SAP transactions. Programming/integration is necessary in case of:
- ABAP programming for other transactions not yet supporting SSF
- integration of the Secure Login Library with client actions
- hardware support needed

SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to SAP application servers, which also use SNC between each other.]

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Protecting Your SAP Systems

[Figure: overview of how SAP systems are protected: secure software development at SAP and at customers, SAP security services, and security management at the customer. The following slides highlight one area at a time.]

SAP Product Innovation Lifecycle

[Figure: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up.]

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development.
- We plan and implement security using product standard requirements.
- We use state-of-the-art quality assurance methods.
- We verify in quality gates that requirements are met.
- We provide fixes via Product Security Response if vulnerabilities are identified.
- We provide Active Global Support and consulting security services.


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

(from the security recommendations discussed later)

Patch Management and Security Monitoring

- Check the security of your systems as onsite, remote or self service via SAP Solution Manager.
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
- Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented.
- Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming - avoid security bugs:
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
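The code vulnerability analysis add-on described above works by following data flow from user input to dangerous statements. To make that idea concrete for three of the bug classes on the previous slide (SQL injection, directory traversal, ABAP code injection), here is an added example that is not one of the SAP check tools and not SAP code: a deliberately small taint-tracking scan in Python over a constructed ABAP snippet. Sources (PARAMETERS), propagation (assignment, APPEND), sinks and the single sanitizer it recognises are a handful of made-up rules; any call to a cl_abap_dyn_prg=> method is treated as cleaning its result, and the check_whitelist_str call in the snippet is written from memory of that method's parameters purely to show a sanit izer in the flow. A real tool models each sink and sanitizer precisely; this one shows the mechanism.

```python
"""Added example, not one of SAP's check tools: a minimal taint-tracking scan
over ABAP source. Rules, sanitizer handling and the ABAP program are
constructed for illustration."""
import re

# Constructed ABAP program under test (comments start with a double quote)
SAMPLE_ABAP = """\
PARAMETERS: p_bukrs TYPE bukrs, p_where TYPE string, p_file TYPE string.
DATA: lv_where TYPE string, lv_safe TYPE string, lt_docs TYPE TABLE OF bkpf,
      lt_code TYPE TABLE OF string, lv_prog TYPE string.
lv_where = p_where.
SELECT * FROM bkpf INTO TABLE lt_docs WHERE (lv_where).        " tainted dynamic WHERE
lv_safe = cl_abap_dyn_prg=>check_whitelist_str( val = p_where whitelist = 'ABC = ' ).
SELECT * FROM bkpf INTO TABLE lt_docs WHERE (lv_safe).         " sanitized
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.   " tainted path
SELECT * FROM bkpf INTO TABLE lt_docs WHERE bukrs = p_bukrs.   " static WHERE, fine
APPEND p_where TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.                  " tainted code
"""

SOURCE_STMT = re.compile(r"^\s*PARAMETERS:?\s+(.*)\.$", re.I)      # user input enters here
ASSIGN_STMT = re.compile(r"^\s*(\w+)\s*=\s*(.+)\.$")
APPEND_STMT = re.compile(r"^\s*APPEND\s+(\w+)\s+TO\s+(\w+)\.$", re.I)
SANITIZER = re.compile(r"\bcl_abap_dyn_prg=>", re.I)              # assumed to clean its result
SINKS = [
    ("SQL injection",       re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)),
    ("directory traversal", re.compile(r"\bOPEN\s+DATASET\s+(\w+)", re.I)),
    ("ABAP code injection", re.compile(r"\bGENERATE\s+SUBROUTINE\s+POOL\s+(\w+)", re.I)),
]


def _strip_comment(line):
    """A line starting with * is a full-line comment; a double quote starts a
    comment for the rest of the line (string literals use single quotes)."""
    if line.startswith("*"):
        return ""
    return line.split('"', 1)[0].rstrip()


def scan_abap(source):
    """Return findings as (line_number, category, variable) for every sink that
    consumes a variable tainted by user input without a recognised sanitizer."""
    tainted = set()
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = _strip_comment(raw)
        if not line:
            continue
        m = SOURCE_STMT.match(line)
        if m:                                   # every declared parameter is user input
            for decl in m.group(1).split(","):
                tainted.add(decl.split()[0].lower())
            continue
        m = ASSIGN_STMT.match(line)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2)
            rhs_vars = {v.lower() for v in re.findall(r"\b\w+\b", rhs)}
            if rhs_vars & tainted and not SANITIZER.search(rhs):
                tainted.add(lhs)                # taint flows into the target
            else:
                tainted.discard(lhs)            # overwritten with clean data
            continue
        m = APPEND_STMT.match(line)
        if m and m.group(1).lower() in tainted:
            tainted.add(m.group(2).lower())     # tainted line appended to a table
            continue
        for category, sink in SINKS:
            s = sink.search(line)
            if s and s.group(1).lower() in tainted:
                findings.append((no, category, s.group(1).lower()))
    return findings


if __name__ == "__main__":
    for line_no, category, var in scan_abap(SAMPLE_ABAP):
        print(f"line {line_no}: {category} via {var}")
```

The static WHERE clause on line 9 is not reported even though it uses a parameter directly, because Open SQL binds it as a value; only the dynamic token form is a sink. That distinction between a value and code is exactly what the real analysis has to get right for each statement.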

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Figure: four approaches: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing. DAST finds vulnerabilities in the running application; SAST finds vulnerabilities by analyzing the sources.]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Figure: the same four approaches (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing); DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources; the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to the SAST side.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com; please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general?
- Go to the SAP Service Marketplace for spotlight news
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP support portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test:
- verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
- proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance

Booking code: P_ADM_SEC_70

    Topic                                     Course ID
    Authorizations AS ABAP                    ADM940
    Authorizations AS Java, Portal            ADM200, EP200, ADM800
    Authorizations BW                         BW365
    SAP NetWeaver Identity Management         ADM920
    Security Auditing                         ADM950
    Technical Security (RFC, SSL, SNC, ...)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

    EAL 1   Functionally tested
    EAL 2   Structurally tested
    EAL 3   Methodically tested and checked
    EAL 4   Methodically designed, tested and reviewed
    EAL 5   Semi-formally designed and tested
    EAL 6   Semi-formally verified, designed and tested
    EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

[Figure: map of markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France]

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Figure: three pillars: Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On)]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO): for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On

[Diagram labels: Primary Authentication, E-SSO, E-SSO Monitor, Local Management Console; target applications: Terminal Emulator, Web Form, Web Basic, Windows application, Java application; user jack_jones]

Secure Login – Solution Architecture

[Diagram labels: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet) and Key Store; SAP Backend System with ABAP Stack and Secure Login Library, Java Stack and PSE Service; Secure Login Server on NetWeaver CE 7.2 with Config Data; further Backend Systems; Authentication Server (e.g. SAP User Management); protocols: DIAG/SNC, HTTP(S); SAP or Java Crypto Library]

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation

- Different companies
- One business process
- Separated IT infrastructure
- Cloud

[Diagram labels: Company A with Datacenter A (ERP, CRM, SCM, …); Company B with Datacenter B (ERP, CRM, SCM, …)]

Identity Federation – Solution

[Diagram labels: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM and SCM behind a Service Provider (SP); one Identity Provider per company; Identity Federation between the Identity Providers]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram labels: SAP NetWeaver Java Identity Provider (User Account); Service Providers with their own User Accounts on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems; log on / log off; SAML token]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
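The redirect-to-IdP flow described above, as an added example (not SAP code): one Identity Provider, two Service Providers, and the checks an SP performs on the assertion it receives. The entity IDs, user and password are constructed, and the XML signature of a real SAML assertion is replaced by an HMAC over the assertion's JSON so the logic runs without an XML library.

```python
import hashlib
import hmac
import json
import secrets
import time

IDP_ID = "https://idp.example.com"        # constructed IdP entity ID
IDP_KEY = b"idp-signing-key-constructed"  # stands in for the IdP's X.509 signing key


def sign(assertion: dict) -> str:
    """HMAC over the canonical JSON of the assertion (stand-in for XML Signature)."""
    canonical = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, users):
        self.users = users       # user -> password (constructed test data)
        self.sessions = {}       # browser cookie -> authenticated user

    def login(self, user, password):
        """Interactive logon at the IdP; happens once per browser session."""
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def issue(self, cookie, sp_id, request_id, now):
        """Answer an SP's AuthnRequest with a signed assertion, or None without an IdP session."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        assertion = {"id": secrets.token_hex(8), "issuer": IDP_ID, "subject": user,
                     "audience": sp_id, "in_response_to": request_id,
                     "not_before": now - 30, "not_on_or_after": now + 300}
        return {"assertion": assertion, "signature": sign(assertion)}


class ServiceProvider:
    def __init__(self, sp_id):
        self.sp_id = sp_id
        self.pending = set()   # IDs of AuthnRequests we sent and have not yet seen answered
        self.seen = set()      # assertion IDs already consumed (replay protection)
        self.sessions = {}

    def authn_request(self):
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, response, now):
        """Validate a SAML response the browser posted back; 'ok' or the reason for rejection."""
        if response is None:
            return "no IdP session"
        a = response["assertion"]
        if not hmac.compare_digest(sign(a), response["signature"]):
            return "invalid signature"
        if a["issuer"] != IDP_ID:
            return "untrusted issuer"
        if a["audience"] != self.sp_id:
            return "wrong audience"
        if not a["not_before"] <= now < a["not_on_or_after"]:
            return "outside validity window"
        if a["id"] in self.seen:
            return "replayed assertion"
        if a["in_response_to"] not in self.pending:
            return "unsolicited response"
        self.pending.discard(a["in_response_to"])
        self.seen.add(a["id"])
        self.sessions[a["subject"]] = True
        return "ok"


def sso_demo():
    """One interactive logon at the IdP, then SSO into two SPs; plus three rejected cases."""
    now = int(time.time())
    idp = IdentityProvider({"jack_jones": "pw-constructed"})
    erp = ServiceProvider("https://erp.company-b.example")
    crm = ServiceProvider("https://crm.company-b.example")
    cookie = idp.login("jack_jones", "pw-constructed")
    first = erp.consume(idp.issue(cookie, erp.sp_id, erp.authn_request(), now), now)
    second = crm.consume(idp.issue(cookie, crm.sp_id, crm.authn_request(), now), now)  # no re-authentication
    for_erp = idp.issue(cookie, erp.sp_id, erp.authn_request(), now)
    wrong_sp = crm.consume(for_erp, now)          # assertion addressed to ERP is useless at CRM
    erp.consume(for_erp, now)
    replay = erp.consume(for_erp, now)            # the same assertion cannot be used twice
    for_erp["assertion"]["subject"] = "admin"     # tampering breaks the signature
    tampered = erp.consume(for_erp, now)
    return first, second, wrong_sp, replay, tampered
```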

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram labels: SAP NetWeaver Identity Management with Central Identity Store, e.g. on-boarding; SAP Access Control (GRC); SAP Business Suite Integration]

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Compliance checks through GRC

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram labels: Identity Center with IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS); Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB), Event Agent «Starts»; Virtual Directory Server (VDS) in a Java VM, LDAP; AS Java with Web Dynpro ID Mgmt UI abstraction and JMX; Management Console (MMC, soon to be Eclipse); User Interface; HTTPS and DB protocol; external repositories: LDAP, Java, ABAP, Web Services, Active Directory, etc.; external applications: SAP HR, LDAP/Web Services, SiteMinder, app specific, etc.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Request flow between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control (built up over the following slides):

1. Request for
   - Role
   - Privileges
   - User account
   - …
2. Request sent for approval to
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
3. Approval granted from
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
4. Send for risk analysis (SAP GRC Access Control) to
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
5. Risk analysis and remediation by the Compliance Team
   - Reject
   - Approve
   - Mitigate
   - Modify request
   - …
6. Provision to
   - Business applications
   - Non-SAP systems
   - …
   and send approval mail to User

Result: Compliant Identity Management
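The six-step flow above, as an added example (not SAP code): request, approval, risk analysis against a segregation-of-duties rule set, remediation (approve / mitigate / reject) and provisioning. The SoD rules, risk IDs, mitigating control, role names and target systems are constructed, and GRC Access Control is reduced to the check_risk() and remediate() functions.

```python
from dataclasses import dataclass, field

# Constructed SoD rule set: a pair of roles one person must not hold, and the risk ID it raises.
SOD_RULES = {
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"): "RISK-F001",
    ("VENDOR_MAINTAIN", "AP_PAYMENT_RUN"): "RISK-F002",
}
# Constructed mitigating controls the compliance team may attach to a risk.
MITIGATIONS = {"RISK-F001": "MC-01 monthly payment-run review"}


@dataclass
class Request:
    user: str
    roles: list
    approved_by: str = None      # step 2/3: manager, delegate, role owner or application owner
    risks: list = field(default_factory=list)
    decision: str = None         # step 5: approve / mitigate / reject
    control: str = None          # mitigating control assigned when decision == "mitigate"


def current_roles(user, systems):
    """Roles the user already holds across all target systems."""
    return set().union(*(members.get(user, set()) for members in systems.values()))


def check_risk(existing, requested):
    """Step 4: risk analysis of the combined (existing + requested) assignment."""
    combined = set(existing) | set(requested)
    return sorted(rid for (a, b), rid in SOD_RULES.items() if a in combined and b in combined)


def remediate(req, existing, accept_mitigation=True):
    """Step 5: compliance team decides; a risk with a known control can be mitigated."""
    req.risks = check_risk(existing, req.roles)
    if not req.risks:
        req.decision = "approve"
    elif accept_mitigation and all(r in MITIGATIONS for r in req.risks):
        req.decision = "mitigate"
        req.control = "; ".join(MITIGATIONS[r] for r in req.risks)
    else:
        req.decision = "reject"
    return req


def provision(req, systems):
    """Step 6: assign the roles in every target system, only after a positive decision."""
    granted = req.decision in ("approve", "mitigate")
    if granted:
        for members in systems.values():
            members.setdefault(req.user, set()).update(req.roles)
    return granted


def run_workflow(user, roles, approver, systems, accept_mitigation=True):
    """Steps 1-6 for one access request; returns the request with its outcome."""
    req = Request(user, roles, approved_by=approver)          # steps 1-3
    remediate(req, current_roles(user, systems), accept_mitigation)
    provision(req, systems)
    return req
```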

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram labels: SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM), SAP GRC 10.0; SAP ERP (4.6C – 7.1) with NW Function Modules (plug-in GRCPINW), HR Function Modules and PC Automated Controls (plug-in GRCPIERP); Non-SAP Business Applications via Adapter; SAP NW Portal 7.02 with GRC Portal Content; SAP NW BW 7.02 with GRC BI Content; Identity Management Solutions (SAP or Non-SAP); SAP NW JAVA 7.02 with Adobe Document Services; Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter; connections shown: RFC, DIAG, http, Web services; several components marked optional]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Flowchart labels, in order: HR Application (New Hire, Change Position); Identity Management (Calculate Entitlements Based on Position); Line Manager (Approve Assignments: Yes / No); SAP GRC Access Control (Compliance Check, Remediation); Heterogeneous Landscape (Create User, Assign Roles in each target system; Create User, Assign Privileges)]

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram labels: SAP Attack Monitoring Infrastructure with the functions Aggregation, Normalization, Connectivity, Filtering, Extraction; inputs: Attack Pattern Updates by SAP, Logs of SAP NetWeaver, Logs of Non-SAP NetWeaver, Desktop Frontend, Mobile Frontend, Logs of Infrastructure, Logs of Database, Logs of Network IDS, Alerts from SAP SolMan; outputs: API to other SIEM tools, Information Back Channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
- SAP leads the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Secure access to applications: Improve corporate security, decrease operational costs

[Diagram labels: SAP Business Suite, SAP cloud applications, SAP mobile applications, 3rd party systems]

- Authentication and single sign-on: make it easy for your users to do what they're allowed to do
- Identity management: making sure you know your users and what they can do
- Security governance and compliance: ensure corporate compliance to regulatory requirements

Faster onboarding of new hires: 70%
Reduction of password-related help desk calls: 70%

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
- User-ID + Password
- X.509 Client Certificates
- SAP NetWeaver Single Sign-On: Kerberos, 2-Factor Authentication
- 3rd party SNC provider

Web Based
- User-ID + Password
- X.509 Authentication
- SAML 2
- SAP Logon Tickets
- Kerberos / SPNego
- OAuth

For Kerberos / SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security policies allow you to control the ability of users to access a system:
- The permitted mechanisms to authenticate
- Settings for password strength and expiration
- Settings on how combinations of mechanisms work together
- Privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
- allows for enforcing best practices (segregation of duties, least privilege, etc.)
- enables meeting the required system protection

[Diagram labels: users Karen, John, Susan]

SAP ABAP Authorization Concept

[Diagram labels: Authorization Object X with Field1 … Field10; Authorizations instantiated from objects with specific values (Authorization Object X: Field1 = ValuesX1 … Field10 = ValuesX10; Authorization Object Y: Field1 = ValuesY1 … Field10 = ValuesY10; Authorization Object Z: Field1 = ValuesZ1 … Field10 = ValuesZ10); Authorizations bundled into an Authorization Profile; Profile assigned to a Role; Role assigned to a User; User's Master Record; Transaction T runs Program P; runtime check for each field, checked against specific values]

Program P performs the check at runtime; in ABAP this reads:

AUTHORITY-CHECK OBJECT 'X'
  ID 'FIELD1'  FIELD 'VALUEX1'
  ID 'FIELD10' FIELD 'VALUEX10'.
IF sy-subrc <> 0.
  MESSAGE 'Bad authz' TYPE 'E'.
ENDIF.

Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined: an object is instantiated as an authorization with specific field values, the authorization reaches the user through a profile or role in the user master record, and at runtime the values requested by the program are checked field by field against the assigned authorizations.
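A small model of the concept above, as an added example (not SAP code): objects define fields, authorizations instantiate them with values, roles bundle authorizations, the user master record holds roles, and a check succeeds only when one single assigned authorization covers every requested field value (values from two different authorizations are never combined, which is the ABAP semantic). The object Z_DOC, the roles and the users are constructed; ACTVT and BUKRS are standard SAP field names used for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthObject:
    name: str
    fields: tuple            # field names defined for the object (ABAP allows up to 10)


@dataclass(frozen=True)
class Authorization:
    obj: str                 # authorization object this instance belongs to
    values: tuple            # ((field, (permitted values...)), ...)

    def covers(self, requested):
        """True only if this single authorization permits every requested field value."""
        permitted = dict(self.values)
        return all(value_allowed(permitted.get(f, ()), v) for f, v in requested.items())


def value_allowed(permitted, actual):
    """'*' is the full authorization, a trailing '*' is a prefix pattern, anything else is exact."""
    for p in permitted:
        if p == "*" or p == actual or (p.endswith("*") and actual.startswith(p[:-1])):
            return True
    return False


class AbapSystem:
    def __init__(self):
        self.objects = {}    # object name -> AuthObject
        self.roles = {}      # role name -> tuple of Authorization (the role's profile)
        self.users = {}      # user master record: user -> set of roles

    def define_object(self, name, *fields):
        self.objects[name] = AuthObject(name, fields)

    def define_role(self, role, *auths):
        for a in auths:
            unknown = {f for f, _ in a.values} - set(self.objects[a.obj].fields)
            if unknown:
                raise ValueError(f"{a.obj} has no field {unknown}")
        self.roles[role] = auths

    def assign_role(self, user, role):
        self.users.setdefault(user, set()).add(role)

    def authority_check(self, user, obj, **requested):
        """Runtime check like AUTHORITY-CHECK: 0 if some single assigned authorization for
        obj covers all requested field values, else 4 (real sy-subrc has more failure codes)."""
        if obj not in self.objects:
            raise ValueError(f"unknown authorization object {obj}")
        for role in self.users.get(user, ()):
            for auth in self.roles[role]:
                if auth.obj == obj and auth.covers(requested):
                    return 0
        return 4


def build_demo():
    """Constructed landscape: object Z_DOC with fields ACTVT (activity) and BUKRS (company code)."""
    s = AbapSystem()
    s.define_object("Z_DOC", "ACTVT", "BUKRS")
    s.define_role("DISPLAY_1000", Authorization("Z_DOC", (("ACTVT", ("03",)), ("BUKRS", ("1000",)))))
    s.define_role("CHANGE_2000", Authorization("Z_DOC", (("ACTVT", ("02", "03")), ("BUKRS", ("2000",)))))
    s.define_role("AUDIT_ALL", Authorization("Z_DOC", (("ACTVT", ("03",)), ("BUKRS", ("*",)))))
    s.assign_role("SMITHJ", "DISPLAY_1000")
    s.assign_role("SMITHJ", "CHANGE_2000")
    s.assign_role("SCOTTE", "AUDIT_ALL")
    return s
```

SMITHJ may change documents in company code 2000 and display those in 1000, but a change in 1000 fails: activity 02 and company code 1000 come from two different authorizations and are not combined.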

HR Organizational Management – Org Structure in HR

[Diagram labels: Org Units (O): Finance, HR, Market GER; Positions (S): 70008501, 70008502, linked 1:n to org units; Employees (P): John Smith, Eva Scott, linked 1:1 to positions; Users (US): SAP User SMITHJ, SCOTTE, linked 1:1 to employees via Infotype 105]

HR Organizational Management – Role Assignment

[Diagram labels: the same org structure as above, plus Roles (AG): GEN_FIN, HR_ADM; User SMITHJ inherits roles GEN_FIN and HR_ADM]

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

[Diagram labels: SAP HANA with the security functions Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; access paths: Client via SQL; Client via HTTP(S) to the SAP HANA XS Application; Application Server via SQL / MDX; SAP HANA Studio (Administration) via SQL]

SAP HANA – authentication and single sign-on

SQL access
- User name and password (incl. password policy)
- Kerberos
- SAML

HTTP access (SAP HANA XS)
- User name and password (basic authentication, form-based login, incl. password policy)
- SAML
- X.509
- SAP logon tickets

SAP HANA – user and role management

- For logon, users must exist in the identity store of the SAP HANA database
- Roles (and privileges) can be assigned to users
- Roles are used to bundle and structure privileges: create roles for specific groups of users; role hierarchies are supported
- Role lifecycle: design-time roles, export to production system, activate, runtime

SAP HANA – authorization: privilege types

- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

Communication encryption
- SSL

Data encryption
- Data volumes on disk

SAP HANA – audit logging

- Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
- User-defined policies for audit logging
- Data access logging: read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – security administration

- SAP HANA Studio (Administration)
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

[Diagram labels: Mobile Security layers – Device: Mobile Device Management; Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container; Content: Mobile Content Management; Communications: Telecom Expense Management; Systems Management: Enterprise Mobility Management System; SAP Mobile Security – On-Premise, Hybrid, Cloud]

Introducing SAP Mobile Documents

Share My Files; My Files – Any Device; Mobilize Enterprise Content
- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram labels: SAP ID service in the SAP Cloud providing Authentication, Single Sign-On and User Management; On-Demand applications; On-premise app]

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites
- One SAP identity: SAP ID service bridges the gap between
  - customer's on-premise application
  - SAP on-demand applications
  - SAP websites
  - 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

[Diagram labels: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos; Enterprise (On-Premise) vs. Internet/Cloud (On-Demand)]

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between On-Demand and On-Premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP / OD instead of point-to-point connections

[Diagram labels: Customer On-Premise Network with User and On-Premise IdP (X.509); SAP On-Demand Network with SAP ID service, SAP Business ByDesign, SAP HANA Cloud, Social IdP and 3rd party App; connections labelled SAML]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Diagram labels: OnDemand integration, OnPremise integration, OnDevice integration]

Secure Communication and Interaction: OnDemand Solutions

[Diagram labels: Backend Networks of Company A and Company B, each with an R/3 application server farm, ERP and DIR; On-Demand systems for Company A and Company B; Identity Providers; connections labelled SAML and SAP Logon Tickets]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshot labels: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows you to track who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram labels: SAP Environment – audit planning, work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS, P&L, account balances, documents), data export (account balances, line items), export interface; Non-SAP Environment – work paper preparation, report, analysis software (ACL, IDEA, …), reporting software; exported data: line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows you to log all access to classified or sensitive data and supports the evaluation of these events. It allows you to track:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram labels: ABAP Server with Application, Web Dynpro and Read Access Log]

Read Access Logging Framework Features

Read Access Logging allows you to log all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
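A model of the two Read Access Logging slides above, as an added example (not the SAP framework): a configuration that decides, per channel and entity, which fields are logged and whether their values are stored, masked or omitted, and a function that turns one data access into the who / which data / when / how records. The channel names follow the slides; the entity, field names, users and the business-partner record are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LogRule:
    channel: str                # "SAP GUI", "Web Dynpro ABAP", "RFC", "Web Service"
    entity: str                 # logical entity whose fields are classified
    fields: tuple               # fields whose access is logged at all
    log_values: bool            # False: record that the field was shown, not its content
    masked: tuple = ()          # fields whose value is reduced to its last four characters
    exclude_users: tuple = ()   # e.g. technical users whose traffic is filtered out


# Constructed configuration: full values for dialog users in SAP GUI (card number masked),
# access-only records for RFC, nothing for channels without a rule.
CONFIG = (
    LogRule("SAP GUI", "BusinessPartner", ("NAME", "IBAN", "CARD_NUMBER"), True,
            masked=("CARD_NUMBER",), exclude_users=("BATCH_USER",)),
    LogRule("RFC", "BusinessPartner", ("IBAN", "CARD_NUMBER"), False),
)


def log_access(user, channel, entity, data, ts, ui="", config=CONFIG):
    """Return the RAL records one access produces (possibly none); data is the record shown."""
    records = []
    for rule in config:
        if rule.channel != channel or rule.entity != entity or user in rule.exclude_users:
            continue
        for f in rule.fields:
            if f not in data:
                continue                      # field not presented via this channel
            if f in rule.masked:
                value = "****" + str(data[f])[-4:]
            elif rule.log_values:
                value = data[f]
            else:
                value = None                  # access is recorded, content stays out of the log
            records.append({"who": user, "when": ts.isoformat(), "how": channel,
                            "ui": ui, "entity": entity, "field": f, "value": value})
    return records


def who_saw(records, field):
    """Evaluation helper: users who accessed a given field, for a data protection review."""
    return sorted({r["who"] for r in records if r["field"] == field})
```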

SAP Custom Development – User Interface (UI) Logging

[Diagram labels: SAP GUI for Windows exchanges Request / Response with the Dynpro Processor in the SAP Backend System; observed data traffic; Application Logic; Repository; Temporary Log; asynchronous call of log service; Permanent Log Storage; delivered sample implementation]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
[Screenshot: Transaction BP (Business Partner) log record]

UI Logging: Log Record Example II
[Screenshot: Transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00 … 7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00 … 7.31
Business Warehouse          | No                               | 7.00 … 7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

copy 2013 SAP AG or an SAP affiliate company All rights reserved 46

Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.
When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case, approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library]

Digital signatures for legally binding contracts
Integration with the Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. A transaction triggers the digital signature.
2. User information is transferred.
3. The user authenticates and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

Supported out-of-the-box for a set of SAP transactions.
Programming/integration is necessary in the case of ABAP programming for other transactions not yet supporting SSF.
Integration of the Secure Login Library with client actions.
Hardware support needed.

[Diagram: SAP Client, steps 1 to 4]

SNC Client Encryption

Secure network communications
A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in the SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included

[Diagram: client side (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to the server side (SAP application servers), which are also connected to each other via SNC]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: Secure Software Development at SAP and at customers, Security Services, Security Management]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
Secure operation trainings by SAP
Secure development trainings by partners

SAP Security Documentation
Security notes published on the Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling
(From the security recommendations; discussed later)

Patch Management and Security Monitoring

Check the security of your systems on site, remotely, or as a self service via SAP Solution Manager.
Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
Evaluate SAP security notes every patch day. The most important notes which can be applied automatically are checked and the result is presented.
Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
Easy-to-use, light-weight tool – short startup time, small memory footprint.
List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task is available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources
SAP security recommendations
SAP security guides

How to verify
Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming - avoid security bugs
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources
SAP Secure Programming Guides
SAP Security Recommendations

How to verify
Source code scanning – automate it
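Three of the bug classes listed above, directory traversal, cross-site scripting and SQL injection, shown as the defective function beside its hardened form. This is an added example in Go, not code from the slides or from any SAP secure programming guide; the document root, the HTML fragment and the users table are constructed for it. The SQL case stops at building the statement and its bind parameter, which is what a database/sql Query call would receive.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"path/filepath"
	"strings"
)

// ---- Directory traversal ----------------------------------------------------

// unsafeDocumentPath is the defect: the caller-supplied name is joined to the
// document root without checking the result, so ".." segments leave the root.
func unsafeDocumentPath(root, name string) string {
	return filepath.Join(root, name)
}

// safeDocumentPath joins the same way but then checks, via the relative path
// back to the root, that the resolved file still lies inside the root.
func safeDocumentPath(root, name string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, name) // Join cleans ".." but does not confine
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("requested path is outside the document root")
	}
	return full, nil
}

// ---- Cross-site scripting ---------------------------------------------------

// unsafeGreeting places user input directly into an HTML text node.
func unsafeGreeting(name string) string {
	return "<p>Welcome, " + name + "</p>"
}

// safeGreeting encodes the input for the HTML text context it lands in.
func safeGreeting(name string) string {
	return "<p>Welcome, " + html.EscapeString(name) + "</p>"
}

// ---- SQL injection ----------------------------------------------------------

// unsafeUserQuery builds the statement text from user input; even a plain
// apostrophe in a name shows that the input is being parsed as SQL.
func unsafeUserQuery(user string) string {
	return "SELECT id FROM users WHERE name = '" + user + "'"
}

// safeUserQuery keeps the statement text constant and hands the value over as
// a bind parameter; with database/sql the pair is passed as db.Query(q, args...).
func safeUserQuery(user string) (q string, args []interface{}) {
	return "SELECT id FROM users WHERE name = ?", []interface{}{user}
}

func main() {
	root := "/srv/docs" // constructed document root
	fmt.Println(unsafeDocumentPath(root, "../../etc/passwd"))
	if _, err := safeDocumentPath(root, "../../etc/passwd"); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println(unsafeGreeting("<b>x</b>"))
	fmt.Println(safeGreeting("<b>x</b>"))
	fmt.Println(unsafeUserQuery("O'Brien"))
	q, args := safeUserQuery("O'Brien")
	fmt.Println(q, args)
}
```

The traversal check deliberately works on the resolved path rather than on the input string: rejecting the literal ".." substring misses encoded or nested variants, whereas a relative path that starts with ".." after cleaning is unambiguous.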

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

ABAP Test Cockpit (ATC)
Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)
Open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN)
Extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis
Code checks for security vulnerabilities. The main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security.
Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources]

SAP NetWeaver Application Server add-on for code vulnerability analysis
Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product
What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found?
SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general
Go to the SAP Service Marketplace for spotlight news
Check the security notes released on the Security Patch Days
Subscribe to the SAP support portal newsletter
Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
SAP System Administration – User and Security
SAP Governance, Risk & Compliance

Certification
SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
Booking code P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java, Portal          ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram: Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On)]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
SAP GUI for Windows, SAP GUI for Java, web applications
Integration capabilities
Microsoft Active Directory Server
Microsoft Certificate Store
Advanced SNC encryption
Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
Smart cards
RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
User and role management
Provisioning to SAP systems and non-SAP
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control
Identity federation

SAP NetWeaver Single Sign-On
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (RADIUS, smart cards)
RSA certification
Coming with version 2.0:
SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
FIPS 140-2 certification for Crypto Library

SNC Client Encryption
Basic encryption of the communication path for SAP Windows clients and SAP application servers
(No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (Partner, API): Endorsed Business Solution (EBS) with CA SiteMinder product. Policy-based authentication and authorization to web applications. XACML-based and policy-enforced access.
Identity Federation: Web-based and web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross-company / domain single sign-on.
Secure Login: Single sign-on for web-based and web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos,  X.509). Digital signature for integrity and re-authentication for critical applications.
Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): Secured and automated login via user and password.
SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after primary authentication, E-SSO (E-SSO Monitor, Local Management Console) performs the automated login as user jack_jones to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application]

Secure Login – Solution Architecture

[Diagram: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet), Key Store, SAP or Java Crypto Library; SAP Backend System with ABAP Stack and Secure Login Library; NetWeaver CE 7.2 Java Stack with Secure Login Server, PSE Service and Config Data; further Backend Systems with Secure Login Lib; Authentication Server (e.g. SAP User Management); protocols DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies
One business process
Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus Cloud]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B), each with ERP, CRM, SCM behind Service Providers (SP) and its own Identity Provider; the two Identity Providers are linked by Identity Federation]

Each company maintains only its own identities.
A company can trust the identities of another organization.
Employees of company A can get access to shared information of company B.
SAP Business Suite will be enabled for SAML (Service Provider).
Identity Provider and Service Provider are based on the open SAML standard.

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an SAP NetWeaver Java Identity Provider holding the user account exchanges log-on/log-off messages and SAML tokens with Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).
Web users trying to access a system will be redirected to the Identity Provider.
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication.
Web browser-based single sign-on is user-centric.
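The redirect-and-assertion flow described above, as an added example in Go that is not code from the slides or from SAP NetWeaver Single Sign-On: an identity provider authenticates jack_jones once and then issues signed assertions to two service providers of another company without re-authentication, and each service provider performs the checks that make that trust safe (signature against the IdP key, issuer, audience, validity window, one-time use). The assertion is a constructed JSON stand-in for the SAML 2.0 XML, signed with ECDSA in place of XML-DSig; the entity names are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a constructed JSON stand-in for a SAML 2.0 assertion; the fields
// are the ones a service provider has to check before trusting the statement.
type Assertion struct {
	ID        string    `json:"id"`
	Issuer    string    `json:"issuer"`
	Subject   string    `json:"subject"`
	Audience  string    `json:"audience"`
	NotBefore time.Time `json:"not_before"`
	NotAfter  time.Time `json:"not_on_or_after"`
}

// IdentityProvider authenticates a user once and then issues assertions.
type IdentityProvider struct {
	Name     string
	key      *ecdsa.PrivateKey
	sessions map[string]bool // users with a live browser session at the IdP
	serial   int             // makes every assertion ID unique
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, key: key, sessions: map[string]bool{}}, nil
}

// Login records primary authentication (password, certificate, Kerberos ...).
func (idp *IdentityProvider) Login(user string) { idp.sessions[user] = true }

// Issue serves the request a service provider redirected the browser with: a
// user who already has a session gets a signed assertion scoped to that SP
// without authenticating again.
func (idp *IdentityProvider) Issue(user, spEntityID string, now time.Time) (payload, sig []byte, err error) {
	if !idp.sessions[user] {
		return nil, nil, errors.New("no session: user must authenticate at the identity provider")
	}
	idp.serial++
	a := Assertion{ID: fmt.Sprintf("_%d", idp.serial), Issuer: idp.Name, Subject: user, Audience: spEntityID,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(5 * time.Minute)} // one minute of clock skew
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, idp.key, digest[:])
	return payload, sig, err
}

// ServiceProvider is one SAML-enabled system; it trusts exactly one IdP key.
type ServiceProvider struct {
	EntityID string
	idpName  string
	idpKey   *ecdsa.PublicKey
	consumed map[string]bool // assertion IDs already used (replay protection)
}

func NewServiceProvider(entityID string, idp *IdentityProvider) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, idpName: idp.Name,
		idpKey: &idp.key.PublicKey, consumed: map[string]bool{}}
}

// Consume validates a posted assertion and returns the subject to log on locally.
func (sp *ServiceProvider) Consume(payload, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(sp.idpKey, digest[:], sig) {
		return "", errors.New("signature does not verify against the trusted IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	switch {
	case a.Issuer != sp.idpName:
		return "", errors.New("issuer is not the trusted identity provider")
	case a.Audience != sp.EntityID:
		return "", errors.New("assertion was issued for a different service provider")
	case now.Before(a.NotBefore) || !now.Before(a.NotAfter):
		return "", errors.New("assertion is outside its validity window")
	case sp.consumed[a.ID]:
		return "", errors.New("assertion has already been used")
	}
	sp.consumed[a.ID] = true
	return a.Subject, nil
}
```

The audience check is what keeps an assertion meant for the ERP system from being presented to the CRM system, and the consumed-ID set is what prevents a captured assertion from being replayed inside its validity window; the IdP only ever asks for credentials once, at Login.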

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a Central Identity Store, integrated with SAP Access Control (GRC) and the SAP Business Suite (e.g. on-boarding)]

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Compliance checks through GRC
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with IC database (MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), Runtime (Java), Runtime (VB), DSE (VB), Dispatcher, Event Agent («Starts»); AS Java with Web Dynpro ID Mgmt UI abstraction and JMX; Virtual Directory Server (VDS) in a Java VM, reached via LDAP and HTTPS; external repositories (LDAP, Java, ABAP, Web Services, Active Directory, etc.) over a DB protocol; external applications (SAP HR, LDAP/Web Services, SiteMinder, app-specific); User Interface: MMC Management Console, soon to be Eclipse]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Diagram: User, Approver and Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control through steps 1 to 6]

1. Request for
• Role
• Privileges
• User account
• …
2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …
3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …
4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …
5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …
6. Provision to
• Business applications
• non-SAP systems
• …
and send approval mail to User

Result: Compliant Identity Management
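The six steps above as one runnable workflow, added here as an example in Go and not code from SAP NetWeaver Identity Management or SAP GRC Access Control: a request is approved only by an entitled approver, risk analysis checks the requested roles together with the roles the user already holds against segregation-of-duties rules, and provisioning refuses to run while a finding is open. The SoD rule P001, the role names and the user jack_jones are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// SoDRule: holding both roles at the same time is a segregation-of-duties risk.
type SoDRule struct{ RoleA, RoleB, RiskID string }

// AccessRequest carries one request through the six steps and keeps an audit trail.
type AccessRequest struct {
	User      string
	Roles     []string
	Approved  bool
	Analyzed  bool
	Risks     []string          // open findings from the risk analysis
	Mitigated map[string]string // risk ID -> compensating control
	Trail     []string
}

// Landscape stands in for the IdM/GRC pair: approvers, SoD rules, current assignments.
type Landscape struct {
	Rules       []SoDRule
	Managers    map[string]string   // user -> line manager
	RoleOwners  map[string]string   // role -> role owner
	Assignments map[string][]string // provisioned roles per user
}

// Step 1: the user requests roles, privileges or an account.
func (l *Landscape) NewRequest(user string, roles ...string) *AccessRequest {
	r := &AccessRequest{User: user, Roles: roles, Mitigated: map[string]string{}}
	r.note("1 request by %s for %v", user, roles)
	return r
}

// Steps 2 and 3: only the requester's manager or an owner of a requested role may approve; never the requester.
func (l *Landscape) Approve(r *AccessRequest, approver string) error {
	if approver == r.User {
		return errors.New("self-approval is not allowed")
	}
	entitled := l.Managers[r.User] == approver
	for _, role := range r.Roles {
		entitled = entitled || l.RoleOwners[role] == approver
	}
	if !entitled {
		return fmt.Errorf("%s is neither manager nor role owner for this request", approver)
	}
	r.Approved = true
	r.note("3 approval granted by %s", approver)
	return nil
}

// Steps 4 and 5: analyze requested plus already-held roles; a conflict usually comes from the combination.
func (l *Landscape) AnalyzeRisk(r *AccessRequest) []string {
	held := map[string]bool{}
	for _, role := range append(append([]string{}, l.Assignments[r.User]...), r.Roles...) {
		held[role] = true
	}
	r.Risks, r.Analyzed = nil, true
	for _, rule := range l.Rules {
		if held[rule.RoleA] && held[rule.RoleB] {
			r.Risks = append(r.Risks, rule.RiskID)
		}
	}
	r.note("5 risk analysis: %d finding(s) %v", len(r.Risks), r.Risks)
	return r.Risks
}

// Step 5, remediation option "mitigate": record the compensating control.
func (r *AccessRequest) Mitigate(riskID, control string) {
	r.Mitigated[riskID] = control
	r.note("5 risk %s mitigated by: %s", riskID, control)
}

// Step 6: provisioning refuses anything unapproved, unanalyzed, or with an open risk.
func (l *Landscape) Provision(r *AccessRequest) error {
	if !r.Approved {
		return errors.New("request is not approved")
	}
	if !r.Analyzed {
		return errors.New("risk analysis has not been run")
	}
	for _, risk := range r.Risks {
		if _, ok := r.Mitigated[risk]; !ok {
			return fmt.Errorf("open risk %s: reject, mitigate or modify the request first", risk)
		}
	}
	if l.Assignments == nil {
		l.Assignments = map[string][]string{}
	}
	l.Assignments[r.User] = append(l.Assignments[r.User], r.Roles...)
	r.note("6 provisioned %v to %s and notified the user", r.Roles, r.User)
	return nil
}

func (r *AccessRequest) note(format string, args ...interface{}) {
	r.Trail = append(r.Trail, fmt.Sprintf(format, args...))
}
```

The trail is the part an auditor later asks for: every successful step is recorded with who acted, and failed attempts (self-approval, provisioning with an open finding) never reach the connected systems.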

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management: centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data: manage user privileges centrally
Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
Access Risk Identification: define and understand access risks
Access Analysis and Response: analyze and mitigate access risks
Access Reviews: periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 - Architecture

[Diagram: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM); plug-ins on SAP ERP (4.6C – 7.1): NW Function Modules (plug-in GRCPINW), HR Function Modules, PC Automated Controls (plug-in GRCPIERP); Non-SAP Business Applications via adapter; optional components: SAP NW Portal 7.02 with GRC Portal Content, SAP NW BW 7.02 with GRC BI Content, SAP NW JAVA 7.02 with Adobe Document Services, Identity Management Solutions (SAP or non-SAP); connections via HTTP, web services, RFC and DIAG; Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

[Diagram: HR Application (New Hire, Change Position) triggers Identity Management to calculate entitlements based on position; the Line Manager approves the assignments (No/Yes); SAP GRC Access Control performs the compliance check and remediation; then users are created and roles/privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level: Planned Features and Developments, Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram: inputs to the SAP Attack Monitoring Infrastructure: attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, network logs, IDS, alerts from SAP SolMan; processing stages: Connectivity, Extraction, Filtering, Normalization, Aggregation; outputs: API to other SIEM tools, information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
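The processing stages named in the draft (connectivity, extraction, filtering, normalization, aggregation), added here as an example in Go; it is not SAP's planned infrastructure, and the two line formats are constructed for it rather than the real SAP Security Audit Log or sshd formats. Failed logons reported by an ABAP system and by a host are normalized into one event schema and counted per user across both sources, which is the correlation a single source cannot provide.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// RawLine is what the connectivity layer hands over: the source it came from
// and the untouched line.
type RawLine struct{ Source, Line string }

// Event is the common schema every source is normalized into (constructed).
type Event struct {
	Source, User, Action, Outcome, Origin string
}

// Two constructed line formats; they are illustrative, not the real SAP
// Security Audit Log or sshd syslog layouts.
var (
	abapLine  = regexp.MustCompile(`^AUDIT user=(\S+) client=(\S+) event=(\S+) result=(\S+)$`)
	infraLine = regexp.MustCompile(`^\S+ sshd: (Accepted|Failed) password for (\S+) from (\S+)$`)
)

// Extract pulls the fields out of one line; lines matching no known format
// are filtered out (ok == false).
func Extract(raw RawLine) (ev Event, ok bool) {
	switch raw.Source {
	case "abap":
		if m := abapLine.FindStringSubmatch(raw.Line); m != nil {
			return Event{Source: raw.Source, User: m[1], Origin: "client " + m[2], Action: m[3], Outcome: m[4]}, true
		}
	case "infra":
		if m := infraLine.FindStringSubmatch(raw.Line); m != nil {
			return Event{Source: raw.Source, User: m[2], Origin: m[3], Action: "password", Outcome: m[1]}, true
		}
	}
	return Event{}, false
}

// Normalize maps each source's vocabulary onto shared values so later stages
// can compare events across sources.
func Normalize(ev Event) Event {
	ev.User = strings.ToLower(ev.User)
	switch strings.ToUpper(ev.Action) {
	case "LOGON", "RFC_LOGON", "PASSWORD":
		ev.Action = "logon"
	}
	switch strings.ToUpper(ev.Outcome) {
	case "OK", "ACCEPTED":
		ev.Outcome = "success"
	case "FAIL", "FAILED":
		ev.Outcome = "failure"
	}
	return ev
}

// Pipeline runs connectivity -> extraction -> filtering -> normalization.
func Pipeline(lines []RawLine) []Event {
	var out []Event
	for _, raw := range lines {
		if ev, ok := Extract(raw); ok {
			out = append(out, Normalize(ev))
		}
	}
	return out
}

// FailedLogonsPerUser is the aggregation stage: one count per user,
// regardless of which system reported the failure.
func FailedLogonsPerUser(events []Event) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.Action == "logon" && ev.Outcome == "failure" {
			counts[ev.User]++
		}
	}
	return counts
}

// Alerts lists the users at or above the threshold, sorted for stable output.
func Alerts(counts map[string]int, threshold int) []string {
	var users []string
	for u, n := range counts {
		if n >= threshold {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

// SampleLines is constructed input for the example.
var SampleLines = []RawLine{
	{"abap", "AUDIT user=JACK_JONES client=100 event=LOGON result=FAIL"},
	{"abap", "AUDIT user=JACK_JONES client=100 event=LOGON result=FAIL"},
	{"abap", "AUDIT user=ADMIN client=000 event=RFC_LOGON result=OK"},
	{"infra", "2013-10-22T09:01:07Z sshd: Failed password for jack_jones from 10.0.0.7"},
	{"infra", "2013-10-22T09:01:09Z sshd: Accepted password for deploy from 10.0.0.8"},
	{"infra", "2013-10-22T09:01:10Z cron: session opened for user root"},
}
```

With the sample input, two ABAP failures and one host failure for the same person add up to three, which is what the aggregation across sources is for; the cron line is dropped at the filtering stage because no extractor claims it.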

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.
The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.
SAP leads in the industry by helping our customers to thrive in today's business networks.

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 9: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Authentication and Single Sign-On Functionalities

SAP GUI
- User-ID + Password
- X.509 Client Certificates
- SAP NetWeaver Single Sign-On
  – Kerberos
  – 2-Factor Authentication
- 3rd party SNC provider

Web Based
- User-ID + Password
- X.509 Authentication
- SAML 2.0
- SAP Logon Tickets
- Kerberos / SPNego
- OAuth

For Kerberos/SPNego on SAP NetWeaver AS ABAP, the SAP NetWeaver Single Sign-On product is required.

Security Policies

Security policies control how users are permitted to access a system:
- The permitted mechanisms to authenticate
- Settings for password strength and expiration
- Settings on how combinations of mechanisms work together
- Privileges to allow authentication when the system is in maintenance mode

Availability of features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
- allows for enforcing best practices (segregation of duties, least privilege, etc.)
- enables the required system protection to be met

[Diagram: users Karen, John and Susan, each with assigned roles]

SAP ABAP Authorization Concept

Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.

[Diagram: an authorization object X declares fields Field1 … Field10. An authorization is an instance of the object with specific values (Authorization Object X: Field1 = ValuesX1 … Field10 = ValuesX10; likewise for objects Y and Z). Authorizations are bundled into an authorization profile, the profile belongs to a role, the role is assigned to a user, and the assignment is stored in the user master record. At runtime, transaction T runs program P, which checks each field of the object against the values in the user's authorizations.]

The runtime check from the diagram, written out as the ABAP statement it abbreviates:

    AUTHORITY-CHECK OBJECT 'X'
      ID 'FIELD1'  FIELD 'VALUEX1'
      ID 'FIELD10' FIELD 'VALUEX10'.
    IF sy-subrc NE 0.
      " No authorization for object X with these field values in the user's profile
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

HR Organizational Management – Org Structure in HR

[Org chart: org units (O) Market GER, Finance and HR; positions (S) 70008501 and 70008502 belong to org units (1:n); employees (P) John Smith and Eva Scott hold the positions (1:1); the SAP users (US) SMITHJ and SCOTTE are linked to the employees (1:1) via infotype 105.]

HR Organizational Management – Role Assignment

[Same org chart as the previous slide, with roles (AG) GEN_FIN and HR_ADM attached to objects in the structure.] User SMITHJ inherits roles GEN_FIN and HR_ADM.
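The inheritance pictured on the two org-structure slides, as an added example that is not SAP code: roles attached to org units and positions are resolved by walking from the SAP user up through employee, position and org unit. Which role hangs on which object is this example's assumption (GEN_FIN on org unit Finance, HR_ADM on position 70008501); the slide only states the result for SMITHJ.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class OrgObject:
    """One node of the HR org model: O = org unit, S = position, P = employee, US = SAP user."""
    otype: str
    oid: str
    parent: Optional[str] = None                  # owning node: S -> O, P -> S, US -> P (infotype 105 link)
    roles: Set[str] = field(default_factory=set)  # roles (AG) attached directly to this node


def build_sample_org() -> Dict[str, OrgObject]:
    """Constructed org structure after the slides; role placement is this example's assumption."""
    nodes = [
        OrgObject("O", "MARKET_GER"),
        OrgObject("O", "FINANCE", parent="MARKET_GER", roles={"GEN_FIN"}),
        OrgObject("O", "HR", parent="MARKET_GER"),
        OrgObject("S", "70008501", parent="FINANCE", roles={"HR_ADM"}),
        OrgObject("S", "70008502", parent="HR"),
        OrgObject("P", "JOHN_SMITH", parent="70008501"),
        OrgObject("P", "EVA_SCOTT", parent="70008502"),
        OrgObject("US", "SMITHJ", parent="JOHN_SMITH"),
        OrgObject("US", "SCOTTE", parent="EVA_SCOTT"),
    ]
    return {n.oid: n for n in nodes}


def effective_roles(org: Dict[str, OrgObject], oid: str) -> Set[str]:
    """Union of the roles on the node and on every node above it in the structure."""
    roles: Set[str] = set()
    seen: Set[str] = set()
    cur: Optional[str] = oid
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle in org structure at {cur}")
        seen.add(cur)
        node = org[cur]
        roles |= node.roles
        cur = node.parent
    return roles


def move_employee(org: Dict[str, OrgObject], employee_id: str, new_position_id: str) -> None:
    """Re-hang an employee under another position; inherited roles follow the position, not the person."""
    if org[employee_id].otype != "P" or org[new_position_id].otype != "S":
        raise ValueError("only an employee (P) can be moved, and only to a position (S)")
    org[employee_id].parent = new_position_id


if __name__ == "__main__":
    org = build_sample_org()
    print("SMITHJ:", sorted(effective_roles(org, "SMITHJ")))             # ['GEN_FIN', 'HR_ADM']
    move_employee(org, "JOHN_SMITH", "70008502")
    print("SMITHJ after move:", sorted(effective_roles(org, "SMITHJ")))  # []
```

Moving John Smith to position 70008502 removes both inherited roles from SMITHJ without touching the user record, which is the point of indirect assignment.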

SAP NetWeaver Security Solutions SAP HANA Security


SAP HANA – overview of security functions

[Diagram: SAP HANA exposes an HTTP(S) interface (XS) to clients and an SQL/MDX interface to application servers and clients, plus SQL access from SAP HANA Studio (administration). Security functions inside the database: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS applications run inside the database.]

SAP HANA – authentication and single sign-on

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – user and role management
- For logon, users must exist in the identity store of the SAP HANA database
- Roles (and privileges) can be assigned to users
- Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies supported
- Role lifecycle: design time roles, export to production system, activate runtime

SAP HANA – authorization: privilege types
- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption
- Communication encryption
  – SSL
- Data encryption
  – Data volumes on disk

SAP HANA – audit logging
- Logging of critical events for security and compliance, e.g.
  – User, role and privilege changes
  – Configuration changes
- User-defined policies for audit logging
- Data access logging
  – Read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – security administration
- SAP HANA Studio
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

[Diagram: SAP Mobile Security layers, deployable on-premise, hybrid or in the cloud]
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents
- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram: the SAP ID service in the SAP Cloud provides authentication, single sign-on and user management for the customer's on-premise app and SAP cloud applications.]
- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites, On-Demand applications
- One SAP identity: SAP ID service bridges the gap between
  • customer's on-premise application
  • SAP on-demand applications
  • SAP websites
  • 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity „Camps" – Handled With Industry Standards

[Diagram: industry standards spanning the two camps: SAML, Liberty ID-WSF, WS-*/SOAP, OAuth, XRDS, OpenID, REST, Kerberos]

Enterprise (OnPremise) | Internet/Cloud (OnDemand)

SAP bridges the gap between these two „camps".

Support of Industry Standards
- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP – OD instead of point-to-point connections

[Diagram: in the customer's on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service trusts that IdP (and a social IdP) and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd party apps.]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

[Diagram: the backend networks of Company A and Company B (R/3 and ERP application server farms with a directory, DIR) each connect to their own identity provider; the identity providers exchange SAML assertions with the on-demand solutions, while SAP logon tickets are used towards the on-premise backends.]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Tracks who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: audit planning and work program (system audit, business audit) in the SAP environment; online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents); data export of account balances and line items via the export interface to the non-SAP environment, where analysis software (ACL, IDEA, …) and reporting software work on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, … for work paper preparation and reports.]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) logs all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of
- who accessed the data
- which data was accessed
- when the data was accessed
- how the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP server with the application, the Web Dynpro channel and the Read Access Log]

Read Access Logging Framework: Features

Read Access Logging logs all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
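An added example (not the SAP Read Access Logging framework) of the filtering just described: a per-channel configuration decides, for each field shown to the user, whether its value is logged, masked, or only its presence recorded, and the resulting log still answers who, which data, when and via which channel. Channel names, field names and the card-number masking rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import re

# Constructed logging configuration: per channel, which fields are logged and how.
#   "value"    - record the value shown to the user
#   "masked"   - record a masked form (here: all but the last four digits of a card number)
#   "presence" - record only that the field was shown, never its content
LOG_CONFIG: Dict[str, Dict[str, str]] = {
    "WEB_DYNPRO": {"CUSTOMER_ID": "value", "CARD_NUMBER": "masked", "SALARY": "presence"},
    "RFC": {"CUSTOMER_ID": "value", "CARD_NUMBER": "presence"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One read-access log entry: who, via which channel, which entity/field, what, when."""
    user: str
    channel: str
    entity: str
    field_name: str
    logged_value: str
    timestamp: str


def mask_card_number(value: str) -> str:
    """Keep only the last four digits; anything too short to be a card number is fully masked."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 10:
        return "***"
    return "*" * (len(digits) - 4) + digits[-4:]


def record_access(log: List[AccessEvent], user: str, channel: str, entity: str,
                  fields: Dict[str, str], now: Optional[datetime] = None) -> int:
    """Log the fields presented to `user` via `channel` per LOG_CONFIG; returns entries written."""
    cfg = LOG_CONFIG.get(channel)
    if cfg is None:
        return 0  # channel not configured for logging: nothing is recorded
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    written = 0
    for name, value in fields.items():
        mode = cfg.get(name)
        if mode is None:
            continue  # field not classified as sensitive for this channel
        if mode == "value":
            logged = value
        elif mode == "masked":
            logged = mask_card_number(value)
        else:
            logged = "<not recorded>"
        log.append(AccessEvent(user, channel, entity, name, logged, stamp))
        written += 1
    return written


def who_accessed(log: List[AccessEvent], entity: str, field_name: str) -> List[str]:
    """Answer the 'who' question for one field of one entity."""
    return sorted({e.user for e in log if e.entity == entity and e.field_name == field_name})


if __name__ == "__main__":
    log: List[AccessEvent] = []
    # constructed access: a business partner screen shows four fields to SMITHJ
    record_access(log, "SMITHJ", "WEB_DYNPRO", "BUSINESS_PARTNER/4711",
                  {"CUSTOMER_ID": "4711", "CARD_NUMBER": "4111 1111 1111 1111",
                   "SALARY": "85000", "EMAIL": "j.smith@example.invalid"})
    for e in log:
        print(e)
```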


SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows sends requests to and receives responses from the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository. A sample implementation is delivered.]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

[Screenshot: log record for transaction BP (Business Partner)]

UI Logging: Log Record Example II

[Screenshot: log record for transaction SE16 (Table Viewer)]

Access Logging with Business Warehouse
- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00…7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00…7.31
Business Warehouse          | No                               | 7.00…7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library]
- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out of the box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

[Diagram, steps between SAP client and application:]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
- Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview
- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser) connect via SNC to the SAP application server; SNC also secures the server-to-server communication between SAP application servers.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Overview diagram, repeated before each of the following sections with the current topic highlighted: on the SAP side, secure software development; on the customer side, secure software development, security services and security management.]


SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates at Planning to Development, Development to Production and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

(from the security recommendations; discussed later)

Patch Management and Security Monitoring
- Check security of your systems as onsite, remote or self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- Most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
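An added example, not SAP Solution Manager's Configuration Validation: a check of a constructed AS ABAP profile parameter dump against targets, the weak dump beside a hardened one. The parameter names are real AS ABAP profile parameters covering the topics of the secure-configuration slide above (password policy, password hashes, default passwords, SNC, secure session handling, gateway security); the target values and the dump format are this example's own assumptions, not values quoted from the SAP recommendations.

```python
from typing import Callable, Dict, List, Optional, Tuple

# (parameter, predicate on the integer value, target as text, topic from the secure-configuration slide)
# Target values are this example's assumptions, not SAP's published recommendations.
CHECKS: List[Tuple[str, Callable[[int], bool], str, str]] = [
    ("login/min_password_lng", lambda v: v >= 8, ">= 8", "password policy"),
    ("login/password_expiration_time", lambda v: 0 < v <= 90, "1..90 days (0 = never expires)", "password policy"),
    ("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "1..5", "password policy"),
    ("login/password_downwards_compatibility", lambda v: v == 0, "0 (no downward-compatible hashes)", "password hashes"),
    ("login/no_automatic_user_sapstar", lambda v: v == 1, "1", "default passwords"),
    ("snc/enable", lambda v: v == 1, "1", "SNC"),
    ("login/ticket_only_by_https", lambda v: v == 1, "1", "secure session handling"),
    ("gw/acl_mode", lambda v: v == 1, "1", "gateway security"),
]

# Constructed parameter dump of a weakly configured system ("name = value" per line).
WEAK_DUMP = """\
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
snc/enable = 0
login/ticket_only_by_https = 1
"""

# The same system after applying the targets (gw/acl_mode was previously unset).
HARDENED_DUMP = """\
login/min_password_lng = 10
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
snc/enable = 1
login/ticket_only_by_https = 1
gw/acl_mode = 1
"""


def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def validate(params: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (parameter, topic, actual, target) for every check that fails or is unset."""
    findings = []
    for name, ok, target, topic in CHECKS:
        actual = params.get(name)
        if actual is None:
            findings.append((name, topic, "<not set>", target))  # unset counts as a finding
            continue
        value = _as_int(actual)
        if value is None or not ok(value):  # non-numeric values fail too
            findings.append((name, topic, actual, target))
    return findings


if __name__ == "__main__":
    for name, topic, actual, target in validate(parse_dump(WEAK_DUMP)):
        print(f"[{topic}] {name}: is {actual}, target {target}")
    print("hardened findings:", validate(parse_dump(HARDENED_DUMP)))  # []
```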


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use, light-weight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).
- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application)]

SAP NetWeaver Application Server add-on for code vulnerability analysis: finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for
- spotlight news
- check of the security notes released on the Security Patch Days
- subscription to the SAP support portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                 | Course ID
Authorizations AS ABAP                | ADM940
Authorizations AS Java / Portal       | ADM200, EP200, ADM800
Authorizations BW                     | BW365
SAP NetWeaver Identity Management     | ADM920
Security Auditing                     | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)
- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1: functionally tested
EAL 2: structurally tested
EAL 3: methodically tested and checked
EAL 4: methodically designed, tested and reviewed
EAL 5: semi-formally designed and tested
EAL 6: semi-formally verified, designed and tested
EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Republic of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

• Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (lecture, 1 hr)
• Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center, Virtual Directory Server, Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

• Web Access Management (partner product, integrated via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO): for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous application environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Figure: the user jack_jones performs one primary authentication to the E-SSO component, which then supplies the stored credentials on the user's behalf to a terminal emulator, a Web form, Web basic authentication, a Windows application and a Java application. An E-SSO monitor and a Local Management Console administer the credential store.)

Secure Login – Solution Architecture

(Figure: the client system runs the SAP frontend (NWBC, SAP GUI) with the Secure Login Client, and a Web browser with its key store, the SLWC (applet) and the SAP or Java crypto library. The client reaches the SAP backend system (ABAP stack with the Secure Login Library, Java stack, PSE service) over DIAG/SNC and HTTP(S), and the Secure Login Server on NetWeaver CE 7.2 (with its configuration data) over HTTP(S). The Secure Login Server authenticates users against an authentication server, e.g. SAP User Management.)

SAP NetWeaver Single Sign-On: Identity Federation

• Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Figure: Company A in Datacenter A and Company B in Datacenter B each run their own ERP, CRM and SCM systems; further systems run in the cloud.)

Identity Federation – Solution

(Figure: Company A (Datacenter A) and Company B (Datacenter B) each operate an Identity Provider; each of their ERP, CRM and SCM systems acts as a Service Provider (SP). Identity federation links the two Identity Providers.)

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Figure: an SAP NetWeaver Java Identity Provider holding the user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with a local user account. The browser logs on and off at the Identity Provider and presents the SAML token to the Service Providers.)

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via their Service Providers) without re-authentication
• Web browser-based single sign-on is user-centric
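What the Service Provider has to verify when the browser presents the SAML token, as an added Python example (not SAP NetWeaver code). It assumes the XML signature over the response or assertion has already been verified with an XML-DSig library; this stdlib-only code covers the remaining checks that are commonly skipped: status, InResponseTo, issuer, validity window with clock skew, audience restriction, bearer recipient and assertion replay. The entity IDs, ACS URL, request ID, user name and the sample response are all constructed.

```python
"""SP-side validation of a SAML 2.0 Web Browser SSO response (added example).

XML-DSig signature verification is assumed to have happened before these checks
and is not part of this code. Everything else an IdP or an attacker controls in
the response is still validated here.
"""
import xml.etree.ElementTree as ET  # production code: parse with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def _ts(value):
    """SAML timestamps are UTC with a trailing Z, e.g. 2013-11-05T09:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, trusted_issuer, sp_entity_id, acs_url,
                      expected_in_response_to, now, seen_assertion_ids,
                      clock_skew=timedelta(minutes=3)):
    """Return the authenticated NameID, or raise SamlValidationError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    # The response must answer the AuthnRequest this SP issued for this session
    if root.get("InResponseTo") != expected_in_response_to:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plain assertion (EncryptedAssertion not handled here)")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        raise SamlValidationError("untrusted issuer %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion without Conditions")
    # Validity window, tolerating a little clock drift between IdP and SP
    if now + clock_skew < _ts(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    # Audience restriction: an assertion issued for another SP must not log us in
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError("assertion was issued for a different service provider")
    # Bearer confirmation: the assertion must be addressed to our ACS endpoint
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlValidationError("SubjectConfirmationData is not addressed to our ACS URL")
    # Replay protection: each assertion ID is accepted once (keep IDs until NotOnOrAfter)
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    return assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()


def rejects(xml_text, **kwargs):
    """True if validate_response rejects the response (helper for the checks)."""
    try:
        validate_response(xml_text, **kwargs)
    except SamlValidationError:
        return True
    return False


# Constructed sample: the IdP of company A asserts user jack_jones to the ERP of company B
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2013-11-05T09:30:00Z" InResponseTo="_req42">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2013-11-05T09:30:00Z">
    <saml:Issuer>https://idp.example-a.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jack_jones</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://erp.example-b.com/saml2/acs"
            InResponseTo="_req42" NotOnOrAfter="2013-11-05T09:35:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:29:00Z" NotOnOrAfter="2013-11-05T09:35:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://erp.example-b.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed SP settings and clock values for the sample
SP = dict(trusted_issuer="https://idp.example-a.com",
          sp_entity_id="https://erp.example-b.com",
          acs_url="https://erp.example-b.com/saml2/acs",
          expected_in_response_to="_req42")
NOW = datetime(2013, 11, 5, 9, 31, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=9)   # past NotOnOrAfter even with skew
```

Call it as `validate_response(SAMPLE_RESPONSE, now=NOW, seen_assertion_ids=set(), **SP)`; the same response presented a second time with the same `seen_assertion_ids` set, or presented to an SP whose entity ID is not in the audience, is rejected. The replay cache must be shared across application server instances and persisted at least until the assertion's NotOnOrAfter.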

SAP NetWeaver Identity Management

• Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (lecture, 1 hr)
• Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (lecture, 1 hr)
• Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (lecture, 1 hr)
• Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (hands-on, 2 hr)
• Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (hands-on, 2 hr)

SAP NetWeaver Identity Management

(Figure: SAP NetWeaver Identity Management with its Central Identity Store in the middle, SAP Access Control (GRC) on one side and SAP Business Suite integration, e.g. on-boarding, on the other.)

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Figure, described:)
• Identity Center: IC database (MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS data, accessed via the DB protocol; runtimes (Java and VB), the DSE (VB) and a dispatcher (VB) that starts jobs; an event agent
• User interface: AS Java with the Web Dynpro identity management UI abstraction (HTTPS); management via JMX; the MMC-based Management Console (soon to be Eclipse-based)
• Virtual Directory Server (VDS): runs in a Java VM and exposes LDAP
• External repositories: LDAP, Java, ABAP, Web Services, Active Directory, etc.
• External applications: SAP HR, LDAP/Web Services, SiteMinder, application-specific connectors, etc.

Compliant Identity Management with SAP GRC Access Control

• Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Participants: User, Approver, Compliance Team. Systems: SAP NetWeaver Identity Management, SAP GRC Access Control.

1. The user requests, in SAP NetWeaver Identity Management: a role, privileges, a user account, ...
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The request is sent to SAP GRC Access Control for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. Provisioning to business applications, non-SAP systems, ...; an approval mail is sent to the user

Result: compliant identity management.
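The risk analysis of steps 4 and 5, which decides whether the request from step 1 is approved, mitigated or rejected before anything is provisioned in step 6, as an added Python example (not SAP GRC Access Control code). The roles, business functions, segregation-of-duties rules, mitigating controls and target systems are constructed for the illustration.

```python
"""Segregation-of-duties (SoD) risk analysis for an access request (added example,
not SAP GRC Access Control code). The request is evaluated against the roles the
user already holds: a conflict exists when the combined role set grants both
functions of a rule. Only conflicts introduced by the request block it; conflicts
the user already had are reported separately so they can be remediated. All role
names, functions and rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    risk_id: str
    function_a: str
    function_b: str
    description: str


# Business functions granted by each (constructed) role
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"AP_ENTER_INVOICE"},
    "Z_AP_PAYMENT_RUN": {"AP_RELEASE_PAYMENT"},
    "Z_VENDOR_MASTER": {"MD_MAINTAIN_VENDOR"},
    "Z_FI_DISPLAY": {"FI_DISPLAY"},
}

SOD_RULES = (
    SodRule("P001", "AP_ENTER_INVOICE", "AP_RELEASE_PAYMENT", "Enter invoices and release payments"),
    SodRule("P002", "MD_MAINTAIN_VENDOR", "AP_RELEASE_PAYMENT", "Maintain vendor bank data and pay vendors"),
)


def functions_of(roles):
    """All business functions granted by a set of roles."""
    granted = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted


def violations(roles):
    """Risk IDs of all SoD rules whose two functions are both granted by `roles`."""
    granted = functions_of(roles)
    return [r.risk_id for r in SOD_RULES if r.function_a in granted and r.function_b in granted]


def analyze_request(current_roles, requested_role, mitigations):
    """Risk analysis for adding `requested_role` to a user holding `current_roles`.

    `mitigations` maps risk ID -> description of an approved mitigating control.
    Returns (decision, new_risks, pre_existing_risks) with decision one of
    'approve' (no new conflict), 'mitigated' (every new conflict has a control)
    or 'reject' (at least one new conflict without a control).
    """
    existing = set(violations(set(current_roles)))
    combined = violations(set(current_roles) | {requested_role})
    new_risks = [rid for rid in combined if rid not in existing]
    if not new_risks:
        decision = "approve"
    elif all(rid in mitigations for rid in new_risks):
        decision = "mitigated"
    else:
        decision = "reject"
    return decision, new_risks, sorted(existing)


def provisioning_plan(decision, user, requested_role, target_systems):
    """Step 6: only approved or mitigated requests are provisioned to the targets."""
    if decision == "reject":
        return []
    return [(system, user, requested_role) for system in target_systems]
```

The point of separating new from pre-existing conflicts is that a request which does not add a conflict should not be blocked by one the user already carries; that one belongs in the periodic access review, not in this approval.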

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Figure, described:)
• SAP GRC 10.0 system: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM)
• Managed systems: SAP ERP (4.6C – 7.1) with the NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications via an adapter
• Optional: SAP NW Portal 7.02 with GRC portal content (http); SAP NW BW 7.02 with GRC BI content (RFC); SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP) via Web services
• Front-end client: SAP GUI 7.10 (DIAG) or Web browser (http) with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Flow, described:) An HR application event (new hire, change of position) triggers Identity Management to calculate entitlements based on the position. The line manager approves the assignments (no approval: the flow stops). SAP GRC Access Control performs the compliance check and, where necessary, remediation. Identity Management then creates the user and assigns roles and privileges in each system of the heterogeneous landscape.

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure, described:) Log sources – logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, network logs, IDS – feed the SAP Attack Monitoring Infrastructure, which performs connectivity, extraction, filtering, normalization and aggregation. It receives attack pattern updates from SAP and alerts from SAP Solution Manager, and offers an API to other SIEM tools and an information back channel to SAP.

• Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads the industry by helping its customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Security Policies

Security policies control the ability of users to access a system:
• The permitted mechanisms to authenticate
• Settings for password strength and expiration
• Settings on how combinations of mechanisms work together
• Privileges to allow authentication while the system is in maintenance mode

Availability of these features depends on the application server version used.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows for enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

(Figure: users Karen, John and Susan, each assigned roles.)

(Figure, described:) Authorization object X defines fields Field1 ... Field10. An authorization is an instance of an authorization object with concrete values per field, e.g. object X with Field1 = ValuesX1 ... Field10 = ValuesX10, object Y with Field1 = ValuesY1 ... Field10 = ValuesY10, object Z with Field1 = ValuesZ1 ... Field10 = ValuesZ10. Authorizations are instantiated and assigned to an authorization profile; the profile belongs to a role, and the role is assigned to the user in the user master record. At runtime the check is performed for each field: transaction T starts program P, which checks the requested values against the specific values held by the user.

The check in program P (ABAP):

    AUTHORITY-CHECK OBJECT 'X'
      ID 'FIELD1'  FIELD lv_value_x1
      " ... IDs for Field2 to Field9 analogously ...
      ID 'FIELD10' FIELD lv_value_x10.
    IF sy-subrc <> 0.
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

SAP ABAP Authorization Concept: authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.
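The matching rule the runtime applies when AUTHORITY-CHECK runs, modeled as an added Python example (not SAP code, and not how the kernel implements it): the check succeeds only if one single authorization in the user's profiles satisfies every requested field at the same time; values from two different authorizations are never combined. F_BKPF_BUK with the fields BUKRS and ACTVT is a standard SAP authorization object; the role names, maintained values and the return-code mapping (0, 4, 12 as documented for AUTHORITY-CHECK) are assumptions made for the illustration.

```python
"""Model of the matching rule behind AUTHORITY-CHECK (added example, not SAP code).

A user holds roles; each role's profile holds authorizations; each authorization
is one instance of an authorization object with a set of allowed values per
field. The check succeeds only if ONE authorization satisfies ALL requested
fields at once. Value specs follow the PFCG conventions: a concrete value, '*'
(everything), a trailing '*' pattern, or a 'LOW-HIGH' range.
"""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    obj: str        # authorization object, e.g. F_BKPF_BUK
    fields: dict    # field name -> tuple of allowed value specs


@dataclass
class Role:
    name: str
    authorizations: list = field(default_factory=list)


def value_matches(spec, value):
    """Does one maintained value spec cover the requested value?"""
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    if spec.count("-") == 1:          # LOW-HIGH range, compared as strings like PFCG
        low, high = spec.split("-")
        return low <= value <= high
    return spec == value


def authorization_matches(auth, requested):
    """All requested fields must be covered by THIS one authorization."""
    return all(any(value_matches(s, val) for s in auth.fields.get(fld, ()))
               for fld, val in requested.items())


def authority_check(roles, obj, **requested):
    """Return a sy-subrc style code: 0 = authorized, 4 = authorizations for the
    object exist but none covers all requested values at once, 12 = the user has
    no authorization for the object at all (assumed mapping, see lead-in)."""
    has_object = False
    for role in roles:
        for auth in role.authorizations:
            if auth.obj != obj:
                continue
            has_object = True
            if authorization_matches(auth, requested):
                return 0
    return 4 if has_object else 12


# Constructed sample roles: display for company code 1000, posting for 2000 only,
# and display for company codes 3000-3999.
SAMPLE_ROLES = [
    Role("Z_FI_DISPLAY_1000", [Authorization("F_BKPF_BUK", {"BUKRS": ("1000",), "ACTVT": ("03",)})]),
    Role("Z_FI_POST_2000", [Authorization("F_BKPF_BUK", {"BUKRS": ("2000",), "ACTVT": ("01", "02")})]),
    Role("Z_FI_DISPLAY_3XXX", [Authorization("F_BKPF_BUK", {"BUKRS": ("3000-3999",), "ACTVT": ("03",)})]),
]
```

The case to notice is `authority_check(SAMPLE_ROLES, "F_BKPF_BUK", BUKRS="1000", ACTVT="02")`: the user has company code 1000 in one authorization and activity 02 in another, and the check still fails, which is exactly why role design works at the level of whole authorizations and not of individual field values.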

HR Organizational Management – Org Structure in HR

(Figure, described:) Org units (O) Finance, HR and Market GER contain positions (S), e.g. 70008501 and 70008502 (1:n). Each position is held by an employee (P), e.g. John Smith and Eva Scott (1:1). Each employee is linked to an SAP user (US), e.g. SMITHJ and SCOTTE (1:1), via infotype 105.

HR Organizational Management – Role Assignment

(Figure, described:) Same structure as above (org units Finance, HR and Market GER; positions 70008501 and 70008502; employees John Smith and Eva Scott; SAP users SMITHJ and SCOTTE linked via infotype 105). Roles (AG) GEN_FIN and HR_ADM are assigned to objects of the org structure, and user SMITHJ inherits the roles GEN_FIN and HR_ADM through it.

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

(Figure: SAP HANA with its security functions Authentication/SSO, Authorization, Encryption, Audit Logging and Identity Store. Clients reach the database via SQL and MDX directly or through an application server, and via HTTP(S) through XS applications; SAP HANA Studio is used for administration over SQL.)

SAP HANA – authentication and single sign-on

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – user and role management

• For logon, users must exist in the identity store of the SAP HANA database
• Roles (and privileges) can be assigned to users
• Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies are supported
• Role lifecycle: design-time roles, export to the production system, activate runtime roles

SAP HANA – authorization: privilege types

• System privileges: authorize execution of administrative actions for the entire SAP HANA database
• SQL privileges: authorize access to data and operations on database objects
• Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view
• Package privileges: authorize access in the repository (modeling environment) at design time
• Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

Communication encryption
– SSL

Data encryption
– Data volumes on disk

SAP HANA ndash audit logging

SAP HANA

AuthenticationSSO

Authorization

Encryption

Audit Logging Identity Store

XS

Application

Logging of critical events for security and compliance eg ndash User role and privilege changes ndash Configuration changes

User-defined policies for audit logging Data access logging

ndash Read and write access (tables views) execution of procedures

Audit trail written to Linux syslog

copy 2013 SAP AG or an SAP affiliate company All rights reserved 23

SAP HANA – security administration

• SAP HANA Studio
• SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

SAP Mobile Security (on-premise, hybrid, cloud) – the Enterprise Mobility Management System covers:
• Device: Mobile Device Management
• Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
• Content: Mobile Content Management
• Communications: Telecom Expense Management
• Systems Management

Introducing SAP Mobile Documents: Share My Files, My Files – Any Device, Mobilize Enterprise Content

• Access personal business documents instantly on your laptop or any mobile device
• Discover and access content from corporate document management systems
• Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

SAP ID Service provides authentication, single sign-on and user management for the SAP Cloud:
• Managing identities and their lifecycle within the SAP Cloud
• Leverage SSO to SAP web sites and On-Demand applications
• One SAP identity: SAP ID Service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd-party on-demand applications by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

(Figure: the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos positioned between the Enterprise (on-premise) camp and the Internet/Cloud (on-demand) camp.)

SAP bridges the gap between these two "camps".

Support of Industry Standards

• REST is the preferred choice for UI consumption scenarios in the cloud
• SOAP/WS-* is the preferred choice for process integration in the enterprise
• Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
• Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
• The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and is broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration on-premise <-> on-demand instead of point-to-point connections.

(Figure: in the customer's on-premise network the user authenticates at the on-premise IdP, e.g. with X.509; the SAP ID service in the SAP on-demand network trusts that IdP (and a social IdP) via SAML and in turn provides SAML-based single sign-on to SAP Business ByDesign, SAP HANA Cloud and 3rd-party applications.)

On-Demand and On-Premise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

• On-demand integration
• On-premise integration
• On-device integration

Secure Communication and Interaction: On-Demand Solutions

(Figure: the backend networks of Company A and Company B each contain R/3 and ERP application server farms and a directory (DIR), fronted by an Identity Provider. SAML is used between the Identity Providers and the on-demand solutions and between the on-demand solutions of the two companies; SAP logon tickets are used within the on-premise backend networks.)

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java.)

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
• Used to ensure secure and compliant operation of business functions
• Target audience: auditor

Read Access Log
• Used to ensure compliant access to sensitive or classified data
• Tracks who accessed which data, when, and via which interface
• Target audience: data protection officer

Security Audit Log
• Monitoring of security-relevant events in the system, such as logons, access control violations and more
• Target audience: security administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure, described:) In the SAP environment, AIS supports audit planning and the work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, balance sheet / P&L, account balances, documents) and data export (account balances, line items). Through the export interface the data (line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...) is handed to the non-SAP environment for work paper preparation and reports in analysis software (ACL, IDEA, ...) and reporting software.

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) logs all access to classified or sensitive data and supports the evaluation of these events. It tracks:
• Who accessed the data
• Which data was accessed
• When the data was accessed
• How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on
• user interfaces used to access the data
• operations executed on remote APIs
• users using the remote APIs / user interfaces
• entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Figure: ABAP server with the application, the Web Dynpro channel and the read access log.)

Read Access Logging Framework Features

Read Access Logging allows to log all access to classified or sensitive data and support the

evaluation of these events Using filters you can restrict the amount of data logged and also

the data logged thus keeping private data out of the logs
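The who/what/when/how record of slides 38 to 40, together with the filter idea of slide 40 (log only what is configured for a channel, and keep private field values out of the log), as an added example that is not part of the original deck and not SAP's RAL implementation. The channel names, entity and field names, the `log_only_if` condition and the masking rule are assumptions made for this example; the sample accesses in `demo()` are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


# Constructed logging configuration per (channel, entity). Channel names, entity and
# field names and the masking rule are assumptions for this example, not the format
# of the SAP RAL configuration.
@dataclass
class ChannelConfig:
    logged_fields: Set[str]                                  # values written to the log
    masked_fields: Set[str] = field(default_factory=set)     # logged, but value masked
    log_only_if: Optional[Dict[str, str]] = None             # field -> value filter


@dataclass
class LogRecord:
    who: str               # user who accessed the data
    channel: str           # how: SAP GUI, RFC, Web Dynpro, ...
    ui: str                # how: transaction or service name
    entity: str            # what: the logged entity
    when: datetime         # when
    data: Dict[str, str]   # what: the field values actually retained


def mask(value: str) -> str:
    """Keep the last four characters for correlation, drop everything else."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class ReadAccessLog:
    def __init__(self, config: Dict[Tuple[str, str], ChannelConfig]):
        self.config = config
        self.records: List[LogRecord] = []

    def record_access(self, user: str, channel: str, ui: str, entity: str,
                      values: Dict[str, str], when: Optional[datetime] = None):
        """Write a record if the channel/entity is configured and the filter matches."""
        cfg = self.config.get((channel, entity))
        if cfg is None:
            return None   # channel/entity not configured: nothing is logged
        if cfg.log_only_if and any(values.get(k) != v for k, v in cfg.log_only_if.items()):
            return None   # filter condition not met: keep the event out of the log
        retained = {}
        for name in sorted(cfg.logged_fields):
            if name in values:
                raw = values[name]
                retained[name] = mask(raw) if name in cfg.masked_fields else raw
        rec = LogRecord(user, channel, ui, entity, when or datetime.now(timezone.utc), retained)
        self.records.append(rec)
        return rec

    def who_accessed(self, entity: str, field_name: str) -> List[str]:
        """Evaluation: which users saw a given field of an entity."""
        return sorted({r.who for r in self.records
                       if r.entity == entity and field_name in r.data})


# Constructed sample configuration: business partner data viewed through transaction BP
# over SAP GUI is logged with the card number masked; RFC reads are logged only for DE.
SAMPLE_CONFIG = {
    ("SAPGUI", "BusinessPartner"): ChannelConfig(
        logged_fields={"partner_id", "name", "card_number"},
        masked_fields={"card_number"}),
    ("RFC", "BusinessPartner"): ChannelConfig(
        logged_fields={"partner_id", "country"},
        log_only_if={"country": "DE"}),
}


def demo() -> ReadAccessLog:
    """Replay a few constructed accesses and return the resulting log."""
    t0 = datetime(2013, 10, 22, 9, 0, tzinfo=timezone.utc)
    log = ReadAccessLog(SAMPLE_CONFIG)
    bp = {"partner_id": "100042", "name": "Jack Jones",
          "card_number": "4111111111111111", "country": "DE"}   # constructed test data
    log.record_access("AUDITOR1", "SAPGUI", "BP", "BusinessPartner", bp, t0)
    # Z_BP_READ is a hypothetical custom RFC function name
    log.record_access("RFCUSER", "RFC", "Z_BP_READ", "BusinessPartner",
                      dict(bp, country="US"), t0)                 # filtered out
    log.record_access("RFCUSER", "RFC", "Z_BP_READ", "BusinessPartner", bp, t0)
    log.record_access("WEBUSER", "BSP", "ZBP", "BusinessPartner", bp, t0)  # no config
    return log


if __name__ == "__main__":
    for r in demo().records:
        print(r.when.isoformat(), r.who, r.channel, r.ui, r.entity, r.data)
```

The point of the masking rule is the one slide 46 makes for credit card details: the log proves that a user saw the field without itself becoming a store of the sensitive value.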

Slide 41: SAP Custom Development – User Interface (UI) Logging

[Figure: UI logging architecture. SAP GUI for Windows exchanges request and response with the Dynpro processor in the SAP backend system; the observed data traffic is passed to the application logic, written to a temporary log and handed by an asynchronous call of the log service to permanent log storage in the repository. A sample implementation is delivered.]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

Slide 42: UI Logging: Log Record Example I

Transaction BP (Business Partner) log record [screenshot not reproduced]

Slide 43: UI Logging: Log Record Example II

Transaction SE16 (Table Viewer) log record [screenshot not reproduced]

Slide 44: Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Slide 45: Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00 … 7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00 … 7.31
Business Warehouse          | No                               | 7.00 … 7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

Slide 46: Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case, approval of the works council might be mandatory.

Slide 47: SAP NetWeaver Security Solutions – Encryption of Data at Rest and in Transit

Slide 48: Digital Signatures via SSF API and Secure Login Library

[Figure: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library.]

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Slide 49: Digital Signatures – Step By Step

[Figure: SAP client with the four numbered steps]
- Transaction triggers digital signature
- User information is transferred
- User authenticates and digital certificate is received
- Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions. Programming/integration is necessary in the case of:
- ABAP programming for other transactions not yet supporting SSF
- Integration of Secure Login Library with client actions
- Hardware support needed

Slide 50: SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

Slide 51: SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to the SAP application server; SAP application servers connect to each other over SNC (client-side and server-side encryption).]

Slide 52: SAP NetWeaver Security Solutions – Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Slide 53: Protecting Your SAP Systems

[Figure: on the SAP side, Secure Software Development; on the customer side, Secure Software Development, Security Services and Security Management.]

Slide 54: Protecting Your SAP Systems (overview figure repeated)

Slide 55: SAP Product Innovation Lifecycle

[Figure: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates "Planning to Development", "Development to Production" and "Production to Ramp-Up".]

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services

Slide 56: Protecting Your SAP Systems (overview figure repeated)

Slide 57: SAP Security Services Overview (1/2)

- SAP Security Patch Day: SAP security notes on the second Tuesday of every month
- SAP Active Global Support security tools and services:
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
- SAP security consulting services

Slide 58: SAP Security Services Overview (2/2)

- SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
- SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press

Slide 59: Protecting Your SAP Systems (overview figure repeated)

Slide 60: SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Slide 61: Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Slide 62: Patch Management and Security Monitoring

- Check the security of your systems on site, remotely, or as self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
  – The most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

Slide 63: LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use, light-weight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Slide 64: Protecting Your SAP Systems (overview figure repeated)

Slide 65: Secure Custom Development – Secure Design

Secure design:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources:
- SAP security recommendations
- SAP security guides

How to verify: design review, architectural risk analysis

Slide 66: Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources:
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify: source code scanning – automate it

Slide 67: Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Slide 68: Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

[Figure: testing approaches from Manual Source Code Review and Automated Source Code Analysis (SAST: find vulnerabilities by analyzing the sources) to Automated Application Vulnerability Scanning and Manual Application Penetration Testing (DAST: find vulnerabilities in the running application).]

Slide 69: Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Figure: the same spectrum – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources. The SAP NetWeaver Application Server add-on for code vulnerability analysis is positioned in this spectrum.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Slide 70: Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an e-mail to secure@sap.com
  – Please use PGP for e-mail encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Slide 71: Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- spotlight news
- a check of the security notes released on the Security Patch Days
- subscription to the SAP support portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.

Slide 72: Security Topics in SAP Education Courses

Curricula:
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security
- Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                   | Course ID
Authorizations AS ABAP                  | ADM940
Authorizations AS Java / Portal         | ADM200, EP200, ADM800
Authorizations BW                       | BW365
SAP NetWeaver Identity Management       | ADM920
Security Auditing                       | ADM950
Technical Security (RFC, SSL, SNC, …)   | ADM960

Slide 73: Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested

Slide 74: Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

Slide 75: SAP NetWeaver Single Sign-On / Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Slide 76: Compliant Identity Management and Single Sign-On

[Figure: three pillars – Compliance and Governance: SAP GRC Access Control; Identity Management: SAP NetWeaver Identity Management; Authentication and Single Sign-On: SAP NetWeaver Single Sign-On.]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Slide 77: Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

Slide 78: SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption:
- Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

Slide 79: SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

Slide 80: EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

Slide 81: What is Enterprise Single Sign-On?

[Figure: after primary authentication of user jack_jones, the E-SSO monitor observes the login prompts of a terminal emulator, a web form, web basic authentication, a Windows application and a Java application and performs the automated login; settings are administered in a local management console.]

Slide 82: Secure Login – Solution Architecture

[Figure: client system with SAP front end (NWBC, SAP GUI), Secure Login Client, and a web browser with SLWC (applet) and key store, using the SAP or Java crypto library; backend systems – an SAP backend system with ABAP stack and Secure Login Library, and a NetWeaver CE 7.2 Java stack with Secure Login Server, configuration data and PSE service; an authentication server (e.g. SAP User Management). Protocols: DIAG/SNC and HTTP(S).]

Slide 83: SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Slide 84: Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

[Figure: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus the cloud.]

Slide 85: Identity Federation – Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each with an Identity Provider and with ERP, CRM and SCM systems acting as Service Providers (SP); identity federation between the two Identity Providers.]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Slide 86: Identity Provider – Web Browser-Based Single Sign-On

[Figure: SAP NetWeaver Java Identity Provider (user account) issuing SAML tokens on log-on/log-off to Service Providers with their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java, non-SAP.]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
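The checks a service provider performs on the token it receives back from the identity provider in the flow of slides 85 and 86, as an added example that is not part of the original deck and not SAP NetWeaver Single Sign-On's implementation. The identity provider and service provider URLs, the signing key and the user name are constructed; an HMAC over a JSON body stands in for the XML signature a real SAML 2.0 assertion carries, so the example runs without an XML-security library. The checks themselves (signature first, then issuer, audience, validity window and replay) are the ones a SAML service provider applies.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed values. In a real SAML 2.0 deployment the assertion is XML, signed with the
# identity provider's X.509 key (XML-DSig), and the service provider verifies it against
# the certificate from IdP metadata; an HMAC over a JSON body stands in for that here.
IDP_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://idp.example.invalid"   # hypothetical identity provider
SP_AUDIENCE = "https://erp.example.invalid"  # hypothetical service provider (ERP)

T0 = datetime(2013, 10, 22, 9, 0, tzinfo=timezone.utc)   # constructed clock reference


def at(minutes: int) -> datetime:
    """Point in time 'minutes' after T0 (helper for the demonstration)."""
    return T0 + timedelta(minutes=minutes)


def issue_assertion(subject, audience, issued_at, lifetime=timedelta(minutes=5),
                    assertion_id="_a1"):
    """Identity provider side: build and sign an assertion for one service provider."""
    body = {
        "id": assertion_id,
        "issuer": IDP_ISSUER,
        "subject": subject,
        "audience": audience,                                  # AudienceRestriction
        "not_before": issued_at.isoformat(),                   # Conditions/NotBefore
        "not_on_or_after": (issued_at + lifetime).isoformat(), # Conditions/NotOnOrAfter
    }
    payload = base64.b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


class ServiceProvider:
    """Service provider side: the checks done before a local session is created."""

    def __init__(self, audience, idp_key, trusted_issuer):
        self.audience = audience
        self.idp_key = idp_key
        self.trusted_issuer = trusted_issuer
        self.seen_ids = set()   # consumed assertion IDs, to refuse replays

    def consume(self, token, now):
        """Return the authenticated subject or raise ValueError naming the failed check."""
        payload, sep, sig = token.rpartition(".")
        if not sep:
            raise ValueError("malformed token")
        expected = hmac.new(self.idp_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")          # verify before trusting any field
        body = json.loads(base64.b64decode(payload))
        if body["issuer"] != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if body["audience"] != self.audience:
            raise ValueError("wrong audience")         # token minted for another SP
        not_before = datetime.fromisoformat(body["not_before"])
        not_on_or_after = datetime.fromisoformat(body["not_on_or_after"])
        if not (not_before <= now < not_on_or_after):
            raise ValueError("outside validity window")
        if body["id"] in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(body["id"])
        return body["subject"]


def outcome(sp, token, now):
    """'ok:<user>' or 'rejected:<reason>' for one consumption attempt."""
    try:
        return "ok:" + sp.consume(token, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    sp = ServiceProvider(SP_AUDIENCE, IDP_KEY, IDP_ISSUER)
    token = issue_assertion("jack_jones", SP_AUDIENCE, T0)
    print(outcome(sp, token, at(1)))   # first use is accepted
    print(outcome(sp, token, at(1)))   # second use of the same assertion is refused
```

The audience check is what keeps the federation of slide 85 one-directional: an assertion company A's identity provider issued for company B's CRM cannot be replayed at company B's ERP, even though both trust the same issuer.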

Slide 87: SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

Slide 88: SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its central identity store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.]

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Compliance checks through GRC
- SAP Business Suite integration

Slide 89: Architecture of SAP NetWeaver Identity Management 7.2

[Figure: Identity Center (IC) database – MS SQL or Oracle DB, soon IBM DB2 – with stored procedures, logs, audit and identity store (IdS); runtimes (Java, VB), DSE (VB) and dispatcher (VB) started by the event agent; AS Java with Web Dynpro identity management UI and UI abstraction, reached over HTTPS; a Java VM hosting the Virtual Directory Server (VDS), reached over LDAP and managed via JMX; an MMC management console (soon to be Eclipse); external repositories (AS Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific) connected through the database protocol, LDAP and Java.]

Slide 90: Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Slides 91–97: Compliant Identity Management

[Figure: request flow between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control, built up step by step across slides 91 to 97.]

1. Request for:
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to:
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from:
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation (Compliance Team):
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to:
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: compliant identity management.

Slide 98: What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

Slide 99: SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 – AC, PC & RM (software component GRCFND_A) with Content Lifecycle Management (CLM); plug-ins in SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; optional SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP); connections via HTTP, web services, RFC and DIAG. Front-end client: SAP GUI 7.10, web browser with Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports).]

Slide 100: Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Figure: HR application event (new hire, change position) → Identity Management calculates entitlements based on position → line manager approves assignments (Yes/No) → SAP GRC Access Control compliance check and remediation → create user / assign roles and privileges across the heterogeneous landscape.]
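The six-step request flow of slides 91 to 97 and the HR-triggered scenario of slide 100, as one added example that is not part of the original deck and not the SAP NetWeaver Identity Management or SAP GRC Access Control implementation. The segregation-of-duties rules, the position-to-role mapping, the role names, the user names and the status values are constructed for this example; the risk check stands in for the GRC Access Control analysis, and the identity store stands in for the central identity store and the provisioned target systems.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed segregation-of-duties rule set standing in for the GRC risk library:
# rule id -> (roles that must not be held together, description).
SOD_RULES = {
    "SOD-001": (frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
                "enter vendor invoices and release payments"),
    "SOD-002": (frozenset({"USER_ADMIN", "AP_PAYMENT_RELEASE"}),
                "administer users and release payments"),
}

# Constructed position-to-entitlement mapping (slide 100: calculate entitlements
# based on position).
POSITION_ROLES = {
    "AP Clerk": {"AP_INVOICE_ENTRY", "DISPLAY_VENDOR"},
    "AP Manager": {"AP_PAYMENT_RELEASE", "DISPLAY_VENDOR"},
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: Set[str]
    status: str = "REQUESTED"                                    # step 1 done
    history: List[str] = field(default_factory=list)
    mitigations: Dict[str, str] = field(default_factory=dict)    # rule id -> control


class IdentityStore:
    """Stands in for the central identity store and the provisioned target systems."""

    def __init__(self, assignments: Optional[Dict[str, Set[str]]] = None):
        self.assignments = {u: set(r) for u, r in (assignments or {}).items()}

    def roles_of(self, user: str) -> Set[str]:
        return set(self.assignments.get(user, set()))

    def provision(self, user: str, roles: Set[str]) -> None:
        self.assignments.setdefault(user, set()).update(roles)


def entitlements_for(position: str) -> Set[str]:
    """HR event -> roles derived from the position (unknown position: nothing)."""
    return set(POSITION_ROLES.get(position, set()))


def analyze_risk(existing: Set[str], requested: Set[str]) -> List[str]:
    """Step 4: SoD check over the roles the user would hold after provisioning."""
    combined = existing | requested
    return sorted(rule_id for rule_id, (pair, _) in SOD_RULES.items() if pair <= combined)


def process_request(req: AccessRequest, store: IdentityStore, approver: Optional[str],
                    mitigations: Optional[Dict[str, str]] = None) -> str:
    """Steps 2-6: approval, risk analysis, remediation, provisioning. Returns the status."""
    req.history.append("2: sent for approval")
    if approver is None:
        req.status = "REJECTED"
        req.history.append("3: approval denied")
        return req.status
    req.history.append(f"3: approved by {approver}")
    violations = analyze_risk(store.roles_of(req.user), req.requested_roles)
    req.history.append(f"4: risk analysis found {len(violations)} violation(s)")
    open_risks = [v for v in violations if v not in (mitigations or {})]
    if open_risks:
        # Step 5, remediation failed: no mitigating control exists for the risk,
        # so nothing is provisioned (the request could also be modified and resubmitted).
        req.status = "REJECTED_RISK"
        req.history.append("5: unmitigated " + ", ".join(open_risks))
        return req.status
    req.mitigations = {v: (mitigations or {})[v] for v in violations}
    req.history.append("5: risk analysis passed")
    store.provision(req.user, req.requested_roles)           # step 6
    req.status = "PROVISIONED"
    req.history.append("6: provisioned; approval mail sent to user")
    return req.status


if __name__ == "__main__":
    store = IdentityStore({"jack_jones": {"AP_INVOICE_ENTRY"}})   # constructed
    req = AccessRequest("jack_jones", entitlements_for("AP Manager"))
    print(process_request(req, store, approver="manager1"), req.history)
```

The order matters: the risk analysis runs after approval but before provisioning, so a manager's approval alone never writes a conflicting role combination into a target system, which is the gap between approval workflow and access control that slide 90 refers to.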

Slide 101: Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure; UCONN

Slide 102: Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure performs connectivity, extraction, filtering, aggregation and normalization over its inputs – logs of SAP NetWeaver, logs of non-SAP-NetWeaver systems, desktop front end, mobile front end, logs of infrastructure, logs of database, network logs, IDS – receives attack pattern updates by SAP and alerts from SAP SolMan, and offers an API to other SIEM tools and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.

Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.

The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions.

SAP leads the industry by helping our customers to thrive in today's business networks.

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

SAP NetWeaver Security Features: Authorization and Role Management

The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP role-based authorization concept
• allows enforcing best practices (segregation of duties, least privilege, etc.)
• enables meeting the required system protection

SAP ABAP Authorization Concept

[Diagram: a role is assigned to a user (user master record). The role's authorization profile contains authorizations, each an instantiated authorization object (X, Y, Z) with specific values for its fields (Field1 = ValuesX1 … Field10 = ValuesX10). At runtime, transaction T runs program P, whose AUTHORITY-CHECK is checked against these values for each field.]

Runtime check in program P:

    AUTHORITY-CHECK OBJECT 'X'
      ID 'FIELD1'  FIELD value_x1
      ID 'FIELD10' FIELD value_x10.
    IF sy-subrc NE 0.
      MESSAGE 'Bad authz' TYPE 'E'.
    ENDIF.

Authorization objects are the key pillar of the ABAP authorization concept. They provide the meta-level on top of which authorization checks are defined.
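The following is an added example (not SAP code) modelling the concept just described: roles, profiles and authorizations as Python data classes, with an authority_check that, like AUTHORITY-CHECK, succeeds only when one single authorization covers every checked field. The object and field names S_TCODE, F_BKPF_BUK, TCD, BUKRS and ACTVT are standard SAP names used for illustration; the roles, user and values are constructed.

```python
"""Model of the AS ABAP authorization concept (added example, not SAP code).

User master record -> roles -> authorization profile -> authorizations, each an
instance of an authorization object with concrete field values. The runtime
AUTHORITY-CHECK succeeds only if a SINGLE authorization covers every checked
field; values may not be combined across authorizations.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# An allowed value is a literal, the wildcard '*', or an inclusive (low, high) range.
Allowed = Union[str, Tuple[str, str]]


def value_matches(allowed: Allowed, actual: str) -> bool:
    """Compare one checked field value against one authorization field value."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= actual <= high
    return allowed == "*" or allowed == actual


@dataclass
class Authorization:
    obj: str                      # authorization object, e.g. F_BKPF_BUK
    fields: Dict[str, Allowed]    # field name -> allowed value(s)

    def covers(self, checked: Dict[str, str]) -> bool:
        # A field the authorization does not define is treated as not granted.
        return all(
            name in self.fields and value_matches(self.fields[name], value)
            for name, value in checked.items()
        )


@dataclass
class Role:
    name: str
    profile: List[Authorization]  # the generated authorization profile


@dataclass
class UserMasterRecord:
    user: str
    roles: List[Role] = field(default_factory=list)

    def authorizations_for(self, obj: str) -> List[Authorization]:
        return [a for r in self.roles for a in r.profile if a.obj == obj]

    def authority_check(self, obj: str, **checked: str) -> int:
        """sy-subrc semantics: 0 = authorized, 4 = no matching authorization."""
        for auth in self.authorizations_for(obj):
            if auth.covers(checked):
                return 0
        return 4

    def naive_union_check(self, obj: str, **checked: str) -> int:
        """WRONG model, shown for contrast: matches each field against the union
        of all authorizations and so grants combinations nobody assigned."""
        auths = self.authorizations_for(obj)
        for name, value in checked.items():
            if not any(name in a.fields and value_matches(a.fields[name], value)
                       for a in auths):
                return 4
        return 0


def sample_user() -> UserMasterRecord:
    """Constructed sample: display rights for company codes 1000-2000 (ACTVT 03),
    posting rights (ACTVT 01) only for company code 1000."""
    display = Role("Z_FI_DISPLAY", [
        Authorization("S_TCODE", {"TCD": "FB03"}),
        Authorization("F_BKPF_BUK", {"BUKRS": ("1000", "2000"), "ACTVT": "03"}),
    ])
    post_1000 = Role("Z_FI_POST_1000", [
        Authorization("S_TCODE", {"TCD": "FB01"}),
        Authorization("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "01"}),
    ])
    return UserMasterRecord("SMITHJ", [display, post_1000])


if __name__ == "__main__":
    u = sample_user()
    # Posting in company code 1000: covered by the second F_BKPF_BUK authorization.
    print(u.authority_check("F_BKPF_BUK", BUKRS="1000", ACTVT="01"))    # 0
    # Posting in 2000: BUKRS 2000 and ACTVT 01 live in different authorizations.
    print(u.authority_check("F_BKPF_BUK", BUKRS="2000", ACTVT="01"))    # 4
    print(u.naive_union_check("F_BKPF_BUK", BUKRS="2000", ACTVT="01"))  # 0, wrongly
```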

HR Organizational Management – Org Structure in HR

[Diagram: org units (O) Finance, HR and Market GER contain positions (S) 70008501 and 70008502 (1:n); employees (P) John Smith and Eva Scott hold the positions (1:1) and are linked via infotype 105 (1:1) to SAP users (US) SMITHJ and SCOTTE.]

HR Organizational Management – Role Assignment

[Diagram: org units (O) Finance, HR and Market GER with positions (S) 70008501 and 70008502, employees (P) John Smith and Eva Scott, and SAP users (US) SMITHJ and SCOTTE linked via infotype 105. Roles (AG) GEN_FIN and HR_ADM are assigned in the org structure, so user SMITHJ inherits roles GEN_FIN and HR_ADM.]

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

[Diagram: SAP HANA security functions: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store. Access paths: clients and application servers via SQL and MDX; HTTP(S) clients via XS applications; SAP HANA Studio (administration) via SQL.]

SAP HANA – authentication and single sign-on

SQL access: user name and password (incl. password policy), Kerberos, SAML
HTTP access (SAP HANA XS): user name and password (basic authentication, form-based login, incl. password policy), SAML, X.509, SAP logon tickets

SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database.
Roles (and privileges) can be assigned to users.
Roles are used to bundle and structure privileges.
– Create roles for specific groups of users; role hierarchies are supported.
Role lifecycle: design-time roles, export to production system, activate, runtime.

SAP HANA – authorization: privilege types

System privileges: authorize execution of administrative actions for the entire SAP HANA database
SQL privileges: authorize access to data and operations on database objects
Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
Package privileges: authorize access in the repository (modeling environment) at design time
Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

Communication encryption
– SSL
Data encryption
– Data volumes on disk

SAP HANA – audit logging

Logging of critical events for security and compliance, e.g.
– User, role and privilege changes
– Configuration changes
User-defined policies for audit logging
Data access logging
– Read and write access (tables, views), execution of procedures
Audit trail written to Linux syslog

SAP HANA – security administration

SAP HANA Studio
SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

[Diagram: SAP Mobile Security layers (on-premise, hybrid, cloud): Device – Mobile Device Management; Application – Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container; Content – Mobile Content Management; Communications – Telecom Expense Management; Systems Management – Enterprise Mobility Management System.]

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

Access personal business documents instantly on your laptop or any mobile device.
Discover and access content from corporate document management systems.
Share files with teams, colleagues and business partners from anywhere.

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram: the SAP ID service in the SAP Cloud provides authentication, single sign-on and user management for on-demand applications and on-premise apps.]

Managing identities and their lifecycle within the SAP Cloud
Leverage SSO to SAP web sites and On-Demand applications
One SAP identity: the SAP ID service bridges the gap between
• customer's on-premise application
• SAP on-demand applications
• SAP websites
• 3rd party on-demand applications
by verifying user identities and granting authentication.

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

[Diagram: standards across the enterprise (on-premise) and Internet/cloud (on-demand) camps: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos.]

SAP bridges the gap between these two "camps".

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud.
SOAP/WS-* is the preferred choice for process integration in the enterprise.
Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between OP and OD instead of point-to-point connections

[Diagram: in the customer on-premise network, the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network, the SAP ID service trusts the on-premise IdP and a social IdP via SAML and provides SSO to SAP Business ByDesign, SAP HANA Cloud and 3rd party apps (SAML).]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

[Diagram: backend networks of Company A and Company B (R/3 and ERP application server farms with directory); each company's identity provider federates via SAML to the on-demand solutions, which also connect to each other via SAML; within the backend networks SAP logon tickets are used.]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java.]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
Used to ensure secure and compliant operations of business functions
Target audience: Auditor

Read Access Log
Used to ensure compliant access to sensitive or classified data
Allows tracking who accessed which data, when, and via which interface
Target audience: Data Protection Officer

Security Audit Log
Monitoring of security-relevant events in the system, like logon, access control violations and more
Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: in the SAP environment, the AIS supports audit planning (work program: system audit, business audit), online controls on the SAP database (system information, reconciliation, balance sheet and P&L, account balances, documents) and data export (account balances, line items). Through an export interface, the non-SAP environment handles work paper preparation and reporting with analysis software (ACL, IDEA, …) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the AUDITOR in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
Who accessed the data
Which data was accessed
When the data was accessed
How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on
user interfaces used to access the data
operations executed on remote APIs
users using the remote APIs / user interfaces
entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP server – application (Web Dynpro) – Read Access Log.]

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
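An added example, not SAP's framework: a Python model of the read access log described in the RAL slides above (who, which data, when, how), with per-channel logging configuration, "fact of access only" recording that keeps the private value itself out of the log, a content filter on the displayed record, and a user exclusion. All channel, entity, field and user names, and the display events, are constructed.

```python
"""Read access log recorder modelled on the RAL features above (added example,
not SAP's framework). A configuration says, per channel, which entity fields are
sensitive, whether the value or only the fact of access is recorded, which users
are excluded, and an optional condition on the displayed record's content.
Every channel, entity, field and user name below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class FieldRule:
    entity: str                 # e.g. BUSINESS_PARTNER
    field: str                  # e.g. IBAN
    log_value: bool             # False: record only that the field was displayed
    # Optional filter on the displayed record: log only when it returns True.
    condition: Optional[Callable[[Dict[str, str]], bool]] = None


@dataclass(frozen=True)
class ChannelConfig:
    channel: str                # "Web Dynpro ABAP", "SAP GUI", "Web Service", "RFC"
    rules: tuple                # FieldRule instances
    exclude_users: FrozenSet[str] = frozenset()   # e.g. technical batch users


@dataclass(frozen=True)
class LogRecord:
    timestamp: str              # when
    user: str                   # who
    channel: str                # how: channel
    context: str                # how: transaction, UI component or service
    entity: str                 # which data
    field: str
    value: Optional[str]        # None when the rule records the fact of access only


class ReadAccessLog:
    def __init__(self, configs: List[ChannelConfig]):
        self.configs = {c.channel: c for c in configs}
        self.records: List[LogRecord] = []

    def on_display(self, user: str, channel: str, context: str, entity: str,
                   data: Dict[str, str], now: Optional[datetime] = None) -> int:
        """Hook invoked when data is presented to a user via a channel.
        Returns the number of log records written (0 if nothing is configured)."""
        cfg = self.configs.get(channel)
        if cfg is None or user in cfg.exclude_users:
            return 0
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        written = 0
        for rule in cfg.rules:
            if rule.entity != entity or rule.field not in data:
                continue
            if rule.condition is not None and not rule.condition(data):
                continue
            self.records.append(LogRecord(
                stamp, user, channel, context, entity, rule.field,
                data[rule.field] if rule.log_value else None))
            written += 1
        return written

    def who_accessed(self, entity: str, field: str) -> List[str]:
        """Evaluation: distinct users, in order of first access, who saw a field."""
        seen: List[str] = []
        for r in self.records:
            if r.entity == entity and r.field == field and r.user not in seen:
                seen.append(r.user)
        return seen


def build_sample_log() -> ReadAccessLog:
    """Constructed configuration and display events for demonstration."""
    bp_rules = (
        FieldRule("BUSINESS_PARTNER", "IBAN", log_value=False),
        # Content filter: names are only logged (with value) for VIP partners.
        FieldRule("BUSINESS_PARTNER", "NAME", log_value=True,
                  condition=lambda d: d.get("VIP") == "X"),
    )
    hr_rules = (FieldRule("EMPLOYEE", "SALARY", log_value=False),)
    log = ReadAccessLog([
        ChannelConfig("Web Dynpro ABAP", bp_rules),
        ChannelConfig("SAP GUI", hr_rules, exclude_users=frozenset({"BATCH_HR"})),
    ])
    t0 = datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)
    log.on_display("KAREN", "Web Dynpro ABAP", "BP_DETAIL", "BUSINESS_PARTNER",
                   {"NAME": "Eva Scott", "IBAN": "DE00 0000 0000 00", "VIP": ""}, t0)
    log.on_display("JOHN", "Web Dynpro ABAP", "BP_DETAIL", "BUSINESS_PARTNER",
                   {"NAME": "John Smith", "IBAN": "DE00 0000 0000 01", "VIP": "X"}, t0)
    log.on_display("BATCH_HR", "SAP GUI", "PA20", "EMPLOYEE", {"SALARY": "50000"}, t0)
    log.on_display("SUSAN", "SAP GUI", "PA20", "EMPLOYEE", {"SALARY": "50000"}, t0)
    # RFC is not a configured channel here, so nothing is written for it.
    log.on_display("SUSAN", "RFC", "BAPI_X", "EMPLOYEE", {"SALARY": "50000"}, t0)
    return log
```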

SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows exchanges request/response with the Dynpro processor in the SAP backend system; the observed data traffic between Dynpro processor and application logic is written to a temporary log and passed by an asynchronous call of the log service to permanent log storage in the repository (delivered sample implementation).]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
[Screenshot: transaction BP (Business Partner) log record]

UI Logging: Log Record Example II
[Screenshot: transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
LOPD was first available with the BW 7.0 release.
Within the solution you can configure the information to be logged per InfoProvider.
The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00 … 7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00 … 7.31
Business Warehouse           | No                               | 7.00 … 7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.]

Digital signatures for legally binding contracts
Integration with Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received (SAP client)
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions
Programming/integration necessary in case of
– ABAP programming for other transactions not yet supporting SSF
– Integration of Secure Login Library with client actions
Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance – Integrity – Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available compared to SAP NetWeaver Single Sign-On
No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to SAP application servers, which also communicate with each other via SNC.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: SAP and customers each perform secure software development; SAP provides security services; customers perform security management.]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at the transitions planning to development, development to production, and production to ramp-up.]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

SAP Security Services Overview (1/2)

SAP Security Patch Day
SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
Secure operation trainings by SAP
Secure development trainings by partners

SAP Security Documentation
Security notes published on Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press

SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling

(from the security recommendations discussed later)

Patch Management and Security Monitoring

Check security of your systems onsite, remote or as self service via SAP Solution Manager.
Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
Evaluate SAP security notes every patch day.
Most important notes which can be automatically applied are checked and the result is presented.
Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
Easy-to-use, light-weight tool – short startup time, small memory footprint.
List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
For more information see SAP Note 1532674.

Secure Custom Development – Secure Design

Secure design
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources
SAP security recommendations
SAP security guides

How to verify
Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources
SAP Secure Programming Guides
SAP Security Recommendations

How to verify
Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN): extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application); SAP NetWeaver Application Server add-on for code vulnerability analysis.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found?
SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general?
  Go to the SAP Service Marketplace for spotlight news
  Check the security notes released on the Security Patch Days
  Subscribe to the SAP support portal newsletter
  Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
  SAP System Administration – User and Security
  SAP Governance, Risk & Compliance

Certification
  SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
  The Security Consultant Certification test
    Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
    Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
  Booking code: P_ADM_SEC_70

Topic                                      Course ID
Authorizations AS ABAP                     ADM940
Authorizations AS Java, Portal             ADM200, EP200, ADM800
Authorizations BW                          BW365
SAP NetWeaver Identity Management          ADM920
Security Auditing                          ADM950
Technical Security (RFC, SSL, SNC, …)      ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
  EAL 1 – Functionally tested
  EAL 2 – Structurally tested
  EAL 3 – Methodically tested and checked
  EAL 4 – Methodically designed, tested and reviewed
  EAL 5 – Semi-formally designed and tested
  EAL 6 – Semi-formally verified, designed and tested
  EAL 7 – Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
  SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
  SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
  SAP GUI for Windows, SAP GUI for Java, Web applications
Integration capabilities
  Microsoft Active Directory Server
  Microsoft Certificate Store
Advanced SNC encryption
  Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
  Smart cards
  Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
  User and role management
  Provisioning to SAP systems and non-SAP
  Identity Center
  Virtual Directory Server
  Identity Services
  Integration with SAP GRC Access Control
  Identity federation

SAP NetWeaver Single Sign-On
  Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
  Digital signatures
  Re-authentication
  Advanced encryption of SAP GUI for Windows communication
  Strong authentication (Radius, smart cards)
  RSA Certification
  Coming with version 2.0:
    SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
    FIPS 140-2 certification for Crypto Library

SNC Client Encryption
  Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
  Secure Login
    Single sign-on for Web-based and Web service-based applications
    Standards-based single sign-on for SAP GUI (Kerberos, X.509)
    Digital signature for integrity and re-authentication for critical applications
  Enterprise Single Sign-On
    Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet)
    Secured and automated login via user and password
  Identity Federation
    Web-based and Web service-based authentication
    Single sign-on and identity federation via SAML 2.0
    Cross-company / cross-domain single sign-on

Web Access Management (partner, API)
  Endorsed Business Solution (EBS) with CA SiteMinder product
  Policy-based authentication and authorization to Web applications
  XACML-based and policy-enforced access

SNC Client Encryption
  Basic encryption between SAP Windows clients and SAP application servers
  No single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
  Dynamic authorization (SAP NetWeaver Java and non-SAP)
  Dynamic authentication (SAP NetWeaver Java and non-SAP)
  Social networking authentication (Facebook, Google, etc.)
  Cross-application and cross-domain session management
  Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
  User-to-application security for a heterogeneous app environment
  No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

(Figure: after the Primary Authentication of the user jack_jones, the E-SSO component with its E-SSO Monitor handles the login to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application; a Local Management Console is shown for administration.)


Secure Login – Solution Architecture

(Figure: the Client System runs the SAP Frontend (NWBC, SAP GUI) with the Secure Login Client, and a Web Browser with the SLWC applet and a Key Store; the SAP Backend System's ABAP Stack carries the Secure Login Library and reaches the backend over DIAG/SNC and HTTP(S); the Secure Login Server on NetWeaver CE 7.2 (Java Stack) holds Config Data, a PSE Service and the Secure Login Lib and uses an Authentication Server, e.g. SAP User Management; cryptography is provided by the SAP or Java Crypto Library.)

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure

(Figure: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM and SCM systems, plus further systems in the Cloud, all taking part in one business process.)


Identity Federation – Solution

(Figure: Company A / Datacenter A and Company B / Datacenter B, each with its own Identity Provider and with ERP, CRM and SCM systems acting as Service Providers (SP); Identity Federation links the two Identity Providers.)

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

(Figure: an SAP NetWeaver Java Identity Provider with its User Accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own User Accounts; the browser logs on / logs off at the Identity Provider and presents the SAML token to the Service Providers.)

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web Browser-based single sign-on is user-centric
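The redirect-and-assertion exchange on this slide, as an added Python example that is not SAP code: one logon at the Identity Provider, then access to an ABAP and a Java Service Provider without re-authentication, while an assertion that is unsigned, addressed to another SP or expired is refused. The JSON assertion shape, the HMAC key standing in for the IdP's XML signature and the example.com entity IDs are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed trust material (assumption): real SAML uses an X.509 key pair at the
# IdP and the IdP certificate at each SP; an HMAC secret stands in so this runs offline.
IDP_ENTITY_ID = "https://idp.example.com/saml2"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def sign(assertion, key):
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates the browser user once, then issues one assertion per SP."""

    def __init__(self, entity_id, key, user_store):
        self.entity_id, self.key = entity_id, key
        self.user_store = user_store      # user -> sha256(password), constructed
        self.sessions = {}                # browser cookie -> user

    def logon(self, user, password):
        expected = self.user_store.get(user)
        digest = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, digest):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def issue_assertion(self, cookie, request, now):
        """Answer an SP AuthnRequest for an already authenticated browser."""
        user = self.sessions.get(cookie)
        if user is None:
            return None                   # browser must log on at the IdP first
        assertion = {
            "issuer": self.entity_id,
            "subject": user,
            "audience": request["sp_entity_id"],   # AudienceRestriction
            "in_response_to": request["id"],
            "not_before": now - 60,
            "not_on_or_after": now + 300,
            "assertion_id": secrets.token_hex(8),
        }
        return {"assertion": assertion, "signature": sign(assertion, self.key)}


class ServiceProvider:
    """A SAML-enabled system that trusts exactly one Identity Provider."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.pending = {}                 # outstanding AuthnRequest ids
        self.seen = set()                 # consumed assertion ids (replay protection)

    def authn_request(self, now):
        """The unauthenticated browser is redirected to the IdP carrying this request."""
        req_id = secrets.token_hex(8)
        self.pending[req_id] = now
        return {"id": req_id, "sp_entity_id": self.entity_id, "destination": self.idp_entity_id}

    def consume(self, response, now):
        """Validate the posted assertion; return the asserted user or None."""
        a = response["assertion"]
        if not hmac.compare_digest(sign(a, self.idp_key), response["signature"]):
            return None                   # tampered, or signed by an untrusted key
        if a["issuer"] != self.idp_entity_id or a["audience"] != self.entity_id:
            return None                   # assertion meant for another SP
        if a["in_response_to"] not in self.pending:
            return None                   # unsolicited or already consumed
        if not a["not_before"] <= now < a["not_on_or_after"]:
            return None                   # outside the validity window
        if a["assertion_id"] in self.seen:
            return None                   # replay
        self.seen.add(a["assertion_id"])
        del self.pending[a["in_response_to"]]
        return a["subject"]


def sso_round_trip(idp, sp, cookie, now):
    """Browser flow: SP redirect -> IdP assertion -> SP validation."""
    response = idp.issue_assertion(cookie, sp.authn_request(now), now)
    return None if response is None else sp.consume(response, now)


def scenario():
    """One IdP logon, then SSO to an ABAP and a Java SP, plus three rejected cases."""
    users = {"jsmith": hashlib.sha256(b"constructed-pw").hexdigest()}
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_SIGNING_KEY, users)
    abap_sp = ServiceProvider("https://erp.example.com/saml2", IDP_ENTITY_ID, IDP_SIGNING_KEY)
    java_sp = ServiceProvider("https://portal.example.com/saml2", IDP_ENTITY_ID, IDP_SIGNING_KEY)
    cookie = idp.logon("jsmith", "constructed-pw")
    results = {
        "before_logon": sso_round_trip(idp, abap_sp, None, 1000.0),
        "abap": sso_round_trip(idp, abap_sp, cookie, 1000.0),
        "java": sso_round_trip(idp, java_sp, cookie, 1000.0),   # no re-authentication
    }
    wrong = idp.issue_assertion(cookie, java_sp.authn_request(1000.0), 1000.0)
    results["wrong_audience"] = abap_sp.consume(wrong, 1000.0)
    stale = idp.issue_assertion(cookie, abap_sp.authn_request(1000.0), 1000.0)
    results["expired"] = abap_sp.consume(stale, 2000.0)        # not_on_or_after passed
    return results
```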

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context Based Role Assignments (HO, 2hr)


SAP NetWeaver Identity Management

(Figure: SAP NetWeaver Identity Management with its Central Identity Store, triggered by business events such as on-boarding, integrated with the SAP Business Suite and with SAP Access Control (GRC).)

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

(Figure: the Identity Center with its IC database – either MS-SQL or Oracle DB, soon IBM DB2 – holding stored procedures, logs, audit data and the identity store (IdS); a Dispatcher that starts the Java runtime, the VB runtime, DSE (VB) and the Event Agent; connectivity to external repositories (AS Java, AS ABAP, LDAP, Web services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, app-specific) over the database protocol, LDAP and HTTPS; the Virtual Directory Server (VDS) in a Java VM, exposing LDAP and managed via JMX; the user interface as Web Dynpro on AS Java behind an ID Mgmt UI abstraction; and an MMC Management Console, soon to be Eclipse.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management

(Figure, built up over six slides: the User, SAP NetWeaver Identity Management, the Approver, SAP GRC Access Control and the Compliance Team; the numbered arrows 1–6 correspond to the steps below.)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis (arrow 4 to SAP GRC Access Control in the figure)
5. Risk analysis and remediation by the Compliance Team
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
  Centralized user management: centralized management of identity information across multiple data sources
  Integration and synchronization of system authorization data: manage user privileges centrally
  Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
  Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
  Access Risk Identification: define and understand access risks
  Access Analysis and Response: analyze and mitigate access risks
  Access Reviews: periodic reviews of assignments, risk violations and controls
  Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

(Figure: SAP GRC 10.0 – AC, PC & RM, software component GRCFND_A – runs on SAP NetWeaver AS ABAP 7.02; managed systems carry the plug-ins NW Function Modules (GRCPINW), HR Function Modules and PC Automated Controls (GRCPIERP) on SAP ERP (4.6C – 7.1), plus an adapter for non-SAP business applications; optional components are SAP NW Portal 7.02 with GRC Portal Content, SAP NW BW 7.02 with GRC BI Content, SAP NW Java 7.02 with Adobe Document Services, Content Lifecycle Management (CLM) and Identity Management solutions (SAP or non-SAP); connections use RFC, DIAG, http and Web services; the Front-End Client consists of SAP GUI 7.10, a Web Browser, Adobe Flash Player and the SAP CR Adapter.)

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports


Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

(Figure: the HR Application raises a New Hire or Change Position event; Identity Management calculates entitlements based on position; the Line Manager approves the assignments (Yes / No); SAP GRC Access Control performs the Compliance Check and Remediation; Identity Management then creates the user and assigns roles and privileges across the Heterogeneous Landscape.)

Moving Security to the Next Level – Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure: the SAP Attack Monitoring Infrastructure receives Attack Pattern Updates by SAP, logs of SAP NetWeaver and non-SAP NetWeaver systems, of the Desktop and Mobile Frontends, of the Infrastructure, of the Database and of the Network, and Alerts from SAP SolMan; its stages are labelled Aggregation, Normalization, Connectivity, Filtering and Extraction; it offers an IDS API to other SIEM tools and an Information Back Channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.


Summary – Key Take-Aways

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
  SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
  SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
  SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
  SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
  SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
  SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
  Access hands-on workshops post-event
  Available January – March 2014
  Complimentary with your SAP TechEd registration
  http://saptechedhandson.sap.com

SAP TechEd Online
  Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
  View content only available online
  http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


The SAP NetWeaver AS ABAP Authorization Concept

The SAP ABAP Role-Based Authorization Concept
  • allows enforcing best practices (segregation of duties, least privilege, etc.)
  • enables meeting the required system protection

(Figure: the users Karen, John and Susan with their role assignments.)


SAP ABAP Authorization Concept

Authorization Objects are the key pillar of the ABAP Authorization Concept. They provide the meta-level on top of which authorization checks are defined.

(Figure: Authorization Object X declares the fields Field1 … Field10. It is instantiated as Authorizations with specific values – Authorization Object X: Field1 = ValuesX1 … Field10 = ValuesX10; Authorization Object Y: Field1 = ValuesY1 … Field10 = ValuesY10; Authorization Object Z: Field1 = ValuesZ1 … Field10 = ValuesZ10. The Authorizations are bundled into an Authorization Profile, the Profile belongs to a Role, the Role is assigned to a User and thereby lands in the User's Master Record. At runtime, Transaction T / Program P checks each field against the specific values in the system.)

Runtime check for each field in Program P (the slide's check, with the ABAP statement syntax completed):

  AUTHORITY-CHECK OBJECT 'X'
    ID 'FIELD1'  FIELD 'VALUEX1'
    ID 'FIELD10' FIELD 'VALUEX10'.
  IF sy-subrc NE 0.
    MESSAGE 'Bad authz' TYPE 'E'.
  ENDIF.
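A model of the check chain on this slide (user master record → role → profile → authorization → runtime field check), as an added Python example rather than SAP code. The objects Z_ORDER and Z_PAYROLL, the roles, profiles and users, and the non-zero return codes are constructed; only the rule that all checked fields must be satisfied by one single authorization follows ABAP.

```python
from fnmatch import fnmatchcase

# Constructed authorization objects (assumption): each declares its fields. Real
# objects such as S_TCODE live in the ABAP Dictionary; Z_* names mark customer space.
AUTH_OBJECTS = {
    "Z_ORDER": ("ACTVT", "SALESORG"),     # activity, sales organisation
    "Z_PAYROLL": ("ACTVT", "PERSA"),      # activity, personnel area
}


class Authorization:
    """One instance of an authorization object with concrete field values."""

    def __init__(self, obj, **field_values):
        missing = set(AUTH_OBJECTS[obj]) - set(field_values)
        if missing:
            raise ValueError(f"{obj}: fields not filled: {sorted(missing)}")
        self.obj = obj
        self.fields = {f: tuple(v) for f, v in field_values.items()}

    def satisfies(self, requested):
        """Every requested field must match THIS authorization (ABAP semantics)."""
        for name, value in requested.items():
            patterns = self.fields.get(name, ())
            # values are maintained as single values or '*' / 'DE*' style patterns
            if not any(fnmatchcase(value, p) for p in patterns):
                return False
        return True


def user_authorizations(user, user_master, roles, profiles):
    """User master record -> roles -> profiles -> authorizations."""
    for role in user_master.get(user, ()):
        for profile in roles.get(role, ()):
            yield from profiles.get(profile, ())


def authority_check(user, obj, requested, user_master, roles, profiles):
    """Model of AUTHORITY-CHECK OBJECT ... ID ... FIELD ....

    Returns 0 when granted; any other value is a failure, as in the slide's
    IF SY-SUBRC NE 0. The non-zero values are this example's own (assumption)."""
    if obj not in AUTH_OBJECTS:
        return 4                          # unknown object: fail closed
    if set(requested) - set(AUTH_OBJECTS[obj]):
        return 24                         # requested field not defined in the object
    for auth in user_authorizations(user, user_master, roles, profiles):
        if auth.obj == obj and auth.satisfies(requested):
            return 0
    return 4                              # no single authorization covers all fields


def build_landscape():
    """Constructed roles, profiles and user master records modelled on the slide."""
    profiles = {
        "P_SALES_DE": [Authorization("Z_ORDER", ACTVT=["01", "02", "03"], SALESORG=["DE*"])],
        "P_SALES_RO": [Authorization("Z_ORDER", ACTVT=["03"], SALESORG=["*"])],
        "P_HR_PAY": [Authorization("Z_PAYROLL", ACTVT=["02", "03"], PERSA=["1000"])],
    }
    roles = {
        "GEN_SALES_DE": ["P_SALES_DE"],
        "SALES_DISPLAY": ["P_SALES_RO"],
        "HR_ADM": ["P_HR_PAY"],
    }
    user_master = {
        "SMITHJ": ["GEN_SALES_DE"],
        "SCOTTE": ["GEN_SALES_DE", "SALES_DISPLAY", "HR_ADM"],
        "KAREN": [],                      # user exists, no roles assigned
    }
    return user_master, roles, profiles


def check(user, obj, **requested):
    """Run one runtime check against the constructed landscape; 0 means authorized."""
    return authority_check(user, obj, requested, *build_landscape())
```

SCOTTE may change German orders and display all orders, yet check("SCOTTE", "Z_ORDER", ACTVT="02", SALESORG="US01") returns 4: field values are never combined across two authorizations.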


HR Organizational Management – Org Structure in HR

(Figure: Org Units (O) Finance, HR and Market GER; Positions (S) 70008501 and 70008502 belong to Org Units (1:n); Employees (P) John Smith and Eva Scott hold the Positions (1:1); SAP Users (US) SMITHJ and SCOTTE are linked to the Employees (1:1) via Infotype 105.)


HR Organizational Management – Role Assignment

(Figure: the same org structure of Org Units, Positions 70008501 and 70008502, Employees John Smith and Eva Scott and SAP Users SMITHJ and SCOTTE linked via Infotype 105, now with the Roles (AG) GEN_FIN and HR_ADM assigned in the org structure.)

User SMITHJ inherits the roles GEN_FIN and HR_ADM
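The position-based role inheritance on this slide and the approval, risk-check and provisioning steps of the Compliant Identity Management customer scenario earlier in the deck, combined in one added Python example (not SAP NetWeaver Identity Management or GRC Access Control code). The employees, positions, roles, target systems, the single SoD rule and the mitigation record are constructed.

```python
from dataclasses import dataclass, field

# Constructed org data modelled on the slide (assumption): Positions belong to Org
# Units, Employees hold Positions, and Infotype 105 links each Employee to an SAP user.
POSITION_ROLES = {"70008501": {"GEN_FIN"}, "70008502": {"HR_ADM"}}   # roles per position
EMPLOYEES = {"John Smith": "70008501", "Eva Scott": "70008502"}     # employee -> position
INFOTYPE_105 = {"John Smith": "SMITHJ", "Eva Scott": "SCOTTE"}      # employee -> SAP user
SYSTEMS = {"GEN_FIN": ["ERP"], "HR_ADM": ["ERP", "HCM"], "AP_PAYMENT": ["ERP"]}

# Constructed SoD rule (assumption): general finance plus payment run is a conflict
# unless the compliance team has recorded a mitigating control for that user.
SOD_RULES = [frozenset({"GEN_FIN", "AP_PAYMENT"})]
MITIGATIONS = {}        # (user, conflict) -> control id
ASSIGNED = {}           # SAP user -> roles currently provisioned


@dataclass
class Outcome:
    user: str
    target_roles: list
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    provisioned: dict = field(default_factory=dict)   # system -> roles
    rejected_by: list = field(default_factory=list)   # 'manager' or SoD conflicts


def calculate_entitlements(employee):
    """Identity Management: a user inherits the roles of the employee's position."""
    return set(POSITION_ROLES.get(EMPLOYEES[employee], set()))


def risk_analysis(user, roles):
    """GRC Access Control: SoD conflicts in the target roles without a mitigation."""
    return [sorted(c) for c in SOD_RULES if c <= set(roles) and (user, c) not in MITIGATIONS]


def process_hr_event(employee, extra_roles=(), manager_approves=True):
    """New Hire / Change Position -> entitlements -> approval -> risk check -> provisioning."""
    user = INFOTYPE_105[employee]
    target = calculate_entitlements(employee) | set(extra_roles)
    current = ASSIGNED.get(user, set())
    out = Outcome(user, sorted(target), sorted(target - current), sorted(current - target))
    if not manager_approves:
        out.rejected_by.append("manager")
        return out
    conflicts = risk_analysis(user, target)
    if conflicts:
        out.rejected_by.extend(conflicts)   # remediation before anything is provisioned
        return out
    ASSIGNED[user] = set(target)            # also drops roles of the previous position
    for role in sorted(target):
        for system in SYSTEMS.get(role, []):
            out.provisioned.setdefault(system, []).append(role)
    return out


def scenario():
    """The slide's scenario on fresh state: hire, risky request, mitigation, position change."""
    ASSIGNED.clear()
    MITIGATIONS.clear()
    EMPLOYEES.update({"John Smith": "70008501", "Eva Scott": "70008502"})
    hire = process_hr_event("John Smith")                                  # New Hire
    risky = process_hr_event("John Smith", extra_roles={"AP_PAYMENT"})    # SoD conflict
    MITIGATIONS[("SMITHJ", SOD_RULES[0])] = "CTRL-CONSTRUCTED-1"
    mitigated = process_hr_event("John Smith", extra_roles={"AP_PAYMENT"})
    process_hr_event("Eva Scott")                                          # hired into HR
    EMPLOYEES["Eva Scott"] = "70008501"                                    # Change Position
    moved = process_hr_event("Eva Scott")
    return {"hire": hire, "risky": risky, "mitigated": mitigated, "moved": moved}
```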

SAP NetWeaver Security Solutions: SAP HANA Security


SAP HANA – overview of security functions

(Figure: SAP HANA with its security functions Authentication/SSO, Authorization, Encryption, Audit Logging and Identity Store; an Application Server and Clients reach it via SQL and MDX, Clients via HTTP(S) through the XS Application, and SAP HANA Studio via SQL for Administration.)


SAP HANA – authentication and single sign-on

SQL access
  – User name and password (incl. password policy)
  – Kerberos
  – SAML
HTTP access (SAP HANA XS)
  – User name and password (basic authentication, form-based login, incl. password policy)
  – SAML
  – X.509
  – SAP logon tickets


SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database
Roles (and privileges) can be assigned to users
Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies are supported
Role lifecycle: design-time roles, export to the production system, activate at runtime


SAP HANA – authorization: privilege types

System privileges: authorize execution of administrative actions for the entire SAP HANA database
SQL privileges: authorize access to data and operations on database objects
Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view
Package privileges: authorize access in the repository (modeling environment) at design time
Application privileges: authorize access to SAP HANA XS application functions


SAP HANA – communication and data encryption

Communication encryption
  – SSL
Data encryption
  – Data volumes on disk


SAP HANA – audit logging

Logging of critical events for security and compliance, e.g.
  – User, role and privilege changes
  – Configuration changes
User-defined policies for audit logging
Data access logging
  – Read and write access (tables, views), execution of procedures
Audit trail written to Linux syslog


SAP HANA – security administration

SAP HANA Studio
SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security


Mobile app security: a strong foundation makes mobile successful

(Figure: SAP Mobile Security by layer – Device: Mobile Device Management; Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container; Content: Mobile Content Management; Communications: Telecom Expense Management; Systems Management: Enterprise Mobility Management System; deployment On-Premise, Hybrid or Cloud.)


Introducing SAP Mobile Documents: Share My Files, My Files – Any Device, Mobilize Enterprise Content

Access personal business documents instantly on your laptop or any mobile device
Discover and access content from corporate document management systems
Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents


SAP ID Service – One Login for Cloud Applications

(Figure: the SAP ID service in the SAP Cloud provides Authentication, Single Sign-On and User Management between the customer's On-premise app and the on-demand applications.)

Managing identities and their lifecycle within the SAP Cloud
Leverage SSO to SAP web sites and On-Demand applications
One SAP identity: the SAP ID service bridges the gap between
  • the customer's on-premise application
  • SAP on-demand applications
  • SAP websites
  • 3rd party on-demand applications
by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications


Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

(Figure: the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos, split between the Enterprise (OnPremise) camp and the Internet/Cloud (OnDemand) camp.)

SAP bridges the gap between these two "camps".


Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud
SOAP/WS-* is the preferred choice for process integration in the enterprise
Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud


On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between OP and OD instead of point-to-point connections

(Figure: the Customer On-Premise Network with the User and the On-Premise IdP (X.509); the SAP On-Demand Network with the SAP ID service, a Social IdP, SAP Business ByDesign, SAP HANA Cloud and a 3rd party App, connected via SAML.)


OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

(Figure: OnDemand integration, OnPremise integration, OnDevice integration.)


Secure Communication and Interaction: OnDemand Solutions

(Figure: the Backend Networks of Company A and Company B, each with an R/3 Application server farm, ERP systems and a directory (DIR), using SAP Logon Tickets internally; the On-Demand solutions and the Identity Providers of both companies are connected via SAML.)

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Figure: configuration and results of the Security Audit Log in ABAP – transactions SM18, SM19, SM20 – and results of the Log Viewer in Java.)


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
  Used to ensure secure and compliant operation of business functions
  Target audience: Auditor

Read Access Log
  Used to ensure compliant access to sensitive or classified data
  Allows tracking who accessed which data, when, and via which interface
  Target audience: Data Protection Officer

Security Audit Log
  Monitoring of security-relevant events in the system, like logons, access control violations and more
  Target audience: Security Administrator
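An added Python example, not SAP code, of the stages sketched earlier for the planned Centralized SAP Attack Monitoring Infrastructure (extraction, filtering, normalization, aggregation) applied to the kind of logon events the Security Audit Log monitors: three constructed log formats, standing in for an ABAP Security Audit Log export, an AS Java Log Viewer line and a HANA audit entry in syslog, are normalized into one event shape and failed logons are aggregated per user across all sources. The formats, message ids, sample lines and threshold are assumptions, not SAP record layouts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed formats (assumption): these imitate three SAP log sources but are not
# the real record layouts of the Security Audit Log, the Log Viewer or HANA auditing.
ABAP_RE = re.compile(r"^(?P<date>\d{8})(?P<time>\d{6})\|(?P<msgid>AU\w)\|(?P<user>\w+)\|(?P<term>[\w.-]+)")
JAVA_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+\[(?P<level>\w+)\]\s+Login (?P<status>failed|succeeded) "
                     r"for user (?P<user>\w+) from (?P<term>[\w.-]+)")
HANA_RE = re.compile(r"^(?P<ts>\S+) hana\[\d+\]: audit (?P<event>\w+) user=(?P<user>\w+) "
                     r"status=(?P<status>\w+) client=(?P<term>[\w.-]+)")

# Constructed mapping of audit message ids to one normalized event vocabulary (assumption).
ABAP_EVENTS = {"AU1": "logon_ok", "AU2": "logon_failed", "AUM": "user_locked"}


def normalize(line):
    """Extraction + normalization: {ts, source, user, event, terminal}, or None to filter out."""
    m = ABAP_RE.match(line)
    if m:
        ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
        return {"ts": ts, "source": "abap", "user": m["user"].upper(),
                "event": ABAP_EVENTS.get(m["msgid"], "other"), "terminal": m["term"]}
    m = JAVA_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        event = "logon_failed" if m["status"] == "failed" else "logon_ok"
        return {"ts": ts, "source": "java", "user": m["user"].upper(),
                "event": event, "terminal": m["term"]}
    m = HANA_RE.match(line)
    if m and m["event"] == "CONNECT":
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        event = "logon_ok" if m["status"] == "SUCCESSFUL" else "logon_failed"
        return {"ts": ts, "source": "hana", "user": m["user"].upper(),
                "event": event, "terminal": m["term"]}
    return None                          # filtering: unknown or irrelevant lines are dropped


def aggregate_failed_logons(events, threshold=3, window_minutes=10):
    """Aggregation: one alert per user whose failed logons, counted across all sources,
    reach the threshold inside the time window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon_failed":
            by_user[e["user"]].append(e)
    alerts = []
    for user, fails in by_user.items():
        for i, first in enumerate(fails):
            window = [f for f in fails[i:]
                      if (f["ts"] - first["ts"]).total_seconds() <= window_minutes * 60]
            if len(window) >= threshold:
                alerts.append({"user": user, "count": len(window),
                               "sources": sorted({f["source"] for f in window}),
                               "terminals": sorted({f["terminal"] for f in window})})
                break
    return alerts


SAMPLE_LOGS = [  # constructed sample lines, one per source format
    "20130915101501|AU2|smithj|10.0.0.5",
    "2013-09-15 10:16:03 [WARN] Login failed for user smithj from 10.0.0.5",
    "2013-09-15T10:17:40 hana[4711]: audit CONNECT user=SMITHJ status=UNSUCCESSFUL client=10.0.0.5",
    "20130915101820|AU1|smithj|10.0.0.5",
    "2013-09-15T10:19:00 hana[4711]: audit CONNECT user=SCOTTE status=SUCCESSFUL client=10.0.0.9",
    "20130915101901|AUM|scotte|10.0.0.9",
    "irrelevant heartbeat line",
]


def run(lines=SAMPLE_LOGS):
    """Pipeline over a batch of lines: returns (normalized events, alerts)."""
    events = [e for e in map(normalize, lines) if e]
    return events, aggregate_failed_logons(events)
```

The three SMITHJ failures come from three different systems and would stay below any per-system threshold; only the aggregated view raises the alert.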


Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure: in the SAP Environment, the AIS covers Audit planning, the Work program (System audit, Business audit), Online controls on the SAP database (System information, Reconciliation, BS / P&L, Account balances, Documents) and Data export (Account balances, Line items); through the Export interface the data reaches the Non-SAP Environment for Work paper preparation, Reporting software and Analysis software (ACL, IDEA, …) working on Line items, Balances, Accounts, Customers, Vendors, Assets, Material, Orders, Invoices, ….)


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits.
It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.
The AIS is the toolbox for the AUDITOR in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
  Who accessed the data
  Which data was accessed
  When the data was accessed
  How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on
  user interfaces used to access the data
  operations executed on remote APIs
  users using the remote APIs / user interfaces
  entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service, or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram: ABAP server with a Web Dynpro application writing to the Read Access Log.)

Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict both the amount of data logged and which data is logged, thus keeping private data out of the logs.
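The two slides above describe the who / what / when / how record and the filter configuration that keeps private data out of the log. The following Go program is an added example, not SAP code and not the Read Access Logging framework's own API: it models a logging configuration as a list of rules per channel and entity, records only the fields the rule names, masks the fields the rule marks as sensitive, and drops events for which no rule exists. The type names (LogRule, ApplyRules), the channel strings and the sample events are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one data access as the framework sees it: who (User), how
// (Channel), what (Entity and the field values shown), and when.
type AccessEvent struct {
	User    string
	Channel string            // constructed channel ids: "SAPGUI", "WebDynpro", "RFC", "WebService"
	Entity  string            // logical object, e.g. "BusinessPartner"
	Fields  map[string]string // field name -> value presented to the user
	When    time.Time
}

// LogRule is a hypothetical configuration entry: for one channel/entity pair it
// names the fields to record verbatim and the fields to record only masked.
// Fields named in neither list are never written to the log.
type LogRule struct {
	Channel, Entity string
	LogFields       []string
	MaskedFields    []string
}

// LogRecord is what is persisted in the read access log.
type LogRecord struct {
	User, Channel, Entity string
	When                  time.Time
	Fields                map[string]string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// maskValue keeps only the last four characters, e.g. of a card number.
func maskValue(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// ApplyRules filters the events through the configuration. An event without a
// matching rule produces no record at all, which is how channels and entities
// that are not sensitive stay out of the log entirely.
func ApplyRules(rules []LogRule, events []AccessEvent) []LogRecord {
	var out []LogRecord
	for _, ev := range events {
		for _, r := range rules {
			if r.Channel != ev.Channel || r.Entity != ev.Entity {
				continue
			}
			rec := LogRecord{User: ev.User, Channel: ev.Channel, Entity: ev.Entity,
				When: ev.When, Fields: map[string]string{}}
			for name, val := range ev.Fields {
				switch {
				case contains(r.MaskedFields, name):
					rec.Fields[name] = maskValue(val)
				case contains(r.LogFields, name):
					rec.Fields[name] = val
				}
			}
			out = append(out, rec)
			break // first matching rule wins
		}
	}
	return out
}

// SampleRecords runs a constructed configuration over constructed events.
func SampleRecords() []LogRecord {
	rules := []LogRule{
		{Channel: "SAPGUI", Entity: "BusinessPartner",
			LogFields: []string{"Name"}, MaskedFields: []string{"CardNumber"}},
		{Channel: "RFC", Entity: "BusinessPartner", LogFields: []string{"Name"}},
	}
	t := time.Date(2013, 11, 5, 10, 0, 0, 0, time.UTC)
	events := []AccessEvent{
		{User: "JDOE", Channel: "SAPGUI", Entity: "BusinessPartner", When: t,
			Fields: map[string]string{"Name": "Example AG", "CardNumber": "4111111111111234", "Salary": "70000"}},
		{User: "RFCUSER", Channel: "RFC", Entity: "BusinessPartner", When: t.Add(time.Minute),
			Fields: map[string]string{"Name": "Example AG", "CardNumber": "4111111111111234"}},
		{User: "JDOE", Channel: "WebService", Entity: "Material", When: t.Add(2 * time.Minute),
			Fields: map[string]string{"MaterialNo": "M-100"}}, // no rule: not logged
	}
	return ApplyRules(rules, events)
}

func main() {
	for _, rec := range SampleRecords() {
		keys := make([]string, 0, len(rec.Fields))
		for k := range rec.Fields {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		fmt.Printf("%s %s %s/%s", rec.When.Format(time.RFC3339), rec.User, rec.Channel, rec.Entity)
		for _, k := range keys {
			fmt.Printf(" %s=%s", k, rec.Fields[k])
		}
		fmt.Println()
	}
}
```

The design point is that the rule decides twice: whether an event is logged at all (channel and entity) and, per field, whether the value is stored verbatim, masked, or not at all. A record of a salary field read is itself personal data, so the default for an unlisted field is to omit it.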

SAP Custom Development – User Interface (UI) Logging

(Diagram: SAP GUI for Windows exchanges request and response with the Dynpro processor in the SAP backend system. The observed data traffic is written to a temporary log and handed over by an asynchronous call of the log service to permanent log storage in the repository. A sample implementation of the application logic is delivered.)

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI, and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

(Screenshot: log record for transaction BP (Business Partner).)

UI Logging: Log Record Example II

(Screenshot: log record for transaction SE16 (Table Viewer).)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism first performs a simple relevance check for the InfoProvider underlying a query.
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Supported by:

Channel                      | Read Access Logging | UI Logging Solution
SAP GUI                      | No                  | 7.00 … 7.31
Web Dynpro ABAP              | 7.40 SP02           | On request
CRM Web Client UI            | No                  | 7.00 … 7.31
Business Warehouse           | No                  | 7.00 … 7.31, BW 7.0
Web Services                 | 7.40                | On request
SAP RFC                      | 7.40 SP02           | On request
Business Server Pages (BSP)  | No                  | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case, approval by the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAPCRYPTOLIB or the Secure Login Library.)

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step by Step

(Diagram: SAP client and application server, steps 1–4.)

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of Secure Login Library with client actions
  - Hardware support needed
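The four steps above end with the application signing the document and storing the result. What gets stored, and what a later verifier needs, is easy to lose in the diagram, so here is an added example in Go; it is not SAP code and does not use SSF, the Secure Login Library or X.509 certificates. Go's standard-library Ed25519 key stands in for the user's certificate-backed key from step 3, and the SignedDocument type, the signer id JDOE and the purchase order text are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedDocument is what the application stores in step 4: the document, the
// identity transferred in step 2, the public key standing in for the
// certificate received in step 3, and the signature itself.
type SignedDocument struct {
	Content   []byte
	Signer    string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// signingInput binds the signer's identity to a hash of the content, so the
// signature can neither be moved to another document nor re-attributed.
func signingInput(signer string, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte(signer))
	h.Write([]byte{0}) // separator between identity and content
	h.Write(content)
	return h.Sum(nil)
}

// SignDocument performs step 4 with the private key the user unlocked in step 3.
func SignDocument(priv ed25519.PrivateKey, signer string, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signer:    signer,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signingInput(signer, content)),
	}
}

// VerifyDocument is what a later reader or an auditor runs on the stored record.
func VerifyDocument(doc SignedDocument) error {
	if len(doc.PublicKey) != ed25519.PublicKeySize {
		return errors.New("missing or malformed public key")
	}
	if !ed25519.Verify(doc.PublicKey, signingInput(doc.Signer, doc.Content), doc.Signature) {
		return errors.New("signature does not match content and signer")
	}
	return nil
}

// RunScenario signs a constructed purchase order, then reports whether
// verification succeeds on the stored record, after the content is altered,
// and after the signer name is altered.
func RunScenario() (original, alteredContent, alteredSigner bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := SignDocument(priv, "JDOE", []byte("Purchase order 4500001234: 100 units at 12.50 EUR"))
	original = VerifyDocument(doc) == nil

	changed := doc
	changed.Content = []byte("Purchase order 4500001234: 100 units at 1.25 EUR")
	alteredContent = VerifyDocument(changed) == nil

	renamed := doc
	renamed.Signer = "MALLORY"
	alteredSigner = VerifyDocument(renamed) == nil
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("original valid: %v, altered content valid: %v, altered signer valid: %v\n", a, b, c)
}
```

In a production setup the public key would come from a certificate whose chain and revocation status the verifier checks as well; the example shows only the binding of identity and content that makes the stored record auditable.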

SNC Client Encryption

Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

(Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to an SAP application server; SNC also secures the server-to-server connection between SAP application servers.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Diagram: Secure Software Development at SAP and at customers; Security Services; Security Management. The slide is repeated in the following sections to highlight the part being discussed.)

SAP Product Innovation Lifecycle

(Diagram: phases Invent, Define, Develop, Deploy, Optimize, with quality gates at planning to development, development to production, and production to ramp-up.)

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support
- Security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

(Topics taken from the SAP security recommendations, discussed later.)
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems on site, remotely, or as a self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- The most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, lightweight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs the configuration and describes the required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it
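Two of the bug classes listed above, directory traversal and cross-site scripting, share one root cause: data supplied by the caller is used in a context (a file system path, an HTML page) where it is interpreted as more than data. The following Go program is an added example, not SAP code and not taken from the SAP Secure Programming Guides; it places the defective pattern next to the hardened one for each. The attachment directory, the file names and the greeting template are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"path/filepath"
	"strings"
)

// --- Directory traversal ---

// attachmentPathUnsafe is the "before": the caller-supplied name is appended
// to the storage directory without checking where the result ends up, so a
// name containing ".." segments reaches files outside the directory.
func attachmentPathUnsafe(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// attachmentPath is the hardened form: resolve the path, then require that it
// is still inside baseDir. Rejecting is simpler and safer than "cleaning" the name.
func attachmentPath(baseDir, name string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name) // Join cleans, so ".." segments are resolved here
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("attachment name escapes the storage directory")
	}
	return full, nil
}

// --- Cross-site scripting ---

// greetingUnsafe is the "before": user input is concatenated into HTML, so a
// display name containing markup is rendered as markup.
func greetingUnsafe(displayName string) string {
	return "<p>Hello, " + displayName + "</p>"
}

// greetingTmpl uses html/template, which escapes each value for the HTML
// context it lands in (element text here; attributes and scripts are handled too).
var greetingTmpl = template.Must(template.New("greet").Parse("<p>Hello, {{.}}</p>"))

func greeting(displayName string) (string, error) {
	var buf bytes.Buffer
	if err := greetingTmpl.Execute(&buf, displayName); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	base := filepath.Join(string(filepath.Separator), "srv", "app", "attachments")
	for _, name := range []string{"invoice-4711.pdf", "../../etc/passwd"} {
		p, err := attachmentPath(base, name)
		fmt.Printf("%-18s unsafe=%s hardened=%q err=%v\n", name, attachmentPathUnsafe(base, name), p, err)
	}
	unsafe := greetingUnsafe("<script>alert(1)</script>")
	safe, _ := greeting("<script>alert(1)</script>")
	fmt.Println(unsafe)
	fmt.Println(safe)
}
```

SQL injection and ABAP code injection follow the same rule: keep caller data out of the code path (parameterized statements rather than string-built queries, no dynamic program generation from input), and let a source code scanner flag every place where input flows into such a sink.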

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC)
- Central place for all check tools, exemption handling, result storage

Code Inspector (SCI)
- Open framework for customers, partners, and SAP to develop code-related checks

Extended Program Check (SLIN)
- Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis
- Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

(Diagram: manual source code review and automated source code analysis on the SAST side, which finds vulnerabilities by analyzing the sources; automated application vulnerability scanning and manual application penetration testing on the DAST side, which finds vulnerabilities in the running application.)

Code Vulnerability Analysis: Scan, Analyze, and Fix Your Programs

(Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing; the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to automated source code analysis.)

- DAST: find vulnerabilities in the running application
- SAST: find vulnerabilities analyzing the sources
- Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an e-mail to secure@sap.com
  – Please use PGP for e-mail encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product.
- What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found?
- SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general.
- Go to the SAP Service Marketplace for Spotlight News
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
- Booking code: P_ADM_SEC_70

Topic                                  | Course ID
Authorizations AS ABAP                 | ADM940
Authorizations AS Java, Portal         | ADM200, EP200, ADM800
Authorizations BW                      | BW365
SAP NetWeaver Identity Management      | ADM920
Security Auditing                      | ADM950
Technical Security (RFC, SSL, SNC, …)  | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

EAL 1: functionally tested
EAL 2: structurally tested
EAL 3: methodically tested and checked
EAL 4: methodically designed, tested, and reviewed
EAL 5: semi-formally designed and tested
EAL 6: semi-formally verified, designed, and tested
EAL 7: formally verified, designed, and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

(Diagram: Compliance and Governance – SAP GRC Access Control; Identity Management – SAP NetWeaver Identity Management; Authentication and Single Sign-On – SAP NetWeaver Single Sign-On.)

SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner, via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, creating a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

(Diagram: after primary authentication as user jack_jones, the E-SSO monitor, administered through a local management console, supplies the credentials for a terminal emulator, a web form, web basic authentication, a Windows application, and a Java application.)

Secure Login – Solution Architecture

(Diagram. Client system: the SAP front end (NWBC, SAP GUI) with the Secure Login Client, and a web browser with the SLWC applet and a key store, both using the SAP or Java crypto library. Backend systems: an SAP backend ABAP stack with the Secure Login Library and the PSE service, reached over DIAG/SNC; a NetWeaver CE 7.2 Java stack running the Secure Login Server with its configuration data, reached over HTTP(S); an authentication server (e.g. SAP User Management).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

(Diagram: Company A with Datacenter A (ERP, CRM, SCM, …), Company B with Datacenter B (ERP, CRM, SCM, …), and the cloud in between.)

- Different companies
- One business process
- Separated IT infrastructure

Identity Federation – Solution

(Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider; ERP, CRM, and SCM in each datacenter act as Service Providers (SP); identity federation links the two Identity Providers.)

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an SAP NetWeaver Java Identity Provider with its user accounts issues SAML tokens at log-on/log-off to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java, and non-SAP systems, each with its own user accounts.)

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
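The two preceding slides describe the exchange (SP redirects to the IdP, the IdP authenticates against its own identity store, the SP accepts the assertion) and what trust across companies means: company B's service providers trust company A's identity provider. The following Go program is an added example, not SAP code and not a SAML implementation: it plays both sides of a simplified exchange with a signed assertion and shows the checks a service provider performs before starting a session (issuer, signature, audience, request binding, expiry). The entity ids, the user jdoe and the AuthnRequest/Response types are constructed; Go's standard-library Ed25519 stands in for the XML signature of real SAML 2.0.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a simplified SAML assertion: issuing IdP, authenticated subject,
// intended service provider (audience), the request it answers, and its expiry.
type Assertion struct {
	Issuer, Subject, Audience, InResponseTo string
	NotOnOrAfter                            time.Time
}

// canonical is the byte string that gets signed (real SAML signs canonicalized XML).
func (a Assertion) canonical() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.Subject, a.Audience, a.InResponseTo,
		a.NotOnOrAfter.UTC().Format(time.RFC3339)}, "\n"))
}

// AuthnRequest is the SP's redirect to the IdP; Response is what the browser carries back.
type AuthnRequest struct{ RequestID, SPEntityID string }
type Response struct {
	Assertion Assertion
	Signature []byte
}

// IdentityProvider keeps its own identities and signs assertions with its key.
type IdentityProvider struct {
	EntityID string
	key      ed25519.PrivateKey
	users    map[string]string // user -> password (constructed identity store)
}

func NewIdP(entityID string, users map[string]string) *IdentityProvider {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{EntityID: entityID, key: priv, users: users}
}

func (idp *IdentityProvider) PublicKey() ed25519.PublicKey { return idp.key.Public().(ed25519.PublicKey) }

// Authenticate checks the credentials against the IdP's store and, on success,
// issues a short-lived assertion bound to the requesting SP and its request id.
func (idp *IdentityProvider) Authenticate(req AuthnRequest, user, pw string, now time.Time) (Response, error) {
	if stored, ok := idp.users[user]; !ok || stored != pw {
		return Response{}, errors.New("authentication failed")
	}
	a := Assertion{Issuer: idp.EntityID, Subject: user, Audience: req.SPEntityID,
		InResponseTo: req.RequestID, NotOnOrAfter: now.Add(5 * time.Minute)}
	return Response{Assertion: a, Signature: ed25519.Sign(idp.key, a.canonical())}, nil
}

// ServiceProvider trusts one IdP (entity id plus public key) and validates every response.
type ServiceProvider struct {
	EntityID, TrustedIdP string
	TrustedKey           ed25519.PublicKey
	Now                  func() time.Time
}

// Consume returns the subject to start a local session for, or the reason for rejection.
func (sp *ServiceProvider) Consume(resp Response, expectedRequestID string) (string, error) {
	a := resp.Assertion
	switch {
	case a.Issuer != sp.TrustedIdP:
		return "", errors.New("untrusted issuer")
	case !ed25519.Verify(sp.TrustedKey, a.canonical(), resp.Signature):
		return "", errors.New("invalid signature")
	case a.Audience != sp.EntityID:
		return "", errors.New("assertion issued for another service provider")
	case a.InResponseTo != expectedRequestID:
		return "", errors.New("response does not match an outstanding request")
	case !sp.Now().Before(a.NotOnOrAfter):
		return "", errors.New("assertion expired")
	}
	return a.Subject, nil
}

// RunFederation plays the exchange: company A's IdP authenticates jdoe for company B's
// ERP; the same response is then refused by company B's CRM (wrong audience) and a
// response with an edited subject is refused (signature no longer matches).
func RunFederation() (subject string, rejections []string) {
	idp := NewIdP("https://idp.company-a.example", map[string]string{"jdoe": "correct horse"})
	newSP := func(id string) *ServiceProvider {
		return &ServiceProvider{EntityID: id, TrustedIdP: idp.EntityID, TrustedKey: idp.PublicKey(), Now: time.Now}
	}
	erpB, crmB := newSP("https://erp.company-b.example"), newSP("https://crm.company-b.example")
	req := AuthnRequest{RequestID: "req-0001", SPEntityID: erpB.EntityID}
	resp, err := idp.Authenticate(req, "jdoe", "correct horse", time.Now())
	if err != nil {
		return "", []string{err.Error()}
	}
	subject, _ = erpB.Consume(resp, req.RequestID)
	if _, err := crmB.Consume(resp, req.RequestID); err != nil {
		rejections = append(rejections, err.Error())
	}
	forged := resp
	forged.Assertion.Subject = "admin"
	if _, err := erpB.Consume(forged, req.RequestID); err != nil {
		rejections = append(rejections, err.Error())
	}
	return subject, rejections
}

func main() {
	subject, rejections := RunFederation()
	fmt.Printf("session for %q; rejected: %v\n", subject, rejections)
}
```

The order of the checks matters for diagnostics only; any single failure is enough to refuse the session. The audience check is what makes "each company maintains only its own identities" safe: an assertion issued for one service provider cannot be replayed at another, even one that trusts the same identity provider.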

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management around a central identity store, integrated with SAP Access Control (GRC) and the SAP Business Suite; a business event, e.g. on-boarding, triggers the process.)

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram. Identity Center: the IC database (MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit, and the identity store; a Java runtime, a VB runtime, the DSE (VB), the dispatcher, and an event agent that starts them. AS Java: the Web Dynpro user interface (ID Mgmt UI abstraction) and the Identity Services runtime (VDS), reached over HTTPS and JMX; the Microsoft Management Console (MMC), soon to be Eclipse, serves as the management console. Virtual Directory Server (Java VM, LDAP): connects external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific) over the DB protocol and LDAP.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

(Diagram, built up over six slides: User, SAP NetWeaver Identity Management, Approver, SAP GRC Access Control, and Compliance Team, with the numbered steps below as arrows between them.)

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, … (handled in SAP GRC Access Control)
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …, and send approval mail to the user

Result: compliant identity management.

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations, and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Diagram. SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 (AC, PC & RM; software component GRCFND_A). Connected over RFC: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules, and PC automated controls (plug-in GRCPIERP); non-SAP business applications through an adapter (optional). Optional components: SAP NW Portal 7.02 with GRC Portal Content (HTTP); SAP NW BW 7.02 with GRC BI Content (RFC); identity management solutions (SAP or non-SAP) via web services; SAP NW Java 7.02 with Adobe Document Services and Content Lifecycle Management (CLM). Front-end client: SAP GUI 7.10 (DIAG) and a web browser (HTTP) with Adobe Flash Player and the SAP CR Adapter. The SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports.)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Process flow shown in the diagram:

- HR Application: a New Hire or Change Position event is raised
- Identity Management: Calculate Entitlements Based on Position
- SAP GRC Access Control: Compliance Check, with Remediation of detected risks
- Line Manager: Approve Assignments (Yes / No)
- Heterogeneous Landscape: Create User and Assign Roles / Assign Privileges in each connected system
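The flow above, as an added Python model (this is example code written for this page, not SAP NetWeaver Identity Management or SAP GRC Access Control product code). It runs the steps in the slide's order: an HR event, entitlements derived from the position, a segregation-of-duties compliance check, remediation, line-manager approval, and the per-system provisioning tasks for a heterogeneous landscape. All positions, role names, target systems and the risk rule are constructed sample data; the position numbers reuse the ones from the HR org-structure slides.

```python
"""Added model of the compliant provisioning flow on the slide (not SAP's product code):
HR event -> entitlements from position -> compliance (SoD) check -> remediation ->
line-manager approval -> provisioning tasks per target system.
All positions, roles, systems and risk rules are constructed sample data."""
from dataclasses import dataclass, field

POSITION_ROLES = {            # entitlement calculation: position -> roles
    "70008501": ["GEN_FIN", "AP_INVOICE_ENTRY"],
    "70008502": ["HR_ADM"],
    "70008503": ["AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"],
}
ROLE_SYSTEMS = {              # heterogeneous landscape: where each role is provisioned
    "GEN_FIN": ["ERP_PRD"],
    "AP_INVOICE_ENTRY": ["ERP_PRD"],
    "AP_PAYMENT_RELEASE": ["ERP_PRD"],
    "HR_ADM": ["HCM_PRD", "PORTAL_PRD"],
}
SOD_RULES = {                 # segregation-of-duties risks: role pairs that conflict
    "P001": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
}


@dataclass
class HrEvent:
    kind: str                 # "NEW_HIRE" or "CHANGE_POSITION"
    user_id: str
    position: str
    current_roles: list = field(default_factory=list)   # roles held before the event


def calculate_entitlements(event: HrEvent) -> list:
    return sorted(set(POSITION_ROLES.get(event.position, [])))


def compliance_check(roles: list) -> list:
    """Risk ids violated by the proposed role set."""
    held = set(roles)
    return [rid for rid, (a, b) in SOD_RULES.items() if a in held and b in held]


def remediate(roles: list, violations: list):
    """Drop the second role of every violated pair; it is deferred to a separate,
    explicitly risk-accepted request instead of being provisioned silently."""
    roles = list(roles)
    deferred = []
    for rid in violations:
        _, drop = SOD_RULES[rid]
        if drop in roles:
            roles.remove(drop)
            deferred.append((drop, rid))
    return roles, deferred


def process_event(event: HrEvent, manager_approves) -> dict:
    """Returns the provisioning plan; nothing is provisioned without approval."""
    entitled = calculate_entitlements(event)
    violations = compliance_check(entitled)
    roles, deferred = remediate(entitled, violations)
    plan = {"user": event.user_id, "roles": roles, "violations": violations,
            "deferred": deferred, "status": "rejected", "tasks": []}
    if not manager_approves(event, roles):
        return plan
    plan["status"] = "approved"
    to_assign = [r for r in roles if r not in event.current_roles]
    to_revoke = [r for r in event.current_roles if r not in roles]
    for system in sorted({s for r in roles for s in ROLE_SYSTEMS[r]}):
        if event.kind == "NEW_HIRE":
            plan["tasks"].append((system, "CREATE_USER", event.user_id))
        plan["tasks"] += [(system, "ASSIGN_ROLE", r) for r in to_assign if system in ROLE_SYSTEMS[r]]
    for r in to_revoke:                       # position change: remove roles no longer entitled
        plan["tasks"] += [(system, "REVOKE_ROLE", r) for system in ROLE_SYSTEMS[r]]
    return plan


def approve_all(event, roles):
    """Stand-in for the line-manager approval step."""
    return True


if __name__ == "__main__":
    print(process_event(HrEvent("NEW_HIRE", "SCOTTE", "70008503"), approve_all))
```

The remediation strategy (drop the conflicting role and defer it) is one choice among several; the point is that the risk is detected and decided on before the first CREATE_USER task is produced, which is what the slide's "reduce risk through compliance checks" means in practice.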

Moving Security to the Next Level

Planned Features and Developments:

- Centralized SAP Attack Monitoring Infrastructure
- UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Inputs feeding the SAP Attack Monitoring Infrastructure (from the diagram):

- Attack Pattern Updates by SAP
- Logs of SAP NetWeaver
- Logs of Non-SAP NetWeaver
- Desktop Frontend
- Mobile Frontend
- Logs of Infrastructure
- Logs of Database
- Logs of Network IDS
- Alerts from SAP SolMan

Processing stages inside the infrastructure: Aggregation, Normalization, Connectivity, Filtering, Extraction.

Outputs: API to other SIEM tools; Information Back Channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
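To make the aggregation and normalization stages concrete, here is an added Python sketch (written for this page; it is not SAP's planned implementation and says nothing about its real interfaces). Two constructed log sources with different layouts are normalized into one record shape, and a single detection rule is run across both: repeated failed logons for a user followed by a success. The pipe-separated audit log layout and the syslog-style database lines are invented for the example; the only real SAP identifiers used are the Security Audit Log message ids AU1 (logon successful) and AU2 (logon failed).

```python
"""Added sketch of the aggregation/normalization/filtering stages from the slide and one
detection rule on top (not SAP's planned implementation). Both log formats and all
records are constructed; only the SAL message ids AU1/AU2 are real SAP identifiers."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: constructed pipe-separated export of an ABAP Security Audit Log
SAL_LINES = [
    "2013-11-05 09:12:01|PRD|100|SMITHJ|AU2|Logon failed|10.1.2.3",
    "2013-11-05 09:12:09|PRD|100|SMITHJ|AU2|Logon failed|10.1.2.3",
    "2013-11-05 09:12:15|PRD|100|SMITHJ|AU2|Logon failed|10.1.2.3",
    "2013-11-05 09:20:40|PRD|100|SCOTTE|AU2|Logon failed|10.1.7.7",
    "2013-11-05 09:20:55|PRD|100|SCOTTE|AU1|Logon successful|10.1.7.7",
]
# Source 2: constructed syslog-style lines from a database host
DB_LINES = [
    "Nov 5 09:12:20 hanaprd dbaudit: user=SMITHJ action=connect result=failed ip=10.1.2.3",
    "Nov 5 09:13:02 hanaprd dbaudit: user=SMITHJ action=connect result=ok ip=10.1.2.3",
    "Nov 5 09:30:00 hanaprd dbaudit: user=BACKUP action=connect result=ok ip=10.1.9.9",
]
SYSLOG_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")


def normalize_sal(line: str) -> dict:
    ts, system, client, user, msg_id, _text, ip = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": f"{system}/{client}",
            "user": user, "outcome": "failure" if msg_id == "AU2" else "success", "ip": ip}


def normalize_syslog(line: str, year: int = 2013) -> dict:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line}")
    kv = dict(part.split("=", 1) for part in m.group(4).split())
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "source": m.group(2), "user": kv["user"],
            "outcome": "failure" if kv["result"] == "failed" else "success", "ip": kv["ip"]}


def aggregate() -> list:
    """Aggregation + normalization: every source ends up in one common record shape."""
    events = [normalize_sal(l) for l in SAL_LINES] + [normalize_syslog(l) for l in DB_LINES]
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """Attack pattern: >= threshold failed logons for one user within `window`,
    followed by a successful logon. Correlation is across sources, which is what
    a central infrastructure adds over analysis on a single system."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        failures = []
        for e in evs:
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "failure":
                failures.append(e)
            elif len(failures) >= threshold:
                alerts.append({"user": user, "failures": len(failures),
                               "sources": sorted({f["source"] for f in failures}),
                               "success_at": e["ts"].isoformat()})
                failures = []
    return alerts


def run() -> list:
    return detect_failed_logon_bursts(aggregate())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Note that the SMITHJ alert only reaches the threshold because the database failure is counted together with the three ABAP failures; each system on its own sees fewer events, which is the "limited analysis possibilities on local systems" point made on the slide.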

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO, and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web

- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complementary with your SAP TechEd registration
- httpsaptechedhandsonsapcom

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 13: SIS100 - Overview About Product Security, IDM and SSO

SAP ABAP Authorization Concept

Authorization Objects are the key pillar of the ABAP Authorization Concept. They provide the meta-level on top of which authorization checks are defined.

Structure shown in the diagram:

- Authorization Object X defines the fields Field1 ... Field10.
- An Authorization is an object instantiated with specific values: Authorization Object X with Field1 = ValuesX1 ... Field10 = ValuesX10; Authorization Object Y with Field1 = ValuesY1 ... Field10 = ValuesY10; Authorization Object Z with Field1 = ValuesZ1 ... Field10 = ValuesZ10.
- Authorizations are bundled into an Authorization Profile; the profile belongs to a Role; the Role is assigned to a User, and the assignment is recorded in the User's Master Record.
- At runtime, Transaction T runs Program P, and the system checks each field of the object against the specific values the user holds (instantiated and assigned; checked against specific values).

The runtime check in Program P as shown on the slide, written out as ABAP:

AUTHORITY-CHECK OBJECT 'X'
  ID 'FIELD1'  FIELD value_x1
* ... one ID/FIELD pair per field of the object, FIELD2 to FIELD9 ...
  ID 'FIELD10' FIELD value_x10.
IF sy-subrc <> 0.
  MESSAGE 'Bad authz' TYPE 'E'.
ENDIF.
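The same concept as an added Python model (example code written for this page, not SAP's implementation and not ABAP): objects define fields, authorizations instantiate an object with values, profiles bundle authorizations, roles carry profiles, and the user master record lists roles. The `authority_check` method mirrors AUTHORITY-CHECK and returns the sy-subrc value. The object names F_BKPF_BUK (fields BUKRS, ACTVT) and S_TCODE (field TCD) are standard ABAP authorization objects; the values assigned to them, the profile name and the role are constructed. The example goes one step beyond the slide by showing why a user who holds ACTVT 02 in one authorization and BUKRS 1000 in another still fails a check for both together: all fields must be satisfied by one single authorization.

```python
"""Added model of the ABAP authorization concept shown on the slide (not SAP code).
Objects define fields; authorizations instantiate objects with values; profiles
bundle authorizations; roles carry profiles; the user master record lists roles.
Object/field names are standard ones, the assigned values are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthorizationObject:
    name: str
    fields: tuple  # field names defined at the meta-level, e.g. ("BUKRS", "ACTVT")


@dataclass
class Authorization:
    """Object X instantiated with concrete values: Field1 = ValuesX1, ... ."""
    obj: AuthorizationObject
    values: dict  # field -> list of value specs: "*" (all), "lo-hi" (interval) or a single value

    def permits(self, requested: dict) -> bool:
        # All requested fields must be satisfied by THIS single authorization;
        # the runtime check never mixes field values from different authorizations.
        for name in self.obj.fields:
            if name not in requested:
                continue  # a field not named in the check is not tested
            if not any(_spec_matches(s, requested[name]) for s in self.values.get(name, [])):
                return False
        return True


def _spec_matches(spec: str, value: str) -> bool:
    if spec == "*":
        return True
    if len(spec) > 1 and "-" in spec:  # interval, compared as character strings like ABAP does
        low, high = spec.split("-", 1)
        return low <= value <= high
    return spec == value


@dataclass
class Profile:
    name: str
    authorizations: list


@dataclass
class Role:
    name: str
    profile: Profile


@dataclass
class UserMasterRecord:
    user: str
    roles: list = field(default_factory=list)

    def authority_check(self, obj_name: str, **requested) -> int:
        """Equivalent of AUTHORITY-CHECK OBJECT obj_name ID f1 FIELD v1 ...
        Returns the sy-subrc value: 0 = authorized, 4 = no matching authorization,
        12 = the user holds no authorization for this object at all."""
        saw_object = False
        for role in self.roles:
            for auth in role.profile.authorizations:
                if auth.obj.name != obj_name:
                    continue
                saw_object = True
                if auth.permits(requested):
                    return 0
        return 4 if saw_object else 12


# Constructed sample: user SMITHJ from the HR slides holding role GEN_FIN.
F_BKPF_BUK = AuthorizationObject("F_BKPF_BUK", ("BUKRS", "ACTVT"))
S_TCODE = AuthorizationObject("S_TCODE", ("TCD",))

GEN_FIN = Role("GEN_FIN", Profile("T-GENFIN", [
    Authorization(F_BKPF_BUK, {"BUKRS": ["1000"], "ACTVT": ["03"]}),                   # display in 1000
    Authorization(F_BKPF_BUK, {"BUKRS": ["2000-2999"], "ACTVT": ["01", "02", "03"]}),  # maintain in 2xxx
    Authorization(S_TCODE, {"TCD": ["FB02", "FB03"]}),
]))
SMITHJ = UserMasterRecord("SMITHJ", [GEN_FIN])


def demo() -> dict:
    """Runs the checks Program P would issue and returns the sy-subrc per case."""
    return {
        "display_1000": SMITHJ.authority_check("F_BKPF_BUK", BUKRS="1000", ACTVT="03"),
        # ACTVT 02 exists only together with BUKRS 2xxx, so this must fail even though
        # the user holds ACTVT 02 in one authorization and BUKRS 1000 in another:
        "change_1000": SMITHJ.authority_check("F_BKPF_BUK", BUKRS="1000", ACTVT="02"),
        "change_2500": SMITHJ.authority_check("F_BKPF_BUK", BUKRS="2500", ACTVT="02"),
        "start_FB03": SMITHJ.authority_check("S_TCODE", TCD="FB03"),
        "no_object": SMITHJ.authority_check("S_DEVELOP", ACTVT="03"),
    }


if __name__ == "__main__":
    print(demo())
```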

HR Organizational Management – Org Structure in HR

Diagram: Org Units (O) Finance, HR, and Market GER contain Positions (S) 70008501 and 70008502 (1:n). Each Position is held by an Employee (P), John Smith and Eva Scott (1:1), and each Employee is linked to an SAP User (US), SMITHJ and SCOTTE (1:1), through Infotype 105.

Positions – Employees – Users (linked via Infotype 105)

HR Organizational Management – Role Assignment

Diagram: the same org structure, with Roles (AG) GEN_FIN and HR_ADM assigned to objects of the org structure. User SMITHJ inherits roles GEN_FIN and HR_ADM.

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – overview of security functions

Security functions of SAP HANA shown in the diagram: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store.

Access paths: clients via SQL and MDX (directly or through an Application Server), SAP HANA XS applications via HTTP(S), and SAP HANA Studio via SQL for administration.

SAP HANA – authentication and single sign-on

SQL access:
- User name and password (incl. password policy)
- Kerberos
- SAML

HTTP access (SAP HANA XS):
- User name and password (basic authentication, form-based login, incl. password policy)
- SAML
- X.509
- SAP logon tickets

SAP HANA – user and role management

- For logon, users must exist in the identity store of the SAP HANA database
- Roles (and privileges) can be assigned to users
- Roles are used to bundle and structure privileges
  - Create roles for specific groups of users; role hierarchies supported
- Role lifecycle: design-time roles, export to production system, activate runtime

SAP HANA – authorization: Privilege types

- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – communication and data encryption

Communication encryption:
- SSL

Data encryption:
- Data volumes on disk

SAP HANA – audit logging

- Logging of critical events for security and compliance, e.g.
  - User, role, and privilege changes
  - Configuration changes
- User-defined policies for audit logging
- Data access logging
  - Read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – security administration

- SAP HANA Studio (Administration)
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

Layers of SAP Mobile Security (On-Premise, Hybrid, Cloud):
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues, and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security, and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

SAP ID service (Authentication, Single Sign-On, User Management) in the SAP Cloud:
- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and On-Demand applications
- One SAP identity: SAP ID service bridges the gap between
  - customer's on-premise application
  - SAP on-demand applications
  - SAP websites
  - 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

Standards shown in the diagram: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos.

The two camps: Enterprise (OnPremise) and Internet/Cloud (OnDemand).

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP/OD instead of point-to-point connections.

Diagram: in the Customer On-Premise Network, the User authenticates at the On-Premise IdP (X.509). In the SAP On-Demand Network, the SAP ID service sits between the On-Premise IdP and a Social IdP on one side and the applications (SAP Business ByDesign, SAP HANA Cloud, 3rd party App) on the other, using SAML towards the applications.

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication, and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

Diagram: the backend networks of Company A and Company B (R/3 application server farms, ERP, DIR) connect to On-Demand solutions. Each company has its own Identity Provider. SAP Logon Tickets are used within the backend networks; SAML is used between the Identity Providers and the On-Demand solutions.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

- Configuration and results of the Security Audit Log in ABAP: transactions SM18, SM19, SM20
- Results of the Log Viewer in Java

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operations of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations, and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram, SAP Environment:
- Audit planning
- Work program: System audit, Business audit
- Online controls on the SAP database: System information, Reconciliation, BS / P&L, Account balances, Documents
- Data export: Account balances, Line items

Diagram, Non-SAP Environment (reached via the export interface):
- Work paper preparation, Report
- Analysis software (ACL, IDEA, …)
- Reporting software
- Exported data: Line items, Balances, Accounts, Customers, Vendors, Assets, Material, Orders, Invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure, and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place (via which transaction or user interface)

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service, or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram: ABAP Server – Application (Web Dynpro) – Read Access Log

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
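An added Python sketch (example code written for this page, not the RAL framework's own code or its configuration format) of how a per-channel logging configuration produces who/what/when/how records (the Features slide above) while the filters keep values such as a full credit card number out of the log (the Framework Features slide). Channels, entity and field names, the transaction BP as interface name, and the two users are constructed sample data; "RFC_FM_EXAMPLE" is a placeholder function-module name.

```python
"""Added sketch of how a read-access log configuration drives what is recorded (not the
SAP RAL framework's own code or configuration format). Channels, entities, field names
and the records below are constructed sample data."""
from datetime import datetime

# Logging configuration: channel -> entity -> field -> mode. Anything not listed is
# filtered out entirely; "log_access_only" records that a field was shown, not its value.
RAL_CONFIG = {
    "SAPGUI": {"BUSINESS_PARTNER": {"BIRTHDATE": "log_value", "CREDIT_CARD": "log_access_only"}},
    "RFC":    {"BUSINESS_PARTNER": {"CREDIT_CARD": "log_access_only"}},
}


def mask(value: str) -> str:
    """Keep the last four characters so an auditor can correlate without full details."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def log_read_access(log: list, user: str, channel: str, interface: str, entity: str,
                    record_id: str, fields: dict, when: datetime) -> int:
    """Append one record per configured field that was presented to `user`;
    returns how many records were written."""
    cfg = RAL_CONFIG.get(channel, {}).get(entity, {})
    written = 0
    for name, value in fields.items():
        mode = cfg.get(name)
        if mode is None:
            continue   # filtered: field not classified as sensitive for this channel
        log.append({
            "who": user, "when": when.isoformat(), "how": f"{channel}:{interface}",
            "entity": entity, "key": record_id, "field": name,
            "value": value if mode == "log_value" else mask(value),
        })
        written += 1
    return written


def who_accessed(log: list, entity: str, record_id: str) -> list:
    """Evaluation side: which users saw sensitive fields of one record."""
    return sorted({r["who"] for r in log if r["entity"] == entity and r["key"] == record_id})


def demo() -> dict:
    log = []
    shown = {"NAME": "Eva Scott", "BIRTHDATE": "1980-02-17", "CREDIT_CARD": "4111111111111111"}
    when = datetime(2013, 11, 5, 10, 15)
    n_gui = log_read_access(log, "SMITHJ", "SAPGUI", "BP", "BUSINESS_PARTNER", "100042", shown, when)
    n_rfc = log_read_access(log, "RFCUSER", "RFC", "RFC_FM_EXAMPLE", "BUSINESS_PARTNER", "100042", shown, when)
    # WEBDYNPRO is not a configured channel here, so nothing is written for it
    n_wd = log_read_access(log, "SCOTTE", "WEBDYNPRO", "BP_OVERVIEW", "BUSINESS_PARTNER", "100042", shown, when)
    return {"gui": n_gui, "rfc": n_rfc, "webdynpro": n_wd, "log": log,
            "readers": who_accessed(log, "BUSINESS_PARTNER", "100042")}


if __name__ == "__main__":
    for record in demo()["log"]:
        print(record)
```

The "log_access_only" mode is the practical answer to the legal constraints discussed later in this section: the log proves that a user saw the card field without itself becoming a store of full card numbers.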

SAP Custom Development – User Interface (UI) Logging

Diagram: SAP GUI for Windows exchanges Request/Response with the Dynpro Processor in the SAP Backend System. The observed data traffic between Dynpro Processor and Application Logic is written to a Temporary Log and, via an asynchronous call of the log service, to Permanent Log Storage in the Repository (delivered sample implementation).

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI, and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I – Transaction BP (Business Partner) Log Record

UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) Log Record

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Supported channels:

Channel                      | Read Access Logging | UI Logging Solution
SAP GUI                      | No                  | 7.00 ... 7.31
Web Dynpro ABAP              | 7.40 SP02           | On request
CRM Web Client UI            | No                  | 7.00 ... 7.31
Business Warehouse           | No                  | 7.00 ... 7.31, BW 7.0
Web Services                 | 7.40                | On request
SAP RFC                      | 7.40 SP02           | On request
Business Server Pages (BSP)  | No                  | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. An example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, a detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, provided by SAP CRYPTOLIB or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received (SAP Client)
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of Secure Login Library with client actions
  - Hardware support needed

SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Goals: Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to an SAP application server; SNC is also used between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: SAP and Customers each contribute Secure Software Development; between them sit Security Services and Security Management.

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with Quality Gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems: Are you ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling
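Several of the topics above map to AS ABAP profile parameters, so a practitioner can verify them mechanically. The following added Python check (example code written for this page; it is not SAP Solution Manager Configuration Validation, not LM Automation, and not SAP's official target list) parses an instance profile and compares it with a target. The parameter names are real AS ABAP profile parameters; the expected values are illustrative thresholds chosen for this example, and the two profiles are constructed. An unset parameter is reported as a finding because its default differs between kernel releases, so an explicit setting is what you want to see.

```python
"""Added check of an AS ABAP instance profile against a target configuration (not SAP's
Configuration Validation or LM Automation code). Parameter names are real profile
parameters; the target values are illustrative thresholds chosen for this example."""
import re

# name -> (rule, expected). "eq": exact string; "min"/"max": numeric comparison.
TARGETS = {
    "login/min_password_lng": ("min", 8),                    # password policy
    "login/password_downwards_compatibility": ("eq", "0"),   # password hashes: new hash only
    "login/no_automatic_user_sapstar": ("eq", "1"),          # default passwords: no automatic SAP*
    "login/fails_to_user_lock": ("max", 5),                  # password policy: lock after failures
    "snc/enable": ("eq", "1"),                               # SNC
    "snc/data_protection/min": ("min", 3),                   # 3 = privacy (encryption), not just integrity
    "login/ticket_only_by_https": ("eq", "1"),               # secure session handling
}

WEAK_PROFILE = """\
# constructed sample instance profile, deliberately weak
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 10
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

HARDENED_PROFILE = """\
# constructed sample instance profile meeting the targets
login/min_password_lng = 12
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
snc/enable = 1
snc/data_protection/min = 3
login/ticket_only_by_https = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
"""


def parse_profile(text: str) -> dict:
    """Profile syntax: 'name = value' per line, '#' starts a comment, later lines win."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        params[key] = value
    return params


def validate(params: dict) -> list:
    """Return findings as (parameter, actual, expected) tuples; an empty list means compliant."""
    findings = []
    for name, (rule, expected) in TARGETS.items():
        actual = params.get(name)
        if actual is None:
            findings.append((name, "<not set>", f"{rule} {expected}"))
            continue
        if rule == "eq":
            ok = actual == expected
        else:
            try:
                num = int(actual)
            except ValueError:
                num = None
            ok = num is not None and (num >= expected if rule == "min" else num <= expected)
        if not ok:
            findings.append((name, actual, f"{rule} {expected}"))
    # HTTPS: at least one ICM server port must carry PROT=HTTPS
    https_ports = [k for k, v in params.items()
                   if re.fullmatch(r"icm/server_port_\d+", k) and "PROT=HTTPS" in v.upper()]
    if not https_ports:
        findings.append(("icm/server_port_<n>", "<no HTTPS port>", "PROT=HTTPS"))
    return findings


if __name__ == "__main__":
    for finding in validate(parse_profile(WEAK_PROFILE)):
        print(finding)
```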

Patch Management and Security Monitoring

- Check security of your systems as onsite, remote, or self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- Most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it
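Three of the bug classes listed above, each as a vulnerable function beside its hardened form, in an added Python example (written for this page in Python rather than ABAP so it runs stand-alone; it is not taken from SAP's Secure Programming Guides). The table, its rows and the inputs are constructed. The point each pair makes is the same one the guides make for ABAP: keep untrusted input a value (bind parameters for SQL, output encoding for HTML, canonicalization plus a base-directory check for paths) instead of letting it change the structure of a statement, a page, or a path.

```python
"""Added vulnerable-versus-hardened pairs for three of the bug classes listed above,
written in Python rather than ABAP so they run stand-alone (not SAP's guide code).
Table, rows and inputs are constructed."""
import html
import os
import sqlite3


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendor (id INTEGER, name TEXT, country TEXT)")
    con.executemany("INSERT INTO vendor VALUES (?, ?, ?)",
                    [(1, "ACME", "DE"), (2, "Globex", "US"), (3, "Initech", "DE")])
    return con


# --- SQL injection ---------------------------------------------------------
def vendors_unsafe(con, country: str) -> list:
    # Vulnerable: the input is pasted into the statement text, so it can change
    # the query's structure instead of only supplying a value.
    stmt = f"SELECT name FROM vendor WHERE country = '{country}' ORDER BY id"
    return [r[0] for r in con.execute(stmt)]


def vendors_safe(con, country: str) -> list:
    # Hardened: a bind parameter keeps the input a value; the SQL parser never sees it.
    stmt = "SELECT name FROM vendor WHERE country = ? ORDER BY id"
    return [r[0] for r in con.execute(stmt, (country,))]


# --- Directory traversal ---------------------------------------------------
def resolve_in_base(base_dir: str, user_path: str) -> str:
    # Hardened: canonicalize first, then require the result to stay inside the base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the allowed directory")
    return target


def traversal_blocked(base_dir: str, user_path: str) -> bool:
    try:
        resolve_in_base(base_dir, user_path)
        return False
    except ValueError:
        return True


# --- Cross-site scripting --------------------------------------------------
def greeting_unsafe(name: str) -> str:
    return f"<p>Hello {name}</p>"                 # vulnerable: raw input in HTML context


def greeting_safe(name: str) -> str:
    return f"<p>Hello {html.escape(name)}</p>"    # hardened: output encoding for HTML


def demo() -> dict:
    con = setup_db()
    not_a_country = "DE' OR '1'='1"   # input containing a quote: a value, not a country code
    return {
        "unsafe": vendors_unsafe(con, not_a_country),   # structure changed: every row
        "safe": vendors_safe(con, not_a_country),       # treated as a literal: no row
        "traversal_blocked": traversal_blocked("reports", "../../etc/passwd"),
        "traversal_allowed": resolve_in_base("reports", "q1/summary.csv").endswith(
            os.path.join("reports", "q1", "summary.csv")),
        "xss_unsafe": greeting_unsafe("<script>x</script>"),
        "xss_safe": greeting_safe("<script>x</script>"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```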

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners, and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- DAST: find vulnerabilities in the running application (Automated Application Vulnerability Scanning, Manual Application Penetration Testing)
- SAST: find vulnerabilities by analyzing the sources (Manual Source Code Review, Automated Source Code Analysis)

Code Vulnerability Analysis: Scan, Analyze, and Fix Your Programs

The SAP NetWeaver Application Server add-on for code vulnerability analysis is an automated source code analysis (SAST) tool. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)

Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications

– Sent out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support, send an email to secure@sap.com

– Please use PGP for email encryption

– The public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news, check the security notes released on the Security Patch Days, subscribe to the SAP support portal newsletter, and maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula

SAP System Administration – User and Security

SAP Governance, Risk & Compliance

Certification

SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.

Booking code: P_ADM_SEC_70

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java, Portal            ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, …)     ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits comparison between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)

EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested

EAL 2: Structurally tested

EAL 3: Methodically tested and checked

EAL 4: Methodically designed, tested and reviewed

EAL 5: Semi-formally designed and tested

EAL 6: Semi-formally verified, designed and tested

EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products

SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control

Identity Management: SAP NetWeaver Identity Management

Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store

Advanced SNC encryption: strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods: smart cards, Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management

User and role management

Provisioning to SAP systems and non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On

Identity federation

Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for Windows communication

Strong authentication (Radius, smart cards)

RSA Certification

Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption

Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management (Partner, API): Endorsed Business Solution (EBS) with CA SiteMinder product. Policy-based authentication and authorization to Web applications. XACML-based and policy-enforced access.

Identity Federation: Web based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross company domain single sign-on.

Secure Login: Single sign-on for Web-based and Web service-based applications. Standard-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.

Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet). Secured and automated login via user and password.

SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.


EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook, Google, etc.)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

Diagram elements: Primary Authentication, E-SSO, E-SSO Monitor, Local Management Console; target applications Terminal Emulator, Web Form, Web Basic, Windows application, Java application; example user jack_jones.


Secure Login – Solution Architecture

Diagram elements:

Client System: SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet), Key Store, SAP or Java Crypto Library

SAP Backend System: ABAP Stack with Secure Login Library and PSE Service; Java Stack; protocols DIAG/SNC and HTTP(S)

Secure Login Server (NetWeaver CE 7.2): Config, Data, Secure Login Lib; connected to Backend Systems and an Authentication Server (e.g. SAP User Management)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …) connected through the Cloud.


Identity Federation – Solution

Diagram: in Datacenter A (Company A) and Datacenter B (Company B), each of ERP, CRM and SCM acts as a Service Provider (SP); each company runs its own Identity Provider, and the two are linked by Identity Federation.

Each company maintains only its own identities.

A company can trust the identities of another organization.

Employees of company A can get access to shared information of company B.

SAP Business Suite will be enabled for SAML (Service Provider).

Identity Provider and Service Provider are based on the open SAML standard.


Identity Provider – Web Browser-Based Single Sign-On

Diagram: an SAP NetWeaver Java Identity Provider (user account) issues a SAML token at log on/log off to Service Providers with their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP.

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).

Web users trying to access a system will be redirected to the Identity Provider.

Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication.

Web browser-based single sign-on is user-centric.
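As an added illustration of the redirect-and-assert flow above (example code written for this page, not SAP's SAML implementation), this Python model has one Identity Provider at Company A issue assertions to two Service Providers at Company B and shows which checks the Service Provider performs before granting a session. The entity IDs, accounts, federation mapping and the HMAC stand-in for XML signatures are constructed assumptions.

```python
"""Simplified SAML 2.0 Web Browser SSO between an Identity Provider (Company A) and
Service Providers (Company B). Constructed example; signatures use HMAC-SHA256 over a
canonical JSON body as a stand-in for XML-DSig, and all names and keys are made up."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


def _sign(key, body):
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


@dataclass
class IdentityProvider:
    entity_id: str
    key: bytes                       # constructed signing key (shared secret for the demo)
    accounts: dict                   # Company A's own identities: user -> password hash
    sessions: set = field(default_factory=set)

    def login(self, user, password):
        """Interactive authentication at the IdP; happens once per browser session."""
        if self.accounts.get(user) == hashlib.sha256(password.encode()).hexdigest():
            self.sessions.add(user)
            return True
        return False

    def handle_authn_request(self, request, user, lifetime=300):
        """Answer an SP's AuthnRequest with a signed assertion, if the user has a session."""
        if user not in self.sessions:
            return None              # browser would now be shown the IdP login page
        body = {"issuer": self.entity_id, "audience": request["sp"],
                "in_response_to": request["id"], "name_id": user,
                "not_on_or_after": int(time.time()) + lifetime}
        return {"body": body, "sig": _sign(self.key, body)}


@dataclass
class ServiceProvider:
    entity_id: str
    trusted_idp: str
    idp_key: bytes                   # key material exchanged when the trust was configured
    federation_map: dict             # IdP NameID -> local account; Company B keeps only this
    pending: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    def authn_request(self):
        """Unauthenticated web user is redirected to the IdP carrying a fresh request ID."""
        rid = secrets.token_hex(8)
        self.pending[rid] = time.time()
        return {"id": rid, "sp": self.entity_id, "idp": self.trusted_idp}

    def consume(self, response, now=None):
        """Validate the assertion posted back by the browser; returns (ok, detail)."""
        if response is None:
            return False, "no assertion"
        body, sig = response["body"], response["sig"]
        if not hmac.compare_digest(_sign(self.idp_key, body), sig):
            return False, "bad signature"          # tampered or not from the trusted IdP
        if body["issuer"] != self.trusted_idp:
            return False, "untrusted issuer"
        if body["audience"] != self.entity_id:
            return False, "wrong audience"         # assertion was meant for another SP
        if body["in_response_to"] not in self.pending:
            return False, "unsolicited or replayed response"
        if (now or time.time()) >= body["not_on_or_after"]:
            return False, "expired"
        del self.pending[body["in_response_to"]]   # each request ID is usable once
        local = self.federation_map.get(body["name_id"])
        if local is None:
            return False, "no federated account"
        self.sessions[local] = body["name_id"]
        return True, local


def demo():
    """Walk the flow: one login at the IdP, then SSO to two SPs, plus the failure cases."""
    key = b"constructed-demo-key"
    idp = IdentityProvider("https://idp.company-a.example", key,
                           {"jsmith": hashlib.sha256(b"correct horse").hexdigest()})
    erp = ServiceProvider("https://erp.company-b.example", idp.entity_id, key,
                          {"jsmith": "B_JSMITH"})
    crm = ServiceProvider("https://crm.company-b.example", idp.entity_id, key,
                          {"jsmith": "B_JSMITH"})
    results = {}
    req = erp.authn_request()                     # step 1: redirect to the IdP
    results["before_login"] = erp.consume(idp.handle_authn_request(req, "jsmith"))
    idp.login("jsmith", "correct horse")          # the only interactive authentication
    results["erp"] = erp.consume(idp.handle_authn_request(req, "jsmith"))
    results["replay"] = erp.consume(idp.handle_authn_request(req, "jsmith"))
    results["crm"] = crm.consume(idp.handle_authn_request(crm.authn_request(), "jsmith"))
    stolen = idp.handle_authn_request(erp.authn_request(), "jsmith")
    results["wrong_audience"] = crm.consume(stolen)
    tampered = idp.handle_authn_request(erp.authn_request(), "jsmith")
    tampered["body"]["name_id"] = "admin"
    results["tampered"] = erp.consume(tampered)
    return results
```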

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)

Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2hr)


SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management with a Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.

Password management

Provisioning to SAP and non-SAP systems

Identity management monitoring & audit

Rule-based assignment of business roles

Identity virtualization and identity as a service

Approval workflows

Compliance checks through GRC

SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

Diagram elements:

Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java) and Runtime (VB) with DSE (VB) and Dispatcher; Event Agent <<Starts>>; AS Java with Web Dynpro, ID Mgmt UI abstraction and JMX; User Interface; MMC Management Console (soon to be Eclipse)

Virtual Directory Server: VDS in a Java VM, accessed via LDAP and HTTPS

External repositories: AS Java, LDAP, Java, ABAP, WebServices, Active Dir, etc. (reached via dB protocol, LDAP, WebServices)

External applications: SAP HR, LDAP/WebServices, SiteMinder, app specific, etc.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

Flow between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control:

1. Request for

• Role

• Privileges

• User account

• …

2. Request sent for approval to

• Manager

• Delegate

• Role owner

• Application owner

• …

3. Approval granted from

• Manager

• Delegate

• Role owner

• Application owner

• …

4. Send for risk analysis to

• Manager

• Delegate

• Role owner

• Application owner

• …

5. Risk analysis and remediation

• Reject

• Approve

• Mitigate

• Modify request

• …

6. Provision to

• Business applications

• non-SAP systems

• …

And send approval mail to User

Result: Compliant Identity Management


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management

Centralized user management: centralized management of identity information across multiple data sources

Integration and synchronization of system authorization data: manage user privileges centrally

Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO

Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control

Access Risk Identification: define and understand access risks

Access Analysis and Response: analyze and mitigate access risks

Access Reviews: periodic reviews of assignments, risk violations and controls

Centralized Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

Diagram elements:

SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0

SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Ctrls (Plug-in GRCPIERP); connected via RFC

Non-SAP Business Applications: Adapter (optional)

SAP NW Portal 7.02: GRC Portal Content (optional)

SAP NW BW 7.02: GRC BI Content (optional)

SAP NW Java 7.02: Adobe Document Services (optional)

Identity Management Solutions (SAP or non-SAP): optional, via Web services

Front-End Client: SAP GUI 7.10 (DIAG), Web Browser (http), Adobe Flash Player, SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports


Compliant Identity Management Example: Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Flow: the HR Application raises an event (New Hire, Change Position); Identity Management calculates entitlements based on position; the Line Manager approves the assignments (Yes/No); SAP GRC Access Control runs the compliance check and remediation; in the heterogeneous landscape, users are created and roles or privileges assigned in each system.

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram elements:

Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Network IDS Logs; Alerts from SAP SolMan

SAP Attack Monitoring Infrastructure: Connectivity, Extraction, Filtering, Normalization, Aggregation

Outputs: API to other SIEM tools; Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed.


Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.

Significant investments into security for networked solutions, identity management, SSO and integrated security management offering will allow customers to implement secure business processes.

The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity mandatory for composite business applications and networked solutions.

SAP leads in the industry by helping our customers to thrive in today's business networks.



Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January – March 2014

Complimentary with your SAP TechEd registration

httpsaptechedhandsonsapcom

SAP TechEd Online

Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more

View content only available online

httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


HR Organizational Management – Org Structure in HR

Diagram: Org Units (O) Finance, HR and Market GER contain Positions (S) 70008501 and 70008502 (1:n); each Position is held by an Employee (P), John Smith and Eva Scott (1:1); each Employee is linked via Infotype 105 to an SAP User (US), SMITHJ and SCOTTE (1:1).


HR Organizational Management – Role Assignment

Diagram: the same org structure (Org Units Finance, HR, Market GER; Positions 70008501, 70008502; Employees John Smith, Eva Scott; SAP Users SMITHJ, SCOTTE via Infotype 105) with Roles (AG) GEN_FIN and HR_ADM in the structure. User SMITHJ inherits roles GEN_FIN and HR_ADM.

SAP NetWeaver Security Solutions: SAP HANA Security


SAP HANA – overview of security functions

Diagram: SAP HANA with Authentication/SSO, Authorization, Encryption, Audit Logging and Identity Store. Clients reach it via SQL and MDX (through an Application Server) and via HTTP(S) (XS Application); SAP HANA Studio is used for administration over SQL.


SAP HANA – authentication and single sign-on

SQL access

– User name and password (incl. password policy)

– Kerberos

– SAML

HTTP access (SAP HANA XS)

– User name and password (basic authentication, form-based login, incl. password policy)

– SAML

– X.509

– SAP logon tickets


SAP HANA – user and role management

For logon, users must exist in the identity store of the SAP HANA database.

Roles (and privileges) can be assigned to users.

Roles are used to bundle and structure privileges.

– Create roles for specific groups of users; role hierarchies supported

Role lifecycle: design time roles, export to production system, activate runtime


SAP HANA – authorization: privilege types

System privileges: authorize execution of administrative actions for the entire SAP HANA database

SQL privileges: authorize access to data and operations on database objects

Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view

Package privileges: authorize access in the repository (modeling environment) at design time

Application privileges: authorize access to SAP HANA XS application functions


SAP HANA – communication and data encryption

Communication encryption

– SSL

Data encryption

– Data volumes on disk


SAP HANA – audit logging

Logging of critical events for security and compliance, e.g.

– User, role and privilege changes

– Configuration changes

User-defined policies for audit logging

Data access logging

– Read and write access (tables, views), execution of procedures

Audit trail written to Linux syslog


SAP HANA – security administration

SAP HANA Studio

SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security


Mobile app security: A strong foundation makes mobile successful

Mobile Security

Device: Mobile Device Management

Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container

Content: Mobile Content Management

Communications: Telecom Expense Management

Systems Management: Enterprise Mobility Management System

SAP Mobile Security: On-Premise, Hybrid, Cloud


Share My Files, My Files - Any Device, Mobilize Enterprise Content

Introducing SAP Mobile Documents

Access personal business documents instantly on your laptop or any mobile device

Discover and access content from corporate document management systems

Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents


SAP ID Service – One Login for Cloud Applications

Diagram: SAP ID service (Authentication, Single Sign-On, User Management) in the SAP Cloud, connected to On-Demand applications and the customer's on-premise app.

Managing identities and their lifecycle within the SAP Cloud

Leverage SSO to SAP web sites

One SAP identity: SAP ID service bridges the gap between

• customer's on-premise application

• SAP on-demand applications

• SAP websites

• 3rd party on-demand applications

by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications


Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

Standards shown: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos

Enterprise (OnPremise) and Internet/Cloud (OnDemand)

SAP bridges the gap between these two "camps".


Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud.

SOAP/WS-* is the preferred choice for process integration in the enterprise.

Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.

Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.

The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.


On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between on-premise (OP) and on-demand (OD) instead of point-to-point connections

Diagram: in the Customer On-Premise Network, the User authenticates at the On-Premise IdP (X.509); in the SAP On-Demand Network, the SAP ID service (also accepting a Social IdP) provides SAML-based access to SAP Business ByDesign, SAP HANA Cloud and a 3rd party App.


OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration


Secure Communication and Interaction: OnDemand Solutions

Diagram: Company A and Company B each have backend networks (R/3 systems, application server farm, ERP, DIR) and an Identity Provider; their On-Demand solutions are reached via SAML, and the backends via SAP Logon Tickets.

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Configuration and results of Security Audit Log in ABAP: transactions SM18, SM19, SM20

Results of Log Viewer in Java


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System

Used to ensure secure and compliant operations of business functions

Target Audience: Auditor

Read Access Log

Used to ensure compliant access to sensitive or classified data

Allows tracking of who accessed which data, when, and via which interface

Target Audience: Data Protection Officer

Security Audit Log

Monitoring of security relevant events in the system like logon, access control violations and more

Target Audience: Security Administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram elements:

SAP Environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, BS P&L, account balances, documents); data export (account balances, line items) via export interface

Non-SAP Environment: work paper preparation, report; analysis software (ACL, IDEA, …); reporting software; exported line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits.

It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:

Who accessed the data

Which data was accessed

When the data was accessed

How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs / user interfaces

entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

copy 2013 SAP AG or an SAP affiliate company All rights reserved 39

SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service, or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP Server - Application (Web Dynpro) - Read Access Log]

Read Access Logging Framework: Features

Read Access Logging allows you to log all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
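The who / what / when / how record and the filtering described on the last two slides, as an added Python illustration (not SAP code and not the ABAP framework's configuration objects; the channel names, entity, field names and sample events are constructed): a policy per channel and entity decides which field values are stored, which are masked, and which are left out of the log entirely.

```python
"""Added example: a minimal read-access-log policy modelled on the slide's
who / what / when / how fields.  Not SAP code; all names are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Logging configuration keyed by (channel, entity).  "log" lists fields whose
# values are stored, "mask" lists fields whose access is recorded but whose
# value is replaced; any other field is not logged at all.
POLICY = {
    ("WEB_DYNPRO", "BusinessPartner"): {"log": ["partner_id", "country"], "mask": ["iban", "tax_number"]},
    ("RFC", "BusinessPartner"):        {"log": ["partner_id"],            "mask": ["iban", "tax_number"]},
}

def mask_value(value: str) -> str:
    """Keep only the last two characters so an auditor can correlate records
    without the full value being stored in the log."""
    return "*" * max(len(value) - 2, 0) + value[-2:]

@dataclass
class AccessEvent:
    user: str               # who
    channel: str            # how: user interface or remote API
    operation: str          # how: transaction, Web Dynpro application, RFC function
    entity: str             # what
    fields: Dict[str, str]  # field name -> value presented to the user
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def log_access(event: AccessEvent, policy=POLICY) -> Optional[dict]:
    """Return the record to store, or None if the access is out of scope."""
    rule = policy.get((event.channel, event.entity))
    if rule is None:
        return None
    logged: Dict[str, str] = {}
    for name, value in event.fields.items():
        if name in rule["log"]:
            logged[name] = value
        elif name in rule["mask"]:
            logged[name] = mask_value(value)
        # fields in neither list are deliberately dropped
    if not logged:
        return None
    return {
        "when": event.at.isoformat(timespec="seconds"),
        "who": event.user,
        "how": f"{event.channel}:{event.operation}",
        "what": event.entity,
        "fields": logged,
    }

def who_accessed(records: List[dict], entity: str, field_name: str) -> List[str]:
    """Evaluation: which users saw a given field of an entity."""
    return sorted({r["who"] for r in records if r["what"] == entity and field_name in r["fields"]})

# Constructed sample events (not real data)
SAMPLE_EVENTS = [
    AccessEvent("JDOE", "WEB_DYNPRO", "BP_MAINTAIN", "BusinessPartner",
                {"partner_id": "1000042", "country": "DE",
                 "iban": "DE89370400440532013000", "note": "call back"}),
    AccessEvent("BATCH01", "RFC", "BAPI_BUPA_GET_DETAIL", "BusinessPartner",
                {"partner_id": "1000042", "tax_number": "123456789"}),
    AccessEvent("JDOE", "SAPGUI", "SE16", "BusinessPartner", {"iban": "..."}),  # channel not configured
]

def run(events=SAMPLE_EVENTS) -> List[dict]:
    return [r for r in (log_access(e) for e in events) if r is not None]

if __name__ == "__main__":
    for rec in run():
        print(rec)
```

Running the block prints two records: the SE16 access is not logged because no rule exists for that channel, and the note field is dropped even though the Web Dynpro access itself is recorded.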

SAP Custom Development - User Interface (UI) Logging

[Diagram: SAP GUI for Windows sends requests to, and receives responses from, the dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository. The application logic is untouched; a sample implementation is delivered.]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI, and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
[Screenshot: log record for transaction BP (Business Partner)]

UI Logging: Log Record Example II
[Screenshot: log record for transaction SE16 (Table Viewer)]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism first performs a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging solution
SAP GUI                     | No                               | 7.00 ... 7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00 ... 7.31
Business Warehouse          | No                               | 7.00 ... 7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case, approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library]

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures - Step by Step

1. A transaction triggers a digital signature
2. User information is transferred to the SAP client
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of the Secure Login Library with client actions
  - Hardware support needed

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption - Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser) connect over SNC to the SAP application server; application servers are also connected to each other over SNC]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: four areas - Secure Software Development at SAP, Secure Software Development at customers, Security Services, and Security Management; the following slides walk through each area in turn]

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 - Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use, light-weight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 (each task is available in two flavors, one for ABAP and one for Java application servers):
  - SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs the configuration and describes required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development - Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development - Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning: automate it
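Two of the bug classes listed above, shown as an added example in Python (not ABAP, and not taken from the SAP secure programming guides): the vulnerable and the hardened form of a query built from user input, and of a file read whose name comes from the user. The table, the file layout and the payloads are constructed for the demo.

```python
"""Added example: SQL injection and directory traversal, each in vulnerable
and hardened form.  Python with sqlite3 and the standard library only; the
data and the directory layout are constructed."""
import os
import sqlite3
import tempfile

def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    con.executemany("INSERT INTO customers(name, region) VALUES (?, ?)",
                    [("ACME", "EMEA"), ("Globex", "APJ"), ("Initech", "AMER")])
    return con

# --- SQL injection ----------------------------------------------------------
def customers_vulnerable(con, region: str) -> list:
    # User input concatenated into the statement: the caller can rewrite the
    # WHERE clause (the ABAP analogue is a dynamic WHERE string built from input).
    sql = "SELECT name FROM customers WHERE region = '" + region + "'"
    return [row[0] for row in con.execute(sql)]

def customers_hardened(con, region: str) -> list:
    # Bound parameter: the value can never change the statement's structure.
    return [row[0] for row in con.execute(
        "SELECT name FROM customers WHERE region = ?", (region,))]

# --- Directory traversal ----------------------------------------------------
def read_report_vulnerable(base_dir: str, name: str) -> str:
    # os.path.join happily follows ".." out of base_dir.
    with open(os.path.join(base_dir, name)) as f:
        return f.read()

def read_report_hardened(base_dir: str, name: str) -> str:
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Accept only paths that are still inside base_dir after normalisation.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes report directory: {name!r}")
    with open(target) as f:
        return f.read()

def demo() -> dict:
    con = setup_db()
    payload = "EMEA' OR '1'='1"          # classic tautology injection
    result = {
        "vulnerable_rows": customers_vulnerable(con, payload),
        "hardened_rows": customers_hardened(con, payload),
    }
    with tempfile.TemporaryDirectory() as tmp:
        reports = os.path.join(tmp, "reports")
        os.mkdir(reports)
        with open(os.path.join(reports, "q1.txt"), "w") as f:
            f.write("Q1 figures")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:   # outside reports/
            f.write("not for you")
        result["vulnerable_read"] = read_report_vulnerable(reports, "../secret.txt")
        try:
            read_report_hardened(reports, "../secret.txt")
            result["hardened_blocked"] = False
        except PermissionError:
            result["hardened_blocked"] = True
        result["hardened_ok"] = read_report_hardened(reports, "q1.txt")
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injected payload returns every customer from the concatenated query and nothing from the parameterised one; the traversal payload reads the file outside the report directory in the vulnerable version and is refused in the hardened one, while a legitimate name still works.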

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).
- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners, and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

[Diagram: four approaches - manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application)]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

In the same diagram, the SAP NetWeaver Application Server add-on for code vulnerability analysis is placed under automated source code analysis (SAST). Finding security issues at design time is easier and less expensive.

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs
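What "analyze the data flow and the user input" means in practice, as an added toy implementation in Python. It is not the SAP add-on, ATC or the Code Inspector: it understands only the handful of statement shapes used in the constructed ABAP-like sample (PARAMETERS as the input source, assignments for propagation, a dynamic WHERE clause and GENERATE SUBROUTINE POOL as sinks, and cl_abap_dyn_prg=>quote as a sanitizer), and reports the line path by which user input reaches each sink.

```python
"""Added example: a toy taint (data-flow) check over ABAP-like statements.
Not the SAP add-on, ATC or Code Inspector; the statement grammar is limited
to what the constructed sample below uses."""
import re
from typing import Dict, List

SANITIZERS = ("cl_abap_dyn_prg=>quote(", "cl_abap_dyn_prg=>escape_quotes(")
IDENT = re.compile(r"\b([a-z_][a-z0-9_]*)\b")
ASSIGN = re.compile(r"^\s*([a-z_][a-z0-9_]*)\s*=\s*(.+)\.$")
PARAM = re.compile(r"^\s*parameters:?\s+([a-z_][a-z0-9_]*)")
DYN_WHERE = re.compile(r"\bwhere\s*\(\s*([a-z_][a-z0-9_]*)\s*\)")
GEN_POOL = re.compile(r"^\s*generate\s+subroutine\s+pool\s+([a-z_][a-z0-9_]*)")

def scan(source: str) -> List[dict]:
    """Return one finding per tainted value that reaches a sink."""
    taint: Dict[str, List[int]] = {}      # variable -> line numbers along its taint path
    findings: List[dict] = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith('"') or line.startswith("*"):
            continue                        # blank or comment
        m = PARAM.match(line)
        if m:                               # source: user input
            taint[m.group(1)] = [no]
            continue
        m = ASSIGN.match(line)
        if m:
            target, expr = m.group(1), m.group(2)
            if any(s in expr for s in SANITIZERS):
                taint.pop(target, None)     # sanitized: taint does not propagate
                continue
            used = [v for v in IDENT.findall(expr) if v in taint]
            if used:
                taint[target] = taint[used[0]] + [no]
            else:
                taint.pop(target, None)     # overwritten with a clean value
            continue
        for kind, rx in (("SQL injection (dynamic WHERE)", DYN_WHERE),
                         ("ABAP code injection (GENERATE SUBROUTINE POOL)", GEN_POOL)):
            m = rx.search(line)
            if m and m.group(1) in taint:
                findings.append({"line": no, "kind": kind, "variable": m.group(1),
                                 "path": taint[m.group(1)] + [no]})
    return findings

# Constructed sample, not real customer code.
SAMPLE = """\
PARAMETERS: p_name TYPE string.
DATA: lv_where TYPE string, lv_safe TYPE string, lv_code TYPE string.
lv_where = |NAME1 = '{ p_name }'|.
SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).
lv_safe = cl_abap_dyn_prg=>quote( p_name ).
lv_where = |NAME1 = { lv_safe }|.
SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).
lv_code = |WRITE '{ p_name }'.|.
GENERATE SUBROUTINE POOL lv_code NAME lv_prog.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} via {f['variable']}, path {f['path']}")
```

The first SELECT (line 4) is reported because the WHERE string was built directly from p_name; the second (line 7) is not, because the value passed through the quoting routine; the GENERATE statement (line 9) is reported as code injection with the path 1, 8, 9.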

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  - Please use PGP for email encryption
  - The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- Spotlight news
- Checking the security notes released on the Security Patch Days
- Subscription to the SAP Support Portal newsletter
- Maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration - User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional - Security with SAP NetWeaver 7.0
- The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security, and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
- Booking code: P_ADM_SEC_70

Topic                                   | Course ID
Authorizations AS ABAP                  | ADM940
Authorizations AS Java / Portal         | ADM200, EP200, ADM800
Authorizations BW                       | BW365
SAP NetWeaver Identity Management       | ADM920
Security Auditing                       | ADM950
Technical Security (RFC, SSL, SNC, ...) | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 - SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 - Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-On, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner)
- Endorsed Business Solution (EBS) with the CA SiteMinder product: policy-based authentication and authorization to web applications, XACML-based and policy-enforced access

Identity Federation
- Web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on

Secure Login
- Single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder: Web Access Management

Endorsed Business Solution with CA - CA SiteMinder
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after the primary authentication of the user (jack_jones), the E-SSO agent on the client fills in the credentials for a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; the E-SSO monitor and a local management console manage the agent]

Secure Login - Solution Architecture

[Diagram: on the client system, the SAP front end (NWBC, SAP GUI) uses the Secure Login Client, and the web browser uses the Secure Login Web Client (SLWC, an applet) with the browser key store; both use the SAP or Java crypto library. The Secure Login Server runs on NetWeaver CE 7.2 (Java stack) with its configuration data, the PSE service, and an authentication server (e.g. SAP user management). SAP backend systems (ABAP stack) carry the Secure Login Library. Protocols: DIAG over SNC between SAP GUI and backend, HTTP(S) between browser and backend or server]

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure.
[Diagram: Company A (Datacenter A with ERP, CRM, SCM) and Company B (Datacenter B with ERP, CRM, SCM), with the cloud between them]

Identity Federation - Solution

[Diagram: each company's datacenter has its own Identity Provider; the ERP, CRM and SCM systems act as Service Providers (SP); the two Identity Providers are linked by identity federation]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On

[Diagram: an SAP NetWeaver Java Identity Provider holding the user account; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with a local user account; log on / log off with a SAML token]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
- Web browser-based single sign-on is user-centric
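The redirect, authenticate, assert and validate exchange described on this slide, as an added Python simulation. It is not SAP code and not SAML: the assertion is JSON signed with HMAC over a key shared between IdP and SP (standing in for the IdP's X.509 signature over the XML assertion), messages are passed as return values instead of browser redirects, and the entity IDs, accounts and URLs are invented. The Service Provider checks the same things a SAML SP must check: signature, issuer, audience, destination, validity window, and that the response answers an outstanding request.

```python
"""Added example: browser-based SSO between one IdP and two SPs, reduced to
plain Python.  Not SAP code and not a SAML implementation: HMAC over JSON
stands in for the XML signature, and return values stand in for redirects."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

class IdentityProvider:
    def __init__(self, entity_id: str, signing_key: bytes, accounts: Dict[str, str]):
        self.entity_id = entity_id
        self.key = signing_key
        self.accounts = accounts            # user -> password (demo store only)
        self.sessions: Dict[str, str] = {}  # IdP session cookie -> user

    def sso(self, authn_request: dict, cookie: Optional[str], credentials=None):
        """Handle an authentication request; returns (cookie, response or None)."""
        user = self.sessions.get(cookie) if cookie else None
        if user is None:                    # no IdP session yet: authenticate
            if credentials is None or self.accounts.get(credentials[0]) != credentials[1]:
                return cookie, None
            user = credentials[0]
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = user
        now = int(time.time())
        assertion = {
            "issuer": self.entity_id,
            "subject": user,                              # NameID
            "audience": authn_request["issuer"],          # the requesting SP
            "in_response_to": authn_request["id"],
            "not_before": now - 60,
            "not_on_or_after": now + 300,
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return cookie, {"assertion": payload, "signature": sig,
                        "destination": authn_request["acs_url"]}

class ServiceProvider:
    def __init__(self, entity_id: str, acs_url: str, idp_entity_id: str,
                 idp_key: bytes, local_users: Dict[str, str]):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key
        self.local_users = local_users      # NameID -> local account
        self.pending: Dict[str, float] = {} # outstanding request IDs

    def authn_request(self) -> dict:
        rid = "_" + secrets.token_hex(8)
        self.pending[rid] = time.time()
        return {"id": rid, "issuer": self.entity_id, "acs_url": self.acs_url}

    def consume(self, response: dict) -> Optional[str]:
        """Validate the assertion; return the local account or None."""
        expected = hmac.new(self.idp_key, response["assertion"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["signature"]):
            return None                     # forged or tampered
        a = json.loads(response["assertion"])
        now = time.time()
        if (a["issuer"] != self.idp_entity_id or a["audience"] != self.entity_id
                or response["destination"] != self.acs_url
                or not (a["not_before"] <= now < a["not_on_or_after"])
                or self.pending.pop(a["in_response_to"], None) is None):  # unknown or replayed
            return None
        return self.local_users.get(a["subject"])

def demo() -> dict:
    key = secrets.token_bytes(32)           # stands in for the IdP's signing certificate
    idp = IdentityProvider("https://idp.example/saml", key, {"jdoe": "s3cret"})
    erp = ServiceProvider("https://erp.example/sp", "https://erp.example/acs", idp.entity_id, key, {"jdoe": "JDOE"})
    crm = ServiceProvider("https://crm.example/sp", "https://crm.example/acs", idp.entity_id, key, {"jdoe": "DOEJ"})
    out = {}
    cookie, resp = idp.sso(erp.authn_request(), None)              # no session, no password
    out["anonymous_rejected"] = resp is None
    cookie, resp = idp.sso(erp.authn_request(), None, ("jdoe", "s3cret"))
    out["erp_user"] = erp.consume(resp)
    out["replay_rejected"] = erp.consume(resp) is None             # same response presented twice
    cookie2, resp2 = idp.sso(crm.authn_request(), cookie)          # IdP session reused, no password
    out["crm_user"], out["no_reauth"] = crm.consume(resp2), cookie2 == cookie
    out["cross_sp_rejected"] = erp.consume(resp2) is None          # minted for CRM, presented to ERP
    return out
```

demo() shows the no-re-authentication property (the IdP session obtained while logging on to ERP is reused for CRM without a password), and that a replayed response and a response minted for another SP are both refused.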

SAP NetWeaver Identity Management
Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (Hands-On, 2 hr)
Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-On, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a central identity store, integrated with SAP Access Control (GRC) and the SAP Business Suite; trigger example: on-boarding]
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram]
- Identity Center: IC database (MS SQL Server or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and the identity store (IdS); a dispatcher starts the Java and VB runtimes; DSE (VB); event agent. The runtimes connect to external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific connectors)
- Virtual Directory Server (VDS): runs in a Java VM, exposes LDAP, and connects to AS Java
- AS Java: Web Dynpro user interface (ID management UI abstraction), accessed via HTTPS
- Management: MMC-based Management Console (soon to be Eclipse-based); JMX monitoring

Compliant Identity Management with SAP GRC Access Control
Session SIS205 - Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram, built up over several slides: the user submits a request to SAP NetWeaver Identity Management; approvers and the compliance team act via SAP GRC Access Control]

1. Request for: role, privileges, user account, ...
2. Request sent for approval to: manager, delegate, role owner, application owner, ...
3. Approval granted from: manager, delegate, role owner, application owner, ...
4. Request sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, ...
6. Provision to business applications, non-SAP systems, ... and send approval mail to the user

Result: compliant identity management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape
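The six steps on the preceding slides as an added Python state machine (not SAP NetWeaver Identity Management or GRC Access Control code): an SoD rule set of conflicting role pairs stands in for the GRC risk analysis, and the compliance team's options (reject, mitigate with a control, modify the request and re-analyse) are the transitions. Role names, rule IDs and target systems are constructed.

```python
"""Added example: request -> approval -> risk analysis -> remediation ->
provisioning as a small state machine.  Not SAP NetWeaver IdM / GRC code;
roles, rule IDs and systems are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# SoD risk rules: two roles that must not be held by the same user.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"),   # enter and pay invoices
    "B002": ("VENDOR_MAINTAIN", "AP_PAYMENT_RUN"),    # create a vendor and pay it
}

@dataclass
class Request:
    user: str
    roles: List[str]                     # roles requested
    systems: List[str]                   # where to provision
    state: str = "REQUESTED"             # step 1
    approver: Optional[str] = None
    risks: List[str] = field(default_factory=list)
    mitigations: Dict[str, str] = field(default_factory=dict)   # risk id -> control
    history: List[str] = field(default_factory=list)

def approve(req: Request, approver: str, decision: bool) -> Request:
    """Steps 2 and 3: the request is routed to an approver and decided."""
    assert req.state == "REQUESTED"
    req.approver = approver
    req.state = "APPROVED" if decision else "REJECTED"
    req.history.append(f"{approver}: {'approved' if decision else 'rejected'}")
    return req

def risk_analysis(req: Request, current_roles: Set[str]) -> Request:
    """Step 4: evaluate existing plus requested roles against the SoD rules."""
    assert req.state == "APPROVED"
    combined = current_roles | set(req.roles)
    req.risks = [rid for rid, (a, b) in SOD_RULES.items() if a in combined and b in combined]
    req.state = "RISK_FOUND" if req.risks else "CLEAN"
    return req

def remediate(req: Request, action: str, mitigations: Optional[Dict[str, str]] = None,
              drop_roles: Optional[List[str]] = None) -> Request:
    """Step 5: the compliance team rejects, mitigates, or modifies the request."""
    assert req.state == "RISK_FOUND"
    if action == "reject":
        req.state = "REJECTED"
    elif action == "mitigate":
        missing = [r for r in req.risks if r not in (mitigations or {})]
        if missing:
            raise ValueError(f"no mitigating control for {missing}")
        req.mitigations = dict(mitigations or {})
        req.state = "CLEAN"
    elif action == "modify":
        req.roles = [r for r in req.roles if r not in (drop_roles or [])]
        req.state = "APPROVED"           # a modified request must be re-analysed
    else:
        raise ValueError(action)
    req.history.append(f"compliance: {action}")
    return req

def provision(req: Request) -> List[str]:
    """Step 6: assign the roles per target system; returns the actions taken."""
    assert req.state == "CLEAN"
    actions = [f"{target}: assign {role} to {req.user}" for target in req.systems for role in req.roles]
    req.state = "PROVISIONED"
    req.history.append(f"mail to {req.user}: request provisioned")
    return actions

def demo() -> dict:
    out = {}
    # Case 1: no conflict, straight through.
    r1 = approve(Request("jdoe", ["AP_INVOICE_ENTRY"], ["ERP", "CRM"]), "mgr1", True)
    risk_analysis(r1, set())
    out["clean_actions"] = provision(r1)
    # Case 2: the requested role conflicts with an existing one; mitigated by a control.
    r2 = approve(Request("jdoe", ["AP_PAYMENT_RUN"], ["ERP"]), "mgr1", True)
    risk_analysis(r2, {"AP_INVOICE_ENTRY"})
    out["risks"] = list(r2.risks)
    remediate(r2, "mitigate", {"P001": "CTRL-17 monthly payment review"})
    out["mitigated_actions"] = provision(r2)
    # Case 3: conflict removed by modifying the request, then re-analysed.
    r3 = approve(Request("asmith", ["VENDOR_MAINTAIN", "AP_PAYMENT_RUN"], ["ERP"]), "mgr2", True)
    risk_analysis(r3, set())
    remediate(r3, "modify", drop_roles=["AP_PAYMENT_RUN"])
    risk_analysis(r3, set())
    out["modified_actions"] = provision(r3)
    return out
```

The point of the assertions on req.state is that provisioning is unreachable without a clean risk analysis, and a request the compliance team modified has to go back through the analysis before it can be provisioned.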

SAP GRC Access Control 10.0 - Architecture

[Diagram]
- SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02: Access Control, Process Control and Risk Management (software component GRCFND_A); Content Lifecycle Management (CLM)
- Managed systems: SAP ERP (4.6C to 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications via an adapter (optional)
- Optional: SAP NetWeaver Portal 7.02 with GRC portal content (HTTP); SAP NetWeaver BW 7.02 with GRC BI content (RFC); SAP NetWeaver Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP) via web services
- Front-end client: SAP GUI 7.10 (DIAG), web browser (HTTP), Adobe Flash Player, SAP CR adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Diagram: an HR application event (new hire, change of position) triggers identity management to calculate entitlements based on position; the line manager approves the assignments (no: the process stops; yes: continue); SAP GRC Access Control runs the compliance check and remediation; users are then created and roles/privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure
UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram; elements recovered from the figure:]

Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP-NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; logs of network IDS; alerts from SAP SolMan

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation

Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
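The connectivity / extraction / filtering / normalization / aggregation stages sketched in the architecture draft above, as an added Python example that is not SAP code and not the planned infrastructure itself. The two log line formats (an AS ABAP security-audit-style line and a syslog-style database line), the event vocabulary, the hosts and users, and the attack pattern "three authentication failures followed by a success within 60 seconds" are all constructed for this example; the syslog lines carry no year, so 2013 is assumed when parsing them.

```python
"""Added example (not SAP code): a small aggregation/normalization/filtering
pipeline over constructed log lines from two heterogeneous sources, with one
constructed attack pattern evaluated on the normalized records."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line formats: an AS ABAP audit-style line and a syslog-style
# database line. Field names are invented for this example.
ABAP_RE = re.compile(
    r"(?P<ts>\d{8} \d{6}) (?P<sys>\w+) (?P<event>\w+) user=(?P<user>\S+) "
    r"term=(?P<host>\S+)")
DB_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) hdb\[\d+\]: "
    r"(?P<event>\w+) user=(?P<user>\S+)")

SAMPLE_LOGS = [  # constructed sample input
    ("abap", "20131105 091501 PRD LOGON_FAILED user=SMITHJ term=WS-17"),
    ("abap", "20131105 091507 PRD LOGON_FAILED user=SMITHJ term=WS-17"),
    ("abap", "20131105 091512 PRD LOGON_FAILED user=SMITHJ term=WS-17"),
    ("abap", "20131105 091520 PRD LOGON_OK user=SMITHJ term=WS-17"),
    ("db",   "Nov  5 09:16:02 hdb01 hdb[4711]: CONNECT_FAILED user=SYSTEM"),
    ("db",   "Nov  5 09:16:05 hdb01 hdb[4711]: CONNECT_OK user=SYSTEM"),
    ("abap", "20131105 091530 PRD TX_START user=SCOTTE term=WS-22"),
]

# Normalization: map source-specific event names onto one vocabulary.
# Events not in the map are dropped by the filtering step.
EVENT_MAP = {"LOGON_FAILED": "auth_fail", "CONNECT_FAILED": "auth_fail",
             "LOGON_OK": "auth_ok", "CONNECT_OK": "auth_ok"}


def normalize(source, line):
    """Extraction + normalization + filtering: a common record, or None."""
    if source == "abap":
        m = ABAP_RE.match(line)
        ts = m and datetime.strptime(m["ts"], "%Y%m%d %H%M%S")
    else:
        m = DB_RE.match(line)
        # syslog has no year; 2013 is assumed for this example
        ts = m and datetime.strptime("2013 " + m["ts"], "%Y %b %d %H:%M:%S")
    if not m or m["event"] not in EVENT_MAP:
        return None
    return {"ts": ts, "src": source, "host": m["host"],
            "user": m["user"], "event": EVENT_MAP[m["event"]]}


# Constructed attack pattern, of the kind the draft shows SAP pushing as an
# update: >= 3 auth failures for one user within 60 s, then a success.
PATTERN = {"name": "auth_fail_burst_then_success", "fails": 3, "window_s": 60}


def detect(records, pattern=PATTERN):
    """Aggregation over normalized records; returns one alert per hit."""
    alerts, history = [], defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["src"], r["user"])
        if r["event"] == "auth_fail":
            history[key].append(r["ts"])
        elif r["event"] == "auth_ok":
            recent = [t for t in history[key]
                      if (r["ts"] - t).total_seconds() <= pattern["window_s"]]
            if len(recent) >= pattern["fails"]:
                alerts.append({"pattern": pattern["name"], "user": r["user"],
                               "src": r["src"], "host": r["host"],
                               "fails": len(recent), "at": r["ts"]})
            history[key].clear()
    return alerts


def run_pipeline(logs=SAMPLE_LOGS):
    """Connectivity -> extraction/normalization/filtering -> aggregation."""
    records = []
    for src, line in logs:
        rec = normalize(src, line)
        if rec:
            records.append(rec)
    return detect(records)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

The point of the normalization step is that the detection logic never sees the source format: the same pattern fires on an ABAP logon burst or a database connect burst, and adding a third source (a network IDS, an infrastructure log) means adding one parser and one entry per event name in the map, not a new rule.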

Summary – Key Take-Aways

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.

Significant investments into security for networked solutions, identity management, SSO, and an integrated security management offering will allow customers to implement secure business processes.

The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.

SAP leads the industry by helping our customers to thrive in today's business networks.


Further Information

SAP Public Web
– SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
– SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
– SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
– SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
– SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
– SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complimentary with your SAP TechEd registration
– httpsaptechedhandsonsapcom

SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more
– View content only available online
– http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 15: SIS100 - Overview About Product Security, IDM and SSO

HR Organizational Management – Role Assignment

[Diagram; objects and relationships recovered from the figure:]

Org units (O): Finance, HR, Market GER

Positions (S): 70008501, 70008502 (org unit to positions: 1:n)

Employees (P): John Smith, Eva Scott (position to employee: 1:1)

SAP users (US): SMITHJ, SCOTTE (employee to user: 1:1, via Infotype 105)

Roles (AG): GEN_FIN, HR_ADM

User SMITHJ inherits roles GEN_FIN and HR_ADM
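The two flows above, the HR-event-triggered compliant identity management scenario (new hire or position change, entitlements calculated from the position, compliance check with remediation, line-manager approval, provisioning into the landscape) and the org-management structure in which a user inherits the roles hanging on the employee's position, as one added Python example. It is not SAP NetWeaver Identity Management or GRC Access Control code. Org units, positions 70008501 and 70008502, the employees, the users SMITHJ/SCOTTE and the roles GEN_FIN/HR_ADM follow the slides; position 70008503, the roles VENDOR_MAINT and PAYMENT_RUN, the segregation-of-duties rule, the remediation strategy and the HR event format are constructed for the example.

```python
"""Added example (not SAP IdM/GRC code): HR-event-driven role assignment with
a compliance check, modelled on the org-management structure above.
Position 70008503, the roles VENDOR_MAINT and PAYMENT_RUN, the SoD rule and
the event format are constructed here."""
from dataclasses import dataclass


@dataclass
class Position:            # HR object type S
    pos_id: str
    org_unit: str          # HR object type O
    roles: frozenset       # AG roles attached to the position


@dataclass
class Employee:            # HR object type P
    pernr: str
    name: str
    position: str          # 1:1 to a position
    sap_user: str          # Infotype 105 link to the US object


POSITIONS = {
    "70008501": Position("70008501", "Finance", frozenset({"GEN_FIN", "HR_ADM"})),
    "70008502": Position("70008502", "HR", frozenset({"HR_ADM"})),
    # constructed: a position whose roles conflict with each other
    "70008503": Position("70008503", "Market GER",
                         frozenset({"GEN_FIN", "VENDOR_MAINT", "PAYMENT_RUN"})),
}
EMPLOYEES = {
    "P0001": Employee("P0001", "John Smith", "70008501", "SMITHJ"),
    "P0002": Employee("P0002", "Eva Scott", "70008502", "SCOTTE"),
}
# constructed segregation-of-duties rule: a user may not hold a role from
# set A together with a role from set B
SOD_RULES = [(frozenset({"VENDOR_MAINT"}), frozenset({"PAYMENT_RUN"}))]


def entitlements_for(pernr):
    """'Calculate entitlements based on position': the user inherits the
    roles attached to the position the employee holds."""
    return set(POSITIONS[EMPLOYEES[pernr].position].roles)


def sod_violations(roles):
    """Compliance check: the SoD rules that the role set violates."""
    return [(a, b) for a, b in SOD_RULES if roles & a and roles & b]


def remediate(roles, violations):
    """Remediation strategy used here: drop side B of every violated rule,
    so the user keeps the primary business role and loses the conflicting one."""
    for _, b in violations:
        roles = roles - b
    return roles


def process_hr_event(event, manager_approves):
    """One HR event through the flow: entitlements -> compliance check ->
    remediation -> line-manager approval -> provisioning actions.
    event: {"type": "NEW_HIRE" | "CHANGE_POSITION", "pernr": ..., "position": ...}
    Returns the actions that would be sent to the target systems."""
    emp = EMPLOYEES[event["pernr"]]
    if event["type"] == "CHANGE_POSITION":
        emp.position = event["position"]
    roles = entitlements_for(emp.pernr)
    violations = sod_violations(roles)
    roles = remediate(roles, violations)
    if not manager_approves:
        return {"user": emp.sap_user, "status": "REJECTED", "actions": []}
    actions = ["CREATE_USER " + emp.sap_user] if event["type"] == "NEW_HIRE" else []
    actions += ["ASSIGN_ROLE %s %s" % (emp.sap_user, r) for r in sorted(roles)]
    return {"user": emp.sap_user, "status": "PROVISIONED",
            "remediated": violations, "actions": actions}


if __name__ == "__main__":
    print(process_hr_event({"type": "NEW_HIRE", "pernr": "P0001"}, True))
    print(process_hr_event({"type": "CHANGE_POSITION", "pernr": "P0002",
                            "position": "70008503"}, True))
```

Two things the slides state but do not show are visible here: the compliance check runs on the calculated entitlement set before anyone approves it, so the manager only ever sees a remediated request, and a position change re-derives the whole role set rather than adding to it, which is what keeps inherited roles from accumulating across moves.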

SAP NetWeaver Security Solutions: SAP HANA Security

SAP HANA – Overview of Security Functions

[Diagram; elements recovered from the figure:]

Security functions: authentication/SSO, authorization, encryption, audit logging, identity store

Access paths: SAP HANA XS via HTTP(S) from a client; SQL and MDX from an application server or client; SQL from SAP HANA Studio (administration); XS application

SAP HANA – Authentication and Single Sign-On

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – User and Role Management

For logon, users must exist in the identity store of the SAP HANA database

Roles (and privileges) can be assigned to users

Roles are used to bundle and structure privileges
– Create roles for specific groups of users; role hierarchies supported

Role lifecycle: design-time roles, export to production system, activate, runtime

SAP HANA – Authorization: Privilege Types

System privileges: authorize execution of administrative actions for the entire SAP HANA database

SQL privileges: authorize access to data and operations on database objects

Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view

Package privileges: authorize access in the repository (modeling environment) at design time

Application privileges: authorize access to SAP HANA XS application functions
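The five privilege types above, together with the role hierarchies from the user and role management slide, as an added Python model that is not SAP HANA code and not its SQL syntax. It shows what the page describes in words: roles bundle privileges and can contain other roles, run-time checks work on the flattened set, and an analytic privilege is not a yes/no decision on a view but a row filter on one of its dimensions. The roles, users, schema, view, package and application names, the dimension restriction and the sample rows are all constructed for the example.

```python
"""Added example (not SAP HANA code): the five SAP HANA privilege types
modelled with role hierarchies and run-time row-level filtering for
analytic privileges. All names and rows are constructed."""

SYSTEM, SQL, ANALYTIC, PACKAGE, APPLICATION = (
    "SYSTEM", "SQL", "ANALYTIC", "PACKAGE", "APPLICATION")

# Privilege records: (type, action, object). For ANALYTIC the "action" slot
# carries the view name and the object is a dimension restriction
# (column, allowed values).
ROLES = {
    # role -> (privileges granted directly, roles granted to this role)
    "SALES_READER": ({(SQL, "SELECT", "SALES.ORDERS"),
                      (ANALYTIC, "SALES_AV", ("COUNTRY", frozenset({"DE", "AT"})))},
                     set()),
    "SALES_MODELER": ({(PACKAGE, "REPO.READ", "sales.models")}, {"SALES_READER"}),
    "XS_SALES_APP": ({(APPLICATION, "EXECUTE", "sales.app::Report")}, set()),
    "DB_ADMIN": ({(SYSTEM, "USER ADMIN", "*")}, set()),
}
USERS = {                      # identity store: user -> roles assigned
    "MILLERA": {"SALES_MODELER", "XS_SALES_APP"},
    "ADMIN01": {"DB_ADMIN"},
}

# Constructed rows of the analytic view SALES_AV
SALES_AV_ROWS = [
    {"ORDER": 1, "COUNTRY": "DE", "AMOUNT": 100},
    {"ORDER": 2, "COUNTRY": "US", "AMOUNT": 250},
    {"ORDER": 3, "COUNTRY": "AT", "AMOUNT": 80},
]


def effective_privileges(user):
    """Flatten the user's roles through the hierarchy (cycle-safe); this is
    the privilege set that run-time authorization checks against."""
    privs, seen, todo = set(), set(), list(USERS.get(user, ()))
    while todo:
        role = todo.pop()
        if role in seen or role not in ROLES:
            continue
        seen.add(role)
        granted, subroles = ROLES[role]
        privs |= granted
        todo.extend(subroles)
    return privs


def is_authorized(user, ptype, action, obj):
    """SYSTEM, SQL, PACKAGE and APPLICATION privileges: exact object match,
    or a privilege granted for the whole database ('*')."""
    return any(p[0] == ptype and p[1] == action and p[2] in (obj, "*")
               for p in effective_privileges(user))


def filter_view_rows(user, view, rows):
    """ANALYTIC privileges: row-level access control. Without an analytic
    privilege on the view the user sees no rows; with one, only the rows
    whose restricted dimension carries an allowed value."""
    restrictions = [p[2] for p in effective_privileges(user)
                    if p[0] == ANALYTIC and p[1] == view]
    if not restrictions:
        return []
    return [r for r in rows
            if all(r.get(col) in allowed for col, allowed in restrictions)]


if __name__ == "__main__":
    print(is_authorized("MILLERA", SQL, "SELECT", "SALES.ORDERS"))
    print(filter_view_rows("MILLERA", "SALES_AV", SALES_AV_ROWS))
```

Note the asymmetry that the slide's wording hides: the SQL privilege on the underlying table and the analytic privilege on the view are independent grants, so a user can hold one without the other, and the administrator role here has no data access at all even though it can manage users.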

SAP HANA – Communication and Data Encryption

Communication encryption
– SSL

Data encryption
– Data volumes on disk

SAP HANA – Audit Logging

Logging of critical events for security and compliance, e.g.
– User, role and privilege changes
– Configuration changes

User-defined policies for audit logging

Data access logging
– Read and write access (tables, views), execution of procedures

Audit trail written to Linux syslog

SAP HANA – Security Administration

SAP HANA Studio (administration, via SQL)

SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

[Layer diagram recovered from the figure:]
– Device: Mobile Device Management
– Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
– Content: Mobile Content Management
– Communications: Telecom Expense Management
– Systems Management: Enterprise Mobility Management System

SAP Mobile Security: On-Premise, Hybrid, Cloud

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

Access personal business documents instantly on your laptop or any mobile device

Discover and access content from corporate document management systems

Share files with teams, colleagues, and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security, and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram recovered from the figure: the SAP ID service in the SAP Cloud provides authentication, single sign-on and user management; on-premise app shown as a connected party]

Managing identities and their lifecycle within the SAP Cloud

Leverage SSO to SAP web sites and On-Demand applications

One SAP identity: the SAP ID service bridges the gap between
• customer's on-premise application
• SAP on-demand applications
• SAP websites
• 3rd party on-demand applications
by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

Standards shown: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos

The two camps: Enterprise (OnPremise) and Internet/Cloud (OnDemand)

SAP bridges the gap between these two "camps"

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud

SOAP/WS-* is the preferred choice for process integration in the enterprise

Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*

Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls

The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP – OD instead of point-to-point connections

[Diagram recovered from the figure: customer on-premise network with user, on-premise IdP and X.509; SAP on-demand network with SAP Business ByDesign, SAP HANA Cloud, SAP ID service, social IdP and 3rd party app; SAML connections between the parties]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication, and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

[Diagram recovered from the figure: backend networks of Company A and Company B (R/3 and ERP application server farms, directory) each with their own identity provider; on-demand solutions for Company A and Company B and an on-demand identity provider; trust relationships via SAML and SAP logon tickets]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshots recovered from the figure: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
– Used to ensure secure and compliant operations of business functions
– Target audience: auditor

Read Access Log
– Used to ensure compliant access to sensitive or classified data
– Allows tracking of who accessed which data, when, and via which interface
– Target audience: data protection officer

Security Audit Log
– Monitoring of security-relevant events in the system, like logon, access control violations, and more
– Target audience: security administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram recovered from the figure:]

SAP environment
– Audit planning; work program (system audit, business audit)
– Online controls on the SAP database: system information, reconciliation, BS, P&L, account balances, documents
– Data export: account balances, line items
– Export interface

Non-SAP environment
– Work paper preparation, report
– Analysis software (ACL, IDEA, …)
– Reporting software
– Line items, balances: accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits.

It consists of a number of single roles and is a collection, structure, and default setup … of SAP standard programs.

The AIS is the toolbox for the AUDITOR in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
– Who accessed the data
– Which data was accessed
– When the data was accessed
– How the data access took place, via which transaction or user interface

The amount of detail to be logged is customizable based on:
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram recovered from the figure: ABAP server with an application (Web Dynpro) writing to the read access log]

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also the data logged, thus keeping private data out of the logs.
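The read access log described in the three slides above (who, which data, when, via which channel; detail configurable per user interface and entity; filters that keep private data out of the log), as an added Python example that is not the SAP Read Access Logging framework. The logging configuration, the entity BUSINESS_PARTNER and its fields, the channel names, the users and the record values are constructed for the example; the point it adds is that the filter rules are applied when the entry is written, so what never reaches the log cannot leak from it.

```python
"""Added example (not the SAP RAL framework): a read access log that records
who accessed which classified data, when and via which channel, with filter
rules that decide how much of each value may be written. Configuration,
entity, channels and records are constructed."""
from datetime import datetime, timezone

# Constructed logging configuration: which fields of which entity are
# classified, and how much of each value may be logged.
#   "full"    -> log the value (non-sensitive identifier)
#   "mask"    -> log only the last four characters
#   "exclude" -> log that the field was read, never its value
CONFIG = {
    "BUSINESS_PARTNER": {"PARTNER_ID": "full", "CREDIT_CARD": "mask",
                         "IBAN": "mask", "SALARY": "exclude"},
}
CHANNELS = {"SAPGUI", "WEBDYNPRO", "RFC", "WEBSERVICE"}   # constructed names


def apply_filter(rule, value):
    """Reduce a value to what the configured rule allows in the log."""
    if rule == "full":
        return str(value)
    if rule == "mask":
        s = str(value)
        return "*" * max(len(s) - 4, 0) + s[-4:]
    return None                      # "exclude"


class ReadAccessLog:
    def __init__(self):
        self.entries = []

    def record(self, user, channel, entity, key, fields, when=None):
        """Log one read. Only classified fields appear in the entry;
        unclassified fields are dropped entirely, so the log grows with the
        configured scope, not with the application's data model."""
        if channel not in CHANNELS:
            raise ValueError("unknown channel %r" % channel)
        rules = CONFIG.get(entity, {})
        logged = {f: apply_filter(rules[f], v)
                  for f, v in fields.items() if f in rules}
        if not logged:
            return None              # nothing classified was read
        entry = {"ts": when or datetime.now(timezone.utc), "user": user,
                 "channel": channel, "entity": entity, "key": key,
                 "fields": logged}
        self.entries.append(entry)
        return entry

    def who_accessed(self, entity, field):
        """Evaluation: which users read a classified field, via which channel."""
        return sorted({(e["user"], e["channel"]) for e in self.entries
                       if e["entity"] == entity and field in e["fields"]})

    def accesses_by(self, user):
        """Evaluation: every (entity, key) a user read classified data from."""
        return sorted({(e["entity"], e["key"]) for e in self.entries
                       if e["user"] == user})


if __name__ == "__main__":
    log = ReadAccessLog()
    log.record("SMITHJ", "SAPGUI", "BUSINESS_PARTNER", "BP0001",
               {"PARTNER_ID": "BP0001", "CREDIT_CARD": "4111222233334444",
                "SALARY": 85000, "NAME": "Eva Scott"})
    print(log.entries[0]["fields"])
    print(log.who_accessed("BUSINESS_PARTNER", "CREDIT_CARD"))
```

The "exclude" rule is the one the legal-regulations slide later in the deck motivates: the log still answers "who looked at salaries, when and from where" for the data protection officer, without itself becoming a second copy of the salary data.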

SAP Custom Development – User Interface (UI) Logging

[Diagram recovered from the figure: SAP GUI for Windows exchanges request/response with the dynpro processor in the SAP backend system; the observed data traffic is passed by an asynchronous call of the log service to a temporary log and then to permanent log storage in the repository; application logic and a delivered sample implementation]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI, and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging Log Record Example I

[Screenshot: Transaction BP (Business Partner) log record]

UI Logging Log Record Example II

[Screenshot: Transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).

LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider.

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                       Supported by Read Access Logging   UI Logging Solution
SAP GUI                       No                                 7.00…7.31
Web Dynpro ABAP               7.40 SP02                          On request
CRM Web Client UI             No                                 7.00…7.31
Business Warehouse            No                                 7.00…7.31, BW 7.0
Web Services                  7.40                               On request
SAP RFC                       7.40 SP02                          On request
Business Server Pages (BSP)   No                                 On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose and even then only for a limited amount of time.

In addition, a detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram recovered from the figure: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library]

Digital signatures for legally binding contracts

Integration with Secure Store and Forward (SSF) API

Out-of-the-box support for a set of SAP transactions

Consistent with SAP Single Sign-On mechanisms

Easy and flexible to implement

Generation of X.509 certificates and smart card support

PCI-DSS-compliant encryption

Digital Signatures – Step by Step

[Steps recovered from the figure, between the SAP client and the application:]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions

Programming/integration necessary in case of
– ABAP programming for other transactions not yet supporting SSF
– Integration of Secure Login Library with client actions
– Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license

Encryption between SAP client and application server

Based on SNC and Kerberos

No hybrid encryption available, compared to SAP NetWeaver Single Sign-On

No single sign-on included

[Diagram recovered from the figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect to SAP application servers via SNC; SNC also shown between the SAP application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Overview diagram recovered from the figure: secure software development at SAP; secure software development by customers; security services; security management]

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE; quality gates at Planning to Development, Development to Production, and Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems (overview diagram repeated: secure software development at SAP and by customers, security services, security management)

SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press

Protecting Your SAP Systems (overview diagram repeated: secure software development at SAP and by customers, security services, security management)

SAP Security Management for Your Systems

Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
– Network filtering
– SAP GUI for Windows
– Limit Web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

Patch Management and Security Monitoring

Check security of your systems as onsite, remote, or self service via SAP Solution Manager

Verify release information and configuration parameters against targets for all systems connected to Solution Manager

Evaluate SAP security notes every patch day

Most important notes which can be automatically applied are checked and the result is presented

Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674

Protecting Your SAP Systems (overview diagram repeated: secure software development at SAP and by customers, security services, security management)

Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources
– SAP security recommendations
– SAP security guides

How to verify
– Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources
– SAP Secure Programming Guides
– SAP Security Recommendations

How to verify
– Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494)

ABAP Test Cockpit (ATC)
– Central place for all check tools, exemption handling, result storage

Code Inspector (SCI)
– Open framework for customers, partners, and SAP to develop code-related checks

Extended Program Check (SLIN)
– Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis
– Code checks for security vulnerabilities. Main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
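The kind of check the two slides above describe, a scan that follows user input through the data flow to the places where it becomes SQL, a file path or executed code, as an added Python example. It is not SAP's code vulnerability analysis add-on, nor ABAP: it uses Python's own `ast` module on Python source so that it runs stand-alone, and it illustrates the idea (taint tracking from sources to sinks with sanitizers in between, intra-procedural, over simple assignments and string building) rather than the add-on's actual rules. The source, sink and sanitizer names, and the scanned sample program, are constructed for the example.

```python
"""Added example (not SAP's code vulnerability analysis add-on): a small
intra-procedural taint-flow check over Python source using the standard
library's ast module. Sources, sinks, sanitizers and the sample program are
constructed for this example."""
import ast

SOURCES = {"input", "request.args.get", "request.form.get"}   # user input
SINKS = {"cursor.execute": "SQL injection", "os.system": "OS command injection",
         "open": "directory traversal", "eval": "code injection"}
SANITIZERS = {"int", "escape", "secure_filename"}             # constructed


def dotted(node):
    """'a.b.c' for Name/Attribute chains, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return "%s.%s" % (base, node.attr) if base else None
    return None


class TaintScanner(ast.NodeVisitor):
    def __init__(self):
        self.tainted, self.findings = set(), []

    def is_tainted(self, node):
        """A value is tainted if it reads a source or a tainted name, unless
        it is wrapped in a sanitizer call; string building propagates taint."""
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITIZERS:
                return False
            if name in SOURCES:
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        # assignment moves taint to the target, or clears it on a clean value
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name, SINKS[name]))
        self.generic_visit(node)


def scan(source_code):
    """Return [(line, sink, issue)] for every sink reached by tainted data."""
    scanner = TaintScanner()
    scanner.visit(ast.parse(source_code))
    return scanner.findings


# Constructed sample program: two unsafe flows and three safe ones.
SAMPLE = '''
import os
uid = request.args.get("id")
safe_uid = int(uid)
cursor.execute("SELECT * FROM users WHERE id = " + uid)
cursor.execute("SELECT * FROM users WHERE id = %s", (safe_uid,))
path = input("file: ")
open("/data/" + path)
open("/data/" + secure_filename(path))
os.system("ls " + escape(path))
'''

if __name__ == "__main__":
    for line, sink, issue in scan(SAMPLE):
        print("line %d: %s reaches %s (%s)" % (line, "tainted data", sink, issue))
```

Note what this check cannot see, which is why the slides pair automated scanning with manual review and testing: taint is tracked by variable name within one module, so a value that crosses a function call, a container or a database round-trip is lost, and a sanitizer is trusted by name alone, whether or not it is adequate for the sink it guards.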

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security.

Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram recovered from the figure: manual source code review and automated source code analysis (SAST: find vulnerabilities analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application)]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram recovered from the figure: manual source code review, automated source code analysis (SAST: find vulnerabilities analyzing the sources), automated application vulnerability scanning, manual application penetration testing (DAST: find vulnerabilities in the running application); the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to the SAST side]

Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product?
– What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
– SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general?
– Go to the SAP Service Marketplace for spotlight news
– Check the security notes released on the Security Patch Days
– Subscribe to the SAP support portal newsletter
– Maintain a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test
– Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
– Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
– Booking code: P_ADM_SEC_70

Topic                                       Course ID
Authorizations AS ABAP                      ADM940
Authorizations AS Java, Portal              ADM200, EP200, ADM800
Authorizations BW                           BW365
SAP NetWeaver Identity Management           ADM920
Security Auditing                           ADM950
Technical Security (RFC, SSL, SNC, …)       ADM960

Common Criteria Certification
for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
– SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On / Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, Web applications
Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store
Advanced SNC encryption
– Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
– Smart cards
– Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP systems and non-SAP
– Identity Center
– Virtual Directory Server
– Identity Services
– Integration with SAP GRC Access Control
– Identity federation

SAP NetWeaver Single Sign-On
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures
– Re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (Radius, smart cards)
– RSA Certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption
– Basic encryption of the communication path for SAP Windows clients and SAP application servers
– (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management
– Endorsed Business Solution (EBS) with CA SiteMinder product
– Policy-based authentication and authorization to Web applications
– XACML-based and policy-enforced access

Identity Federation
– Web-based and Web service-based authentication
– Single sign-on and identity federation via SAML 2.0
– Cross-company / cross-domain single sign-on

Secure Login
– Single sign-on for Web-based and Web service-based applications
– Standards-based single sign-on for SAP GUI (Kerberos, X.509)
– Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
– Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet)
– Secured and automated login via user and password

SNC Client Encryption
– Basic encryption between SAP Windows clients and SAP application servers
– No single sign-on

EBS CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after a primary authentication, the E-SSO component with its E-SSO Monitor on the client handles the logon of user jack_jones to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; configured via a Local Management Console]

Secure Login – Solution Architecture

[Diagram: Client System with SAP Frontend (NWBC, SAP GUI) plus Secure Login Client, and a Web Browser with SLWC (Applet) and Key Store; SAP Backend System with ABAP Stack and Secure Login Library (PSE); Secure Login Server on NetWeaver CE 7.2 (Java Stack) with Config Data, Secure Login Lib, PSE Service and SAP or Java Crypto Library; Authentication Server (e.g. SAP User Management); protocols DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On / Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies
One business process
Separated IT infrastructure
Cloud

[Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …)]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider; ERP, CRM and SCM in each datacenter act as Service Providers (SP); the two Identity Providers are connected by Identity Federation]

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: SAP NetWeaver Java Identity Provider with user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with a user account; the user logs on/off at the Identity Provider and presents a SAML token to the Service Providers]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web Browser-based single sign-on is user-centric
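The redirect flow above, as an added example that is not part of the slides or of SAP's implementation: one Identity Provider, two Service Providers, and the checks each SP has to make before trusting a token (signature, issuer, audience, validity window, replay). Real SAML carries signed XML assertions; here an HMAC over a JSON payload stands in for the signature, and all entity ids, users and passwords are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time


def _pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


class IdentityProvider:
    """Authenticates the user once and issues short-lived, audience-bound tokens to SPs."""

    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self._users = {u: _pw_hash(p) for u, p in users.items()}   # constructed user store
        self._signing_key = secrets.token_bytes(32)
        self._sessions = {}                                         # browser session id -> user

    def trust_material(self):
        # Handed to each SP when trust is configured (stands in for the IdP signing certificate)
        return self._signing_key

    def login(self, user, password):
        """Primary authentication; returns a browser session id, or None on failure."""
        if not hmac.compare_digest(self._users.get(user, ""), _pw_hash(password)):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = user
        return sid

    def issue_token(self, session_id, sp_entity_id, now=None):
        """Handle the redirect from an SP: an existing IdP session means no re-authentication."""
        user = self._sessions.get(session_id)
        if user is None:
            return None                          # no IdP session yet: the user must log in first
        now = time.time() if now is None else now
        claims = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                  "audience": sp_entity_id, "issued_at": now, "not_on_or_after": now + 300}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    """Trusts one IdP and validates every token before opening a local session."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id = entity_id
        self._idp_entity_id = idp_entity_id
        self._idp_key = idp_key
        self._seen_ids = set()                   # assertion ids already consumed

    def consume(self, token, now=None):
        """Return (True, subject) for an acceptable token, otherwise (False, reason)."""
        now = time.time() if now is None else now
        expected = hmac.new(self._idp_key, token["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return False, "bad signature"        # tampered payload or unknown issuer key
        claims = json.loads(token["payload"])
        if claims["issuer"] != self._idp_entity_id:
            return False, "untrusted issuer"
        if claims["audience"] != self.entity_id:
            return False, "wrong audience"       # token was issued for a different SP
        if now >= claims["not_on_or_after"]:
            return False, "expired"
        if claims["id"] in self._seen_ids:
            return False, "replayed"
        self._seen_ids.add(claims["id"])
        return True, claims["subject"]


def browser_sso_flow():
    """One login at the IdP, then access to two SPs; returns every SP decision taken."""
    idp = IdentityProvider("idp.company-a.example", {"jack_jones": "constructed-pw"})
    erp = ServiceProvider("erp.company-b.example", idp.entity_id, idp.trust_material())
    crm = ServiceProvider("crm.company-b.example", idp.entity_id, idp.trust_material())
    results = {}
    # 1. The user opens ERP without a session and is redirected to the IdP, which has none either
    results["no_session"] = idp.issue_token("unknown-browser-session", erp.entity_id) is None
    # 2. Primary authentication at the IdP, then a token for ERP
    sid = idp.login("jack_jones", "constructed-pw")
    results["erp"] = erp.consume(idp.issue_token(sid, erp.entity_id))
    # 3. CRM redirects to the IdP too; the IdP session is reused, so no password prompt
    crm_token = idp.issue_token(sid, crm.entity_id)
    results["crm"] = crm.consume(crm_token)
    # 4. Checks an SP must fail: CRM's token shown to ERP, and the same token shown twice
    results["misrouted"] = erp.consume(crm_token)
    results["replayed"] = crm.consume(crm_token)
    return results
```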

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

[Diagram: HR events (e.g. on-boarding) feed SAP NetWeaver Identity Management with its Central Identity Store; SAP Access Control (GRC) performs compliance checks; provisioning reaches SAP Business Suite and non-SAP systems]

– Password management
– Provisioning to SAP and non-SAP systems
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as a service
– Approval workflows
– Central Identity Store
– Compliance checks through GRC
– SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with IC database (MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB) and Event Agent; Virtual Directory Server (VDS) in a Java VM, accessed via LDAP; AS Java with Web Dynpro ID Mgmt UI abstraction over HTTPS and JMX; Management Console (MMC, soon to be Eclipse); external repositories (LDAP, Java, ABAP, Web Services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web Services, SiteMinder, app-specific, etc.)]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Diagram, built up over the following steps: User, Approver and Compliance Team interact through SAP NetWeaver Identity Management and SAP GRC Access Control]

1. Request for
   • Role
   • Privileges
   • User account
   • …

2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …

5. Risk analysis and remediation (Compliance Team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …

6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
– Access Risk Identification: define and understand access risks
– Access Analysis and Response: analyze and mitigate access risks
– Access Reviews: periodic reviews of assignments, risk violations and controls
– Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape
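The risk analysis step of the request flow (steps 4 to 6 above) and the "define, analyze and mitigate access risks" capabilities just listed, as an added example that is not SAP GRC Access Control code: a requested role assignment is checked against a segregation-of-duties rule set, and the outcome is approve, approve with mitigating control, or reject with the requested roles that would have to be dropped. Rule ids, business functions and role names are constructed.

```python
from dataclasses import dataclass, field

# Constructed SoD rule set: each access risk names two business functions that
# must not be held by one person. Not an SAP GRC rule set.
SOD_RULES = {
    "P001": ("CREATE_VENDOR", "PAY_VENDOR"),    # create a supplier and pay it
    "P002": ("CREATE_PO", "APPROVE_PO"),        # raise and approve a purchase order
}

# Constructed mapping of technical roles to the business functions they enable
# (in GRC this is derived from the authorizations inside each role).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR"},
    "Z_AP_PAYMENTS": {"PAY_VENDOR"},
    "Z_PURCHASER": {"CREATE_PO"},
    "Z_PO_APPROVER": {"APPROVE_PO"},
    "Z_DISPLAY_ONLY": set(),
}


@dataclass
class RiskResult:
    decision: str                                        # APPROVE, MITIGATE or REJECT
    violations: list = field(default_factory=list)       # every risk the combined roles violate
    unmitigated: list = field(default_factory=list)      # violated risks without an assigned control
    roles_to_remove: list = field(default_factory=list)  # requested roles behind unmitigated risks


def functions_of(roles):
    """Union of business functions enabled by a set of roles; unknown roles add nothing."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_violations(existing_roles, requested_roles):
    """Risk ids violated by the user's existing roles combined with the requested ones."""
    funcs = functions_of(set(existing_roles) | set(requested_roles))
    return sorted(risk for risk, (a, b) in SOD_RULES.items() if a in funcs and b in funcs)


def analyze_request(existing_roles, requested_roles, mitigations):
    """Step 5 of the flow: approve when no risk is violated, approve with mitigation when
    every violated risk has a control assigned to this user, otherwise reject and name the
    requested roles that would have to be dropped (the 'modify request' outcome).
    mitigations: {risk_id: control_id} assigned by the compliance team (constructed)."""
    violations = find_violations(existing_roles, requested_roles)
    unmitigated = [r for r in violations if r not in mitigations]
    if not violations:
        return RiskResult("APPROVE")
    if not unmitigated:
        return RiskResult("MITIGATE", violations)
    risky_funcs = {f for r in unmitigated for f in SOD_RULES[r]}
    to_remove = sorted(role for role in requested_roles
                       if ROLE_FUNCTIONS.get(role, set()) & risky_funcs)
    return RiskResult("REJECT", violations, unmitigated, to_remove)
```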

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A); connected via RFC to SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); optional components: non-SAP business applications via adapter, SAP NW Portal 7.02 with GRC Portal Content, SAP NW BW 7.02 with GRC BI Content, SAP NW Java 7.02 with Adobe Document Services, Identity Management solutions (SAP or non-SAP) via Web services / HTTP; Front-End Client: SAP GUI 7.10 (DIAG) and Web Browser (HTTP) with Adobe Flash Player and SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports); Content Lifecycle Management (CLM); SAP GRC 10.0]

Compliant Identity Management: Example Customer Scenario

– Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
– Reduce risk through compliance checks and remediation
– Automate manual processes through integration

[Flow diagram: HR Application (New Hire, Change Position) → Identity Management calculates entitlements based on position → Line Manager approves assignments (No: stop; Yes: continue) → SAP GRC Access Control compliance check and remediation → create user and assign roles/privileges in each system of the heterogeneous landscape]

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: SAP Attack Monitoring Infrastructure with connectivity, extraction, filtering, normalization and aggregation stages; inputs: attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver, desktop frontend, mobile frontend, logs of infrastructure, logs of database, network logs, IDS, alerts from SAP SolMan; outputs: API to other SIEM tools, information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
– View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP NetWeaver Security Solutions / SAP HANA Security

SAP HANA – Overview of Security Functions

[Diagram: SAP HANA with the XS engine serving clients over HTTP(S), SQL and MDX access from application servers and clients, and SAP HANA Studio for administration via SQL; security functions: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store]

SAP HANA – Authentication and Single Sign-On

SQL access
– User name and password (incl. password policy)
– Kerberos
– SAML

HTTP access (SAP HANA XS)
– User name and password (basic authentication, form-based login, incl. password policy)
– SAML
– X.509
– SAP logon tickets

SAP HANA – User and Role Management

For logon, users must exist in the identity store of the SAP HANA database
Roles (and privileges) can be assigned to users
Roles are used to bundle and structure privileges
– Create roles for specific groups of users; role hierarchies are supported
Role lifecycle: design-time roles, export to production system, activate, runtime

SAP HANA – Authorization: Privilege Types

System privileges: authorize execution of administrative actions for the entire SAP HANA database
SQL privileges: authorize access to data and operations on database objects
Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
Package privileges: authorize access in the repository (modeling environment) at design time
Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – Communication and Data Encryption

Communication encryption
– SSL
Data encryption
– Data volumes on disk

SAP HANA – Audit Logging

Logging of critical events for security and compliance, e.g.
– User, role and privilege changes
– Configuration changes
User-defined policies for audit logging
Data access logging
– Read and write access (tables, views), execution of procedures
Audit trail written to Linux syslog

SAP HANA – Security Administration

SAP HANA Studio
SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions / Mobile Security / Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

SAP Mobile Security (On-Premise, Hybrid, Cloud)
– Device: Mobile Device Management
– Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
– Content: Mobile Content Management
– Communications: Telecom Expense Management
– Systems Management: Enterprise Mobility Management System

Share My Files / My Files – Any Device / Mobilize Enterprise Content
Introducing SAP Mobile Documents

– Access personal business documents instantly on your laptop or any mobile device
– Discover and access content from corporate document management systems
– Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Diagram: SAP ID service provides authentication, single sign-on and user management for the SAP Cloud, SAP web sites, On-Demand applications and the customer's on-premise app]

Managing identities and their lifecycle within the SAP Cloud
Leverage SSO to SAP web sites and On-Demand applications
One SAP identity: SAP ID service bridges the gap between
• customer's on-premise application
• SAP on-demand applications
• SAP websites
• 3rd party on-demand applications
by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

Standards in play: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos
Enterprise (On-Premise) versus Internet/Cloud (On-Demand)

SAP bridges the gap between these two "camps"

Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud
SOAP/WS-* is the preferred choice for process integration in the enterprise
Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP–OD instead of point-to-point connections

[Diagram: in the Customer On-Premise Network the user authenticates at the On-Premise IdP (X.509); in the SAP On-Demand Network the SAP ID service acts as the trusted IdP towards SAP Business ByDesign, SAP HANA Cloud, a Social IdP and 3rd party apps (SAML)]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration – OnPremise integration – OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

[Diagram: Company A and Company B each operate backend networks (R/3 systems, ERP application server farm, directory) and an Identity Provider; their On-Demand solutions and SAP are linked via SAML, while SAP Logon Tickets are used inside the backend networks]

SAP NetWeaver Security Solutions / Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Configuration and results of the Security Audit Log in ABAP: transactions SM18, SM19, SM20
Results of the Log Viewer in Java

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
– Used to ensure secure and compliant operation of business functions
– Target audience: Auditor

Read Access Log
– Used to ensure compliant access to sensitive or classified data
– Allows tracking of who accessed which data, when, and via which interface
– Target audience: Data Protection Officer

Security Audit Log
– Monitoring of security-relevant events in the system such as logons, access control violations and more
– Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: SAP environment – audit planning, work program (system audit, business audit), online controls on the SAP database (system information, reconciliation BS/P&L, account balances, documents), data export (account balances, line items) through an export interface; non-SAP environment – analysis software (ACL, IDEA, …), reporting software, work paper preparation and report over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits.
It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.
The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
– Who did access the data?
– Which data was accessed?
– When was the data accessed?
– How did the data access take place, via which transaction or user interface?

The amount of detail to be logged is customizable based on
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP Server – Application, Web Dynpro, Read Access Log]

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also the data logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

[Diagram: request/response traffic between SAP GUI for Windows and the SAP Backend System is observed at the Dynpro Processor; application logic and a delivered sample implementation write a temporary log, and an asynchronous call of the log service moves the records to permanent log storage in the repository]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

[Screenshot: Transaction BP (Business Partner) log record]

UI Logging: Log Record Example II

[Screenshot: Transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
LOPD was first available with the BW 7.0 release
Within the solution you can configure the information to be logged per InfoProvider
The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP

systems developed and available as of SAP Netweaver AS ABAP 740

The UI Logging solution from SAP Custom Development Services is available on AS ABAP

versions 700 701 702 710 711

Supported by Read Access Channel

Channel Logging UI Logging Solution

SAP GUI No 700hellip731

Web Dynpro ABAP 740 SP02 On Req

CRM Web Client UI No 700hellip731

Business Warehouse No 700hellip731 BW 70

Web Services 740 On Req

SAP RFC 740 SP02 On Req

Business Server Pages (BSP) No On Req

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

[Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library]

• Digital signatures for legally binding contracts
• Integration with Secure Store and Forward (SSF) API
• Out of the box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step By Step

[Diagram: SAP client and SAP backend; the steps below are drawn as numbered arrows between them]

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of:
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
  – Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to SAP application servers, and application servers connect to each other over SNC]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Overview diagram: protecting your SAP systems rests on SAP's secure software development, customers' secure software development, security services and security management; the following sections walk through these areas one by one]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production and Production to Ramp Up]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems (section overview: security services)

SAP Security Services Overview (1/2)

• SAP Security Patch Day
  – SAP security notes, second Tuesday every month
• SAP Active Global Support security tools and services
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

• SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
• SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press

Protecting Your SAP Systems (section overview: security management)

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit Web Enabled Content
• SAP Gateway and SAP Message Server Security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC Connectivity
• Password Management: Password Policy, Password Hashes, Default Passwords
• Secure Session Handling

(from the security recommendations discussed later)

Patch Management and Security Monitoring

• Check security of your systems as onsite, remote or self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
  – Most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
• For more information see SAP Note 1532674

Protecting Your SAP Systems (section overview: customers' secure software development)

Secure Custom Development – Secure Design

Secure design:
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources: SAP security recommendations, SAP security guides
How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations
How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources; listed under SAST: SAP NetWeaver Application Server add-on for code vulnerability analysis]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

• Security-related news from SAP (patches, whitepapers, etc.)
  – Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
  – Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
    – Sent out for very important security-related news
• Reporting product security issues
  – Create a customer ticket in the support system
  – If you do not have SAP support, send an email to secure@sap.com
    – Please use PGP for email encryption
    – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

• You have found a security vulnerability in an SAP product. What to do? Open a customer message.
• How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
• You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
  – spotlight news
  – check of the security notes released on the Security Patch Days
  – subscription to the SAP support portal newsletter
  – maintenance of a security contact in your organization
• You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
• Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java / Portal           ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, …)     ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram: three layers – Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On)]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

• Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
• Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
• Advanced SNC encryption: strong encryption of communication
• Enterprise Single Sign-On for legacy systems
• Support of additional authentication methods: smart cards, Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On:
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA Certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption (part of SAP NetWeaver):
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

[Diagram: SAP NetWeaver Single Sign-On components; Web Access Management is labeled Partner / API, SNC Client Encryption is part of SAP NetWeaver]

• Web Access Management: Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross company/domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standard-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross application and cross domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User to application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after primary authentication as user jack_jones, the E-SSO client and its E-SSO monitor perform the login to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; administration via the Local Management Console]

Secure Login – Solution Architecture

[Diagram: client system with SAP Frontend (NWBC, SAP GUI), Secure Login Client, and web browser with key store and SLWC (applet); SAP backend system with ABAP stack (Secure Login Library) and Java stack (PSE service), SAP or Java Crypto Library; NetWeaver CE 7.2 hosting the Secure Login Server with config data and an authentication server (e.g. SAP User Management); protocols shown: DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus cloud systems]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run ERP, CRM and SCM as service providers (SP) behind their own Identity Provider; identity federation links the two Identity Providers]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: SAP NetWeaver Java Identity Provider with its user account store; service providers (SAML) on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP, each with its own user account; the browser logs on/off at the Identity Provider and presents a SAML token to the service providers]

• Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web Browser-based single sign-on is user-centric
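The redirect flow above, as an added example (not SAP code): one IdP logon, then access to an ABAP and a Java service provider, plus the checks a service provider must make before accepting a token. Real SAML assertions are XML documents carrying an XML signature; here the assertion is a dict signed with HMAC-SHA256 under an assumed shared key so the exchange and the checks can be shown without an XML-DSig library, and all names (IdentityProvider, ServiceProvider, idp.example, jdoe) are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the IdP's signing certificate: a key shared with the SPs.
IDP_KEY = b"constructed-idp-signing-key"


def sign_assertion(assertion, key):
    """HMAC-SHA256 over the canonical JSON form (stand-in for the XML signature)."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Authenticates the browser user once, then issues signed assertions to any SP."""

    def __init__(self, entity_id, key, users):
        self.entity_id = entity_id
        self.key = key
        self.users = users      # constructed user store: name -> password
        self.sessions = {}      # IdP session id -> user name

    def logon(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("IdP logon failed")
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def issue(self, authn_request, idp_session, now):
        """No password here: the IdP session proves the earlier authentication."""
        assertion = {
            "issuer": self.entity_id,
            "subject": self.sessions[idp_session],
            "audience": authn_request["issuer"],   # only the requesting SP may accept it
            "in_response_to": authn_request["id"],
            "not_before": now,
            "not_on_or_after": now + 300,          # short validity window
        }
        return {"assertion": assertion, "signature": sign_assertion(assertion, self.key)}


class ServiceProvider:
    """A SAML-enabled system (ABAP, Java or non-SAP) that trusts one IdP."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key
        self.pending = set()    # ids of AuthnRequests still awaiting a response
        self.sessions = {}      # local session per authenticated subject

    def create_authn_request(self, now):
        # Built when an unauthenticated browser arrives; the browser carries it to the IdP.
        req = {"id": secrets.token_hex(8), "issuer": self.entity_id, "issued": now}
        self.pending.add(req["id"])
        return req

    def consume(self, token, now):
        """The checks an SP must make before turning a token into a local session."""
        a = token["assertion"]
        if not hmac.compare_digest(sign_assertion(a, self.idp_key), token["signature"]):
            return (False, "bad signature")
        if a["issuer"] != self.idp_entity_id:
            return (False, "untrusted issuer")
        if a["audience"] != self.entity_id:
            return (False, "assertion issued for another SP")
        if a["in_response_to"] not in self.pending:
            return (False, "unsolicited or replayed response")
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return (False, "assertion outside validity window")
        self.pending.discard(a["in_response_to"])   # each request is answered once
        self.sessions[a["subject"]] = now
        return (True, a["subject"])


def sso_round_trip(now=1_000_000):
    """One IdP logon, then access to an ABAP and a Java service provider."""
    idp = IdentityProvider("idp.example", IDP_KEY, {"jdoe": "s3cret"})
    abap_sp = ServiceProvider("abap.example", "idp.example", IDP_KEY)
    java_sp = ServiceProvider("java.example", "idp.example", IDP_KEY)
    # Browser hits the ABAP system unauthenticated, is redirected to the IdP and logs on once.
    req1 = abap_sp.create_authn_request(now)
    sid = idp.logon("jdoe", "s3cret")
    tok1 = idp.issue(req1, sid, now)
    first = abap_sp.consume(tok1, now)
    # Later the same browser hits the Java system: redirect again, no re-authentication.
    req2 = java_sp.create_authn_request(now + 60)
    tok2 = idp.issue(req2, sid, now + 60)
    second = java_sp.consume(tok2, now + 60)
    # What the SP-side checks reject: the ABAP token shown to the Java SP, the ABAP token
    # replayed to the ABAP SP, and a token whose subject was altered after signing.
    wrong_audience = java_sp.consume(tok1, now + 60)
    replay = abap_sp.consume(tok1, now + 60)
    tampered = {"assertion": dict(tok2["assertion"], subject="admin"),
                "signature": tok2["signature"]}
    forged = java_sp.consume(tampered, now + 60)
    return first, second, wrong_audience, replay, forged
```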

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a Central Identity Store, triggered by HR events (e.g. on-boarding), integrated with SAP Access Control (GRC) and the SAP Business Suite]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center (IC) database – either MS-SQL or Oracle DB, soon IBM DB2 – with stored procedures, logs, audit and identity services (IdS); runtimes in Java and VB, DSE, a dispatcher and an event agent (<<Starts>>); Virtual Directory Server (VDS) in a Java VM, reached via LDAP; external repositories (AS Java, LDAP, ABAP, Web Services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web Services, SiteMinder, app specific); AS Java Web Dynpro user interface over HTTPS with an ID Mgmt UI abstraction; JMX; MMC Management Console (soon to be Eclipse)]

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Diagram, built up over seven slides: the user, the approver and the compliance team interact with SAP NetWeaver Identity Management and SAP GRC Access Control in the numbered steps below]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (compliance team, SAP GRC Access Control)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to user

Result: Compliant Identity Management
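The six-step flow above as an added example (not SAP code): a small workflow in which a stand-in for SAP NetWeaver IdM owns the request, routes it for approval, hands it to a stand-in for SAP GRC Access Control for segregation-of-duties (SoD) risk analysis, applies the compliance team's remediation and only then provisions. The SoD rule set, role names, systems and users are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed SoD rules: role pairs that must not be held together by one user.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "create and pay a vendor invoice",
    frozenset({"HR_MAINTAIN_MASTER", "PAYROLL_RUN"}): "maintain own payroll data",
}


@dataclass
class AccessRequest:
    user: str
    roles: set
    status: str = "REQUESTED"                    # step 1
    approver: str = ""
    violations: list = field(default_factory=list)
    history: list = field(default_factory=list)  # audit trail of every transition


class AccessControl:
    """Stand-in for SAP GRC Access Control: knows current assignments and SoD rules."""

    def __init__(self, rules, assignments):
        self.rules = rules
        self.assignments = assignments           # user -> roles already held

    def risk_analysis(self, user, requested):
        held = self.assignments.get(user, set()) | requested
        return sorted(risk for pair, risk in self.rules.items() if pair <= held)


class IdentityManagement:
    """Stand-in for SAP NetWeaver IdM: owns the request workflow and provisioning."""

    def __init__(self, access_control, target_systems):
        self.ac = access_control
        self.targets = {name: {} for name in target_systems}   # system -> user -> roles
        self.mails = []

    def _move(self, req, status, note):
        req.history.append((req.status, status, note))
        req.status = status

    def submit(self, user, roles):                               # step 1
        return AccessRequest(user=user, roles=set(roles))

    def send_for_approval(self, req, approver):                  # step 2
        req.approver = approver
        self._move(req, "PENDING_APPROVAL", f"sent to {approver}")

    def decide(self, req, approver, approved):                   # step 3
        if req.status != "PENDING_APPROVAL" or approver != req.approver:
            raise PermissionError("only the assigned approver may decide a pending request")
        self._move(req, "APPROVED" if approved else "REJECTED", f"decided by {approver}")

    def risk_check(self, req):                                   # steps 4 and 5
        if req.status != "APPROVED":
            raise ValueError("risk analysis runs only on approved requests")
        req.violations = self.ac.risk_analysis(req.user, req.roles)
        self._move(req, "NEEDS_REMEDIATION" if req.violations else "CLEARED",
                   f"{len(req.violations)} SoD violation(s)")

    def remediate(self, req, action, roles_to_drop=()):          # step 5 outcomes
        if req.status != "NEEDS_REMEDIATION":
            raise ValueError("nothing to remediate")
        if action == "reject":
            self._move(req, "REJECTED", "rejected by compliance team")
        elif action == "mitigate":
            self._move(req, "CLEARED", "mitigating control assigned")
        elif action == "modify":
            req.roles -= set(roles_to_drop)
            self._move(req, "APPROVED", f"request modified, dropped {sorted(roles_to_drop)}")
            self.risk_check(req)                                 # re-run the analysis
        else:
            raise ValueError(f"unknown action {action!r}")

    def provision(self, req):                                    # step 6
        if req.status != "CLEARED":
            raise PermissionError("provisioning requires a cleared request")
        for system in self.targets.values():
            system.setdefault(req.user, set()).update(req.roles)
        self.ac.assignments.setdefault(req.user, set()).update(req.roles)
        self.mails.append(f"to {req.user}: access granted for {sorted(req.roles)}")
        self._move(req, "PROVISIONED", f"provisioned to {sorted(self.targets)}")


def run_scenario():
    """Walk one request through all six steps; returns the request, the first
    violations found, the ERP assignments and the approval mails."""
    ac = AccessControl(SOD_RULES, {"jdoe": {"AP_INVOICE_ENTRY"}})
    idm = IdentityManagement(ac, ["ERP", "CRM", "LEGACY_DB"])
    req = idm.submit("jdoe", ["AP_PAYMENT_RELEASE", "REPORT_VIEWER"])
    idm.send_for_approval(req, "line.manager")
    idm.decide(req, "line.manager", approved=True)
    idm.risk_check(req)                 # invoice entry + payment release -> SoD violation
    first_violations = list(req.violations)
    idm.remediate(req, "modify", roles_to_drop=["AP_PAYMENT_RELEASE"])
    idm.provision(req)
    return req, first_violations, idm.targets["ERP"], idm.mails
```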

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control:
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 – AC, PC & RM (software component GRCFND_A) on SAP NetWeaver AS ABAP 7.02; SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); adapter to non-SAP business applications; SAP NW Portal 7.02 with GRC portal content; SAP NW BW 7.02 with GRC BI content; Identity Management solutions (SAP or non-SAP); SAP NW Java 7.02 with Adobe Document Services; front-end client with SAP GUI 7.10 and web browser with Adobe Flash Player and SAP CR Adapter; Content Lifecycle Management (CLM); connections shown as http, web services, RFC and DIAG, several components marked optional]

SAP CR Adapter: SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flowchart: HR application (New Hire, Change Position) → Identity Management calculates entitlements based on position → Line Manager approves assignments (Yes/No) → SAP GRC Access Control performs compliance check and remediation → Create User / Assign Roles / Assign Privileges across the heterogeneous landscape]

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure performs connectivity, extraction, filtering, normalization and aggregation over logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop and mobile frontends, infrastructure, database and network logs; further inputs are attack pattern updates by SAP, alerts from SAP SolMan and an IDS; outputs are an API to other SIEM tools and an information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web:
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 17: SIS100 - Overview About Product Security, IDM and SSO

SAP HANA - overview of security functions

[Diagram: SAP HANA security functions: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store. Access paths: clients reach SAP HANA XS applications via HTTP(S); application servers reach the database via SQL and MDX; SAP HANA Studio (administration) reaches it via SQL.]

SAP HANA - authentication and single sign-on

(Highlighted function in the SAP HANA security diagram: Authentication/SSO)

SQL access
- User name and password (incl. password policy)
- Kerberos
- SAML

HTTP access (SAP HANA XS)
- User name and password (basic authentication, form-based login, incl. password policy)
- SAML
- X.509
- SAP logon tickets

SAP HANA - user and role management

(Highlighted function in the SAP HANA security diagram: Identity Store)

- For logon, users must exist in the identity store of the SAP HANA database.
- Roles (and privileges) can be assigned to users.
- Roles are used to bundle and structure privileges.
  - Create roles for specific groups of users; role hierarchies are supported.
- Role lifecycle: design-time roles, export to production system, activate, runtime.

SAP HANA - authorization: privilege types

(Highlighted function in the SAP HANA security diagram: Authorization)

- System privileges: authorize execution of administrative actions for the entire SAP HANA database.
- SQL privileges: authorize access to data and operations on database objects.
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view.
- Package privileges: authorize access in the repository (modeling environment) at design time.
- Application privileges: authorize access to SAP HANA XS application functions.

SAP HANA - communication and data encryption

(Highlighted function in the SAP HANA security diagram: Encryption)

Communication encryption
- SSL

Data encryption
- Data volumes on disk

SAP HANA - audit logging

(Highlighted function in the SAP HANA security diagram: Audit Logging)

- Logging of critical events for security and compliance, e.g.
  - User, role and privilege changes
  - Configuration changes
- User-defined policies for audit logging
- Data access logging
  - Read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA - security administration

(Highlighted function in the SAP HANA security diagram: all functions; administration path via SQL from SAP HANA Studio)

- SAP HANA Studio
- SQL interface (command line tool hdbsql available)
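The following SQL is an added example, not part of the SIS100 slides, showing how the user/role, privilege and audit logging functions described above fit together when administered through the SQL interface (hdbsql or the SAP HANA Studio SQL console). Schema, table, procedure, role and user names (SALES, ORDERS, MONTHLY_REPORT, SALES_READER, SALES_ANALYST, ALICE) are constructed placeholders; the statements, configuration keys and system views are SAP HANA's own.

```sql
-- Added example (not from the SIS100 slides). SALES, ORDERS, MONTHLY_REPORT,
-- SALES_READER, SALES_ANALYST and ALICE are constructed placeholder names.

-- 1. Roles bundle privileges. A role hierarchy is built by granting a role to a role,
--    so SALES_ANALYST inherits everything SALES_READER has.
CREATE ROLE SALES_READER;
GRANT SELECT ON SCHEMA SALES TO SALES_READER;

CREATE ROLE SALES_ANALYST;
GRANT SALES_READER TO SALES_ANALYST;
GRANT EXECUTE ON SALES.MONTHLY_REPORT TO SALES_ANALYST;  -- placeholder procedure, assumed to exist

-- 2. Users must exist in the SAP HANA identity store before they can log on.
--    The initial password is checked against the password policy and must be
--    changed at first logon.
CREATE USER ALICE PASSWORD "InitPwPlaceholder1";
GRANT SALES_ANALYST TO ALICE;

-- Check the effective result of the role hierarchy for this user.
SELECT ROLE_NAME
  FROM EFFECTIVE_ROLES
 WHERE USER_NAME = 'ALICE';

SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'ALICE';

-- 3. Audit logging: switch global auditing on and route the audit trail to Linux syslog.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state')     = 'true',
      ('auditing configuration', 'default_audit_trail_type')  = 'SYSLOGPROTOCOL'
  WITH RECONFIGURE;

-- Critical events: user, role and privilege changes, whether they succeed or fail.
CREATE AUDIT POLICY ADMIN_CHANGES
  AUDITING ALL
    CREATE USER, DROP USER, ALTER USER,
    CREATE ROLE, DROP ROLE,
    GRANT ROLE, REVOKE ROLE,
    GRANT PRIVILEGE, REVOKE PRIVILEGE
  LEVEL CRITICAL;
ALTER AUDIT POLICY ADMIN_CHANGES ENABLE;

-- Data access logging: read and write access to one sensitive table.
CREATE AUDIT POLICY SALES_ORDERS_ACCESS
  AUDITING ALL SELECT, INSERT, UPDATE, DELETE
  ON SALES.ORDERS
  LEVEL INFO;
ALTER AUDIT POLICY SALES_ORDERS_ACCESS ENABLE;

-- Verify that both policies are active before relying on them.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM AUDIT_POLICIES;
```

Executing these statements requires the corresponding system privileges (for example USER ADMIN, ROLE ADMIN, AUDIT ADMIN and INIFILE ADMIN) on the administering user.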

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: A strong foundation makes mobile successful

[Diagram: Mobile Security layers. Device: Mobile Device Management. Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container. Content: Mobile Content Management. Communications: Telecom Expense Management. Systems Management: Enterprise Mobility Management System. SAP Mobile Security is offered on-premise, hybrid and cloud.]

Introducing SAP Mobile Documents

(Screenshots: Share My Files; My Files - Any Device; Mobilize Enterprise Content)

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service - One Login for Cloud Applications

[Diagram: SAP ID service provides Authentication, Single Sign-On and User Management between the SAP Cloud and the customer's on-premise app.]

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications
- One SAP identity: SAP ID service bridges the gap between
  - customer's on-premise applications
  - SAP on-demand applications
  - SAP websites
  - 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service - Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" - Handled With Industry Standards

[Diagram: the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos positioned between the Enterprise (on-premise) camp and the Internet/Cloud (on-demand) camp.]

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud.
- SOAP/WS-* is the preferred choice for process integration in the enterprise.
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration on-premise / on-demand instead of point-to-point connections.

[Diagram: Customer on-premise network: user, on-premise IdP (X.509). SAP on-demand network: SAP ID service, SAP Business ByDesign, SAP HANA Cloud, social IdP, 3rd party app; trust relationships via SAML.]

On-Demand and On-Premise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Diagram: on-demand integration, on-premise integration, on-device integration.]

Secure Communication and Interaction: On-Demand Solutions

[Diagram: Company A and Company B each operate backend networks (R/3 systems, ERP application server farm, directory) and an on-demand solution. Each company's identity provider issues SAML assertions to the on-demand solutions; SAP logon tickets are used within the backend networks.]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java)

Logging and Monitoring - AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operations of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking of who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: SAP environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents); data export (account balances, line items). Non-SAP environment, reached via the export interface: work paper preparation, report, analysis software (ACL, IDEA, ...), reporting software. Exported data: line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...]

Monitoring and Auditing: The SAP Audit Information System (AIS)

- The Audit Information System facilitates smoother and better quality audits.
- It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.
- The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 - Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP server with application (Web Dynpro) writing to the Read Access Log.]

Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also the data logged, thus keeping private data out of the logs.

SAP Custom Development - User Interface (UI) Logging

[Diagram: SAP GUI for Windows exchanges request/response with the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log and handed by an asynchronous call of the log service to permanent log storage in the repository (delivered sample implementation).]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

(Screenshot: transaction BP (Business Partner) and the resulting log record)

UI Logging: Log Record Example II

(Screenshot: transaction SE16 (Table Viewer) and the resulting log record)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00...7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00...7.31
Business Warehouse             No                                 7.00...7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library.]

- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures - Step by Step

[Diagram: flow between the SAP client and the application, steps 1 to 4]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of Secure Login Library with client actions
  - Hardware support needed

SNC Client Encryption

Secure network communications: A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption - Overview

- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to SAP application servers; SNC between application servers.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: SAP side: Secure Software Development. Customer side: Secure Software Development, Security Services, Security Management.]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.]

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services

Protecting Your SAP Systems (customer side: Security Services)

SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press

Protecting Your SAP Systems (customer side: Security Management)

SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
  - The most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 - Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool - short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  - each task available in two flavors - one for ABAP, one for Java application servers
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
- For more information see SAP Note 1532674

Protecting Your SAP Systems (customer side: Secure Software Development)

Secure Custom Development - Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development - Secure Programming

Secure programming - avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning - automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: four approaches: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.]

- DAST: find vulnerabilities in the running application
- SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources.]

- SAP NetWeaver Application Server add-on for code vulnerability analysis
- Finding security issues at design time is easier and less expensive

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  - Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  - Please use PGP for email encryption
  - The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general:
- Go to the SAP Service Marketplace for spotlight news
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP support portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration - User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional - Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java / Portal           ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, ...)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
- EAL 1: Functionally tested
- EAL 2: Structurally tested
- EAL 3: Methodically tested and checked
- EAL 4: Methodically designed, tested and reviewed
- EAL 5: Semi-formally designed and tested
- EAL 6: Semi-formally verified, designed and tested
- EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 - SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 - Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0:
  - SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  - FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On consists of the following components:
- Web Access Management (partner component, integrated via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based, policy-enforced access
- Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
- Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management
Endorsed Business Solution with CA - CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous application environment
- No client deployed to the desktop
The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?
Diagram: after the primary authentication, the E-SSO monitor on the desktop recognizes the login prompts of terminal emulators, web forms, web basic authentication, Windows applications and Java applications and fills in the stored credentials of the user (jack_jones in the example); the configuration is maintained in the local management console.

Secure Login - Solution Architecture
Diagram of the components:
- Client system: SAP front end (NWBC, SAP GUI) with the Secure Login Client, and a web browser with the Secure Login Web Client (SLWC, an applet) and its key store; the client uses the SAP or Java Crypto Library and talks DIAG/SNC to ABAP back ends and HTTP(S) to Java back ends
- SAP back-end systems: ABAP stack with the Secure Login Library; Java stack with the PSE service
- Secure Login Server on SAP NetWeaver CE 7.2 with its configuration data, backed by an authentication server (e.g. SAP User Management)

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?
Diagram: Company A and Company B each run their own ERP, CRM and SCM systems in separate datacenters (Datacenter A, Datacenter B) and in the cloud. Different companies with separated IT infrastructures share one business process.

Identity Federation - Solution
Diagram: in each datacenter the ERP, CRM and SCM systems of Company A and Company B act as SAML Service Providers (SP); each company runs its own Identity Provider, and the two Identity Providers are federated.
- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On
Diagram: a SAP NetWeaver Java Identity Provider holds the user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers each keep their own user account and receive a SAML token from the Identity Provider (log on / log off).
- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
- Web browser-based single sign-on is user-centric
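The redirect-and-token flow above puts the security decision on each Service Provider: it has to decide whether the SAML token it receives may be turned into a session. The following Python example, added here and not part of the SIS100 deck or of SAP's SAML implementation, shows the checks an SP performs on an assertion once its XML signature has been verified: trusted issuer, validity window with clock skew, audience restriction, InResponseTo/Recipient binding to the SP's own AuthnRequest, and one-time consumption of the assertion ID. All entity IDs, URLs, timestamps and the sample response are constructed for the example; signature verification is assumed to have happened before this step and is not implemented.

```python
"""Service-provider-side checks on a SAML 2.0 assertion.

Added example; not SAP code. Entity IDs, URLs and the sample response are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed configuration of the service provider (hypothetical identifiers).
IDP_ENTITY_ID = "https://idp.company-a.example/saml2/idp"
SP_ENTITY_ID = "https://erp.company-b.example/saml2/sp"
SP_ACS_URL = "https://erp.company-b.example/saml2/acs"
TRUSTED_IDPS = {IDP_ENTITY_ID}
CLOCK_SKEW = timedelta(minutes=2)
DEMO_NOW = datetime(2013, 11, 5, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the demo


class AssertionRejected(Exception):
    """Any failed check: the SP must not create a session."""


def _utc(stamp):
    # SAML timestamps are xsd:dateTime in UTC ('Z' suffix)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(response_xml, outstanding_requests, seen_assertions, now=None):
    """Return the asserted NameID if every check passes, else raise AssertionRejected.

    Precondition not implemented here: the XML signature over the assertion was
    verified with an XML-DSig library against the IdP's certificate. Without that
    step an attacker can simply write the assertion below themselves.
    """
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("response carries no assertion")

    # 1. Issuer must be an IdP this SP has a trust relationship with
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        raise AssertionRejected("untrusted issuer %r" % issuer)

    # 2. Validity window (with clock skew) and audience: an assertion minted for
    #    another SP in the federation must not be accepted here
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("assertion has no Conditions")
    if now + CLOCK_SKEW < _utc(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if now - CLOCK_SKEW >= _utc(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion not addressed to this SP")

    # 3. The assertion must answer an AuthnRequest this SP actually sent and be
    #    delivered to this SP's assertion consumer service
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                         "saml:SubjectConfirmationData", NS)
    if scd is None:
        raise AssertionRejected("assertion has no SubjectConfirmationData")
    request_id = scd.get("InResponseTo")
    if request_id not in outstanding_requests:
        raise AssertionRejected("InResponseTo matches no outstanding AuthnRequest")
    if scd.get("Recipient") != SP_ACS_URL:
        raise AssertionRejected("wrong Recipient")

    # 4. Replay protection: an assertion ID is consumed exactly once
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_assertions:
        raise AssertionRejected("assertion replayed or without ID")

    outstanding_requests.discard(request_id)
    seen_assertions.add(assertion_id)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise AssertionRejected("assertion carries no NameID")
    return name_id


def sample_response(issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, recipient=SP_ACS_URL,
                    not_before="2013-11-05T11:59:00Z", not_on_or_after="2013-11-05T12:05:00Z",
                    assertion_id="_a1", in_response_to="_req1"):
    """Constructed (unsigned) response, not the output of a real IdP."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="2013-11-05T12:00:00Z">'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2013-11-05T12:00:00Z">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<saml:Subject><saml:NameID>jack_jones</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{recipient}" '
        f'NotOnOrAfter="{not_on_or_after}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )


def demo_outcome(**overrides):
    """Validate one sample response at DEMO_NOW; returns the NameID or the rejection reason."""
    try:
        return validate_assertion(sample_response(**overrides), {"_req1"}, set(), DEMO_NOW)
    except AssertionRejected as exc:
        return "rejected: " + str(exc)
```

The order matters less than completeness: every one of the four groups closes a distinct attack (token minted by a rogue IdP, stale token, token stolen from another SP in the federation, token replayed into a fresh session). The outstanding-request and seen-assertion sets must be shared across SP instances in a real deployment, otherwise replay across nodes still works.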

SAP NetWeaver Identity Management
Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management
Diagram: SAP NetWeaver Identity Management with its Central Identity Store sits between HR events (e.g. on-boarding), SAP Access Control (GRC) and the target systems.
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2
Diagram of the components:
- Identity Center (IC) database: either MS SQL or Oracle DB, soon IBM DB2; holds the stored procedures, logs, audit data and the Identity Store (IdS)
- Dispatcher (VB) starting the runtimes (Java and VB) and the Event Agent; DSE (VB); the Java runtime connects via HTTPS, the others via the database protocol
- Virtual Directory Server (VDS) in a Java VM, speaking LDAP; connectors for AS Java, LDAP, Java, ABAP, Web services, Active Directory, etc.
- External repositories and applications: SAP HR, LDAP/Web services, SiteMinder, application-specific connectors
- User interface: AS Java with Web Dynpro (identity management UI abstraction, JMX) and a Management Console (MMC, soon to be Eclipse-based)

Compliant Identity Management with SAP GRC Access Control
Session SIS205 - Strategies for closing the gap between access control and identity management processes

Compliant Identity Management
Process between SAP NetWeaver Identity Management and SAP GRC Access Control (the original slides build up the diagram one step at a time):
1. The user requests a role, privileges, a user account, ...
2. The request is sent for approval to the manager, delegate, role owner, application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The approved request is sent to SAP GRC Access Control for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, ...
6. Provisioning to business applications, non-SAP systems, ..., and an approval mail is sent to the user
Result: compliant identity management across SAP NetWeaver Identity Management, SAP GRC Access Control, approvers, the compliance team and the user.

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control:
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 - Architecture
Diagram of the components (SAP GRC 10.0):
- SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (software component GRCFND_A), with Content Lifecycle Management (CLM)
- Managed systems, connected via RFC: SAP ERP (4.6C - 7.1) with the NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter
- Optional: SAP NW Portal 7.02 with GRC portal content (HTTP); SAP NW BW 7.02 with GRC BI content (RFC); SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP) via Web services
- Front-end client (DIAG, HTTP): SAP GUI 7.10; web browser with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario
- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration
Flow shown on the slide: an event in the HR application (new hire, change of position) triggers Identity Management to calculate entitlements based on the position; the line manager approves the assignments (if not approved, the flow stops); SAP GRC Access Control runs the compliance check and remediation; then the user is created and roles and privileges are assigned across the heterogeneous landscape.
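The GRC compliance check in the flow above is a simulative access-risk analysis: it evaluates the access the user would hold after provisioning, including roles already assigned, not just the requested roles on their own. The following Python example, added here and not SAP GRC Access Control code, shows such a check with the remediation outcomes named on the page (approve, mitigate, reject, modify request). Role names, business functions, risk IDs and the mapping between them are constructed for the example.

```python
"""Access-risk (segregation-of-duties) check before provisioning.

Added example; not SAP GRC Access Control code. Role names, business functions
and risk IDs are constructed for this illustration.
"""

# Hypothetical mapping of technical roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "Z_AP_VENDOR_MAINT": {"VENDOR_MASTER_MAINTAIN"},
    "Z_AP_INVOICE_ENTRY": {"VENDOR_INVOICE_ENTRY"},
    "Z_AP_PAYMENT_RUN": {"VENDOR_PAYMENT_RELEASE"},
    "Z_REPORTING_RO": {"REPORT_DISPLAY"},
}

# Hypothetical access-risk rules: two functions one person must not combine.
RISK_RULES = {
    "P001": ("VENDOR_MASTER_MAINTAIN", "VENDOR_PAYMENT_RELEASE"),
    "P002": ("VENDOR_INVOICE_ENTRY", "VENDOR_PAYMENT_RELEASE"),
}


def roles_granting(function, roles):
    """Which of the given roles grant this business function."""
    return sorted(r for r in roles if function in ROLE_FUNCTIONS.get(r, set()))


def analyze(current_roles, requested_roles):
    """Simulative risk analysis on the access the user WOULD hold after provisioning.

    Evaluating only the requested roles would miss the classic case where one
    harmless-looking new role completes a conflict with a role already held.
    """
    combined = set(current_roles) | set(requested_roles)
    violations = []
    for risk_id, (f1, f2) in sorted(RISK_RULES.items()):
        r1, r2 = roles_granting(f1, combined), roles_granting(f2, combined)
        if r1 and r2:
            violations.append({"risk": risk_id, "functions": (f1, f2), "roles": (r1, r2)})
    return violations


def decide(current_roles, requested_roles, mitigations=frozenset()):
    """Return (decision, violations): 'approve' when no risk is hit, 'mitigate'
    when every hit risk has a mitigating control assigned, otherwise 'reject'."""
    violations = analyze(current_roles, requested_roles)
    if not violations:
        return "approve", violations
    if all(v["risk"] in mitigations for v in violations):
        return "mitigate", violations
    return "reject", violations


def modified_request(current_roles, requested_roles):
    """Remediation option 'modify request': drop the requested roles that take
    part in a violation and keep the rest, so the remainder can be provisioned."""
    conflicting = set()
    for v in analyze(current_roles, requested_roles):
        for role_list in v["roles"]:
            conflicting.update(r for r in role_list if r in requested_roles)
    return sorted(set(requested_roles) - conflicting)


def provision(user, current_roles, requested_roles, mitigations=frozenset()):
    """Step 6 of the process: provision only if the GRC step did not reject."""
    decision, violations = decide(current_roles, requested_roles, mitigations)
    granted = set(current_roles)
    if decision != "reject":
        granted |= set(requested_roles)
    return {"user": user, "decision": decision,
            "risks": [v["risk"] for v in violations], "roles": sorted(granted)}


if __name__ == "__main__":
    print(provision("jack_jones", {"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT_RUN"}))
    print(provision("jack_jones", {"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT_RUN"}, {"P001"}))
    print(modified_request({"Z_AP_VENDOR_MAINT"}, {"Z_AP_PAYMENT_RUN", "Z_REPORTING_RO"}))
```

A mitigating control (an assigned reviewer, a compensating report) does not remove the conflict; it only changes the decision from reject to mitigate, which is why the violations are returned in both cases so that the access review in step 5 can see them.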

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure; UCONN

Planned enhancement - Architecture Draft for the Centralized SAP Attack Monitoring Infrastructure
Diagram: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver systems, non-SAP NetWeaver systems, desktop and mobile front ends, infrastructure, databases and the network (IDS), plus alerts from SAP Solution Manager, and processes them in the stages connectivity, extraction, filtering, normalization and aggregation. Attack pattern updates are delivered by SAP, an information back channel to SAP is foreseen, and an API to other SIEM tools is provided.
Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary - Key Take-Aways
- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information
SAP Public Web:
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event
- SAP TechEd Virtual Hands-on Workshops: access hands-on workshops post-event; available January - March 2014; complimentary with your SAP TechEd registration; http://sapteched.hands-on.sap.com
- SAP TechEd Online: access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more; view content only available online; http://sapteched.com/online
Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 18: SIS100 - Overview About Product Security, IDM and SSO

SAP HANA - authentication and single sign-on
Diagram (repeated on the following SAP HANA slides): the SAP HANA security areas are Authentication/SSO, Authorization, Encryption, Audit Logging and the Identity Store; XS applications sit on top of them.
SQL access:
- User name and password (incl. password policy)
- Kerberos
- SAML
HTTP access (SAP HANA XS):
- User name and password (basic authentication, form-based login, incl. password policy)
- SAML
- X.509
- SAP logon tickets

SAP HANA - user and role management
- For logon, users must exist in the identity store of the SAP HANA database
- Roles (and privileges) can be assigned to users
- Roles are used to bundle and structure privileges: create roles for specific groups of users; role hierarchies are supported
- Role lifecycle: design-time roles, export to the production system, activate as runtime roles

SAP HANA - authorization: privilege types
- System privileges: authorize the execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA - communication and data encryption
- Communication encryption: SSL
- Data encryption: data volumes on disk

SAP HANA - audit logging
- Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
- User-defined policies for audit logging
- Data access logging: read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA - security administration
- SAP HANA Studio (Administration)
- SQL interface (the command line tool hdbsql is available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful
SAP Mobile Security (on-premise, hybrid, cloud) covers:
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Share My Files, My Files - Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents
- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere
SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.
Session MOB118 - Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service - One Login for Cloud Applications
SAP ID service provides authentication, single sign-on and user management for the SAP Cloud:
- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications
- One SAP identity: SAP ID service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd-party on-demand applications by verifying user identities and granting authentication
Session SIS102 - SAP ID Service - Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" - Handled With Industry Standards
Diagram: the standards SAML, Liberty ID-WSF, WS-*/SOAP, OAuth, XRDS, OpenID, REST and Kerberos are placed between the enterprise (on-premise) camp and the Internet/cloud (on-demand) camp.
SAP bridges the gap between these two "camps".

Support of Industry Standards
- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service
Simple trust configuration on-premise / on-demand instead of point-to-point connections.
Diagram: in the customer's on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service trusts that IdP and a social IdP and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd-party applications.

On-Demand and On-Premise Integration: SAP NetWeaver Identity Management
SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported (on-demand, on-premise and on-device integration).

Secure Communication and Interaction: On-Demand Solutions
Diagram: Company A and Company B each have back-end networks (R/3 and ERP application server farms, a directory) with their own Identity Provider; the on-demand solutions of both companies and a shared on-demand Identity Provider are connected via SAML, while the back ends use SAP logon tickets.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions
Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java.

Logging and Monitoring - AS ABAP Tools Overview
- Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor
- Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when and via which interface. Target audience: data protection officer
- Security Audit Log: monitoring of security-relevant events in the system like logon, access control violations and more. Target audience: security administrator
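The Security Audit Log only earns its keep if someone correlates its events. The following Python example, added here and not an SAP tool, runs a sliding-window detection for password guessing over a constructed, simplified SM20-style export: the message IDs AU1 (logon successful) and AU2 (logon failed) are the Security Audit Log's own, but the pipe-separated line layout, the user names, terminals and thresholds are assumptions made for the example.

```python
"""Password-guessing detection over Security Audit Log entries.

Added example; not an SAP tool. The line format is a constructed, simplified
SM20 export (timestamp|message ID|user|terminal|text); the message IDs AU1
(logon successful) and AU2 (logon failed) are the Security Audit Log's own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: five failed logons for JDOE from one terminal, then success.
SAMPLE_LOG = """\
2013-11-05 08:00:01|AU2|JDOE|WS-0042|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:00:05|AU2|JDOE|WS-0042|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:00:09|AU2|JDOE|WS-0042|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:00:14|AU2|JDOE|WS-0042|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:00:20|AU2|JDOE|WS-0042|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:00:31|AU1|JDOE|WS-0042|Logon successful (type=A, method=P)
2013-11-05 08:02:00|AU2|MSMITH|WS-0017|Logon failed (reason=1, type=A, method=P)
2013-11-05 08:02:40|AU1|MSMITH|WS-0017|Logon successful (type=A, method=P)
2013-11-05 08:10:00|AU3|JDOE|WS-0042|Transaction SE16 started
"""

FAIL_THRESHOLD = 5            # failed logons per user inside WINDOW that raise an alert
WINDOW = timedelta(minutes=5)


def parse(text):
    """Return events as dicts, oldest first, from the constructed export format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, msg_id, user, terminal, message = line.split("|", 4)
        events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                       "id": msg_id, "user": user, "terminal": terminal, "text": message})
    return sorted(events, key=lambda e: e["time"])


def detect(events):
    """Sliding-window correlation per user.

    Alerts on FAIL_THRESHOLD failed logons inside WINDOW, and separately on a
    successful logon that follows such a run, which is the case worth paging
    someone for: the guessing may have worked.
    """
    recent_failures = defaultdict(deque)   # user -> timestamps of AU2 within WINDOW
    already_alerted = set()
    alerts = []
    for ev in events:
        window = recent_failures[ev["user"]]
        while window and ev["time"] - window[0] > WINDOW:
            window.popleft()                # drop failures that fell out of the window
        if ev["id"] == "AU2":
            window.append(ev["time"])
            if len(window) >= FAIL_THRESHOLD and ev["user"] not in already_alerted:
                alerts.append({"kind": "repeated_failed_logon", "user": ev["user"],
                               "terminal": ev["terminal"], "failures": len(window),
                               "time": ev["time"]})
                already_alerted.add(ev["user"])
        elif ev["id"] == "AU1":
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"kind": "logon_after_failed_attempts", "user": ev["user"],
                               "terminal": ev["terminal"], "failures": len(window),
                               "time": ev["time"]})
            window.clear()                  # a successful logon ends the run
            already_alerted.discard(ev["user"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Keying the window on the user alone is deliberate: guessing from several terminals still shows up, whereas keying on user and terminal would split the run. A production rule would add the terminal as a second, separate signal and feed both into the SIEM the attack monitoring slides describe.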


Monitoring and Auditing: The SAP Audit Information System (AIS)
Diagram: audit planning with a work program (system audit, business audit) and online controls on the SAP database (system information, reconciliation, balance sheet / P&L, account balances, documents); data export via an export interface (account balances, line items) from the SAP environment to the non-SAP environment, where analysis software (ACL, IDEA, ...) and reporting software prepare work papers and reports on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...

Monitoring and Auditing: The SAP Audit Information System (AIS)
The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features
Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface
The amount of detail to be logged is customizable based on:
- the user interfaces used to access the data
- the operations executed on remote APIs
- the users using the remote APIs or user interfaces
- entities and their content
Session SIS104 - Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework
Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.
Diagram: ABAP server with the application (Web Dynpro) writing to the read access log.

Read Access Logging Framework: Features
Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development - User Interface (UI) Logging
Diagram: in the SAP back-end system the data traffic between SAP GUI for Windows and the Dynpro processor (request/response) is observed; a delivered sample implementation writes a temporary log and calls the log service asynchronously, which writes to the permanent log storage in the repository.
In addition to the Read Access Logging framework you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
Screenshot: transaction BP (Business Partner) log record

UI Logging: Log Record Example II
Screenshot: transaction SE16 (Table Viewer) log record

Access Logging with Business Warehouse
- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging
Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11, ...

Channel support (Read Access Logging / UI Logging solution):
- SAP GUI: no / 7.00...7.31
- Web Dynpro ABAP: 7.40 SP02 / on request
- CRM Web Client UI: no / 7.00...7.31
- Business Warehouse: no / 7.00...7.31, BW 7.0
- Web Services: 7.40 / on request
- SAP RFC: 7.40 SP02 / on request
- Business Server Pages (BSP): no / on request

Read Access Logging: Compliance with Legal Regulations
Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.
When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
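The two Read Access Logging passages above (filters that keep private data out of the logs, and the legal limits on what may be recorded and for how long) translate into concrete controls on the log writer itself. The following Python example, added here and not the Read Access Logging framework, keeps the who/what/when/how of an access while reducing each value per field policy (full value, last four characters plus a keyed pseudonym, or presence only) and enforcing a retention period. Entity and field names, the policy table, the pseudonym key and the 90-day retention are constructed for the example.

```python
"""Read-access log entries with field-level reduction and a retention limit.

Added example; not the Read Access Logging framework itself. Entity and field
names, the policy table, the key and the retention period are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Per-field policy standing in for RAL's logging configuration:
#   "value"    log the value as shown to the user
#   "masked"   log only the last four characters plus a keyed pseudonym
#   "presence" log only that the field was displayed
FIELD_POLICY = {
    ("BUSINESS_PARTNER", "NAME"): "value",
    ("BUSINESS_PARTNER", "CREDIT_CARD_NUMBER"): "masked",
    ("BUSINESS_PARTNER", "HEALTH_NOTE"): "presence",
}
RETENTION = timedelta(days=90)                      # assumed, agreed with the DPO
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def _pseudonym(value):
    """Keyed hash: lets entries about the same card be correlated without storing it."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def record_access(log, user, channel, entity, fields, when):
    """Append who/what/when/how; values are reduced per FIELD_POLICY before storage."""
    logged = {}
    for name, value in fields.items():
        policy = FIELD_POLICY.get((entity, name), "presence")   # unknown field: presence only
        if policy == "value":
            logged[name] = value
        elif policy == "masked":
            logged[name] = {"last4": value[-4:], "ref": _pseudonym(value)}
        else:
            logged[name] = None
    entry = {"time": when.isoformat(), "user": user, "channel": channel,
             "entity": entity, "fields": logged}
    log.append(entry)
    return entry


def who_accessed(log, entity, field):
    """The data protection officer's question: who saw this field, when, via which channel."""
    return [(e["time"], e["user"], e["channel"])
            for e in log if e["entity"] == entity and field in e["fields"]]


def purge_expired(log, now):
    """Enforce the retention limit in place; returns the number of entries removed."""
    kept = [e for e in log if now - datetime.fromisoformat(e["time"]) <= RETENTION]
    removed = len(log) - len(kept)
    log[:] = kept
    return removed


def leaks_value(log, value):
    """Check that a raw sensitive value does not appear anywhere in the serialized log."""
    return value in json.dumps(log)


if __name__ == "__main__":
    log = []
    record_access(log, "JDOE", "SAPGUI:BP", "BUSINESS_PARTNER",
                  {"NAME": "Jack Jones", "CREDIT_CARD_NUMBER": "4111111111111111",
                   "HEALTH_NOTE": "allergic to penicillin"},
                  datetime(2013, 11, 5, 12, 0))
    print(json.dumps(log, indent=2))
```

The default of "presence" for any field without an explicit policy is the safe direction: a new sensitive field added to a screen is never logged in full by accident. The pseudonym key must be protected like the log itself, since whoever holds it can test candidate card numbers against the stored references.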

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library
Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library.
- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures - Step by Step
1. A transaction triggers the digital signature
2. The user information is transferred to the SAP client
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data
Supported out of the box for a set of SAP transactions. Programming or integration is necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions; hardware support being needed.

SNC Client Encryption
Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel (compliance, integrity, confidentiality).
SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption - Overview
- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included
Diagram: the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser / BEx Browser) connect via SNC to the SAP application servers, which also use SNC between each other.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Diagram: SAP contributes secure software development; customers contribute secure software development, security services and security management.)


SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes: second Tuesday every month

SAP Active Global Support: security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

From the security recommendations discussed later.

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
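A configuration-validation check of the kind described on the two preceding slides (verifying profile parameters against targets for every connected system), as an added Go example that is not SAP Solution Manager code. The parameter names are real AS ABAP profile parameters (login/min_password_lng, login/password_downwards_compatibility, login/no_automatic_user_sapstar, snc/enable, gw/sec_info, ms/acl_info); the target values, the comparison rules and the two sample systems PRD and DEV are this example's assumptions, not SAP's published recommendations.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
)

// Target describes the expected setting of one ABAP profile parameter.
// Cmp is "eq" (exact value) or "min" (numeric minimum).
type Target struct{ Param, Cmp, Want, Why string }

// Finding is one deviation between a system's actual value and the target.
type Finding struct{ System, Param, Actual, Want, Why string }

// Target list modelled on the secure-configuration topics (password policy,
// password hashes, default users, SNC, gateway and message server ACLs).
// Assumed target values for this example; real targets come from the
// security recommendations and the organization's own baseline.
var targets = []Target{
	{"login/min_password_lng", "min", "8", "password policy: minimum length"},
	{"login/password_downwards_compatibility", "eq", "0", "password hashes: no downward-compatible hashes"},
	{"login/no_automatic_user_sapstar", "eq", "1", "default users: no automatic SAP* logon"},
	{"snc/enable", "eq", "1", "SNC: encrypted client connections enabled"},
	{"gw/sec_info", "eq", "$(DIR_DATA)/secinfo", "gateway: secinfo ACL configured"},
	{"ms/acl_info", "eq", "$(DIR_DATA)/ms_acl_info", "message server: ACL configured"},
}

func meets(t Target, val string) bool {
	if t.Cmp == "min" {
		have, err1 := strconv.Atoi(val)
		want, err2 := strconv.Atoi(t.Want)
		return err1 == nil && err2 == nil && have >= want
	}
	return val == t.Want
}

// Validate compares one system's actual parameter values with the targets
// and returns the deviations sorted by parameter name. A parameter that is
// not set at all is reported with the actual value "<unset>".
func Validate(system string, actual map[string]string) []Finding {
	var out []Finding
	for _, t := range targets {
		val, ok := actual[t.Param]
		if !ok {
			out = append(out, Finding{system, t.Param, "<unset>", t.Want, t.Why})
		} else if !meets(t, val) {
			out = append(out, Finding{system, t.Param, val, t.Want, t.Why})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Param < out[j].Param })
	return out
}

// Constructed sample landscape: parameter values as a monitoring job would
// read them from each system's instance profile.
var landscape = map[string]map[string]string{
	"PRD": {
		"login/min_password_lng":                 "12",
		"login/password_downwards_compatibility": "0",
		"login/no_automatic_user_sapstar":        "1",
		"snc/enable":                             "1",
		"gw/sec_info":                            "$(DIR_DATA)/secinfo",
		"ms/acl_info":                            "$(DIR_DATA)/ms_acl_info",
	},
	"DEV": {
		"login/min_password_lng":                 "6",
		"login/password_downwards_compatibility": "1",
		"login/no_automatic_user_sapstar":        "1",
		"snc/enable":                             "0",
	},
}

// ValidateLandscape runs the check for every system and returns findings per system.
func ValidateLandscape() map[string][]Finding {
	res := map[string][]Finding{}
	for sys, params := range landscape {
		res[sys] = Validate(sys, params)
	}
	return res
}

func main() {
	for sys, fs := range ValidateLandscape() {
		fmt.Printf("%s: %d deviation(s)\n", sys, len(fs))
		for _, f := range fs {
			fmt.Printf("  %-40s actual=%-22s target=%-22s %s\n", f.Param, f.Actual, f.Want, f.Why)
		}
	}
}
```

Reporting an unset parameter as a deviation rather than skipping it is deliberate: a parameter left at its kernel default is the usual way a weak setting survives in a landscape.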

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, lightweight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Spectrum of measures: manual source code review – automated source code analysis – automated application vulnerability scanning – manual application penetration testing

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Within the same spectrum (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing), the SAP NetWeaver Application Server add-on for code vulnerability analysis covers the SAST side: finding vulnerabilities by analyzing the sources, whereas DAST finds vulnerabilities in the running application.

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
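The kind of data-flow analysis the code vulnerability add-on is described as performing (tracking user input through the program until it reaches a dangerous statement), reduced to a single-pass taint check as an added Go example. This is neither SAP's tool nor ABAP code from the slides: it recognizes only a handful of ABAP constructs (PARAMETERS and SELECT-OPTIONS as input sources, plain assignments as propagation, a dynamic WHERE clause and OPEN DATASET as sinks) over a constructed ABAP fragment, and covers two of the bug classes listed above, SQL injection and directory traversal.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one data flow from user input into a dangerous statement.
type Finding struct {
	Line     int
	Category string
	Variable string
}

var (
	// Sources: report parameters and selection options carry user input.
	reParam = regexp.MustCompile(`(?i)^\s*(?:PARAMETERS|SELECT-OPTIONS)\s+([A-Za-z_]\w*)`)
	// Propagation: "lhs = rhs." taints lhs exactly when a name in rhs is tainted.
	reAssign = regexp.MustCompile(`(?i)^\s*([A-Za-z_]\w*)\s*=\s*(.+)\.\s*$`)
	// Sinks: a dynamic WHERE clause "(var)" and OPEN DATASET on a variable.
	reDynWhere = regexp.MustCompile(`(?i)\bWHERE\s*\(\s*([A-Za-z_]\w*)\s*\)`)
	reOpenDS   = regexp.MustCompile(`(?i)\bOPEN\s+DATASET\s+([A-Za-z_]\w*)`)
	reIdent    = regexp.MustCompile(`[A-Za-z_]\w*`)
)

// Scan makes one forward pass over ABAP source, tracking which variables
// (transitively) hold user input and reporting those that reach a sink.
// ABAP names are case-insensitive, so they are compared in lower case.
func Scan(source string) []Finding {
	tainted := map[string]bool{}
	isTainted := func(name string) bool { return tainted[strings.ToLower(name)] }
	var findings []Finding
	for i, line := range strings.Split(source, "\n") {
		if m := reParam.FindStringSubmatch(line); m != nil {
			tainted[strings.ToLower(m[1])] = true
			continue
		}
		if m := reAssign.FindStringSubmatch(line); m != nil {
			fromInput := false
			for _, id := range reIdent.FindAllString(m[2], -1) {
				fromInput = fromInput || isTainted(id)
			}
			tainted[strings.ToLower(m[1])] = fromInput // a clean assignment also clears taint
			continue
		}
		if m := reDynWhere.FindStringSubmatch(line); m != nil && isTainted(m[1]) {
			findings = append(findings, Finding{i + 1, "SQL injection: dynamic WHERE built from user input", m[1]})
		}
		if m := reOpenDS.FindStringSubmatch(line); m != nil && isTainted(m[1]) {
			findings = append(findings, Finding{i + 1, "Directory traversal: file name built from user input", m[1]})
		}
	}
	return findings
}

// Constructed ABAP fragment (not from the slides): two unsafe flows and, on
// the last line, the safe host-variable form of the same query for comparison.
const sampleABAP = `REPORT z_demo.
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
DATA lv_file TYPE string.
lv_where = |CARRNAME = '{ p_name }'|.
SELECT * FROM scarr INTO TABLE @DATA(lt_hits) WHERE (lv_where).
lv_file = '/usr/sap/export/' && p_name.
OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
SELECT * FROM scarr INTO TABLE @DATA(lt_safe) WHERE carrname = @p_name.`

func main() {
	for _, f := range Scan(sampleABAP) {
		fmt.Printf("line %d: %s (variable %s)\n", f.Line, f.Category, f.Variable)
	}
}
```

The last line of the sample is the fix for the first finding: binding the input as a host variable instead of concatenating it into a dynamic WHERE clause takes the variable out of the sink entirely, which is also why the scanner stays silent on it.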

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• check of the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java / Portal         ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
• Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
• Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
• Compliance and governance: SAP GRC Access Control
• Identity management: SAP NetWeaver Identity Management
• Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for the Crypto Library

SNC Client Encryption (part of SAP NetWeaver)
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: after a primary authentication, the E-SSO monitor and the local management console supply the stored credentials of a user, here jack_jones, to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.)

Secure Login – Solution Architecture

(Architecture diagram; recoverable components:)
• Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with the Secure Login Web Client (SLWC, applet); SAP or Java Crypto Library; browser key store
• SAP backend system, ABAP stack: Secure Login Library, PSE service
• SAP backend system, Java stack (NetWeaver CE 7.2): Secure Login Server with configuration data
• Authentication server (e.g. SAP User Management) and further backend systems, also equipped with the Secure Login Library
• Protocols: DIAG over SNC between the SAP frontend and the ABAP stack, HTTP(S) between the clients and the Secure Login Server

SAP NetWeaver Single Sign-On: Identity Federation
• Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM and further systems, plus cloud services, all taking part in one business process.)

Identity Federation – Solution

(Diagram: Datacenter A of Company A and Datacenter B of Company B each run an Identity Provider; ERP, CRM, SCM and further systems act as Service Providers (SP) that are linked through identity federation.)

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an SAP NetWeaver Java Identity Provider with its user accounts; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with their own user accounts; log on/log off and SAML token flows between them.)

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
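The browser-based flow described above (redirect to the Identity Provider, one authentication, access to every Service Provider without re-authentication), as an added Go example that is not SAP code. It models SAML 2.0 with a simplified JSON assertion signed by the IdP's ECDSA key instead of XML with XML-DSig; the checks a Service Provider performs (signature, issuer, audience, validity window) are the ones that matter and are kept. The IdP name idp.example, the SP names erp and crm, the cookies and the user jack_jones are constructed, and the credential check accepts any non-empty password.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for a SAML 2.0 assertion: subject, issuing IdP, audience SP and validity end.
type Assertion struct {
	Issuer, Subject, Audience string
	NotOnOrAfter              time.Time
}

// SignedAssertion is the serialized assertion plus the IdP's signature over it.
type SignedAssertion struct{ Body, Signature []byte }

// IdentityProvider authenticates a browser once, then issues assertions for any SP.
type IdentityProvider struct {
	Name     string
	key      *ecdsa.PrivateKey
	sessions map[string]string // browser cookie -> authenticated user
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &IdentityProvider{Name: name, key: key, sessions: map[string]string{}}, err
}

// Authenticate runs only when the browser has no IdP session. Constructed check: any non-empty credentials pass.
func (idp *IdentityProvider) Authenticate(cookie, user, password string) error {
	if user == "" || password == "" {
		return errors.New("authentication failed")
	}
	idp.sessions[cookie] = user
	return nil
}

// Issue returns a signed, short-lived assertion bound to the requesting SP as audience.
func (idp *IdentityProvider) Issue(cookie, audience string) (*SignedAssertion, error) {
	user, ok := idp.sessions[cookie]
	if !ok {
		return nil, errors.New("no IdP session")
	}
	body, _ := json.Marshal(Assertion{idp.Name, user, audience, time.Now().Add(5 * time.Minute)})
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, idp.key, digest[:])
	return &SignedAssertion{body, sig}, err
}

// ServiceProvider trusts one IdP (name and public key) and keeps a local session per browser.
type ServiceProvider struct {
	Name, idpName string
	idpKey        *ecdsa.PublicKey
	sessions      map[string]string
}

func NewServiceProvider(name string, idp *IdentityProvider) *ServiceProvider {
	return &ServiceProvider{name, idp.Name, &idp.key.PublicKey, map[string]string{}}
}

// Consume validates signature, issuer, audience and validity window, then opens a local session.
func (sp *ServiceProvider) Consume(cookie string, sa *SignedAssertion, now time.Time) (string, error) {
	digest := sha256.Sum256(sa.Body)
	if !ecdsa.VerifyASN1(sp.idpKey, digest[:], sa.Signature) {
		return "", errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.idpName || a.Audience != sp.Name {
		return "", errors.New("assertion not issued by the trusted IdP for this SP")
	}
	if !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion expired")
	}
	sp.sessions[cookie] = a.Subject
	return a.Subject, nil
}

// Access models one browser request: an SP without a local session redirects to
// the IdP, which asks for credentials only if it has no session for that browser.
func Access(sp *ServiceProvider, idp *IdentityProvider, cookie, user, password string) (string, error) {
	if u, ok := sp.sessions[cookie]; ok {
		return u, nil
	}
	if _, ok := idp.sessions[cookie]; !ok {
		if err := idp.Authenticate(cookie, user, password); err != nil {
			return "", err
		}
	}
	sa, err := idp.Issue(cookie, sp.Name)
	if err != nil {
		return "", err
	}
	return sp.Consume(cookie, sa, time.Now())
}

func main() {
	idp, _ := NewIdentityProvider("idp.example")
	erp, crm := NewServiceProvider("erp", idp), NewServiceProvider("crm", idp)
	fmt.Println(Access(erp, idp, "cookie-1", "jack_jones", "secret")) // credentials entered once
	fmt.Println(Access(crm, idp, "cookie-1", "", ""))                 // second SP: no re-authentication
}
```

The audience check is the one most often missing in home-grown SP code: without it an assertion issued for one Service Provider can be replayed at another.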

SAP NetWeaver Identity Management
• Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
• Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
• Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
• Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
• Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management with its central identity store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.)

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central identity store
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Architecture diagram; recoverable components:)
• Identity Center (IC) database: either MS SQL or Oracle DB, soon IBM DB2; stored procedures; logs and audit
• Identity Center runtime: Java runtime, VB runtime, DSE (VB), Dispatcher (VB), which starts the Event Agent
• Identity Services (IdS) on AS Java, reached via HTTPS
• Virtual Directory Server (VDS) in a Java VM, reached via LDAP, connecting external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific connectors, etc.)
• User interface: AS Java Web Dynpro with the ID Mgmt UI abstraction, JMX; MMC Management Console (soon to be Eclipse-based)
• Connections: database protocol between runtime and IC database; HTTPS and LDAP towards AS Java and VDS

Compliant Identity Management with SAP GRC Access Control
• Session SIS205 – Strategies for Closing the Gap between Access Control and Identity Management Processes

Compliant Identity Management

Process between the user, SAP NetWeaver Identity Management, the approver, SAP GRC Access Control and the compliance team:

1. The user requests a role, privileges, a user account, …
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, …
3. Approval is granted by the manager, delegate, role owner, application owner, …
4. The request is sent for risk analysis (manager, delegate, role owner, application owner, …)
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, …
6. Provisioning to business applications, non-SAP systems, …, and an approval mail is sent to the user

Result: compliant identity management.
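The six-step workflow above, as an added Go example that is not SAP NetWeaver Identity Management or GRC Access Control code: an access request moves through approval, risk analysis and remediation before provisioning, and risk analysis is a segregation-of-duties check of the requested roles combined with the roles the user already holds. The SoD rules, role names, identity store contents and the user jack_jones are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// State of an access request as it moves between IdM, the approver and GRC.
type State string

const (
	Requested   State = "requested"    // step 1: user requests access
	Approved    State = "approved"     // steps 2-3: approver granted the request
	RiskFlagged State = "risk-flagged" // steps 4-5: risk analysis found an SoD conflict
	Provisioned State = "provisioned"  // step 6: written to the target systems
	Rejected    State = "rejected"
)

// Request carries the requested roles plus whatever risk analysis recorded.
type Request struct {
	User       string
	Roles      []string
	State      State
	Risks      []string
	Mitigation string
}

// SoDRule names two roles one person must not hold together (constructed rules).
type SoDRule struct{ A, B, Risk string }

var sodRules = []SoDRule{
	{"VENDOR_MAINTAIN", "INVOICE_POST", "create a vendor and pay it"},
	{"PAYROLL_MAINTAIN", "PAYROLL_RUN", "change and execute payroll"},
}

// IdentityStore maps users to the roles already provisioned for them (constructed).
type IdentityStore map[string][]string

// RiskAnalysis (step 4) checks existing plus requested roles against every rule,
// so a conflict that only arises in combination with old roles is caught too.
func (s IdentityStore) RiskAnalysis(user string, requested []string) []string {
	have := map[string]bool{}
	for _, r := range append(append([]string{}, s[user]...), requested...) {
		have[r] = true
	}
	var risks []string
	for _, rule := range sodRules {
		if have[rule.A] && have[rule.B] {
			risks = append(risks, rule.Risk)
		}
	}
	return risks
}

// Approve is steps 2-3: the manager, delegate, role owner or application owner decides.
func Approve(req *Request, granted bool) {
	if req.State != Requested {
		return
	}
	if granted {
		req.State = Approved
	} else {
		req.State = Rejected
	}
}

// Analyze sends an approved request to risk analysis and records the result (step 5).
func (s IdentityStore) Analyze(req *Request) {
	if req.State != Approved {
		return
	}
	req.Risks = s.RiskAnalysis(req.User, req.Roles)
	if len(req.Risks) > 0 {
		req.State = RiskFlagged
	}
}

// Mitigate is the compliance team's "mitigate" outcome of step 5: a compensating
// control is recorded and the request may proceed.
func Mitigate(req *Request, control string) {
	if req.State == RiskFlagged && control != "" {
		req.Mitigation = control
		req.State = Approved
	}
}

// Provision is step 6; it refuses anything not approved or still carrying an unmitigated risk.
func (s IdentityStore) Provision(req *Request) error {
	if req.State != Approved {
		return fmt.Errorf("cannot provision a request in state %q", req.State)
	}
	if len(req.Risks) > 0 && req.Mitigation == "" {
		return errors.New("unmitigated SoD risk")
	}
	s[req.User] = append(s[req.User], req.Roles...)
	req.State = Provisioned
	return nil
}

func main() {
	store := IdentityStore{"jack_jones": {"INVOICE_POST"}}
	req := &Request{User: "jack_jones", Roles: []string{"VENDOR_MAINTAIN"}, State: Requested}
	Approve(req, true)
	store.Analyze(req)
	fmt.Println("after risk analysis:", req.State, req.Risks)
	Mitigate(req, "monthly review of vendor payments by the finance controller")
	fmt.Println("provision:", store.Provision(req), store["jack_jones"])
}
```

The point of running the analysis against the combined role set is the one the slides' "compliance checks" refer to: a request that looks harmless on its own (one role) can still complete a conflicting pair with what the user already has.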

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Architecture diagram; recoverable components:)
• SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A), Content Lifecycle Management (CLM)
• SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications via adapter (optional)
• SAP NW Portal 7.02 with GRC portal content (optional)
• SAP NW BW 7.02 with GRC BI content (optional)
• Identity management solutions, SAP or non-SAP (optional)
• SAP NW Java 7.02 with Adobe Document Services (optional)
• Front-end client: SAP GUI 7.10 or web browser with Adobe Flash Player and SAP CR Adapter
• Protocols shown between the components: RFC, http, web services, DIAG
• SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Process diagram: an HR application event, new hire or change of position, triggers Identity Management to calculate entitlements based on the position; the line manager approves (yes) or declines (no) the assignments; SAP GRC Access Control performs the compliance check and, where needed, remediation; on approval, users are created and roles and privileges assigned across the heterogeneous landscape.)

Moving Security to the Next Level: Planned Features and Developments
• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Architecture diagram; recoverable components:)
• Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP-NetWeaver systems; desktop frontend and mobile frontend; logs of infrastructure; logs of database; logs of network IDS; alerts from SAP Solution Manager
• SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation
• Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP HANA – User and Role Management

(Diagram: SAP HANA security areas, repeated on the following slides: authentication/SSO, authorization, encryption, audit logging, identity store, XS application.)

• For logon, users must exist in the identity store of the SAP HANA database
• Roles (and privileges) can be assigned to users
• Roles are used to bundle and structure privileges
  – Create roles for specific groups of users; role hierarchies supported
• Role lifecycle: design-time roles, export to production system, activate, runtime

SAP HANA – Authorization: Privilege Types

• System privileges: authorize execution of administrative actions for the entire SAP HANA database
• SQL privileges: authorize access to data and operations on database objects
• Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
• Package privileges: authorize access in the repository (modeling environment) at design time
• Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – Communication and Data Encryption

• Communication encryption
  – SSL
• Data encryption
  – Data volumes on disk

SAP HANA – Audit Logging

• Logging of critical events for security and compliance, e.g.
  – User, role and privilege changes
  – Configuration changes
• User-defined policies for audit logging
• Data access logging
  – Read and write access (tables, views), execution of procedures
• Audit trail written to Linux syslog
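Consuming the audit trail once it is in syslog, as an added Go example that is not SAP code: the detection logic raises an alert for every successful user, role, privilege or configuration change (the "critical events" listed above, including an attempt to switch auditing off) and for a burst of failed logons. The log lines are constructed and use a simplified "key=value;key=value" record behind a standard syslog header; the real SAP HANA audit entry layout differs, so ParseLine is the part to adapt to the actual format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuditEvent is one parsed syslog entry: header fields plus the key=value
// pairs of the audit record.
type AuditEvent struct {
	Host, Process string
	Fields        map[string]string
}

// Alert is one detection result, referencing the line it was raised on.
type Alert struct {
	Line               int
	Rule, User, Detail string
}

// Syslog header: "Mon DD hh:mm:ss host process[pid]: message".
var reSyslog = regexp.MustCompile(`^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s+(.*)$`)

// ParseLine splits a syslog line into header fields and ";"-separated key=value pairs.
func ParseLine(line string) (*AuditEvent, bool) {
	m := reSyslog.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	ev := &AuditEvent{Host: m[2], Process: m[3], Fields: map[string]string{}}
	for _, kv := range strings.Split(m[4], ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return ev, true
}

// Successful actions that change users, roles, privileges or configuration
// are the critical events to alert on; each maps to a rule name.
var criticalActions = map[string]string{
	"GRANT": "privilege change", "REVOKE": "privilege change",
	"CREATE USER": "user change", "ALTER USER": "user change", "DROP USER": "user change",
	"CREATE ROLE": "role change", "DROP ROLE": "role change",
	"ALTER SYSTEM": "configuration change",
}

// Analyze walks the log once, raising an alert for every successful critical
// action and for the third failed logon of the same user.
func Analyze(log string) []Alert {
	var alerts []Alert
	failed := map[string]int{}
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, ok := ParseLine(line)
		if !ok || ev.Process != "HDB_audit" {
			continue // not a HANA audit record; other daemons share the syslog
		}
		action, user, status := strings.ToUpper(ev.Fields["action"]), ev.Fields["user"], ev.Fields["status"]
		if rule, hit := criticalActions[action]; hit && status == "SUCCESSFUL" {
			alerts = append(alerts, Alert{i + 1, rule, user, ev.Fields["stmt"]})
		}
		if action == "CONNECT" && status == "UNSUCCESSFUL" {
			failed[user]++
			if failed[user] == 3 {
				alerts = append(alerts, Alert{i + 1, "repeated failed logon", user, "3 failed logons"})
			}
		}
	}
	return alerts
}

// Constructed sample: simplified audit records (process name HDB_audit is an
// assumption of this example) interleaved with an unrelated sshd line.
const sampleSyslog = `
Oct 12 10:15:03 hana01 HDB_audit[4711]: policy=CONNECTS;status=SUCCESSFUL;user=JACK_JONES;action=CONNECT;stmt=
Oct 12 10:15:09 hana01 HDB_audit[4711]: policy=PRIV_CHANGES;status=SUCCESSFUL;user=ADMIN1;action=GRANT;stmt=GRANT DATA ADMIN TO JACK_JONES
Oct 12 10:15:11 hana01 sshd[2002]: Accepted publickey for sapadm from 10.0.0.5
Oct 12 10:16:40 hana01 HDB_audit[4711]: policy=PRIV_CHANGES;status=UNSUCCESSFUL;user=JACK_JONES;action=GRANT;stmt=GRANT DATA ADMIN TO PUBLIC
Oct 12 10:17:01 hana01 HDB_audit[4711]: policy=CONNECTS;status=UNSUCCESSFUL;user=SYSTEM;action=CONNECT;stmt=
Oct 12 10:17:04 hana01 HDB_audit[4711]: policy=CONNECTS;status=UNSUCCESSFUL;user=SYSTEM;action=CONNECT;stmt=
Oct 12 10:17:08 hana01 HDB_audit[4711]: policy=CONNECTS;status=UNSUCCESSFUL;user=SYSTEM;action=CONNECT;stmt=
Oct 12 10:18:00 hana01 HDB_audit[4711]: policy=CONFIG;status=SUCCESSFUL;user=ADMIN1;action=ALTER SYSTEM;stmt=ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM') SET ('auditing configuration','global_auditing_state')='false'
`

func main() {
	for _, a := range Analyze(sampleSyslog) {
		fmt.Printf("line %d: %-22s user=%-10s %s\n", a.Line, a.Rule, a.User, a.Detail)
	}
}
```

The failed GRANT on line 4 is deliberately not alerted as a privilege change (nothing changed), but a real deployment would count such denials per user just like failed logons; shipping the trail to syslog and on to a central SIEM is what keeps the last line, an administrator disabling auditing, visible after the fact.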

SAP HANA – security administration

- SAP HANA Studio (administration perspective)
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful

SAP Mobile Security (on-premise, hybrid, cloud) covers:
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Introducing SAP Mobile Documents: share my files, my files on any device, mobilize enterprise content

- Access personal business documents instantly on your laptop or any mobile device.
- Discover and access content from corporate document management systems.
- Share files with teams, colleagues and business partners from anywhere.

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118 – Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – one login for cloud applications

SAP ID service provides authentication, single sign-on and user management for the SAP Cloud:
- Managing identities and their lifecycle within the SAP Cloud.
- Leverage SSO to SAP web sites and on-demand applications.
- One SAP identity: SAP ID service bridges the gap between
  - the customer's on-premise applications
  - SAP on-demand applications
  - SAP websites
  - 3rd party on-demand applications
  by verifying user identities and granting authentication.

Session SIS102 – SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: two identity "camps", handled with industry standards

- Enterprise (on-premise): SAML, Liberty ID-WSF, WS-* / SOAP, Kerberos
- Internet / cloud (on-demand): OAuth, XRDS, OpenID, REST (with SAML spanning both camps)

SAP bridges the gap between these two "camps".

Support of industry standards

- REST is the preferred choice for UI consumption scenarios in the cloud.
- SOAP/WS-* is the preferred choice for process integration in the enterprise.
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.

On-premise authentication via IdP proxying: integrating the customer's on-premise IdP and 3rd party applications with SAP ID Service

Simple trust configuration (on-premise <-> on-demand) instead of point-to-point connections:
- Customer on-premise network: the user authenticates at the on-premise IdP (X.509 in the diagram).
- SAP on-demand network: SAP ID service acts as the proxy and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd party applications; a social IdP can be attached the same way.

On-demand and on-premise integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported (on-demand, on-premise and on-device integration).

Secure communication and interaction: on-demand solutions

Diagram: the on-demand solution sits between the backend networks of Company A and Company B (R/3 and ERP application server farms, each with its directory). Each company runs its own identity provider; trust between the identity providers, the on-demand solution and the backends is established with SAML, and the on-premise backends are reached with SAP Logon Tickets.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and auditing in ABAP- and Java-based SAP solutions

- ABAP: configuration and results of the Security Audit Log, transactions SM19 (configuration), SM20 (evaluation) and SM18 (reorganization of audit files).
- Java: results in the Log Viewer.

Logging and monitoring – AS ABAP tools overview

- Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor.
- Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when, and via which interface. Target audience: data protection officer.
- Security Audit Log: monitoring of security-relevant events in the system, like logons, access control violations and more. Target audience: security administrator.

Monitoring and auditing: the SAP Audit Information System (AIS)

Diagram: AIS covers audit planning with a work program (system audit, business audit), online controls on the SAP database (system information, reconciliation of BS/P&L, account balances, documents) and data export (account balances, line items) over an export interface. Exported data (line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …) is processed in the non-SAP environment with analysis software (ACL, IDEA, …) and reporting software for work paper preparation and the audit report.

Monitoring and auditing: the SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- who accessed the data
- which data was accessed
- when the data was accessed
- how the data access took place (via which transaction or user interface)

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration (diagram: application / Web Dynpro on the ABAP server writing to the Read Access Log). Note that the channel comparison later in this deck lists SAP GUI as not yet supported by RAL in 7.40 SP02; Web Dynpro ABAP, Web Services and RFC are.

Read Access Logging framework: features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

Diagram: the Dynpro processor in the SAP backend system observes the request/response data traffic between SAP GUI for Windows and the application logic; a delivered sample implementation writes a temporary log and calls the log service asynchronously, which moves the records to permanent log storage in the repository.

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging log record example I: transaction BP (Business Partner) log record (screenshot not reproduced)

UI Logging log record example II: transaction SE16 (Table Viewer) log record (screenshot not reproduced)

Access logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                       Supported by Read Access Logging   UI Logging solution
SAP GUI                       No                                 7.00 … 7.31
Web Dynpro ABAP               7.40 SP02                          On request
CRM Web Client UI             No                                 7.00 … 7.31
Business Warehouse            No                                 7.00 … 7.31 (BW 7.0)
Web Services                  7.40                               On request
SAP RFC                       7.40 SP02                          On request
Business Server Pages (BSP)   No                                 On request

Read Access Logging: compliance with legal regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details (PCI DSS requires the PAN to be rendered unreadable wherever it is stored, logs included).

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
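The three RAL slides above (who/what/when/channel, filters that restrict what is logged, and the legal limits on what a log may contain) come together in the following added example. It is Python written for this page, not SAP's Read Access Logging framework: the channel names, the field policy, the record and the timestamp are all constructed, and the Luhn check is used only to decide which digit runs are card numbers that must be masked before the entry is written.

```python
"""Read-access log filter (added illustration, not SAP's RAL implementation).

Logs who accessed which entity, when and via which channel, while filtering
what is stored: fields with policy "omit" are recorded as accessed but their
content is not kept, fields with policy "mask" keep only the last four digits
of anything that passes the Luhn check (so a full PAN never reaches the log).
Channels, policies and the sample record are constructed.
"""
import re
from datetime import datetime, timezone

LOGGED_CHANNELS = {"WEB_DYNPRO", "RFC", "WEB_SERVICE"}          # configured channels
FIELD_POLICY = {"CARD_NUMBER": "mask", "IBAN": "omit", "SALARY": "omit"}
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")                        # candidate card numbers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid digit run with asterisks, keeping the last four."""
    def repl(match):
        digits = match.group(0)
        if not luhn_ok(digits):
            return digits                       # not a card number, leave it
        return "*" * (len(digits) - 4) + digits[-4:]
    return DIGIT_RUN.sub(repl, text)


def build_log_entry(user, channel, entity, record, when):
    """Return the entry to write, or None when nothing sensitive was shown."""
    if channel not in LOGGED_CHANNELS:
        return None                             # channel not configured for logging
    accessed = sorted(f for f in record if f in FIELD_POLICY)
    if not accessed:
        return None                             # no classified field in this record
    values = {f: mask_pan(str(record[f])) for f in accessed if FIELD_POLICY[f] == "mask"}
    return {"who": user, "when": when.isoformat(), "channel": channel,
            "entity": entity, "fields": accessed, "values": values}


# Constructed sample: a customer record as shown to a user in a Web Dynpro UI
SAMPLE_RECORD = {"CUSTOMER_ID": "C1001", "CARD_NUMBER": "4111111111111111",
                 "IBAN": "DE89370400440532013000", "CITY": "Walldorf"}
WHEN = datetime(2013, 11, 5, 9, 30, tzinfo=timezone.utc)


def demo():
    return build_log_entry("jack_jones", "WEB_DYNPRO", "CUSTOMER", SAMPLE_RECORD, WHEN)
```

The entry records that CARD_NUMBER and IBAN were displayed, but stores neither the IBAN nor more than the last four digits of the card; access over a channel that is not configured (SAP GUI here) produces no entry, which mirrors the channel table of the RAL comparison slide.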

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital signatures via SSF API and Secure Login Library

SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library:
- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital signatures – step by step

1. A transaction on the SAP client triggers the digital signature.
2. User information is transferred.
3. The user authenticates and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

- Supported out of the box for a set of SAP transactions.
- Programming/integration is necessary in case of ABAP programming for other transactions not yet supporting SSF.
- Integration of the Secure Login Library with client actions; hardware support (e.g. smart card) needed.

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel (compliance, integrity, confidentiality).

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram: SNC protects the client side (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) towards the SAP application server, and the server side between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting your SAP systems

Overview: secure software development at SAP and at customers, complemented by SAP security services and security management.


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at the transitions planning to development, development to production, and production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development.
- We plan and implement security using product standard requirements.
- We use state-of-the-art quality assurance methods.
- We verify in quality gates that requirements are met.
- We provide fixes via Product Security Response if vulnerabilities are identified.
- We provide Active Global Support and consulting security services.


SAP Security Services overview (1/2)

- SAP Security Patch Day: SAP security notes, second Tuesday of every month
- SAP Active Global Support security tools and services:
  - SAP Solution Manager System Recommendations
  - SAP EarlyWatch Alert (EWA) with security section
  - SAP Solution Manager Configuration Validation
  - SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services overview (2/2)

- SAP Security Training
  - Secure operation trainings by SAP
  - Secure development trainings by partners
- SAP Security Documentation
  - Security notes published on Service Marketplace
  - SAP security guides for every product
  - SAP security recommendations on some patch days
  - Secure programming guides
  - RunSAP end-to-end solution operations
  - Books published by SAP Press


SAP security management for your systems – are you ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP (SAP Service Marketplace)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD (segregation of duties)?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure system configuration: SAP NetWeaver AS ABAP

Topics from the SAP security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch management and security monitoring

- Check the security of your systems onsite, remotely or as self-service via SAP Solution Manager.
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
- Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented.
- Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support
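The "verify configuration parameters against targets" step from the previous two slides, as an added example in Python. This is not Solution Manager's Configuration Validation; it is written for this page. The parameter names are real AS ABAP profile parameters from the password management, SNC and RFC topics listed above, but the target values are this example's assumed baseline rather than an SAP recommendation, and the system snapshot is constructed.

```python
"""Baseline check of AS ABAP profile parameters (added illustration, not SAP code).

TARGETS holds the assumed baseline of this example: parameter -> (comparison,
target value). The parameter names are genuine AS ABAP profile parameters; the
values are assumptions chosen for the demonstration. SNAPSHOT is a constructed
export of one system's current values, as strings the way RZ11 shows them.
"""

TARGETS = {
    "login/min_password_lng": ("ge", 8),                 # minimum password length
    "login/fails_to_user_lock": ("le", 5),               # lock after at most 5 failed logons
    "login/password_downwards_compatibility": ("eq", 0), # no backward-compatible weak hashes
    "login/no_automatic_user_sapstar": ("eq", 1),        # no implicit SAP* user with default password
    "rfc/reject_expired_passwd": ("eq", 1),              # RFC logon with expired password refused
    "snc/enable": ("eq", 1),                             # SNC switched on
}

OPS = {"eq": lambda a, t: a == t, "ge": lambda a, t: a >= t, "le": lambda a, t: a <= t}


def validate(snapshot, targets=TARGETS):
    """Compare a system's parameter snapshot against the baseline.

    Returns parameter -> (status, actual, target) where status is OK, FAIL,
    MISSING (parameter not set, so the kernel default applies) or INVALID
    (value not numeric, needs a manual look).
    """
    report = {}
    for name, (op, target) in targets.items():
        if name not in snapshot:
            report[name] = ("MISSING", None, target)
            continue
        try:
            actual = int(snapshot[name])
        except ValueError:
            report[name] = ("INVALID", snapshot[name], target)
            continue
        status = "OK" if OPS[op](actual, target) else "FAIL"
        report[name] = (status, actual, target)
    return report


def noncompliant(report):
    """Names of all parameters that are not OK, sorted for stable output."""
    return sorted(name for name, (status, _, _) in report.items() if status != "OK")


def render(report):
    """One line per parameter, for a human-readable result list."""
    return [f"{status:8} {name} actual={actual} target={target}"
            for name, (status, actual, target) in sorted(report.items())]


# Constructed snapshot as it might be pulled from a development system
SNAPSHOT = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "5",
    "login/password_downwards_compatibility": "1",
    "login/no_automatic_user_sapstar": "1",
    "snc/enable": "0",
}
```

A MISSING parameter is reported rather than silently treated as compliant, because the kernel default is often the insecure value (here the missing rfc/reject_expired_passwd defaults to accepting expired passwords over RFC).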

LM Automation Standalone automates security-related configuration and validation tasks for your SAP systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. It is an easy-to-use, light-weight tool with short startup time and small memory footprint.

List of configuration tasks provided with the tool (LM Automation Standalone 1.0 SP00), each available in two flavors, one for ABAP and one for Java application servers:
- SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS).
- SSL Profile Validation: validates parameter settings for secure sessions.
- SSL Maintenance: performs the configuration and describes the required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS).

For more information see SAP Note 1532674.


Secure custom development – secure design

Secure design topics: authentication and identity propagation, secure session handling, communication protocols, authorization concept, logging and audit trace.
Resources: SAP security recommendations, SAP security guides.
How to verify: design review, architectural risk analysis.

Secure custom development – secure programming

Secure programming: avoid security bugs such as cross-site scripting (XSS), cross-site request forgery (XSRF), SQL injection, directory traversal and ABAP code injection.
Resources: SAP Secure Programming Guides, SAP Security Recommendations.
How to verify: source code scanning (automate it).

Overview of SAP code check tools (topic: source code scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).
- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage.
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks.
- Extended Program Check (SLIN): extended program check which analyzes the source code.
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
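What "analyze the data flow and the user input" means in practice, as an added example: a toy taint tracker over a few ABAP statement shapes that reports SQL injection through a dynamic WHERE clause and stays quiet once the input has gone through an escaping routine. This is Python written for this page, not the SAP code vulnerability analysis add-on, and it understands only the statements used in the samples. The three ABAP snippets are constructed; CL_ABAP_DYN_PRG=>ESCAPE_QUOTES is a real class method, but treating it as the only sanitizer is a simplification of this example.

```python
"""Toy taint analysis for ABAP dynamic WHERE clauses (added illustration,
not SAP's code vulnerability analysis add-on).

Sources: selection-screen PARAMETERS (user input). Sink: a dynamic WHERE
clause "WHERE (variable)". Sanitizer: CL_ABAP_DYN_PRG=>ESCAPE_QUOTES / QUOTE.
Taint propagates through "=" assignments (including string templates) and
CONCATENATE ... INTO. Only these statement shapes are understood; the ABAP
snippets below are constructed for the demonstration.
"""
import re

IDENT = re.compile(r"\b[a-z_][a-z0-9_]*\b")
KEYWORDS = {"data", "type", "string", "parameters", "select", "from", "into",
            "table", "where", "concatenate", "separated", "by", "space"}
ASSIGN = re.compile(r"^(\w+)\s*=(?!>)\s*(.+)$")          # "=" but not "=>" (method call)
CONCAT = re.compile(r"^concatenate\s+(.+)\s+into\s+(\w+)")
SINK = re.compile(r"\bwhere\s*\(\s*(\w+)\s*\)")           # dynamic WHERE (lv_where)
SANITIZER = re.compile(r"cl_abap_dyn_prg=>(escape_quotes|quote)\(")


def statements(source):
    """Split ABAP source into lowercase statements; drop '"' line comments."""
    cleaned = "\n".join(line.split('"', 1)[0] for line in source.splitlines())
    return [s.strip().lower() for s in cleaned.split(".") if s.strip()]


def identifiers(expr):
    return {w for w in IDENT.findall(expr) if w not in KEYWORDS}


def scan(source):
    """Return (statement_number, variable) for every tainted dynamic WHERE."""
    tainted, findings = set(), []
    for idx, stmt in enumerate(statements(source), start=1):
        if stmt.startswith("parameters"):
            tainted.add(stmt.replace(":", " ").split()[1])   # user-controlled input
            continue
        m = ASSIGN.match(stmt)
        if m:
            target, expr = m.groups()
            if SANITIZER.search(expr):
                tainted.discard(target)                      # escaped: treated as clean
            elif identifiers(expr) & tainted:
                tainted.add(target)                          # taint flows into target
            else:
                tainted.discard(target)                      # overwritten with clean data
            continue
        m = CONCAT.match(stmt)
        if m:
            (tainted.add if identifiers(m.group(1)) & tainted else tainted.discard)(m.group(2))
            continue
        m = SINK.search(stmt)
        if m and m.group(1) in tainted:
            findings.append((idx, m.group(1)))
    return findings


# Constructed snippets: user input reaches a dynamic WHERE unescaped ...
VULNERABLE = """
PARAMETERS p_city TYPE string.
DATA lv_where TYPE string.
lv_where = |CITY = '{ p_city }'|.
SELECT * FROM scustom INTO TABLE lt_cust WHERE (lv_where).
"""
# ... the same via CONCATENATE ...
VULNERABLE_CONCAT = """
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
CONCATENATE 'NAME = ''' p_name '''' INTO lv_where.
SELECT * FROM scustom INTO TABLE lt_cust WHERE (lv_where).
"""
# ... and the fixed version, quotes escaped before building the clause.
FIXED = """
PARAMETERS p_city TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_city ).
lv_where = |CITY = '{ lv_safe }'|.
SELECT * FROM scustom INTO TABLE lt_cust WHERE (lv_where).
"""
```

The finding names the statement where the tainted variable reaches the sink, not where the input was read, which is what makes a data-flow check more useful than a pattern match on "WHERE (": the real tool does the same across method calls and form routines.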

Application security testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis.
- DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing.

Code vulnerability analysis: scan, analyze and fix your programs

Of the four approaches (manual source code review and automated source code analysis on the SAST side; automated application vulnerability scanning and manual application penetration testing on the DAST side), the SAP NetWeaver Application Server add-on for code vulnerability analysis covers automated source code analysis. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay informed and report issues

Security-related news from SAP (patches, whitepapers etc.):
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes.
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news.

Reporting product security issues:
- Create a customer ticket in the support system.
- If you do not have SAP support, send an e-mail to secure@sap.com.
  - Please use PGP for e-mail encryption.
  - The public PGP key is linked at https://service.sap.com/securitynotes.

Security Response at SAP

- You have found a security vulnerability in an SAP product? What to do: open a customer message.
- How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
- You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for spotlight news; check the security notes released on the Security Patch Days; subscribe to the SAP support portal newsletter; maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security topics in SAP Education courses

Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance.

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0. The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance. Booking code: P_ADM_SEC_70.

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java / Portal         ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria certification for Information Technology Security Evaluation (ISO/IEC 15408)

- Accepted in most of the major global markets.
- Permits comparison between independent security evaluations.
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features.
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs).
- EAL 4 is the highest level accepted internationally under mutual recognition.

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified design and tested
EAL 7   Formally verified design and tested

Common Criteria certified SAP products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, the Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations. Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant identity management and single sign-on

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant identity management and single sign-on: SAP NetWeaver Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures, re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption (part of SAP NetWeaver):
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and solution components

SAP NetWeaver Single Sign-On:
- Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access.
- Identity Federation: web-based and web-service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / cross-domain single sign-on.
- Secure Login: single sign-on for web-based and web-service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications.
- Enterprise Single Sign-On (E-SSO): for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password.

SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on.

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: after a primary authentication, the E-SSO client on the desktop (with its monitor and local management console) fills in the credentials of the user (jack_jones) for terminal emulators, web forms, web basic authentication, Windows applications and Java applications.

Secure Login – solution architecture

Diagram components:
- Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with key store and the Secure Login Web Client (SLWC applet).
- SAP backend system: ABAP stack with the Secure Login Library, reached over DIAG/SNC or HTTP(S); Java stack with PSE service and SAP or Java crypto library.
- Secure Login Server on SAP NetWeaver CE 7.2 with its configuration data, backed by an authentication server (e.g. SAP User Management).

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why identity federation?

Different companies, one business process, separated IT infrastructure: Company A (datacenter A) and Company B (datacenter B) each run their own ERP, CRM and SCM systems, partly in the cloud, yet share one business process.

Identity federation – solution

Diagram: each company's systems (ERP, CRM, SCM in datacenter A and datacenter B) act as service providers (SP); each company runs its own identity provider, and the two identity providers are federated.

- Each company maintains only its own identities.
- A company can trust the identities of another organization.
- Employees of company A can get access to shared information of company B.
- SAP Business Suite will be enabled for SAML (service provider).
- Identity provider and service provider are based on the open SAML standard.

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric
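The redirect, authenticate, token flow described above as an added example (not SAP code): a Python simulation with one Identity Provider and three Service Providers, where one authentication at the IdP is enough for every SP. A signed JSON dict (HMAC) stands in for a SAML assertion and its XML Signature; the entity ids, the user jack_jones' password and the IdP key are constructed.

```python
"""Simulation of SAML Web Browser SSO: one Identity Provider (IdP), several
Service Providers (SPs), one authentication. Added example, not SAP code.
The token is a signed JSON dict standing in for a SAML assertion."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed SP entity ids (hypothetical hosts).
SP_IDS = {"erp-abap": "https://erp.example.com/sp",
          "portal-java": "https://portal.example.com/sp",
          "crm-nonsap": "https://crm.example.com/sp"}

@dataclass
class IdentityProvider:
    issuer: str
    key: bytes                       # stands in for the IdP signing key
    users: dict                      # user -> password (demo only)
    sessions: set = field(default_factory=set)

    def log_on(self, user, password):
        if self.users.get(user) != password:
            return False
        self.sessions.add(user)      # authenticated once, at the IdP
        return True

    def issue_assertion(self, user, audience, ttl=300):
        """Only a user with an IdP session gets an assertion, bound to one SP."""
        if user not in self.sessions:
            return None
        now = int(time.time())
        body = {"Issuer": self.issuer, "Subject": user, "Audience": audience,
                "NotBefore": now - 5, "NotOnOrAfter": now + ttl}
        raw = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        return base64.b64encode(raw).decode() + "." + sig

    def log_off(self, user):
        self.sessions.discard(user)

@dataclass
class ServiceProvider:
    entity_id: str
    trusted_issuer: str
    idp_key: bytes                   # trust = holding the IdP verification key
    local_accounts: set              # the SP's own user account, as in the diagram

    def consume(self, token, now=None):
        """Validate the assertion; return (local user, reason)."""
        now = int(time.time()) if now is None else now
        try:
            raw_b64, sig = token.split(".", 1)
            raw = base64.b64decode(raw_b64)
        except (ValueError, TypeError):
            return None, "malformed"
        expected = hmac.new(self.idp_key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"
        body = json.loads(raw)
        if body["Issuer"] != self.trusted_issuer:
            return None, "untrusted issuer"
        if body["Audience"] != self.entity_id:
            return None, "wrong audience"
        if not (body["NotBefore"] <= now < body["NotOnOrAfter"]):
            return None, "expired or not yet valid"
        if body["Subject"] not in self.local_accounts:
            return None, "no local account"
        return body["Subject"], "ok"

def sso_demo():
    """One log-on, access to all three SPs, then the checks an SP must make."""
    key = b"demo-idp-key"            # constructed demo key
    idp = IdentityProvider("https://idp.example.com", key, {"jack_jones": "pw"})
    sps = {n: ServiceProvider(eid, idp.issuer, key, {"jack_jones"})
           for n, eid in SP_IDS.items()}
    results = {}
    assert idp.log_on("jack_jones", "pw")          # the single authentication
    for name, sp in sps.items():                   # no re-authentication per SP
        tok = idp.issue_assertion("jack_jones", sp.entity_id)
        results[name] = sp.consume(tok)[1]
    tok = idp.issue_assertion("jack_jones", SP_IDS["erp-abap"])
    # an assertion issued for one SP is not accepted by another (Audience check)
    results["replay-to-crm"] = sps["crm-nonsap"].consume(tok)[1]
    # a changed Subject no longer matches the signature
    raw_b64, sig = tok.split(".", 1)
    raw = base64.b64decode(raw_b64).replace(b"jack_jones", b"other_user")
    results["tampered"] = sps["erp-abap"].consume(
        base64.b64encode(raw).decode() + "." + sig)[1]
    # validity window is enforced
    results["expired"] = sps["erp-abap"].consume(tok, now=int(time.time()) + 3600)[1]
    idp.log_off("jack_jones")                      # no session, no new assertion
    results["after-logoff"] = idp.issue_assertion("jack_jones", SP_IDS["erp-abap"])
    return results
```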

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management with a Central Identity Store, triggered by business events (e.g. on-boarding) and integrated with SAP Access Control (GRC) and the SAP Business Suite.

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram: main components and their connections.

- Identity Center (IC) database: MS SQL Server or Oracle DB, soon IBM DB2; stored procedures; logs, audit data and the identity store (IdS).
- Identity Center runtime: Java runtime, VB runtime, DSE (VB), Dispatcher (VB), Event Agent (starts the runtimes); connected to the database via the database protocol.
- Virtual Directory Server (VDS) in a Java VM, accessed via LDAP; front end for external repositories (LDAP, Java, ABAP, Web Services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web Services, SiteMinder, application-specific connectors).
- AS Java with the Web Dynpro user interface (ID Mgmt UI abstraction), reached over HTTPS; JMX.
- Management Console (MMC), soon to be Eclipse-based.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Diagram: the request flows from the User through SAP NetWeaver Identity Management, the Approver, SAP GRC Access Control and the Compliance Team, and back to the User.

1. Request for
   - Role
   - Privileges
   - User account
   - …
2. Request sent for approval to
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
3. Approval granted from
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
4. Send for risk analysis to
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - …
5. Risk analysis and remediation
   - Reject
   - Approve
   - Mitigate
   - Modify request
   - …
6. Provision to
   - Business applications
   - non-SAP systems
   - …
   and send approval mail to User

Result: Compliant Identity Management
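The six steps above as a small state machine, added here as an example and not SAP NetWeaver Identity Management or SAP GRC Access Control code: approvals are collected, the combined role set is checked against a segregation-of-duties rule table standing in for the GRC risk analysis, and provisioning only happens for an approved request that is risk-free or mitigated. The role names, rule ids and the required-approver set are constructed.

```python
"""Compliant identity management flow (request, approval, risk analysis,
remediation, provisioning). Added example; SoD rules and role names are
constructed and stand in for the SAP GRC Access Control rule set."""
from dataclasses import dataclass, field

# Constructed SoD rules: pairs of roles one person must not hold together.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "SOD-001",
    frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"}): "SOD-002",
}
REQUIRED_APPROVERS = {"manager", "role_owner"}     # constructed approval policy

@dataclass
class AccessRequest:
    user: str
    requested_roles: set
    existing_roles: set = field(default_factory=set)
    approvals: set = field(default_factory=set)       # steps 2 and 3
    risks: list = field(default_factory=list)         # steps 4 and 5
    mitigations: dict = field(default_factory=dict)   # risk id -> control
    status: str = "requested"                         # step 1
    log: list = field(default_factory=list)

def approve(req, approver):
    """Step 3: record an approval; the request proceeds once all required parties signed."""
    req.approvals.add(approver)
    req.log.append(f"approved by {approver}")
    if REQUIRED_APPROVERS <= req.approvals:
        req.status = "approved"
    return req.status

def risk_analysis(req):
    """Step 4: check the resulting role set (existing + requested) against the SoD rules."""
    if req.status != "approved":
        raise ValueError("risk analysis runs only on approved requests")
    combined = req.existing_roles | req.requested_roles
    req.risks = [rid for pair, rid in SOD_RULES.items() if pair <= combined]
    req.status = "risk_found" if req.risks else "risk_free"
    req.log.append(f"risk analysis: {req.risks or 'none'}")
    return req.risks

def remediate(req, decision, mitigation=None, drop_roles=()):
    """Step 5: the compliance team rejects, mitigates, or modifies the request."""
    if req.status != "risk_found":
        raise ValueError("nothing to remediate")
    if decision == "reject":
        req.status = "rejected"
    elif decision == "mitigate":
        # every identified risk needs a named mitigating control
        for rid in req.risks:
            if rid not in (mitigation or {}):
                raise ValueError(f"no mitigating control for {rid}")
        req.mitigations = dict(mitigation)
        req.status = "risk_free"
    elif decision == "modify":
        req.requested_roles -= set(drop_roles)
        req.status = "approved"          # the reduced role set is analysed again
        risk_analysis(req)
    req.log.append(f"remediation: {decision}")
    return req.status

def provision(req, target_systems):
    """Step 6: push the roles out only when the request is approved and risk-free."""
    if req.status != "risk_free":
        return {}
    result = {system: sorted(req.requested_roles) for system in target_systems}
    req.status = "provisioned"
    req.log.append(f"provisioned to {sorted(target_systems)}; mail sent to {req.user}")
    return result
```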

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Diagram: SAP GRC 10.0 (AC, PC & RM, software component GRCFND_A) runs on SAP NetWeaver AS ABAP 7.02 and connects to:
- SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
- Non-SAP business applications via an adapter (optional)
- SAP NW Portal 7.02 with GRC portal content (optional)
- SAP NW BW 7.02 with GRC BI content (optional)
- Identity management solutions, SAP or non-SAP (optional)
- SAP NW Java 7.02 with Adobe Document Services and Content Lifecycle Management (CLM) (optional)
- Front-end client: SAP GUI 7.10, Web Browser with Adobe Flash Player and SAP CR Adapter
Protocols shown: http, web services, RFC, DIAG.

Note: the SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Diagram: HR Application (New Hire, Change Position) -> Identity Management (Calculate Entitlements Based on Position) -> Line Manager (Approve Assignments: Yes/No) -> SAP GRC Access Control (Compliance Check, Remediation) -> Heterogeneous Landscape (Create User, Assign Roles/Privileges in each system).

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure has the stages Connectivity, Extraction, Filtering, Normalization and Aggregation.

Inputs:
- Attack pattern updates by SAP
- Logs of SAP NetWeaver
- Logs of non-SAP NetWeaver systems
- Logs of desktop frontend and mobile frontend
- Logs of infrastructure
- Logs of database
- Logs of network IDS
- Alerts from SAP Solution Manager (SolMan)

Outputs:
- API to other SIEM tools
- Information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue Your SAP TechEd Education After the Event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- httpsaptechedhandsonsapcom

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- httpsaptechedcomonline

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


SAP HANA – Authorization: Privilege Types

(Slide navigation: SAP HANA – Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store, XS Application)

- System privileges: authorize execution of administrative actions for the entire SAP HANA database
- SQL privileges: authorize access to data and operations on database objects
- Analytic privileges: authorize read access on analytic views at run-time; provide row-level access control based on dimensions of the respective view
- Package privileges: authorize access in the repository (modeling environment) at design time
- Application privileges: authorize access to SAP HANA XS application functions

SAP HANA – Communication and Data Encryption

- Communication encryption: SSL
- Data encryption: data volumes on disk

SAP HANA – Audit Logging

- Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
- User-defined policies for audit logging
- Data access logging: read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – Security Administration

- SAP HANA Studio: Administration
- SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

Diagram: SAP Mobile Security layers (on-premise, hybrid, cloud):
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Introducing SAP Mobile Documents: Share My Files, My Files on Any Device, Mobilize Enterprise Content

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

Diagram: the SAP ID service (Authentication, Single Sign-On, User Management) sits between the SAP Cloud, on-demand applications and the customer's on-premise application.

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications
- One SAP identity: the SAP ID service bridges the gap between
  - the customer's on-premise application
  - SAP on-demand applications
  - SAP websites
  - 3rd-party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

Diagram: the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos, spread between the Enterprise (on-premise) camp and the Internet/Cloud (on-demand) camp.

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration between on-premise (OP) and on-demand (OD) instead of point-to-point connections.

Diagram: in the customer's on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service, alongside a Social IdP, federates via SAML to SAP Business ByDesign, SAP HANA Cloud and 3rd-party apps.

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

Diagram: OnDemand integration, OnPremise integration, OnDevice integration.

Secure Communication and Interaction: OnDemand Solutions

Diagram: Company A and Company B each run a backend network (R/3 application server farm, ERP, DIR) and an On-Demand solution, with an Identity Provider on each side; SAML assertions and SAP Logon Tickets are the tokens exchanged between the parts.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram: in the SAP environment, AIS covers audit planning (work program: system audit, business audit), online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents) and data export (account balances, line items) through an export interface. In the non-SAP environment, work paper preparation and reporting use analysis software (ACL, IDEA, …) and reporting software over the exported line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram: ABAP Server – Application – Web Dynpro – Read Access Log.

Read Access Logging Framework Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also the data logged itself, thus keeping private data out of the logs.
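An added example (not SAP's Read Access Logging implementation) of the who/which/when/how record and of the filter idea from the two Read Access Logging slides above: a configuration per channel and entity decides which fields are logged and whether their content is kept, masked or only flagged as present, so that full card numbers and similar private data stay out of the log. The configuration keys, entity and field names and users are constructed; the transaction codes BP and SE16 are the ones shown on the page.

```python
"""Minimal read-access logger with per-channel/per-entity filtering.
Added example; configuration and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed configuration. For each (channel, entity): the fields to log and
# how. "full" keeps the value, "masked" keeps only the last 4 characters,
# "exists" records that the field was shown without storing its content.
RAL_CONFIG = {
    ("SAP_GUI", "BusinessPartner"): {"partner_id": "full", "tax_number": "masked",
                                     "card_number": "masked", "salary": "exists"},
    ("WEB_SERVICE", "BusinessPartner"): {"partner_id": "full", "card_number": "masked"},
}
# Constructed user filter per entity: a set of users to log, or None for everyone.
USER_FILTER = {"BusinessPartner": None}

@dataclass(frozen=True)
class ReadAccessRecord:
    timestamp: str    # when
    user: str         # who
    channel: str      # how: user interface or remote API
    operation: str    # e.g. transaction code or service operation
    entity: str       # which data
    fields: dict      # field -> logged content

def _apply_rule(rule, value):
    if rule == "full":
        return str(value)
    if rule == "masked":
        s = str(value)
        return "*" * max(len(s) - 4, 0) + s[-4:]
    return "<present>"          # "exists": the content never reaches the log

def log_read_access(user, channel, operation, entity, data, now=None):
    """Return the record for this access, or None if the configuration excludes it."""
    rules = RAL_CONFIG.get((channel, entity))
    if rules is None:
        return None                                  # channel/entity not in scope
    allowed = USER_FILTER.get(entity)
    if allowed is not None and user not in allowed:
        return None                                  # user filtered out
    # fields absent from the configuration (e.g. free text) are never logged
    logged = {f: _apply_rule(rule, data[f]) for f, rule in rules.items() if f in data}
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return ReadAccessRecord(ts, user, channel, operation, entity, logged)

def who_accessed(records, entity, field_name):
    """Evaluation: which users saw a given field of an entity, and via which channel."""
    return sorted({(r.user, r.channel) for r in records
                   if r is not None and r.entity == entity and field_name in r.fields})

def demo_records():
    """Constructed sample: a SAP GUI access (transaction BP), a web-service
    access, and an SE16 access to an entity that is not configured."""
    t = datetime(2013, 11, 5, 10, 0, tzinfo=timezone.utc)
    data = {"partner_id": "4711", "tax_number": "DE123456789",
            "card_number": "4111111111111111", "salary": 55000, "notes": "free text"}
    return [log_read_access("jack_jones", "SAP_GUI", "BP", "BusinessPartner", data, now=t),
            log_read_access("svc_user", "WEB_SERVICE", "ReadPartner", "BusinessPartner", data, now=t),
            log_read_access("jack_jones", "SAP_GUI", "SE16", "Unknown", data, now=t)]
```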

SAP Custom Development – User Interface (UI) Logging

Diagram: the SAP GUI for Windows exchanges requests and responses with the Dynpro Processor of the SAP Backend System; the observed data traffic is captured into a temporary log and written by an asynchronous call of the log service to permanent log storage in the repository (delivered as a sample implementation alongside the application logic).

In addition to the Read Access Logging framework you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I – Transaction BP (Business Partner) log record (screenshot)

UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00 … 7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00 … 7.31
Business Warehouse           | No                               | 7.00 … 7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

Diagram: the SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. The transaction triggers a digital signature
2. User information is transferred
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data

(Diagram: steps 1 to 4 between the SAP Client and the application.)

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of the Secure Login Library with client actions
  - Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application servers, which also use SNC among themselves.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: four areas: Secure Software Development at SAP, Secure Software Development at customers, Security Services, and Security Management.


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely or as self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
- For more information see SAP Note 1532674

Protecting Your SAP Systems

(Figure: SAP customers are surrounded by three pillars: Secure Software Development, Security Services and Security Management.)

Secure Custom Development – Secure Design

Secure design covers:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs such as
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning (automate it)
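Two of the bug classes listed above, shown as the vulnerable pattern next to its hardened form. This is an added example written for this page, not code from the SAP guides; it uses Python and SQLite rather than ABAP because the bug classes are language-independent, and the table, file tree and injection payload are constructed for the demo.

```python
"""SQL injection and directory traversal: vulnerable sink next to the fix.
Standard library only; the table and file tree are constructed inline so
the script runs offline."""
import os
import sqlite3
import tempfile

# --- SQL injection -------------------------------------------------------
def make_db() -> sqlite3.Connection:
    """Constructed sample database: a single table of user records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, salary INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", 100), ("bob", 200)])
    return con

def lookup_vulnerable(con, name: str) -> list:
    # Untrusted input is concatenated into the statement text: the
    # classic injection sink (kept only to show the difference).
    sql = "SELECT name, salary FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def lookup_hardened(con, name: str) -> list:
    # Bound parameter: the input can never change the statement's shape.
    return con.execute(
        "SELECT name, salary FROM users WHERE name = ?", (name,)).fetchall()

# --- Directory traversal -------------------------------------------------
def read_vulnerable(base: str, relative: str) -> str:
    # os.path.join happily follows ".." out of the intended directory.
    with open(os.path.join(base, relative), encoding="utf-8") as fh:
        return fh.read()

def read_hardened(base: str, relative: str) -> str:
    # Canonicalise both paths (resolving symlinks and "..") and refuse
    # anything that does not stay inside the allowed directory.
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes {root}: {relative!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()

def demo() -> dict:
    """Run both pairs against crafted input and report what happened."""
    con = make_db()
    payload = "x' OR '1'='1"          # dumps the whole table if concatenated
    results = {
        "sqli_vulnerable_rows": len(lookup_vulnerable(con, payload)),
        "sqli_hardened_rows": len(lookup_hardened(con, payload)),
    }
    # Constructed file tree: <tmp>/public/readme.txt and <tmp>/secret.txt
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "readme.txt"), "w", encoding="utf-8") as fh:
            fh.write("public")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("secret")
        results["traversal_vulnerable"] = read_vulnerable(public, "../secret.txt")
        try:
            read_hardened(public, "../secret.txt")
            results["traversal_hardened"] = "escaped"
        except PermissionError:
            results["traversal_hardened"] = "blocked"
        results["legit_read"] = read_hardened(public, "readme.txt")
    return results

if __name__ == "__main__":
    print(demo())
```

The hardened variants are what a source code scanner looks for: a bound parameter instead of string concatenation, and a canonicalised path checked against an allowed root before the file is opened.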

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners run security code scans (among other measures) on custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check that analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) improves code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

(Figure: spectrum of techniques from Manual Source Code Review and Automated Source Code Analysis (SAST: find vulnerabilities by analyzing the sources) to Automated Application Vulnerability Scanning and Manual Application Penetration Testing (DAST: find vulnerabilities in the running application).)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Figure: the same SAST/DAST spectrum: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. SAST finds vulnerabilities by analyzing the sources; DAST finds vulnerabilities in the running application.)

The SAP NetWeaver Application Server add-on for code vulnerability analysis sits on the SAST side: finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com. Please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

To keep yourself up to date about security response practices in general, go to the SAP Service Marketplace for:
- spotlight news
- the security notes released on the Security Patch Days
- subscription to the SAP support portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0 (booking code P_ADM_SEC_70). The Security Consultant certification test verifies the participant's profound knowledge of SAP NetWeaver security and proves that the candidate has an advanced understanding of the topic and is able to apply these skills in consulting projects, providing implementation guidance.

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java, Portal            ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, ...)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level accepted internationally across the recognition arrangement

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, The Netherlands, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations. Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on for SAP GUI for Windows, SAP GUI for Java and web applications

Integration capabilities:
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption: strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On:
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures, re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption:
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to web applications; XACML-based and policy-enforced access.
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on.
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications.
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password.
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on.
- Partner API

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Figure: after a primary authentication, the E-SSO monitor watches for login prompts in a terminal emulator, web form, web basic authentication dialog, Windows application or Java application and fills in the stored credentials of the user, e.g. jack_jones; a local management console administers the client.)

Secure Login – Solution Architecture

(Figure: on the client system, the SAP front end (NWBC, SAP GUI) and the web browser use the Secure Login Client, the SLWC applet, the browser key store and the SAP or Java crypto library. The Secure Login Server, running on SAP NetWeaver CE 7.2 (Java stack), holds the configuration data and acts as PSE service against an authentication server such as SAP User Management. SAP backend systems (ABAP stack) carry the Secure Login Library; connections use DIAG with SNC and HTTP(S).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

(Figure: Company A and Company B each run their own ERP, CRM and SCM systems in separate datacenters, with further systems in the cloud.)

Identity Federation – Solution

(Figure: the ERP, CRM and SCM systems in each datacenter act as SAML service providers (SP); Company A and Company B each run an identity provider, and the two identity providers federate.)

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity provider and service provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Figure: a SAP NetWeaver Java identity provider with its user accounts issues SAML tokens on log on/log off to service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account.)

- The landscape consists of an identity provider and systems enabled via service providers (SAML)
- Web users trying to access a system are redirected to the identity provider
- Once a user is authenticated by the identity provider, the user can access all systems (via service provider) without re-authentication
- Web browser-based single sign-on is user-centric
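The redirect-to-IdP flow above, reduced to the checks a service provider must make on the token the browser brings back. This is an added example, not SAP code and not a real SAML implementation: the assertion is a JSON document protected by an HMAC over a shared key, standing in for the XML signature of a SAML 2.0 assertion, and the field names (issuer, audience, in_response_to, not_on_or_after, id) only mirror the corresponding SAML elements. The user, key and entity IDs are constructed for the demo.

```python
"""Web-browser SSO: one IdP authenticates the user once, two SPs accept
its assertions.  HMAC stands in for the XML signature; all parties run
in one process."""
import hashlib
import hmac
import json
import secrets
import time

class IdentityProvider:
    """Authenticates users once and issues signed assertions for SPs."""
    def __init__(self, issuer: str, key: bytes, users: dict):
        self.issuer, self.key, self.users = issuer, key, users

    def authenticate(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.users.get(user, ""), password)

    def issue(self, user: str, audience: str, request_id: str,
              lifetime: int = 300) -> str:
        body = {"issuer": self.issuer, "subject": user, "audience": audience,
                "in_response_to": request_id,
                "not_on_or_after": int(time.time()) + lifetime,
                "id": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        return json.dumps({"assertion": body, "sig": sig})

class ServiceProvider:
    """Trusts one IdP; tracks outstanding requests and consumed tokens."""
    def __init__(self, entity_id: str, trusted_issuer: str, key: bytes):
        self.entity_id, self.trusted_issuer, self.key = entity_id, trusted_issuer, key
        self.pending = set()      # request IDs we redirected to the IdP
        self.consumed = set()     # assertion IDs already used (replay guard)

    def start_login(self) -> str:
        """Step 1: the SP would now redirect the browser to the IdP."""
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, token: str, now=None) -> str:
        """Step 2: validate the assertion the browser brings back.
        Returns the subject on success, raises ValueError otherwise."""
        now = time.time() if now is None else now
        doc = json.loads(token)
        body, sig = doc["assertion"], doc["sig"]
        raw = json.dumps(body, sort_keys=True).encode()
        if not hmac.compare_digest(
                hmac.new(self.key, raw, hashlib.sha256).hexdigest(), sig):
            raise ValueError("signature")
        if body["issuer"] != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if body["audience"] != self.entity_id:
            raise ValueError("wrong audience")       # token meant for another SP
        if body["not_on_or_after"] <= now:
            raise ValueError("expired")
        if body["id"] in self.consumed:
            raise ValueError("replay")
        if body["in_response_to"] not in self.pending:
            raise ValueError("unsolicited response")
        self.pending.discard(body["in_response_to"])
        self.consumed.add(body["id"])
        return body["subject"]

def demo() -> dict:
    """One IdP, two SPs: a single authentication opens both systems."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.example", key, {"jack_jones": "s3cret"})  # constructed user
    erp = ServiceProvider("erp.example", "idp.example", key)
    crm = ServiceProvider("crm.example", "idp.example", key)
    out = {"auth": idp.authenticate("jack_jones", "s3cret")}
    rid = erp.start_login()
    tok = idp.issue("jack_jones", "erp.example", rid)
    out["erp_user"] = erp.consume(tok)
    try:                                   # same token presented again
        erp.consume(tok)
    except ValueError as e:
        out["replay"] = str(e)
    try:                                   # ERP token offered to CRM
        crm.consume(tok)
    except ValueError as e:
        out["cross_sp"] = str(e)
    try:                                   # token checked long after issue
        erp.consume(idp.issue("jack_jones", "erp.example", erp.start_login()),
                    now=time.time() + 1000)
    except ValueError as e:
        out["expired"] = str(e)
    rid2 = crm.start_login()               # no new password prompt needed
    out["crm_user"] = crm.consume(idp.issue("jack_jones", "crm.example", rid2))
    return out

if __name__ == "__main__":
    print(demo())
```

The audience, request-ID and one-time-use checks are what keep a token issued for one service provider from being accepted by another, or accepted twice; a real deployment replaces the HMAC with the IdP's signing certificate configured in the SP's trust store.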

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

(Figure: SAP NetWeaver Identity Management with its central identity store sits between HR events, e.g. on-boarding, SAP Access Control (GRC) and the SAP Business Suite.)

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Figure: the Identity Center database (MS-SQL or Oracle, soon IBM DB2) holds the stored procedures, logs, audit data and the identity store (IdS); runtimes in Java and VB, a dispatcher, the DSE and an event agent run against it. The Virtual Directory Server (VDS, Java VM) connects over HTTPS, LDAP, database and application-specific protocols to external repositories such as AS Java, LDAP directories, ABAP systems, web services and Active Directory, and to external applications such as SAP HR, LDAP/web services and SiteMinder. The user interface is Web Dynpro on AS Java plus an MMC management console, soon to be Eclipse-based; management runs over JMX.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Figure: a request flows between the user, SAP NetWeaver Identity Management, the approver, SAP GRC Access Control and the compliance team in six steps.)

1. The user requests a role, privileges, a user account, ...
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The request is sent to SAP GRC Access Control for risk analysis.
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. SAP NetWeaver Identity Management provisions the approved access to business applications, non-SAP systems, ... and sends an approval mail to the user.

Result: compliant identity management.
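The six-step request above as a small state machine, so that the ordering the slides insist on (risk analysis before provisioning, mitigation recorded before a risky request may proceed) is enforced in code. This is an added example, not SAP NetWeaver Identity Management or GRC Access Control code; the segregation-of-duties rule set, role names, target systems and approvers are constructed for the demo.

```python
"""Compliant access request: request -> approval -> risk analysis ->
remediation -> provisioning, with provisioning refused while a risk
is open.  Rule set, roles and systems are constructed for the demo."""
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles one person must not hold together.
SOD_RULES = {
    frozenset({"AP_CREATE_VENDOR", "AP_PAY_INVOICE"}): "create vendor and pay it",
    frozenset({"HR_MAINTAIN_SALARY", "HR_RUN_PAYROLL"}): "set and pay own salary",
}

@dataclass
class Request:
    user: str
    roles: set
    state: str = "requested"                 # step 1
    approvals: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    provisioned: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

def risk_analysis(existing: set, requested: set) -> list:
    """Step 4: which SoD rules would the combined role set violate?"""
    combined = existing | requested
    return [desc for pair, desc in SOD_RULES.items() if pair <= combined]

def approve(req: Request, approver: str) -> Request:
    """Steps 2 and 3: record the approval; one approver suffices here."""
    if req.state != "requested":
        raise ValueError(f"cannot approve in state {req.state}")
    req.approvals.append(approver)
    req.state = "approved"
    return req

def analyse(req: Request, existing: set) -> Request:
    """Step 4: hand the approved request to the risk check."""
    if req.state != "approved":
        raise ValueError(f"cannot analyse in state {req.state}")
    req.risks = risk_analysis(existing, req.roles)
    req.state = "clean" if not req.risks else "risk"
    return req

def remediate(req: Request, action: str, control: str = "") -> Request:
    """Step 5: the compliance team rejects or mitigates an open risk."""
    if req.state != "risk":
        raise ValueError(f"nothing to remediate in state {req.state}")
    if action == "reject":
        req.state = "rejected"
    elif action == "mitigate" and control:
        req.mitigations = {r: control for r in req.risks}
        req.state = "clean"
    else:
        raise ValueError("mitigation needs a named compensating control")
    return req

def provision(req: Request, systems: dict) -> Request:
    """Step 6: only a clean (or mitigated) request reaches the target systems.
    `systems` maps role -> target system, constructed for the demo."""
    if req.state != "clean":
        raise ValueError(f"refusing to provision in state {req.state}")
    for role in sorted(req.roles):
        req.provisioned.append((systems[role], req.user, role))
    req.notifications.append(f"mail to {req.user}: request approved")
    req.state = "provisioned"
    return req

def demo() -> dict:
    systems = {"AP_CREATE_VENDOR": "ERP", "AP_PAY_INVOICE": "ERP",
               "HR_RUN_PAYROLL": "HR", "HR_MAINTAIN_SALARY": "HR"}
    # Case 1: no conflict, straight through.
    r1 = Request("jack_jones", {"HR_RUN_PAYROLL"})
    provision(analyse(approve(r1, "line_manager"), existing=set()), systems)
    # Case 2: the user already creates vendors and asks to pay invoices.
    r2 = Request("jane_doe", {"AP_PAY_INVOICE"})
    analyse(approve(r2, "role_owner"), existing={"AP_CREATE_VENDOR"})
    blocked = None
    try:
        provision(r2, systems)             # must not happen before step 5
    except ValueError as e:
        blocked = str(e)
    remediate(r2, "mitigate", control="monthly vendor-payment review")
    provision(r2, systems)
    return {"r1": r1, "r2": r2, "blocked": blocked}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The risk check deliberately looks at the user's existing roles plus the requested ones; a check on the request alone would miss exactly the cross-role conflicts the compliance step exists to catch.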

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Figure: SAP GRC 10.0 runs AC, PC & RM (software component GRCFND_A) on SAP NetWeaver AS ABAP 7.02. Plug-ins connect it to SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications connect through an adapter. Optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP) and Content Lifecycle Management (CLM). Connections use HTTP, web services, RFC and DIAG. Front-end client: SAP GUI 7.10 or a web browser with Adobe Flash Player; the SAP Crystal Reports adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports.)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

(Figure: a new hire or position change in the HR application leads Identity Management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; then users are created and roles and privileges assigned across the heterogeneous landscape.)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure: the SAP Attack Monitoring Infrastructure receives attack pattern updates from SAP and collects logs of SAP NetWeaver systems, logs of non-SAP NetWeaver systems, desktop and mobile front ends, infrastructure logs, database logs and network logs. Its pipeline covers connectivity, extraction, filtering, normalization and aggregation. It exposes an IDS API to other SIEM tools, takes alerts from SAP Solution Manager and has an information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: identity management, SSO and an integrated security management offering allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
- SAP leads the industry by helping its customers thrive in today's business networks

Further Information

SAP Public Web:
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue Your SAP TechEd Education After the Event

SAP TechEd Virtual Hands-on Workshops: access hands-on workshops post-event, available January – March 2014, complimentary with your SAP TechEd registration. http://saptechedhandson.sap.com

SAP TechEd Online: access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more; view content only available online. http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100. Thanks for attending this SAP TechEd session.


SAP HANA – Communication and Data Encryption

(Figure: SAP HANA security areas: Authentication/SSO, Authorization, Encryption, Audit Logging, Identity Store; XS application on top.)

Communication encryption: SSL
Data encryption: data volumes on disk

SAP HANA – Audit Logging

- Logging of critical events for security and compliance, e.g. user, role and privilege changes; configuration changes
- User-defined policies for audit logging
- Data access logging: read and write access (tables, views), execution of procedures
- Audit trail written to Linux syslog

SAP HANA – Security Administration

Administration via SAP HANA Studio or the SQL interface (the command line tool hdbsql is available).

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

SAP Mobile Security (on-premise, hybrid, cloud) covers:
- Device: Mobile Device Management
- Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
- Content: Mobile Content Management
- Communications: Telecom Expense Management
- Systems Management: Enterprise Mobility Management System

Introducing SAP Mobile Documents: Share My Files, My Files – Any Device, Mobilize Enterprise Content

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118 – Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

(Figure: the SAP ID service provides authentication, single sign-on and user management for the SAP Cloud and for the customer's on-premise apps.)

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications
- One SAP identity: the SAP ID service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd-party on-demand applications by verifying user identities and granting authentication

Session SIS102 – SAP ID Service – Single Sign-On for Cloud Applications

Enterprise and Cloud: Two Identity "Camps" – Handled With Industry Standards

(Figure: the standards SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST and Kerberos, spread across the two camps Enterprise (on-premise) and Internet/Cloud (on-demand).)

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration between on-premise and on-demand instead of point-to-point connections.

(Figure: in the customer's on-premise network the user authenticates at the on-premise IdP (e.g. with X.509); the SAP ID service in the SAP on-demand network acts as IdP proxy and federates via SAML to SAP Business ByDesign, SAP HANA Cloud, 3rd-party apps and social IdPs.)

On-Demand and On-Premise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

(Figure: on-demand integration, on-premise integration, on-device integration.)

Secure Communication and Interaction: On-Demand Solutions

(Figure: Company A and Company B each run backend networks with R/3 and ERP application server farms and a directory; each company's identity provider issues SAML assertions to the on-demand solutions, and SAP logon tickets are used towards the on-premise backends.)

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Figure: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java.)

Logging and Monitoring – AS ABAP Tools Overview

- Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor.
- Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when, and via which interface. Target audience: data protection officer.
- Security Audit Log: monitoring of security-relevant events in the system, like logons, access control violations and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure: in the SAP environment, AIS supports audit planning with a work program (system audit, business audit) and online controls on the SAP database: system information, reconciliation of balance sheet and P&L, account balances, documents. Through its export interface, data (account balances, line items, accounts, customers, vendors, assets, material, orders, invoices, ...) is exported to the non-SAP environment for work paper preparation, reporting, and analysis software such as ACL or IDEA.)

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows to log all access to classified or sensitive data and

supports the evaluation of these events It allows to track

Who did access the data

Which data was accessed

When was the data accessed

How did the data access take part via which transaction or user interface

Amount of detail to be logged is customizable based on

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs user interfaces

entities and their content

Session SIS104 ndash Finding the Leak ndash Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram: ABAP server with an application and its Web Dynpro channel writing to the Read Access Log)

Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
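The following is an added example, not SAP's Read Access Logging code: a small model of the ideas on the RAL slides (log who, what, when and how; configure the detail per channel; filter so that private data such as full credit card numbers stays out of the log; keep records only for a limited time). The channel names, entity and field names, retention period and sample events are all constructed for illustration.

```python
"""Read Access Logging-style filter and evaluation (added example, not SAP code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed logging configuration: per channel and entity, how each field is recorded.
#   "log"     - the value is written to the log
#   "mask"    - only the last four characters are kept
#   "exclude" - the field name is recorded, the value is not
CONFIG = {
    "WEB_DYNPRO": {
        "BUSINESS_PARTNER": {"name": "log", "credit_card": "mask", "salary": "exclude"},
    },
    "RFC": {
        "BUSINESS_PARTNER": {"name": "log", "credit_card": "exclude", "salary": "exclude"},
    },
}


@dataclass
class AccessEvent:
    """One read access as the framework would see it on a configured channel."""
    user: str
    channel: str                 # e.g. SAP_GUI, WEB_DYNPRO, WEBSERVICE, RFC (constructed names)
    interface: str               # transaction or remote API the access came through
    entity: str
    fields: dict                 # field name -> value presented to the user
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def mask(value: str) -> str:
    """Keep only the last four alphanumeric characters: enough to correlate, not to misuse."""
    chars = "".join(ch for ch in value if ch.isalnum())
    return "*" * max(len(chars) - 4, 0) + chars[-4:]


def build_log_record(event: AccessEvent, config=CONFIG):
    """Return the log record for `event`, or None when channel/entity are not configured."""
    entity_cfg = config.get(event.channel, {}).get(event.entity)
    if entity_cfg is None:
        return None
    values = {}
    for name, value in event.fields.items():
        action = entity_cfg.get(name, "exclude")   # unconfigured fields are never logged
        if action == "log":
            values[name] = value
        elif action == "mask":
            values[name] = mask(value)
    return {
        "who": event.user,
        "when": event.timestamp,
        "how": {"channel": event.channel, "interface": event.interface},
        "what": {"entity": event.entity,
                 "fields_accessed": sorted(event.fields),
                 "values": values},
    }


def accesses_to(records, entity, field_name):
    """Evaluation: who accessed a given field of an entity, when, and via which channel."""
    return [(r["who"], r["when"], r["how"]["channel"]) for r in records
            if r["what"]["entity"] == entity and field_name in r["what"]["fields_accessed"]]


def purge_expired(records, retention_days, now=None):
    """Drop records older than the retention period (privacy law limits storage time)."""
    now = now or datetime.now(timezone.utc)
    return [r for r in records if now - r["when"] < timedelta(days=retention_days)]


# Constructed sample events: one business-partner read via Web Dynpro (transaction BP)
# and one via a custom RFC function module, 35 days apart.
SAMPLE_EVENTS = [
    AccessEvent("jdoe", "WEB_DYNPRO", "BP", "BUSINESS_PARTNER",
                {"name": "Ada Example", "credit_card": "4111 1111 1111 1234", "salary": "90000"},
                timestamp=datetime(2013, 10, 1, 9, 0, tzinfo=timezone.utc)),
    AccessEvent("rfc_user", "RFC", "ZREAD_BP", "BUSINESS_PARTNER",
                {"name": "Ada Example", "credit_card": "4111 1111 1111 1234"},
                timestamp=datetime(2013, 11, 5, 14, 30, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    for rec in (build_log_record(e) for e in SAMPLE_EVENTS):
        print(rec)
```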

SAP Custom Development – User Interface (UI) Logging

(Diagram: the request/response traffic between SAP GUI for Windows and the Dynpro processor is observed in the SAP backend system; the application logic calls the log service asynchronously, which writes to a temporary log and then to permanent log storage in the repository; a sample implementation is delivered)

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

Transaction BP (Business Partner) log record (screenshot)

UI Logging: Log Record Example II

Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism first performs a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00…7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00…7.31
Business Warehouse           | No                               | 7.00…7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite applications – SRM, SCM, ERP, PLM, CRM – on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library)

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

(Diagram: four numbered steps between the SAP client and the application)
- Transaction triggers digital signature
- User information is transferred
- User authenticates and digital certificate is received
- Application digitally signs documents and stores data

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF
- Integration of the Secure Login Library with client actions
- Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

(Diagram: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connected via SNC to an SAP application server, and SAP application servers connected to each other via SNC)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Diagram, four quadrants: SAP – Secure Software Development and Security Services; Customers – Secure Software Development and Security Management)

SAP Product Innovation Lifecycle

(Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up)

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

(Diagram: topics from the security recommendations, discussed later)
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems on site, remotely, or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- The most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
- SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
- SSL Profile Validation: validates parameter settings for secure sessions
- SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: spectrum from manual source code review and automated source code analysis to automated application vulnerability scanning and manual application penetration testing)
- DAST: find vulnerabilities in the running application
- SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram: the same spectrum – manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources)

- SAP NetWeaver Application Server add-on for code vulnerability analysis
- Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general:
- Go to the SAP Service Marketplace for Spotlight News
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                   | Course ID
Authorizations AS ABAP                  | ADM940
Authorizations AS Java / Portal         | ADM200, EP200, ADM800
Authorizations BW                       | BW365
SAP NetWeaver Identity Management       | ADM920
Security Auditing                       | ADM950
Technical Security (RFC, SSL, SNC, …)   | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Level | Meaning
EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

(Diagram, three pillars)
- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

(Diagram: all three components on the SAP NetWeaver platform)

SAP NetWeaver Single Sign-On and Solution Components

(Diagram: SAP NetWeaver Single Sign-On on SAP NetWeaver, with a partner API)

Web Access Management
- Endorsed Business Solution (EBS) with the CA SiteMinder product: policy-based authentication and authorization to web applications; XACML-based and policy-enforced access

Identity Federation
- Web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on

Secure Login
- Single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption
- Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: after primary authentication as user jack_jones, the E-SSO monitor observes logins to the local management console, a terminal emulator, a web form, web basic authentication, a Windows application and a Java application, and automates the login as jack_jones to each of them)

Secure Login – Solution Architecture

(Diagram: the client system runs the SAP frontend – NWBC, SAP GUI – with the Secure Login Client, and a web browser with the SLWC applet and a key store; the SAP backend system's ABAP stack uses the Secure Login Library over DIAG/SNC and HTTP(S); the Secure Login Server on NetWeaver CE 7.2 (Java stack) holds the configuration data and the PSE service, uses the SAP or Java Crypto Library, and authenticates users against an authentication server, e.g. SAP User Management)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM and further systems, plus systems in the cloud)

Identity Federation – Solution

(Diagram: ERP, CRM and SCM in Datacenter A and Datacenter B are each fronted by a service provider (SP); each company runs its own identity provider; identity federation links the two identity providers)

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity provider and service provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an SAP NetWeaver Java identity provider with a user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP service providers, each with a user account; log on/log off and SAML token exchange between them)

- The landscape consists of an identity provider and systems enabled via service providers (SAML)
- Web users trying to access a system will be redirected to the identity provider
- Once a user is authenticated by the identity provider, the user can access all systems (via service provider) without re-authentication
- Web browser-based single sign-on is user-centric
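The redirect-to-IdP flow described above, as an added example that is not part of the original deck or of SAP's SAML implementation: a service provider (SP) redirects an unauthenticated user to the identity provider (IdP), the IdP authenticates once and issues an assertion, and each SP validates it before creating its own session. The assertion is signed with an HMAC here as a stand-in for the XML signature a real SAML 2.0 IdP uses; the entity IDs, user store, key handling and assertion fields are constructed for illustration.

```python
"""Web browser SSO with an identity provider (added example, not SAP code)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _now():
    return datetime.now(timezone.utc)


class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self.users = dict(users)                   # constructed user store: name -> password
        self.signing_key = secrets.token_bytes(32) # stand-in for the IdP signing certificate
        self.sessions = {}                         # IdP cookie -> authenticated user

    def login(self, username, password):
        """Primary authentication at the IdP; returns an IdP session cookie or None."""
        if self.users.get(username) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def issue_assertion(self, cookie, authn_request, lifetime_seconds=300):
        """Issue a signed assertion for an existing IdP session (no re-authentication)."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        body = {
            "issuer": self.entity_id,
            "subject": user,
            "audience": authn_request["issuer"],          # only the SP that asked may use it
            "in_response_to": authn_request["id"],
            "not_on_or_after": (_now() + timedelta(seconds=lifetime_seconds)).isoformat(),
        }
        payload = json.dumps(body, sort_keys=True)
        signature = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": signature}


class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id = entity_id
        self.idp = idp
        self.verify_key = idp.signing_key   # stand-in for the IdP certificate in the SP trust store
        self.pending = set()                # outstanding AuthnRequest ids (blocks replay/unsolicited)
        self.sessions = {}                  # SP cookie -> user

    def access(self, sp_cookie=None):
        """Return ('ok', user) for a logged-in session, else a redirect carrying an AuthnRequest."""
        if sp_cookie in self.sessions:
            return ("ok", self.sessions[sp_cookie])
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        return ("redirect", {"id": request_id, "issuer": self.entity_id})

    def consume(self, assertion):
        """Assertion consumer: validate signature, audience, validity and request id."""
        expected = hmac.new(self.verify_key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None                                   # tampered, or not from the trusted IdP
        body = json.loads(assertion["payload"])
        if body["audience"] != self.entity_id:
            return None                                   # issued for a different SP
        if datetime.fromisoformat(body["not_on_or_after"]) <= _now():
            return None                                   # expired
        if body["in_response_to"] not in self.pending:
            return None                                   # unsolicited or already consumed
        self.pending.discard(body["in_response_to"])
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = body["subject"]
        return cookie


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example", {"jack_jones": "pw"})   # constructed
    erp, crm = ServiceProvider("https://erp.example", idp), ServiceProvider("https://crm.example", idp)
    _, request = erp.access()                          # redirect to the IdP
    idp_cookie = idp.login("jack_jones", "pw")         # authenticate once
    erp_cookie = erp.consume(idp.issue_assertion(idp_cookie, request))
    _, request2 = crm.access()
    crm_cookie = crm.consume(idp.issue_assertion(idp_cookie, request2))   # no second login
    print(erp.access(erp_cookie), crm.access(crm_cookie))
```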

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management with its central identity store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite)
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram: the Identity Center with its IC database – MS-SQL or Oracle DB, soon IBM DB2 – holding stored procedures, logs, audit data and identity services (IdS); Java and VB runtimes, DSE and dispatcher, an event agent that starts jobs; AS Java with the Web Dynpro user interface, ID Mgmt UI abstraction and JMX; the MMC Management Console, soon to be Eclipse; the Virtual Directory Server (VDS) in a Java VM exposing LDAP; connections via HTTPS, DB protocol, LDAP, Java, ABAP and web services to external repositories such as Active Directory and to external applications such as SAP HR and SiteMinder)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Diagram, built up over six steps, showing the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control)

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, …
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …, and send approval mail to the user

Result: compliant identity management
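The six-step request flow above as an added example, not code from SAP NetWeaver Identity Management or SAP GRC Access Control: a request is sent for approval, approved, checked against segregation-of-duties (SoD) rules, decided by the compliance team (reject, approve, mitigate or modify) and only then provisioned. The SoD rules, role names, approvers, control ids and target systems are constructed for illustration.

```python
"""Compliant identity management request flow (added example, not SAP code)."""
from dataclasses import dataclass, field

# Constructed SoD rules: pairs of roles that one user must not hold together.
SOD_RULES = {
    "R001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "R002": ("CREATE_PO", "APPROVE_PO"),
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: list
    existing_roles: list
    approvals: dict = field(default_factory=dict)     # approver -> True / False / None (open)
    risks: list = field(default_factory=list)         # rule ids found by risk analysis
    mitigations: dict = field(default_factory=dict)   # rule id -> mitigating control id
    status: str = "REQUESTED"                          # step 1
    log: list = field(default_factory=list)


def send_for_approval(req, approvers):                # step 2
    for approver in approvers:
        req.approvals[approver] = None
    req.status = "PENDING_APPROVAL"
    req.log.append(f"sent for approval to {sorted(approvers)}")


def record_approval(req, approver, granted):          # step 3
    if approver not in req.approvals:
        raise ValueError(f"{approver} is not an approver of this request")
    req.approvals[approver] = granted
    if granted is False:
        req.status = "REJECTED"
    elif all(v is True for v in req.approvals.values()):
        req.status = "APPROVED"


def risk_analysis(req, rules=SOD_RULES):              # step 4
    """Check requested plus existing roles against the SoD rule set."""
    if req.status != "APPROVED":
        raise ValueError("risk analysis runs only after all approvals were granted")
    combined = set(req.existing_roles) | set(req.requested_roles)
    req.risks = sorted(rid for rid, (a, b) in rules.items() if a in combined and b in combined)
    req.status = "RISK_ANALYZED"
    return req.risks


def risk_decision(req, decision, mitigations=None, drop_roles=()):   # step 5
    """Compliance team decision: reject, approve, mitigate, or modify the request."""
    if req.status != "RISK_ANALYZED":
        raise ValueError("a risk decision requires a completed risk analysis")
    if decision == "reject":
        req.status = "REJECTED"
    elif decision == "modify":
        req.requested_roles = [r for r in req.requested_roles if r not in drop_roles]
        req.status = "APPROVED"
        return risk_analysis(req)                     # a modified request is analyzed again
    elif decision == "mitigate":
        missing = [rid for rid in req.risks if rid not in (mitigations or {})]
        if missing:
            raise ValueError(f"no mitigating control assigned for {missing}")
        req.mitigations.update(mitigations)
        req.status = "CLEARED"
    elif decision == "approve":
        if req.risks:
            raise ValueError("open risks must be rejected, mitigated or modified away")
        req.status = "CLEARED"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return req.risks


def provision(req, systems):                          # step 6
    """Create the user and assign the roles in each target system; notify the user."""
    if req.status != "CLEARED":
        raise ValueError("only compliance-cleared requests are provisioned")
    assigned = {system: list(req.requested_roles) for system in systems}
    req.status = "PROVISIONED"
    req.log.append(f"approval mail sent to {req.user}")
    return assigned


if __name__ == "__main__":
    request = AccessRequest("jdoe", ["PAY_VENDOR"], ["CREATE_VENDOR"])   # constructed
    send_for_approval(request, ["manager", "role_owner"])
    record_approval(request, "manager", True)
    record_approval(request, "role_owner", True)
    print("risks:", risk_analysis(request))
    risk_decision(request, "mitigate", {"R001": "CTRL-17"})
    print(provision(request, ["ERP", "CRM"]), request.status)
```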

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Diagram: SAP GRC 10.0 – AC, PC & RM (software component GRCFND_A) – runs on SAP NetWeaver AS ABAP 7.02 together with Content Lifecycle Management (CLM); plug-ins in SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); optional components: non-SAP business applications via adapter, SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP); connections via HTTP, web services, RFC and DIAG; front-end client: SAP GUI 7.10, web browser, Adobe Flash Player and the SAP CR Adapter – SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

(Process flow diagram.) HR application: new hire or change of position → Identity Management: calculate entitlements based on position → line manager: approve assignments? (No: stop; Yes: continue) → SAP GRC Access Control: compliance check and remediation → create user, assign privileges → heterogeneous landscape: create user and assign roles in each target system
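The scenario above as a compact, runnable model (an added example, not SAP code): an HR event drives entitlement calculation, the line manager approves, a segregation-of-duties check runs, violations are remediated, and only then is the user provisioned to each target system. Positions, role names, systems and SoD rules are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: roles derived from an HR position, per target system
POSITION_ROLES = {
    "AP_CLERK":   {"ERP": {"Z_AP_INVOICE_ENTRY"},
                   "PORTAL": {"EMPLOYEE"}},
    "AP_MANAGER": {"ERP": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"},
                   "PORTAL": {"EMPLOYEE", "MANAGER"}},
}

# Constructed segregation-of-duties rules: (role_a, role_b, risk_id, mitigating_control)
SOD_RULES = [
    ("Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE", "P001", "CTRL_4EYES_PAYMENT_RUN"),
]


@dataclass
class HREvent:
    user: str
    position: str
    kind: str            # "NEW_HIRE" or "CHANGE_POSITION"


@dataclass
class Decision:
    user: str
    entitlements: dict                               # system -> set of roles
    violations: list = field(default_factory=list)   # (risk_id, role_a, role_b, control)
    mitigations: list = field(default_factory=list)  # controls accepted for this user
    status: str = "PENDING"


def calculate_entitlements(event):
    """Step 1: derive the requested roles from the HR position (copies, so
    remediation can edit them without touching the rule table)."""
    return {system: set(roles) for system, roles in POSITION_ROLES[event.position].items()}


def compliance_check(entitlements):
    """Step 3: SoD check across all target systems at once, because a conflict
    between roles in two different systems is still a conflict."""
    all_roles = set().union(*entitlements.values())
    return [(risk, a, b, ctrl) for a, b, risk, ctrl in SOD_RULES
            if a in all_roles and b in all_roles]


def remediate(entitlements, violations, accepted_controls):
    """Step 4: a violation is either mitigated by an accepted control or resolved
    by dropping the second conflicting role from every system."""
    mitigations = []
    for risk, a, b, ctrl in violations:
        if ctrl in accepted_controls:
            mitigations.append(ctrl)
        else:
            for roles in entitlements.values():
                roles.discard(b)
    return mitigations


def process_event(event, manager_approves, accepted_controls=()):
    """Run the whole flow; returns the decision record and the provisioning
    actions to send to each target system (empty unless provisioning is allowed)."""
    decision = Decision(event.user, calculate_entitlements(event))
    if not manager_approves:                       # step 2: line manager approval
        decision.status = "REJECTED"
        return decision, []
    decision.violations = compliance_check(decision.entitlements)
    decision.mitigations = remediate(decision.entitlements, decision.violations,
                                     set(accepted_controls))
    # Guard: never provision while an unmitigated violation remains
    remaining = [v for v in compliance_check(decision.entitlements)
                 if v[3] not in decision.mitigations]
    if remaining:
        decision.status = "BLOCKED"
        return decision, []
    decision.status = "PROVISIONED"
    action = "CREATE_USER" if event.kind == "NEW_HIRE" else "UPDATE_USER"
    actions = [(system, action, sorted(roles))
               for system, roles in sorted(decision.entitlements.items())]
    return decision, actions


if __name__ == "__main__":
    for ev, ok, ctrls in [(HREvent("jdoe", "AP_CLERK", "NEW_HIRE"), True, ()),
                          (HREvent("asmith", "AP_MANAGER", "CHANGE_POSITION"), True, ()),
                          (HREvent("asmith", "AP_MANAGER", "CHANGE_POSITION"), True,
                           ("CTRL_4EYES_PAYMENT_RUN",))]:
        d, acts = process_event(ev, ok, ctrls)
        print(d.user, d.status, [v[0] for v in d.violations], d.mitigations, acts)
```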

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Architecture diagram.) Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP-NetWeaver systems; desktop frontend and mobile frontend logs; logs of infrastructure; logs of database; network logs; IDS; alerts from SAP SolMan.

SAP Attack Monitoring Infrastructure – stages shown: connectivity, extraction, filtering, normalization, aggregation.

Outputs: API to other SIEM tools; information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.


Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.

Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.

The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.

SAP leads in the industry by helping our customers to thrive in today's business networks.


Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP HANA – audit logging

(Diagram: SAP HANA security functions – authentication/SSO, authorization, encryption, audit logging, identity store; XS application.)

Logging of critical events for security and compliance, e.g.
– user, role and privilege changes
– configuration changes

User-defined policies for audit logging

Data access logging
– read and write access (tables, views), execution of procedures

Audit trail written to Linux syslog


SAP HANA – security administration

(Diagram: SAP HANA security functions – authentication/SSO, authorization, encryption, audit logging, identity store; XS application; SQL and SAP HANA Studio as administration interfaces.)

Administration
– SAP HANA Studio
– SQL interface (command line tool hdbsql available)

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security


Mobile app security: A strong foundation makes mobile successful

(Diagram: SAP Mobile Security layers, on-premise / hybrid / cloud.)
Device: Mobile Device Management
Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
Content: Mobile Content Management
Communications: Telecom Expense Management
Systems Management: Enterprise Mobility Management System


Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

Access personal business documents instantly on your laptop or any mobile device

Discover and access content from corporate document management systems

Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents


SAP ID Service – One Login for Cloud Applications

(Diagram: SAP ID service in the SAP Cloud – authentication, single sign-on, user management; on-premise app.)

Managing identities and their lifecycle within the SAP Cloud

Leverage SSO to SAP web sites, On-Demand applications

One SAP identity: SAP ID service bridges the gap between
• customer's on-premise application
• SAP on-demand applications
• SAP websites
• 3rd party on-demand applications
by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications


Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

(Diagram: standards shown – SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos – spanning Enterprise (OnPremise) and Internet/Cloud (OnDemand).)

SAP bridges the gap between these two "camps"


Support of Industry Standards

REST is the preferred choice for UI consumption scenarios in the cloud.

SOAP/WS-* is the preferred choice for process integration in the enterprise.

Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.

Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.

The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud.


On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP–OD instead of point-to-point connections

(Diagram: in the customer on-premise network, the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network, the SAP ID service acts as IdP proxy towards SAP Business ByDesign, SAP HANA Cloud and 3rd party apps via SAML; a social IdP can also be connected.)
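The IdP-proxying pattern above as a simplified, runnable model (an added example, not SAP code): the on-demand applications trust only the proxy, which validates an assertion from the on-premise IdP addressed to itself and re-issues its own assertion for the target application. Entity IDs and keys are constructed, and an HMAC stands in for the XML signature of a real SAML assertion.

```python
import hashlib
import hmac
import json

# Constructed sample entity IDs and shared secrets. The HMAC below stands in for
# the XML signature of a real SAML assertion; the trust question is the same.
ONPREM_IDP = "https://idp.customer.example"
SAP_ID_SERVICE = "https://accounts.sap.example"     # the IdP proxy
BYD_APP = "https://byd.sap.example"
THIRD_PARTY_APP = "https://app.partner.example"
KEYS = {ONPREM_IDP: b"onprem-signing-secret", SAP_ID_SERVICE: b"proxy-signing-secret"}


def _sign(fields, key):
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue(issuer, subject, audience, now, ttl=300):
    """Issue an assertion for exactly one audience with a short validity window."""
    fields = {"issuer": issuer, "subject": subject, "audience": audience,
              "not_before": now, "not_on_or_after": now + ttl}
    return {**fields, "signature": _sign(fields, KEYS[issuer])}


def verify(assertion, expected_audience, trusted_issuers, now):
    """Return None if the relying party may accept the assertion, else the reason
    it must be rejected. Order matters: trust and signature before content."""
    fields = {k: v for k, v in assertion.items() if k != "signature"}
    issuer = fields["issuer"]
    if issuer not in trusted_issuers:
        return "untrusted issuer"
    if not hmac.compare_digest(_sign(fields, KEYS[issuer]), assertion["signature"]):
        return "bad signature"
    if fields["audience"] != expected_audience:
        return "audience mismatch"
    if not fields["not_before"] <= now < fields["not_on_or_after"]:
        return "outside validity window"
    return None


def proxy_login(upstream, target_app, now):
    """The proxy accepts an assertion addressed to itself from a trusted upstream
    IdP and re-issues its own assertion for the target application. Returns None
    when the upstream assertion is rejected."""
    if verify(upstream, SAP_ID_SERVICE, {ONPREM_IDP}, now) is not None:
        return None
    return issue(SAP_ID_SERVICE, upstream["subject"], target_app, now)


def app_accepts(app, assertion, now):
    """On-demand applications trust only the proxy, never the on-premise IdP."""
    return verify(assertion, app, {SAP_ID_SERVICE}, now) is None


def trust_relationships(n_idps, n_apps, via_proxy):
    """Trust configurations to maintain: point-to-point grows with the product,
    proxying with the sum."""
    return n_idps + n_apps if via_proxy else n_idps * n_apps


if __name__ == "__main__":
    now = 1_700_000_000
    upstream = issue(ONPREM_IDP, "jdoe", SAP_ID_SERVICE, now)
    downstream = proxy_login(upstream, BYD_APP, now)
    print("ByD accepts proxied assertion:", app_accepts(BYD_APP, downstream, now))
    print("3rd party app given the ByD assertion:",
          verify(downstream, THIRD_PARTY_APP, {SAP_ID_SERVICE}, now))
    print("Trust relationships for 3 IdPs x 4 apps:",
          trust_relationships(3, 4, False), "point-to-point vs",
          trust_relationships(3, 4, True), "via proxy")
```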


OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

(Diagram: OnDemand integration, OnPremise integration, OnDevice integration.)


Secure Communication and Interaction: OnDemand Solutions

(Diagram: backend networks of Company A and Company B, each with R/3 and ERP application server farms and a directory (DIR); each company has its own identity provider; on-demand solutions for both companies. Protocols shown: SAML and SAP Logon Tickets.)

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP – transactions SM18, SM19, SM20; results of the Log Viewer in Java.)


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
Used to ensure secure and compliant operations of business functions
Target audience: Auditor

Read Access Log
Used to ensure compliant access to sensitive or classified data
Allows tracking of who accessed which data, when, and via which interface
Target audience: Data Protection Officer

Security Audit Log
Monitoring of security-relevant events in the system, like logon, access control violations and more
Target audience: Security Administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

(Diagram.) SAP environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, BS / P&L, account balances, documents); data export (account balances, line items) via an export interface.

Non-SAP environment: work paper preparation and report; analysis software (ACL, IDEA, …) and reporting software working on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits.

It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the AUDITOR in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of
– who accessed the data
– which data was accessed
– when the data was accessed
– how the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on
– user interfaces used to access the data
– operations executed on remote APIs
– users using the remote APIs / user interfaces
– entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram: ABAP server – application (Web Dynpro) – Read Access Log.)


Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
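A miniature read-access log in the spirit of the framework slides above (an added example, not SAP's RAL implementation): each configured channel/entity pair decides which fields are written, which are masked, and a filter condition decides whether a record is logged at all, so private values stay out of the log while who/what/when/how remain answerable. Channel names, the entity, the records and the timestamps are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ChannelConfig:
    """What one (channel, entity) pair writes to the read access log."""
    channel: str                      # e.g. "WEB_DYNPRO", "RFC"
    entity: str                       # logical data entity, e.g. "BANK_ACCOUNT"
    log_fields: frozenset             # field values written to the log as-is
    mask_fields: frozenset            # fields recorded as accessed, value masked
    condition: Optional[Callable[[dict], bool]] = None  # log only matching records


def mask(value):
    """Keep the last four characters so an entry stays correlatable without
    reproducing the full sensitive value in the log."""
    text = str(value)
    if len(text) <= 4:
        return "****"
    return "*" * (len(text) - 4) + text[-4:]


class ReadAccessLog:
    def __init__(self, configs):
        self.configs = {(c.channel, c.entity): c for c in configs}
        self.entries = []

    def record(self, user, channel, operation, entity, data, when):
        """Called when data is presented to a user via a channel. Returns the
        log entry, or None when this access is filtered out entirely."""
        cfg = self.configs.get((channel, entity))
        if cfg is None:                       # channel/entity not configured
            return None
        if cfg.condition is not None and not cfg.condition(data):
            return None
        logged = {}
        for name, value in data.items():
            if name in cfg.mask_fields:
                logged[name] = mask(value)
            elif name in cfg.log_fields:
                logged[name] = value          # any other field stays out of the log
        entry = {"who": user, "when": when, "via": channel,
                 "how": operation, "what": entity, "data": logged}
        self.entries.append(entry)
        return entry

    def who_accessed(self, entity, key_field, key):
        """Evaluation: which users saw a given record, through which channel, when."""
        return [(e["who"], e["via"], e["when"]) for e in self.entries
                if e["what"] == entity and e["data"].get(key_field) == key]


# Constructed configuration: bank accounts are logged from the Web Dynpro and RFC
# channels; the IBAN is masked, the balance is never written, and on the Web
# Dynpro channel only records classified as confidential are logged at all.
CONFIGS = [
    ChannelConfig("WEB_DYNPRO", "BANK_ACCOUNT",
                  log_fields=frozenset({"partner_id", "bank_country"}),
                  mask_fields=frozenset({"iban"}),
                  condition=lambda rec: rec.get("classification") == "CONFIDENTIAL"),
    ChannelConfig("RFC", "BANK_ACCOUNT",
                  log_fields=frozenset({"partner_id"}),
                  mask_fields=frozenset({"iban"})),
]

# Constructed sample records presented to users (IBAN is a dummy value)
CONFIDENTIAL = {"partner_id": "1000042", "bank_country": "DE",
                "iban": "DE" + "0" * 16 + "1234", "balance": 15000.0,
                "classification": "CONFIDENTIAL"}
INTERNAL = dict(CONFIDENTIAL, partner_id="1000043", classification="INTERNAL")


def demo():
    log = ReadAccessLog(CONFIGS)
    e1 = log.record("jdoe", "WEB_DYNPRO", "DISPLAY", "BANK_ACCOUNT", CONFIDENTIAL, "2013-11-05T10:15:00Z")
    e2 = log.record("batch01", "RFC", "BAPI_READ", "BANK_ACCOUNT", CONFIDENTIAL, "2013-11-05T10:16:00Z")
    skipped = log.record("jdoe", "WEB_DYNPRO", "DISPLAY", "BANK_ACCOUNT", INTERNAL, "2013-11-05T10:17:00Z")
    unconfigured = log.record("jdoe", "SAP_GUI", "DISPLAY", "BANK_ACCOUNT", CONFIDENTIAL, "2013-11-05T10:18:00Z")
    return log, e1, e2, skipped, unconfigured


if __name__ == "__main__":
    log, *_ = demo()
    for entry in log.entries:
        print(entry)
    print(log.who_accessed("BANK_ACCOUNT", "partner_id", "1000042"))
```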


SAP Custom Development – User Interface (UI) Logging

(Diagram: SAP GUI for Windows exchanges request and response with the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log and handed over by an asynchronous call of the log service to the permanent log storage in the repository; application logic; delivered sample implementation.)

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I

(Screenshot: transaction BP (Business Partner) log record.)


UI Logging: Log Record Example II

(Screenshot: transaction SE16 (Table Viewer) log record.)


Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).

LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider.

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel | Supported by Read Access Logging | UI Logging Solution
SAP GUI | No | 7.00…7.31
Web Dynpro ABAP | 7.40 SP02 | On request
CRM Web Client UI | No | 7.00…7.31
Business Warehouse | No | 7.00…7.31, BW 7.0
Web Services | 7.40 | On request
SAP RFC | 7.40 SP02 | On request
Business Server Pages (BSP) | No | On request


Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures Via SSF API and Secure Login Library

(Diagram: SAP Business Suite – SRM, SCM, ERP, PLM, CRM – on SAP NetWeaver, using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library.)

Digital signatures for legally binding contracts
Integration with Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption


Digital Signatures – Step By Step

(Diagram: SAP client and application server, steps 1–4.)
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions

Programming/integration necessary in case of
– ABAP programming for other transactions not yet supporting SSF
– Integration of Secure Login Library with client actions
– Hardware support needed


SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included

(Diagram: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connect via SNC to the SAP application servers; SNC also between application servers.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

(Diagram: responsibilities of SAP and customers – Secure Software Development on both sides, Security Services, Security Management.)


SAP Product Innovation Lifecycle

(Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates from planning to development, development to production, and production to ramp-up.)

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)
– SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling

(From the security recommendations, discussed later.)


Patch Management and Security Monitoring

Check security of your systems onsite, remote or as self service via SAP Solution Manager

Verify release information and configuration parameters against targets for all systems connected to Solution Manager

Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented

Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674


Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources
– SAP security recommendations
– SAP security guides

How to verify
– Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources
– SAP Secure Programming Guides
– SAP Security Recommendations

How to verify
– Source code scanning – automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

ABAP Test Cockpit (ATC): Central place for all check tools, exemption handling, result storage

Code Inspector (SCI): Open framework for customers, partners and SAP to develop code-related checks

Extended Program Check (SLIN): Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis: Code checks for security vulnerabilities. Main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security.

Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing.)

DAST: finds vulnerabilities in the running application. SAST: finds vulnerabilities by analyzing the sources.


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.)

SAP NetWeaver Application Server add-on for code vulnerability analysis

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– Public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for
– spotlight news
– check of the security notes released on the Security Patch Days
– subscription to the SAP support portal newsletter
– maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
– verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
– proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
Booking code: P_ADM_SEC_70

Topic | Course ID
Authorizations AS ABAP | ADM940
Authorizations AS Java, Portal | ADM200, EP200, ADM800
Authorizations BW | BW365
SAP NetWeaver Identity Management | ADM920
Security Auditing | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits comparison between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)

EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
– SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On (continued)

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
- Identity federation
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption:
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner product, integrated via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization for Web applications; XACML-based, policy-enforced access
- Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
- Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO): single sign-on for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user name and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA (CA SiteMinder):
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous application environment
- No client deployed to the desktop

The essential difference: CA SiteMinder delivers the above capabilities for SAP and non-SAP application environments, creating a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: after a primary authentication, the E-SSO monitor (administered via a local management console) fills the stored credentials of the user (jack_jones) into the logon dialogs of the target applications: terminal emulator, Web form, Web basic authentication, Windows application and Java application.

Secure Login - Solution Architecture

Diagram of the components:
- Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; Web browser with key store, the SLWC applet and the SAP or Java crypto library
- SAP backend system: ABAP stack with the Secure Login Library; Java stack with the PSE service
- SAP NetWeaver CE 7.2 with the Secure Login Server and its configuration data, backed by an authentication server (e.g. SAP user management) and the Secure Login Library
- Protocols shown between the components: DIAG/SNC, RFC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

Diagram: different companies, one business process, separated IT infrastructure. Company A runs ERP, CRM and SCM in datacenter A, company B runs ERP, CRM and SCM in datacenter B, and further systems run in the cloud.

Identity Federation - Solution

Diagram: each company runs its own Identity Provider; the ERP, CRM and SCM systems in datacenter A and datacenter B act as Service Providers (SP), and the two Identity Providers are linked by identity federation.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On

Diagram: an Identity Provider on SAP NetWeaver Java holds the user account; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems each hold their own user account; the user logs on (and off) at the Identity Provider and the browser presents the SAML token to the Service Providers.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via their Service Providers) without re-authentication
- Web browser-based single sign-on is user-centric: the user's browser carries the SAML token from the Identity Provider to each Service Provider
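The redirect-and-assert flow on this slide, modelled in Python as an added example (not SAP code and not the SAP NetWeaver Single Sign-On implementation). The entity IDs, the user account and the shared HMAC key are assumptions: the HMAC stands in for the Identity Provider's X.509 signature over the SAML XML, and the assertion is a JSON document instead of SAML XML. The point is the set of checks a Service Provider must make before trusting a token: signature, issuer, audience restriction, validity window and one-time use of the request ID.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed names. The shared HMAC key stands in for the IdP's X.509 signing key
# and the XML signature of real SAML; the checks below are the ones a real SP does.
IDP_ENTITY_ID = "https://idp.company-a.example/saml"
IDP_KEY = b"idp-signing-key-demo"


def canonical(assertion: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    def __init__(self, users: dict):
        self.users = users        # constructed user store: user -> password
        self.sessions = {}        # browser session id -> authenticated user

    def authenticate(self, session: str, user: str, password: str) -> bool:
        """Primary authentication, done once per browser session."""
        if hmac.compare_digest(self.users.get(user, ""), password):
            self.sessions[session] = user
            return True
        return False

    def issue_assertion(self, session: str, sp_entity_id: str, request_id: str) -> dict:
        """Answer an AuthnRequest for an already authenticated browser session."""
        if session not in self.sessions:
            raise PermissionError("not authenticated: show the logon form")
        now = time.time()
        body = {"Issuer": IDP_ENTITY_ID, "Subject": self.sessions[session],
                "Audience": sp_entity_id,            # only this SP may accept it
                "InResponseTo": request_id,
                "NotBefore": now - 60, "NotOnOrAfter": now + 300}
        sig = hmac.new(IDP_KEY, canonical(body), hashlib.sha256).hexdigest()
        return {"assertion": body, "signature": sig}


class ServiceProvider:
    def __init__(self, entity_id: str, trusted_issuer: str, idp_key: bytes):
        self.entity_id, self.trusted_issuer, self.idp_key = entity_id, trusted_issuer, idp_key
        self.pending = set()      # AuthnRequest IDs issued but not yet consumed

    def start_sso(self) -> str:
        """Unauthenticated access: mint an AuthnRequest ID and redirect to the IdP."""
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id

    def consume(self, response: dict) -> str:
        """Validate the assertion the browser posted back; returns the subject."""
        a, sig = response["assertion"], response["signature"]
        expected = hmac.new(self.idp_key, canonical(a), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if a["Issuer"] != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if a["Audience"] != self.entity_id:
            raise ValueError("assertion meant for another SP")
        if not (a["NotBefore"] <= time.time() < a["NotOnOrAfter"]):
            raise ValueError("assertion outside validity window")
        if a["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        self.pending.discard(a["InResponseTo"])       # one-time use
        return a["Subject"]


def _landscape():
    idp = IdentityProvider({"jack_jones": "correct horse"})   # constructed account
    erp = ServiceProvider("https://erp.company-b.example", IDP_ENTITY_ID, IDP_KEY)
    crm = ServiceProvider("https://crm.company-b.example", IDP_ENTITY_ID, IDP_KEY)
    return idp, erp, crm


def federated_login():
    """One password prompt at the IdP, then access to two Service Providers."""
    idp, erp, crm = _landscape()
    browser = "sess-1"
    req = erp.start_sso()                                      # ERP redirects to the IdP
    idp.authenticate(browser, "jack_jones", "correct horse")   # logon happens here, once
    user_erp = erp.consume(idp.issue_assertion(browser, erp.entity_id, req))
    req2 = crm.start_sso()                                     # CRM: no new logon needed
    user_crm = crm.consume(idp.issue_assertion(browser, crm.entity_id, req2))
    return user_erp, user_crm


def rejected_responses():
    """The ERP assertion replayed at CRM, then replayed at ERP itself."""
    idp, erp, crm = _landscape()
    req = erp.start_sso()
    idp.authenticate("sess-2", "jack_jones", "correct horse")
    resp = idp.issue_assertion("sess-2", erp.entity_id, req)
    erp.consume(resp)
    errors = []
    for sp in (crm, erp):
        try:
            sp.consume(resp)
        except ValueError as e:
            errors.append(str(e))
    return errors
```

`federated_login()` returns the same subject from both Service Providers after a single logon; `rejected_responses()` shows why the audience and request-ID checks exist: the token issued for ERP is useless at CRM and cannot be posted to ERP a second time.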

SAP NetWeaver Identity Management

Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

Diagram: business events, e.g. on-boarding, flow into SAP NetWeaver Identity Management, which is integrated with SAP Access Control (GRC) and the SAP Business Suite.

Capabilities:
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram of the components:
- Identity Center (IC) database: either MS-SQL or Oracle DB, soon IBM DB2; holds the stored procedures, logs, audit data and the Identity Store (IdS)
- Runtime: Java and VB runtimes, the Dispatcher, the DSE (VB) and the Event Agent, which starts runtimes; the runtimes talk to the IC database over the database protocol
- Virtual Directory Server (VDS): runs in a Java VM, exposes LDAP, and connects to external repositories (LDAP, Java, ABAP, Web Services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web Services, SiteMinder, application-specific adapters)
- User interface: Web Dynpro on AS Java (identity management UI abstraction, reached via HTTPS), JMX, and the MMC-based Management Console (soon to be Eclipse-based)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 - Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

The build-up slides show one request passing between the user, the approver, SAP NetWeaver Identity Management, SAP GRC Access Control and the compliance team:

1. Request (by the user, in SAP NetWeaver Identity Management) for a role, privileges, a user account, ...
2. Request sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval granted by the manager, delegate, role owner, application owner, ...
4. Request sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. Provisioning to business applications, non-SAP systems, ... and an approval mail sent to the user

Result: compliant identity management.
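The six-step request flow above, carried through as an added Python example (not SAP code; the role names, the SoD rule P001 and the control ID are constructed). It models SAP NetWeaver Identity Management as the workflow owner and SAP GRC Access Control as the risk analysis service, and makes explicit the property the slides rely on: provisioning (step 6) is refused until every risk found in step 4 has been rejected, mitigated or designed out in step 5.

```python
from dataclasses import dataclass, field

# Constructed SoD rule library standing in for the GRC Access Control risk
# definitions: a risk fires when a user would hold every role of a conflict set.
SOD_RISKS = {
    "P001": {"conflict": {"PR_CREATE_VENDOR", "PR_PAY_VENDOR"},
             "text": "create a vendor and pay that vendor"},
}


class AccessControl:
    """Stand-in for SAP GRC Access Control: risk analysis over existing + requested roles."""

    def __init__(self, risks):
        self.risks = risks

    def analyze(self, existing: set, requested: set) -> set:
        held = existing | requested
        return {rid for rid, r in self.risks.items() if r["conflict"] <= held}


@dataclass
class AccessRequest:
    user: str
    roles: set
    state: str = "REQUESTED"                          # set in step 1
    approvals: dict = field(default_factory=dict)     # approver -> granted?
    risks: set = field(default_factory=set)           # risk IDs from step 4
    mitigations: dict = field(default_factory=dict)   # risk ID -> control ID
    provisioned: dict = field(default_factory=dict)   # system -> roles
    log: list = field(default_factory=list)


class IdentityManagement:
    """Stand-in for SAP NetWeaver Identity Management driving steps 1 to 6."""
    REQUIRED_APPROVERS = ("manager", "role_owner")

    def __init__(self, grc: AccessControl, existing_roles: dict):
        self.grc = grc
        self.existing_roles = existing_roles          # user -> roles already assigned

    def submit(self, user, roles) -> AccessRequest:                          # step 1
        req = AccessRequest(user, set(roles))
        req.log.append("1: requested " + ",".join(sorted(roles)))
        return req

    def approve(self, req, approver, granted: bool):                         # steps 2 and 3
        if req.state != "REQUESTED":
            raise RuntimeError("request is not awaiting approval")
        req.approvals[approver] = granted
        req.log.append(f"2/3: {approver} {'approved' if granted else 'rejected'}")
        if not granted:
            req.state = "REJECTED"
        elif all(req.approvals.get(a) for a in self.REQUIRED_APPROVERS):
            req.state = "APPROVED"

    def risk_analysis(self, req) -> set:                                      # step 4
        if req.state != "APPROVED":
            raise RuntimeError("risk analysis only after approval")
        req.risks = self.grc.analyze(self.existing_roles.get(req.user, set()), req.roles)
        req.state = "RISK_ANALYZED"
        req.log.append("4: risks " + ",".join(sorted(req.risks)))
        return req.risks

    def remediate(self, req, decision, risk=None, control=None, drop_role=None):  # step 5
        if req.state != "RISK_ANALYZED":
            raise RuntimeError("remediation only after risk analysis")
        if decision == "reject":
            req.state = "REJECTED"
            return
        if decision == "mitigate":
            req.mitigations[risk] = control             # compensating control assigned
        elif decision == "modify":
            req.roles.discard(drop_role)                # re-run analysis on the reduced request
            req.risks = self.grc.analyze(self.existing_roles.get(req.user, set()), req.roles)
        elif decision != "approve":
            raise ValueError("unknown decision")
        req.log.append(f"5: {decision}")
        if not (req.risks - set(req.mitigations)):      # every risk closed or mitigated
            req.state = "COMPLIANT"

    def provision(self, req, systems) -> str:                                 # step 6
        if req.state != "COMPLIANT":
            raise PermissionError(f"cannot provision in state {req.state}")
        for system in systems:
            req.provisioned[system] = set(req.roles)
        self.existing_roles.setdefault(req.user, set()).update(req.roles)
        req.state = "PROVISIONED"
        req.log.append("6: provisioned to " + ",".join(systems))
        return f"mail to {req.user}: your request was approved and provisioned"


def _approved_request():
    idm = IdentityManagement(AccessControl(SOD_RISKS), {"jack_jones": {"PR_CREATE_VENDOR"}})
    req = idm.submit("jack_jones", ["PR_PAY_VENDOR", "SD_VIEW_ORDERS"])
    idm.approve(req, "manager", True)
    idm.approve(req, "role_owner", True)
    idm.risk_analysis(req)            # finds P001: the user already creates vendors
    return idm, req


def demo_mitigated():
    idm, req = _approved_request()
    try:
        idm.provision(req, ["ERP"])   # blocked: P001 is still open
    except PermissionError:
        pass
    idm.remediate(req, "mitigate", risk="P001", control="CTRL-0042")
    idm.provision(req, ["ERP", "CRM"])
    return req.state, sorted(req.risks), sorted(req.provisioned)


def demo_modified():
    idm, req = _approved_request()
    idm.remediate(req, "modify", drop_role="PR_PAY_VENDOR")   # conflict designed out
    idm.provision(req, ["ERP"])
    return req.state, sorted(req.roles), sorted(req.risks)
```

The state machine is deliberately strict: a call out of order raises instead of silently skipping a step, which is the behaviour you want from a workflow engine that feeds an audit trail.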


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 - Architecture

Diagram of the components of SAP GRC 10.0 and their connections (RFC, DIAG, HTTP and Web services):
- SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (software component GRCFND_A)
- SAP ERP (4.6C to 7.1) with the NetWeaver function modules (plug-in GRCPINW), the HR function modules and the Process Control automated controls (plug-in GRCPIERP)
- Non-SAP business applications connected through an adapter
- Optional: SAP NW Portal 7.02 with GRC portal content; SAP NW BW 7.02 with GRC BI content; SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP); Content Lifecycle Management (CLM)
- Front-end client: SAP GUI 7.10 and Web browser with Adobe Flash Player and the SAP CR adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow shown: an event in the HR application (new hire, change of position) triggers identity management to calculate entitlements based on the position; the line manager approves the assignments (if not, the flow stops); SAP GRC Access Control runs a compliance check and remediation; finally users are created and roles or privileges are assigned across the heterogeneous landscape.

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Inputs: logs of SAP NetWeaver systems, logs of non-SAP-NetWeaver systems, desktop frontend, mobile frontend, logs of the infrastructure, logs of databases, network logs, IDS, alerts from SAP Solution Manager, and attack pattern updates by SAP.

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation.

Outputs: API to other SIEM tools; information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary - Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering allows customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
- SAP leads the industry by helping its customers thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web:
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops:
- Access hands-on workshops post-event
- Available January to March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online:
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 23: SIS100 - Overview About Product Security, IDM and SSO


SAP HANA - Security Administration

Diagram: SAP HANA provides authentication/SSO, authorization, encryption, audit logging and an identity store. Administration is done with SAP HANA Studio or through the SQL interface (the command line tool hdbsql is available); XS applications access the database via SQL.

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile App Security: A Strong Foundation Makes Mobile Successful

SAP Mobile Security (on-premise, hybrid, cloud) covers:
- Device: mobile device management
- Application: mobile app security, mobile enterprise app store, secure e-mail container
- Content: mobile content management
- Communications: telecom expense management
- Systems management: enterprise mobility management system

Introducing SAP Mobile Documents: Share My Files, My Files on Any Device, Mobilize Enterprise Content

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content are critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service - One Login for Cloud Applications

SAP ID service provides authentication, single sign-on and user management for the SAP Cloud:
- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications
- One SAP identity: SAP ID service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd party on-demand applications by verifying user identities and granting authentication

Session SIS102: SAP ID Service - Single Sign-On for Cloud Applications

Enterprise Cloud: Two Identity "Camps" - Handled With Industry Standards

Standards shown: SAML, Liberty ID-WSF, WS-*/SOAP and Kerberos on the enterprise (on-premise) side; OAuth, XRDS, OpenID and REST on the Internet/cloud (on-demand) side.

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between on-premise (OP) and on-demand (OD) instead of point-to-point connections.

Diagram: in the customer's on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service trusts that IdP via SAML, alongside social IdPs, and in turn serves SAP Business ByDesign, SAP HANA Cloud and 3rd party applications (SAML).

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

Integration scenarios: OnDemand integration, OnPremise integration, OnDevice integration.

Secure Communication and Interaction: OnDemand Solutions

Diagram: company A and company B each have backend networks (an R/3 application server farm, ERP systems and a directory) and their own Identity Provider. Inside each backend network, SAP logon tickets provide single sign-on; between the company Identity Providers and the on-demand solutions, SAML is used.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM19 for configuration, SM20 for evaluation, SM18 for reorganizing old audit files) and results of the Log Viewer in Java.

Logging and Monitoring - AS ABAP Tools Overview

- Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor.
- Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking who accessed which data, when and via which interface. Target audience: data protection officer.
- Security Audit Log: monitoring of security-relevant events in the system, such as logons, access control violations and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram of the audit flow. SAP environment: audit planning with a work program (system audit, business audit); online controls on the SAP database (system information, reconciliation of balance sheet and P&L, account balances, documents); data export of account balances and line items. Non-SAP environment, fed through the export interface: analysis software (ACL, IDEA, ...) and reporting software working on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...; work paper preparation and reporting.

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- the user interfaces used to access the data
- the operations executed on remote APIs
- the users using the remote APIs or user interfaces
- the entities and their content

Session SIS104 - Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration. Which channels are available in which release is listed on the "Read Access Logging versus UI Logging" slide.

Diagram: on the ABAP server, the application (here a Web Dynpro application) passes through the framework, which writes the read access log.

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged, and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development - User Interface (UI) Logging

Diagram: in the SAP backend system, the data traffic (request and response) between SAP GUI for Windows and the Dynpro processor is observed alongside the application logic. The observed data goes to a temporary log and is passed by an asynchronous call of the log service to permanent log storage in the repository; a sample implementation is delivered.

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I - transaction BP (Business Partner) log record (screenshot)

UI Logging: Log Record Example II - transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD logging was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism first does a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Supported channels:

Channel                      Read Access Logging   UI Logging solution
SAP GUI                      No                    7.00 ... 7.31
Web Dynpro ABAP              7.40 SP02             on request
CRM Web Client UI            No                    7.00 ... 7.31
Business Warehouse           No                    7.00 ... 7.31 (BW 7.0)
Web Services                 7.40                  on request
SAP RFC                      7.40 SP02             on request
Business Server Pages (BSP)  No                    on request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
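A small Python model of the logging configuration described in the Read Access Logging slides, constrained by the legal points above, added here as an example (not the RAL framework and not SAP code; the channel names, field modes, transaction names and retention period are assumptions, and the sample read events are constructed). It records who, what, when and how for each read, keeps unconfigured fields and channels out of the log entirely, masks a credit card number down to its last four digits, and purges records older than a purpose-bound retention period.

```python
from dataclasses import dataclass

# Constructed logging configuration in the spirit of RAL: per channel and entity,
# which fields are logged in full, only masked, or not at all ("none").
LOG_CONFIG = {
    ("SAPGUI", "BusinessPartner"): {"name": "full", "credit_card": "masked", "notes": "none"},
    ("RFC", "BusinessPartner"): {"name": "full", "credit_card": "none"},
}
RETENTION_DAYS = 90          # assumed retention period bound to the audit purpose


@dataclass
class ReadEvent:
    """One read of an entity by a user over a channel (constructed, not real data)."""
    user: str
    channel: str             # user interface or remote API: SAPGUI, WebDynpro, RFC, WebService
    transaction: str         # transaction, UI or remote function that did the access
    entity: str
    key: str
    fields: dict             # field name -> value that was presented to the user
    ts: float                # epoch seconds


def mask(value: str) -> str:
    """Keep only the last four digits, e.g. of a credit card number."""
    digits = [c for c in value if c.isdigit()]
    if len(digits) <= 4:
        return "****"
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def build_record(event: ReadEvent, config=LOG_CONFIG):
    """Apply the configuration; returns the log record, or None if nothing is to be logged."""
    rules = config.get((event.channel, event.entity))
    if rules is None:
        return None                                   # channel/entity not in scope
    logged = {}
    for name, value in event.fields.items():
        mode = rules.get(name, "none")
        if mode == "full":
            logged[name] = value
        elif mode == "masked":
            logged[name] = mask(value)
        # "none": the field never enters the log
    if not logged:
        return None
    return {"who": event.user, "when": event.ts,
            "how": f"{event.channel}/{event.transaction}",
            "what": {"entity": event.entity, "key": event.key, "fields": logged}}


class ReadAccessLog:
    def __init__(self, retention_days=RETENTION_DAYS):
        self.records = []
        self.retention = retention_days * 86400

    def append(self, event: ReadEvent) -> bool:
        rec = build_record(event)
        if rec is None:
            return False
        self.records.append(rec)
        return True

    def who_accessed(self, entity: str, key: str):
        """Evaluation: who accessed this object, when, and via which interface."""
        return [(r["who"], r["when"], r["how"]) for r in self.records
                if r["what"]["entity"] == entity and r["what"]["key"] == key]

    def purge(self, now: float) -> int:
        """Delete records older than the retention period; returns how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if now - r["when"] < self.retention]
        return before - len(self.records)


NOW = 1_700_000_000.0        # fixed clock so the demo is reproducible
CARD = "4111 1111 1111 1111"  # constructed test number
SAMPLE_EVENTS = [
    ReadEvent("jack_jones", "SAPGUI", "BP", "BusinessPartner", "100042",
              {"name": "ACME Ltd", "credit_card": CARD, "notes": "VIP"}, NOW - 2 * 86400),
    ReadEvent("batch_user", "RFC", "BAPI_BUPA_CENTRAL_GETDETAIL", "BusinessPartner", "100042",
              {"name": "ACME Ltd", "credit_card": CARD}, NOW - 1 * 86400),
    ReadEvent("jack_jones", "SAPGUI", "BP", "BusinessPartner", "100042",
              {"name": "ACME Ltd", "credit_card": CARD}, NOW - 200 * 86400),   # older than retention
    ReadEvent("jack_jones", "WebDynpro", "HR_VIEW", "Employee", "000123",
              {"salary": "120000"}, NOW),                                       # not configured
]


def run_demo():
    log = ReadAccessLog()
    appended = [log.append(e) for e in SAMPLE_EVENTS]
    purged = log.purge(NOW)
    return appended, purged, log.who_accessed("BusinessPartner", "100042"), log.records[0]["what"]["fields"]
```

Run `run_demo()`: three of the four events are logged, the 200-day-old record is purged, the evaluation lists the SAP GUI and RFC reads of business partner 100042, and the stored card number is the masked form only; the RFC record carries no card field at all, which is how a "none" rule keeps PCI-scoped data out of the log.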

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

Diagram: the SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) call the Secure Store and Forward (SSF) library of SAP NetWeaver, which uses the SAP Cryptographic Library or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP single sign-on mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures - Step by Step

1. The transaction triggers a digital signature
2. The user information is transferred to the SAP client
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data

Supported out of the box for a set of SAP transactions. Programming or integration is necessary in case of:
- ABAP programming for other transactions not yet supporting SSF
- Integration of the Secure Login Library with client actions
- Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption - Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram: the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application servers; SNC is also used between the application servers.

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: on the SAP side, secure software development; on the customer side, secure software development, security services and security management. The following slides highlight each of these areas in turn.

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

- SAP Security Patch Day: SAP security notes, second Tuesday every month
- SAP Active Global Support security tools and services: SAP Solution Manager System Recommendations; SAP EarlyWatch Alert (EWA) with security section; SAP Solution Manager Configuration Validation; SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP (SAP Service Marketplace)?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD (segregation of duties)?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles
– Examples: secure system configuration, patch management

Secure System Configuration SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

Patch Management and Security Monitoring

– Check the security of your systems onsite, remotely, or as self-service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks
– Easy-to-use, light-weight tool: short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– Each task is available in two flavors: one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674
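The "configuration parameters against targets" check from the slides above (password policy, password hashes, secure session handling, SNC, gateway and message server ACLs) can be reproduced offline against an instance profile. The following Python checker is an added example, not SAP's Configuration Validation, EarlyWatch Alert or LM Automation: the parameter names are real AS ABAP profile parameters, but the target values are the author's illustrative hardening choices rather than SAP's published recommendations, and the profile fragment is constructed.

```python
"""Check an AS ABAP instance profile against hardening targets (added example; not SAP tooling).

Parameter names are real AS ABAP profile parameters. The target values are the author's
illustrative choices, not SAP's official recommendations, and the profile fragment is
constructed, not taken from a real system.
"""
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, str, str]  # (operator, expected value, rationale)

TARGETS: Dict[str, Target] = {
    "login/min_password_lng": (">=", "8", "password policy: minimum length"),
    "login/password_downwards_compatibility": ("==", "0", "password hashes: no downward-compatible weak hashes"),
    "login/password_hash_algorithm": ("contains", "RFC2307", "password hashes: salted, iterated hash format"),
    "login/fails_to_user_lock": ("<=", "5", "password policy: lock the user after repeated failed logons"),
    "login/no_automatic_user_sapstar": ("==", "1", "default passwords: no automatic SAP* user"),
    "login/ticket_only_by_https": ("==", "1", "session handling: logon ticket cookie only over HTTPS"),
    "icf/set_HTTPonly_flag_on_cookies": ("==", "0", "session handling: HttpOnly flag on cookies (0 = all cookies)"),
    "rdisp/gui_auto_logout": ("between", "1..3600", "session handling: idle SAP GUI logout in seconds (0 disables it)"),
    "snc/enable": ("==", "1", "SNC: enabled on the application server"),
    "snc/data_protection/min": (">=", "3", "SNC: minimum protection level privacy (3 = encryption)"),
    # 'set' only checks that an ACL path is configured; the ACL content needs its own review
    "gw/sec_info": ("set", "", "gateway: secinfo ACL file configured"),
    "gw/reg_info": ("set", "", "gateway: reginfo ACL file configured"),
    "ms/acl_info": ("set", "", "message server: ACL file configured"),
}

SAMPLE_PROFILE = """\
# constructed instance profile fragment, not from a real system
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/password_hash_algorithm = encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/ticket_only_by_https = 0
rdisp/gui_auto_logout = 0
snc/enable = 1
snc/data_protection/min = 2
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment. Split on the first '=' only,
    because values such as login/password_hash_algorithm contain '=' themselves."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _as_int(value: str) -> Optional[int]:
    try:
        return int(value)
    except ValueError:
        return None


def _matches(op: str, actual: str, expected: str) -> bool:
    if op == "set":
        return actual != ""
    if op == "==":
        return actual == expected
    if op == "contains":
        return expected in actual
    num = _as_int(actual)
    if num is None:  # a numeric comparison against a non-numeric value never passes
        return False
    if op == ">=":
        return num >= int(expected)
    if op == "<=":
        return num <= int(expected)
    if op == "between":
        lo, hi = (int(x) for x in expected.split(".."))
        return lo <= num <= hi
    raise ValueError(f"unknown operator {op!r}")


def evaluate(params: Dict[str, str], targets: Dict[str, Target] = TARGETS) -> List[dict]:
    """One finding per target. An absent parameter counts as a failure: the kernel default
    then applies, and that default is not necessarily the hardened value."""
    findings = []
    for name, (op, expected, rationale) in targets.items():
        actual = params.get(name)
        ok = actual is not None and _matches(op, actual, expected)
        findings.append({"parameter": name, "ok": ok, "actual": "<not set>" if actual is None else actual,
                         "expected": f"{op} {expected}".strip(), "rationale": rationale})
    return findings


def failed(findings: List[dict]) -> List[str]:
    return [f["parameter"] for f in findings if not f["ok"]]


if __name__ == "__main__":
    for f in evaluate(parse_profile(SAMPLE_PROFILE)):
        print(f"{'OK  ' if f['ok'] else 'FAIL'} {f['parameter']:<40} {f['actual']!r:<50} target {f['expected']}  ({f['rationale']})")
```

Running it against the constructed profile reports eight failures: too short a minimum password length, downward-compatible hashes still enabled, the logon ticket not bound to HTTPS, no HttpOnly parameter, an auto-logout value of 0 (which disables the logout although it is numerically below the limit), SNC without privacy protection, and missing gateway reginfo and message server ACLs. A real run would read the profile from the instance and apply the parameter set of the SAP security recommendations instead of the illustrative targets.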


Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources
– SAP security recommendations
– SAP security guides

How to verify
– Design review, architect

ural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources
– SAP Secure Programming Guides
– SAP Security Recommendations

How to verify
– Source code scanning: automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494)

ABAP Test Cockpit (ATC)
– Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)
– Open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN)
– Extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis
– Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
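As an added illustration of the "automate it" point for the bug classes listed above, here is a small Python pattern scanner over ABAP statements. It is not ATC, the Code Inspector or SAP's code vulnerability analysis add-on (whose data-flow analysis is far more thorough); the ABAP sample, the rule set and the sanitizer whitelist (cl_abap_dyn_prg methods and the FILE_VALIDATE_NAME function module) are the author's, and the heuristics miss anything a regular expression cannot see, such as XSS in UI code.

```python
"""Toy pattern scanner for SQL injection, directory traversal and ABAP code injection (added example).

Not ATC, the Code Inspector or SAP's code vulnerability analysis add-on: a regex-over-statements
illustration of what an automated source scan looks for. The ABAP sample is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Pattern, Tuple

SAMPLE_ABAP = """\
REPORT z_added_example.
PARAMETERS: p_name TYPE string, p_file TYPE string.
DATA: lv_where TYPE string, lv_safe TYPE string, lv_path TYPE string,
      lt_code TYPE TABLE OF string.

" vulnerable: user input concatenated into a dynamic WHERE clause
lv_where = |NAME = '{ p_name }'|.
SELECT * FROM sflight INTO TABLE @DATA(lt_bad) WHERE (lv_where).

" hardened: the value is quoted by cl_abap_dyn_prg before use
lv_safe = |NAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM sflight INTO TABLE @DATA(lt_ok) WHERE (lv_safe).

" vulnerable: file path taken straight from user input
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.

" hardened: physical path derived from a validated logical file name
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING logical_filename  = 'Z_UPLOAD'
  CHANGING  physical_filename = lv_path.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.

" vulnerable: program code generated from data at runtime
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
"""


@dataclass
class Finding:
    line: int
    rule: str
    statement: str


RULES: List[Tuple[str, Pattern]] = [
    ("SQL injection: dynamic WHERE clause built from a variable",
     re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)),
    ("Directory traversal: file opened via a variable path",
     re.compile(r"\bOPEN\s+DATASET\s+(\w+)\b", re.I)),
    ("ABAP code injection: program generated at runtime",
     re.compile(r"\b(?:GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)),
]
ASSIGNMENT = re.compile(r"^(\w+)\s*=\s*(.*)$", re.S)
# sanitizers a real scan would whitelist; the list is the author's, not complete
SANITIZER = re.compile(r"\bcl_abap_dyn_prg=>(?:quote|quote_str|check_\w+|escape_\w+)\s*\(", re.I)
VALIDATED_PATH = re.compile(r"FILE_VALIDATE_NAME.*?physical_filename\s*=\s*(\w+)", re.I | re.S)


def split_statements(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, statement text) for each '.'-terminated statement.
    '*' in column 1 and '"' start comments. A '.' inside a string literal is not handled."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(source.splitlines(), 1):
        line = "" if raw.startswith("*") else re.sub(r'".*$', "", raw)
        if not line.strip():
            continue
        if not buf:
            start = no
        buf.append(line.strip())
        if line.rstrip().endswith("."):
            yield start, " ".join(buf)[:-1].strip()
            buf = []


def scan(source: str) -> List[Finding]:
    """Flag rule hits unless the variable involved was last assigned through a sanitizer."""
    sanitized = set()
    findings: List[Finding] = []
    for no, stmt in split_statements(source):
        assignment = ASSIGNMENT.match(stmt)
        if assignment:
            var, rhs = assignment.group(1).lower(), assignment.group(2)
            if SANITIZER.search(rhs):
                sanitized.add(var)
            else:
                sanitized.discard(var)   # reassignment without a sanitizer taints the variable again
        validated = VALIDATED_PATH.search(stmt)
        if validated:
            sanitized.add(validated.group(1).lower())
        for rule, pattern in RULES:
            hit = pattern.search(stmt)
            if hit is None:
                continue
            if hit.lastindex and hit.group(1).lower() in sanitized:
                continue
            findings.append(Finding(no, rule, stmt))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"line {f.line}: {f.rule}\n    {f.statement}")
```

On the constructed program the scan reports the dynamic WHERE clause on line 8, the OPEN DATASET on line 15 and the GENERATE SUBROUTINE POOL on line 24, and stays silent for the two hardened statements. The sanitizer tracking is deliberately simple (one variable, latest assignment); that is precisely the gap a data-flow based tool such as the code vulnerability analysis add-on closes.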

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security
Neither DAST nor SAST is a guarantee to find all security issues in an application

SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis
DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

SAST (analyzing the sources): manual source code review, automated source code analysis with the SAP NetWeaver Application Server add-on for code vulnerability analysis
DAST (running application): automated application vulnerability scanning, manual application penetration testing

Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response SAP

You have found a security vulnerability in an SAP product
– What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
– SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general
– Go to the SAP Service Marketplace for spotlight news
– Check the security notes released on the Security Patch Days
– Subscribe to the SAP support portal newsletter
– Maintain a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace

Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
– The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
– Booking code P_ADM_SEC_70

Topic                                      Course ID
Authorizations AS ABAP                     ADM940
Authorizations AS Java, Portal             ADM200, EP200, ADM800
Authorizations BW                          BW365
SAP NetWeaver Identity Management          ADM920
Security Auditing                          ADM950
Technical Security (RFC, SSL, SNC, ...)    ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO/IEC 15408)

– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
– EAL 4 is the highest internationally accepted level

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations

Certified products
– SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On
Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions

Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store

Advanced SNC encryption
– Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
– Smart cards
– RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP systems and non-SAP
– Identity Center
– Virtual Directory Server
– Identity Services
– Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
– Identity federation
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures
– Re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver)
– Basic encryption of the communication path for SAP Windows clients and SAP application servers
– No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner, API)
– Endorsed Business Solution (EBS) with CA SiteMinder: policy-based authentication and authorization to web applications, XACML-based and policy-enforced access

Identity Federation
– Web-based and web service-based authentication, single sign-on and identity federation via SAML 2.0, cross-company and cross-domain single sign-on

Secure Login
– Single sign-on for web-based and web service-based applications, standards-based single sign-on for SAP GUI (Kerberos, X.509), digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
– Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
– Basic encryption between SAP Windows clients and SAP application servers, no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment

What is Enterprise Single Sign-On?

Diagram: after primary authentication, the E-SSO monitor (with a local management console) fills in the credentials of the user jack_jones in a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.

Secure Login – Solution Architecture

Diagram:
– Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with the Secure Login Web Client (SLWC, applet), browser key store and SAP or Java crypto library
– SAP backend system, ABAP stack: Secure Login Library and PSE service, reached via DIAG/SNC and HTTP(S)
– SAP backend system, Java stack (NetWeaver CE 7.2): Secure Login Server with configuration data
– Authentication server (e.g. SAP User Management) behind the Secure Login Server

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run ERP, CRM, SCM and further systems, with the cloud between them.

Identity Federation – Solution

Diagram: the ERP, CRM and SCM systems of each company act as Service Providers (SP) behind that company's own Identity Provider in Datacenter A and Datacenter B; the two Identity Providers federate.

– Each company maintains only its own identities
– A company can trust the identities of another organization
– Employees of company A can get access to shared information of company B
– SAP Business Suite will be enabled for SAML (Service Provider)
– Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: a SAP NetWeaver Java Identity Provider (with its own user accounts) issues SAML tokens on log-on/log-off to Service Providers that keep their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP.

– The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
– Web users trying to access a system will be redirected to the Identity Provider
– Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
– Web browser-based single sign-on is user-centric
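The checks a Service Provider performs before it trusts the SAML token in the flow above, as an added Python example that is not SAP code: the IdP and SP entity IDs, the user jack_jones, the timestamps and the shared key are constructed, and the HMAC carried in a DemoSignature element stands in for the XML-DSig signature a real Identity Provider produces over the canonicalised assertion. The issuer, validity window, audience restriction and replay checks are the ones a real SP applies.

```python
"""SP-side validation of a SAML 2.0 assertion (added example, not SAP code).

Entity IDs, user, timestamps and the shared key are constructed. The HMAC in 'DemoSignature'
stands in for the enveloped XML-DSig signature of a real IdP; the remaining checks (trusted
issuer, validity window, audience, replay) are the ones an SP performs before accepting a subject.
"""
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.com/saml2"     # assumption: the one Identity Provider the SP trusts
SP_ENTITY_ID = "https://erp.example.com/saml2/sp"   # assumption: the AS ABAP Service Provider
SHARED_KEY = b"constructed-demo-signing-key"        # stand-in for the IdP signing key / SP trust anchor
CLOCK_SKEW = timedelta(seconds=30)
NOW = datetime(2013, 11, 5, 10, 0, tzinfo=timezone.utc)   # constructed "current time"
LATER = NOW + timedelta(seconds=600)


class SamlValidationError(Exception):
    pass


def _tag(local):
    return f"{{{SAML}}}{local}"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _signing_input(a):
    """Fields the demo MAC covers; a real signature covers the canonicalised element."""
    cond = a.find(_tag("Conditions"))
    parts = [a.get("ID", ""), a.get("IssueInstant", ""), a.findtext(_tag("Issuer"), ""),
             a.findtext(f"{_tag('Subject')}/{_tag('NameID')}", ""),
             cond.get("NotBefore", "") if cond is not None else "",
             cond.get("NotOnOrAfter", "") if cond is not None else "",
             a.findtext(f"{_tag('Conditions')}/{_tag('AudienceRestriction')}/{_tag('Audience')}", "")]
    return "\n".join(parts).encode()


def _mac(a, key):
    return hmac.new(key, _signing_input(a), hashlib.sha256).hexdigest()


def build_assertion(name_id, now, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, lifetime=300, key=SHARED_KEY):
    """IdP side: assertion for name_id valid from now-60s to now+lifetime, then 'signed'."""
    a = ET.Element(_tag("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, _tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, _tag("Subject")), _tag("NameID")).text = name_id
    cond = ET.SubElement(a, _tag("Conditions"), {"NotBefore": _ts(now - timedelta(seconds=60)),
                                                 "NotOnOrAfter": _ts(now + timedelta(seconds=lifetime))})
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
    ET.SubElement(a, "DemoSignature").text = _mac(a, key)
    return ET.tostring(a)


def validate_assertion(xml_bytes, now, seen_ids, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, key=SHARED_KEY):
    """SP side: return the asserted NameID or raise SamlValidationError. seen_ids is the replay cache."""
    a = ET.fromstring(xml_bytes)
    if a.tag != _tag("Assertion") or a.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 assertion")
    sig = a.findtext("DemoSignature")
    if not sig or not hmac.compare_digest(sig, _mac(a, key)):
        raise SamlValidationError("signature check failed")   # unsigned, tampered or wrong key
    if a.findtext(_tag("Issuer")) != issuer:
        raise SamlValidationError("issuer is not a trusted IdP")
    cond = a.find(_tag("Conditions"))
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not not_before or not not_after:
        raise SamlValidationError("validity window not specified")
    if not (_parse_ts(not_before) - CLOCK_SKEW <= now < _parse_ts(not_after) + CLOCK_SKEW):
        raise SamlValidationError("assertion outside its validity window")
    if a.findtext(f"{_tag('Conditions')}/{_tag('AudienceRestriction')}/{_tag('Audience')}") != audience:
        raise SamlValidationError("assertion was issued for a different Service Provider")
    if a.get("ID") in seen_ids:
        raise SamlValidationError("assertion replayed")
    seen_ids.add(a.get("ID"))
    return a.findtext(f"{_tag('Subject')}/{_tag('NameID')}")


def outcome(xml_bytes, now, seen_ids, **kw):
    """Convenience wrapper returning 'accepted:<user>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + validate_assertion(xml_bytes, now, seen_ids, **kw)
    except SamlValidationError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    cache = set()
    token = build_assertion("jack_jones", NOW)
    print(outcome(token, NOW, cache))   # accepted on first use
    print(outcome(token, NOW, cache))   # rejected as a replay on second use
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated document influences the later decisions, and the assertion ID is recorded only after every other check has passed. With lxml and an XML-DSig library the DemoSignature step would be replaced by a signature verification against the IdP certificate configured in the SP's trust store; the rest of the function stays the same.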

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2hr)

SAP NetWeaver Identity Management

– Password management
– Provisioning to SAP and non-SAP systems (e.g. on-boarding)
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as a service
– Approval workflows
– Central Identity Store
– Compliance checks through SAP Access Control (GRC)
– SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram:
– Identity Center (IC) database: MS SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, Identity Services (IdS)
– Runtime engines: Java runtime and VB runtime, started by the dispatcher; Event Agent; DSE (VB)
– AS Java: Web Dynpro identity management UI abstraction (HTTPS), Identity Services, JMX
– Virtual Directory Server (VDS, Java VM) exposing LDAP; user interface
– Management Console (MMC), soon to be Eclipse-based
– External repositories: LDAP, Java, ABAP, web services, Active Directory etc.
– External applications: SAP HR, LDAP/web services, SiteMinder, application-specific connectors

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Process between the user, SAP NetWeaver Identity Management, the approver, the compliance team and SAP GRC Access Control:
1. Request for role, privileges, user account, ...
2. Request sent for approval to manager, delegate, role owner, application owner, ...
3. Approval granted from manager, delegate, role owner, application owner, ...
4. Sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, ...
6. Provision to business applications, non-SAP systems, ..., and send approval mail to the user

Result: compliant identity management
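Steps 4 to 6 of the workflow above in runnable form, as an added Python example that is neither SAP GRC Access Control nor SAP NetWeaver Identity Management code: the role catalogue, the SoD rule set, the risk IDs and the target systems are constructed; the transaction codes are real SAP transactions, but the conflicts defined between them are illustrative. The analysis simulates the access the user would hold after provisioning, so a requested role that conflicts with an already assigned one is caught as well.

```python
"""SoD risk analysis and provisioning decision for an access request (added example).

Not SAP GRC Access Control or SAP NetWeaver Identity Management code. The role catalogue,
the SoD rules, the risk IDs and the target systems are constructed; the transaction codes
are real SAP transactions, but the conflicts defined here are illustrative only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

ROLE_PRIVILEGES: Dict[str, Set[str]] = {          # business role -> transactions it grants
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_USER_ADMIN": {"SU01", "SU10"},
    "Z_ROLE_ADMIN": {"PFCG"},
    "Z_DISPLAY_ONLY": {"XK03", "FBL1N"},
}


@dataclass(frozen=True)
class SodRule:
    risk_id: str
    description: str
    left: FrozenSet[str]    # any privilege from 'left' together with any from 'right' is a conflict
    right: FrozenSet[str]


SOD_RULES: List[SodRule] = [
    SodRule("P001", "maintain vendor master data and post vendor invoices",
            frozenset({"XK01", "XK02"}), frozenset({"FB60", "MIRO"})),
    SodRule("B001", "maintain users and maintain authorization roles",
            frozenset({"SU01", "SU10"}), frozenset({"PFCG"})),
]


@dataclass
class AccessRequest:
    user: str
    existing_roles: Set[str]
    requested_roles: Set[str]
    mitigations: Set[str] = field(default_factory=set)   # risk IDs with an approved mitigating control


@dataclass
class RiskResult:
    decision: str            # "approve" | "mitigate" | "reject"
    violations: List[dict]


def privileges_for(roles: Set[str]) -> Set[str]:
    return set().union(*(ROLE_PRIVILEGES[r] for r in roles))


def analyse(request: AccessRequest) -> RiskResult:
    """Steps 4 and 5: simulate the access after provisioning and run the SoD rules over it."""
    before = privileges_for(request.existing_roles)
    after = before | privileges_for(request.requested_roles)
    violations = []
    for rule in SOD_RULES:
        hit_left, hit_right = after & rule.left, after & rule.right
        if not (hit_left and hit_right):
            continue
        involved = sorted(r for r in request.requested_roles if ROLE_PRIVILEGES[r] & (rule.left | rule.right))
        violations.append({
            "risk_id": rule.risk_id,
            "description": rule.description,
            "privileges": sorted(hit_left | hit_right),
            "requested_roles_involved": involved,          # what 'modify request' would have to drop
            "pre_existing": bool(before & rule.left and before & rule.right),
            "mitigated": rule.risk_id in request.mitigations,
        })
    if not violations:
        decision = "approve"
    elif all(v["mitigated"] for v in violations):
        decision = "mitigate"
    else:
        decision = "reject"
    return RiskResult(decision, violations)


def provisioning_plan(request: AccessRequest, result: RiskResult, target_systems: List[str]) -> Dict[str, List[str]]:
    """Step 6: only approved or mitigated requests reach the target systems."""
    if result.decision == "reject":
        return {}
    return {system: sorted(request.requested_roles) for system in target_systems}


if __name__ == "__main__":
    req = AccessRequest("jack_jones", {"Z_VENDOR_MASTER"}, {"Z_AP_CLERK"})
    res = analyse(req)
    print(res.decision, res.violations)
    print(provisioning_plan(req, res, ["ERP", "CRM"]))
```

For jack_jones, who already maintains vendor master data, the request for Z_AP_CLERK produces risk P001 and is rejected; the same request with an approved mitigating control for P001 is provisioned with the decision "mitigate", which is the case a compliance team signs off explicitly. A display-only role never triggers a rule because the rules name the maintaining and posting transactions, not the display ones.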

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
– Access risk identification: define and understand access risks
– Access analysis and response: analyze and mitigate access risks
– Access reviews: periodic reviews of assignments, risk violations and controls
– Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Diagram:
– SAP NetWeaver AS ABAP 7.02: Access Control, Process Control & Risk Management (software component GRCFND_A); Content Lifecycle Management (CLM)
– SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); connected via RFC
– Non-SAP business applications via adapter (optional)
– SAP NW Portal 7.02 with GRC portal content (optional, http)
– SAP NW BW 7.02 with GRC BI content (optional, RFC)
– SAP NW Java 7.02 with Adobe Document Services (optional)
– Identity management solutions (SAP or non-SAP, optional) via web services
– Front-end client: SAP GUI 7.10 (DIAG), web browser (http), Adobe Flash Player, SAP CR adapter
– SAP Crystal Reports Adapter and Active Component Framework: needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

– Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
– Reduce risk through compliance checks and remediation
– Automate manual processes through integration

Flow: HR application (new hire, change of position) -> Identity Management calculates entitlements based on position -> line manager approves the assignments (yes/no) -> SAP GRC Access Control compliance check and remediation -> create user and assign roles/privileges across the heterogeneous landscape

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure performs connectivity, extraction, filtering, normalization and aggregation of
– logs of SAP NetWeaver and of non-SAP NetWeaver systems
– desktop frontend and mobile frontend logs
– logs of infrastructure, database and network
– alerts from SAP Solution Manager
with attack pattern updates by SAP, an information back channel to SAP, an IDS, and an API to other SIEM tools.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Away

– SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
– Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
– The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
– SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
– SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
– SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
– SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
– SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
– SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
– SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complimentary with your SAP TechEd registration
– http://saptechedhandson.sap.com

SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
– View content only available online
– http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100
Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 24: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Security Solutions: Mobile Security, Cloud Security

Mobile app security: a strong foundation makes mobile successful

Mobile Security (on-premise, hybrid, cloud)
– Device: Mobile Device Management
– Application: Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
– Content: Mobile Content Management
– Communications: Telecom Expense Management
– Systems Management: Enterprise Mobility Management System

SAP Mobile Security

Share My Files, My Files – Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

– Access personal business documents instantly on your laptop or any mobile device
– Discover and access content from corporate document management systems
– Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118 – Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

SAP ID service: authentication, single sign-on, user management
– Managing identities and their lifecycle within the SAP Cloud
– Leverage SSO to SAP web sites and on-demand applications
– One SAP identity: SAP ID service bridges the gap between the customer's on-premise applications, SAP on-demand applications, SAP websites and 3rd-party on-demand applications by verifying user identities and granting authentication

Session SIS102 – SAP ID Service – Single Sign-On for Cloud Applications

Enterprise Cloud: Two Identity "Camps" – Handled With Industry Standards

Enterprise (on-premise): SAML, Liberty ID-WSF, WS-*, SOAP, Kerberos
Internet/Cloud (on-demand): OAuth, XRDS, OpenID, REST

SAP bridges the gap between these two "camps"

Support of Industry Standards

– REST is the preferred choice for UI consumption scenarios in the cloud
– SOAP/WS-* is the preferred choice for process integration in the enterprise
– Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
– Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
– The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration on-premise/on-demand instead of point-to-point connections

Diagram: in the customer's on-premise network the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network the SAP ID service acts as proxy towards SAP Business ByDesign, SAP HANA Cloud and 3rd-party applications (SAML) and can also accept a social IdP.

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

Diagram labels: OnDemand integration, OnPremise integration, OnDevice integration


Secure Communication and Interaction: OnDemand Solutions

Diagram (labels only): backend networks of Company A and Company B, each with R/3 systems, an ERP application server farm and a directory (DIR); an Identity Provider per company; on-demand solutions. Protocols labelled in the diagram: SAML and SAP Logon Tickets.

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Configuration and results of the Security Audit Log in ABAP: transactions SM19 (configure the audit filters), SM20 (evaluate the log) and SM18 (reorganize old audit files).

Results of the Log Viewer in Java.


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when and via which interface
- Target audience: data protection officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: security administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram (labels only). SAP environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, balance sheet / P&L, account balances, documents); data export (account balances, line items); export interface. Non-SAP environment: work paper preparation, report, analysis software (ACL, IDEA, …) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram labels: ABAP Server, Application, Web Dynpro, Read Access Log


Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
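The filter idea on this slide, worked through as an added example (not SAP's RAL implementation): a small Python evaluator that records only configured channel/entity combinations, keeps only the configured fields, masks card numbers before they reach the log, and answers the data protection officer's question of who read a given record. The record layout, the configuration object and the sample events are constructed for illustration; the real RAL store and its configuration look different.

```python
"""Minimal read-access-log evaluator in the spirit of SAP Read Access Logging.

Added example, not SAP code. Record layout, filter configuration and the
sample events are constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Fields whose values must never be persisted in clear text (e.g. card numbers)
MASKED_FIELDS = {"CCNUM"}


@dataclass(frozen=True)
class ReadEvent:
    user: str
    channel: str            # SAPGUI, WEBDYNPRO, RFC, WS ...
    interface: str          # transaction, application or RFC function name
    entity: str             # logical entity, e.g. BUSINESS_PARTNER
    key: str                # key of the record that was displayed
    fields: Dict[str, str]  # field values shown to the user
    timestamp: datetime


@dataclass(frozen=True)
class LogConfig:
    """Which (channel, entity) pairs are logged and which fields are kept."""
    channels: frozenset
    entities: frozenset
    logged_fields: Dict[str, frozenset]   # entity -> field names worth logging


def mask(field: str, value: str) -> str:
    """Keep only the last four characters of sensitive values."""
    if field in MASKED_FIELDS:
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return value


def record(event: ReadEvent, cfg: LogConfig) -> Optional[dict]:
    """Return the log entry to persist, or None when the event is out of scope."""
    if event.channel not in cfg.channels or event.entity not in cfg.entities:
        return None
    keep = cfg.logged_fields.get(event.entity, frozenset())
    return {
        "who": event.user,
        "when": event.timestamp.astimezone(timezone.utc).isoformat(),
        "how": f"{event.channel}/{event.interface}",
        "what": event.entity,
        "key": event.key,
        "fields": {f: mask(f, v) for f, v in event.fields.items() if f in keep},
    }


def write_log(events: Iterable[ReadEvent], cfg: LogConfig) -> List[dict]:
    """Apply the configuration to a stream of events; out-of-scope events are dropped."""
    return [e for e in (record(ev, cfg) for ev in events) if e is not None]


def who_accessed(log: List[dict], entity: str, key: str) -> List[str]:
    """Answer the data protection officer's question: who read record X?"""
    return sorted({e["who"] for e in log if e["what"] == entity and e["key"] == key})


# Constructed sample configuration and events (not real SAP data)
CONFIG = LogConfig(
    channels=frozenset({"SAPGUI", "RFC"}),
    entities=frozenset({"BUSINESS_PARTNER"}),
    logged_fields={"BUSINESS_PARTNER": frozenset({"NAME", "CCNUM"})},
)
T = datetime(2013, 10, 22, 9, 30, tzinfo=timezone.utc)
EVENTS = [
    ReadEvent("JJONES", "SAPGUI", "BP", "BUSINESS_PARTNER", "100042",
              {"NAME": "Jack Jones", "CCNUM": "4111111111111111", "NOTE": "vip"}, T),
    ReadEvent("BATCH01", "RFC", "BAPI_BUPA_CENTRAL_GETDETAIL", "BUSINESS_PARTNER", "100042",
              {"NAME": "Jack Jones"}, T),
    ReadEvent("JJONES", "WEBDYNPRO", "BP_APP", "BUSINESS_PARTNER", "100043",
              {"NAME": "Other"}, T),          # channel not configured -> not logged
    ReadEvent("ADMIN", "SAPGUI", "SE16", "SFLIGHT", "LH0400",
              {"PRICE": "400"}, T),           # entity not classified -> not logged
]

if __name__ == "__main__":
    log = write_log(EVENTS, CONFIG)
    print(json.dumps(log, indent=1))
    print(who_accessed(log, "BUSINESS_PARTNER", "100042"))
```

Note that the NOTE field of the first event never reaches the log because it is not in the configured field list, and the card number is masked before persistence; that is the "keep private data out of the logs" filter from the slide in code.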


SAP Custom Development – User Interface (UI) Logging

Diagram (labels only): SAP GUI for Windows; Dynpro processor in the SAP backend system (request, response, observed data traffic); application logic; delivered sample implementation; temporary log; asynchronous call of the log service; permanent log storage in the repository.

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I – Transaction BP (Business Partner) log record (screenshot)


UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record (screenshot)


Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism first does a simple relevance check for the InfoProvider underlying a query

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11, …

Channel                       Read Access Logging   UI Logging Solution
SAP GUI                       No                    7.00 … 7.31
Web Dynpro ABAP               7.40 SP02             On request
CRM Web Client UI             No                    7.00 … 7.31
Business Warehouse            No                    7.00 … 7.31, BW 7.0
Web Services                  7.40                  On request
SAP RFC                       7.40 SP02             On request
Business Server Pages (BSP)   No                    On request


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library

Diagram labels: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver; Secure Store and Forward (SSF) library; SAP CRYPTOLIB or Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption


Digital Signatures – Step by Step

Steps shown in the diagram (SAP client and application server):
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF
- Integration of Secure Login Library with client actions
- Hardware support needed


SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel (compliance, integrity, confidentiality).

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram labels: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to SAP application servers; SNC between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

SAP: Secure Software Development
Customers: Secure Software Development, Security Services, Security Management




SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates from planning to development, from development to production, and from production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services




SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press




SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and segregation of duties (SoD)?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the SAP security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling
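Added example, not an SAP tool: a Python check of an AS ABAP instance profile against the SNC, HTTPS and password-management points listed above (and the SNC slides earlier). The parameter names are real AS ABAP profile parameters; the target values are this example's own baseline, and the two profiles are constructed, one weak and one corrected.

```python
"""Check an AS ABAP instance profile against a hardening baseline.

Added example, not an SAP tool. Parameter names are real AS ABAP profile
parameters; the target values are this example's own baseline and the two
sample profiles are constructed (weak vs. corrected).
"""
from typing import Dict, List, Tuple

# (parameter, required value or predicate on the value, rationale)
BASELINE: List[Tuple[str, object, str]] = [
    ("snc/enable", "1", "SNC must be switched on"),
    ("snc/data_protection/min", "3", "require privacy (encryption), not just integrity"),
    ("snc/accept_insecure_gui", "0", "reject unencrypted SAP GUI connections"),
    ("snc/accept_insecure_rfc", "0", "reject unencrypted RFC connections"),
    ("login/password_downwards_compatibility", "0", "store only the current hash, no legacy BCODE/PASSCODE"),
    ("login/min_password_lng", lambda v: int(v) >= 8, "minimum password length"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "lock after a few failed logons"),
    ("login/no_automatic_user_sapstar", "1", "no hard-coded SAP* fallback logon"),
    ("icm/server_port_1", lambda v: v.upper().startswith("PROT=HTTPS"), "an HTTPS port must be configured"),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))   # split at first '='
        params[name] = value
    return params


def check(params: Dict[str, str]) -> List[str]:
    """Return one finding per violated baseline entry (empty list = clean)."""
    findings = []
    for name, expected, why in BASELINE:
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set ({why})")
            continue
        ok = expected(value) if callable(expected) else value == expected
        if not ok:
            findings.append(f"{name}={value}: {why}")
    return findings


# Constructed sample profiles (not taken from a real system)
WEAK_PROFILE = """
SAPSYSTEMNAME = DEV
snc/enable = 0
login/password_downwards_compatibility = 1   # keeps weak legacy hashes
login/min_password_lng = 6
login/fails_to_user_lock = 99
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

HARDENED_PROFILE = """
SAPSYSTEMNAME = DEV
snc/enable = 1
snc/gssapi_lib = /usr/sap/DEV/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=DEV, OU=SAP, O=Example
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
login/password_downwards_compatibility = 0
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "->", check(parse_profile(text)) or "no findings")
```

The weak profile produces nine findings, four for wrong values and five for parameters that are simply absent, which is the usual state of a freshly installed system; the corrected profile passes. A missing parameter is reported as a finding on purpose: silently falling back to the kernel default is exactly what configuration validation should not do.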


Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day; the most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use, lightweight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors, one for ABAP and one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674




Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning: automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
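Added example, not SAP's ATC, Code Inspector or code vulnerability analysis add-on: a toy Python static check over constructed ABAP snippets for three of the secure-programming bugs listed above (SQL injection through a dynamic WHERE clause, directory traversal via OPEN DATASET, ABAP code injection via GENERATE SUBROUTINE POOL). The check rules are illustrative pattern matches, not the real tools' data-flow analysis; cl_abap_dyn_prg=>quote and FILE_VALIDATE_NAME are the real ABAP APIs the hardened snippet uses to pass the check.

```python
"""Toy static check for ABAP injection patterns.

Added example, not SAP's ATC/Code Inspector/CVA. Rules and ABAP snippets are
constructed; real tools do data-flow analysis, this only matches dangerous
statements whose operand was not produced by cl_abap_dyn_prg (the ABAP class
for escaping dynamic program fragments) or validated with FILE_VALIDATE_NAME.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]   # (line number, rule, source line)

# Statements with a dynamic operand; the last group is the variable involved
RULES = [
    ("dynamic WHERE", re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)),
    ("dynamic FROM", re.compile(r"\bFROM\s*\(\s*(\w+)\s*\)", re.I)),
    ("ABAP code injection", re.compile(r"\b(GENERATE SUBROUTINE POOL|INSERT REPORT)\s+(\w+)", re.I)),
    ("directory traversal", re.compile(r"\bOPEN DATASET\s+(\w+)", re.I)),
]
SANITIZER = re.compile(r"cl_abap_dyn_prg=>\w+\(", re.I)
FILE_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\s+'S_DATASET'|FILE_VALIDATE_NAME", re.I)


def assigned_from_sanitizer(name: str, lines: List[str], upto: int) -> bool:
    """True if the variable's last assignment before line `upto` went through cl_abap_dyn_prg."""
    pat = re.compile(rf"^\s*{re.escape(name)}\s*=\s*(.*)$", re.I)
    last = None
    for ln in lines[:upto]:
        m = pat.match(ln)
        if m:
            last = m.group(1)
    return bool(last and SANITIZER.search(last))


def scan(source: str) -> List[Finding]:
    """Return (line, rule, text) for every dangerous statement without a recognised mitigation."""
    lines = source.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        for rule, pat in RULES:
            m = pat.search(line)
            if not m:
                continue
            var = m.group(m.lastindex)
            if rule == "directory traversal":
                # a file-name validation anywhere before the OPEN counts as mitigation
                if any(FILE_CHECK.search(l) for l in lines[:idx]):
                    continue
            elif assigned_from_sanitizer(var, lines, idx):
                continue
            findings.append((idx + 1, rule, line.strip()))
    return findings


# Constructed snippets (not SAP-delivered code)
VULNERABLE = """
PARAMETERS: p_carr TYPE s_carr_id, p_file TYPE string.
DATA lv_where TYPE string.
lv_where = |CARRID = '{ p_carr }'|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
"""

HARDENED = """
PARAMETERS: p_carr TYPE s_carr_id, p_file TYPE string.
DATA lv_where TYPE string.
lv_where = |CARRID = { cl_abap_dyn_prg=>quote( p_carr ) }|.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
CALL FUNCTION 'FILE_VALIDATE_NAME' EXPORTING logical_filename = 'ZUPLOAD' CHANGING physical_filename = p_file.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label)
        for line_no, rule, text in scan(src):
            print(f"  line {line_no}: {rule}: {text}")
```

The vulnerable snippet yields three findings (the concatenated WHERE clause, the unvalidated file name, the generated subroutine pool); the hardened one yields none because the WHERE fragment is quoted and the file name is validated first. Real code scanners track the value across method calls and data structures, which this pattern match does not.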


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- DAST: find vulnerabilities in the running application (automated application vulnerability scanning, manual application penetration testing)
- SAST: find vulnerabilities by analyzing the sources (manual source code review, automated source code analysis)


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

The SAP NetWeaver Application Server add-on for code vulnerability analysis is the automated source code analysis (SAST) part of this picture, next to manual source code review; automated application vulnerability scanning and manual application penetration testing are the DAST part. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general:
- Go to the SAP Service Marketplace for Spotlight News
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java / Portal           ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, …)     ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)


Compliant Identity Management and Single Sign-On

- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers; no single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What Is Enterprise Single Sign-On?

Diagram (labels only): primary authentication of user jack_jones; E-SSO with E-SSO monitor and local management console in front of a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.


Secure Login – Solution Architecture

Diagram (labels only). Client system: SAP frontend (NWBC, SAP GUI) with Secure Login Client; web browser with key store and SLWC (applet); SAP or Java crypto library. Backend: SAP backend system (ABAP stack) with Secure Login Library and PSE service; NetWeaver CE 7.2 (Java stack) with Secure Login Server and configuration data; authentication server (e.g. SAP User Management). Protocols labelled: DIAG/SNC, HTTP(S).

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

Diagram (labels only): Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM, …; Cloud.


Identity Federation – Solution

Diagram (labels only): Company A / Datacenter A and Company B / Datacenter B, each with ERP, CRM and SCM acting as service providers (SP) and its own Identity Provider; identity federation between the identity providers.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

Diagram (labels only): SAP NetWeaver Java Identity Provider (user account) issues a SAML token on log on / log off to service providers, each with its own user account: SAP NetWeaver ABAP service provider, SAP NetWeaver Java service provider, non-SAP service provider.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
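The service-provider side of the SAML Web Browser SSO flow on this slide (and the Web SSO profile mentioned under "Support of Industry Standards"), as an added example that is not SAP's SAML service provider: once the XML signature has been verified with the trusted IdP's certificate (assumed done by an XML-DSig library, out of scope here), these are the checks that still decide whether the assertion may log the user on: issuer, replay of the assertion ID, validity window, audience, recipient and InResponseTo. The assertion, entity IDs and URLs are constructed.

```python
"""Service-provider checks on a SAML 2.0 assertion (Web Browser SSO profile).

Added example, not SAP's SAML service provider. Assumes the XML signature has
already been verified against the trusted IdP certificate by an XML-DSig
library; this code covers the checks that must still follow. The sample
assertion, entity IDs and URLs are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class SamlRejected(Exception):
    """Raised with the reason the assertion must not be accepted."""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(xml: str, trusted_issuer: str, sp_entity_id: str, acs_url: str,
             outstanding_requests: Set[str], seen_ids: Set[str],
             now: Optional[datetime] = None,
             skew: timedelta = timedelta(minutes=3)) -> Dict[str, str]:
    """Return subject and attributes of an acceptable assertion, else raise SamlRejected."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise SamlRejected("not a SAML assertion")

    # 1. Issuer must be the IdP we trust (whose key verified the signature)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise SamlRejected("untrusted issuer")

    # 2. Replay: each assertion ID may be accepted once within its lifetime
    aid = root.get("ID", "")
    if not aid or aid in seen_ids:
        raise SamlRejected("assertion replayed")

    # 3. Conditions: validity window (with clock skew) and audience restriction
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("missing Conditions")
    if now + skew < parse_time(cond.get("NotBefore")):
        raise SamlRejected("assertion not yet valid")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion expired")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if sp_entity_id not in audiences:
        raise SamlRejected("assertion not intended for this SP")

    # 4. Bearer SubjectConfirmation: recipient, expiry and InResponseTo
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlRejected("wrong recipient")
    if now - skew >= parse_time(scd.get("NotOnOrAfter")):
        raise SamlRejected("subject confirmation expired")
    irt = scd.get("InResponseTo")
    if irt is not None and irt not in outstanding_requests:
        raise SamlRejected("unsolicited or stale InResponseTo")

    seen_ids.add(aid)                      # remember until NotOnOrAfter has passed
    if irt is not None:
        outstanding_requests.discard(irt)  # the AuthnRequest is consumed
    result = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS) or ""
    return result


# Constructed sample (signature element omitted; assumed verified beforehand)
IDP = "https://idp.example.com/saml2"
SP = "https://erp.example.com"
ACS = "https://erp.example.com/sap/saml2/sp/acs"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" IssueInstant="2013-10-22T09:00:00Z" Version="2.0">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jack_jones</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS}"
        NotOnOrAfter="2013-10-22T09:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-10-22T08:59:00Z" NotOnOrAfter="2013-10-22T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jack@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_sample(now_iso: str = "2013-10-22T09:01:00Z", replay: bool = False) -> str:
    """Run SAMPLE through validate() at the given instant: 'ok:<subject>' or 'rejected:<why>'."""
    seen: Set[str] = set()
    now = parse_time(now_iso)
    try:
        out = validate(SAMPLE, IDP, SP, ACS, {"_req42"}, seen, now)
        if replay:   # the same assertion presented a second time
            validate(SAMPLE, IDP, SP, ACS, {"_req42"}, seen, now)
    except SamlRejected as err:
        return f"rejected:{err}"
    return f"ok:{out['subject']}"


if __name__ == "__main__":
    print(check_sample(), check_sample(replay=True), check_sample("2013-10-22T09:30:00Z"))
```

The seen-ID set and the outstanding-request set are the state a real service provider must keep across requests (in a shared store when several instances serve the ACS URL); without them an intercepted assertion can be replayed until NotOnOrAfter, and an unsolicited assertion can be injected into a session it was never requested for.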

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)


SAP NetWeaver Identity Management

Diagram (labels only): SAP NetWeaver Identity Management with a central identity store, triggered e.g. by on-boarding; SAP Access Control (GRC) for compliance checks; SAP Business Suite integration.

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through GRC
- SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

Diagram (labels only). Identity Center: IC database (either MS SQL Server or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and identity store (IdS); Java runtime and VB runtime (DSE), dispatcher, event agent (starts jobs); AS Java with Web Dynpro user interface (ID Mgmt UI abstraction) and JMX; MMC management console (soon to be Eclipse). Virtual Directory Server (VDS) in a Java VM,
accessed via LDAP and HTTPS. External repositories: LDAP, Java, ABAP, web services, Active Directory, etc. External applications: SAP HR, LDAP/web services, SiteMinder, application-specific.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management (SAP NetWeaver Identity Management with SAP GRC Access Control)

Step 1: User requests role, privileges, user account, …


Step 2: Request sent for approval to manager, delegate, role owner, application owner, …


Step 3: Approval granted from manager, delegate, role owner, application owner, …


Step 4: Sent for risk analysis (SAP GRC Access Control) to manager, delegate, role owner, application owner, …


Step 5: Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …


Step 6: Provision to business applications, non-SAP systems, … and send approval mail to the user

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98
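The six-step workflow above as a small executable model, added here as an example and not code from the original presentation or from SAP. It assumes constructed role names, segregation-of-duties rules, mitigating controls and org data; the point it shows is that provisioning (step 6) only happens after both the approval (step 3) and a non-rejecting risk decision (step 5), and that risk analysis must look at the combined role set, not just the requested role.

```python
"""Added example, not SAP's code: a minimal model of the six-step compliant
identity management workflow. SAP NetWeaver Identity Management owns the
request and approval part, SAP GRC Access Control the risk analysis, and
provisioning happens only after both. Role names, SoD rules, mitigating
controls and org data below are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    """Step 5 outcomes named on the slide (MODIFY is left to the caller)."""
    REJECT = "reject"
    APPROVE = "approve"
    MITIGATE = "mitigate"
    MODIFY = "modify request"


@dataclass
class AccessRequest:
    user: str
    requested_roles: List[str]
    approver: str = ""
    approved: bool = False
    risks: List[str] = field(default_factory=list)
    decision: Optional[Decision] = None
    provisioned_to: List[str] = field(default_factory=list)
    mail_sent: bool = False


# Constructed stand-in for the GRC access-risk rule set: each risk id names
# two roles that must not be held by the same user (segregation of duties).
SOD_RULES: Dict[str, tuple] = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),
    "P002": ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST"),
}

# Constructed mitigating controls: risk id -> control that compensates it.
MITIGATIONS: Dict[str, str] = {"P002": "MC-042"}


def find_approver(user: str, manager_of: Dict[str, str],
                  delegates: Dict[str, str]) -> str:
    """Step 2: route the request to the user's manager, or to the manager's
    delegate when one is maintained."""
    manager = manager_of[user]
    return delegates.get(manager, manager)


def risk_analysis(existing_roles: List[str], requested_roles: List[str]) -> List[str]:
    """Step 4: GRC-style check of the *combined* role set, because a new role
    only creates a conflict together with what the user already holds."""
    combined = set(existing_roles) | set(requested_roles)
    return [rid for rid, (a, b) in SOD_RULES.items()
            if a in combined and b in combined]


def decide(risks: List[str]) -> Decision:
    """Step 5: compliance team outcome. No risk: approve. Every risk covered
    by a mitigating control: approve with mitigation. Otherwise: reject."""
    if not risks:
        return Decision.APPROVE
    if all(r in MITIGATIONS for r in risks):
        return Decision.MITIGATE
    return Decision.REJECT


def run_workflow(req: AccessRequest, existing_roles: List[str],
                 manager_of: Dict[str, str], delegates: Dict[str, str],
                 approver_grants: bool, targets: List[str]) -> AccessRequest:
    """Steps 1 to 6 end to end. Provisioning (step 6) requires the approval
    of step 3 AND a non-rejecting risk decision of step 5; a rejected or
    unapproved request provisions nothing and sends no approval mail."""
    req.approver = find_approver(req.user, manager_of, delegates)   # step 2
    req.approved = approver_grants                                  # step 3
    if not req.approved:
        return req
    req.risks = risk_analysis(existing_roles, req.requested_roles)  # step 4
    req.decision = decide(req.risks)                                # step 5
    if req.decision in (Decision.APPROVE, Decision.MITIGATE):
        req.provisioned_to = list(targets)                          # step 6
        req.mail_sent = True
    return req


if __name__ == "__main__":
    org = {"jdoe": "mgr1"}
    deleg = {"mgr1": "mgr1_delegate"}
    r = run_workflow(AccessRequest("jdoe", ["PAYMENT_RELEASE"]),
                     ["VENDOR_MAINTAIN"], org, deleg, True, ["SAP ERP", "AD"])
    print(r.approver, r.risks, r.decision, r.provisioned_to)
```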

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management – centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data – manage user privileges centrally
• Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity – simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification – define and understand access risks
• Access Analysis and Response – analyze and mitigate access risks
• Access Reviews – periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 landscape; connections use http, web services, RFC and DIAG]
• SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM)
• SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications, connected via adapter
• SAP NW Portal 7.02 with GRC portal content (optional)
• SAP NW BW 7.02 with GRC BI content (optional)
• SAP NW Java 7.02 with Adobe Document Services (optional)
• Identity management solutions (SAP or non-SAP) via web services (optional)
• Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Figure: process flow. HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments: Yes / No) → SAP GRC Access Control (Compliance Check, Remediation) → Heterogeneous Landscape (Create User, Assign Roles / Assign Privileges in each target system).]

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, normalization and aggregation. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver; desktop frontend; mobile frontend; logs of infrastructure; logs of database; logs of network / IDS; alerts from SAP SolMan. Outputs: API to other SIEM tools; information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
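The pipeline stages of the architecture draft above (connectivity/extraction, normalization, filtering, aggregation, attack-pattern matching, SIEM export) as an added, runnable sketch; this is example code, not SAP's planned implementation. The log formats, field names, message codes, the sample lines and the detection threshold are all constructed; the pattern shown is a defensive one, repeated failed logons for one user counted across several systems, which no single system's audit log would see on its own.

```python
"""Added example, not SAP's code: the stages named in the architecture draft,
applied to constructed log lines from an ABAP system, a Java system and a
network IDS. Formats, field names, message codes and threshold are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed raw lines, tagged with the source type the connector read them from.
RAW_LOGS = [
    ("abap", "20131105 101201 AU2 sap-prd-01 JDOE 10.0.0.5 Logon failed"),
    ("abap", "20131105 101203 AU1 sap-prd-01 ASMITH 10.0.0.9 Logon successful"),
    ("java", "2013-11-05T10:14:30 sap-portal LOGIN FAILED user=JDOE ip=10.0.0.5"),
    ("ids",  "2013-11-05T10:16:05 fw-edge ids[412]: port scan detected src=10.0.0.5"),
    ("abap", "20131105 101700 AU2 sap-prd-02 JDOE 10.0.0.5 Logon failed"),
    ("abap", "20131105 102000 AU3 sap-prd-02 JDOE 10.0.0.5 Transaction SE16 started"),
    ("abap", "20131105 113000 AU2 sap-prd-01 JDOE 10.0.0.5 Logon failed"),
]

ABAP_RE = re.compile(r"^(\d{8}) (\d{6}) (\w+) (\S+) (\S+) (\S+) (.*)$")
JAVA_RE = re.compile(r"^(\S+) (\S+) LOGIN (OK|FAILED) user=(\S+) ip=(\S+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ids\[\d+\]: (.*) src=(\S+)$")


@dataclass
class Event:
    """Normalized schema shared by every source."""
    ts: datetime
    source: str
    host: str
    user: str
    ip: str
    kind: str   # logon_failed | logon_ok | ids_alert | other


def normalize(source: str, line: str) -> Event:
    """Normalization stage: map each source's own format onto Event."""
    if source == "abap":
        m = ABAP_RE.match(line)
        ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        text = m.group(7).lower()
        kind = "other" if "logon" not in text else ("logon_failed" if "failed" in text else "logon_ok")
        return Event(ts, source, m.group(4), m.group(5), m.group(6), kind)
    if source == "java":
        m = JAVA_RE.match(line)
        kind = "logon_failed" if m.group(3) == "FAILED" else "logon_ok"
        return Event(datetime.fromisoformat(m.group(1)), source, m.group(2), m.group(4), m.group(5), kind)
    if source == "ids":
        m = IDS_RE.match(line)
        return Event(datetime.fromisoformat(m.group(1)), source, m.group(2), "", m.group(4), "ids_alert")
    raise ValueError(f"no connector for source {source!r}")


def filter_events(events: List[Event], keep: Set[str]) -> List[Event]:
    """Filtering stage: keep only the event kinds some pattern uses."""
    return [e for e in events if e.kind in keep]


# Constructed pattern in the shape an "attack pattern update" could take: N
# failed logons for one user within a window, counted across all systems.
PATTERN = {"name": "distributed_logon_failures", "kind": "logon_failed",
           "threshold": 3, "window": timedelta(minutes=10)}


def detect(events: List[Event], pattern: Dict) -> List[Dict]:
    """Aggregation and matching: per-user sliding window over time-sorted
    events; one alert per window, after which the window restarts so the
    same failures are not reported twice."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == pattern["kind"]:
            per_user[e.user].append(e)
    alerts = []
    for user, evs in per_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > pattern["window"]:
                start += 1
            window = evs[start:end + 1]
            if len(window) >= pattern["threshold"]:
                alerts.append({"pattern": pattern["name"], "user": user, "count": len(window),
                               "hosts": sorted({w.host for w in window}),
                               "ips": sorted({w.ip for w in window}),
                               "first": window[0].ts, "last": e.ts})
                start = end + 1
    return alerts


def related_ids_alerts(alert: Dict, events: List[Event]) -> int:
    """Correlation across sources: IDS alerts for the same addresses inside
    the alert's time span, which a SIEM would show next to the logon pattern."""
    return sum(1 for e in events if e.kind == "ids_alert" and e.ip in alert["ips"]
               and alert["first"] <= e.ts <= alert["last"])


def export_for_siem(alerts: List[Dict]) -> List[Dict]:
    """API to other SIEM tools: JSON-friendly copies with ISO timestamps."""
    return [dict(a, first=a["first"].isoformat(), last=a["last"].isoformat()) for a in alerts]
```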

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 25: SIS100 - Overview About Product Security, IDM and SSO


Mobile app security: A strong foundation makes mobile successful

[Figure: Mobile Security layers]
• Device – Mobile Device Management
• Application – Mobile App Security, Mobile Enterprise App Store, Secure e-Mail Container
• Content – Mobile Content Management
• Communications – Telecom Expense Management
• Systems Management – Enterprise Mobility Management System

SAP Mobile Security: On-Premise, Hybrid, Cloud

Share My Files, My Files – Any Device, Mobilize Enterprise Content

Introducing SAP Mobile Documents
• Access personal business documents instantly on your laptop or any mobile device
• Discover and access content from corporate document management systems
• Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

[Figure: the SAP ID service in the SAP Cloud provides Authentication, Single Sign-On and User Management, connecting SAP websites, on-demand applications and the customer's on-premise app]

• Managing identities and their lifecycle within the SAP Cloud
• Leverage SSO to SAP web sites and On-Demand applications
• One SAP identity: the SAP ID service bridges the gap between
  • customer's on-premise application
  • SAP on-demand applications
  • SAP websites
  • 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise, Cloud: Two Identity "Camps" – Handled With Industry Standards

[Figure: standards spanning Enterprise (On-Premise) and Internet/Cloud (On-Demand): SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos]

SAP bridges the gap between these two "camps"

Support of Industry Standards

• REST is the preferred choice for UI consumption scenarios in the cloud
• SOAP/WS-* is the preferred choice for process integration in the enterprise
• Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
• Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
• The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP – OD instead of point-to-point connections

[Figure: Customer On-Premise Network (User, On-Premise IdP, X.509) and SAP On-Demand Network (SAP ID service, SAP Business ByDesign, SAP HANA Cloud, Social IdP, 3rd party App); SAML between the On-Premise IdP, the SAP ID service and the 3rd party App]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Figure: OnDemand integration, OnPremise integration, OnDevice integration]

Secure Communication and Interaction: OnDemand Solutions

[Figure: backend networks of Company A and Company B (R/3 systems, application server farm, ERP, DIR), each with its own Identity Provider and each connected to On-Demand solutions. SAML and SAP Logon Tickets are the tokens shown on the connections.]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Figure: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
• Used to ensure secure and compliant operations of business functions
• Target audience: Auditor

Read Access Log
• Used to ensure compliant access to sensitive or classified data
• Allows tracking of who accessed which data, when, and via which interface
• Target audience: Data Protection Officer

Security Audit Log
• Monitoring of security-relevant events in the system, like logon, access control violations and more
• Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Figure: SAP Environment – audit planning and work program (system audit, business audit); online controls on the SAP database: system information, reconciliation, BS / P&L, account balances, documents; data export of account balances and line items through an export interface. Non-SAP Environment – work paper preparation and reporting with analysis software (ACL, IDEA, …) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the AUDITOR in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
• Who accessed the data
• Which data was accessed
• When the data was accessed
• How the data access took place (via which transaction or user interface)

The amount of detail to be logged is customizable based on:
• user interfaces used to access the data
• operations executed on remote APIs
• users using the remote APIs / user interfaces
• entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Figure: ABAP Server – Application, Web Dynpro, Read Access Log]

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also the data logged, thus keeping private data out of the logs.
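A small read-access-log model with the properties described in the two Read Access Logging passages above (who / what / when / how, logging only on configured channels, filters that keep private data out of the log), added here as an example; it is not SAP's RAL implementation and its configuration format is invented. Entity names, field names, channels and the sample record are constructed.

```python
"""Added example, not SAP's code: a read-access-log model. The configuration
decides per channel and per entity which fields are logged, and a per-field
rule keeps private data (e.g. full card numbers) out of the log while still
recording who accessed what, when and how. Configuration format, entity and
field names, channels and the sample record are all constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed configuration. Field rules: "value" = log the value,
# "masked" = log only the last 4 characters, "none" = log that the field was
# shown but no value at all (the right choice for full credit card details).
RAL_CONFIG = {
    "channels": {"WEB_DYNPRO", "RFC", "WEB_SERVICE"},   # SAP_GUI not configured
    "exclude_users": {"BATCH_JOB"},
    "entities": {
        "BUSINESS_PARTNER": {
            "key": "bp_id",
            "fields": {"bp_id": "value", "name": "value",
                       "iban": "masked", "credit_card": "none"},
        }
    },
}


@dataclass
class ReadAccessRecord:
    who: str                            # user
    when: str                           # ISO timestamp
    how: str                            # channel / user interface
    what_entity: str
    what_key: str
    fields: Dict[str, Optional[str]]    # field -> logged value (None = not recorded)


class ReadAccessLog:
    def __init__(self, config: dict):
        self.config = config
        self.records: List[ReadAccessRecord] = []

    @staticmethod
    def _apply_rule(rule: str, value) -> Optional[str]:
        """Filter stage: decide how much of a field value reaches the log."""
        s = str(value)
        if rule == "value":
            return s
        if rule == "masked":
            return "*" * max(len(s) - 4, 0) + s[-4:]
        return None   # "none": the access is recorded, the value is not

    def record_access(self, user: str, channel: str, entity: str,
                      data: dict, ts: datetime) -> Optional[ReadAccessRecord]:
        """Called when `data` of `entity` is presented to `user` via `channel`.
        Returns the stored record, or None when the configuration says this
        access is not to be logged (unconfigured channel, excluded user,
        entity not classified as sensitive)."""
        cfg = self.config
        if channel not in cfg["channels"] or user in cfg["exclude_users"]:
            return None
        ent = cfg["entities"].get(entity)
        if ent is None:
            return None
        logged = {f: self._apply_rule(rule, data[f])
                  for f, rule in ent["fields"].items() if f in data}
        rec = ReadAccessRecord(user, ts.isoformat(), channel, entity,
                               str(data[ent["key"]]), logged)
        self.records.append(rec)
        return rec

    def who_accessed(self, entity: str, key: str) -> List[ReadAccessRecord]:
        """Evaluation: every logged access to one business object."""
        return [r for r in self.records
                if r.what_entity == entity and r.what_key == key]

    def accesses_by(self, user: str) -> List[ReadAccessRecord]:
        """Evaluation: everything one user was shown through logged channels."""
        return [r for r in self.records if r.who == user]


if __name__ == "__main__":
    log = ReadAccessLog(RAL_CONFIG)
    bp = {"bp_id": "1000123", "name": "Example GmbH",
          "iban": "DE89370400440532013000", "credit_card": "4111111111111111"}
    rec = log.record_access("JDOE", "WEB_DYNPRO", "BUSINESS_PARTNER", bp,
                            datetime(2013, 11, 5, 10, 12, 1))
    print(rec)
```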

SAP Custom Development – User Interface (UI) Logging

[Figure: SAP GUI for Windows sends requests to the Dynpro Processor in the SAP backend system; the observed request/response data traffic between the Dynpro Processor and the Application Logic is written to a temporary log and handed over by an asynchronous call of the log service to the permanent log storage in the repository. A sample implementation is delivered.]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

[Screenshot: Transaction BP (Business Partner) log record]

UI Logging: Log Record Example II

[Screenshot: Transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

• SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
• LOPD was first available with the BW 7.0 release
• Within the solution you can configure the information to be logged per InfoProvider
• The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
• For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00…7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00…7.31
Business Warehouse          | No                               | 7.00…7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

[Figure: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library]

• Digital signatures for legally binding contracts
• Integration with Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step By Step

[Figure: SAP Client and application, numbered steps 1–4]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
  – Hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Figure: Client side – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser), each connected via SNC to the SAP application server; Server side – SNC between SAP application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Figure: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management]

SAP Product Innovation Lifecycle

[Figure: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit Web Enabled Content
• SAP Gateway and SAP Message Server Security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC Connectivity
• Password Management: Password Policy, Password Hashes, Default Passwords
• Secure Session Handling

(from the security recommendations, discussed later)

Patch Management and Security Monitoring

• Check security of your systems onsite, remote or as self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674
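A validator in the spirit of the SSL Profile Validation task above and of the "configuration parameters against targets" check on the patch-management slide, added here as example code; it is neither LM Automation nor Solution Manager's Configuration Validation. The parameter names are ones SAP's secure-configuration recommendations discuss (SSL library, HTTPS port, password policy and hash compatibility, HttpOnly cookies, gateway ACLs, SNC); the target values and the sample profile are constructed for the example.

```python
"""Added example, not SAP's code: parse an AS ABAP instance profile
(constructed sample below) and compare each parameter with a target, the
way a configuration-validation check reports OK/FAIL per parameter.
Parameter names come from SAP's secure-configuration recommendations;
target values and the sample profile are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed profile excerpt in the `name = value` syntax of SAP profiles.
SAMPLE_PROFILE = """\
# constructed instance profile (not a real system)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
ssl/ssl_lib = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
sec/libsapsecu = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 3
gw/acl_mode = 1
gw/sec_info = $(DIR_DATA)/secinfo
snc/enable = 0
"""

# Target definitions: (check, expected). "eq": exact value; "min": numeric
# lower bound; "set": any non-empty value; "https_port": at least one
# icm/server_port_<n> entry with PROT=HTTPS. Target values are constructed.
TARGETS: Dict[str, Tuple[str, object]] = {
    "ssl/ssl_lib": ("set", None),
    "sec/libsapsecu": ("set", None),
    "icm/server_port_*": ("https_port", None),
    "login/min_password_lng": ("min", 8),
    "login/password_downwards_compatibility": ("eq", "0"),
    "login/ticket_only_by_https": ("eq", "1"),
    "icf/set_HTTPonly_flag_on_cookies": ("eq", "0"),
    "gw/acl_mode": ("eq", "1"),
    "gw/sec_info": ("set", None),
    "gw/reg_info": ("set", None),
    "snc/enable": ("eq", "1"),
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse `name = value` lines; '#' starts a comment; a later definition
    of the same name wins, as the last definition is the effective one."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_parameter(name: str, check: str, expected, params: Dict[str, str]) -> Tuple[str, str, str]:
    """Return (status, actual, target) for one target; status is OK or FAIL."""
    if check == "https_port":
        ports = [v for k, v in params.items() if k.startswith("icm/server_port_")]
        ok = any(re.search(r"PROT=HTTPS\b", v) for v in ports)
        return ("OK" if ok else "FAIL", ";".join(ports) or "<not set>", "PROT=HTTPS on some port")
    actual = params.get(name)
    if check == "set":
        ok, target = bool(actual), "<any value>"
    elif check == "eq":
        ok, target = actual == expected, str(expected)
    elif check == "min":
        ok = actual is not None and actual.isdigit() and int(actual) >= expected
        target = f">= {expected}"
    else:
        raise ValueError(f"unknown check {check!r}")
    return ("OK" if ok else "FAIL", actual if actual is not None else "<not set>", target)


def validate(text: str, targets: Dict[str, Tuple[str, object]] = TARGETS) -> List[Tuple[str, str, str, str]]:
    """One (parameter, status, actual, target) row per target."""
    params = parse_profile(text)
    return [(name, *check_parameter(name, check, expected, params))
            for name, (check, expected) in targets.items()]


def failures(text: str, targets: Dict[str, Tuple[str, object]] = TARGETS) -> List[str]:
    """Names of the parameters that miss their target, in target order."""
    return [name for name, status,  _, _ in validate(text, targets) if status == "FAIL"]


if __name__ == "__main__":
    for row in validate(SAMPLE_PROFILE):
        print("%-40s %-4s actual=%s target=%s" % row)
```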


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC) – central place for all check tools, exemption handling, result storage
• Code Inspector (SCI) – open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN) – extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis – code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Figure: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Figure: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

DAST – find vulnerabilities in the running application
SAST – find vulnerabilities by analyzing the sources

SAP NetWeaver Application Server add-on for code vulnerability analysis: finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product?
• What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
• SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general?
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP support portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                  | Course ID
Authorizations AS ABAP                 | ADM940
Authorizations AS Java / Portal        | ADM200, EP200, ADM800
Authorizations BW                      | BW365
SAP NetWeaver Identity Management      | ADM920
Security Auditing                      | ADM950
Technical Security (RFC, SSL, SNC, …)  | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (Radius, smart cards)
- RSA Certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption
- Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management
- Endorsed Business Solution (EBS) with CA SiteMinder product (partner API)
- Policy-based authentication and authorization to Web applications
- XACML-based and policy-enforced access

Identity Federation
- Web-based and Web service-based authentication
- Single sign-on and identity federation via SAML 2.0
- Cross company / domain single sign-on

Secure Login
- Single sign-on for Web-based and Web service-based applications
- Standard-based single sign-on for SAP GUI (Kerberos, X.509)
- Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
- Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet)
- Secured and automated login via user and password

SNC Client Encryption
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross application and cross domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User to application security for a heterogeneous app environment
- No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: after the primary authentication, the E-SSO component (with E-SSO Monitor and Local Management Console) performs the login for the user (sample user jack_jones) at a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application.

Secure Login – Solution Architecture

Diagram components:
- Client System: SAP Frontend (NWBC, SAP GUI) with Secure Login Client; Web Browser with SLWC (Applet) and Key Store; SAP or Java Crypto Library
- SAP Backend Systems: ABAP Stack with Secure Login Library and PSE Service; Java Stack with Secure Login Lib
- NetWeaver CE 7.2: Secure Login Server with Config Data
- Authentication Server (e.g. SAP User Management)
- Protocols between client and backend: DIAG/SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run their own ERP, CRM and SCM systems, with further systems in the Cloud.

Identity Federation – Solution

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each expose their ERP, CRM and SCM systems through Service Providers (SP); each company runs its own Identity Provider, and the two Identity Providers are linked by identity federation.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: a SAP NetWeaver Java Identity Provider (with its own user accounts) issues SAML tokens on log on / log off to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own user accounts.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web Browser-based single sign-on is user-centric
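The redirect flow described on this slide, as an added example that is not code from SAP or from the SAP NetWeaver products: the Identity Provider, two Service Providers and the browser redirects are modelled in-process, and the assertion is signed with an HMAC over a key shared between IdP and SPs instead of an XML signature, so it runs with the standard library only. Class names, the sample user jack_jones and the passwords are constructed. The Service Provider checks the three things a real SAML consumer must check before creating its local session: signature, audience and validity period.

```python
"""Web Browser SSO simulation: one logon at the IdP, one assertion per SP.

Added example, not SAP code.  HMAC over a shared key stands in for the
XML signature; all names and credentials below are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def password_hash(password: str) -> str:
    # Constructed credential store; a real IdP uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class IdentityProvider:
    """Authenticates the user once, then issues one assertion per Service Provider."""

    def __init__(self, signing_key: bytes, users: Dict[str, str]):
        self._key = signing_key
        self._users = users                      # user name -> password hash
        self._sessions: Dict[str, str] = {}      # IdP session cookie -> user name

    def logon(self, user: str, password: str) -> Optional[str]:
        stored = self._users.get(user, "")
        if not hmac.compare_digest(stored, password_hash(password)):
            return None
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = user
        return cookie

    def logoff(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)

    def issue_assertion(self, cookie: str, audience: str, now: int) -> Optional[dict]:
        """Answer an SP's authentication request; None means 'show the logon page'."""
        user = self._sessions.get(cookie)
        if user is None:
            return None
        body = {"issuer": "idp.example", "subject": user, "audience": audience,
                "issued_at": now, "not_on_or_after": now + 300}
        return {"body": body, "signature": self._sign(body)}

    def _sign(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()


class ServiceProvider:
    """Trusts the IdP's key; never sees the user's password."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._key = idp_key
        self.sessions: Dict[str, int] = {}       # local session per subject

    def consume(self, assertion: dict, now: int) -> bool:
        body = assertion["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False                          # tampered or forged
        if body["audience"] != self.name:
            return False                          # issued for another SP
        if now >= body["not_on_or_after"]:
            return False                          # expired
        self.sessions[body["subject"]] = now
        return True


def browser_sso(idp: IdentityProvider, sps: List[ServiceProvider],
                user: str, password: str, now: int) -> List[str]:
    """Emulate the redirects: the first SP sends the browser to the IdP, which
    authenticates once; every further SP gets an assertion from that IdP session."""
    cookie = idp.logon(user, password)
    if cookie is None:
        return []
    accessed = []
    for sp in sps:
        assertion = idp.issue_assertion(cookie, sp.name, now)
        if assertion is not None and sp.consume(assertion, now):
            accessed.append(sp.name)
    return accessed


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    idp = IdentityProvider(key, {"jack_jones": password_hash("constructed-pw")})
    sps = [ServiceProvider("erp.company-a", key), ServiceProvider("crm.company-b", key)]
    print(browser_sso(idp, sps, "jack_jones", "constructed-pw", now=1_000))
```

The audience check is what keeps an assertion meant for one Service Provider from being replayed at another, and the validity window bounds how long a captured assertion stays useful; both are part of the SAML Web Browser SSO profile the slide refers to.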

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)
Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2hr)

SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered by events such as on-boarding, connected to SAP Access Control (GRC) for compliance checks and integrated with SAP Business Suite.

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Compliance checks through GRC
- SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram components:
- Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java) and Runtime (VB), DSE (VB), Dispatcher, Event Agent (starts the runtimes)
- Virtual Directory Server (VDS) in a Java VM, accessed via LDAP
- AS Java: Web Dynpro user interface with ID Mgmt UI abstraction, HTTPS, JMX
- Management Console (MMC), soon to be Eclipse
- External repositories: database protocol, LDAP, Java, ABAP, Web Services, Active Directory, etc.
- External applications: SAP HR, LDAP/Web Services, SiteMinder, application-specific, etc.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Process between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control:

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the Compliance Team
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
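The six steps above as a small state machine, added here as an example and not code from SAP NetWeaver Identity Management or SAP GRC Access Control. The segregation-of-duties rules, role names, approver roles and target systems are constructed. The point the slides make, and the code enforces, is that provisioning is only reachable through approval and a risk analysis that was either clean or explicitly mitigated, and that the analysis runs on the roles the user would hold afterwards, not only on the roles being requested.

```python
"""Compliant identity management flow: request -> approval -> risk analysis
-> remediation -> provisioning.  Added example, not SAP code; rules, roles
and systems are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed SoD rule set: role pairs a single user must not hold together.
SOD_RULES: Dict[frozenset, str] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter and pay vendor invoices",
    frozenset({"HR_MASTER_DATA", "PAYROLL_RUN"}): "maintain HR master data and run payroll",
}
REQUIRED_APPROVERS = {"MANAGER", "ROLE_OWNER"}     # constructed approval policy


@dataclass
class AccessRequest:
    user: str
    requested: Set[str]
    existing: Set[str]
    status: str = "REQUESTED"                      # step 1
    approvals: Dict[str, str] = field(default_factory=dict)
    risks: List[str] = field(default_factory=list)
    mitigations: Set[str] = field(default_factory=set)
    provisioned: Dict[str, Set[str]] = field(default_factory=dict)
    trail: List[str] = field(default_factory=list)

    def effective_roles(self) -> Set[str]:
        return self.existing | self.requested


def approve(req: AccessRequest, approver: str, decision: str) -> str:
    """Steps 2-3: collect approvals; one rejection ends the request."""
    if req.status != "REQUESTED":
        raise ValueError(f"cannot approve in state {req.status}")
    req.approvals[approver] = decision
    req.trail.append(f"{approver}:{decision}")
    if decision == "REJECT":
        req.status = "REJECTED"
    elif REQUIRED_APPROVERS <= {a for a, d in req.approvals.items() if d == "APPROVE"}:
        req.status = "APPROVED"
    return req.status


def analyze_risks(req: AccessRequest) -> List[str]:
    """Step 4: analyze the roles the user would hold afterwards, so a conflict
    with an already assigned role is caught as well."""
    if req.status != "APPROVED":
        raise ValueError(f"cannot analyze in state {req.status}")
    roles = req.effective_roles()
    req.risks = [text for pair, text in SOD_RULES.items() if pair <= roles]
    req.status = "RISK_REVIEW" if req.risks else "RISK_CLEAN"
    return req.risks


def remediate(req: AccessRequest, action: str, control: str = "") -> str:
    """Step 5: the compliance team decides on a request with open risks."""
    if req.status != "RISK_REVIEW":
        raise ValueError(f"nothing to remediate in state {req.status}")
    req.trail.append(f"COMPLIANCE:{action}")
    if action == "REJECT":
        req.status = "REJECTED"
    elif action == "MITIGATE" and control:
        req.mitigations.add(control)               # constructed mitigating control id
        req.status = "RISK_MITIGATED"
    elif action == "MODIFY":
        # drop the requested roles that take part in a violation, then analyze again
        conflicting = set().union(*(p for p in SOD_RULES if p <= req.effective_roles()))
        req.requested -= conflicting
        if not req.requested:
            req.status = "REJECTED"
        else:
            req.status = "APPROVED"
            analyze_risks(req)
    else:
        raise ValueError(f"unknown action {action}")
    return req.status


def provision(req: AccessRequest, targets: List[str]) -> Dict[str, Set[str]]:
    """Step 6: only a clean or mitigated request reaches the target systems."""
    if req.status not in ("RISK_CLEAN", "RISK_MITIGATED"):
        raise PermissionError(f"request for {req.user} not provisionable in state {req.status}")
    for system in targets:
        req.provisioned[system] = set(req.requested)
    req.status = "PROVISIONED"
    req.trail.append(f"MAIL:{req.user}:approved")   # approval mail to the user
    return req.provisioned
```

The audit trail collected on the request is what an access review (the GRC side of the next slides) later reads: who approved, what the analysis found, and which control was accepted as mitigation.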

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 - Architecture

Diagram components:
- SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A)
- SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Controls (Plug-in GRCPIERP)
- Non-SAP Business Applications: Adapter (optional)
- SAP NW Portal 7.02: GRC Portal Content (optional)
- SAP NW BW 7.02: GRC BI Content (optional)
- Identity Management Solutions (SAP or Non-SAP), connected via Web services (optional)
- SAP NW JAVA 7.02: Adobe Document Services (optional)
- Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter (optional)
- Connections: http, Web services, RFC, DIAG
- SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports
- Content Lifecycle Management (CLM)
- SAP GRC 10.0

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flowchart: an HR Application event (New Hire, Change Position) triggers Identity Management to calculate entitlements based on position; the Line Manager approves the assignments (Yes / No); SAP GRC Access Control performs the compliance check and remediation; then the user is created and roles and privileges are assigned in each system of the heterogeneous landscape (Create User, Assign Roles / Assign Privileges).

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, logs of the desktop frontend and mobile frontend, logs of the infrastructure, logs of the database and network logs; its processing stages are Connectivity, Extraction, Filtering, Normalization and Aggregation. Further inputs and outputs: Attack Pattern Updates by SAP, IDS, API to other SIEM tools, Alerts from SAP SolMan, Information Back Channel to SAP.

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed.
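A miniature of the stages named in the architecture draft (extraction, filtering, normalization, aggregation and pattern matching), added as an example; it is not code from SAP and not the planned infrastructure itself. The two input formats, the event codes, the addresses and the sample lines are constructed for the example and do not reproduce any SAP log layout. The detection rule it runs is the classic one a Security Audit Log feeds: a burst of failed logons for one user from one address, and whether a successful logon followed the burst.

```python
"""Log pipeline in miniature: extract -> normalize -> filter -> aggregate -> match.
Added example, not SAP code; formats, events and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample input: application-server style records and web access-log lines.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("appsrv", "2013-11-05 09:15:01|LOGON_FAILED|JDOE|10.1.2.3|wrong password"),
    ("appsrv", "2013-11-05 09:15:09|LOGON_FAILED|JDOE|10.1.2.3|wrong password"),
    ("appsrv", "2013-11-05 09:15:20|LOGON_FAILED|JDOE|10.1.2.3|wrong password"),
    ("appsrv", "2013-11-05 09:15:31|LOGON_OK|JDOE|10.1.2.3|"),
    ("appsrv", "2013-11-05 09:16:00|REPORT_RUN|JDOE|10.1.2.3|ZSALES_OVERVIEW"),
    ("appsrv", "this line is corrupt and must be dropped"),
    ("web", '10.1.2.9 - asmith [05/Nov/2013:09:20:12 +0000] "POST /logon HTTP/1.1" 401'),
    ("web", '10.1.2.9 - asmith [05/Nov/2013:09:20:15 +0000] "POST /logon HTTP/1.1" 200'),
]

APP_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|(?P<event>\w+)\|"
                    r"(?P<user>\w+)\|(?P<src>[\d.]+)\|(?P<detail>.*)$")
WEB_RE = re.compile(r'^(?P<src>[\d.]+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')

# Filtering: only these normalized event types reach the detector.
ATTACK_RELEVANT = {"LOGON_FAILED", "LOGON_OK"}


def normalize(source: str, line: str) -> Optional[Dict]:
    """Extraction + normalization: map one raw line onto the common event schema."""
    if source == "appsrv":
        m = APP_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "source": source, "event": m["event"], "user": m["user"], "src": m["src"]}
    if source == "web":
        m = WEB_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)     # one clock for all sources
        if m["path"] == "/logon":
            event = "LOGON_OK" if m["status"] == "200" else "LOGON_FAILED"
        else:
            event = "HTTP_REQUEST"
        return {"ts": ts, "source": source, "event": event, "user": m["user"], "src": m["src"]}
    return None


def detect(events: List[Dict], threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Aggregate per (user, source address) and flag a burst of failed logons,
    recording whether a successful logon followed the burst."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["src"])].append(ev)
    alerts = []
    for (user, src), evs in by_key.items():
        failures: List[datetime] = []
        open_alert = None
        for ev in evs:
            failures = [t for t in failures if ev["ts"] - t <= window]
            if ev["event"] == "LOGON_FAILED":
                failures.append(ev["ts"])
                if len(failures) >= threshold and open_alert is None:
                    open_alert = {"user": user, "src": src, "failed": len(failures),
                                  "first_failure": failures[0].isoformat(), "succeeded_after": None}
                    alerts.append(open_alert)
                elif open_alert is not None:
                    open_alert["failed"] = len(failures)
            elif ev["event"] == "LOGON_OK":
                if open_alert is not None and failures:
                    open_alert["succeeded_after"] = ev["ts"].isoformat()
                failures = []
                open_alert = None
    return alerts


def run_pipeline(lines: List[Tuple[str, str]], threshold: int = 3, window_seconds: int = 60) -> List[Dict]:
    events = []
    for source, line in lines:
        ev = normalize(source, line)
        if ev is not None and ev["event"] in ATTACK_RELEVANT:
            events.append(ev)
    return detect(events, threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LINES):
        print(alert)
```

Normalizing timestamps to one clock before aggregation is the step that makes cross-source correlation possible at all; the draft's "Information Back Channel" and pattern updates would correspond to shipping new rules like `detect` rather than new parsers.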

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions, identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complementary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Share My Files, My Files - Any Device, Mobilize Enterprise Content: Introducing SAP Mobile Documents

- Access personal business documents instantly on your laptop or any mobile device
- Discover and access content from corporate document management systems
- Share files with teams, colleagues and business partners from anywhere

SAP Mobile Documents is designed for enterprise deployments where collaboration, security and control of business content is critical. Users enjoy anytime, anywhere access to view and collaborate on personal and corporate content in an easy-to-use native mobile app.

Session MOB118: Secure Mobile Content Management with SAP Mobile Documents

SAP ID Service – One Login for Cloud Applications

Diagram: the SAP ID service in the SAP Cloud provides Authentication, Single Sign-On and User Management for on-premise applications and on-demand applications.

- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites, On-Demand applications
- One SAP identity: SAP ID service bridges the gap between
  • customer's on-premise application
  • SAP on-demand applications
  • SAP websites
  • 3rd party on-demand applications
  by verifying user identities and granting authentication

Session SIS102: SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

Diagram: the Enterprise (OnPremise) camp and the Internet/Cloud (OnDemand) camp, with the standards SAML, Liberty ID-WSF, WS-*, SOAP, Kerberos, OAuth, XRDS, OpenID and REST placed between them.

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Public consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration between OP and OD instead of point-to-point connections.

Diagram: in the Customer On-Premise Network the User authenticates at the On-Premise IdP (X.509); in the SAP On-Demand Network the SAP ID service acts as proxy towards SAP Business ByDesign, SAP HANA Cloud and a 3rd party App via SAML; a Social IdP can also be connected.

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

OnDemand integration, OnPremise integration, OnDevice integration

Secure Communication and Interaction: OnDemand Solutions

Diagram: the backend networks of Company A and Company B each contain an application server farm (R/3, ERP) and a directory (DIR); each company has its own Identity Provider; the On-Demand solutions of both companies are reached via SAML, while within each backend network SAP Logon Tickets are used.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operations of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram: in the SAP Environment, the AIS covers audit planning, a work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS / P&L, account balances, documents) and data export (account balances, line items). Through the export interface the data reaches the Non-SAP Environment for work paper preparation, analysis software (ACL, IDEA, …) and reporting software, covering line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram: ABAP Server with the Application (Web Dynpro) writing to the Read Access Log.

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
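A minimal read-access-logging layer, added here as an example for the Read Access Logging Features slide and the framework features slide above; it is not code from SAP NetWeaver AS ABAP or its RAL framework. It records the four questions (who, which data, when, how) and applies the filter idea: per channel only configured fields are logged, a channel without configuration is not logged at all, and fields marked private are recorded as accessed without their value, so the log does not become a second copy of the sensitive data. Channel names, entities, field names and the sample accesses are constructed.

```python
"""Read access logging in miniature: who / which / when / how, with per-channel
filters.  Added example, not SAP code; configuration and sample data are constructed."""
from typing import Dict, List, Optional

# Constructed logging configuration per channel.  A channel that is absent
# (here: RFC) is not logged at all.
RAL_CONFIG = {
    "SAP_GUI":     {"log_fields": {"IBAN", "SALARY"},                "hide_value": {"IBAN"}},
    "WEB_SERVICE": {"log_fields": {"IBAN", "SALARY", "NATIONAL_ID"}, "hide_value": {"IBAN", "NATIONAL_ID"}},
}

HIDDEN = "***"   # stored instead of a value that must stay out of the log


class ReadAccessLog:
    def __init__(self, config: Dict[str, dict]):
        self._config = config
        self.entries: List[dict] = []

    def record(self, user: str, channel: str, operation: str, entity: str, key: str,
               fields: Dict[str, str], when: str) -> Optional[dict]:
        """Called whenever data is presented to a user over a channel."""
        cfg = self._config.get(channel)
        if cfg is None:
            return None                       # channel not configured: no logging
        logged = {}
        for name, value in fields.items():
            if name in cfg["log_fields"]:
                logged[name] = HIDDEN if name in cfg["hide_value"] else value
        if not logged:
            return None                       # nothing sensitive was shown: no entry
        entry = {"who": user, "when": when,
                 "how": {"channel": channel, "operation": operation},
                 "which": {"entity": entity, "key": key, "fields": logged}}
        self.entries.append(entry)
        return entry

    def accesses_to(self, entity: str, key: str) -> List[dict]:
        """Evaluation: who looked at one record, when, and over which channel."""
        return [e for e in self.entries
                if e["which"]["entity"] == entity and e["which"]["key"] == key]

    def accesses_by(self, user: str) -> List[dict]:
        return [e for e in self.entries if e["who"] == user]


# Constructed sample accesses: (user, channel, operation, entity, key, fields shown, timestamp)
SAMPLE_ACCESSES = [
    ("jdoe", "SAP_GUI", "DISPLAY", "BusinessPartner", "BP-1001",
     {"NAME": "Ann Example", "IBAN": "DE00 0000 0000 0000 0000 00", "SALARY": "4200"},
     "2013-11-05T09:01:00"),
    ("jdoe", "RFC", "READ", "BusinessPartner", "BP-1001",
     {"IBAN": "DE00 0000 0000 0000 0000 00"}, "2013-11-05T09:02:00"),
    ("asmith", "WEB_SERVICE", "READ", "Employee", "E-77",
     {"NATIONAL_ID": "000-00-0000", "DEPARTMENT": "FI"}, "2013-11-05T09:05:00"),
    ("asmith", "SAP_GUI", "DISPLAY", "Employee", "E-77",
     {"DEPARTMENT": "FI"}, "2013-11-05T09:06:00"),
]


def run_sample() -> ReadAccessLog:
    log = ReadAccessLog(RAL_CONFIG)
    for access in SAMPLE_ACCESSES:
        log.record(*access)
    return log


if __name__ == "__main__":
    for entry in run_sample().entries:
        print(entry)
```

The unconfigured RFC channel in the sample is the gap a data protection officer would look for when reviewing the configuration: the same record is read there without leaving a trace, which matches the slide's point that logging follows the configured channels, not the data.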

SAP Custom Development – User Interface (UI) Logging

Diagram: SAP GUI for Windows exchanges request and response with the Dynpro Processor in the SAP Backend System; the observed data traffic between the Dynpro Processor and the Application Logic is written to a temporary log, and an asynchronous call of the log service moves it to the permanent log storage in the repository (delivered sample implementation).

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
Transaction BP (Business Partner) log record (screenshot)

UI Logging: Log Record Example II
Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to the data protection and privacy laws. Often these laws only allow storing such data for a certain purpose and even then only for a limited amount of time.

In addition, a detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out of the box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of
  • ABAP programming for other transactions not yet supporting SSF
  • Integration of Secure Login Library with client actions
  • Hardware support needed
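The four steps above carried out end to end, as an added example that is not code from SAP, the SSF API or the Secure Login Library: textbook RSA over a SHA-256 digest signs a record that binds the document hash to the signer and the signing time, so the flow (trigger, hand over the signer's information, authenticate and fetch the signer's key, sign and store) can be followed with the standard library only. The key store, the password check, the record layout, the seed and the document bytes are constructed. Raw RSA without padding is used purely to keep the example self-contained; the SSF library and the crypto libraries named on the previous slide use certificates and standardized signature padding.

```python
"""Digital signature flow in four steps with textbook RSA.
Added example, not SAP code; key store, credentials and document are constructed."""
import hashlib
import json
import random
from typing import Dict, List, Optional, Tuple

Key = Tuple[int, int]


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test; sufficient to build the example key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # exact bit length, odd
        if is_probable_prime(c, rng):
            return c


def generate_keypair(bits: int = 512, seed: Optional[int] = None) -> Tuple[Key, Key]:
    """Return (public (n, e), private (n, d)).  A seed makes the example
    reproducible; real keys come from the crypto library, never from a seed."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                  # e prime, so this gives gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def record_digest(record: dict) -> int:
    data = json.dumps(record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, below n


def sign_document(document: bytes, private_key: Key, signer: str, signed_at: str) -> dict:
    """Step 4: bind the document digest to signer and time, then sign that record."""
    n, d = private_key
    record = {"signer": signer, "signed_at": signed_at,
              "document_sha256": hashlib.sha256(document).hexdigest()}
    return {"record": record, "signature": pow(record_digest(record), d, n)}


def verify_signature(document: bytes, signed: dict, public_key: Key) -> bool:
    n, e = public_key
    record = signed["record"]
    if hashlib.sha256(document).hexdigest() != record["document_sha256"]:
        return False                                   # document changed after signing
    return pow(signed["signature"], e, n) == record_digest(record)


def password_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # constructed stand-in for authentication


def sign_in_transaction(document: bytes, signer: str, password: str, key_store: Dict[str, dict],
                        signed_at: str, archive: List[dict]) -> Optional[dict]:
    """Steps 1-4 in order: the transaction triggers the signature (this call), the
    signer's information is handed over, the signer authenticates and the key is
    fetched, and the application signs and stores the result."""
    entry = key_store.get(signer)                                          # step 2
    if entry is None or entry["pwd_sha256"] != password_digest(password):
        return None                                                        # step 3 failed
    signed = sign_document(document, entry["private"], signer, signed_at)  # step 4
    signed["public"] = entry["public"]       # keep the verification key next to the record
    archive.append(signed)
    return signed
```

Signing the record rather than the bare document is what makes the stored entry useful for re-authentication and audit later: the verifier learns who signed what and when from one signature, and a change to any of the three invalidates it.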

SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application servers; the application servers also use SNC among each other.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: SAP contributes Secure Software Development and Security Services; Customers contribute their own Secure Software Development and Security Management.

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems – Security Services

SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press

Protecting Your SAP Systems – Security Management

SAP Security Management for Your Systems – Are you ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes that can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
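The configuration validation described above (checking parameter values against targets for every connected system, covering password policy parameters such as those listed on the Secure System Configuration slide) can be illustrated in code. The following Python script is an added example and is not SAP Solution Manager's Configuration Validation. The profile parameter names are real AS ABAP parameters; the target thresholds, the system IDs PRD and DEV and the parameter snapshots are constructed for illustration. It treats a parameter that is absent from a snapshot as a finding, because an unset parameter silently takes the kernel default rather than a verified value.

```python
"""Configuration validation: compare ABAP profile parameters against targets.

Added example, not SAP's Configuration Validation code. The parameter names
are real AS ABAP profile parameters; the target values and the sample system
snapshots are constructed for illustration, not an SAP baseline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Target:
    """One expected setting: parameter name, a predicate over the value as found
    on the system (None = parameter not set), and a human-readable expectation."""
    name: str
    check: Callable[[Optional[str]], bool]
    expected: str


def _as_int(value: Optional[str]) -> Optional[int]:
    """Parse a numeric parameter value; malformed or missing values become None."""
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


# Constructed target list (illustrative thresholds, not SAP's published values).
TARGETS: List[Target] = [
    Target("login/min_password_lng",
           lambda v: (_as_int(v) or 0) >= 8, ">= 8"),
    Target("login/password_downwards_compatibility",
           lambda v: _as_int(v) == 0, "0 (no downward-compatible hashes)"),
    Target("login/fails_to_user_lock",
           lambda v: _as_int(v) is not None and 1 <= _as_int(v) <= 5, "1..5"),
    Target("login/no_automatic_user_sapstar",
           lambda v: v == "1", "1"),
    Target("snc/enable",
           lambda v: v == "1", "1"),
]


def validate(system_id: str, params: Dict[str, str], targets=TARGETS) -> List[dict]:
    """Return one finding per target the system does not meet.

    A parameter missing from the snapshot is a finding too: an unset parameter
    falls back to the kernel default, which is not a verified value."""
    findings = []
    for t in targets:
        actual = params.get(t.name)
        if not t.check(actual):
            findings.append({
                "system": system_id,
                "parameter": t.name,
                "actual": actual if actual is not None else "<not set>",
                "expected": t.expected,
            })
    return findings


def validate_landscape(snapshots: Dict[str, Dict[str, str]]) -> Dict[str, List[dict]]:
    """Run the same target list over every system connected to the validator."""
    return {sid: validate(sid, params) for sid, params in snapshots.items()}


# Constructed sample snapshots (values chosen to show each outcome).
SAMPLE_SNAPSHOTS = {
    "PRD": {
        "login/min_password_lng": "10",
        "login/password_downwards_compatibility": "0",
        "login/fails_to_user_lock": "5",
        "login/no_automatic_user_sapstar": "1",
        "snc/enable": "1",
    },
    "DEV": {
        "login/min_password_lng": "6",                  # too short
        "login/password_downwards_compatibility": "3",  # old hashes still written
        "login/fails_to_user_lock": "abc",              # malformed value
        # login/no_automatic_user_sapstar is not set -> finding
        "snc/enable": "0",
    },
}

if __name__ == "__main__":
    for sid, findings in validate_landscape(SAMPLE_SNAPSHOTS).items():
        print(f"{sid}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['parameter']}: actual={f['actual']} expected={f['expected']}")
```

The predicate per target, rather than a plain equality, is what lets one target list express "at least", "within a range" and "exactly" without special cases, and the malformed value "abc" shows why the numeric parse must not raise.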

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. It is an easy-to-use, lightweight tool with a short startup time and a small memory footprint.

Configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 (each task available in two flavors, one for ABAP and one for Java application servers):
- SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
- SSL Profile Validation: validates parameter settings for secure sessions
- SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Protecting Your SAP Systems – Secure Custom Development

Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
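The add-on's stated focus, following the data flow from user input to a dangerous statement, is what separates a vulnerability scan from a syntax check, and it is the same flow behind the SQL injection and directory traversal bugs listed on the Secure Programming slide. The following Python script is an added example (not the SAP add-on, ATC, SCI or SLIN) of a minimal taint scan over ABAP source: PARAMETERS and SELECT-OPTIONS define user-controlled variables, assignments and CONCATENATE propagate taint, CL_ABAP_DYN_PRG=>QUOTE clears it, and a dynamic WHERE clause or OPEN DATASET on a tainted variable is reported. The ABAP report ZDEMO_SCAN and its variables are constructed; a real analysis is flow- and scope-aware, which this statement-by-statement scan is not.

```python
"""Minimal taint-tracking scan over ABAP source, in the spirit of the data-flow
and user-input analysis the code vulnerability tools focus on.

Added example, not SAP's tool. The ABAP sample is constructed; the only real
identifiers are the ABAP statements themselves and CL_ABAP_DYN_PRG=>QUOTE, the
class's escaping method for values embedded in dynamic WHERE clauses."""
import re
from typing import Dict, List, Set

# Regexes over single ABAP statements (period stripped, upper-cased, spaces squeezed).
RE_SOURCE = re.compile(r"^(PARAMETERS|SELECT-OPTIONS)\s+(\w+)")
RE_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
RE_CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)")
RE_QUOTE = re.compile(r"CL_ABAP_DYN_PRG=>(QUOTE|ESCAPE_QUOTES)\(\s*(\w+)\s*\)")
RE_DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)")
RE_OPEN_DS = re.compile(r"^OPEN DATASET\s+(\w+)")
RE_IDENT = re.compile(r"\b[A-Z_][A-Z0-9_]*\b")


def statements(source: str) -> List[str]:
    """Split ABAP source into statements: comment lines (* or ") dropped, then
    the remaining text is split at the statement-terminating periods."""
    text = "\n".join(
        "" if l.lstrip().startswith(("*", '"')) else l for l in source.splitlines())
    return [re.sub(r"\s+", " ", s.strip()).upper() for s in text.split(".") if s.strip()]


def scan(source: str) -> List[Dict[str, str]]:
    """Return findings where a user-controlled value reaches a dangerous sink
    without passing through an escaping call."""
    tainted: Set[str] = set()
    findings = []
    for stmt in statements(source):
        if m := RE_SOURCE.match(stmt):            # source: screen input
            tainted.add(m.group(2))
            continue
        if m := RE_CONCAT.match(stmt):            # propagation through CONCATENATE
            if set(RE_IDENT.findall(m.group(1))) & tainted:
                tainted.add(m.group(2))
            continue
        if m := RE_ASSIGN.match(stmt):            # propagation through assignment
            target, rhs = m.group(1), m.group(2)
            # Operands wrapped in CL_ABAP_DYN_PRG escaping are removed before lookup.
            cleaned = RE_QUOTE.sub("", rhs)
            if set(RE_IDENT.findall(cleaned)) & tainted:
                tainted.add(target)
            else:
                tainted.discard(target)           # reassignment from clean data untaints
            continue
        for rx, kind in ((RE_DYN_WHERE, "SQL injection (dynamic WHERE)"),
                         (RE_OPEN_DS, "directory traversal (OPEN DATASET)")):
            if (m := rx.search(stmt)) and m.group(1) in tainted:
                findings.append({"kind": kind, "variable": m.group(1), "statement": stmt})
    return findings


# Constructed ABAP sample: one vulnerable query, one escaped query, one file sink.
SAMPLE_ABAP = """
REPORT zdemo_scan.
PARAMETERS p_name TYPE string.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe  TYPE string.
DATA lt_users TYPE TABLE OF usr02.

* user input glued straight into a dynamic WHERE clause
CONCATENATE 'BNAME = ''' p_name '''' INTO lv_where.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_where).

" same query, input escaped first
lv_safe = |BNAME = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM usr02 INTO TABLE lt_users WHERE (lv_safe).

OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"{f['kind']}: {f['variable']} in '{f['statement']}'")
```

The scan reports the unescaped WHERE clause and the file name used directly in OPEN DATASET, and stays silent on the escaped query; in a real tool the same three ingredients (sources, propagation, sanitizers) are tracked across procedure boundaries and both branches of conditionals.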

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis
- DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

- SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis; the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs here
- DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general:
- Go to the SAP Service Marketplace for spotlight news
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic / Course ID
- Authorizations AS ABAP: ADM940
- Authorizations AS Java, Portal: ADM200, EP200, ADM800
- Authorizations BW: BW365
- SAP NetWeaver Identity Management: ADM920
- Security Auditing: ADM950
- Technical Security (RFC, SSL, SNC, …): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: after a primary authentication of the user (jack_jones), the E-SSO client performs the logon to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; an E-SSO monitor and a local management console complete the picture.

Secure Login – Solution Architecture

Diagram:
- Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client, and a web browser with the Secure Login Web Client (SLWC, applet); key store; SAP or Java crypto library
- SAP backend system: ABAP stack with the Secure Login Library (PSE service); Java stack
- Secure Login Server (on SAP NetWeaver CE 7.2) with its configuration data, backed by an authentication server (e.g. SAP User Management)
- Protocols: DIAG/SNC between SAP GUI and the ABAP stack; HTTP(S) between browser or client and the Secure Login Server

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

Diagram: Company A (Datacenter A with ERP, CRM, SCM, …), Company B (Datacenter B with ERP, CRM, SCM, …) and the cloud.

Identity Federation – Solution

Diagram: each company's datacenter runs an Identity Provider; ERP, CRM and SCM in both datacenters act as Service Providers (SP); identity federation links the two Identity Providers.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: an SAP NetWeaver Java Identity Provider (with its user accounts) issues SAML tokens to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems (each with its own user accounts); log on / log off.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
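What the Service Provider has to check on the SAML assertion it receives back from the Identity Provider, before it creates the user's session, is shown in the following Python code. It is an added example rather than SAP NetWeaver's Service Provider implementation, and it assumes the XML signature has already been verified against the Identity Provider's certificate (that step needs an XML-DSig library and is not shown). The assertion, the issuer and endpoint URLs, the request ID _req42 and the timestamps are constructed.

```python
"""Service Provider-side checks on a SAML 2.0 bearer assertion, as in the web
browser SSO flow: trusted issuer, validity window, audience, recipient, and
InResponseTo matched against an AuthnRequest this SP actually sent.

Added example, not SAP's Service Provider code. Signature verification is
assumed to have succeeded before these checks run. All values are constructed."""
from datetime import datetime, timedelta, timezone
from typing import List, Set
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime given in UTC with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, *, now: datetime, trusted_issuers: Set[str],
                       audience: str, recipient: str, outstanding: Set[str],
                       skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return the reasons the assertion must be rejected (empty list = accept).

    All checks are collected instead of short-circuiting so a rejected
    assertion can be logged with every violation, not just the first."""
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if "NotBefore" in cond.attrib and now + skew < _ts(cond.attrib["NotBefore"]):
            problems.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now - skew >= _ts(cond.attrib["NotOnOrAfter"]):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append(f"audience {audiences} does not include this SP")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.attrib.get("Recipient") != recipient:
            problems.append("recipient mismatch")
        if "NotOnOrAfter" in scd.attrib and now - skew >= _ts(scd.attrib["NotOnOrAfter"]):
            problems.append("subject confirmation expired")
        # InResponseTo must name a request this SP issued and has not yet consumed (replay guard).
        if scd.attrib.get("InResponseTo") not in outstanding:
            problems.append("InResponseTo does not match an outstanding request")
    return problems


# Constructed sample assertion (IDs, URLs and times are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jack_jones</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://erp.example.com/saml2/acs"
          NotOnOrAfter="2013-11-05T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://erp.example.com/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP_SETTINGS = dict(trusted_issuers={"https://idp.example.com/saml2"},
                   audience="https://erp.example.com/saml2/sp",
                   recipient="https://erp.example.com/saml2/acs")


def demo() -> dict:
    """Run the sample through the checks at a valid time, an hour later, and at a wrong SP."""
    t_ok = datetime(2013, 11, 5, 10, 1, tzinfo=timezone.utc)
    other_sp = {**SP_SETTINGS, "audience": "https://crm.example.com/saml2/sp"}
    return {
        "valid": validate_assertion(SAMPLE_ASSERTION, now=t_ok, outstanding={"_req42"}, **SP_SETTINGS),
        "late": validate_assertion(SAMPLE_ASSERTION, now=t_ok + timedelta(hours=1),
                                   outstanding=set(), **SP_SETTINGS),
        "wrong_sp": validate_assertion(SAMPLE_ASSERTION, now=t_ok, outstanding={"_req42"}, **other_sp),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accept")
```

The audience and InResponseTo checks are the ones most often skipped in home-grown SP code: without them an assertion issued for one system can be replayed at another, which defeats the point of the per-system Service Provider trust shown in the diagram.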

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram:
- Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and the Identity Services (IdS); dispatcher with Java and VB runtimes and the DSE (VB); event agent (starts runtimes); user interface as Web Dynpro on AS Java (ID Mgmt UI abstraction, JMX); MMC Management Console (soon to be Eclipse)
- Virtual Directory Server (VDS) in a Java VM, reached via LDAP, connected to external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, app-specific)
- Protocols: HTTPS, database protocol, LDAP

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Process between the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control:
1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, …
5. Risk analysis and remediation (compliance team): reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …; and send approval mail to the user

Result: compliant identity management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.
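Access risk identification and analysis, the GRC Access Control side of the comparison, is at its core a rule evaluation over the entitlements a user would hold after provisioning, with the reject / approve / mitigate outcome that step 5 of the compliant identity management process routes to the compliance team. The following Python snippet is an added illustration, not SAP GRC Access Control's rule engine; the role names, risk IDs and control IDs are constructed. The point it makes is that the analysis must run against existing plus requested roles, since a single harmless-looking role can complete a conflicting pair.

```python
"""Segregation-of-duties (SoD) risk analysis on an access request.

Added example, not SAP GRC Access Control. Roles, risk IDs and mitigating
control IDs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    conflicting: Set[str]   # a user holding all of these roles violates the risk


@dataclass
class Request:
    user: str
    existing_roles: Set[str]
    requested_roles: Set[str]
    mitigations: Dict[str, str] = field(default_factory=dict)  # risk_id -> control ID


# Constructed SoD rule set.
RISKS = [
    Risk("R-PAY-01", "create vendor and release payment",
         {"Z_VENDOR_MAINT", "Z_PAYMENT_RUN"}),
    Risk("R-HR-02", "maintain HR master data and approve payroll",
         {"Z_HR_MASTER", "Z_PAYROLL_APPROVE"}),
]


def analyze(req: Request, risks: List[Risk] = RISKS) -> dict:
    """Evaluate the roles the user would hold after provisioning (existing plus
    requested), not just the requested ones: a request is risky when it
    completes a conflicting combination."""
    after = req.existing_roles | req.requested_roles
    violations, mitigated = [], []
    for r in risks:
        if r.conflicting <= after:
            # a risk with an assigned mitigating control is reported separately
            (mitigated if r.risk_id in req.mitigations else violations).append(r.risk_id)
    if violations:
        decision = "reject-or-mitigate"
    elif mitigated:
        decision = "approve-with-controls"
    else:
        decision = "approve"
    return {"user": req.user, "decision": decision,
            "violations": violations, "mitigated": mitigated,
            "roles_after": sorted(after)}


def demo() -> List[dict]:
    """Three constructed requests: one completing a conflict, one mitigated, one clean."""
    requests = [
        Request("JJONES", {"Z_VENDOR_MAINT"}, {"Z_PAYMENT_RUN"}),
        Request("MSMITH", {"Z_HR_MASTER"}, {"Z_PAYROLL_APPROVE"}, {"R-HR-02": "CTRL-17"}),
        Request("AKUMAR", set(), {"Z_PAYMENT_RUN"}),
    ]
    return [analyze(r) for r in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first request looks like one role, but together with the role the user already holds it completes R-PAY-01; the second carries the same kind of conflict under a documented control, which is the "mitigate" branch of step 5 above.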

SAP GRC Access Control 10.0 – Architecture

Diagram:
- SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A), with Content Lifecycle Management (CLM)
- SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); connected via RFC
- Non-SAP business applications via adapter (optional)
- SAP NW Portal 7.02 with GRC portal content (optional, HTTP)
- SAP NW BW 7.02 with GRC BI content (optional, RFC)
- Identity management solutions (SAP or non-SAP), optional, via web services
- SAP NW Java 7.02 with Adobe Document Services (optional)
- Front-end client: SAP GUI 7.10 (DIAG), web browser (HTTP), Adobe Flash Player, SAP CR Adapter
- SAP Crystal Reports Adapter and Active Component Framework: needed for viewing GRC-embedded SAP Crystal Reports

SAP GRC 10.0

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow: HR application (new hire, change position) -> Identity Management calculates entitlements based on position -> line manager approves assignments (yes / no) -> SAP GRC Access Control performs compliance check and remediation -> create user, assign privileges -> create user and assign roles in each system of the heterogeneous landscape

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend and mobile frontend logs; logs of infrastructure; logs of database; network IDS logs; alerts from SAP SolMan

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, aggregation, normalization

Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions, identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP ID Service – One Login for Cloud Applications

SAP ID service: authentication, single sign-on and user management for the SAP Cloud.
- Managing identities and their lifecycle within the SAP Cloud
- Leverage SSO to SAP web sites and on-demand applications

One SAP identity: the SAP ID service bridges the gap between
- the customer's on-premise applications
- SAP on-demand applications
- SAP websites
- 3rd party on-demand applications
by verifying user identities and granting authentication.

Session SIS102 – SAP ID Service – Single Sign-On for Cloud Applications

Enterprise / Cloud: Two Identity "Camps" – Handled With Industry Standards

Standards shown: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos. The two camps are the enterprise (on-premise) and the Internet / cloud (on-demand).

SAP bridges the gap between these two "camps".

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between on-demand and on-premise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration on-premise <-> on-demand instead of point-to-point connections.

Diagram: in the customer's on-premise network, the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network, the SAP ID service proxies that authentication via SAML towards SAP Business ByDesign, SAP HANA Cloud and 3rd party apps; a social IdP can also be connected via SAML.

On-Demand and On-Premise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with on-demand and on-premise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

On-demand integration, on-premise integration, on-device integration.

Secure Communication and Interaction OnDemand Solutions

(Diagram: backend networks of Company A and Company B, each with R/3 and ERP application server farms and a directory (DIR); each company has its own Identity Provider; SAML assertions and SAP logon tickets connect the identity providers, the OnDemand solutions and the backend systems)

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java)


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
Used to ensure secure and compliant operation of business functions.
Target audience: auditor

Read Access Log
Used to ensure compliant access to sensitive or classified data.
Allows tracking who accessed which data, when, and via which interface.
Target audience: data protection officer

Security Audit Log
Monitoring of security-relevant events in the system, such as logons, access control violations and more.
Target audience: security administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

(Diagram: audit planning and a work program covering system audit and business audit; in the SAP environment, online controls on the SAP database – system information, reconciliation of BS/P&L, account balances, documents – and data export of account balances and line items through an export interface; in the non-SAP environment, analysis software such as ACL or IDEA and reporting software deliver work paper preparation and reports over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …)


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:

Who accessed the data
Which data was accessed
When the data was accessed
How the data access took place, i.e. via which transaction or user interface

The amount of detail to be logged is customizable based on:

user interfaces used to access the data
operations executed on remote APIs
users using the remote APIs / user interfaces
entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram: ABAP server with the application, the Web Dynpro channel and the read access log)


Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
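As an added illustration (not SAP's framework code), here is a small Python model of the filter rules just described: it records who, what, when and how, while channel, user, operation and content filters decide which reads are logged, and per-field rules keep sensitive values such as full card numbers out of the log. Entity, field, channel and user names, the transaction and function names, and the sample events are all constructed.

```python
"""Filtered read-access log, as an added example (not SAP's RAL framework code).

Records WHO accessed WHICH data, WHEN and HOW (channel and interface); filters on
channel, user, operation and entity content decide which reads are logged, and
per-field rules keep sensitive content such as full card numbers out of the log.
Entity, field, channel and user names and the sample events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import re

# Constructed logging configuration, one entry per logged entity.
RAL_CONFIG = {
    "BusinessPartner": {
        "channels": {"SAP GUI", "Web Dynpro", "RFC", "Web service"},
        "operations": {"DISPLAY", "READ"},
        "log_fields": {"partner_id", "country"},   # logged with their value
        "mask_fields": {"credit_card"},            # logged in masked form only
        "omit_fields": {"health_note"},            # only the fact of access is logged
        # content condition: log only when the record itself is classified
        "condition": lambda content: content.get("classification") == "sensitive",
    },
}
EXCLUDED_USERS = {"BATCH_JOB"}   # technical users whose reads are not logged

@dataclass
class AccessEvent:
    user: str
    channel: str
    interface: str       # transaction, Web Dynpro application or RFC function
    operation: str
    entity: str
    content: Dict[str, str]
    when: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def mask_value(value: str) -> str:
    """Keep the last four digits only, so a card number is never stored in full."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

def build_log_record(event: AccessEvent) -> Optional[dict]:
    """Apply the filters; return the record to store, or None when not logged."""
    cfg = RAL_CONFIG.get(event.entity)
    if cfg is None or event.channel not in cfg["channels"]:
        return None
    if event.operation not in cfg["operations"] or event.user in EXCLUDED_USERS:
        return None
    if not cfg["condition"](event.content):
        return None
    fields: Dict[str, str] = {}
    for name, value in event.content.items():
        if name in cfg["omit_fields"]:
            fields[name] = "<accessed, value not logged>"
        elif name in cfg["mask_fields"]:
            fields[name] = mask_value(value)
        elif name in cfg["log_fields"]:
            fields[name] = value
        # every other field stays out of the log entirely
    return {
        "who": event.user,
        "when": event.when.isoformat(),
        "how": {"channel": event.channel, "interface": event.interface,
                "operation": event.operation},
        "what": {"entity": event.entity, "fields": fields},
    }

class ReadAccessLog:
    """In-memory stand-in for the log store (the real framework persists to the DB)."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def record(self, event: AccessEvent) -> bool:
        rec = build_log_record(event)
        if rec is not None:
            self.records.append(rec)
        return rec is not None

def demo() -> List[dict]:
    """Push three constructed reads through the filters; return what got stored."""
    log = ReadAccessLog()
    partner = {"partner_id": "4711", "country": "DE", "classification": "sensitive",
               "credit_card": "4111 1111 1111 1234", "health_note": "confidential",
               "phone": "+49 000 0000"}
    # dialog user displays a sensitive partner in transaction BP via SAP GUI: logged, masked
    log.record(AccessEvent("JDOE", "SAP GUI", "BP", "DISPLAY", "BusinessPartner", partner))
    # same read over a channel that is not configured for logging (BSP): not logged
    log.record(AccessEvent("JDOE", "BSP", "ZBP_PAGE", "DISPLAY", "BusinessPartner", partner))
    # technical batch user over RFC: filtered out by the user filter
    log.record(AccessEvent("BATCH_JOB", "RFC", "Z_BP_READ", "READ", "BusinessPartner", partner))
    return log.records
```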


SAP Custom Development – User Interface (UI) Logging

(Diagram: SAP GUI for Windows exchanges request and response with the Dynpro processor of the SAP backend system; the observed data traffic goes to a temporary log and, by an asynchronous call of the log service, into permanent log storage in the repository; the application logic side is a delivered sample implementation)

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I – Transaction BP (Business Partner) log record (screenshot)


UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record (screenshot)


Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).

LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider.

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures Via SSF API and Secure Login Library

(Diagram: SAP Business Suite applications SRM, SCM, ERP, PLM and CRM on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library)

Digital signatures for legally binding contracts
Integration with the Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption


Digital Signatures – Step By Step

(Diagram, SAP client and application server, steps 1 to 4:)
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions.

Programming/integration necessary in case of:
ABAP programming for other transactions not yet supporting SSF
Integration of the Secure Login Library with client actions

Hardware support needed.


SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

Included in the SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included

(Diagram: the clients SAP NetWeaver Business Client, SAP GUI for Windows, RFC client and Business Explorer Browser (BEx Browser) connect over SNC to the SAP application servers, which also use SNC between each other)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

(Diagram: SAP – secure software development; customers – secure software development; security services; security management)




SAP Product Innovation Lifecycle

(Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up)

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services




SAP Security Services Overview (1/2)

SAP Security Patch Day: SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services:
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training:
Secure operation trainings by SAP
Secure development trainings by partners

SAP Security Documentation:
Security notes published on Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press




SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling

(from the security recommendations; discussed later)


Patch Management and Security Monitoring

Check the security of your systems as an onsite or remote service, or as self service via SAP Solution Manager.

Verify release information and configuration parameters against targets for all systems connected to Solution Manager.

Evaluate SAP security notes every patch day. The most important notes which can be automatically applied are checked and the result is presented.

Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.




Secure Custom Development – Secure Design

Secure design:
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom developed code (see note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN): extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: manual source code review and automated source code analysis form SAST, which finds vulnerabilities by analyzing the sources; automated application vulnerability scanning and manual application penetration testing form DAST, which finds vulnerabilities in the running application)


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram: manual source code review and automated source code analysis – SAST, finding vulnerabilities by analyzing the sources; automated application vulnerability scanning and manual application penetration testing – DAST, finding vulnerabilities in the running application; the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to automated source code analysis)

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– sent out for very important security-related news

Reporting product security issues:
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes


Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news, check the security notes released on the Security Patch Days, subscribe to the SAP support portal newsletter, and maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula:
SAP System Administration – User and Security
SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security. It proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance. Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets.
Permits comparison between independent security evaluations.
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features.
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs).
EAL 4 is the highest internationally accepted level.

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, The Netherlands, Turkey, UK, US.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

(Diagram: compliance and governance – SAP GRC Access Control; identity management – SAP NetWeaver Identity Management; authentication and single sign-on – SAP NetWeaver Single Sign-On)

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions: Compliant Identity Management and Single Sign-On.


Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
Advanced SNC encryption: strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods: smart cards, RADIUS


SAP NetWeaver Identity Management and Single Sign-On (SAP NetWeaver)

SAP NetWeaver Identity Management:
User and role management
Provisioning to SAP and non-SAP systems
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control
Identity federation

SAP NetWeaver Single Sign-On:
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (RADIUS, smart cards)
RSA certification
Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the Crypto Library

SNC Client Encryption:
Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner, via API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to web applications. XACML-based and policy-enforced access.

Identity Federation: web-based and web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross-company/domain single sign-on.

Secure Login: single sign-on for web-based and web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.

Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet). Secured and automated login via user and password.

SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers. No single sign-on.


EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

(Diagram: after the primary authentication of user jack_jones, the E-SSO monitor performs the logon to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; configured through a local management console)


Secure Login – Solution Architecture

(Diagram: client system with the SAP frontend (NWBC, SAP GUI) and the Secure Login Client, plus a web browser with the Secure Login Web Client (SLWC applet) and a key store; SAP backend systems with ABAP stack and Secure Login Library, reached via DIAG with SNC; a NetWeaver CE 7.2 Java stack hosting the Secure Login Server with its config data, PSE service and SAP or Java crypto library, reached via HTTP(S); an authentication server (e.g. SAP User Management))

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

(Diagram: Company A in datacenter A and Company B in datacenter B, each running ERP, CRM and SCM, with further systems in the cloud)


Identity Federation – Solution

(Diagram: in datacenter A and datacenter B, each company's ERP, CRM and SCM act as Service Providers (SP) behind the company's own Identity Provider; the two Identity Providers are linked by identity federation)

Each company maintains only its own identities.
A company can trust the identities of another organization.
Employees of company A can get access to shared information of company B.
SAP Business Suite will be enabled for SAML (Service Provider).
Identity Provider and Service Provider are based on the open SAML standard.


Identity Provider – Web Browser-Based Single Sign-On

(Diagram: SAP NetWeaver Java Identity Provider with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user accounts; the user logs on and off at the Identity Provider and presents a SAML token to each Service Provider)

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).

Web users trying to access a system are redirected to the Identity Provider.

Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication.

Web browser-based single sign-on is user-centric.
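As an added example (not SAP code), the following Python shows the checks a Service Provider makes on the SAML token it receives after the redirect before it lets the user in: trusted issuer, audience, validity window, recipient/InResponseTo binding to its own request, and one-time use. Entity IDs, URLs, timestamps and the sample response are constructed; XML signature verification is assumed to be done beforehand by an XML-DSig library and is passed in as a flag.

```python
"""SP-side checks on a SAML 2.0 Web SSO response, as an added example (not SAP code).
After the redirect to the Identity Provider and the logon there, the Service Provider
receives a SAML token. Before trusting it the SP verifies that it is signed by its IdP,
meant for this SP, an answer to the request this SP sent, still valid and not presented
before. Entity IDs, URLs, times and the sample response are constructed; XML-DSig
verification is assumed to be done by an XML-signature library and passed in as a flag.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Set
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP configuration: what the SP knows about itself and its IdP.
SP_ENTITY_ID = "https://sp.example.test/saml2/metadata"
ACS_URL = "https://sp.example.test/saml2/acs"
TRUSTED_IDP = "https://idp.example.test/saml2/idp"
CLOCK_SKEW = timedelta(minutes=2)

class SamlValidationError(Exception):
    pass

def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text: str, request_id: str, now: datetime,
                      signature_ok: bool, seen_assertion_ids: Set[str]) -> str:
    """Return the authenticated NameID or raise SamlValidationError."""
    if not signature_ok:                  # nothing below matters for an unsigned token
        raise SamlValidationError("assertion signature not verified")
    root = ET.fromstring(xml_text)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("status is not Success")
    # the response must answer the AuthnRequest this SP issued (no unsolicited response)
    if root.get("InResponseTo") != request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise SamlValidationError("no assertion or no conditions")
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_IDP:             # only the configured IdP may vouch for users
        raise SamlValidationError("untrusted issuer " + issuer)
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_time(not_before):
        raise SamlValidationError("assertion not yet valid")
    if not_after is None or now - CLOCK_SKEW >= parse_time(not_after):
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if SP_ENTITY_ID not in audiences:     # token issued for some other SP
        raise SamlValidationError("audience mismatch")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("subject confirmation does not match this SP/request")
    assertion_id = assertion.get("ID")    # bearer assertions are single use
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    return assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)

# Constructed response as the IdP would post it to the SP's assertion consumer service.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_resp1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z" InResponseTo="_req42">
  <saml2:Issuer>{TRUSTED_IDP}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{STATUS_SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
    <saml2:Issuer>{TRUSTED_IDP}</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>jack_jones</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42" NotOnOrAfter="2013-11-05T10:05:00Z"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

def outcome(xml_text: str, request_id: str, now: datetime, signature_ok: bool, seen: Set[str]) -> str:
    try:
        return "accepted:" + validate_response(xml_text, request_id, now, signature_ok, seen)
    except SamlValidationError as exc:
        return "rejected:" + str(exc)

def demo() -> Dict[str, str]:
    """The same constructed response under conditions an SP meets in practice."""
    now, seen = datetime(2013, 11, 5, 10, 1, tzinfo=timezone.utc), set()
    return {
        "fresh": outcome(SAMPLE_RESPONSE, "_req42", now, True, seen),
        "replay": outcome(SAMPLE_RESPONSE, "_req42", now, True, seen),
        "other_request": outcome(SAMPLE_RESPONSE, "_req99", now, True, set()),
        "expired": outcome(SAMPLE_RESPONSE, "_req42", now + timedelta(hours=1), True, set()),
        "unsigned": outcome(SAMPLE_RESPONSE, "_req42", now, False, set()),
    }
```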

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management with its central identity store, integrated with SAP Access Control (GRC) and the SAP Business Suite; triggered e.g. by on-boarding)

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as service
Approval workflows
Central identity store
Compliance checks through GRC
SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

(Diagram: the Identity Center with its IC database (either MS SQL or Oracle DB, soon IBM DB2) holding stored procedures, logs, audit and IdS; Java and VB runtimes, the DSE (VB) and a dispatcher started by an event agent; an AS Java with the Web Dynpro identity management UI abstraction and JMX; the Virtual Directory Server (VDS) in its Java VM, reached over LDAP, Java, ABAP, web services, Active Directory etc.; external repositories and external applications such as SAP HR, LDAP/web services, SiteMinder and app-specific connectors; a user interface via the MMC Management Console, soon to be Eclipse)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

(Diagram sequence across slides 91 to 97, between the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control:)
1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Sent for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …, and send approval mail to the user

Result: compliant identity management.

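The six-step request flow above, as an added Python model that is not SAP NetWeaver Identity Management or SAP GRC Access Control code: a request passes approval, a segregation-of-duties risk analysis, one of the remediation decisions listed in step 5, and provisioning to the targets that know the roles. The SoD rule set, control names, role names and target systems are invented for the example.

```python
"""Constructed model of the six-step compliant identity management flow on
the slides: request, approval, risk analysis, remediation, provisioning.
Added example; not SAP NetWeaver Identity Management or SAP GRC Access
Control code. Rule set, role and system names are invented."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    """Step 5 outcomes listed on the slide."""
    REJECT = "reject"
    APPROVE = "approve"
    MITIGATE = "mitigate"
    MODIFY = "modify"


# Hypothetical segregation-of-duties rules: two roles one user must not hold
# together, and the mitigating control the compliance team may assign instead.
SOD_RULES = {
    "AP_INVOICE_ENTRY+AP_PAYMENT_RELEASE": "CTRL_DUAL_REVIEW_PAYMENTS",
    "USER_ADMIN+ROLE_ADMIN": "CTRL_QUARTERLY_ADMIN_REVIEW",
}

# Hypothetical target systems (SAP and non-SAP) and the roles each one knows.
TARGET_SYSTEMS = {
    "ERP_PRD": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE", "USER_ADMIN", "ROLE_ADMIN"},
    "LEGACY_HR": {"USER_ADMIN"},
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: set                              # step 1
    approvals: dict = field(default_factory=dict)     # steps 2 and 3
    risks: list = field(default_factory=list)         # step 4
    mitigations: set = field(default_factory=set)     # step 5
    provisioned: dict = field(default_factory=dict)   # step 6
    status: str = "requested"


def approve(req: AccessRequest, approver: str, granted: bool) -> str:
    """Steps 2 and 3: record an approver's decision (manager, role owner, ...)."""
    req.approvals[approver] = granted
    req.status = "approved" if all(req.approvals.values()) else "rejected"
    return req.status


def risk_analysis(req: AccessRequest, existing_roles: set) -> list:
    """Step 4: check existing plus requested roles against the SoD rules."""
    effective = existing_roles | req.requested_roles
    req.risks = [rule for rule in SOD_RULES if set(rule.split("+")) <= effective]
    return req.risks


def remediate(req: AccessRequest, decision: Decision, drop_role: str = "") -> str:
    """Step 5: the compliance team decides how open risks are handled."""
    if req.status == "rejected":
        return req.status
    if decision is Decision.REJECT:
        req.status = "rejected"
    elif decision is Decision.MITIGATE:
        req.mitigations = {SOD_RULES[r] for r in req.risks}  # one control per risk
        req.status = "approved"
    elif decision is Decision.MODIFY and drop_role:
        req.requested_roles.discard(drop_role)
        req.risks = [r for r in req.risks if drop_role not in r.split("+")]
        req.status = "approved" if not req.risks else "risk_open"
    elif decision is Decision.APPROVE and not req.risks:
        req.status = "approved"
    else:
        req.status = "risk_open"  # plain approval of an unmitigated risk is refused
    return req.status


def provision(req: AccessRequest) -> dict:
    """Step 6: push the roles to every target system that knows them."""
    if req.status != "approved" or (req.risks and not req.mitigations):
        raise PermissionError(f"request of {req.user} is {req.status}, not provisioned")
    for system, known in TARGET_SYSTEMS.items():
        roles = req.requested_roles & known
        if roles:
            req.provisioned[system] = roles
    req.status = "provisioned"
    return req.provisioned
```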

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standard-supported identity federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

[Architecture diagram of SAP GRC 10.0; components and connections as labelled:]
- SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM)
- SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
- Non-SAP business applications via adapter
- SAP NW Portal 7.02 with GRC portal content (optional)
- SAP NW BW 7.02 with GRC BI content (optional)
- SAP NW Java 7.02 with Adobe Document Services (optional)
- Identity management solutions (SAP or non-SAP), connected via web services (optional)
- Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)
- Connections: HTTP, web services, RFC, DIAG


Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Process diagram: HR application (new hire, change position) → Identity Management calculates entitlements based on position → Line Manager approves assignments (Yes/No) → SAP GRC Access Control compliance check and remediation → create user, assign roles / assign privileges across the heterogeneous landscape]

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram]
- Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP-NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; network logs; IDS
- SAP Attack Monitoring Infrastructure, stages as labelled: Aggregation, Normalization, Connectivity, Filtering, Extraction
- Outputs: API to other SIEM tools; alerts from SAP SolMan; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
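The pipeline stages labelled in the draft above, as an added Python sketch that is not SAP's planned product code: two constructed log formats are extracted and normalized into one event schema, aggregated across sources, and filtered against a small attack-pattern list to raise alerts. The line layouts, field names, patterns and thresholds are assumptions; only the Security Audit Log message ids AU1 and AU2 are real.

```python
"""Constructed sketch of an attack-monitoring pipeline: extraction of two
source formats, normalization into one schema, aggregation across sources
and filtering against attack patterns. Added example; not SAP code."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extraction: two constructed line formats. The ABAP one borrows the Security
# Audit Log message ids AU1 (logon successful) and AU2 (logon failed); the
# surrounding layout is invented for this example.
ABAP_RE = re.compile(
    r"(?P<ts>\S+) SAL (?P<msg>AU\d) user=(?P<user>\S+) term=(?P<term>\S+) (?P<text>.*)")
DB_RE = re.compile(
    r"(?P<ts>\S+) DBAUDIT (?P<user>\S+)@(?P<host>\S+) (?P<action>\S+) (?P<text>.*)")

# Hypothetical attack patterns, the kind of content "attack pattern updates
# by SAP" would deliver: count failed logons per key inside a time window.
ATTACK_PATTERNS = [
    {"id": "PAT-001", "name": "password guessing against one user",
     "outcome": "failure", "key": ("user",), "distinct": None,
     "threshold": 3, "window": timedelta(minutes=5)},
    {"id": "PAT-002", "name": "one host failing against many users",
     "outcome": "failure", "key": ("host",), "distinct": "user",
     "threshold": 3, "window": timedelta(minutes=5)},
]


def normalize(line: str) -> dict | None:
    """Normalization: map a raw line to the common event schema, or None."""
    m = ABAP_RE.match(line)
    if m:
        outcome = {"AU1": "success", "AU2": "failure"}.get(m["msg"], "other")
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "abap",
                "user": m["user"].upper(), "host": m["term"], "outcome": outcome}
    m = DB_RE.match(line)
    if m:
        outcome = "failure" if m["action"] == "LOGIN_FAILED" else "success"
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "db",
                "user": m["user"].upper(), "host": m["host"], "outcome": outcome}
    return None  # unknown format: dropped here; a real system would count these


def detect(events: list, patterns: list) -> list:
    """Aggregation and filtering: group normalized events from all sources by
    the pattern's key and alert when the threshold is reached in the window."""
    alerts = []
    timeline = sorted((e for e in events if e), key=lambda e: e["ts"])
    for p in patterns:
        buckets = defaultdict(list)
        for e in timeline:
            if e["outcome"] == p["outcome"]:
                buckets[tuple(e[k] for k in p["key"])].append(e)
        for key, evs in buckets.items():
            for i, first in enumerate(evs):   # sliding window from each event
                inside = [e for e in evs[i:] if e["ts"] - first["ts"] <= p["window"]]
                hits = {e[p["distinct"]] for e in inside} if p["distinct"] else inside
                if len(hits) >= p["threshold"]:
                    alerts.append((p["id"], key, len(hits)))
                    break                     # one alert per key and pattern
    return alerts


def run_pipeline(lines: list) -> list:
    return detect([normalize(line) for line in lines], ATTACK_PATTERNS)


# Constructed sample input mixing both sources; not real log data.
SAMPLE_LOGS = [
    "2013-10-22T09:00:01 SAL AU2 user=jdoe term=WS1234 Logon failed",
    "2013-10-22T09:00:20 SAL AU2 user=jdoe term=WS1234 Logon failed",
    "2013-10-22T09:01:05 DBAUDIT jdoe@WS1234 LOGIN_FAILED wrong password",
    "2013-10-22T09:02:00 SAL AU1 user=jdoe term=WS1234 Logon successful",
    "2013-10-22T09:10:00 SAL AU2 user=asmith term=WS9 Logon failed",
    "2013-10-22T09:10:10 SAL AU2 user=bjones term=WS9 Logon failed",
    "2013-10-22T09:10:20 DBAUDIT cwhite@WS9 LOGIN_FAILED wrong password",
    "garbage line no extractor understands",
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

The first alert only fires because the ABAP and database failures for the same user are aggregated after normalization; neither source alone reaches the threshold.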


Summary – Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes.
- Significant investments in security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
- The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.
- SAP leads the industry by helping our customers thrive in today's business networks.



Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complementary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Enterprise / Cloud: Two Identity „Camps“ – Handled With Industry Standards

Standards shown: SAML, Liberty ID-WSF, WS-*, SOAP, OAuth, XRDS, OpenID, REST, Kerberos

The two camps: Enterprise (on-premise) and Internet/Cloud (on-demand)

SAP bridges the gap between these two „camps“.


Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud.
- SOAP/WS-* is the preferred choice for process integration in the enterprise.
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*.
- Integration between OnDemand and OnPremise requires SSO in both directions and restricted permissions on enterprise resources for inbound calls.
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and is broadly supported for browser-based access to applications hosted in the (public) cloud.


On-Premise Authentication via IdP Proxying: Integrating Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration OP/OD instead of point-to-point connections

[Diagram: Customer on-premise network (User, On-Premise IdP, X.509) and SAP on-demand network (SAP ID service in front of SAP Business ByDesign, SAP HANA Cloud and a 3rd party app; Social IdP); trust relationships labelled SAML]


OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Diagram: OnDemand integration, OnPremise integration, OnDevice integration]


Secure Communication and Interaction: OnDemand Solutions

[Diagram: backend networks of Company A and Company B, each with R/3 and ERP application server farms and a directory (DIR); an Identity Provider per company; On-Demand solutions for Company A and Company B; protocols labelled SAML and SAP Logon Tickets]

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20); results of the Log Viewer in Java]


Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operations of business functions
- Target audience: auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking of who accessed which data, when, and via which interface
- Target audience: data protection officer

Security Audit Log
- Monitoring of security-relevant events in the system like logon, access control violations and more
- Target audience: security administrator


Monitoring and Auditing: The SAP Audit Information System (AIS)

[Diagram: AIS in the SAP environment and the non-SAP environment]
- SAP environment: audit planning; work program (system audit, business audit); online controls on the SAP database (system information, reconciliation, BS / P&L, account balances, documents); data export (account balances, line items) via an export interface
- Non-SAP environment: work paper preparation; report; analysis software (ACL, IDEA, …); reporting software working on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …


Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits.

It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP server with an application (Web Dynpro) writing to the Read Access Log]


Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
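The who / which / when / how record and the filtering described in the two RAL passages above, as an added Python illustration that is not SAP's RAL framework or its configuration format: a per-channel configuration decides which fields of an entity are written, masks or omits sensitive ones, and a condition keeps out-of-scope records out of the log entirely. Channel, entity and field names and the masking rules are assumptions.

```python
"""Constructed illustration of Read Access Logging: record who accessed which
data, when and via which channel, with a per-channel configuration whose
filters keep private data out of the log. Added example; not SAP's RAL
framework or its configuration format. Channel, entity and field names and
the masking rules are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# How a sensitive field is reduced before it reaches the log.
MASKS = {
    "last4": lambda v: "*" * (len(v) - 4) + v[-4:],
    "omit": lambda v: "<not logged>",
}

# Hypothetical logging configuration keyed by (channel, entity): which fields
# are written, how sensitive ones are masked, and an optional condition that
# restricts logging to records in scope (here: only classified partners).
LOG_CONFIG = {
    ("SAP_GUI", "BUSINESS_PARTNER"): {
        "log_fields": ["partner_id", "name", "credit_card"],
        "mask": {"credit_card": "last4"},
        "condition": lambda rec: rec.get("classified", False),
    },
    ("RFC", "BUSINESS_PARTNER"): {
        "log_fields": ["partner_id", "credit_card"],
        "mask": {"credit_card": "omit"},
    },
}


@dataclass(frozen=True)
class ReadAccessEntry:
    timestamp: str   # when
    user: str        # who
    channel: str     # how: via which interface
    entity: str      # which data ...
    values: dict     # ... and the logged, possibly masked, field values


class ReadAccessLog:
    def __init__(self, config: dict):
        self.config = config
        self.entries: list = []

    def record(self, user: str, channel: str, entity: str, rec: dict,
               when: str = "") -> ReadAccessEntry | None:
        """Called by the channel whenever a record is presented to the user."""
        cfg = self.config.get((channel, entity))
        if cfg is None:
            return None                       # channel/entity not configured
        if not cfg.get("condition", lambda r: True)(rec):
            return None                       # filtered out: record not in scope
        values = {}
        for name in cfg["log_fields"]:
            if name in rec:
                mask = cfg.get("mask", {}).get(name)
                values[name] = MASKS[mask](str(rec[name])) if mask else rec[name]
        entry = ReadAccessEntry(
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            user=user, channel=channel, entity=entity, values=values)
        self.entries.append(entry)
        return entry

    def who_accessed(self, entity: str, key: str, value) -> list:
        """Evaluation: who accessed a given record, via which channel, when."""
        return [(e.user, e.channel, e.timestamp) for e in self.entries
                if e.entity == entity and e.values.get(key) == value]
```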


SAP Custom Development – User Interface (UI) Logging

[Diagram labels: SAP backend system with repository and permanent log storage; SAP GUI for Windows exchanging request and response with the Dynpro processor; observed data traffic; application logic; delivered sample implementation; temporary log; asynchronous call of log service]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I

[Screenshot: log record of transaction BP (Business Partner)]


UI Logging: Log Record Example II

[Screenshot: log record of transaction SE16 (Table Viewer)]


Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging    UI Logging Solution
SAP GUI                        No                                  7.00 … 7.31
Web Dynpro ABAP                7.40 SP02                           On req.
CRM Web Client UI              No                                  7.00 … 7.31
Business Warehouse             No                                  7.00 … 7.31, BW 7.0
Web Services                   7.40                                On req.
SAP RFC                        7.40 SP02                           On req.
Business Server Pages (BSP)    No                                  On req.


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When the recorded data contains information about individuals, it may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures Via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library]

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption


Digital Signatures – Step By Step

[Diagram: SAP client and application, steps 1 to 4]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of Secure Login Library with client actions
- Hardware support needed


SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to SAP application servers; SNC also between SAP application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

[Diagram: SAP – Secure Software Development, Security Services; Customers – Secure Software Development, Security Management]



SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE; quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services



SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press



SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP

- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

(from the security recommendations, discussed later)


Patch Management and Security Monitoring

- Check security of your systems as onsite, remote or self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers:
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.



Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security.

Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: Manual Source Code Review; Automated Source Code Analysis; Automated Application Vulnerability Scanning; Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review; Automated Source Code Analysis; Automated Application Vulnerability Scanning; Manual Application Penetration Testing]

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

SAP NetWeaver Application Server add-on for code vulnerability analysis

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news:
- check of the security notes released on the Security Patch Days
- subscription to the SAP support portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
- Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs); EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

[Diagram: Compliance and Governance – SAP GRC Access Control; Identity Management – SAP NetWeaver Identity Management; Authentication and Single Sign-On – SAP NetWeaver Single Sign-On]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (Radius, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

[Figure: solution components of SAP NetWeaver Single Sign-On; additional figure labels: Partner, API]

- Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access.
- Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross-company domain single sign-on.
- Secure Login: Single sign-on for Web-based and Web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.
- Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet). Secured and automated login via user and password.
- SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA - CA SiteMinder
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Figure: Enterprise Single Sign-On. Labels: Primary Authentication, E-SSO, E-SSO Monitor, Local Management Console; target applications: Terminal Emulator, Web Form, Web Basic, Windows application, Java application; example user jack_jones]

Secure Login - Solution Architecture

[Figure: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet) and Key Store, and the SAP or Java Crypto Library; SAP Backend System with an ABAP Stack (Secure Login Library, PSE Service) and a Java Stack (NetWeaver CE 7.2, Secure Login Server with Config Data, Secure Login Lib); further Backend Systems and an Authentication Server (e.g. SAP User Management); protocols shown: DIAG / SNC, HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM and SCM systems, with the cloud in between]

Identity Federation - Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each with ERP, CRM and SCM systems acting as Service Providers (SP) behind the company's Identity Provider; identity federation links the two Identity Providers]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On

[Figure: a SAP NetWeaver Java Identity Provider holding the user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with its own user account; log on / log off at the Identity Provider, SAML token to the Service Providers]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric

SAP NetWeaver Identity Management

Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its Central Identity Store, triggered by business events (e.g. on-boarding), integrated with SAP Access Control (GRC) and the SAP Business Suite]

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: Identity Center with the IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), a Dispatcher that starts Runtimes (Java and VB) and the DSE (VB), an Event Agent, and an AS Java hosting the Web Dynpro user interface (ID Mgmt UI abstraction) and the Identity Services over HTTPS; a Virtual Directory Server (VDS) in a Java VM connecting via LDAP, Java, ABAP and web services to external repositories (Active Directory etc.) and external applications (SAP HR, LDAP / web services, SiteMinder, application-specific); administration via the MMC Management Console (soon to be Eclipse) and JMX]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 - Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Figure, built up over seven slides: User, Approver and Compliance Team interacting with SAP NetWeaver Identity Management and SAP GRC Access Control; the steps below are numbered 1 to 6 in the figure]

1. Request for
   - Role
   - Privileges
   - User account
   - ...
2. Request sent for approval to
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - ...
3. Approval granted from
   - Manager
   - Delegate
   - Role owner
   - Application owner
   - ...
4. Send for risk analysis
5. Risk analysis and remediation (Compliance Team)
   - Reject
   - Approve
   - Mitigate
   - Modify request
   - ...
6. Provision to
   - Business applications
   - non-SAP systems
   - ...
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
- Access Risk Identification: define and understand access risks
- Access Analysis and Response: analyze and mitigate access risks
- Access Reviews: periodic reviews of assignments, risk violations and controls
- Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 - Architecture

[Figure: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM); connected via RFC to SAP ERP (4.6C - 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), and through an adapter to non-SAP business applications; optional components: SAP NW Portal 7.02 with GRC portal content (http), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services, and Identity Management solutions (SAP or non-SAP) via web services; front-end client: SAP GUI 7.10 (DIAG) or web browser (http) with Adobe Flash Player and the SAP CR Adapter; the SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports]

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Figure: process flow. An HR event (new hire, change of position) in the HR application triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (No: stop; Yes: continue); SAP GRC Access Control runs the compliance check and remediation; users are created and roles and privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure; UCONN

Planned Enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend and mobile frontend data, logs of infrastructure, logs of database, network logs, IDS data and alerts from SAP SolMan; processing stages: connectivity, extraction, filtering, normalization, aggregation; attack pattern updates by SAP; information back channel to SAP; API to other SIEM tools]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary - Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January - March 2014
- Complimentary with your SAP TechEd registration
- httpsaptechedhandsonsapcom

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Support of Industry Standards

- REST is the preferred choice for UI consumption scenarios in the cloud
- SOAP/WS-* is the preferred choice for process integration in the enterprise
- Publicly consumable SaaS APIs tend to support a RESTful protocol style rather than SOAP/WS-*
- Integration between OnDemand and OnPremise requires SSO in both directions, and restricted permissions on enterprise resources for inbound calls
- The Web SSO profile of SAML is a commonly deployed protocol in the enterprise and broadly supported for browser-based access to applications hosted in the (public) cloud

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd-Party Applications with SAP ID Service

Simple trust configuration OP / OD instead of point-to-point connections

[Figure: in the customer's on-premise network, the user authenticates (X.509) at the on-premise IdP; in the SAP on-demand network, the SAP ID service trusts that IdP via SAML and issues SAML assertions to SAP Business ByDesign, SAP HANA Cloud and 3rd-party apps; a social IdP is shown as an alternative identity source]

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

[Figure: OnDemand integration, OnPremise integration, OnDevice integration]

Secure Communication and Interaction: OnDemand Solutions

[Figure: backend networks of Company A and Company B, each with R/3 application server farms, ERP systems and a directory (DIR), connected to on-demand solutions; each company runs its own Identity Provider; labels shown on the links: SAML (toward the on-demand solutions) and SAP Logon Tickets (within the backend networks)]

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

[Figure: screenshots of the configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and of the results of the Log Viewer in Java]

Logging and Monitoring - AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: Auditor

Read Access Log
- Used to ensure compliant access to sensitive or classified data
- Allows tracking of who accessed which data, when, and via which interface
- Target audience: Data Protection Officer

Security Audit Log
- Monitoring of security-relevant events in the system, like logon, access control violations and more
- Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

[Figure: in the SAP environment, the AIS covers audit planning, a work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS / P&L, account balances, documents) and data export (account balances, line items); an export interface hands line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ... to the non-SAP environment, where analysis software (ACL, IDEA, ...) and reporting software support work paper preparation and the report]

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable, based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 - Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Figure: ABAP server with an application (Web Dynpro) writing to the Read Access Log]

Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
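The who / what / when / how record and the filtering described on the two Read Access Logging slides above, as an added example in Python. It is not SAP's framework: the channel names, the per-field logging modes and the sample business partner record are constructed. The point it demonstrates is that a field-level configuration decides per channel whether a value is logged as-is, only as a fingerprint, or only as the fact that it was displayed, so the log can answer "who read this credit card number, and how" without itself becoming a copy of the sensitive data.

```python
"""Read-access log with per-channel, per-field filtering.

Added example, not SAP's Read Access Logging framework: channel names,
field modes and sample records are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone

# Constructed logging configuration. Per channel: which fields of a returned
# record count as sensitive, and how much of each is recorded:
#   "value"       the field value itself (only where regulation allows it)
#   "fingerprint" a truncated hash, enough to correlate accesses to one value
#   "exists"      only the fact that the field was displayed
# A channel that is absent or None is not logged at all.
RAL_CONFIG = {
    "WEB_DYNPRO": {"credit_card": "fingerprint", "salary": "exists"},
    "RFC": {"credit_card": "fingerprint", "iban": "fingerprint", "salary": "value"},
    "SAP_GUI": None,
}


def _fingerprint(value):
    """Keep the raw value out of the log while still allowing correlation."""
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()[:12]


def log_read_access(log, channel, user, interface, entity, record, now=None):
    """Record who read what, when and how. Returns the entry, or None if nothing is logged."""
    fields = RAL_CONFIG.get(channel)
    if not fields:
        return None
    logged = {}
    for name, mode in fields.items():
        if name not in record:
            continue
        if mode == "value":
            logged[name] = record[name]
        elif mode == "fingerprint":
            logged[name] = _fingerprint(record[name])
        elif mode == "exists":
            logged[name] = True
    if not logged:
        return None  # no sensitive field in this record: no entry, no noise
    entry = {
        "who": user,
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "how": {"channel": channel, "interface": interface},
        "what": {"entity": entity, "fields": logged},
    }
    log.append(entry)
    return entry


def who_accessed(log, entity, field_name):
    """Evaluation: which users saw a given field of an entity, and over which channel."""
    return sorted({(e["who"], e["how"]["channel"]) for e in log
                   if e["what"]["entity"] == entity and field_name in e["what"]["fields"]})
```

Non-sensitive fields such as the partner's name never reach the log, and a channel that is not configured (here `SAP_GUI`) produces no entry at all, which mirrors the "filters restrict the amount of data logged and also which data is logged" statement above.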

SAP Custom Development - User Interface (UI) Logging

[Figure: SAP GUI for Windows exchanges request and response with the Dynpro Processor in the SAP backend system; the observed data traffic between Dynpro Processor and application logic is written to a temporary log, which an asynchronous call of the log service hands to the permanent log storage in the repository (delivered sample implementation)]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I - Transaction BP (Business Partner) Log Record

[Figure: log record screenshot]

UI Logging: Log Record Example II - Transaction SE16 (Table Viewer) Log Record

[Figure: log record screenshot]

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00 ... 7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00 ... 7.31
Business Warehouse           | No                               | 7.00 ... 7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Figure: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library]

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures - Step by Step

[Figure: SAP client and backend, steps 1 to 4]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming / integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions; hardware support needed

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption - Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to SAP application servers; SNC also secures the communication between application servers]

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Protecting Your SAP Systems

[Figure: four areas shared between SAP and customers: Secure Software Development (SAP), Secure Software Development (customers), Security Services, Security Management; the figure is repeated as a progress marker before each of the following sections]

SAP Product Innovation Lifecycle

[Figure: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations, discussed later:
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely or as self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- The most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 - Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool - short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 - each task available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Protecting Your SAP Systems

(Figure: SAP Customers; Secure Software Development; Security Services; Security Management)

Secure Custom Development - Secure Design

Secure design:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development - Secure Programming

Secure programming - avoid security bugs:
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning - automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 - Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.

(Figure: four testing approaches)
- Manual source code review
- Automated source code analysis
- Automated application vulnerability scanning
- Manual application penetration testing

DAST finds vulnerabilities in the running application; SAST finds vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Figure: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources)

- SAP NetWeaver Application Server add-on for code vulnerability analysis
- Finding security issues at design time is easier and less expensive

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal Newsletter, Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications (sent out for very important security-related news)

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com. Please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- Spotlight news
- A check of the security notes released on the Security Patch Days
- Subscription to the SAP Support Portal newsletter
- Maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
- SAP System Administration - User and Security
- SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional - Security with SAP NetWeaver 7.0

The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance. Booking code: P_ADM_SEC_70

Topic / Course ID:
- Authorizations AS ABAP: ADM940
- Authorizations AS Java, Portal: ADM200, EP200, ADM800
- Authorizations BW: BW365
- SAP NetWeaver Identity Management: ADM920
- Security Auditing: ADM950
- Technical Security (RFC, SSL, SNC, ...): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Allows comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 - SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 - Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

(Figure: Compliance and Governance - SAP GRC Access Control; Identity Management - SAP NetWeaver Identity Management; Authentication and Single Sign-On - SAP NetWeaver Single Sign-On)

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store

Advanced SNC encryption: strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On (SAP NetWeaver)

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On:
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption:
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components (SAP NetWeaver)

Web Access Management (Partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization for web applications; XACML-based and policy-enforced access

Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on

Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA (CA SiteMinder):
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Figure: primary authentication of user jack_jones; the E-SSO monitor and local management console supply credentials to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application)

Secure Login - Solution Architecture

(Figure: client system with SAP frontend (NWBC, SAP GUI), Secure Login Client, web browser with SLWC applet and key store; SAP backend systems with ABAP stack and Secure Login Library; NetWeaver CE 7.2 with Java stack, Secure Login Server, PSE Service and config data; authentication server, e.g. SAP User Management; SAP or Java Crypto Library; connections over DIAG/SNC and HTTP(S))

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

(Figure: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM and SCM, connected via the cloud)

Identity Federation - Solution

(Figure: Company A / Datacenter A and Company B / Datacenter B, each with ERP, CRM and SCM behind a Service Provider (SP) and its own Identity Provider; identity federation between the two Identity Providers)

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On

(Figure: an SAP NetWeaver Java Identity Provider with a user account; Service Providers with their own user accounts on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems; log on / log off and SAML token flows between them)

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
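The redirect-and-assert flow described above, as an added example that is not part of the original deck and not SAP's implementation. It models the exchange with a simplified signed token instead of real SAML XML, and uses an HMAC key shared between the Identity Provider and its Service Providers as a stand-in for the IdP's XML signature certificate; the hostnames, the user store, the session id and the clock values are constructed:

```python
"""Browser SSO with one Identity Provider and several Service Providers (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class IdentityProvider:
    """Holds the single logon session and issues signed assertions per Service Provider."""

    def __init__(self, name: str, signing_key: bytes, users: Dict[str, str]) -> None:
        self.name = name
        self._key = signing_key            # stand-in for the IdP signing certificate
        self._users = {u: self._hash(u, p) for u, p in users.items()}  # constructed user store
        self._sessions: Dict[str, str] = {}  # browser session id -> authenticated user

    @staticmethod
    def _hash(user: str, password: str) -> str:
        return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

    def logon(self, session_id: str, user: str, password: str) -> bool:
        stored = self._users.get(user)
        if stored is None or not hmac.compare_digest(stored, self._hash(user, password)):
            return False
        self._sessions[session_id] = user
        return True

    def issue_assertion(self, session_id: str, audience: str, now: int, ttl: int = 300) -> Optional[str]:
        """Signed assertion for `audience`, or None when the browser has no IdP session."""
        user = self._sessions.get(session_id)
        if user is None:
            return None  # the SP would now redirect the browser to the IdP logon page
        claims = {"iss": self.name, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """Trusts one IdP; accepts a user only if the assertion is signed, addressed to it and fresh."""

    def __init__(self, name: str, idp_name: str, trust_key: bytes) -> None:
        self.name, self._idp, self._key = name, idp_name, trust_key

    def accept(self, assertion: Optional[str], now: int) -> Optional[str]:
        if not assertion or "." not in assertion:
            return None
        body, sig = assertion.rsplit(".", 1)
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered assertion
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self._idp or claims.get("aud") != self.name:
            return None  # wrong issuer, or an assertion meant for another SP
        if not claims.get("iat", 0) <= now < claims.get("exp", 0):
            return None  # expired or not yet valid
        return claims["sub"]


def browser_sso_demo() -> Dict[str, Optional[str]]:
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("idp.example", key, {"jack_jones": "correct horse"})
    erp = ServiceProvider("erp.example", "idp.example", key)
    crm = ServiceProvider("crm.example", "idp.example", key)
    t0 = 1_700_000_000
    results: Dict[str, Optional[str]] = {}
    # Unauthenticated browser: no assertion can be issued, the SP sends the user to the IdP.
    results["before_logon"] = erp.accept(idp.issue_assertion("sess-1", erp.name, t0), t0)
    # One logon at the IdP, then access to both SPs without re-authentication.
    results["logon"] = "ok" if idp.logon("sess-1", "jack_jones", "correct horse") else None
    erp_token = idp.issue_assertion("sess-1", erp.name, t0)
    crm_token = idp.issue_assertion("sess-1", crm.name, t0)
    results["erp"] = erp.accept(erp_token, t0)
    results["crm"] = crm.accept(crm_token, t0)
    # The ERP assertion is refused by CRM: audience restriction.
    results["erp_token_at_crm"] = crm.accept(erp_token, t0)
    # An assertion past its validity window is refused even though the IdP session still exists.
    results["erp_expired"] = erp.accept(erp_token, t0 + 600)
    # A modified subject no longer matches the signature.
    body, sig = erp_token.rsplit(".", 1)
    forged = _b64(_unb64(body).replace(b"jack_jones", b"admin_user")) + "." + sig
    results["erp_forged"] = erp.accept(forged, t0)
    return results


if __name__ == "__main__":
    for step, outcome in browser_sso_demo().items():
        print(f"{step}: {outcome}")
```

The point to take from it is on the Service Provider side: every SP checks signature, issuer, audience and validity window before trusting the subject, which is what makes "authenticate once, access all systems" safe to offer.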

SAP NetWeaver Identity Management

Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)

Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Figure: SAP NetWeaver Identity Management with a central identity store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite)

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Figure: Identity Center with its IC database (MS SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), Java and VB runtimes, DSE, dispatcher and event agent; Virtual Directory Server (VDS) in a Java VM in front of external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, app-specific); AS Java with Web Dynpro user interface, ID Mgmt UI abstraction, JMX and HTTPS; MMC Management Console, soon to be Eclipse)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 - Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Figure, built up over several slides: the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control, with steps 1 to 6)

1. The user requests a role, privileges, a user account, ...
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The request is sent for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. Provisioning to business applications, non-SAP systems, ..., and an approval mail is sent to the user

Result: compliant identity management
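The six-step request workflow above, as an added example in Python; it is not SAP NetWeaver Identity Management or SAP GRC Access Control code. The role names, the two segregation-of-duties (SoD) rules, the mitigating control, the approver and the target systems are constructed for the example:

```python
"""Access request workflow with approval, SoD risk analysis and gated provisioning (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed SoD rule set: role pairs that one user must not hold together.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "P2P-01": frozenset({"Z_VENDOR_MAINT", "Z_PAYMENT_RUN"}),      # create vendor + pay vendor
    "O2C-03": frozenset({"Z_SALES_ORDER", "Z_CREDIT_RELEASE"}),    # create order + release credit
}


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    status: str = "REQUESTED"   # REQUESTED -> APPROVED -> ANALYZED -> PROVISIONED, or REJECTED
    risks: List[str] = field(default_factory=list)
    mitigations: Dict[str, str] = field(default_factory=dict)   # risk id -> mitigating control
    audit: List[str] = field(default_factory=list)


def _transition(req: AccessRequest, expected: str, new: str, note: str) -> None:
    if req.status != expected:
        raise ValueError(f"{note}: request is {req.status}, expected {expected}")
    req.status = new
    req.audit.append(f"{expected}->{new}: {note}")


def approve(req: AccessRequest, approver: str, granted: bool) -> AccessRequest:
    """Steps 2-3: approval by manager, delegate or role owner; never by the requester."""
    if approver == req.user:
        raise ValueError("self-approval is not allowed")
    _transition(req, "REQUESTED", "APPROVED" if granted else "REJECTED", f"approval by {approver}")
    return req


def analyze_risk(req: AccessRequest, existing_roles: Set[str]) -> List[str]:
    """Step 4: simulate the user's future role set and report every violated SoD rule."""
    _transition(req, "APPROVED", "ANALYZED", "risk analysis")
    future = existing_roles | req.roles
    req.risks = [rid for rid, pair in SOD_RULES.items() if pair <= future]
    return req.risks


def remediate(req: AccessRequest, action: str, detail: Optional[str] = None) -> AccessRequest:
    """Step 5: the compliance team rejects, mitigates (naming a control) or modifies the request."""
    if req.status != "ANALYZED":
        raise ValueError("nothing to remediate")
    if action == "reject":
        req.status = "REJECTED"
    elif action == "mitigate":
        for rid in req.risks:
            req.mitigations[rid] = detail or "unnamed control"
    elif action == "modify":
        # Drop the named role and return to the approved state so the analysis is re-run.
        req.roles.discard(detail)
        req.status = "APPROVED"
    else:
        raise ValueError(f"unknown action {action}")
    req.audit.append(f"remediation: {action} {detail or ''}".strip())
    return req


def provision(req: AccessRequest, systems: List[str]) -> Dict[str, Set[str]]:
    """Step 6: push roles to the target systems only when no unmitigated risk remains."""
    if req.status != "ANALYZED":
        raise ValueError(f"cannot provision a {req.status} request")
    open_risks = [r for r in req.risks if r not in req.mitigations]
    if open_risks:
        raise ValueError(f"unmitigated SoD risks: {open_risks}")
    req.status = "PROVISIONED"
    req.audit.append(f"provisioned {sorted(req.roles)} to {systems}")
    return {s: set(req.roles) for s in systems}


def demo() -> Dict[str, object]:
    systems = ["ERP", "CRM"]
    existing: Dict[str, Set[str]] = {"jack_jones": {"Z_VENDOR_MAINT"}}   # constructed current roles
    out: Dict[str, object] = {}
    # Request 1: no SoD conflict, goes straight through to provisioning.
    r1 = AccessRequest("jack_jones", {"Z_SALES_ORDER"})
    approve(r1, "line_manager", True)
    out["risks1"] = analyze_risk(r1, existing["jack_jones"])
    out["grants1"] = provision(r1, systems)
    existing["jack_jones"] |= r1.roles
    # Request 2: would combine vendor maintenance with the payment run -> P2P-01 hit.
    r2 = AccessRequest("jack_jones", {"Z_PAYMENT_RUN"})
    approve(r2, "line_manager", True)
    out["risks2"] = analyze_risk(r2, existing["jack_jones"])
    try:
        provision(r2, systems)
    except ValueError as err:
        out["blocked"] = str(err)
    remediate(r2, "mitigate", "CTRL-17 monthly payment review")
    out["grants2"] = provision(r2, systems)
    out["status2"] = r2.status
    # A requester cannot approve their own request.
    try:
        approve(AccessRequest("jack_jones", {"Z_CREDIT_RELEASE"}), "jack_jones", True)
    except ValueError as err:
        out["self_approval"] = str(err)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design choices carry the compliance point: the risk analysis runs on the user's future role set (existing plus requested), not on the request alone, and provisioning refuses to run while any detected risk lacks a recorded mitigating control.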

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 - Architecture

(Figure: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A); SAP ERP (4.6C - 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; optional SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP); front-end client with SAP GUI 7.10, web browser and Adobe Flash Player; connections via http, web services, RFC and DIAG)

SAP CR Adapter: SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports

Content Lifecycle Management (CLM): SAP GRC 10.0

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

(Figure: an HR application reports a new hire or a position change; Identity Management calculates entitlements based on the position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs a compliance check and remediation; users are created and roles or privileges assigned across a heterogeneous landscape)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement - Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Figure: the SAP Attack Monitoring Infrastructure, with attack pattern updates by SAP, collects logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend and mobile frontend logs, logs of infrastructure and logs of database; processing stages: connectivity, extraction, filtering, normalization, aggregation; further elements: logs, network IDS, API to other SIEM tools, alerts from SAP SolMan, information back channel to SAP)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary - Key Take-Aways

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions, identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web:
- SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops:
- Access hands-on workshops post-event
- Available January - March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online:
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 30: SIS100 - Overview About Product Security, IDM and SSO

On-Premise Authentication via IdP Proxying: Integrating the Customer's On-Premise IdP and 3rd Party Applications with SAP ID Service

Simple trust configuration (OP/OD) instead of point-to-point connections

(Figure: in the customer on-premise network, the user authenticates at the on-premise IdP (X.509); in the SAP on-demand network, the SAP ID Service relays this via SAML to SAP Business ByDesign, SAP HANA Cloud and a 3rd party app, and can also accept a social IdP)

OnDemand and OnPremise Integration: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.

(Figure: OnDemand integration, OnPremise integration, OnDevice integration)

Secure Communication and Interaction: OnDemand Solutions

(Figure: Company A and Company B, each with a backend network (R/3 application server farm, ERP, DIR) and an on-demand tenant; each company's Identity Provider is linked to the on-demand solutions; SAML and SAP Logon Tickets are the credential types shown)

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Figure: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java)

Logging and Monitoring - AS ABAP Tools Overview

Audit Information System: used to ensure secure and compliant operation of business functions. Target audience: auditor.

Read Access Log: used to ensure compliant access to sensitive or classified data; tracks who accessed which data, when, and via which interface. Target audience: data protection officer.

Security Audit Log: monitoring of security-relevant events in the system, such as logons, access control violations and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure: SAP environment - audit planning, work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents), data export (account balances, line items) via an export interface; non-SAP environment - work paper preparation, reporting software, analysis software (ACL, IDEA, ...) over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...)

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- User interfaces used to access the data
- Operations executed on remote APIs
- Users using the remote APIs or user interfaces
- Entities and their content

Session SIS104 - Finding the Leak - Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, web service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Figure: ABAP server with application, Web Dynpro and the read access log)

Read Access Logging Framework Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
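The channel-based filtering described here and in the Read Access Logging Features slide above, as an added example that is not SAP's framework code. The channel names, the entity, its fields, the users and the sample record are constructed; the masking rule illustrates keeping full card numbers out of the log, which the legal-regulations slide later in this section names as data that may not be recorded:

```python
"""Read-access log with per-channel field selection, masking and user exclusion (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class LogConfig:
    """What to record when `entity` is shown through `channel`."""
    channel: str
    entity: str
    log_fields: FrozenSet[str]                        # fields whose access is recorded
    mask_fields: FrozenSet[str] = frozenset()         # recorded, but with the value masked
    exclude_users: FrozenSet[str] = frozenset()       # e.g. technical users not to be logged


@dataclass(frozen=True)
class LogEntry:
    timestamp: int
    user: str
    channel: str
    entity: str
    field: str
    value: str


def mask(value: str) -> str:
    """Keep only the last four characters so the log never holds a full card or account number."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class ReadAccessLog:
    def __init__(self, configs: List[LogConfig]) -> None:
        self._cfg = {(c.channel, c.entity): c for c in configs}
        self.entries: List[LogEntry] = []

    def record(self, now: int, user: str, channel: str, entity: str, data: Dict[str, str]) -> int:
        """Called when `data` of `entity` is presented to `user` via `channel`; returns entries written."""
        cfg = self._cfg.get((channel, entity))
        if cfg is None or user in cfg.exclude_users:
            return 0   # channel not configured, or user filtered out: nothing is logged
        written = 0
        for field_name, value in data.items():
            if field_name not in cfg.log_fields:
                continue   # field not classified as sensitive for this channel
            logged = mask(value) if field_name in cfg.mask_fields else value
            self.entries.append(LogEntry(now, user, channel, entity, field_name, logged))
            written += 1
        return written

    def who_accessed(self, entity: str, field_name: str) -> List[Tuple[str, str, int]]:
        """Answer the data protection officer's question: who saw this field, via which channel, when."""
        return sorted({(e.user, e.channel, e.timestamp)
                       for e in self.entries if e.entity == entity and e.field == field_name})


def demo() -> Tuple[ReadAccessLog, Tuple[int, int, int, int]]:
    ral = ReadAccessLog([
        LogConfig("SAPGUI", "BusinessPartner", frozenset({"name", "credit_card"}),
                  mask_fields=frozenset({"credit_card"})),
        LogConfig("RFC", "BusinessPartner", frozenset({"credit_card"}),
                  mask_fields=frozenset({"credit_card"}), exclude_users=frozenset({"BATCH_USER"})),
    ])
    # Constructed business partner record as an application would display it.
    bp = {"name": "Jack Jones", "credit_card": "4111111111111111", "notes": "prefers email"}
    n1 = ral.record(1000, "auditor1", "SAPGUI", "BusinessPartner", bp)      # name + masked card
    n2 = ral.record(1001, "BATCH_USER", "RFC", "BusinessPartner", bp)       # excluded user
    n3 = ral.record(1002, "ext_system", "RFC", "BusinessPartner", bp)       # masked card only
    n4 = ral.record(1003, "auditor1", "WEBDYNPRO", "BusinessPartner", bp)   # channel not configured
    return ral, (n1, n2, n3, n4)


if __name__ == "__main__":
    log, counts = demo()
    print("entries written per access:", counts)
    for who in log.who_accessed("BusinessPartner", "credit_card"):
        print("credit_card accessed by", who)
```

The filter runs before anything is written, which is the point of the slide: the log holds enough to answer who, what, when and via which channel, but not the free-text notes and not the full card number.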

SAP Custom Development - User Interface (UI) Logging

(Figure: SAP GUI for Windows sends requests to the Dynpro processor of the SAP backend system and receives responses; the observed data traffic between the Dynpro processor and the application logic is written to a temporary log and, via an asynchronous call of the log service, to permanent log storage in the repository; a sample implementation is delivered)

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

(Screenshot: Transaction BP (Business Partner) log record)

UI Logging: Log Record Example II

(Screenshot: Transaction SE16 (Table Viewer) log record)

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query

For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

• Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
• The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
----------------------------|----------------------------------|--------------------
SAP GUI                     | No                               | 7.00…7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00…7.31
Business Warehouse          | No                               | 7.00…7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request


Read Access Logging – Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
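The two constraints above (record only the fields that are logging-relevant, and keep such records only for a stated purpose and a limited time) are easy to violate if a read-access log stores raw values indefinitely. The following added example, which is not SAP's Read Access Logging framework or any SAP code, sketches the configuration-driven shape such a log needs: per channel and field, a rule decides whether the value is stored in full, masked, or not at all, and which retention period applies; a purge routine enforces that period. Channel names ("WEBDYNPRO", "RFC"), field names and purposes are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed configuration for this demo: which fields are logging-relevant,
# whether the read value may be stored ("full"), only masked ("masked") or
# not at all ("none"), the purpose the record serves and its retention period.
@dataclass(frozen=True)
class FieldRule:
    channel: str          # hypothetical channel name, e.g. "WEBDYNPRO" or "RFC"
    field_name: str       # sensitive field whose read access must be logged
    value_mode: str       # "none" | "masked" | "full"
    purpose: str          # legal purpose the log serves
    retention_days: int   # how long a record may be kept for that purpose

@dataclass
class AccessRecord:
    timestamp: datetime
    user: str
    channel: str
    field_name: str
    purpose: str
    value: Optional[str]  # None when only the fact of access is recorded

def mask(value: str) -> str:
    """Keep the last four characters, replace everything else with '*'."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

class ReadAccessLog:
    def __init__(self, rules):
        self._rules = {(r.channel, r.field_name): r for r in rules}
        self.records = []

    def record_read(self, user, channel, data, now):
        """Write one record per configured field present in 'data'; returns the count."""
        written = 0
        for name, raw in data.items():
            rule = self._rules.get((channel, name))
            if rule is None:
                continue                       # not logging-relevant: nothing is stored
            value = str(raw)
            if rule.value_mode == "none":
                stored = None
            elif rule.value_mode == "masked":
                stored = mask(value)
            else:
                stored = value
            self.records.append(AccessRecord(now, user, channel, name, rule.purpose, stored))
            written += 1
        return written

    def purge_expired(self, now):
        """Delete records older than the retention period of their rule; returns the count."""
        kept, removed = [], 0
        for rec in self.records:
            rule = self._rules[(rec.channel, rec.field_name)]
            if now - rec.timestamp > timedelta(days=rule.retention_days):
                removed += 1
            else:
                kept.append(rec)
        self.records = kept
        return removed

# Constructed rules and sample reads; field and channel names are illustrative.
RULES = [
    FieldRule("WEBDYNPRO", "CARD_NUMBER", "none", "fraud-investigation", 90),
    FieldRule("WEBDYNPRO", "IBAN", "masked", "audit", 365),
    FieldRule("RFC", "SALARY", "full", "payroll-audit", 30),
]

def demo():
    log = ReadAccessLog(RULES)
    t0 = datetime(2013, 10, 1, tzinfo=timezone.utc)
    n_web = log.record_read("jack_jones", "WEBDYNPRO",
                            {"CARD_NUMBER": "4111111111111111",
                             "IBAN": "DE89370400440532013000",
                             "NAME": "Doe"}, t0)                    # NAME is not configured
    n_rfc = log.record_read("jack_jones", "RFC", {"SALARY": 5000}, t0 + timedelta(days=1))
    stored_values = [r.value for r in log.records]
    removed = log.purge_expired(t0 + timedelta(days=40))          # SALARY record expires
    return n_web, n_rfc, stored_values, removed, len(log.records)

if __name__ == "__main__":
    print(demo())
```

The card number never reaches the log (only the fact that it was displayed), the IBAN is masked, and the salary record, tied to a 30-day purpose, is the only one the purge removes after 40 days.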

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures Via SSF API and Secure Login Library

[Figure: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver call the Secure Store and Forward (SSF) library, which is backed by SAP CRYPTOLIB or the Secure Login Library.]

• Digital signatures for legally binding contracts
• Integration with Secure Store and Forward (SSF) API
• Out of the box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption


Digital Signatures – Step By Step

Flow between SAP client and application:
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
  – Hardware support needed


SNC Client Encryption – Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

• Included in SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application server; traffic between SAP application servers is likewise protected by SNC.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

[Overview figure with two columns, SAP and Customers: SAP contributes Secure Software Development and Security Services; customers contribute Secure Software Development and Security Management. The figure is repeated before each of the following sub-sections to mark the current topic.]


SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

• SAP Security Patch Day
  – SAP security notes: second Tuesday every month
• SAP Active Global Support security tools and services
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
• SAP security consulting services


SAP Security Services Overview (2/2)

• SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
• SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press


SAP Security Management for Your Systems – Are You Ready?

• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration SAP NetWeaver AS ABAP

Topics from the SAP security recommendations (discussed later):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling


Patch Management and Security Monitoring

• Check security of your systems as onsite, remote or self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
  – Most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
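"Verify configuration parameters against targets" is the core of configuration validation, whether Solution Manager does it for a whole landscape or an administrator checks one profile. The following added example, which is not SAP's Configuration Validation or any SAP code, shows the mechanics on a constructed profile excerpt: parse the `parameter = value` lines, compare each parameter with a target and an operator, and report deviations. The parameter names are real AS ABAP profile parameters that cover the password-management and gateway topics of the previous slide; the target values are assumed for this demo and must be taken from the SAP security recommendations for your release, and a parameter absent from the profile is reported as MISSING because the kernel default then applies.

```python
import operator

# Constructed instance profile excerpt (profile syntax "parameter = value"); not from a real system.
SAMPLE_PROFILE = """\
# constructed profile excerpt for the demo
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
gw/acl_mode = 1
"""

# Target values are example targets assumed for this demo; take the real ones
# from the SAP security recommendations and security guides for your release.
TARGETS = [
    ("login/min_password_lng", ">=", 8),
    ("login/password_downwards_compatibility", "==", 0),
    ("login/no_automatic_user_sapstar", "==", 1),
    ("login/fails_to_user_lock", "<=", 5),
    ("gw/acl_mode", "==", 1),
    ("snc/enable", "==", 1),
]

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment, blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params

def validate(params, targets):
    """Compare each target with the profile; returns (name, actual, expected, status) tuples.

    A parameter absent from the profile runs with the kernel default, so it is
    reported as MISSING and must be reviewed rather than silently assumed to be fine.
    """
    findings = []
    for name, op, expected in targets:
        actual = params.get(name)
        expectation = f"{op} {expected}"
        if actual is None:
            findings.append((name, None, expectation, "MISSING"))
            continue
        try:
            ok = OPS[op](int(actual), expected)
        except ValueError:          # non-numeric value where a number is expected
            ok = False
        findings.append((name, actual, expectation, "OK" if ok else "DEVIATION"))
    return findings

def deviations(findings):
    """Names of all parameters that are not OK, in target order."""
    return [name for name, _, _, status in findings if status != "OK"]

if __name__ == "__main__":
    for finding in validate(parse_profile(SAMPLE_PROFILE), TARGETS):
        print("%-40s actual=%-5s expected=%-6s %s" % finding)
```

On the constructed profile the check flags the short minimum password length, the downward-compatible password hashes (which keep weak hash formats alive) and the missing SNC setting, while the SAP* handling and the gateway ACL mode pass.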


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
• For more information see SAP Note 1532674


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
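"Analyze the data flow and the user input" is what distinguishes a code vulnerability check from a style check: the tool tracks values from a source (user input) through assignments and expressions to a sink (a dynamic database statement, a file path) and reports the path unless a sanitizer intervened. The following added example, which is not the SAP add-on or any SAP code and works on Python rather than ABAP source, implements that taint-tracking idea over a syntax tree so the mechanism is visible. The source, sink and sanitizer sets are assumptions chosen for the constructed program under analysis; the two findings correspond to the SQL injection and directory traversal bug classes on the previous slide.

```python
import ast

# Constructed program under analysis (kept as a string so the demo is self-contained).
# The shape mirrors the ABAP bug classes on the slide: user input reaching a dynamic
# database statement (SQL injection) or a file path (directory traversal).
SAMPLE_SOURCE = '''
def lookup(request, db):
    customer = request.args["id"]                                    # source: user input
    name = customer.strip()                                          # taint propagates
    safe_id = int(customer)                                          # sanitizer: taint removed
    db.execute("SELECT * FROM kna1 WHERE kunnr = '" + name + "'")    # sink reached by tainted data
    db.execute("SELECT * FROM kna1 WHERE kunnr = %s", (safe_id,))    # sink with clean data
    open("/srv/files/" + customer).read()                            # sink reached by tainted data
'''

SOURCES = {"request.args"}     # assumed: dotted names that deliver user input
SINKS = {"execute", "open"}    # assumed: callees whose arguments must be clean
SANITIZERS = {"int"}           # assumed: calls whose result is considered clean

def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently carrying user input
        self.findings = []     # (line number, sink name)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return dotted(node) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):                       # string concatenation etc.
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.Tuple, ast.List)):
            return any(self.is_tainted(e) for e in node.elts)
        if isinstance(node, ast.Call):
            if dotted(node.func) in SANITIZERS:
                return False
            receiver = node.func.value if isinstance(node.func, ast.Attribute) else None
            return (receiver is not None and self.is_tainted(receiver)) or \
                   any(self.is_tainted(a) for a in node.args)
        return False                                          # constants and everything else

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = (dotted(node.func) or "").split(".")[-1]
        if callee in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, callee))
        self.generic_visit(node)

def analyze(source):
    """Return (line, sink) pairs where user input reaches a sink without sanitizing."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE_SOURCE):
        print(f"line {line}: user input reaches {sink}()")
```

The analyzer is deliberately flow-insensitive (a name once tainted stays tainted within the unit); a production tool like the add-on also handles branches, loops, calls across units and exemptions, which is why the ATC integration and exemption handling on the slide matter.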


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Approaches: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Approaches: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources – SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

• You have found a security vulnerability in an SAP product. What to do? Open a customer message.
• How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
• You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
  – spotlight news
  – check of the security notes released on the Security Patch Days
  – subscription to the SAP support portal newsletter
  – maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
  – Booking code: P_ADM_SEC_70

Topic                                  | Course ID
---------------------------------------|----------------------
Authorizations AS ABAP                 | ADM940
Authorizations AS Java, Portal         | ADM200, EP200, ADM800
Authorizations BW                      | BW365
SAP NetWeaver Identity Management      | ADM920
Security Auditing                      | ADM950
Technical Security (RFC, SSL, SNC, …)  | ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

• Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
• Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
• Advanced SNC encryption: strong encryption of communication
• Enterprise Single Sign-On for legacy systems
• Support of additional authentication methods: smart cards, Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center, Virtual Directory Server, Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures, re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• No single sign-on


SAP NetWeaver Single Sign-On and Solution Components

• Web Access Management (Partner, API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross company/domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standard-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
• SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross application and cross domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User to application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

[Figure: after the primary authentication of user jack_jones, the E-SSO monitor on the client fills in the logons of terminal emulators, web forms, web basic authentication, Windows applications and Java applications; it is administered through a Local Management Console.]


Secure Login – Solution Architecture

[Figure: on the client system, the SAP frontend (NWBC, SAP GUI) with the Secure Login Client, or a web browser with the Secure Login Web Client (SLWC applet) and its key store, uses the SAP or Java Crypto Library. The SAP backend system's ABAP stack embeds the Secure Login Library and is reached via DIAG/SNC and HTTP(S). The Secure Login Server (NetWeaver CE 7.2, Java stack, with config data and PSE service) authenticates users against an authentication server (e.g. SAP User Management).]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Figure: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), together with the cloud, share one business process across separate infrastructures.]


Identity Federation – Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider; their ERP, CRM and SCM systems act as Service Providers (SP), linked through identity federation.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

[Figure: an Identity Provider on SAP NetWeaver Java holds the user account; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems hold their own user accounts. The browser logs on and off at the Identity Provider and presents a SAML token to each Service Provider.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
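The redirect-authenticate-return flow above only gives "all systems without re-authentication" safely if every Service Provider checks the token it receives rather than just parsing the user name out of it. The following added example, which is not SAP's Identity Provider or Service Provider code and is written for this page, plays both sides of the browser flow in one process: the SP issues an authentication request, the IdP authenticates the user once and returns a SAML-2.0-style assertion, and the SP validates signature, issuer, validity window, audience, InResponseTo binding and replay before creating a local session. Entity IDs, the user store and the shared secret are constructed; an HMAC stands in for the XML-DSig signature a real assertion carries, so the message structure, not the signature scheme, is what the example demonstrates.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed trust configuration, assumed to be exchanged out of band (SAML metadata).
IDP_ENTITY_ID = "https://idp.example.com/saml2/idp"
SP_ENTITY_ID = "https://erp.example.com/saml2/sp"
SHARED_SECRET = b"demo-only-signing-secret"  # stands in for the IdP signing key / SP-trusted certificate
ASSERTION_LIFETIME = timedelta(minutes=5)

def sign(payload: bytes) -> str:
    """HMAC-SHA256 stands in for the XML-DSig signature real SAML assertions carry."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()

class ServiceProvider:
    """The system the browser wants to reach; it trusts the IdP, never sees the password."""
    def __init__(self, now):
        self.now = now
        self.outstanding = set()       # AuthnRequest IDs issued and not yet answered
        self.seen_assertions = set()   # assertion IDs already consumed (replay protection)
        self.sessions = {}

    def start_login(self):
        """Step 1: unauthenticated access; the SP redirects the browser to the IdP with an AuthnRequest."""
        request_id = "_" + secrets.token_hex(8)
        self.outstanding.add(request_id)
        return {"ID": request_id, "Issuer": SP_ENTITY_ID}

    def consume_response(self, assertion_xml, signature):
        """Step 3: validate the assertion posted back by the browser; returns (ok, reason, user)."""
        if not hmac.compare_digest(sign(assertion_xml), signature):
            return False, "bad signature", None
        root = ET.fromstring(assertion_xml)
        if root.findtext("Issuer") != IDP_ENTITY_ID:
            return False, "untrusted issuer", None
        cond = root.find("Conditions")
        not_before = datetime.fromisoformat(cond.get("NotBefore"))
        not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
        if not (not_before <= self.now < not_on_or_after):
            return False, "outside validity window", None
        if cond.findtext("AudienceRestriction/Audience") != SP_ENTITY_ID:
            return False, "wrong audience", None
        in_response_to = root.find("Subject/SubjectConfirmationData").get("InResponseTo")
        if in_response_to not in self.outstanding:
            return False, "unsolicited or replayed response", None
        if root.get("ID") in self.seen_assertions:
            return False, "assertion replayed", None
        self.outstanding.discard(in_response_to)
        self.seen_assertions.add(root.get("ID"))
        user = root.findtext("Subject/NameID")
        self.sessions[user] = True      # local session; no re-authentication at this SP
        return True, "ok", user

class IdentityProvider:
    """Authenticates the user once and vouches for the identity towards every SP."""
    def __init__(self, now, accounts):
        self.now = now
        self.accounts = accounts       # constructed user store: name -> password

    def authenticate_and_issue(self, authn_request, user, password):
        """Step 2: check credentials, then issue a signed assertion bound to this request and SP."""
        if not hmac.compare_digest(self.accounts.get(user, ""), password):
            return None
        root = ET.Element("Assertion", ID="_" + secrets.token_hex(8))
        ET.SubElement(root, "Issuer").text = IDP_ENTITY_ID
        subject = ET.SubElement(root, "Subject")
        ET.SubElement(subject, "NameID").text = user
        ET.SubElement(subject, "SubjectConfirmationData", InResponseTo=authn_request["ID"])
        cond = ET.SubElement(root, "Conditions",
                             NotBefore=self.now.isoformat(),
                             NotOnOrAfter=(self.now + ASSERTION_LIFETIME).isoformat())
        audience = ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience")
        audience.text = authn_request["Issuer"]
        xml = ET.tostring(root)
        return xml, sign(xml)

def demo():
    now = datetime(2013, 10, 22, 9, 0, tzinfo=timezone.utc)
    idp = IdentityProvider(now, {"jack_jones": "demo-password"})
    sp = ServiceProvider(now)
    request = sp.start_login()
    assertion, signature = idp.authenticate_and_issue(request, "jack_jones", "demo-password")
    first = sp.consume_response(assertion, signature)                     # accepted
    replay = sp.consume_response(assertion, signature)                    # same assertion again
    tampered = sp.consume_response(assertion.replace(b"jack_jones", b"admin"), signature)
    return first, replay, tampered

if __name__ == "__main__":
    print(demo())
```

The second `consume_response` fails on the InResponseTo check because the SP already consumed that request, and the edited assertion fails on the signature: each check closes one way an attacker could present a token to an SP that never asked for it.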

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2 Mobility: REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management

[Figure: an HR event (e.g. on-boarding) feeds SAP NetWeaver Identity Management with its Central Identity Store; compliance checks run through SAP Access Control (GRC); SAP Business Suite integration on the target side.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC


Architecture of SAP NetWeaver Identity Management 7.2

[Figure: the Identity Center (IC) database (MS-SQL or Oracle DB, soon IBM DB2) holds stored procedures, logs, audit data and the identity store (IdS). The Java and VB runtimes, the Dispatcher, the Event Agent (which starts runtimes) and the DSE connect to external repositories and applications (LDAP, Java, ABAP, web services, Active Directory, SAP HR, SiteMinder, app-specific connectors). The Virtual Directory Server (VDS, Java VM, LDAP) and AS Java with Web Dynpro provide the identity management UI abstraction; administration via JMX and the MMC Management Console (soon to be Eclipse); HTTPS between the components.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

The access request flows between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control in six steps:

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
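The six steps form one workflow whose security property is that nothing is provisioned before approval and risk analysis have run and every open risk has been rejected or mitigated. The following added example, which is not SAP NetWeaver Identity Management or SAP GRC Access Control code, models that workflow as a state machine with a small segregation-of-duties rule set: the role catalogue, the conflicting function pairs, the risk IDs and the mitigating control are all constructed for the demo. Risk analysis covers the user's existing roles together with the requested ones, because an SoD conflict typically arises between a new role and one the user already holds.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: which business functions each business role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "post_invoice"},
    "AP_PAYMENT": {"release_payment"},
    "SALES_REP": {"create_order"},
}

# Constructed SoD rule set: function pairs one person must not hold together, with a risk ID.
SOD_RULES = {
    frozenset({"create_vendor", "release_payment"}): "VENDOR_PAYMENT",
    frozenset({"post_invoice", "release_payment"}): "INVOICE_PAYMENT",
}

@dataclass
class AccessRequest:
    user: str
    requested_roles: set
    existing_roles: set
    state: str = "REQUESTED"   # REQUESTED -> APPROVED -> ANALYZED -> CLEARED|MITIGATED|REJECTED -> PROVISIONED
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)   # risk ID -> mitigating control
    history: list = field(default_factory=list)

def approve(req, approver):
    """Steps 2 and 3: approval by manager, delegate, role or application owner."""
    if req.state != "REQUESTED":
        raise ValueError(f"cannot approve in state {req.state}")
    req.history.append(("approved", approver))
    req.state = "APPROVED"

def analyze_risks(req):
    """Step 4: SoD analysis over the user's existing roles plus the requested ones."""
    if req.state != "APPROVED":
        raise ValueError(f"cannot analyze in state {req.state}")
    functions = set()
    for role in req.existing_roles | req.requested_roles:
        functions |= ROLE_FUNCTIONS.get(role, set())
    req.risks = sorted(risk for pair, risk in SOD_RULES.items() if pair <= functions)
    req.state = "ANALYZED"
    return req.risks

def remediate(req, decision, control=None):
    """Step 5: reject, approve (risk-free requests only) or mitigate with a named control."""
    if req.state != "ANALYZED":
        raise ValueError(f"cannot remediate in state {req.state}")
    if decision == "reject":
        req.state = "REJECTED"
    elif decision == "approve":
        if req.risks:
            raise ValueError("open SoD risks cannot be approved without mitigation")
        req.state = "CLEARED"
    elif decision == "mitigate":
        if not control:
            raise ValueError("mitigation requires a mitigating control")
        req.mitigations = {risk: control for risk in req.risks}
        req.state = "MITIGATED"
    else:
        raise ValueError(f"unknown decision {decision}")
    req.history.append(("remediation", decision))

def provisioning_allowed(req):
    return req.state in ("CLEARED", "MITIGATED")

def provision(req):
    """Step 6: assignments to push to the target systems; refused unless risks are cleared."""
    if not provisioning_allowed(req):
        raise PermissionError(f"provisioning refused in state {req.state}")
    req.state = "PROVISIONED"
    return sorted((req.user, role) for role in req.requested_roles)

def demo():
    # Case 1: conflicting request, cleared by a mitigating control (constructed control ID).
    r1 = AccessRequest("jack_jones", {"AP_PAYMENT"}, {"AP_CLERK"})
    approve(r1, "manager")
    risks1 = analyze_risks(r1)
    remediate(r1, "mitigate", control="CTRL-042 monthly payment review")
    assignments1 = provision(r1)
    # Case 2: risk-free request goes straight through.
    r2 = AccessRequest("alice", {"SALES_REP"}, set())
    approve(r2, "manager")
    risks2 = analyze_risks(r2)
    remediate(r2, "approve")
    assignments2 = provision(r2)
    return risks1, assignments1, risks2, assignments2

if __name__ == "__main__":
    print(demo())
```

Calling `provision` on a request that is still in ANALYZED state with open risks raises, which is the enforcement point that the "Result: Compliant Identity Management" slide relies on; an accepted risk should be recorded as a mitigation with its control rather than bypassing that gate.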


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.


SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 (AC, PC & RM in software component GRCFND_A) and connects via RFC to SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), and via an adapter to non-SAP business applications. Optional components: SAP NW Portal 7.02 with GRC portal content (http), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP) via web services, and Content Lifecycle Management (CLM). Front-end client: SAP GUI 7.10 (DIAG) or web browser with Adobe Flash Player (http); SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports.]


Compliant Identity Management – Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Figure: the HR application raises a New Hire or Change Position event; Identity Management calculates entitlements based on position; the line manager approves the assignments (Yes/No); SAP GRC Access Control performs the compliance check and remediation; users are then created and roles/privileges assigned across the heterogeneous landscape.]

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver and non-SAP-NetWeaver systems, desktop and mobile frontends, infrastructure, database and network, plus alerts from SAP Solution Manager, through connectivity, extraction, filtering, normalization and aggregation stages; it receives attack pattern updates from SAP, offers an API to other SIEM tools and IDS, and has an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
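The pipeline stages in the draft (extraction, normalization, filtering, aggregation, then matching against attack patterns) are what any central monitoring needs before SAP and non-SAP events can be correlated. The following added example, which is not the planned SAP infrastructure or any SAP code, runs those stages over constructed log lines in three formats and applies one pattern: repeated logon failures for a user from one address followed by a success within a short window. The pipe-separated audit-log layout, the web server lines and the address/user values are invented for the demo; the outcome mapping is the normalization step that lets both sources feed the same rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in three different source formats. The line layouts are
# invented for this demo; only the idea (logon failure/success per user and address)
# matters for the pattern below.
SAMPLE_LOGS = [
    ("sal",   "2013-10-22 09:00:01|AU2|jack_jones|10.1.2.3|Logon failed"),
    ("sal",   "2013-10-22 09:00:03|AU2|jack_jones|10.1.2.3|Logon failed"),
    ("sal",   "2013-10-22 09:00:05|AU2|jack_jones|10.1.2.3|Logon failed"),
    ("sal",   "2013-10-22 09:00:09|AU1|jack_jones|10.1.2.3|Logon successful"),
    ("sal",   "2013-10-22 09:02:00|AU3|jack_jones|10.1.2.3|Transaction SE16 started"),
    ("httpd", '10.1.2.3 - alice [22/Oct/2013:09:01:00 +0000] "GET /sap/bc/gui HTTP/1.1" 401'),
    ("httpd", '10.9.9.9 - alice [22/Oct/2013:09:01:04 +0000] "GET /sap/bc/gui HTTP/1.1" 200'),
    ("gwlog", "this line has no recognisable structure"),
]

HTTPD_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "[^"]*" (\d{3})')

def extract(source, line):
    """Extraction: pull raw fields out of one line of a given source format; None if unparsable."""
    if source == "sal":
        parts = line.split("|")
        if len(parts) != 5:
            return None
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "user": parts[2], "ip": parts[3], "code": parts[1]}
    if source == "httpd":
        m = HTTPD_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return {"ts": ts, "user": m.group(2), "ip": m.group(1), "code": m.group(4)}
    return None

# Normalization: map source-specific codes onto one outcome vocabulary.
OUTCOME = {
    ("sal", "AU1"): "success", ("sal", "AU2"): "fail",
    ("httpd", "200"): "success", ("httpd", "401"): "fail",
}

def normalize(source, raw):
    return {"ts": raw["ts"], "source": source, "user": raw["user"], "ip": raw["ip"],
            "outcome": OUTCOME.get((source, raw["code"]), "other")}

def normalize_all(lines):
    events = []
    for source, line in lines:
        raw = extract(source, line)
        if raw is not None:
            events.append(normalize(source, raw))
    return events

def detect_failed_logons_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Aggregation + pattern: at least 'threshold' failures for one (user, ip) within 'window',
    followed by a success from the same pair inside the window, raise one alert."""
    by_actor = defaultdict(list)
    for e in events:
        if e["outcome"] in ("fail", "success"):          # filtering: logon events only
            by_actor[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), evs in by_actor.items():
        failures = []
        for e in sorted(evs, key=lambda x: x["ts"]):
            failures = [t for t in failures if e["ts"] - t <= window]   # drop stale failures
            if e["outcome"] == "fail":
                failures.append(e["ts"])
            elif len(failures) >= threshold:
                alerts.append({"pattern": "failed-logons-then-success", "user": user,
                               "ip": ip, "failures": len(failures), "at": e["ts"]})
                failures = []
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_logons_then_success(normalize_all(SAMPLE_LOGS)):
        print(alert)
```

Aggregating by (user, address) is a design choice: alice's failed and successful logons come from different addresses and do not match, while jack_jones's three failures and the success from the same address within nine seconds do. A local system sees only its own lines, which is the "limited analysis possibilities" point on the slide.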


Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event
SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• httpsaptechedhandsonsapcom
SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


OnDemand and OnPremise Integration: SAP NetWeaver Identity Management
SAP NetWeaver Identity Management supports integration with OnDemand and OnPremise SAP solutions. The solution offers secure connectivity, authentication and single sign-on as well as compliant user and role management. Integration with software-as-a-service offerings from SAP is also supported.
(Diagram: OnDemand integration, OnPremise integration, OnDevice integration.)


Secure Communication and Interaction: OnDemand Solutions
(Diagram: the backend networks of Company A and Company B, each with R/3 and ERP application server farms and a directory (DIR); each company's OnDemand tenant and Identity Provider exchange SAML with an OnDemand Identity Provider, while backend access uses SAP Logon Tickets.)

SAP NetWeaver Security Solutions: Logging and Monitoring


Monitoring and Auditing in ABAP- and Java-Based SAP Solutions
(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19 and SM20; results of the Log Viewer in Java.)


Logging and Monitoring – AS ABAP Tools Overview
Audit Information System
• Used to ensure secure and compliant operation of business functions
• Target audience: auditor
Read Access Log
• Used to ensure compliant access to sensitive or classified data
• Allows tracking of who accessed which data, when and via which interface
• Target audience: data protection officer
Security Audit Log
• Monitoring of security-relevant events in the system, such as logons, access control violations and more
• Target audience: security administrator
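The kind of evaluation a security administrator runs over Security Audit Log events, as an added example that is not SAP code: it parses constructed, simplified log lines (the pipe-separated layout, the event names LOGON_FAILED, LOGON_OK, TX_START and TX_DENIED, and the thresholds are assumptions of this example, not SAP's event codes or the SM20 layout) and raises findings for bursts of failed logons, a successful logon right after such a burst, and repeated access control violations.

```python
"""Detection logic for Security Audit Log style events (added example, not SAP code).

The line format is a constructed, simplified stand-in for exported audit log
entries: timestamp|client|user|terminal|event|message. Event names and the
thresholds are assumptions for this illustration, not SAP's event codes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failed logons followed by success for JDOE,
# and repeated "transaction start denied" events for ASMITH.
SAMPLE_LOG = """\
2013-11-05T08:00:01|100|JDOE|WS-101|LOGON_FAILED|wrong password
2013-11-05T08:00:09|100|JDOE|WS-101|LOGON_FAILED|wrong password
2013-11-05T08:00:17|100|JDOE|WS-101|LOGON_FAILED|wrong password
2013-11-05T08:00:25|100|JDOE|WS-101|LOGON_FAILED|wrong password
2013-11-05T08:00:33|100|JDOE|WS-101|LOGON_FAILED|wrong password
2013-11-05T08:01:00|100|JDOE|WS-101|LOGON_OK|dialog logon
2013-11-05T08:05:00|100|ASMITH|WS-207|TX_START|SE16
2013-11-05T08:06:12|100|ASMITH|WS-207|TX_DENIED|SM19: missing authorization
2013-11-05T08:07:45|100|ASMITH|WS-207|TX_DENIED|SU01: missing authorization
2013-11-05T09:00:00|100|BKING|WS-310|LOGON_OK|dialog logon
"""

FAILED_LOGON_THRESHOLD = 5                  # assumed: failed logons per user ...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ... within this window raise a finding
DENIED_THRESHOLD = 2                        # assumed: denied transaction starts per user


def parse_log(text):
    """Parse the constructed format into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, event, message = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "user": user, "terminal": terminal,
                       "event": event, "message": message})
    return sorted(events, key=lambda e: e["ts"])


def analyze(text):
    """Return findings: failed-logon bursts, a logon right after a burst,
    and repeated access control violations (denied transaction starts)."""
    findings = []
    recent_failures = defaultdict(list)   # (client, user) -> failure timestamps
    denied = defaultdict(int)             # (client, user) -> denied starts
    for ev in parse_log(text):
        key = (ev["client"], ev["user"])
        if ev["event"] == "LOGON_FAILED":
            window = recent_failures[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.pop(0)             # slide the window forward
            if len(window) == FAILED_LOGON_THRESHOLD:
                findings.append({"kind": "failed_logon_burst", "user": ev["user"],
                                 "terminal": ev["terminal"], "count": len(window),
                                 "at": ev["ts"]})
        elif ev["event"] == "LOGON_OK":
            burst = [t for t in recent_failures[key]
                     if ev["ts"] - t <= FAILED_LOGON_WINDOW]
            if len(burst) >= FAILED_LOGON_THRESHOLD:
                findings.append({"kind": "logon_after_burst", "user": ev["user"],
                                 "terminal": ev["terminal"], "count": len(burst),
                                 "at": ev["ts"]})
            recent_failures[key].clear()  # a success resets the burst counter
        elif ev["event"] == "TX_DENIED":
            denied[key] += 1
            if denied[key] == DENIED_THRESHOLD:
                findings.append({"kind": "repeated_authorization_failure",
                                 "user": ev["user"], "terminal": ev["terminal"],
                                 "count": denied[key], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['at'].isoformat()} {f['kind']:32} user={f['user']} count={f['count']}")
```

The "logon after burst" finding is the one worth routing to a person first: a burst alone is noise from a forgotten password, while a burst that ends in success is the pattern a password-guessing attempt leaves behind.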


Monitoring and Auditing: The SAP Audit Information System (AIS)
(Diagram: audit planning and work program (system audit, business audit); online controls on the SAP database: system information, reconciliation of balance sheet and P&L, account balances, documents; data export of account balances and line items over an export interface to the non-SAP environment, where analysis software (ACL, IDEA, …) and reporting software produce working papers and reports covering line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …)


Monitoring and Auditing: The SAP Audit Information System (AIS)
The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.


Read Access Logging: Features
Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
• Who accessed the data
• Which data was accessed
• When the data was accessed
• How the data access took place: via which transaction or user interface
The amount of detail to be logged is customizable based on:
• user interfaces used to access the data
• operations executed on remote APIs
• users using the remote APIs / user interfaces
• entities and their content
Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data


SAP NetWeaver AS ABAP Read Access Logging Framework
Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.
(Diagram: ABAP server with application, Web Dynpro channel and Read Access Log.)


Read Access Logging Framework: Features
Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
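What the two RAL slides describe (who, what, when, how, with filters on channel, user and entity, and with the logged values themselves reduced so the log holds no private data), as an added example that is not SAP's Read Access Logging code: the configuration structure, the entity and field names, the channel names and the "log/mask/name" modes are assumptions of this example standing in for the real RAL customizing.

```python
"""Read access logging with per-entity filters (added example, not SAP's RAL code).

The configuration structure, entity and field names are assumptions: they
stand in for the logging customizing of the channels, operations, users and
entities a RAL configuration can select on.
"""
import re
from datetime import datetime, timezone

# Assumed configuration. For each entity: which channels are logged, which
# fields count as classified, and how each classified value is stored:
#   "log"  -> field name and full value are recorded
#   "mask" -> field name recorded, value reduced to its last four digits
#   "name" -> only the fact that the field was displayed is recorded
RAL_CONFIG = {
    "skip_users": {"BATCH_ADMIN"},          # technical users excluded by filter
    "entities": {
        "BusinessPartner": {
            "channels": {"SAPGUI", "WebDynpro", "RFC"},
            "fields": {"TaxNumber": "log", "CreditCardNumber": "mask", "Salary": "name"},
        },
        "Employee": {
            "channels": {"SAPGUI", "WebDynpro"},
            "fields": {"BankAccount": "mask", "HealthStatus": "name"},
        },
    },
}


def mask_value(value):
    """Keep only the last four digits so the log itself holds no full card or account number."""
    digits = re.sub(r"\D", "", str(value))
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) >= 4 else "***"


class ReadAccessLog:
    def __init__(self, config, clock=None):
        self.config = config
        self.records = []
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def record_access(self, user, channel, operation, entity, data):
        """Called when `data` of `entity` is presented to `user` over `channel`.
        Returns the stored record, or None when the filters exclude the access."""
        if user in self.config["skip_users"]:
            return None
        cfg = self.config["entities"].get(entity)
        if cfg is None or channel not in cfg["channels"]:
            return None
        logged = {}
        for field, mode in cfg["fields"].items():
            if field not in data:
                continue
            if mode == "log":
                logged[field] = data[field]
            elif mode == "mask":
                logged[field] = mask_value(data[field])
            else:
                logged[field] = None          # "name": displayed, value withheld
        if not logged:
            return None                       # nothing classified was shown
        record = {"who": user, "when": self.clock().isoformat(),
                  "how": f"{channel}/{operation}", "what": entity, "fields": logged}
        self.records.append(record)
        return record

    def accesses_to(self, entity, field):
        """Evaluation: which users saw a given classified field, and when/how."""
        return [(r["who"], r["when"], r["how"]) for r in self.records
                if r["what"] == entity and field in r["fields"]]


def demo():
    clock = lambda: datetime(2013, 11, 5, 9, 30, tzinfo=timezone.utc)  # fixed for reproducibility
    ral = ReadAccessLog(RAL_CONFIG, clock)
    # constructed business partner record as displayed by a dialog transaction
    bp = {"Name": "Constructed Corp", "TaxNumber": "DE000000000",
          "CreditCardNumber": "4111 1111 1111 1234", "Salary": 5000}
    shown = ral.record_access("ASMITH", "SAPGUI", "BP_DISPLAY", "BusinessPartner", bp)
    not_a_channel = ral.record_access("ASMITH", "BSP", "BP_DISPLAY", "BusinessPartner", bp)
    filtered_user = ral.record_access("BATCH_ADMIN", "RFC", "BAPI_BP_GET", "BusinessPartner", bp)
    nothing_classified = ral.record_access("ASMITH", "SAPGUI", "BP_DISPLAY", "BusinessPartner",
                                           {"Name": "Constructed Corp"})
    return shown, not_a_channel, filtered_user, nothing_classified, ral


if __name__ == "__main__":
    record, *_, log = demo()
    print(record)
    print(log.accesses_to("BusinessPartner", "CreditCardNumber"))
```

The "mask" and "name" modes are the point of the filter discussion: the log must answer "who saw the credit card field, when, through which channel" without itself becoming a second copy of the card numbers.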


SAP Custom Development – User Interface (UI) Logging
(Diagram: SAP GUI for Windows sends requests to and receives responses from the Dynpro processor in the SAP backend system; the observed data traffic between the Dynpro processor and the application logic is written to a temporary log and, through an asynchronous call of the log service, to permanent log storage in the repository; a sample implementation is delivered.)
In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging: Log Record Example I
(Screenshot: log record of transaction BP (Business Partner).)


UI Logging: Log Record Example II
(Screenshot: log record of transaction SE16 (Table Viewer).)


Access Logging with Business Warehouse
SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
• LOPD was first available with the BW 7.0 release.
• Within the solution you can configure the information to be logged per InfoProvider.
• The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.


Read Access Logging versus UI Logging
Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request


Read Access Logging: Compliance with Legal Regulations
Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; full credit card details are one example.
When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library
(Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.)
• Digital signatures for legally binding contracts
• Integration with the Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption


Digital Signatures – Step by Step
(Diagram: SAP client and application server, steps 1 to 4.) A transaction triggers a digital signature; user information is transferred; the user authenticates and the digital certificate is received; the application digitally signs the documents and stores the data.
• Supported out of the box for a set of SAP transactions
• Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF
• Integration of the Secure Login Library with client actions
• Hardware support needed


SNC Client Encryption
Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
• Compliance
• Integrity
• Confidentiality
SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview
• Included in the SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included
(Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to SAP application servers, which also use SNC between servers.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems
(Diagram: SAP's secure software development on one side, customers' secure software development on the other, with security services and security management in between.)


SAP Product Innovation Lifecycle
(Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up.)
Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)
SAP Security Patch Day
• SAP security notes, second Tuesday every month
SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
SAP security consulting services


SAP Security Services Overview (2/2)
SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners
SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems
Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP (SAP Service Marketplace)?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?
SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP
Topics from the security recommendations (discussed later):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling


Patch Management and Security Monitoring
• Check the security of your systems onsite, remotely or as self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager
Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems
The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
For more information see SAP Note 1532674.
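What "verify configuration parameters against targets" (the Solution Manager slide) and "SSL Profile Validation" (this slide) amount to in practice, as an added example that is neither Solution Manager nor LM Automation code: a small validator that parses a constructed AS ABAP instance profile and reports every parameter that deviates from a target baseline. The parameter names are real AS ABAP profile parameters; the target values and the profile contents are assumptions of this example, not SAP's official recommendation, and a real baseline would be taken from the security recommendations the slides cite.

```python
"""Validate SAP NetWeaver AS ABAP profile parameters against a target baseline
(added example, not SAP Solution Manager or LM Automation code).

The profile below is constructed. The parameter names are real AS ABAP
profile parameters; the target values are an assumed example baseline, not
SAP's official recommendation.
"""
import re

# Constructed instance profile of a system that still carries several defaults.
SAMPLE_PROFILE = """\
# constructed profile, not a real system
SAPSYSTEMNAME = XYZ
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443
rdisp/gui_auto_logout = 3600
"""

# Assumed target baseline: (comparison, target). Missing parameters count as deviations.
BASELINE = {
    "login/min_password_lng":                 ("min", 8),
    "login/fails_to_user_lock":               ("max", 5),
    "login/password_expiration_time":         ("range", (1, 90)),   # 0 means never expires
    "login/no_automatic_user_sapstar":        ("eq", 1),
    "login/password_downwards_compatibility": ("eq", 0),
    "rdisp/gui_auto_logout":                  ("range", (1, 1800)),
    "snc/enable":                             ("eq", 1),
}


def parse_profile(text):
    """Profile files are 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


def check_parameter(name, actual, rule):
    """Return (ok, message) for one parameter; actual is None when not set."""
    op, target = rule
    if actual is None:
        return False, f"{name} not set (target {op} {target})"
    num = _as_int(actual)
    if num is None:
        return False, f"{name}={actual!r} is not numeric"
    ok = {"min": lambda: num >= target, "max": lambda: num <= target,
          "eq": lambda: num == target,
          "range": lambda: target[0] <= num <= target[1]}[op]()
    return ok, f"{name}={num} (target {op} {target})"


def validate(profile_text, baseline=BASELINE):
    """Compare a profile against the baseline and return the list of deviations.
    ICM listeners serving plain HTTP are flagged too, since the SSL profile
    validation is about HTTPS being enabled for the web channels."""
    params = parse_profile(profile_text)
    deviations = []
    for name, rule in baseline.items():
        ok, msg = check_parameter(name, params.get(name), rule)
        if not ok:
            deviations.append(msg)
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name) and "PROT=HTTP," in value.upper():
            deviations.append(f"{name}={value}: plain HTTP listener, expected PROT=HTTPS")
    return deviations


if __name__ == "__main__":
    for deviation in validate(SAMPLE_PROFILE):
        print("DEVIATION:", deviation)
```

Running it over the constructed profile reports seven deviations; a profile that meets every target returns an empty list, which is the condition a patch-day or configuration-validation job would check before signing a system off.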


Secure Custom Development – Secure Design
Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace
Resources
• SAP security recommendations
• SAP security guides
How to verify
• Design review, architectural risk analysis


Secure Custom Development – Secure Programming
Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection
Resources
• SAP Secure Programming Guides
• SAP Security Recommendations
How to verify
• Source code scanning – automate it
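Three of the bug classes on this slide, each as the vulnerable pattern next to its hardened form, as an added example that is not taken from SAP's secure programming guides. Python stands in for the ABAP the slide has in mind, sqlite3 stands in for the database layer, and the user table, the report directory and the inputs are constructed; the defensive patterns (bound parameters, output encoding, confining a path to a base directory) are the same ones a code scanner checks for.

```python
"""Vulnerable vs. hardened forms of three bug classes (added example, not SAP's
secure programming guide code). Python stands in for ABAP; the data is constructed."""
import html
import os
import sqlite3
import tempfile


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "auditor"), ("bob", "admin")])   # constructed rows
    return conn


# --- SQL injection: string concatenation vs. bound parameters ---------------
def find_user_vulnerable(conn, name):
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"   # input becomes SQL
    return conn.execute(query).fetchall()


def find_user_hardened(conn, name):
    # the value travels as a parameter and can never change the statement's structure
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting: raw interpolation vs. output encoding ------------
def greeting_vulnerable(display_name):
    return "<p>Welcome, " + display_name + "</p>"


def greeting_hardened(display_name):
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# --- Directory traversal: trusting the file name vs. confining to a base dir -
def read_report_vulnerable(base_dir, filename):
    with open(os.path.join(base_dir, filename), encoding="utf-8") as fh:
        return fh.read()


def read_report_hardened(base_dir, filename):
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:       # resolved path left the directory
        raise PermissionError("path escapes the report directory")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Run each pair on the same input and return what a reviewer would compare."""
    conn = make_db()
    injected = "x' OR '1'='1"               # classic textbook probe, constructed
    results = {"sql_vulnerable": find_user_vulnerable(conn, injected),
               "sql_hardened": find_user_hardened(conn, injected),
               "xss_vulnerable": greeting_vulnerable("<script>alert(1)</script>"),
               "xss_hardened": greeting_hardened("<script>alert(1)</script>")}
    with tempfile.TemporaryDirectory() as root:       # constructed directory layout
        reports = os.path.join(root, "reports")
        os.mkdir(reports)
        with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("outside")
        with open(os.path.join(reports, "q3.txt"), "w", encoding="utf-8") as fh:
            fh.write("inside")
        results["traversal_vulnerable"] = read_report_vulnerable(reports, "../secret.txt")
        results["traversal_allowed"] = read_report_hardened(reports, "q3.txt")
        try:
            read_report_hardened(reports, "../secret.txt")
            results["traversal_hardened"] = "read"
        except PermissionError:
            results["traversal_hardened"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value!r}")
```

The comparison is the lesson: the same input returns every row from the concatenated query and nothing from the parameterised one, renders as markup in the raw greeting and as text in the encoded one, and reads a file outside the report directory unless the resolved path is checked against the base.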


Overview of SAP Code Check Tools (Topic: Source Code Scan)
SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing
Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.
(Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing. DAST finds vulnerabilities in the running application; SAST finds vulnerabilities by analyzing the sources.)


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs
(Diagram: the same four approaches as on the previous slide (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing), plus the SAP NetWeaver Application Server add-on for code vulnerability analysis. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.)
Finding security issues at design time is easier and less expensive.
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues
Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news
Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes


Security Response @ SAP
You have found a security vulnerability in an SAP product. What to do? Open a customer message.
How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).
You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization
You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses
Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance
Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security, and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
• Booking code: P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java, Portal          ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960


Common Criteria Certification
Common Criteria for Information Technology Security Evaluation (ISO 15408)
• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level
Evaluation assurance levels:
EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested


Common Criteria Certified SAP Products
Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.
https://service.sap.com/commoncriteria
The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.
Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On
SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
• Compliance and governance: SAP GRC Access Control
• Identity management: SAP NetWeaver Identity Management
• Authentication and single sign-on: SAP NetWeaver Single Sign-On


Compliant Identity Management and Single Sign-On
Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications
Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store
Advanced SNC encryption
• Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
• Smart cards
• Radius


SAP NetWeaver Identity Management and Single Sign-On (all part of SAP NetWeaver)
SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA Certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library
SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• No single sign-on


SAP NetWeaver Single Sign-On and Solution Components
Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access.
Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on.
Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications.
Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password.
SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on.
(The diagram also shows a partner API alongside these components.)


EBS CA SiteMinder®: Web Access Management
Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop
The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?
(Diagram: after primary authentication, the E-SSO monitor on the desktop, administered through a local management console, supplies the user's credentials (user jack_jones) to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.)


Secure Login – Solution Architecture
(Diagram: on the client system, the SAP frontend (NWBC, SAP GUI) uses the Secure Login Client, and the web browser uses the Secure Login Web Client (SLWC, applet) with a browser key store, both backed by the SAP or Java Crypto Library. The SAP backend system's ABAP stack embeds the Secure Login Library and is reached over DIAG/SNC and HTTP(S). The Secure Login Server runs on NetWeaver CE 7.2 (Java stack) with configuration data and a PSE service, and authenticates users against an authentication server (e.g. SAP User Management).)

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?
• Different companies
• One business process
• Separated IT infrastructure
(Diagram: Company A's Datacenter A and Company B's Datacenter B, each running ERP, CRM and SCM, plus the cloud, take part in one business process.)


Identity Federation – Solution
(Diagram: Datacenter A of Company A and Datacenter B of Company B each run ERP, CRM and SCM behind Service Providers (SP), and each has its own Identity Provider; the two Identity Providers are federated.)
• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On
(Diagram: an SAP NetWeaver Java Identity Provider with its user accounts; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with their own user accounts; log on / log off and SAML token exchange between them.)
• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
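The exchange the federation slides describe (SP redirects to the IdP, the IdP authenticates once, every further SP receives an assertion without re-authentication, and each SP checks the assertion before mapping the federated identity to a local account), as an added example that is neither SAP's nor a SAML library's code. It assumes: an HMAC over the canonical assertion stands in for the XML signature made with the Identity Provider's certificate, the IdP session cookie stands in for the browser's session with the IdP, and the entity ids, users and account mappings are constructed. The checks in consume() are the ones SAML 2.0 requires of a Service Provider: signature, issuer, AudienceRestriction, InResponseTo, NotBefore/NotOnOrAfter and replay.

```python
"""SP-initiated web browser SSO with a SAML-style identity provider (added example).

Not SAP's code. Assumptions: an HMAC over the canonical assertion stands in for
the XML signature made with the Identity Provider's certificate; the IdP session
cookie stands in for the browser's session with the IdP; entity ids, users and
account mappings are constructed.
"""
import hashlib, hmac, json, secrets
from datetime import datetime, timedelta, timezone


def sign(key, body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, key, users, clock):
        self.entity_id, self.key, self.users, self.clock = entity_id, key, users, clock
        self.sessions = {}                 # IdP session cookie -> username

    def login(self, username, password):
        """Primary authentication; happens once per IdP session."""
        if username not in self.users or self.users[username]["password"] != password:
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = username
        return cookie

    def issue_assertion(self, cookie, authn_request):
        """Answer an SP's AuthnRequest for an already authenticated browser."""
        username = self.sessions.get(cookie)
        if username is None:
            return None                    # no IdP session: the user must log in first
        now = self.clock()
        body = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id,
                "in_response_to": authn_request["id"],
                "audience": authn_request["issuer"],         # AudienceRestriction
                "name_id": self.users[username]["name_id"],  # federated identity
                "not_before": now.isoformat(),
                "not_on_or_after": (now + timedelta(minutes=5)).isoformat()}
        return {"body": body, "signature": sign(self.key, body)}


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key, account_map, clock):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.account_map, self.clock = account_map, clock   # NameID -> local user account
        self.pending, self.seen, self.sessions = set(), set(), {}

    def authn_request(self):
        """Step 1: the unauthenticated web user is redirected to the IdP with this request."""
        req = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id}
        self.pending.add(req["id"])
        return req

    def consume(self, assertion):
        """Step 2: validate the assertion the browser posts back, then log the user on."""
        body = assertion["body"]
        if not hmac.compare_digest(assertion["signature"], sign(self.idp_key, body)):
            return ("rejected", "bad signature")
        if body["issuer"] != self.idp_entity_id:
            return ("rejected", "untrusted issuer")
        if body["audience"] != self.entity_id:
            return ("rejected", "assertion meant for another service provider")
        if body["in_response_to"] not in self.pending:
            return ("rejected", "unsolicited or already answered request")
        now = self.clock()
        if not (datetime.fromisoformat(body["not_before"]) <= now
                < datetime.fromisoformat(body["not_on_or_after"])):
            return ("rejected", "outside validity window")
        if body["id"] in self.seen:
            return ("rejected", "replayed assertion")
        local = self.account_map.get(body["name_id"])
        if local is None:
            return ("rejected", "no local account for federated identity")
        self.seen.add(body["id"])
        self.pending.discard(body["in_response_to"])
        self.sessions[secrets.token_hex(8)] = local      # local application session
        return ("ok", local)


def run_federation_demo():
    clock = lambda: datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)   # fixed for reproducibility
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("https://idp.example.test", key,
                           {"asmith": {"password": "constructed-pw",
                                       "name_id": "asmith@a.example.test"}}, clock)
    sp_a = ServiceProvider("https://erp.a.example.test", idp.entity_id, key,
                           {"asmith@a.example.test": "ASMITH"}, clock)
    sp_b = ServiceProvider("https://crm.b.example.test", idp.entity_id, key,
                           {"asmith@a.example.test": "A_SMITH_EXT"}, clock)
    results = {}
    req_a = sp_a.authn_request()
    results["no_session"] = idp.issue_assertion("not-logged-in", req_a)   # must authenticate first
    cookie = idp.login("asmith", "constructed-pw")
    assertion_a = idp.issue_assertion(cookie, req_a)
    results["sp_a"] = sp_a.consume(assertion_a)
    results["replay"] = sp_a.consume(assertion_a)                         # same assertion twice
    results["sp_b"] = sp_b.consume(idp.issue_assertion(cookie, sp_b.authn_request()))  # no re-authentication
    results["wrong_audience"] = sp_b.consume(idp.issue_assertion(cookie, sp_a.authn_request()))
    tampered = {"body": dict(assertion_a["body"], name_id="other@a.example.test"),
                "signature": assertion_a["signature"]}
    results["tampered"] = sp_a.consume(tampered)
    return results
```

The second Service Provider logs the user on from the same IdP session without asking for a password, which is the "without re-authentication" point of the slide; the rejected cases show why an SP must do more than check the signature.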

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management
(Diagram: SAP NetWeaver Identity Management with its central identity store, integrated with SAP Access Control (GRC) and the SAP Business Suite, e.g. for on-boarding.)
• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central identity store
• Compliance checks through GRC
• SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2
(Diagram: the Identity Center database (MS SQL or Oracle, soon IBM DB2) holds the identity store, stored procedures, logs, audit and IdS; a Java runtime and a VB runtime/DSE with dispatcher and event agent connect over application-specific protocols to external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.); the Virtual Directory Server (VDS) on a Java VM exposes LDAP and web services to external applications such as SAP HR and SiteMinder; AS Java hosts the Web Dynpro identity management UI (UI abstraction, JMX); an MMC management console, soon to be Eclipse-based, administers the system; HTTPS and database protocols connect the components.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Diagram: the User sends a request to SAP NetWeaver Identity Management (1), which routes it to the Approver (2, 3), then to SAP GRC Access Control and the Compliance Team for risk analysis and remediation (4, 5), and finally provisions the target systems (6).

1. Request for

• Role

• Privileges

• User account

• …

2. Request sent for approval to

• Manager

• Delegate

• Role owner

• Application owner

• …

3. Approval granted from

• Manager

• Delegate

• Role owner

• Application owner

• …

4. Send for risk analysis to SAP GRC Access Control

5. Risk analysis and remediation by the Compliance Team

• Reject

• Approve

• Mitigate

• Modify request

• …

6. Provision to

• Business applications

• non-SAP systems

• …

and send approval mail to the User.

Result: Compliant Identity Management
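The six-step flow above, modelled as an added example in Python (not SAP's code): provisioning is only reachable after approval, a risk analysis and a positive compliance decision. The SoD rules, the mitigating control, and the user and system names are constructed for illustration.

```python
"""Added example, not SAP's code: a minimal model of the six-step compliant
identity management flow (request, approval, risk analysis, remediation,
provisioning).  The SoD rules and mitigating controls below are constructed
stand-ins for a GRC Access Control risk library."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    """Step 5 outcomes available to the compliance team."""
    REJECT = "reject"
    APPROVE = "approve"
    MITIGATE = "mitigate"
    MODIFY = "modify"


# Constructed segregation-of-duties rules: risk id -> pair of conflicting roles.
SOD_RULES = {
    "P001": ("Create vendor", "Pay vendor invoice"),
    "F002": ("Post journal entry", "Approve journal entry"),
}

# Constructed mitigating controls the compliance team accepts per risk id.
MITIGATING_CONTROLS = {"P001": "MC-17 quarterly vendor payment review"}


@dataclass
class AccessRequest:
    user: str
    roles: list                                      # requested business roles
    existing_roles: list = field(default_factory=list)
    approvals: dict = field(default_factory=dict)    # approver -> granted?
    risks: Optional[list] = None                     # None until step 4 has run
    mitigations: dict = field(default_factory=dict)  # risk id -> control
    decision: Optional[Decision] = None
    provisioned: dict = field(default_factory=dict)  # target system -> roles


def request_access(user, roles, existing_roles=()):
    """Step 1: the user asks for roles, privileges or an account."""
    return AccessRequest(user=user, roles=list(roles),
                         existing_roles=list(existing_roles))


def approve(req, approver, granted):
    """Steps 2 and 3: manager, delegate, role owner or application owner decide."""
    req.approvals[approver] = granted
    return granted


def analyse_risks(req):
    """Step 4: SoD analysis over the user's existing plus requested roles."""
    effective = set(req.existing_roles) | set(req.roles)
    req.risks = [rid for rid, (a, b) in SOD_RULES.items()
                 if a in effective and b in effective]
    return req.risks


def remediate(req, decision, mitigations=None, drop_roles=()):
    """Step 5: reject, approve, mitigate, or modify the request."""
    if req.risks is None:
        raise RuntimeError("risk analysis (step 4) has not been run")
    if decision is Decision.APPROVE and req.risks:
        raise ValueError(f"cannot approve with open risks {req.risks}")
    if decision is Decision.MITIGATE:
        mitigations = dict(mitigations or {})
        for risk in req.risks:
            accepted = MITIGATING_CONTROLS.get(risk)
            if accepted is None or mitigations.get(risk) != accepted:
                raise ValueError(f"no accepted mitigating control for {risk}")
        req.mitigations = mitigations
    if decision is Decision.MODIFY:
        # Remove the conflicting roles and re-run the analysis on the rest.
        req.roles = [r for r in req.roles if r not in set(drop_roles)]
        if analyse_risks(req):
            raise ValueError(f"modified request still carries risks {req.risks}")
    req.decision = decision
    return decision


def provision(req, target_systems):
    """Step 6: provision only after approval and a clean or mitigated analysis."""
    if not req.approvals or not all(req.approvals.values()):
        raise PermissionError("step 3 approval missing or denied")
    if req.decision in (None, Decision.REJECT):
        raise PermissionError("no positive compliance decision (step 5)")
    if req.risks and any(r not in req.mitigations for r in req.risks):
        raise PermissionError(f"unmitigated risks {req.risks}")
    for system in target_systems:
        req.provisioned[system] = list(req.roles)
    mail = f"Access request for {req.user} provisioned to {', '.join(target_systems)}"
    return req.provisioned, mail
```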

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management

• Centralized user management – centralized management of identity information across multiple data sources

• Integration and synchronization of system authorization data – manage user privileges centrally

• Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO

• Federated Identity – simplifies integration with standards-supported identity federation

SAP GRC Access Control

• Access Risk Identification – define and understand access risks

• Access Analysis and Response – analyze and mitigate access risks

• Access Reviews – periodic reviews of assignments, risk violations and controls

• Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Diagram (SAP GRC 10.0): SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A), with optional SAP NW Portal 7.02 (GRC Portal Content), SAP NW BW 7.02 (GRC BI Content) and SAP NW Java 7.02 (Adobe Document Services, Content Lifecycle Management (CLM)). Backends: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications via an adapter (web services). Optional identity management solutions (SAP or non-SAP) connect via web services. Front-end client: SAP GUI 7.10 or web browser over DIAG/HTTP, with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports).

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

• Reduce risk through compliance checks and remediation

• Automate manual processes through integration

Flow diagram: an HR application event (new hire, change of position) triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (Yes/No); SAP GRC Access Control runs the compliance check and remediation; then the user is created and roles or privileges are assigned across the heterogeneous landscape.

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure receives attack pattern updates by SAP and collects logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop and mobile frontend logs, logs of infrastructure, logs of the database, network logs and IDS data. Processing stages: connectivity, extraction, filtering, normalization, aggregation. Further connections: an API to other SIEM tools, alerts from SAP Solution Manager (SolMan), and an information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.

Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.

The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.

SAP leads in the industry by helping our customers to thrive in today's business networks.


Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

• Access hands-on workshops post-event

• Available January – March 2014

• Complimentary with your SAP TechEd registration

SAP TechEd Online

• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more

• View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 32: SIS100 - Overview About Product Security, IDM and SSO


Secure Communication and Interaction: OnDemand Solutions

Diagram: Company A and Company B each run backend networks (R/3 application server farms, ERP systems, a directory) and each operate an Identity Provider. SAP Logon Tickets provide single sign-on inside the backend networks; SAML assertions are exchanged between the companies' identity providers and the on-demand solutions, which in turn rely on an on-demand Identity Provider.

SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20) and results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System

Used to ensure secure and compliant operation of business functions.

Target audience: Auditor

Read Access Log

Used to ensure compliant access to sensitive or classified data.

Allows tracking of who accessed which data, when, and via which interface.

Target audience: Data Protection Officer

Security Audit Log

Monitoring of security-relevant events in the system, like logons, access control violations, and more.

Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram: in the SAP environment, audit planning and the work program (system audit, business audit) drive online controls on the SAP database (system information, reconciliation, balance sheet / P&L, account balances, documents) and the data export (account balances, line items). Through the export interface, the non-SAP environment takes over: work paper preparation, reporting, analysis software (ACL, IDEA, …) and reporting software working on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits.

It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the AUDITOR in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:

• Who accessed the data

• Which data was accessed

• When the data was accessed

• How the data access took place, i.e. via which transaction or user interface

The amount of detail to be logged is customizable based on:

• user interfaces used to access the data

• operations executed on remote APIs

• users using the remote APIs / user interfaces

• entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram: ABAP server with the application (Web Dynpro) writing to the Read Access Log.

Read Access Logging Framework: Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters, you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

Diagram: SAP GUI for Windows sends requests to and receives responses from the Dynpro Processor in the SAP backend system; the observed data traffic between the Dynpro Processor and the application logic is written to a temporary log, and an asynchronous call of the log service moves it into permanent log storage in the repository (delivered sample implementation).

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

Screenshot: transaction BP (Business Partner) log record

UI Logging: Log Record Example II

Screenshot: transaction SE16 (Table Viewer) log record

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).

LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider.

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00…7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00…7.31
Business Warehouse           | No                               | 7.00…7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
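The filtering described under "Read Access Logging Framework: Features" and the constraints in the regulations passage above, as an added example that is not SAP's RAL implementation: a read-access logger that records who, what, when and via which channel, logs only configured channels and classified fields, masks or omits values (full credit card numbers never reach the log), and purges records after a retention period. The configuration, field names, users and access events are constructed for illustration.

```python
"""Added example, not SAP's Read Access Logging implementation: a small
read-access logger that records who accessed which classified data, when and
via which channel, applies a logging configuration so that only configured
channels and fields are logged and sensitive values are masked or omitted,
and purges records after a retention period.  Configuration and events are
constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed logging configuration.  For each entity it lists the classified
# fields and how their content may appear in the log:
#   "none"   - log that the field was shown, but never its value
#   "masked" - keep only the last four characters
#   "full"   - log the value (only for non-personal classified data)
RAL_CONFIG = {
    "channels": {"WEBDYNPRO", "RFC", "WEBSERVICE"},   # SAP GUI is not configured
    "entities": {
        "BUSINESS_PARTNER": {"CREDIT_CARD": "masked", "IBAN": "masked",
                             "BIRTHDATE": "none"},
        "EMPLOYEE": {"SALARY": "none", "COST_CENTER": "full"},
    },
    "excluded_users": {"BATCH_REPORT"},  # technical users whose reads are not logged
    "retention_days": 90,                # purpose-bound, time-limited storage
}


def render_value(value, mode):
    """Apply the configured reduction to one field value before logging."""
    if mode == "none":
        return None
    if mode == "masked":
        text = str(value)
        return "*" * max(len(text) - 4, 0) + text[-4:]
    if mode == "full":
        return value
    raise ValueError(f"unknown logging mode {mode!r}")


def log_read_access(config, channel, user, entity, fields, operation, now=None):
    """Return a log record for a read access, or None if nothing must be logged.

    `fields` maps field name -> value as presented to the user via the channel.
    """
    if channel not in config["channels"] or user in config["excluded_users"]:
        return None
    classified = config["entities"].get(entity, {})
    logged = {name: render_value(value, classified[name])
              for name, value in fields.items() if name in classified}
    if not logged:
        return None  # no classified data was shown, so there is nothing to record
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.isoformat(),  # when
        "user": user,                  # who
        "channel": channel,            # via which interface
        "operation": operation,        # which transaction / API operation
        "entity": entity,              # which data
        "fields": logged,
    }


def purge_expired(records, config, now):
    """Drop records older than the configured retention period."""
    limit = now - timedelta(days=config["retention_days"])
    return [r for r in records if datetime.fromisoformat(r["timestamp"]) >= limit]
```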

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library.

• Digital signatures for legally binding contracts

• Integration with the Secure Store and Forward (SSF) API

• Out-of-the-box support for a set of SAP transactions

• Consistent with SAP Single Sign-On mechanisms

• Easy and flexible to implement

• Generation of X.509 certificates and smart card support

• PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1. A transaction triggers a digital signature.

2. User information is transferred.

3. The user authenticates and the digital certificate is received (SAP client).

4. The application digitally signs the documents and stores the data.

Supported out-of-the-box for a set of SAP transactions.

• Programming / integration necessary in case of ABAP programming for other transactions not yet supporting SSF

• Integration of the Secure Login Library with client actions

• Hardware support needed

SNC Client Encryption

Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance

• Integrity

• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in the SAP NetWeaver license

• Encryption between SAP client and application server

• Based on SNC and Kerberos

• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On

• No single sign-on included

Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) communicate via SNC with the SAP application server; SNC also protects the server-to-server connection between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development

Security Standards and Certifications

Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: four quadrants – Secure Software Development at SAP, Secure Software Development by customers, Security Services, and Security Management.


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:

– We train developers on secure software development

– We plan and implement security using product standard requirements

– We use state-of-the-art quality assurance methods

– We verify in quality gates that requirements are met

– We provide fixes via Product Security Response if vulnerabilities are identified

– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day

• SAP security notes: second Tuesday every month

SAP Active Global Support – security tools and services

• SAP Solution Manager System Recommendations

• SAP EarlyWatch Alert (EWA) with security section

• SAP Solution Manager Configuration Validation

• SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training

• Secure operation trainings by SAP

• Secure development trainings by partners

SAP Security Documentation

• Security notes published on Service Marketplace

• SAP security guides for every product

• SAP security recommendations on some patch days

• Secure programming guides

• RunSAP end-to-end solution operations

• Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?

• Do you have management support for SAP security?

• Do you have defined responsibilities for SAP security?

• Do you have a security contact maintained in SMP?

• Do you have standards and guidelines for SAP security?

• Do you have know-how in security operations?

• Do you have know-how in secure development?

• Do you have know-how in authorizations and SoD?

• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):

• Network filtering

• SAP GUI for Windows

• Limit web-enabled content

• SAP Gateway and SAP Message Server security

• Secure Network Communication (SNC) and HTTPS

• ABAP RFC connectivity

• Password management: password policy, password hashes, default passwords

• Secure session handling

Patch Management and Security Monitoring

Check the security of your systems on-site, remotely, or as a self-service via SAP Solution Manager.

Verify release information and configuration parameters against targets for all systems connected to Solution Manager.

Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented.

Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:

– Each task is available in two flavors – one for ABAP, one for Java application servers

– SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)

– SSL Profile Validation: validates parameter settings for secure sessions

– SSL Maintenance: performs configuration and describes required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design

• Authentication and identity propagation

• Secure session handling

• Communication protocols

• Authorization concept

• Logging and audit trace

Resources

• SAP security recommendations

• SAP security guides

How to verify

• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs

• Cross-site scripting (XSS)

• Cross-site request forgery (XSRF)

• SQL injection

• Directory traversal

• ABAP code injection

Resources

• SAP Secure Programming Guides

• SAP Security Recommendations

How to verify

• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage

Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks

Extended Program Check (SLIN): extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security.

Neither DAST nor SAST is a guarantee to find all security issues in an application.

Diagram: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing. DAST finds vulnerabilities in the running application; SAST finds vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Diagram: the same four approaches (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing), grouped into SAST (find vulnerabilities by analyzing the sources) and DAST (find vulnerabilities in the running application). The SAP NetWeaver Application Server add-on for code vulnerability analysis covers automated source code analysis.

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)

• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes

• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications

– Sent out for very important security-related news

Reporting product security issues

• Create a customer ticket in the support system

• If you do not have SAP support, send an email to secure@sap.com

– Please use PGP for email encryption

– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:

• spotlight news

• check of the security notes released on the Security Patch Days

• subscription to the SAP support portal newsletter

• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula

• SAP System Administration – User and Security

• SAP Governance, Risk & Compliance

Certification

• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.

• Booking code: P_ADM_SEC_70

Topic                                  | Course ID
Authorizations AS ABAP                 | ADM940
Authorizations AS Java / Portal        | ADM200, EP200, ADM800
Authorizations BW                      | BW365
SAP NetWeaver Identity Management      | ADM920
Security Auditing                      | ADM950
Technical Security (RFC, SSL, SNC, …)  | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets

• Permits comparison between independent security evaluations

• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features

• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)

• EAL 4 is the highest internationally accepted level

EAL 1 | Functionally tested
EAL 2 | Structurally tested
EAL 3 | Methodically tested and checked
EAL 4 | Methodically designed, tested and reviewed
EAL 5 | Semi-formally designed and tested
EAL 6 | Semi-formally verified, designed and tested
EAL 7 | Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:

• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)

• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On, Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control

Identity Management: SAP NetWeaver Identity Management

Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner product, integrated via API)
- Endorsed Business Solution (EBS) with the CA SiteMinder product
- Policy-based authentication and authorization to Web applications
- XACML-based and policy-enforced access

Identity Federation
- Web-based and Web service-based authentication
- Single sign-on and identity federation via SAML 2.0
- Cross-company and cross-domain single sign-on

Secure Login
- Single sign-on for Web-based and Web service-based applications
- Standards-based single sign-on for SAP GUI (Kerberos, X.509)
- Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet)
- Secured and automated login via user and password

SNC Client Encryption
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

Web Access Management: Endorsed Business Solution with CA – CA SiteMinder®

- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous application environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, creating a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

Components shown on the original diagram: primary authentication, the E-SSO monitor, the local management console, and the target applications for user jack_jones (terminal emulator, web form, web basic authentication, Windows application, Java application). After the one primary authentication, E-SSO performs the secured, automated user/password login to these applications on the user's behalf.

Secure Login – Solution Architecture

Components shown on the original architecture diagram:
- Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with the Secure Login Web Client (SLWC, applet) and the browser key store
- Secure Login Server on SAP NetWeaver CE 7.2 (Java stack) with its configuration data and PSE service, backed by an authentication server (e.g. SAP User Management)
- SAP backend systems (ABAP stack) with the Secure Login Library and the SAP or Java crypto library
- Protocols: DIAG protected by SNC between SAP GUI and the backend; HTTP(S) between the clients and the Secure Login Server

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0: Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure
- Cloud

Diagram on the original slide: Company A (Datacenter A) and Company B (Datacenter B) each run their own ERP, CRM and SCM systems, with further systems in the cloud.

Identity Federation – Solution

Diagram on the original slide: in Datacenter A and Datacenter B, each company's ERP, CRM and SCM systems act as SAML service providers (SP); each company runs its own identity provider; the two identity providers are linked by identity federation.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity provider and service provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram on the original slide: an identity provider on SAP NetWeaver Java (holding the user account) issues SAML tokens to service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems (each with its own user account); the user logs on and off at the identity provider.

- The landscape consists of an identity provider and systems enabled via service providers (SAML)
- Web users trying to access a system are redirected to the identity provider
- Once a user is authenticated by the identity provider, the user can access all systems (via service providers) without re-authentication
- Web browser-based single sign-on is user-centric
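The slide describes the redirect to the identity provider and the SAML token the service provider receives, but not what the service provider must verify before it trusts that token. The following is an added example (not SAP code and not the behaviour of any particular SAP component): the service-provider-side checks on a SAML 2.0 Response in the Web Browser SSO profile. The Response is a constructed sample, and the entity IDs, ACS URL and the two-minute clock skew are assumptions. XML signature verification is not implemented here; it needs an XML-DSig library and the code makes the result fail until the caller reports the signature as verified.

```python
"""SP-side checks on a SAML 2.0 Response (added example, not SAP code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP configuration: the IdP we federate with and our own identifiers.
SP_CONFIG = {
    "trusted_idp": "https://idp.company-a.example/saml2",            # assumption
    "sp_entity_id": "https://erp.company-b.example/saml2",           # assumption
    "acs_url": "https://erp.company-b.example/sap/saml2/sp/acs",     # assumption
}

# Constructed sample of what the SP receives at its assertion consumer service.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp1" InResponseTo="_req42"
  Destination="https://erp.company-b.example/sap/saml2/sp/acs">
  <saml:Issuer>https://idp.company-a.example/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.company-a.example/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jack_jones</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://erp.company-b.example/sap/saml2/sp/acs"
          NotOnOrAfter="2013-11-05T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:55:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://erp.company-b.example/saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, now, config=SP_CONFIG,
                      signature_verified=False):
    """Return (ok, problems, name_id). All checks are collected, not short-circuited,
    so an operator reading the log sees every reason a token was refused."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["not a samlp:Response"], None

    # Solicited by us? Ties the token to an AuthnRequest we issued (replay defence).
    if root.get("InResponseTo") not in outstanding_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    # Delivered to the endpoint the IdP addressed it to?
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination is not our ACS URL")
    # Issued by the identity provider we trust?
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["trusted_idp"]:
        problems.append(f"untrusted issuer {issuer!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    name_id = None
    if assertion is None:
        problems.append("no assertion")
    else:
        if assertion.findtext("saml:Issuer", namespaces=NS) != config["trusted_idp"]:
            problems.append("assertion issuer differs from trusted IdP")
        # Meant for this SP? Stops a token issued for system X being replayed at system Y.
        audiences = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if config["sp_entity_id"] not in audiences:
            problems.append("our entity ID is not in the audience restriction")
        # Still within its validity window (two minutes skew assumed as local policy)?
        cond = assertion.find("saml:Conditions", NS)
        skew = timedelta(minutes=2)
        if cond is not None:
            if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
                problems.append("assertion not yet valid")
            if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
                problems.append("assertion expired")
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != config["acs_url"]:
            problems.append("SubjectConfirmationData.Recipient is not our ACS URL")
        name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

    # Without a verified XML signature none of the above can be trusted.
    if not signature_verified:
        problems.append("XML signature not verified (use an XML-DSig library)")
    return (not problems), problems, name_id
```

The order matters less than the completeness: the signature check protects the integrity of every field, and the InResponseTo, Destination, Audience and time-window checks prevent a genuine token from being reused in a context the identity provider never intended.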

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2: New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

- Password management
- Provisioning to SAP and non-SAP systems (e.g. on-boarding)
- Identity management monitoring and audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through SAP Access Control (GRC)
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Components shown on the original architecture diagram:
- Identity Center (IC) database: MS SQL Server or Oracle (IBM DB2 soon), with stored procedures; holds logs, audit data and the identity store (IdS)
- Runtime components: Java runtime, VB runtime, DSE (VB) and Event Agent (VB), started by the Dispatcher
- Virtual Directory Server (VDS) in a Java VM, accessed over LDAP; connects external repositories (AS Java, ABAP, web services, Active Directory, etc.) over database protocol, LDAP, Java, ABAP and web services
- External applications: SAP HR, LDAP/web services, SiteMinder, and app-specific connectors
- AS Java with the Web Dynpro identity management UI (UI abstraction); management over JMX
- Management Console (MMC), soon to be Eclipse-based; user interface access over HTTPS

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Request flow between the user, SAP NetWeaver Identity Management, the approvers, the compliance team and SAP GRC Access Control (built up step by step on the original slides):

1. The user requests a role, privileges, a user account, ...
2. SAP NetWeaver Identity Management sends the request for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner or application owner
4. The approved request is sent to SAP GRC Access Control for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, or modify the request, ...
6. SAP NetWeaver Identity Management provisions the assignment to business applications, non-SAP systems, ..., and sends an approval mail to the user

Result: compliant identity management.
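What the six steps above do not show is the substance of step 5: a risk analysis has to simulate the access the user would hold after provisioning, because a segregation-of-duties conflict typically arises only from the combination of a new role with roles the user already has. The following is an added example of that flow (not SAP code; SAP GRC Access Control ships its own rule sets and this is not its algorithm). The role names, SoD rules, users and control IDs are constructed.

```python
"""Compliant access request flow with SoD risk analysis (added example, not SAP code)."""
from dataclasses import dataclass, field

# Constructed SoD rule set: risk ID -> (function A, function B, risk level).
# One person must not hold both functions at once.
SOD_RULES = {
    "P001": ("CREATE_VENDOR", "POST_PAYMENT", "HIGH"),     # create a vendor and pay it
    "P002": ("MAINTAIN_PO", "APPROVE_PO", "MEDIUM"),       # raise and approve own purchase order
    "B001": ("MAINTAIN_USERS", "MAINTAIN_ROLES", "HIGH"),  # basis: user and role administration
}

# Constructed business roles and the functions they grant.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "MAINTAIN_PO"},
    "Z_AP_PAYMENTS": {"POST_PAYMENT"},
    "Z_PO_APPROVER": {"APPROVE_PO"},
    "Z_BASIS_USER_ADMIN": {"MAINTAIN_USERS"},
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: set
    approved_by: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)   # risk ID -> accepted control ID
    provisioned: list = field(default_factory=list)


def analyze_risk(current_roles, requested_roles):
    """Steps 4/5: simulate the post-provisioning access and return every SoD rule
    violated by the combined set of functions, as {risk_id: level}."""
    functions = set()
    for role in current_roles | requested_roles:
        functions |= ROLE_FUNCTIONS.get(role, set())
    return {rid: level for rid, (f1, f2, level) in SOD_RULES.items()
            if f1 in functions and f2 in functions}


def process_request(request, current_roles, approvers, mitigations=None):
    """Run steps 2 to 6 for one request and return the decision.

    approvers:   who granted approval in step 3 (manager, role owner, ...)
    mitigations: risk ID -> mitigating control the compliance team accepted in step 5
    Returns 'REJECTED_NO_APPROVAL', 'REJECTED_RISK' or 'PROVISIONED'."""
    request.approved_by = set(approvers)
    if not request.approved_by:                                   # steps 2-3
        return "REJECTED_NO_APPROVAL"
    risks = analyze_risk(current_roles, request.requested_roles)  # step 4
    # Only mitigations for risks that actually exist are recorded on the request.
    request.mitigations = {r: c for r, c in (mitigations or {}).items() if r in risks}
    unmitigated = {r for r in risks if r not in request.mitigations}
    if unmitigated:                                               # step 5: reject
        return "REJECTED_RISK"
    request.provisioned = sorted(request.requested_roles)         # step 6
    return "PROVISIONED"
```

A request for Z_AP_PAYMENTS by a user who already holds Z_AP_CLERK is clean on its own but triggers P001 in combination; it is provisioned only if the compliance team records a mitigating control for that risk.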


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

Components shown on the original architecture diagram (SAP GRC 10.0):
- SAP NetWeaver AS ABAP 7.02 running Access Control, Process Control and Risk Management (software component GRCFND_A), with Content Lifecycle Management (CLM)
- Managed systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via an adapter
- Optional components: SAP NW Portal 7.02 with GRC portal content; SAP NW BW 7.02 with GRC BI content; SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP)
- Connections between the components: RFC, HTTP and web services
- Front-end client: SAP GUI 7.10 (DIAG) or web browser (HTTP) with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow shown on the original slide: an HR event (new hire, change of position) in the HR application triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (if not, the flow stops); SAP GRC Access Control runs the compliance check and remediation; Identity Management then creates the users and assigns roles and privileges across the heterogeneous landscape.

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCON (Unified Connectivity)

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

Inputs shown on the original draft:
- Attack pattern updates by SAP
- Logs of SAP NetWeaver systems and of non-SAP NetWeaver systems
- Logs of desktop frontends and mobile frontends
- Logs of infrastructure, database and network
- Alerts from SAP Solution Manager (SolMan)

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization and aggregation of these sources; IDS API to other SIEM tools; information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.


Summary – Key Take-Aways

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
- SAP leads the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


SAP NetWeaver Security Solutions: Logging and Monitoring

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

Screenshots on the original slide: configuration and results of the Security Audit Log in ABAP (transactions SM18, SM19, SM20), and results of the Log Viewer in Java.

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System
- Used to ensure secure and compliant operation of business functions
- Target audience: auditor

Read Access Logging
- Used to ensure compliant access to sensitive or classified data
- Allows tracking who accessed which data, when, and via which interface
- Target audience: data protection officer

Security Audit Log
- Monitoring of security-relevant events in the system, such as logons, access control violations and more
- Target audience: security administrator
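The Security Audit Log records the logon events the security administrator needs, and the attack monitoring draft earlier on this page describes normalizing such logs and raising alerts from them. The following added example (not an SAP tool, and not the real SM20 output format) shows the detection step over a batch of Security Audit Log style records: normalize the lines, then alert when one user from one terminal accumulates failed logons inside a short window, and escalate when a successful logon follows the burst. AU1 (logon successful) and AU2 (logon failed) are the Security Audit Log message IDs; the line layout, hosts, users, threshold and window are constructed assumptions.

```python
"""Brute-force detection over Security Audit Log style events (added example, not an SAP tool)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, SAL message ID, user, terminal, message text.
SAMPLE_LOG = """\
2013-11-05T08:59:58 AU2 ADMIN    10.0.0.23  Logon failed (reason=1, type=A)
2013-11-05T09:00:02 AU2 ADMIN    10.0.0.23  Logon failed (reason=1, type=A)
2013-11-05T09:00:05 AU2 ADMIN    10.0.0.23  Logon failed (reason=1, type=A)
2013-11-05T09:00:09 AU2 ADMIN    10.0.0.23  Logon failed (reason=1, type=A)
2013-11-05T09:00:14 AU2 ADMIN    10.0.0.23  Logon failed (reason=1, type=A)
2013-11-05T09:00:21 AU1 ADMIN    10.0.0.23  Logon successful (type=A)
2013-11-05T09:05:00 AU2 JJONES   10.0.1.7   Logon failed (reason=1, type=A)
2013-11-05T09:05:30 AU1 JJONES   10.0.1.7   Logon successful (type=A)
2013-11-05T09:10:00 AU2 SVC_RFC  10.0.2.9   Logon failed (reason=1, type=S)
2013-11-05T09:10:00 AU2 SVC_RFC  10.0.2.9   Logon failed (reason=1, type=S)
2013-11-05T09:10:01 AU2 SVC_RFC  10.0.2.9   Logon failed (reason=1, type=S)
2013-11-05T09:10:01 AU2 SVC_RFC  10.0.2.9   Logon failed (reason=1, type=S)
"""


def parse_events(text):
    """Normalize raw lines into dicts; this is the connector/normalization step."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # skip a malformed line rather than losing the whole batch
        ts, event_id, user, terminal = parts[:4]
        events.append({"time": datetime.fromisoformat(ts), "id": event_id,
                       "user": user, "terminal": terminal,
                       "msg": parts[4] if len(parts) > 4 else ""})
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Alert once when `threshold` failed logons for one (user, terminal) fall
    inside `window`; a success right after such a burst is escalated, because
    the password guessing most likely worked."""
    alerts = []
    failures = defaultdict(list)   # (user, terminal) -> failure times inside the window
    alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["terminal"])
        if ev["id"] == "AU2":
            window_start = ev["time"] - window
            failures[key] = [t for t in failures[key] if t >= window_start] + [ev["time"]]
            if len(failures[key]) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "BRUTE_FORCE", "user": ev["user"],
                               "terminal": ev["terminal"],
                               "failures": len(failures[key]), "last": ev["time"]})
        elif ev["id"] == "AU1" and key in alerted:
            alerts.append({"kind": "BRUTE_FORCE_SUCCESS", "user": ev["user"],
                           "terminal": ev["terminal"], "at": ev["time"]})
            alerted.discard(key)
            failures[key] = []
    return alerts
```

On the sample the single failed attempt by JJONES produces nothing, the ADMIN burst produces an alert and then an escalation when the logon succeeds, and the RFC service user produces an alert without escalation. Keying on user and terminal together keeps a distributed attack against one account from hiding behind the per-terminal count; a second detector keyed on user alone would catch that case.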


Monitoring and Auditing: The SAP Audit Information System (AIS)

Diagram on the original slide:
- SAP environment: audit planning and work program (system audit, business audit); online controls on the SAP database (system information, reconciliation of balance sheet and P&L, account balances, documents); data export (account balances, line items) through the export interface
- Non-SAP environment: work paper preparation, reporting software and analysis software (ACL, IDEA, ...) working on the exported line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ...

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better-quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs.

The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- the user interfaces used to access the data
- the operations executed on remote APIs
- the users using the remote APIs or user interfaces
- the entities and their content

Session SIS104 – Finding the Leak: Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram on the original slide: ABAP server with the application (Web Dynpro) writing to the read access log.

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

Diagram on the original slide: SAP GUI for Windows sends requests to the Dynpro processor of the SAP backend system and receives responses; the observed data traffic between the Dynpro processor and the application logic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository (delivered sample implementation).

In addition to the Read Access Logging framework you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
Screenshot on the original slide: log record for transaction BP (Business Partner).

UI Logging: Log Record Example II
Screenshot on the original slide: log record for transaction SE16 (Table Viewer).

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism first does a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Read Access Logging | UI Logging Solution
-----------------------------|---------------------|-------------------------
SAP GUI                      | No                  | 7.00 ... 7.31
Web Dynpro ABAP              | 7.40 SP02           | On request
CRM Web Client UI            | No                  | 7.00 ... 7.31
Business Warehouse           | No                  | 7.00 ... 7.31, BW 7.0
Web Services                 | 7.40                | On request
SAP RFC                      | 7.40 SP02           | On request
Business Server Pages (BSP)  | No                  | On request

Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When the recorded data contains information about individuals, it may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case, approval of the works council might be mandatory.
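The two sections above pull in opposite directions: the read access log must record who saw which sensitive field, when and through which channel, but the log itself must not become a second copy of the sensitive data (a full card number in a log is exactly what the example of credit card details warns against). The following added example (not SAP's RAL implementation) shows one way to resolve that with field-level filters in the spirit of the RAL configuration: channels in scope, and per field whether the value is logged verbatim, masked to its last four characters, or dropped so that only the fact of access remains. Field names, channel names, the policy and the sample events are constructed.

```python
"""Read-access log writer with field-level filters (added example, not SAP's RAL)."""
from datetime import datetime, timezone
import json

# Constructed configuration: which channels are logged, and how each sensitive
# field is treated ("value" verbatim, "mask_last4", or "access_only").
LOG_CONFIG = {
    "channels": {"SAP GUI", "Web Dynpro ABAP", "RFC"},
    "fields": {
        "BP_NUMBER": "value",        # business key, needed to evaluate the access later
        "CC_NUMBER": "mask_last4",   # never store the full card number in a log
        "IBAN": "mask_last4",
        "SALARY": "access_only",     # record that it was read, not the amount
        "RELIGION": "access_only",
    },
}


def _filter_value(value, policy):
    """Apply the per-field policy to one value."""
    if policy == "value":
        return value
    if policy == "mask_last4":
        chars = "".join(ch for ch in str(value) if ch.isalnum())
        return "*" * max(len(chars) - 4, 0) + chars[-4:]
    return None  # access_only: the field name is kept, the value is dropped


def build_log_record(user, channel, transaction, entity, record, when, config=LOG_CONFIG):
    """Return one log record (who / when / how / what), or None when the channel is
    out of scope or the displayed record contains no configured sensitive field."""
    if channel not in config["channels"]:
        return None
    logged = {name: _filter_value(value, config["fields"][name])
              for name, value in record.items() if name in config["fields"]}
    if not logged:
        return None
    return {
        "who": user,
        "when": when.isoformat(),
        "how": {"channel": channel, "transaction": transaction},
        "what": {"entity": entity, "fields": logged},
    }


def write_read_access_log(events, config=LOG_CONFIG):
    """Run a batch of display events through the filter and return JSON lines."""
    lines = []
    for ev in events:
        rec = build_log_record(ev["user"], ev["channel"], ev["transaction"],
                               ev["entity"], ev["record"], ev["when"], config)
        if rec is not None:
            lines.append(json.dumps(rec, sort_keys=True))
    return lines


# Constructed sample events: a business partner display in SAP GUI, and a salary
# display over a channel (BSP) that is not in scope of the configuration.
SAMPLE_EVENTS = [
    {"user": "jack_jones", "channel": "SAP GUI", "transaction": "BP", "entity": "BusinessPartner",
     "when": datetime(2013, 11, 5, 9, 30, tzinfo=timezone.utc),
     "record": {"BP_NUMBER": "4711", "NAME": "Example GmbH",
                "CC_NUMBER": "4111 1111 1111 1111",
                "IBAN": "DE89370400440532013000", "RELIGION": "n/a"}},
    {"user": "jack_jones", "channel": "BSP", "transaction": "ZSALARY", "entity": "Employee",
     "when": datetime(2013, 11, 5, 9, 31, tzinfo=timezone.utc),
     "record": {"SALARY": 65000}},
]
```

The resulting record still answers the four RAL questions (who, what, when, how), while the card number survives only as its last four digits and the religion field only as a name. Retention, the other constraint named above, belongs to the store that receives these lines, not to the writer.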

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

Diagram on the original slide: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. A transaction triggers the digital signature
2. User information is transferred to the SAP client
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions
- Hardware support needed

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Diagram on the original slide: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application server; SNC also protects the communication between SAP application servers.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Framework shown on the original slide, with four areas: secure software development at SAP, secure software development by customers, security services, and security management. The following slides take up each area in turn.

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day; the most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00, each task available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.



Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development ndash Secure Programming

Secure programming - avoid security bugs

Cross-site scripting (XSS)

Cross-site request forgery (XSRF)

SQL injection

Directory traversal

ABAP code injection

Resources

SAP Secure Programming Guides

SAP Security Recommendations

How to verify

Source code scanning ndash automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage.
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks.
Extended Program Check (SLIN): extended program check which analyzes the source code.
SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: manual source code review and automated source code analysis find vulnerabilities by analyzing the sources (SAST); automated application vulnerability scanning and manual application penetration testing find vulnerabilities in the running application (DAST).)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram, as on the previous slide: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing; DAST finds vulnerabilities in the running application, SAST finds vulnerabilities analyzing the sources.)

SAP NetWeaver Application Server add-on for code vulnerability analysis.
Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– sent out for very important security-related news

Reporting product security issues:
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news, check the security notes released on the Security Patch Days, subscribe to the SAP support portal newsletter, and maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
SAP System Administration – User and Security
SAP Governance, Risk & Compliance

Certification:
SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
Booking code: P_ADM_SEC_70

Topic – Course ID:
Authorizations AS ABAP – ADM940
Authorizations AS Java / Portal – ADM200, EP200, ADM800
Authorizations BW – BW365
SAP NetWeaver Identity Management – ADM920
Security Auditing – ADM950
Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets.
Permits comparison between independent security evaluations.
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features.
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs).
EAL 4 is the highest internationally accepted level.

Evaluation assurance levels:
EAL 1 – functionally tested
EAL 2 – structurally tested
EAL 3 – methodically tested and checked
EAL 4 – methodically designed, tested and reviewed
EAL 5 – semi-formally designed and tested
EAL 6 – semi-formally verified, designed and tested
EAL 7 – formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)

Compliant Identity Management and Single Sign-On

(Diagram: Compliance and Governance – SAP GRC Access Control; Identity Management – SAP NetWeaver Identity Management; Authentication and Single Sign-On – SAP NetWeaver Single Sign-On.)

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
Advanced SNC encryption: strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
User and role management
Provisioning to SAP systems and non-SAP systems
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
Identity federation
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (RADIUS, smart cards)
RSA certification
Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption:
Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner, API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: after the primary authentication, the E-SSO monitor logs the user (jack_jones) on to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; configured via a local management console.)

Secure Login – Solution Architecture

(Diagram: client system with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (applet), key store and SAP or Java crypto library; SAP backend system with ABAP stack and Secure Login Library, and Java stack with PSE service; Secure Login Server on NetWeaver CE 7.2 with config data; Authentication Server (e.g. SAP User Management); connections via DIAG/SNC and HTTP(S).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure, cloud.

(Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …).)

Identity Federation – Solution

(Diagram: Company A, Datacenter A, and Company B, Datacenter B, each with ERP, CRM and SCM behind a Service Provider (SP) and each with its own Identity Provider; identity federation between the two Identity Providers.)

Each company maintains only its own identities.
A company can trust the identities of another organization.
Employees of company A can get access to shared information of company B.
SAP Business Suite will be enabled for SAML (Service Provider).
Identity Provider and Service Provider are based on the open SAML standard.

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: SAP NetWeaver Java Identity Provider with user account; SAP NetWeaver ABAP Service Provider, SAP NetWeaver Java Service Provider and non-SAP Service Provider, each with a user account; log on / log off; SAML token.)

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).
Web users trying to access a system will be redirected to the Identity Provider.
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication.
Web browser-based single sign-on is user-centric.
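The redirect-and-assert flow described above, as an added simulation that is not part of the original deck and not SAP NetWeaver Single Sign-On code: one Identity Provider, two Service Providers, one interactive logon. The assertion is JSON signed with an HMAC shared secret as a stand-in for the XML signature of a real SAML assertion; all names, secrets, users and timestamps are constructed.

```python
"""Added example: a simulation of the browser-based single sign-on flow
described above (one Identity Provider, several Service Providers, one
logon). Illustration code, not SAP NetWeaver Single Sign-On and not SAML:
the assertion is JSON signed with an HMAC shared secret as a stand-in for
the XML signature; names, secrets and users are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

ASSERTION_LIFETIME = timedelta(minutes=5)


class IdentityProvider:
    def __init__(self, name, key, users):
        self.name, self._key = name, key
        self._users = users        # user -> sha256(password) hex, constructed
        self.sessions = {}         # browser session id -> authenticated user

    def authenticate(self, session_id, user, password):
        """The single interactive logon; the IdP session then carries the identity."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self._users.get(user, ""), digest):
            return False
        self.sessions[session_id] = user
        return True

    def issue_assertion(self, session_id, audience, now):
        """Assertion for one Service Provider (the audience); None if not logged on."""
        user = self.sessions.get(session_id)
        if user is None:
            return None
        body = {"issuer": self.name, "subject": user, "audience": audience,
                "issued": now.isoformat(),
                "expires": (now + ASSERTION_LIFETIME).isoformat()}
        payload = json.dumps(body, sort_keys=True)
        signature = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": signature}


class ServiceProvider:
    def __init__(self, name, trusted_idp, idp_key):
        self.name, self._trusted_idp, self._idp_key = name, trusted_idp, idp_key
        self.local_sessions = {}   # browser session id -> user

    def consume_assertion(self, session_id, assertion, now):
        """Check signature, issuer, audience and lifetime before creating a session."""
        expected = hmac.new(self._idp_key, assertion["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "signature invalid"
        body = json.loads(assertion["payload"])
        if body["issuer"] != self._trusted_idp:
            return "untrusted issuer"
        if body["audience"] != self.name:
            return "assertion not meant for this service provider"
        if datetime.fromisoformat(body["expires"]) <= now:
            return "assertion expired"
        self.local_sessions[session_id] = body["subject"]
        return "ok"


def access(sp, idp, session_id, now):
    """A web user requests a resource at an SP: without a local session the SP
    redirects the browser to the IdP, which answers with an assertion for this SP."""
    if session_id in sp.local_sessions:
        return f"{sp.name}: local session for {sp.local_sessions[session_id]}"
    assertion = idp.issue_assertion(session_id, sp.name, now)
    if assertion is None:
        return f"{sp.name}: redirected to {idp.name} logon page"
    result = sp.consume_assertion(session_id, assertion, now)
    if result == "ok":
        return f"{sp.name}: logged on as {sp.local_sessions[session_id]} without re-authentication"
    return f"{sp.name}: {result}"


def run_demo():
    """One logon at the IdP, then access to two SPs; returns the outcomes in order."""
    key = b"constructed-shared-secret"
    idp = IdentityProvider("IdP-A", key,
                           {"jack_jones": hashlib.sha256(b"s3cret").hexdigest()})
    erp = ServiceProvider("ERP", "IdP-A", key)
    crm = ServiceProvider("CRM", "IdP-A", key)
    now = datetime(2013, 10, 22, 9, 0, 0)
    out = [access(erp, idp, "s1", now)]                      # not logged on yet
    out.append(str(idp.authenticate("s1", "jack_jones", "wrong")))
    out.append(str(idp.authenticate("s1", "jack_jones", "s3cret")))
    out.append(access(erp, idp, "s1", now))                  # first SP
    out.append(access(crm, idp, "s1", now))                  # second SP, no password
    out.append(access(erp, idp, "s1", now))                  # local session reused
    erp_assertion = idp.issue_assertion("s1", "ERP", now)
    out.append(crm.consume_assertion("s2", erp_assertion, now))       # wrong audience
    out.append(erp.consume_assertion("s3", erp_assertion, now + timedelta(minutes=6)))
    forged = dict(erp_assertion, payload=erp_assertion["payload"].replace("jack", "mary"))
    out.append(erp.consume_assertion("s4", forged, now))              # tampered payload
    return out


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```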

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered e.g. by on-boarding; SAP Access Control (GRC); SAP Business Suite integration.)

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram: Identity Center with IC database (either MS SQL Server or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), Java and VB runtimes, DSE, dispatcher and event agent; Virtual Directory Server (VDS, Java VM, LDAP); AS Java with Web Dynpro ID Mgmt UI abstraction and JMX; Management Console (MMC, soon to be Eclipse); external repositories (AS Java, ABAP, Active Directory, LDAP, Web services, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, app-specific); connected via HTTPS, DB protocol and LDAP.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Diagram, built up over the following six steps: User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control.)

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …; and send approval mail to the user

Result: compliant identity management.
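The six-step flow above as an added, runnable model; this is illustration code, not SAP NetWeaver Identity Management or SAP GRC Access Control code. The segregation-of-duties rules, role names, users and target systems are constructed, and the point shown is that provisioning (step 6) refuses to run until approval (steps 2 and 3) and risk analysis with remediation (steps 4 and 5) are both complete.

```python
"""Added example (not SAP code): a minimal model of the six-step compliant
identity management flow above. Roles, SoD rules and users are constructed."""
from dataclasses import dataclass, field

# Constructed segregation-of-duties (SoD) rules: holding every role of a
# combination is an access risk, keyed by a constructed risk id.
SOD_RULES = {
    "SOD-001": frozenset({"AP_CREATE_VENDOR", "AP_PAY_INVOICE"}),
    "SOD-002": frozenset({"HR_MAINTAIN_SALARY", "HR_RUN_PAYROLL"}),
}
PROVISIONABLE = {"risk_free", "approved_with_mitigation"}  # step 6 may start


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    approvals: dict = field(default_factory=dict)    # approver -> granted?
    analyzed: bool = False                           # has step 4 run?
    risks: list = field(default_factory=list)        # violated SoD rule ids
    mitigations: dict = field(default_factory=dict)  # risk id -> control id
    provisioned: list = field(default_factory=list)  # target systems written
    status: str = "requested"


def submit_request(user, roles):
    """Step 1: the user asks for roles / privileges / a user account."""
    return AccessRequest(user=user, roles=frozenset(roles))


def record_approval(req, approver, granted):
    """Steps 2 and 3: an approver (manager, delegate, role owner, application
    owner, ...) decides; a single rejection is final."""
    req.approvals[approver] = granted
    if not granted:
        req.status = "rejected"
    elif req.status == "requested":
        req.status = "awaiting_risk_analysis"
    return req.status


def risk_analysis(req, store):
    """Step 4: roles already held (identity store) plus the requested ones are
    checked against the SoD rules."""
    if req.status == "rejected":
        return req.risks
    effective = store.get(req.user, set()) | req.roles
    req.risks = sorted(rid for rid, combo in SOD_RULES.items() if combo <= effective)
    req.analyzed = True
    req.status = "risk_found" if req.risks else "risk_free"
    return req.risks


def remediate(req, decision, store, mitigations=None, drop_roles=()):
    """Step 5: the compliance team rejects, approves (only if no risk is open),
    mitigates (one control per risk) or modifies the request (drops roles and
    re-runs the analysis)."""
    if not req.analyzed:
        raise ValueError("risk analysis (step 4) has not run")
    if req.status == "rejected":
        return req.status
    if decision == "reject":
        req.status = "rejected"
    elif decision == "approve":
        if req.risks:
            raise ValueError(f"open risks {req.risks} need mitigation or a modified request")
        req.status = "risk_free"
    elif decision == "mitigate":
        missing = [r for r in req.risks if r not in (mitigations or {})]
        if missing:
            raise ValueError(f"no mitigating control for {missing}")
        req.mitigations = dict(mitigations)
        req.status = "approved_with_mitigation"
    elif decision == "modify":
        req.roles = req.roles - frozenset(drop_roles)
        risk_analysis(req, store)
    else:
        raise ValueError(f"unknown decision {decision!r}")
    return req.status


def provision(req, target_systems, store):
    """Step 6: write the assignment to the target systems and the identity
    store; refused unless approval and risk handling are both complete."""
    if req.status not in PROVISIONABLE:
        raise PermissionError(f"status {req.status!r} is not provisionable")
    if not req.approvals or not all(req.approvals.values()):
        raise PermissionError("approval missing")
    store.setdefault(req.user, set()).update(req.roles)
    req.provisioned = list(target_systems)
    req.status = "provisioned"
    return f"{req.user}: {sorted(req.roles)} provisioned to {req.provisioned}"


if __name__ == "__main__":
    identity_store = {"jack_jones": {"AP_CREATE_VENDOR"}}  # constructed
    req = submit_request("jack_jones", ["AP_PAY_INVOICE", "AP_VIEW_REPORTS"])
    record_approval(req, "manager", True)
    print("risks:", risk_analysis(req, identity_store))  # ['SOD-001']
    remediate(req, "modify", identity_store, drop_roles=["AP_PAY_INVOICE"])
    print(provision(req, ["ERP", "CRM"], identity_store))
```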

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
Centralized user management – centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data – manage user privileges centrally
Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity – simplifies integration with standards-supported Identity Federation

SAP GRC Access Control:
Access Risk Identification – define and understand access risks
Access Analysis and Response – analyze and mitigate access risks
Access Reviews – periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Diagram: SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM); SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter (optional); SAP NW Portal 7.02 with GRC Portal Content (optional); SAP NW BW 7.02 with GRC BI Content (optional); SAP NW Java 7.02 with Adobe Document Services (optional); Identity Management solutions, SAP or non-SAP (optional); front-end client with SAP GUI 7.10, Web Browser, Adobe Flash Player and SAP CR Adapter; connections via http, Web services, RFC and DIAG.)

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events.
Reduce risk through compliance checks and remediation.
Automate manual processes through integration.

(Flow diagram: an HR application event (new hire, change position) triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; finally user creation and role/privilege assignment are provisioned to the heterogeneous landscape.)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Diagram: inputs are attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver, desktop frontend and mobile frontend, logs of infrastructure, logs of database, network logs, IDS and alerts from SAP SolMan; the SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, normalization and aggregation; outputs are an API to other SIEM tools and an information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
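The pipeline stages named on the architecture draft, as an added toy implementation that is not part of the deck and not the planned SAP Attack Monitoring Infrastructure: two constructed record formats (an application-server style log and a syslog-like firewall log) are extracted, filtered, normalized and aggregated, then matched against one constructed attack pattern of the kind an "attack pattern update" would carry.

```python
"""Added example: a toy run through the stages named on the architecture
draft above (extraction, filtering, normalization, aggregation) and a match
against one attack pattern. Illustration code, not the planned SAP Attack
Monitoring Infrastructure; both record formats, the sample records, the
event codes and the pattern are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed application-server style records (pipe separated).
NW_LOG = """\
2013-10-22 08:00:01|LOGON_FAIL|jack_jones|10.0.0.5|wrong password
2013-10-22 08:00:03|LOGON_FAIL|jack_jones|10.0.0.5|wrong password
2013-10-22 08:00:05|LOGON_FAIL|jack_jones|10.0.0.5|wrong password
2013-10-22 08:00:09|LOGON_OK|jack_jones|10.0.0.5|dialog logon
2013-10-22 08:10:00|TXN_START|mary_smith|10.0.0.7|SE16
this line is corrupt and must not crash the connector
"""
# Constructed infrastructure (firewall) records, syslog-like, no year field.
INFRA_LOG = """\
Oct 22 08:05:10 fw01 kernel: DROP src=10.0.0.5 dst=10.0.1.20 proto=TCP dpt=3200
Oct 22 08:05:11 fw01 kernel: ACCEPT src=10.0.0.9 dst=10.0.1.20 proto=TCP dpt=443
"""
NW_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<code>[^|]+)\|(?P<user>[^|]+)\|(?P<host>[^|]+)\|(?P<msg>.*)$")
INFRA_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>\w+) "
                      r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)$")

# Filtering: only these normalized event types leave the pipeline.
INTERESTING = {"LOGON_FAIL", "LOGON_OK", "FW_DROP"}

# Constructed attack pattern: N failed logons, then a success, same user and host.
PATTERN = {"id": "PAT-01", "min_failures": 3, "window": timedelta(seconds=60),
           "text": "repeated failed logons followed by a successful logon from the same host"}


def extract(text, regex):
    """Extraction: raw text to field dicts; unparsable lines are counted, not dropped silently."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return records, unparsed


def normalize_nw(rec):
    """Normalization: one common event schema regardless of the source format."""
    return {"ts": datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S"), "source": "netweaver",
            "event": rec["code"], "user": rec["user"], "host": rec["host"], "detail": rec["msg"]}


def normalize_infra(rec, year=2013):
    # syslog lines carry no year; the connector has to supply it
    return {"ts": datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S"),
            "source": "infrastructure", "event": "FW_" + rec["action"], "user": None,
            "host": rec["src"], "detail": f"{rec['dst']}:{rec['dpt']}/{rec['proto']}"}


def aggregate(events):
    """Aggregation: event counts per source and type, e.g. for a SIEM dashboard."""
    return Counter((e["source"], e["event"]) for e in events)


def match_pattern(events, pat=PATTERN):
    """Correlate logon events per (user, host): enough failures inside the
    window before a success raise one alert."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] in ("LOGON_FAIL", "LOGON_OK"):
            by_key[(ev["user"], ev["host"])].append(ev)
    alerts = []
    for (user, host), evs in by_key.items():
        failures = []
        for ev in evs:
            if ev["event"] == "LOGON_FAIL":
                failures.append(ev["ts"])
                continue
            recent = [t for t in failures if ev["ts"] - t <= pat["window"]]
            if len(recent) >= pat["min_failures"]:
                alerts.append({"pattern": pat["id"], "user": user, "host": host,
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            failures = []
    return alerts


def run_pipeline():
    """Connectivity would hand the raw texts in; returns (unparsed count, counts, alerts)."""
    nw, bad_nw = extract(NW_LOG, NW_RE)
    infra, bad_infra = extract(INFRA_LOG, INFRA_RE)
    events = [normalize_nw(r) for r in nw] + [normalize_infra(r) for r in infra]
    events = [e for e in events if e["event"] in INTERESTING]
    return bad_nw + bad_infra, aggregate(events), match_pattern(events)


if __name__ == "__main__":
    unparsed, counts, alerts = run_pipeline()
    print(unparsed, dict(counts), alerts)
```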

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.
The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.
SAP leads in the industry by helping our customers to thrive in today's business networks.

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web:
SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops:
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
httpsaptechedhandsonsapcom

SAP TechEd Online:
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 34: SIS100 - Overview About Product Security, IDM and SSO

Monitoring and Auditing in ABAP- and Java-Based SAP Solutions

(Screenshots: configuration and results of the Security Audit Log in ABAP, transactions SM18, SM19, SM20; results of the Log Viewer in Java.)

Logging and Monitoring – AS ABAP Tools Overview

Audit Information System: used to ensure secure and compliant operations of business functions. Target audience: auditor.
Read Access Log: used to ensure compliant access to sensitive or classified data; allows tracking of who accessed which data, when, and via which interface. Target audience: data protection officer.
Security Audit Log: monitoring of security-relevant events in the system, like logon, access control violations, and more. Target audience: security administrator.

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Diagram: audit planning and work program (system audit, business audit); online controls on the SAP database: system information, reconciliation, BS, P&L, account balances, documents; data export of account balances and line items via the export interface to the non-SAP environment: analysis software (ACL, IDEA, …), reporting software, work paper preparation and report; exported objects include line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ….)

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:
Who accessed the data
Which data was accessed
When the data was accessed
How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
user interfaces used to access the data
operations executed on remote APIs
users using the remote APIs / user interfaces
entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

(Diagram: ABAP server with application, Web Dynpro and the read access log.)

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
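The who / which data / when / via which channel record and the filtering described above, as an added example that is not part of the deck and not the SAP Read Access Logging framework: a configuration decides per entity which channels are in scope and, per field, whether the value, a masked form or only the fact of the read is written. Entity, field and channel names, the masking rule and the sample business partner record are constructed.

```python
"""Added example: a small read access log in the spirit of the framework
described above (who, which data, when, via which channel) with a filter
configuration that keeps private data out of the log. Illustration code,
not the SAP Read Access Logging framework; channel names, entity and field
names, the masking rule and the sample records are constructed."""

# Constructed logging configuration per entity: which channels are in scope
# and, per field, how much of it is written: "value", "masked" (last four
# characters only) or "accessed" (the fact of the read, never the content).
RAL_CONFIG = {
    "BUSINESS_PARTNER": {
        "channels": {"SAP_GUI", "WEB_DYNPRO", "RFC"},
        "fields": {"PARTNER_ID": "value", "NAME": "value",
                   "CARD_NUMBER": "masked", "SALARY": "accessed"},
    }
}


def mask(value, keep=4):
    """Keep only the trailing characters, as is common for card numbers."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]


def log_read_access(log, who, when, channel, entity, record, config=RAL_CONFIG, ui=None):
    """Append one entry if the access is in scope of the configuration; fields
    that the configuration does not name are not logged at all.
    Returns the entry, or None when nothing was logged."""
    cfg = config.get(entity)
    if cfg is None or channel not in cfg["channels"]:
        return None
    which = {}
    for name, mode in cfg["fields"].items():
        if name not in record:
            continue
        if mode == "value":
            which[name] = record[name]
        elif mode == "masked":
            which[name] = mask(record[name])
        else:
            which[name] = "<accessed>"
    entry = {"who": who, "when": when, "channel": channel, "ui": ui,
             "entity": entity, "which": which}
    log.append(entry)
    return entry


def who_accessed(log, entity, field_name):
    """Evaluation: (user, when, channel) for every logged read of one field."""
    return [(e["who"], e["when"], e["channel"]) for e in log
            if e["entity"] == entity and field_name in e["which"]]


if __name__ == "__main__":
    ral = []
    bp = {"PARTNER_ID": "100042", "NAME": "Example Corp",     # constructed record
          "CARD_NUMBER": "4111111111111111", "SALARY": 54000,
          "INTERNAL_NOTE": "not configured, never logged"}
    print(log_read_access(ral, "jack_jones", "2013-10-22T09:00:00", "SAP_GUI",
                          "BUSINESS_PARTNER", bp, ui="BP"))
    print(who_accessed(ral, "BUSINESS_PARTNER", "CARD_NUMBER"))
```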

SAP Custom Development – User Interface (UI) Logging

(Diagram: the data traffic between SAP GUI for Windows and the Dynpro processor (request, response) of the SAP backend system is observed; the delivered sample implementation writes a temporary log and calls the log service asynchronously, which writes to the permanent log storage in the repository.)

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

(Screenshot: log record of transaction BP (Business Partner).)

UI Logging: Log Record Example II

(Screenshot: log record of transaction SE16 (Table Viewer).)

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
LOPD was first available with the BW 7.0 release.
Within the solution you can configure the information to be logged per InfoProvider.
The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel | Supported by Read Access Logging | UI Logging Solution
SAP GUI | No | 7.00…7.31
Web Dynpro ABAP | 7.40 SP02 | On request
CRM Web Client UI | No | 7.00…7.31
Business Warehouse | No | 7.00…7.31, BW 7.0
Web Services | 7.40 | On request
SAP RFC | 7.40 SP02 | On request
Business Server Pages (BSP) | No | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.)

Digital signatures for legally binding contracts
Integration with Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions.
Programming/integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of Secure Login Library with client actions; hardware support needed.

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included

(Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application server, and SAP application servers connect to each other via SNC.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Figure: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management.)

SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at the transitions Planning to Development, Development to Production, and Production to Ramp Up.

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

SAP Security Services Overview (1/2)

• SAP Security Patch Day
  – SAP security notes: second Tuesday every month
• SAP Active Global Support security tools and services
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

• SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
• SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit Web Enabled Content
• SAP Gateway and SAP Message Server Security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC Connectivity
• Password Management: Password Policy, Password Hashes, Default Passwords
• Secure Session Handling

(Topics from the security recommendations, discussed later.)

Patch Management and Security Monitoring

• Check the security of your systems onsite, remote, or as self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
  – The most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Figure: four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.)

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Figure: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. DAST – find vulnerabilities in the running application; SAST – find vulnerabilities by analyzing the sources.)

• SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for
• spotlight news
• checking the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
  – Booking code: P_ADM_SEC_70

Topic – Course ID
• Authorizations AS ABAP – ADM940
• Authorizations AS Java / Portal – ADM200, EP200, ADM800
• Authorizations BW – BW365
• SAP NetWeaver Identity Management – ADM920
• Security Auditing – ADM950
• Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels
• EAL 1 – Functionally tested
• EAL 2 – Structurally tested
• EAL 3 – Methodically tested and checked
• EAL 4 – Methodically designed, tested and reviewed
• EAL 5 – Semi-formally designed and tested
• EAL 6 – Semi-formally verified, designed and tested
• EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA Certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications. XACML-based and policy-enforced access.
• Identity Federation: Web based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross company domain single sign-on.
• Secure Login: Single sign-on for Web-based and Web service-based applications. Standard-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.
• Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet). Secured and automated login via user and password.

SAP NetWeaver
• SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross application and cross domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User to application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Figure: after a primary authentication, E-SSO handles the logon of user jack_jones to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application; an E-SSO Monitor and a Local Management Console are shown alongside.)

Secure Login – Solution Architecture

(Figure: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client and Web Browser with SLWC (Applet), Key Store and SAP or Java Crypto Library; SAP Backend System with ABAP Stack (Secure Login Library, PSE Service) and Java Stack; NetWeaver CE 7.2 with Secure Login Server and Config Data; Authentication Server (e.g. SAP User Management); further Backend Systems with Secure Login Lib; protocols DIAG/SNC and HTTP(S).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Figure: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM and further systems, plus the Cloud.)

Identity Federation – Solution

(Figure: Company A with Datacenter A and Company B with Datacenter B; ERP, CRM and SCM in each datacenter act as Service Providers (SP), each company runs an Identity Provider, and identity federation links the two Identity Providers.)

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Figure: SAP NetWeaver Java Identity Provider with a user account; Service Providers – SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP – each with a user account; log on / log off and SAML token exchanged between the browser, the Identity Provider and the Service Providers.)

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
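The redirect-and-token exchange described above, as an added example (not SAP code): a minimal Python model of SP-initiated web browser SSO, where the user authenticates once at the Identity Provider and two Service Providers accept its signed assertion without asking for credentials again. The IdentityProvider, ServiceProvider and Browser classes, the entity IDs and the user account are constructed for the demo; the assertion is a signed dictionary with an HMAC standing in for SAML's XML signature, and each SP validates issuer, audience, validity window and replay before creating its own session.

```python
import hashlib
import hmac
import json
import secrets
import time


def canonical(assertion: dict) -> bytes:
    # Deterministic encoding so that issuer and verifier MAC the same bytes.
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Authenticates a user once, then issues signed assertions for any trusting SP."""

    def __init__(self, entity_id: str, users: dict, signing_key: bytes):
        self.entity_id = entity_id
        self.users = users            # username -> password; constructed sample accounts
        self.key = signing_key        # HMAC key; a real IdP signs with its X.509 key pair
        self.sessions = {}            # IdP session cookie -> authenticated user

    def handle_authn_request(self, idp_cookie: str, sp_entity_id: str,
                             credentials=None, now: float = None) -> dict:
        now = time.time() if now is None else now
        user = self.sessions.get(idp_cookie)
        if user is None:
            # No IdP session yet: the only interactive logon in the whole flow.
            if credentials is None or self.users.get(credentials[0]) != credentials[1]:
                raise PermissionError("authentication failed at the Identity Provider")
            user = credentials[0]
            self.sessions[idp_cookie] = user
        assertion = {
            "id": secrets.token_hex(8),
            "issuer": self.entity_id,
            "audience": sp_entity_id,        # bound to one SP (SAML AudienceRestriction)
            "subject": user,
            "not_on_or_after": now + 300,    # short validity window
        }
        signature = hmac.new(self.key, canonical(assertion), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "signature": signature}


class ServiceProvider:
    """Trusts exactly one IdP and never sees the user's password."""

    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key
        self.seen_assertion_ids = set()   # replay protection

    def consume(self, token: dict, now: float = None) -> str:
        """Assertion consumer service: validate the token and return the subject."""
        now = time.time() if now is None else now
        assertion, signature = token["assertion"], token["signature"]
        expected = hmac.new(self.idp_key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("signature does not verify")
        if assertion["issuer"] != self.idp_entity_id:
            raise ValueError("assertion from an untrusted issuer")
        if assertion["audience"] != self.entity_id:
            raise ValueError("assertion was issued for a different SP")
        if now >= assertion["not_on_or_after"]:
            raise ValueError("assertion expired")
        if assertion["id"] in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(assertion["id"])
        return assertion["subject"]


class Browser:
    def __init__(self):
        self.idp_cookie = secrets.token_hex(8)  # cookie scoped to the IdP
        self.sp_sessions = {}                   # SP entity id -> logged-on user


def access(browser: Browser, sp: ServiceProvider, idp: IdentityProvider,
           resource: str, credentials=None, now: float = None) -> str:
    """One browser request for an SP resource; returns a description of the served page."""
    user = browser.sp_sessions.get(sp.entity_id)
    if user is None:
        # 1. No SP session: the SP redirects the browser to the IdP with an AuthnRequest.
        token = idp.handle_authn_request(browser.idp_cookie, sp.entity_id, credentials, now)
        # 2. The browser posts the signed response to the SP, which validates it.
        user = sp.consume(token, now)
        browser.sp_sessions[sp.entity_id] = user
    return f"{resource} served to {user} by {sp.entity_id}"


def demo() -> list:
    key = secrets.token_bytes(32)  # constructed IdP signing key
    idp = IdentityProvider("idp.example", {"jack_jones": "s3cret!"}, key)
    sp_abap = ServiceProvider("abap.example", "idp.example", key)
    sp_java = ServiceProvider("java.example", "idp.example", key)
    browser = Browser()
    first = access(browser, sp_abap, idp, "/sap/bc/home", ("jack_jones", "s3cret!"))
    second = access(browser, sp_java, idp, "/portal")   # no credentials: SSO via IdP session
    return [first, second]


if __name__ == "__main__":
    print("\n".join(demo()))
```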

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Figure: an HR event, e.g. on-boarding, feeds SAP NetWeaver Identity Management with its Central Identity Store; SAP Access Control (GRC) and SAP Business Suite integration alongside.)

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

(Figure: Identity Center with IC database – either MS-SQL or Oracle-DB, soon IBM-DB2 – holding stored procedures, logs, audit and IdS; Runtime (Java), Runtime (VB), DSE (VB), Dispatcher and Event Agent (<<Starts>>); Virtual Directory Server (VDS) in a Java VM, reached via LDAP; AS Java with Web Dynpro ID Mgmt UI, UI abstraction and JMX; MMC Management Console, soon to be Eclipse; External repositories – LDAP, Java, ABAP, Web Services, Active Directory, etc.; External applications – SAP HR, LDAP/Web Services, SiteMinder, app specific; connections over HTTPS and the DB protocol.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

(Figure: User, SAP NetWeaver Identity Management, Approver, SAP GRC Access Control and Compliance Team, with the numbered steps below.)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Figure: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (Software Component GRCFND_A); SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in GRCPINW), HR Function Modules and PC Automated Controls (Plug-in GRCPIERP), connected via RFC; Non-SAP Business Applications via Adapter; Identity Management Solutions (SAP or Non-SAP), optional; SAP NW Portal 7.02 with GRC Portal Content, optional; SAP NW BW 7.02 with GRC BI Content, optional; SAP NW JAVA 7.02 with Adobe Document Services, optional; Front-End Client with SAP GUI 7.10, Web Browser, Adobe Flash Player and SAP CR Adapter, connected via DIAG, http and Web services; Content Lifecycle Management (CLM); SAP GRC 10.0.)

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Figure: the HR Application raises a New Hire or Change Position event; Identity Management calculates entitlements based on position; the Line Manager approves the assignments (Yes/No); SAP GRC Access Control runs the compliance check and remediation; users are created and roles/privileges assigned across the heterogeneous landscape.)

Moving Security to the next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure: SAP Attack Monitoring Infrastructure with the stages Connectivity, Extraction, Filtering, Normalization and Aggregation. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; network logs; IDS; alerts from SAP SolMan. Outputs: API to other SIEM tools; information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 35: SIS100 - Overview About Product Security, IDM and SSO


Logging and Monitoring – AS ABAP Tools Overview

• Audit Information System
  – Used to ensure secure and compliant operations of business functions
  – Target audience: Auditor
• Read Access Log
  – Used to ensure compliant access to sensitive or classified data
  – Allows tracking who did access which data, when, and via which interface
  – Target audience: Data Protection Officer
• Security Audit Log
  – Monitoring of security relevant events in the system like logon, access control violations and more
  – Target audience: Security Administrator

Monitoring and Auditing: The SAP Audit Information System (AIS)

(Figure: SAP Environment – audit planning and work program (system audit, business audit), online controls on the SAP database (system information, reconciliation, BS/P&L, account balances, documents), data export (account balances, line items) through an export interface; Non-SAP Environment – work paper preparation, reports, analysis software (ACL, IDEA, …) and reporting software over line items, balances, accounts, customers, vendors, assets, material, orders, invoices, ….)

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging Features

Read Access Logging (RAL) allows to log all access to classified or sensitive data and

supports the evaluation of these events It allows to track

Who did access the data

Which data was accessed

When was the data accessed

How did the data access take part via which transaction or user interface

Amount of detail to be logged is customizable based on

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs user interfaces

entities and their content

Session SIS104 ndash Finding the Leak ndash Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP Server – Application (Web Dynpro) – Read Access Log]

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
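The who/what/when/how record and the filtering described above, as an added example that is not SAP's Read Access Logging implementation: channel names, entity and field names, the masking rule and the four access events are constructed for illustration, and a masked field keeps only its last four characters in the log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed logging configuration (not RAL's real configuration objects):
# which channels are in scope, and for each classified entity field whether
# the value may be stored ("value") or only the fact that it was read ("masked").
LOGGED_CHANNELS = {"SAP GUI", "Web Dynpro ABAP", "Web Service", "RFC"}
FIELD_POLICY: Dict[str, Dict[str, str]] = {
    "BusinessPartner": {"TAX_ID": "masked", "BIRTHDATE": "masked", "CITY": "value"},
    "Payment": {"CARD_NUMBER": "masked", "AMOUNT": "value"},
}


@dataclass
class AccessEvent:
    user: str
    channel: str
    operation: str          # transaction, UI or remote API that showed the data
    entity: str
    fields: Dict[str, str]  # field name -> value presented to the user
    at: datetime


@dataclass
class LogRecord:
    user: str
    channel: str
    operation: str
    entity: str
    at: str
    fields: Dict[str, str] = field(default_factory=dict)


def mask(value: str) -> str:
    """Keep only the last four characters: enough to correlate, never the full value."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def log_access(event: AccessEvent) -> Optional[LogRecord]:
    """Return the record to write for this event, or None if it is out of scope."""
    if event.channel not in LOGGED_CHANNELS:
        return None
    policy = FIELD_POLICY.get(event.entity)
    if not policy:
        return None  # entity carries no classified fields: nothing to log
    logged = {}
    for name, value in event.fields.items():
        rule = policy.get(name)
        if rule is None:
            continue  # unclassified field: stays out of the log entirely
        logged[name] = value if rule == "value" else mask(value)
    if not logged:
        return None
    return LogRecord(event.user, event.channel, event.operation, event.entity,
                     event.at.isoformat(), logged)


def who_read(records: List[LogRecord], entity: str, field_name: str) -> List[str]:
    """Evaluation side: who read a given field, when, and via which channel/operation."""
    return [f"{r.user} via {r.channel}/{r.operation} at {r.at}"
            for r in records if r.entity == entity and field_name in r.fields]


def run_sample() -> List[LogRecord]:
    """Four constructed access events; only two of them produce log records."""
    t = datetime(2013, 11, 5, 9, 15, tzinfo=timezone.utc)
    events = [
        AccessEvent("jdoe", "SAP GUI", "BP", "BusinessPartner",
                    {"TAX_ID": "DE123456789", "CITY": "Walldorf", "NAME": "Example AG"}, t),
        AccessEvent("svc_rfc", "RFC", "Z_PAYMENT_GET_RFC", "Payment",
                    {"CARD_NUMBER": "4111111111111111", "AMOUNT": "120.00"}, t),
        AccessEvent("jdoe", "Batch", "Z_BATCH_JOB", "BusinessPartner",   # channel not configured
                    {"TAX_ID": "DE123456789"}, t),
        AccessEvent("asmith", "Web Dynpro ABAP", "WD_MATERIAL", "Material",  # no classified fields
                    {"MATNR": "100-100"}, t),
    ]
    return [rec for rec in map(log_access, events) if rec is not None]
```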

SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows exchanges requests and responses with the Dynpro Processor in the SAP backend system; the observed data traffic is passed to the application logic (delivered sample implementation), written to a temporary log, and moved by an asynchronous call of the log service into permanent log storage in the repository.]

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI Logging solution for releases before NW 7.40. UI Logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging Log Record Example I

Transaction BP (Business Partner) log record [screenshot not included]

UI Logging Log Record Example II

Transaction SE16 (Table Viewer) log record [screenshot not included]

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).
- LOPD was first available with the BW 7.0 release.
- Within the solution you can configure the information to be logged per InfoProvider.
- The LOPD logging mechanism first does a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31 (BW 7.0)
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging – Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library with SAP CRYPTOLIB or the Secure Login Library]

- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

[Diagram: steps 1–4 between the SAP Client and the application]

Supported out-of-the-box for a set of SAP transactions. Programming/integration necessary in case of:
- ABAP programming for other transactions not yet supporting SSF
- Integration of Secure Login Library with client actions
- Hardware support needed

SNC Client Encryption

Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to the SAP application server; SNC also protects the server-to-server communication between SAP application servers.]

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: SAP's secure software development on one side; on the customers' side secure software development, security services and security management. The following slides highlight each of these areas in turn.]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

(From the SAP security recommendations; discussed later.)

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- The most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, lightweight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: spectrum from manual source code review and automated source code analysis (SAST – find vulnerabilities by analyzing the sources) to automated application vulnerability scanning and manual application penetration testing (DAST – find vulnerabilities in the running application)]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: the same spectrum – manual source code review, automated source code analysis (SAST: find vulnerabilities by analyzing the sources), automated application vulnerability scanning, manual application penetration testing (DAST: find vulnerabilities in the running application) – with the SAP NetWeaver Application Server add-on for code vulnerability analysis positioned at automated source code analysis]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for Spotlight News:
- check the security notes released on the Security Patch Days
- subscribe to the SAP Support Portal newsletter
- maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test
- Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
- Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram: Compliance and Governance – SAP GRC Access Control; Identity Management – SAP NetWeaver Identity Management; Authentication and Single Sign-On – SAP NetWeaver Single Sign-On]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures, re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption (part of SAP NetWeaver)
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (Partner / API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after the primary authentication, the E-SSO monitor on the client, controlled from a local management console, supplies the stored credentials (user jack_jones) to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.]

Secure Login – Solution Architecture

[Diagram: client system with SAP frontend (NWBC, SAP GUI) plus Secure Login Client, or a web browser with the SLWC (applet) and key store; SAP backend system with ABAP stack and Secure Login Library, reached via DIAG/SNC and HTTP(S); Secure Login Server on the NetWeaver CE 7.2 Java stack with config data, PSE service and SAP or Java crypto library; authentication server (e.g. SAP User Management) behind it.]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus the cloud]

Identity Federation – Solution

[Diagram: Company A and Company B each run their own Identity Provider; ERP, CRM and SCM in Datacenter A and Datacenter B act as Service Providers (SP); identity federation links the two Identity Providers]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an SAP NetWeaver Java Identity Provider (user account) issues SAML tokens to SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers (each with their own user account); log on / log off]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
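The redirect-to-IdP flow described above, as an added example that is neither SAP's nor a SAML library's code: it walks one web user through one Identity Provider and two Service Providers and shows the checks a Service Provider makes before it trusts a token. Assumptions: entity IDs, the user and the key are constructed, and the XML-DSig signature over a SAML XML assertion is replaced by an HMAC over a sorted JSON form of the same fields.

```python
import hashlib, hmac, json, secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

def canonical(assertion: Dict) -> bytes:
    # Stand-in for XML canonicalization: every field except the signature.
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()

def sign(key: bytes, assertion: Dict) -> str:
    # Stand-in for XML-DSig (assumption of this example): HMAC-SHA256 over the canonical form.
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self, entity_id: str, key: bytes, users: Dict[str, str]):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.sessions = set()  # users who already authenticated at the IdP

    def authenticate(self, user: str, password: str) -> bool:
        # Constructed credential check; a real IdP would use Kerberos, X.509, ...
        if self.users.get(user) == password:
            self.sessions.add(user)
            return True
        return False

    def issue(self, user: str, request_id: str, audience: str, now: datetime) -> Dict:
        """Answer an AuthnRequest with a signed (simplified) assertion."""
        if user not in self.sessions:
            raise PermissionError("user must authenticate at the IdP first")
        assertion = {
            "id": secrets.token_hex(8),
            "issuer": self.entity_id,
            "subject": user,
            "audience": audience,
            "in_response_to": request_id,
            "not_before": now.isoformat(),
            "not_on_or_after": (now + timedelta(minutes=5)).isoformat(),
        }
        assertion["signature"] = sign(self.key, assertion)
        return assertion

class ServiceProvider:
    def __init__(self, entity_id: str, trusted_issuer: str, idp_key: bytes):
        self.entity_id, self.trusted_issuer, self.idp_key = entity_id, trusted_issuer, idp_key
        self.pending = set()   # AuthnRequest IDs sent to the IdP and not yet answered
        self.consumed = set()  # assertion IDs already accepted (replay protection)

    def start_login(self) -> str:
        """Unauthenticated web user: create the AuthnRequest and redirect to the IdP."""
        request_id = "req-" + secrets.token_hex(6)
        self.pending.add(request_id)
        return request_id

    def consume(self, assertion: Dict, now: datetime) -> Tuple[bool, str]:
        """The checks an SP must pass before it logs the subject on."""
        if not hmac.compare_digest(sign(self.idp_key, assertion), assertion.get("signature", "")):
            return False, "bad signature"
        if assertion["issuer"] != self.trusted_issuer:
            return False, "untrusted issuer"
        if assertion["audience"] != self.entity_id:
            return False, "wrong audience"
        if not (datetime.fromisoformat(assertion["not_before"]) <= now
                < datetime.fromisoformat(assertion["not_on_or_after"])):
            return False, "outside validity window"
        if assertion["id"] in self.consumed:
            return False, "replay"
        if assertion["in_response_to"] not in self.pending:
            return False, "unsolicited response"
        self.pending.discard(assertion["in_response_to"])
        self.consumed.add(assertion["id"])
        return True, assertion["subject"]

def sso_demo() -> Dict[str, str]:
    """The flow on the slide: one IdP, two SPs, the user authenticates only once."""
    key = secrets.token_bytes(32)  # constructed IdP key that both SPs trust
    idp = IdentityProvider("https://idp.example/saml", key, {"jdoe": "correct horse"})
    erp = ServiceProvider("https://erp.example/sp", idp.entity_id, key)
    crm = ServiceProvider("https://crm.example/sp", idp.entity_id, key)
    now = datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)
    out = {}
    # 1. User opens ERP, is redirected to the IdP, authenticates, returns with a token.
    req = erp.start_login()
    idp.authenticate("jdoe", "correct horse")
    token = idp.issue("jdoe", req, erp.entity_id, now)
    out["erp"] = erp.consume(token, now)[1]
    # 2. The same token posted a second time is rejected.
    out["replay"] = erp.consume(token, now)[1]
    # 3. A token issued for ERP is not accepted by CRM.
    out["wrong_audience"] = crm.consume(token, now)[1]
    # 4. CRM gets its own token from the existing IdP session: no second logon.
    out["crm"] = crm.consume(idp.issue("jdoe", crm.start_login(), crm.entity_id, now), now)[1]
    # 5. A changed subject breaks the signature; a token used too late is expired.
    forged = dict(idp.issue("jdoe", erp.start_login(), erp.entity_id, now), subject="admin")
    out["tampered"] = erp.consume(forged, now)[1]
    stale = idp.issue("jdoe", erp.start_login(), erp.entity_id, now)
    out["expired"] = erp.consume(stale, now + timedelta(minutes=10))[1]
    return out
```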

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)

Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management around a central identity store, triggered e.g. by on-boarding; SAP Access Control (GRC) for compliance checks; SAP Business Suite integration]

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with the IC database (either MS SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), a dispatcher that starts the event agent, the runtime (Java), the runtime (VB) and the DSE (VB); the Virtual Directory Server (VDS) in a Java VM speaking LDAP; AS Java hosting the Web Dynpro ID management UI abstraction, the user interface and the identity services over HTTPS; the management console (MMC, soon to be Eclipse) attached via JMX; external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, app-specific) connected through the respective database and directory protocols.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram: the request moves between the User, SAP NetWeaver Identity Management, the Approver, SAP GRC Access Control and the Compliance Team in six numbered steps]

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis (SAP GRC Access Control) to: manager, delegate, role owner, application owner, …
5. Risk analysis and remediation by the Compliance Team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, … and send approval mail to the User

Result: compliant identity management.
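Steps 4 to 6 of the workflow above (risk analysis, remediation and provisioning), as an added example that is not SAP NetWeaver Identity Management or SAP GRC Access Control code: the SoD rules, role names, users and mitigating-control IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed access-risk rules (not GRC's rule set): pairs of roles one person
# must not hold together, mapped to a risk ID and description.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "R01 create and pay a vendor invoice",
    frozenset({"HR_MAINTAIN_MASTER", "PY_RUN_PAYROLL"}): "R02 change pay data and run payroll",
}
# Constructed mitigating controls the compliance team has approved per risk ID.
MITIGATIONS: Dict[str, str] = {"R01": "C-AP-07 monthly duplicate-payment review"}


@dataclass
class Request:
    user: str
    roles: List[str]
    approved_by: Set[str] = field(default_factory=set)  # step 3: who approved


@dataclass
class Decision:
    outcome: str            # "approve", "mitigate" or "reject"
    risks: List[str]
    controls: List[str]
    provisioned: List[str]


def find_risks(current: Set[str], requested: List[str]) -> List[str]:
    """Step 4: which SoD rules would be violated once the request is provisioned."""
    after = current | set(requested)
    return [name for pair, name in SOD_RULES.items() if pair <= after]


def provision(request: Request, landscape: Dict[str, Set[str]]) -> List[str]:
    """Step 6: assign the roles in the (constructed) target landscape."""
    landscape.setdefault(request.user, set()).update(request.roles)
    return sorted(request.roles)


def analyze(request: Request, landscape: Dict[str, Set[str]]) -> Decision:
    """Steps 4-6: risk analysis, remediation decision, then provisioning or not."""
    if not request.approved_by:
        return Decision("reject", [], [], [])  # nothing reaches risk analysis unapproved
    risks = find_risks(landscape.get(request.user, set()), request.roles)
    controls = [MITIGATIONS[r.split()[0]] for r in risks if r.split()[0] in MITIGATIONS]
    if len(controls) < len(risks):
        return Decision("reject", risks, controls, [])  # an unmitigated risk remains
    outcome = "mitigate" if risks else "approve"
    return Decision(outcome, risks, controls, provision(request, landscape))


def demo() -> Dict[str, Decision]:
    """Four constructed requests against a small landscape of existing assignments."""
    landscape = {"jdoe": {"AP_INVOICE_ENTRY"}, "asmith": {"HR_MAINTAIN_MASTER"}}
    return {
        "clean": analyze(Request("jdoe", ["SD_DISPLAY_ORDERS"], {"manager"}), landscape),
        "mitigated": analyze(Request("jdoe", ["AP_PAYMENT_RELEASE"], {"manager", "role owner"}), landscape),
        "rejected": analyze(Request("asmith", ["PY_RUN_PAYROLL"], {"manager"}), landscape),
        "unapproved": analyze(Request("asmith", ["SD_DISPLAY_ORDERS"], set()), landscape),
    }
```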

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 (AC, PC & RM, software component GRCFND_A) on SAP NetWeaver AS ABAP 7.02, connected via RFC to SAP ERP (4.6C – 7.1) with the plug-ins NW function modules (GRCPINW), HR function modules and PC automated controls (GRCPIERP), and via an adapter to non-SAP business applications; optional components: SAP NW Portal 7.02 with GRC portal content (http), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP) via web services, and Content Lifecycle Management (CLM); front-end client: SAP GUI 7.10 (DIAG) or web browser with Adobe Flash Player (http) and the SAP CR Adapter.]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Process flow (reconstructed from the figure):
1. HR application: new hire or change of position
2. Identity Management: calculate entitlements based on position
3. Line manager: approve assignments (No: stop; Yes: continue)
4. SAP GRC Access Control: compliance check and remediation
5. Identity Management: create user and assign privileges
6. Heterogeneous landscape: create user and assign roles in each target system
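The scenario above as a worked flow, written as an added Go example (not SAP's code): an HR event drives entitlement calculation, line-manager approval, a segregation-of-duties compliance check that stands in for SAP GRC Access Control, and provisioning into a heterogeneous landscape. Position names, role names, SoD rules and target systems are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EventType mirrors the HR events of the scenario.
type EventType string

const (
	NewHire        EventType = "NEW_HIRE"
	ChangePosition EventType = "CHANGE_POSITION"
)

// HREvent is a constructed HR application event (hypothetical fields).
type HREvent struct {
	Type     EventType
	UserID   string
	Position string
}

// Constructed position-to-role mapping; the role names are illustrative,
// not SAP-delivered roles.
var positionRoles = map[string][]string{
	"AP_CLERK":   {"Z_AP_INVOICE_ENTRY"},
	"AP_MANAGER": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"},
	"WAREHOUSE":  {"Z_MM_GOODS_RECEIPT"},
}

// Constructed segregation-of-duties rules: role pairs nobody may hold together.
var sodRules = [][2]string{
	{"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}, // entering and releasing payments
}

// Target systems of the heterogeneous landscape (constructed).
var targetSystems = []string{"ERP", "CRM", "LDAP"}

// Decision is the result of running one event through the process.
type Decision struct {
	UserID     string
	Roles      []string
	Status     string   // PROVISIONED, REJECTED or REMEDIATION_REQUIRED
	Violations []string // SoD conflicts found by the compliance check
	Actions    []string // provisioning actions, one per target system
}

// CalculateEntitlements derives roles from the HR position (step 2).
func CalculateEntitlements(position string) []string {
	roles := append([]string(nil), positionRoles[position]...)
	sort.Strings(roles)
	return roles
}

// CheckSoD is the compliance check (step 4): every violated rule is reported.
func CheckSoD(roles []string) []string {
	have := map[string]bool{}
	for _, r := range roles {
		have[r] = true
	}
	var out []string
	for _, rule := range sodRules {
		if have[rule[0]] && have[rule[1]] {
			out = append(out, rule[0]+" conflicts with "+rule[1])
		}
	}
	return out
}

// ProcessEvent runs the whole flow: entitlements, line-manager approval,
// compliance check, then provisioning to every target system.
func ProcessEvent(ev HREvent, managerApproved bool) Decision {
	d := Decision{UserID: ev.UserID, Roles: CalculateEntitlements(ev.Position)}
	if !managerApproved {
		d.Status = "REJECTED"
		return d
	}
	if d.Violations = CheckSoD(d.Roles); len(d.Violations) > 0 {
		// Remediation is a human decision (drop a role or accept a mitigating
		// control); nothing is provisioned until it has been made.
		d.Status = "REMEDIATION_REQUIRED"
		return d
	}
	d.Status = "PROVISIONED"
	for _, sys := range targetSystems {
		d.Actions = append(d.Actions,
			fmt.Sprintf("%s: create user %s, assign %s", sys, ev.UserID, strings.Join(d.Roles, ",")))
	}
	return d
}

func main() {
	for _, ev := range []HREvent{{NewHire, "JDOE", "AP_CLERK"}, {ChangePosition, "JDOE", "AP_MANAGER"}} {
		d := ProcessEvent(ev, true)
		fmt.Printf("%s %s -> %s %v %v\n", ev.Type, ev.UserID, d.Status, d.Violations, d.Actions)
	}
}
```

The position change to AP_MANAGER is the interesting path: the entitlement calculation alone would grant both roles, and only the compliance check before provisioning stops the conflicting pair from reaching the target systems.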

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Figure residue, reconstructed:

Inputs
- Attack pattern updates by SAP
- Logs of SAP NetWeaver systems
- Logs of non-SAP NetWeaver systems
- Desktop frontend and mobile frontend logs
- Logs of infrastructure
- Logs of database
- Logs of network IDS

SAP Attack Monitoring Infrastructure, stages: Connectivity, Aggregation, Normalization, Filtering, Extraction

Outputs
- API to other SIEM tools
- Alerts from SAP SolMan
- Information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
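To make the pipeline stages concrete, here is an added Go example (not SAP's code and not the planned infrastructure) that normalizes two constructed log formats, filters out unparseable noise, aggregates across sources and applies one attack pattern, a burst of failed logons for the same user. The line formats, host names, users and the threshold are assumptions; the only SAP detail used is that the Security Audit Log reports a successful logon as AU1 and a failed logon as AU2.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is the normalized form every log source is mapped to.
type Event struct {
	Time    time.Time
	Source  string // "netweaver" or "infrastructure"
	User    string // normalized to upper case across sources
	Origin  string // terminal name or IP address
	Outcome string // LOGON_OK or LOGON_FAILED
}

// Alert is the result of one matched attack pattern.
type Alert struct {
	User    string
	Count   int
	Sources []string
}

// SampleLogs is constructed input. The "SAL|" lines imitate Security Audit
// Log entries (AU1 = logon successful, AU2 = logon failed); the others
// imitate an SSH daemon's syslog lines. Hosts, users and times are made up.
var SampleLogs = []string{
	"SAL|2013-10-22T08:00:01Z|AU2|jsmith|PC-4711|Logon failed",
	"SAL|2013-10-22T08:00:07Z|AU2|jsmith|PC-4711|Logon failed",
	"SAL|2013-10-22T08:00:12Z|AU1|mmuster|PC-0815|Logon successful",
	"2013-10-22T08:00:20Z host1 sshd[77]: Failed password for jsmith from 10.0.0.5",
	"2013-10-22T08:00:31Z host1 sshd[78]: Failed password for jsmith from 10.0.0.5",
	"SAL|2013-10-22T08:01:02Z|AU2|JSMITH|PC-4711|Logon failed",
	"SAL|2013-10-22T08:05:00Z|AU2|mmuster|PC-0815|Logon failed",
	"this line is noise from an unknown source and is filtered out",
}

var sshRe = regexp.MustCompile(`^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$`)

// Normalize is the connectivity/normalization/filtering part: lines of a
// known format become Events, everything else is dropped.
func Normalize(lines []string) []Event {
	var events []Event
	for _, line := range lines {
		var e Event
		var tsText string
		if strings.HasPrefix(line, "SAL|") {
			f := strings.Split(line, "|")
			if len(f) != 6 {
				continue
			}
			tsText = f[1]
			e = Event{Source: "netweaver", User: strings.ToUpper(f[3]), Origin: f[4], Outcome: "LOGON_OK"}
			if f[2] == "AU2" {
				e.Outcome = "LOGON_FAILED"
			}
		} else if m := sshRe.FindStringSubmatch(line); m != nil {
			tsText = m[1]
			e = Event{Source: "infrastructure", User: strings.ToUpper(m[3]), Origin: m[4], Outcome: "LOGON_OK"}
			if m[2] == "Failed" {
				e.Outcome = "LOGON_FAILED"
			}
		} else {
			continue // unknown format: filtered out
		}
		ts, err := time.Parse(time.RFC3339, tsText)
		if err != nil {
			continue
		}
		e.Time = ts
		events = append(events, e)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events
}

// DetectFailedLogonBursts applies one constructed pattern over the aggregated
// stream: at least threshold failed logons for the same user within window,
// regardless of source. At most one alert per user.
func DetectFailedLogonBursts(events []Event, threshold int, window time.Duration) []Alert {
	failed := map[string][]Event{} // events are already time-ordered
	for _, e := range events {
		if e.Outcome == "LOGON_FAILED" {
			failed[e.User] = append(failed[e.User], e)
		}
	}
	var alerts []Alert
	for user, evs := range failed {
		for start := 0; start+threshold <= len(evs); start++ {
			end := start + threshold - 1
			if evs[end].Time.Sub(evs[start].Time) > window {
				continue
			}
			seen := map[string]bool{}
			for _, e := range evs[start : end+1] {
				seen[e.Source] = true
			}
			var sources []string
			for s := range seen {
				sources = append(sources, s)
			}
			sort.Strings(sources)
			alerts = append(alerts, Alert{User: user, Count: threshold, Sources: sources})
			break
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	for _, a := range DetectFailedLogonBursts(Normalize(SampleLogs), 5, 2*time.Minute) {
		fmt.Printf("ALERT user=%s failed_logons=%d sources=%v\n", a.User, a.Count, a.Sources)
	}
}
```

The point of normalizing first is visible in the sample: three of JSMITH's failures come from the NetWeaver log and two from the SSH log, and neither source alone would cross the threshold of five.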

Summary – Key Take-Aways

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- httpsaptechedhandsonsapcom

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Monitoring and Auditing: The SAP Audit Information System (AIS)

Figure residue, reconstructed:
- Audit planning: work program (system audit, business audit)
- SAP environment: online controls on the SAP database (system information, reconciliation, balance sheet / P&L, account balances, documents); data export (account balances, line items)
- Export interface to the non-SAP environment: analysis software (ACL, IDEA, …) and reporting software working on line items, balances, accounts, customers, vendors, assets, material, orders, invoices, …
- Working paper preparation and report

Monitoring and Auditing: The SAP Audit Information System (AIS)

The Audit Information System facilitates smoother and better quality audits. It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs. The AIS is the toolbox for the auditor in the SAP environment.

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
- Who accessed the data
- Which data was accessed
- When the data was accessed
- How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
- user interfaces used to access the data
- operations executed on remote APIs
- users using the remote APIs / user interfaces
- entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP: Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Figure residue: ABAP server with an application (Web Dynpro) writing to the Read Access Log.

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.
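The filtering idea above, as an added Go example that is not the RAL framework's code: a constructed configuration decides, per channel and entity, which displayed fields are logged with their value, which are logged by name only, and which are ignored, so the log answers who / which data / when / how without itself becoming a copy of the sensitive data. Channel, entity and field names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// FieldPolicy says what the log may keep of one field of an entity.
type FieldPolicy int

const (
	Ignore    FieldPolicy = iota // not logged at all
	NameOnly                     // log that the field was shown, never its value
	WithValue                    // log the value (only where regulation permits it)
)

// LogConfig is a constructed stand-in for the RAL configuration:
// channel -> entity -> field -> policy.
type LogConfig map[string]map[string]map[string]FieldPolicy

// LogRecord answers who, which data, when and how.
type LogRecord struct {
	Who     string
	Entity  string
	Key     string
	When    time.Time
	Channel string            // how: WEBDYNPRO, SAPGUI, RFC, ... (constructed names)
	UI      string            // transaction or service that displayed the data
	Fields  map[string]string // logged fields; "" means logged by name only
}

// DemoConfig is constructed: the credit-card number is never stored (only the
// fact that it was shown), the tax number is stored, an internal note is ignored.
var DemoConfig = LogConfig{
	"WEBDYNPRO": {
		"BUSINESS_PARTNER": {"CREDIT_CARD": NameOnly, "TAX_NUMBER": WithValue, "NOTE": Ignore},
	},
}

// RecordAccess returns the log record for one display of an entity, or nil
// when nothing logged-worthy was shown or the channel/entity is not
// configured (the framework only logs what the configuration asks for).
func RecordAccess(cfg LogConfig, who, channel, ui, entity, key string, shown map[string]string, at time.Time) *LogRecord {
	policies, ok := cfg[channel][entity]
	if !ok {
		return nil
	}
	rec := &LogRecord{Who: who, Entity: entity, Key: key, When: at, Channel: channel, UI: ui, Fields: map[string]string{}}
	for field, value := range shown {
		switch policies[field] { // unknown fields default to Ignore
		case NameOnly:
			rec.Fields[field] = ""
		case WithValue:
			rec.Fields[field] = value
		}
	}
	if len(rec.Fields) == 0 {
		return nil
	}
	return rec
}

// Query answers "who accessed this entity instance" over a set of records.
func Query(records []*LogRecord, entity, key string) []string {
	seen := map[string]bool{}
	for _, r := range records {
		if r != nil && r.Entity == entity && r.Key == key {
			seen[r.Who] = true
		}
	}
	var users []string
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

func main() {
	// Constructed screen content as the application would pass it to the logger.
	shown := map[string]string{"CREDIT_CARD": "4111111111111111", "TAX_NUMBER": "DE123", "NOTE": "vip", "NAME": "Jones"}
	r := RecordAccess(DemoConfig, "JSMITH", "WEBDYNPRO", "BP_MAINTAIN", "BUSINESS_PARTNER", "100042", shown, time.Now())
	fmt.Printf("%+v\n", r)
	fmt.Println(Query([]*LogRecord{r}, "BUSINESS_PARTNER", "100042"))
}
```

The record still proves that the credit-card field was displayed to JSMITH, which is what an investigation needs, while the number itself never enters the log store; the legal considerations listed later in this deck are the reason such a distinction matters.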

SAP Custom Development – User Interface (UI) Logging

Figure residue, reconstructed: SAP GUI for Windows sends a request to the dynpro processor in the SAP backend system and receives the response; the observed data traffic between dynpro processor and application logic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository (delivered sample implementation).

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I
Transaction BP (Business Partner) log record

UI Logging: Log Record Example II
Transaction SE16 (Table Viewer) log record

Access Logging with Business Warehouse

- SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
- LOPD was first available with the BW 7.0 release
- Within the solution you can configure the information to be logged per InfoProvider
- The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
- For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00 … 7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00 … 7.31
Business Warehouse             No                                 7.00 … 7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

Figure residue: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library.

- Digital signatures for legally binding contracts
- Integration with Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step By Step

Figure residue, reconstructed (SAP client and backend):
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

- Supported out-of-the-box for a set of SAP transactions
- Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF
- Integration of Secure Login Library with client actions
- Hardware support needed
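Steps 3 and 4 above as an added Go example that is not the SSF API or the Secure Login Library: a certificate is issued for the authenticated user (self-signed here, where the Secure Login Server would issue it), the application signs the document's SHA-256 digest with ECDSA, and stores document, signature and certificate together so that a later verification can check the signature, the certificate's validity period and key usage, and that the certificate subject is the claimed signer. User name and document content are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what the application stores (step 4): the document, the
// detached signature and the certificate the signature must be checked against.
type SignedDocument struct {
	Document  []byte
	Signature []byte
	CertDER   []byte
	Signer    string // user the application believes signed
}

// issueCertificate creates a short-lived self-signed certificate for the user.
// In step 3 the certificate comes from the Secure Login Server after the user
// has authenticated; self-signing keeps this example self-contained.
func issueCertificate(user string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SignDocument performs steps 3 and 4 for one document.
func SignDocument(user string, doc []byte) (*SignedDocument, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	certDER, err := issueCertificate(user, key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Document: doc, Signature: sig, CertDER: certDER, Signer: user}, nil
}

// VerifyDocument re-checks a stored signature at time `now`: certificate
// parseable and valid, usable for signing, subject matches the claimed
// signer, and the signature matches the document as stored.
func VerifyDocument(sd *SignedDocument, now time.Time) error {
	cert, err := x509.ParseCertificate(sd.CertDER)
	if err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not valid at verification time")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate not permitted for digital signatures")
	}
	if cert.Subject.CommonName != sd.Signer {
		return errors.New("certificate subject does not match claimed signer")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(sd.Document)
	if !ecdsa.VerifyASN1(pub, digest[:], sd.Signature) {
		return errors.New("signature does not match document")
	}
	return nil
}

func main() {
	sd, err := SignDocument("JSMITH", []byte("purchase order 4711: 120 units"))
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", VerifyDocument(sd, time.Now()))
	sd.Document[0] ^= 1 // one flipped bit in the stored document
	fmt.Println("tampered:", VerifyDocument(sd, time.Now()))
}
```

A production verifier would additionally chain the certificate to a trusted CA (x509.Certificate.Verify with a pool of trusted roots) and check revocation; the example stops at the checks that can be shown self-contained.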

SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
- Compliance
- Integrity
- Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

Figure residue: client side (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) and server side (SAP application servers), with SNC on the client-to-server and server-to-server connections.

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Figure residue, reconstructed: both SAP and customers contribute to secure software development; alongside it stand security services and security management.

Protecting Your SAP Systems – SAP: Secure Software Development

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at planning to development, development to production, and production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state of the art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems – Security Services

SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press

Protecting Your SAP Systems – Security Management

SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in SMP?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check security of your systems as onsite, remote or self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day
- Most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use light-weight tool – short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
- For more information see SAP Note 1532674
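The "verify configuration parameters against targets" and "profile validation" items above, as an added Go example that is not Solution Manager's or LM Automation's code: a small rule engine compares each system's profile parameters with target rules and lists the deviations. The parameter names are well-known AS ABAP profile parameters; the target values, system names and library path are constructed for the example and are not SAP's published recommendations (take those from the security recommendations referenced in this deck).

```go
package main

import (
	"fmt"
	"strconv"
)

// Rule is one target for a profile parameter. Kind is EQUALS, AT_LEAST,
// AT_MOST (both numeric) or NOT_EMPTY.
type Rule struct {
	Param string
	Kind  string
	Want  string
}

// Finding is one deviation between a system and the target.
type Finding struct {
	System, Param, Want, Have string
}

// Targets are constructed target values for real AS ABAP profile parameters.
var Targets = []Rule{
	{"ssl/ssl_lib", "NOT_EMPTY", ""},                       // cryptographic library installed
	{"snc/enable", "EQUALS", "1"},                          // SNC switched on
	{"login/min_password_lng", "AT_LEAST", "10"},           // password policy
	{"login/fails_to_user_lock", "AT_MOST", "5"},           // lock after few failures
	{"login/password_downwards_compatibility", "EQUALS", "0"}, // no weak legacy hashes
}

// Validate compares one system's parameter values with the targets. A missing
// parameter is reported with Have == "<unset>".
func Validate(system string, profile map[string]string, targets []Rule) []Finding {
	var out []Finding
	for _, r := range targets {
		have, present := profile[r.Param]
		ok := false
		switch r.Kind {
		case "NOT_EMPTY":
			ok = present && have != ""
		case "EQUALS":
			ok = present && have == r.Want
		case "AT_LEAST", "AT_MOST":
			h, err1 := strconv.Atoi(have)
			w, err2 := strconv.Atoi(r.Want)
			if present && err1 == nil && err2 == nil {
				if r.Kind == "AT_LEAST" {
					ok = h >= w
				} else {
					ok = h <= w
				}
			}
		}
		if !ok {
			if !present {
				have = "<unset>"
			}
			out = append(out, Finding{System: system, Param: r.Param, Want: r.Kind + " " + r.Want, Have: have})
		}
	}
	return out
}

// Landscape is a constructed set of systems: one hardened, one with gaps.
// The library path is made up for the example.
var Landscape = map[string]map[string]string{
	"PRD": {
		"ssl/ssl_lib":                           "/usr/sap/PRD/SYS/exe/run/libsapcrypto.so",
		"snc/enable":                            "1",
		"login/min_password_lng":                "12",
		"login/fails_to_user_lock":              "5",
		"login/password_downwards_compatibility": "0",
	},
	"DEV": {
		"snc/enable":                            "0",
		"login/min_password_lng":                "6",
		"login/fails_to_user_lock":              "99",
		"login/password_downwards_compatibility": "1",
	},
}

func main() {
	for _, sys := range []string{"PRD", "DEV"} {
		for _, f := range Validate(sys, Landscape[sys], Targets) {
			fmt.Printf("%s %s: want %s, have %s\n", f.System, f.Param, f.Want, f.Have)
		}
	}
}
```

Unset parameters are deliberately reported rather than skipped: a check that silently passes when the parameter is absent would miss the most common configuration gap, a system that never had the setting applied.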

Protecting Your SAP Systems – Customers: Secure Software Development

Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides
How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming - avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations
How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).
- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Figure residue: a spectrum from manual source code review, automated source code analysis and automated application vulnerability scanning to manual application penetration testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Figure residue: the same spectrum, with the SAP NetWeaver Application Server add-on for code vulnerability analysis highlighted. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general: go to the SAP Service Marketplace for
- spotlight news
- check of the security notes released on the Security Patch Days
- subscription to the SAP support portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic                                      Course ID
Authorizations AS ABAP                     ADM940
Authorizations AS Java / Portal            ADM200, EP200, ADM800
Authorizations BW                          BW365
SAP NetWeaver Identity Management          ADM920
Security Auditing                          ADM950
Technical Security (RFC, SSL, SNC, …)      ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels (figure reconstructed):
EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (Radius, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google etc.)
- Cross application and cross domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User to application security for a heterogeneous app environment
- No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Figure residue, reconstructed: after the primary authentication of the user (jack_jones), the E-SSO component and the E-SSO monitor automate the login to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; a local management console administers the E-SSO client.

Secure Login – Solution Architecture

Figure residue, reconstructed:
- Client system: SAP frontend (NWBC, SAP GUI) with Secure Login Client and key store; web browser with SLWC (applet); SAP or Java crypto library
- SAP backend systems: ABAP stack with Secure Login Library and PSE service; Java stack
- NetWeaver CE 7.2: Secure Login Server with configuration data, connected to an authentication server (e.g. SAP User Management)
- Protocols shown: DIAG/SNC between client and ABAP backend; HTTP(S) between client, Secure Login Server and Java stack

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure. Figure residue: Company A (Datacenter A) and Company B (Datacenter B), each with ERP, CRM and SCM systems, plus cloud services.

Identity Federation – Solution

Figure residue: each company runs its own identity provider; the ERP, CRM and SCM systems in both datacenters act as service providers (SP).
- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Figure residue: an SAP NetWeaver Java identity provider (with its user account) exchanges log-on/log-off messages and SAML tokens with service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
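The redirect-and-token flow above from the service provider's side, as an added Go example that is not SAP's identity provider or service provider implementation: a constructed, signed assertion stands in for a SAML 2.0 assertion (a canonical string replaces XML canonicalization and XML-DSig), and the service provider checks signature, issuer, audience, validity window and one-time use before mapping the subject to a local account. Entity IDs, user names and the five-minute lifetime are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML 2.0 assertion.
type Assertion struct {
	ID           string
	Issuer       string
	Subject      string
	Audience     string // entity ID of the service provider this token is for
	NotOnOrAfter time.Time
	Signature    []byte
}

// canonical is what gets signed; it replaces XML canonicalization here.
func (a Assertion) canonical() []byte {
	return []byte(strings.Join([]string{a.ID, a.Issuer, a.Subject, a.Audience, a.NotOnOrAfter.UTC().Format(time.RFC3339)}, "\n"))
}

// IdentityProvider issues assertions after it has authenticated the user.
type IdentityProvider struct {
	EntityID string
	key      *ecdsa.PrivateKey
	counter  int
}

func NewIdentityProvider(entityID string) (*IdentityProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{EntityID: entityID, key: key}, nil
}

// Issue signs a short-lived assertion for user, addressed to one service provider.
func (idp *IdentityProvider) Issue(user, audience string, now time.Time) (Assertion, error) {
	idp.counter++
	a := Assertion{ID: fmt.Sprintf("_%s-%d", idp.EntityID, idp.counter), Issuer: idp.EntityID,
		Subject: user, Audience: audience, NotOnOrAfter: now.Add(5 * time.Minute)}
	digest := sha256.Sum256(a.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, idp.key, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	a.Signature = sig
	return a, nil
}

// ServiceProvider trusts exactly one issuer key and remembers used assertion IDs.
type ServiceProvider struct {
	EntityID      string
	TrustedIssuer string
	IssuerKey     *ecdsa.PublicKey
	seen          map[string]bool
}

func NewServiceProvider(entityID string, idp *IdentityProvider) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, TrustedIssuer: idp.EntityID, IssuerKey: &idp.key.PublicKey, seen: map[string]bool{}}
}

// Accept performs the checks a relying party must do before mapping the
// subject to a local user account. It returns the local user name on success.
func (sp *ServiceProvider) Accept(a Assertion, now time.Time) (string, error) {
	digest := sha256.Sum256(a.canonical())
	if !ecdsa.VerifyASN1(sp.IssuerKey, digest[:], a.Signature) {
		return "", errors.New("signature invalid")
	}
	if a.Issuer != sp.TrustedIssuer {
		return "", errors.New("untrusted issuer")
	}
	if a.Audience != sp.EntityID {
		return "", errors.New("assertion not addressed to this service provider")
	}
	if !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion expired")
	}
	if sp.seen[a.ID] {
		return "", errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true
	return strings.ToUpper(a.Subject), nil // local account naming convention (assumed)
}

func main() {
	idp, _ := NewIdentityProvider("idp.company-a.example")
	erp := NewServiceProvider("erp.company-b.example", idp)
	a, _ := idp.Issue("jsmith", erp.EntityID, time.Now())
	user, err := erp.Accept(a, time.Now())
	fmt.Println(user, err)
	_, err = erp.Accept(a, time.Now()) // same token presented twice
	fmt.Println(err)
}
```

The audience check is what keeps a token issued for the ERP from being replayed against the CRM of the same company, and the issuer and key checks are what make "trusting the identities of another organization" a decision configured once per partner rather than per user.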

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a Central Identity Store, SAP Business Suite integration (e.g. on-boarding) and SAP Access Control (GRC)]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: the Identity Center (IC) database (either MS-SQL or Oracle DB, soon IBM DB2) holds stored procedures, logs, audit data and the identity store (IdS). Runtime (Java) and Runtime (VB) components, a DSE (VB) and a Dispatcher (VB) work against it over the database protocol; an Event Agent «starts» the runtimes. The Virtual Directory Server (VDS) runs in a Java VM and is reached via LDAP. External repositories (AS Java, LDAP, ABAP, Web services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, application-specific, etc.) are connected over HTTPS and the respective protocols. The user interface is Web Dynpro on AS Java behind an ID Mgmt UI abstraction; the Management Console (MMC, soon to be Eclipse) is attached via JMX]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management – Process Flow

[Diagram, built up over slides 91 to 98: User, SAP NetWeaver Identity Management, Approver, SAP GRC Access Control and Compliance Team, connected by the numbered steps below]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (Compliance Team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to the user

Result: Compliant Identity Management
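The six steps above as an added Python model (example code written for this page; not code of SAP NetWeaver Identity Management or SAP GRC Access Control). The SoD rule set, the approver chain and the names `AccessRequest`, `ComplianceWorkflow` and `demo` are constructed for the example. What it adds to the slides is the two checks a practitioner cares about: the risk analysis considers the roles the user already holds together with the requested ones, and provisioning refuses any request that skipped approval or still carries an open risk.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    REQUESTED = auto()
    APPROVED = auto()
    RISK_CHECKED = auto()
    PROVISIONED = auto()
    REJECTED = auto()


# Constructed segregation-of-duties rules: role pairs one person must not hold together.
SOD_RULES = {
    "create-and-pay-vendor": frozenset({"CREATE_VENDOR", "PAY_VENDOR"}),
    "create-and-approve-po": frozenset({"CREATE_PO", "APPROVE_PO"}),
}
REQUIRED_APPROVERS = ("manager", "role_owner")   # constructed approval chain (step 2/3)


@dataclass
class AccessRequest:
    user: str
    roles: frozenset
    state: State = State.REQUESTED
    approvals: dict = field(default_factory=dict)      # approver type -> approver name
    open_risks: set = field(default_factory=set)       # SoD rule IDs still unmitigated
    mitigations: dict = field(default_factory=dict)    # rule ID -> mitigating control
    history: list = field(default_factory=list)        # audit trail of every transition

    def note(self, entry):
        self.history.append(entry)


class ComplianceWorkflow:
    """Drives a request through approval, risk analysis and provisioning; the
    provisioning step refuses anything that skipped a gate."""

    def __init__(self, current_roles):
        self.current_roles = current_roles       # user -> set of roles already held
        self.provisioned = []                    # (user, role) pairs pushed to target systems

    def approve(self, req, approver_type, approver):
        if req.state is not State.REQUESTED or approver_type not in REQUIRED_APPROVERS:
            raise ValueError("approval not expected in state %s" % req.state.name)
        if approver == req.user:
            raise ValueError("self-approval is not allowed")
        req.approvals[approver_type] = approver
        req.note(("approved_by", approver_type, approver))
        if all(a in req.approvals for a in REQUIRED_APPROVERS):
            req.state = State.APPROVED

    def reject(self, req, approver):
        req.state = State.REJECTED
        req.note(("rejected_by", approver))

    def risk_analysis(self, req):
        """Step 4/5: check the roles the user would hold after provisioning, not only the new ones."""
        if req.state is not State.APPROVED:
            raise ValueError("risk analysis requires an approved request")
        resulting = set(self.current_roles.get(req.user, set())) | set(req.roles)
        req.open_risks = {rid for rid, pair in SOD_RULES.items() if pair <= resulting}
        req.state = State.RISK_CHECKED
        req.note(("risk_analysis", sorted(req.open_risks)))
        return sorted(req.open_risks)

    def mitigate(self, req, rule_id, control):
        if rule_id not in req.open_risks:
            raise ValueError("no open risk %s" % rule_id)
        req.mitigations[rule_id] = control
        req.open_risks.discard(rule_id)
        req.note(("mitigated", rule_id, control))

    def provision(self, req):
        """Step 6: only a risk-checked request with no open risks reaches the target systems."""
        if req.state is not State.RISK_CHECKED or req.open_risks:
            return False
        for role in sorted(req.roles):
            self.provisioned.append((req.user, role))
            self.current_roles.setdefault(req.user, set()).add(role)
        req.state = State.PROVISIONED
        req.note(("provisioned", sorted(req.roles)))
        return True


def demo():
    """alice already creates vendors; she now requests the right to pay them."""
    wf = ComplianceWorkflow({"alice": {"CREATE_VENDOR"}})
    req = AccessRequest("alice", frozenset({"PAY_VENDOR"}))
    early = wf.provision(req)                      # step 6 attempted before steps 2 to 5
    wf.approve(req, "manager", "bob")
    wf.approve(req, "role_owner", "carol")
    risks = wf.risk_analysis(req)
    blocked = wf.provision(req)                    # the open SoD risk blocks it
    wf.mitigate(req, "create-and-pay-vendor", "monthly vendor payment review")
    done = wf.provision(req)
    return early, risks, blocked, done, req.state.name, wf.provisioned
```

The `history` list on each request is the audit trail the monitoring and audit bullets on the earlier slide refer to: every approval, risk finding, mitigation and provisioning step is recorded with who did it.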

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM). Connected via RFC: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications through an adapter (optional). Optional components: SAP NW Portal 7.02 with GRC portal content (http), SAP NW BW 7.02 with GRC BI content (RFC), identity management solutions (SAP or non-SAP, via Web services), SAP NW Java 7.02 with Adobe Document Services. Front-end client: SAP GUI 7.10 (DIAG), web browser (http), Adobe Flash Player, SAP CR Adapter]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flow diagram: HR application (new hire, change position) → Identity Management calculates entitlements based on position → Line Manager approves assignments (Yes / No) → SAP GRC Access Control performs compliance check and remediation → create user and assign roles / privileges in each system of the heterogeneous landscape]

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: inputs to the SAP Attack Monitoring Infrastructure are attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, and network logs / IDS. Processing stages: connectivity, extraction, filtering, normalization, aggregation. Outputs: API to other SIEM tools, alerts from SAP SolMan, information back channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
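The extraction, normalization and aggregation stages sketched in the draft above, as an added example (written for this page; not SAP's planned infrastructure or any SAP product): log lines in two constructed, simplified formats are normalized to one event schema, and a pattern over the aggregated events raises an alert for a burst of failed logons for one user across several systems and another for a success that follows such a burst. The log formats and the message IDs in them, the threshold and window, and the names `LogonEvent`, `normalize`, `detect` and `run` are constructed or assumed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in two formats: a simplified SAP NetWeaver audit-log style
# (AU1 = successful logon, AU2 = failed logon) and a syslog line from a non-SAP host.
# They are invented for this example, not real log excerpts.
SAMPLE_LOGS = [
    "2013-10-22T08:15:02 SYS=PRD USER=JSMITH EVENT=AU2 TERM=PC-4711",
    "2013-10-22T08:15:09 SYS=PRD USER=JSMITH EVENT=AU2 TERM=PC-4711",
    "Oct 22 08:15:20 gw01 sshd[233]: Failed password for jsmith from 10.0.0.5",
    "2013-10-22T08:15:31 SYS=ERP USER=JSMITH EVENT=AU2 TERM=PC-4711",
    "2013-10-22T08:16:02 SYS=ERP USER=JSMITH EVENT=AU1 TERM=PC-4711",
    "2013-10-22T08:20:00 SYS=PRD USER=AMEIER EVENT=AU1 TERM=PC-0815",
    "this line is in no known format and is dropped by the extraction stage",
]

NW_RE = re.compile(r"^(\S+) SYS=(\S+) USER=(\S+) EVENT=(AU1|AU2) TERM=(\S+)$")
SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
SYSLOG_YEAR = 2013   # syslog lines carry no year; constructed assumption for the sample


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    system: str
    user: str
    outcome: str     # "success" or "failure"
    origin: str      # terminal or source address


def normalize(line):
    """Extraction + normalization: map any supported format onto one event schema."""
    m = NW_RE.match(line)
    if m:
        ts, system, user, event, term = m.groups()
        return LogonEvent(datetime.fromisoformat(ts), system, user.upper(),
                          "success" if event == "AU1" else "failure", term)
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, result, user, addr = m.groups()
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        return LogonEvent(when, host, user.upper(),
                          "success" if result == "Accepted" else "failure", addr)
    return None          # unknown format: filtered out, never silently mis-parsed


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Aggregation + pattern matching: failed-logon bursts per user across systems,
    and a successful logon that follows such a burst."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        failures = [e for e in evs if e.outcome == "failure"]
        for first in failures:
            burst = [f for f in failures if first.ts <= f.ts < first.ts + window]
            if len(burst) < threshold:
                continue
            alerts.append(("failed_logon_burst", user, sorted({f.system for f in burst})))
            later_success = [e for e in evs
                             if e.outcome == "success" and burst[-1].ts <= e.ts < first.ts + window]
            if later_success:
                alerts.append(("success_after_failures", user, later_success[0].system))
            break      # one alert pair per user and window is enough for the sample
    return alerts


def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e is not None]
    return events, detect(events)
```

Both alerts carry the user and the systems involved, which is what the aggregation stage buys: a burst that is split across an SAP system and a non-SAP host is invisible to either system's local log on its own.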

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complementary with your SAP TechEd registration
• httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Monitoring and Auditing: The SAP Audit Information System (AIS)

• The Audit Information System facilitates smoother and better quality audits
• It consists of a number of single roles and is a collection, structure and default setup of SAP standard programs
• The AIS is the toolbox for the auditor in the SAP environment

Read Access Logging: Features

Read Access Logging (RAL) allows logging all access to classified or sensitive data and supports the evaluation of these events. It allows tracking:
• Who accessed the data
• Which data was accessed
• When the data was accessed
• How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:
• user interfaces used to access the data
• operations executed on remote APIs
• users using the remote APIs / user interfaces
• entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

[Diagram: ABAP Server with Application / Web Dynpro writing to the Read Access Log]

Read Access Logging Framework: Features

Read Access Logging allows logging all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows sends requests to the SAP backend system; the Dynpro Processor passes them to the Application Logic; the observed request / response data traffic is written to a temporary log and, via an asynchronous call of the log service, to permanent log storage in the repository (delivered sample implementation)]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows / HTML / Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I

[Screenshot: Transaction BP (Business Partner) log record]

UI Logging: Log Record Example II

[Screenshot: Transaction SE16 (Table Viewer) log record]

Access Logging with Business Warehouse

• SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
• LOPD was first available with the BW 7.0 release
• Within the solution you can configure the information to be logged per InfoProvider
• The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
• For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                       Supported by Read Access Logging   UI Logging Solution
SAP GUI                       No                                 7.00 … 7.31
Web Dynpro ABAP               7.40 SP02                          On request
CRM Web Client UI             No                                 7.00 … 7.31
Business Warehouse            No                                 7.00 … 7.31, BW 7.0
Web Services                  7.40                               On request
SAP RFC                       7.40 SP02                          On request
Business Server Pages (BSP)   No                                 On request

Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control / performance control in the works constitution legislation of certain countries. In this case, approval of the works council might be mandatory.
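One way to implement the filtering and retention behaviour the Read Access Logging slides describe, as an added example (written for this page; not the framework's own code): each entity carries a field-level logging policy, a card number is masked rather than stored in full, fields without a policy are omitted, every record answers who / which / when / how, and records are purged once the retention period has passed. `LOG_CONFIG`, `RETENTION_SECONDS`, the `PARTNERS` record and the names `ReadAccessLog`, `logged_read` and `demo` are constructed for the example.

```python
from functools import wraps

# Constructed logging configuration, modelled on the per-entity filters the slides describe:
# each entity lists which fields are logged and how sensitive ones are treated.
LOG_CONFIG = {
    "BusinessPartner": {
        "fields": {"partner_id": "log", "name": "log", "card_number": "mask", "salary": "omit"},
    },
}
RETENTION_SECONDS = 90 * 24 * 3600   # constructed retention period


def mask_pan(value):
    """Keep a card number recognizable for an audit (first 6, last 4) without storing it whole."""
    digits = str(value)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class ReadAccessLog:
    def __init__(self, clock, retention_seconds=RETENTION_SECONDS):
        self.clock = clock                 # injectable so the example is deterministic
        self.retention = retention_seconds
        self.records = []

    def record(self, user, channel, entity, data):
        """Who, which data, when, how: one record per read, filtered per configuration."""
        policy = LOG_CONFIG.get(entity, {}).get("fields", {})
        logged = {}
        for name, value in data.items():
            action = policy.get(name, "omit")     # fields without a policy are never logged
            if action == "log":
                logged[name] = value
            elif action == "mask":
                logged[name] = mask_pan(value)
        self.records.append({"who": user, "when": self.clock(), "how": channel,
                             "which": entity, "content": logged})

    def purge_expired(self):
        """Enforce the limited storage time the privacy rules on the slide demand."""
        cutoff = self.clock() - self.retention
        before = len(self.records)
        self.records = [r for r in self.records if r["when"] >= cutoff]
        return before - len(self.records)

    def query(self, user=None, entity=None):
        return [r for r in self.records
                if (user is None or r["who"] == user) and (entity is None or r["which"] == entity)]


def logged_read(log, entity, channel):
    """Decorator that turns a data-reading function into a logged channel."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            result = fn(user, *args, **kwargs)
            log.record(user, channel, entity, result)
            return result
        return wrapper
    return decorator


# Constructed backend data standing in for a business partner record.
PARTNERS = {
    "BP-100": {"partner_id": "BP-100", "name": "Example GmbH",
               "card_number": "4111111111111111", "salary": 72000, "internal_note": "vip"},
}


def demo():
    clock = [1_000_000]
    log = ReadAccessLog(clock=lambda: clock[0])

    @logged_read(log, "BusinessPartner", "SAP GUI")
    def display_partner(user, partner_id):
        return PARTNERS[partner_id]

    display_partner("JSMITH", "BP-100")
    first = log.query(user="JSMITH")[0]["content"]
    clock[0] += RETENTION_SECONDS + 1        # time passes beyond the retention period
    display_partner("AMEIER", "BP-100")
    purged = log.purge_expired()
    return first, purged, [r["who"] for r in log.records]
```

The default action for a field without a policy is to omit it, so a newly added sensitive field never reaches the log by accident; the access itself is still recorded, since the who / when / how part of the record does not depend on the content filter.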

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library]

• Digital signatures for legally binding contracts
• Integration with the Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step by Step

[Diagram: SAP Client and application, steps 1 to 4]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out of the box for a set of SAP transactions
• Programming / integration necessary in case of:
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
  – Hardware support needed

SNC Client Encryption: Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in the SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect to the SAP application server over SNC; SNC also protects the server-to-server connection between SAP application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram, used as a section divider on the following slides: Secure Software Development at SAP and at customers, Security Services, Security Management]


SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes: second Tuesday every month

SAP Active Global Support: security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems: Are You Ready?

• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

Patch Management and Security Monitoring

• Check the security of your systems onsite, remote or as a self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources
• SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
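An added illustration of the data-flow analysis that the secure programming, code check tool and SAST slides above describe (example code written for this page; not the SAP NetWeaver AS add-on for code vulnerability analysis or any SAP tool, and Python stands in for ABAP): a small taint scanner over Python's `ast` module tracks untrusted input from a source through assignments and string building into dangerous sinks, so that a concatenated SQL statement and an unsanitized file path are reported while their parameterized and sanitized counterparts are not. The source, sink and sanitizer catalogue and the `SAMPLE_CODE` under test are constructed for the example.

```python
import ast

# Constructed model of what the scanner knows: where untrusted input comes from, which
# calls are dangerous, and which calls are treated as sanitizers. These names are
# hypothetical; a real tool ships its own catalogue for the APIs it covers.
SOURCES = {"request_param"}                                  # returns attacker-controlled data
SINKS = {"execute": 0, "open": 0, "system": 0, "eval": 0}    # call name -> index of the risky argument
SANITIZERS = {"int", "basename", "escape"}                   # output is considered safe


def call_name(func):
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class TaintScanner(ast.NodeVisitor):
    """Propagates taint through assignments and string building inside each function and
    reports sinks that receive tainted data in their dangerous argument."""

    def __init__(self):
        self.tainted = set()
        self.findings = []      # (line, sink) pairs

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = call_name(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            # "...{}".format(x), str(x) or x.upper(): taint flows through arguments and receiver
            return any(self.is_tainted(a) for a in node.args) or self.is_tainted(node.func)
        if isinstance(node, ast.Attribute):
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, (ast.Tuple, ast.List)):
            return any(self.is_tainted(e) for e in node.elts)
        return False

    def visit_FunctionDef(self, node):
        self.tainted = set()        # taint does not cross function boundaries in this toy model
        self.generic_visit(node)

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node.func)
        if name in SINKS:
            idx = SINKS[name]
            if idx < len(node.args) and self.is_tainted(node.args[idx]):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)


def scan(source):
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed code under test: a vulnerable and a hardened form of SQL access and of
# file access, so the scanner has something to flag and something to leave alone.
SAMPLE_CODE = '''\
def vulnerable(cursor):
    name = request_param("name")
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(sql)                                             # flagged: tainted SQL text

def hardened(cursor):
    name = request_param("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # clean: value is a parameter

def traversal():
    fname = request_param("file")
    return open("/srv/docs/" + fname)                               # flagged: tainted path

def traversal_fixed():
    fname = basename(request_param("file"))
    return open("/srv/docs/" + fname)                               # clean: sanitized first
'''
```

The scanner reports a finding by line number and sink name, which is the shape the ABAP Test Cockpit result list on the earlier slide also takes; the parameterized `execute` call is not reported because the tainted value sits in the parameter tuple, not in the statement text.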

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• checking the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security
• Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram: Compliance and Governance – SAP GRC Access Control; Identity Management – SAP NetWeaver Identity Management; Authentication and Single Sign-On – SAP NetWeaver Single Sign-On]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:

User and role management

Provisioning to SAP and non-SAP systems

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:

Identity federation

Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for Windows communication

Strong authentication (Radius, smart cards)

RSA Certification

Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption:

Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access

Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on

Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook, Google, etc.)

Cross-application and cross-domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User-to-application security for a heterogeneous app environment

No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment

What is Enterprise Single Sign-On

Diagram: after a primary authentication of the user (jack_jones), the E-SSO Monitor, administered through a Local Management Console, handles the logons to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application

Secure Login – Solution Architecture

Diagram of the components: on the client system, the SAP Frontend (NWBC, SAP GUI) and a Web Browser with the SLWC applet use the Secure Login Client, a Key Store and the SAP or Java Crypto Library; on the SAP backend systems, the ABAP stack carries the Secure Login Library and the Java stack (NetWeaver CE 7.2) carries the Secure Login Server with its Config Data and PSE Service; an Authentication Server (e.g. SAP User Management) sits behind the Secure Login Server; the connections shown are DIAG/SNC and HTTP(S)

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run their own ERP, CRM and SCM systems, with further systems (…) in the Cloud

Identity Federation – Solution

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run ERP, CRM and SCM behind Service Providers (SP) and each operate their own Identity Provider; the two Identity Providers are linked by Identity Federation

Each company maintains only its own identities

A company can trust the identities of another organization

Employees of company A can get access to shared information of company B

SAP Business Suite will be enabled for SAML (Service Provider)

Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: an Identity Provider on SAP NetWeaver Java (holding the user account) exchanges log-on/log-off messages and the SAML token with Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each of which keeps its own user account

Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)

Web users trying to access a system will be redirected to the Identity Provider

Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication

Web Browser-based single sign-on is user-centric
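The redirect-to-IdP flow above, as an added example that is not SAP's code: a minimal Go model of the SAML web browser SSO exchange with both sides. The IdP authenticates the user once per browser session and signs an assertion for whichever SP asks; each SP verifies issuer, signature, audience, validity period and replay before logging the user in. Entity IDs, the user store and the password are constructed, and the plain-string digest stands in for XML canonicalisation and XML-DSig.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Assertion carries the fields of a SAML 2.0 assertion that a Service Provider must
// check. Real assertions are XML with an XML-DSig signature; the rules are the same.
type Assertion struct {
	ID           string    // unique per assertion, used for replay detection
	Issuer       string    // entity ID of the Identity Provider
	Subject      string    // NameID of the authenticated user
	Audience     string    // entity ID of the SP the assertion is meant for
	NotOnOrAfter time.Time // end of validity
}

// digest is what the IdP signs and the SP verifies (stands in for XML canonicalisation).
func (a Assertion) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s", a.ID, a.Issuer,
		a.Subject, a.Audience, a.NotOnOrAfter.UTC().Format(time.RFC3339))))
	return h[:]
}

// IdentityProvider authenticates a user once per browser session, then signs assertions for any SP.
type IdentityProvider struct {
	EntityID string
	key      *ecdsa.PrivateKey
	users    map[string]string // constructed user store: user -> password
	sessions map[string]string // browser session cookie -> user
	seq      int
}

func NewIdentityProvider(entityID string) *IdentityProvider {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{EntityID: entityID, key: key, sessions: map[string]string{},
		users: map[string]string{"jack_jones": "constructed-password"}}
}

// Login is the single interactive authentication of a browser session.
func (idp *IdentityProvider) Login(cookie, user, password string) error {
	if pw, ok := idp.users[user]; !ok || pw != password {
		return errors.New("idp: authentication failed")
	}
	idp.sessions[cookie] = user
	return nil
}

// Issue answers the redirect from an SP; without an IdP session the user must log in first.
func (idp *IdentityProvider) Issue(cookie, spEntityID string) (Assertion, []byte, error) {
	user, ok := idp.sessions[cookie]
	if !ok {
		return Assertion{}, nil, errors.New("idp: no session, user must log in first")
	}
	idp.seq++
	a := Assertion{ID: fmt.Sprintf("_a%d", idp.seq), Issuer: idp.EntityID, Subject: user,
		Audience: spEntityID, NotOnOrAfter: time.Now().Add(5 * time.Minute)}
	sig, err := ecdsa.SignASN1(rand.Reader, idp.key, a.digest())
	return a, sig, err
}

// ServiceProvider trusts exactly one IdP, identified by entity ID and public key.
type ServiceProvider struct {
	EntityID string
	idpID    string
	idpKey   *ecdsa.PublicKey
	seen     map[string]bool // assertion IDs already accepted
}

func NewServiceProvider(entityID string, idp *IdentityProvider) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, idpID: idp.EntityID,
		idpKey: &idp.key.PublicKey, seen: map[string]bool{}}
}

// Consume validates a returned assertion and yields the user to log in locally.
func (sp *ServiceProvider) Consume(a Assertion, sig []byte, now time.Time) (string, error) {
	switch {
	case a.Issuer != sp.idpID:
		return "", errors.New("sp: untrusted issuer")
	case !ecdsa.VerifyASN1(sp.idpKey, a.digest(), sig):
		return "", errors.New("sp: signature does not verify")
	case a.Audience != sp.EntityID:
		return "", errors.New("sp: assertion addressed to another SP")
	case !now.Before(a.NotOnOrAfter):
		return "", errors.New("sp: assertion expired")
	case sp.seen[a.ID]:
		return "", errors.New("sp: assertion replayed")
	}
	sp.seen[a.ID] = true
	return a.Subject, nil
}
```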

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered by events such as on-boarding, and connected to SAP Access Control (GRC) and the SAP Business Suite

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring & audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Compliance checks through GRC

SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram of the components: the Identity Center (IC database on MS-SQL or Oracle DB, soon IBM DB2, with stored procedures, logs, audit and IdS) with its Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB) and Event Agent; the Virtual Directory Server (VDS) in a Java VM, reached via LDAP; external repositories (AS Java, LDAP, ABAP, Web Services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web Services, SiteMinder, application-specific, etc.) connected via LDAP, Web Services and dB protocol; the User Interface (AS Java Web Dynpro ID Mgmt UI abstraction, reached over HTTPS) and the MMC Management Console (JMX), soon to be Eclipse

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Process flow between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control:

1 Request for: role, privileges, user account, …

2 Request sent for approval to: manager, delegate, role owner, application owner, …

3 Approval granted from: manager, delegate, role owner, application owner, …

4 Send for risk analysis to: manager, delegate, role owner, application owner, …

5 Risk analysis and remediation: reject, approve, mitigate, modify request, …

6 Provision to: business applications, non-SAP systems, … and send approval mail to User

Result: Compliant Identity Management
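The six-step flow above, as an added example that is not SAP's code: a small Go model of an access request whose provisioning is refused until every approver has agreed, the risk analysis (run against the user's existing roles as well) has completed, and each remaining segregation-of-duties risk carries a compensating control. The SoD rules, role names and approver names are constructed.

```go
package main

import "errors"

// Risk is a segregation-of-duties conflict between two roles.
type Risk struct{ ID, Description, RoleA, RoleB string }

// sodRules is a constructed rule set standing in for the access risk
// definitions maintained in SAP GRC Access Control.
var sodRules = []Risk{
	{"SOD-01", "maintain vendor master data and run vendor payments", "AP_VENDOR_MAINT", "AP_PAYMENT_RUN"},
	{"SOD-02", "create purchase orders and approve them", "MM_PO_CREATE", "MM_PO_APPROVE"},
}

// State follows the slide steps: PendingApproval (1-2), Approved (3), RiskAnalysed (4-5), Provisioned (6).
type State int

const (PendingApproval State = iota; Approved; RiskAnalysed; Provisioned)

// Request is one access request (roles for a user) moving through the workflow.
type Request struct {
	User      string
	Roles     []string
	Approvers map[string]bool   // approver (manager, role owner, ...) -> has approved
	State     State
	Risks     []Risk            // open risks found by the analysis
	Mitigated map[string]string // risk ID -> compensating control
}

func NewRequest(user string, roles []string, approvers ...string) *Request {
	r := &Request{User: user, Roles: roles, Approvers: map[string]bool{}, Mitigated: map[string]string{}}
	for _, a := range approvers {
		r.Approvers[a] = false
	}
	return r
}

// Approve records one approval; the request moves on only when every approver agreed.
func (r *Request) Approve(by string) error {
	if r.State != PendingApproval {
		return errors.New("request is not awaiting approval")
	}
	if _, ok := r.Approvers[by]; !ok {
		return errors.New(by + " is not an approver of this request")
	}
	r.Approvers[by] = true
	r.State = Approved
	for _, done := range r.Approvers {
		if !done { r.State = PendingApproval }
	}
	return nil
}

// AnalyseRisks checks the requested roles together with the roles the user already
// holds, so a conflict spread over two separate requests is caught as well.
func (r *Request) AnalyseRisks(existingRoles []string) []Risk {
	if r.State != Approved {
		return nil
	}
	have := map[string]bool{}
	for _, role := range append(append([]string{}, existingRoles...), r.Roles...) { have[role] = true }
	for _, rule := range sodRules {
		if have[rule.RoleA] && have[rule.RoleB] {
			r.Risks = append(r.Risks, rule)
		}
	}
	r.State = RiskAnalysed
	return r.Risks
}

// Mitigate accepts an open risk with a compensating control (one form of remediation).
func (r *Request) Mitigate(riskID, control string) error {
	for _, risk := range r.Risks {
		if risk.ID == riskID {
			r.Mitigated[riskID] = control
			return nil
		}
	}
	return errors.New("no open risk " + riskID)
}

// Provision is step 6: refused until approvals are complete, the risk analysis has
// run and every remaining risk carries a compensating control.
func (r *Request) Provision(target func(user, role string) error) error {
	if r.State != RiskAnalysed {
		return errors.New("provisioning requires complete approval and risk analysis")
	}
	for _, risk := range r.Risks {
		if _, ok := r.Mitigated[risk.ID]; !ok {
			return errors.New("open risk " + risk.ID + ": " + risk.Description)
		}
	}
	for _, role := range r.Roles {
		if err := target(r.User, role); err != nil {
			return err
		}
	}
	r.State = Provisioned
	return nil
}
```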

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management

SAP NetWeaver Identity Management:

Centralized user management – centralized management of identity information across multiple data sources

Integration and synchronization of system authorization data – manage user privileges centrally

Single Sign On – automates and simplifies integration with Enterprise SSO and Web SSO

Federated Identity – simplifies integration with standards-supported Identity Federation

SAP GRC Access Control:

Access Risk Identification – define and understand access risks

Access Analysis and Response – analyze and mitigate access risks

Access Reviews – periodic reviews of assignments, risk violations and controls

Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Diagram of the components: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 (AC, PC & RM, software component GRCFND_A) with Content Lifecycle Management (CLM); optional SAP NW Portal 7.02 (GRC Portal Content), SAP NW BW 7.02 (GRC BI Content) and SAP NW Java 7.02 (Adobe Document Services); plug-ins in SAP ERP (4.6C – 7.1): NW Function Modules (plug-in GRCPINW), HR Function Modules and PC Automated Controls (plug-in GRCPIERP); non-SAP business applications via an adapter; optional Identity Management solutions (SAP or non-SAP) connected via http, Web services and RFC; front-end client: SAP GUI 7.10 and Web Browser with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports); connections via RFC, DIAG and http

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Flowchart: an HR application event (New Hire, Change Position) leads Identity Management to calculate entitlements based on position; the Line Manager approves the assignments (Yes/No); on approval SAP GRC Access Control performs the compliance check and remediation; finally users are created and roles and privileges assigned across the heterogeneous landscape

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure (Aggregation, Normalization, Connectivity, Filtering, Extraction) receives Attack Pattern Updates by SAP and consumes logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, Desktop Frontend and Mobile Frontend logs, logs of Infrastructure, logs of Database, Network logs, IDS and alerts from SAP SolMan; it offers an API to other SIEM tools and an Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes

Significant investments into security for networked solutions; the identity management, SSO and integrated security management offering will allow customers to implement secure business processes

The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January – March 2014

Complimentary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more

View content only available online

http://saptechedhandson.sap.com

http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Read Access Logging Features

Read Access Logging (RAL) allows logging of all access to classified or sensitive data and supports the evaluation of these events. It allows tracking of:

Who accessed the data

Which data was accessed

When the data was accessed

How the data access took place: via which transaction or user interface

The amount of detail to be logged is customizable based on:

user interfaces used to access the data

operations executed on remote APIs

users using the remote APIs / user interfaces

entities and their content

Session SIS104 – Finding the Leak – Using Access Logging to Monitor Access to Sensitive Data

SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, Web Service or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration

Diagram: ABAP Server with the application (Web Dynpro) writing to the Read Access Log

Read Access Logging Framework Features

Read Access Logging allows logging of all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs
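The channel-triggered logging and the filtering described above, as an added example that is not SAP's code: a Go sketch of a read access log that records who, which data, when and how, applies a per-channel and per-entity configuration, and masks or omits field values so that, for instance, a full card number never reaches the log. Channel names, entity and field names, the transaction codes and the sample configuration are constructed.

```go
package main

import (
	"strings"
	"time"
)

// AccessEvent is what the framework sees when data is presented to a user: who (User),
// how (Channel and Transaction), which data (Entity and Fields) and when (At). The same
// type, with filtered Fields, is what gets written to the read access log.
type AccessEvent struct {
	User, Channel, Transaction, Entity string
	Fields                             map[string]string
	At                                 time.Time
}

// FieldRule says how one field of an entity is recorded.
type FieldRule int

const (
	Omit FieldRule = iota // default for unlisted fields: not written to the log
	Mask                  // only the last four characters are kept
	Full                  // written as presented
)

// Config is the logging configuration: which channels are logged, which entities
// and fields are relevant, and which users are out of scope.
type Config struct {
	Channels     map[string]bool                 // e.g. "SAP GUI", "Web Dynpro", "RFC"
	Entities     map[string]map[string]FieldRule // entity -> field -> rule
	ExcludeUsers map[string]bool                 // technical users whose reads are not logged
}

// Logger applies the configuration and keeps the resulting records.
type Logger struct {
	cfg     Config
	Records []AccessEvent
}

func NewLogger(cfg Config) *Logger { return &Logger{cfg: cfg} }

// Record filters one access event and reports whether a log record was written.
func (l *Logger) Record(ev AccessEvent) bool {
	if !l.cfg.Channels[ev.Channel] || l.cfg.ExcludeUsers[ev.User] {
		return false
	}
	rules, relevant := l.cfg.Entities[ev.Entity]
	if !relevant {
		return false
	}
	logged := map[string]string{}
	for name, value := range ev.Fields {
		switch rules[name] { // unlisted fields yield the zero value, Omit
		case Full:
			logged[name] = value
		case Mask:
			logged[name] = mask(value)
		}
	}
	if len(logged) == 0 {
		return false // nothing classified was shown, so no record
	}
	ev.Fields = logged // ev is a copy, the caller's map stays untouched
	l.Records = append(l.Records, ev)
	return true
}

// mask keeps only the last four characters, the usual pattern for a card number.
func mask(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// WhoAccessed answers the evaluation question "who accessed this entity, and how?".
func (l *Logger) WhoAccessed(entity string) []string {
	var out []string
	for _, r := range l.Records {
		if r.Entity == entity {
			out = append(out, r.User+" via "+r.Channel+"/"+r.Transaction)
		}
	}
	return out
}

// SampleConfig is a constructed configuration: log business partner displays over
// SAP GUI and Web Dynpro, keep the card number masked, never log the batch user.
func SampleConfig() Config {
	return Config{
		Channels: map[string]bool{"SAP GUI": true, "Web Dynpro": true},
		Entities: map[string]map[string]FieldRule{
			"BusinessPartner": {"PARTNER": Full, "CARD_NUMBER": Mask, "TAX_ID": Full},
		},
		ExcludeUsers: map[string]bool{"BATCH_USER": true},
	}
}
```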

SAP Custom Development – User Interface (UI) Logging

Diagram: in the SAP backend system, the data traffic (request/response) between SAP GUI for Windows and the Dynpro Processor in front of the application logic is observed; the delivered sample implementation writes a temporary log and asynchronously calls the log service, which stores the records in the repository (permanent log storage)

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request

UI Logging Log Record Example I: Transaction BP (Business Partner) Log Record

UI Logging Log Record Example II: Transaction SE16 (Table Viewer) Log Record

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)

LOPD was first available with the BW 7.0 release

Within the solution you can configure the information to be logged per InfoProvider

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00…7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00…7.31
Business Warehouse             No                                 7.00…7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures Via SSF API and Secure Login Library

Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library

Digital signatures for legally binding contracts

Integration with Secure Store and Forward (SSF) API

Out-of-the-box support for a set of SAP transactions

Consistent with SAP Single Sign-On mechanisms

Easy and flexible to implement

Generation of X.509 certificates and smart card support

PCI-DSS-compliant encryption

Digital Signatures – Step By Step

1 Transaction triggers digital signature

2 User information is transferred

3 User authenticates and digital certificate is received (SAP Client)

4 Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions

Programming/integration necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of Secure Login Library with client actions; hardware support needed

SNC Client Encryption: Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel

Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver

SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license

Encryption between SAP client and application server

Based on SNC and Kerberos

No hybrid encryption available, compared to SAP NetWeaver Single Sign-On

No single sign-on included

Diagram: on the client side, SAP NetWeaver Business Client, SAP GUI for Windows, the RFC client and the Business Explorer Browser (BEx Browser) connect over SNC to the SAP application server; on the server side, SAP application servers connect to each other over SNC

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Diagram: SAP and Customers each contribute to Secure Software Development, Security Services and Security Management


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with a Quality Gate at each of the transitions Planning to Development, Development to Production and Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle:

– We train developers on secure software development

– We plan and implement security using product standard requirements

– We use state-of-the-art quality assurance methods

– We verify in quality gates that requirements are met

– We provide fixes via Product Security Response if vulnerabilities are identified

– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day: SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services:

SAP Solution Manager System Recommendations

SAP EarlyWatch Alert (EWA) with security section

SAP Solution Manager Configuration Validation

SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training: secure operation trainings by SAP; secure development trainings by partners

SAP Security Documentation:

Security notes published on Service Marketplace

SAP security guides for every product

SAP security recommendations on some patch days

Secure programming guides

RunSAP end-to-end solution operations

Books published by SAP Press


SAP Security Management for Your Systems: Are you ready?

Do you have management support for SAP security?

Do you have defined responsibilities for SAP security?

Do you have a security contact maintained in SMP?

Do you have standards and guidelines for SAP security?

Do you have know-how in security operations?

Do you have know-how in secure development?

Do you have know-how in authorizations and SoD?

Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management

Secure System Configuration SAP NetWeaver AS ABAP

Network filtering

SAP GUI for Windows

Limit Web-Enabled Content

SAP Gateway and SAP Message Server Security

Secure Network Communication (SNC) and HTTPS

ABAP RFC Connectivity

Password Management: Password Policy, Password Hashes, Default Passwords

Secure Session Handling

(Topics from the security recommendations, discussed later)

Patch Management and Security Monitoring

Check security of your systems as onsite, remote or self service via SAP Solution Manager

Verify release information and configuration parameters against targets for all systems connected to Solution Manager

Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented

Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks

Easy-to-use, light-weight tool – short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:

– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)

– SSL Profile Validation: validates parameter settings for secure sessions

– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674


Secure Custom Development – Secure Design

Secure design: authentication and identity propagation; secure session handling; communication protocols; authorization concept; logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs: cross-site scripting (XSS), cross-site request forgery (XSRF), SQL injection, directory traversal, ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494)

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage

Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks

Extended Program Check (SLIN): extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security

Neither DAST nor SAST is a guarantee to find all security issues in an application

Methods: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Methods: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources

SAP NetWeaver Application Server add-on for code vulnerability analysis

Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– Sent out for very important security-related news

Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
spotlight news
check of the security notes released on the Security Patch Days
subscription to the SAP support portal newsletter
maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
SAP System Administration – User and Security
SAP Governance, Risk & Compliance

Certification
SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
Booking code: P_ADM_SEC_70

Topic – Course ID
Authorizations AS ABAP – ADM940
Authorizations AS Java, Portal – ADM200, EP200, ADM800
Authorizations BW – BW365
SAP NetWeaver Identity Management – ADM920
Security Auditing – ADM950
Technical Security (RFC, SSL, SNC, …) – ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level

EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
SAP NetWeaver Application Server Java 7.02 SP03 – EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08 – EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance – SAP GRC Access Control
Identity Management – SAP NetWeaver Identity Management
Authentication and Single Sign-On – SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
Microsoft Active Directory Server
Microsoft Certificate Store

Advanced SNC encryption
Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
Smart cards
Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
User and role management
Provisioning to SAP systems and non-SAP systems
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
Identity federation
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (Radius, smart cards)
RSA Certification
Coming with version 2.0:
SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
FIPS 140-2 certification for Crypto Library

SNC Client Encryption
Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (Partner / API)
Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access

Identity Federation
Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on

Secure Login
Single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption
Basic encryption between SAP Windows clients and SAP application servers; no single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

Diagram components: Primary Authentication, E-SSO Monitor, Local Management Console; target applications supplied with the stored credentials of the example user jack_jones: Terminal Emulator, Web Form, Web Basic authentication, Windows application, Java application.


Secure Login – Solution Architecture

Diagram components:
Client System: SAP Frontend (NWBC, SAP GUI), Web Browser with SLWC (Applet), Secure Login Client, SAP or Java Crypto Library, Key Store
SAP Backend System: ABAP Stack with Secure Login Library, Java Stack with Secure Login Library, PSE Service
Secure Login Server on NetWeaver CE 7.2 (Config Data)
Authentication Server (e.g. SAP User Management)
Protocols between the components: DIAG with SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure (Cloud).
Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …).


Identity Federation – Solution

Diagram: Company A (Datacenter A: ERP, CRM, SCM, each acting as Service Provider (SP)) and Company B (Datacenter B: ERP, CRM, SCM, each as SP); each company runs its own Identity Provider, and the two Identity Providers are linked through Identity Federation.

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

Diagram: an Identity Provider on SAP NetWeaver Java issues SAML tokens (log on / log off) to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems; each system keeps its own User Account.

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web browser-based single sign-on is user-centric
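The exchange described above, as an added example in Python that is not part of the original deck or of SAP NetWeaver Single Sign-On. To keep it self-contained, the "SAML token" is a JSON assertion signed with an HMAC key shared by the Identity Provider and the Service Providers rather than an XML-signed SAML assertion, the browser is a dict that carries the IdP session cookie, and the entity ids, the password and the user name are constructed. What the example shows is the part a Service Provider must get right before trusting a token: signature, issuer, audience restriction, correlation with an outstanding request (so a token cannot be replayed) and a validity window. It also shows why the second system asks for no password: the IdP session, not the password, is reused.

```python
"""Simulation of the web-browser single sign-on flow described above.

Added example, not SAP code. Simplifications that are assumptions of this
example: the "SAML token" is a JSON assertion signed with an HMAC key shared
by the Identity Provider (IdP) and the Service Providers (SPs) instead of an
XML-signed SAML assertion; the browser is a dict that carries the IdP session
cookie; entity ids, the user and the password are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time


def sign(key, assertion):
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.sessions = {}            # IdP cookie -> authenticated user
        self.credential_checks = 0    # how often a password was actually verified

    def handle_authn_request(self, request, browser, credentials=None):
        """Signed token if the browser has an IdP session or presents valid
        credentials; None when a login form is needed or the login fails."""
        user = self.sessions.get(browser.get("idp_cookie"))
        if user is None:
            if credentials is None:
                return None                           # show login form
            name, password = credentials
            self.credential_checks += 1
            if not hmac.compare_digest(self.users.get(name, ""), password):
                return None
            user = name
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = user
            browser["idp_cookie"] = cookie            # SSO session established
        assertion = {
            "issuer": self.entity_id,
            "subject": user,
            "audience": request["issuer"],            # only this SP may accept it
            "in_response_to": request["id"],
            "not_on_or_after": time.time() + 300,     # short validity window
        }
        return {"assertion": assertion, "signature": sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.pending = set()          # ids of requests sent and not yet consumed
        self.sessions = {}            # local session id -> user

    def start_login(self):
        """The request the browser is redirected to the IdP with."""
        request = {"id": secrets.token_hex(8), "issuer": self.entity_id}
        self.pending.add(request["id"])
        return request

    def consume(self, token, now=None):
        """Validate a token and open a local session; raise ValueError otherwise."""
        now = time.time() if now is None else now
        a = token["assertion"]
        if not hmac.compare_digest(sign(self.idp_key, a), token["signature"]):
            raise ValueError("bad signature")
        if a["issuer"] != self.idp_entity_id:
            raise ValueError("untrusted issuer")
        if a["audience"] != self.entity_id:
            raise ValueError("token was issued for another service provider")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed token")
        if now >= a["not_on_or_after"]:
            raise ValueError("token expired")
        self.pending.discard(a["in_response_to"])     # each token is consumed once
        sid = secrets.token_hex(16)
        self.sessions[sid] = a["subject"]
        return sid


def run_scenario():
    """One user, two SPs: log in once, reach the second system without re-authentication."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.example", key, {"jack_jones": "constructed-pw"})
    erp = ServiceProvider("erp.example", "idp.example", key)
    crm = ServiceProvider("crm.example", "idp.example", key)
    browser = {}
    req = erp.start_login()
    form_shown = idp.handle_authn_request(req, browser) is None       # no session yet
    token = idp.handle_authn_request(req, browser, ("jack_jones", "constructed-pw"))
    erp_user = erp.sessions[erp.consume(token)]
    # second system: the IdP cookie is present, so no credentials are asked for
    crm_user = crm.sessions[crm.consume(idp.handle_authn_request(crm.start_login(), browser))]
    tampered = {"assertion": {**token["assertion"], "subject": "someone_else"},
                "signature": token["signature"]}
    rejected = []
    for sp, t, name in [(crm, token, "cross-sp"), (erp, token, "replay"), (erp, tampered, "tampered")]:
        try:
            sp.consume(t)
        except ValueError:
            rejected.append(name)
    return {"form_shown": form_shown, "erp_user": erp_user, "crm_user": crm_user,
            "credential_checks": idp.credential_checks, "rejected": rejected}


if __name__ == "__main__":
    print(run_scenario())
```

The three rejected cases at the end are the ones worth remembering when configuring a real Service Provider: a token for one system presented to another (audience), the same token presented twice (request correlation), and a token whose content was changed after signing (signature).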

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO 2hr)


SAP NetWeaver Identity Management

Diagram: business event (e.g. on-boarding) → SAP NetWeaver Identity Management with Central Identity Store → SAP Access Control (GRC) and SAP Business Suite Integration.

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Compliance checks through GRC


Architecture of SAP NetWeaver Identity Management 7.2

Diagram components:
Identity Center: IC database (either MS-SQL or Oracle-DB, soon IBM-DB2) with stored procedures, Logs, Audit, IdS; Dispatcher «Starts» Runtime (Java) and Runtime (VB) / DSE (VB); Event Agent; AS Java with Web Dynpro ID Mgmt UI and UI abstraction; JMX; Management Console (MMC, soon to be Eclipse)
Virtual Directory Server: VDS in a Java VM, LDAP, HTTPS, dB protocol, connection to AS Java
External repositories: LDAP, Java, ABAP, WebServices, Active Dir, etc.
External applications: SAP HR, LDAP/WebServices, SiteMinder, app-specific, etc.

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management

Diagram: User, Approver and Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control in six steps:

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the Compliance Team
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management – Centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data – Manage user privileges centrally
Single Sign-On – Automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity – Simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
Access Risk Identification – Define and understand access risks
Access Analysis and Response – Analyze and mitigate access risks
Access Reviews – Periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository – Define and manage compliant roles

Together: compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

Diagram components (SAP GRC 10.0; several of them are marked optional in the diagram):
SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A); Content Lifecycle Management (CLM)
SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Controls (Plug-in GRCPIERP)
Non-SAP Business Applications: Adapter
SAP NW Portal 7.02: GRC Portal Content
SAP NW BW 7.02: GRC BI Content
SAP NW JAVA 7.02: Adobe Document Services
Identity Management Solutions (SAP or Non-SAP)
Front-End Client: SAP GUI 7.10, Web Browser with Adobe Flash Player and SAP CR Adapter
Connections: http, Web services, RFC, DIAG
SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports


Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

Process flow in the diagram:
HR Application: New Hire / Change Position →
Identity Management: Calculate Entitlements Based on Position →
Line Manager: Approve Assignments? (Yes / No) →
SAP GRC Access Control: Compliance Check, Remediation →
Heterogeneous Landscape: Create User, Assign Roles / Assign Privileges in each target system
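The six-step sequence on the Compliant Identity Management slides and the HR-triggered customer scenario above describe the same control flow, so here is one added example in Python that walks a request through it. It is not code from SAP NetWeaver Identity Management or SAP GRC Access Control; the positions, role names, the segregation-of-duties rule, the control id and the target systems are constructed. The point it makes is the ordering: roles are derived from the position, approved, then checked for SoD conflicts against everything the user already holds, and provisioning is refused for anything that is not in the compliant state, whichever path (mitigate, modify, reject) got it there.

```python
"""Compliant identity management: from HR event to provisioning.

Added example, not code from SAP NetWeaver Identity Management or SAP GRC
Access Control. It models the six steps on the Compliant Identity Management
slides and the HR-triggered customer scenario: entitlements are derived from
the position, approved, checked for segregation-of-duties (SoD) risks,
remediated and only then provisioned. Positions, role names, the SoD rule,
the control id and the target systems are constructed.
"""
from dataclasses import dataclass, field

# Rule-based assignment: position -> business roles (constructed)
POSITION_ROLES = {
    "accounts_payable_clerk": {"AP_INVOICE_ENTRY", "VENDOR_DISPLAY"},
    "purchasing_manager": {"PO_APPROVE", "VENDOR_MAINTAIN"},
}
# SoD rules: role combinations one person must not hold (constructed)
SOD_CONFLICTS = [frozenset({"AP_INVOICE_ENTRY", "VENDOR_MAINTAIN"})]
TARGET_SYSTEMS = ("ERP", "CRM")        # heterogeneous landscape (constructed)


@dataclass
class Request:
    user: str
    roles: set                          # roles requested by this event
    existing_roles: set                 # roles the user already holds
    status: str = "requested"
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    provisioned: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _require(self, *states):
        if self.status not in states:
            raise ValueError(f"request is {self.status}, expected one of {states}")


def on_hr_event(user, position, existing_roles=()):
    """Step 1: an HR event (new hire, position change) creates the request."""
    if position not in POSITION_ROLES:
        raise ValueError(f"no entitlement rule for position {position!r}")
    req = Request(user, set(POSITION_ROLES[position]), set(existing_roles))
    req.audit.append(f"requested {sorted(req.roles)} for position {position}")
    return req


def approve(req, approver, decision):
    """Steps 2 and 3: manager / delegate / role owner decides."""
    req._require("requested")
    req.status = "approved" if decision == "approve" else "rejected"
    req.audit.append(f"{approver}: {decision}")
    return req.status


def analyze_risks(req):
    """Step 4: SoD analysis over the roles the user would hold afterwards."""
    req._require("approved", "risk_found")
    total = req.existing_roles | req.roles
    req.risks = [sorted(c) for c in SOD_CONFLICTS if c <= total]
    req.status = "risk_found" if req.risks else "compliant"
    req.audit.append(f"risk analysis: {req.risks or 'no conflicts'}")
    return req.risks


def remediate(req, action, control_id=None):
    """Step 5: the compliance team rejects, mitigates or modifies the request."""
    req._require("risk_found")
    if action == "reject":
        req.status = "rejected"
    elif action == "mitigate":
        if not control_id:
            raise ValueError("a mitigating control is required")
        req.mitigations = {"+".join(r): control_id for r in req.risks}
        req.status = "compliant"
    elif action == "modify":
        # drop the requested roles that take part in a conflict, then re-check;
        # conflicts purely among existing roles are not fixed by this request
        conflicting = set().union(*(set(r) for r in req.risks))
        req.roles -= conflicting
        analyze_risks(req)
    else:
        raise ValueError(f"unknown remediation {action!r}")
    req.audit.append(f"remediation: {action}")
    return req.status


def provision(req, systems=TARGET_SYSTEMS):
    """Step 6: write to the target systems and notify the user."""
    req._require("compliant")
    req.provisioned = {s: sorted(req.roles) for s in systems}
    req.status = "provisioned"
    req.audit.append(f"approval mail sent to {req.user}")
    return req.provisioned


if __name__ == "__main__":
    r = on_hr_event("new_hire_01", "accounts_payable_clerk", {"VENDOR_MAINTAIN"})
    approve(r, "line_manager", "approve")
    if analyze_risks(r):
        remediate(r, "mitigate", "CTRL-042")     # constructed control id
    provision(r)
    print("\n".join(r.audit))
```

The audit list is deliberately written at every transition; in a real deployment that trail, not the final role assignment, is what an access review or an auditor will ask for.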

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Inputs to the SAP Attack Monitoring Infrastructure: logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, logs of network IDS, alerts from SAP SolMan, attack pattern updates by SAP
Processing stages: Aggregation, Normalization, Connectivity, Filtering, Extraction
Outputs: API to other SIEM tools, information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
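What the aggregation, filtering and normalization stages buy you is that one attack pattern can run over events from every source. The following added example in Python shows that on a small scale; it is not SAP's planned infrastructure and the two input log formats, the host names, the user names and the addresses are constructed for the example (they are not the real SAP Security Audit Log or any database log format). Lines are normalized into one event schema, unparseable lines are counted rather than silently dropped, and a single pattern (repeated failed logons for one user from one address inside a time window) fires across the application-server and database sources together.

```python
"""Log aggregation and normalization with one attack pattern on top.

Added example, not SAP's planned attack monitoring infrastructure. The two
input formats below are constructed for this example (they are not the real
SAP Security Audit Log or database log formats). The point is the
normalization step into one event schema, after which a single pattern can
run over events from every source and be forwarded to a SIEM.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # system that produced the line
    kind: str        # normalized event type, here always "logon"
    user: str        # normalized to upper case across sources
    src_ip: str
    success: bool


# Format A (constructed application-server log):
#   2013-10-22T09:15:01 AS-ABAP logon user=JDOE ip=10.0.0.5 result=FAIL
APP_RE = re.compile(r"^(\S+) (\S+) logon user=(\S+) ip=(\S+) result=(OK|FAIL)$")
# Format B (constructed database log, syslog-like timestamp without a year):
#   Oct 22 09:15:03 db01 auth: FAILED login for 'jdoe' from 10.0.0.5
DB_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) auth: "
                   r"(FAILED|SUCCESSFUL) login for '([^']+)' from (\S+)$")


def normalize(line, year=2013):
    """Map one raw line onto the common Event schema; None if unrecognized."""
    m = APP_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m.group(1)), m.group(2), "logon",
                     m.group(3).upper(), m.group(4), m.group(5) == "OK")
    m = DB_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return Event(ts, m.group(2), "logon", m.group(4).upper(), m.group(5),
                     m.group(3) == "SUCCESSFUL")
    return None


def ingest(lines):
    """Aggregate lines from all sources; return (events, number_dropped)."""
    events, dropped = [], 0
    for line in lines:
        e = normalize(line)
        if e is None:
            dropped += 1            # filtering: unknown lines are counted, not lost silently
        else:
            events.append(e)
    return events, dropped


def detect_failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logons for one user from one address fall
    inside `window`, no matter which source recorded them."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "logon" and not e.success:
            fails[(e.user, e.src_ip)].append(e)
    alerts = []
    for (user, ip), evs in fails.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "ip": ip, "count": end - start + 1,
                               "sources": sorted({x.source for x in evs[start:end + 1]}),
                               "first": evs[start].ts, "last": evs[end].ts})
                break               # one alert per (user, ip)
    return alerts


SAMPLE_LINES = [    # constructed input from three systems plus one unknown line
    "2013-10-22T09:15:01 AS-ABAP logon user=JDOE ip=10.0.0.5 result=FAIL",
    "Oct 22 09:15:03 db01 auth: FAILED login for 'jdoe' from 10.0.0.5",
    "2013-10-22T09:15:09 AS-ABAP logon user=JDOE ip=10.0.0.5 result=FAIL",
    "2013-10-22T09:16:00 AS-JAVA logon user=ALICE ip=10.0.0.9 result=OK",
    "this line is in a format nobody configured",
    "Oct 22 09:40:00 db01 auth: FAILED login for 'alice' from 10.0.0.9",
]

if __name__ == "__main__":
    evs, dropped = ingest(SAMPLE_LINES)
    print(f"{len(evs)} events, {dropped} dropped")
    for a in detect_failed_logon_bursts(evs):
        print(a)
```

Note that the three failures for JDOE would not cross the threshold in either source on its own; the alert only exists because the database and application-server events were normalized to the same user and address first. The dropped counter is the operational check for the connectivity stage: a rising number means a source changed its format and is no longer being watched.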


Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions: identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complementary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP NetWeaver AS ABAP Read Access Logging Framework

Users accessing applications via a configured channel (ABAP Web Dynpro, SAP GUI, WebService or RFC) will trigger the framework to store the data presented to the user via this channel in the read access log, according to the logging configuration.

Diagram: ABAP Server – Application (Web Dynpro) – Read Access Log


Read Access Logging Framework Features

Read Access Logging allows you to log all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.


SAP Custom Development – User Interface (UI) Logging

Diagram: SAP GUI for Windows sends requests to and receives responses from the Dynpro Processor in the SAP Backend System; the observed data traffic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository. Further diagram elements: Application Logic, Delivered sample Implementation.

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.


UI Logging Log Record Example I
Transaction BP (Business Partner) Log Record

UI Logging Log Record Example II
Transaction SE16 (Table Viewer) Log Record


Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
LOPD was first available with the BW 7.0 release
Within the solution you can configure the information to be logged per InfoProvider
The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00 … 7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00 … 7.31
Business Warehouse          | No                               | 7.00 … 7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request


Read Access Logging: Compliance with Legal Regulations

Please note that there are often different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
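The Features slide says filters decide which data is logged and how, and the compliance notes above say why: a full card number must not be recorded, and personal data may be kept only for a purpose and for a limited time. The following added example in Python puts those two requirements into one small read-access log. It is not the SAP Read Access Logging framework; the field names, the channel names, the sample screen content, the purpose string and the 90-day retention period are constructed. Each classified field is logged in full, masked, or as an access event without its value, unclassified fields never reach the log, and a purge enforces the retention limit.

```python
"""Read-access log with field filters, masking and a retention limit.

Added example, not the SAP Read Access Logging framework. It illustrates the
points made on the Features and Compliance slides: a filter decides which
fields are logged and how (so private data such as a full card number stays
out of the log), and entries are kept only for a limited time. Field names,
channel names, the sample record and the retention period are constructed.
"""
from dataclasses import dataclass
import time

# Constructed logging configuration: field -> how to record it.
#   "full"    log the value as shown to the user
#   "masked"  log a masked form only
#   "none"    log that the field was displayed, but not its value
#   (absent)  field is not classified, nothing is logged for it
CONFIG = {
    "customer_id": "full",
    "tax_number": "masked",
    "card_number": "masked",
    "credit_limit": "none",
}
RETENTION_SECONDS = 90 * 24 * 3600      # constructed policy: keep entries 90 days


@dataclass
class Entry:
    ts: float
    user: str
    channel: str      # e.g. "SAP GUI", "Web Dynpro"
    field: str
    value: str        # "" when the configuration says "none"
    purpose: str      # why the data was accessed (purpose binding)


def mask(value):
    """Keep the last four characters, replace everything else with '*'."""
    s = str(value)
    if len(s) <= 4:
        return "*" * len(s)
    return "*" * (len(s) - 4) + s[-4:]


class ReadAccessLog:
    def __init__(self, config=CONFIG, retention=RETENTION_SECONDS):
        self.config = config
        self.retention = retention
        self.entries = []

    def record(self, user, channel, record, purpose, now=None):
        """Log the classified fields of `record` that were displayed to `user`;
        returns the entries written."""
        now = time.time() if now is None else now
        written = []
        for field_name, value in record.items():
            mode = self.config.get(field_name)
            if mode is None:
                continue                        # not classified: stays out of the log
            if mode == "full":
                logged = str(value)
            elif mode == "masked":
                logged = mask(value)
            elif mode == "none":
                logged = ""
            else:
                raise ValueError(f"unknown mode {mode!r} for {field_name}")
            entry = Entry(now, user, channel, field_name, logged, purpose)
            self.entries.append(entry)
            written.append(entry)
        return written

    def purge_expired(self, now=None):
        """Enforce the retention limit; returns how many entries were removed."""
        now = time.time() if now is None else now
        before = len(self.entries)
        self.entries = [e for e in self.entries if now - e.ts < self.retention]
        return before - len(self.entries)


SAMPLE_RECORD = {      # constructed business-partner screen content
    "customer_id": "4711",
    "name": "Example Customer",        # not classified -> never logged
    "card_number": "4111111111111111",
    "tax_number": "DE123456789",
    "credit_limit": 25000,
}

if __name__ == "__main__":
    log = ReadAccessLog()
    for e in log.record("jack_jones", "SAP GUI", SAMPLE_RECORD, "credit check"):
        print(e)
```

The masking happens before the value is stored, not at display time; a log that holds the full number and hides it in the viewer still violates the rule the slide describes. The purpose is written into each entry for the same reason: without it, the retention and purpose-limitation questions of the compliance slide cannot be answered later.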

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library

Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.

Digital signatures for legally binding contracts
Integration with Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption


Digital Signatures – Step by Step

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received (SAP Client)
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions
Programming/integration necessary in case of:
ABAP programming for other transactions not yet supporting SSF
Integration of Secure Login Library with client actions
Hardware support needed


SNC Client Encryption

Secure network communications
A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available compared to SAP NetWeaver Single Sign-On
No single sign-on included

Diagram: Clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) –SNC– SAP application server –SNC– SAP application server

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

Diagram: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management



SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE
Quality gates: Planning to Development, Development to Production, Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services



SAP Security Services Overview (1/2)

SAP Security Patch Day
SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
Secure operation trainings by SAP
Secure development trainings by partners

SAP Security Documentation
Security notes published on Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press



SAP Security Management for Your Systems

Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles
Examples: secure system configuration, patch management


Secure System Configuration SAP NetWeaver AS ABAP

Network filtering
SAP GUI for Windows
Limit Web-Enabled Content
SAP Gateway and SAP Message Server Security
Secure Network Communication (SNC) and HTTPS
ABAP RFC Connectivity
Password Management: Password Policy, Password Hashes, Default Passwords
Secure Session Handling

(from security recommendations, discussed later)


Patch Management and Security Monitoring

Check security of your systems as onsite, remote or self service via SAP Solution Manager
Verify release information and configuration parameters against targets for all systems connected to Solution Manager
Evaluate SAP security notes every patch day
Most important notes which can be automatically applied are checked and the result is presented
Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks
Easy-to-use, light-weight tool – short startup time, small memory footprint
List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
For more information see SAP Note 1532674

copy 2013 SAP AG or an SAP affiliate company All rights reserved 64


Secure Custom Development – Secure Design

Secure design:
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming, avoid security bugs:
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning, automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN): extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing, in the form of dynamic application security testing (DAST) and static application security testing (SAST), is a set of measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: spectrum of approaches from Manual Source Code Review and Automated Source Code Analysis (SAST: find vulnerabilities by analyzing the sources) to Automated Application Vulnerability Scanning and Manual Application Penetration Testing (DAST: find vulnerabilities in the running application).)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram: Manual Source Code Review and Automated Source Code Analysis are SAST, finding vulnerabilities by analyzing the sources; Automated Application Vulnerability Scanning and Manual Application Penetration Testing are DAST, finding vulnerabilities in the running application.)

SAP NetWeaver Application Server add-on for code vulnerability analysis
Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes.
Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications
– sent out for very important security-related news

Reporting product security issues:
Create a customer ticket in the support system.
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product? What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for spotlight news; check the security notes released on the Security Patch Days; subscribe to the SAP Support Portal newsletter; maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance. Booking code: P_ADM_SEC_70

Topic: Course ID
Authorizations AS ABAP: ADM940
Authorizations AS Java, Portal: ADM200, EP200, ADM800
Authorizations BW: BW365
SAP NetWeaver Identity Management: ADM920
Security Auditing: ADM950
Technical Security (RFC, SSL, SNC, …): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets.
Permits comparison between independent security evaluations.
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features.
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs). EAL 4 is the highest internationally accepted level.

EAL 1: functionally tested
EAL 2: structurally tested
EAL 3: methodically tested and checked
EAL 4: methodically designed, tested and reviewed
EAL 5: semi-formally designed and tested
EAL 6: semi-formally verified, designed and tested
EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control
Identity Management: SAP NetWeaver Identity Management
Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
Advanced SNC encryption: strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management: user and role management; provisioning to SAP and non-SAP systems; Identity Center; Virtual Directory Server; Identity Services; integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On: identity federation; single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML); digital signatures; re-authentication; advanced encryption of SAP GUI for Windows communication; strong authentication (RADIUS, smart cards); RSA Certification. Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption: basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder®

Web Access Management: Endorsed Business Solution with CA (CA SiteMinder)
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous app environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: after the primary authentication of a user, here jack_jones, the E-SSO monitor on the client performs the login to the target applications: terminal emulator, web form, web basic authentication, Windows application, Java application; it is configured via a local management console.)

Secure Login – Solution Architecture

(Diagram. Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with SLWC (applet) and key store; SAP or Java crypto library. SAP backend systems: ABAP stack with Secure Login Library and PSE service; Java stack. Secure Login Server on NetWeaver CE 7.2 with its config data; authentication server (e.g. SAP User Management). Protocols between the components: DIAG, SNC, HTTP(S).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM and SCM systems, plus cloud services.)

Identity Federation – Solution

(Diagram: in Datacenter A and Datacenter B the ERP, CRM and SCM systems of Company A and Company B each act as a service provider (SP); each company runs its own Identity Provider, and the two Identity Providers are linked by identity federation.)

Each company maintains only its own identities.
A company can trust the identities of another organization.
Employees of company A can get access to shared information of company B.
SAP Business Suite will be enabled for SAML (Service Provider).
Identity Provider and Service Provider are based on the open SAML standard.

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an SAP NetWeaver Java Identity Provider with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own user accounts; the browser logs on and off at the Identity Provider and presents a SAML token to each Service Provider.)

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).
Web users trying to access a system are redirected to the Identity Provider.
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication.
Web browser-based single sign-on is user-centric.
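The redirect-to-IdP flow described above, as an added example that is not part of the original deck or of any SAP product: a toy model in which assertions are JSON signed with HMAC-SHA256 as a stand-in for the XML signature of a real SAML 2.0 response, so the SP-side checks (signature, issuer, audience, validity window, replay) can be followed in code. Entity IDs, the user store and the signing key are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed IdP user store and signing key; a real IdP signs with an X.509 private key.
USERS = {"jack_jones": "constructed-password"}
IDP_KEY = b"constructed-idp-signing-key"


class IdentityProvider:
    """Authenticates a user once and issues audience-restricted, time-limited assertions."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key, self.sessions = entity_id, key, {}

    def authenticate(self, user, password):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return None
        sid = secrets.token_hex(8)            # IdP session: the one login the user performs
        self.sessions[sid] = user
        return sid

    def issue_assertion(self, sid, sp_entity_id, now, lifetime=300):
        """Assertion for one SP, issued from the existing IdP session (no re-authentication)."""
        body = {"id": "_" + secrets.token_hex(16),  # unique id, lets the SP detect replay
                "issuer": self.entity_id,
                "subject": self.sessions[sid],
                "audience": sp_entity_id,              # AudienceRestriction
                "not_on_or_after": now + lifetime}     # validity window
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    """Trusts one IdP and checks signature, issuer, audience, validity and replay."""

    def __init__(self, entity_id, idp_entity_id, idp_key):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.seen_ids, self.sessions = set(), {}

    def handle_request(self, sp_session):
        """A browser without an SP session is redirected to the IdP (SP-initiated SSO)."""
        if sp_session in self.sessions:
            return "200 OK"
        return f"302 redirect to IdP with SAMLRequest from {self.entity_id}"

    def consume_assertion(self, token, now):
        """Returns (True, sp_session) or (False, reason)."""
        expected = hmac.new(self.idp_key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return False, "invalid signature"
        body = json.loads(token["payload"])
        if body["issuer"] != self.idp_entity_id:
            return False, "untrusted issuer"
        if body["audience"] != self.entity_id:
            return False, "wrong audience"
        if now >= body["not_on_or_after"]:
            return False, "assertion expired"
        if body["id"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(body["id"])
        sp_session = secrets.token_hex(8)
        self.sessions[sp_session] = body["subject"]
        return True, sp_session


def sso_walkthrough(now=None):
    """One IdP login, then access to two SPs; returns the outcome of every step."""
    now = int(time.time()) if now is None else now
    idp = IdentityProvider("idp.company-a.example", IDP_KEY)
    erp = ServiceProvider("erp.company-b.example", idp.entity_id, IDP_KEY)
    crm = ServiceProvider("crm.company-b.example", idp.entity_id, IDP_KEY)
    out = {"first_visit": erp.handle_request(None)}                 # 302 to the IdP
    sid = idp.authenticate("jack_jones", "constructed-password")    # the only login
    tok_erp = idp.issue_assertion(sid, erp.entity_id, now)
    ok, erp_session = erp.consume_assertion(tok_erp, now)
    out["erp_login"] = ok
    out["second_visit"] = erp.handle_request(erp_session)           # 200 OK, SP session exists
    tok_crm = idp.issue_assertion(sid, crm.entity_id, now)          # IdP session reused
    out["crm_login"] = crm.consume_assertion(tok_crm, now)[0]
    # Checks a correct SP must fail: cross-SP reuse, replay, stale and tampered assertions.
    out["cross_sp_reuse"] = crm.consume_assertion(tok_erp, now)[1]
    out["replay"] = erp.consume_assertion(tok_erp, now)[1]
    out["stale"] = crm.consume_assertion(idp.issue_assertion(sid, crm.entity_id, now), now + 600)[1]
    tampered = dict(tok_crm, payload=tok_crm["payload"].replace("jack_jones", "someone_else"))
    out["tampered"] = crm.consume_assertion(tampered, now)[1]
    return out
```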

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: an event such as on-boarding triggers SAP NetWeaver Identity Management, which provisions to SAP and non-SAP systems and integrates with SAP Access Control (GRC) and the SAP Business Suite.)

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through SAP Access Control (GRC)
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram. Identity Center: IC database (MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB) and Event Agent, which start the runtimes. Virtual Directory Server: VDS in a Java VM, accessed via LDAP. AS Java: Web Dynpro ID Mgmt UI, UI abstraction, JMX; Identity Services reached over HTTPS. User interface: MMC Management Console (soon to be Eclipse). External repositories: LDAP, Java, ABAP, web services, Active Directory, etc. External applications: SAP HR, LDAP/web services, SiteMinder, app-specific, etc.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Sequence of slides; actors: User, Approver, Compliance Team, SAP NetWeaver Identity Management, SAP GRC Access Control.)

1. The user requests, in SAP NetWeaver Identity Management: role, privileges, user account, …
2. The request is sent for approval to: manager, delegate, role owner, application owner, …
3. Approval is granted from: manager, delegate, role owner, application owner, …
4. The request is sent for risk analysis to SAP GRC Access Control.
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provisioning to business applications, non-SAP systems, … and an approval mail is sent to the user.

Result: compliant identity management.
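The six-step process above as runnable code. This is an added, constructed model and not SAP NetWeaver Identity Management or SAP GRC Access Control code: the role names, the segregation-of-duties (SoD) rule set and the mitigating controls are made up, and the approvers always approve so that the focus stays on the risk analysis and remediation decision.

```python
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of roles one person must not hold together.
SOD_RULES = {
    "SOD-01": ("Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN"),
    "SOD-02": ("Z_PO_CREATE", "Z_PO_APPROVE"),
}
# Constructed mitigating controls the compliance team accepts, keyed by rule id.
MITIGATIONS = {"SOD-02": "monthly review of self-approved purchase orders"}


@dataclass
class AccessRequest:
    user: str
    existing_roles: set
    requested_roles: set
    approvals: dict = field(default_factory=dict)   # approver -> decision
    trail: list = field(default_factory=list)       # audit trail, one entry per step

    def log(self, step, text):
        self.trail.append(f"{step}: {text}")


def sod_violations(existing, requested):
    """Rules violated by the combination of roles already held and roles requested."""
    combined = existing | requested
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if a in combined and b in combined)


def route_for_approval(req, approvers):
    req.log(2, "sent for approval to " + ", ".join(approvers))
    return approvers


def record_approvals(req, decisions):
    req.approvals.update(decisions)
    req.log(3, "approvals: " + ", ".join(f"{k}={v}" for k, v in decisions.items()))
    return all(v == "approved" for v in decisions.values())


def risk_analysis(req):
    """Steps 4-5: SoD check and compliance-team decision; returns (decision, roles to provision)."""
    violations = sod_violations(req.existing_roles, req.requested_roles)
    req.log(4, f"risk analysis by access control: violations={violations}")
    unmitigated = [v for v in violations if v not in MITIGATIONS]
    if not violations:
        req.log(5, "approve")
        return "approve", set(req.requested_roles)
    if not unmitigated:
        req.log(5, "mitigate: " + "; ".join(MITIGATIONS[v] for v in violations))
        return "mitigate", set(req.requested_roles)
    # Remediation chosen here: modify the request by dropping the roles involved in
    # unmitigated conflicts instead of rejecting everything.
    conflicting = {r for v in unmitigated for r in SOD_RULES[v]}
    reduced = req.requested_roles - conflicting
    if reduced:
        req.log(5, f"modify request: dropped {sorted(conflicting & req.requested_roles)}")
        return "modify", reduced
    req.log(5, "reject")
    return "reject", set()


def provision(req, roles, systems):
    """Step 6: push the approved roles to every target system and notify the user."""
    if not roles:
        req.log(6, "nothing provisioned; user informed of rejection")
        return {}
    result = {s: sorted(roles) for s in systems}
    req.log(6, f"provisioned {sorted(roles)} to {list(systems)}; approval mail sent to {req.user}")
    return result


def process_request(req, systems=("ERP", "CRM")):
    """Drive steps 1-6; returns (decision, provisioning result per system)."""
    req.log(1, f"{req.user} requests {sorted(req.requested_roles)}")
    approvers = route_for_approval(req, ["manager", "role owner"])
    if not record_approvals(req, {a: "approved" for a in approvers}):
        return "rejected by approver", provision(req, set(), systems)
    decision, roles = risk_analysis(req)
    return decision, provision(req, roles, systems)
```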

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
Centralized user management: centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data: manage user privileges centrally
Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control:
Access Risk Identification: define and understand access risks
Access Analysis and Response: analyze and mitigate access risks
Access Reviews: periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Diagram. SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A). Connected systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; identity management solutions (SAP or non-SAP), optional. Optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services. Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC embedded SAP Crystal Reports), Content Lifecycle Management (CLM). Connections: RFC, DIAG, http, web services. SAP GRC 10.0.)

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events.
Reduce risk through compliance checks and remediation.
Automate manual processes through integration.

(Flow diagram: an event in the HR application (new hire, change position) triggers Identity Management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; finally users are created and roles/privileges assigned across the heterogeneous landscape.)

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Diagram. Inputs to the SAP Attack Monitoring Infrastructure: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; logs of network; IDS. Processing stages: connectivity, extraction, filtering, normalization, aggregation. Outputs: API to other SIEM tools; alerts from SAP SolMan; information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
Significant investments in security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.
The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.
SAP leads the industry by helping our customers to thrive in today's business networks.

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Read Access Logging Framework Features

Read Access Logging allows you to log all access to classified or sensitive data and supports the evaluation of these events. Using filters you can restrict the amount of data logged and also which data is logged, thus keeping private data out of the logs.

SAP Custom Development – User Interface (UI) Logging

(Diagram: SAP GUI for Windows sends requests to the Dynpro processor in the SAP backend system and receives responses; the observed data traffic between Dynpro processor and application logic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository; a sample implementation is delivered.)

In addition to the Read Access Logging framework, you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging Log Record Example I: Transaction BP (Business Partner) log record (screenshot)

UI Logging Log Record Example II: Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release. Within the solution you can configure the information to be logged per InfoProvider. The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.
For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection.

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                     | Supported by Read Access Logging | UI Logging Solution
SAP GUI                     | No                               | 7.00…7.31
Web Dynpro ABAP             | 7.40 SP02                        | On request
CRM Web Client UI           | No                               | 7.00…7.31
Business Warehouse          | No                               | 7.00…7.31, BW 7.0
Web Services                | 7.40                             | On request
SAP RFC                     | 7.40 SP02                        | On request
Business Server Pages (BSP) | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.
When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.
In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
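A constructed illustration of the ideas from the Read Access Logging feature description and the legal-regulations slide above: a filter decides which (channel, field) reads are logged at all, values are masked or omitted so that private data such as full credit card numbers stays out of the log, and each entry carries a purpose and a retention period after which it is purged. This is added example code, not the SAP framework; channel names, field names and periods are made up, and a plain day number stands in for a timestamp.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldRule:
    """Filter entry: which field in which channel is classified, how its value is
    stored, and for which purpose / how many days the entry may be kept."""
    channel: str          # e.g. "WebDynpro", "RFC" (constructed names)
    field: str            # logical field name (constructed)
    mask: str             # "full" = log the value, "last4" = keep last 4 digits, "omit" = no value
    purpose: str
    retention_days: int


# Constructed configuration: only these (channel, field) pairs are logged at all.
RULES = [
    FieldRule("WebDynpro", "BP.CREDIT_CARD", "last4", "fraud investigation", 90),
    FieldRule("WebDynpro", "BP.BANK_ACCOUNT", "omit", "access review", 365),
    FieldRule("RFC", "HR.SALARY", "omit", "works council audit", 30),
]


class ReadAccessLog:
    def __init__(self, rules):
        self.rules = {(r.channel, r.field): r for r in rules}
        self.entries = []

    @staticmethod
    def _mask(value, mode):
        if mode == "omit":
            return None
        if mode == "last4":
            digits = re.sub(r"\D", "", value)
            return "*" * max(len(digits) - 4, 0) + digits[-4:]
        return value

    def record(self, user, channel, field, value, day):
        """Log a read of `field` over `channel`; returns the entry, or None if filtered out."""
        rule = self.rules.get((channel, field))
        if rule is None:
            return None    # not classified in this channel: stays out of the log entirely
        entry = {"day": day, "user": user, "channel": channel, "field": field,
                 "value": self._mask(value, rule.mask),
                 "purpose": rule.purpose, "expires": day + rule.retention_days}
        self.entries.append(entry)
        return entry

    def purge(self, today):
        """Remove entries past their retention period; returns how many were removed."""
        kept = [e for e in self.entries if e["expires"] > today]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed

    def accesses_by(self, user):
        """Evaluation: which classified fields a given user read, and when."""
        return [(e["day"], e["field"]) for e in self.entries if e["user"] == user]
```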

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.)

Digital signatures for legally binding contracts
Integration with the Secure Store and Forward (SSF) API
Out-of-the-box support for a set of SAP transactions
Consistent with SAP Single Sign-On mechanisms
Easy and flexible to implement
Generation of X.509 certificates and smart card support
PCI-DSS-compliant encryption

Digital Signatures – Step by Step

(Diagram between SAP client and backend:)
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions. Programming/integration is necessary in case of: ABAP programming for other transactions not yet supporting SSF; integration of the Secure Login Library with client actions; hardware support needed.

SNC Client Encryption: Secure Network Communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. Goals: compliance, integrity, confidentiality.
SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

Included in the SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available compared to SAP NetWeaver Single Sign-On
No single sign-on included

(Diagram: the clients SAP NetWeaver Business Client, SAP GUI for Windows, RFC client and Business Explorer Browser (BEx Browser) connect over SNC to SAP application servers, which also use SNC between each other.)

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings


SAP Product Innovation Lifecycle

(Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates Planning to Development, Development to Production, Production to Ramp Up.)

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 57

SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)
– SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press

SAP Security Management for Your Systems

Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP (SAP Service Marketplace)?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD (segregation of duties)?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

(Topics from the security recommendations, discussed later)

Patch Management and Security Monitoring

– Check the security of your systems onsite, remotely, or as self-service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day: the most important notes that can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
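The configuration validation described above, as an added example that is not SAP Solution Manager's implementation: a constructed profile parameter dump of two systems is parsed and every parameter that deviates from a target is reported. The parameter names are real AS ABAP profile parameters; the target values, comparison operators and the sample dump are assumptions chosen for illustration, not SAP's published recommendations.

```python
"""Added example: validate profile parameters against target values, the
kind of check Configuration Validation performs for connected systems."""
import re

# Constructed sample: a dump of active profile parameters of two systems
# (one "name = value" line per parameter); values are made up.
SAMPLE_DUMP = {
    "PRD": """login/min_password_lng = 6
login/password_downwards_compatibility = 5
snc/enable = 0
icf/set_HTTPonly_flag_on_cookies = 3
login/no_automatic_user_sapstar = 1
""",
    "DEV": """login/min_password_lng = 10
login/password_downwards_compatibility = 0
snc/enable = 1
login/no_automatic_user_sapstar = 0
""",
}

# Constructed targets: (operator, target). "min" means the actual value must
# be at least the target, "eq" means it must equal it. Not SAP's values.
TARGETS = {
    "login/min_password_lng": ("min", 8),
    "login/password_downwards_compatibility": ("eq", 0),
    "snc/enable": ("eq", 1),
    "icf/set_HTTPonly_flag_on_cookies": ("eq", 3),
    "login/no_automatic_user_sapstar": ("eq", 1),
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)\s*$")


def parse_profile(dump: str) -> dict:
    """Parse 'name = value' lines into a dict; malformed lines are skipped."""
    params = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_parameter(actual, rule) -> bool:
    """True when the actual value satisfies the (operator, target) rule."""
    op, target = rule
    if actual is None:
        return False            # parameter not set at all cannot pass
    try:
        value = int(actual)
    except ValueError:
        return False            # non-numeric where a number is expected
    return value >= target if op == "min" else value == target


def validate_system(sid: str, params: dict, targets: dict = TARGETS) -> list:
    """Return one finding per deviating or missing parameter of one system."""
    findings = []
    for name, rule in targets.items():
        actual = params.get(name)
        if not check_parameter(actual, rule):
            op, target = rule
            findings.append({
                "system": sid, "parameter": name,
                "actual": actual if actual is not None else "<not set>",
                "expected": f"{'>=' if op == 'min' else '=='} {target}",
            })
    return findings


def validate_landscape(dumps: dict, targets: dict = TARGETS) -> dict:
    """Run the validation for every connected system; result keyed by SID."""
    return {sid: validate_system(sid, parse_profile(dump), targets)
            for sid, dump in dumps.items()}


if __name__ == "__main__":
    for sid, findings in validate_landscape(SAMPLE_DUMP).items():
        print(f"{sid}: {len(findings)} deviation(s)")
        for f in findings:
            print(f"  {f['parameter']}: actual {f['actual']}, expected {f['expected']}")
```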

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:
– Each task is available in two flavors: one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information, see SAP Note 1532674.

Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources
– SAP security recommendations
– SAP security guides

How to verify
– Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources
– SAP Secure Programming Guides
– SAP Security Recommendations

How to verify
– Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Testing approaches: manual source code review; automated source code analysis; automated application vulnerability scanning; manual application penetration testing.
– DAST: find vulnerabilities in the running application
– SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

The same four approaches (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing) split into DAST (running application) and SAST (sources). The SAP NetWeaver Application Server add-on for code vulnerability analysis is an automated source code analysis (SAST) tool. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
– spotlight news
– check of the security notes released on the Security Patch Days
– subscription to the SAP support portal newsletter
– maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
– The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
– Booking code: P_ADM_SEC_70

Topic – Course ID
– Authorizations AS ABAP – ADM940
– Authorizations AS Java, Portal – ADM200, EP200, ADM800
– Authorizations BW – BW365
– SAP NetWeaver Identity Management – ADM920
– Security Auditing – ADM950
– Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
– EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
– EAL 1: functionally tested
– EAL 2: structurally tested
– EAL 3: methodically tested and checked
– EAL 4: methodically designed, tested and reviewed
– EAL 5: semi-formally designed and tested
– EAL 6: semi-formally verified, designed and tested
– EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Republic of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
– SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
– Compliance and Governance: SAP GRC Access Control
– Identity Management: SAP NetWeaver Identity Management
– Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store

Advanced SNC encryption
– Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
– Smart cards
– Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP systems and non-SAP
– Identity Center
– Virtual Directory Server
– Identity Services
– Integration with SAP GRC Access Control
– Identity federation

SAP NetWeaver Single Sign-On
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures
– Re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (Radius, smart cards)
– RSA Certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption (SAP NetWeaver)
– Basic encryption of the communication path for SAP Windows clients and SAP application servers
– No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner)
– Endorsed Business Solution (EBS) with CA SiteMinder product: policy-based authentication and authorization to web applications; XACML-based and policy-enforced access

Identity Federation
– Web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company domain single sign-on

Secure Login
– Single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
– Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
– Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

[Diagram also shows an API layer beneath the components]

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after the primary authentication of the user (jack_jones), the E-SSO monitor handles the logons to terminal emulators, web forms, web basic authentication, Windows applications and Java applications; a local management console holds the configuration]

Secure Login – Solution Architecture

[Diagram: client system with SAP frontend (NWBC, SAP GUI), Secure Login Client and web browser (SLWC applet, key store); SAP backend system with ABAP stack (Secure Login Library, PSE service) and Java stack (SAP or Java Crypto Library); Secure Login Server on NetWeaver CE 7.2 with configuration data; further backend systems and an authentication server (e.g. SAP User Management); connections use DIAG/SNC and HTTP(S)]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

– Different companies
– One business process
– Separated IT infrastructure

[Diagram: Company A (Datacenter A) and Company B (Datacenter B), each running ERP, CRM, SCM and further systems, plus a cloud]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider; their ERP, CRM and SCM systems act as Service Providers (SP); the two Identity Providers are linked by identity federation]

– Each company maintains only its own identities
– A company can trust the identities of another organization
– Employees of company A can get access to shared information of company B
– SAP Business Suite will be enabled for SAML (Service Provider)
– Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an SAP NetWeaver Java Identity Provider holding the user account; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account; the browser logs on and off at the Identity Provider and presents a SAML token to the Service Providers]

– The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
– Web users trying to access a system will be redirected to the Identity Provider
– Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
– Web browser-based single sign-on is user-centric
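The Service Provider side of the exchange described above, as an added example that is not part of the original deck or of SAP's SAML implementation: a real assertion is XML carrying an XML Signature, and this stand-in signs a dict with an HMAC so that it runs offline; the issuer, audience and key values are constructed.

```python
"""Added example: the checks a SAML Service Provider (SP) must make on an
assertion it receives from the Identity Provider (IdP) before it grants
access without re-authentication."""
import hashlib
import hmac
import json
import secrets

# Constructed trust configuration of one SP (e.g. an AS ABAP system):
# the IdP it trusts and the key it shares with that IdP (stand-in for the
# IdP's signing certificate).
SP_CONFIG = {
    "entity_id": "https://erp.example.test/sap/saml2/sp",    # constructed
    "trusted_issuer": "https://idp.example.test/saml2/idp",  # constructed
    "idp_key": b"constructed-shared-key-not-for-production",
    "clock_skew": 60,   # seconds of tolerance for NotBefore / NotOnOrAfter
}


def canonical(claims: dict) -> bytes:
    """Deterministic serialization, the role XML canonicalization plays."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(key: bytes, issuer: str, subject: str, audience: str,
                    now: int, lifetime: int = 300) -> dict:
    """IdP side: build and sign an assertion addressed to one SP (audience)."""
    claims = {
        "id": "_" + secrets.token_hex(16),   # unique per assertion
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "not_before": now,
        "not_on_or_after": now + lifetime,
    }
    sig = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": sig}


def validate_assertion(cfg: dict, assertion: dict, now: int,
                       seen_ids: set) -> tuple:
    """SP side: return (ok, reason). Every check is mandatory; the signature
    is verified first so that unauthenticated input is not interpreted."""
    claims = assertion.get("claims", {})
    sig = assertion.get("signature", "")
    expected = hmac.new(cfg["idp_key"], canonical(claims),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "invalid signature"
    if claims.get("issuer") != cfg["trusted_issuer"]:
        return False, "untrusted issuer"
    if claims.get("audience") != cfg["entity_id"]:
        return False, "wrong audience"       # assertion meant for another SP
    skew = cfg["clock_skew"]
    if now < claims["not_before"] - skew:
        return False, "not yet valid"
    if now >= claims["not_on_or_after"] + skew:
        return False, "expired"
    if claims["id"] in seen_ids:
        return False, "replayed assertion"   # same token presented twice
    seen_ids.add(claims["id"])               # remember until it has expired
    return True, "ok"


if __name__ == "__main__":
    cfg = SP_CONFIG
    token = issue_assertion(cfg["idp_key"], cfg["trusted_issuer"],
                            "jack_jones", cfg["entity_id"], now=1000)
    seen = set()
    print(validate_assertion(cfg, token, 1000, seen))   # (True, 'ok')
    print(validate_assertion(cfg, token, 1001, seen))   # replay rejected
```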

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

– Password management
– Provisioning to SAP and non-SAP systems
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as service
– Approval workflows
– Central Identity Store
– Compliance checks through SAP Access Control (GRC)
– SAP Business Suite integration (e.g. on-boarding)

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with IC database (either MS-SQL or Oracle DB, soon IBM DB2) holding stored procedures, logs and audit data; Identity Services (IdS) over HTTPS; runtimes in Java and VB, a dispatcher, a DSE and an event agent that starts runtimes; the Virtual Directory Server (VDS, Java VM) accessed via LDAP; AS Java with a Web Dynpro user interface and an ID management UI abstraction, managed via JMX; an MMC management console, soon to be Eclipse; connectors to external repositories (database protocol, LDAP, Java, ABAP, web services, Active Directory, etc.) and to external applications (SAP HR, LDAP/web services, SiteMinder, application-specific)]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

The process between SAP NetWeaver Identity Management and SAP GRC Access Control, step by step:

1. The user requests a role, privileges, a user account, …
2. The request is sent for approval to the manager, delegate, role owner, application owner, …
3. Approval is granted by the manager, delegate, role owner, application owner, …
4. The request is sent for risk analysis (manager, delegate, role owner, application owner, …)
5. The compliance team performs risk analysis and remediation in SAP GRC Access Control: reject, approve, mitigate, modify request, …
6. SAP NetWeaver Identity Management provisions to business applications, non-SAP systems, … and sends an approval mail to the user

Result: compliant identity management across user, approver and compliance team.
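The six steps above as a small state machine, added here as illustration and not code of SAP NetWeaver Identity Management or SAP GRC Access Control: the risk analysis of steps 4 and 5 is implemented as a segregation-of-duties (SoD) check over the privileges the user already holds plus the requested ones. The roles, privileges, SoD rules and mitigating controls are constructed, and only the reject and mitigate decisions of step 5 are modeled.

```python
"""Added example: compliant identity management request flow with an SoD
risk analysis before provisioning."""
from dataclasses import dataclass, field

# Constructed role catalogue: business role -> privileges as SYSTEM:ACTION.
ROLES = {
    "AP_CLERK":     {"ERP:CREATE_VENDOR", "ERP:ENTER_INVOICE"},
    "AP_PAYER":     {"ERP:RELEASE_PAYMENT"},
    "VENDOR_MAINT": {"ERP:CREATE_VENDOR"},
    "CRM_SALES":    {"CRM:MAINTAIN_OPPORTUNITY"},
}

# Constructed SoD rules: two privileges one person must not hold together.
SOD_RULES = [
    ("ERP:CREATE_VENDOR", "ERP:RELEASE_PAYMENT", "AP01 vendor + payment"),
    ("ERP:ENTER_INVOICE", "ERP:RELEASE_PAYMENT", "AP02 invoice + payment"),
]

# Constructed mitigating controls the compliance team may assign to a risk.
MITIGATIONS = {"AP01 vendor + payment": "CTRL-17 monthly vendor master review"}


@dataclass
class Request:
    user: str
    current_roles: set
    requested_roles: set
    state: str = "REQUESTED"                      # step 1
    approvals: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    provisioned: dict = field(default_factory=dict)


def privileges(roles: set) -> set:
    """Expand business roles to the privileges they grant."""
    return set().union(*(ROLES[r] for r in roles))


def approve(req: Request, approver: str) -> None:
    """Steps 2 and 3: the manager, delegate or owner approves."""
    req.approvals.append(approver)
    req.state = "APPROVED"


def analyze_risks(req: Request) -> list:
    """Step 4: SoD analysis over existing plus requested privileges, across
    systems; only conflicts the request introduces or takes part in count."""
    held = privileges(req.current_roles | req.requested_roles)
    new = privileges(req.requested_roles)
    req.risks = [rid for a, b, rid in SOD_RULES
                 if a in held and b in held and (a in new or b in new)]
    req.state = "RISK_ANALYZED"
    return req.risks


def remediate(req: Request, decision: str, controls: dict = MITIGATIONS) -> str:
    """Step 5: the decision only matters when the analysis found risks."""
    if not req.risks:
        req.state = "RELEASED"
    elif decision == "reject":
        req.state = "REJECTED"
    elif decision == "mitigate":
        if all(r in controls for r in req.risks):
            req.mitigations = {r: controls[r] for r in req.risks}
            req.state = "RELEASED"
        else:
            req.state = "REJECTED"      # a risk without a control stays open
    else:
        raise ValueError("decision must be 'reject' or 'mitigate'")
    return req.state


def provision(req: Request) -> dict:
    """Step 6: provision the requested privileges per target system."""
    if req.state != "RELEASED":
        raise RuntimeError("only released requests are provisioned")
    for priv in privileges(req.requested_roles):
        system, action = priv.split(":", 1)
        req.provisioned.setdefault(system, set()).add(action)
    req.state = "PROVISIONED"
    return req.provisioned


def process(user, current, requested, approver, decision) -> Request:
    """Run one request through steps 1 to 6."""
    req = Request(user, set(current), set(requested))
    approve(req, approver)
    analyze_risks(req)
    if remediate(req, decision) == "RELEASED":
        provision(req)
    return req


if __name__ == "__main__":
    r = process("jack_jones", {"AP_CLERK"}, {"AP_PAYER"}, "manager", "mitigate")
    print(r.state, r.risks)       # REJECTED: AP02 has no mitigating control
```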

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
– Access Risk Identification: define and understand access risks
– Access Analysis and Response: analyze and mitigate access risks
– Access Reviews: periodic reviews of assignments, risk violations and controls
– Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

[Diagram of SAP GRC 10.0 components; connections use RFC, DIAG, http and web services:
– SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A)
– SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP)
– Non-SAP business applications via adapter
– Identity management solutions (SAP or non-SAP), optional
– SAP NW Portal 7.02 with GRC portal content, optional
– SAP NW BW 7.02 with GRC BI content, optional
– SAP NW Java 7.02 with Adobe Document Services, optional
– Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)
– Content Lifecycle Management (CLM)]

Compliant Identity Management: Example Customer Scenario

– Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
– Reduce risk through compliance checks and remediation
– Automate manual processes through integration

[Diagram: an HR application raises a new hire or change of position event; Identity Management calculates entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; users are created and roles or privileges assigned across the heterogeneous landscape]

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure receives attack pattern updates by SAP and collects logs of SAP NetWeaver, logs of non-SAP-NetWeaver systems, desktop frontend and mobile frontend logs, logs of infrastructure, logs of database, network logs, IDS data and alerts from SAP SolMan. Processing stages: connectivity, extraction, filtering, normalization, aggregation. It offers an API to other SIEM tools and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

– SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
– Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
– The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
– SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
– SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
– SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
– SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
– SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
– SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
– SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complimentary with your SAP TechEd registration
– http://saptechedhandson.sap.com

SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
– View content only available online
– http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

SAP Custom Development – User Interface (UI) Logging

[Diagram: SAP GUI for Windows sends requests to and receives responses from the Dynpro processor in the SAP backend system; the observed data traffic is written to a temporary log, and an asynchronous call of the log service moves it to permanent log storage in the repository; the application logic is not touched; a sample implementation is delivered]

In addition to the Read Access Logging framework you can use the SAP Custom Development UI logging solution for releases before NW 7.40. UI logging is currently available as an RCS product for the channels SAP GUI for Windows/HTML/Java, CRM Web Client UI and Business Warehouse (BEx Analyzer, BEx Web, BW-IP, MDX, BICS). Further channels as well as individual enhancements can be provided on request.

UI Logging: Log Record Example I – Transaction BP (Business Partner) log record (screenshot)

UI Logging: Log Record Example II – Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

– SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
– LOPD was first available with the BW 7.0 release
– Within the solution you can configure the information to be logged per InfoProvider
– The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
– For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40. The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel – Supported by Read Access Logging – UI Logging Solution
– SAP GUI – No – 7.00 … 7.31
– Web Dynpro ABAP – 7.40 SP02 – On request
– CRM Web Client UI – No – 7.00 … 7.31
– Business Warehouse – No – 7.00 … 7.31, BW 7.0
– Web Services – 7.40 – On request
– SAP RFC – 7.40 SP02 – On request
– Business Server Pages (BSP) – No – On request

Read Access Logging

Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards. Examples are, for instance, full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions Encryption of Data at Rest and in Transit


Digital Signatures Via SSF API and Secure Login Library

(Figure: SAP Business Suite applications – SR, SCM, ERP, PLM, CRM – on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library.)

– Digital signatures for legally binding contracts
– Integration with Secure Store and Forward (SSF) API
– Out-of-the-box support for a set of SAP transactions
– Consistent with SAP Single Sign-On mechanisms
– Easy and flexible to implement
– Generation of X.509 certificates and smart card support
– PCI-DSS-compliant encryption


Digital Signatures – Step By Step

(Figure: SAP Client and application server; steps 1–4)

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

Supported out-of-the-box for a set of SAP transactions.

Programming/integration necessary in case of:
– ABAP programming for other transactions not yet supporting SSF
– Integration of Secure Login Library with client actions
– Hardware support needed
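The four steps above, as an added example that is not part of the SAP deck and does not use the SSF API or the Secure Login Library: a self-contained Go program in which a constructed issuing CA hands the authenticated user a certificate (step 3), the document digest is signed with the user's key and stored with the certificate (step 4), and a verifier later re-checks the stored record. The CA name, user name and document text are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedRecord is what the application stores in step 4: document, detached
// signature and the signer's certificate, so it can be re-verified any time.
type SignedRecord struct {
	User      string    // SAP user name; must match the certificate subject
	Document  []byte    // the signed content
	Signature []byte    // PKCS#1 v1.5 signature over SHA-256(Document)
	CertDER   []byte    // signer's X.509 certificate, DER encoded
	SignedAt  time.Time // reference time when the record is re-checked
}

// template builds a CA template when isCA is set, otherwise a short-lived end-user certificate limited to signing.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(8 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// runFlow walks steps 1-4 for one transaction and returns the stored record
// together with the trust anchor (constructed CA) a later verifier needs.
func runFlow(user string, doc []byte) (SignedRecord, *x509.CertPool, error) {
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	userKey, err2 := rsa.GenerateKey(rand.Reader, 2048) // user's signing key
	if err1 != nil || err2 != nil {
		return SignedRecord{}, nil, errors.New("key generation failed")
	}
	caTmpl := template("Example Signing CA", true)
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return SignedRecord{}, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return SignedRecord{}, nil, err
	}
	certDER, err := x509.CreateCertificate(rand.Reader, template(user, false), caCert, &userKey.PublicKey, caKey) // step 3
	if err != nil {
		return SignedRecord{}, nil, err
	}
	digest := sha256.Sum256(doc) // step 4: sign the digest, never the raw document
	sig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, digest[:])
	if err != nil {
		return SignedRecord{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	rec := SignedRecord{User: user, Document: doc, Signature: sig, CertDER: certDER, SignedAt: time.Now()}
	return rec, roots, nil
}

// verifyRecord re-checks a stored record: the certificate must chain to a trusted CA and
// name the recorded user, and the signature must match the stored document (SHA-256 + RSA).
func verifyRecord(rec SignedRecord, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(rec.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: rec.SignedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != rec.User {
		return errors.New("certificate subject does not match recorded user")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, rec.Document, rec.Signature); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

func main() {
	rec, roots, err := runFlow("JDOE", []byte("Business partner 100042: bank details changed"))
	if err != nil {
		panic(err)
	}
	fmt.Println("verification error:", verifyRecord(rec, roots))
}
```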


SNC Client Encryption

Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

– Included in SAP NetWeaver license
– Encryption between SAP client and application server
– Based on SNC and Kerberos
– No hybrid encryption available compared to SAP NetWeaver Single Sign-On
– No single sign-on included

(Figure: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connect via SNC to the SAP application server; traffic between SAP application servers is also protected via SNC.)

SAP NetWeaver Security Solutions Secure Software Development

Security Standards and Certifications

Security Services and Support Offerings


Protecting Your SAP Systems

(Figure: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management)



SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:

– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services



SAP Security Services Overview (1/2)

SAP Security Patch Day
– SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press



SAP Security Management for Your Systems

Are you ready?

– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in SMP?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and SoD?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration SAP NetWeaver AS ABAP

– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

(Taken from the security recommendations; discussed later.)


Patch Management and Security Monitoring

Check the security of your systems onsite, remotely, or as self service via SAP Solution Manager.

– Verify release information and configuration parameters against targets for all systems connected to Solution Manager.
– Evaluate SAP security notes every patch day. The most important notes which can be applied automatically are checked and the result is presented.
– Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint.

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:

– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.



Secure Custom Development – Secure Design

Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace

Resources
– SAP security recommendations
– SAP security guides

How to verify
– Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection

Resources
– SAP Secure Programming Guides
– SAP Security Recommendations

How to verify
– Source code scanning – automate it


Overview of SAP Code Check Tools (Topic Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Figure: Manual source code review | Automated source code analysis | Automated application vulnerability scanning | Manual application penetration testing)

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.


Code Vulnerability Analysis Scan Analyze and Fix Your Programs

(Figure: Manual source code review | Automated source code analysis | Automated application vulnerability scanning | Manual application penetration testing)

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

SAP NetWeaver Application Server add-on for code vulnerability analysis

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes


Security Response SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news, check the security notes released on the Security Patch Days, subscribe to the SAP support portal newsletter, and maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance

Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance. Booking code: P_ADM_SEC_70

Topic | Course ID
Authorizations AS ABAP | ADM940
Authorizations AS Java, Portal | ADM200, EP200, ADM800
Authorizations BW | BW365
SAP NetWeaver Identity Management | ADM920
Security Auditing | ADM950
Technical Security (RFC, SSL, SNC, …) | ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
– EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
– SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control

Identity Management: SAP NetWeaver Identity Management

Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store

Advanced SNC encryption
– Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
– Smart cards
– RADIUS


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP systems and non-SAP
– Identity Center, Virtual Directory Server, Identity Services
– Integration with SAP GRC Access Control
– Identity federation

SAP NetWeaver Single Sign-On
– Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures, re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA Certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption
– Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

All three are part of SAP NetWeaver.


SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner product, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access.

Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on.

Secure Login: Single sign-on for Web-based and Web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password.

SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on.


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

(Figure: Primary Authentication, E-SSO, E-SSO Monitor and Local Management Console for user jack_jones; applications served by E-SSO: Terminal Emulator, Web Form, Web Basic, Windows application, Java application.)


Secure Login – Solution Architecture

(Figure: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet), Key Store, and SAP or Java Crypto Library. SAP Backend System: ABAP Stack with Secure Login Library and PSE Service, Java Stack; NetWeaver CE 7.2 with Secure Login Server and Config Data; Authentication Server (e.g. SAP User Management); further Backend Systems with Secure Login Lib. Protocols: DIAG with SNC, HTTP(S).)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure.

(Figure: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …), plus Cloud.)


Identity Federation – Solution

(Figure: Datacenter A of Company A and Datacenter B of Company B, each with ERP, CRM and SCM acting as Service Providers (SP) and an Identity Provider per company; Identity Federation links the two Identity Providers.)

– Each company maintains only its own identities
– A company can trust the identities of another organization
– Employees of company A can get access to shared information of company B
– SAP Business Suite will be enabled for SAML (Service Provider)
– Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

(Figure: SAP NetWeaver Java Identity Provider with its user account; Service Providers with their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java, non-SAP; log on/log off at the Identity Provider, SAML token passed to the Service Providers.)

– The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
– Web users trying to access a system will be redirected to the Identity Provider
– Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
– Web browser-based single sign-on is user-centric
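The redirect-and-assert flow described above, as an added example that is neither SAP code nor real SAML XML: a Go model of one Identity Provider and two Service Providers, where the user authenticates once at the IdP and each SP accepts a signed assertion after checking signature, issuer, audience, validity window and replay. Entity IDs, user names and the JSON assertion format are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a minimal stand-in for a SAML 2.0 assertion (constructed, not real SAML XML).
type Assertion struct {
	ID           string // unique per issued assertion
	Issuer       string // IdP entity ID
	Subject      string // authenticated user
	Audience     string // entity ID of the SP the assertion is meant for
	NotBefore    time.Time
	NotOnOrAfter time.Time
}

// Token is what the browser carries from the IdP to the SP: JSON assertion plus Ed25519 signature.
type Token struct{ Assertion, Signature []byte }

// IdentityProvider owns the signing key and remembers who has already logged on.
type IdentityProvider struct {
	EntityID string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	sessions map[string]bool
	serial   int
}

func NewIdP(entityID string) *IdentityProvider {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{EntityID: entityID, Pub: pub, priv: priv, sessions: map[string]bool{}}
}

func (idp *IdentityProvider) Login(user string) { idp.sessions[user] = true } // the one authentication

// Issue returns a signed assertion for user addressed to one SP; without an IdP
// session the user would be shown the logon page instead (an error here).
func (idp *IdentityProvider) Issue(user, spEntityID string, now time.Time) (Token, error) {
	if !idp.sessions[user] {
		return Token{}, errors.New("user must authenticate at the IdP first")
	}
	idp.serial++
	raw, err := json.Marshal(Assertion{
		ID: fmt.Sprintf("%s#%d", idp.EntityID, idp.serial), Issuer: idp.EntityID,
		Subject: user, Audience: spEntityID,
		NotBefore: now.Add(-30 * time.Second), NotOnOrAfter: now.Add(5 * time.Minute),
	})
	if err != nil {
		return Token{}, err
	}
	return Token{Assertion: raw, Signature: ed25519.Sign(idp.priv, raw)}, nil
}

// ServiceProvider trusts exactly one IdP key and keeps its own local sessions
// plus the IDs of assertions it has already accepted (replay protection).
type ServiceProvider struct {
	EntityID, idpID string
	idpPub          ed25519.PublicKey
	sessions, seen  map[string]bool
}

func NewSP(entityID string, idp *IdentityProvider) *ServiceProvider {
	return &ServiceProvider{EntityID: entityID, idpID: idp.EntityID, idpPub: idp.Pub,
		sessions: map[string]bool{}, seen: map[string]bool{}}
}

// HasSession is the SP's first check: true means serve the request, false means redirect to the IdP.
func (sp *ServiceProvider) HasSession(user string) bool { return sp.sessions[user] }

// Consume validates a token delivered by the browser and, only if every check
// passes, opens a local session. The signature is checked before any field is trusted.
func (sp *ServiceProvider) Consume(tok Token, now time.Time) (string, error) {
	if !ed25519.Verify(sp.idpPub, tok.Assertion, tok.Signature) {
		return "", errors.New("signature does not verify with the trusted IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(tok.Assertion, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.idpID || a.Audience != sp.EntityID {
		return "", errors.New("assertion not issued by our IdP for this service provider")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	if sp.seen[a.ID] {
		return "", errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true
	sp.sessions[a.Subject] = true
	return a.Subject, nil
}
```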

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management (e.g. on-boarding)

– Password management
– Provisioning to SAP and non-SAP systems
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as a service
– Approval workflows
– Central Identity Store

SAP Access Control (GRC): compliance checks through GRC

SAP Business Suite Integration


Architecture of SAP NetWeaver Identity Management 7.2

(Figure: Identity Center with the IC database – either MS-SQL or Oracle DB, soon IBM DB2 – holding stored procedures, logs, audit and IdS; Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB) and Event Agent which starts runtimes; Virtual Directory Server (VDS) in a Java VM exposing LDAP; external repositories reached via database protocol, LDAP, Java, ABAP, Web services, Active Directory, etc.; external applications such as SAP HR, LDAP/Web services, SiteMinder and app-specific connectors; AS Java with Web Dynpro ID Mgmt UI abstraction over HTTPS and JMX; User Interface; MMC Management Console, soon to be Eclipse.)

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management

(Figure: User, Approver and Compliance Team interacting with SAP NetWeaver Identity Management and SAP GRC Access Control; steps 1–6)

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, …
5. Risk analysis and remediation: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, …; and send approval mail to user

Result: Compliant Identity Management
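Steps 4 to 6 above, as an added example that is not SAP GRC code: a Go model of request-time risk analysis against segregation-of-duties rules, the reject/approve/mitigate decision, and provisioning to several target systems only when the request passes. Rule IDs, role names, control names and target systems are constructed for this example.

```go
package main

// Request is step 1 of the slide: a user asks for additional roles.
type Request struct {
	User  string
	Roles []string
}

// Rule is an access risk in the sense of GRC risk identification: holding
// every role in Conflicts at the same time violates segregation of duties.
type Rule struct {
	ID        string
	Conflicts []string
}

// Violation is one rule that the user's access would break after the request.
type Violation struct {
	RuleID string
	Roles  []string
}

// Decision is the outcome of step 5 (risk analysis and remediation).
type Decision int

const (
	Approve  Decision = iota // no risk: provision as requested
	Mitigate                 // risk accepted under a mitigating control
	Reject                   // risk without a control: nothing is provisioned
)

// Analyze simulates the user's access after the request (existing roles plus
// requested ones) against the rule set and reports the violations the request
// would introduce. Risks already present before the request are left to the
// periodic access review, so an unrelated request is not blocked by them.
func Analyze(existing, requested []string, rules []Rule) []Violation {
	held := map[string]bool{}
	for _, r := range existing {
		held[r] = true
	}
	isNew := map[string]bool{}
	for _, r := range requested {
		held[r] = true
		isNew[r] = true
	}
	var out []Violation
	for _, rule := range rules {
		complete, introduced := true, false
		for _, role := range rule.Conflicts {
			complete = complete && held[role]
			introduced = introduced || isNew[role]
		}
		if complete && introduced {
			out = append(out, Violation{RuleID: rule.ID, Roles: rule.Conflicts})
		}
	}
	return out
}

// Decide maps the analysis result to a decision: every violation needs a
// mitigating control (keyed by rule ID) or the whole request is rejected.
func Decide(violations []Violation, controls map[string]string) (Decision, []string) {
	if len(violations) == 0 {
		return Approve, nil
	}
	var applied []string
	for _, v := range violations {
		control, ok := controls[v.RuleID]
		if !ok {
			return Reject, nil
		}
		applied = append(applied, control)
	}
	return Mitigate, applied
}

// Target is one system in the landscape that receives provisioning (step 6).
type Target struct {
	Name  string
	Users map[string][]string // user -> roles assigned in this system
}

// ProcessRequest runs steps 4-6: analyze, decide, then provision to every target
// unless the decision is Reject. existing is updated so later requests see the new access.
func ProcessRequest(req Request, existing map[string][]string, rules []Rule,
	controls map[string]string, targets []*Target) (Decision, []Violation, []string) {
	violations := Analyze(existing[req.User], req.Roles, rules)
	decision, applied := Decide(violations, controls)
	if decision == Reject {
		return decision, violations, nil
	}
	existing[req.User] = append(existing[req.User], req.Roles...)
	for _, t := range targets {
		t.Users[req.User] = append(t.Users[req.User], req.Roles...)
	}
	return decision, violations, applied
}
```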


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
– Access Risk Identification: define and understand access risks
– Access Analysis and Response: analyze and mitigate access risks
– Access Reviews: periodic reviews of assignments, risk violations and controls
– Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.


SAP GRC Access Control 10.0 - Architecture

(Figure: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A); SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP), Content Lifecycle Management (CLM); connections via http, Web services, RFC and DIAG; front-end client: SAP GUI 7.10, Web browser, Adobe Flash Player, SAP CR Adapter – SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports.)


Compliant Identity Management Example Customer Scenario

– Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
– Reduce risk through compliance checks and remediation
– Automate manual processes through integration

(Figure: an HR application event (new hire, change position) leads Identity Management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; users are created and roles/privileges assigned across a heterogeneous landscape.)

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure: the SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, aggregation and normalization of logs from SAP NetWeaver, non-SAP NetWeaver systems, desktop and mobile frontends, infrastructure, database and network; it receives attack pattern updates from SAP and alerts from SAP SolMan, and offers an IDS API to other SIEM tools and an information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.


Summary – Key Take-Away

– SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
– Significant investments into security for networked solutions, identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
– The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
– SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.


Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complementary with your SAP TechEd registration
– http://saptechedhandson.sap.com

SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
– View content only available online
– http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 42: SIS100 - Overview About Product Security, IDM and SSO


UI Logging Log Record Example I

Transaction BP (Business Partner) Log Record


UI Logging Log Record Example II

Transaction SE16 (Table Viewer) Log Record


Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution).

LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider.

The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 - Frequently asked questions on BW 7.0 and data protection


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00…7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00…7.31
Business Warehouse           | No                               | 7.00…7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit


Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite applications – SRM, SCM, ERP, PLM, CRM – on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library)

Digital signatures for legally binding contracts

Integration with Secure Store and Forward (SSF) API

Out of the box support for a set of SAP transactions

Consistent with SAP Single Sign-On mechanisms

Easy and flexible to implement

Generation of X.509 certificates and smart card support

PCI-DSS-compliant encryption


Digital Signatures – Step By Step

1. Transaction triggers digital signature

2. User information is transferred

3. User authenticates and digital certificate is received

4. Application digitally signs documents and stores data

(Diagram: steps 1–4 between the SAP client and the application)

Supported out-of-the-box for a set of SAP transactions

Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF

Integration of Secure Login Library with client actions

Hardware support needed


SNC Client Encryption

Secure network communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Compliance – Integrity – Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers included in SAP NetWeaver.


SNC Client and Server Encryption – Overview

Included in SAP NetWeaver license

Encryption between SAP client and application server

Based on SNC and Kerberos

No hybrid encryption available compared to SAP NetWeaver Single Sign-On

No single sign-on included

(Diagram: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connected via SNC to the SAP application server; SNC also between SAP application servers)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings


Protecting Your SAP Systems

(Diagram: SAP – secure software development; customers – secure software development, security services, security management)



SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle:

– We train developers on secure software development

– We plan and implement security using product standard requirements

– We use state of the art quality assurance methods

– We verify in quality gates that requirements are met

– We provide fixes via Product Security Response if vulnerabilities are identified

– We provide Active Global Support and consulting security services



SAP Security Services Overview (1/2)

SAP Security Patch Day: SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services:

SAP Solution Manager System Recommendations

SAP EarlyWatch Alert (EWA) with security section

SAP Solution Manager Configuration Validation

SAP Security Optimization Service (SOS)

SAP security consulting services


SAP Security Services Overview (2/2)

SAP Security Training:

Secure operation trainings by SAP

Secure development trainings by partners

SAP Security Documentation:

Security notes published on Service Marketplace

SAP security guides for every product

SAP security recommendations on some patch days

Secure programming guides

RunSAP end-to-end solution operations

Books published by SAP Press



SAP Security Management for Your Systems

Are you ready?

Do you have management support for SAP security?

Do you have defined responsibilities for SAP security?

Do you have a security contact maintained in SMP?

Do you have standards and guidelines for SAP security?

Do you have know-how in security operations?

Do you have know-how in secure development?

Do you have know-how in authorizations and SoD?

Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management


Secure System Configuration SAP NetWeaver AS ABAP

Network filtering

SAP GUI for Windows

Limit Web-Enabled Content

SAP Gateway and SAP Message Server Security

Secure Network Communication (SNC) and HTTPS

ABAP RFC Connectivity

Password Management: Password Policy, Password Hashes, Default Passwords

Secure Session Handling

(Topics from the security recommendations, discussed later)


Patch Management and Security Monitoring

Check security of your systems as onsite, remote or self service via SAP Solution Manager

Verify release information and configuration parameters against targets for all systems connected to Solution Manager

Evaluate SAP security notes every patch day

Most important notes which can be automatically applied are checked and the result is presented

Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

Easy-to-use, light-weight tool – short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:

– each task available in two flavors – one for ABAP, one for Java application servers

– SSL Validation: validates configuration settings (such as SAP Cryptographic library installation) for enabling SSL (HTTPS)

– SSL Profile Validation: validates parameter settings for secure sessions

– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674



Secure Custom Development – Secure Design

Secure design:

Authentication and identity propagation

Secure session handling

Communication protocols

Authorization concept

Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: Design review, architectural risk analysis


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:

Cross-site scripting (XSS)

Cross-site request forgery (XSRF)

SQL injection

Directory traversal

ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: Source code scanning – automate it
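Two of the bug classes listed above, directory traversal and SQL injection, shown as a vulnerable function beside its hardened form. This is an added example, not code from the SIS100 deck or from SAP, and it is written in Python rather than ABAP so that it runs stand-alone; the attachment directory, the customer rows and the attacker-style inputs are constructed for the demonstration. The hardened variants use the same two ideas the secure programming guides rely on: canonicalize a path and check it against an allowed root, and pass user input to the database as a bound parameter rather than as statement text.

```python
"""Added example, not code from the SIS100 deck or from SAP: two of the bug
classes listed above (directory traversal, SQL injection), each in a vulnerable
form beside a hardened form. Written in Python rather than ABAP; the file names,
table rows and attacker-style inputs are constructed for the demonstration."""
import os
import sqlite3
import tempfile


# --- Directory traversal -------------------------------------------------

def read_attachment_vulnerable(base_dir, name):
    # Vulnerable: the caller-supplied name is joined without any check, so a
    # name containing "../" reaches files outside base_dir.
    with open(os.path.join(base_dir, name), "rb") as fh:
        return fh.read()


def read_attachment_hardened(base_dir, name):
    # Hardened: resolve the final path (symlinks and ".." included) and require
    # that it still lies inside the attachment directory.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the attachment directory: %r" % name)
    with open(target, "rb") as fh:
        return fh.read()


def demo_traversal():
    """Builds a constructed directory layout and runs both readers against it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "attachments")
    os.makedirs(base)
    with open(os.path.join(base, "report.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:  # outside base
        fh.write(b"not for download")
    escaping_name = "../secret.txt"
    leaked = read_attachment_vulnerable(base, escaping_name)
    try:
        read_attachment_hardened(base, escaping_name)
        blocked = False
    except PermissionError:
        blocked = True
    legitimate = read_attachment_hardened(base, "report.txt")
    return {"leaked": leaked, "blocked": blocked, "legitimate": legitimate}


# --- SQL injection -------------------------------------------------------

def customer_db():
    """In-memory table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER, name TEXT, country TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Alpha GmbH", "DE"), (2, "Beta Ltd", "UK"), (3, "Gamma SA", "FR")])
    return con


def customers_by_country_vulnerable(con, country):
    # Vulnerable: user input is concatenated into the WHERE clause, the Python
    # counterpart of an ABAP dynamic WHERE condition built from screen input.
    sql = "SELECT name FROM customers WHERE country = '" + country + "'"
    return [row[0] for row in con.execute(sql)]


def customers_by_country_hardened(con, country):
    # Hardened: the value travels as a bound parameter and can never alter the
    # statement structure, whatever characters it contains.
    sql = "SELECT name FROM customers WHERE country = ?"
    return [row[0] for row in con.execute(sql, (country,))]


if __name__ == "__main__":
    print(demo_traversal())
    db = customer_db()
    print(customers_by_country_vulnerable(db, "DE' OR '1'='1"))  # every row leaks
    print(customers_by_country_hardened(db, "DE' OR '1'='1"))    # no match
```

A source code scanner of the kind the slide recommends flags exactly the two vulnerable functions: a file path and a SQL statement that are built from an untrusted value without passing through a validation or binding step in between.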


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

ABAP Test Cockpit (ATC): Central place for all check tools, exemption handling, result storage

Code Inspector (SCI): Open framework for customers, partners and SAP to develop code related checks

Extended Program Check (SLIN): Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis: Code checks for security vulnerabilities. Main focus of the tool is to analyze the data flow and the user input.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security.

Neither DAST nor SAST is a guarantee to find all security issues in an application.

Manual Source Code Review – Automated Source Code Analysis – Automated Application Vulnerability Scanning – Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities analyzing the sources.


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Manual Source Code Review – Automated Source Code Analysis – Automated Application Vulnerability Scanning – Manual Application Penetration Testing

DAST: Find vulnerabilities in the running application

SAST: Find vulnerabilities analyzing the sources

SAP NetWeaver Application Server add-on for code vulnerability analysis

Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)

Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications

– Sent out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support, send an email to secure@sap.com

– Please use PGP for email encryption

– Public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:

spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0

The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance.

Booking code: P_ADM_SEC_70

Topic                                    | Course ID
Authorizations AS ABAP                   | ADM940
Authorizations AS Java / Portal          | ADM200, EP200, ADM800
Authorizations BW                        | BW365
SAP NetWeaver Identity Management        | ADM920
Security Auditing                        | ADM950
Technical Security (RFC, SSL, SNC, …)    | ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)

EAL 4 is the highest internationally accepted level

EAL 1: Functionally tested

EAL 2: Structurally tested

EAL 3: Methodically tested and checked

EAL 4: Methodically designed, tested and reviewed

EAL 5: Semi-formally designed and tested

EAL 6: Semi-formally verified, designed and tested

EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:

SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On, Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

Compliance and Governance: SAP GRC Access Control

Identity Management: SAP NetWeaver Identity Management

Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On


Compliant Identity Management and Single Sign-On

Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store

Advanced SNC encryption: Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods: Smart cards, Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:

User and role management

Provisioning to SAP systems and non-SAP

Identity Center, Virtual Directory Server, Identity Services

Integration with SAP GRC Access Control

Identity federation

SAP NetWeaver Single Sign-On:

Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)

Digital signatures, re-authentication

Advanced encryption of SAP GUI for Windows communication

Strong authentication (Radius, smart cards)

RSA Certification

Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for Crypto Library

SNC Client Encryption:

Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Identity Management and Single Sign-On: SAP NetWeaver


SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On:

Web Access Management (Partner API): Endorsed Business Solution (EBS) with CA SiteMinder product. Policy-based authentication and authorization to Web applications. XACML-based and policy-enforced access.

Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0. Cross-company/domain single sign-on.

Secure Login: Single sign-on for Web-based and Web service-based applications. Standard-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.

Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet). Secured and automated login via user and password.

SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.


EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook, Google, etc.)

Cross-application and cross-domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User-to-application security for a heterogeneous app environment

No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

(Diagram: after primary authentication of user jack_jones, the E-SSO monitor handles the logons to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; configuration via a local management console)


Secure Login – Solution Architecture

(Diagram)

Client system: SAP Frontend (NWBC, SAP GUI) with Secure Login Client; Web Browser with SLWC (Applet) and Key Store; SAP or Java Crypto Library

Backend systems: SAP Backend System (ABAP Stack) with Secure Login Library and PSE Service

NetWeaver CE 7.2 (Java Stack): Secure Login Server with Config Data

Authentication Server (e.g. SAP User Management)

Protocols: DIAG/SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

Different companies, one business process, separated IT infrastructure

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM and further systems, plus cloud)


Identity Federation – Solution

(Diagram: Company A / Datacenter A and Company B / Datacenter B, each with ERP, CRM and SCM acting as Service Providers (SP) and with its own Identity Provider, linked by identity federation)

Each company maintains only its own identities

A company can trust the identities of another organization

Employees of company A can get access to shared information of company B

SAP Business Suite will be enabled for SAML (Service Provider)

Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

(Diagram: SAP NetWeaver Java Identity Provider with user account; Service Providers with their own user accounts on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP; log on / log off and SAML token exchanged between them)

Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)

Web users trying to access a system will be redirected to the Identity Provider

Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication

Web browser-based single sign-on is user-centric
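The redirect-then-assert exchange described above, simulated end to end with one Identity Provider and two Service Providers. This is an added example, not code from the SIS100 deck or from SAP NetWeaver Single Sign-On: the assertion is a JSON document protected by an HMAC over a key shared between IdP and SP, standing in for the XML-Signature and X.509 certificate that real SAML 2.0 uses, and the entity IDs, the user store, the password and the key are constructed. Besides the happy path (one logon at the IdP, then access to both SPs without re-authentication) it shows the checks a Service Provider must perform before trusting a token: signature, issuer, audience, validity window and replay.

```python
"""Added example, not code from the SIS100 deck or from SAP NetWeaver Single
Sign-On: a minimal simulation of the web-browser single sign-on flow above,
with one Identity Provider and two Service Providers. The assertion is a JSON
document protected with a key shared between IdP and SP (an HMAC stands in for
the XML-Signature and X.509 certificate of real SAML 2.0). Entity IDs, the
user store, the password and the key are constructed."""
import hashlib
import hmac
import json
import secrets
import time


class Browser:
    def __init__(self):
        self.cookies = {}          # one cookie per site, keyed by entity ID


class IdentityProvider:
    def __init__(self, entity_id, users, key):
        self.entity_id = entity_id
        self.users = users         # user name -> sha256 hex of the password (constructed store)
        self.key = key

    def authenticate(self, browser, user, password):
        stored = self.users.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return False
        browser.cookies[self.entity_id] = user      # IdP session: no re-authentication later
        return True

    def issue_assertion(self, browser, audience):
        user = browser.cookies.get(self.entity_id)
        if user is None:
            return None                              # browser must log on at the IdP first
        body = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                "audience": audience, "not_on_or_after": time.time() + 300}
        payload = json.dumps(body, sort_keys=True)
        return {"payload": payload, "sig": hmac.new(self.key, payload.encode(), "sha256").hexdigest()}


class ServiceProvider:
    def __init__(self, entity_id, trusted_idp, key):
        self.entity_id, self.trusted_idp, self.key = entity_id, trusted_idp, key
        self.sessions = {}         # SP session cookie -> user
        self.seen_ids = set()      # assertion IDs already consumed (replay defence)

    def access(self, browser, path):
        """Local session present: serve. Otherwise redirect the browser to the IdP."""
        user = self.sessions.get(browser.cookies.get(self.entity_id))
        if user:
            return ("ok", user)
        return ("redirect", "%s/sso?sp=%s&RelayState=%s" % (self.trusted_idp, self.entity_id, path))

    def consume(self, browser, token):
        """Validate an assertion: signature, issuer, audience, validity window, replay."""
        expected = hmac.new(self.key, token["payload"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return ("reject", "signature")
        a = json.loads(token["payload"])
        if a["issuer"] != self.trusted_idp:
            return ("reject", "issuer")
        if a["audience"] != self.entity_id:
            return ("reject", "audience")
        if a["not_on_or_after"] <= time.time():
            return ("reject", "expired")
        if a["id"] in self.seen_ids:
            return ("reject", "replay")
        self.seen_ids.add(a["id"])
        cookie = secrets.token_hex(8)
        browser.cookies[self.entity_id] = cookie
        self.sessions[cookie] = a["subject"]
        return ("ok", a["subject"])


def run_sso_scenario():
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example.test",
                           {"jack_jones": hashlib.sha256(b"Secret123").hexdigest()}, key)
    erp = ServiceProvider("https://erp.example.test", idp.entity_id, key)
    crm = ServiceProvider("https://crm.example.test", idp.entity_id, key)
    b = Browser()
    r = {}
    r["first_access"] = erp.access(b, "/orders")[0]            # no session yet: redirect
    r["logon"] = idp.authenticate(b, "jack_jones", "Secret123")
    token = idp.issue_assertion(b, erp.entity_id)
    r["erp"] = erp.consume(b, token)                           # SP session established
    r["erp_again"] = erp.access(b, "/orders")
    # Second SP: the IdP session already exists, so no password prompt is needed
    r["crm"] = crm.consume(b, idp.issue_assertion(b, crm.entity_id))
    # The checks a Service Provider must not skip
    r["replay"] = erp.consume(b, token)
    r["wrong_audience"] = crm.consume(b, idp.issue_assertion(b, erp.entity_id))
    tampered = dict(token, payload=token["payload"].replace("jack_jones", "admin"))
    r["tampered"] = erp.consume(b, tampered)
    return r


if __name__ == "__main__":
    for step, outcome in run_sso_scenario().items():
        print(step, outcome)
```

The audience check is what keeps a token minted for the ERP system from being presented to the CRM system, and the consumed-ID set is what makes a captured token single-use; both are cheap, and a Service Provider that omits either turns the single sign-on into a single point of compromise.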

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)

Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)

Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)

Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)

Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management

(Diagram: e.g. on-boarding – an HR event flows into SAP NetWeaver Identity Management with its Central Identity Store, is checked by SAP Access Control (GRC) and provisioned to SAP Business Suite and other systems)

Password management

Provisioning to SAP and non-SAP systems

Identity management monitoring & audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control (GRC): Compliance checks through GRC

SAP Business Suite Integration


Architecture of SAP NetWeaver Identity Management 7.2

(Diagram)

Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; runtimes (Java and VB), DSE (VB), dispatcher and event agent; AS Java with Web Dynpro user interface and ID Mgmt UI abstraction (JMX); MMC Management Console (soon to be Eclipse)

Virtual Directory Server (VDS) on AS Java / Java VM, accessed via LDAP and HTTPS

External repositories: LDAP, Java, ABAP, Web services, Active Directory, etc. (via DB protocol, LDAP, web services)

External applications: SAP HR, LDAP/Web services, SiteMinder, app-specific, etc.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

(Diagram: User, SAP NetWeaver Identity Management, Approver, SAP GRC Access Control and Compliance Team, with the numbered steps below)

1. Request for: role, privileges, user account, …

2. Request sent for approval to: manager, delegate, role owner, application owner, …

3. Approval granted from: manager, delegate, role owner, application owner, …

4. Send for risk analysis to: manager, delegate, role owner, application owner, …

5. Risk analysis and remediation: reject, approve, mitigate, modify request, …

6. Provision to: business applications, non-SAP systems, … and send approval mail to user

Result: Compliant Identity Management
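The six-step request flow above, walked through as a small state machine with the segregation-of-duties check in step 4 and the four remediation outcomes of step 5. This is an added example, not code from the SIS100 deck, from SAP NetWeaver Identity Management or from SAP GRC Access Control: the SoD rule, role names, target systems and approver names are constructed, and a real deployment evaluates the GRC rule set against the user's actual authorizations rather than a one-entry dictionary.

```python
"""Added example, not code from the SIS100 deck or from SAP NetWeaver Identity
Management / SAP GRC Access Control: the six-step flow above as a small state
machine. The SoD rule, role names, target systems and approver names are
constructed; a real deployment evaluates the GRC rule set against the actual
authorizations of the user."""

# Constructed segregation-of-duties rule set: role pairs one user must not hold together.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter and release own invoices",
}


def sod_violations(existing_roles, requested_roles):
    """Step 4 logic: risks in the union of what the user has and what is requested."""
    combined = set(existing_roles) | set(requested_roles)
    return {pair: desc for pair, desc in SOD_RULES.items() if pair <= combined}


def process_request(user, requested_roles, existing_roles, approver,
                    approver_decision, remediation, targets, mailbox):
    """Walks one access request through steps 1-6 and returns it with its audit trail."""
    req = {"user": user, "roles": set(requested_roles), "state": "requested",
           "trail": [], "mitigations": {}, "provisioned": {}}
    req["trail"].append("1 request for roles: " + ", ".join(sorted(req["roles"])))
    req["trail"].append("2 sent for approval to " + approver)
    if approver_decision != "approve":                                  # step 3
        req["state"] = "rejected"
        req["trail"].append("3 rejected by " + approver)
        return req
    req["trail"].append("3 approved by " + approver)
    violations = sod_violations(existing_roles, req["roles"])           # step 4
    req["trail"].append("4 risk analysis: %d SoD risk(s)" % len(violations))
    if violations:                                                      # step 5
        action, control = remediation
        if action == "reject":
            req["state"] = "rejected"
            req["trail"].append("5 rejected by compliance team")
            return req
        elif action == "approve":
            req["trail"].append("5 risk accepted by compliance team")
        elif action == "mitigate":
            req["mitigations"] = {desc: control for desc in violations.values()}
            req["trail"].append("5 mitigated with control: " + control)
        elif action == "modify":
            dropped = req["roles"] & set().union(*violations)           # conflicting requested roles
            req["roles"] -= dropped
            req["trail"].append("5 request modified, dropped: " + ", ".join(sorted(dropped)))
        else:
            raise ValueError("unknown remediation: " + action)
    req["provisioned"] = {system: sorted(req["roles"]) for system in targets}   # step 6
    req["trail"].append("6 provisioned to " + ", ".join(targets))
    mailbox.append("to %s: your access request has been processed" % user)
    req["state"] = "provisioned"
    return req


def demo():
    """Three constructed requests: clean, conflicting but mitigated, conflicting and modified."""
    mailbox = []
    targets = ["ERP", "CRM", "LDAP directory"]
    clean = process_request("maria_k", {"DISPLAY_ONLY"}, set(), "line manager",
                            "approve", ("approve", None), targets, mailbox)
    mitigated = process_request("jack_jones", {"AP_PAYMENT_RELEASE"}, {"AP_INVOICE_ENTRY"},
                                "role owner", "approve",
                                ("mitigate", "four-eyes review of payments"), targets, mailbox)
    modified = process_request("jack_jones", {"AP_PAYMENT_RELEASE", "DISPLAY_ONLY"},
                               {"AP_INVOICE_ENTRY"}, "role owner", "approve",
                               ("modify", None), targets, mailbox)
    return {"clean": clean, "mitigated": mitigated, "modified": modified, "mail": mailbox}


if __name__ == "__main__":
    for name, req in demo().items():
        print(name, req)
```

The point of running the risk analysis on the union of existing and requested roles (rather than on the request alone) is that a conflict is usually created by the second role, not the first; the "mitigate" path records which compensating control was attached so that the periodic access review can later verify it is still in place.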


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:

Centralized user management – Centralized management of identity information across multiple data sources

Integration and synchronization of system authorization data – Manage user privileges centrally

Single Sign-On – Automates and simplifies integration with Enterprise SSO and Web SSO

Federated Identity – Simplifies integration with standard-supported Identity Federation

SAP GRC Access Control:

Access Risk Identification – Define and understand access risks

Access Analysis and Response – Analyze and mitigate access risks

Access Reviews – Periodic reviews of assignments, risk violations and controls

Centralized Compliant Role Repository – Define and manage compliant roles

Together: Compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

(Diagram)

SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A)

SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Controls (Plug-in GRCPIERP)

Non-SAP Business Applications: Adapter (optional)

SAP NW Portal 7.02: GRC Portal Content (optional)

SAP NW BW 7.02: GRC BI Content (optional)

Identity Management Solutions (SAP or non-SAP) (optional)

SAP NW JAVA 7.02: Adobe Document Services (optional)

SAP CR Adapter: SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports (optional)

Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player

Connections between the components: http, Web services, RFC, DIAG

Content Lifecycle Management (CLM)

SAP GRC 10.0


Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

(Flow: HR Application – New Hire / Change Position → Identity Management – Calculate Entitlements Based on Position → Line Manager – Approve Assignments? (Yes / No) → SAP GRC Access Control – Compliance Check, Remediation → Create User, Assign Privileges → Create User, Assign Roles in each system of the heterogeneous landscape)

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Diagram)

Inputs: Attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver; desktop frontend; mobile frontend; logs of infrastructure; logs of database; logs, network, IDS

SAP Attack Monitoring Infrastructure: Aggregation, Normalization, Connectivity, Filtering, Extraction

Outputs: API to other SIEM tools; alerts from SAP SolMan; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
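The aggregation, normalization, filtering and extraction stages of the draft above, run over a handful of constructed log lines from an SAP system and from a non-SAP host, with one attack pattern (repeated failed logons from one origin, optionally followed by a success) applied to the merged stream. This is an added example, not code from the SIS100 deck or from SAP: the line layouts are constructed for the demonstration and only loosely modelled on the SAP Security Audit Log (message IDs AU1 = logon successful, AU2 = logon failed) and on sshd syslog, they are not the real formats, and the host names, user names, terminals and IP addresses are made up. What it shows beyond the slide is why normalization comes first: once both sources speak the same event schema, one detection rule covers both of them.

```python
"""Added example, not code from the SIS100 deck or from SAP: the aggregation,
normalization, filtering and extraction stages of the draft above, run over
constructed log lines from an SAP system and from a non-SAP host, with one
attack pattern (repeated failed logons from one origin). The line layouts
below are constructed for the demo and only loosely modelled on the SAP
Security Audit Log (message IDs AU1 = logon successful, AU2 = logon failed)
and on sshd syslog; they are not the real formats."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAP_LOG = """\
20131105 091502 AU2 jack_jones WS-4711 Logon failed
20131105 091510 AU2 jack_jones WS-4711 Logon failed
20131105 091519 AU2 jack_jones WS-4711 Logon failed
20131105 091530 AU1 jack_jones WS-4711 Logon successful
20131105 093000 AU3 maria_k WS-0815 Transaction started: SE16
"""

HOST_LOG = """\
2013-11-05T09:14:58Z gw01 sshd: Failed password for admin from 10.0.0.5
2013-11-05T09:15:03Z gw01 sshd: Failed password for admin from 10.0.0.5
2013-11-05T09:15:09Z gw01 sshd: Failed password for admin from 10.0.0.5
2013-11-05T09:15:40Z gw01 sshd: Accepted password for admin from 10.0.0.5
2013-11-05T09:20:00Z gw01 cron: job backup finished
"""

SAP_RE = re.compile(r"(\d{8}) (\d{6}) (AU\d) (\S+) (\S+) (.*)")
HOST_RE = re.compile(r"(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")


def normalize_sap(line):
    """Normalization + filtering: keep only logon events, in the common schema."""
    m = SAP_RE.match(line)
    if not m or m.group(3) not in ("AU1", "AU2"):
        return None
    date, clock, msgid, user, terminal, _ = m.groups()
    return {"ts": datetime.strptime(date + clock, "%Y%m%d%H%M%S"), "source": "sap-prd",
            "user": user, "origin": terminal, "outcome": "success" if msgid == "AU1" else "failure"}


def normalize_host(line):
    m = HOST_RE.match(line)
    if not m:
        return None                        # cron and other lines are filtered out
    ts, host, result, user, ip = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": host,
            "user": user, "origin": ip, "outcome": "success" if result == "Accepted" else "failure"}


def aggregate(feeds):
    """Aggregation: merge every (text, normalizer) feed into one time-ordered event list."""
    events = [ev for text, parse in feeds for ev in map(parse, text.splitlines()) if ev]
    return sorted(events, key=lambda e: e["ts"])


def detect_password_guessing(events, threshold=3, window=timedelta(seconds=60),
                             follow=timedelta(minutes=5)):
    """Attack pattern: >= threshold failed logons from one origin inside the window;
    records whether a successful logon from the same origin followed shortly after."""
    by_origin = defaultdict(list)
    for e in events:
        by_origin[(e["source"], e["origin"])].append(e)
    alerts = []
    for (source, origin), evs in sorted(by_origin.items()):
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["ts"] - first["ts"] <= window:
                later_success = any(e["outcome"] == "success" and
                                    last["ts"] < e["ts"] <= last["ts"] + follow for e in evs)
                alerts.append({"pattern": "password_guessing", "source": source, "origin": origin,
                               "users": sorted({e["user"] for e in fails[i:i + threshold]}),
                               "first_failure": first["ts"].isoformat(),
                               "followed_by_success": later_success})
                break                      # one alert per origin per run
    return alerts


def extract_for_siem(alerts):
    """Extraction/connectivity: one JSON line per alert, as a SIEM API would ingest."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    found = detect_password_guessing(aggregate([(SAP_LOG, normalize_sap), (HOST_LOG, normalize_host)]))
    print(extract_for_siem(found))
```

The "followed_by_success" flag is the field an analyst looks at first: three failures followed by nothing is noise from a mistyped password, three failures followed by a success from the same terminal within minutes is the case worth a ticket, and the same rule produces that signal for the SAP terminal and for the SSH source address alike.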


Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes

Significant investments into security for networked solutions, identity management, SSO and integrated security management offering will allow customers to implement secure business processes

The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops: access hands-on workshops post-event; available January – March 2014; complimentary with your SAP TechEd registration; http://saptechedhandson.sap.com

SAP TechEd Online: access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more; view content only available online; http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

UI Logging – Log Record Example II

Transaction SE16 (Table Viewer) log record (screenshot)

Access Logging with Business Warehouse

SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution). LOPD was first available with the BW 7.0 release.

Within the solution you can configure the information to be logged per InfoProvider. The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query.

For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11

Channel                      Supported by Read Access Logging   UI Logging Solution
SAP GUI                      No                                 7.00 … 7.31
Web Dynpro ABAP              7.40 SP02                          On request
CRM Web Client UI            No                                 7.00 … 7.31
Business Warehouse           No                                 7.00 … 7.31, BW 7.0
Web Services                 7.40                               On request
SAP RFC                      7.40 SP02                          On request
Business Server Pages (BSP)  No                                 On request

Read Access Logging – Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recorded data contains information about individuals, it may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver uses the Secure Store and Forward (SSF) library, backed by SAPCRYPTOLIB or the Secure Login Library

– Digital signatures for legally binding contracts
– Integration with the Secure Store and Forward (SSF) API
– Out-of-the-box support for a set of SAP transactions
– Consistent with SAP Single Sign-On mechanisms
– Easy and flexible to implement
– Generation of X.509 certificates and smart card support
– PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. A transaction triggers the digital signature
2. User information is transferred to the SAP client
3. The user authenticates and the digital certificate is received
4. The application digitally signs the documents and stores the data

Supported out of the box for a set of SAP transactions

Programming/integration necessary in case of:
– ABAP programming for other transactions not yet supporting SSF
– Integration of the Secure Login Library with client actions

Hardware support needed

SNC Client Encryption

Secure Network Communications (SNC): a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel

Compliance, integrity, confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

– Included in the SAP NetWeaver license
– Encryption between SAP client and application server
– Based on SNC and Kerberos
– No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
– No single sign-on included

Diagram: SAP NetWeaver Business Client, SAP GUI for Windows, the RFC client and the Business Explorer Browser (BEx Browser) connect over SNC to the SAP application server (client encryption); SAP application servers connect to each other over SNC (server encryption)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

Overview diagram: secure software development at SAP and at customers, complemented by security services and security management

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

SAP Security Services Overview (1/2)

SAP Security Patch Day: SAP security notes on the second Tuesday of every month

SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners

SAP Security Documentation
– Security notes published on the Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press

SAP Security Management for Your Systems

Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and segregation of duties (SoD)?
– Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management

Secure System Configuration – SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
– Network filtering
– SAP GUI for Windows
– Limit web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling

Patch Management and Security Monitoring

– Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day; the most important notes that can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks

Easy-to-use, light-weight tool – short startup time, small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674
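"Verify configuration parameters against targets" is the core of Configuration Validation, and the LM Automation SSL validation task is a special case of it. The Python script below is an added example, not SAP's tooling: it parses a constructed instance profile excerpt (real AS ABAP profile parameter names, invented values), checks the password policy, password hash, default user, SNC, gateway and session parameters from the secure configuration topics above against a target table, and runs an SSL check that requires an HTTPS port on the ICM and the ssl/ssl_lib crypto library path. The target values are this example's own assumptions, not values quoted from an SAP document; adjust them to your security guideline.

```python
"""Configuration validation for an SAP NetWeaver AS ABAP instance profile: parse the
profile, compare each parameter with a target table and list the deviations, plus an
SSL check in the spirit of the LM Automation task. Added example; the profile excerpt
is constructed, the parameter names are real, the target values are this example's own."""

# Constructed instance profile excerpt with several weak settings.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
SAPSYSTEMNAME = NSP
login/min_password_lng = 6
login/password_downwards_compatibility = 3
login/fails_to_user_lock = 99
login/no_automatic_user_sapstar = 0
login/password_hash_algorithm = encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
ssl/ssl_lib = /usr/sap/NSP/SYS/exe/run/libsapcrypto.so
snc/enable = 0
gw/acl_mode = 0
rdisp/gui_auto_logout = 0
"""

# Target table: (parameter, rule, target, why). "min"/"max" compare numerically,
# "equals" compares the string. Thresholds are assumptions for this example.
TARGETS = [
    ("login/min_password_lng", "min", 8, "password policy: minimum length"),
    ("login/password_downwards_compatibility", "equals", "0", "password hashes: keep only the current hash format"),
    ("login/fails_to_user_lock", "max", 5, "password policy: lock after few failed logons"),
    ("login/no_automatic_user_sapstar", "equals", "1", "default passwords: no automatic SAP* with default password"),
    ("snc/enable", "equals", "1", "SNC: accept SNC-protected SAP GUI/RFC connections"),
    ("gw/acl_mode", "equals", "1", "gateway: secure default ACL behaviour for sec_info/reg_info"),
    ("rdisp/gui_auto_logout", "min", 1, "session handling: terminate idle SAP GUI sessions"),
]


def parse_profile(text):
    """'name = value' lines; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def check_param(params, param, rule, target):
    """Return a problem description for one parameter, or None if it meets the target."""
    value = params.get(param)
    if value is None:
        return "not set (kernel default applies)"
    if rule in ("min", "max"):
        try:
            number = int(value)
        except ValueError:
            return f"non-numeric value {value!r}"
        if rule == "min" and number < target:
            return f"{number} < {target}"
        if rule == "max" and number > target:
            return f"{number} > {target}"
    elif rule == "equals" and value != target:
        return f"{value!r} != {target!r}"
    return None


def check_https(params):
    """SSL validation: an HTTPS port must be configured on the ICM and the SAP
    Cryptographic Library path (ssl/ssl_lib) must be set."""
    findings = []
    https_ports = [v for k, v in params.items()
                   if k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()]
    if not https_ports:
        findings.append(("icm/server_port_*", "no HTTPS port configured", "HTTPS"))
    if not params.get("ssl/ssl_lib"):
        findings.append(("ssl/ssl_lib", "crypto library path not set", "HTTPS"))
    return findings


def validate(params, targets=TARGETS):
    """All deviations as (parameter, problem, why) tuples, in target-table order."""
    findings = []
    for param, rule, target, why in targets:
        problem = check_param(params, param, rule, target)
        if problem:
            findings.append((param, problem, why))
    return findings + check_https(params)


if __name__ == "__main__":
    for param, problem, why in validate(parse_profile(SAMPLE_PROFILE)):
        print(f"{param:42} {problem:30} {why}")
```

Run against many systems, the same target table is what Configuration Validation in Solution Manager applies centrally; the script deliberately reports a parameter that is absent from the profile as a finding, because the kernel default then decides the behaviour and the default changes between releases.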


Secure Custom Development – Secure Design

Secure design: authentication and identity propagation; secure session handling; communication protocols; authorization concept; logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs: cross-site scripting (XSS), cross-site request forgery (XSRF), SQL injection, directory traversal, ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494)

– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Techniques, from source-centric to runtime-centric: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing

SAST finds vulnerabilities by analyzing the sources; DAST finds vulnerabilities in the running application

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

The SAP NetWeaver Application Server add-on for code vulnerability analysis covers automated source code analysis (SAST). Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
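The slides describe the code vulnerability analysis add-on as a tool whose focus is the data flow from user input, and list SQL injection, directory traversal and ABAP code injection among the bugs to avoid. To make that concrete, the following Python program is an added example, not SAP's CVA, ATC or SCI: a line-based taint scanner over a constructed ABAP report that tracks PARAMETERS input through assignments, CONCATENATE and APPEND into dynamic WHERE clauses, OPEN DATASET and GENERATE SUBROUTINE POOL, and treats a call to cl_abap_dyn_prg (the real SAP class for quoting, escaping and whitelisting dynamic input) as a sanitizer. The ABAP sample is constructed, and the analysis is intentionally simplified: one statement per line, no control flow, no inter-procedural tracking, and a sanitizer call clears the whole right-hand side of the assignment.

```python
"""A deliberately small static taint scanner for ABAP, modelled on what a code
vulnerability analysis does: follow user input through the data flow to dangerous
sinks. Added example, not SAP's CVA, ATC or SCI; the ABAP sample is constructed and
the analysis is line-based, intra-program and over-approximate."""
import re

# Constructed ABAP report with one SQL injection, one directory traversal, one
# code injection and one correctly sanitized dynamic WHERE clause.
SAMPLE_ABAP = """\
REPORT z_cva_demo.
PARAMETERS p_name TYPE string.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
DATA lt_code TYPE TABLE OF string.
lv_where = |name = '{ p_name }'|.
SELECT * FROM zcustomers INTO TABLE @DATA(lt_raw) WHERE (lv_where).
lv_safe = |name = { cl_abap_dyn_prg=>quote( p_name ) }|.
SELECT * FROM zcustomers INTO TABLE @DATA(lt_ok) WHERE (lv_safe).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
APPEND |WRITE '{ p_name }'.| TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
"""

# Where user input enters, how it propagates, what neutralizes it, where it is dangerous.
SOURCES = [re.compile(p, re.I) for p in (
    r"^PARAMETERS:?\s+(\w+)", r"^SELECT-OPTIONS:?\s+(\w+)",
    r"^GET PARAMETER ID .*\bFIELD\s+(\w+)")]
ASSIGN = re.compile(r"^(?:DATA\((\w+)\)|(\w+))\s*=\s*(.*)\.$", re.I)
CONCAT = re.compile(r"^CONCATENATE\s+(.*)\s+INTO\s+(\w+)", re.I)
APPEND = re.compile(r"^APPEND\s+(.*)\s+TO\s+(\w+)\.$", re.I)
# cl_abap_dyn_prg is the real SAP class for this purpose (quote, escape_quotes, check_* methods)
SANITIZER = re.compile(r"cl_abap_dyn_prg=>(?:escape_quotes|quote|check_\w+)\(", re.I)
SINKS = [(re.compile(p, re.I), kind) for p, kind in (
    (r"\bWHERE\s*\((\w+)\)", "SQL injection"),
    (r"\bFROM\s*\((\w+)\)", "SQL injection"),
    (r"^OPEN DATASET\s+(\w+)", "directory traversal"),
    (r"^GENERATE SUBROUTINE POOL\s+(\w+)", "ABAP code injection"),
    (r"^INSERT REPORT\s+(\w+)", "ABAP code injection"))]


def words(expr):
    return {w.lower() for w in re.findall(r"\b\w+\b", expr)}


def scan(source):
    """Return findings as (line number, vulnerability class, sink variable)."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        # 1. sinks: a tainted variable reaching a dangerous statement is a finding
        for sink, kind in SINKS:
            m = sink.search(line)
            if m and m.group(1).lower() in tainted:
                findings.append((lineno, kind, m.group(1).lower()))
        # 2. sources: user input enters the program
        for src in SOURCES:
            m = src.match(line)
            if m:
                tainted.add(m.group(1).lower())
        # 3. propagation: taint flows through assignments unless a sanitizer is applied
        target, rhs = None, ""
        m = ASSIGN.match(line)
        if m:
            target, rhs = (m.group(1) or m.group(2)), m.group(3)
        else:
            m = CONCAT.match(line) or APPEND.match(line)
            if m:
                rhs, target = m.group(1), m.group(2)
        if target:
            target = target.lower()
            if SANITIZER.search(rhs):
                tainted.discard(target)   # simplification: the whole rhs counts as sanitized
            elif words(rhs) & tainted:
                tainted.add(target)
            else:
                tainted.discard(target)   # overwritten with clean data
    return findings


if __name__ == "__main__":
    for lineno, kind, var in scan(SAMPLE_ABAP):
        print(f"line {lineno}: {kind} via {var}")
```

The three findings on the sample (line 8, 11 and 13) are exactly the places where a fix belongs: quote the value with cl_abap_dyn_prg before building the WHERE clause, validate the file name against an allowlist before OPEN DATASET, and never let user input reach generated code. The scanner stays quiet on line 10 because lv_safe was built through the sanitizer, which is the data-flow reasoning a real tool does more thoroughly across procedures and branches.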

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in the SAP Service Marketplace, who gets ad-hoc SAP Product Security Notifications (sent out for very important security-related news)

Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an email to secure@sap.com; please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for Spotlight News; check the security notes released on the Security Patch Days; subscribe to the SAP Support Portal newsletter; maintain a security contact in your organization.

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0 (booking code P_ADM_SEC_70). The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java, Portal          ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification

Common Criteria for Information Technology Security Evaluation (ISO 15408)
– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
– EAL 4 is the highest level that is mutually recognized internationally

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified design and tested
EAL 7  Formally verified design and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, New Zealand, the Netherlands, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations

Certified products:
– SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
– Compliance and governance: SAP GRC Access Control
– Identity management: SAP NetWeaver Identity Management
– Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
– SAP GUI for Windows, SAP GUI for Java, web applications
– Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
– Advanced SNC encryption: strong encryption of communication
– Enterprise Single Sign-On for legacy systems
– Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP and non-SAP systems
– Identity Center, Virtual Directory Server, Identity Services
– Integration with SAP GRC Access Control
– Identity federation

SAP NetWeaver Single Sign-On
– Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
– Digital signatures, re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption
– Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner solution, integrated via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access

Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on

Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous app environment
– No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment

What is Enterprise Single Sign-On?

Diagram: after a primary authentication (user jack_jones), the E-SSO monitor, administered via a local management console, fills in the credentials for terminal emulators, web forms, web basic authentication, Windows applications and Java applications

Secure Login – Solution Architecture

Diagram: on the client system, the SAP frontend (NWBC, SAP GUI) uses the Secure Login Client, and the web browser uses the Secure Login Web Client (SLWC, an applet) with a browser key store. The SAP backend system runs the Secure Login Library on the ABAP stack (SAP or Java crypto library, PSE service) and the Secure Login Server on NetWeaver CE 7.2 (Java stack), which holds the configuration data and talks to an authentication server (e.g. SAP user management). Protocols: DIAG over SNC, HTTP(S).

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure: Company A (Datacenter A with ERP, CRM, SCM) and Company B (Datacenter B with ERP, CRM, SCM), plus cloud systems, share one business process

Identity Federation – Solution

Diagram: each company runs an Identity Provider in its own datacenter; ERP, CRM and SCM in Datacenter A and Datacenter B act as Service Providers (SP), and the two Identity Providers are linked by identity federation

– Each company maintains only its own identities
– A company can trust the identities of another organization
– Employees of company A can get access to shared information of company B
– SAP Business Suite will be enabled for SAML (Service Provider)
– Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: an Identity Provider on SAP NetWeaver Java with its user accounts issues SAML tokens (log on / log off) to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user accounts

– The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
– Web users trying to access a system will be redirected to the Identity Provider
– Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
– Web browser-based single sign-on is user-centric
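The redirect-to-IdP, token-issue, access-without-re-authentication flow above and the Identity Provider / Service Provider roles of the federation solution leave out what a service provider must check before it trusts an assertion from another organization's identity provider. The following Python program is an added example, not SAP's identity provider or service provider implementation: a constructed IdP issues a SAML 2.0 assertion with Issuer, Subject, SubjectConfirmationData, Conditions and AudienceRestriction; the SP verifies the signature, the issuer, the validity window with clock skew, the audience, the recipient and the InResponseTo binding to a request it actually issued, which is consumed once so a replayed assertion is rejected. Entity IDs, URLs, the key and the fixed demo clock are constructed, and an HMAC over the assertion bytes stands in for the XML Signature that real SAML assertions carry.

```python
"""Web browser-based single sign-on with SAML 2.0, reduced to the checks a service
provider (SP) performs on the assertion it receives from the identity provider (IdP).
Added example; entity IDs, URLs and the key are constructed, and the keyed hash used
as 'signature' stands in for the XML Signature that real SAML assertions carry."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML = "{%s}" % NS["saml"]
ET.register_namespace("saml", NS["saml"])
IDP_ID = "https://idp.example.com/saml2/idp"        # constructed identity provider entity ID
SP_ID = "https://erp.example.com/saml2/sp"          # constructed service provider entity ID
ACS_URL = "https://erp.example.com/saml2/acs"       # constructed assertion consumer service URL
SHARED_KEY = b"constructed-demo-key"                 # stand-in for the IdP signing key
DEMO_NOW = datetime(2013, 10, 22, 10, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def demo_time(offset_seconds=0):
    return DEMO_NOW + timedelta(seconds=offset_seconds)


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def idp_issue_assertion(user, in_response_to, now, key=SHARED_KEY, issuer=IDP_ID,
                        audience=SP_ID, recipient=ACS_URL, lifetime=timedelta(minutes=5)):
    """What the IdP returns after authenticating the user: assertion bytes and signature."""
    a = ET.Element(SAML + "Assertion", ID="_" + secrets.token_hex(16), Version="2.0",
                   IssueInstant=iso(now))
    ET.SubElement(a, SAML + "Issuer").text = issuer
    subject = ET.SubElement(a, SAML + "Subject")
    ET.SubElement(subject, SAML + "NameID").text = user
    conf = ET.SubElement(subject, SAML + "SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, SAML + "SubjectConfirmationData", InResponseTo=in_response_to,
                  Recipient=recipient, NotOnOrAfter=iso(now + lifetime))
    cond = ET.SubElement(a, SAML + "Conditions", NotBefore=iso(now),
                         NotOnOrAfter=iso(now + lifetime))
    ET.SubElement(ET.SubElement(cond, SAML + "AudienceRestriction"), SAML + "Audience").text = audience
    ET.SubElement(a, SAML + "AuthnStatement", AuthnInstant=iso(now))
    xml_bytes = ET.tostring(a)
    return xml_bytes, hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, entity_id, acs_url, trusted_idp, idp_key, clock_skew=timedelta(seconds=30)):
        self.entity_id, self.acs_url, self.trusted_idp = entity_id, acs_url, trusted_idp
        self.idp_key, self.skew = idp_key, clock_skew
        self.outstanding = set()   # AuthnRequest IDs issued by this SP and not yet consumed

    def create_authn_request(self):
        """Step 1: the browser is redirected to the IdP with a request carrying this ID."""
        request_id = "_" + secrets.token_hex(16)
        self.outstanding.add(request_id)
        return request_id

    def consume(self, xml_bytes, signature, now):
        """Step 2: validate the assertion the browser posts back; returns the NameID."""
        expected = hmac.new(self.idp_key, xml_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")                       # tampered or not from the IdP
        root = ET.fromstring(xml_bytes)
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_idp:
            raise ValueError("untrusted issuer")
        cond = root.find("saml:Conditions", NS)
        if (now + self.skew < parse_ts(cond.get("NotBefore"))
                or now - self.skew >= parse_ts(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion not valid at this time")
        audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("assertion not addressed to this SP")  # meant for another SP
        data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if data.get("Recipient") != self.acs_url:
            raise ValueError("wrong recipient")
        if data.get("InResponseTo") not in self.outstanding:
            raise ValueError("unsolicited or replayed assertion")
        self.outstanding.discard(data.get("InResponseTo"))         # a request is consumed once
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def try_consume(sp, xml_bytes, signature, now):
    """'OK:<user>' or 'ERR:<reason>' instead of an exception, for scripting and tests."""
    try:
        return "OK:" + sp.consume(xml_bytes, signature, now)
    except ValueError as err:
        return "ERR:" + str(err)


if __name__ == "__main__":
    sp = ServiceProvider(SP_ID, ACS_URL, IDP_ID, SHARED_KEY)
    request_id = sp.create_authn_request()
    assertion, sig = idp_issue_assertion("jack_jones", request_id, demo_time())
    print(try_consume(sp, assertion, sig, demo_time(5)))    # OK:jack_jones
    print(try_consume(sp, assertion, sig, demo_time(6)))    # ERR:unsolicited or replayed assertion
```

The audience check is what keeps federation safe: an assertion the IdP issued for company B's CRM is rejected by company A's ERP even though the signature is valid. In a production SP the signature check is an XML-DSig verification against the IdP certificate from the exchanged metadata, not a shared key, and the checks run on the signed DOM rather than on raw bytes.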

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management (e.g. on-boarding)

– Password management
– Provisioning to SAP and non-SAP systems
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as a service
– Approval workflows
– Central identity store
– Compliance checks through SAP Access Control (GRC)
– SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram: the Identity Center database (MS SQL or Oracle; IBM DB2 soon) holds the identity data, stored procedures, logs and audit data. Around it run the Runtime (Java), the Runtime (VB), the DSE (VB), the Dispatcher and an Event Agent that starts jobs. AS Java hosts the Identity Services (IdS, reached over HTTPS) and the Web Dynpro identity management UI with a UI abstraction layer (JMX). The Virtual Directory Server (VDS) in a Java VM exposes external repositories (LDAP, Active Directory, SAP HR, SiteMinder and other external applications via LDAP, web services or app-specific connectors) over LDAP to AS Java and over the database protocol to the Identity Center. Administration uses the MMC Management Console, soon to be Eclipse-based.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap between Access Control and Identity Management Processes

Compliant Identity Management

Process between the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control:

1. The user requests a role, privileges, a user account, …
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, …
3. Approval is granted by the manager, delegate, role owner, application owner, …
4. The request is sent to SAP GRC Access Control for risk analysis
5. The compliance team performs the risk analysis and remediation: reject, approve, mitigate, modify the request, …
6. SAP NetWeaver Identity Management provisions to business applications, non-SAP systems, … and sends an approval mail to the user

Result: compliant identity management
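The six-step process above and the example customer scenario earlier in the deck (HR event, entitlements calculated from the position, line manager approval, compliance check and remediation in GRC Access Control, provisioning to the landscape) can be simulated end to end. The Python program below is an added example, not SAP NetWeaver Identity Management or SAP GRC Access Control code: constructed positions map to business roles, an approval callback stands in for the line manager, a constructed segregation-of-duties rule set supplies the risk analysis, and each violation is remediated by accepting it with a mitigating control, modifying the request, or rejecting it, before the remaining roles are provisioned as system-specific privileges. All positions, roles, rules, control IDs and system names are assumptions made for this example.

```python
"""Compliant identity management simulated end to end: an HR event drives the
calculation of entitlements from the position, line-manager approval, an SoD risk
analysis with remediation in the style of GRC Access Control, and provisioning to
the target systems. Added example; positions, roles, SoD rules, mitigating controls
and system names are all constructed."""
from dataclasses import dataclass, field

# Position -> business roles ("calculate entitlements based on position")
POSITION_ROLES = {
    "Accounts Payable Clerk": {"AP_INVOICE_ENTRY", "AP_VENDOR_MASTER"},
    "Accounts Payable Lead": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"},
    "Sales Rep": {"CRM_OPPORTUNITY"},
}
# Business role -> technical privileges per target system (the provisioning targets)
ROLE_PRIVILEGES = {
    "AP_INVOICE_ENTRY": {"ERP": ["Z_AP_INV"], "AD": ["GRP_Finance"]},
    "AP_VENDOR_MASTER": {"ERP": ["Z_AP_VENDOR"]},
    "AP_PAYMENT_RUN": {"ERP": ["Z_AP_PAY"], "AD": ["GRP_Treasury"]},
    "CRM_OPPORTUNITY": {"CRM": ["Z_CRM_OPP"], "AD": ["GRP_Sales"]},
}
# Segregation-of-duties rules: holding both roles of a conflict is an access risk
SOD_RULES = [
    {"id": "F001", "risk": "create a fictitious vendor and pay it",
     "conflict": {"AP_VENDOR_MASTER", "AP_PAYMENT_RUN"}},
    {"id": "F002", "risk": "enter an invoice and release its payment",
     "conflict": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"}},
]


@dataclass
class Identity:
    user_id: str
    position: str = ""
    roles: set = field(default_factory=set)


def calculate_entitlements(position):
    return set(POSITION_ROLES[position])


def risk_analysis(roles):
    """Compliance check: every SoD rule whose conflicting roles are all held."""
    return [rule for rule in SOD_RULES if rule["conflict"] <= set(roles)]


def remediate(current, requested, mitigations):
    """Resolve each violation: accept it when a mitigating control is assigned,
    otherwise modify the request by dropping a newly requested conflicting role,
    and reject if the conflict is already present in the roles the identity holds."""
    roles, decisions = set(current) | set(requested), []
    while True:
        handled = {d[0] for d in decisions}
        open_violations = [v for v in risk_analysis(roles) if v["id"] not in handled]
        if not open_violations:
            return roles, decisions
        violation = open_violations[0]
        if violation["id"] in mitigations:
            decisions.append((violation["id"], "mitigated", mitigations[violation["id"]]))
            continue
        removable = sorted(violation["conflict"] & (set(requested) - set(current)))
        if not removable:
            return set(), decisions + [(violation["id"], "rejected", None)]
        roles.discard(removable[-1])
        decisions.append((violation["id"], "modified", removable[-1]))


def provision(roles):
    """What the connectors push to each target system: {system: sorted privileges}."""
    targets = {}
    for role in roles:
        for system, privileges in ROLE_PRIVILEGES[role].items():
            targets.setdefault(system, set()).update(privileges)
    return {system: sorted(p) for system, p in sorted(targets.items())}


def process_hr_event(identity, event, approve, mitigations=None):
    """event is ('new_hire', position) or ('change_position', position);
    approve(user_id, new_roles) stands in for the line manager's decision.
    Roles of the previous position are kept on purpose, to show the mover case."""
    kind, position = event
    requested = calculate_entitlements(position)
    current = set() if kind == "new_hire" else set(identity.roles)
    if not approve(identity.user_id, sorted(requested - current)):
        return {"status": "not approved", "decisions": [], "provisioned": {}}
    roles, decisions = remediate(current, requested, mitigations or {})
    if not roles:
        return {"status": "rejected", "decisions": decisions, "provisioned": {}}
    identity.position, identity.roles = position, roles
    return {"status": "provisioned", "decisions": decisions, "provisioned": provision(roles)}


if __name__ == "__main__":
    ann = Identity("ANN")
    print(process_hr_event(ann, ("new_hire", "Accounts Payable Clerk"), lambda u, r: True))
    print(process_hr_event(ann, ("change_position", "Accounts Payable Lead"), lambda u, r: True))
    print(process_hr_event(ann, ("change_position", "Accounts Payable Lead"), lambda u, r: True,
                           {"F001": "CTRL-07", "F002": "CTRL-07"}))
```

The second call is the interesting one: the new position asks for AP_PAYMENT_RUN while the user still holds AP_VENDOR_MASTER, so the compliance check finds F001 and the request is modified before provisioning; only when the compliance team assigns mitigating controls (third call) does the payment role reach the ERP and the Treasury group in AD.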

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
– Centralized user management: centralized management of identity information across multiple data sources
– Integration and synchronization of system authorization data: manage user privileges centrally
– Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
– Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
– Access risk identification: define and understand access risks
– Access analysis and response: analyze and mitigate access risks
– Access reviews: periodic reviews of assignments, risk violations and controls
– Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A)

SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); connected via RFC

Non-SAP business applications: adapter (optional), connected via web services

SAP NW Portal 7.02: GRC portal content (optional), HTTP

SAP NW BW 7.02: GRC BI content (optional), RFC

Identity management solutions (SAP or non-SAP): optional, web services

SAP NW Java 7.02: Adobe Document Services (optional), HTTP

Front-end client (DIAG, HTTP): SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports), Content Lifecycle Management (CLM)

SAP GRC 10.0

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Process diagram recovered from the slide:]
HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments: Yes / No) → SAP GRC Access Control (Compliance Check, Remediation) → Heterogeneous Landscape (Create User, Assign Roles / Assign Privileges in each target system)

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram recovered from the slide:]
Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of Non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Logs of Network IDS; Alerts from SAP SolMan
SAP Attack Monitoring Infrastructure: Connectivity, Extraction, Filtering, Normalization, Aggregation
Outputs: API to other SIEM tools; Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads the industry by helping our customers thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 44: SIS100 - Overview About Product Security, IDM and SSO

Access Logging with Business Warehouse

• SAP Business Warehouse supports logging of access to data via the BAdI RSEC_LEGAL_AUDIT_SAP (LOPD solution)
• LOPD was first available with the BW 7.0 release
• Within the solution you can configure the information to be logged per InfoProvider
• The LOPD logging mechanism will at first do a simple relevance check for the InfoProvider underlying a query
• For further information see SAP Note 933441 – Frequently asked questions on BW 7.0 and data protection

Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed and available as of SAP NetWeaver AS ABAP 7.40.
The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                      | Supported by Read Access Logging | UI Logging Solution
SAP GUI                      | No                               | 7.00 … 7.31
Web Dynpro ABAP              | 7.40 SP02                        | On request
CRM Web Client UI            | No                               | 7.00 … 7.31
Business Warehouse           | No                               | 7.00 … 7.31, BW 7.0
Web Services                 | 7.40                             | On request
SAP RFC                      | 7.40 SP02                        | On request
Business Server Pages (BSP)  | No                               | On request

Read Access Logging: Compliance to Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; an example is full credit card details.

When recording data containing information about individuals, this may be subject to the data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, a detailed logging of employee actions might meet the definitions of behavioral control / performance control in the Works Constitution legislation of certain countries. In this case an approval of the works council might be mandatory.
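The three constraints named on this slide (do not record more than the regulation allows, such as a full card number; tie the record to a purpose; keep it only for a limited time) translate directly into the shape of a read access log entry. The following is an added example, not SAP's Read Access Logging framework or the BW LOPD solution: the channel and field names, the allowed purposes, the masking rule and the 90-day retention period are constructed assumptions, chosen to show how a log can stay useful for audit without itself becoming a store of the data it protects.

```python
"""Added example (not SAP's Read Access Logging): a minimal read access log
that records who read which sensitive field over which channel, stores only a
masked form of values such as card numbers, requires a declared purpose, and
purges entries once a retention period has passed. All configuration values
and log data are constructed for this example."""
from datetime import datetime, timedelta, timezone

# Constructed configuration: (channel, field) -> how the read value is kept.
LOGGED_FIELDS = {
    ("WEB_SERVICE", "CARD_NUMBER"): "mask_pan",   # never store the full PAN
    ("SAP_GUI", "SALARY"): "omit_value",          # log the access, not the value
    ("RFC", "CUSTOMER_ID"): "plain",
}
ALLOWED_PURPOSES = {"FRAUD_INVESTIGATION", "AUDIT", "SUPPORT"}   # constructed
RETENTION_DAYS = 90                                              # constructed


def mask_pan(pan):
    """Keep the first six and last four digits of a card number, as PCI DSS
    allows for display, and replace the rest with asterisks."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_read(log, channel, user, field, value, purpose, when):
    """Append one entry if (channel, field) is configured for logging.
    Returns the entry, or None when the field is not subject to logging.
    A purpose outside the allowed set is rejected rather than recorded."""
    mode = LOGGED_FIELDS.get((channel, field))
    if mode is None:
        return None
    if purpose not in ALLOWED_PURPOSES:
        raise ValueError(f"purpose {purpose!r} is not an allowed reason to read {field}")
    stored = {"mask_pan": mask_pan(value), "omit_value": None, "plain": value}[mode]
    entry = {"ts": when, "channel": channel, "user": user, "field": field,
             "value": stored, "purpose": purpose}
    log.append(entry)
    return entry


def purge_expired(log, now, retention_days=RETENTION_DAYS):
    """Drop entries older than the retention limit; returns how many were removed."""
    cutoff = now - timedelta(days=retention_days)
    before = len(log)
    log[:] = [e for e in log if e["ts"] >= cutoff]
    return before - len(log)


if __name__ == "__main__":
    log = []
    t0 = datetime(2013, 11, 5, tzinfo=timezone.utc)
    record_read(log, "WEB_SERVICE", "jack_jones", "CARD_NUMBER",
                "4111 1111 1111 1111", "FRAUD_INVESTIGATION", t0)
    record_read(log, "SAP_GUI", "jack_jones", "SALARY", "50000", "AUDIT", t0)
    print(log)
    print("purged:", purge_expired(log, t0 + timedelta(days=91)))
```

The value column is the part to get right: for the card number the log keeps only what an investigator needs to recognise the record, for the salary it keeps nothing at all, and the timestamp plus a retention sweep keeps the log within the "limited amount of time" the slide refers to.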

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAP CRYPTOLIB or the Secure Login Library]

• Digital signatures for legally binding contracts
• Integration with Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step by Step

[Sequence diagram between SAP client and application, recovered from the slide:]
1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of ABAP programming for other transactions not yet supporting SSF
• Integration of Secure Login Library with client actions
• Hardware support needed

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Goals: Compliance, Integrity, Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in the SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to SAP application servers; SNC also between application servers]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: Secure Software Development at SAP and at customers, Security Services, Security Management; this overview slide is repeated as a build-up before each of the following sections]

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE
Quality gates: Planning to Development; Development to Production; Production to Ramp-Up

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

(topics from the security recommendations discussed later)

Patch Management and Security Monitoring

• Check security of your systems as onsite, remote or self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
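"Verify configuration parameters against targets for all systems" is, stripped to its core, a comparison of each system's profile against a rule per parameter. The following is an added example, not SAP Solution Manager's Configuration Validation: the target rules cover the areas the Secure System Configuration slide lists (password policy, password hashes, gateway and message server security, session handling) using real AS ABAP profile parameter names, but the expected values and the two sample systems are this example's constructed assumptions, not SAP's recommendations verbatim; a project would take its targets from the "Secure Configuration SAP NetWeaver Application Server ABAP" document referenced on this page.

```python
"""Added example (not SAP Solution Manager code): validate AS ABAP profile
parameters of several systems against a target. Parameter names are real
profile parameters; the expected values and the sample systems are constructed
assumptions for this example."""

# Constructed target: parameter -> (what is required, predicate on the raw value).
TARGET = {
    "login/min_password_lng": ("minimum password length at least 8",
                               lambda v: int(v) >= 8),
    "login/password_downwards_compatibility": ("only the current password hash kept",
                                               lambda v: int(v) == 0),
    "login/no_automatic_user_sapstar": ("no automatic SAP* login",
                                        lambda v: int(v) == 1),
    "gw/acl_mode": ("gateway ACL enforced",
                    lambda v: int(v) == 1),
    "ms/acl_info": ("message server ACL file maintained",
                    lambda v: bool(v.strip())),
    "rdisp/gui_auto_logout": ("GUI auto logout within one hour",
                              lambda v: 0 < int(v) <= 3600),
}

# Constructed inventory: system id -> parameters as read from its profile.
SYSTEMS = {
    "PRD": {"login/min_password_lng": "10",
            "login/password_downwards_compatibility": "0",
            "login/no_automatic_user_sapstar": "1",
            "gw/acl_mode": "1",
            "ms/acl_info": "/usr/sap/PRD/SYS/global/ms_acl_info",
            "rdisp/gui_auto_logout": "1800"},
    "DEV": {"login/min_password_lng": "6",
            "login/password_downwards_compatibility": "1",
            "login/no_automatic_user_sapstar": "1",
            "gw/acl_mode": "0",
            "rdisp/gui_auto_logout": "0"},
}


def validate(profile):
    """Findings for one system as (parameter, requirement, observed value).
    A parameter absent from the profile is reported as 'not set': the kernel
    default then applies, and that default has to be judged against the target
    rather than silently accepted."""
    findings = []
    for param, (requirement, ok) in TARGET.items():
        value = profile.get(param)
        if value is None:
            findings.append((param, requirement, "not set"))
        elif not ok(value):
            findings.append((param, requirement, value))
    return findings


def validate_landscape(systems):
    """Run the same target against every connected system."""
    return {sid: validate(profile) for sid, profile in systems.items()}


if __name__ == "__main__":
    for sid, findings in validate_landscape(SYSTEMS).items():
        print(sid, "compliant" if not findings else "")
        for param, requirement, observed in findings:
            print(f"  {param}: {requirement} (observed: {observed})")
```

Keeping the rule as a predicate rather than a literal value matters for parameters like the auto-logout timeout, where both "unset" and "0" mean the control is off even though only one of them fails a simple equality check.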

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
• For more information see SAP Note 1532674


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see Note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs
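"Analyze the data flow and the user input" describes taint tracking: mark values that come from outside the program, follow them through assignments, and report when one reaches a dangerous operation without having passed a sanitizer. The following is an added example, not the SAP code vulnerability analysis add-on, Code Inspector or ATC: it runs over a tiny constructed listing in a pseudo-ABAP style (one statement per line, `&&` for concatenation), and the names of the source, sanitizer and sink functions are this example's assumptions. It shows the logic a scanner applies to the SQL injection and code injection classes listed on the previous slide, not the real tool's rule set.

```python
"""Added example (not SAP's code vulnerability analysis): a toy forward taint
analysis over a straight-line listing. Statement syntax, the source/sanitizer/
sink function names and the sample listing are constructed for this example."""
import re

SOURCES = {"READ_INPUT"}            # functions returning untrusted user input
SANITIZERS = {"ESCAPE_SQL"}         # functions whose result counts as clean
SINKS = {"EXEC_SQL", "EXEC_CMD"}    # operations that must not see tainted data

ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\.?\s*$")   # var = expression.
CALL = re.compile(r"^\s*(\w+)\((.*)\)\s*$")             # FUNC(args)


def _operands(expr):
    """Identifiers referenced by an expression; string literals are ignored."""
    expr = re.sub(r"'[^']*'", "", expr)
    return set(re.findall(r"\b([A-Za-z_]\w*)\b", expr))


def analyze(listing):
    """Propagate taint line by line. Returns [(line_no, sink, variable)] for
    every sink argument that is derived from a source without sanitization."""
    tainted = set()
    findings = []
    for no, line in enumerate(listing.strip().splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            call = CALL.match(rhs)
            ops = _operands(rhs)
            if call and call.group(1) in SANITIZERS:
                tainted.discard(var)            # sanitizer output is clean
            elif ops & SOURCES or ops & tainted:
                tainted.add(var)                # source, or built from tainted data
            else:
                tainted.discard(var)            # overwritten with a clean value
            continue
        call = CALL.match(line.strip().rstrip("."))
        if call and call.group(1) in SINKS:
            for arg in sorted(_operands(call.group(2)) & tainted):
                findings.append((no, call.group(1), arg))
    return findings


# Constructed sample: line 3 is the unsafe flow, lines 6 and 8 are clean.
SAMPLE = """
name = READ_INPUT('customer').
where = 'NAME = ' && name.
EXEC_SQL(where).
safe = ESCAPE_SQL(name).
where2 = 'NAME = ' && safe.
EXEC_SQL(where2).
fixed = 'NAME = ''SAP'''.
EXEC_SQL(fixed).
"""

if __name__ == "__main__":
    for line_no, sink, var in analyze(SAMPLE):
        print(f"line {line_no}: tainted variable {var!r} reaches {sink}")
```

The two checks worth noticing are that taint spreads through concatenation (line 2 is tainted because `name` is), and that a sanitizer only cleans its own result: reusing the original variable after sanitizing a copy is still reported, which is exactly the mistake a manual review tends to miss.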

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]
• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing]
• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities analyzing the sources
• SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product?
• What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
• SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general?
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP support portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                   | Course ID
Authorizations AS ABAP                  | ADM940
Authorizations AS Java / Portal         | ADM200, EP200, ADM800
Authorizations BW                       | BW365
SAP NetWeaver Identity Management       | ADM920
Security Auditing                       | ADM950
Technical Security (RFC, SSL, SNC, …)   | ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels (from the slide's ladder diagram):
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram of the three layers:]
• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center, Virtual Directory Server, Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures, re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (partner, via API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after one primary authentication as user jack_jones, the E-SSO monitor supplies the credentials for Terminal Emulator, Web Form, Web Basic, Windows application and Java application logins; configured via a Local Management Console]

Secure Login – Solution Architecture

[Architecture diagram recovered from the slide:]
• Client system: SAP frontend (NWBC, SAP GUI) with Secure Login Client; web browser with key store and SLWC (applet)
• SAP backend system: ABAP stack with Secure Login Library and PSE service; Java stack with SAP or Java Crypto Library
• NetWeaver CE 7.2 running the Secure Login Server with config data, connected to an authentication server (e.g. SAP User Management)
• Further backend systems with Secure Login Lib
• Protocols: DIAG/SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Diagram: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), plus Cloud]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B), each with ERP, CRM and SCM as Service Providers (SP) and its own Identity Provider; Identity Federation between the two Identity Providers]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: SAP NetWeaver Java Identity Provider with user account; SAP NetWeaver ABAP Service Provider, SAP NetWeaver Java Service Provider and non-SAP Service Provider, each with its own user account; log on / log off via SAML token]

• Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
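The redirect-and-assert exchange described above is easiest to understand with both sides in one place. The following is an added example, not SAP's SAML 2.0 implementation: the Identity Provider and the two Service Providers are simulated in a few dozen lines, an HMAC over the assertion fields stands in for the XML signature a real deployment uses, and the entity ids, user accounts, shared key and validity window are constructed. What it keeps faithful to the slide is the shape of the flow (one primary authentication at the IdP, then an assertion per Service Provider, each mapped to that provider's own local user account) and the checks a Service Provider must perform before trusting an assertion: signature, issuer, audience and validity period.

```python
"""Added example (not SAP code): a simulation of SAML-style web browser SSO.
An HMAC stands in for the XML signature; every id, account and key below is
constructed for this example."""
import hashlib
import hmac
import json
import time


def _sign(key, body):
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, users, signing_key):
        self.entity_id = entity_id
        self.users = users          # constructed: name -> sha256(password)
        self.key = signing_key
        self.sessions = {}          # idp session token -> subject

    def authenticate(self, name, password):
        """Primary authentication; happens once per browser session."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        if self.users.get(name) != digest:
            return None
        token = hashlib.sha256(f"{name}:{time.time()}".encode()).hexdigest()
        self.sessions[token] = name
        return token

    def issue_assertion(self, idp_session, audience, now):
        """Signed assertion for one Service Provider, or None if not logged on."""
        subject = self.sessions.get(idp_session)
        if subject is None:
            return None
        body = {"issuer": self.entity_id, "subject": subject, "audience": audience,
                "not_before": now, "not_on_or_after": now + 300}
        return {**body, "signature": _sign(self.key, body)}


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key, account_map):
        self.entity_id = entity_id
        self.trusted_issuer = idp_entity_id
        self.idp_key = idp_key      # trust configured out of band
        self.accounts = account_map  # constructed: federated subject -> local account
        self.sessions = {}          # sp session -> local account

    def access(self, sp_session):
        """A web request: served from a session, or redirected to the IdP."""
        if sp_session in self.sessions:
            return ("ok", self.sessions[sp_session])
        return ("redirect_to_idp", self.entity_id)   # our id becomes the audience

    def consume(self, assertion, now):
        """Validate signature, issuer, audience and time window; map the subject
        to the local account and open a session. Returns the session or None."""
        body = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(_sign(self.idp_key, body), assertion["signature"]):
            return None
        if body["issuer"] != self.trusted_issuer or body["audience"] != self.entity_id:
            return None
        if not (body["not_before"] <= now < body["not_on_or_after"]):
            return None
        local = self.accounts.get(body["subject"])
        if local is None:
            return None
        sp_session = hashlib.sha256(
            f"{self.entity_id}:{body['subject']}:{now}".encode()).hexdigest()
        self.sessions[sp_session] = local
        return sp_session


def run_flow(now=1_383_000_000.0):
    """One user, one IdP logon, two Service Providers; plus three rejections."""
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example/saml",
                           {"jack": hashlib.sha256(b"pw").hexdigest()}, key)
    sp_abap = ServiceProvider("https://abap.example/saml", idp.entity_id, key,
                              {"jack": "JJONES"})
    sp_java = ServiceProvider("https://java.example/saml", idp.entity_id, key,
                              {"jack": "jack.jones"})
    first = sp_abap.access(None)                         # no session: redirect
    idp_session = idp.authenticate("jack", "pw")         # one primary logon
    s1 = sp_abap.consume(idp.issue_assertion(idp_session, sp_abap.entity_id, now), now)
    s2 = sp_java.consume(idp.issue_assertion(idp_session, sp_java.entity_id, now), now)
    a = idp.issue_assertion(idp_session, sp_abap.entity_id, now)
    return {"first": first, "abap": sp_abap.access(s1), "java": sp_java.access(s2),
            "wrong_audience": sp_java.consume(a, now),
            "tampered": sp_abap.consume(dict(a, subject="admin"), now),
            "expired": sp_abap.consume(a, now + 600)}


if __name__ == "__main__":
    print(run_flow())
```

The audience check is the one most often skipped in home-grown integrations: without it, an assertion issued for one Service Provider can be replayed at another, which is why `wrong_audience` is rejected even though its signature is valid.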

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a Central Identity Store, driven by events such as on-boarding; integrated with SAP Access Control (GRC) and the SAP Business Suite]
• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Architecture diagram recovered from the slide:]
• Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures; logs, audit, IdS; runtimes (Java and VB), DSE (VB), Dispatcher (VB) and Event Agent; AS Java with Web Dynpro user interface and ID Mgmt UI abstraction; MMC Management Console (soon to be Eclipse); JMX
• Virtual Directory Server (VDS): Java VM, LDAP; connects to external repositories via LDAP, Java, ABAP, web services, Active Directory, etc.
• External applications: SAP HR, SiteMinder, LDAP/web services, application-specific connectors
• Protocols: HTTPS, DB protocol, LDAP

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

1. Request (in SAP NetWeaver Identity Management) for
• Role
• Privileges
• User account
• …

[Diagram: User, SAP NetWeaver Identity Management, SAP GRC Access Control; step 1]

Compliant Identity Management

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

[Diagram: User, Approver, SAP NetWeaver Identity Management, SAP GRC Access Control; steps 1 to 2]

Compliant Identity Management

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

[Diagram: User, Approver, SAP NetWeaver Identity Management, SAP GRC Access Control; steps 1 to 3]

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture (diagram)

- SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A)
- SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
- Non-SAP business applications via adapter (optional)
- SAP NW Portal 7.02 with GRC Portal Content (optional)
- SAP NW BW 7.02 with GRC BI Content (optional)
- Identity management solutions, SAP or non-SAP, via web services (optional)
- SAP NW Java 7.02 with Adobe Document Services (optional)
- Content Lifecycle Management (CLM) (optional)
- Front-end client: SAP GUI 7.10 (DIAG), web browser (http), Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)

Connections shown: DIAG (SAP GUI), http (browser, portal), RFC (ERP plug-ins, BW), web services (identity management solutions)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow (diagram):
1. HR application: new hire or change of position
2. Identity Management: calculate entitlements based on position
3. Line manager: approve assignments (Yes / No)
4. SAP GRC Access Control: compliance check and remediation
5. Create user, assign roles and privileges in each system of the heterogeneous landscape
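The six-step request flow and the HR-triggered scenario above describe the same control sequence: an access request is approved, simulated against SoD rules together with the access the user already holds, mitigated or rejected, and only then provisioned. The Python model below is an added example written for this page and is not SAP code; the roles, SoD rules, target systems and HR event format are constructed, and the risk simulation and provisioning plan stand in for what SAP GRC Access Control and the IdM connectors do.

```python
"""Model of the compliant identity management flow: request -> approval -> risk
analysis -> remediation -> provisioning. Added illustration, not SAP code; every
role, SoD rule, target system and HR event below is constructed."""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed: business roles a position entitles (entitlements calculated from HR).
POSITION_ENTITLEMENTS = {
    "Accounts Payable Clerk": ["AP_INVOICE_ENTRY"],
    "Purchasing Manager": ["PO_CREATE", "VENDOR_MAINTAIN"],
}
# Constructed SoD rules: role pairs that together form an access risk.
SOD_RULES = {
    frozenset({"PO_CREATE", "VENDOR_MAINTAIN"}): "P001 create a vendor and buy from it",
    frozenset({"AP_INVOICE_ENTRY", "VENDOR_MAINTAIN"}): "P002 create a vendor and pay it",
}
# Constructed: technical privilege per business role and target system.
PROVISIONING_MAP = {
    "AP_INVOICE_ENTRY": {"ERP": "Z_AP_CLERK"},
    "PO_CREATE": {"ERP": "Z_MM_PO", "SRM": "Z_SRM_BUYER"},
    "VENDOR_MAINTAIN": {"ERP": "Z_MM_VENDOR"},
}


@dataclass
class AccessRequest:
    user: str
    roles: list
    state: str = "requested"
    mitigations: dict = field(default_factory=dict)   # risk -> mitigating control
    audit: list = field(default_factory=list)         # (step, state, detail) trail

    def log(self, step, detail):
        self.audit.append((step, self.state, detail))


def request_from_hr_event(event):
    """Step 1: an HR event (new hire, position change) becomes an access request."""
    roles = POSITION_ENTITLEMENTS[event["position"]]
    req = AccessRequest(user=event["user"], roles=list(roles))
    req.log("request", f"{event['type']} -> {roles}")
    return req


def manager_approval(req, approved):
    """Steps 2-3: line manager, delegate or role owner approves or declines."""
    req.state = "approved" if approved else "rejected"
    req.log("approval", req.state)
    return req


def risk_analysis(req, existing_roles):
    """Step 4: simulate the user's FUTURE role set against the SoD rule base.
    Checking only the requested roles would miss a risk split across two requests."""
    future = set(existing_roles) | set(req.roles)
    hits = [SOD_RULES[frozenset(pair)] for pair in combinations(sorted(future), 2)
            if frozenset(pair) in SOD_RULES]
    req.log("risk_analysis", hits or "no violation")
    return hits


def remediate(req, hits, mitigations):
    """Step 5: compliance team decides per risk; an unmitigated risk blocks the request."""
    unmitigated = [h for h in hits if h not in mitigations]
    if unmitigated:
        req.state = "rejected"
        req.log("remediation", f"unmitigated risks: {unmitigated}")
    else:
        req.mitigations.update({h: mitigations[h] for h in hits})
        req.state = "compliant"
        req.log("remediation", "mitigated" if hits else "nothing to mitigate")
    return req


def provision(req):
    """Step 6: derive the per-system privilege assignments a connector would execute.
    Provisioning happens only from the 'compliant' state, never straight after approval."""
    if req.state != "compliant":
        return {}
    plan = {}
    for role in req.roles:
        for system, privilege in PROVISIONING_MAP[role].items():
            plan.setdefault(system, []).append(privilege)
    req.state = "provisioned"
    req.log("provision", plan)
    return plan


def run_workflow(event, existing_roles=(), approved=True, mitigations=None):
    """Drive one request through all six steps; returns (request, provisioning plan)."""
    req = request_from_hr_event(event)
    manager_approval(req, approved)
    if req.state != "approved":
        return req, {}
    hits = risk_analysis(req, existing_roles)
    remediate(req, hits, mitigations or {})
    return req, provision(req)
```

The point to take from the model is the state machine: provisioning is reachable only from the compliant state, and the risk simulation runs on the future role set, so a user who already holds AP_INVOICE_ENTRY and is moved into purchasing trips both constructed rules even though each request on its own looks harmless.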

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure (diagram)

Inputs: attack pattern updates by SAP; logs of SAP NetWeaver systems; logs of non-SAP NetWeaver systems; desktop frontend logs; mobile frontend logs; logs of infrastructure; logs of database; network logs; IDS; alerts from SAP Solution Manager

SAP Attack Monitoring Infrastructure: connectivity, aggregation, normalization, filtering, extraction

Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discuss­ed
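The draft above is a pipeline: connect to many sources, aggregate, normalize to one schema, filter, extract, then match SAP-supplied attack patterns across systems. The Python sketch below is an added example for this page, not SAP's infrastructure or an SAP log format: both line formats, the sample lines and the attack pattern are constructed. It shows the one property that motivates a central aggregation point, a pattern that only becomes visible when failures on one system are correlated with a success on another.

```python
"""Toy aggregation / normalization / pattern-matching stage. Added illustration;
the two line formats, the sample lines and the attack pattern are constructed and
are not SAP's audit log format or SAP's attack patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed source formats: an application server audit style and a gateway style.
APPSERVER_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) AUDIT "
    r"user=(?P<user>\S+) client=(?P<client>\d{3}) event=(?P<event>\S+) term=(?P<src>\S+)$")
GATEWAY_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) GW "
    r"(?P<event>RFC_START|RFC_REJECT) prog=(?P<prog>\S+) from=(?P<src>\S+)$")


def normalize(line):
    """Map any known format onto one schema; None means the line is filtered out."""
    for rx, user_field in ((APPSERVER_RE, "user"), (GATEWAY_RE, "prog")):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                    "src": d["src"], "user": d[user_field], "event": d["event"]}
    return None


# Constructed pattern: N failed logons from one source for one user, followed by a
# successful logon for that user from the same source within the window, on ANY host.
PATTERN = {"name": "password guessing followed by successful logon",
           "fail_event": "LOGON_FAILED", "success_event": "LOGON_OK",
           "threshold": 3, "window": timedelta(minutes=5)}


def detect(lines, pattern=PATTERN):
    """Aggregate all sources, order by time, and evaluate the pattern per (src, user)."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)      # (src, user) -> timestamps of failed logons
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == pattern["fail_event"]:
            failures[key].append(e["ts"])
        elif e["event"] == pattern["success_event"]:
            recent = [t for t in failures[key] if e["ts"] - t <= pattern["window"]]
            if len(recent) >= pattern["threshold"]:
                alerts.append({"pattern": pattern["name"], "user": e["user"], "src": e["src"],
                               "host": e["host"], "failures": len(recent), "at": e["ts"]})
            failures[key].clear()     # a success ends the attempt sequence
    return alerts


# Constructed sample: two failures on erp01 and one on crm01, then success on crm01.
# No single host reaches the threshold; only the aggregated view does.
SAMPLE_LINES = [
    "2013-10-22 09:00:01 erp01 AUDIT user=JDOE client=100 event=LOGON_FAILED term=10.1.2.3",
    "2013-10-22 09:00:07 erp01 AUDIT user=JDOE client=100 event=LOGON_FAILED term=10.1.2.3",
    "2013-10-22 09:00:13 crm01 AUDIT user=JDOE client=100 event=LOGON_FAILED term=10.1.2.3",
    "2013-10-22 09:00:20 crm01 AUDIT user=JDOE client=100 event=LOGON_OK term=10.1.2.3",
    "2013-10-22 09:01:00 erp01 GW RFC_REJECT prog=sapxpg from=10.9.9.9",
    "2013-10-22 09:30:00 erp01 AUDIT user=ASMITH client=100 event=LOGON_FAILED term=10.1.2.4",
    "2013-10-22 09:30:05 erp01 AUDIT user=ASMITH client=100 event=LOGON_OK term=10.1.2.4",
    "garbage line that no parser understands",
]


def run_sample():
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Lines that no parser understands are dropped in the filtering step; in a real deployment they should be counted, since a silently growing drop rate is how a log format change hides an attack.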

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Read Access Logging versus UI Logging

Read Access Logging is a framework to enable compliant logging of data access by SAP systems, developed by SAP and available as of SAP NetWeaver AS ABAP 7.40.

The UI Logging solution from SAP Custom Development Services is available on AS ABAP versions 7.00, 7.01, 7.02, 7.10, 7.11.

Channel                        Supported by Read Access Logging   UI Logging Solution
SAP GUI                        No                                 7.00 … 7.31
Web Dynpro ABAP                7.40 SP02                          On request
CRM Web Client UI              No                                 7.00 … 7.31
Business Warehouse             No                                 7.00 … 7.31, BW 7.0
Web Services                   7.40                               On request
SAP RFC                        7.40 SP02                          On request
Business Server Pages (BSP)    No                                 On request

Read Access Logging – Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; full credit card details are one example.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the works constitution legislation of certain countries. In this case an approval of the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite – SRM, SCM, ERP, PLM, CRM – on SAP NetWeaver, using the Secure Store and Forward (SSF) library backed by SAPCRYPTOLIB or the Secure Login Library)

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI-DSS-compliant encryption

Digital Signatures – Step by Step

1. Transaction triggers the digital signature
2. User information is transferred to the SAP client
3. User authenticates and the digital certificate is received
4. Application digitally signs the documents and stores the data

Supported out-of-the-box for a set of SAP transactions. Programming / integration is necessary in case of:
- ABAP programming for other transactions not yet supporting SSF
- Integration of the Secure Login Library with client actions
- Hardware support needed (e.g. smart cards at the SAP client)

SNC Client Encryption

Secure Network Communications (SNC): a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel. Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

(Diagram: clients – SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser) – connect via SNC to the SAP application servers; SNC is also shown between application servers.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems (overview)

- SAP: secure software development
- Customers: secure software development, security services, security management

SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)
- SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems – Are You Ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, light-weight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs the configuration and describes the required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674
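Both the secure-configuration topics listed above (password policy, password hashes, default passwords, gateway security, SNC and HTTPS) and the SSL Profile Validation task of LM Automation come down to comparing profile parameter values against targets. The Python checker below is an added example for this page, not SAP's Configuration Validation or LM Automation. The parameter names are real AS ABAP profile parameters; the target values are the author's reading of SAP's secure-configuration recommendations and are assumptions to be verified against the current SAP documentation; both profile texts are constructed, one weak and one corrected.

```python
"""Profile parameter validation against security targets. Added illustration, not
SAP's Configuration Validation or LM Automation. Parameter names are real AS ABAP
profile parameters; TARGET values are assumptions based on SAP's secure-configuration
recommendations (verify against current SAP documentation); profiles are constructed."""
import re

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}. A later assignment overrides an earlier one, which is
    how an instance profile overrides DEFAULT.PFL when both are read in sequence."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _is_int_at_least(n):
    return lambda v: v.isdigit() and int(v) >= n


# Assumed targets: (parameter, predicate on the string value, human-readable expectation).
TARGETS = [
    ("login/min_password_lng", _is_int_at_least(8), ">= 8"),
    ("login/password_downwards_compatibility", lambda v: v == "0", "= 0 (no downward-compatible hashes)"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1", "= 1 (no automatic SAP* logon)"),
    ("gw/acl_mode", lambda v: v == "1", "= 1 (gateway ACL files enforced)"),
    ("snc/enable", lambda v: v == "1", "= 1 (SNC active)"),
]


def check(params):
    """Return findings as (parameter, actual, expected). A parameter that is not set
    falls back to the kernel default, which is reported rather than trusted."""
    findings = []
    for name, ok, expected in TARGETS:
        value = params.get(name)
        if value is None:
            findings.append((name, "not set (kernel default)", expected))
        elif not ok(value):
            findings.append((name, value, expected))
    # Every icm/server_port_<n> entry is a listening port; a plain HTTP one carries
    # logon data in clear text unless TLS is terminated in front of it.
    for name, value in sorted(params.items()):
        if name.startswith("icm/server_port_"):
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            if opts.get("PROT", "").upper() == "HTTP":
                findings.append((name, value, "PROT=HTTPS (or restrict plain HTTP to trusted networks)"))
    return findings


# Constructed: the weak profile and its corrected counterpart.
WEAK_PROFILE = """\
# constructed instance profile, not from a real system
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
snc/enable = 1
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""


def weak_findings():
    return check(parse_profile(WEAK_PROFILE))


def hardened_findings():
    return check(parse_profile(HARDENED_PROFILE))


if __name__ == "__main__":
    for finding in weak_findings():
        print("%-40s actual: %-25s expected: %s" % finding)
```

A parameter that is absent is reported as a finding on purpose: the kernel default may or may not be the secure value, and a checker that silently accepts "not set" is how gateway ACL enforcement stays off on a system everyone believes is hardened.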


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Spectrum of methods (diagram): manual source code review – automated source code analysis – automated application vulnerability scanning – manual application penetration testing

- SAST: find vulnerabilities by analyzing the sources (manual source code review, automated source code analysis)
- DAST: find vulnerabilities in the running application (automated vulnerability scanning, manual penetration testing)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

- SAP NetWeaver Application Server add-on for code vulnerability analysis (SAST)
- Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
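The add-on described above works by following data flow from user input to dangerous statements, which is what separates it from a pattern grep over the source. The Python sketch below is an added example for this page and is not SAP's code vulnerability analysis: it is a toy taint tracker over a tiny ABAP-like subset (PARAMETERS as source, assignment and CONCATENATE as propagation, a call to cl_abap_dyn_prg=>escape_quotes as the one recognised sanitizer, a dynamic WHERE clause and OPEN DATASET as sinks) with no control flow, procedures or structured variables. The sample program is constructed.

```python
"""Toy forward taint analysis over an ABAP-like subset, illustrating what a data-flow
based code scan does. Added illustration, not SAP's code vulnerability analysis.
Limits (deliberate): straight-line code only, no branches, loops, FORMs, methods,
field symbols or structured variables; one sanitizer recognised; two sinks."""
import re

SOURCE_RE = re.compile(r"^PARAMETERS\s+(\w+)", re.I)                   # user input
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)   # propagation
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\.$")                        # propagation
SANITIZER_RE = re.compile(r"cl_abap_dyn_prg=>escape_quotes\(\s*\w+\s*\)", re.I)
SINKS = [
    (re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I), "SQL injection via dynamic WHERE clause"),
    (re.compile(r"^OPEN\s+DATASET\s+(\w+)", re.I), "directory traversal via file name from input"),
]


def _identifiers(expr):
    """Identifiers in an expression, with string literals ('...', '' escapes) removed."""
    return {v.lower() for v in re.findall(r"[A-Za-z_]\w*", re.sub(r"'[^']*'", " ", expr))}


def analyze(source):
    taint = {}        # variable -> provenance text tracing it back to the input
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        stmt = raw.strip()
        if not stmt or stmt.startswith("*") or stmt.startswith('"'):
            continue                                      # comment or empty line
        for rx, description in SINKS:                     # 1. does this line consume tainted data?
            m = rx.search(stmt)
            if m and m.group(1).lower() in taint:
                findings.append({"line": no, "sink": description, "variable": m.group(1).lower(),
                                 "source": taint[m.group(1).lower()]})
        m = SOURCE_RE.match(stmt)                         # 2. does it introduce user input?
        if m:
            taint[m.group(1).lower()] = f"user input {m.group(1)} (line {no})"
            continue
        m = CONCAT_RE.match(stmt) or ASSIGN_RE.match(stmt)  # 3. does it move data around?
        if not m:
            continue
        if m.re is CONCAT_RE:
            rhs, target = m.group(1), m.group(2).lower()
        else:
            target, rhs = m.group(1).lower(), m.group(2)
        tainted_inputs = [v for v in _identifiers(rhs) if v in taint]
        if SANITIZER_RE.search(rhs) or not tainted_inputs:
            taint.pop(target, None)                       # overwritten with clean data
        else:
            src = tainted_inputs[0]
            taint[target] = f"{src} (line {no}) <- {taint[src]}"
    return findings


# Constructed sample program (ABAP-like, not a real SAP program).
SAMPLE_PROGRAM = """\
REPORT z_taint_demo.
PARAMETERS p_matnr TYPE matnr.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_safe TYPE string.
DATA lv_path TYPE string.
* input flows unescaped into a dynamic WHERE clause
CONCATENATE 'MATNR = ''' p_matnr '''' INTO lv_where.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
* the same input, escaped first, is acceptable in a dynamic WHERE clause
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_matnr ).
CONCATENATE 'MATNR = ''' lv_safe '''' INTO lv_where.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
* input used unchecked as part of a file name
CONCATENATE '/usr/sap/trans/' p_file INTO lv_path.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""


def sample_findings():
    return analyze(SAMPLE_PROGRAM)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f['line']}: {f['sink']} ({f['variable']} <- {f['source']})")
```

The two SELECT statements are textually identical, so a grep for dynamic WHERE clauses flags both or neither; the taint tracker reports only the first, because on the second path the value passed through the sanitizer before reaching the sink. Each finding carries the provenance chain back to the PARAMETERS line, which is what makes a scan result fixable rather than merely alarming.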

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
- Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- Spotlight News
- the security notes released on the Security Patch Days
- subscription to the SAP Support Portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code P_ADM_SEC_70

Topic                                        Course ID
Authorizations AS ABAP                       ADM940
Authorizations AS Java / Portal              ADM200, EP200, ADM800
Authorizations BW                            BW365
SAP NetWeaver Identity Management            ADM920
Security Auditing                            ADM950
Technical Security (RFC, SSL, SNC, …)        ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO/IEC 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of the evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level that is mutually recognized internationally

EAL 1  Functionally tested
EAL 2  Structurally tested
EAL 3  Methodically tested and checked
EAL 4  Methodically designed, tested and reviewed
EAL 5  Semi-formally designed and tested
EAL 6  Semi-formally verified, designed and tested
EAL 7  Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted (map): Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On (SAP NetWeaver)

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
- Basic encryption of the communication path for SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password
- API

SNC Client Encryption
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: after a primary authentication, the E-SSO client on the desktop – E-SSO monitor, local management console – automates the user/password login of user jack_jones to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.)

Secure Login – Solution Architecture (diagram)

- Client system: SAP front-end (NWBC, SAP GUI) with the Secure Login Client; web browser with key store and the Secure Login Web Client (SLWC, applet); SAP or Java crypto library
- SAP backend systems: ABAP stack with the Secure Login Library, reached over DIAG with SNC from the SAP front-end; Java stack with PSE service, reached over HTTP(S) from the browser
- Secure Login Server on NetWeaver CE 7.2 with its configuration data, using an authentication server (e.g. SAP User Management)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM, ..., plus the cloud.)

Identity Federation – Solution

(Diagram: Company A / Datacenter A and Company B / Datacenter B, each with its own Identity Provider and with ERP, CRM and SCM acting as Service Providers (SP); identity federation between the two Identity Providers.)

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an Identity Provider on SAP NetWeaver Java; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own user account for the user; log on / log off and the SAML token flow between them.)

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
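The redirect flow above (access attempt, redirect to the Identity Provider, authentication once, SAML token accepted by every Service Provider against its own user account) is easiest to see with both sides' messages next to each other. The Python model below is an added example for this page, not SAP's SAML implementation: the assertion is a dictionary rather than XML, an HMAC over its canonical form stands in for the XML signature made with the IdP's key, and the entity IDs, users and account mappings are constructed. It also shows the checks a Service Provider has to make on the token (issuer, signature, audience, validity window, InResponseTo, one-time use) and what happens when each one fails.

```python
"""Model of SAML-style web browser SSO: one Identity Provider, several Service Providers.
Added illustration, not SAP's SAML implementation. Assertions are dicts; an HMAC over
the canonical assertion stands in for the XML signature; all names are constructed."""
import hashlib
import hmac
import json
import secrets


def _sign(key, assertion):
    return hmac.new(key, json.dumps(assertion, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users   # users: id -> password
        self.sessions = {}                                             # IdP cookie -> user id

    def login(self, authn_request, idp_cookie=None, credentials=None, now=0, ttl=300):
        """Step 2: authenticate the browser once; later requests reuse the IdP session."""
        user = self.sessions.get(idp_cookie)
        if user is None:
            if not credentials or self.users.get(credentials[0]) != credentials[1]:
                return None, None                                      # credentials required
            user, idp_cookie = credentials[0], secrets.token_hex(8)
            self.sessions[idp_cookie] = user
        assertion = {"issuer": self.entity_id, "subject": user,
                     "audience": authn_request["issuer"],               # addressed to ONE SP
                     "in_response_to": authn_request["id"],
                     "not_before": now, "not_on_or_after": now + ttl}
        response = dict(assertion, signature=_sign(self.key, assertion),
                        relay_state=authn_request["relay_state"])
        return response, idp_cookie


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id, idp_key, user_mapping):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.user_mapping = user_mapping   # SAML subject -> local user account
        self.pending = {}                  # outstanding request id -> requested resource
        self.sessions = {}                 # SP cookie -> local user

    def access(self, resource, sp_cookie=None):
        """Step 1: no SP session -> redirect the browser to the IdP with an AuthnRequest."""
        if sp_cookie in self.sessions:
            return "ok", self.sessions[sp_cookie], resource
        request_id = "_" + secrets.token_hex(8)
        self.pending[request_id] = resource
        return "redirect_to_idp", {"id": request_id, "issuer": self.entity_id, "relay_state": resource}

    def consume(self, response, now):
        """Step 3: validate the token; only then map the subject to a local account."""
        assertion = {k: v for k, v in response.items() if k not in ("signature", "relay_state")}
        if assertion.get("issuer") != self.idp_entity_id:
            return "rejected", "unknown issuer"
        if not hmac.compare_digest(_sign(self.idp_key, assertion), response.get("signature", "")):
            return "rejected", "bad signature"
        if assertion["audience"] != self.entity_id:
            return "rejected", "assertion addressed to another service provider"
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return "rejected", "outside validity window"
        resource = self.pending.pop(assertion["in_response_to"], None)   # one-time use
        if resource is None:
            return "rejected", "unsolicited or replayed response"
        local_user = self.user_mapping.get(assertion["subject"])
        if local_user is None:
            return "rejected", "no local user account for subject"
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = local_user
        return "ok", cookie, resource


def demo(now=1_000_000):
    """Run the exchange for two SPs plus the failure cases; returns the observed outcomes."""
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("https://idp.example/saml2", key, {"jdoe": "correct horse"})
    erp = ServiceProvider("https://erp.example/saml2", idp.entity_id, key, {"jdoe": "JDOE"})
    crm = ServiceProvider("https://crm.example/saml2", idp.entity_id, key, {"jdoe": "DOEJ"})
    out = {}
    _, authn = erp.access("/orders")                                   # browser -> ERP, no session
    out["wrong_password"] = idp.login(authn, credentials=("jdoe", "nope"), now=now)[0]
    resp, idp_cookie = idp.login(authn, credentials=("jdoe", "correct horse"), now=now)
    _, erp_cookie, resource = erp.consume(resp, now)                   # browser posts token to ERP
    out["erp"] = erp.access(resource, erp_cookie)                      # SP session now exists
    _, authn2 = crm.access("/accounts")                                # second SP, same browser
    resp2, _ = idp.login(authn2, idp_cookie=idp_cookie, now=now + 10)  # no credentials asked
    status, crm_cookie, _ = crm.consume(resp2, now + 10)
    out["crm"] = (status, crm.sessions[crm_cookie])
    out["replay"] = erp.consume(resp, now + 20)
    out["wrong_audience"] = erp.consume(resp2, now + 20)
    out["tampered"] = crm.consume(dict(resp2, subject="admin"), now + 20)
    resp3, _ = idp.login(erp.access("/late")[1], idp_cookie=idp_cookie, now=now)
    out["expired"] = erp.consume(resp3, now + 301)
    return out
```

Two things are worth noticing in the model. The IdP session is what makes the second logon credential-free, while each SP still keeps its own session and its own user mapping (JDOE in one system, DOEJ in the other), exactly as the diagram's separate user accounts suggest. And the checks in consume are ordered so that an assertion issued for CRM is refused by ERP even though its signature is valid, which is the audience restriction doing its job.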

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management at the center, triggered by HR events such as on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.)

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store
- Compliance checks through SAP Access Control (GRC)
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram; component labels recovered from the slide:)

- Identity Center: IC database (MS SQL Server or Oracle, IBM DB2 soon) with stored procedures, logs, audit and the Identity Store (IdS)
- Dispatcher (VB), Event Agent, Runtime (Java), Runtime (VB), DSE (VB)
- Virtual Directory Server (VDS) in its own Java VM, exposing LDAP to AS Java and connecting to external repositories
- AS Java: Web Dynpro user interface, identity management UI abstraction, JMX; reached over HTTPS
- Management Console: MMC-based, soon to be Eclipse-based
- External repositories and applications: Active Directory, LDAP, web services, ABAP, SAP HR, SiteMinder and application-specific connectors; database protocol to the IC database

Compliant Identity Management with SAP GRC Access Control

Related session:
- SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(The slides build up the following flow step by step between the user, the approver, SAP NetWeaver Identity Management, SAP GRC Access Control and the compliance team.)

1. The user requests a role, privileges, a user account, ... in SAP NetWeaver Identity Management.
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner or application owner.
4. The approved request is sent to SAP GRC Access Control for risk analysis.
5. The compliance team performs risk analysis and remediation: reject, approve, mitigate, modify the request, ...
6. SAP NetWeaver Identity Management provisions the access to business applications, non-SAP systems, ... and sends an approval mail to the user.

Result: compliant identity management, with the request and approval workflow in SAP NetWeaver Identity Management and the risk analysis in SAP GRC Access Control.
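Steps 4 to 6 of the flow above as logic, added here as an example and not taken from SAP GRC Access Control or SAP NetWeaver Identity Management: the risk analysis evaluates the access the user would end up with (current plus requested roles) against a segregation-of-duties ruleset, the remediation decision distinguishes approve, mitigate and reject, a "modify request" helper shows which part of a conflicting request could still be granted, and provisioning is gated on the decision. The business functions, technical role names, rule IDs and control IDs are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"    # no SoD risk in the resulting access
    MITIGATE = "mitigate"  # risk exists, but a mitigating control is assigned
    REJECT = "reject"      # unmitigated risk: do not provision


@dataclass(frozen=True)
class SodRule:
    """Two business functions one identity must not hold together."""
    risk_id: str
    function_a: str
    function_b: str
    description: str


# Constructed ruleset: business functions and the technical roles that grant them.
# A real ruleset maps functions to transactions and authorization objects; these
# names are invented for the example.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"Z_AP_VENDOR_MASTER"},
    "PAYMENT_RUN": {"Z_AP_PAYMENT_RUN"},
    "PO_CREATE": {"Z_MM_PURCHASER"},
    "GOODS_RECEIPT": {"Z_MM_WAREHOUSE"},
}
RULES = [
    SodRule("P001", "VENDOR_MAINTAIN", "PAYMENT_RUN", "create a fictitious vendor and pay it"),
    SodRule("P002", "PO_CREATE", "GOODS_RECEIPT", "order goods and confirm their receipt alone"),
]


def functions_of(roles):
    """Resolve a set of technical roles to the business functions they grant."""
    return {func for func, granted_by in FUNCTIONS.items() if roles & granted_by}


def analyze(current_roles, requested_roles, rules=RULES):
    """Step 4, risk analysis: evaluate the access the user would end up with.

    A request that is clean on its own can still complete a conflict with roles the
    user already holds, so current plus requested is what gets analyzed.
    """
    resulting = functions_of(set(current_roles) | set(requested_roles))
    return [r for r in rules if r.function_a in resulting and r.function_b in resulting]


def decide(current_roles, requested_roles, mitigations):
    """Step 5, remediation outcome. mitigations maps risk_id -> assigned control id."""
    violations = analyze(current_roles, requested_roles)
    if not violations:
        return Decision.APPROVE, []
    unmitigated = [v for v in violations if v.risk_id not in mitigations]
    if unmitigated:
        return Decision.REJECT, unmitigated
    return Decision.MITIGATE, violations


def suggest_modification(current_roles, requested_roles):
    """Step 5, 'modify request': keep only the requested roles that add no new risk.

    Greedy and deterministic (roles considered in sorted order); risks the user already
    carries before the request are not held against the request.
    """
    baseline = {r.risk_id for r in analyze(current_roles, set())}
    kept = set()
    for role in sorted(requested_roles):
        new_risks = {r.risk_id for r in analyze(set(current_roles) | kept, {role})} - baseline
        if not new_risks:
            kept.add(role)
    return kept


def provision(current_roles, requested_roles, mitigations):
    """Step 6 gate: the role set to push to the target systems, or None on reject."""
    decision, _ = decide(current_roles, requested_roles, mitigations)
    if decision is Decision.REJECT:
        return None
    return set(current_roles) | set(requested_roles)
```

The check that matters is in analyze: it is the resulting access that is analyzed, not the request in isolation. A request for Z_AP_PAYMENT_RUN is harmless for a new hire and a payment-fraud risk for someone who already maintains vendor master data, and only the combined view tells the two apart.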

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with enterprise SSO and web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Diagram; component labels recovered from the slide:)

- SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (software component GRCFND_A) and Content Lifecycle Management (CLM)
- SAP ERP (4.6C – 7.1) with the NetWeaver plug-in GRCPINW (NW function modules) and the ERP plug-in GRCPIERP (HR function modules, PC automated controls), connected via RFC
- Non-SAP business applications via an adapter
- Optional: SAP NW Portal 7.02 with GRC portal content (HTTP); SAP NW BW 7.02 with GRC BI content (RFC); SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP) via web services
- Front-end client: SAP GUI 7.10 (DIAG) or web browser (HTTP) with Adobe Flash Player and the SAP CR Adapter; the SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

(Flow shown on the slide: the HR application raises a "new hire" or "change position" event; Identity Management calculates the entitlements based on the position; the line manager approves the assignments (if not, the flow stops); SAP GRC Access Control runs the compliance check and, where needed, remediation; Identity Management then creates the user and assigns roles and privileges across the heterogeneous landscape.)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Diagram; labels recovered from the slide:)

Inputs:
- Attack pattern updates by SAP
- Logs of SAP NetWeaver systems
- Logs of non-SAP NetWeaver systems
- Desktop front-end and mobile front-end logs
- Logs of the infrastructure, the database and the network (IDS)
- Alerts from SAP Solution Manager

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation

Outputs:
- API to other SIEM tools
- Information back channel to SAP

Open point: the limited analysis possibilities on local SAP NetWeaver systems still have to be discussed.
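The pipeline stages named on the slide (extraction, filtering, normalization, aggregation and attack pattern matching), as an added example that is not SAP's attack monitoring code: two constructed log formats, one imitating an application-server audit log and one a web front-end access log, are normalized into a common event schema, and one attack pattern, a failed-logon burst for one user from one client IP across systems, is evaluated over the merged stream. The log line formats, field names, host names and the pattern threshold are invented for the example; they are not the SAP Security Audit Log format or SAP's attack patterns.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str
    system: str
    user: str
    action: str      # "logon_failed" | "logon_ok" | anything else the source reports
    client_ip: str


# Constructed sample logs. Format A imitates an application-server audit log and
# format B a web front-end access log; neither is a real SAP log format.
APPSERVER_LOG = """\
20131105 100001 PRD system=ERP user=JJONES term=10.1.2.3 event=LOGON_FAIL
20131105 100007 PRD system=ERP user=JJONES term=10.1.2.3 event=LOGON_FAIL
20131105 100015 PRD system=ERP user=JJONES term=10.1.2.3 event=LOGON_FAIL
20131105 100030 PRD system=ERP user=MMUELLER term=10.1.2.9 event=LOGON_OK
20131105 100035 PRD system=ERP user=MMUELLER term=10.1.2.9 event=TCODE_START tcode=SU01
"""
WEB_LOG = """\
2013-11-05T10:00:20Z crm-web 10.1.2.3 "POST /sap/bc/webdynpro/sap/login" 401 user=JJONES
2013-11-05T10:00:25Z crm-web 10.1.2.3 "POST /sap/bc/webdynpro/sap/login" 401 user=JJONES
2013-11-05T10:00:40Z crm-web 10.1.2.3 "POST /sap/bc/webdynpro/sap/login" 200 user=JJONES
"""

APP_RE = re.compile(r"(?P<d>\d{8}) (?P<t>\d{6}) \S+ system=(?P<sys>\S+) user=(?P<user>\S+) "
                    r"term=(?P<ip>\S+) event=(?P<ev>\S+)")
WEB_RE = re.compile(r'(?P<ts>\S+) (?P<sys>\S+) (?P<ip>\S+) "[^"]*" (?P<status>\d{3}) user=(?P<user>\S+)')
APP_ACTIONS = {"LOGON_FAIL": "logon_failed", "LOGON_OK": "logon_ok"}


def extract_appserver(text):
    """Extraction + normalization for format A."""
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            ts = datetime.strptime(m["d"] + m["t"], "%Y%m%d%H%M%S")
            yield Event(ts, "appserver", m["sys"], m["user"], APP_ACTIONS.get(m["ev"], m["ev"].lower()), m["ip"])


def extract_web(text):
    """Extraction + normalization for format B: the HTTP status decides the outcome."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield Event(ts, "web", m["sys"], m["user"], "logon_ok" if m["status"] == "200" else "logon_failed", m["ip"])


def collect(*streams, keep=("logon_failed", "logon_ok")):
    """Filtering: keep only the actions the pattern below correlates on, ordered by time."""
    return sorted((e for s in streams for e in s if e.action in keep), key=lambda e: e.ts)


def detect_cross_system_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Aggregation + attack pattern: at least `threshold` failed logons for one user from one
    client IP, across any systems, inside `window`; reports whether a success followed.

    A single system's log shows three failures on ERP and two on the web front end;
    neither trips a per-system threshold of five.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.client_ip)].append(e)
    alerts = []
    for (user, ip), evs in by_key.items():
        fails = [e for e in evs if e.action == "logon_failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f.ts - first.ts <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user, "ip": ip, "failures": len(burst),
                    "systems": sorted({f.system for f in burst}),
                    "followed_by_success": any(e.action == "logon_ok" and e.ts > burst[-1].ts for e in evs),
                })
                break  # one alert per user/IP pair
    return alerts


def run():
    """Full pipeline over the constructed sample logs."""
    return detect_cross_system_bruteforce(collect(extract_appserver(APPSERVER_LOG), extract_web(WEB_LOG)))
```

The reason to normalize before aggregating is visible in the result: per system the attacker stays under the threshold, and only the merged view across ERP and the web front end shows the burst and the success that follows it. The same structure is what an API to an external SIEM tool would receive, one event schema regardless of the producing system.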

Summary – Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity that are mandatory for composite business applications and networked solutions
- SAP leads the industry by helping its customers to thrive in today's business networks


Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: https://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: https://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: https://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: https://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": https://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue Your SAP TechEd Education After the Event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Read Access Logging: Compliance with Legal Regulations

Please note that often there are different regulations in place which may partially contradict each other to a certain extent. Some of them may limit the amount of data which may be recorded without violating legal regulations or other standards; full credit card details are one example.

When recording data containing information about individuals, this may be subject to data protection and privacy laws. Often these laws only allow storing such data for a certain purpose, and even then only for a limited amount of time.

In addition, detailed logging of employee actions might meet the definitions of behavioral control or performance control in the Works Constitution legislation of certain countries. In this case, approval by the works council might be mandatory.

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

(Diagram: SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.)

- Digital signatures for legally binding contracts
- Integration with the Secure Store and Forward (SSF) API
- Out-of-the-box support for a set of SAP transactions
- Consistent with SAP Single Sign-On mechanisms
- Easy and flexible to implement
- Generation of X.509 certificates and smart card support
- PCI DSS-compliant encryption

Digital Signatures – Step by Step

1. A transaction triggers a digital signature.
2. User information is transferred.
3. The user authenticates and the digital certificate is received.
4. The application digitally signs the documents and stores the data.

- Supported out of the box for a set of SAP transactions
- Programming/integration necessary in case of:
  - ABAP programming for other transactions not yet supporting SSF
  - Integration of the Secure Login Library with client actions
  - Hardware support needed

SNC Client Encryption

Secure Network Communications (SNC): a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

Goals: compliance, integrity, confidentiality.

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

- Included in the SAP NetWeaver license
- Encryption between SAP client and application server
- Based on SNC and Kerberos
- No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
- No single sign-on included

(Diagram: the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to the SAP application server; the communication between SAP application servers is also protected by SNC.)

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

(Diagram: SAP and its customers each have a part. On the SAP side: secure software development. On the customer side: secure software development, security services and security management.)


SAP Product Innovation Lifecycle

Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at the transitions from planning to development, from development to production and from production to ramp-up.

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes on the second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the SAP Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- Run SAP end-to-end solution operations
- Books published by SAP PRESS


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and SoD?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely or as a self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes that can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Related session:
- SIS103 – Security Control Center by SAP Active Global Support
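The "verify configuration parameters against targets" check described above, as an added stand-alone example and not the Solution Manager Configuration Validation itself: a small validator reads an instance profile, compares a set of AS ABAP profile parameters against target values and reports every parameter that misses its target or is not set at all. The target values and the two sample profiles are constructed assumptions in the spirit of the secure configuration recommendations referenced in this deck, not a Solution Manager target system or SAP's official values; check them against current SAP guidance and your own policy before using them as a baseline.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Target:
    param: str
    check: Callable[[str], bool]
    expected: str   # human-readable target value
    reason: str


def equals(value):
    return lambda x: x == value


def at_least(n):
    return lambda x: x.isdigit() and int(x) >= n


def between(lo, hi):
    return lambda x: x.isdigit() and lo <= int(x) <= hi


# Target values are illustrative assumptions for this example, in the spirit of the
# "Secure Configuration SAP NetWeaver Application Server ABAP" recommendations; they
# are not the content of a Solution Manager target system.
TARGETS = [
    Target("login/no_automatic_user_sapstar", equals("1"), "1",
           "no automatic SAP* with a known password if the user master record is deleted"),
    Target("login/min_password_lng", at_least(8), ">= 8", "password policy: minimum length"),
    Target("login/password_downwards_compatibility", equals("0"), "0",
           "store no backward-compatible (weak) password hashes"),
    Target("login/fails_to_user_lock", between(1, 5), "1..5", "limit online password guessing"),
    Target("login/password_compliance_to_current_policy", equals("1"), "1",
           "passwords set under an older policy must be changed"),
    Target("gw/acl_mode", equals("1"), "1", "restrictive gateway default when secinfo/reginfo are missing"),
    Target("login/ticket_only_by_https", equals("1"), "1", "logon tickets only over HTTPS"),
    Target("icf/set_HTTPonly_flag_on_cookies", equals("0"), "0", "HttpOnly flag on all ICF cookies"),
    Target("rdisp/gui_auto_logout", between(1, 3600), "1..3600", "idle SAP GUI sessions are logged off"),
]


def parse_profile(text):
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def validate(params, targets=TARGETS):
    """One finding per parameter that misses its target or is not set at all.

    An unset parameter means the kernel default applies, which differs by release and
    is often the weaker choice, so 'not set' is reported and has to be confirmed explicitly.
    """
    findings = []
    for t in targets:
        value = params.get(t.param)
        if value is None:
            findings.append((t.param, "<not set: kernel default>", t.expected, t.reason))
        elif not t.check(value):
            findings.append((t.param, value, t.expected, t.reason))
    return findings


# Constructed profile of an instance that never got hardened ...
WEAK_PROFILE = """\
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1   # kept for an old CUA child, never revisited
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 1
gw/acl_mode = 0
rdisp/gui_auto_logout = 0                    # 0 disables the idle logout
"""

# ... and the same instance after the findings were worked off.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/password_downwards_compatibility = 0
login/fails_to_user_lock = 5
login/password_compliance_to_current_policy = 1
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
login/ticket_only_by_https = 1
icf/set_HTTPonly_flag_on_cookies = 0
rdisp/gui_auto_logout = 1800
"""


def report(profile_text):
    """The finding lines an operator would read, e.g. in a patch-day review."""
    return [f"{p}: is {v}, target {exp} ({why})" for p, v, exp, why in validate(parse_profile(profile_text))]
```

Running report(WEAK_PROFILE) lists eight findings: five parameters with a weak value and three that are not set at all. The "not set" case is the one a manual review tends to miss, because nothing in the profile draws attention to a parameter that is absent.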

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, lightweight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs the configuration and describes required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources
- SAP security recommendations
- SAP security guides

How to verify
- Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources
- SAP Secure Programming Guides
- SAP Security Recommendations

How to verify
- Source code scanning: automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Related session:
- SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- DAST finds vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing
- SAST finds vulnerabilities by analyzing the sources: manual source code review, automated source code analysis

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

- DAST (find vulnerabilities in the running application): automated application vulnerability scanning, manual application penetration testing
- SAST (find vulnerabilities by analyzing the sources): manual source code review, automated source code analysis; this is where the SAP NetWeaver Application Server add-on for code vulnerability analysis fits in

Finding security issues at design time is easier and less expensive.

Related session:
- SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com; please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the second Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- Spotlight News
- the security notes released on the Security Patch Days
- subscription to the SAP Support Portal newsletter
- maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic: Course ID
- Authorizations AS ABAP: ADM940
- Authorizations AS Java, Portal: ADM200, EP200, ADM800
- Authorizations BW: BW365
- SAP NetWeaver Identity Management: ADM920
- Security Auditing: ADM950
- Technical Security (RFC, SSL, SNC, ...): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level that is mutually recognized internationally

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted (map on the slide): Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, The Netherlands, Turkey, UK, US.

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Related sessions:
- SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
- SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
- SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
- Microsoft Active Directory Server
- Microsoft Certificate Store

Advanced SNC encryption
- Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
- Smart cards
- RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP systems and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption (SAP NetWeaver)
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
- Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption (SAP NetWeaver)
- Basic encryption between SAP Windows clients and SAP application servers
- No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

(Diagram: after a primary authentication, the E-SSO client on the desktop logs user jack_jones on to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; an E-SSO monitor and a local management console complete the picture.)

Secure Login – Solution Architecture

(Diagram; labels recovered from the slide:)

- Client system: SAP front end (NWBC, SAP GUI) with the Secure Login Client and its key store; web browser with the Secure Login Web Client (SLWC applet); SAP or Java Crypto Library
- Secure Login Server on SAP NetWeaver CE 7.2 (Java stack) with configuration data and a PSE service, reached over HTTP(S); it authenticates users against an authentication server (e.g. SAP User Management)
- SAP back-end systems (ABAP stack) with the Secure Login Library, reached over DIAG protected by SNC

SAP NetWeaver Single Sign-On: Identity Federation

Related session:
- SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure
- Cloud

(Diagram: Datacenter A of Company A and Datacenter B of Company B each run ERP, CRM, SCM and further systems, with the cloud between them.)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric
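The redirect-to-Identity-Provider flow described above, as an added example that is not part of the original deck: a simplified Python simulation of web browser-based SSO in which the Service Providers trust one Identity Provider, each SP keeps its own local account for the federated subject, and an HMAC stands in for the SAML XML signature. The user jack_jones, the password and the entity ids are constructed placeholders.

```python
import hashlib, hmac, json, time

# Constructed sample landscape (placeholder names, not real endpoints): the Identity
# Provider of Company A and two Service Providers in Company B's datacenter.
IDP_ID = "https://idp.company-a.example"
IDP_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's XML-signature key

def _sign(key, claims):
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def _sid(seed):
    return hashlib.sha256(f"{seed}:{time.time()}".encode()).hexdigest()[:16]

class IdentityProvider:
    """Authenticates a user once, then issues signed, audience-bound assertions."""
    def __init__(self, issuer, key, accounts):
        self.issuer, self.key, self.accounts = issuer, key, accounts
        self.sessions = {}   # IdP session id -> user
        self.logins = 0      # how often a password was actually checked

    def authenticate(self, user, password):
        self.logins += 1
        if self.accounts.get(user) != password:
            raise PermissionError("bad credentials")
        sid = _sid(user)
        self.sessions[sid] = user
        return sid

    def issue(self, sid, audience, ttl=300):
        # Minimal stand-in for a SAML assertion: issuer, subject, audience, expiry.
        claims = {"issuer": self.issuer, "subject": self.sessions[sid],
                  "audience": audience, "expires_at": time.time() + ttl}
        return claims, _sign(self.key, claims)

class ServiceProvider:
    """Keeps its own user accounts and trusts only the configured issuers."""
    def __init__(self, entity_id, trusted, account_map):
        self.entity_id, self.trusted, self.account_map = entity_id, trusted, account_map
        self.sessions = {}   # SP session id -> local user

    def consume(self, assertion):
        claims, signature = assertion
        key = self.trusted.get(claims["issuer"])          # the federation trust
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(_sign(key, claims), signature):
            raise PermissionError("bad signature")
        if claims["audience"] != self.entity_id:          # no replay to another SP
            raise PermissionError("assertion not addressed to this SP")
        if time.time() > claims["expires_at"]:
            raise PermissionError("assertion expired")
        local = self.account_map.get(claims["subject"])   # federated subject -> local account
        if local is None:
            raise PermissionError("no local account for federated subject")
        sid = _sid(local)
        self.sessions[sid] = local
        return sid

class Browser:
    """The web user's browser: one IdP session plus one cookie per SP."""
    def __init__(self, idp, credentials):
        self.idp, self.credentials = idp, credentials
        self.idp_sid, self.sp_cookies = None, {}

    def open(self, sp):
        if sp.entity_id not in self.sp_cookies:              # no SP session: redirect to IdP
            if self.idp_sid is None:                          # password checked only once
                self.idp_sid = self.idp.authenticate(*self.credentials)
            assertion = self.idp.issue(self.idp_sid, sp.entity_id)
            self.sp_cookies[sp.entity_id] = sp.consume(assertion)   # SP creates its own session
        return sp.sessions[self.sp_cookies[sp.entity_id]]

def build_landscape():
    idp = IdentityProvider(IDP_ID, IDP_KEY, {"jack_jones": "constructed-pw"})
    trust = {IDP_ID: IDP_KEY}
    erp = ServiceProvider("https://erp.company-b.example", trust, {"jack_jones": "JJONES"})
    crm = ServiceProvider("https://crm.company-b.example", trust, {"jack_jones": "jack.jones"})
    return idp, erp, crm

def single_login_many_systems():
    """One password check at the IdP, then access to every SP without re-authentication."""
    idp, erp, crm = build_landscape()
    browser = Browser(idp, ("jack_jones", "constructed-pw"))
    accounts = [browser.open(erp), browser.open(crm), browser.open(erp)]
    return accounts, idp.logins

def replay_to_other_sp():
    """Why the CRM SP refuses an assertion that was issued for the ERP SP."""
    idp, erp, crm = build_landscape()
    sid = idp.authenticate("jack_jones", "constructed-pw")
    try:
        crm.consume(idp.issue(sid, erp.entity_id))
    except PermissionError as e:
        return str(e)
    return None
```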

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with a central identity store, integrated with SAP Access Control (GRC) and the SAP Business Suite; example trigger: on-boarding.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), dispatcher, event agent (<<starts>>), runtimes (Java and VB) and DSE (VB); Virtual Directory Server (VDS) on a Java VM in front of external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific, etc.); user interface on AS Java (Web Dynpro, ID Mgmt UI abstraction, JMX); Management Console (MMC, soon to be Eclipse). Connections: HTTPS, DB protocol, LDAP.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram, built up over several slides: the workflow below runs between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control; steps 1 to 6 are marked on the diagram.]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
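The six-step workflow above, as an added example that is not part of the original deck: a small Python model of the request, approval, risk analysis, remediation and provisioning stages, with the GRC access risk analysis represented by a segregation-of-duties rule. The role names, target systems, risk id and control id are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data, not from the deck: the target system each business role is
# provisioned to, and the role pair that the access risk analysis flags as an SoD
# (segregation of duties) risk. The risk id is a placeholder.
ROLE_SYSTEMS = {"AP_CLERK": "ERP", "VENDOR_MAINT": "ERP", "CRM_SALES": "CRM", "AD_USER": "AD"}
SOD_RULES = {"RISK-P001": {"AP_CLERK", "VENDOR_MAINT"}}   # create vendor + pay vendor

@dataclass
class Request:
    user: str
    roles: set
    existing: set                                      # roles the user already holds
    approvals: dict = field(default_factory=dict)      # approver -> True / False / None
    risks: dict = field(default_factory=dict)          # risk id -> mitigating control or None
    status: str = "REQUESTED"
    trail: list = field(default_factory=list)          # (step, message): the audit trail

    def log(self, step, msg):
        self.trail.append((step, msg))

def submit(user, roles, existing=()):                    # step 1: user requests roles
    r = Request(user, set(roles), set(existing))
    r.log(1, f"request for {sorted(roles)}")
    return r

def route_for_approval(r, approvers):                    # step 2: manager, role owner, ...
    r.approvals = {a: None for a in approvers}
    r.status = "PENDING_APPROVAL"
    r.log(2, f"sent for approval to {approvers}")

def approve(r, approver, granted):                       # step 3: one decision per approver
    r.approvals[approver] = granted
    r.log(3, f"{approver}: {'approved' if granted else 'rejected'}")
    if not granted:
        r.status = "REJECTED"
    elif all(v is True for v in r.approvals.values()):
        r.status = "APPROVED"

def open_risks(r):
    return [rid for rid, control in r.risks.items() if control is None]

def analyze_risks(r):                                    # step 4: GRC access risk analysis
    if r.status != "APPROVED":
        raise ValueError("risk analysis runs only on approved requests")
    effective = r.existing | r.roles                     # existing + requested assignments
    r.risks = {rid: r.risks.get(rid) for rid, pair in SOD_RULES.items() if pair <= effective}
    r.status = "RISK_FOUND" if open_risks(r) else "CLEAN"
    r.log(4, f"risks: {sorted(r.risks)}")

def remediate(r, action, detail=None):                   # step 5: compliance team decision
    if action == "reject":
        r.status = "REJECTED"
    elif action == "mitigate":                           # attach a mitigating control
        rid, control = detail
        r.risks[rid] = control
        r.status = "CLEAN" if not open_risks(r) else "RISK_FOUND"
    elif action == "modify":                             # drop a role, then re-analyze
        r.roles.discard(detail)
        r.status = "APPROVED"
        analyze_risks(r)
    elif action == "approve":                            # the compliance gate
        if open_risks(r):
            raise ValueError(f"open risks must be mitigated first: {open_risks(r)}")
        r.status = "CLEAN"
    r.log(5, f"{action} {detail or ''}".strip())

def provision(r):                                        # step 6: push to target systems
    if r.status != "CLEAN":
        raise ValueError(f"cannot provision a request in status {r.status}")
    targets = {}
    for role in sorted(r.roles):
        targets.setdefault(ROLE_SYSTEMS[role], []).append(role)
    r.status = "PROVISIONED"
    r.log(6, f"provisioned {targets}; approval mail sent to {r.user}")
    return targets

def clerk_scenario():
    """Two requested roles conflict; plain approval is refused, the request is modified."""
    r = submit("jack_jones", ["AP_CLERK", "VENDOR_MAINT", "CRM_SALES"])
    route_for_approval(r, ["manager", "role_owner"])
    approve(r, "manager", True)
    approve(r, "role_owner", True)
    analyze_risks(r)
    blocked = False
    try:
        remediate(r, "approve")
    except ValueError:
        blocked = True
    remediate(r, "modify", "VENDOR_MAINT")
    return r, blocked, provision(r)

def mitigated_scenario():
    """A requested role conflicts with an existing one; a control mitigates the risk."""
    r = submit("jack_jones", ["VENDOR_MAINT"], existing=["AP_CLERK"])
    route_for_approval(r, ["manager"])
    approve(r, "manager", True)
    analyze_risks(r)
    remediate(r, "mitigate", ("RISK-P001", "CTRL-42 quarterly payment review"))
    return r, provision(r)
```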

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management – centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data – manage user privileges centrally
• Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity – simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification – define and understand access risks
• Access Analysis and Response – analyze and mitigate access risks
• Access Reviews – periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository – define and manage compliant roles

Compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (software component GRCFND_A); connected via RFC to SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; optional SAP NW Portal 7.02 (GRC portal content) and SAP NW BW 7.02 (GRC BI content); optional identity management solutions (SAP or non-SAP) via web services/http; optional SAP NW Java 7.02 with Adobe Document Services; front-end client with SAP GUI 7.10 (DIAG), web browser (http), Adobe Flash Player and SAP CR Adapter; Content Lifecycle Management (CLM). SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC embedded SAP Crystal Reports.]

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flowchart: an HR application event (new hire, change of position) triggers Identity Management to calculate entitlements based on position; the line manager decides whether to approve the assignments (Yes/No); SAP GRC Access Control runs a compliance check and remediation; users are created and roles or privileges assigned across the heterogeneous landscape.]

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, normalization and aggregation. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop front end; mobile front end; logs of infrastructure; logs of database; logs of network IDS; alerts from SAP SolMan. Outputs: API to other SIEM tools; information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions; identity management, SSO and the integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 47: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Security Solutions: Encryption of Data at Rest and in Transit

Digital Signatures via SSF API and Secure Login Library

[Diagram: SAP Business Suite (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver using the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.]

• Digital signatures for legally binding contracts
• Integration with Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step by Step

[Diagram: SAP client and application with steps 1 to 4.]

1. Transaction triggers digital signature
2. User information is transferred
3. User authenticates and digital certificate is received
4. Application digitally signs documents and stores data

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of:
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of Secure Login Library with client actions
  – Hardware support needed

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connected via SNC to SAP application servers; SNC also between the application servers.]

SAP NetWeaver Security Solutions: Secure Software Development; Security Standards and Certifications; Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram, repeated as a section marker throughout this part of the deck: SAP – secure software development; customers – secure software development; security services; security management.]

SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE with quality gates at Planning to Development, Development to Production and Production to Ramp-Up.]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling
(from the security recommendations discussed later)

Patch Management and Security Monitoring

• Check security of your systems as onsite, remote or self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day; the most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
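Verifying release information and profile parameters against targets across connected systems, as an added example that is not part of the original deck and not SAP's Configuration Validation itself: the parameter names are real SAP NetWeaver AS ABAP profile parameters, but the target values, the kernel patch level target and the three system snapshots are constructed for this example, not SAP's published recommendations.

```python
# Constructed hardening targets for this example (parameter, operator, target value).
# The parameter names exist in SAP NetWeaver AS ABAP; the values are sample targets.
TARGETS = [
    ("login/min_password_lng", ">=", 8),
    ("login/password_downwards_compatibility", "==", 0),
    ("login/no_automatic_user_sapstar", "==", 1),
    ("login/fails_to_user_lock", "<=", 5),
    ("snc/enable", "==", 1),
]
RELEASE_TARGET = ("kernel_patch_level", ">=", 300)   # constructed release target

# Constructed snapshots, in the shape a central monitoring system might collect them.
# Values are strings, as read from instance profiles; PRD is hardened, QAS and DEV are not.
SYSTEMS = {
    "PRD": {"kernel_patch_level": "320", "params": {
        "login/min_password_lng": "10", "login/password_downwards_compatibility": "0",
        "login/no_automatic_user_sapstar": "1", "login/fails_to_user_lock": "5",
        "snc/enable": "1"}},
    "QAS": {"kernel_patch_level": "320", "params": {
        "login/min_password_lng": "6", "login/password_downwards_compatibility": "0",
        "login/no_automatic_user_sapstar": "1", "login/fails_to_user_lock": "5",
        "snc/enable": "0"}},
    "DEV": {"kernel_patch_level": "212", "params": {
        "login/min_password_lng": "8", "login/password_downwards_compatibility": "1",
        "login/fails_to_user_lock": "12"}},   # two parameters not maintained at all
}

OPS = {"==": lambda a, t: a == t, ">=": lambda a, t: a >= t, "<=": lambda a, t: a <= t}

def _coerce(value):
    """Profile values arrive as strings; compare numerically where possible."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return value

def check_system(sid, snapshot, targets=TARGETS, release=RELEASE_TARGET):
    """One finding per deviation from target: (sid, item, actual, expected)."""
    findings = []
    name, op, want = release
    actual = _coerce(snapshot.get(name))
    if actual is None or not OPS[op](actual, want):
        findings.append((sid, name, actual, f"{op} {want}"))
    for name, op, want in targets:
        actual = _coerce(snapshot["params"].get(name))
        if actual is None:                   # not maintained: the kernel default applies
            findings.append((sid, name, "not maintained", f"{op} {want}"))
        elif not OPS[op](actual, want):
            findings.append((sid, name, actual, f"{op} {want}"))
    return findings

def validate_landscape(systems=SYSTEMS):
    """Deviations per connected system."""
    return {sid: check_system(sid, snap) for sid, snap in systems.items()}

def compliant_systems(systems=SYSTEMS):
    return sorted(sid for sid, f in validate_landscape(systems).items() if not f)
```

A parameter that is absent from the profile is reported as a deviation rather than silently passing, because the effective value is then the kernel default, which the snapshot does not show.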

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: Manual Source Code Review – Automated Source Code Analysis – Automated Application Vulnerability Scanning – Manual Application Penetration Testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: Manual Source Code Review – Automated Source Code Analysis – Automated Application Vulnerability Scanning – Manual Application Penetration Testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources. Also shown: the SAP NetWeaver Application Server add-on for code vulnerability analysis.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – Public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product – what to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• check of the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code P_ADM_SEC_70

Topic: Course ID
• Authorizations AS ABAP: ADM940
• Authorizations AS Java, Portal: ADM200, EP200, ADM800
• Authorizations BW: BW365
• SAP NetWeaver Identity Management: ADM920
• Security Auditing: ADM950
• Technical Security (RFC, SSL, SNC, …): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
• Compliance and Governance – SAP GRC Access Control
• Identity Management – SAP NetWeaver Identity Management
• Authentication and Single Sign-On – SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation – Solution

[Diagram: in each datacenter (A for Company A, B for Company B) the ERP, CRM and SCM systems are fronted by Service Providers (SP) and each company operates its own Identity Provider; the two Identity Providers are linked by identity federation.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an Identity Provider on SAP NetWeaver Java holds the user account and, at log-on/log-off, issues a SAML token to the Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
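The redirect flow above only stays secure because the Service Provider checks the token it gets back instead of authenticating the user itself. The following added example (not part of the slides or of SAP's product) shows the checks an SP performs before it trusts a SAML-style assertion: issuer, audience, validity window, integrity and replay. Real SAML 2.0 assertions carry an XML-DSig signature made with the IdP's X.509 key; as a runnable stand-in this example signs the checked fields with an HMAC over a shared secret, which is an assumption for illustration. All entity IDs, the user name and the key are constructed.

```python
"""SP-side checks before a SAML-style assertion is trusted (constructed example).

Stand-in: an HMAC over the checked fields replaces the XML-DSig signature a real
IdP would produce.  Entity IDs, key and user are constructed values.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_IDP = "https://idp.company-a.example/saml2"      # constructed federation partner
SP_ENTITY_ID = "https://erp.company-b.example/saml2"     # constructed: this SP
IDP_KEY = b"constructed-shared-secret-standing-in-for-the-IdP-signing-key"


class AssertionRejected(Exception):
    """Raised with a short reason when the SP must not accept the assertion."""


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _signed_fields(assertion_id, issuer, subject, audience, not_before, not_on_or_after):
    # Every field a check depends on is covered by the signature.
    return "|".join([assertion_id, issuer, subject, audience, not_before, not_on_or_after]).encode()


def build_assertion(assertion_id, issuer, subject, audience, not_before, not_on_or_after, key=IDP_KEY):
    """What the IdP issues after the user logged on there (minimal SAML 2.0 shape)."""
    sig = hmac.new(key, _signed_fields(assertion_id, issuer, subject, audience,
                                       not_before, not_on_or_after), hashlib.sha256).hexdigest()
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions>"
        f"<Signature>{sig}</Signature>"  # placeholder for the ds:Signature element
        f"</saml:Assertion>"
    )


def validate_assertion(xml_text, now, seen_ids, trusted_idp=TRUSTED_IDP,
                       sp_entity_id=SP_ENTITY_ID, key=IDP_KEY):
    """Return the authenticated subject, or raise AssertionRejected."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML assertion")
    assertion_id = root.get("ID") or ""
    issuer = root.findtext("saml:Issuer", default="", namespaces=ns)
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=ns)
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=ns)
    not_before, not_on_or_after = cond.get("NotBefore", ""), cond.get("NotOnOrAfter", "")
    signature = root.findtext("Signature", default="")

    if issuer != trusted_idp:          # 1. only a federation partner may vouch for users
        raise AssertionRejected("untrusted issuer")
    if audience != sp_entity_id:       # 2. a token minted for CRM must not unlock ERP
        raise AssertionRejected("wrong audience")
    if not (not_before <= _ts(now) < not_on_or_after):   # 3. fixed-width UTC strings compare correctly
        raise AssertionRejected("outside validity window")
    expected = hmac.new(key, _signed_fields(assertion_id, issuer, subject, audience,
                                            not_before, not_on_or_after), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):     # 4. integrity
        raise AssertionRejected("signature mismatch")
    if assertion_id in seen_ids:       # 5. an assertion is single-use within its window
        raise AssertionRejected("replayed assertion")
    seen_ids.add(assertion_id)
    return subject


def demo():
    """Run the SP checks against a valid token and five rejected variants."""
    now = datetime(2013, 11, 5, 10, 0, tzinfo=timezone.utc)
    nb, noa = _ts(now - timedelta(minutes=2)), _ts(now + timedelta(minutes=5))
    seen = set()

    def outcome(xml_text, at=now):
        try:
            return validate_assertion(xml_text, at, seen)
        except AssertionRejected as exc:
            return f"rejected: {exc}"

    good = build_assertion("_a1", TRUSTED_IDP, "jack_jones", SP_ENTITY_ID, nb, noa)
    results = {"valid": outcome(good), "replay": outcome(good)}
    tampered = build_assertion("_a2", TRUSTED_IDP, "jack_jones", SP_ENTITY_ID, nb, noa)
    results["tampered"] = outcome(tampered.replace("jack_jones", "sapadmin"))
    results["wrong_audience"] = outcome(build_assertion(
        "_a3", TRUSTED_IDP, "jack_jones", "https://crm.company-b.example/saml2", nb, noa))
    results["expired"] = outcome(build_assertion("_a4", TRUSTED_IDP, "jack_jones", SP_ENTITY_ID, nb, noa),
                                 at=now + timedelta(minutes=10))
    results["untrusted_issuer"] = outcome(build_assertion(
        "_a5", "https://idp.unknown.example/saml2", "jack_jones", SP_ENTITY_ID, nb, noa))
    return results
```

The order of the checks matters little for security, but rejecting on issuer and audience before verifying the signature keeps the SP from spending signature work on tokens that were never meant for it; the replay set should be bounded by the assertion lifetime in a real deployment.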

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management with its Central Identity Store, triggered by events such as on-boarding, integrated with SAP Access Control (GRC) for compliance checks and with the SAP Business Suite.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram, three tiers: Virtual Directory Server, Identity Center, external repositories. The Identity Center (IC) database (MS-SQL or Oracle DB, soon IBM DB2) holds stored procedures, logs, audit data and the identity store (IdS); Java and VB runtimes, the DSE (VB) and a dispatcher started by the event agent work against it; the Virtual Directory Server (VDS, in a Java VM) connects via LDAP; AS Java provides the Web Dynpro user interface, the ID Mgmt UI abstraction and JMX, over HTTPS; administration is done in the Management Console (MMC, soon to be Eclipse). External repositories are reached via LDAP, Java, ABAP, web services, Active Directory etc.; external applications (SAP HR, LDAP/web services, SiteMinder, application-specific) connect through the VDS; the IC database is reached over the database protocol.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram, built up over seven slides: the User, the Approver and the Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control in the numbered steps below.]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to SAP GRC Access Control
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation by the Compliance Team
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to the User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 (Access Control, Process Control & Risk Management, software component GRCFND_A, with Content Lifecycle Management (CLM)). Managed SAP ERP systems (4.6C – 7.1) carry the NW function modules (plug-in GRCPINW), the HR function modules and the PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications are connected through an adapter. Optional components: SAP NW Portal 7.02 with GRC portal content (http), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services (web services), and identity management solutions (SAP or non-SAP, web services). The front-end client is SAP GUI 7.10 or a web browser with Adobe Flash Player (DIAG/http) plus the SAP CR Adapter.]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Process flow: the HR application raises a New Hire or Change Position event; Identity Management calculates entitlements based on the position; the Line Manager decides whether to approve the assignments (No: the flow stops; Yes: continue); SAP GRC Access Control runs a compliance check with remediation; Identity Management then creates the user and assigns roles and privileges in each system of the heterogeneous landscape.]
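The six-step workflow and the customer scenario above, worked through in code as an added example (not code from the slides or from SAP NetWeaver Identity Management or GRC Access Control). Position-to-role rules, segregation-of-duties risk rules, role names and target systems are all constructed for illustration: in the scenario the rules would live in Identity Management and the risk rules in GRC Access Control. The example goes slightly beyond the slide by showing both remediation outcomes, accepting a mitigated risk and modifying the request.

```python
"""HR event -> entitlements -> approval -> risk analysis and remediation -> provisioning.

Constructed example: rules, roles, risks and systems are invented.
"""
from dataclasses import dataclass, field

# Rule-based assignment of business roles: which roles a position entitles to.
POSITION_ROLES = {
    "AP_CLERK": {"Z_AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE", "Z_AP_REPORTING"},
    "WAREHOUSE": {"Z_GOODS_RECEIPT"},
}
# Where each role is provisioned in the heterogeneous landscape.
ROLE_SYSTEM = {
    "Z_AP_INVOICE_ENTRY": "ERP", "Z_AP_PAYMENT_RELEASE": "ERP",
    "Z_AP_REPORTING": "BW", "Z_GOODS_RECEIPT": "WMS (non-SAP)",
}
# Segregation-of-duties risks: two roles that let one person complete a
# sensitive process end to end.
SOD_RISKS = {
    "P001": ("Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"),  # enter and pay an invoice
    "P002": ("Z_GOODS_RECEIPT", "Z_AP_INVOICE_ENTRY"),       # receive goods and book the invoice
}


@dataclass
class AccessRequest:
    user: str
    position: str
    existing_roles: set
    requested_roles: set = field(default_factory=set)
    risks: list = field(default_factory=list)
    status: str = "new"


def calculate_entitlements(req):
    """Step 1: derive the request from the HR position (only roles the user lacks)."""
    req.requested_roles = POSITION_ROLES.get(req.position, set()) - req.existing_roles
    return req.requested_roles


def manager_approval(req, approved):
    """Steps 2-3: the line manager approves or rejects the assignments."""
    req.status = "approved_by_manager" if approved else "rejected"
    return req.status


def risk_analysis(req):
    """Step 4: check the user's combined access (existing + requested), not just the delta."""
    combined = req.existing_roles | req.requested_roles
    req.risks = sorted(rid for rid, (a, b) in SOD_RISKS.items() if a in combined and b in combined)
    return req.risks


def remediate(req, mitigated=frozenset()):
    """Step 5: a risk with a mitigating control is accepted; otherwise the request is
    modified by dropping the requested role(s) that create the risk."""
    open_risks = [r for r in req.risks if r not in mitigated]
    for rid in open_risks:
        req.requested_roles -= set(SOD_RISKS[rid])   # existing roles are left untouched
    req.status = "modified" if open_risks else "approved"
    return req.status


def provision(req):
    """Step 6: assign the roles per target system and notify the user."""
    if req.status not in ("approved", "modified") or not req.requested_roles:
        return {}, f"Request for {req.user} not provisioned (status: {req.status})"
    plan = {}
    for role in sorted(req.requested_roles):
        plan.setdefault(ROLE_SYSTEM[role], []).append(role)
    req.existing_roles |= req.requested_roles
    return plan, f"Request for {req.user} provisioned: {plan}"


def process_hr_event(user, position, existing_roles, manager_approves=True, mitigated=frozenset()):
    """Run the whole flow for a new hire or position change; return (status, plan)."""
    req = AccessRequest(user, position, set(existing_roles))
    calculate_entitlements(req)
    if manager_approval(req, manager_approves) == "rejected":
        return req.status, {}
    risk_analysis(req)
    remediate(req, mitigated)
    plan, _mail = provision(req)
    return req.status, plan
```

The point the position-change case makes is that the risk analysis must look at the user's accumulated access: the clerk who already enters invoices and is promoted to manager would otherwise silently gain the power to release payments for them.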

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, normalization and aggregation for logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop and mobile frontends, infrastructure logs, database logs and network logs. It receives attack pattern updates by SAP and alerts from SAP Solution Manager, offers an IDS API to other SIEM tools, and has an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
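What the extraction, filtering, normalization and aggregation stages in the draft architecture have to do before any attack pattern can be matched, as an added example that is not part of the slides and not SAP's planned implementation. Two constructed sources are normalized into one event schema, non-logon events are filtered out, and a single cross-system pattern (repeated failed logons from one source address against several systems in a short window) is evaluated over the aggregated stream. The SAP line format is constructed; AU1, AU2 and AU3 are used as the Security Audit Log message IDs for successful logon, failed logon and transaction start; the syslog lines are standard sshd messages with constructed values, and the year for them (syslog carries none) is assumed.

```python
"""Normalize constructed SAP audit and syslog lines, then match one attack pattern."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts system user src_ip outcome")

# Constructed sample input from two sources.
SAP_AUDIT_LINES = [
    "2013-11-05 09:58:01|PRD|AU2|jack_jones|10.1.2.3|Logon failed",
    "2013-11-05 09:58:40|PRD|AU2|admin|10.1.2.3|Logon failed",
    "2013-11-05 09:59:05|QAS|AU2|sapadmin|10.1.2.3|Logon failed",
    "2013-11-05 10:03:00|PRD|AU1|jack_jones|10.7.7.7|Logon successful",
    "2013-11-05 10:04:12|PRD|AU3|jack_jones|10.7.7.7|Transaction started",
]
SYSLOG_LINES = [
    "Nov  5 09:59:30 dbhost sshd[2211]: Failed password for root from 10.1.2.3 port 5122 ssh2",
    "Nov  5 10:00:10 dbhost sshd[2212]: Accepted password for oracle from 10.7.7.7 port 5130 ssh2",
]
SYSLOG_YEAR = 2013  # assumption: syslog lines carry no year

SAP_LOGON = {"AU1": "success", "AU2": "fail"}   # other message IDs are filtered out
SSH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")


def extract_sap(line):
    """Extraction + filtering for the SAP source: keep logon events only."""
    ts, system, msg_id, user, src_ip, _text = line.split("|")
    if msg_id not in SAP_LOGON:
        return None
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), system, user, src_ip, SAP_LOGON[msg_id])


def extract_syslog(line, year=SYSLOG_YEAR):
    """Extraction + filtering for sshd syslog lines into the same schema."""
    m = SSH_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())            # collapse the padded day column
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return Event(ts, m.group(2), m.group(4), m.group(5), "fail" if m.group(3) == "Failed" else "success")


def normalize(sap_lines, syslog_lines):
    """Aggregation: one time-ordered event stream across all sources."""
    events = [e for e in map(extract_sap, sap_lines) if e]
    events += [e for e in map(extract_syslog, syslog_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def detect_multi_system_logon_failures(events, window=timedelta(minutes=5), min_failures=3, min_systems=2):
    """Attack pattern: one source address fails logons on several systems within the window.

    Seen per system this looks like a few typos; only the aggregated view shows the pattern.
    """
    by_ip = {}
    for e in events:
        if e.outcome == "fail":
            by_ip.setdefault(e.src_ip, []).append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            systems = sorted({e.system for e in in_window})
            if len(in_window) >= min_failures and len(systems) >= min_systems:
                alerts.append({"src_ip": ip, "systems": systems, "failures": len(in_window),
                               "users": sorted({e.user for e in in_window}),
                               "first": first.ts, "last": in_window[-1].ts})
                break   # one alert per source address
    return alerts


def demo():
    return detect_multi_system_logon_failures(normalize(SAP_AUDIT_LINES, SYSLOG_LINES))
```

The pattern deliberately keys on the source address rather than the user, because the normalized stream shows different user names on each system; a per-user or per-system threshold would never fire on this input.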

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 48: SIS100 - Overview About Product Security, IDM and SSO

Digital Signatures via SSF API and Secure Login Library

[Diagram: the SAP Business Suite applications (SRM, SCM, ERP, PLM, CRM) on SAP NetWeaver use the Secure Store and Forward (SSF) library, backed by SAP CRYPTOLIB or the Secure Login Library.]

• Digital signatures for legally binding contracts
• Integration with the Secure Store and Forward (SSF) API
• Out-of-the-box support for a set of SAP transactions
• Consistent with SAP Single Sign-On mechanisms
• Easy and flexible to implement
• Generation of X.509 certificates and smart card support
• PCI-DSS-compliant encryption

Digital Signatures – Step by Step

[Diagram, SAP client and application, steps 1–4: (1) a transaction triggers a digital signature; (2) user information is transferred; (3) the user authenticates and the digital certificate is received; (4) the application digitally signs the documents and stores the data.]

• Supported out-of-the-box for a set of SAP transactions
• Programming/integration necessary in case of:
  – ABAP programming for other transactions not yet supporting SSF
  – Integration of the Secure Login Library with client actions
  – Hardware support needed

SNC Client Encryption

Secure Network Communications: a secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP Windows GUI clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in the SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to the SAP application servers, which also use SNC between each other.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram, built up over two slides: the four areas of the framework, Secure Software Development at SAP, Secure Software Development at customers, Security Services, and Security Management.]

SAP Product Innovation Lifecycle

[Diagram: the phases INVENT, DEFINE, DEVELOP, DEPLOY and OPTIMIZE, with quality gates at Planning to Development, Development to Production and Production to Ramp-Up.]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services

Protecting Your SAP Systems

[Diagram: the framework (Secure Software Development at SAP and at customers, Security Services, Security Management), repeated as the divider before the Security Services section.]

SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press

Protecting Your SAP Systems

[Diagram: the framework (Secure Software Development at SAP and at customers, Security Services, Security Management), repeated as the divider before the Security Management section.]

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

(Topics from the security recommendations, discussed later.)

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely or as a self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.
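The secure-configuration topics, the "verify configuration parameters against targets" step and the SSL profile validation above all come down to one mechanism: compare each system's actual profile against a target and report deviations. The following added example (not part of the slides and not the Solution Manager or LM Automation implementation) does that for a constructed profile excerpt. The parameter names are real AS ABAP profile parameters; the target values and the sample profiles are assumptions for illustration, so the authoritative targets should be taken from the SAP security recommendations the slides reference.

```python
"""Validate ABAP profile parameters against target values (constructed example).

Parameter names are real AS ABAP profile parameters; targets and sample profiles
are assumed for illustration.
"""

# target: (operator, value); values assumed for illustration
TARGETS = {
    "login/min_password_lng": (">=", 8),
    "login/password_downwards_compatibility": ("==", 0),
    "login/fails_to_user_lock": ("<=", 5),
    "login/no_automatic_user_sapstar": ("==", 1),
    "gw/acl_mode": ("==", 1),
}
OPS = {">=": lambda a, t: a >= t, "<=": lambda a, t: a <= t, "==": lambda a, t: a == t}


def parse_profile(text):
    """Extract 'name = value' pairs; comments (#) and blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def validate_profile(text, targets=TARGETS):
    """Return (parameter, actual, target, status) for every target, plus the HTTPS check.

    A parameter that is absent is reported as MISSING rather than assumed safe,
    because the kernel default is then in effect and may not meet the target.
    """
    params = parse_profile(text)
    findings = []
    for name, (op, target) in targets.items():
        if name not in params:
            findings.append((name, None, f"{op} {target}", "MISSING"))
            continue
        try:
            actual = int(params[name])
        except ValueError:
            findings.append((name, params[name], f"{op} {target}", "NOT_NUMERIC"))
            continue
        findings.append((name, actual, f"{op} {target}", "OK" if OPS[op](actual, target) else "DEVIATION"))
    # SSL validation: at least one ICM port must serve HTTPS.
    https_ports = [n for n, v in params.items()
                   if n.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()]
    findings.append(("icm/server_port_* with PROT=HTTPS", len(https_ports), ">= 1",
                     "OK" if https_ports else "DEVIATION"))
    return findings


def status_by_name(findings):
    return {name: status for name, _actual, _target, status in findings}


def is_compliant(findings):
    return all(status == "OK" for *_, status in findings)


# Constructed instance profile excerpts: one with typical weak settings, one hardened.
WEAK_PROFILE = """\
# constructed instance profile excerpt
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/fails_to_user_lock = 5
icm/server_port_0 = PROT=HTTP,PORT=8000
gw/acl_mode = 0
"""
HARDENED_PROFILE = """\
login/min_password_lng = 12
login/password_downwards_compatibility = 0
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""
```

Run over all systems connected to a central instance, the findings list is exactly what the Configuration Validation report on the previous slide presents per system; the MISSING status is the case most ad-hoc scripts get wrong.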

Protecting Your SAP Systems

[Diagram: the framework (Secure Software Development at SAP and at customers, Security Services, Security Management), repeated as the divider before the Secure Custom Development section.]

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it
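Two of the bug classes listed above, SQL injection and directory traversal, shown as the vulnerable pattern beside its hardened form. This is an added example in Python (not code from the slides, and a stand-in for the ABAP constructs the secure programming guides cover); it runs against an in-memory SQLite table and a temporary directory, and all names and data are constructed. The defect in both vulnerable functions is the same one the code vulnerability analysis tools on the next slides look for: user input flows unchecked into a statement or a path.

```python
"""SQL injection and directory traversal: vulnerable beside hardened (constructed example)."""
import os
import sqlite3
import tempfile


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jack_jones", "AP_CLERK"), ("sapadmin", "ADMIN")])  # constructed rows
    return conn


def find_user_vulnerable(conn, name):
    # User input is concatenated into the statement, so it can rewrite the WHERE clause.
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn, name):
    # A bound parameter is data, never SQL: the input cannot change the statement.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def make_reports_dir():
    """Constructed layout: <tmp>/reports/q1.txt is public, <tmp>/secret.txt is not."""
    root = tempfile.mkdtemp()
    reports = os.path.join(root, "reports")
    os.mkdir(reports)
    with open(os.path.join(reports, "q1.txt"), "w") as f:
        f.write("Q1 figures")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for the report viewer")
    return reports


def read_report_vulnerable(reports_dir, filename):
    # The path is joined without checking where it resolves to.
    with open(os.path.join(reports_dir, filename)) as f:
        return f.read()


def read_report_hardened(reports_dir, filename):
    # Canonicalize first (resolving '..' and symlinks), then require the result
    # to stay inside the base directory; a denylist of '..' would not be enough.
    base = os.path.realpath(reports_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside the reports directory: {filename}")
    with open(target) as f:
        return f.read()


def traversal_blocked(reports_dir, filename):
    """True if the hardened reader refuses the name."""
    try:
        read_report_hardened(reports_dir, filename)
    except PermissionError:
        return True
    return False
```

The same two rules carry over to ABAP: build dynamic WHERE clauses only from escaped or whitelisted input rather than concatenated strings, and validate file names against the logical path before OPEN DATASET; an automated scan flags both patterns by following the data flow from input to sink.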

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: the same four approaches (Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing); DAST finds vulnerabilities in the running application, SAST finds vulnerabilities by analyzing the sources; the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to the SAST side.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general:
• Go to the SAP Service Marketplace for Spotlight News
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP Support Portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic: Course ID
• Authorizations AS ABAP: ADM940
• Authorizations AS Java, Portal: ADM200, EP200, ADM800
• Authorizations BW: BW365
• SAP NetWeaver Identity Management: ADM920
• Security Auditing: ADM950
• Technical Security (RFC, SSL, SNC, …): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
• EAL 1: Functionally tested
• EAL 2: Structurally tested
• EAL 3: Methodically tested and checked
• EAL 4: Methodically designed, tested and reviewed
• EAL 5: Semi-formally designed and tested
• EAL 6: Semi-formally verified, designed and tested
• EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram: three layers – Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On).]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions: Compliant Identity Management and Single Sign-On.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for the crypto library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers
• (No single sign-on)

[Diagram: all three, SAP NetWeaver Identity Management, SAP NetWeaver Single Sign-On and SNC Client Encryption, sit on SAP NetWeaver.]

SAP NetWeaver Single Sign-On and Solution Components

[Diagram: SAP NetWeaver Single Sign-On comprises Web Access Management (Partner, API), Identity Federation, Secure Login and Enterprise Single Sign-On; SNC Client Encryption sits beside it; all on SAP NetWeaver.]

• Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous application environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments, creating a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation – Solution
[Figure: the ERP, CRM and SCM systems of each company act as SAML Service Providers (SP); Datacenter A and Datacenter B each run an Identity Provider, and the two Identity Providers are federated.]
Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On
[Figure: SAP NetWeaver Java Identity Provider with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own user accounts; the user logs on and off at the Identity Provider and presents a SAML token to each Service Provider.]
The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system are redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web browser-based single sign-on is user-centric
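The Service Provider side of the flow just described, as an added example that is not part of the slides or of SAP's SAML implementation: the checks an SP has to make on the SAML Response it receives after the redirect (issuer, InResponseTo, status, validity window with clock skew, audience, replay cache) before it creates the local session. The entity IDs, the sample response and the two-minute skew are assumptions of this example; XML signature verification needs an XML-security library and is modelled as a boolean the caller supplies after verifying the signature against the IdP certificate configured at the SP.

```python
"""Service-Provider-side checks on a SAML 2.0 Response for web browser SSO.

Added example, not SAP code. Before a Service Provider logs the subject in it
must verify the assertion's signature, issuer, audience, validity window and
InResponseTo, and reject replays. Signature verification (XML-DSig) needs an
XML-security library; here it is a precondition the caller reports.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Trust configuration of this SP; the entity IDs are assumed for the demo.
TRUSTED_IDP = "https://idp.example.com/saml2"
OUR_ENTITY_ID = "https://erp.example.com/sap/saml2/sp"
CLOCK_SKEW = timedelta(minutes=2)


def parse_saml_time(ts):
    """SAML xs:dateTime in UTC ('Z' suffix, no fraction) -> aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, seen_assertion_ids, now,
                      signature_verified):
    """Return (True, subject) or (False, reason).

    signature_verified is the result of XML-DSig verification against the
    IdP certificate configured at this SP, performed by the caller first.
    seen_assertion_ids is the SP's replay cache (IDs kept until they expire).
    """
    if not signature_verified:
        return False, "signature not verified"
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    # The response must answer the AuthnRequest this SP actually issued.
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch (unsolicited or replayed response)"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != TRUSTED_IDP:
        return False, f"untrusted issuer {issuer!r}"
    aid = assertion.get("ID")
    if aid in seen_assertion_ids:
        return False, "assertion replayed"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    if now < parse_saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
        return False, "assertion not yet valid"
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP"
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not subject:
        return False, "no subject"
    seen_assertion_ids.add(aid)  # remember the ID until NotOnOrAfter has passed
    return True, subject


# Constructed sample response (no real IdP; it carries no signature, so the
# demo passes signature_verified=True explicitly to exercise the other checks).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" InResponseTo="_req42" IssueInstant="2013-11-05T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>jack_jones</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{OUR_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    cache = set()
    now = parse_saml_time("2013-11-05T10:01:00Z")
    print(validate_response(SAMPLE_RESPONSE, "_req42", cache, now, True))  # (True, 'jack_jones')
    print(validate_response(SAMPLE_RESPONSE, "_req42", cache, now, True))  # (False, 'assertion replayed')
```

The replay cache only needs to hold assertion IDs until their NotOnOrAfter has passed, since anything older fails the time check anyway; the InResponseTo check is what stops an attacker from injecting a response the SP never asked for, so an SP that accepts IdP-initiated SSO has to be deliberate about that exception.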

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management
[Figure: SAP NetWeaver Identity Management with its Central Identity Store, driven by events such as on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.]
Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2
[Figure: the Identity Center with its IC database (MS SQL Server or Oracle, soon IBM DB2) holding stored procedures, logs, audit data and the identity store (IdS); runtimes in Java and VB, the DSE (VB) and the Dispatcher (VB), which the Event Agent starts; the identity management UI as Web Dynpro on AS Java, reached over HTTPS; the Virtual Directory Server (VDS, Java VM) exposing LDAP; external repositories (Active Directory, LDAP, Java, ABAP, web services, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific connectors); administration via the MMC Management Console (soon to be Eclipse-based) and JMX.]

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management
[Figure: the request flows from the user through SAP NetWeaver Identity Management (steps 1, 2, 3 and 6) and SAP GRC Access Control (steps 4 and 5), involving the approver and the compliance team.]
1 Request for
• Role
• Privileges
• User account
• …
2 Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …
3 Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …
4 Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …
5 Risk analysis and remediation (compliance team)
• Reject
• Approve
• Mitigate
• Modify request
• …
6 Provision to
• Business applications
• non-SAP systems
• …
and send approval mail to the user
Result: Compliant Identity Management
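The risk-analysis step (4 and 5) of this flow, as an added example that is not SAP GRC Access Control code: the requested roles are merged with the user's existing assignment, every segregation-of-duties rule is evaluated on the simulated result, and the outcome is one of the decisions from the slide (approve, mitigate when a control must be assigned first, reject). Role names, business functions, rules and the mitigation table are constructed for the demo; a real rule set lives in GRC and works on authorization objects rather than on role names.

```python
"""Risk analysis step (steps 4 and 5 above) of the compliant provisioning flow.

Added example, not SAP GRC Access Control code. The requested roles are merged
with the user's existing assignment and every segregation-of-duties (SoD)
rule is evaluated on the result; the outcome is one of the decisions on the
slide: approve, mitigate (a mitigating control must be assigned first) or
reject. Role names, functions and rules are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed mapping: technical role -> business functions it grants.
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"AP_INVOICE_ENTRY"},
    "Z_AP_PAYMENT_RUN": {"AP_PAYMENT_RUN"},
    "Z_VENDOR_MASTER_MAINT": {"VENDOR_MASTER_MAINT"},
    "Z_GL_DISPLAY": {"GL_DISPLAY"},
}


@dataclass(frozen=True)
class SodRule:
    risk_id: str
    functions: frozenset   # functions one person must not hold together
    level: str             # "high" or "medium"


# Constructed SoD rule set (the real rule set is maintained in GRC).
SOD_RULES = [
    SodRule("P001", frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"}), "high"),
    SodRule("P002", frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RUN"}), "high"),
    SodRule("P003", frozenset({"VENDOR_MASTER_MAINT", "AP_INVOICE_ENTRY"}), "medium"),
]

# Mitigating controls the compliance team has already approved: (risk, user).
MITIGATIONS = {("P003", "jack_jones")}


@dataclass
class RiskResult:
    decision: str                                   # approve / mitigate / reject
    violations: list = field(default_factory=list)  # (risk_id, level, mitigated, roles)


def functions_of(roles):
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyze_request(user, existing_roles, requested_roles):
    """Simulate the post-provisioning assignment and evaluate all SoD rules."""
    simulated = set(existing_roles) | set(requested_roles)
    funcs = functions_of(simulated)
    result = RiskResult(decision="approve")
    for rule in SOD_RULES:
        if not rule.functions <= funcs:
            continue
        # Roles contributing a function to the conflict: input for "modify request".
        roles = sorted(r for r in simulated if ROLE_FUNCTIONS.get(r, set()) & rule.functions)
        mitigated = (rule.risk_id, user) in MITIGATIONS
        result.violations.append((rule.risk_id, rule.level, mitigated, roles))
    open_risks = [v for v in result.violations if not v[2]]
    if any(level == "high" for _, level, _, _ in open_risks):
        result.decision = "reject"      # high risk is not mitigated away in this example
    elif open_risks:
        result.decision = "mitigate"    # medium risk: provision only after a control is assigned
    return result


if __name__ == "__main__":
    # Jack already enters invoices; asking for the payment run creates risk P001.
    r = analyze_request("jack_jones", {"Z_AP_INVOICE_ENTRY", "Z_GL_DISPLAY"}, {"Z_AP_PAYMENT_RUN"})
    print(r.decision, r.violations)  # reject [('P001', 'high', False, ['Z_AP_INVOICE_ENTRY', 'Z_AP_PAYMENT_RUN'])]
```

The analysis deliberately evaluates the whole simulated assignment, not only the requested roles: a conflict between an existing role and a new one is exactly the case a request-time check has to catch, and a conflict that already exists today is still reported so that the compliance team sees it.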

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?
SAP NetWeaver Identity Management
Centralized user management – centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data – manage user privileges centrally
Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity – simplifies integration with standards-supported identity federation
SAP GRC Access Control
Access Risk Identification – define and understand access risks
Access Analysis and Response – analyze and mitigate access risks
Access Reviews – periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository – define and manage compliant roles
Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture
[Figure: SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (software component GRCFND_A) and Content Lifecycle Management (CLM); plug-ins in the managed systems, connected via RFC: NW function modules (plug-in GRCPINW) and HR function modules / PC automated controls (plug-in GRCPIERP) in SAP ERP (4.6C – 7.1), plus an adapter for non-SAP business applications; optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP) connected over web services; front-end client with SAP GUI 7.10 (DIAG) or web browser (HTTP) with Adobe Flash Player and the SAP CR adapter.]
SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario
Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration
[Figure: an HR application event (new hire, change of position) reaches Identity Management, which calculates entitlements based on the position; the line manager approves the assignments (yes/no); SAP GRC Access Control runs the compliance check and remediation; Identity Management then creates the user and assigns roles or privileges in each system of the heterogeneous landscape.]

Moving Security to the Next Level
Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure
[Figure: inputs to the SAP Attack Monitoring Infrastructure are attack pattern updates by SAP, logs of SAP NetWeaver systems, logs of non-SAP NetWeaver systems, desktop frontend and mobile frontend logs, infrastructure logs, database logs, network IDS logs and alerts from SAP Solution Manager; the infrastructure provides connectivity, extraction, filtering, normalization and aggregation; outputs are an API to other SIEM tools and an information back channel to SAP.]
Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
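What the normalization and attack-pattern stages of such an infrastructure do, as an added example that is not part of SAP's planned implementation: two constructed log excerpts in different layouts are normalized into one event shape, then two example patterns run over them (a burst of failed logons from one source across users and systems, and a standard user such as DDIC logging on successfully right after that burst). Log layouts, system and user names, addresses and thresholds are all constructed for the demo; the real Security Audit Log and AS Java log formats differ.

```python
"""Normalize logs from two sources and run attack patterns over them.

Added example, not SAP's planned attack monitoring infrastructure. The log
lines are constructed and use a simplified layout (not the real Security
Audit Log record format or the real AS Java log format); the two patterns
stand for the kind of rule an attack pattern update would deliver.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: simplified export of the ABAP Security Audit Log (AU1 logon ok,
# AU2 logon failed, AU3 transaction started).
ABAP_LOG = """\
2013-11-05 10:00:01 AU2 ERP-PRD JJONES  10.1.2.3   Logon failed (reason=1, type=A)
2013-11-05 10:00:03 AU2 ERP-PRD JJONES  10.1.2.3   Logon failed (reason=1, type=A)
2013-11-05 10:00:05 AU2 ERP-PRD ADMIN   10.1.2.3   Logon failed (reason=1, type=A)
2013-11-05 10:00:06 AU2 ERP-PRD SAP*    10.1.2.3   Logon failed (reason=1, type=A)
2013-11-05 10:00:08 AU2 ERP-PRD DDIC    10.1.2.3   Logon failed (reason=1, type=A)
2013-11-05 10:00:09 AU1 ERP-PRD DDIC    10.1.2.3   Logon successful (type=A)
2013-11-05 10:02:00 AU3 ERP-PRD DDIC    10.1.2.3   Transaction SE38 started
2013-11-05 10:30:00 AU1 ERP-PRD MSMITH  10.1.9.9   Logon successful (type=A)
"""
# Constructed: simplified AS Java security log.
JAVA_LOG = """\
Nov  5, 2013 10:00:07 AM  PORTAL-PRD  LOGIN.ERROR  user=DDIC ip=10.1.2.3  Authentication failed
Nov  5, 2013 10:31:00 AM  PORTAL-PRD  LOGIN.OK     user=msmith ip=10.1.9.9  Authentication succeeded
"""

ABAP_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<code>AU\d) (?P<sys>\S+) "
                     r"(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<msg>.*)$")
JAVA_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+, \d{4} \d+:\d\d:\d\d [AP]M)\s+(?P<sys>\S+)\s+"
                     r"(?P<code>LOGIN\.\w+)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)")
ABAP_EVENTS = {"AU1": "logon_ok", "AU2": "logon_failed", "AU3": "tx_start"}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}


def normalize(line):
    """Map one raw line to a common event record, or None if unrecognized."""
    m = ABAP_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "system": m["sys"],
                "user": m["user"].upper(), "ip": m["ip"],
                "event": ABAP_EVENTS.get(m["code"], "other")}
    m = JAVA_RE.match(line)
    if m:
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d, %Y %I:%M:%S %p")
        return {"ts": ts, "system": m["sys"], "user": m["user"].upper(), "ip": m["ip"],
                "event": "logon_ok" if m["code"] == "LOGIN.OK" else "logon_failed"}
    return None


def detect(events, fail_threshold=5, window_s=60, success_window_s=120):
    """Return (pattern, source_ip, detail) alerts over the normalized events."""
    events = sorted((e for e in events if e), key=lambda e: e["ts"])
    failures = defaultdict(list)          # source ip -> failed logons, time-ordered
    for e in events:
        if e["event"] == "logon_failed":
            failures[e["ip"]].append(e)
    alerts = []
    # Pattern 1: many failed logons from one source inside a short window,
    # across systems and users (password spraying / brute force).
    for ip, fails in failures.items():
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= fail_threshold:
                users = sorted({f["user"] for f in fails[i:j + 1]})
                alerts.append(("brute_force", ip, f"{j - i + 1} failed logons in {window_s}s for {users}"))
                break
    # Pattern 2: a standard user logs on successfully from a source that just
    # produced failures; standard users should not be used interactively at all.
    for e in events:
        if e["event"] == "logon_ok" and e["user"] in STANDARD_USERS:
            recent = [f for f in failures.get(e["ip"], [])
                      if 0 <= (e["ts"] - f["ts"]).total_seconds() <= success_window_s]
            if recent:
                alerts.append(("standard_user_logon_after_failures", e["ip"],
                               f"{e['user']} on {e['system']} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect(normalize(l) for l in (ABAP_LOG + JAVA_LOG).splitlines()):
        print(alert)
```

The point of the normalization step shows in the first pattern: the sixth failure comes from the Java stack, and only because both sources map to the same event shape does the burst from 10.1.2.3 cross the threshold. Normalizing user names to upper case matters for the same reason (ABAP stores DDIC, the portal logged msmith).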

Summary – Key Take-Aways
SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
Support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
SAP leads the industry by helping our customers thrive in today's business networks


Further Information
SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event
SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com
SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online
Feedback: please complete your session evaluation for SIS100
Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Digital Signatures – Step by Step
[Figure: SAP client, application and backend, steps 1 to 4]
1 Transaction triggers digital signature
2 User information is transferred
3 User authenticates and digital certificate is received
4 Application digitally signs documents and stores data
Supported out-of-the-box for a set of SAP transactions
Programming/integration necessary in case of:
ABAP programming for other transactions not yet supporting SSF
Integration of Secure Login Library with client actions
Hardware support needed

SNC Client Encryption
Secure Network Communications (SNC)
A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.
Compliance
Integrity
Confidentiality
SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides the encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview
Included in the SAP NetWeaver license
Encryption between SAP client and application server
Based on SNC and Kerberos
No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
No single sign-on included
[Figure: clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect over SNC to the SAP application server; SAP application servers connect to each other over SNC.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems
[Figure: on SAP's side, Secure Software Development and Security Services; on the customers' side, Secure Software Development and Security Management.]


SAP Product Innovation Lifecycle
[Figure: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production and Production to Ramp-Up.]
Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)
SAP Security Patch Day
SAP security notes: second Tuesday every month
SAP Active Global Support security tools and services
SAP Solution Manager System Recommendations
SAP EarlyWatch Alert (EWA) with security section
SAP Solution Manager Configuration Validation
SAP Security Optimization Service (SOS)
SAP security consulting services

SAP Security Services Overview (2/2)
SAP Security Training
Secure operation trainings by SAP
Secure development trainings by partners
SAP Security Documentation
Security notes published on Service Marketplace
SAP security guides for every product
SAP security recommendations on some patch days
Secure programming guides
RunSAP end-to-end solution operations
Books published by SAP Press


SAP Security Management for Your Systems
Are you ready?
Do you have management support for SAP security?
Do you have defined responsibilities for SAP security?
Do you have a security contact maintained in SMP?
Do you have standards and guidelines for SAP security?
Do you have know-how in security operations?
Do you have know-how in secure development?
Do you have know-how in authorizations and SoD?
Do you monitor compliance with standards and guidelines?
SAP security is more than roles and profiles
Examples: secure system configuration, patch management

Secure System Configuration: SAP NetWeaver AS ABAP
Network filtering
SAP GUI for Windows
Limit web-enabled content
SAP Gateway and SAP Message Server security
Secure Network Communication (SNC) and HTTPS
ABAP RFC connectivity
Password management: password policy, password hashes, default passwords
Secure session handling
(topics from the security recommendations, discussed later)
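One way to check several of the configuration areas listed above against a baseline, as an added example that is not SAP's Solution Manager Configuration Validation or the LM Automation tool: it parses an instance profile and reports every parameter that deviates from a target or is not set at all. The parameter names are real AS ABAP profile parameters; the target values are this example's own baseline, to be replaced by the values from SAP's secure configuration recommendations and your own policy, and the profile excerpt is constructed.

```python
"""Check an AS ABAP instance profile against secure-configuration targets.

Added example, not SAP Solution Manager Configuration Validation. The target
values below are this example's own baseline for the parameter areas the
slide lists (password policy and hashes, default users, SNC, gateway,
session handling); take the authoritative values from SAP's "Secure
Configuration of SAP NetWeaver Application Server ABAP" and from your own
policy. Profile files only show explicitly set parameters, so a missing
entry means the kernel default applies and is reported too. The profile
text is constructed for the demo.
"""
import re


def _iterations(v):
    m = re.search(r"iterations=(\d+)", v)
    return int(m.group(1)) if m else 0


# parameter -> (predicate on the raw value, expectation shown in the report)
TARGETS = {
    "login/min_password_lng": (lambda v: int(v) >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: int(v) == 0, "= 0 (no downward-compatible hashes)"),
    "login/password_compliance_to_current_policy": (lambda v: int(v) == 1, "= 1"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5, "between 1 and 5"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1, "= 1"),
    "login/password_hash_algorithm": (lambda v: "issha" in v.lower() and _iterations(v) >= 1024,
                                      "iterated salted SHA with >= 1024 iterations"),
    "snc/enable": (lambda v: int(v) == 1, "= 1"),
    "snc/data_protection/min": (lambda v: int(v) >= 3, ">= 3 (privacy protection)"),
    "snc/accept_insecure_gui": (lambda v: v.strip() == "0", "= 0"),
    "gw/acl_mode": (lambda v: int(v) == 1, "= 1"),
    "gw/reg_no_conn_info": (lambda v: int(v) == 255, "= 255"),
    "rdisp/gui_auto_logout": (lambda v: 0 < int(v) <= 3600, "between 1 and 3600 seconds"),
}

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Profile syntax: 'name = value' per line, '#' starts a comment, last value wins."""
    params = {}
    for raw in text.splitlines():
        m = PARAM_RE.match(raw.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params


def validate(params):
    """Return [(parameter, actual_value_or_None, expectation)] for every deviation."""
    findings = []
    for name, (ok, expectation) in TARGETS.items():
        if name not in params:
            findings.append((name, None, f"not set, kernel default applies; expected {expectation}"))
            continue
        try:
            good = ok(params[name])
        except ValueError:          # non-numeric value where a number is required
            good = False
        if not good:
            findings.append((name, params[name], f"expected {expectation}"))
    return findings


# Constructed instance profile excerpt with several weak settings.
SAMPLE_PROFILE = """\
# DVEBMGS00 instance profile (constructed)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/password_compliance_to_current_policy = 1
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/password_hash_algorithm = encoding=RFC2307, algorithm=iSSHA-1, iterations=1024, saltsize=96
snc/enable = 1
snc/data_protection/min = 2
snc/accept_insecure_gui = 1
gw/acl_mode = 0
rdisp/gui_auto_logout = 0
"""

if __name__ == "__main__":
    for name, value, note in validate(parse_profile(SAMPLE_PROFILE)):
        print(f"{name} = {value!r}: {note}")
```

Checking the profile file is only the first half: the effective value of a parameter can also come from the default profile or be changed dynamically, so the same predicates should be run against the values the running system reports (transaction RZ11, or the parameter report in Solution Manager), which is what the tools on the next slides do across all connected systems.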

Patch Management and Security Monitoring
Check the security of your systems on site, remotely or as self-service via SAP Solution Manager
Verify release information and configuration parameters against targets for all systems connected to Solution Manager
Evaluate SAP security notes every patch day
The most important notes that can be applied automatically are checked and the result is presented
Manage SAP security notes for all systems connected to Solution Manager
Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems
The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks
Easy-to-use, light-weight tool – short startup time, small memory footprint
List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
– each task available in two flavors – one for ABAP, one for Java application servers
– SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
– SSL Profile Validation: validates parameter settings for secure sessions
– SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
For more information see SAP Note 1532674


Secure Custom Development – Secure Design
Secure design
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace
Resources
SAP security recommendations
SAP security guides
How to verify
Design review, architectural risk analysis

Secure Custom Development – Secure Programming
Secure programming: avoid security bugs
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection
Resources
SAP Secure Programming Guides
SAP Security Recommendations
How to verify
Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)
SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494)
ABAP Test Cockpit (ATC)
Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)
Open framework for customers, partners and SAP to develop code-related checks
Extended Program Check (SLIN)
Extended program check which analyzes the source code
SAP NetWeaver Application Server add-on for code vulnerability analysis
Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
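A small illustration of what the data-flow checks of the scanners above look for, covering three of the bug classes on the previous slide (SQL injection through a dynamic WHERE clause, directory traversal through OPEN DATASET, ABAP code injection through GENERATE SUBROUTINE POOL). It is an added example written in Python, not the SAP add-on, ATC or the Code Inspector, and it only does coarse taint tracking on constructed sample programs. CL_ABAP_DYN_PRG in the hardened sample is a real SAP class; the program names, table use and file path are hypothetical.

```python
"""Toy static scan of ABAP source for the bug classes listed above.

Added example, not the SAP code vulnerability analysis add-on, ATC or the
Code Inspector. It marks variables filled from user input (PARAMETERS,
SELECT-OPTIONS, request->get_form_field) as tainted, propagates taint
through assignments, CONCATENATE and APPEND, clears it when the value
passes through CL_ABAP_DYN_PRG, and reports tainted data reaching a
dangerous sink. Statement splitting is period-based and ignores many
ABAP constructs; the two sample programs are constructed for the demo.
"""
import re

TAINT_SOURCES = [
    re.compile(r"^PARAMETERS\s+(\w+)", re.I),
    re.compile(r"^SELECT-OPTIONS\s+(\w+)", re.I),
    re.compile(r"^(\w+)\s*=\s*\w+->get_form_field\(", re.I),
]
# (pattern capturing the variable that feeds the sink, finding class)
SINKS = [
    (re.compile(r"\bWHERE\s+\((\w+)\)", re.I), "SQL injection (dynamic WHERE)"),
    (re.compile(r"^OPEN\s+DATASET\s+(\w+)", re.I), "Directory traversal (OPEN DATASET)"),
    (re.compile(r"^GENERATE\s+SUBROUTINE\s+POOL\s+(\w+)", re.I), "ABAP code injection (GENERATE SUBROUTINE POOL)"),
    (re.compile(r"^INSERT\s+REPORT\s+\w+\s+FROM\s+(\w+)", re.I), "ABAP code injection (INSERT REPORT)"),
    (re.compile(r"^CALL\s+'SYSTEM'.*\bID\s+'COMMAND'\s+FIELD\s+(\w+)", re.I), "OS command injection (CALL 'SYSTEM')"),
]
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
APPEND = re.compile(r"^APPEND\s+(\w+)\s+TO\s+(\w+)", re.I)
SANITIZER = re.compile(r"cl_abap_dyn_prg=>(quote|quote_str|escape_quotes|check_\w+)\s*\(", re.I)


def statements(src):
    """Drop full-line (*) and trailing (\") comments, then split on periods."""
    code = []
    for raw in src.splitlines():
        if raw.lstrip().startswith("*"):
            continue
        code.append(raw.split('"', 1)[0])
    return [s.strip() for s in " ".join(code).split(".") if s.strip()]


def words(expr):
    return {w.lower() for w in re.findall(r"\w+", expr)}


def scan(src):
    """Return [(statement_no, finding_class, variable)] for tainted data at a sink."""
    tainted, findings = set(), []
    for no, st in enumerate(statements(src), 1):
        sources = [p.match(st) for p in TAINT_SOURCES]
        if any(sources):
            tainted.update(m.group(1).lower() for m in sources if m)
            continue
        if CONCAT.match(st):
            m = CONCAT.match(st)
            if words(m.group(1)) & tainted:
                tainted.add(m.group(2).lower())
            else:
                tainted.discard(m.group(2).lower())
        elif APPEND.match(st):
            m = APPEND.match(st)
            if m.group(1).lower() in tainted:
                tainted.add(m.group(2).lower())
        elif ASSIGN.match(st):
            m = ASSIGN.match(st)
            target, expr = m.group(1).lower(), m.group(2)
            if SANITIZER.search(expr) or not (words(expr) & tainted):
                tainted.discard(target)   # escaped, or built from clean data only
            else:
                tainted.add(target)
        for pat, kind in SINKS:
            m = pat.search(st)
            if m and m.group(1).lower() in tainted:
                findings.append((no, kind, m.group(1)))
    return findings


# Constructed sample: selection-screen input flows unescaped into two sinks.
VULNERABLE = """\
REPORT z_demo_vulnerable.
PARAMETERS p_name TYPE string.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lt_result TYPE TABLE OF kna1.
* dynamic WHERE built straight from the selection screen
lv_where = |NAME1 = '{ p_name }'|.
SELECT * FROM kna1 INTO TABLE lt_result WHERE (lv_where).
* path comes straight from the user
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

# Constructed sample: input escaped with CL_ABAP_DYN_PRG, path not user-controlled.
HARDENED = """\
REPORT z_demo_hardened.
PARAMETERS p_name TYPE string.
DATA lv_where TYPE string.
DATA lv_name TYPE string.
DATA lv_path TYPE string.
DATA lt_result TYPE TABLE OF kna1.
lv_name = cl_abap_dyn_prg=>quote( p_name ).
lv_where = |NAME1 = { lv_name }|.
SELECT * FROM kna1 INTO TABLE lt_result WHERE (lv_where).
* hypothetical fixed path; in real code resolve a logical file name via FILE_GET_NAME
lv_path = '/usr/sap/trans/data/zdemo_import'.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

if __name__ == "__main__":
    print(scan(VULNERABLE))   # two findings, statements 7 and 8
    print(scan(HARDENED))     # []
```

The two things that make even this toy useful are also what the real tools do better: taint is cleared only by a recognized escaping or validation call, never by a plain copy, and the finding is reported at the sink with the variable that carried the input, which is where a developer has to decide between escaping (CL_ABAP_DYN_PRG for dynamic SQL), whitelisting (for file names and program names) or removing the dynamic construct altogether.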

Application Security Testing
Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security
Neither DAST nor SAST is a guarantee to find all security issues in an application
[Figure: four quadrants – manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources); automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application).]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs
[Figure: the same four quadrants – manual source code review, automated source code analysis (SAST: find vulnerabilities by analyzing the sources), automated application vulnerability scanning, manual application penetration testing (DAST: find vulnerabilities in the running application) – with the SAP NetWeaver Application Server add-on for code vulnerability analysis placed under automated source code analysis.]
Finding security issues at design time is easier and less expensive
Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues
Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– sent out for very important security-related news
Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– Please use PGP for email encryption
– The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP
You have found a security vulnerability in an SAP product?
What to do: open a customer message
How does SAP provide a fix when a security vulnerability was found?
SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month)
You want to keep yourself up-to-date about security response practices in general?
Go to the SAP Service Marketplace for spotlight news
Check the security notes released on the Security Patch Days
Subscribe to the SAP Support Portal newsletter
Maintain a security contact in your organization
You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace

Security Topics in SAP Education Courses
Curricula
SAP System Administration – User and Security
SAP Governance, Risk & Compliance
Certification
SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
The Security Consultant Certification test
Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
Booking code: P_ADM_SEC_70
Topic – Course ID
Authorizations AS ABAP – ADM940
Authorizations AS Java, Portal – ADM200, EP200, ADM800
Authorizations BW – BW365
SAP NetWeaver Identity Management – ADM920
Security Auditing – ADM950
Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO/IEC 15408)
Accepted in most of the major global markets
Permits comparison between independent security evaluations
Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
EAL 4 is the highest internationally accepted level
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products
Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria
The SAP NetWeaver Application Server forms the security foundation for most SAP implementations
Certified products
SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On
[Figure: three pillars – Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On).]
SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions

Compliant Identity Management and Single Sign-On
Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
Advanced SNC encryption: strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On
SAP NetWeaver Identity Management: user and role management; provisioning to SAP and non-SAP systems; Identity Center; Virtual Directory Server; Identity Services; integration with SAP GRC Access Control; identity federation
SAP NetWeaver Single Sign-On: single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML); digital signatures; re-authentication; advanced encryption of SAP GUI for Windows communication; strong authentication (RADIUS, smart cards); RSA certification
Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library
SNC Client Encryption (SAP NetWeaver): basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components
Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an Identity Provider on SAP NetWeaver Java holds the user account; Service Providers on SAP NetWeaver ABAP, on SAP NetWeaver Java and on a non-SAP system each hold their own user account for the same person. The browser logs on and off at the Identity Provider and presents a SAML token to each Service Provider.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once the user is authenticated by the Identity Provider, the user can access all systems (via their Service Providers) without re-authentication
• Web browser-based single sign-on is user-centric: the browser carries the SAML token from the Identity Provider to each Service Provider
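The browser-based SSO flow described on this slide, modelled as an added example in Python (not code from the slides or from SAP NetWeaver Single Sign-On). Real SAML 2.0 exchanges XML AuthnRequests and Responses signed with XML-DSig under the Identity Provider's X.509 certificate; here the assertion is a dict signed with HMAC-SHA256 under a constructed shared key so the checks every Service Provider must perform (signature, issuer, audience, InResponseTo, validity period) stay visible. The entity IDs, user name and password are constructed.

```python
"""SAML 2.0 Web Browser SSO, modelled with one IdP and two SPs.

Added example. Constructed keys, entity IDs and users; HMAC-SHA256 over
canonical JSON stands in for XML-DSig over the IdP's X.509 certificate.
"""
import hashlib
import hmac
import json
import secrets
import time

IDP_ENTITY_ID = "https://idp.example.com/saml2"   # constructed
IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # constructed


def _canonical(assertion):
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, assertion):
    return hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, key, users):
        self.key, self.users = key, users
        self.sessions = {}  # IdP session cookie -> user

    def logon(self, user, password):
        """Primary authentication at the IdP; returns a session cookie or None."""
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def handle_authn_request(self, req, cookie, ttl=300):
        """Return a signed SAML-style response, or None if a logon is needed."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        assertion = {
            "issuer": IDP_ENTITY_ID,
            "in_response_to": req["id"],   # binds the response to one request
            "audience": req["issuer"],     # the SP this assertion is meant for
            "destination": req["acs_url"],
            "name_id": user,
            "not_on_or_after": int(time.time()) + ttl,
        }
        return {"assertion": assertion, "signature": _sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id, idp_key):
        self.entity_id, self.idp_key = entity_id, idp_key
        self.acs_url = entity_id + "/saml2/acs"
        self.pending = {}  # outstanding AuthnRequest ID -> issue time

    def start_sso(self):
        """Build the AuthnRequest the browser is redirected to the IdP with."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = time.time()
        return {"id": req_id, "issuer": self.entity_id, "acs_url": self.acs_url}

    def consume(self, response, now=None):
        """Validate a response at the ACS; return the user or raise ValueError."""
        now = time.time() if now is None else now
        a = response["assertion"]
        if not hmac.compare_digest(response["signature"], _sign(self.idp_key, a)):
            raise ValueError("signature invalid")
        if a["issuer"] != IDP_ENTITY_ID:
            raise ValueError("issuer not trusted")
        if a["audience"] != self.entity_id or a["destination"] != self.acs_url:
            raise ValueError("assertion not addressed to this SP")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or already consumed response")
        if now >= a["not_on_or_after"]:
            raise ValueError("assertion expired")
        del self.pending[a["in_response_to"]]  # one request, one response
        return a["name_id"]


def demo():
    """Walk the slide's scenario; returns (erp_user, crm_user, replay, expiry)."""
    idp = IdentityProvider(IDP_SIGNING_KEY, {"jack_jones": "constructed-pw"})
    erp = ServiceProvider("https://erp.example.com", IDP_SIGNING_KEY)
    crm = ServiceProvider("https://crm.example.com", IDP_SIGNING_KEY)
    # 1. first access: SP redirects to the IdP, which has no session -> logon
    req = erp.start_sso()
    assert idp.handle_authn_request(req, cookie=None) is None
    cookie = idp.logon("jack_jones", "constructed-pw")
    erp_user = erp.consume(idp.handle_authn_request(req, cookie))
    # 2. second system, same browser: IdP session reused, no re-authentication
    crm_user = crm.consume(idp.handle_authn_request(crm.start_sso(), cookie))
    # 3. assertion issued for ERP replayed at CRM: audience mismatch
    try:
        crm.consume(idp.handle_authn_request(erp.start_sso(), cookie))
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    # 4. validity period enforced at the Service Provider
    resp = idp.handle_authn_request(erp.start_sso(), cookie)
    try:
        erp.consume(resp, now=resp["assertion"]["not_on_or_after"])
        expiry_rejected = False
    except ValueError:
        expiry_rejected = True
    return erp_user, crm_user, replay_rejected, expiry_rejected
```

The third scenario in demo() is the check that matters most once several Service Providers trust one Identity Provider: an assertion issued for the ERP Service Provider is refused by the CRM Service Provider because its audience does not match, so a token captured at one system cannot be presented at another. Removing the InResponseTo entry after use also stops the same response from being consumed twice.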

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management in the center, triggered by business events such as on-boarding, connected to SAP Access Control (GRC) and to the SAP Business Suite.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram, main building blocks:
• Identity Center: IC database (MS SQL Server or Oracle DB, soon IBM DB2) with stored procedures, logs, audit data and the identity store (IdS); Runtime (Java) and Runtime (VB), DSE (VB) and the Dispatcher (VB), which starts the Event Agent; Management Console (MMC, soon to be Eclipse-based); all connected to the database over the database protocol.
• Virtual Directory Server (VDS): runs in a Java VM, exposes LDAP, and connects to external repositories (LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, CA SiteMinder, application-specific connectors).
• AS Java: Web Dynpro identity management UI (ID Mgmt UI abstraction, JMX) and the user interface, reached over HTTPS.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram, built up over several slides: the User sends a request to SAP NetWeaver Identity Management, which routes it to the Approver and to SAP GRC Access Control, where the Compliance Team analyzes it; provisioning then goes out to the business applications.]

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Request sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to business applications, non-SAP systems, …, and send approval mail to the user

Result: compliant identity management
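The risk-analysis and remediation steps (4 to 6) as an added example in Python; this is not SAP GRC Access Control's rule set or API. Role names, business functions, the two segregation-of-duties rules and the mitigating control are constructed. The point it shows: the analysis must include the roles the user already holds, otherwise a request that is harmless on its own can complete a conflicting combination.

```python
"""Risk analysis and remediation for an access request (steps 4 to 6).

Added example. Role names, business functions, SoD rules and the
mitigating control are constructed; this is not the SAP GRC Access
Control rule set or API.
"""
from dataclasses import dataclass, field

# Constructed: which business functions each role grants
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"enter_vendor_invoice"},
    "Z_AP_PAYMENT_RUN": {"release_payment"},
    "Z_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_FI_DISPLAY": {"display_fi_documents"},
}

# Constructed access risks: functions that must not sit with one user
SOD_RULES = {
    "P001": ({"enter_vendor_invoice", "release_payment"}, "High"),
    "P002": ({"maintain_vendor_master", "release_payment"}, "High"),
}

# Constructed: risks the compliance team accepts with a mitigating control
MITIGATIONS = {"P001": "monthly payment-run review by AP manager (CTRL-17)"}


@dataclass
class Request:
    user: str
    existing_roles: set
    requested_roles: set
    approved_by: list = field(default_factory=list)


def functions_of(roles):
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def analyze_risks(request):
    """Rule IDs the user would violate after provisioning.

    Existing assignments are part of the analysis: a request that is clean
    on its own can complete a conflict with roles the user already holds.
    """
    funcs = functions_of(request.existing_roles | request.requested_roles)
    return {rid for rid, (conflict, _) in SOD_RULES.items() if conflict <= funcs}


def decide(request):
    """Step 5 outcome as (decision, risks, detail)."""
    if not request.approved_by:
        return "pending_approval", set(), None
    risks = analyze_risks(request)
    if not risks:
        return "approve", risks, None
    if risks <= set(MITIGATIONS):
        return "mitigate", risks, {r: MITIGATIONS[r] for r in risks}
    # Unmitigated risk: propose dropping one requested role if that clears it
    for role in sorted(request.requested_roles):
        trimmed = Request(request.user, request.existing_roles,
                          request.requested_roles - {role}, request.approved_by)
        if analyze_risks(trimmed) <= set(MITIGATIONS):
            return "modify_request", risks, f"drop {role}"
    # The conflict already sits in the existing roles; the request cannot fix it
    return "reject", risks, None


def provision(request):
    """Step 6: only approved or mitigated requests reach the target systems."""
    decision, risks, detail = decide(request)
    if decision in ("approve", "mitigate"):
        return decision, request.existing_roles | request.requested_roles
    return decision, request.existing_roles
```

The "reject" branch is reached only when the violation is already present in the user's existing assignments, which is the case a request-driven workflow cannot repair and which the periodic access reviews on the following slide are meant to catch.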

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-based Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram, components and connections:
• SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02: Access Control, Process Control & Risk Management (software component GRCFND_A), plus Content Lifecycle Management (CLM).
• Managed systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications via an adapter (optional).
• Optional components: SAP NW Portal 7.02 with GRC Portal Content; SAP NW BW 7.02 with GRC BI Content; SAP NW Java 7.02 with Adobe Document Services; Identity Management solutions (SAP or non-SAP) connected via web services.
• Front-end client: SAP GUI 7.10 (DIAG) and Web Browser (http) with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports).]

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flow diagram: HR application (new hire, change of position) → Identity Management calculates entitlements based on position → Line manager approves assignments (No: stop; Yes: continue) → SAP GRC Access Control runs the compliance check and remediation → create user and assign roles/privileges in each system of the heterogeneous landscape.]

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure performs connectivity, extraction, filtering, normalization and aggregation over its inputs.
• Inputs: attack pattern updates by SAP; logs of SAP NetWeaver systems; logs of non-SAP-NetWeaver systems; desktop and mobile frontend logs; logs of the infrastructure; logs of the database; network IDS logs.
• Outputs: API to other SIEM tools; alerts from SAP Solution Manager (SolMan); information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
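The pipeline stages of the draft (connectivity, extraction, filtering, normalization, aggregation, then pattern matching) as an added example in Python. The three log line formats, the attack patterns and the threshold are constructed for illustration; they are not the Security Audit Log format as written by the kernel, not SAP-supplied attack patterns, and not an interface of the planned product. The example shows why the aggregation step matters: the brute-force pattern only fires once failed logons seen by the ABAP system and by the operating system of the same host are counted together.

```python
"""Aggregate, normalize, filter and pattern-match logs from several sources.

Added example. Line formats, sample lines and attack patterns are
constructed; this is not the real Security Audit Log format, not
SAP-supplied attack patterns and not an API of the planned product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: (source, raw line)
SAMPLE_LOGS = [
    ("sal", "2013-11-05 09:00:01 AU2 client=100 user=JSMITH term=10.1.2.3 text=Logon failed"),
    ("sal", "2013-11-05 09:00:03 AU2 client=100 user=JSMITH term=10.1.2.3 text=Logon failed"),
    ("sal", "2013-11-05 09:00:04 AU2 client=100 user=JSMITH term=10.1.2.3 text=Logon failed"),
    ("sal", "2013-11-05 09:00:06 AU1 client=100 user=JSMITH term=10.1.2.3 text=Logon successful"),
    ("sal", "2013-11-05 09:05:00 AU1 client=000 user=SAP* term=10.1.2.9 text=Logon successful"),
    ("syslog", "Nov  5 09:00:02 sapapp01 sshd[2210]: Failed password for root from 10.1.2.3 port 51022 ssh2"),
    ("gw", "2013-11-05 09:01:00 GW: reginfo check failed for 10.9.9.9 program=rfcexec"),
    ("sal", "2013-11-05 12:00:00 AU1 client=100 user=AKUMAR term=10.1.5.5 text=Logon successful"),
]

# Extraction: one regex per source (constructed formats)
PARSERS = {
    "sal": re.compile(r"(?P<ts>\S+ \S+) (?P<code>AU\d) client=(?P<client>\d+) user=(?P<user>\S+) term=(?P<ip>\S+) text=(?P<text>.*)"),
    "syslog": re.compile(r"(?P<mon>\w+)\s+(?P<day>\d+) (?P<time>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<text>Failed password|Accepted password) for (?P<user>\S+) from (?P<ip>\S+)"),
    "gw": re.compile(r"(?P<ts>\S+ \S+) GW: (?P<text>reginfo check failed|secinfo check failed) for (?P<ip>\S+) program=(?P<prog>\S+)"),
}

STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH"}


def normalize(source, line, year=2013):
    """Map one raw line to a common event dict, or None if it does not parse."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    d = m.groupdict()
    if source == "syslog":  # syslog lines carry no year
        ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if d["text"].startswith("Failed") else "success"
        return {"ts": ts, "source": source, "type": "logon", "outcome": outcome,
                "user": d["user"], "ip": d["ip"]}
    ts = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    if source == "gw":
        return {"ts": ts, "source": source, "type": "gateway_reject",
                "outcome": "failure", "user": None, "ip": d["ip"]}
    outcome = "failure" if d["code"] == "AU2" else "success"
    return {"ts": ts, "source": source, "type": "logon", "outcome": outcome,
            "user": d["user"], "ip": d["ip"], "client": d["client"]}


def aggregate(raw):
    """Normalize all lines, filter out what does not parse, order by time."""
    events = []
    for source, line in raw:
        event = normalize(source, line)
        if event is not None:
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=4, window=timedelta(minutes=5)):
    """Constructed attack patterns over the normalized stream.

    bruteforce_then_success: >= fail_threshold failed logons from one IP
    across all sources inside the window, followed by a success from it.
    standard_user_logon: successful logon with a standard user.
    gateway_reject: gateway refused a registration or start request.
    """
    alerts = []
    fails = defaultdict(list)  # ip -> timestamps of failed logons
    for e in events:
        if e["type"] == "logon" and e["outcome"] == "failure":
            fails[e["ip"]].append(e["ts"])
        elif e["type"] == "logon" and e["outcome"] == "success":
            recent = [t for t in fails[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("bruteforce_then_success", e["ip"], e["user"]))
            if e["user"] in STANDARD_USERS:
                alerts.append(("standard_user_logon", e["ip"], e["user"]))
        elif e["type"] == "gateway_reject":
            alerts.append(("gateway_reject", e["ip"], None))
    return alerts
```

With the threshold at four, the three failed ABAP logons alone stay below it; the fourth failure comes from sshd on the same host, so the alert is only produced after aggregation across sources. Feeding only the SAP lines through the same pipeline yields no brute-force alert, which is the gap the "limited analysis possibilities on local systems" remark points at.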

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

SNC Client Encryption

Secure network communications

A secure communication channel uses an encryption algorithm to render the transmitted data unreadable during transport, protecting the information passing through the channel.

• Compliance
• Integrity
• Confidentiality

SAP offers free encryption libraries for the communication between SAP application servers. SAP also provides encryption between SAP GUI for Windows clients and SAP application servers, included in SAP NetWeaver.

SNC Client and Server Encryption – Overview

• Included in the SAP NetWeaver license
• Encryption between SAP client and application server
• Based on SNC and Kerberos
• No hybrid encryption available, compared to SAP NetWeaver Single Sign-On
• No single sign-on included

[Diagram: the clients (SAP NetWeaver Business Client, SAP GUI for Windows, RFC client, Business Explorer Browser (BEx Browser)) connect via SNC to an SAP application server, which in turn connects via SNC to another SAP application server: client-side and server-side SNC.]

SAP NetWeaver Security Solutions: Secure Software Development, Security Standards and Certifications, Security Services and Support Offerings

Protecting Your SAP Systems

[Diagram: two columns, SAP and Customers. SAP contributes Secure Software Development and Security Services; customers contribute Secure Software Development of their own code and Security Management of their systems. The same diagram recurs on the following slides with one quadrant highlighted.]


SAP Product Innovation Lifecycle

[Diagram: phases INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at the transitions Planning to Development, Development to Production, and Production to Ramp-Up.]

Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
• SAP security notes: second Tuesday every month

SAP Active Global Support security tools and services
• SAP Solution Manager System Recommendations
• SAP EarlyWatch Alert (EWA) with security section
• SAP Solution Manager Configuration Validation
• SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
• Secure operation trainings by SAP
• Secure development trainings by partners

SAP Security Documentation
• Security notes published on Service Marketplace
• SAP security guides for every product
• SAP security recommendations on some patch days
• Secure programming guides
• RunSAP end-to-end solution operations
• Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP (SAP Service Marketplace)?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD (segregation of duties)?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
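What "verify configuration parameters against targets" amounts to for the password and gateway topics listed on the previous slide, as an added example in Python that is not Solution Manager code. The profile extract is constructed; the parameter names exist in SAP NetWeaver AS ABAP, but the target values are illustrative thresholds chosen for the example, not SAP's published recommendations, which are the ones to apply (see the Secure Configuration whitepaper under Further Information). A parameter missing from the profile is reported as such rather than assumed compliant, because the kernel default then applies and may be weaker than the target.

```python
"""Validate profile parameters against a target configuration.

Added example, not Solution Manager Configuration Validation. The profile
extract is constructed and the target values are illustrative thresholds,
not SAP's published recommendations.
"""
import operator
import re

# Constructed extract of an instance profile ("parameter = value" per line)
PROFILE_DUMP = """
# instance profile excerpt, constructed
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 0
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 0
gw/reg_no_conn_info = 255
auth/rfc_authority_check = 1
"""

# Target: parameter -> (comparison, expected value, reason). Illustrative values.
TARGET = {
    "login/min_password_lng": (operator.ge, 8, "password policy"),
    "login/password_downwards_compatibility": (operator.eq, 0, "no downward-compatible hashes"),
    "login/no_automatic_user_sapstar": (operator.eq, 1, "no SAP* fallback logon"),
    "login/fails_to_user_lock": (operator.le, 5, "brute-force lockout"),
    "rdisp/gui_auto_logout": (operator.gt, 0, "idle session timeout"),
    "gw/reg_no_conn_info": (operator.ge, 255, "gateway reginfo/secinfo checks"),
    "auth/rfc_authority_check": (operator.ge, 1, "S_RFC check on RFC calls"),
    "snc/enable": (operator.eq, 1, "SNC for SAP GUI and RFC"),
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Parse 'name = value' lines; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            value = m.group(2)
            params[m.group(1)] = int(value) if value.isdigit() else value
    return params


def validate(params, target=TARGET):
    """Return {parameter: (status, actual, expected)} for every target entry.

    status is 'ok', 'deviation' or 'missing'. A parameter absent from the
    profile runs on the kernel default, so it is reported as 'missing'
    instead of silently passing.
    """
    result = {}
    for name, (compare, expected, _reason) in target.items():
        if name not in params:
            result[name] = ("missing", None, expected)
        elif compare(params[name], expected):
            result[name] = ("ok", params[name], expected)
        else:
            result[name] = ("deviation", params[name], expected)
    return result


def findings(params, target=TARGET):
    """Sorted list of (parameter, status, actual, expected, reason) to act on."""
    return sorted(
        (name, status, actual, expected, target[name][2])
        for name, (status, actual, expected) in validate(params, target).items()
        if status != "ok"
    )
```

To run it against a real system, replace PROFILE_DUMP with the instance profile contents, after merging the default profile into it, since a value in the instance profile overrides the same parameter in the default profile and a check against one file alone would miss that.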

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool: short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs the configuration and describes the required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning; automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) improves code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: a spectrum of methods from source-centric to application-centric: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. SAST finds vulnerabilities by analyzing the sources; DAST finds vulnerabilities in the running application.]

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram: the same spectrum as on the previous slide (Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing; SAST vs. DAST), with the SAP NetWeaver Application Server add-on for code vulnerability analysis positioned under automated source code analysis (SAST).]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an e-mail to secure@sap.com
  – Please use PGP for e-mail encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• a check of the security notes released on the Security Patch Days
• subscription to the SAP Support Portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic – Course ID
• Authorizations AS ABAP – ADM940
• Authorizations AS Java, Portal – ADM200, EP200, ADM800
• Authorizations BW – BW365
• SAP NetWeaver Identity Management – ADM920
• Security Auditing – ADM950
• Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest level recognized internationally: certificates above EAL 4 are not mutually recognized across countries

[Diagram, the EAL ladder:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested]

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

[Diagram, three pillars:
• Compliance and Governance – SAP GRC Access Control
• Identity Management – SAP NetWeaver Identity Management
• Authentication and Single Sign-On – SAP NetWeaver Single Sign-On]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption (part of SAP NetWeaver)
• Basic encryption of the communication path between SAP Windows clients and SAP application servers
• No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company-domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its Central Identity Store at the hub, SAP Access Control (GRC) on one side and SAP Business Suite integration (e.g. on-boarding) on the other]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity mgmt monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: architecture diagram with the Identity Center, the Virtual Directory Server and the external repositories. Recoverable components and labels:]
• Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures; logs, audit, IdS
• Runtime (Java), Runtime (VB), DSE (VB) and Dispatcher (VB); the Event Agent <<starts>> the runtimes
• Virtual Directory Server (VDS): Java VM, LDAP
• AS Java: VDS, ID Mgmt UI abstraction, Web Dynpro user interface, JMX
• Management Console (MMC), soon to be Eclipse
• External repositories: LDAP, Java, ABAP, Web Services, Active Directory, etc.
• External applications: SAP HR, LDAP/Web Services, SiteMinder, app-specific, etc.
• Connections: HTTPS, DB protocol, LDAP

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Figure: the request flows from SAP NetWeaver Identity Management (steps 1–3 and 6) to SAP GRC Access Control (steps 4–5) and back; the participants are the User, the Approver and the Compliance Team]

1. Request for
• Role
• Privileges
• User account
• …

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

6. Provision to
• Business applications
• non-SAP systems
• …
and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management – centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data – manage user privileges centrally
• Single Sign-On – automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity – simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access Risk Identification – define and understand access risks
• Access Analysis and Response – analyze and mitigate access risks
• Access Reviews – periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository – define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Figure: architecture diagram. Recoverable components and labels:]
• SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); Content Lifecycle Management (CLM)
• SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP); connected via RFC
• Non-SAP business applications via adapter (optional)
• SAP NW Portal 7.02 with GRC portal content (optional, http)
• SAP NW BW 7.02 with GRC BI content (optional, RFC)
• SAP NW Java 7.02 with Adobe Document Services (optional)
• Identity management solutions (SAP or non-SAP), connected via Web services (optional)
• Front-end client: SAP GUI 7.10 (DIAG), Web browser (http), Adobe Flash Player, SAP CR Adapter
• SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Figure: process flow. HR application (new hire, change of position) → Identity Management calculates entitlements based on position → SAP GRC Access Control compliance check and remediation → line manager approves assignments (Yes / No) → create user and assign roles on each system of the heterogeneous landscape (create user, assign privileges)]

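The six-step sequence (request, approval, risk analysis, remediation, provisioning) and the HR-triggered scenario above describe a control flow in which provisioning is the last step and depends on everything before it. The following is an added example, not code from the presentation or from SAP NetWeaver Identity Management or SAP GRC Access Control, that puts that flow into a small workflow model: entitlements are derived from an HR position by rule, a request cannot be self-approved, the segregation-of-duties analysis runs on the user's combined role set, and provisioning refuses to run until the request is approved and every detected conflict carries a mitigating control. The positions, role names, conflict matrix and control IDs are constructed sample data.

```python
"""Compliant identity management workflow (added example).

Request -> approval -> risk analysis -> remediation -> provisioning, with
provisioning gated on both an approval and a clean (or fully mitigated)
segregation-of-duties (SoD) analysis. All master data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Rule-based entitlements: HR position -> business roles (constructed)
POSITION_ROLES: Dict[str, Set[str]] = {
    "AP Clerk": {"AP_INVOICE_ENTRY"},
    "AP Manager": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "Buyer": {"PO_CREATE"},
}
# SoD conflicts (constructed): role pairs that may only be held together
# if the compliance team has assigned a mitigating control.
SOD_CONFLICTS: Dict[FrozenSet[str], str] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter invoice and release its payment",
    frozenset({"PO_CREATE", "AP_PAYMENT_RELEASE"}): "create purchase order and release payment",
}


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]                                   # requested roles (step 1)
    approved_by: Optional[str] = None                 # set in step 3
    risks: List[str] = field(default_factory=list)    # step 4 findings
    mitigations: Dict[str, str] = field(default_factory=dict)  # risk -> control id (step 5)
    status: str = "requested"


def request_from_hr_event(user: str, new_position: str, held: Set[str]) -> AccessRequest:
    """Step 1: derive entitlements from the HR position; request only what is missing."""
    wanted = set(POSITION_ROLES.get(new_position, set()))
    return AccessRequest(user=user, roles=wanted - held)


def approve(req: AccessRequest, approver: str) -> AccessRequest:
    """Steps 2-3: a manager, delegate, role owner or application owner signs off."""
    if approver == req.user:
        raise ValueError("self-approval is not allowed")
    req.approved_by = approver
    req.status = "approved"
    return req


def risk_analysis(req: AccessRequest, held: Set[str]) -> List[str]:
    """Step 4: analyze the user's combined role set, not only the new roles."""
    combined = held | req.roles
    req.risks = [text for pair, text in SOD_CONFLICTS.items() if pair <= combined]
    req.status = "risk_analyzed"
    return list(req.risks)


def mitigate(req: AccessRequest, risk: str, control_id: str) -> None:
    """Step 5, outcome 'Mitigate': the compliance team assigns a compensating control."""
    if risk not in req.risks:
        raise ValueError(f"unknown risk: {risk}")
    req.mitigations[risk] = control_id


def blocking_reason(req: AccessRequest) -> Optional[str]:
    """Why provisioning must not run yet, or None if it may."""
    if req.approved_by is None:
        return "no approval recorded"
    if req.status != "risk_analyzed":
        # analysis must be the last step before provisioning so that it
        # covers the request exactly as approved
        return "risk analysis has not run on the approved request"
    open_risks = [r for r in req.risks if r not in req.mitigations]
    if open_risks:
        return "unmitigated SoD risks: " + "; ".join(open_risks)
    return None


def provision(req: AccessRequest, held: Set[str]) -> Set[str]:
    """Step 6: apply the roles to the target systems (modelled as the user's held set)."""
    reason = blocking_reason(req)
    if reason is not None:
        raise PermissionError(reason)
    held |= req.roles
    req.status = "provisioned"
    return set(held)


if __name__ == "__main__":
    held = {"AP_INVOICE_ENTRY"}                       # bob already is an AP clerk
    req = approve(request_from_hr_event("bob", "AP Manager", held), "mgr.smith")
    print("risks:", risk_analysis(req, held))        # the invoice/payment conflict
    print("blocked:", blocking_reason(req))
    mitigate(req, req.risks[0], "CTRL-0042")         # constructed control id
    print("provisioned:", provision(req, held))
```

The position change is the interesting case: the new role on its own is harmless, the conflict only appears in combination with the role the user already holds, which is why the analysis takes the held set as input and why provisioning checks the analysis result rather than the request alone.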
Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: architecture draft. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver; desktop frontend; mobile frontend; logs of infrastructure; logs of database; network logs; alerts from SAP SolMan. The SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, normalization and aggregation for these sources, an IDS API to other SIEM tools, and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

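The architecture draft above lists connectivity, extraction, filtering, normalization and aggregation as the stages between heterogeneous log sources and attack-pattern matching. The following is an added example, not code from the presentation or from any SAP product, that shows those stages in miniature: lines from three differently formatted sources (an SAP NetWeaver audit-style log, a database audit log and an OS login log) are extracted with one parser per source, normalized into a single event schema, filtered down to failed logons, and aggregated per user so that a pattern rule can raise an alert when one user fails to log on across several systems within a short window. The log layouts, sample lines, user names and thresholds are all constructed for the example and are not SAP's formats or SAP's attack patterns.

```python
"""Log aggregation, normalization and attack-pattern matching (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    source: str    # "<kind>:<system>", e.g. "nw:ERP"
    user: str      # normalized to lower case so JDOE and jdoe aggregate together
    action: str
    outcome: str   # "success" or "failure"


# Constructed layouts: one regular expression per source (extraction stage)
NW_RE = re.compile(r"^(?P<ts>\S+) SAL (?P<sid>\w+) user=(?P<user>\S+) event=(?P<event>\w+) rc=(?P<rc>\d+)$")
DB_RE = re.compile(r"^(?P<ts>\S+) dbaudit host=(?P<host>\S+) login (?P<res>OK|FAILED) user=(?P<user>\S+)$")
OS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<res>Accepted|Failed) password for (?P<user>\S+)$")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None for lines no parser understands."""
    m = NW_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), "nw:" + m["sid"], m["user"].lower(), m["event"].lower(),
                     "success" if m["rc"] == "0" else "failure")
    m = DB_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), "db:" + m["host"], m["user"].lower(), "logon",
                     "success" if m["res"] == "OK" else "failure")
    m = OS_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), "os:" + m["host"], m["user"].lower(), "logon",
                     "success" if m["res"] == "Accepted" else "failure")
    return None


def detect_cross_system_logon_failures(events: List[Event], threshold: int = 3,
                                       window: timedelta = timedelta(minutes=5),
                                       min_systems: int = 2) -> List[Dict]:
    """Pattern: >= threshold failed logons by one user on >= min_systems systems within window."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:                                   # filtering + aggregation
        if ev.action == "logon" and ev.outcome == "failure":
            by_user[ev.user].append(ev)
    alerts: List[Dict] = []
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e.ts)
        for i, first in enumerate(fails):               # sliding window over the failures
            in_window = [e for e in fails[i:] if e.ts - first.ts <= window]
            systems = sorted({e.source for e in in_window})
            if len(in_window) >= threshold and len(systems) >= min_systems:
                alerts.append({"user": user, "failures": len(in_window),
                               "systems": systems, "from": first.ts.isoformat()})
                break                                    # one alert per user per run
    return alerts


# Constructed sample lines (three sources, one unparsable line)
SAMPLE_LOGS = [
    "2013-11-05T09:00:05Z SAL ERP user=JDOE event=LOGON rc=1",
    "2013-11-05T09:00:40Z dbaudit host=db01 login FAILED user=jdoe",
    "2013-11-05T09:01:10Z app01 sshd: Failed password for jdoe",
    "2013-11-05T09:01:30Z SAL CRM user=JDOE event=LOGON rc=1",
    "2013-11-05T09:02:00Z SAL ERP user=ALICE event=LOGON rc=1",
    "2013-11-05T09:02:20Z SAL ERP user=ALICE event=LOGON rc=0",
    "garbage line the parser must skip",
]


def run_demo() -> Tuple[List[Event], List[Dict]]:
    events = [e for e in map(normalize, SAMPLE_LOGS) if e is not None]
    return events, detect_cross_system_logon_failures(events)


if __name__ == "__main__":
    parsed, found = run_demo()
    print(f"{len(parsed)} events normalized from {len(SAMPLE_LOGS)} lines")
    for alert in found:
        print("ALERT", alert)
```

On the sample data only jdoe triggers the rule: four failures on four different systems inside 85 seconds, something no single system's log would show on its own. alice's one failure followed by a success stays below the threshold. The same rule applied with a higher threshold returns nothing, which is the knob a SIEM operator tunes against the false-positive rate of a given landscape.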
Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complementary with your SAP TechEd registration
• httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• httpsaptechedcomonline

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 51: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 51

SNC Client and Server Encryption ndash Overview

Included in SAP NetWeaver

license

Encryption between SAP client

and application server

Based on SNC and Kerberos

No hybrid encryption available

compared to SAP NetWeaver

Single Sign-On

No single sign-on included

SAP NetWeaver

Business Client

SAP GUI for

Windows

RFC

client

Business Explorer

Browser (BEx

Browser)

SNC

SAP application

server

SAP application

server

Client

Server

SNC SNC

SAP NetWeaver Security Solutions Secure Software Development

Security Standards and Certifications

Security Services and Support Offerings

copy 2013 SAP AG or an SAP affiliate company All rights reserved 53

Protecting Your SAP Systems

SAP

Secure Software

Development

Customers

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 54

Protecting Your SAP Systems

SAP

Secure Software

Development

Customers

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 55

SAP Product Innovation Lifecycle

INVENT DEFINE DEVELOP DEPLOY OPTIMIZE

Planning to

Development

Secure software development is embedded in the Product Innovation Lifecycle

ndash We train developers on secure software development

ndash We plan and implement security using product standard requirements

ndash We use state of the art quality assurance methods

ndash We verify in quality gates that requirements are met

ndash We provide fixes via Product Security Response if vulnerabilities are identified

ndash We provide Active Global Support and consulting security services

Development

to Production

Production to

Ramp Up

Quality

Gate

Quality

Gate

Quality

Gate

copy 2013 SAP AG or an SAP affiliate company All rights reserved 56

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 57

SAP Security Services Overview (12)

SAP Security Patch Day

SAP security notes second Tuesday every month

SAP Active Global Support

security tools and services

SAP Solution Manager System Recommendations

SAP EarlyWatch Alert (EWA) with security section

SAP Solution Manager Configuration Validation

SAP Security Optimization Service (SOS)

SAP security consulting services

copy 2013 SAP AG or an SAP affiliate company All rights reserved 58

SAP Security Services Overview (22)

SAP Security Training

Secure operation trainings by SAP

Secure development trainings by partners

SAP Security Documentation

Security notes published on Service Marketplace

SAP security guides for every product

SAP security recommendations on some patch days

Secure programming guides

RunSAP end-to-end solution operations

Books published by SAP Press

copy 2013 SAP AG or an SAP affiliate company All rights reserved 59

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 60

SAP Security Management for Your Systems

Are you ready

Do you have management support for SAP security

Do you have defined responsibilities for SAP security

Do you have a security contact maintained in SMP

Do you have standards and guidelines for SAP security

Do you have know how in security operations

Do you have know how in secure development

Do you have know how in authorizations and SoD

Do you monitor compliance with standards and guidelines

SAP Security is more than roles and profiles

Examples secure system configuration patch management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 61

Secure System Configuration SAP NetWeaver AS ABAP

Network filtering SAP GUI for Windows

Limit Web Enabled

Content

SAP Gateway and

SAP Message Server

Security

Secure Network

Communication (SNC)

and HTTPS

ABAP RFC Connectivity

Password Management

Password Policy

Password Hashes

Default Passwords

Secure Session Handling from security recommendations

discussed later

copy 2013 SAP AG or an SAP affiliate company All rights reserved 62

Patch Management and Security Monitoring

Check security of your systems as onsite remote

or self service via SAP Solution Manager

Verify release information and configuration

parameters against targets for all systems

connected to Solution Manager

Evaluate SAP security notes every patch day

Most important notes which can be automatically

applied are checked and result is presented

Manage SAP security notes for all systems

connected to Solution Manager

Session SIS103 ndash Security Control Center by SAP Active Global Support

copy 2013 SAP AG or an SAP affiliate company All rights reserved 63

The automation of lifecycle management (LM) activities eases the setup and operation of

SAP systems by guiding administrators through configuration and operation tasks

Easy-to-use light-weight tool ndash short startup time small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 10 SP00

ndash each task available in two flavors ndash one for ABAP one for Java application servers

ndash SSL Validation validates configuration settings

(such as SAP Crypto Graphic library installation) for enabling SSL (HTTPS)

ndash SSL Profile Validation validates parameter settings for secure sessions

ndash SSL Maintenance performs configuration and describes required manual tasks

such as SAP Crypto Graphic library installation and profile parameter settings

for enabling SSL (HTTPS)

For more information see SAP Note 1532674

LM Automation Standalone Automates Security-Related

Configuration and Validation Tasks for Your SAP Systems

copy 2013 SAP AG or an SAP affiliate company All rights reserved 64

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 65

Secure Custom Development ndash Secure Design

Secure design

Authentication and identity propagation

Secure session handling

Communication protocols

Authorization concept

Logging and audit trace

Resources

SAP security recommendations

SAP security guides

How to verify

Design review architectural risk analysis

copy 2013 SAP AG or an SAP affiliate company All rights reserved 66

Secure Custom Development ndash Secure Programming

Secure programming - avoid security bugs

Cross-site scripting (XSS)

Cross-site request forgery (XSRF)

SQL injection

Directory traversal

ABAP code injection

Resources

SAP Secure Programming Guides

SAP Security Recommendations

How to verify

Source code scanning ndash automate it

copy 2013 SAP AG or an SAP affiliate company All rights reserved 67

Overview of SAP Code Check Tools (Topic Source Code Scan)

SAP recommends customers and partner to do security code scans (among

other measures) for custom developed code (see note 1697494)

ABAP Test Cockpit (ATC)

Central place for all check tools exemption handling result storage

Code Inspector (SCI)

Open framework for customers partners and SAP to develop code related checks

Extended Program Check (SLIN)

Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis

Code checks for security vulnerabilities Main focus of the tool is to analyze the data flow and the user input

Session SIS261 ndash Your Way to Secure ABAP CodendashScan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security Testing in terms of dynamic application security testing (DAST) and static application

security testing (SAST) are measures to improve code quality and security

Neither DAST nor SAST are a guarantee to find all security issues in an application

Manual Source Code

Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application

Penetration Testing

DAST find vulnerabilities in the

running application SAST find vulnerabilities

analyzing the sources

copy 2013 SAP AG or an SAP affiliate company All rights reserved 69

Code Vulnerability Analysis Scan Analyze and Fix Your Programs

Manual Source Code Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application Penetration

Testing

DAST

Find vulnerabilities in the

running application

SAST

Find vulnerabilities analyzing

the sources

SAP NetWeaver Application Server add-on

for code vulnerability analysis

Finding security issues at design time is easier and less

expensive

Session SIS261 ndash Your Way to Secure ABAP Code ndash Scan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 70

Stay Informed and Report Issues

Security-related news from SAP (patches whitepapers etc)

Subscribe to the SAP Support Portal Newsletter Spotlight News My

SAP HotNews My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who get

ad-hoc SAP Product Security Notifications

ndash Send out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support send an email to securesapcom

ndash Please use PGP for email encryption

ndash Public PGP key is linked at httpsservicesapcomsecuritynotes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 71

Security Response SAP

You have found a Security Vulnerability in a SAP product

What to do Open a customer message

How does SAP provide a fix when a security vulnerability was found

SAP releases all fixes to security vulnerabilities together on the monthly

security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response

practices in general

Goto the SAP Service Marketplace for spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response

using quick link lsquosecuritynotesrsquo on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Request process between SAP NetWeaver Identity Management and SAP GRC Access Control (shown step by step on the slides; participants: User, Approver, Compliance Team):

1. The user requests a role, privileges, a user account, ...
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The approved request is sent to SAP GRC Access Control for risk analysis.
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. SAP NetWeaver Identity Management provisions the user and assignments to business applications, non-SAP systems, ... and sends an approval mail to the user.

Result: compliant identity management across SAP NetWeaver Identity Management and SAP GRC Access Control.
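The six steps above, as an added example in Python (not SAP NetWeaver Identity Management or GRC Access Control code): an access request that must collect its approvals, pass a segregation-of-duties risk analysis over the role set the user would end up with, and only then be provisioned. The SoD rule set, business roles, approver ids and target systems are constructed for the example.

```python
"""Access request workflow: approval, SoD risk analysis, provisioning.

Added example; not SAP NetWeaver Identity Management or GRC Access Control
code. Rule set, roles, approver ids and target systems are constructed.
"""
from dataclasses import dataclass, field

# Constructed SoD rule set: pairs of business roles one person must not
# hold together. In practice these come from GRC Access Control.
SOD_RULES = {
    "P001": ("Create Vendor", "Pay Vendor"),
    "P002": ("Maintain Payroll", "Run Payroll"),
    "F003": ("Create Purchase Order", "Approve Purchase Order"),
}

# Constructed mapping of business roles to the systems they are provisioned to.
ROLE_TARGETS = {
    "Create Vendor": ["ERP"],
    "Pay Vendor": ["ERP", "Treasury (non-SAP)"],
    "Create Purchase Order": ["ERP", "SRM"],
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: list
    current_roles: list
    approvals: set = field(default_factory=set)      # approver ids that granted
    mitigations: dict = field(default_factory=dict)  # risk id -> control id
    status: str = "requested"                        # step 1
    audit: list = field(default_factory=list)


def analyze_risks(current_roles, requested_roles):
    """Steps 4/5: SoD violations in the role set the user would end up with.

    Checking only the requested roles misses conflicts with what the user
    already holds; the analysis has to run over the resulting set.
    """
    resulting = set(current_roles) | set(requested_roles)
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in resulting and b in resulting)


def provisioning_targets(roles):
    """Step 6: systems the requested roles are pushed to (SAP and non-SAP)."""
    targets = []
    for role in roles:
        for system in ROLE_TARGETS.get(role, []):
            if system not in targets:
                targets.append(system)
    return targets


def process(req, required_approvers):
    """Drive the request through steps 2-6 and return its new status."""
    missing = sorted(set(required_approvers) - req.approvals)
    if missing:                                  # steps 2/3 not complete
        req.status = "pending_approval"
        req.audit.append("waiting for approval from %s" % ", ".join(missing))
        return req.status
    risks = analyze_risks(req.current_roles, req.requested_roles)
    unmitigated = [r for r in risks if r not in req.mitigations]
    if unmitigated:                              # step 5: reject (or mitigate / modify and resubmit)
        req.status = "rejected"
        req.audit.append("unmitigated SoD risks: %s" % ", ".join(unmitigated))
        return req.status
    for rid in risks:                            # step 5: approved with a mitigating control
        req.audit.append("risk %s mitigated by control %s" % (rid, req.mitigations[rid]))
    req.status = "provisioned"                   # step 6
    req.audit.append("provisioned to %s" % ", ".join(provisioning_targets(req.requested_roles)))
    return req.status
```

The request for "Pay Vendor" looks harmless in isolation and conflicts only with the "Create Vendor" role the user already holds, which is why step 4 hands the whole picture to the risk analysis rather than just the request. A mitigation is recorded per risk id and leaves a trail in the audit list, which is what a later access review (step 5's periodic counterpart) needs to see.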

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:

- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control:

- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 - Architecture (diagram; recoverable content only)

- SAP NetWeaver AS ABAP 7.02 hosts AC, PC and RM (software component GRCFND_A) and Content Lifecycle Management (CLM).
- Connected SAP ERP systems (4.6C - 7.1) via RFC, with plug-ins: NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP).
- Non-SAP business applications via an adapter (optional).
- SAP NetWeaver Portal 7.02 with GRC portal content (optional).
- SAP NetWeaver BW 7.02 with GRC BI content (optional).
- Identity management solutions (SAP or non-SAP) via web services (optional).
- SAP NetWeaver Java 7.02 with Adobe Document Services (optional).
- Front-end client: SAP GUI 7.10 (DIAG) or web browser (HTTP) with Adobe Flash Player and the SAP CR Adapter; the SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports.
- Connectivity shown in the diagram: HTTP, web services, RFC and DIAG.

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow (diagram): an HR event in the HR application (new hire, change of position) triggers Identity Management to calculate entitlements based on the position. The line manager approves the assignments (Yes/No decision). Approved assignments go to SAP GRC Access Control for a compliance check and remediation, after which Identity Management creates the user and assigns roles and privileges in each system of the heterogeneous landscape.

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure; UCONN

Planned Enhancement - Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure (diagram; recoverable content only)

Inputs: attack pattern updates by SAP; logs of SAP NetWeaver systems; logs of non-SAP-NetWeaver systems; desktop front-end logs; mobile front-end logs; infrastructure logs; database logs; network logs and IDS.

SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization and aggregation of these sources.

Outputs and integrations: API to other SIEM tools; alerts from SAP Solution Manager; information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Aways

- SAP NetWeaver is today the favored technology platform for SAP customers integrating heterogeneous landscapes.
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
- The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions.
- SAP leads the industry by helping its customers thrive in today's business networks.

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January - March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 52: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Security Solutions

- Secure Software Development
- Security Standards and Certifications
- Security Services and Support Offerings

Protecting Your SAP Systems (overview): SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management

Protecting Your SAP Systems (section: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management)

SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with quality gates at Planning to Development, Development to Production, and Production to Ramp-Up.

Secure software development is embedded in the Product Innovation Lifecycle:

- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services

Protecting Your SAP Systems (section: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management)

SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the SAP Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press

Protecting Your SAP Systems (section: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management)

SAP Security Management for Your Systems

Are you ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and segregation of duties (SoD)?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):

- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems on site, remotely, or as a self service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes which can be automatically applied are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
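Verifying configuration parameters against targets, as an added example in Python (not Solution Manager Configuration Validation, LM Automation or any other SAP tool): it parses a constructed AS ABAP instance profile excerpt and reports every parameter that misses a security baseline, covering the password policy, password hash, default user, gateway and message server, HTTPS and audit log items from the secure configuration slide above. The parameter names are real AS ABAP profile parameters; the target values are illustrative choices for this example and must be taken from SAP's "Secure Configuration of SAP NetWeaver Application Server ABAP" recommendations and the relevant SAP Notes for your release.

```python
"""Check an AS ABAP instance profile against a security baseline (added example).

Not SAP Solution Manager Configuration Validation or LM Automation. Parameter
names are real AS ABAP profile parameters; the target values below are
illustrative for this example, not SAP's authoritative recommendations. The
profile text is constructed, not taken from a real system.
"""

SAMPLE_PROFILE = """\
# Instance profile excerpt (constructed)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
login/ticket_only_by_https = 0
gw/acl_mode = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
rsau/enable = 0
"""

# Check kinds: "eq" exact value, "min"/"max" numeric bound, "set" must exist.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_downwards_compatibility": ("eq", 0),  # no legacy hash formats
    "login/no_automatic_user_sapstar": ("eq", 1),         # no automatic SAP* login
    "login/fails_to_user_lock": ("max", 5),
    "login/ticket_only_by_https": ("eq", 1),               # logon tickets only over HTTPS
    "gw/acl_mode": ("eq", 1),                              # gateway ACL enforcement
    "gw/sec_info": ("set", None),
    "gw/reg_info": ("set", None),
    "ms/acl_info": ("set", None),                          # message server ACL
    "rsau/enable": ("eq", 1),                              # security audit log on
}


def parse_profile(text):
    """'name = value' lines, '#' comments; values may themselves contain '='."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def _num(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_profile(params, baseline=BASELINE):
    """Return findings as (parameter, actual value, expectation) for every deviation."""
    findings = []
    for name, (kind, expected) in baseline.items():
        actual = params.get(name)
        n = _num(actual)
        if kind == "set" and actual is None:
            findings.append((name, None, "must be set"))
        elif kind == "eq" and n != expected:
            findings.append((name, actual, "= %d" % expected))
        elif kind == "min" and (n is None or n < expected):
            findings.append((name, actual, ">= %d" % expected))
        elif kind == "max" and (n is None or n > expected):
            findings.append((name, actual, "<= %d" % expected))
    # HTTPS: at least one ICM port must be configured with PROT=HTTPS.
    https_ports = [v for k, v in params.items()
                   if k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()]
    if not https_ports:
        findings.append(("icm/server_port_*", None, "at least one PROT=HTTPS port"))
    return findings


if __name__ == "__main__":
    for name, actual, expected in check_profile(parse_profile(SAMPLE_PROFILE)):
        print("%-42s actual=%-6s expected %s" % (name, actual, expected))
```

Run it against every instance profile in the landscape and the output is the same kind of target-versus-actual list Configuration Validation produces, which is the point of keeping targets as data rather than in code: when a recommendation changes, only the baseline changes.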

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

- Easy-to-use, lightweight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00; each task is available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Protecting Your SAP Systems (section: SAP – Secure Software Development; Customers – Secure Software Development, Security Services, Security Management)

Secure Custom Development – Secure Design

Secure design covers:
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming: avoid security bugs such as
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning (automate it)
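Two of the bug classes listed above next to their fixes, as an added example. It is written in Python so it can be run rather than in ABAP; the ABAP equivalents are an OPEN DATASET with a caller-supplied file name and a dynamic WHERE clause assembled from user input, which is exactly the data flow from user input that the code vulnerability analysis tool described on the following slides looks for. The export directory and the user table are constructed for the example; none of this is SAP code.

```python
"""Directory traversal and SQL injection: vulnerable pattern beside the fix.

Added example; not SAP code and not ABAP. BASE_DIR and the table rows are
constructed for the example (POSIX paths).
"""
import os
import sqlite3

BASE_DIR = "/srv/app/exports"    # hypothetical download root


def export_path_vulnerable(user_path):
    """Joins user input into a path and never checks where it ends up."""
    return os.path.normpath(os.path.join(BASE_DIR, user_path))


def export_path(user_path):
    """Normalize first, then require the result to stay inside BASE_DIR.

    os.path.join drops BASE_DIR when user_path is absolute, and ".." segments
    walk upwards; commonpath compares whole components, so a sibling such as
    "/srv/app/exports-old" is not accepted as a prefix either. Symlinks are
    not resolved here; use os.path.realpath on both sides if they can exist.
    """
    candidate = os.path.normpath(os.path.join(BASE_DIR, user_path))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes the export directory: %r" % user_path)
    return candidate


def sample_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("jack_jones", "FI", 5000), ("anna_lee", "HR", 6000)])
    return conn


def names_in_dept_vulnerable(conn, dept):
    """String concatenation: the WHERE clause is whatever the caller sends."""
    sql = "SELECT name FROM users WHERE dept = '%s'" % dept
    return [row[0] for row in conn.execute(sql)]


def names_in_dept(conn, dept):
    """Bind variable: the input can only ever be compared as a value."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE dept = ?", (dept,))]
```

Both fixes share one idea: the untrusted value is never allowed to change the structure of what is executed or opened, only to fill a slot in it. That is also what a scanner checks for, which is why "avoid string concatenation into SQL and file names" is a rule it can enforce mechanically.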

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check which analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

Techniques, from source-oriented to runtime-oriented: manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing.

SAST: find vulnerabilities by analyzing the sources. DAST: find vulnerabilities in the running application.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

The same spectrum applies: manual source code review and automated source code analysis on the SAST side (find vulnerabilities analyzing the sources); automated application vulnerability scanning and manual application penetration testing on the DAST side (find vulnerabilities in the running application).

The SAP NetWeaver Application Server add-on for code vulnerability analysis covers automated source code analysis. Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com; please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general:
- Go to the SAP Service Marketplace for Spotlight News
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
- Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic / Course ID:
- Authorizations AS ABAP: ADM940
- Authorizations AS Java, Portal: ADM200, EP200, ADM800
- Authorizations BW: BW365
- SAP NetWeaver Identity Management: ADM920
- Security Auditing: ADM950
- Technical Security (RFC, SSL, SNC, ...): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs); EAL 4 is the highest level that is mutually recognized internationally

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted (map): Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)

Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:

- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

- Single sign-on for SAP GUI for Windows, SAP GUI for Java and web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On (all three are part of SAP NetWeaver)

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures, re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption:
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On consists of:

- Web Access Management (partner product, integrated via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO): for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS: CA SiteMinder® Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On? (diagram; recoverable content only)

After a primary authentication (user jack_jones in the diagram), the E-SSO client on the desktop handles the login dialogs of the applications the user opens (terminal emulator, web form, web basic authentication, Windows application, Java application) and fills in the stored credentials; the E-SSO client is administered through a local management console.

Secure Login – Solution Architecture (diagram; recoverable content only)

- Client system: SAP front end (NWBC, SAP GUI) and web browser; Secure Login Client with its key store, using the SAP or Java crypto library; the Secure Login Web Client (SLWC) runs as an applet in the browser
- SAP back-end systems: ABAP stack with the Secure Login Library and PSE service; Java stack
- Secure Login Server on SAP NetWeaver CE 7.2 with its configuration data, backed by an authentication server (e.g. SAP User Management)
- Protocols: DIAG protected by SNC between SAP GUI and the ABAP stack; HTTP(S) between browser / Secure Login Client and the Java stack and Secure Login Server

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation? (diagram)

Different companies, one business process, separated IT infrastructure: Company A (Datacenter A with ERP, CRM, SCM, ...) and Company B (Datacenter B with ERP, CRM, SCM, ...), plus systems in the cloud.

Identity Federation – Solution (diagram)

Each company runs its own Identity Provider; the ERP, CRM and SCM systems in Datacenter A and Datacenter B act as Service Providers (SP), and identity federation links the two Identity Providers.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On (diagram)

One SAP NetWeaver Java Identity Provider with its user accounts serves Service Providers that keep their own user accounts: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers. Log-on and log-off go through the Identity Provider, which issues the SAML token.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system will be redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via their Service Providers) without re-authentication
- Web browser-based single sign-on is user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together they provide compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 - Architecture

The architecture diagram on this slide shows the following components and connections:

- SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (AC, PC & RM; software component GRCFND_A) together with Content Lifecycle Management (CLM)
- SAP ERP (4.6C to 7.1) with the plug-ins NW Function Modules (GRCPINW) and HR Function Modules / PC Automated Controls (GRCPIERP), connected via RFC
- Non-SAP business applications connected through an adapter (optional)
- SAP NetWeaver Portal 7.02 with GRC Portal Content (optional, HTTP)
- SAP NetWeaver BW 7.02 with GRC BI Content (optional, RFC)
- SAP NetWeaver Java 7.02 with Adobe Document Services (optional)
- Identity management solutions (SAP or non-SAP) connected via web services (optional)
- Front-end client: SAP GUI 7.10 (DIAG) or a web browser (HTTP) with Adobe Flash Player and the SAP CR Adapter; the SAP Crystal Reports Adapter and Active Component Framework are needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

The flowchart on this slide runs as follows: the HR application raises an event (new hire, change of position); identity management calculates the entitlements based on the position; the line manager approves the assignments (Yes/No); SAP GRC Access Control runs the compliance check and remediation; finally the user is created and roles or privileges are assigned on each system of the heterogeneous landscape (create user, assign roles, repeated per target system).
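The six-step workflow on slides 91 to 97 and the HR-event scenario above, as an added example that is not part of the deck and is not SAP NetWeaver Identity Management or SAP GRC Access Control code. The position-to-role rules, the segregation-of-duties (SoD) risk matrix, the always-approving approver, the mitigating control and the HR events are all constructed for illustration. It also shows the edge case a position change has to handle: entitlements are recalculated from the new position rather than merged with the old ones, otherwise SoD conflicts accumulate.

```python
"""HR-event-driven, compliance-checked role assignment and provisioning (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Rule-based entitlements (constructed): position -> roles, written as SYSTEM:ROLE
POSITION_ROLES: Dict[str, Set[str]] = {
    "AP_CLERK":  {"ERP:FI_AP_INVOICE_ENTRY", "PORTAL:ESS"},
    "PURCHASER": {"ERP:MM_VENDOR_MAINTAIN", "ERP:MM_PO_CREATE", "PORTAL:ESS"},
}
# SoD risk matrix (constructed): risk id -> roles that conflict when held together
SOD_RISKS: Dict[str, Set[str]] = {
    "F001": {"ERP:MM_VENDOR_MAINTAIN", "ERP:FI_PAYMENT_RUN"},   # create a vendor and pay it
    "F002": {"ERP:FI_AP_INVOICE_ENTRY", "ERP:FI_PAYMENT_RUN"},  # enter an invoice and pay it
    "P001": {"ERP:MM_PO_CREATE", "ERP:FI_AP_INVOICE_ENTRY"},    # raise a PO and invoice it
}


@dataclass
class Identity:
    user: str
    position: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    status: str                              # "PROVISIONED" or "REJECTED"
    grant: Set[str]
    revoke: Set[str]
    open_risks: List[str]                    # unmitigated SoD risks that blocked the request
    plan: Dict[str, Dict[str, List[str]]]    # per target system: roles to assign / remove


def risk_analysis(roles: Set[str]) -> List[str]:
    """Steps 4/5: every risk whose conflicting role set is fully contained in the requested set."""
    return sorted(r for r, combo in SOD_RISKS.items() if combo <= roles)


def provisioning_plan(grant: Set[str], revoke: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Step 6: split the delta per target system of the heterogeneous landscape."""
    plan: Dict[str, Dict[str, List[str]]] = {}
    for action, roles in (("assign", grant), ("remove", revoke)):
        for role in sorted(roles):
            system, _, name = role.partition(":")
            plan.setdefault(system, {"assign": [], "remove": []})[action].append(name)
    return plan


class CompliantIdM:
    def __init__(self, approve: Callable[[str, Set[str]], bool]):
        self.approve = approve                            # steps 2/3: manager, delegate, role owner, ...
        self.store: Dict[str, Identity] = {}              # central identity store
        self.mitigations: Set[Tuple[str, str]] = set()    # (user, risk id) covered by a mitigating control

    def _decide(self, ident: Identity, target: Set[str]) -> Decision:
        grant, revoke = target - ident.roles, ident.roles - target
        if not self.approve(ident.user, grant):
            return Decision("REJECTED", grant, revoke, [], {})
        open_risks = [r for r in risk_analysis(target) if (ident.user, r) not in self.mitigations]
        if open_risks:                                    # remediation needed before anything is provisioned
            return Decision("REJECTED", grant, revoke, open_risks, {})
        ident.roles = set(target)
        return Decision("PROVISIONED", grant, revoke, [], provisioning_plan(grant, revoke))

    def hr_event(self, user: str, position: str) -> Decision:
        """New hire or position change: recompute entitlements from the position, dropping the rest."""
        ident = self.store.setdefault(user, Identity(user, position))
        ident.position = position
        return self._decide(ident, set(POSITION_ROLES[position]))

    def request(self, user: str, role: str) -> Decision:
        """Step 1: a user asks for an additional role on top of the current assignment."""
        ident = self.store[user]
        return self._decide(ident, ident.roles | {role})

    def mitigate(self, user: str, risk: str) -> None:
        """The compliance team accepts the risk for this user under a mitigating control."""
        self.mitigations.add((user, risk))


def risks_if_old_roles_kept(old_roles: Set[str], position: str) -> List[str]:
    """What a position change would produce if old roles were merged instead of recalculated."""
    return risk_analysis(old_roles | POSITION_ROLES[position])


def demo() -> List[Decision]:
    idm = CompliantIdM(approve=lambda user, grant: True)      # constructed approver: always approves
    steps = [idm.hr_event("alice", "AP_CLERK")]               # new hire
    steps.append(idm.request("alice", "ERP:FI_PAYMENT_RUN"))  # blocked: F002 is open
    idm.mitigate("alice", "F002")                             # compliance team assigns a control
    steps.append(idm.request("alice", "ERP:FI_PAYMENT_RUN"))  # now provisioned
    steps.append(idm.hr_event("alice", "PURCHASER"))          # position change revokes the old roles
    return steps


if __name__ == "__main__":
    for d in demo():
        print(d.status, "grant", sorted(d.grant), "revoke", sorted(d.revoke), d.open_risks or d.plan)
```

Note that the risk analysis runs on the target assignment (what the user would hold afterwards), not on the delta; that is what catches a request that is harmless on its own but toxic in combination with roles the user already has.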

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement: Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

The draft architecture diagram shows the SAP Attack Monitoring Infrastructure as a pipeline with the stages Extraction, Connectivity, Filtering, Normalization and Aggregation, fed by attack pattern updates from SAP.

- Inputs: logs of SAP NetWeaver systems; logs of non-SAP NetWeaver systems; desktop front-end and mobile front-end logs; logs of the infrastructure; logs of the database; network logs; alerts from SAP Solution Manager (SolMan)
- Outputs: an IDS API to other SIEM tools; an information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems still have to be discussed.
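The extraction, normalization, aggregation and pattern-matching stages of the draft above, as an added example that is not SAP code. The three line formats are constructed for this example and are not the real SAP Security Audit Log, database or sshd formats; the sample lines, the list of standard users to watch (SAP* and DDIC are real SAP standard users) and the two attack patterns are constructed as well. The detection deliberately uses a time window, so the last sshd block shows failures that are too old to count.

```python
"""Aggregate, normalize and match attack patterns over logs from several sources (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Extraction: one regular expression per constructed source format.
PARSERS = {
    "netweaver": re.compile(r"^(?P<ts>\S+) NW (?P<sid>\w+) user=(?P<user>\S+) term=(?P<term>\S+) "
                            r"evt=(?P<evt>\w+) rc=(?P<rc>\d+)$"),
    "database":  re.compile(r"^(?P<ts>\S+) DB (?P<sid>\w+) (?P<user>\S+)@(?P<term>\S+) (?P<evt>\w+) (?P<rc>OK|FAIL)$"),
    "infra":     re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
                            r"(?P<user>\S+) from (?P<term>\S+)$"),
}


def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto the common event schema, or None if no parser accepts it."""
    for source, rx in PARSERS.items():
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        if source == "infra":
            success, action, system = d["outcome"] == "Accepted", "LOGON", "ssh"
        else:
            success, action, system = d["rc"] in ("0", "OK"), d["evt"], d["sid"]
        return {"ts": datetime.fromisoformat(d["ts"]), "source": source, "system": system,
                "user": d["user"], "terminal": d["term"], "action": action, "success": success}
    return None


def aggregate(lines: Iterable[str]) -> Tuple[List[dict], int]:
    """Normalize all lines, count what cannot be parsed, and order the events by time."""
    events, dropped = [], 0
    for line in lines:
        if not line.strip():
            continue
        event = normalize(line.strip())
        if event is None:
            dropped += 1
        else:
            events.append(event)
    return sorted(events, key=lambda e: e["ts"]), dropped


STANDARD_USERS = {"SAP*", "DDIC"}   # standard SAP users whose interactive logons deserve an alert


def detect(events: List[dict], threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Two attack patterns: password guessing that ends in a successful logon, and standard-user logons."""
    alerts, failures = [], defaultdict(list)   # (user, terminal) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["terminal"])
        if not e["success"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"pattern": "PASSWORD_GUESSING_SUCCESS", "system": e["system"], "user": e["user"],
                           "terminal": e["terminal"], "failures": len(recent), "ts": e["ts"].isoformat()})
        failures[key].clear()
        if e["source"] == "netweaver" and e["action"] == "LOGON" and e["user"] in STANDARD_USERS:
            alerts.append({"pattern": "STANDARD_USER_LOGON", "system": e["system"], "user": e["user"],
                           "terminal": e["terminal"], "ts": e["ts"].isoformat()})
    return alerts


# Constructed sample lines; rc=53 stands for a failed logon in the invented NW format.
SAMPLE_LOGS = """
2013-11-05T08:00:01 NW PRD user=DDIC term=WS-017 evt=LOGON rc=0
2013-11-05T08:01:10 NW PRD user=jdoe term=WS-042 evt=LOGON rc=53
2013-11-05T08:01:30 NW PRD user=jdoe term=WS-042 evt=LOGON rc=53
2013-11-05T08:02:05 NW PRD user=jdoe term=WS-042 evt=LOGON rc=53
2013-11-05T08:02:40 NW PRD user=jdoe term=WS-042 evt=LOGON rc=0
2013-11-05T08:03:00 DB PRD saphr@10.0.0.5 CONNECT FAIL
2013-11-05T08:03:02 DB PRD saphr@10.0.0.5 CONNECT OK
2013-11-05T08:04:00 sshd[1234]: Failed password for root from 10.0.0.9
2013-11-05T08:04:01 sshd[1234]: Failed password for root from 10.0.0.9
2013-11-05T08:04:02 sshd[1234]: Failed password for root from 10.0.0.9
2013-11-05T08:04:03 sshd[1234]: Failed password for root from 10.0.0.9
2013-11-05T09:30:00 sshd[1300]: Accepted password for root from 10.0.0.9
2013-11-05T08:05:00 some line that none of the parsers understands
"""


def run(raw: str = SAMPLE_LOGS) -> Tuple[List[dict], int]:
    """Aggregate the raw lines and return (alerts ready for a SIEM API, number of dropped lines)."""
    events, dropped = aggregate(raw.splitlines())
    return detect(events), dropped


if __name__ == "__main__":
    alerts, dropped = run()
    print(json.dumps(alerts, indent=2), f"\n{dropped} line(s) dropped")
```

The alert dictionaries are already flat JSON, which is the shape an IDS or SIEM API would accept; the dropped-line count is the number a practitioner should watch, because a parser that silently loses a source is a blind spot rather than a quiet day.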

Summary: Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes.
- Significant investments in security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes.
- Support for SAML 2.0 for identity federation provides the international standards support and heterogeneity that are mandatory for composite business applications and networked solutions.
- SAP leads the industry by helping its customers thrive in today's business networks.

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue Your SAP TechEd Education After the Event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January to March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Protecting Your SAP Systems

The overview diagram on this slide (repeated as a progress marker on slides 54, 56, 59 and 64) has two columns, SAP and Customers, and three rows: Secure Software Development, Security Services and Security Management. The following slides cover each cell in turn.


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE, with a quality gate at each transition (Planning to Development, Development to Production, Production to Ramp-Up).

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services


SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday of every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on the SAP Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press


SAP Security Management for Your Systems

Are you ready?
- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and segregation of duties (SoD)?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics taken from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems on site, remotely, or as a self-service via SAP Solution Manager
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager
- Evaluate SAP security notes every patch day: the most important notes that can be applied automatically are checked and the result is presented
- Manage SAP security notes for all systems connected to Solution Manager

Session SIS103: Security Control Center by SAP Active Global Support
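The "configuration parameters against targets" check above and the secure-configuration topics on the preceding slide, as an added example that is not SAP Solution Manager code. The parameter names are real SAP NetWeaver AS ABAP profile parameters; the target values are an illustrative baseline chosen for this example, not values copied from SAP's recommendations, and the two profile dumps and their line format are constructed. The check distinguishes a parameter that is set to a weak value from one that is absent altogether, because both look the same in a report that only lists "non-compliant".

```python
"""Check AS ABAP profile parameters of several systems against a security baseline (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Baseline (constructed targets): parameter -> (check on the effective value, expectation for the report)
TARGETS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "login/min_password_lng":                 (lambda v: int(v) >= 8,        ">= 8"),
    "login/password_downwards_compatibility": (lambda v: v == "0",           "= 0 (no downward-compatible hashes)"),
    "login/no_automatic_user_sapstar":        (lambda v: v == "1",           "= 1 (no hard-coded SAP* logon)"),
    "login/fails_to_user_lock":               (lambda v: int(v) <= 5,        "<= 5"),
    "rdisp/gui_auto_logout":                  (lambda v: 0 < int(v) <= 3600, "1..3600 seconds"),
    "gw/sec_info":                            (lambda v: v != "",            "gateway ACL file maintained"),
    "gw/reg_info":                            (lambda v: v != "",            "gateway ACL file maintained"),
    "ms/acl_info":                            (lambda v: v != "",            "message server ACL file maintained"),
    "snc/enable":                             (lambda v: v == "1",           "= 1"),
}


@dataclass
class Finding:
    system: str
    parameter: str
    value: Optional[str]     # None when the parameter is absent from the dump
    expectation: str


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines (constructed dump format); blanks and # comments are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def validate(system: str, params: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline parameter that is missing or outside its target."""
    findings: List[Finding] = []
    for name, (check, expectation) in TARGETS.items():
        value = params.get(name)
        if value is None:
            findings.append(Finding(system, name, None, "missing, expected " + expectation))
            continue
        try:
            ok = check(value)
        except ValueError:          # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append(Finding(system, name, value, expectation))
    return findings


# Constructed profile dumps for two systems connected to the monitoring system.
SAMPLE_PROFILES: Dict[str, str] = {
    "PRD": """
# constructed sample, not a real system
login/min_password_lng = 10
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
gw/sec_info = /usr/sap/PRD/SYS/global/secinfo
gw/reg_info = /usr/sap/PRD/SYS/global/reginfo
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
snc/enable = 1
""",
    "DEV": """
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 0
login/fails_to_user_lock = 12
rdisp/gui_auto_logout = 0
gw/sec_info =
snc/enable = 0
""",
}


def deviations(profiles: Dict[str, str] = SAMPLE_PROFILES) -> Dict[str, List[Finding]]:
    """Validate every system and return its deviations (an empty list means compliant)."""
    return {sid: validate(sid, parse_profile(dump)) for sid, dump in profiles.items()}


if __name__ == "__main__":
    for sid, findings in deviations().items():
        print(f"{sid}: {'compliant' if not findings else str(len(findings)) + ' deviation(s)'}")
        for f in findings:
            print(f"  {f.parameter} = {f.value!r}  (expected {f.expectation})")
```

The dump format is the only SAP-specific piece a practitioner would have to replace; on a real system the effective values come from RSPARAM or the Solution Manager configuration store, and the baseline should be the organisation's own, versioned with the rest of its security standards.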

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks. It is an easy-to-use, light-weight tool with a short startup time and a small memory footprint.

Configuration tasks provided with the tool LM Automation Standalone 1.0 SP00, each available in two flavors (one for ABAP, one for Java application servers):
- SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
- SSL Profile Validation: validates parameter settings for secure sessions
- SSL Maintenance: performs the configuration and describes required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information see SAP Note 1532674.


Secure Custom Development: Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development: Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning (automate it)
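Two of the bug classes listed above, SQL injection and directory traversal, each as a vulnerable function next to its hardened form. This is an added example, not code from the deck or from SAP's secure programming guides, and it is written in Python against an in-memory SQLite table and a temporary directory rather than in ABAP, so the pattern is the point rather than the API: the ABAP analogues are a dynamic WHERE clause built from user input, and a file name from the client passed to OPEN DATASET. All data is constructed.

```python
"""SQL injection and directory traversal: vulnerable and hardened variants (added example)."""
import os
import sqlite3
import tempfile
from typing import Dict, List


def _db() -> sqlite3.Connection:
    """Constructed sample table: two vendors owned by two different users."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE vendors(id INTEGER, name TEXT, owner TEXT);
        INSERT INTO vendors VALUES (1, 'ACME', 'jdoe'), (2, 'Globex', 'asmith');
    """)
    return con


# --- SQL injection -----------------------------------------------------------
def vendors_vulnerable(con: sqlite3.Connection, owner: str) -> List[str]:
    # The statement is assembled from user input, so the input can change its structure.
    rows = con.execute(f"SELECT id, name FROM vendors WHERE owner = '{owner}'")
    return [name for _, name in rows]


def vendors_hardened(con: sqlite3.Connection, owner: str) -> List[str]:
    # Bind variable: the input is passed as data and can only ever be compared, never parsed.
    rows = con.execute("SELECT id, name FROM vendors WHERE owner = ?", (owner,))
    return [name for _, name in rows]


# --- Directory traversal -----------------------------------------------------
def read_vulnerable(base: str, name: str) -> str:
    # Joining a client-supplied name lets '..' segments walk out of the intended directory.
    with open(os.path.join(base, name)) as f:
        return f.read()


def read_hardened(base: str, name: str) -> str:
    # Resolve symlinks and '..' first, then require the result to stay strictly inside base.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"refused: {name!r} escapes {base}")
    with open(target) as f:
        return f.read()


def demo() -> Dict[str, object]:
    con = _db()
    payload = "x' OR '1'='1"                      # classic tautology injection
    results: Dict[str, object] = {
        "sqli_vulnerable": vendors_vulnerable(con, payload),
        "sqli_hardened": vendors_hardened(con, payload),
    }
    with tempfile.TemporaryDirectory() as root:   # constructed file layout: docs/public.txt, secret.txt
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        with open(os.path.join(docs, "public.txt"), "w") as f:
            f.write("public")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("SECRET")
        results["traversal_vulnerable"] = read_vulnerable(docs, "../secret.txt")
        results["traversal_hardened_ok"] = read_hardened(docs, "public.txt")
        try:
            read_hardened(docs, "../secret.txt")
            results["traversal_hardened"] = "ALLOWED"
        except PermissionError:
            results["traversal_hardened"] = "REFUSED"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

A source code scanner flags exactly the two vulnerable functions here: in both, data that came from the user reaches a sink (the SQL statement, the file system) without passing through a bind variable or a containment check, which is the data-flow view the code vulnerability analysis tool described on the following slides takes.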

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check that analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261: Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

- SAST finds vulnerabilities by analyzing the sources: manual source code review, automated source code analysis
- DAST finds vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

The slide repeats the SAST/DAST spectrum (manual source code review and automated source code analysis on the SAST side, finding vulnerabilities by analyzing the sources; automated application vulnerability scanning and manual application penetration testing on the DAST side, finding vulnerabilities in the running application) and positions the SAP NetWeaver Application Server add-on for code vulnerability analysis on the SAST side. Finding security issues at design time is easier and less expensive.

Session SIS261: Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an e-mail to secure@sap.com; please use PGP for e-mail encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product? Open a customer message.

How does SAP provide a fix when a security vulnerability has been found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the second Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for Spotlight News, check the security notes released on the Security Patch Days, subscribe to the SAP Support Portal newsletter, and maintain a security contact in your organization.

You will find all links and more information on security response via the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration: User and Security
- SAP Governance, Risk & Compliance

Certification
- SAP Certified Technology Professional: Security with SAP NetWeaver 7.0 (booking code P_ADM_SEC_70)
- The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java, Portal            ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, ...)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of the evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level accepted across the international mutual-recognition arrangement

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted (map on the slide): Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

- Session SIS200: SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
- Session SIS265: Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product, integrated through a partner API; policy-based authentication and authorization for web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On (E-SSO): for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder: Web Access Management

Endorsed Business Solution with CA (CA SiteMinder):
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous application environment
- No client deployed to the desktop

The essential difference: CA SiteMinder delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

The diagram shows a user (jack_jones) performing one primary authentication to the E-SSO component, which then supplies the credentials on the user's behalf to each target: a terminal emulator, a web form, web basic authentication, a Windows application and a Java application. An E-SSO monitor and a local management console complete the picture.

Secure Login: Solution Architecture

The architecture diagram shows:
- Client system: the SAP front end (NWBC, SAP GUI) with the Secure Login Client, and a web browser with its key store and the Secure Login Web Client (SLWC, an applet), both using the SAP or Java crypto library
- SAP back-end system (ABAP stack) with the Secure Login Library and the PSE service, reached via DIAG with SNC or via HTTP(S)
- Secure Login Server on NetWeaver CE 7.2 (Java stack) with its configuration data, backed by an authentication server (e.g. SAP user management)
- Further back-end systems, each with the Secure Login Library

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264: Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure: the diagram shows Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM and SCM systems, plus systems in the cloud, all taking part in one business process.

Identity Federation: Solution

In the diagram every system (ERP, CRM, SCM) in Datacenter A and Datacenter B is a SAML service provider (SP), and each company runs its own identity provider.

Identity federation:
- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity provider and service provider are based on the open SAML standard

Identity Provider: Web Browser-Based Single Sign-On

The diagram shows an identity provider on SAP NetWeaver Java and service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own user account; the user logs on and off at the identity provider, and a SAML token is presented to each service provider.

- The landscape consists of an identity provider and systems enabled via service providers (SAML)
- Web users trying to access a system will be redirected to the identity provider
- Once a user is authenticated by the identity provider, the user can access all systems (via their service providers) without re-authentication
- Web browser-based single sign-on is user-centric
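The flow described above, one identity provider and several service providers with their own local accounts, as an added example that is not SAP NetWeaver Single Sign-On code. Real SAML 2.0 carries signed XML assertions with RSA keys and X.509 certificates; here the assertion is a JSON document signed with HMAC-SHA256 under a shared key, a stand-in that keeps the validation rules a service provider must apply (signature, issuer, audience, InResponseTo, validity window, replay) visible in a few lines. Entity IDs, users, passwords, keys and clock values are constructed.

```python
"""Web browser SSO with one identity provider and SAML-style service providers (added example)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set


def _sign(key: bytes, assertion: dict) -> str:
    canonical = json.dumps(assertion, sort_keys=True).encode()   # stand-in for XML canonicalization
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id: str, key: bytes, users: Dict[str, str]):
        self.entity_id, self.key, self.users = entity_id, key, users
        self.sessions: Dict[str, str] = {}          # browser session cookie -> authenticated user

    def login(self, user: str, password: str) -> Optional[str]:
        """Primary authentication; returns the IdP session cookie, or None on failure."""
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def sso(self, authn_request: dict, cookie: str, now: datetime) -> Optional[dict]:
        """Answer an SP's AuthnRequest from the existing session: no re-authentication."""
        user = self.sessions.get(cookie)
        if user is None:
            return None                              # the browser would be shown the logon page instead
        assertion = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                     "audience": authn_request["issuer"], "in_response_to": authn_request["id"],
                     "not_before": now.isoformat(),
                     "not_on_or_after": (now + timedelta(minutes=5)).isoformat()}
        return {"assertion": assertion, "signature": _sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes, accounts: Dict[str, str]):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.accounts = accounts                     # federated subject -> this system's own user account
        self.pending: Set[str] = set()               # AuthnRequest IDs issued and not yet answered
        self.seen: Set[str] = set()                  # assertion IDs already accepted (replay protection)
        self.sessions: Dict[str, str] = {}

    def authn_request(self) -> dict:
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return {"id": rid, "issuer": self.entity_id}

    def consume(self, response: dict, now: datetime) -> str:
        """Validate the assertion and log the mapped local account on; raises ValueError otherwise."""
        a, sig = response["assertion"], response["signature"]
        if not hmac.compare_digest(sig, _sign(self.idp_key, a)):
            raise ValueError("bad signature")
        if a["issuer"] != self.idp_entity_id:
            raise ValueError("untrusted issuer")
        if a["audience"] != self.entity_id:
            raise ValueError("wrong audience")
        if a["id"] in self.seen:
            raise ValueError("replayed assertion")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited response")
        if not (datetime.fromisoformat(a["not_before"]) <= now < datetime.fromisoformat(a["not_on_or_after"])):
            raise ValueError("outside validity window")
        local = self.accounts.get(a["subject"])
        if local is None:
            raise ValueError("no local account for subject")
        self.seen.add(a["id"])
        self.pending.discard(a["in_response_to"])
        self.sessions[secrets.token_hex(8)] = local
        return local


def _outcome(attempt: Callable[[], str]) -> str:
    try:
        return attempt()
    except ValueError as err:
        return str(err)


def demo() -> Dict[str, str]:
    now = datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)
    key = b"constructed-idp-signing-key"
    idp = IdentityProvider("https://idp.example", key, {"jdoe": "correct-horse"})
    erp = ServiceProvider("https://erp.example", "https://idp.example", key, {"jdoe": "JDOE"})
    crm = ServiceProvider("https://crm.example", "https://idp.example", key, {"jdoe": "DOEJ"})
    cookie = idp.login("jdoe", "correct-horse")                       # one primary authentication
    first = idp.sso(erp.authn_request(), cookie, now)
    results = {"erp": erp.consume(first, now)}
    later = now + timedelta(minutes=1)
    results["crm"] = crm.consume(idp.sso(crm.authn_request(), cookie, later), later)   # no re-logon
    results["replay"] = _outcome(lambda: erp.consume(first, now))
    tampered = json.loads(json.dumps(first))
    tampered["assertion"]["subject"] = "admin"
    results["tampered"] = _outcome(lambda: erp.consume(tampered, now))
    results["wrong_audience"] = _outcome(lambda: crm.consume(idp.sso(erp.authn_request(), cookie, now), now))
    results["expired"] = _outcome(lambda: erp.consume(idp.sso(erp.authn_request(), cookie, now),
                                                      now + timedelta(minutes=10)))
    return results
```

Each service provider maps the federated subject to its own account (JDOE in the ERP system, DOEJ in the CRM system), which is the "user account per service provider" shown in the diagram; the identity provider never learns those local names. The four negative cases are the checks that matter in a review of a real SAML service provider configuration: a missing audience check lets one SP's assertion log a user on at another, and a missing InResponseTo or assertion-ID check turns a captured response into a reusable credential.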

SAP NetWeaver Identity Management

- Session SIS105: SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
- Session SIS106: CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
- Session SIS203: SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
- Session SIS262: Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
- Session SIS263: Advanced Features of SAP NetWeaver IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

SAP NetWeaver Identity Management (e.g. for on-boarding):
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through SAP Access Control (GRC)
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

The architecture diagram shows three areas, Identity Center, Virtual Directory Server and external repositories, with the following elements:
- Identity Center (IC) database: either MS SQL Server or Oracle DB, soon IBM DB2; stored procedures; logs, audit and Identity Services (IdS)
- Identity Center runtime components: Java runtime, VB runtime and DSE (VB), started by the dispatcher and the event agent
- Virtual Directory Server (VDS) in a Java VM, exposing LDAP and reached over HTTPS
- External repositories: AS Java, LDAP, Java, ABAP, web services, Active Directory, etc., reached via database protocol, LDAP and web services
- External applications: SAP HR, LDAP/web services, SiteMinder, application-specific connectors
- User interface: Web Dynpro on AS Java behind an identity management UI abstraction layer (JMX); Management Console on MMC, soon to be Eclipse-based

Compliant Identity Management with SAP GRC Access Control

Session SIS205: Strategies for Closing the Gap Between Access Control and Identity Management Processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management: Example Customer Scenario
– Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
– Reduce risk through compliance checks and remediation
– Automate manual processes through integration

Process flow shown on the slide:
1. HR application: new hire or change of position
2. Identity Management: calculate entitlements based on position
3. Line manager: approve assignments (No: stop; Yes: continue)
4. SAP GRC Access Control: compliance check and remediation
5. Heterogeneous landscape: create user and assign roles or privileges in each SAP and non-SAP target system

Moving Security to the Next Level
Planned features and developments:
– Centralized SAP Attack Monitoring Infrastructure
– UCONN


Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure
Inputs:
– Attack pattern updates by SAP
– Logs of SAP NetWeaver
– Logs of non-SAP NetWeaver systems (desktop frontend, mobile frontend)
– Logs of infrastructure, logs of database, logs of network
– IDS
– Alerts from SAP SolMan
SAP Attack Monitoring Infrastructure: connectivity, extraction, filtering, normalization, aggregation
Outputs:
– API to other SIEM tools
– Information back channel to SAP
Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
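The pipeline in the draft above (connectivity, extraction, filtering, normalization, aggregation, then matching against attack patterns) in miniature, as an added example written for this page and not SAP software. The two log excerpts are constructed samples in a simplified layout; only the AU1/AU2 event IDs are borrowed from the SAP Security Audit Log, the field order is not SAP's. The two patterns and the trusted network prefix stand in for the "attack pattern updates by SAP" and are assumptions.

```python
"""Normalize logon events from two sources and match simple attack patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an SAP audit log excerpt and a non-SAP Web front-end log.
SAP_AUDIT_LOG = """\
20131105 091501 PRD 100 AU2 JSMITH 10.0.5.23 Logon failed (password wrong)
20131105 091509 PRD 100 AU2 JSMITH 10.0.5.23 Logon failed (password wrong)
20131105 091517 PRD 100 AU2 JSMITH 10.0.5.23 Logon failed (password wrong)
20131105 091530 PRD 100 AU1 JSMITH 10.0.5.23 Logon successful
20131105 093000 PRD 000 AU1 SAP* 203.0.113.7 Logon successful
20131105 093105 PRD 100 AU1 AMUELLER 10.0.5.40 Logon successful
"""
WEB_FRONTEND_LOG = """\
2013-11-05T09:14:58Z host=portal user=jsmith src=10.0.5.23 action=login result=fail
2013-11-05T09:31:40Z host=portal user=amueller src=10.0.5.40 action=login result=ok
"""

SAP_RE = re.compile(r"^(\d{8}) (\d{6}) (\S+) (\d{3}) (AU[12]) (\S+) (\S+) ")
WEB_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) action=login result=(\w+)")


def normalize(sap_text, web_text):
    """Extraction + normalization: every record gets the same shape regardless of
    source. Filtering happens here as well: lines that are not logon events are dropped."""
    events = []
    for line in sap_text.splitlines():
        m = SAP_RE.match(line)
        if not m:
            continue
        d, t, sid, client, msg, user, ip = m.groups()
        events.append({"ts": datetime.strptime(d + t, "%Y%m%d%H%M%S"),
                       "source": f"sap:{sid}:{client}", "user": user.upper(),
                       "ip": ip, "outcome": "ok" if msg == "AU1" else "fail"})
    for line in web_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts, host, user, ip, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": f"web:{host}", "user": user.upper(),
                       "ip": ip, "outcome": "ok" if result == "ok" else "fail"})
    events.sort(key=lambda e: e["ts"])   # aggregation: one timeline across sources
    return events


# Assumed attack patterns (stand-ins for SAP-delivered pattern updates).
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM"}
ADMIN_NETWORKS = ("10.0.",)            # assumption: only these prefixes may use standard users
BRUTE_FORCE_THRESHOLD = 3
BRUTE_FORCE_WINDOW = timedelta(seconds=60)


def match_patterns(events):
    """Failures are counted per user across all sources, so a guess that starts on the
    portal and succeeds on the ERP system is still seen as one sequence."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if (e["user"] in STANDARD_USERS and e["outcome"] == "ok"
                and not e["ip"].startswith(ADMIN_NETWORKS)):
            alerts.append(("standard_user_logon_from_untrusted_net", e["user"], e["ip"]))
        if e["outcome"] == "fail":
            failures[e["user"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["user"]] if e["ts"] - t <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("success_after_repeated_failures", e["user"], e["ip"]))
        failures[e["user"]].clear()
    return alerts


if __name__ == "__main__":
    for alert in match_patterns(normalize(SAP_AUDIT_LOG, WEB_FRONTEND_LOG)):
        print(*alert)
```

Run on the sample, it raises one alert for JSMITH (one portal failure plus three ERP failures within a minute, then a successful ERP logon) and one for SAP* logging on from outside the assumed admin network. The point of the normalization step is visible in the first alert: neither source alone crosses the threshold.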


Summary – Key Take-Aways
– SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes.
– Significant investments into security for networked solutions (identity management, SSO and an integrated security management offering) will allow customers to implement secure business processes.
– Support for SAML 2.0 for identity federation provides the international standards support and heterogeneity that are mandatory for composite business applications and networked solutions.
– SAP leads the industry by helping our customers thrive in today's business networks.


Further Information
SAP Public Web
– SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
– SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
– SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
– SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
– SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
– SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event
SAP TechEd Virtual Hands-on Workshops
– Access hands-on workshops post-event
– Available January – March 2014
– Complimentary with your SAP TechEd registration
– http://saptechedhandson.sap.com
SAP TechEd Online
– Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
– View content only available online
– http://sapteched.com/online
Feedback: Please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Protecting Your SAP Systems
Overview diagram: SAP contributes secure software development and security services; customers contribute secure software development (for their custom code) and security management. The following slides cover secure software development at SAP.


SAP Product Innovation Lifecycle
Phases: INVENT – DEFINE – DEVELOP – DEPLOY – OPTIMIZE, with quality gates at the transitions from planning to development, from development to production, and from production to ramp-up.
Secure software development is embedded in the Product Innovation Lifecycle:
– We train developers on secure software development
– We plan and implement security using product standard requirements
– We use state-of-the-art quality assurance methods
– We verify in quality gates that requirements are met
– We provide fixes via Product Security Response if vulnerabilities are identified
– We provide Active Global Support and consulting security services


Protecting Your SAP Systems
Section: security services provided by SAP.


SAP Security Services Overview (1/2)
SAP Security Patch Day
– SAP security notes: second Tuesday of every month
SAP Active Global Support security tools and services
– SAP Solution Manager System Recommendations
– SAP EarlyWatch Alert (EWA) with security section
– SAP Solution Manager Configuration Validation
– SAP Security Optimization Service (SOS)
SAP security consulting services


SAP Security Services Overview (2/2)
SAP Security Training
– Secure operation trainings by SAP
– Secure development trainings by partners
SAP Security Documentation
– Security notes published on the SAP Service Marketplace
– SAP security guides for every product
– SAP security recommendations on some patch days
– Secure programming guides
– RunSAP end-to-end solution operations
– Books published by SAP Press


Protecting Your SAP Systems
Section: security management by the customer.


SAP Security Management for Your Systems
Are you ready?
– Do you have management support for SAP security?
– Do you have defined responsibilities for SAP security?
– Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
– Do you have standards and guidelines for SAP security?
– Do you have know-how in security operations?
– Do you have know-how in secure development?
– Do you have know-how in authorizations and segregation of duties (SoD)?
– Do you monitor compliance with standards and guidelines?
SAP security is more than roles and profiles. Examples: secure system configuration, patch management.


Secure System Configuration: SAP NetWeaver AS ABAP
Topics from the SAP security recommendations (discussed later):
– Network filtering
– SAP GUI for Windows
– Limit Web-enabled content
– SAP Gateway and SAP Message Server security
– Secure Network Communication (SNC) and HTTPS
– ABAP RFC connectivity
– Password management: password policy, password hashes, default passwords
– Secure session handling


Patch Management and Security Monitoring
– Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
– Verify release information and configuration parameters against targets for all systems connected to Solution Manager
– Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
– Manage SAP security notes for all systems connected to Solution Manager
Session SIS103 – Security Control Center by SAP Active Global Support


LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems
The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
– Easy-to-use, light-weight tool: short startup time, small memory footprint
– List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00, each task available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
For more information see SAP Note 1532674.
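The kind of check that Configuration Validation in Solution Manager and the SSL profile validation above perform, as an added example written for this page (not SAP software): parse an AS ABAP instance profile and compare parameters against targets. The parameter names are real AS ABAP profile parameters; the target values are assumptions in the spirit of the "Secure Configuration SAP NetWeaver Application Server ABAP" recommendations and must be replaced by your own policy. The profile excerpt is a constructed sample with several weak settings.

```python
"""Validate AS ABAP profile parameters against security targets."""
import re

# Constructed instance profile excerpt (deliberately weak in several places).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
gw/acl_mode = 0
rdisp/msserv_internal = 3900
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
ssl/ssl_lib = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
"""


def _int_at_least(name, minimum):
    return lambda p: name in p and p[name].isdigit() and int(p[name]) >= minimum


def _int_at_most(name, maximum):
    return lambda p: name in p and p[name].isdigit() and int(p[name]) <= maximum


def _equals(name, value):
    return lambda p: p.get(name) == value


# Targets: (parameter, check, human-readable expectation). Values are assumptions.
TARGETS = [
    ("login/min_password_lng", _int_at_least("login/min_password_lng", 8), ">= 8"),
    ("login/password_downwards_compatibility",
     _equals("login/password_downwards_compatibility", "0"),
     "= 0 (store no downward-compatible password hashes)"),
    ("login/fails_to_user_lock", _int_at_most("login/fails_to_user_lock", 5), "<= 5"),
    ("login/no_automatic_user_sapstar",
     _equals("login/no_automatic_user_sapstar", "1"), "= 1 (no automatic SAP* logon)"),
    ("gw/acl_mode", _equals("gw/acl_mode", "1"), "= 1 (gateway ACLs enforced)"),
    ("ssl/ssl_lib", lambda p: bool(p.get("ssl/ssl_lib")), "set (crypto library installed)"),
    ("icm/server_port_*",
     lambda p: any(v.startswith("PROT=HTTPS") for k, v in p.items()
                   if k.startswith("icm/server_port_")),
     "at least one HTTPS port configured"),
]

PARAM_RE = re.compile(r"^\s*([\w/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Profile syntax is 'name = value'; '#' starts a comment line. Later lines win."""
    params = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def validate(params):
    """Return (parameter, 'ok' | 'deviation', expectation) for every target."""
    return [(name, "ok" if check(params) else "deviation", expect)
            for name, check, expect in TARGETS]


def deviations(text):
    """Names of all targets the given profile text fails."""
    return [name for name, status, _ in validate(parse_profile(text)) if status == "deviation"]


if __name__ == "__main__":
    for name, status, expect in validate(parse_profile(SAMPLE_PROFILE)):
        print(f"{status:9} {name:45} expected {expect}")
```

A missing parameter counts as a deviation on purpose: an absent login/no_automatic_user_sapstar or gw/acl_mode means the kernel default applies, and for a validation report you want that made explicit rather than silently passed.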


Protecting Your SAP Systems
Section: secure software development by the customer (custom code).


Secure Custom Development – Secure Design
Secure design
– Authentication and identity propagation
– Secure session handling
– Communication protocols
– Authorization concept
– Logging and audit trace
Resources
– SAP security recommendations
– SAP security guides
How to verify
– Design review, architectural risk analysis


Secure Custom Development – Secure Programming
Secure programming: avoid security bugs
– Cross-site scripting (XSS)
– Cross-site request forgery (XSRF)
– SQL injection
– Directory traversal
– ABAP code injection
Resources
– SAP Secure Programming Guides
– SAP Security Recommendations
How to verify
– Source code scanning: automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)
SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).
– ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
– Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
– Extended Program Check (SLIN): extended program check which analyzes the source code
– SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input
Session SIS261 – Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs
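What "analyze the data flow and the user input" means in practice, as an added example written for this page: a deliberately small taint-tracking checker over a constructed ABAP program. It is not the ABAP Test Cockpit, the Code Inspector or SAP's code vulnerability analysis add-on; the sets of sources, sanitizers and sinks are an assumed subset of what a real scanner knows (cl_abap_dyn_prg=>escape_quotes is a real SAP method for escaping values in dynamic WHERE clauses), and the checker is line-based and follows source order only, so branches and loops are not modelled.

```python
"""Track user input from ABAP sources to dangerous sinks, line by line."""
import re

# Constructed sample program: the same parameter flows into a dynamic WHERE clause
# unescaped (line 5), escaped (line 8), and into a file name (line 10).
SAMPLE_ABAP = """\
REPORT z_demo.
PARAMETERS p_name TYPE string.
DATA: lv_where TYPE string, lv_safe TYPE string, lt_result TYPE TABLE OF sflight.
CONCATENATE 'CARRID = ''' p_name '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_result WHERE (lv_where).
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_name ).
CONCATENATE 'CARRID = ''' lv_safe '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_result WHERE (lv_where).
DATA(lv_file) = p_name.
OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""

# Sources: where untrusted input enters (assumed subset).
SOURCE_RES = [
    re.compile(r"^PARAMETERS\s+(\w+)", re.I),
    re.compile(r"^(?:DATA\()?(\w+)\)?\s*=\s*.*->get_form_field\(", re.I),
    re.compile(r"^GET PARAMETER ID .*FIELD\s+(\w+)", re.I),
]
# Sanitizers: calls whose result is treated as clean (assumed subset).
SANITIZER_RE = re.compile(r"cl_abap_dyn_prg=>(escape_quotes|check_\w+)\(", re.I)
# Propagation: plain assignment (incl. inline DATA(...)) and CONCATENATE ... INTO.
ASSIGN_RE = re.compile(r"^(?:DATA\()?(\w+)\)?\s*=\s*(.*)$", re.I)
CONCAT_RE = re.compile(r"^CONCATENATE\s+(.*)\s+INTO\s+(\w+)", re.I)
# Sinks: (regex capturing the variable that reaches the sink, finding name).
SINKS = [
    (re.compile(r"WHERE\s*\((\w+)\)", re.I), "SQL injection via dynamic WHERE"),
    (re.compile(r"^GENERATE SUBROUTINE POOL\s+(\w+)", re.I), "ABAP code injection"),
    (re.compile(r"^OPEN DATASET\s+(\w+)", re.I), "directory traversal via file name"),
]


def _words(text):
    return {w.lower() for w in re.findall(r"\w+", text)}


def scan(source):
    """Return (line_number, finding, variable) tuples in source order."""
    tainted, findings = set(), []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip().rstrip(".")
        if not line:
            continue
        # 1. Sinks see the taint state as it is *before* this statement runs.
        for sink_re, name in SINKS:
            m = sink_re.search(line)
            if m and m.group(1).lower() in tainted:
                findings.append((no, name, m.group(1).lower()))
        # 2. New sources.
        is_source = False
        for src_re in SOURCE_RES:
            m = src_re.match(line)
            if m:
                tainted.add(m.group(1).lower())
                is_source = True
        if is_source:
            continue
        # 3. Propagation. Overwriting a variable with clean data removes its taint,
        #    which is what makes the escaped WHERE clause on line 8 pass.
        m = CONCAT_RE.match(line)
        if m:
            target = m.group(2).lower()
            if _words(m.group(1)) & tainted:
                tainted.add(target)
            else:
                tainted.discard(target)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            target, rhs = m.group(1).lower(), m.group(2)
            if SANITIZER_RE.search(rhs) or not (_words(rhs) & tainted):
                tainted.discard(target)
            else:
                tainted.add(target)
    return findings


if __name__ == "__main__":
    for no, finding, var in scan(SAMPLE_ABAP):
        print(f"line {no}: {finding} ({var})")
```

Two things a real scanner does that this one skips are worth naming: escape_quotes only makes a value safe inside a quoted literal in the WHERE clause, so a proper tool ties each sanitizer to the sink class it covers, and it has to follow taint across call boundaries and conditional paths rather than one straight line of statements.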


Application Security Testing
Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee of finding all security issues in an application.
Spectrum of methods shown on the slide:
– Manual source code review
– Automated source code analysis
– Automated application vulnerability scanning
– Manual application penetration testing
SAST finds vulnerabilities by analyzing the sources; DAST finds vulnerabilities in the running application.


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs
Same spectrum as on the previous slide, from manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources) to automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application).
– SAP NetWeaver Application Server add-on for code vulnerability analysis
– Finding security issues at design time is easier and less expensive
Session SIS261 – Your Way to Secure ABAP Code: Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues
Security-related news from SAP (patches, whitepapers, etc.)
– Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
– Maintain a security contact in the SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news
Reporting product security issues
– Create a customer ticket in the support system
– If you do not have SAP support, send an e-mail to secure@sap.com
  – Please use PGP for e-mail encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes


Security Response at SAP
You have found a security vulnerability in an SAP product. What to do? Open a customer message.
How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
– Spotlight News
– the security notes released on the Security Patch Days
– subscription to the SAP Support Portal newsletter
– maintenance of a security contact in your organization
You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.


Security Topics in SAP Education Courses
Curricula
– SAP System Administration – User and Security
– SAP Governance, Risk & Compliance
Certification
– SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
– The Security Consultant Certification test verifies the participant’s profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
– Booking code: P_ADM_SEC_70
Topic: Course ID
– Authorizations AS ABAP: ADM940
– Authorizations AS Java / Portal: ADM200, EP200, ADM800
– Authorizations BW: BW365
– SAP NetWeaver Identity Management: ADM920
– Security Auditing: ADM950
– Technical Security (RFC, SSL, SNC, …): ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)
– Accepted in most of the major global markets
– Permits comparison between independent security evaluations
– Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
– A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs); EAL 4 is the highest internationally accepted level
Evaluation assurance levels:
– EAL 1: functionally tested
– EAL 2: structurally tested
– EAL 3: methodically tested and checked
– EAL 4: methodically designed, tested and reviewed
– EAL 5: semi-formally designed and tested
– EAL 6: semi-formally verified, designed and tested
– EAL 7: formally verified, designed and tested


Common Criteria Certified SAP Products
Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria
The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.
Certified products:
– SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
– SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On
Single Sign-On, Password Manager
Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)


Compliant Identity Management and Single Sign-On
SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
– Compliance and governance: SAP GRC Access Control
– Identity management: SAP NetWeaver Identity Management
– Authentication and single sign-on: SAP NetWeaver Single Sign-On


Compliant Identity Management and Single Sign-On
Single sign-on
– SAP GUI for Windows, SAP GUI for Java, Web applications
Integration capabilities
– Microsoft Active Directory Server
– Microsoft Certificate Store
Advanced SNC encryption
– Strong encryption of communication
Enterprise Single Sign-On for legacy systems
Support of additional authentication methods
– Smart cards
– RADIUS


SAP NetWeaver Identity Management and Single Sign-On
SAP NetWeaver Identity Management
– User and role management
– Provisioning to SAP and non-SAP systems
– Identity Center, Virtual Directory Server, Identity Services
– Integration with SAP GRC Access Control
– Identity federation
SAP NetWeaver Single Sign-On
– Single sign-on to SAP GUI and to SAP and non-SAP Web-based applications (Kerberos, X.509, SAML)
– Digital signatures, re-authentication
– Advanced encryption of SAP GUI for Windows communication
– Strong authentication (RADIUS, smart cards)
– RSA certification
– Coming with version 2.0: SPNEGO for ABAP (Kerberos support for Web-based access to ABAP), FIPS 140-2 certification for the crypto library
SNC Client Encryption (part of SAP NetWeaver)
– Basic encryption of the communication path between SAP Windows clients and SAP application servers
– No single sign-on


SAP NetWeaver Single Sign-On and Solution Components
– Web Access Management (partner): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
– Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
– Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
– Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password
– SNC Client Encryption (SAP NetWeaver): basic encryption between SAP Windows clients and SAP application servers; no single sign-on
– Partner API


EBS CA SiteMinder® – Web Access Management
Endorsed Business Solution with CA (CA SiteMinder):
– Dynamic authorization (SAP NetWeaver Java and non-SAP)
– Dynamic authentication (SAP NetWeaver Java and non-SAP)
– Social networking authentication (Facebook, Google, etc.)
– Cross-application and cross-domain session management
– Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
– User-to-application security for a heterogeneous application environment
– No client deployed to the desktop
The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common Web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?
Diagram: after a primary authentication, the E-SSO monitor automates the login of the user (here jack_jones) to a terminal emulator, a Web form, Web basic authentication, a Windows application and a Java application; the behaviour is configured through a local management console.


Secure Login – Solution Architecture
Client system
– SAP front end (NWBC, SAP GUI) with the Secure Login Client
– Web browser with key store and SLWC (applet)
– SAP or Java crypto library
SAP back-end system
– ABAP stack with Secure Login Library and PSE service
– Java stack
– Connections from the client: DIAG with SNC, HTTP(S)
Secure Login Server
– NetWeaver CE 7.2 with the Secure Login Library and configuration data
– Authentication server (e.g. SAP User Management) and further back-end systems

SAP NetWeaver Single Sign-On: Identity Federation
Session SIS264 – Security Assertion Markup Language 2.0: Single Sign-On and Identity Federation


Why Identity Federation?
– Different companies, one business process, separated IT infrastructure
Diagram: Company A (datacenter A: ERP, CRM, SCM, …) and Company B (datacenter B: ERP, CRM, SCM, …), plus systems in the cloud.


Identity Federation – Solution
Diagram: each company runs its own identity provider; every system (ERP, CRM, SCM) in datacenter A and datacenter B is a SAML service provider (SP); the two identity providers federate.
– Each company maintains only its own identities
– A company can trust the identities of another organization
– Employees of company A can get access to shared information of company B
– SAP Business Suite will be enabled for SAML (service provider)
– Identity provider and service provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On
Diagram: an identity provider on SAP NetWeaver Java, and service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own user account; log-on / log-off messages and the SAML token flow between them.
– The landscape consists of an identity provider and systems enabled via service providers (SAML)
– Web users trying to access a system will be redirected to the identity provider
– Once a user is authenticated by the identity provider, the user can access all systems (via service providers) without re-authentication
– Web browser-based single sign-on is user-centric
Trusting the identity provider does not remove the service provider's own work: each assertion it receives still has to be verified (signature, issuer, audience, validity period, one-time use) before the user is logged on.
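The service-provider side of the redirect flow above, as an added example written for this page and not SAP NetWeaver Single Sign-On code. To stay self-contained it uses a shared-key HMAC over the assertion fields where real SAML 2.0 uses an XML signature verified with the identity provider's certificate, and plain dicts where real SAML uses XML; the entity IDs, the 120-second clock skew and the 5-minute assertion lifetime are assumptions. The checks themselves (signature, issuer, audience, InResponseTo, validity window, one-time use) are the ones the standard requires.

```python
"""Minimal SAML-style browser SSO: AuthnRequest, assertion, SP-side validation."""
import hashlib
import hmac
import json
import secrets
import time

IDP_ENTITY_ID = "https://idp.example.com"        # assumed names
SP_ENTITY_ID = "https://erp.example.com/sp"
SHARED_KEY = b"stand-in-for-the-idp-signing-certificate"
CLOCK_SKEW = 120          # seconds of tolerance between IdP and SP clocks (assumption)
ASSERTION_LIFETIME = 300  # seconds (assumption)


def _sign(fields):
    """Stand-in for the XML signature: HMAC over a canonical encoding of the fields."""
    canon = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canon, hashlib.sha256).hexdigest()


class IdentityProvider:
    def authenticate_and_issue(self, user, request_id, audience, now=None):
        """Called after the user authenticated at the IdP; returns the signed assertion."""
        now = time.time() if now is None else now
        fields = {
            "id": "_" + secrets.token_hex(16),
            "issuer": IDP_ENTITY_ID,
            "subject": user,
            "audience": audience,          # the SP this assertion is meant for
            "in_response_to": request_id,  # ties it to one AuthnRequest
            "not_before": now - CLOCK_SKEW,
            "not_on_or_after": now + ASSERTION_LIFETIME,
        }
        return {"fields": fields, "signature": _sign(fields)}


class ServiceProvider:
    def __init__(self):
        self.outstanding = {}        # request_id -> URL the user originally asked for
        self.seen_assertions = set()  # assertion IDs already consumed

    def start_login(self, target_url):
        """Step 1: user hits a protected URL; SP redirects to the IdP with an AuthnRequest."""
        request_id = "_" + secrets.token_hex(16)
        self.outstanding[request_id] = target_url
        return request_id

    def consume(self, assertion, now=None):
        """Step 2: the browser posts the assertion back. Returns (subject, target_url)
        or raises ValueError naming the first failed check."""
        now = time.time() if now is None else now
        f = assertion["fields"]
        if not hmac.compare_digest(_sign(f), assertion["signature"]):
            raise ValueError("signature")
        if f["issuer"] != IDP_ENTITY_ID:
            raise ValueError("issuer")
        if f["audience"] != SP_ENTITY_ID:
            raise ValueError("audience")
        if f["in_response_to"] not in self.outstanding:
            raise ValueError("in_response_to")     # unsolicited or already used request
        if now < f["not_before"] - CLOCK_SKEW or now >= f["not_on_or_after"] + CLOCK_SKEW:
            raise ValueError("validity_window")
        if f["id"] in self.seen_assertions:
            raise ValueError("replay")
        self.seen_assertions.add(f["id"])
        target = self.outstanding.pop(f["in_response_to"])
        return f["subject"], target


def check(sp, assertion, now=None):
    """Return None when the SP accepts the assertion, else the name of the failed check."""
    try:
        sp.consume(assertion, now=now)
        return None
    except ValueError as exc:
        return str(exc)
```

The order of the checks is deliberate: the signature is verified before any field is trusted, and the assertion ID is recorded only after every other check passed, so a rejected assertion cannot poison the replay cache.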

SAP NetWeaver Identity Management
Session SIS105 – SAP NetWeaver Identity Management 7.2: New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)


SAP NetWeaver Identity Management
Diagram: SAP NetWeaver Identity Management with a central identity store, fed by business processes such as on-boarding and integrated with SAP Access Control (GRC) for compliance checks and with the SAP Business Suite.
– Password management
– Provisioning to SAP and non-SAP systems
– Identity management monitoring & audit
– Rule-based assignment of business roles
– Identity virtualization and identity as a service
– Approval workflows
– Central identity store
– Compliance checks through GRC
– SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2
Identity Center
– IC database (either MS SQL Server or Oracle; soon IBM DB2) with stored procedures, logs, audit and the identity store (IdS)
– Runtime (Java) and Runtime (VB), DSE (VB), Dispatcher (VB); the Event Agent starts jobs
– Management Console (MMC, soon to be Eclipse), connected via the database protocol
– User interface on AS Java (Web Dynpro, ID Mgmt UI abstraction), connected via HTTPS; JMX
Virtual Directory Server (VDS)
– Runs in a Java VM on AS Java; accessed via LDAP
External repositories
– LDAP, Java, ABAP, Web services, Active Directory, etc.
External applications
– SAP HR, LDAP / Web services, etc., SiteMinder, application-specific connectors

Compliant Identity Management with SAP GRC Access Control
Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management
The sequence of slides builds up the following flow between the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control:
1. The user requests a role, privileges, a user account, …
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, …
3. Approval is granted by the manager, delegate, role owner, application owner, …
4. The request is sent for risk analysis to SAP GRC Access Control (approvers: manager, delegate, role owner, application owner, …)
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, …
6. Provisioning to business applications, non-SAP systems, …, and an approval mail is sent to the user
Result: compliant identity management.
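The decision in steps 4 and 5 above, and the HR-event-driven variant in the example customer scenario earlier on this page, reduced to code as an added example written for this page (it is not SAP NetWeaver Identity Management or SAP GRC Access Control code). The position-to-role mapping, the separation-of-duties (SoD) rules, the privilege mapping and the target-system names are constructed sample data.

```python
"""HR-event-driven provisioning with an SoD risk check before anything is written."""
from dataclasses import dataclass, field

# Constructed sample data: which business roles a position entitles its holder to.
POSITION_ROLES = {
    "AP_CLERK": {"AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "BUYER": {"PO_CREATE"},
}
# Constructed SoD rules: rule ID -> (conflicting role set, description).
SOD_RULES = {
    "R001": ({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "enter an invoice and release its payment"),
    "R002": ({"PO_CREATE", "GOODS_RECEIPT"}, "create a purchase order and post its goods receipt"),
}
# Each business role maps to concrete privileges in one or more target systems.
ROLE_PRIVILEGES = {
    "AP_INVOICE_ENTRY": {"ERP": "Z_AP_ENTRY", "AD": "grp-ap-entry"},
    "AP_PAYMENT_RELEASE": {"ERP": "Z_AP_RELEASE"},
    "PO_CREATE": {"ERP": "Z_MM_PO", "SRM": "BUYER"},
    "GOODS_RECEIPT": {"ERP": "Z_MM_GR"},
}


@dataclass
class Request:
    user: str
    event: str                 # "new_hire" or "change_position"
    position: str
    current_roles: set = field(default_factory=set)
    manager_approved: bool = False
    mitigated: set = field(default_factory=set)   # rule IDs with an accepted mitigating control


def calculate_entitlements(position):
    """Step 'calculate entitlements based on position' of the customer scenario."""
    return set(POSITION_ROLES.get(position, ()))


def sod_violations(roles):
    """IDs of every SoD rule whose conflicting role set is fully contained in `roles`."""
    return {rid for rid, (conflict, _) in SOD_RULES.items() if conflict <= roles}


def process(req):
    """Entitlements -> manager approval -> risk analysis -> provisioning.
    Returns (status, provisioning_actions); actions are empty unless status is 'provisioned'."""
    target = calculate_entitlements(req.position)
    # A position change keeps the existing roles in this sample. That is exactly why the
    # risk check must run on the resulting total set, not only on the roles being added:
    # otherwise conflicts accumulate across job moves without ever being flagged.
    desired = target if req.event == "new_hire" else req.current_roles | target
    if not req.manager_approved:
        return "awaiting_approval", []
    unmitigated = sod_violations(desired) - req.mitigated
    if unmitigated:
        return "rejected_sod:" + ",".join(sorted(unmitigated)), []
    actions = []
    if req.event == "new_hire":
        actions.append(("ALL", "create_user", req.user))
    for role in sorted(desired - req.current_roles):
        for system, privilege in sorted(ROLE_PRIVILEGES[role].items()):
            actions.append((system, "assign", privilege))
    return "provisioned", actions


if __name__ == "__main__":
    move = Request("JSMITH", "change_position", "AP_MANAGER",
                   current_roles={"AP_INVOICE_ENTRY"}, manager_approved=True)
    print(process(move))                       # rejected: R001
    move.mitigated = {"R001"}
    print(process(move))                       # provisioned after mitigation
```

The example also shows why "mitigate" is a distinct outcome in step 5: a mitigating control accepted by the compliance team lets a known conflict through for that user without weakening the rule for everyone else.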

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January to March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


SAP Product Innovation Lifecycle

Phases: INVENT, DEFINE, DEVELOP, DEPLOY, OPTIMIZE. Quality gates sit at the transitions "planning to development", "development to production" and "production to ramp-up".

Secure software development is embedded in the Product Innovation Lifecycle:
- We train developers on secure software development
- We plan and implement security using product standard requirements
- We use state-of-the-art quality assurance methods
- We verify in quality gates that requirements are met
- We provide fixes via Product Security Response if vulnerabilities are identified
- We provide Active Global Support and consulting security services

Protecting Your SAP Systems

Three pillars (diagram): secure software development, security services and security management, involving SAP and SAP customers.

SAP Security Services Overview (1/2)

SAP Security Patch Day
- SAP security notes, second Tuesday every month

SAP Active Global Support security tools and services
- SAP Solution Manager System Recommendations
- SAP EarlyWatch Alert (EWA) with security section
- SAP Solution Manager Configuration Validation
- SAP Security Optimization Service (SOS)

SAP security consulting services

SAP Security Services Overview (2/2)

SAP Security Training
- Secure operation trainings by SAP
- Secure development trainings by partners

SAP Security Documentation
- Security notes published on SAP Service Marketplace
- SAP security guides for every product
- SAP security recommendations on some patch days
- Secure programming guides
- RunSAP end-to-end solution operations
- Books published by SAP Press

Protecting Your SAP Systems (section divider: secure software development, security services, security management)

SAP Security Management for Your Systems: are you ready?

- Do you have management support for SAP security?
- Do you have defined responsibilities for SAP security?
- Do you have a security contact maintained in the SAP Service Marketplace (SMP)?
- Do you have standards and guidelines for SAP security?
- Do you have know-how in security operations?
- Do you have know-how in secure development?
- Do you have know-how in authorizations and segregation of duties (SoD)?
- Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
- Network filtering
- SAP GUI for Windows
- Limit web-enabled content
- SAP Gateway and SAP Message Server security
- Secure Network Communication (SNC) and HTTPS
- ABAP RFC connectivity
- Password management: password policy, password hashes, default passwords
- Secure session handling

Patch Management and Security Monitoring

- Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager.
- Verify release information and configuration parameters against targets for all systems connected to Solution Manager (Configuration Validation).
- Evaluate SAP security notes every patch day: the most important notes that can be applied automatically are checked, and the result is presented (System Recommendations).
- Manage SAP security notes for all systems connected to Solution Manager.

Session SIS103 - Security Control Center by SAP Active Global Support
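The "verify configuration parameters against targets" step of the two slides above, as an added example that is not part of the original deck and not SAP code: a constructed snapshot of AS ABAP profile parameters (as an administrator could export them from RZ11 or a Configuration Validation extract) is compared with a target baseline. The parameter names are real AS ABAP parameters; the target values are assumptions in the spirit of SAP's secure configuration recommendations, not an official baseline.

```python
"""Profile parameter baseline check for SAP NetWeaver AS ABAP.

Added illustration, not SAP code. Parameter names are real; the targets
below are assumptions that mirror common hardening advice, not an official
SAP baseline. A parameter that is absent from the snapshot is reported as
"missing" rather than assumed secure, because an unmaintained parameter
keeps the kernel default, which is often the weak historical value.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# parameter -> (predicate on the actual value, expectation shown in the report)
BASELINE: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "login/min_password_lng": (lambda v: int(v) >= 8, ">= 8"),
    "login/password_downwards_compatibility": (lambda v: int(v) == 0, "= 0 (no downward-compatible hashes)"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1, "= 1 (no automatic SAP* logon)"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5, "1..5 failed logons before lock"),
    "login/ticket_only_by_https": (lambda v: int(v) == 1, "= 1 (logon tickets only over HTTPS)"),
    "icf/set_HTTPonly_flag_on_cookies": (lambda v: int(v) == 0, "= 0 (HttpOnly on all ICF cookies)"),
    "http/security_session_timeout": (lambda v: 0 < int(v) <= 3600, "1..3600 seconds"),
    "gw/acl_mode": (lambda v: int(v) == 1, "= 1 (gateway ACL enforced)"),
    "snc/enable": (lambda v: int(v) == 1, "= 1 (SNC active)"),
    "rsau/enable": (lambda v: int(v) == 1, "= 1 (security audit log active)"),
}


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: str        # "" when the parameter is not in the snapshot
    expected: str
    status: str        # "ok", "deviation" or "missing"


def check_profile(snapshot: Dict[str, str],
                  baseline: Dict[str, Tuple[Callable[[str], bool], str]] = BASELINE) -> List[Finding]:
    """Compare one system's parameters with the baseline, one finding per target."""
    findings: List[Finding] = []
    for name, (accept, expectation) in baseline.items():
        if name not in snapshot:
            findings.append(Finding(name, "", expectation, "missing"))
            continue
        value = snapshot[name].strip()
        try:
            ok = bool(accept(value))
        except ValueError:          # non-numeric garbage in a numeric parameter
            ok = False
        findings.append(Finding(name, value, expectation, "ok" if ok else "deviation"))
    return findings


def deviations(snapshot: Dict[str, str]) -> List[str]:
    """Parameters that need attention (deviating or missing), in baseline order."""
    return [f.parameter for f in check_profile(snapshot) if f.status != "ok"]


# Constructed snapshot of a system still running with several release defaults.
SAMPLE_SYSTEM: Dict[str, str] = {
    "login/min_password_lng": "6",
    "login/password_downwards_compatibility": "1",
    "login/no_automatic_user_sapstar": "1",
    "login/fails_to_user_lock": "5",
    "login/ticket_only_by_https": "0",
    "icf/set_HTTPonly_flag_on_cookies": "0",
    "http/security_session_timeout": "1800",
    "gw/acl_mode": "1",
    "snc/enable": "0",
    # "rsau/enable" deliberately absent: never maintained in the profile
}

if __name__ == "__main__":
    for f in check_profile(SAMPLE_SYSTEM):
        shown = f.actual or "<unset>"
        print(f"{f.status:9} {f.parameter:42} actual={shown:8} expected {f.expected}")
```

Run against the constructed snapshot, the report flags the six-character password minimum, the downward-compatible hashes, logon tickets over plain HTTP, SNC switched off and the never-maintained audit log parameter; everything else passes. The same loop works unchanged over an export of many systems, which is what Configuration Validation does for all systems connected to Solution Manager.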

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
- Easy-to-use, light-weight tool: short startup time, small memory footprint
- List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00, each task available in two flavors, one for ABAP and one for Java application servers:
  - SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  - SSL Profile Validation: validates parameter settings for secure sessions
  - SSL Maintenance: performs the configuration and describes the required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Protecting Your SAP Systems (section divider: secure software development, security services, security management)

Secure Custom Development: Secure Design

Secure design
- Authentication and identity propagation
- Secure session handling
- Communication protocols
- Authorization concept
- Logging and audit trace

Resources: SAP security recommendations, SAP security guides

How to verify: design review, architectural risk analysis

Secure Custom Development: Secure Programming

Secure programming: avoid security bugs
- Cross-site scripting (XSS)
- Cross-site request forgery (XSRF)
- SQL injection
- Directory traversal
- ABAP code injection

Resources: SAP Secure Programming Guides, SAP Security Recommendations

How to verify: source code scanning, and automate it
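Two of the bug classes listed above, each in a vulnerable and a hardened form, as an added example that is not part of the original deck and not SAP code. It is written in Python with sqlite3 rather than ABAP so that it runs stand-alone; the vendor table, file names and directories are constructed, and the ABAP counterparts (dynamic WHERE clauses, CL_ABAP_DYN_PRG, logical file names) are named in the comments.

```python
"""SQL injection through a dynamically built WHERE clause, and directory
traversal through a user-supplied file name: vulnerable and hardened forms.

Added illustration, not SAP code and not ABAP; all data is constructed.
"""
import sqlite3
import tempfile
from pathlib import Path
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed vendor table standing in for vendor master data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendors (id INTEGER, name TEXT, country TEXT)")
    con.executemany("INSERT INTO vendors VALUES (?, ?, ?)", [
        (1, "Alpha GmbH", "DE"), (2, "Beta Ltd", "GB"), (3, "Gamma SAS", "FR"),
    ])
    return con


# --- SQL injection ---------------------------------------------------------
def vendors_vulnerable(con: sqlite3.Connection, country: str) -> List[Tuple[int, str]]:
    # User input is concatenated into the statement. The ABAP analogue is
    # building lv_where from screen input and using SELECT ... WHERE (lv_where).
    where = "country = '" + country + "'"
    return con.execute("SELECT id, name FROM vendors WHERE " + where).fetchall()


ALLOWED_COLUMNS = {"country", "name"}   # the only identifiers a caller may pick


def vendors_hardened(con: sqlite3.Connection, column: str, value: str) -> List[Tuple[int, str]]:
    # Identifiers cannot be bound as parameters, so the column is checked against
    # an allow-list (cl_abap_dyn_prg=>check_whitelist_str in ABAP); the value is
    # bound, never concatenated (cl_abap_dyn_prg=>quote when it must be a literal).
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    return con.execute(f"SELECT id, name FROM vendors WHERE {column} = ?", (value,)).fetchall()


def column_rejected(con: sqlite3.Connection, column: str) -> bool:
    """True when the hardened query refuses the column name."""
    try:
        vendors_hardened(con, column, "DE")
        return False
    except ValueError:
        return True


# --- Directory traversal ---------------------------------------------------
def read_report_vulnerable(base: Path, name: str) -> str:
    # "../secret.txt" walks out of the report directory.
    return (base / name).read_text()


def read_report_hardened(base: Path, name: str) -> str:
    # Canonicalise both paths (".." and symlinks resolved) and require the target
    # to lie below the base directory. ABAP offers logical file names (transaction
    # FILE) validated with function module FILE_VALIDATE_NAME for the same purpose.
    root = base.resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes {root}: {name!r}")
    return target.read_text()


def traversal_demo() -> Tuple[str, str, bool]:
    """(what the vulnerable reader leaks, what the hardened reader returns for a
    legitimate name, whether the hardened reader blocked the traversal)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "reports"
        base.mkdir()
        (base / "q3.txt").write_text("quarterly report")
        (Path(tmp) / "secret.txt").write_text("outside the report directory")
        leaked = read_report_vulnerable(base, "../secret.txt")
        legit = read_report_hardened(base, "q3.txt")
        try:
            read_report_hardened(base, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
    return leaked, legit, blocked


if __name__ == "__main__":
    con = make_db()
    payload = "DE' OR '1'='1"
    print("vulnerable:", vendors_vulnerable(con, payload))             # every vendor
    print("hardened:  ", vendors_hardened(con, "country", payload))    # nothing matches
    print("traversal: ", traversal_demo())
```

The injected value turns the vulnerable query into `WHERE country = 'DE' OR '1'='1'` and returns the whole table; the hardened variant treats the same string as a literal and finds no vendor by that name, and it refuses any column name outside the allow-list, which is exactly the check a source code scanner (ATC with the code vulnerability analysis add-on, next slide) looks for in dynamic ABAP.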

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

- ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
- Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
- Extended Program Check (SLIN): extended program check that analyzes the source code
- SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in the form of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST guarantees that all security issues in an application are found.

Four approaches (diagram):
- Manual source code review (SAST)
- Automated source code analysis (SAST)
- Automated application vulnerability scanning (DAST)
- Manual application penetration testing (DAST)

SAST finds vulnerabilities by analyzing the sources; DAST finds vulnerabilities in the running application.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

Same four approaches as on the previous slide (manual source code review, automated source code analysis, automated application vulnerability scanning, manual application penetration testing; SAST finds vulnerabilities by analyzing the sources, DAST finds them in the running application). The SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to automated source code analysis: finding security issues at design time is easier and less expensive.

Session SIS261 - Your Way to Secure ABAP Code - Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications, sent out for very important security-related news

Reporting product security issues
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com; please use PGP for email encryption (the public PGP key is linked at https://service.sap.com/securitynotes)

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the second Tuesday of every month).

You want to keep yourself up to date about security response practices in general:
- Go to the SAP Service Marketplace for Spotlight News
- Check the security notes released on the Security Patch Days
- Subscribe to the SAP Support Portal newsletter
- Maintain a security contact in your organization

You will find all links and more information on security response via the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
- SAP System Administration: User and Security
- SAP Governance, Risk & Compliance

Certification: SAP Certified Technology Professional - Security with SAP NetWeaver 7.0 (booking code P_ADM_SEC_70). The Security Consultant certification test verifies the participant's profound knowledge in the area of SAP NetWeaver security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.

Courses by topic:

  Topic                                     Course ID
  Authorizations AS ABAP                    ADM940
  Authorizations AS Java / Portal           ADM200, EP200, ADM800
  Authorizations BW                         BW365
  SAP NetWeaver Identity Management         ADM920
  Security Auditing                         ADM950
  Technical Security (RFC, SSL, SNC, ...)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO/IEC 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level mutually recognized internationally (under the Common Criteria Recognition Arrangement)

Evaluation assurance levels:

  EAL 1   Functionally tested
  EAL 2   Structurally tested
  EAL 3   Methodically tested and checked
  EAL 4   Methodically designed, tested and reviewed
  EAL 5   Semi-formally designed and tested
  EAL 6   Semi-formally verified design and tested
  EAL 7   Formally verified design and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Republic of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France. See https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On (section divider)
Single Sign-On, Password Manager

Session SIS200 - SAP NetWeaver Single Sign-On Overview and Latest News (lecture, 1 hr)
Session SIS265 - Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
- Compliance and governance: SAP GRC Access Control
- Identity management: SAP NetWeaver Identity Management
- Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
- Identity federation
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner solution, via API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
- Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
- Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On: E-SSO for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA (CA SiteMinder):
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: after the primary authentication, the E-SSO client supplies the stored user name and password (user jack_jones) to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; an E-SSO monitor and a local management console complete the picture.

Secure Login: Solution Architecture

Diagram components:
- Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with the Secure Login Web Client (SLWC, applet); key store; SAP or Java crypto library
- SAP backend system: ABAP stack with the Secure Login Library and PSE service; Java stack
- Secure Login Server on SAP NetWeaver CE 7.2 with its configuration data
- Further backend systems and an authentication server (e.g. SAP user management)
- Protocols shown: DIAG over SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation (section divider)

Session SIS264 - Security Assertion Markup Language 2.0 - Single Sign-On and Identity Federation

Why Identity Federation?

Diagram: different companies (Company A in Datacenter A, Company B in Datacenter B, plus the cloud), one business process, separated IT infrastructure; each side runs its own ERP, CRM and SCM systems.

Identity Federation: Solution

Diagram: the ERP, CRM and SCM systems in Datacenter A and Datacenter B act as service providers (SP); each company runs its own identity provider; identity federation links the two identity providers.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (service provider)
- Identity provider and service provider are based on the open SAML standard

Identity Provider: Web Browser-Based Single Sign-On

Diagram: an identity provider on SAP NetWeaver Java holds the user account; service providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems each hold their own user account; the browser logs on and off at the identity provider and presents a SAML token to the service providers.

- The landscape consists of an identity provider and systems enabled via service providers (SAML)
- Web users trying to access a system are redirected to the identity provider
- Once a user is authenticated by the identity provider, the user can access all systems (via their service providers) without re-authentication
- Web browser-based single sign-on is user-centric
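The exchange described above from the service provider's side, as an added example that is not part of the original deck and not SAP's SAML implementation: a toy identity provider issues an assertion in answer to the request the SP redirected with, and the SP's assertion consumer performs the checks that decide whether the user gets in without re-authenticating. Entity IDs, the signing key and the user name are constructed, and the XML Signature of real SAML 2.0 is replaced by an HMAC over the serialised assertion so the block runs with the standard library only; a real SP verifies the XML-DSig with the IdP's certificate from its metadata, and the content checks (issuer, validity window, audience, InResponseTo, replay) are the same.

```python
"""Service-provider-side validation of a SAML 2.0 browser SSO assertion.

Added example, not SAP code. HMAC stands in for XML-DSig; entity IDs,
key and user are constructed.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Set, Tuple

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_ENTITY_ID = "https://idp.example.com/saml2"          # assumed
SP_ENTITY_ID = "https://erp.example.com/sap/saml2/sp"    # assumed
IDP_KEY = b"demo-idp-signing-key"                        # stand-in for the IdP's private key


def q(tag: str) -> str:
    return f"{{{NS}}}{tag}"


def iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_iso(s: str) -> float:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def issue_assertion(subject: str, in_response_to: str, now: float,
                    audience: str = SP_ENTITY_ID, key: bytes = IDP_KEY) -> Tuple[bytes, str]:
    """IdP side: build and sign the assertion after the user authenticated there."""
    a = ET.Element(q("Assertion"), ID="_" + secrets.token_hex(8), IssueInstant=iso(now))
    ET.SubElement(a, q("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID")).text = subject
    conf = ET.SubElement(subj, q("SubjectConfirmation"))
    ET.SubElement(conf, q("SubjectConfirmationData"), InResponseTo=in_response_to)
    cond = ET.SubElement(a, q("Conditions"), NotBefore=iso(now - 60), NotOnOrAfter=iso(now + 300))
    ET.SubElement(ET.SubElement(cond, q("AudienceRestriction")), q("Audience")).text = audience
    xml = ET.tostring(a)
    return xml, hmac.new(key, xml, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, entity_id: str = SP_ENTITY_ID, idp_key: bytes = IDP_KEY):
        self.entity_id = entity_id
        self.idp_key = idp_key
        self.outstanding: Set[str] = set()   # AuthnRequest IDs sent to the IdP, not yet answered
        self.accepted: Set[str] = set()      # assertion IDs already consumed (replay protection)

    def start_login(self) -> str:
        """Browser hits a protected URL: remember the request ID we redirect with."""
        request_id = "_" + secrets.token_hex(8)
        self.outstanding.add(request_id)
        return request_id

    def consume(self, xml: bytes, signature: str, now: float) -> str:
        """Assertion consumer service: every check must pass before a session is created."""
        expected = hmac.new(self.idp_key, xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("signature does not verify")
        a = ET.fromstring(xml)
        if a.findtext(q("Issuer")) != IDP_ENTITY_ID:
            raise ValueError("untrusted issuer")
        cond = a.find(q("Conditions"))
        if not (from_iso(cond.get("NotBefore")) <= now < from_iso(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        if cond.findtext(f"{q('AudienceRestriction')}/{q('Audience')}") != self.entity_id:
            raise ValueError("assertion is for another service provider")
        data = a.find(f"{q('Subject')}/{q('SubjectConfirmation')}/{q('SubjectConfirmationData')}")
        in_response_to = data.get("InResponseTo")
        if in_response_to not in self.outstanding:
            raise ValueError("unsolicited response or unknown request ID")
        if a.get("ID") in self.accepted:
            raise ValueError("assertion replayed")
        self.outstanding.discard(in_response_to)
        self.accepted.add(a.get("ID"))
        return a.findtext(f"{q('Subject')}/{q('NameID')}")


def rejects(sp: ServiceProvider, xml: bytes, signature: str, now: float) -> bool:
    """True when the SP refuses the assertion."""
    try:
        sp.consume(xml, signature, now)
        return False
    except ValueError:
        return True


def sso_round_trip(now: float = 1_380_000_000.0) -> str:
    """SP-initiated flow: redirect, authenticate at the IdP, consume the assertion."""
    sp = ServiceProvider()
    request_id = sp.start_login()
    xml, sig = issue_assertion("jack_jones", request_id, now)
    return sp.consume(xml, sig, now)


if __name__ == "__main__":
    print("logged on as", sso_round_trip())
```

Every check protects against a different misuse of the token: the signature against tampering, the validity window against old assertions, the audience against an assertion issued for another SP being presented here, InResponseTo against unsolicited responses, and the consumed-ID set against a captured assertion being replayed within its window. An SP that skips any one of them re-opens the corresponding hole even though "the SAML is valid".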

SAP NetWeaver Identity Management (section divider)

Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (hands-on, 2 hr)
Session SIS263 - Advanced Features of SAP NW IdM: Context-Based Role Assignments (hands-on, 2 hr)

SAP NetWeaver Identity Management

Diagram: SAP NetWeaver Identity Management around a central identity store, integrated with SAP Access Control (GRC) for compliance checks and with the SAP Business Suite (e.g. on-boarding).

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central identity store
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram components:
- Identity Center (IC) database: MS SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit and identity store (IdS)
- Runtime components: Java runtime, VB runtime, dispatcher and DSE (VB); the event agent starts them
- Virtual Directory Server (VDS) in a Java VM, reached via LDAP, connecting to external repositories (database protocol, LDAP, Java, ABAP, web services, Active Directory, etc.) and external applications (SAP HR, LDAP/web services, SiteMinder, application-specific connectors)
- AS Java hosting the identity management UI (Web Dynpro, ID Mgmt UI abstraction), connected over HTTPS; JMX
- Management console (MMC), soon to be Eclipse-based

Compliant Identity Management with SAP GRC Access Control (section divider)

Session SIS205 - Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Request-to-provisioning flow (the deck shows the same diagram on seven slides, adding one step each time; actors are the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control):

1. The user requests a role, privileges, a user account, ... in SAP NetWeaver Identity Management
2. The request is sent for approval to the manager, delegate, role owner, application owner, ...
3. Approval is granted by the manager, delegate, role owner, application owner, ...
4. The request is sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, ...
6. Provisioning to business applications, non-SAP systems, ..., and an approval mail is sent to the user

Result: compliant identity management.

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with enterprise SSO and web SSO
- Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0: Architecture

Diagram components:
- SAP NetWeaver AS ABAP 7.02 hosting Access Control, Process Control and Risk Management (software component GRCFND_A) and Content Lifecycle Management (CLM); this is SAP GRC 10.0
- SAP ERP (4.6C to 7.1), connected via RFC, with plug-ins: NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP)
- Non-SAP business applications via adapter (optional)
- SAP NW Portal 7.02 with GRC portal content (optional); SAP NW BW 7.02 with GRC BI content (optional); SAP NW Java 7.02 with Adobe Document Services (optional)
- Identity management solutions (SAP or non-SAP) via web services (optional)
- Front-end client: SAP GUI 7.10 (DIAG), web browser (HTTP), Adobe Flash Player, SAP CR adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

Flow (diagram): the HR application raises an event (new hire, change of position) → identity management calculates entitlements based on the position → the line manager approves the assignments (no: stop; yes: continue) → SAP GRC Access Control runs the compliance check and remediation → user creation and role/privilege assignment across the heterogeneous landscape
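The scenario above end to end, as an added example that is not part of the original deck and not SAP code: an HR event triggers the entitlement calculation, the line manager's decision is recorded, the resulting role set runs through a segregation-of-duties check before anything is provisioned, and a risk that has an approved mitigating control does not block. The position-to-role mapping, the SoD rule set (two made-up vendor/payment conflicts) and the users are constructed; GRC Access Control's real rule format and risk IDs are not reproduced.

```python
"""HR-event-driven role assignment with an access risk check before provisioning.

Added example, not SAP code and not the GRC rule format; all data constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Business roles derived from the HR position (constructed).
POSITION_ROLES: Dict[str, Set[str]] = {
    "AP_CLERK":      {"Z_VENDOR_INVOICE_POST", "Z_DISPLAY_VENDOR"},
    "AP_SUPERVISOR": {"Z_VENDOR_INVOICE_POST", "Z_PAYMENT_RUN", "Z_DISPLAY_VENDOR"},
    "MASTER_DATA":   {"Z_VENDOR_MAINTAIN", "Z_DISPLAY_VENDOR"},
}

# Segregation-of-duties rules: a risk fires when one user holds both roles (constructed).
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("Z_VENDOR_MAINTAIN", "Z_VENDOR_INVOICE_POST"),  # create a vendor and post its invoices
    "P002": ("Z_VENDOR_INV0ICE_POST".replace("0", "O"), "Z_PAYMENT_RUN"),  # post an invoice and pay it
}


@dataclass
class Identity:
    user: str
    position: str = ""
    roles: Set[str] = field(default_factory=set)        # everything currently provisioned
    mitigations: Set[str] = field(default_factory=set)  # risk IDs covered by an approved mitigating control


def entitlements_for(position: str) -> Set[str]:
    return set(POSITION_ROLES.get(position, set()))


def risk_analysis(roles: Set[str]) -> List[str]:
    """IDs of every SoD rule the role set violates, in rule order."""
    return [rid for rid, (a, b) in SOD_RULES.items() if a in roles and b in roles]


def process_hr_event(identity: Identity, event: str, new_position: str,
                     manager_approved: bool) -> Tuple[str, Set[str], List[str]]:
    """One pass through the flow. Returns (outcome, roles now provisioned, open risk IDs)."""
    if event not in ("new_hire", "change_position"):
        raise ValueError(f"unknown HR event: {event}")
    if not manager_approved:
        return "rejected by line manager", set(identity.roles), []
    # Mover: roles that came with the old position are withdrawn before the new
    # entitlements are calculated; directly assigned roles are kept and re-checked.
    retained = set(identity.roles)
    if event == "change_position":
        retained -= entitlements_for(identity.position)
    target = retained | entitlements_for(new_position)
    open_risks = [r for r in risk_analysis(target) if r not in identity.mitigations]
    if open_risks:
        # Compliance check failed: nothing is provisioned until the request is
        # modified, rejected or mitigated (step 5 of the flow on the earlier slides).
        return "remediation required", set(identity.roles), open_risks
    identity.roles, identity.position = target, new_position
    return "provisioned", set(identity.roles), []


if __name__ == "__main__":
    alice = Identity("alice")
    print(process_hr_event(alice, "new_hire", "AP_CLERK", True))
    bob = Identity("bob")
    print(process_hr_event(bob, "new_hire", "AP_SUPERVISOR", True))   # P002 blocks
    bob.mitigations.add("P002")                                       # control approved
    print(process_hr_event(bob, "new_hire", "AP_SUPERVISOR", True))
```

The mover case is the one worth noting: a user leaving the master-data team for accounts payable keeps a directly assigned payment-run role, and it is the combination of that leftover with the new position's invoice-posting role that the check catches. Removing only the old position's roles and re-running the analysis on the full target set is what turns a provisioning workflow into a compliant one.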

Moving Security to the Next Level (section divider)

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 56: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 56

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

SAP Security Services Overview (1/2)

• SAP Security Patch Day: SAP security notes, second Tuesday every month
• SAP Active Global Support: security tools and services
  – SAP Solution Manager System Recommendations
  – SAP EarlyWatch Alert (EWA) with security section
  – SAP Solution Manager Configuration Validation
  – SAP Security Optimization Service (SOS)
• SAP security consulting services

SAP Security Services Overview (2/2)

• SAP Security Training
  – Secure operation trainings by SAP
  – Secure development trainings by partners
• SAP Security Documentation
  – Security notes published on Service Marketplace
  – SAP security guides for every product
  – SAP security recommendations on some patch days
  – Secure programming guides
  – RunSAP end-to-end solution operations
  – Books published by SAP Press

Protecting Your SAP Systems (section divider: Security Services, Security Management, Secure Software Development)

SAP Security Management for Your Systems – Are you ready?

• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP (SAP Service Marketplace)?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD (segregation of duties)?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration – SAP NetWeaver AS ABAP

Topics from the SAP security recommendations (discussed later in this session):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely, or as a self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day: the most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

• The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00 – each task available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs the configuration and describes the required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
• For more information see SAP Note 1532674
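The three slides above describe the same control from three angles: a list of secure-configuration topics, a validation of configuration parameters against targets for every connected system, and an SSL profile validation. The script below is an added example (not SAP's Configuration Validation or LM Automation code) that shows what such a target comparison looks like on a profile fragment. The parameter names are real AS ABAP profile parameters; the target values and the profile contents are assumptions constructed for the example, modelled on the kind of recommendation in the secure-configuration guidance.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed instance profile fragment. Parameter names are real AS ABAP
# profile parameters; the values are made up to show a non-compliant system.
SAMPLE_PROFILE = """\
# DEV instance profile (constructed example, not a real system)
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/password_downwards_compatibility = 1
login/no_automatic_user_sapstar = 0
gw/sec_info = $(DIR_DATA)/secinfo
gw/reg_info = $(DIR_DATA)/reginfo
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'parameter = value' lines; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)      # values may themselves contain '='
        params[key.strip()] = value.strip()
    return params


@dataclass
class Target:
    parameter: str                                   # parameter (or family) validated
    expectation: str                                 # human-readable target
    compliant: Callable[[Dict[str, str]], bool]      # True when the system meets it


def _int_at_least(name: str, minimum: int) -> Callable[[Dict[str, str]], bool]:
    return lambda p: name in p and p[name].isdigit() and int(p[name]) >= minimum


def _equals(name: str, expected: str) -> Callable[[Dict[str, str]], bool]:
    return lambda p: p.get(name) == expected


def _https_port_configured(p: Dict[str, str]) -> bool:
    # icm/server_port_<n> = PROT=HTTPS,PORT=<port> defines an HTTPS listener
    return any(k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()
               for k, v in p.items())


# Target values are an assumption of this example, not SAP's published figures.
TARGETS: List[Target] = [
    Target("login/min_password_lng", ">= 8",
           _int_at_least("login/min_password_lng", 8)),
    Target("login/password_downwards_compatibility", "= 0 (no downward-compatible hashes)",
           _equals("login/password_downwards_compatibility", "0")),
    Target("login/no_automatic_user_sapstar", "= 1 (no automatic SAP* logon)",
           _equals("login/no_automatic_user_sapstar", "1")),
    Target("snc/enable", "= 1 (SNC active)", _equals("snc/enable", "1")),
    Target("gw/sec_info", "maintained", lambda p: bool(p.get("gw/sec_info"))),
    Target("gw/reg_info", "maintained", lambda p: bool(p.get("gw/reg_info"))),
    Target("icm/server_port_*", "at least one PROT=HTTPS port", _https_port_configured),
]


def validate(params: Dict[str, str]) -> List[dict]:
    """Return one finding per target the system does not meet."""
    findings = []
    for t in TARGETS:
        if not t.compliant(params):
            findings.append({"parameter": t.parameter, "expected": t.expectation,
                             "actual": params.get(t.parameter, "<not set>")})
    return findings


def compliance_report(profile_text: str) -> dict:
    """Parse a profile and compare it against the target list."""
    params = parse_profile(profile_text)
    findings = validate(params)
    return {"system": params.get("SAPSYSTEMNAME", "?"), "checked": len(TARGETS),
            "failed": len(findings), "findings": findings}


if __name__ == "__main__":
    report = compliance_report(SAMPLE_PROFILE)
    print(f"{report['system']}: {report['failed']} of {report['checked']} targets failed")
    for f in report["findings"]:
        print(f"  {f['parameter']}: expected {f['expected']}, actual {f['actual']}")
```

The same structure scales to a landscape: run `compliance_report` once per system profile and aggregate the findings, which is the view Configuration Validation gives for all systems connected to Solution Manager.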

Protecting Your SAP Systems (section divider: Security Services, Security Management, Secure Software Development)

Secure Custom Development – Secure Design

• Secure design
  – Authentication and identity propagation
  – Secure session handling
  – Communication protocols
  – Authorization concept
  – Logging and audit trace
• Resources: SAP security recommendations, SAP security guides
• How to verify: design review, architectural risk analysis

Secure Custom Development – Secure Programming

• Secure programming – avoid security bugs:
  – Cross-site scripting (XSS)
  – Cross-site request forgery (XSRF)
  – SQL injection
  – Directory traversal
  – ABAP code injection
• Resources: SAP Secure Programming Guides, SAP Security Recommendations
• How to verify: source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.
• DAST – find vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing
• SAST – find vulnerabilities analyzing the sources: manual source code review, automated source code analysis

Code Vulnerability Analysis – Scan, Analyze and Fix Your Programs

• Manual source code review and automated source code analysis (SAST: find vulnerabilities analyzing the sources)
• Automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application)
• SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
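The slides on secure programming and on the code check tools make one point: the interesting checks follow user input through the data flow to a dangerous statement. The scanner below is an added example, not the SAP code vulnerability analysis add-on or any Code Inspector check, that applies that idea in miniature to a constructed ABAP report. It treats selection-screen parameters as tainted, propagates taint through assignment, `CONCATENATE` and `APPEND`, clears it when the value passes through `cl_abap_dyn_prg=>quote` or `escape_quotes` (real methods of a real SAP class), and reports when a tainted variable reaches a dynamic `WHERE` clause, `OPEN DATASET`, `GENERATE SUBROUTINE POOL` or `INSERT REPORT`. The ABAP sample, the one-statement-per-line restriction and the rule set are assumptions of the example.

```python
import re
from typing import List, Set, Tuple

# Constructed ABAP report used as scan input (one statement per line, so the
# scanner can treat each line as a statement). It mixes vulnerable and
# hardened patterns on purpose.
SAMPLE_ABAP = """\
REPORT z_scan_demo.
PARAMETERS p_name TYPE string.
PARAMETERS p_file TYPE string.
DATA lv_where TYPE string.
DATA lv_where_safe TYPE string.
DATA lv_quoted TYPE string.
DATA lt_code TYPE TABLE OF string.
* vulnerable: user input is concatenated straight into a dynamic WHERE clause
CONCATENATE 'NAME = ''' p_name '''' INTO lv_where.
SELECT * FROM zcustomer INTO TABLE @DATA(lt_cust) WHERE (lv_where).
* hardened: the value is quoted by cl_abap_dyn_prg before it is used
lv_quoted = cl_abap_dyn_prg=>quote( p_name ).
CONCATENATE 'NAME = ' lv_quoted INTO lv_where_safe.
SELECT * FROM zcustomer INTO TABLE @DATA(lt_safe) WHERE (lv_where_safe).
* vulnerable: a user-supplied path is opened without validation
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
* vulnerable: user input becomes executable ABAP
APPEND p_name TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
"""

SOURCES = re.compile(r"^(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", re.I)
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
APPEND = re.compile(r"^APPEND\s+(\w+)\s+TO\s+(\w+)", re.I)
SANITIZER = re.compile(r"CL_ABAP_DYN_PRG=>(?:QUOTE|ESCAPE_QUOTES)\b", re.I)
SINKS = [
    ("SQL injection", re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)),
    ("Directory traversal", re.compile(r"^OPEN\s+DATASET\s+(\w+)", re.I)),
    ("ABAP code injection",
     re.compile(r"^(?:GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\s+(\w+)", re.I)),
]


def _strip_literals(stmt: str) -> str:
    """Blank out string literals so words inside them are not taken as identifiers."""
    return re.sub(r"'[^']*'", "''", stmt)


def _idents(text: str) -> Set[str]:
    return {t.lower() for t in re.findall(r"[A-Za-z_]\w*", text)}


def scan_abap(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, category, variable) for each tainted value reaching a sink."""
    tainted: Set[str] = set()
    findings: List[Tuple[int, str, str]] = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("*") or line.startswith('"'):
            continue                                   # comment line
        stmt = _strip_literals(line.rstrip("."))
        m = SOURCES.match(stmt)                        # 1. taint sources
        if m:
            tainted.add(m.group(1).lower())
            continue
        m = CONCAT.match(stmt)                         # 2. propagation
        if m:
            if _idents(m.group(1)) & tainted:
                tainted.add(m.group(2).lower())
            continue
        m = APPEND.match(stmt)
        if m:
            if m.group(1).lower() in tainted:
                tainted.add(m.group(2).lower())
            continue
        m = ASSIGN.match(stmt)                         # 2b. assignment or sanitisation
        if m:
            target, expr = m.group(1).lower(), m.group(2)
            if SANITIZER.search(expr):
                tainted.discard(target)
            elif _idents(expr) & tainted:
                tainted.add(target)
            continue
        for category, pattern in SINKS:                # 3. sinks
            m = pattern.search(stmt)
            if m and m.group(1).lower() in tainted:
                findings.append((no, category, m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for line_no, category, variable in scan_abap(SAMPLE_ABAP):
        print(f"line {line_no}: {category} via {variable}")
```

The hardened `SELECT` on the sample's line 14 produces no finding because the quoting call breaks the taint chain; a real tool tracks far more statement forms and sanitizers, but the shape of the analysis is the same.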

Stay Informed and Report Issues

• Security-related news from SAP (patches, whitepapers, etc.)
  – Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
  – Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications – sent out for very important security-related news
• Reporting product security issues
  – Create a customer ticket in the support system
  – If you do not have SAP support, send an email to secure@sap.com – please use PGP for email encryption; the public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

• You have found a security vulnerability in an SAP product? What to do: open a customer message.
• How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
• You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news; check the security notes released on the Security Patch Days; subscribe to the SAP support portal newsletter; maintain a security contact in your organization.
• You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

• Curricula: SAP System Administration – User and Security; SAP Governance, Risk & Compliance
• Certification: SAP Certified Technology Professional – Security with SAP NetWeaver 7.0 (booking code P_ADM_SEC_70)
  – The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
• EAL 1: functionally tested
• EAL 2: structurally tested
• EAL 3: methodically tested and checked
• EAL 4: methodically designed, tested and reviewed
• EAL 5: semi-formally designed and tested
• EAL 6: semi-formally verified, designed and tested
• EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

• Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US
• https://service.sap.com/commoncriteria
• The SAP NetWeaver Application Server forms the security foundation for most SAP implementations
• Certified products:
  – SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
  – SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On / Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On – Single Sign-On

• Single sign-on for SAP GUI for Windows, SAP GUI for Java and web applications
• Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
• Advanced SNC encryption: strong encryption of communication
• Enterprise Single Sign-On for legacy systems
• Support of additional authentication methods: smart cards, Radius

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

[Diagram: primary authentication, then the E-SSO client with its E-SSO Monitor and Local Management Console logs the user (jack_jones) on to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.]

Secure Login – Solution Architecture

[Diagram: client system with SAP frontend (NWBC, SAP GUI) and web browser (key store, SLWC applet) using the Secure Login Client and the SAP or Java Crypto Library; SAP backend systems with an ABAP stack (Secure Login Library) and a Java stack (PSE service); Secure Login Server on NetWeaver CE 7.2 with its configuration data, backed by an authentication server (e.g. SAP User Management); connections over DIAG with SNC and HTTP(S).]

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

[Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …), plus cloud services, sharing one business process.]

Identity Federation – Solution

[Diagram: in each datacenter the ERP, CRM and SCM systems act as SAML service providers (SP) behind the company's own identity provider; identity federation links the two identity providers.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: a SAP NetWeaver Java Identity Provider holding the user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with its own user account; log on / log off and SAML token exchange between them.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
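The redirect flow on the slide (unauthenticated access, redirect to the Identity Provider, authentication, SAML token back to the Service Provider, local user account) is worth seeing as an exchange with both sides' messages, with the checks the Service Provider must make before it trusts the token. The code below is an added example, not SAP NetWeaver Single Sign-On code and not a SAML implementation: the assertion is a plain dictionary and its signature is an HMAC over a canonical serialization, standing in for the XML signature that a real IdP produces with its private key and that the SP verifies with the certificate from the IdP metadata. Entity IDs, accounts, the shared key and the target URL are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class SsoError(Exception):
    """Raised by the service provider when a response must be rejected."""


def _sign(key: bytes, assertion: dict) -> str:
    """HMAC over a canonical serialization; stands in for XML-DSig with the IdP key."""
    canonical = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class IdentityProvider:
    entity_id: str
    signing_key: bytes
    accounts: Dict[str, str]            # username -> password (constructed demo data)

    def authenticate(self, authn_request: dict, username: str, password: str,
                     now: int) -> Optional[dict]:
        """Primary authentication; on success returns the signed SAML-style response."""
        expected = self.accounts.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        assertion = {
            "id": "_" + secrets.token_hex(16),
            "issuer": self.entity_id,
            "subject": username,
            "audience": authn_request["issuer"],   # restricted to the SP that asked
            "in_response_to": authn_request["id"],
            "not_before": now,
            "not_on_or_after": now + 300,          # five-minute validity window
        }
        return {"assertion": assertion, "signature": _sign(self.signing_key, assertion)}


@dataclass
class ServiceProvider:
    entity_id: str
    trusted_idp: str
    idp_key: bytes                       # stands in for the IdP certificate in SP metadata
    user_accounts: Set[str]              # local accounts the subject must map to
    pending: Dict[str, str] = field(default_factory=dict)   # request id -> target URL
    seen_assertions: Set[str] = field(default_factory=set)

    def start_login(self, target_url: str, now: int) -> dict:
        """Unauthenticated access: build the AuthnRequest the browser carries to the IdP."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = target_url
        return {"id": request_id, "issuer": self.entity_id, "issue_instant": now}

    def consume(self, response: dict, now: int) -> dict:
        """Assertion consumer: each check here is one a real SP performs."""
        a = response["assertion"]
        if not hmac.compare_digest(_sign(self.idp_key, a), response["signature"]):
            raise SsoError("signature invalid")
        if a["issuer"] != self.trusted_idp:
            raise SsoError("untrusted issuer")
        if a["audience"] != self.entity_id:
            raise SsoError("assertion not addressed to this SP")
        if a["in_response_to"] not in self.pending:
            raise SsoError("unsolicited or already consumed response")
        if not a["not_before"] <= now < a["not_on_or_after"]:
            raise SsoError("assertion outside validity window")
        if a["id"] in self.seen_assertions:
            raise SsoError("assertion replayed")
        if a["subject"] not in self.user_accounts:
            raise SsoError("no local user account for subject")
        self.seen_assertions.add(a["id"])
        return {"user": a["subject"], "redirect_to": self.pending.pop(a["in_response_to"])}


DEMO_KEY = b"constructed-demo-key"      # shared secret for the demo only


def build_landscape():
    idp = IdentityProvider("https://idp.example.test", DEMO_KEY, {"jdoe": "correct horse"})
    sp = ServiceProvider("https://erp.example.test", idp.entity_id, DEMO_KEY, {"jdoe", "asmith"})
    return idp, sp


def rejection_reason(sp: ServiceProvider, response: dict, now: int) -> str:
    """Return the SP's rejection reason, or '' when the response is accepted."""
    try:
        sp.consume(response, now)
        return ""
    except SsoError as err:
        return str(err)


def browser_sso_flow(now: int = 1_000_000) -> dict:
    """The redirect dance: SP -> IdP (authenticate) -> SP (consume) -> local session."""
    idp, sp = build_landscape()
    authn_request = sp.start_login("/orders", now)
    response = idp.authenticate(authn_request, "jdoe", "correct horse", now)
    return sp.consume(response, now + 1)
```

The order of the checks in `consume` matters in practice: the signature is verified before any field of the assertion is trusted, and the `in_response_to` and assertion-id bookkeeping is what makes a captured token useless a second time.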

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management – process flow between SAP NetWeaver Identity Management and SAP GRC Access Control

1. The user requests: role, privileges, user account, …
2. The request is sent for approval to: manager, delegate, role owner, application owner, …
3. Approval is granted by: manager, delegate, role owner, application owner, …
4. The request is sent for risk analysis (to SAP GRC Access Control)
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provisioning to business applications, non-SAP systems, …, and an approval mail is sent to the user

Result: compliant identity management. The user, the approver and the compliance team interact through SAP NetWeaver Identity Management (steps 1, 2, 3 and 6) and SAP GRC Access Control (steps 4 and 5).

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported identity federation

SAP GRC Access Control:
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape
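The six-step flow and the access-risk responsibilities listed above fit into one small state machine: request, approval, risk analysis against a segregation-of-duties ruleset, remediation (reject, approve, mitigate or modify) and provisioning. The code below is an added example, not SAP NetWeaver Identity Management or SAP GRC Access Control code; the SoD rules, role names, user assignments, approver and mitigating-control id are constructed for the example, and the status strings are its own convention.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed segregation-of-duties (SoD) ruleset: each risk names two roles
# that must not be held by the same person. Role names are made up.
SOD_RULES: List[Tuple[str, str, Set[str]]] = [
    ("R001", "Create vendor master data and release vendor payments",
     {"Z_VENDOR_MAINTAIN", "Z_VENDOR_PAYMENT"}),
    ("R002", "Maintain users and assign roles",
     {"Z_USER_ADMIN", "Z_ROLE_ASSIGN"}),
]


@dataclass
class AccessRequest:
    user: str
    requested_roles: Set[str]
    status: str = "submitted"
    approvals: List[str] = field(default_factory=list)
    risks: List[dict] = field(default_factory=list)
    mitigations: Dict[str, str] = field(default_factory=dict)   # risk id -> control id
    log: List[str] = field(default_factory=list)


def submit(user: str, roles: Set[str]) -> AccessRequest:
    """Step 1: the user requests roles, privileges or an account."""
    req = AccessRequest(user=user, requested_roles=set(roles), status="awaiting approval")
    req.log.append(f"1 request by {user} for {sorted(roles)}")
    return req


def approve(req: AccessRequest, approver: str) -> AccessRequest:
    """Steps 2-3: the request goes to an approver (manager, role owner, ...)."""
    if req.status != "awaiting approval":
        raise ValueError(f"cannot approve a request in status {req.status!r}")
    req.approvals.append(approver)
    req.status = "awaiting risk analysis"
    req.log.append(f"2/3 approved by {approver}")
    return req


def analyze_risks(req: AccessRequest, existing: Dict[str, Set[str]]) -> List[dict]:
    """Step 4: evaluate requested plus already-held roles against the SoD rules."""
    if req.status != "awaiting risk analysis":
        raise ValueError(f"cannot analyze a request in status {req.status!r}")
    effective = existing.get(req.user, set()) | req.requested_roles
    req.risks = [{"id": rid, "description": text, "roles": sorted(roles)}
                 for rid, text, roles in SOD_RULES if roles <= effective]
    req.status = "risk analysis done"
    req.log.append(f"4 risk analysis: {[r['id'] for r in req.risks]}")
    return req.risks


def remediate(req: AccessRequest, decision: str,
              mitigations: Optional[Dict[str, str]] = None,
              drop_roles: Optional[Set[str]] = None) -> str:
    """Step 5: the compliance team rejects, approves, mitigates or modifies."""
    if req.status != "risk analysis done":
        raise ValueError(f"cannot remediate a request in status {req.status!r}")
    if decision == "reject":
        req.status = "rejected"
    elif decision == "approve":
        if req.risks:
            raise ValueError("open risks: approve requires mitigation or modification")
        req.status = "cleared"
    elif decision == "mitigate":
        uncovered = {r["id"] for r in req.risks} - set((mitigations or {}).keys())
        if uncovered:
            raise ValueError(f"no mitigating control for {sorted(uncovered)}")
        req.mitigations.update(mitigations or {})
        req.status = "cleared (mitigated)"
    elif decision == "modify":
        req.requested_roles -= (drop_roles or set())
        req.status = "awaiting approval"        # a changed request is approved again
    else:
        raise ValueError(f"unknown decision {decision!r}")
    req.log.append(f"5 remediation: {decision} -> {req.status}")
    return req.status


def provision(req: AccessRequest, systems: List[str]) -> List[dict]:
    """Step 6: provision to the target systems and notify the user."""
    if not req.status.startswith("cleared"):
        raise ValueError(f"cannot provision a request in status {req.status!r}")
    result = [{"system": s, "user": req.user, "roles": sorted(req.requested_roles)}
              for s in systems]
    req.status = "provisioned"
    req.log.append(f"6 provisioned to {systems}; approval mail sent to {req.user}")
    return result


def run_scenario() -> dict:
    """Worked example: a request that conflicts with a role the user already holds."""
    existing = {"jdoe": {"Z_VENDOR_PAYMENT"}}                  # constructed assignments
    req = submit("jdoe", {"Z_VENDOR_MAINTAIN", "Z_REPORT_VIEW"})
    approve(req, "manager.kim")
    risks = analyze_risks(req, existing)
    status = remediate(req, "mitigate", {"R001": "CTRL-042"})   # constructed control id
    provisioned = provision(req, ["ERP", "CRM"])
    return {"risk_ids": [r["id"] for r in risks], "status_after_remediation": status,
            "provisioned_systems": [p["system"] for p in provisioned],
            "final_status": req.status, "log": req.log}
```

Note that the risk analysis looks at the user's effective set of roles, not only the roles being requested; a request that is harmless on its own can still complete an SoD conflict with an existing assignment, which is the case `run_scenario` walks through.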

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A) together with Content Lifecycle Management (CLM); SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter; optional components: SAP NW Portal 7.02 (GRC portal content), SAP NW BW 7.02 (GRC BI content), SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP); front-end client: SAP GUI 7.10 and web browser with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports); connections over http, web services, RFC and DIAG.]

Compliant Identity Management – Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Diagram: the HR application raises "new hire" or "change position" events; Identity Management calculates entitlements based on the position; the line manager approves the assignments (yes/no); SAP GRC Access Control performs the compliance check and remediation; users are then created and roles and privileges assigned across a heterogeneous landscape.]

Moving Security to the Next Level – Planned Features and Developments

• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram: the SAP Attack Monitoring Infrastructure collects logs of SAP NetWeaver systems, logs of non-SAP NetWeaver systems, desktop and mobile frontends, infrastructure and databases, network logs and IDS, plus alerts from SAP Solution Manager; processing stages: connectivity, extraction, filtering, normalization, aggregation; attack pattern updates are delivered by SAP and an information back channel goes to SAP; an API connects to other SIEM tools.]

• Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
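The architecture draft above is, stripped of product names, a detection pipeline: extract log lines from heterogeneous sources, normalize them into one schema, aggregate them in time order, and match attack patterns. The code below is an added example, not SAP's attack monitoring infrastructure, that runs that pipeline over constructed log lines. The Security-Audit-Log-like lines use a made-up `|`-separated layout with message ids AU1 (logon successful) and AU2 (logon failed); the gateway lines use a different, syslog-like layout; both formats, the hosts, users, the allow-list and the thresholds are assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed log lines from two sources with different layouts.
SAL_LINES = [
    "2013-10-22 09:14:02|AU2|DEV|JDOE|10.0.0.15|Logon failed",
    "2013-10-22 09:14:09|AU2|DEV|JDOE|10.0.0.15|Logon failed",
    "2013-10-22 09:14:15|AU2|DEV|JDOE|10.0.0.15|Logon failed",
    "2013-10-22 09:14:41|AU1|DEV|JDOE|10.0.0.15|Logon successful",
    "2013-10-22 09:20:00|AU2|DEV|ASMITH|10.0.0.22|Logon failed",
    "2013-10-22 09:21:00|AU1|DEV|ASMITH|10.0.0.22|Logon successful",
]
GW_LINES = [
    "Tue Oct 22 09:16:40 2013 DEV GW reg host=10.0.0.99 tp=rfcexec",
    "Tue Oct 22 09:18:10 2013 DEV GW reg host=10.0.0.5 tp=zbatch",
]

SAL_EVENT = {"AU1": "logon_success", "AU2": "logon_failed"}
GW_PATTERN = re.compile(r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) "
                        r"(?P<system>\w+) GW reg host=(?P<host>\S+) tp=(?P<tp>\S+)$")


def normalize_sal(line: str) -> Dict:
    """Extraction + normalization for the audit-log-style source."""
    ts, msg_id, system, user, host, text = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "SAL",
            "system": system, "event": SAL_EVENT.get(msg_id, "other"),
            "user": user, "host": host, "detail": text}


def normalize_gw(line: str) -> Dict:
    """Extraction + normalization for the gateway-style source."""
    m = GW_PATTERN.match(line)
    if not m:
        raise ValueError(f"unparsed gateway line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), "source": "GW",
            "system": m["system"], "event": "rfc_registration",
            "user": "-", "host": m["host"], "detail": m["tp"]}


def aggregate(sal_lines: List[str], gw_lines: List[str]) -> List[Dict]:
    """Aggregation: one common schema, ordered by time across sources."""
    events = [normalize_sal(l) for l in sal_lines] + [normalize_gw(l) for l in gw_lines]
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict], allowed_reg_hosts: Set[str],
           window: timedelta = timedelta(minutes=5), threshold: int = 3) -> List[Dict]:
    """Two attack patterns: password guessing that ends in a logon, and an
    external RFC server registration from a host not on the allow-list."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] == "logon_success":
            failures = [e for e in events[:i]
                        if e["event"] == "logon_failed" and e["host"] == ev["host"]
                        and ev["ts"] - e["ts"] <= window]
            if len(failures) >= threshold:
                alerts.append({"pattern": "failed_logons_then_success", "ts": ev["ts"],
                               "host": ev["host"], "user": ev["user"],
                               "failures": len(failures)})
        elif ev["event"] == "rfc_registration" and ev["host"] not in allowed_reg_hosts:
            alerts.append({"pattern": "rfc_registration_from_unknown_host", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"],
                           "program": ev["detail"]})
    return alerts


def run_pipeline() -> List[Dict]:
    """Connectivity -> extraction -> normalization -> aggregation -> patterns."""
    events = aggregate(SAL_LINES, GW_LINES)
    return detect(events, allowed_reg_hosts={"10.0.0.5"})     # constructed allow-list


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert["ts"], alert["pattern"], alert["host"], alert.get("user"))
```

The second pattern is the kind of check the slide's "attack pattern updates by SAP" would distribute: it needs no knowledge of the individual system beyond an allow-list, while the first needs the cross-source time ordering that only the aggregation stage provides.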

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online – Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 57: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 57

SAP Security Services Overview (12)

SAP Security Patch Day

SAP security notes second Tuesday every month

SAP Active Global Support

security tools and services

SAP Solution Manager System Recommendations

SAP EarlyWatch Alert (EWA) with security section

SAP Solution Manager Configuration Validation

SAP Security Optimization Service (SOS)

SAP security consulting services

copy 2013 SAP AG or an SAP affiliate company All rights reserved 58

SAP Security Services Overview (22)

SAP Security Training

Secure operation trainings by SAP

Secure development trainings by partners

SAP Security Documentation

Security notes published on Service Marketplace

SAP security guides for every product

SAP security recommendations on some patch days

Secure programming guides

RunSAP end-to-end solution operations

Books published by SAP Press

copy 2013 SAP AG or an SAP affiliate company All rights reserved 59

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 60

SAP Security Management for Your Systems

Are you ready

Do you have management support for SAP security

Do you have defined responsibilities for SAP security

Do you have a security contact maintained in SMP

Do you have standards and guidelines for SAP security

Do you have know how in security operations

Do you have know how in secure development

Do you have know how in authorizations and SoD

Do you monitor compliance with standards and guidelines

SAP Security is more than roles and profiles

Examples secure system configuration patch management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 61

Secure System Configuration SAP NetWeaver AS ABAP

Network filtering SAP GUI for Windows

Limit Web Enabled

Content

SAP Gateway and

SAP Message Server

Security

Secure Network

Communication (SNC)

and HTTPS

ABAP RFC Connectivity

Password Management

Password Policy

Password Hashes

Default Passwords

Secure Session Handling from security recommendations

discussed later

copy 2013 SAP AG or an SAP affiliate company All rights reserved 62

Patch Management and Security Monitoring

Check security of your systems as onsite remote

or self service via SAP Solution Manager

Verify release information and configuration

parameters against targets for all systems

connected to Solution Manager

Evaluate SAP security notes every patch day

Most important notes which can be automatically

applied are checked and result is presented

Manage SAP security notes for all systems

connected to Solution Manager

Session SIS103 ndash Security Control Center by SAP Active Global Support

copy 2013 SAP AG or an SAP affiliate company All rights reserved 63

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00:
  – Each task is available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs the configuration and describes the required manual tasks, such as the SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)

For more information, see SAP Note 1532674.

Protecting Your SAP Systems

(Diagram labels: SAP Customers; Secure Software Development; Security Services; Security Management)

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners perform security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check that analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
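The add-on described above works on data flow: it follows user input through the program and reports when it reaches a dangerous statement. The following added example, written for this page and not part of SAP's tooling, sketches that idea as a toy taint analysis over a constructed, simplified ABAP snippet (one statement per line). Report parameters are the sources, the real cl_abap_dyn_prg quoting and check methods are treated as sanitizers, and dynamic WHERE clauses, OPEN DATASET and GENERATE SUBROUTINE POOL are the sinks behind the SQL injection, directory traversal and ABAP code injection items on the previous slide. A production scanner works on the full ABAP syntax tree rather than on regular expressions.

```python
"""Toy taint analysis over simplified ABAP statements.

Added example, not SAP's code vulnerability analysis tool: it sketches
the data-flow idea the slide names (follow user input until it reaches
a dangerous statement). The ABAP below is constructed, one statement per
line; a real scanner works on the full ABAP syntax tree.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: a vulnerable dynamic WHERE, the same query with the
# input quoted via cl_abap_dyn_prg, a file open and a code generation that
# are fed by report parameters.
SAMPLE_ABAP = """
PARAMETERS p_name TYPE c LENGTH 40.
PARAMETERS p_file TYPE c LENGTH 255.
PARAMETERS p_code TYPE c LENGTH 255.
DATA lv_where TYPE string.
lv_where = |name = '{ p_name }'|.
SELECT * FROM zcustomer INTO TABLE @DATA(lt_bad) WHERE (lv_where).
lv_quoted = cl_abap_dyn_prg=>quote( p_name ).
lv_where_ok = |name = { lv_quoted }|.
SELECT * FROM zcustomer INTO TABLE @DATA(lt_ok) WHERE (lv_where_ok).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
APPEND p_code TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
"""

# Sources: where user input enters the program.
SOURCE_RE = re.compile(r"^(?:parameters|select-options)\s+(\w+)", re.I)
# Propagation: plain assignment and APPEND ... TO ....
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
APPEND_RE = re.compile(r"^append\s+(\w+)\s+to\s+(\w+)", re.I)
# Sanitizers: cl_abap_dyn_prg helpers whose output is safe in dynamic code.
SANITIZER_RE = re.compile(r"cl_abap_dyn_prg=>(?:quote|quote_str|check_\w+|escape_\w+)\s*\(", re.I)
# Sinks: the statements behind three items of the secure-programming slide.
SINKS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bwhere\s*\(\s*(\w+)\s*\)", re.I), "SQL injection"),
    (re.compile(r"\bopen\s+dataset\s+(\w+)", re.I), "directory traversal"),
    (re.compile(r"\bgenerate\s+subroutine\s+pool\s+(\w+)", re.I), "ABAP code injection"),
]

Finding = Tuple[int, str, str]   # (line number, variable, vulnerability class)


def analyze(code: str) -> List[Finding]:
    """Report every sink that receives a tainted variable."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for lineno, raw in enumerate(code.splitlines(), start=1):
        stmt = raw.strip().rstrip(".")
        if not stmt or stmt.startswith(("*", '"')):
            continue                                  # blank line or comment
        m = SOURCE_RE.match(stmt)
        if m:
            tainted.add(m.group(1).lower())           # user input enters
            continue
        m = APPEND_RE.match(stmt)
        if m and m.group(1).lower() in tainted:
            tainted.add(m.group(2).lower())           # taint flows into the table
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            lhs, rhs = m.group(1).lower(), m.group(2).lower()
            if SANITIZER_RE.search(rhs):
                tainted.discard(lhs)                  # sanitizer output is trusted
            elif tainted & set(re.findall(r"\w+", rhs)):
                tainted.add(lhs)                      # taint propagates
            else:
                tainted.discard(lhs)                  # overwritten with clean data
            continue
        for sink_re, kind in SINKS:
            for var in sink_re.findall(stmt):
                if var.lower() in tainted:
                    findings.append((lineno, var, kind))
    return findings


if __name__ == "__main__":
    for lineno, var, kind in analyze(SAMPLE_ABAP):
        print(f"line {lineno}: {kind} via {var}")
```

On the constructed snippet the analysis reports three findings (lines 7, 11 and 13) and stays silent on line 10, where the parameter passed through cl_abap_dyn_prg=>quote before reaching the dynamic WHERE. That silence is the point of a data-flow check as opposed to a plain pattern search: the sink itself is not the problem, the untrusted path into it is.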

Application Security Testing

Security testing, in the form of dynamic application security testing (DAST) and static application security testing (SAST), is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram) Four complementary techniques: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.
• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram) The same four techniques: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing.
• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources

SAP NetWeaver Application Server add-on for code vulnerability analysis: finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
• spotlight news
• the security notes released on the Security Patch Days
• subscription to the SAP Support Portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                    Course ID
Authorizations AS ABAP                   ADM940
Authorizations AS Java / Portal          ADM200, EP200, ADM800
Authorizations BW                        BW365
SAP NetWeaver Identity Management        ADM920
Security Auditing                        ADM950
Technical Security (RFC, SSL, SNC, …)    ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

(Diagram) Evaluation assurance levels:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed and tested
EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

(Map) Markets where the Common Criteria Certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, The Netherlands, Turkey, UK, US.
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

(Diagram)
• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers
• No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (Partner / API)
• Endorsed Business Solution (EBS) with the CA SiteMinder product
• Policy-based authentication and authorization to web applications
• XACML-based and policy-enforced access

Identity Federation
• Web-based and web service-based authentication
• Single sign-on and identity federation via SAML 2.0
• Cross-company, cross-domain single sign-on

Secure Login
• Single sign-on for web-based and web service-based applications
• Standards-based single sign-on for SAP GUI (Kerberos, X.509)
• Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet)
• Secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram) Primary Authentication → E-SSO, with an E-SSO Monitor and a Local Management Console; logon targets for user jack_jones: Terminal Emulator, Web Form, Web Basic, Windows application, Java application.

Secure Login – Solution Architecture

(Diagram)
• Client System: SAP Frontend (NWBC, SAP GUI) with the Secure Login Client; Web Browser with SLWC (Applet) and Key Store; SAP or Java Crypto Library
• SAP Backend System: ABAP Stack with Secure Login Library; Java Stack with PSE Service
• NetWeaver CE 7.2: Secure Login Server with Config Data
• Authentication Server (e.g. SAP User Management)
• Further backend systems with Secure Login Lib
• Protocols: DIAG/SNC, HTTP(S)

SAP Net Weaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Diagram) Company A with Datacenter A (ERP, CRM, SCM, …), Company B with Datacenter B (ERP, CRM, SCM, …), and the Cloud (…).

Identity Federation – Solution

(Diagram) Company A, Datacenter A: ERP, CRM, SCM, each behind a Service Provider (SP); Company B, Datacenter B: ERP, CRM, SCM, each behind a Service Provider (SP); one Identity Provider per company, linked by Identity Federation.

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram) SAP NetWeaver Java Identity Provider (User Account) issues a SAML token on log on / log off to the Service Providers, each with its own User Account: SAP NetWeaver ABAP, SAP NetWeaver Java, non-SAP.

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
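The flow on this slide, acted out in code, as an added example that is not SAP NetWeaver Single Sign-On or any other SAP code: a small identity provider and two service providers ("ERP" and "CRM") exchange a signed token, the user logs on once at the identity provider, and the second service provider accepts a token without a new logon. The assertion is a signed dictionary in which an HMAC stands in for the XML signature of a real SAML 2.0 assertion, so both sides share one key here where SAML uses the IdP's certificate; users, passwords, keys and entity IDs are constructed. The checks a service provider must make (signature, issuer, audience, validity period, one-time use of the assertion ID) are the same in either case.

```python
"""Web-browser single sign-on through an identity provider, as on the slide.

Added example, not SAP NetWeaver Single Sign-On code. A plain Python IdP
and two service providers act out the flow: redirect to the IdP, one
logon, a token accepted by each SP. The assertion is a signed dict with
an HMAC standing in for the XML signature of a real SAML 2.0 assertion;
users, keys and entity IDs are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set


def _sign(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id: str, key: bytes, users: Dict[str, str]):
        self.entity_id = entity_id
        self._key = key                             # constructed signing key
        self._users = users                         # constructed store: user -> password
        self._sso_sessions: Dict[str, str] = {}     # IdP cookie -> user

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Primary authentication; returns the IdP session cookie on success."""
        if user in self._users and hmac.compare_digest(self._users[user], password):
            cookie = secrets.token_hex(16)
            self._sso_sessions[cookie] = user
            return cookie
        return None

    def issue_assertion(self, cookie: str, audience: str, now: float) -> Optional[dict]:
        """Issue a signed assertion for the SP `audience` if the browser already
        holds an IdP session, so no re-authentication is needed."""
        user = self._sso_sessions.get(cookie)
        if user is None:
            return None
        body = {"id": secrets.token_hex(8), "issuer": self.entity_id, "subject": user,
                "audience": audience, "not_on_or_after": now + 300}
        return {**body, "signature": _sign(self._key, body)}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self._idp, self._idp_key = idp_entity_id, idp_key
        self._seen_ids: Set[str] = set()            # replay protection
        self.sessions: Dict[str, str] = {}          # SP session -> user

    def consume(self, assertion: Optional[dict], now: float) -> Optional[str]:
        """Validate signature, issuer, audience, validity and freshness, then
        open a local session; None means the assertion was rejected."""
        if assertion is None:
            return None
        body = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(_sign(self._idp_key, body), assertion.get("signature", "")):
            return None
        if body["issuer"] != self._idp or body["audience"] != self.entity_id:
            return None
        if now >= body["not_on_or_after"] or body["id"] in self._seen_ids:
            return None
        self._seen_ids.add(body["id"])
        token = secrets.token_hex(16)
        self.sessions[token] = body["subject"]
        return token


def run_sso_flow(now: float = 1_700_000_000.0) -> dict:
    """Act out the slide's flow plus the rejections an SP must enforce."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example/saml", key, {"jack_jones": "correct-horse"})
    erp = ServiceProvider("https://erp.example/sp", idp.entity_id, key)
    crm = ServiceProvider("https://crm.example/sp", idp.entity_id, key)

    # Access to ERP without a session: redirect to the IdP, log on once.
    cookie = idp.authenticate("jack_jones", "correct-horse")
    erp_session = erp.consume(idp.issue_assertion(cookie, erp.entity_id, now), now)
    # Access to CRM: the IdP session exists, so the token comes without a new logon.
    crm_session = crm.consume(idp.issue_assertion(cookie, crm.entity_id, now), now)
    # Rejections: token meant for another SP, replayed token, stale token, bad password.
    wrong_audience = erp.consume(idp.issue_assertion(cookie, crm.entity_id, now), now)
    token = idp.issue_assertion(cookie, erp.entity_id, now)
    first, replay = erp.consume(token, now), erp.consume(token, now)
    stale = erp.consume(idp.issue_assertion(cookie, erp.entity_id, now), now + 600)
    return {
        "erp_user": erp.sessions.get(erp_session),
        "crm_user": crm.sessions.get(crm_session),
        "wrong_audience_rejected": wrong_audience is None,
        "replay_rejected": first is not None and replay is None,
        "stale_rejected": stale is None,
        "bad_password_rejected": idp.authenticate("jack_jones", "wrong") is None,
    }
```

The audience check is what keeps a token issued for one service provider from being presented to another, and the assertion-ID set is what keeps a captured token from being presented twice; both are easy to forget in a hand-rolled service provider and both are required by the SAML 2.0 web browser SSO profile.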

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram, e.g. on-boarding) SAP NetWeaver Identity Management with its Central Identity Store provides:
• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram)
• Identity Center: IC database (either MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB), Event Agent («Starts»); reached via the DB protocol
• Virtual Directory Server (VDS) in a Java VM, accessed via LDAP and HTTPS
• User Interface: Web Dynpro on AS Java (ID Mgmt UI abstraction, JMX); Management Console (MMC, soon to be Eclipse)
• External repositories: LDAP, Java, ABAP, web services, Active Directory, etc.
• External applications: SAP HR, LDAP/web services, SiteMinder, application-specific, etc.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap between Access Control and Identity Management Processes

Compliant Identity Management

(Animated diagram: User, Approver and Compliance Team interacting with SAP NetWeaver Identity Management and SAP GRC Access Control)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
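The six steps above, taken together, as one added example that is not SAP NetWeaver Identity Management or SAP GRC Access Control code: a small workflow carries an access request through request, approval, risk analysis, remediation and provisioning, and refuses to provision anything that is not in the approved state. The roles, the segregation-of-duties (SoD) rule set that plays the part of the risk analysis, the users and the target systems are all constructed for the example. Three constructed requests are run: one without conflicts, one where the compliance team modifies the request and has it re-analyzed, and one where a conflict is mitigated with a control.

```python
"""The six-step compliant identity management flow above, as a small workflow.

Added example, not SAP NetWeaver Identity Management or SAP GRC Access
Control code. Roles, the segregation-of-duties (SoD) rule set, users and
target systems are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD rules: the two roles of a pair must not meet on one user.
SOD_RULES = [("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
             ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE")]
# Constructed mapping of business roles to the systems that get provisioned.
ROLE_TARGETS = {"AP_INVOICE_ENTRY": ["ERP"], "AP_PAYMENT_RELEASE": ["ERP"],
                "VENDOR_MASTER_MAINTAIN": ["ERP", "CRM"], "REPORT_VIEWER": ["BW"]}


class State(Enum):
    REQUESTED = "requested"
    PENDING_APPROVAL = "pending approval"
    RISK_ANALYSIS = "risk analysis"
    REMEDIATION = "remediation"
    APPROVED = "approved"
    PROVISIONED = "provisioned"
    REJECTED = "rejected"


@dataclass
class AccessRequest:
    user: str
    existing_roles: Set[str]
    requested_roles: Set[str]
    state: State = State.REQUESTED
    approvals: List[str] = field(default_factory=list)
    risks: List[Tuple[str, str]] = field(default_factory=list)
    mitigations: Dict[Tuple[str, str], str] = field(default_factory=dict)


def _expect(req: AccessRequest, state: State) -> None:
    if req.state is not state:
        raise ValueError(f"request is {req.state.value}, expected {state.value}")


def submit(req: AccessRequest) -> AccessRequest:
    """Step 1: the user requests roles, privileges or an account."""
    _expect(req, State.REQUESTED)
    req.state = State.PENDING_APPROVAL
    return req


def approve(req: AccessRequest, approver: str, granted: bool) -> AccessRequest:
    """Steps 2-3: manager, delegate, role owner or application owner decides."""
    _expect(req, State.PENDING_APPROVAL)
    req.approvals.append(approver)
    req.state = State.RISK_ANALYSIS if granted else State.REJECTED
    return req


def analyze_risk(req: AccessRequest) -> AccessRequest:
    """Step 4: SoD analysis over existing and requested roles together."""
    _expect(req, State.RISK_ANALYSIS)
    roles = req.existing_roles | req.requested_roles
    req.risks = [(a, b) for a, b in SOD_RULES if a in roles and b in roles]
    req.state = State.REMEDIATION if req.risks else State.APPROVED
    return req


def remediate(req: AccessRequest, decision: str, control: str = "",
              drop: FrozenSet[str] = frozenset()) -> AccessRequest:
    """Step 5: reject, mitigate with a control, or modify and re-analyze."""
    _expect(req, State.REMEDIATION)
    if decision == "reject":
        req.state = State.REJECTED
    elif decision == "mitigate" and control:
        req.mitigations = {risk: control for risk in req.risks}
        req.state = State.APPROVED
    elif decision == "modify":
        req.requested_roles -= drop
        req.state = State.RISK_ANALYSIS
        analyze_risk(req)
    else:
        raise ValueError(f"invalid decision {decision!r}")
    return req


def provision(req: AccessRequest) -> Dict[str, Set[str]]:
    """Step 6: provision per target system; only an approved request passes."""
    _expect(req, State.APPROVED)
    targets: Dict[str, Set[str]] = {}
    for role in req.requested_roles:
        for system in ROLE_TARGETS[role]:
            targets.setdefault(system, set()).add(role)
    req.state = State.PROVISIONED
    return targets


def run_scenarios() -> dict:
    """Constructed requests: clean, modified after a conflict, and mitigated."""
    clean = submit(AccessRequest("j.doe", {"REPORT_VIEWER"}, {"AP_INVOICE_ENTRY"}))
    analyze_risk(approve(clean, "line manager", True))
    risky = submit(AccessRequest("a.smith", {"AP_INVOICE_ENTRY"},
                                 {"AP_PAYMENT_RELEASE", "REPORT_VIEWER"}))
    analyze_risk(approve(risky, "line manager", True))
    conflicts = list(risky.risks)
    remediate(risky, "modify", drop=frozenset({"AP_PAYMENT_RELEASE"}))
    mitigated = submit(AccessRequest("b.lee", {"VENDOR_MASTER_MAINTAIN"}, {"AP_PAYMENT_RELEASE"}))
    analyze_risk(approve(mitigated, "role owner", True))
    remediate(mitigated, "mitigate", control="CTRL-042 monthly payment review")
    return {"clean": provision(clean), "conflicts": conflicts, "risky": provision(risky),
            "mitigated": provision(mitigated), "mitigations": mitigated.mitigations}
```

Two design points carry over to a real implementation: the risk analysis runs over the user's existing roles plus the requested ones (a request that is harmless on its own can complete a conflicting pair), and a modified request goes back through the analysis instead of being provisioned on the strength of the earlier approval.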

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Diagram)
• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0
• SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications: adapter
• SAP NW Portal 7.02: GRC Portal Content (optional)
• SAP NW BW 7.02: GRC BI Content (optional)
• SAP NW Java 7.02: Adobe Document Services (optional)
• Identity Management solutions (SAP or non-SAP, optional)
• Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter
• Connections between the components: http, web services, RFC, DIAG
• SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Diagram) HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments? Yes / No) → SAP GRC Access Control (Compliance Check, Remediation) → Heterogeneous Landscape (Create User, Assign Roles / Assign Privileges in each system)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Diagram) Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend and mobile frontend logs; logs of infrastructure; logs of database; network IDS logs; alerts from SAP SolMan.
SAP Attack Monitoring Infrastructure: Connectivity, Extraction, Filtering, Aggregation, Normalization.
Outputs: API to other SIEM tools; information back channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
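The pipeline stages named in the draft (extraction, filtering, normalization, aggregation, matching against attack patterns) can be shown end to end on a handful of log lines. The following is an added example written for this page, not SAP's planned infrastructure: two constructed log formats, one resembling the ABAP Security Audit Log and one resembling a Java application server's key=value log, are normalized into a single event shape, aggregated per user, and matched against one attack pattern, a run of failed logons followed by a success within a short window, which can span an ABAP and a Java system. AU1 and AU2 are the Security Audit Log message classes for successful and failed logon; the line layout, host names, user names and addresses are constructed.

```python
"""Normalize, aggregate and pattern-match logon events from mixed SAP logs.

Added example, not SAP's planned monitoring infrastructure. Two constructed
log formats are normalized into one event shape, aggregated per user and
matched against one attack pattern: repeated failed logons followed by a
success within a short window, possibly across systems. AU1 and AU2 are the
Security Audit Log message classes for successful and failed logon; the line
layout, hosts, users and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: float          # epoch seconds
    system: str
    user: str
    outcome: str       # "fail" or "success"
    source_ip: str


# Constructed lines: a Security-Audit-Log-like layout (ABAP system PRD) and
# a Java-AS-like key=value layout (system PRDJAVA), plus one line of noise.
SAMPLE_LINES = [
    "2013-10-22 08:00:01 PRD AU2 jack_jones 10.1.2.3 Logon failed",
    "2013-10-22 08:00:05 PRD AU2 jack_jones 10.1.2.3 Logon failed",
    "2013-10-22 08:00:09 PRD AU2 jack_jones 10.1.2.3 Logon failed",
    "2013-10-22T08:00:30Z host=PRDJAVA user=jack_jones event=LOGON_OK ip=10.1.2.3",
    "2013-10-22 08:03:00 PRD AU1 mary_k 10.1.2.9 Logon successful",
    "2013-10-22 08:03:10 PRD AU2 mary_k 10.1.2.9 Logon failed",
    "unrelated noise line that no parser understands",
]

SAL_RE = re.compile(r"^(\S+ \S+) (\S+) (AU1|AU2) (\S+) (\S+) ")
JAVA_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(LOGON_\w+) ip=(\S+)")


def _epoch(text: str, fmt: str) -> float:
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def normalize(line: str) -> Optional[Event]:
    """Extraction + normalization: map a raw line onto Event; None = filtered out."""
    m = SAL_RE.match(line)
    if m:
        outcome = "success" if m.group(3) == "AU1" else "fail"
        return Event(_epoch(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(4), outcome, m.group(5))
    m = JAVA_RE.match(line)
    if m:
        outcome = "success" if m.group(4) == "LOGON_OK" else "fail"
        return Event(_epoch(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), outcome, m.group(5))
    return None


def detect_bruteforce(lines: List[str], threshold: int = 3, window: float = 120.0) -> List[dict]:
    """Aggregate per user; alert when >= threshold failures precede a success within `window` seconds."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            by_user[ev.user].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort()                                   # NamedTuple sorts by ts first
        for i, ev in enumerate(events):
            if ev.outcome != "success":
                continue
            fails = [e for e in events[:i] if e.outcome == "fail" and ev.ts - e.ts <= window]
            if len(fails) >= threshold:
                alerts.append({"user": user, "failures": len(fails),
                               "systems": sorted({e.system for e in fails} | {ev.system}),
                               "success_on": ev.system,
                               "source_ips": sorted({e.source_ip for e in fails})})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(alert)
```

On the constructed input the three failures on the ABAP system and the success on the Java system are seen as one sequence for jack_jones, which is exactly what a per-system view would miss; mary_k's single failure after a success produces nothing. The threshold and window are the tunable parts of the pattern.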

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 58: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 58

SAP Security Services Overview (22)

SAP Security Training

Secure operation trainings by SAP

Secure development trainings by partners

SAP Security Documentation

Security notes published on Service Marketplace

SAP security guides for every product

SAP security recommendations on some patch days

Secure programming guides

RunSAP end-to-end solution operations

Books published by SAP Press

copy 2013 SAP AG or an SAP affiliate company All rights reserved 59

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 60

SAP Security Management for Your Systems

Are you ready

Do you have management support for SAP security

Do you have defined responsibilities for SAP security

Do you have a security contact maintained in SMP

Do you have standards and guidelines for SAP security

Do you have know how in security operations

Do you have know how in secure development

Do you have know how in authorizations and SoD

Do you monitor compliance with standards and guidelines

SAP Security is more than roles and profiles

Examples secure system configuration patch management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 61

Secure System Configuration SAP NetWeaver AS ABAP

Network filtering SAP GUI for Windows

Limit Web Enabled

Content

SAP Gateway and

SAP Message Server

Security

Secure Network

Communication (SNC)

and HTTPS

ABAP RFC Connectivity

Password Management

Password Policy

Password Hashes

Default Passwords

Secure Session Handling from security recommendations

discussed later

copy 2013 SAP AG or an SAP affiliate company All rights reserved 62

Patch Management and Security Monitoring

Check security of your systems as onsite remote

or self service via SAP Solution Manager

Verify release information and configuration

parameters against targets for all systems

connected to Solution Manager

Evaluate SAP security notes every patch day

Most important notes which can be automatically

applied are checked and result is presented

Manage SAP security notes for all systems

connected to Solution Manager

Session SIS103 ndash Security Control Center by SAP Active Global Support

copy 2013 SAP AG or an SAP affiliate company All rights reserved 63

The automation of lifecycle management (LM) activities eases the setup and operation of

SAP systems by guiding administrators through configuration and operation tasks

Easy-to-use light-weight tool ndash short startup time small memory footprint

List of configuration tasks provided with the tool LM Automation Standalone 10 SP00

ndash each task available in two flavors ndash one for ABAP one for Java application servers

ndash SSL Validation validates configuration settings

(such as SAP Crypto Graphic library installation) for enabling SSL (HTTPS)

ndash SSL Profile Validation validates parameter settings for secure sessions

ndash SSL Maintenance performs configuration and describes required manual tasks

such as SAP Crypto Graphic library installation and profile parameter settings

for enabling SSL (HTTPS)

For more information see SAP Note 1532674

LM Automation Standalone Automates Security-Related

Configuration and Validation Tasks for Your SAP Systems

copy 2013 SAP AG or an SAP affiliate company All rights reserved 64

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 65

Secure Custom Development ndash Secure Design

Secure design

Authentication and identity propagation

Secure session handling

Communication protocols

Authorization concept

Logging and audit trace

Resources

SAP security recommendations

SAP security guides

How to verify

Design review architectural risk analysis

copy 2013 SAP AG or an SAP affiliate company All rights reserved 66

Secure Custom Development ndash Secure Programming

Secure programming - avoid security bugs

Cross-site scripting (XSS)

Cross-site request forgery (XSRF)

SQL injection

Directory traversal

ABAP code injection

Resources

SAP Secure Programming Guides

SAP Security Recommendations

How to verify

Source code scanning ndash automate it

copy 2013 SAP AG or an SAP affiliate company All rights reserved 67

Overview of SAP Code Check Tools (Topic Source Code Scan)

SAP recommends customers and partner to do security code scans (among

other measures) for custom developed code (see note 1697494)

ABAP Test Cockpit (ATC)

Central place for all check tools exemption handling result storage

Code Inspector (SCI)

Open framework for customers partners and SAP to develop code related checks

Extended Program Check (SLIN)

Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis

Code checks for security vulnerabilities Main focus of the tool is to analyze the data flow and the user input

Session SIS261 ndash Your Way to Secure ABAP CodendashScan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security Testing in terms of dynamic application security testing (DAST) and static application

security testing (SAST) are measures to improve code quality and security

Neither DAST nor SAST are a guarantee to find all security issues in an application

Manual Source Code

Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application

Penetration Testing

DAST find vulnerabilities in the

running application SAST find vulnerabilities

analyzing the sources

copy 2013 SAP AG or an SAP affiliate company All rights reserved 69

Code Vulnerability Analysis Scan Analyze and Fix Your Programs

Manual Source Code Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application Penetration

Testing

DAST

Find vulnerabilities in the

running application

SAST

Find vulnerabilities analyzing

the sources

SAP NetWeaver Application Server add-on

for code vulnerability analysis

Finding security issues at design time is easier and less

expensive

Session SIS261 ndash Your Way to Secure ABAP Code ndash Scan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 70

Stay Informed and Report Issues

Security-related news from SAP (patches whitepapers etc)

Subscribe to the SAP Support Portal Newsletter Spotlight News My

SAP HotNews My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who get

ad-hoc SAP Product Security Notifications

ndash Send out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support send an email to securesapcom

ndash Please use PGP for email encryption

ndash Public PGP key is linked at httpsservicesapcomsecuritynotes

Security Response at SAP

• You have found a security vulnerability in an SAP product. What to do? Open a customer message.
• How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
• You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for spotlight news, check the security notes released on the Security Patch Days, subscribe to the SAP Support Portal newsletter, and maintain a security contact in your organization.
• You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
  – Booking code: P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java, Portal          ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed and tested
EAL 7   Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Rep. of Korea, Singapore, Spain, Sweden, Turkey, UK, US

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:
• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

• Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
• Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
• Advanced SNC encryption: strong encryption of communication
• Enterprise Single Sign-On for legacy systems
• Support of additional authentication methods: smart cards, RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

• Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Diagram: the user jack_jones performs one primary authentication; the E-SSO monitor then handles the logon to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; the E-SSO client is administered through a local management console.

Secure Login – Solution Architecture

Diagram of the components:
• Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client; web browser with the SLWC (applet) and a key store; SAP or Java Crypto Library
• Secure Login Server on NetWeaver CE 7.2 with its configuration data, connected to an authentication server (e.g. SAP User Management)
• SAP backend systems: ABAP stack with the Secure Login Library and PSE service; Java stack
• Protocols shown: DIAG, SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …), plus a cloud, all taking part in one business process.

Identity Federation – Solution

Diagram: in Datacenter A and Datacenter B each system (ERP, CRM, SCM) acts as a SAML service provider (SP); Company A and Company B each run an identity provider, and the two identity providers are connected by identity federation.

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (service provider)
• Identity provider and service provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Diagram: an SAP NetWeaver Java identity provider holds the user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP service providers each hold a user account; the user logs on and off at the identity provider, and a SAML token is passed to the service providers.

• The landscape consists of an identity provider and systems enabled via service providers (SAML)
• Web users trying to access a system will be redirected to the identity provider
• Once a user is authenticated by the identity provider, the user can access all systems (via service providers) without re-authentication
• Web browser-based single sign-on is user-centric
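The redirect-and-token flow described above puts the trust decision on the service provider: before it grants access without re-authentication, it has to check who issued the token and whether the token is meant for this service and this logon attempt. The Python program below is an added example written for this page, not SAP's or any identity provider's code. It models one IdP issuing a SAML-2.0-style assertion and one SP validating it with the checks a real SP performs: trusted issuer, signature, audience restriction, validity window with clock skew, binding to the outstanding authentication request (InResponseTo) and replay of the assertion ID. The entity IDs, the shared key and the subject name are constructed, and an HMAC over the serialized XML stands in for XML-DSig so that the example needs only the standard library.

```python
"""Service-provider-side validation of a SAML-2.0-style assertion.

Added example for this page. Entity IDs, key and subject are constructed;
an HMAC over the serialized assertion stands in for XML-DSig so the example
needs only the standard library."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.com/saml"   # constructed SP entity ID
TRUSTED_IDP = "https://idp.example.com/saml"   # constructed IdP entity ID
SHARED_KEY = b"constructed-demo-key"           # stand-in for the IdP signing key
CLOCK_SKEW = timedelta(minutes=2)              # tolerated IdP/SP clock difference


def _fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def idp_issue(subject, in_response_to, now, assertion_id,
              lifetime=timedelta(minutes=5)):
    """IdP side: build the assertion for one authenticated user and sign it."""
    xml = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}" '
        f'IssueInstant="{_fmt(now)}">'
        f'<saml:Issuer>{TRUSTED_IDP}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData '
        f'InResponseTo="{in_response_to}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_fmt(now)}" NotOnOrAfter="{_fmt(now + lifetime)}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion>'
    )
    signature = hmac.new(SHARED_KEY, xml.encode(), hashlib.sha256).hexdigest()
    return xml, signature


class ServiceProvider:
    """Keeps the state a SAML SP needs: outstanding requests and accepted IDs."""

    def __init__(self):
        self.pending_requests = set()   # AuthnRequest IDs we issued and await
        self.seen_assertions = set()    # assertion IDs already accepted

    def start_login(self, request_id):
        self.pending_requests.add(request_id)

    def consume(self, xml, signature, now):
        """Return ("ok", subject) or ("reject", reason). Order matters:
        nothing inside the XML is trusted before the signature is checked."""
        expected = hmac.new(SHARED_KEY, xml.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return "reject", "bad signature"
        root = ET.fromstring(xml)
        if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
            return "reject", "untrusted issuer"
        cond = root.find("saml:Conditions", NS)
        if now + CLOCK_SKEW < _parse(cond.get("NotBefore")):
            return "reject", "not yet valid"
        if now - CLOCK_SKEW >= _parse(cond.get("NotOnOrAfter")):
            return "reject", "expired"
        audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            return "reject", "wrong audience"
        if root.get("ID") in self.seen_assertions:
            return "reject", "replayed assertion"
        scd = root.find(".//saml:SubjectConfirmationData", NS)
        request_id = scd.get("InResponseTo") if scd is not None else None
        if request_id not in self.pending_requests:
            return "reject", "unsolicited or unknown request"
        self.pending_requests.discard(request_id)
        self.seen_assertions.add(root.get("ID"))
        return "ok", root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Walk through a good logon, a replay, an expired token and a tampered one."""
    now = datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)
    sp = ServiceProvider()
    sp.start_login("req-1")
    xml, sig = idp_issue("jack_jones", "req-1", now, "assertion-1")
    good = sp.consume(xml, sig, now)
    replay = sp.consume(xml, sig, now)
    sp.start_login("req-2")
    xml2, sig2 = idp_issue("jack_jones", "req-2", now, "assertion-2")
    expired = sp.consume(xml2, sig2, now + timedelta(minutes=10))
    tampered = sp.consume(xml.replace("jack_jones", "someone_else"), sig, now)
    return good, replay, expired, tampered
```

The same assertion presented twice is refused because its ID was already accepted, and a modified subject fails before any of the XML is interpreted; in a production SP the HMAC would be replaced by XML-DSig verification against the IdP certificate obtained from its metadata.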

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

Diagram: a business event (e.g. on-boarding) triggers SAP NetWeaver Identity Management, which provisions to SAP and non-SAP systems and consults SAP Access Control (GRC) for compliance checks.

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC (SAP Access Control)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Diagram of the components:
• Identity Center: IC database (either MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; runtimes (Java and VB), DSE (VB), dispatcher and event agent («starts» the runtimes)
• Virtual Directory Server (VDS): Java VM, accessed via LDAP and HTTPS
• External repositories: AS Java, ABAP, LDAP, Active Directory, Web services, etc. (connected via the database protocol, LDAP, Java, Web services)
• External applications: SAP HR, SiteMinder, etc. (connected via LDAP, Web services, application-specific connectors)
• User interface: AS Java Web Dynpro ID Mgmt UI (UI abstraction), MMC management console (soon to be Eclipse), JMX

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Request flow between the user, the approver, the compliance team, SAP NetWeaver Identity Management and SAP GRC Access Control:

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (compliance team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to the user

Result: compliant identity management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape
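The risk analysis and remediation steps of the request flow above, and the "analyze and mitigate access risks" capability just listed, come down to one check: the roles a user would hold after the request are evaluated against segregation-of-duties (SoD) rules. The Python below is an added illustration written for this page, not SAP GRC Access Control logic or its delivered rule set; the roles, business functions and SoD rules are constructed. It separates risks the request would newly introduce from risks the user already carries, and lets an assigned mitigating control turn a rejection into a "mitigate" decision, which is the distinction the remediation step needs.

```python
"""Access-risk analysis for a role request, in the spirit of the risk-analysis
and remediation steps. Added example for this page; roles, business functions
and SoD rules are constructed, not SAP's delivered rule set."""
from dataclasses import dataclass, field

# Constructed mapping: technical role -> business functions it grants
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"AP_ENTER_INVOICE"},
    "Z_AP_PAYMENT_RUN": {"AP_RELEASE_PAYMENT"},
    "Z_VENDOR_MASTER": {"MD_MAINTAIN_VENDOR"},
    "Z_AP_DISPLAY": {"AP_DISPLAY"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    functions: frozenset   # a user holding all of these violates the rule
    risk_level: str


# Constructed segregation-of-duties rules
SOD_RULES = [
    SodRule("P001", "Enter supplier invoice and release its payment",
            frozenset({"AP_ENTER_INVOICE", "AP_RELEASE_PAYMENT"}), "High"),
    SodRule("P002", "Maintain vendor master data and release payments",
            frozenset({"MD_MAINTAIN_VENDOR", "AP_RELEASE_PAYMENT"}), "High"),
]


@dataclass
class RiskResult:
    decision: str                                       # "approve", "mitigate" or "reject"
    new_risks: list = field(default_factory=list)       # rule ids caused by this request
    existing_risks: list = field(default_factory=list)  # rule ids already violated before


def functions_of(roles):
    """Union of the business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())   # unknown role grants nothing
    return funcs


def analyze(existing_roles, requested_roles, mitigations=frozenset()):
    """Simulate the assignment (existing plus requested roles) and evaluate every
    rule. Only risks the request would introduce block it; risks the user already
    carries are reported so remediation can target them. A new risk covered by an
    assigned mitigating control (rule id in `mitigations`) turns the decision into
    "mitigate" instead of "reject"."""
    before = functions_of(existing_roles)
    after = functions_of(set(existing_roles) | set(requested_roles))
    result = RiskResult(decision="approve")
    for rule in SOD_RULES:
        if not rule.functions <= after:
            continue
        if rule.functions <= before:
            result.existing_risks.append(rule.rule_id)
        else:
            result.new_risks.append(rule.rule_id)
    if result.new_risks:
        unmitigated = [r for r in result.new_risks if r not in mitigations]
        result.decision = "reject" if unmitigated else "mitigate"
    return result
```

Evaluating the combined set rather than the requested roles alone is what catches the typical case where each role is harmless on its own and the conflict only arises with a role the user already holds.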

SAP GRC Access Control 10.0 – Architecture

Diagram of the components (SAP GRC 10.0):
• SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A)
• SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications connected via an adapter (optional)
• SAP NW Portal 7.02 with GRC portal content (optional); SAP NW BW 7.02 with GRC BI content (optional)
• Identity management solutions (SAP or non-SAP) (optional)
• SAP NW Java 7.02 with Adobe Document Services (optional); Content Lifecycle Management (CLM) (optional)
• Front-end client: SAP GUI 7.10, Web browser with Adobe Flash Player and SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)
• Protocols shown: HTTP, Web services, RFC, DIAG

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the Next Level: Planned Features and Developments

• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Inputs to the SAP Attack Monitoring Infrastructure:
• Attack pattern updates by SAP
• Logs of SAP NetWeaver
• Logs of non-SAP NetWeaver
• Desktop frontend
• Mobile frontend
• Logs of infrastructure
• Logs of database
• Logs of network
• IDS
• Alerts from SAP SolMan

Processing stages: aggregation, normalization, connectivity, filtering, extraction

Outputs: API to other SIEM tools; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
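The sketch above collects logs from SAP and non-SAP sources, normalizes them into one shape and matches them against attack patterns. The Python below is an added example written for this page, not SAP's planned implementation: two constructed line formats (an application-server logon record and a web-server record for a login form) are normalized into one event schema, and one constructed pattern, repeated failed logons for an account followed by a success within a time window, is evaluated across both sources. Hostnames, user names and line formats are invented for the example; real SAP logs have their own formats.

```python
"""Normalization and pattern matching over logs from two different sources,
in the spirit of the attack monitoring sketch. Added example for this page;
line formats, hosts, users and the pattern are constructed, not SAP log formats
or SAP-delivered attack patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format 1: application server logon record
_APP = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
                  r"user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>OK|FAIL)$")
# Constructed format 2: web server access record for the login form
_WEB = re.compile(r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"POST /login" (?P<status>\d{3})$')


def normalize(line):
    """Map one raw line onto the common event schema; None if no parser fits."""
    m = _APP.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "host": m["host"], "user": m["user"], "source": "app",
                "event": m["event"].lower(), "success": m["result"] == "OK"}
    m = _WEB.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
                "host": m["host"], "user": m["user"], "source": "web",
                "event": "logon", "success": m["status"] == "200"}
    return None


def detect_password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Pattern: at least `threshold` failed logons for one account, on any
    hosts, followed by a successful logon within `window`. Because events are
    normalized first, failures seen by the web server and by the application
    server count together."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logons in by_user.items():
        for i, e in enumerate(logons):
            if not e["success"]:
                continue
            failures = [f for f in logons[:i]
                        if not f["success"] and e["ts"] - f["ts"] <= window]
            if len(failures) >= threshold:
                alerts.append({"user": user, "failures": len(failures),
                               "hosts": sorted({f["host"] for f in failures}),
                               "success_host": e["host"], "ts": e["ts"]})
    return alerts


SAMPLE_LINES = [  # constructed input
    "2013-11-05 09:00:01 host=erp01 user=jack_jones event=LOGON result=FAIL",
    "2013-11-05 09:00:07 host=erp01 user=jack_jones event=LOGON result=FAIL",
    'portal01 - jack_jones [05/Nov/2013:09:00:15] "POST /login" 401',
    "2013-11-05 09:00:30 host=erp02 user=jack_jones event=LOGON result=OK",
    "2013-11-05 09:01:00 host=erp01 user=mary_smith event=LOGON result=OK",
    "2013-11-05 09:02:00 host=erp01 user=mary_smith event=RFC_CALL result=OK",
    "this line matches no known format and is dropped by normalization",
]


def run(lines=SAMPLE_LINES):
    """Aggregate, normalize, then match; returns (events, alerts)."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, detect_password_guessing(events)
```

The point of the normalization step shows in the sample: two of the three failures are recorded by the application server and one by the web portal, and only after both are mapped to the same schema does the pattern see three failures for one account followed by a success on a third host.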

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue Your SAP TechEd Education After the Event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Protecting Your SAP Systems

Diagram: SAP customers are supported by secure software development, security services and security management.

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

Topics from the security recommendations (discussed later):
• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
  – The most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support
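Verifying configuration parameters against targets, as described above, is at its core a comparison of each system's profile parameters with a target list that also records why each target exists. The Python below is an added example written for this page, not Solution Manager's implementation. The parameter names are real SAP NetWeaver AS ABAP login and dispatcher profile parameters, but the target values and the two system snapshots are constructed and are not SAP's recommendations (take those from the SAP security guides referenced on this page). It reports a parameter that is not set at all as a finding, and uses a range check for rdisp/gui_auto_logout, where the value 0 means "never", so that a plain upper bound does not wrongly accept the weakest setting.

```python
"""Configuration validation against targets: compare each system's profile
parameters with a target list. Added example for this page, not Solution
Manager's implementation. Parameter names are real SAP NetWeaver AS ABAP
profile parameters; target values and system snapshots are constructed and
are not SAP's recommendations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    parameter: str
    expected: str       # value, bound, or "low-high" range, depending on rule
    rule: str           # "eq", "ge", "le" or "between"
    rationale: str      # why the target exists; shown in the finding


TARGETS = [  # constructed targets
    Target("login/min_password_lng", "8", "ge", "minimum password length"),
    Target("login/fails_to_user_lock", "5", "le", "lock after repeated wrong passwords"),
    Target("login/password_downwards_compatibility", "0", "eq",
           "store only the current password hash format"),
    Target("login/no_automatic_user_sapstar", "1", "eq",
           "do not recreate SAP* with its default password when it is deleted"),
    # 0 means "never log out", so an upper bound alone would accept the weakest value
    Target("rdisp/gui_auto_logout", "1-1800", "between", "terminate idle SAP GUI sessions"),
]


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def meets(actual, target):
    """True if `actual` satisfies the target; unparsable numbers never pass."""
    if target.rule == "eq":
        return actual == target.expected
    a = _as_int(actual)
    if a is None:
        return False
    if target.rule == "ge":
        return a >= int(target.expected)
    if target.rule == "le":
        return a <= int(target.expected)
    if target.rule == "between":
        low, high = (int(x) for x in target.expected.split("-"))
        return low <= a <= high
    raise ValueError(f"unknown rule {target.rule!r}")


def validate(system, parameters):
    """One finding per unmet target: (system, parameter, actual, expected, rationale).
    A parameter that is not set at all is reported as 'missing', because the
    kernel default then applies and has to be assessed separately."""
    findings = []
    for t in TARGETS:
        actual = parameters.get(t.parameter)
        if actual is None:
            findings.append((system, t.parameter, "missing", t.expected, t.rationale))
        elif not meets(actual, t):
            findings.append((system, t.parameter, actual, t.expected, t.rationale))
    return findings


SYSTEMS = {  # constructed snapshots of two systems connected to the validation
    "PRD": {"login/min_password_lng": "10", "login/fails_to_user_lock": "5",
            "login/password_downwards_compatibility": "0",
            "login/no_automatic_user_sapstar": "1", "rdisp/gui_auto_logout": "900"},
    "DEV": {"login/min_password_lng": "6", "login/fails_to_user_lock": "12",
            "login/password_downwards_compatibility": "1",
            "rdisp/gui_auto_logout": "0"},
}


def validate_all(systems=SYSTEMS):
    """Run the target list against every connected system."""
    return {name: validate(name, params) for name, params in systems.items()}
```

Carrying the rationale in each finding is what makes the report usable on patch day: the administrator sees not only which value deviates but what the target protects, and can decide whether to fix the system or adjust the target.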

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – Each task is available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
• For more information see SAP Note 1532674

Protecting Your SAP Systems

Diagram: SAP customers are supported by secure software development, security services and security management.

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).
• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
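The secure-programming bug classes and code check tools listed above, and the static analysis (SAST) described earlier on this page, all rest on one idea: follow user input through the program to the statements where it becomes dangerous. The Python below is a miniature static analyzer over an ABAP-like snippet, added as an illustration for this page and not the SAP code vulnerability analysis add-on or its checks. Its grammar is reduced to PARAMETERS as the input source, assignments and CONCATENATE as propagation, a dynamic WHERE clause, OPEN DATASET and GENERATE SUBROUTINE POOL as sinks, and any call to cl_abap_dyn_prg as a sanitizer (a simplification; the real class offers specific methods for specific sinks). The snippet is constructed.

```python
"""A miniature data-flow check over ABAP-like statements: follow user input
from its source through assignments to dangerous sinks. Added illustration for
this page, not the SAP code vulnerability analysis add-on or its checks; grammar
and snippet are constructed and heavily simplified."""
import re

SOURCE_DECL = re.compile(r"^PARAMETERS\s+(\w+)", re.I)             # user input enters here
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)\.$", re.I)                  # lv_x = <expr>.
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)   # CONCATENATE ... INTO lv_x
SANITIZER = re.compile(r"cl_abap_dyn_prg=>\w+\(", re.I)             # simplification: any method counts
IDENT = re.compile(r"\b[a-z_]\w*\b", re.I)
KEYWORDS = {"SPACE", "SEPARATED", "BY", "RESPECTING", "BLANKS"}
SINKS = [  # (pattern capturing the variable that reaches the sink, issue label)
    (re.compile(r"WHERE\s*\(\s*(\w+)\s*\)", re.I), "SQL injection via dynamic WHERE clause"),
    (re.compile(r"^OPEN DATASET\s+(\w+)", re.I), "directory traversal via user-controlled file name"),
    (re.compile(r"^GENERATE SUBROUTINE POOL\s+(\w+)", re.I), "ABAP code injection via generated source"),
]


def _tainted_origin(expr, tainted):
    """Line number of the first tainted variable used in expr, or None."""
    for name in IDENT.findall(expr):
        if name.upper() in KEYWORDS:
            continue
        if name.lower() in tainted:
            return tainted[name.lower()]
    return None


def _set_taint(tainted, var, origin):
    if origin is None:
        tainted.pop(var, None)     # overwritten with clean or sanitized data
    else:
        tainted[var] = origin


def analyze(statements):
    """Return one finding per sink reached by tainted data, with the line where
    the taint entered. `tainted` maps variable -> source line; an assignment of
    clean or sanitized data removes the variable from it again."""
    tainted = {}
    findings = []
    for lineno, raw in enumerate(statements, 1):
        stmt = raw.strip()
        m = SOURCE_DECL.match(stmt)
        if m:
            tainted[m.group(1).lower()] = lineno
            continue
        m = ASSIGN.match(stmt)
        if m:
            target, rhs = m.group(1).lower(), m.group(2)
            origin = None if SANITIZER.search(rhs) else _tainted_origin(rhs, tainted)
            _set_taint(tainted, target, origin)
            continue
        m = CONCAT.match(stmt)
        if m:
            _set_taint(tainted, m.group(2).lower(), _tainted_origin(m.group(1), tainted))
            continue
        for pattern, issue in SINKS:
            s = pattern.search(stmt)
            if s and s.group(1).lower() in tainted:
                var = s.group(1).lower()
                findings.append({"line": lineno, "variable": var,
                                 "source_line": tainted[var], "issue": issue})
    return findings


SAMPLE = [  # constructed ABAP-like snippet
    "PARAMETERS p_name TYPE string.",
    "PARAMETERS p_file TYPE string.",
    "CONCATENATE 'NAME = ''' p_name '''' INTO lv_where.",
    "SELECT * FROM zcustomers INTO TABLE lt_cust WHERE (lv_where).",
    "lv_safe = cl_abap_dyn_prg=>escape_quotes( p_name ).",
    "CONCATENATE 'NAME = ''' lv_safe '''' INTO lv_where2.",
    "SELECT * FROM zcustomers INTO TABLE lt_cust WHERE (lv_where2).",
    "lv_path = p_file.",
    "OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.",
    "lv_fixed = '/usr/sap/trans/log/fixed.txt'.",
    "OPEN DATASET lv_fixed FOR INPUT IN TEXT MODE ENCODING DEFAULT.",
]
```

Run on the sample, the first SELECT and the first OPEN DATASET are reported, each with the PARAMETERS line the input came from, while the sanitized WHERE clause and the constant file name are not. A real scan differs in scale rather than in kind: a full ABAP grammar, interprocedural tracking through method calls and form routines, and a catalogue of sinks and sanitizers per vulnerability class.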

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security Testing in terms of dynamic application security testing (DAST) and static application

security testing (SAST) are measures to improve code quality and security

Neither DAST nor SAST are a guarantee to find all security issues in an application

Manual Source Code

Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application

Penetration Testing

DAST find vulnerabilities in the

running application SAST find vulnerabilities

analyzing the sources

copy 2013 SAP AG or an SAP affiliate company All rights reserved 69

Code Vulnerability Analysis Scan Analyze and Fix Your Programs

Manual Source Code Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application Penetration

Testing

DAST

Find vulnerabilities in the

running application

SAST

Find vulnerabilities analyzing

the sources

SAP NetWeaver Application Server add-on

for code vulnerability analysis

Finding security issues at design time is easier and less

expensive

Session SIS261 ndash Your Way to Secure ABAP Code ndash Scan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 70

Stay Informed and Report Issues

Security-related news from SAP (patches whitepapers etc)

Subscribe to the SAP Support Portal Newsletter Spotlight News My

SAP HotNews My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who get

ad-hoc SAP Product Security Notifications

ndash Send out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support send an email to securesapcom

ndash Please use PGP for email encryption

ndash Public PGP key is linked at httpsservicesapcomsecuritynotes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 71

Security Response SAP

You have found a Security Vulnerability in a SAP product

What to do Open a customer message

How does SAP provide a fix when a security vulnerability was found

SAP releases all fixes to security vulnerabilities together on the monthly

security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response

practices in general

Goto the SAP Service Marketplace for spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response

using quick link lsquosecuritynotesrsquo on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA Certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

• Web Access Management (partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access.
• Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0; cross-company/cross-domain single sign-on.
• Secure Login: Single sign-on for Web-based and Web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.
• Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet). Secured and automated login via user and password.
• SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers; no single sign-on.

EBS: CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Diagram: after primary authentication of user jack_jones, E-SSO (with its E-SSO Monitor and Local Management Console) provides the sign-on to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application.]

Secure Login – Solution Architecture

[Diagram: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with the Secure Login Web Client (SLWC, applet), Key Store and SAP or Java Crypto Library; SAP Backend Systems with ABAP Stack and Secure Login Library, PSE Service and Java Stack; Secure Login Server on NetWeaver CE 7.2 with configuration data; Authentication Server (e.g. SAP User Management). Protocols shown: DIAG/SNC, HTTP(S).]

SAP NetWeaver Single Sign-On: Identity Federation

• Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

[Diagram: Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM and SCM systems, with further systems indicated by "…".]

Identity Federation – Solution

[Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider; their ERP, CRM and SCM systems act as Service Providers (SP) and are linked through identity federation.]

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: an SAP NetWeaver Java Identity Provider with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account; log on/log off and the SAML token flow between them.]

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
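The redirect-then-token flow described above, modelled as an added Python example (it is not code from the SAP slides or from SAP NetWeaver Single Sign-On). It stands in an HMAC over a JSON body for the XML signature of a real SAML assertion, uses constructed user accounts and entity IDs, and the class and function names are this example's own.

```python
"""
Added example (not from the SAP slides): a minimal model of browser-based
single sign-on - an Identity Provider (IdP) authenticates the user once and
issues a SAML-style token that each Service Provider (SP) validates instead
of re-authenticating the user.

Assumptions: the assertion is a dict signed with HMAC-SHA256 over a shared
key instead of an XML signature; user-account mapping is a plain dict per SP;
IDP_KEY, the entity IDs and the user 'jack_jones' are constructed.
"""
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-idp-signing-key"   # real deployments use an X.509 key pair
IDP_ID = "https://idp.example.invalid"


class IdentityProvider:
    """Holds the user accounts and issues signed assertions."""

    def __init__(self, users):
        self.users = users          # {login: password} - constructed data
        self.sessions = set()       # logins with an active IdP session

    def authenticate(self, login, password):
        if self.users.get(login) != password:
            return False
        self.sessions.add(login)
        return True

    def issue_assertion(self, login, audience, lifetime=300):
        """Issue an assertion for an already authenticated login, scoped to one SP."""
        if login not in self.sessions:
            return None
        body = {"issuer": IDP_ID, "subject": login, "audience": audience,
                "not_on_or_after": time.time() + lifetime}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    """One system enabled via a Service Provider (ABAP, Java or non-SAP)."""

    def __init__(self, entity_id, account_map):
        self.entity_id = entity_id
        self.account_map = account_map  # IdP subject -> local user account
        self.logged_in = {}

    def validate(self, assertion, now=None):
        """Return the local account for a valid assertion, else None."""
        if assertion is None:
            return None
        now = time.time() if now is None else now
        payload = assertion["payload"]
        expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None                                # tampered or forged
        body = json.loads(payload)
        if body["issuer"] != IDP_ID or body["audience"] != self.entity_id:
            return None                                # wrong IdP or wrong SP
        if now >= body["not_on_or_after"]:
            return None                                # expired token
        return self.account_map.get(body["subject"])   # None if no local account

    def access(self, assertion):
        account = self.validate(assertion)
        if account is not None:
            self.logged_in[account] = True
        return account


def sso_walkthrough():
    """Log on once at the IdP, then access three SPs without re-authenticating."""
    idp = IdentityProvider({"jack_jones": "constructed-pw"})
    sps = {
        "abap": ServiceProvider("https://abap.example.invalid", {"jack_jones": "JJONES"}),
        "java": ServiceProvider("https://java.example.invalid", {"jack_jones": "jack.jones"}),
        "nonsap": ServiceProvider("https://crm.example.invalid", {"jack_jones": "jjones"}),
    }
    # First access: the SP has no session, the browser is redirected to the IdP, user logs on once.
    logons = 1 if idp.authenticate("jack_jones", "constructed-pw") else 0
    results = {}
    for name, sp in sps.items():
        token = idp.issue_assertion("jack_jones", sp.entity_id)   # no re-authentication
        results[name] = sp.access(token)
    # A token issued for the ABAP SP must be rejected by the Java SP (audience check).
    replay = sps["java"].validate(idp.issue_assertion("jack_jones", sps["abap"].entity_id))
    # An expired token must be rejected even though its signature is still valid.
    expired = sps["abap"].validate(idp.issue_assertion("jack_jones", sps["abap"].entity_id),
                                   now=time.time() + 600)
    return {"logons": logons, "accounts": results,
            "cross_sp_replay": replay, "expired": expired}
```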

SAP NetWeaver Identity Management

• Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
• Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
• Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
• Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
• Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows (e.g. on-boarding)
• Central Identity Store
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with its IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, Identity Services), Dispatcher, Event Agent (<<Starts>>), Java and VB runtimes and the DSE (VB); Virtual Directory Server (VDS, in a Java VM, LDAP); AS Java with the Web Dynpro user interface (ID Mgmt UI abstraction, JMX, HTTPS); Management Console (MMC, soon to be Eclipse); external repositories (AS Java, ABAP, LDAP, Web services, Active Directory, etc.) and external applications (SAP HR, SiteMinder, LDAP/Web services, app-specific) connected via DB protocol, LDAP and Web services.]

Compliant Identity Management with SAP GRC Access Control

• Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram: the flow runs between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control; the numbers below mark the steps shown in the diagram.]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
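An added Python model of the six steps above (not code from the slides, from SAP NetWeaver Identity Management or from SAP GRC Access Control): a request is approved, simulated against a segregation-of-duties rule set, remediated and only then provisioned. The role catalogue, rule P001, user and system names are constructed, and the class and function names are this example's own.

```python
"""
Added example (not from the SAP slides): request -> approval -> risk
analysis -> remediation -> provisioning, showing where an access risk stops
a request before anything reaches a target system.

Assumptions: SoD rules are pairs of conflicting privileges, target systems
are plain strings, and ROLE_CATALOGUE, SOD_RULES and the users are
constructed data.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: business role -> privileges it grants.
ROLE_CATALOGUE = {
    "AP_CLERK": {"VENDOR_MAINTAIN"},
    "AP_PAYMENTS": {"PAYMENT_RELEASE"},
    "AP_REPORTING": {"AP_REPORT_VIEW"},
}
# Constructed access-risk rules: holding both privileges is a violation.
SOD_RULES = {
    "P001": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),   # create a vendor AND pay it
}


@dataclass
class AccessRequest:
    user: str
    roles: list
    systems: list
    approved_by: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    outcome: str = "pending"
    provisioned: dict = field(default_factory=dict)
    mail_sent: bool = False


def step2_3_approval(req, decisions):
    """Steps 2-3: manager / delegate / role owner decisions; all must approve."""
    req.approved_by = [who for who, ok in decisions.items() if ok]
    if len(req.approved_by) != len(decisions):
        req.outcome = "rejected"
    return req


def step4_risk_analysis(req, existing_privileges):
    """Step 4: simulate the assignment on top of what the user already holds."""
    future = set(existing_privileges)
    for role in req.roles:
        future |= ROLE_CATALOGUE.get(role, set())
    req.risks = [rid for rid, (a, b) in SOD_RULES.items() if a in future and b in future]
    return req


def step5_remediation(req, mitigations):
    """Step 5: approve clean requests; mitigate if a control covers the risk; else reject."""
    if req.outcome == "rejected":
        return req
    unmitigated = [r for r in req.risks if r not in mitigations.get(req.user, set())]
    if not req.risks:
        req.outcome = "approved"
    elif not unmitigated:
        req.outcome = "mitigated"
    else:
        req.outcome = "rejected"
    return req


def step6_provision(req):
    """Step 6: provision only approved or mitigated requests, then notify the user."""
    if req.outcome in ("approved", "mitigated"):
        req.provisioned = {system: sorted(req.roles) for system in req.systems}
        req.mail_sent = True
    return req


def process(req, decisions, existing_privileges, mitigations):
    req = step2_3_approval(req, decisions)
    req = step4_risk_analysis(req, existing_privileges)
    req = step5_remediation(req, mitigations)
    return step6_provision(req)


def demo():
    """Three constructed requests for a user who already holds VENDOR_MAINTAIN."""
    approvals = {"manager": True, "role_owner": True}
    clean = process(AccessRequest("u1", ["AP_REPORTING"], ["ERP", "CRM"]),
                    approvals, {"VENDOR_MAINTAIN"}, mitigations={})
    conflict = process(AccessRequest("u1", ["AP_PAYMENTS"], ["ERP"]),
                       approvals, {"VENDOR_MAINTAIN"}, mitigations={})
    controlled = process(AccessRequest("u1", ["AP_PAYMENTS"], ["ERP"]),
                         approvals, {"VENDOR_MAINTAIN"}, mitigations={"u1": {"P001"}})
    return clean, conflict, controlled
```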


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP NetWeaver AS ABAP 7.02 hosting AC, PC & RM (software component GRCFND_A), i.e. SAP GRC 10.0; SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP), connected via RFC; non-SAP business applications via adapter (Web services, optional); SAP NW Portal 7.02 with GRC Portal Content (optional, HTTP); SAP NW BW 7.02 with GRC BI Content (optional, RFC); SAP NW Java 7.02 with Adobe Document Services (optional); Identity Management solutions (SAP or non-SAP, optional, Web services); Content Lifecycle Management (CLM); front-end client with SAP GUI 7.10, Web browser and Adobe Flash Player (DIAG, HTTP); SAP CR Adapter.]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Diagram: the HR application raises a New Hire or Change Position event; Identity Management calculates entitlements based on position; the Line Manager approves the assignments (Yes/No); SAP GRC Access Control performs the compliance check and remediation; users are created and roles and privileges assigned across the heterogeneous landscape.]

Moving Security to the Next Level: Planned Features and Developments – Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: log sources (logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of infrastructure, logs of database, network logs, IDS, alerts from SAP SolMan) feed the SAP Attack Monitoring Infrastructure through connectivity, extraction, filtering, normalization and aggregation stages; attack pattern updates are delivered by SAP; an API connects to other SIEM tools; an information back channel leads to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
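An added Python sketch of the extraction, filtering, normalization and aggregation stages named in the draft above, with the attack patterns kept as data so they can be updated independently of the code. It is not SAP code (the draft itself is only a planned architecture); the two log formats, the pattern rule and the user names are constructed for this example.

```python
"""
Added example (not from the SAP slides): toy pipeline stages run over
constructed log lines from two sources, correlating them into one alert.

Assumptions: both log formats are invented here and are not SAP's Security
Audit Log or any real syslog format; PAT-001 and the users are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines: an SAP-side logon log and a non-SAP host log.
SAMPLE_LOGS = [
    "netweaver|2013-11-05T10:00:01Z|client=100|user=JJONES|result=FAIL|term=PC-17",
    "netweaver|2013-11-05T10:00:09Z|client=100|user=JJONES|result=FAIL|term=PC-17",
    "netweaver|2013-11-05T10:00:12Z|client=100|user=DEBUG|result=OK|term=PC-99",
    "host|2013-11-05T10:00:20Z dbhost authfail user=jjones src=10.0.0.5",
    "host|2013-11-05T10:00:25Z dbhost cron started",
    "netweaver|2013-11-05T10:00:30Z|client=100|user=JJONES|result=FAIL|term=PC-17",
    "netweaver|2013-11-05T10:05:00Z|client=100|user=AMILLER|result=FAIL|term=PC-03",
]

# Attack patterns as data (the draft's "attack pattern updates by SAP"); constructed rule.
ATTACK_PATTERNS = [
    {"id": "PAT-001", "event": "logon_failed", "threshold": 3, "window_s": 60,
     "title": "repeated failed logons for one user"},
]

NW_RE = re.compile(r"^netweaver\|(?P<ts>\S+)\|client=\d+\|user=(?P<user>\w+)\|result=(?P<res>\w+)")
HOST_RE = re.compile(r"^host\|(?P<ts>\S+) \S+ authfail user=(?P<user>\w+)")


def extract(line):
    """Extraction: pull timestamp, user and outcome out of a raw line, or None."""
    m = NW_RE.match(line)
    if m:
        return {"ts": m["ts"], "user": m["user"], "raw_event": "nw_" + m["res"].lower(),
                "source": "netweaver"}
    m = HOST_RE.match(line)
    if m:
        return {"ts": m["ts"], "user": m["user"], "raw_event": "host_authfail", "source": "host"}
    return None   # unparsed lines (e.g. the cron message) are dropped


def normalize(rec):
    """Normalization: map source-specific fields onto one event vocabulary."""
    vocab = {"nw_fail": "logon_failed", "nw_ok": "logon_ok", "host_authfail": "logon_failed"}
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": int(ts.timestamp()), "user": rec["user"].lower(),
            "event": vocab[rec["raw_event"]], "source": rec["source"]}


def keep(evt, patterns):
    """Filtering: drop events that no pattern is interested in."""
    return evt["event"] in {p["event"] for p in patterns}


def aggregate_and_match(events, patterns):
    """Aggregation: count events per user inside a sliding window; emit alerts."""
    alerts = []
    for pat in patterns:
        per_user = defaultdict(list)
        for e in sorted(events, key=lambda e: e["ts"]):
            if e["event"] != pat["event"]:
                continue
            window = [t for t in per_user[e["user"]] if e["ts"] - t < pat["window_s"]]
            window.append(e["ts"])
            per_user[e["user"]] = window
            if len(window) == pat["threshold"]:      # fire once per burst
                alerts.append({"pattern": pat["id"], "user": e["user"], "count": len(window),
                               "first_ts": window[0], "last_ts": e["ts"]})
    return alerts


def run_pipeline(lines=SAMPLE_LOGS, patterns=ATTACK_PATTERNS):
    """Connectivity stand-in: iterate the lines and run the stages in order."""
    events = [normalize(r) for r in map(extract, lines) if r is not None]
    events = [e for e in events if keep(e, patterns)]
    return aggregate_and_match(events, patterns)   # what an API to a SIEM would export
```

With the sample lines, the third failure for jjones comes from the host log, so the alert only exists because both sources were normalized onto the same user and event vocabulary.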


Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

SAP Security Management for Your Systems

Are you ready?
• Do you have management support for SAP security?
• Do you have defined responsibilities for SAP security?
• Do you have a security contact maintained in SMP?
• Do you have standards and guidelines for SAP security?
• Do you have know-how in security operations?
• Do you have know-how in secure development?
• Do you have know-how in authorizations and SoD?
• Do you monitor compliance with standards and guidelines?

SAP Security is more than roles and profiles. Examples: secure system configuration, patch management.

Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit Web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management: password policy, password hashes, default passwords
• Secure session handling

(Topics from the security recommendations; discussed later.)

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely or as self service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be applied automatically are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.

Protecting Your SAP Systems

[Diagram: SAP Customers at the centre, surrounded by Secure Software Development, Security Services and Security Management.]

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

• DAST – find vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing
• SAST – find vulnerabilities analyzing the sources: manual source code review, automated source code analysis

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

• DAST – find vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing
• SAST – find vulnerabilities analyzing the sources: manual source code review, automated source code analysis (SAP NetWeaver Application Server add-on for code vulnerability analysis)

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product?
• What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
• SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general?
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP support portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic – Course ID
• Authorizations AS ABAP – ADM940
• Authorizations AS Java, Portal – ADM200, EP200, ADM800
• Authorizations BW – BW365
• SAP NetWeaver Identity Management – ADM920
• Security Auditing – ADM950
• Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels
• EAL 1: Functionally tested
• EAL 2: Structurally tested
• EAL 3: Methodically tested and checked
• EAL 4: Methodically designed, tested and reviewed
• EAL 5: Semi-formally designed and tested
• EAL 6: Semi-formally verified, designed and tested
• EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

Identity Provider – Web Browser-Based Single Sign-On

• Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric

(Figure: SAP NetWeaver Java Identity Provider with user account; SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers, each with a user account; log on / log off and SAML token exchanges between them.)
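The redirect-to-IdP flow described on this slide, as an added example that is not part of the original deck and not SAP's implementation: one Identity Provider, two Service Providers, a primary logon at the IdP, and SSO to both SPs without a second password prompt. The assertion is a JSON body with an HMAC tag standing in for the XML signature that real SAML uses (so here the SPs hold the same key as the IdP, whereas in SAML they would verify with the IdP's public key); entity IDs, the user jack_jones and the password are constructed. The point of the example is the set of checks the SP performs before it accepts an assertion: signature, issuer, audience, validity window and replay.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


class IdentityProvider:
    """Authenticates the user once and answers Service Providers' requests with assertions."""

    def __init__(self, entity_id: str, signing_key: bytes):
        self.entity_id = entity_id
        self._key = signing_key
        # constructed credential store for the illustration (password hash only)
        self._users = {"jack_jones": hashlib.sha256(b"demo-password").hexdigest()}
        self._sessions: Dict[str, str] = {}      # IdP session id -> user name

    def logon(self, user: str, password: str) -> Optional[str]:
        """Primary authentication at the IdP; returns an IdP session id or None."""
        candidate = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self._users.get(user, ""), candidate):
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def issue_assertion(self, idp_session: Optional[str], audience: str, now: float) -> Optional[dict]:
        """Answer an SP's authentication request, but only for an authenticated browser session."""
        user = self._sessions.get(idp_session)
        if user is None:
            return None                          # the SP must send the user to the IdP logon page
        body = {
            "id": secrets.token_hex(8),          # unique assertion id, lets SPs detect replay
            "issuer": self.entity_id,
            "subject": user,
            "audience": audience,                # AudienceRestriction: only this SP may accept it
            "not_on_or_after": now + 300,        # validity window in seconds
        }
        tag = hmac.new(self._key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
        return {"body": body, "signature": tag}


class ServiceProvider:
    """A system enabled for web SSO: trusts one IdP and keeps its own local sessions."""

    def __init__(self, entity_id: str, idp: IdentityProvider, idp_key: bytes):
        self.entity_id = entity_id
        self._idp = idp
        self._idp_key = idp_key                  # trust anchor (an IdP public key in real SAML)
        self._seen_ids = set()                   # assertion ids already consumed
        self._sessions: Dict[str, str] = {}      # SP session id -> user name

    def consume(self, assertion: dict, now: float) -> Optional[str]:
        """Validate an assertion; returns the subject, or None if any check fails."""
        body = assertion["body"]
        expected = hmac.new(self._idp_key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None                          # tampered, or not signed by the trusted IdP
        if body["issuer"] != self._idp.entity_id or body["audience"] != self.entity_id:
            return None                          # issued by someone else, or meant for another SP
        if now >= body["not_on_or_after"]:
            return None                          # expired
        if body["id"] in self._seen_ids:
            return None                          # replayed
        self._seen_ids.add(body["id"])
        return body["subject"]

    def access(self, sp_session: Optional[str], idp_session: Optional[str],
               now: float) -> Tuple[str, Optional[str], Optional[str]]:
        """Browser hits the SP: a local session wins; otherwise try SSO through the IdP."""
        if sp_session in self._sessions:
            return "ok", self._sessions[sp_session], sp_session
        assertion = self._idp.issue_assertion(idp_session, self.entity_id, now)
        if assertion is None:
            return "redirect_to_idp", None, None
        user = self.consume(assertion, now)
        if user is None:
            return "rejected", None, None
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return "ok", user, sid


def demo() -> dict:
    """Walk through the flow; every value is returned so it can be checked."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example.test", key)
    erp = ServiceProvider("https://erp.example.test", idp, key)
    crm = ServiceProvider("https://crm.example.test", idp, key)
    now = time.time()
    out = {"before_logon": erp.access(None, None, now)[0]}     # no IdP session yet -> redirect
    idp_sid = idp.logon("jack_jones", "demo-password")         # primary authentication, once
    status, user, erp_sid = erp.access(None, idp_sid, now)
    out["erp"] = (status, user)
    out["crm"] = crm.access(None, idp_sid, now)[:2]            # second SP, no re-authentication
    out["erp_again"] = erp.access(erp_sid, None, now + 1000)[:2]  # local SP session is reused
    # checks an SP must not skip
    out["wrong_audience"] = crm.consume(idp.issue_assertion(idp_sid, erp.entity_id, now), now)
    tampered = idp.issue_assertion(idp_sid, erp.entity_id, now)
    tampered["body"]["subject"] = "admin"                      # any edit breaks the signature
    out["tampered"] = erp.consume(tampered, now)
    out["expired"] = erp.consume(idp.issue_assertion(idp_sid, erp.entity_id, now), now + 600)
    once = idp.issue_assertion(idp_sid, erp.entity_id, now)
    out["first_use"] = erp.consume(once, now)
    out["replay"] = erp.consume(once, now)
    return out
```

Note that the SP trusts the IdP's signature, not the browser: the browser only carries the assertion, and the SP's own session (erp_sid) is what keeps the user logged on afterwards.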

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC (SAP Access Control)
• SAP Business Suite integration

(Figure: SAP NetWeaver Identity Management at the centre, connected to the Central Identity Store, SAP Access Control (GRC) and SAP Business Suite; trigger example: on-boarding.)

Architecture of SAP NetWeaver Identity Management 7.2

(Figure: architecture diagram with the labels below.
– Identity Center: IC database (either MS SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and identity store (IdS); Runtime (Java), Runtime (VB), DSE (VB) and Dispatcher (VB); the Event Agent starts the runtimes; database protocol between them.
– Virtual Directory Server (VDS) in a Java VM, reached via LDAP and HTTPS, with connectors to AS Java, LDAP, Java, ABAP, web services, Active Directory etc. (external repositories).
– External applications: SAP HR, LDAP/web services etc., SiteMinder, application-specific.
– User interface: AS Java with the Web Dynpro identity management UI abstraction, JMX, and an MMC management console (soon to be Eclipse).)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Figure, built up over seven slides: the request flows between User, Approver and Compliance Team on one side and SAP NetWeaver Identity Management and SAP GRC Access Control on the other; the numbers below mark the steps in the diagram.)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management
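The six-step flow above, carried through in code as an added example (not SAP's workflow engine and not part of the deck): a request is approved, sent for access risk analysis, remediated and only then provisioned. The segregation-of-duties rules, role names, target systems and users are all constructed for this illustration; the behaviour worth noting is that provisioning is refused while a risk found in step 5 is neither mitigated nor removed from the request.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# constructed segregation-of-duties rules: role pairs that must not be held together
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "Enter and pay vendor invoices",
    frozenset({"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"}): "Create vendor and pay it",
}
# constructed mapping of business roles to the systems they are provisioned into
ROLE_SYSTEMS = {
    "AP_INVOICE_ENTRY": ["ERP"],
    "AP_PAYMENT_RELEASE": ["ERP"],
    "VENDOR_MASTER_MAINTAIN": ["ERP", "CRM"],
    "REPORTING_VIEWER": ["BW", "Payroll (non-SAP)"],
}
REQUIRED_APPROVERS = {"manager", "role_owner"}      # step 2/3: who has to approve


@dataclass
class AccessRequest:
    user: str
    current_roles: Set[str]                          # what the user already holds
    requested_roles: Set[str]                        # step 1: what is asked for
    approvals: Set[str] = field(default_factory=set)
    risks: List[str] = field(default_factory=list)   # step 5 findings
    mitigations: Set[str] = field(default_factory=set)  # risks accepted with a compensating control
    state: str = "awaiting_approval"
    provisioned: List[Tuple[str, str]] = field(default_factory=list)


def submit(user: str, current_roles, requested_roles) -> AccessRequest:
    return AccessRequest(user, set(current_roles), set(requested_roles))


def approve(req: AccessRequest, approver: str) -> str:
    """Steps 2 and 3: collect approvals until every required approver has signed off."""
    req.approvals.add(approver)
    if REQUIRED_APPROVERS <= req.approvals:
        req.state = "approved"
    return req.state


def risk_analysis(req: AccessRequest) -> List[str]:
    """Steps 4 and 5: evaluate the access the user would end up with, not only the delta."""
    resulting = req.current_roles | req.requested_roles
    req.risks = sorted(desc for pair, desc in SOD_RULES.items() if pair <= resulting)
    return req.risks


def open_risks(req: AccessRequest) -> List[str]:
    return [r for r in req.risks if r not in req.mitigations]


def remediate(req: AccessRequest, decision: str, detail: str = "") -> List[str]:
    """Step 5 actions: reject, mitigate (a control is recorded), modify (drop a role), approve."""
    if decision == "reject":
        req.state = "rejected"
    elif decision == "mitigate":
        req.mitigations.add(detail)                  # detail = the risk the control covers
    elif decision == "modify":
        req.requested_roles.discard(detail)          # detail = the conflicting role to drop
        risk_analysis(req)                           # re-run the analysis on the changed request
    elif decision != "approve":
        raise KeyError("unknown decision " + decision)
    return open_risks(req)


def provision(req: AccessRequest):
    """Step 6: create the assignments in the target systems and notify the user."""
    if req.state != "approved":
        raise PermissionError("request is " + req.state)
    if open_risks(req):
        raise PermissionError("unmitigated access risks: " + "; ".join(open_risks(req)))
    req.provisioned = [(system, role)
                       for role in sorted(req.requested_roles) for system in ROLE_SYSTEMS[role]]
    req.state = "provisioned"
    return req.provisioned, f"Approval mail to {req.user}: {len(req.provisioned)} assignment(s) provisioned"


def demo() -> dict:
    out = {}
    req = submit("jack_jones", {"AP_INVOICE_ENTRY"}, {"AP_PAYMENT_RELEASE"})
    out["after_manager"] = approve(req, "manager")
    out["after_role_owner"] = approve(req, "role_owner")
    out["risks"] = risk_analysis(req)                # conflict with a role the user already holds
    try:
        provision(req)
        out["provisioned_with_open_risk"] = True
    except PermissionError:
        out["provisioned_with_open_risk"] = False    # blocked until the compliance team acts
    out["after_mitigation"] = remediate(req, "mitigate", "Enter and pay vendor invoices")
    out["assignments"], out["mail"] = provision(req)
    # second request: the conflicting role is removed from the request instead
    req2 = submit("jane_doe", {"VENDOR_MASTER_MAINTAIN"}, {"AP_PAYMENT_RELEASE", "REPORTING_VIEWER"})
    for approver in REQUIRED_APPROVERS:
        approve(req2, approver)
    out["req2_risks"] = list(risk_analysis(req2))
    out["req2_after_modify"] = remediate(req2, "modify", "AP_PAYMENT_RELEASE")
    out["req2_assignments"] = provision(req2)[0]
    return out
```

The analysis runs on the resulting access (current plus requested roles), which is what makes the first request a finding even though the single requested role is harmless on its own.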

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Figure: architecture diagram with the labels below.
– SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM); SAP GRC 10.0.
– SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via adapter.
– Optional: SAP NW Portal 7.02 with GRC portal content; SAP NW BW 7.02 with GRC BI content; SAP NW Java 7.02 with Adobe Document Services; identity management solutions (SAP or non-SAP).
– Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports).
– Connections: HTTP, web services, RFC, DIAG.)

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Figure: process flow between the HR application (New Hire, Change Position), Identity Management (Calculate Entitlements Based on Position), the Line Manager (Approve Assignments: Yes / No), SAP GRC Access Control (Compliance Check, Remediation) and the heterogeneous landscape (Create User, Assign Roles / Assign Privileges in each system).)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Figure: draft architecture. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend and mobile frontend logs; logs of infrastructure; logs of database; network IDS logs; alerts from SAP Solution Manager. The SAP Attack Monitoring Infrastructure provides connectivity, extraction, filtering, aggregation and normalization. Outputs: API to other SIEM tools; information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
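The extraction, filtering, aggregation and normalization stages of the draft above, shown end to end as an added example; it is not SAP's infrastructure and not code from the deck. Both log formats and all sample lines are constructed (the key=value audit lines are not the real SAP Security Audit Log format, the database lines are not any vendor's format, and the year 2013 is assumed for the syslog-style stamps that carry none). Two constructed attack patterns are then evaluated over the unified timeline: repeated failed logons followed by a success from the same source, and failed logons from one address against more than one log source, which only becomes visible once logs are centralized.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed input 1: application-server audit lines, key=value style
APP_LOG = """\
2013-10-22T09:14:03Z host=erp-ci-01 src=SAPSEC user=JJONES client=100 event=LOGON_FAILED terminal=10.1.5.23 reason=wrong_password
2013-10-22T09:14:09Z host=erp-ci-01 src=SAPSEC user=JJONES client=100 event=LOGON_FAILED terminal=10.1.5.23 reason=wrong_password
2013-10-22T09:14:15Z host=erp-ci-01 src=SAPSEC user=JJONES client=100 event=LOGON_FAILED terminal=10.1.5.23 reason=wrong_password
2013-10-22T09:14:21Z host=erp-ci-01 src=SAPSEC user=JJONES client=100 event=LOGON_OK terminal=10.1.5.23
2013-10-22T09:16:00Z host=erp-ci-01 src=SAPSEC user=JJONES client=100 event=REPORT_START terminal=10.1.5.23 report=RSUSR002
2013-10-22T09:20:00Z host=erp-ci-01 src=SAPSEC user=ASMITH client=100 event=LOGON_OK terminal=10.1.5.40
"""
# constructed input 2: database audit lines in a different shape (no year in the timestamp)
DB_LOG = """\
Oct 22 09:14:05 erp-db-01 dbaudit: login failed for user 'SAPSR3' from 10.1.5.23
Oct 22 09:14:06 erp-db-01 dbaudit: login failed for user 'SAPSR3' from 10.1.5.23
Oct 22 09:14:07 erp-db-01 dbaudit: login failed for user 'SAPSR3' from 10.1.5.23
Oct 22 09:15:00 erp-db-01 dbaudit: login succeeded for user 'SAPSR3' from 10.1.5.10
"""

APP_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=\S+ user=(?P<user>\S+) client=\d+ "
                    r"event=(?P<event>\S+) terminal=(?P<ip>\S+)")
DB_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dbaudit: "
                   r"login (?P<result>failed|succeeded) for user '(?P<user>[^']+)' from (?P<ip>\S+)")
ASSUMED_YEAR = "2013"      # assumption: syslog-style stamps carry no year


def extract(text: str, source: str) -> list:
    """Extraction + filtering: parse one source's lines into a common event schema,
    dropping events the attack patterns do not use."""
    events = []
    for line in text.splitlines():
        if source == "netweaver":
            m = APP_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            outcome = {"LOGON_FAILED": "failure", "LOGON_OK": "success"}.get(m["event"])
        else:
            m = DB_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
            outcome = "failure" if m["result"] == "failed" else "success"
        if outcome is None:
            continue                                   # filtering: not a logon event
        events.append({"ts": ts, "host": m["host"], "source": source,
                       "user": m["user"], "src_ip": m["ip"], "outcome": outcome})
    return events


def normalize_all() -> list:
    """Aggregation: one timeline across sources, in normalized form."""
    events = extract(APP_LOG, "netweaver") + extract(DB_LOG, "database")
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, failures: int = 3, window: timedelta = timedelta(seconds=120)) -> list:
    """Evaluate two constructed attack patterns over normalized events."""
    alerts = []
    # pattern 1: >= `failures` failed logons, then a success, same user/source/address, within `window`
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src_ip"], e["source"])].append(e)
    for (user, ip, source), evs in by_key.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        for s in (e for e in evs if e["outcome"] == "success"):
            recent = [f for f in fails if s["ts"] - window <= f["ts"] < s["ts"]]
            if len(recent) >= failures:
                alerts.append(("guess_then_success", source, user, ip))
    # pattern 2: failures from one address against more than one log source
    per_ip = defaultdict(set)
    for e in events:
        if e["outcome"] == "failure":
            per_ip[e["src_ip"]].add(e["source"])
    for ip, sources in per_ip.items():
        if len(sources) > 1:
            alerts.append(("multi_source_failures", ip, tuple(sorted(sources))))
    return alerts
```

The second pattern is the argument for centralization: neither the application server nor the database sees enough on its own to raise it.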

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Secure System Configuration: SAP NetWeaver AS ABAP

• Network filtering
• SAP GUI for Windows
• Limit web-enabled content
• SAP Gateway and SAP Message Server security
• Secure Network Communication (SNC) and HTTPS
• ABAP RFC connectivity
• Password management
  – Password policy
  – Password hashes
  – Default passwords
• Secure session handling

(From the security recommendations; discussed later.)

Patch Management and Security Monitoring

• Check the security of your systems onsite, remote or as self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
• The most important notes which can be automatically applied are checked and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

• The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – each task available in two flavors – one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks such as SAP Cryptographic Library installation and profile parameter settings for enabling SSL (HTTPS)
• For more information see SAP Note 1532674
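The check that the two preceding slides describe, configuration parameters verified against targets (Solution Manager) and SSL profile validation (LM Automation), reduced to its core as an added example; it is not the code of either tool and not part of the deck. The parameter names are real AS ABAP profile parameters, but the sample profile excerpt and every target value are constructed for the illustration and are not SAP's published recommendations; take targets from the SAP security recommendations referenced elsewhere in this deck.

```python
import re

# constructed excerpt of an instance profile (values chosen to show deviations)
SAMPLE_PROFILE = """\
# instance profile excerpt, constructed sample
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
rdisp/gui_auto_logout = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
ssl/ssl_lib = /usr/sap/DEV/SYS/exe/run/libsapcrypto.so
"""

# target configuration: (rule, expected); illustrative values, not SAP's recommendations
TARGETS = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/no_automatic_user_sapstar": ("eq", "1"),
    "login/password_downwards_compatibility": ("eq", "0"),
    "rdisp/gui_auto_logout": ("between", (1, 3600)),   # 0 means no automatic logout
    "snc/enable": ("eq", "1"),
    "icm/server_port_0": ("regex", r"PROT=HTTPS"),     # first ICM port should be HTTPS
    "ssl/ssl_lib": ("set", None),                      # crypto library must be configured
}


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)      # split at the first '=' only: ICM values contain '='
        params[name.strip()] = value.strip()
    return params


def _check(rule: str, expected, actual: str) -> bool:
    if rule == "eq":
        return actual == str(expected)
    if rule == "min":
        return int(actual) >= expected
    if rule == "max":
        return int(actual) <= expected
    if rule == "between":
        low, high = expected
        return low <= int(actual) <= high
    if rule == "regex":
        return re.search(expected, actual) is not None
    if rule == "set":
        return actual != ""
    raise KeyError("unknown rule " + rule)


def validate(profile_text: str, targets: dict = TARGETS) -> list:
    """Return (parameter, actual, target, status) for every target; status is OK, DEVIATION or MISSING."""
    params = parse_profile(profile_text)
    findings = []
    for name, (rule, expected) in targets.items():
        target = f"{rule} {expected}"
        if name not in params:
            findings.append((name, None, target, "MISSING"))   # unset: the kernel default applies
            continue
        try:
            ok = _check(rule, expected, params[name])
        except ValueError:                                     # non-numeric value where a number is required
            ok = False
        findings.append((name, params[name], target, "OK" if ok else "DEVIATION"))
    return findings


def summary(findings: list) -> dict:
    counts = {"OK": 0, "DEVIATION": 0, "MISSING": 0}
    for finding in findings:
        counts[finding[3]] += 1
    return counts
```

A parameter that is absent from the profile is reported separately from one that deviates, because the effective value is then the kernel default, which differs between releases and has to be looked up rather than assumed.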

Protecting Your SAP Systems

(Figure: SAP customers surrounded by three areas – Secure Software Development, Security Services and Security Management.)

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it
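Two of the bug classes listed above, directory traversal and SQL injection, each in a vulnerable form beside its hardened form, as an added example that is not from the deck or the SAP Secure Programming Guides. Python stands in for ABAP; the export directory, the customers table and its rows are constructed. The hardened variants apply the two fixes that a code scanner would look for: canonicalizing the path and checking it stays under the allowed root, and passing user input as a bound parameter instead of statement text.

```python
import os
import sqlite3
import tempfile


# --- directory traversal ---------------------------------------------------
def read_export_vulnerable(export_root: str, filename: str) -> bytes:
    # user-controlled filename joined without validation: '..' segments leave the root
    with open(os.path.join(export_root, filename), "rb") as fh:
        return fh.read()


def read_export_hardened(export_root: str, filename: str) -> bytes:
    root = os.path.realpath(export_root)
    target = os.path.realpath(os.path.join(root, filename))   # resolves '..' and symlinks
    if os.path.commonpath([root, target]) != root:            # must remain inside the root
        raise PermissionError("path escapes export root: %r" % filename)
    with open(target, "rb") as fh:
        return fh.read()


# --- SQL injection ---------------------------------------------------------
def find_customer_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # user input concatenated into the statement text
    sql = "SELECT id, name FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_customer_hardened(conn: sqlite3.Connection, name: str) -> list:
    # input travels as a bound parameter; the statement text is fixed
    return conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Run both pairs against constructed data and return what each variant did."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "export")
        os.mkdir(root)
        with open(os.path.join(root, "report.csv"), "wb") as fh:
            fh.write(b"id,amount\n1,10\n")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:   # lives outside the root
            fh.write(b"not for export")
        out["vuln_escapes"] = read_export_vulnerable(root, "../secret.txt") == b"not for export"
        out["hardened_ok"] = read_export_hardened(root, "report.csv") == b"id,amount\n1,10\n"
        try:
            read_export_hardened(root, "../secret.txt")
            out["hardened_blocks"] = False
        except PermissionError:
            out["hardened_blocks"] = True

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    probe = "x' OR '1'='1"                                   # constructed tautology input
    out["vuln_rows"] = len(find_customer_vulnerable(conn, probe))    # condition always true
    out["hardened_rows"] = len(find_customer_hardened(conn, probe))  # literally no such name
    out["hardened_exact"] = find_customer_hardened(conn, "Bob")
    return out
```

In ABAP the equivalent fixes are the same in spirit: validate file names against an allowed location before opening them, and keep host variables and `WHERE` conditions out of dynamically concatenated statement text; the code vulnerability analysis add-on mentioned on the following slides reports exactly these data-flow patterns.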

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Figure: four testing approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Figure: the same four approaches – Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing – grouped into SAST (find vulnerabilities by analyzing the sources) and DAST (find vulnerabilities in the running application); the SAP NetWeaver Application Server add-on for code vulnerability analysis is placed under automated source code analysis.)

• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product
• What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
• SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response practices in general
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP support portal newsletter
• Maintain a security contact in your organization
• You will find all links and more information on security response using quick link 'securitynotes' on the SAP Service Marketplace

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic – Course ID
• Authorizations AS ABAP – ADM940
• Authorizations AS Java / Portal – ADM200, EP200, ADM800
• Authorizations BW – BW365
• SAP NetWeaver Identity Management – ADM920
• Security Auditing – ADM950
• Technical Security (RFC, SSL, SNC, …) – ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
• EAL 1 – Functionally tested
• EAL 2 – Structurally tested
• EAL 3 – Methodically tested and checked
• EAL 4 – Methodically designed, tested and reviewed
• EAL 5 – Semi-formally designed and tested
• EAL 6 – Semi-formally verified, designed and tested
• EAL 7 – Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

(Figure: three layers – Compliance and Governance: SAP GRC Access Control; Identity Management: SAP NetWeaver Identity Management; Authentication and Single Sign-On: SAP NetWeaver Single Sign-On.)

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

(Figure: SAP NetWeaver Single Sign-On with its components – Secure Login, Enterprise Single Sign-On, Identity Federation, Web Access Management (partner product via API) and SNC Client Encryption.)

• Web Access Management: Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to web applications; XACML-based and policy-enforced access
• Identity Federation: web-based and web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for web-based and web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet): secured and automated login via user and password
• SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

(Figure: E-SSO flow – primary authentication to E-SSO; E-SSO monitor and local management console; E-SSO then supplies the credentials of the sample user jack_jones to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application.)


copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 62: SIS100 - Overview About Product Security, IDM and SSO

Patch Management and Security Monitoring

• Check the security of your systems onsite, remotely, or as a self-service via SAP Solution Manager
• Verify release information and configuration parameters against targets for all systems connected to Solution Manager
• Evaluate SAP security notes every patch day
  – The most important notes that can be applied automatically are checked, and the result is presented
• Manage SAP security notes for all systems connected to Solution Manager

Session SIS103 – Security Control Center by SAP Active Global Support

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.

• Easy-to-use, light-weight tool – short startup time, small memory footprint
• Configuration tasks provided with LM Automation Standalone 1.0 SP00 – each task is available in two flavors, one for ABAP and one for Java application servers:
  – SSL Validation: validates configuration settings (such as the SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates profile parameter settings for secure sessions
  – SSL Maintenance: performs the configuration and describes the required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)

For more information see SAP Note 1532674.
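To make concrete what an SSL profile validation task checks, here is an added example written for this page (it is not LM Automation Standalone code and not an SAP tool). It parses a constructed AS ABAP instance profile excerpt and reports the settings that block or weaken HTTPS. The parameter names ssl/ssl_lib, icm/server_port_<n> and login/ticket_only_by_https are standard AS ABAP profile parameters; which settings the real tool validates, and the sample values, are this example's own assumptions.

```python
"""Check the HTTPS-related settings of an AS ABAP instance profile.

Added example for this page, not SAP's LM Automation Standalone code. The
parameter names are standard AS ABAP profile parameters; the checks applied
and the sample profile are this example's own assumptions.
"""
import re
from typing import Dict, List

# Constructed instance profile excerpt: crypto library set, HTTPS port open,
# but a plain HTTP port is open too and logon tickets are still allowed over it.
SAMPLE_PROFILE = """
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
# comments start with '#'
ssl/ssl_lib = /usr/sap/DEV/SYS/exe/run/libsapcrypto.so
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
login/ticket_only_by_https = 0
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value} for 'name = value' lines, ignoring comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def parse_port(value: str) -> Dict[str, str]:
    """Turn 'PROT=HTTPS,PORT=44300' into {'PROT': 'HTTPS', 'PORT': '44300'}."""
    return dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)


def icm_ports(params: Dict[str, str]) -> List[Dict[str, str]]:
    """Expand every icm/server_port_<n> value into its key/value dict."""
    return [parse_port(value) for name, value in params.items()
            if re.fullmatch(r"icm/server_port_\d+", name)]


def validate_ssl_profile(params: Dict[str, str]) -> List[str]:
    """Return the list of findings; an empty list means the profile passes."""
    findings = []
    if not params.get("ssl/ssl_lib"):
        findings.append("ssl/ssl_lib is not set: no SSL library, HTTPS cannot be enabled")
    ports = icm_ports(params)
    https = [p for p in ports if p.get("PROT", "").upper() == "HTTPS"]
    http = [p for p in ports if p.get("PROT", "").upper() == "HTTP"]
    if not https:
        findings.append("no icm/server_port_<n> with PROT=HTTPS: HTTPS is not enabled")
    if http:
        findings.append("plain HTTP port(s) %s open: traffic on them is unencrypted"
                        % ",".join(p.get("PORT", "?") for p in http))
    if https and params.get("login/ticket_only_by_https", "0") != "1":
        findings.append("login/ticket_only_by_https is not 1: logon tickets may be sent over HTTP")
    return findings


def hardened(params: Dict[str, str]) -> Dict[str, str]:
    """The corrected profile: plain HTTP ports removed, tickets restricted to HTTPS."""
    fixed = {name: value for name, value in params.items()
             if not (name.startswith("icm/server_port_")
                     and parse_port(value).get("PROT", "").upper() == "HTTP")}
    fixed["login/ticket_only_by_https"] = "1"
    return fixed


if __name__ == "__main__":
    for finding in validate_ssl_profile(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
    print("after hardening:", validate_ssl_profile(hardened(parse_profile(SAMPLE_PROFILE))))
```

Run against a real profile, the same parser works on the DEFAULT.PFL and instance profile files; whether an open plain HTTP port is a finding or an accepted exception is a decision the landscape owner has to record, which is why the tool reports it rather than silently fixing it.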

Protecting Your SAP Systems

(Figure: the three pillars of protection for SAP customers – Secure Software Development, Security Services, and Security Management)

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it
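The slide names the bug classes but shows no code. The following is an added example, written for this page rather than taken from SAP's guides, that puts the vulnerable pattern next to the hardened one for four of them: SQL injection, directory traversal, XSS, and XSRF. Python stands in for the ABAP or Java of a real SAP application, and the vendor table, report directory, and session/token scheme are constructed for the example.

```python
"""Vulnerable and hardened handling of untrusted input for four of the bug
classes on the slide. Added example for this page; Python stands in for the
ABAP or Java code of a real SAP application, and the table, report directory
and token scheme are constructed for the example."""
import hmac
import html
import sqlite3
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a business table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendors (id INTEGER, name TEXT, iban TEXT)")
    con.executemany("INSERT INTO vendors VALUES (?, ?, ?)",
                    [(1, "ACME", "DE00ACME"), (2, "Globex", "DE00GLBX")])
    return con


# SQL injection: statement text built from input vs. a bind variable.
def find_vendor_vulnerable(con, name):
    return con.execute("SELECT name FROM vendors WHERE name = '%s'" % name).fetchall()


def find_vendor_hardened(con, name):
    return con.execute("SELECT name FROM vendors WHERE name = ?", (name,)).fetchall()


# Directory traversal: unchecked path join vs. canonicalize-then-contain check.
def setup_report_dir() -> Path:
    """Constructed layout: <tmp>/reports/q1.txt is allowed, <tmp>/secret.txt is not."""
    root = Path(tempfile.mkdtemp())
    base = root / "reports"
    base.mkdir()
    (base / "q1.txt").write_text("Q1 report")
    (root / "secret.txt").write_text("TOP SECRET")
    return base


def read_report_vulnerable(base: Path, filename: str) -> str:
    return (base / filename).read_text()


def read_report_hardened(base: Path, filename: str) -> str:
    base = base.resolve()
    target = (base / filename).resolve()   # resolves '..' and symlinks
    if base not in target.parents:
        raise PermissionError("path escapes report directory: %r" % filename)
    return target.read_text()


def traversal_rejected(base: Path, filename: str) -> bool:
    """True when the hardened reader refuses the name."""
    try:
        read_report_hardened(base, filename)
        return False
    except PermissionError:
        return True


# XSS: raw input in HTML vs. output encoding for the HTML text context.
def greet_vulnerable(user: str) -> str:
    return "<p>Hello %s</p>" % user


def greet_hardened(user: str) -> str:
    return "<p>Hello %s</p>" % html.escape(user, quote=True)


# XSRF: a state-changing request is accepted only with a token bound to the
# user's session, which a request forged by another site cannot carry.
def issue_xsrf_token(session_id: str, key: bytes) -> str:
    return hmac.new(key, session_id.encode(), "sha256").hexdigest()


def handle_transfer(session_id: str, key: bytes, form: dict) -> bool:
    expected = issue_xsrf_token(session_id, key)
    return hmac.compare_digest(expected, form.get("xsrf_token", ""))  # constant-time
```

The hardened variants share one idea: keep untrusted data out of the position where it would be interpreted (statement structure, path component, HTML markup, request authority), rather than trying to filter out bad characters.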

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners run security code scans (among other measures) for custom-developed code (see SAP Note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, and result storage
• Code Inspector (SCI): open framework for customers, partners, and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check that analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) is a measure to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

• SAST – find vulnerabilities by analyzing the sources: manual source code review, automated source code analysis
• DAST – find vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing

Code Vulnerability Analysis: Scan, Analyze, and Fix Your Programs

• SAST – find vulnerabilities by analyzing the sources: manual source code review, automated source code analysis (SAP NetWeaver Application Server add-on for code vulnerability analysis)
• DAST – find vulnerabilities in the running application: automated application vulnerability scanning, manual application penetration testing

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in the SAP Service Marketplace who receives ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product – what to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes for security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for:
• Spotlight news
• The security notes released on the Security Patch Days
• Subscription to the SAP Support Portal newsletter
• Maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
  – Booking code: P_ADM_SEC_70

Topic                                     Course ID
Authorizations AS ABAP                    ADM940
Authorizations AS Java, Portal            ADM200, EP200, ADM800
Authorizations BW                         BW365
SAP NetWeaver Identity Management         ADM920
Security Auditing                         ADM950
Technical Security (RFC, SSL, SNC, …)     ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

EAL 1   Functionally tested
EAL 2   Structurally tested
EAL 3   Methodically tested and checked
EAL 4   Methodically designed, tested, and reviewed
EAL 5   Semi-formally designed and tested
EAL 6   Semi-formally verified, designed, and tested
EAL 7   Formally verified, designed, and tested

Common Criteria Certified SAP Products

(Figure: map of the markets where the Common Criteria certificate is accepted – New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Republic of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France)

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

https://service.sap.com/commoncriteria

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions:
• Compliance and governance: SAP GRC Access Control
• Identity management: SAP NetWeaver Identity Management
• Authentication and single sign-on: SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for the crypto library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers
• No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product – policy-based authentication and authorization for Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO): for legacy systems (FTP, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What Is Enterprise Single Sign-On?

(Figure: after a primary authentication, the E-SSO client – E-SSO monitor and local management console – logs user jack_jones into the application types it supports: terminal emulator, Web form, Web basic authentication, Windows application, Java application)

Secure Login – Solution Architecture

(Figure: client system with the SAP front-ends – NWBC, SAP GUI, and a Web browser with the Secure Login Web Client (SLWC) applet and browser key store – and the Secure Login Client; SAP backend systems with ABAP stack, Secure Login Library and PSE service, reached via DIAG/SNC and HTTP(S); a Secure Login Server on SAP NetWeaver CE 7.2 (Java stack) with its configuration data and an authentication server, e.g. SAP user management; SAP or Java crypto library on the server side)

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Figure: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, and SCM, plus cloud systems, sharing one business process)

Identity Federation – Solution

(Figure: Company A / Datacenter A and Company B / Datacenter B, each with its own Identity Provider and its ERP, CRM, and SCM systems acting as Service Providers (SP), linked by identity federation)

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Figure: an Identity Provider on SAP NetWeaver Java with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java, and non-SAP systems, each with local user accounts; the browser logs on and off at the Identity Provider and presents a SAML token to each Service Provider)

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
• Web browser-based single sign-on is user-centric
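The exchange described above, as an added example that is not part of the original deck and not SAP's SAML implementation: one Identity Provider, two Service Providers, one primary authentication. A JSON document with an HMAC stands in for the XML assertion and its XML-Signature (real SAML 2.0 uses XML-DSig with the IdP's X.509 key pair, and the SP holds only the IdP's certificate); the entity IDs, accounts, keys, and clock values are constructed. The Service Provider side shows the checks an SP has to apply before it maps the NameID to a local account: signature, issuer, audience, validity window, replay, and a matching outstanding request.

```python
"""Model of SAML 2.0 Web Browser SSO (SP-initiated) with one Identity Provider
and two Service Providers. Added example for this page, not SAP's SAML
implementation: a JSON document with an HMAC stands in for the XML assertion
and its XML-Signature, and all entity IDs, accounts and clock values are
constructed."""
import hmac
import json
import secrets
from typing import Dict, Optional


def sign(key: bytes, assertion: dict) -> str:
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


class IdentityProvider:
    def __init__(self, entity_id: str, key: bytes, accounts: Dict[str, str]):
        self.entity_id, self.key, self.accounts = entity_id, key, accounts
        self.sessions: Dict[str, str] = {}          # IdP session cookie -> user

    def logon(self, user: str, password: str) -> Optional[str]:
        """Primary authentication at the IdP; happens once per browser session."""
        if self.accounts.get(user) != password:
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def respond(self, cookie: str, authn_request: dict, now: float) -> Optional[dict]:
        """Answer an AuthnRequest with a signed assertion for that SP only."""
        user = self.sessions.get(cookie)
        if user is None:
            return None                             # browser must log on first
        assertion = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id,
                     "audience": authn_request["issuer"],
                     "in_response_to": authn_request["id"], "name_id": user,
                     "not_before": now, "not_on_or_after": now + 300}
        return {"assertion": assertion, "signature": sign(self.key, assertion)}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes,
                 user_mapping: Dict[str, str]):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.user_mapping = user_mapping            # NameID -> local user account
        self.pending: Dict[str, float] = {}         # outstanding AuthnRequest ids
        self.seen_assertions = set()                # replay cache

    def authn_request(self, now: float) -> dict:
        """Unauthenticated access: redirect the browser to the IdP with this."""
        req = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id, "issue_instant": now}
        self.pending[req["id"]] = now
        return req

    def consume(self, response: dict, now: float) -> str:
        """Validate the response and return the local account, or raise ValueError."""
        a = response["assertion"]
        if not hmac.compare_digest(sign(self.idp_key, a), response["signature"]):
            raise ValueError("bad signature")
        if a["issuer"] != self.idp_entity_id:
            raise ValueError("untrusted issuer")
        if a["audience"] != self.entity_id:
            raise ValueError("assertion issued for another SP")
        if not a["not_before"] <= now < a["not_on_or_after"]:
            raise ValueError("assertion outside validity window")
        if a["id"] in self.seen_assertions:
            raise ValueError("assertion replayed")
        if a["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or unknown request id")
        local = self.user_mapping.get(a["name_id"])
        if local is None:
            raise ValueError("no local account for " + a["name_id"])
        self.seen_assertions.add(a["id"])
        del self.pending[a["in_response_to"]]
        return local


def demo() -> dict:
    """Two SPs, one IdP logon; then three responses an SP must refuse."""
    key = b"idp-signing-key"                        # stands in for the IdP's X.509 key pair
    idp = IdentityProvider("https://idp.example", key, {"jdoe": "pw"})
    erp = ServiceProvider("https://erp.example", idp.entity_id, key, {"jdoe": "JDOE"})
    crm = ServiceProvider("https://crm.example", idp.entity_id, key, {"jdoe": "DOEJ"})
    now = 1_000_000.0
    req = erp.authn_request(now)                    # 1. browser -> ERP -> redirect to IdP
    cookie = idp.logon("jdoe", "pw")                # 2. one primary authentication
    resp = idp.respond(cookie, req, now)            # 3. IdP -> browser -> ERP
    erp_user = erp.consume(resp, now)
    crm_user = crm.consume(idp.respond(cookie, crm.authn_request(now + 10), now + 10), now + 10)

    def rejected(sp, r, t):
        try:
            sp.consume(r, t)
            return None
        except ValueError as e:
            return str(e)

    return {"erp_user": erp_user, "crm_user": crm_user,
            "replay": rejected(erp, resp, now),
            "wrong_audience": rejected(erp, idp.respond(cookie, crm.authn_request(now), now), now),
            "expired": rejected(erp, idp.respond(cookie, erp.authn_request(now), now), now + 600)}
```

The second Service Provider (CRM) gets its user without a second logon because the IdP session cookie is still valid; that is the single sign-on. The user-centric part is the mapping table in each SP: the same NameID lands on different local accounts in ERP and CRM, and an assertion for a NameID the SP does not know is refused rather than auto-created.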

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management

SAP NetWeaver Identity Management (e.g. on-boarding)
• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Figure: Identity Center (IC) database – MS SQL or Oracle DB, soon IBM DB2 – with stored procedures, logs, audit, and Identity Services (IdS); on top of it the Java and VB runtimes, the DSE (VB), the Dispatcher, and the Event Agent started by the Dispatcher; the Virtual Directory Server (VDS) in a Java VM, speaking LDAP; the Identity Management user interface as Web Dynpro on AS Java (UI abstraction), the Identity Services exposed over HTTPS, and a JMX-based MMC Management Console that is soon to be replaced by an Eclipse-based one; connectors to external repositories and applications – LDAP, Java, ABAP, Web services, Active Directory, SAP HR, SiteMinder, and application-specific interfaces)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Figure: the user, the approver, and the compliance team interact with SAP NetWeaver Identity Management, which hands the request to SAP GRC Access Control for risk analysis and provisions the result to the target systems; the steps below are numbered 1 to 6 in the figure)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation by the compliance team
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to the user

Result: compliant identity management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations, and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Figure: SAP GRC 10.0 – Access Control, Process Control & Risk Management (software component GRCFND_A) – runs on SAP NetWeaver AS ABAP 7.02 and connects via RFC to SAP ERP (4.6C – 7.1) through the NW function modules plug-in GRCPINW, the HR function modules, and the PC automated controls plug-in GRCPIERP, and to non-SAP business applications through an adapter; optional components are SAP NW Portal 7.02 with GRC portal content (HTTP), SAP NW BW 7.02 with GRC BI content (RFC), SAP NW Java 7.02 with Adobe Document Services, identity management solutions (SAP or non-SAP) via Web services, and Content Lifecycle Management (CLM); front-end clients are SAP GUI 7.10 (DIAG) or a Web browser (HTTP) with Adobe Flash Player and the SAP CR adapter)

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Figure: an HR event – new hire or change of position – in the HR application triggers identity management to calculate entitlements based on position; the line manager approves the assignments (yes/no); SAP GRC Access Control performs the compliance check and remediation; then users are created and roles/privileges assigned in each system of the heterogeneous landscape)
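The six-step compliant identity management flow of the preceding slides and the HR-event-driven scenario on this one describe the same pipeline, so here is one added example covering both (written for this page, not SAP NetWeaver IdM or GRC Access Control code). An HR event produces a request for the roles a position entitles to, the line manager approves, a segregation-of-duties risk analysis runs over the requested plus already assigned roles, and only a clean or mitigated request is provisioned. The positions, roles, business functions, and the single SoD rule are constructed; a real GRC rule set is much larger but is evaluated the same way, as conflicting function pairs.

```python
"""Model of the compliant identity management flow: an HR event triggers an
access request, the line manager approves, a segregation-of-duties (SoD) risk
analysis runs, and only a clean or mitigated request is provisioned. Added
example for this page, not SAP NetWeaver IdM or GRC Access Control code; the
positions, roles, business functions and SoD rules are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Position -> roles: the rule-based business role assignment.
POSITION_ROLES: Dict[str, List[str]] = {
    "AP_CLERK":   ["ERP:AP_INVOICE_ENTRY"],
    "AP_MANAGER": ["ERP:AP_INVOICE_ENTRY", "ERP:AP_PAYMENT_RUN", "CRM:SALES_VIEW"],
    "SALES_REP":  ["CRM:SALES_VIEW", "CRM:ORDER_ENTRY"],
}
# Role -> business functions it grants (what an SoD rule reasons about).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ERP:AP_INVOICE_ENTRY": {"AP01_ENTER_INVOICE"},
    "ERP:AP_PAYMENT_RUN":   {"AP02_RELEASE_PAYMENT"},
    "CRM:SALES_VIEW":       {"SD01_DISPLAY_ORDER"},
    "CRM:ORDER_ENTRY":      {"SD02_CREATE_ORDER"},
}
# SoD rules: (risk id, function A, function B, rating); A and B must not meet in one user.
SOD_RULES: List[Tuple[str, str, str, str]] = [
    ("P001", "AP01_ENTER_INVOICE", "AP02_RELEASE_PAYMENT", "HIGH"),
]


@dataclass
class AccessRequest:
    user: str
    event: str                        # "NEW_HIRE" or "CHANGE_POSITION"
    position: str
    roles: List[str] = field(default_factory=list)
    approved: Optional[bool] = None
    risks: List[str] = field(default_factory=list)
    mitigations: Dict[str, str] = field(default_factory=dict)
    status: str = "REQUESTED"


def calculate_entitlements(user: str, event: str, position: str) -> AccessRequest:
    """Step 1: the HR event becomes a request for the roles the position entitles to."""
    return AccessRequest(user, event, position, list(POSITION_ROLES[position]))


def manager_approval(req: AccessRequest, decision: bool) -> AccessRequest:
    """Steps 2 and 3: approval by the line manager (or delegate, role or application owner)."""
    req.approved = decision
    req.status = "APPROVED" if decision else "REJECTED"
    return req


def risk_analysis(req: AccessRequest, existing_roles: List[str]) -> List[str]:
    """Step 4: SoD analysis over requested plus already assigned roles."""
    functions: Set[str] = set()
    for role in req.roles + existing_roles:
        functions |= ROLE_FUNCTIONS.get(role, set())
    req.risks = [rid for rid, f1, f2, _ in SOD_RULES if f1 in functions and f2 in functions]
    return req.risks


def remediate(req: AccessRequest, mitigations: Dict[str, str]) -> AccessRequest:
    """Step 5: the compliance team assigns a mitigating control per risk, or rejects."""
    unmitigated = [r for r in req.risks if r not in mitigations]
    if unmitigated:
        req.status = "REJECTED"
    else:
        req.mitigations = {r: mitigations[r] for r in req.risks}
        req.status = "COMPLIANT"
    return req


def provision(req: AccessRequest, systems: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Step 6: create the user / assign roles per target system; returns the mails sent."""
    if req.status != "COMPLIANT":
        return []
    for role in req.roles:
        system, name = role.split(":", 1)
        systems.setdefault(system, {}).setdefault(req.user, set()).add(name)
    req.status = "PROVISIONED"
    return ["approval mail to %s: %s" % (req.user, ", ".join(req.roles))]


def run_flow(user, event, position, existing_roles, approve, mitigations, systems) -> AccessRequest:
    """The whole pipeline; `systems` is the constructed target landscape, mutated in place."""
    req = calculate_entitlements(user, event, position)
    manager_approval(req, approve)
    if not req.approved:
        return req
    risk_analysis(req, existing_roles)
    remediate(req, mitigations)
    provision(req, systems)
    return req
```

Two things the example makes visible that the slides only imply: the risk analysis must include the roles the user already holds, otherwise a conflict split across two requests slips through; and a mitigation is recorded against the request, so the access review later on can find every user who holds a risk only under a compensating control.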

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Figure: the SAP Attack Monitoring Infrastructure – extraction, connectivity, filtering, normalization, and aggregation – receives attack pattern updates by SAP; logs of SAP NetWeaver and of non-SAP NetWeaver systems; desktop front-end and mobile front-end logs; logs of the infrastructure, the database, and the network; IDS logs; and alerts from SAP Solution Manager. It offers an API to other SIEM tools and an information back channel to SAP.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
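The draft names the stages (extraction, filtering, normalization, aggregation) and the attack patterns, but not what they look like on a log line. As an added example, not part of the deck and not SAP's attack monitoring code, the following normalizes two constructed log formats into one event schema and runs one aggregation pattern over the result: a logon brute force seen partly in an application system's audit log and partly in a reverse proxy in front of it. Both line formats are invented for the example (the first is loosely modelled on an audit log with message IDs, the second on a common web server log); they are not the real SAP Security Audit Log or ICM formats, and the threshold and window are this example's choice.

```python
"""Normalize security-relevant log lines from different sources into one
event schema and run an attack pattern over the aggregate. Added example for
this page, not SAP's attack monitoring infrastructure; both input formats
and all log lines are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed application audit lines: <ts> <system> <msgid> user=<u> term=<ip> <text>
NETWEAVER_LOG = """
2013-11-05T09:00:01 ERP AU2 user=JDOE term=10.1.2.3 Logon failed (wrong password)
2013-11-05T09:00:03 ERP AU2 user=ADMIN term=10.1.2.3 Logon failed (wrong password)
2013-11-05T09:00:07 ERP AU1 user=MSMITH term=10.9.9.9 Logon successful
""".strip().splitlines()

# Constructed reverse proxy lines (common log format with a status code).
PROXY_LOG = """
10.1.2.3 - - [05/Nov/2013:09:00:05 +0000] "POST /sap/bc/login HTTP/1.1" 401 512
10.1.2.3 - - [05/Nov/2013:09:00:09 +0000] "POST /sap/bc/login HTTP/1.1" 401 512
10.9.9.9 - - [05/Nov/2013:09:00:11 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12
""".strip().splitlines()

NW_RE = re.compile(r"(?P<ts>\S+) (?P<system>\S+) (?P<msgid>AU\d) user=(?P<user>\S+) "
                   r"term=(?P<src>\S+) (?P<text>.*)")
PROXY_RE = re.compile(r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                      r'(?P<status>\d{3}) \d+')


def extract(nw_lines: List[str], proxy_lines: List[str]) -> List[Dict]:
    """Extraction + normalization: every source becomes the same event dict."""
    events = []
    for line in nw_lines:
        m = NW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "netweaver",
                           "system": m["system"], "src": m["src"], "user": m["user"],
                           "outcome": "failure" if m["msgid"] == "AU2" else "success"})
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append({"ts": ts, "source": "proxy", "system": "PROXY", "src": m["src"],
                           "user": None,
                           "outcome": "failure" if m["status"] == "401" else "success"})
    return sorted(events, key=lambda e: e["ts"])


def filter_noise(events: List[Dict]) -> List[Dict]:
    """Filtering: keep only authentication failures for the pattern below."""
    return [e for e in events if e["outcome"] == "failure"]


def brute_force_pattern(events: List[Dict], threshold: int = 3,
                        window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Aggregation: >= threshold failures from one source across all systems
    within the window give one alert per source (a constructed attack pattern)."""
    by_src = defaultdict(list)
    for e in filter_noise(events):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            j = i + threshold - 1
            if j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                alerts.append({"src": src, "count": len(evs),
                               "systems": sorted({e["system"] for e in evs}),
                               "users": sorted({e["user"] for e in evs if e["user"]})})
                break
    return alerts


if __name__ == "__main__":
    for alert in brute_force_pattern(extract(NETWEAVER_LOG, PROXY_LOG)):
        print("ALERT", alert)
```

The point of the normalization step shows in the result: neither source alone reaches the threshold (two failures each), the aggregate over a shared source address does. That is also the argument for a central infrastructure over per-system analysis, the limitation the slide notes for local SAP NetWeaver systems.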

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO, and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 63: SIS100 - Overview About Product Security, IDM and SSO

LM Automation Standalone Automates Security-Related Configuration and Validation Tasks for Your SAP Systems

• The automation of lifecycle management (LM) activities eases the setup and operation of SAP systems by guiding administrators through configuration and operation tasks.
• Easy-to-use, light-weight tool – short startup time, small memory footprint
• List of configuration tasks provided with the tool LM Automation Standalone 1.0 SP00
  – Each task is available in two flavors: one for ABAP, one for Java application servers
  – SSL Validation: validates configuration settings (such as SAP Cryptographic Library installation) for enabling SSL (HTTPS)
  – SSL Profile Validation: validates parameter settings for secure sessions
  – SSL Maintenance: performs configuration and describes required manual tasks, such as SAP Cryptographic Library installation and profile parameter settings, for enabling SSL (HTTPS)
• For more information, see SAP Note 1532674

Protecting Your SAP Systems

(Diagram: SAP customers are protected through three pillars – Secure Software Development, Security Services, and Security Management)

Secure Custom Development – Secure Design

Secure design
• Authentication and identity propagation
• Secure session handling
• Communication protocols
• Authorization concept
• Logging and audit trace

Resources
• SAP security recommendations
• SAP security guides

How to verify
• Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify
• Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494).

• ABAP Test Cockpit (ATC) – Central place for all check tools, exemption handling, result storage
• Code Inspector (SCI) – Open framework for customers, partners, and SAP to develop code-related checks
• Extended Program Check (SLIN) – Extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis – Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

(Diagram: the testing spectrum from Manual Source Code Review and Automated Source Code Analysis (SAST) to Automated Application Vulnerability Scanning and Manual Application Penetration Testing (DAST))

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources

Code Vulnerability Analysis: Scan, Analyze, and Fix Your Programs

(Diagram: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing)

• DAST: find vulnerabilities in the running application
• SAST: find vulnerabilities by analyzing the sources
• SAP NetWeaver Application Server add-on for code vulnerability analysis
• Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze, and Fix Your Programs
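The data-flow principle behind the source-code scanning described above (track values derived from user input and report when they reach a dangerous sink without passing a sanitizer), as an added Python illustration. It is not SAP's code vulnerability analysis add-on and does not parse ABAP; the source, sink and sanitizer names and the sample program are constructed for this example.

```python
"""Toy taint analysis over Python source: a minimal SAST data-flow check."""
import ast

# Constructed: calls whose return value is attacker-controlled
SOURCES = {"input", "request.args.get", "request.form.get"}
# Constructed: sinks that must not receive unsanitized data, by vulnerability class
SINKS = {
    "cursor.execute": "SQL injection",
    "os.system": "OS command injection",
    "open": "directory traversal",
    "eval": "code injection",
}
# Constructed: functions whose return value is considered clean
SANITIZERS = {"int", "quote_identifier", "secure_filename"}


def _name(node):
    """Dotted name of a call target, e.g. 'cursor.execute'; None if not a name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintScanner(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line, sink, vulnerability class)

    def is_tainted(self, node):
        """A value is tainted if untrusted data flows into it, unless it went
        through a sanitizer call (which is treated as a clean boundary)."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            fn = _name(node.func)
            if fn in SANITIZERS:
                return False
            if fn in SOURCES:
                return True
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):          # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):              # "..." + user, "%s" % user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # clean reassignment
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = _name(node.func)
        if fn in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, fn, SINKS[fn]))
        self.generic_visit(node)


def scan(source):
    """Return findings as (line, sink, vulnerability class) for the source text."""
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample program: two unsafe flows and two properly handled ones
SAMPLE = '''
user = request.args.get("user")
cursor.execute("SELECT * FROM t WHERE name = '" + user + "'")
uid = int(request.args.get("id"))
cursor.execute("SELECT * FROM t WHERE id = %s" % uid)
fname = request.form.get("f")
open("/var/data/" + fname)
safe = secure_filename(request.form.get("f"))
open("/var/data/" + safe)
'''

if __name__ == "__main__":
    for line, sink, kind in scan(SAMPLE):
        print(f"line {line}: {kind} via {sink}")
```

Only the two flows that reach a sink without a sanitizer are reported; the `int()` and `secure_filename()` paths are treated as clean, which is exactly the judgement a real scanner must get right to avoid false negatives and false positives.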

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

• You have found a security vulnerability in an SAP product. What to do? Open a customer message.
• How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).
• You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for
  – spotlight news
  – check of the security notes released on the Security Patch Days
  – subscription to the SAP support portal newsletter
  – maintenance of a security contact in your organization
• You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java / Portal         ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested, and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified, designed, and tested
EAL 7 – Formally verified, designed, and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

• The SAP NetWeaver Application Server forms the security foundation for most SAP implementations
• Certified products
  – SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
  – SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On – Single Sign-On, Password Manager
• Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
• Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2 hr)

Compliant Identity Management and Single Sign-On

• Compliance and Governance – SAP GRC Access Control
• Identity Management – SAP NetWeaver Identity Management
• Authentication and Single Sign-On – SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management, and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA Certification
• Coming with version 2.0
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• (No single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner API) – Endorsed Business Solution (EBS) with CA SiteMinder product: policy-based authentication and authorization to Web applications, XACML-based and policy-enforced access
• Identity Federation – Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on
• Secure Login – Single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On – Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
• SNC Client Encryption – Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: user jack_jones performs one primary authentication to E-SSO; the E-SSO monitor and local management console then automate the logon to a terminal emulator, a web form, web basic authentication, a Windows application, and a Java application)

Secure Login – Solution Architecture

(Diagram: Client system with SAP frontend (NWBC, SAP GUI), Secure Login Client, web browser with SLWC (applet) and key store, and SAP or Java Crypto Library. SAP backend system with ABAP stack (Secure Login Library) and Java stack on NetWeaver CE 7.2 (Secure Login Server, PSE service, config data, Secure Login Lib). Further backend systems and an authentication server (e.g. SAP User Management). Protocols shown: DIAG, SNC, HTTP(S).)

SAP NetWeaver Single Sign-On – Identity Federation
• Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

(Diagram: Company A with Datacenter A and Company B with Datacenter B, each running ERP, CRM, SCM and further systems, plus systems in the cloud)

Identity Federation – Solution

(Diagram: Company A / Datacenter A and Company B / Datacenter B, each with ERP, CRM, SCM behind Service Providers (SP) and with its own Identity Provider; the two Identity Providers are linked by identity federation)

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: SAP NetWeaver Java Identity Provider with user account; SAP NetWeaver ABAP, SAP NetWeaver Java, and non-SAP Service Providers, each with a user account; log on / log off; SAML token)

• Landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web Browser-based single sign-on is user-centric
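The flow on this slide (redirect to the Identity Provider, authenticate once, then reach every Service Provider without re-authentication), as an added Python simulation that is not SAP NetWeaver code; it also shows the checks a Service Provider performs before trusting an assertion (signature, issuer, audience, request binding, validity window). Messages are plain dicts and an HMAC stands in for the XML signature of real SAML 2.0 responses; the entity IDs, cookie, user password and signing key are constructed.

```python
"""Web browser SSO simulation: one IdP, two SPs, one user session."""
import hashlib, hmac, json, secrets, time

# Constructed shared secret; a real IdP signs with its X.509 private key
IDP_KEY = b"constructed-idp-signing-key"


def sign(assertion, key):
    """HMAC over the canonical assertion (stand-in for XML-DSig)."""
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, key, users):
        self.key, self.users = key, users
        self.sessions = {}   # browser cookie -> authenticated user
        self.logins = 0      # number of password checks performed

    def handle_authn_request(self, request, cookie, credentials=None):
        """Authenticate the browser once, then issue a signed assertion
        scoped to the Service Provider that sent the request."""
        user = self.sessions.get(cookie)
        if user is None:
            if credentials is None:
                return None, "redirect to login form"
            username, password = credentials
            self.logins += 1
            if self.users.get(username) != password:
                return None, "authentication failed"
            user = username
            self.sessions[cookie] = user
        now = time.time()
        assertion = {
            "subject": user,
            "issuer": "idp.example",            # constructed entity ID
            "audience": request["issuer"],      # AudienceRestriction
            "in_response_to": request["id"],    # binds response to the request
            "not_before": now - 60,             # clock-skew tolerance
            "not_on_or_after": now + 300,
        }
        return {"assertion": assertion, "signature": sign(assertion, self.key)}, "ok"


class ServiceProvider:
    def __init__(self, entity_id, idp_key, trusted_issuer="idp.example"):
        self.entity_id = entity_id
        self.idp_key = idp_key
        self.trusted_issuer = trusted_issuer
        self.pending = {}    # outstanding AuthnRequest IDs
        self.sessions = {}   # local sessions created from accepted assertions

    def authn_request(self):
        """Start SP-initiated SSO: the browser is redirected to the IdP with this."""
        rid = secrets.token_hex(8)
        self.pending[rid] = time.time()
        return {"id": rid, "issuer": self.entity_id}

    def consume(self, response):
        """Validate the IdP response; return (accepted, reason)."""
        a, sig = response["assertion"], response["signature"]
        if not hmac.compare_digest(sign(a, self.idp_key), sig):
            return False, "bad signature"
        if a["issuer"] != self.trusted_issuer:
            return False, "untrusted issuer"
        if a["audience"] != self.entity_id:
            return False, "assertion meant for another SP"
        if a["in_response_to"] not in self.pending:
            return False, "unsolicited or replayed response"
        now = time.time()
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return False, "assertion outside validity window"
        del self.pending[a["in_response_to"]]   # each request is answered once
        self.sessions[a["subject"]] = True
        return True, "ok"


def demo():
    """One browser, one IdP, two SPs: returns (first, second, replay, logins)."""
    idp = IdentityProvider(IDP_KEY, {"jack_jones": "constructed-pw"})
    sp_abap = ServiceProvider("sp-abap.example", IDP_KEY)
    sp_java = ServiceProvider("sp-java.example", IDP_KEY)
    cookie = "browser-cookie-1"
    # First system: no IdP session yet, so the user is sent to the login form
    req = sp_abap.authn_request()
    resp, status = idp.handle_authn_request(req, cookie)
    assert resp is None and status == "redirect to login form"
    resp, _ = idp.handle_authn_request(req, cookie, ("jack_jones", "constructed-pw"))
    first = sp_abap.consume(resp)
    # Second system: the IdP session exists, so no re-authentication is needed
    req2 = sp_java.authn_request()
    resp2, _ = idp.handle_authn_request(req2, cookie)
    second = sp_java.consume(resp2)
    # The first response presented to the other SP fails the audience check
    replay = sp_java.consume(resp)
    return first, second, replay, idp.logins


if __name__ == "__main__":
    print(demo())
```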

SAP NetWeaver Identity Management
• Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
• Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
• Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
• Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
• Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management with a Central Identity Store, fed by events such as on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite)

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram: Identity Center with IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), a Dispatcher that starts the runtimes (Java, VB), the DSE (VB) and an Event Agent; Virtual Directory Server (VDS, running in a Java VM) connecting via LDAP, database protocol, Java, ABAP, and web services to external repositories such as Active Directory; external applications such as SAP HR and SiteMinder connected via LDAP, web services, or app-specific connectors; AS Java with the Web Dynpro identity management UI (UI abstraction, JMX) reached over HTTPS; MMC Management Console, soon to be Eclipse-based)

Compliant Identity Management with SAP GRC Access Control
• Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Sequence of diagrams showing the request flow between User, Approver, Compliance Team, SAP NetWeaver Identity Management, and SAP GRC Access Control)

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (Compliance Team, SAP GRC Access Control)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • Non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management – Centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data – Manage user privileges centrally
• Single Sign-On – Automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity – Simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification – Define and understand access risks
• Access Analysis and Response – Analyze and mitigate access risks
• Access Reviews – Periodic reviews of assignments, risk violations, and controls
• Centralized Compliant Role Repository – Define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Diagram: SAP NetWeaver AS ABAP 7.02 hosting SAP GRC 10.0 – AC, PC & RM (software component GRCFND_A) and Content Lifecycle Management (CLM). Optional components: SAP NW Portal 7.02 with GRC Portal Content, SAP NW BW 7.02 with GRC BI Content, SAP NW Java 7.02 with Adobe Document Services, and Identity Management solutions (SAP or non-SAP). Connected systems: SAP ERP (4.6C – 7.1) with NW Function Modules (plug-in GRCPINW), HR Function Modules, and PC Automated Controls (plug-in GRCPIERP); non-SAP business applications via adapter. Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports). Protocols shown: http, web services, RFC, DIAG.)

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Flow diagram: HR Application (New Hire, Change Position) → Identity Management: Calculate Entitlements Based on Position → Line Manager: Approve Assignments (Yes / No) → SAP GRC Access Control: Compliance Check, Remediation → Create User, Assign Roles / Assign Privileges across the Heterogeneous Landscape)

Moving Security to the Next Level – Planned Features and Developments
• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Diagram: the SAP Attack Monitoring Infrastructure with the processing stages Connectivity, Extraction, Filtering, Normalization, and Aggregation. Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; logs of network IDS; alerts from SAP SolMan. Outputs: API to other SIEM tools; information back channel to SAP.)

• Limited analysis possibilities on local SAP NetWeaver systems have to be discussed

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: identity management, SSO, and the integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


Page 64: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 64

Protecting Your SAP Systems

SAP Customers

Secure Software

Development

Secure Software

Development

Secure Software

Development

Security Services Security Management

copy 2013 SAP AG or an SAP affiliate company All rights reserved 65

Secure Custom Development ndash Secure Design

Secure design

Authentication and identity propagation

Secure session handling

Communication protocols

Authorization concept

Logging and audit trace

Resources

SAP security recommendations

SAP security guides

How to verify

Design review architectural risk analysis

copy 2013 SAP AG or an SAP affiliate company All rights reserved 66

Secure Custom Development ndash Secure Programming

Secure programming - avoid security bugs

Cross-site scripting (XSS)

Cross-site request forgery (XSRF)

SQL injection

Directory traversal

ABAP code injection

Resources

SAP Secure Programming Guides

SAP Security Recommendations

How to verify

Source code scanning ndash automate it

copy 2013 SAP AG or an SAP affiliate company All rights reserved 67

Overview of SAP Code Check Tools (Topic Source Code Scan)

SAP recommends customers and partner to do security code scans (among

other measures) for custom developed code (see note 1697494)

ABAP Test Cockpit (ATC)

Central place for all check tools exemption handling result storage

Code Inspector (SCI)

Open framework for customers partners and SAP to develop code related checks

Extended Program Check (SLIN)

Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis

Code checks for security vulnerabilities Main focus of the tool is to analyze the data flow and the user input

Session SIS261 ndash Your Way to Secure ABAP CodendashScan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security Testing in terms of dynamic application security testing (DAST) and static application

security testing (SAST) are measures to improve code quality and security

Neither DAST nor SAST are a guarantee to find all security issues in an application

Manual Source Code

Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application

Penetration Testing

DAST find vulnerabilities in the

running application SAST find vulnerabilities

analyzing the sources

copy 2013 SAP AG or an SAP affiliate company All rights reserved 69

Code Vulnerability Analysis Scan Analyze and Fix Your Programs

Manual Source Code Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application Penetration

Testing

DAST

Find vulnerabilities in the

running application

SAST

Find vulnerabilities analyzing

the sources

SAP NetWeaver Application Server add-on

for code vulnerability analysis

Finding security issues at design time is easier and less

expensive

Session SIS261 ndash Your Way to Secure ABAP Code ndash Scan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 70

Stay Informed and Report Issues

Security-related news from SAP (patches whitepapers etc)

Subscribe to the SAP Support Portal Newsletter Spotlight News My

SAP HotNews My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who get

ad-hoc SAP Product Security Notifications

ndash Send out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support send an email to securesapcom

ndash Please use PGP for email encryption

ndash Public PGP key is linked at httpsservicesapcomsecuritynotes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 71

Security Response SAP

You have found a Security Vulnerability in a SAP product

What to do Open a customer message

How does SAP provide a fix when a security vulnerability was found

SAP releases all fixes to security vulnerabilities together on the monthly

security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response

practices in general

Goto the SAP Service Marketplace for spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response

using quick link lsquosecuritynotesrsquo on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products
SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

https://service.sap.com/commoncriteria

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (Hands-On, 2 hr)

Compliant Identity Management and Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions:

Compliance and Governance             SAP GRC Access Control
Identity Management                   SAP NetWeaver Identity Management
Authentication and Single Sign-On     SAP NetWeaver Single Sign-On

Compliant Identity Management and Single Sign-On

Single sign-on
SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
Microsoft Active Directory Server
Microsoft Certificate Store

Advanced SNC encryption
Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
Smart cards
RADIUS

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
User and role management
Provisioning to SAP and non-SAP systems
Identity Center
Virtual Directory Server
Identity Services
Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
Identity federation
Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
Digital signatures
Re-authentication
Advanced encryption of SAP GUI for Windows communication
Strong authentication (RADIUS, smart cards)
RSA certification
Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP), FIPS 140-2 certification for the crypto library

SNC Client Encryption
Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

Secure Login
Single sign-on for Web-based and Web service-based applications
Standards-based single sign-on for SAP GUI (Kerberos, X.509)
Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet)
Secured and automated login via user and password

Identity Federation
Web-based and Web service-based authentication
Single sign-on and identity federation via SAML 2.0
Cross-company, cross-domain single sign-on

SNC Client Encryption
Basic encryption between SAP Windows clients and SAP application servers
No single sign-on

Web Access Management (partner, API)
Endorsed Business Solution (EBS) with the CA SiteMinder product
Policy-based authentication and authorization to Web applications
XACML-based and policy-enforced access

EBS CA SiteMinder®
Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
Dynamic authorization (SAP NetWeaver Java and non-SAP)
Dynamic authentication (SAP NetWeaver Java and non-SAP)
Social networking authentication (Facebook, Google, etc.)
Cross-application and cross-domain session management
Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
User-to-application security for a heterogeneous application environment
No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

(Diagram: the user jack_jones performs one primary authentication to E-SSO; the E-SSO Monitor and the Local Management Console then log him on to a terminal emulator, a web form, an HTTP Basic prompt, a Windows application and a Java application.)

Secure Login – Solution Architecture

(Diagram: on the client system, the SAP front end (NWBC, SAP GUI) and the web browser use the Secure Login Client, or the Secure Login Web Client (SLWC) applet with its key store, backed by the SAP or Java Crypto Library. The Secure Login Server runs on SAP NetWeaver CE 7.2 (Java stack) with its configuration data and PSE service and authenticates users against an authentication server (e.g. SAP User Management). The SAP back-end systems (ABAP stack) load the Secure Login Library. Protocols: DIAG/SNC to the ABAP back ends, HTTP(S) to the Secure Login Server.)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies, one business process, separated IT infrastructure

(Diagram: Company A in Datacenter A and Company B in Datacenter B each run ERP, CRM, SCM and further systems, plus cloud services, all taking part in one business process.)

Identity Federation – Solution

(Diagram: Company A in Datacenter A and Company B in Datacenter B each run their own Identity Provider; their ERP, CRM and SCM systems act as Service Providers (SP); the two Identity Providers are linked by identity federation.)

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

(Diagram: an Identity Provider on SAP NetWeaver Java holding the user account issues SAML tokens on log on/log off to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with its own user account.)

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system are redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
Web browser-based single sign-on is user-centric
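The redirect flow above ends with the Service Provider consuming a SAML Response. The following added example (Python, written for this page; it is neither SAP code nor the SAP NetWeaver Single Sign-On implementation) shows the checks a Service Provider must still make on that Response after its XML signature has been verified by a proper XML-DSig library: Destination, InResponseTo, Issuer, the validity window with clock skew, AudienceRestriction and assertion-ID replay. The entity IDs and URLs, the sample Response, the 60-second skew and the omission of the signature element are assumptions made for the example.

```python
"""Service-Provider-side checks on a SAML 2.0 Response (added example, not SAP code).

Assumed: the XML signature over the Response/Assertion was already verified against
the Identity Provider's certificate by an XML-DSig library. The checks below are the
ones that must still follow a valid signature before the user is logged on.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP = "https://idp.example.com/saml2"   # assumed trusted IdP entityID


def parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2013-10-22T10:15:30Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    """Minimal SP state: own identifiers, the trusted IdP, and anti-replay memory."""

    def __init__(self, entity_id, acs_url, idp_entity_id, skew_seconds=60):
        self.entity_id = entity_id          # our entityID, expected in <Audience>
        self.acs_url = acs_url              # our AssertionConsumerService URL
        self.idp_entity_id = idp_entity_id  # the only <Issuer> we accept
        self.skew = timedelta(seconds=skew_seconds)
        self.pending_requests = set()       # AuthnRequest IDs we issued and not yet consumed
        self.seen_assertions = set()        # assertion IDs already accepted

    def validate(self, response_xml, now):
        """Return the authenticated NameID, or raise ValueError naming the failed check."""
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % NS["samlp"]:
            raise ValueError("not a samlp:Response")
        if root.get("Destination") != self.acs_url:   # response bound to our endpoint
            raise ValueError("Destination mismatch")
        req_id = root.get("InResponseTo")             # must answer a request we issued; consumed once
        if req_id not in self.pending_requests:
            raise ValueError("InResponseTo does not match a pending request")
        self.pending_requests.discard(req_id)
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            raise ValueError("IdP did not report Success")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("no Assertion")
        if assertion.findtext("saml:Issuer", "", NS) != self.idp_entity_id:
            raise ValueError("untrusted Issuer")
        conditions = assertion.find("saml:Conditions", NS)
        if conditions is None:
            raise ValueError("no Conditions")
        nb, nooa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and now < parse_time(nb) - self.skew:        # small clock skew tolerated
            raise ValueError("assertion not yet valid")
        if nooa and now >= parse_time(nooa) + self.skew:
            raise ValueError("assertion expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:                # assertion addressed to another SP
            raise ValueError("audience restriction does not include this SP")
        if assertion.get("ID") in self.seen_assertions:    # same assertion presented twice
            raise ValueError("assertion replayed")
        name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS)
        if not name_id:
            raise ValueError("no NameID")
        self.seen_assertions.add(assertion.get("ID"))
        return name_id


# Constructed sample Response (not captured from any landscape); ds:Signature is omitted
# because signature verification is assumed to have happened before validate() is called.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2013-10-22T10:15:30Z" Destination="https://sp.example.com/saml2/acs" InResponseTo="_q1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-10-22T10:15:30Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    <saml:Subject><saml:NameID>jack_jones</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-10-22T10:15:00Z" NotOnOrAfter="2013-10-22T10:20:30Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def armed_sp(entity_id="https://sp.example.com/saml2"):
    sp = ServiceProvider(entity_id, "https://sp.example.com/saml2/acs", IDP)
    sp.pending_requests.add("_q1")   # the SP issued AuthnRequest _q1 earlier in the redirect flow
    return sp


def outcome(sp, when):
    try:
        return sp.validate(SAMPLE_RESPONSE, when)
    except ValueError as err:
        return str(err)


def demo():
    """Accept the sample once, then show replay, expiry and wrong audience being refused."""
    t = datetime(2013, 10, 22, 10, 16, 0, tzinfo=timezone.utc)
    sp = armed_sp()
    results = {"first": outcome(sp, t)}
    sp.pending_requests.add("_q1")   # re-arm the request check so only the assertion-replay check can fail
    results["replay"] = outcome(sp, t)
    results["expired"] = outcome(armed_sp(), t + timedelta(hours=1))
    results["wrong_audience"] = outcome(armed_sp("https://other-sp.example.com"), t)
    return results


if __name__ == "__main__":
    print(demo())
```

The InResponseTo and assertion-ID sets are kept in memory here; in a clustered SP they must live in shared storage, otherwise a Response can be replayed against a different node.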

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-On, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-On, 2 hr)

SAP NetWeaver Identity Management

(Diagram: SAP NetWeaver Identity Management around a Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.)

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

(Diagram: the Identity Center (IC) database, either MS SQL Server or Oracle DB, soon IBM DB2, holds stored procedures, logs, audit data and the Identity Store (IdS). The Dispatcher starts the Java and VB runtimes, the DSE (VB) and the Event Agent, which reach external repositories (AS Java, VDS, LDAP, Java, ABAP, Web services, Active Directory, etc.) over the database protocol and application-specific connectors. External applications (SAP HR, LDAP, Web services, SiteMinder, etc.) connect through the Virtual Directory Server (VDS, Java VM, LDAP). The user interface is Web Dynpro on AS Java (ID Mgmt UI abstraction, HTTPS); administration uses an MMC-based Management Console (JMX), soon to be Eclipse-based.)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

(Diagram, built up over slides 91 to 97: a User submits a request in SAP NetWeaver Identity Management; it passes through an Approver and the Compliance Team in SAP GRC Access Control before anything is provisioned.)

1. Request for: role, privileges, user account, …
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Send for risk analysis to: manager, delegate, role owner, application owner, …
5. Risk analysis and remediation: reject, approve, mitigate, modify request, …
6. Provision to business applications, non-SAP systems, …, and send approval mail to the user

Result: compliant identity management
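Steps 4 to 6 above are where SAP GRC Access Control decides whether the request may be provisioned. The following added example (Python, written for this page; not GRC Access Control's rule engine or any SAP code) models that decision: roles map to business functions, segregation-of-duties (SoD) rules name conflicting function pairs, and the analysis runs over the user's existing plus requested roles, since the risk usually comes from the combination. An open risk rejects the request unless a mitigating control is assigned to the user for it, and a helper proposes which requested role to drop ("modify request"). Role names, functions, risk IDs and the control ID are constructed for the example.

```python
"""Segregation-of-duties risk analysis for an access request (added example, not SAP GRC code)."""
from dataclasses import dataclass, field

# Constructed sample data: role -> business functions (names are illustrative, not real SAP roles)
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE_ENTRY": {"AP01 Enter vendor invoice"},
    "Z_AP_PAYMENT_RUN": {"AP02 Execute payment run"},
    "Z_VENDOR_MASTER": {"MM01 Maintain vendor master"},
    "Z_AP_DISPLAY": {"AP90 Display vendor invoices"},
}

# SoD rules: (risk id, function A, function B, risk level); holding both functions is the risk
SOD_RULES = [
    ("P001", "AP01 Enter vendor invoice", "AP02 Execute payment run", "High"),
    ("P002", "MM01 Maintain vendor master", "AP02 Execute payment run", "High"),
]


@dataclass
class AccessRequest:
    user: str
    existing_roles: set
    requested_roles: set
    # risk id -> mitigating control already assigned to this user (constructed IDs)
    mitigating_controls: dict = field(default_factory=dict)


def analyze_risks(request):
    """SoD risks the user would hold after provisioning (existing + requested roles)."""
    roles = request.existing_roles | request.requested_roles
    functions = set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))
    return [rule for rule in SOD_RULES if rule[1] in functions and rule[2] in functions]


def decide(request):
    """Step 5: approve, mitigate or reject; only approve/mitigate lead to provisioning."""
    risks = analyze_risks(request)
    if not risks:
        return {"decision": "approve", "risks": [], "provision": sorted(request.requested_roles)}
    unmitigated = [r[0] for r in risks if r[0] not in request.mitigating_controls]
    if unmitigated:  # a High risk without a control blocks the whole request
        return {"decision": "reject", "risks": unmitigated, "provision": []}
    return {"decision": "mitigate",
            "risks": [r[0] for r in risks],
            "controls": [request.mitigating_controls[r[0]] for r in risks],
            "provision": sorted(request.requested_roles)}


def suggest_modification(request):
    """Step 5 'modify request': requested roles whose removal makes the rest of the request risk-free."""
    droppable = []
    for role in sorted(request.requested_roles):
        trimmed = AccessRequest(request.user, request.existing_roles, request.requested_roles - {role})
        if not analyze_risks(trimmed):
            droppable.append(role)
    return droppable


def demo():
    # A clerk who already enters invoices asks for the payment run: the classic P001 conflict
    req = AccessRequest("jack_jones", {"Z_AP_INVOICE_ENTRY"}, {"Z_AP_PAYMENT_RUN", "Z_AP_DISPLAY"})
    # The same request after the compliance team assigned a mitigating control for P001
    mitigated = AccessRequest("jack_jones", {"Z_AP_INVOICE_ENTRY"}, {"Z_AP_PAYMENT_RUN", "Z_AP_DISPLAY"},
                              {"P001": "MC-AP-007"})
    return {"rejected": decide(req), "mitigated": decide(mitigated), "drop": suggest_modification(req)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that the analysis deliberately looks at the combined role set: evaluating only the requested roles would approve the payment-run role for a user who already enters invoices.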


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management: centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data: manage user privileges centrally
Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control
Access Risk Identification: define and understand access risks
Access Analysis and Response: analyze and mitigate access risks
Access Reviews: periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

(Diagram: SAP GRC 10.0 (AC, PC & RM, software component GRCFND_A) runs on SAP NetWeaver AS ABAP 7.02. Plug-ins in the managed systems: NW function modules (GRCPINW) and HR function modules / PC automated controls (GRCPIERP) in SAP ERP 4.6C – 7.1, reached via RFC; non-SAP business applications via an adapter. Optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, Content Lifecycle Management (CLM), and identity management solutions (SAP or non-SAP) connected via HTTP/Web services. Front-end client: SAP GUI 7.10 or a web browser with Adobe Flash Player and the SAP CR Adapter; protocols DIAG, HTTP and RFC.)

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

(Flow diagram: HR Application – new hire or change of position → Identity Management calculates entitlements based on position → Line Manager approves the assignments (Yes/No) and SAP GRC Access Control runs the compliance check and remediation → create user and assign roles/privileges in each system of the heterogeneous landscape.)

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCON (Unified Connectivity)

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

(Diagram: log sources – logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop front end, mobile front end, logs of infrastructure, logs of the database, network IDS logs, alerts from SAP Solution Manager – feed the SAP Attack Monitoring Infrastructure through connectivity, extraction, filtering, normalization and aggregation stages; attack patterns are updated by SAP, with an information back channel to SAP and an API to other SIEM tools.)

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
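The draft above names the stages of the planned infrastructure: connectivity, extraction, filtering, normalization, aggregation and SAP-supplied attack patterns. The following added example (Python, written for this page; it is not SAP code and not the planned product) runs those stages over constructed log lines: a pipe-separated export of the SAP Security Audit Log (the export format is assumed; AU1 for "logon successful" and AU2 for "logon failed" are the Security Audit Log message IDs) and standard OpenSSH sshd messages are normalized into one event type, records that are not logons are filtered out, and one attack pattern, repeated failed logons from one origin followed by a success, is evaluated with a sliding window. Host names, user names, terminal IDs and addresses are constructed.

```python
"""Normalization and attack-pattern matching over constructed logon logs (added example, not SAP code)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    source: str   # which log the event came from
    user: str     # normalized to lower case so SAP and OS accounts compare alike
    origin: str   # terminal ID or IP address
    success: bool


# Assumed pipe-separated export of the SAP Security Audit Log: "time|message id|user|terminal|text"
SAL_LINE = re.compile(r"^(\S+ \S+)\|(AU1|AU2)\|(\w+)\|(\S+)\|")
# Standard OpenSSH authentication messages (syslog timestamps carry no year)
SSHD_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"(Failed|Accepted) \w+ for (?:invalid user )?(\w+) from (\S+)")


def normalize(line, year=2013):
    """Extraction + normalization: map one raw line to a LogonEvent, or None to filter it out."""
    m = SAL_LINE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return LogonEvent(ts, "sap", m.group(3).lower(), m.group(4), m.group(2) == "AU1")
    m = SSHD_LINE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return LogonEvent(ts, "sshd", m.group(3).lower(), m.group(4), m.group(2) == "Accepted")
    return None


def detect_guessing_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Attack pattern: >= threshold failed logons for one user from one origin, then a success inside the window."""
    recent = defaultdict(deque)   # (user, origin) -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        fails = recent[(ev.user, ev.origin)]
        while fails and ev.ts - fails[0] > window:   # aggregation: slide the window forward
            fails.popleft()
        if ev.success:
            if len(fails) >= threshold:
                alerts.append({"pattern": "password guessing followed by successful logon",
                               "source": ev.source, "user": ev.user, "origin": ev.origin,
                               "failures": len(fails), "at": ev.ts.isoformat()})
            fails.clear()
        else:
            fails.append(ev.ts)
    return alerts


# Constructed sample lines (not from a real system); the AU3 line is a transaction start and is filtered out
SAMPLE_LOG = """\
2013-10-22 10:15:01|AU2|JACK_JONES|TERM-4711|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:09|AU2|JACK_JONES|TERM-4711|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:17|AU2|JACK_JONES|TERM-4711|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:26|AU2|JACK_JONES|TERM-4711|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:33|AU2|JACK_JONES|TERM-4711|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:40|AU2|MARIA|TERM-0815|Logon failed (reason=1, type=A, method=P)
2013-10-22 10:15:48|AU1|MARIA|TERM-0815|Logon successful (type=A, method=P)
2013-10-22 10:15:55|AU3|JACK_JONES|TERM-4711|Transaction SE38 started
2013-10-22 10:16:02|AU1|JACK_JONES|TERM-4711|Logon successful (type=A, method=P)
Oct 22 10:15:03 sapapp01 sshd[2211]: Failed password for root from 10.0.0.5 port 5022 ssh2
Oct 22 10:15:05 sapapp01 sshd[2214]: Failed password for root from 10.0.0.5 port 5023 ssh2
Oct 22 10:15:07 sapapp01 sshd[2219]: Failed password for invalid user admin from 10.0.0.5 port 5024 ssh2
Oct 22 10:16:30 sapapp01 sshd[2250]: Accepted publickey for deploy from 10.0.0.9 port 6001 ssh2
"""


def run_pipeline(raw_log=SAMPLE_LOG):
    """Connectivity (here: an in-memory string) -> normalize/filter -> pattern matching."""
    events = [ev for ev in (normalize(line) for line in raw_log.splitlines()) if ev]
    return {"events": len(events), "alerts": detect_guessing_then_success(events)}


if __name__ == "__main__":
    print(run_pipeline())
```

A single typo-prone user (MARIA) and the sshd brute force without a subsequent success produce no alert; only the sequence of five failures and a success from TERM-4711 does, which is the behaviour a pattern of this kind should have to keep the alert volume useful.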


Summary – Key Take-Aways

SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
SAP leads the industry by helping our customers thrive in today's business networks

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration: SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.
Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Secure Custom Development – Secure Design

Secure design
Authentication and identity propagation
Secure session handling
Communication protocols
Authorization concept
Logging and audit trace

Resources
SAP security recommendations
SAP security guides

How to verify
Design review, architectural risk analysis

Secure Custom Development – Secure Programming

Secure programming – avoid security bugs
Cross-site scripting (XSS)
Cross-site request forgery (XSRF)
SQL injection
Directory traversal
ABAP code injection

Resources
SAP Secure Programming Guides
SAP Security Recommendations

How to verify
Source code scanning – automate it

Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see SAP Note 1697494)

ABAP Test Cockpit (ATC)
Central place for all check tools, exemption handling, result storage

Code Inspector (SCI)
Open framework for customers, partners and SAP to develop code-related checks

Extended Program Check (SLIN)
Extended program check which analyzes the source code

SAP NetWeaver Application Server add-on for code vulnerability analysis
Code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
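The secure-programming bug classes listed two slides earlier and the data-flow focus of the code vulnerability analysis add-on described above meet in the following added example (Python, written for this page; it is not Code Inspector, ATC or the SAP add-on, and it is far simpler than any of them). A line-oriented taint tracker runs over three constructed ABAP snippets: PARAMETERS and GET PARAMETER values are marked as user input, the taint follows assignments and CONCATENATE, values routed through the real class CL_ABAP_DYN_PRG are treated as sanitized, and a finding is reported when a tainted variable reaches a dynamic WHERE clause, OPEN DATASET, INSERT REPORT or GENERATE SUBROUTINE POOL. The snippets, variable names, the sanitizer rule and the sink list are constructed for the example; multi-line statements, structures and field symbols are not handled.

```python
"""Toy taint analysis over ABAP source (added example, not SAP's code vulnerability analysis).

Tracks user-controlled values from input statements to dangerous statements line by line.
It does not parse ABAP: statements spanning several lines, structures, field symbols and
method calls other than the CL_ABAP_DYN_PRG sanitizers are not understood.
"""
import re

# Sources: statements that place user input into a variable (group 1)
SOURCES = [
    re.compile(r"^\s*PARAMETERS?\s+(\w+)", re.I),
    re.compile(r"^\s*GET\s+PARAMETER\s+ID\s+\S+\s+FIELD\s+(\w+)", re.I),
]
# Sinks: (finding category, pattern whose group 1 is the variable consumed by the dangerous statement)
SINKS = [
    ("ABAP code injection", re.compile(r"\bGENERATE\s+SUBROUTINE\s+POOL\s+(\w+)", re.I)),
    ("ABAP code injection", re.compile(r"\bINSERT\s+REPORT\s+\S+\s+FROM\s+(\w+)", re.I)),
    ("SQL injection (dynamic WHERE)", re.compile(r"\bWHERE\s+\(\s*(\w+)\s*\)", re.I)),
    ("Directory traversal", re.compile(r"\bOPEN\s+DATASET\s+(\w+)", re.I)),
]
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)\.\s*$")
CONCAT = re.compile(r"^\s*CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
# Assumed sanitizer rule: anything routed through CL_ABAP_DYN_PRG (quote, escape, whitelist checks)
SANITIZER = re.compile(r"cl_abap_dyn_prg=>", re.I)
LITERAL = re.compile(r"'(?:[^']|'')*'|`[^`]*`")   # ABAP text literals, '' escapes a quote
IDENT = re.compile(r"\w+")


def identifiers(expr):
    """Identifier tokens of an expression with string literals removed first."""
    return {tok.lower() for tok in IDENT.findall(LITERAL.sub(" ", expr))}


def _propagate(tainted, target, expr):
    """Taint target if expr reads a tainted value and is not sanitized; otherwise clear it."""
    target = target.lower()
    if SANITIZER.search(expr):
        tainted.pop(target, None)
        return
    origins = [tainted[name] for name in sorted(identifiers(expr)) if name in tainted]
    if origins:
        tainted[target] = origins[0]
    else:
        tainted.pop(target, None)


def analyze(source):
    """Return findings as (line number, category, sink variable) for one ABAP program."""
    tainted = {}    # variable name -> description of where its taint came from
    findings = []
    for lineno, line in enumerate(source.strip().splitlines(), 1):
        if line.lstrip().startswith(("*", '"')):
            continue   # comment line
        for pat in SOURCES:
            m = pat.match(line)
            if m:
                tainted[m.group(1).lower()] = f"{m.group(1)} (user input, line {lineno})"
        m = CONCAT.match(line)
        if m:
            _propagate(tainted, m.group(2), m.group(1))
        m = ASSIGN.match(line)
        if m:
            _propagate(tainted, m.group(1), m.group(2))
        for category, pat in SINKS:
            m = pat.search(line)
            if m and m.group(1).lower() in tainted:
                findings.append((lineno, category, m.group(1)))
    return findings


# Constructed ABAP snippets (not taken from any SAP system or from the page)
SAMPLES = {
    "dynamic_where_unsafe": """
REPORT z_flight_search.
PARAMETERS p_carr TYPE s_carr_id.
DATA lv_where TYPE string.
DATA lt_flights TYPE TABLE OF sflight.
CONCATENATE 'carrid = ''' p_carr '''' INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
""",
    "dynamic_where_quoted": """
REPORT z_flight_search_safe.
PARAMETERS p_carr TYPE s_carr_id.
DATA lv_carr TYPE string.
DATA lv_where TYPE string.
DATA lt_flights TYPE TABLE OF sflight.
lv_carr = cl_abap_dyn_prg=>quote( p_carr ).
CONCATENATE 'carrid = ' lv_carr INTO lv_where.
SELECT * FROM sflight INTO TABLE lt_flights WHERE (lv_where).
""",
    "open_dataset_unsafe": """
REPORT z_download.
PARAMETERS p_file TYPE string.
DATA lv_path TYPE string.
CONCATENATE '/usr/sap/trans/data/' p_file INTO lv_path.
OPEN DATASET lv_path FOR INPUT IN BINARY MODE.
""",
}


def scan_samples():
    return {name: analyze(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, findings or "no findings")
```

The quoted variant is reported clean only because the value passes through the sanitizer before reaching the dynamic WHERE; a real tool has to know which sanitizer is adequate for which sink (quoting helps against SQL injection, not against directory traversal), which is the part a regular-expression toy cannot do.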


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security
Neither DAST nor SAST is a guarantee to find all security issues in an application

(Diagram: the testing spectrum runs from manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources) to automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application).)

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

(Diagram: manual source code review, automated source code analysis (SAST: find vulnerabilities by analyzing the sources), automated application vulnerability scanning, manual application penetration testing (DAST: find vulnerabilities in the running application); the SAP NetWeaver Application Server add-on for code vulnerability analysis belongs to the SAST part.)

Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
– sent out for very important security-related news

Reporting product security issues
Create a customer ticket in the support system
If you do not have SAP support, send an email to secure@sap.com
– please use PGP for email encryption
– the public PGP key is linked at https://service.sap.com/securitynotes

Security Response @ SAP

You have found a security vulnerability in an SAP product?
What to do: open a customer message

How does SAP provide a fix when a security vulnerability was found?
SAP releases all fixes to security vulnerabilities together on the monthly Security Patch Day (the 2nd Tuesday of every month)

You want to keep yourself up to date about security response practices in general?
Go to the SAP Service Marketplace for Spotlight News
Check the security notes released on the Security Patch Days
Subscribe to the SAP Support Portal newsletter
Maintain a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

[Diagram: SAP NetWeaver Identity Management at the centre, with SAP Access Control (GRC) and SAP Business Suite integration alongside; e.g. on-boarding as the sample process.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

[Architecture diagram. Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures and logs, audit and identity store (IdS); runtimes in Java and VB, DSE (VB), Dispatcher (VB) and an Event Agent (<<Starts>>). Virtual Directory Server (VDS) in a Java VM, reached via LDAP. External repositories: AS Java, ABAP, LDAP, Web services, Active Directory, etc. External applications: SAP HR, LDAP/Web services, SiteMinder, app-specific, etc. User interface: AS Java with Web Dynpro and an ID Mgmt UI abstraction, JMX, and the MMC Management Console (soon to be Eclipse). Connections run over HTTPS and the database protocol.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes


Compliant Identity Management

[Diagram, built up step by step: a User raises a request in SAP NetWeaver Identity Management; the request passes to an Approver and to the Compliance Team in SAP GRC Access Control before provisioning.]

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape


SAP GRC Access Control 10.0 – Architecture

[Architecture diagram. SAP GRC 10.0 core: SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A). Connected systems: SAP ERP (4.6C – 7.1) with NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); a non-SAP business applications adapter. Optional components: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, identity management solutions (SAP or non-SAP), SAP NW Java 7.02 with Adobe Document Services, and Content Lifecycle Management (CLM). Front-end client: SAP GUI 7.10, Web browser, Adobe Flash Player, SAP CR Adapter. Connections in the diagram use http, Web services, RFC and DIAG.]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports


Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Process diagram: the HR application raises a New Hire or Change Position event; Identity Management calculates entitlements based on position; the Line Manager approves the assignments (Yes / No); SAP GRC Access Control performs the compliance check and remediation; then users are created and roles and privileges assigned across the heterogeneous landscape (create user, assign roles; create user, assign privileges).]
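The six-step compliant identity management flow and the HR-event-driven customer scenario above, as an added illustration (not code from the slides, from SAP NetWeaver Identity Management or from SAP GRC Access Control): an HR event becomes a request, the line manager approves, a segregation-of-duties (SoD) check runs, the compliance team remediates, and only a compliant request is provisioned. Positions, roles, privileges, SoD rules and control IDs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample master data (assumptions, not from any SAP system).
POSITION_ROLES = {                       # rule-based business role assignment
    "AP Clerk": ["FI_VENDOR_MAINTAIN", "FI_INVOICE_POST"],
    "Sales Rep": ["CRM_OPPORTUNITY", "ERP_SALES_ORDER"],
    "Buyer": ["MM_PURCHASE_ORDER"],
}
ROLE_PRIVILEGES = {                      # business role -> (system, privilege)
    "FI_VENDOR_MAINTAIN": [("ERP", "VENDOR_MASTER_CHANGE")],
    "FI_INVOICE_POST": [("ERP", "INVOICE_POST")],
    "CRM_OPPORTUNITY": [("CRM", "OPPORTUNITY_EDIT")],
    "ERP_SALES_ORDER": [("ERP", "SALES_ORDER_CREATE")],
    "MM_PURCHASE_ORDER": [("ERP", "PURCHASE_ORDER_CREATE")],
}
SOD_RULES = {                            # segregation-of-duties conflicts
    "SOD-P001": ("FI_VENDOR_MAINTAIN", "FI_INVOICE_POST"),  # create a vendor and pay it
    "SOD-P002": ("MM_PURCHASE_ORDER", "FI_INVOICE_POST"),   # order goods and pay for them
}

@dataclass
class AccessRequest:
    user: str
    roles: list
    status: str = "requested"
    mitigations: dict = field(default_factory=dict)  # risk id -> control id
    audit: list = field(default_factory=list)        # monitoring & audit trail

    def log(self, step, text):
        self.audit.append(f"step {step}: {text}")

def calculate_entitlements(user, position):
    """Step 1: an HR event (new hire / position change) becomes a request."""
    roles = POSITION_ROLES.get(position)
    if roles is None:
        raise ValueError(f"no role rule for position {position!r}")
    req = AccessRequest(user, list(roles))
    req.log(1, f"request {roles} derived from position {position}")
    return req

def manager_decision(req, approved):
    """Steps 2-3: request sent to the line manager; approval granted or not."""
    req.status = "approved" if approved else "rejected"
    req.log(3, f"line manager {'approved' if approved else 'rejected'}")
    return req

def risk_analysis(req, existing_roles=()):
    """Step 4: SoD check over requested roles plus what the user already holds."""
    held = set(req.roles) | set(existing_roles)
    return sorted(rid for rid, pair in SOD_RULES.items() if set(pair) <= held)

def remediate(req, risks, action, control=None, drop_role=None, existing_roles=()):
    """Step 5: the compliance team rejects, approves (only without risk),
    mitigates with a control, or modifies the request (re-running step 4)."""
    if req.status != "approved":
        return req
    if action == "reject":
        req.status = "rejected"
    elif action == "approve" and not risks:
        req.status = "compliant"
    elif action == "mitigate" and risks and control:
        req.mitigations.update({rid: control for rid in risks})
        req.status = "compliant"
    elif action == "modify" and drop_role in req.roles:
        req.roles.remove(drop_role)
        if not risk_analysis(req, existing_roles):
            req.status = "compliant"
    else:
        req.status = "blocked"
    req.log(5, f"risks={risks} action={action} -> {req.status}")
    return req

def provision(req):
    """Step 6: push privileges to the target systems and mail the user;
    only a compliant request is ever provisioned."""
    if req.status != "compliant":
        return {}
    targets = {}
    for role in req.roles:
        for system, priv in ROLE_PRIVILEGES[role]:
            targets.setdefault(system, []).append(priv)
    req.status = "provisioned"
    req.log(6, f"provisioned {targets}; approval mail sent to {req.user}")
    return targets

def new_hire_scenario():
    """New hire as AP Clerk: the position rule itself carries an SoD conflict,
    which is mitigated with a compensating control before provisioning."""
    req = calculate_entitlements("jdoe", "AP Clerk")
    manager_decision(req, approved=True)
    risks = risk_analysis(req)                        # ["SOD-P001"]
    remediate(req, risks, "mitigate", control="CTL-INVOICE-REVIEW")
    return req, provision(req)
```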

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram. Inputs to the SAP Attack Monitoring Infrastructure: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; network logs; IDS. Processing stages shown: Aggregation, Normalization, Connectivity, Filtering, Extraction. Also shown: an API to other SIEM tools, alerts from SAP SolMan, and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
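As an added illustration of the stages in the draft above (not SAP code, and not any real SAP log format): three constructed log sources are extracted and normalized into one schema, filtered to logon events, aggregated in time order, and correlated against an attack pattern kept as data, so that failures spread over an SAP system, a database and an SSH host from one address become a single alert for a SIEM. The line formats, the pattern and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample line formats (assumptions, not SAP's real log formats):
# SAP NetWeaver security audit, database audit trail, infrastructure (sshd).
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
PARSERS = [
    ("sap_netweaver",
     re.compile(TS + r" NW\[\w+\] user=(?P<user>\S+) ip=(?P<ip>\S+) "
                r"event=(?P<event>\S+) result=(?P<result>\S+)$"),
     {"OK": "success", "FAILED": "failure"}),
    ("database",
     re.compile(TS + r" DB audit: (?P<result>\w+) (?P<event>login) "
                r"(?P<user>\S+) from (?P<ip>\S+)$"),
     {"granted": "success", "denied": "failure"}),
    ("infrastructure",
     re.compile(TS + r" sshd: (?P<result>Accepted|Failed) (?P<event>password) "
                r"for (?P<user>\S+) from (?P<ip>\S+)$"),
     {"Accepted": "success", "Failed": "failure"}),
]
LOGON_EVENTS = {"LOGON", "login", "password"}   # each source's name for a logon

def normalize(line):
    """Extraction + normalization: one schema for every known source."""
    for source, regex, outcomes in PARSERS:
        m = regex.match(line)
        if m:
            event = m["event"]
            return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                    "source": source, "user": m["user"], "ip": m["ip"],
                    "action": "logon" if event in LOGON_EVENTS else event.lower(),
                    "outcome": outcomes.get(m["result"], "unknown")}
    return None                       # no connectivity/parser for this source

def aggregate(lines):
    """Filtering + aggregation: keep only logon events, in time order."""
    events = [e for e in map(normalize, lines) if e and e["action"] == "logon"]
    return sorted(events, key=lambda e: e["ts"])

# Attack patterns as data, so they can be updated separately from the code.
PATTERNS = [
    {"id": "PAT-001", "threshold": 3, "window": timedelta(minutes=5),
     "description": "failed logons from one address across systems, then a success"},
]

def match_patterns(events, patterns=PATTERNS):
    """Correlate across sources: for each successful logon, count the earlier
    failures from the same address inside the pattern's window."""
    alerts = []
    for pat in patterns:
        for ev in events:
            if ev["outcome"] != "success":
                continue
            start = ev["ts"] - pat["window"]
            prior = [f for f in events if f["ip"] == ev["ip"]
                     and f["outcome"] == "failure" and start <= f["ts"] < ev["ts"]]
            if len(prior) >= pat["threshold"]:
                alerts.append({"pattern": pat["id"], "ip": ev["ip"], "user": ev["user"],
                               "failures": len(prior), "success_at": ev["ts"],
                               "sources": sorted({f["source"] for f in prior})})
    return alerts

# Constructed sample lines: three failures from 10.0.0.7 on three different
# systems within 30 seconds, then a successful SAP logon from the same address.
SAMPLE_LINES = [
    "2013-10-22 09:00:01 NW[PRD] user=jdoe ip=10.0.0.7 event=LOGON result=FAILED",
    "2013-10-22 09:00:05 DB audit: denied login jdoe from 10.0.0.7",
    "2013-10-22 09:00:09 sshd: Failed password for jdoe from 10.0.0.7",
    "2013-10-22 09:00:30 NW[PRD] user=jdoe ip=10.0.0.7 event=LOGON result=OK",
    "2013-10-22 09:01:00 NW[PRD] user=asmith ip=10.0.0.9 event=LOGON result=OK",
    "2013-10-22 09:02:00 NW[PRD] user=asmith ip=10.0.0.9 event=REPORT_START result=OK",
    "this line comes from a source the infrastructure has no parser for",
]

def run():
    return match_patterns(aggregate(SAMPLE_LINES))
```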


Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks



Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 66: SIS100 - Overview About Product Security, IDM and SSO


Secure Custom Development – Secure Programming

Secure programming – avoid security bugs:
• Cross-site scripting (XSS)
• Cross-site request forgery (XSRF)
• SQL injection
• Directory traversal
• ABAP code injection

Resources:
• SAP Secure Programming Guides
• SAP Security Recommendations

How to verify: source code scanning – automate it


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends that customers and partners do security code scans (among other measures) for custom-developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling and result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
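As an added illustration of the data-flow focus the last bullet describes (not SAP's tool and not code from the slides), here is a toy taint analysis over a constructed intermediate form of an ABAP report: user input is tracked through assignments and escapings until it reaches a sink of one of the classes listed on the Secure Programming slide. The statement forms, variable names and the sample program are assumptions.

```python
# Vulnerability classes from the Secure Programming slide, keyed by sink kind.
VULN_CLASS = {"sql": "SQL injection", "html": "Cross-site scripting (XSS)",
              "path": "Directory traversal", "code": "ABAP code injection"}

# Constructed intermediate form of an ABAP report (not a real parser):
#   ("input", var)               var filled from user input (screen field, request)
#   ("assign", dst, [src, ...])  dst built from srcs (MOVE / CONCATENATE)
#   ("escape", dst, src, kind)   dst = src escaped for one sink kind
#   ("allowlist", dst, src)      dst = src checked against a fixed list of values
#   ("sink", kind, var)          var reaches a dangerous statement of that kind

def analyze(program):
    """Forward taint analysis: track, per variable, which escapings have been
    applied to user input; report every sink reached without the right one."""
    state = {}        # var -> None (clean) or set of escape kinds applied
    findings = []
    for idx, stmt in enumerate(program):
        op = stmt[0]
        if op == "input":
            state[stmt[1]] = set()
        elif op == "assign":
            tainted = [state[s] for s in stmt[2] if state.get(s) is not None]
            # a value built from several tainted parts keeps only the escapings
            # that were applied to all of them
            state[stmt[1]] = set.intersection(*tainted) if tainted else None
        elif op == "escape":
            _, dst, src, kind = stmt
            state[dst] = None if state.get(src) is None else state[src] | {kind}
        elif op == "allowlist":
            state[stmt[1]] = None
        elif op == "sink":
            _, kind, var = stmt
            applied = state.get(var)
            if applied is None:
                continue
            if kind == "code" or kind not in applied:
                fix = ("restrict the value to an allowlist; escaping cannot make "
                       "generated code safe" if kind == "code"
                       else f"escape the value for {kind} before the sink")
                findings.append({"stmt": idx, "var": var,
                                 "class": VULN_CLASS[kind], "fix": fix})
        else:
            raise ValueError(f"unknown statement {op!r} at {idx}")
    return findings

# Constructed sample program exercising each class once: statements 2, 6, 10
# and 13 are the unsafe ones; 5, 8 and 12 show the sanitized counterpart.
SAMPLE_PROGRAM = [
    ("input", "lv_matnr"),                         # 0  PARAMETERS p_matnr
    ("assign", "lv_where", ["lv_matnr"]),          # 1  CONCATENATE into WHERE clause
    ("sink", "sql", "lv_where"),                   # 2  SELECT ... WHERE (lv_where)
    ("escape", "lv_quoted", "lv_matnr", "sql"),    # 3  quote for dynamic SQL
    ("assign", "lv_where2", ["lv_quoted"]),        # 4
    ("sink", "sql", "lv_where2"),                  # 5  safe
    ("sink", "html", "lv_matnr"),                  # 6  written to the response raw
    ("escape", "lv_html", "lv_matnr", "html"),     # 7  HTML-encode
    ("sink", "html", "lv_html"),                   # 8  safe
    ("assign", "lv_file", ["lv_dir", "lv_matnr"]), # 9  lv_dir is a constant
    ("sink", "path", "lv_file"),                   # 10 OPEN DATASET lv_file
    ("allowlist", "lv_prog", "lv_matnr"),          # 11 value must be in a fixed list
    ("sink", "code", "lv_prog"),                   # 12 safe
    ("sink", "code", "lv_matnr"),                  # 13 generated ABAP from raw input
]

def run():
    return analyze(SAMPLE_PROGRAM)
```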


Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) comprises measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

[Diagram: four methods arranged between the DAST and SAST ends of a scale: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning, Manual Application Penetration Testing. DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.]


Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Diagram, as on the previous slide: Manual Source Code Review, Automated Source Code Analysis, Automated Application Vulnerability Scanning and Manual Application Penetration Testing arranged between DAST (find vulnerabilities in the running application) and SAST (find vulnerabilities by analyzing the sources); the SAP NetWeaver Application Server add-on for code vulnerability analysis is highlighted.]

Finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs


Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes


Security Response @ SAP

You have found a security vulnerability in an SAP product?
• What to do: open a customer message.

How does SAP provide a fix when a security vulnerability was found?
• SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general?
• Go to the SAP Service Marketplace for spotlight news
• Check the security notes released on the Security Patch Days
• Subscribe to the SAP Support Portal newsletter
• Maintain a security contact in your organization

You will find all links and more information on security response using the quick link ‘securitynotes’ on the SAP Service Marketplace.


Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic: Course ID
• Authorizations AS ABAP: ADM940
• Authorizations AS Java, Portal: ADM200, EP200, ADM800
• Authorizations BW: BW365
• SAP NetWeaver Identity Management: ADM920
• Security Auditing: ADM950
• Technical Security (RFC, SSL, SNC, …): ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
• EAL 1: Functionally tested
• EAL 2: Structurally tested
• EAL 3: Methodically tested and checked
• EAL 4: Methodically designed, tested and reviewed
• EAL 5: Semi-formally designed and tested
• EAL 6: Semi-formally verified, designed and tested
• EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World Using SAP NetWeaver Single Sign-On (HO, 2 hr)


Compliant Identity Management and Single Sign-On

[Diagram: three pillars – Compliance and Governance (SAP GRC Access Control), Identity Management (SAP NetWeaver Identity Management), Authentication and Single Sign-On (SAP NetWeaver Single Sign-On) – together forming Compliant Identity Management and Single Sign-On.]

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers
• (No single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner, API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company / domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On: Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

[Diagram: after primary authentication, the E-SSO monitor on the client (with a Local Management Console) logs user jack_jones into a terminal emulator, a Web form, Web basic authentication, a Windows application and a Java application.]


Secure Login – Solution Architecture

[Architecture diagram. Client system: SAP frontend (NWBC, SAP GUI) with the Secure Login Client and a key store; a Web browser with the SLWC (applet). SAP backend system: ABAP stack with the Secure Login Library (DIAG with SNC) and Java stack with the PSE service (HTTP(S)); further backend systems with the Secure Login Lib. Secure Login Server on NetWeaver CE 7.2 with its configuration data, an authentication server (e.g. SAP User Management) and the SAP or Java crypto library.]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

[Diagram: Company A in Datacenter A and Company B in Datacenter B, each with its own ERP, CRM, SCM and further systems (…).]

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Overview of SAP Code Check Tools (Topic: Source Code Scan)

SAP recommends customers and partners to do security code scans (among other measures) for custom developed code (see note 1697494).

• ABAP Test Cockpit (ATC): central place for all check tools, exemption handling, result storage
• Code Inspector (SCI): open framework for customers, partners and SAP to develop code-related checks
• Extended Program Check (SLIN): extended program check which analyzes the source code
• SAP NetWeaver Application Server add-on for code vulnerability analysis: code checks for security vulnerabilities; the main focus of the tool is to analyze the data flow and the user input

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Application Security Testing

Security testing in terms of dynamic application security testing (DAST) and static application security testing (SAST) are measures to improve code quality and security. Neither DAST nor SAST is a guarantee to find all security issues in an application.

• Manual Source Code Review
• Automated Source Code Analysis
• Automated Application Vulnerability Scanning
• Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

• Manual Source Code Review
• Automated Source Code Analysis
• Automated Application Vulnerability Scanning
• Manual Application Penetration Testing

DAST: find vulnerabilities in the running application. SAST: find vulnerabilities by analyzing the sources.

SAP NetWeaver Application Server add-on for code vulnerability analysis: finding security issues at design time is easier and less expensive.

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs
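The data-flow analysis the add-on is described as doing (follow user input to the place where it is used) can be shown on a small scale. The following is an added example, not SAP's code vulnerability analysis add-on nor ATC/SCI code: a toy taint checker written in Python over Python source, in which the source, sink and sanitizer names (request.args.get, input, cursor.execute, os.system, int, escape_sql, shlex.quote) and the sample program under analysis are constructed for the demonstration. It illustrates why SAST finds such issues at design time: the flaw is visible from the code alone, before anything runs.

```python
"""Toy data-flow (taint) check in the spirit of a SAST tool: follow user input
from a source through assignments into a dangerous sink and report the path.
Added example, not SAP's code-vulnerability-analysis add-on; the sample
program and the source/sink/sanitizer names are constructed."""
import ast

SOURCES = {"input", "request.args.get"}            # where untrusted data enters
SINKS = {"cursor.execute", "os.system"}             # where it must not arrive unchecked
SANITIZERS = {"int", "shlex.quote", "escape_sql"}   # calls whose output counts as clean


def _callee_name(call):
    """Dotted name of the called function, e.g. 'cursor.execute'."""
    parts = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


class TaintChecker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}      # variable name -> line where its data entered from a source
        self.findings = []     # (sink line, sink name, source line)

    def _taint_of(self, node):
        """Line where the data in `node` originated from a source, or None if clean."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SOURCES:
                return node.lineno
            if name in SANITIZERS:
                return None                 # sanitizer output is clean by definition
            for arg in node.args:           # any other call passes taint through
                origin = self._taint_of(arg)
                if origin is not None:
                    return origin
            return None
        if isinstance(node, ast.BinOp):     # string concatenation
            return self._taint_of(node.left) or self._taint_of(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            for value in node.values:
                if isinstance(value, ast.FormattedValue):
                    origin = self._taint_of(value.value)
                    if origin is not None:
                        return origin
        return None

    def visit_Assign(self, node):
        origin = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin is None:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
                else:
                    self.tainted[target.id] = origin
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _callee_name(node)
        if name in SINKS:
            for arg in node.args:
                origin = self._taint_of(arg)
                if origin is not None:
                    self.findings.append((node.lineno, name, origin))
                    break
        self.generic_visit(node)


def scan(source):
    """Return [(sink line, sink name, source line)] for untrusted data reaching a sink."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed program under analysis (not real application code).
SAMPLE = '''\
import os
user = request.args.get("user")                       # line 2: untrusted source
query = "SELECT * FROM t WHERE u = '" + user + "'"    # taint propagates
cursor.execute(query)                                 # line 4: SQL sink -> finding
limit = int(request.args.get("limit"))                # sanitizer clears the taint
cursor.execute("SELECT * FROM t LIMIT " + str(limit)) # clean
os.system(f"ls {user}")                               # line 7: OS sink -> finding
'''

if __name__ == "__main__":
    for sink_line, sink, source_line in scan(SAMPLE):
        print(f"line {sink_line}: input from line {source_line} reaches {sink}")
```

The checker is intra-procedural and ignores control flow, which is exactly the kind of simplification a real tool has to remove; what it keeps is the core idea of the slide, that a source-to-sink path through the code is the finding, and a sanitizer on that path is the fix.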

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.)
• Subscribe to the SAP Support Portal Newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
• Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  – Sent out for very important security-related news

Reporting product security issues
• Create a customer ticket in the support system
• If you do not have SAP support, send an email to secure@sap.com
  – Please use PGP for email encryption
  – The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up-to-date about security response practices in general? Go to the SAP Service Marketplace for spotlight news:
• check of the security notes released on the Security Patch Days
• subscription to the SAP support portal newsletter
• maintenance of a security contact in your organization

You will find all links and more information on security response using quick link ‘securitynotes’ on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test
  – Verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security
  – Proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects providing implementation guidance
• Booking code: P_ADM_SEC_70

Topic                                   Course ID
Authorizations AS ABAP                  ADM940
Authorizations AS Java / Portal         ADM200, EP200, ADM800
Authorizations BW                       BW365
SAP NetWeaver Identity Management       ADM920
Security Auditing                       ADM950
Technical Security (RFC, SSL, SNC, …)   ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
EAL 1: Functionally tested
EAL 2: Structurally tested
EAL 3: Methodically tested and checked
EAL 4: Methodically designed, tested and reviewed
EAL 5: Semi-formally designed and tested
EAL 6: Semi-formally verified, designed and tested
EAL 7: Formally verified, designed and tested

Common Criteria Certified SAP Products

Markets where the Common Criteria Certificate is accepted: New Zealand, Canada, Sweden, Czech Republic, India, UK, Finland, Italy, Pakistan, Israel, The Netherlands, Singapore, Turkey, Germany, Denmark, Greece, Japan, Rep. of Korea, Spain, Norway, Austria, US, Australia, Hungary, Malaysia, France

https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
• SAP NetWeaver Application Server Java 7.02 SP03: EAL 4+ (certified in 2011)
• SAP NetWeaver Application Server ABAP 7.02 SP08: EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On: Single Sign-On, Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO, 2hr)

Compliant Identity Management and Single Sign-On

• Compliance and Governance: SAP GRC Access Control
• Identity Management: SAP NetWeaver Identity Management
• Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.

Compliant Identity Management and Single Sign-On

Single sign-on
• SAP GUI for Windows, SAP GUI for Java, Web applications

Integration capabilities
• Microsoft Active Directory Server
• Microsoft Certificate Store

Advanced SNC encryption
• Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods
• Smart cards
• Radius

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP systems and non-SAP
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On
• Identity federation
• Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (Radius, smart cards)
• RSA Certification
• Coming with version 2.0:
  – SPNEGO for ABAP (Kerberos support for web-based access to ABAP)
  – FIPS 140-2 certification for Crypto Library

SNC Client Encryption
• Basic encryption of the communication path for SAP Windows clients and SAP application servers (no single sign-on)

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On
• Web Access Management (Partner API): Endorsed Business Solution (EBS) with CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
• Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company/domain single sign-on
• Secure Login: single sign-on for Web-based and Web service-based applications; standard-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
• Enterprise Single Sign-On (E-SSO) for legacy systems (ftp, databases, terminal, telnet): secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers; no single sign-on

EBS CA SiteMinder®: Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

Figure (labels from the diagram): Primary Authentication → E-SSO; E-SSO Monitor; Local Management Console; automated logons (sample user jack_jones) to a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application.

Secure Login – Solution Architecture

Figure (component labels from the architecture diagram):
• Client System: SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser with SLWC (Applet), Key Store, SAP or Java Crypto Library
• SAP Backend System: ABAP Stack with Secure Login Library; Java Stack (NetWeaver CE 7.2) with Secure Login Server, Config Data, PSE Service
• Authentication Server (e.g. SAP User Management)
• Backend Systems, each with Secure Login Lib
• Connections shown: DIAG / SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure

Figure: Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), connected via the Cloud.

Identity Federation – Solution

Figure: Company A (Datacenter A) and Company B (Datacenter B), each with its own Identity Provider and with ERP, CRM and SCM systems acting as Service Providers (SP), linked by Identity Federation.

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

Figure: SAP NetWeaver Java Identity Provider (User Account) handles log on / log off and issues a SAML token; Service Providers, each with its own User Account: SAP NetWeaver ABAP, SAP NetWeaver Java, non-SAP.

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system will be redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
• Web browser-based single sign-on is user-centric
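The redirect-and-assert exchange on this slide, written out from the Service Provider's side as an added example (not SAP's Identity Provider or Service Provider code). The entity IDs, ACS URL, user name and signing key are assumed values; the XML signature is stood in for by an HMAC over the serialized assertion so that the example runs with the standard library alone, while the checks it performs (trusted issuer, InResponseTo matching an outstanding request, recipient, validity window with clock skew, audience, one-time use) are the ones an SP must make before trusting a token, and the final call shows the "no re-authentication" step: later requests carry only the SP's own session.

```python
"""SP-side validation of a SAML 2.0 browser-SSO assertion. Added example, not
SAP's IdP/SP implementation. Identifiers are assumed; the HMAC stands in for
the XML-DSig signature (a simplification so the block runs offline)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
IDP_ENTITY_ID = "https://idp.example.com"        # assumed identifiers, not from the slides
SP_ENTITY_ID = "https://sp.example.com"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_KEY = b"stand-in-for-the-idp-signing-key"    # HMAC key replacing the IdP's XML-DSig key


def _q(tag):
    return "{%s}%s" % (SAML, tag)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _sign(assertion_xml):
    # Stand-in for the enveloped XML signature: HMAC-SHA256 over the serialized assertion.
    return hmac.new(IDP_KEY, assertion_xml, hashlib.sha256).hexdigest()


def idp_issue_assertion(user, in_response_to, now, lifetime=timedelta(minutes=5)):
    """IdP side: after authenticating `user`, issue a bearer assertion for the SP."""
    a = ET.Element(_q("Assertion"), ID="_" + secrets.token_hex(8),
                   IssueInstant=_ts(now), Version="2.0")
    ET.SubElement(a, _q("Issuer")).text = IDP_ENTITY_ID
    subject = ET.SubElement(a, _q("Subject"))
    ET.SubElement(subject, _q("NameID")).text = user
    conf = ET.SubElement(subject, _q("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _q("SubjectConfirmationData"), InResponseTo=in_response_to,
                  Recipient=ACS_URL, NotOnOrAfter=_ts(now + lifetime))
    cond = ET.SubElement(a, _q("Conditions"), NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + lifetime))
    restriction = ET.SubElement(cond, _q("AudienceRestriction"))
    ET.SubElement(restriction, _q("Audience")).text = SP_ENTITY_ID
    xml = ET.tostring(a)
    return xml, _sign(xml)


class ServiceProvider:
    """SP side: outstanding AuthnRequest IDs, consumed assertion IDs, local sessions."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self.pending = set()
        self.seen_ids = set()
        self.sessions = {}
        self.skew = clock_skew

    def start_login(self):
        """An unauthenticated browser hits a protected page: remember the request ID
        that goes into the AuthnRequest, then redirect the browser to the IdP."""
        req_id = "_" + secrets.token_hex(8)
        self.pending.add(req_id)
        return req_id

    def consume(self, xml, signature, now):
        """Validate the assertion posted to the ACS URL; return a session token or raise."""
        if not hmac.compare_digest(_sign(xml), signature):
            raise ValueError("signature invalid")       # reject before trusting any content
        a = ET.fromstring(xml)
        if a.findtext(_q("Issuer")) != IDP_ENTITY_ID:
            raise ValueError("untrusted issuer")
        scd = a.find(".//" + _q("SubjectConfirmationData"))
        if scd is None or scd.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or stale response")
        if scd.get("Recipient") != ACS_URL:
            raise ValueError("wrong recipient")
        cond = a.find(_q("Conditions"))
        not_before = _parse_ts(cond.get("NotBefore")) - self.skew
        not_on_or_after = _parse_ts(cond.get("NotOnOrAfter")) + self.skew
        if not (not_before <= now < not_on_or_after):
            raise ValueError("assertion outside validity window")
        if a.findtext(".//" + _q("Audience")) != SP_ENTITY_ID:
            raise ValueError("assertion not intended for this SP")
        if a.get("ID") in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(a.get("ID"))
        self.pending.discard(scd.get("InResponseTo"))   # one response per request
        token = secrets.token_hex(16)
        self.sessions[token] = a.findtext(".//" + _q("NameID"))
        return token

    def access(self, token):
        """Later requests carry only the SP session: no further IdP round trip."""
        return self.sessions.get(token)


if __name__ == "__main__":
    now = datetime(2013, 11, 5, 12, 0, tzinfo=timezone.utc)
    sp = ServiceProvider()
    req = sp.start_login()                                   # 1: redirect to the IdP
    xml, sig = idp_issue_assertion("jack_jones", req, now)   # 2: IdP authenticates the user
    session = sp.consume(xml, sig, now)                      # 3: SP validates the token
    print(sp.access(session))                                # jack_jones, no re-authentication
```

The order of the checks matters: the signature is verified before any field is read, and the InResponseTo and assertion ID bookkeeping is what turns the bearer token into a one-time credential for this SP only.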

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2hr)

SAP NetWeaver Identity Management

Figure: SAP NetWeaver Identity Management with its Central Identity Store, triggered e.g. by on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as service
• Approval workflows
• Central Identity Store
• Compliance checks through GRC
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

Figure (component labels from the architecture diagram):
• Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java) and Runtime (VB); DSE (VB); Dispatcher; Event Agent <<Starts>>; Management Console (MMC, soon to be Eclipse)
• Virtual Directory Server (VDS): Java VM, LDAP
• AS Java: Web Dynpro user interface, ID Mgmt UI abstraction, JMX; HTTPS to the user interface
• External repositories (Active Directory, etc.): dB protocol, LDAP, Java, ABAP, Web Services
• External applications (SAP HR, SiteMinder, etc.): LDAP, Web Services, app-specific

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Process flow between the User, the Approver, the Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control (built up step by step over the following slides):

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Figure (component labels from the architecture diagram; connections shown are http, Web services, RFC and DIAG; components marked optional on the diagram are marked so here):
• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Ctrls (Plug-in GRCPIERP)
• Non-SAP Business Applications: Adapter (optional)
• SAP NW Portal 7.02: GRC Portal Content (optional)
• SAP NW BW 7.02: GRC BI Content (optional)
• SAP NW JAVA 7.02: Adobe Document Services (optional)
• Identity Management Solutions (SAP or non-SAP) (optional)
• Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Figure (process flow): HR Application (New Hire, Change Position) → Identity Management: Calculate Entitlements Based on Position → Line Manager: Approve Assignments? (No / Yes) → SAP GRC Access Control: Compliance Check, Remediation → Heterogeneous Landscape: Create User / Assign Roles on the SAP systems, Create User / Assign Privileges on the other systems
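The HR-event-driven flow of this and the preceding slides (calculate entitlements from the position, manager approval, risk analysis with reject / approve / mitigate / modify request, then provisioning), as an added example that is not the SAP NetWeaver Identity Management or SAP GRC Access Control implementation. The positions, business roles, segregation-of-duties rule table, mitigating control IDs and target systems are constructed for the demonstration; the point it makes is that the compliance check must look at the resulting role set (requested plus already held), not only at the delta being requested.

```python
"""Compliant identity management flow as a small state machine. Added example,
not SAP IdM / GRC Access Control code; all rule tables are constructed."""
from dataclasses import dataclass, field

# Which business roles a position entitles to (constructed).
POSITION_ROLES = {
    "accounts_payable_clerk": {"AP_INVOICE_ENTRY", "VENDOR_DISPLAY"},
    "purchasing_manager": {"PO_APPROVE", "VENDOR_MAINTAIN"},
}
# Segregation-of-duties rules: role pairs that must not be held together (constructed).
SOD_RULES = {
    "P001": ("PO_APPROVE", "AP_INVOICE_ENTRY"),      # approve an order and pay for it
    "P002": ("VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"),  # create a vendor and pay it
}
# Provisioning target per role in the heterogeneous landscape (constructed).
ROLE_SYSTEM = {
    "AP_INVOICE_ENTRY": "ERP", "VENDOR_DISPLAY": "ERP",
    "PO_APPROVE": "SRM", "VENDOR_MAINTAIN": "ERP",
}


@dataclass
class Request:
    user: str
    requested_roles: set
    existing_roles: set = field(default_factory=set)
    status: str = "requested"
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)   # risk id -> mitigating control id
    provisioned: dict = field(default_factory=dict)   # system -> roles assigned


def calculate_entitlements(position):
    """Step 'Calculate Entitlements Based on Position'."""
    return set(POSITION_ROLES.get(position, ()))


def hr_event(user, position, existing_roles=frozenset()):
    """New hire / change position: derive the access request from the position."""
    return Request(user, calculate_entitlements(position), set(existing_roles))


def manager_decision(req, approved):
    """Line manager: 'Approve Assignments?' (Yes / No)."""
    req.status = "approved_by_manager" if approved else "rejected"
    return req


def risk_analysis(req):
    """Compliance check: evaluate the resulting role set, not just the requested delta."""
    if req.status != "approved_by_manager":
        return req
    total = req.requested_roles | req.existing_roles
    req.risks = [rid for rid, (a, b) in SOD_RULES.items() if a in total and b in total]
    req.status = "risk_found" if req.risks else "compliant"
    return req


def remediate(req, mitigations=None, drop_roles=frozenset()):
    """Compliance team: modify the request, assign mitigating controls, or reject."""
    if req.status != "risk_found":
        return req
    req.requested_roles -= set(drop_roles)          # 'Modify request'
    req.status = "approved_by_manager"
    risk_analysis(req)                               # re-check after the modification
    if req.status == "risk_found":
        mitigations = mitigations or {}
        if any(r not in mitigations for r in req.risks):
            req.status = "rejected"                  # an unmitigated risk blocks the request
        else:
            req.mitigations = {r: mitigations[r] for r in req.risks}
            req.status = "compliant"                 # 'Mitigate'
    return req


def provision(req):
    """Create user / assign roles per target system, only for a compliant request."""
    if req.status != "compliant":
        return req
    for role in sorted(req.requested_roles):
        req.provisioned.setdefault(ROLE_SYSTEM[role], set()).add(role)
    req.status = "provisioned"
    return req


def run_scenario(user, position, existing_roles=frozenset(), approved=True, mitigations=None):
    """The whole flow from HR event to provisioning."""
    req = manager_decision(hr_event(user, position, existing_roles), approved)
    req = remediate(risk_analysis(req), mitigations)
    return provision(req)


if __name__ == "__main__":
    print(run_scenario("jdoe", "accounts_payable_clerk"))
    print(run_scenario("jdoe", "purchasing_manager", existing_roles={"AP_INVOICE_ENTRY"}))
```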

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Figure (component labels from the architecture draft):
• Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of Non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Logs: Network; IDS; Alerts from SAP SolMan
• SAP Attack Monitoring Infrastructure: Connectivity, Extraction, Filtering, Aggregation, Normalization
• Outputs: API to other SIEM tools; Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
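The draft's pipeline stages (connectivity and extraction, filtering, normalization, aggregation, matching against attack patterns, alerts handed on to a SIEM) run over constructed sample log lines, as an added example that is not SAP's planned infrastructure. The two line formats (a NetWeaver-style logon/RFC line and a web-server-style access line), the system ID PRD, the user names, the addresses and the brute-force pattern are all made up for the demonstration; the value of normalization shows in the result, where failures recorded by two different sources are counted together per client.

```python
"""Extract, filter, normalize, aggregate and match logon events against an
attack pattern. Added example, not SAP's attack monitoring infrastructure;
both log formats and the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extraction: one pattern per source format (constructed; not SAP's Security
# Audit Log or ICM log format).
NW_LINE = re.compile(
    r"^(?P<ts>\S+) NW\[(?P<sid>\w+)\] (?P<event>LOGON_FAIL|LOGON_OK|RFC_CALL) "
    r"user=(?P<user>\S+) term=(?P<term>\S+)$")
WEB_LINE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\w+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def normalize(line):
    """Map any known line to one event schema; unknown lines are dropped (filtering)."""
    m = NW_LINE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "src": "netweaver:" + m["sid"], "user": m["user"].lower(),
                "client": m["term"],
                "kind": "logon" if m["event"].startswith("LOGON") else "rfc",
                "outcome": "fail" if m["event"] == "LOGON_FAIL" else "ok"}
    m = WEB_LINE.match(line)
    if m and m["path"].startswith("/sap/bc/"):      # only the ICF logon path matters here
        return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"),
                "src": "web", "user": m["user"].lower(), "client": m["ip"],
                "kind": "logon", "outcome": "fail" if m["status"] == "401" else "ok"}
    return None


# Attack pattern as data, the kind of content "Attack Pattern Updates by SAP" would
# deliver: at least `threshold` failed logons from one client within `window`,
# followed by a successful logon from the same client.
PATTERN = {"id": "BRUTE_FORCE_THEN_SUCCESS", "threshold": 3, "window": timedelta(minutes=5)}


def detect(events, pattern=PATTERN):
    """Aggregate logon events per client across all sources, then match the pattern."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "logon":
            by_client[e["client"]].append(e)
    alerts = []
    for client, evs in by_client.items():
        recent_failures = []
        for e in evs:
            # keep only the failures still inside the sliding window
            recent_failures = [f for f in recent_failures
                               if e["ts"] - f["ts"] <= pattern["window"]]
            if e["outcome"] == "fail":
                recent_failures.append(e)
                continue
            if len(recent_failures) >= pattern["threshold"]:
                alerts.append({"pattern": pattern["id"], "client": client,
                               "user": e["user"], "failures": len(recent_failures),
                               "sources": sorted({f["src"] for f in recent_failures} | {e["src"]}),
                               "at": e["ts"]})
            recent_failures = []            # a success closes the current series
    return alerts


def run(lines, pattern=PATTERN):
    """Whole pipeline: extract + filter + normalize, then aggregate + match."""
    events = [ev for ev in (normalize(line) for line in lines) if ev is not None]
    return detect(events, pattern)


# Constructed sample input: three failures from one address across two log sources,
# then a successful logon from that address; one unrelated single failure elsewhere.
SAMPLE_LINES = [
    "2013-11-05T09:00:01 NW[PRD] LOGON_FAIL user=JSMITH term=10.1.2.3",
    "2013-11-05T09:00:04 NW[PRD] LOGON_FAIL user=JSMITH term=10.1.2.3",
    '10.1.2.3 - jsmith [05/Nov/2013:09:00:09] "POST /sap/bc/gui/sap/its/webgui HTTP/1.1" 401 512',
    "2013-11-05T09:00:15 NW[PRD] LOGON_OK user=JSMITH term=10.1.2.3",
    "2013-11-05T09:01:00 NW[PRD] RFC_CALL user=BATCH term=10.9.9.9",
    "2013-11-05T09:02:00 NW[PRD] LOGON_FAIL user=AMILLER term=10.5.5.5",
    "2013-11-05T09:02:30 NW[PRD] LOGON_OK user=AMILLER term=10.5.5.5",
    "this line comes from a source no extractor understands",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):        # what the API to other SIEM tools would carry
        print(alert)
```

The alert records are plain dictionaries so that the same objects could be serialized for the "API to other SIEM tools" or summarized for the back channel; the pattern itself is data rather than code, which is what makes centrally distributed pattern updates possible.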

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 68: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 68

Application Security Testing

Security Testing in terms of dynamic application security testing (DAST) and static application

security testing (SAST) are measures to improve code quality and security

Neither DAST nor SAST are a guarantee to find all security issues in an application

Manual Source Code

Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application

Penetration Testing

DAST find vulnerabilities in the

running application SAST find vulnerabilities

analyzing the sources

copy 2013 SAP AG or an SAP affiliate company All rights reserved 69

Code Vulnerability Analysis Scan Analyze and Fix Your Programs

Manual Source Code Review

Automated Source

Code Analysis

Automated Application

Vulnerability Scanning

Manual Application Penetration

Testing

DAST

Find vulnerabilities in the

running application

SAST

Find vulnerabilities analyzing

the sources

SAP NetWeaver Application Server add-on

for code vulnerability analysis

Finding security issues at design time is easier and less

expensive

Session SIS261 ndash Your Way to Secure ABAP Code ndash Scan Analyze and Fix Your Programs

copy 2013 SAP AG or an SAP affiliate company All rights reserved 70

Stay Informed and Report Issues

Security-related news from SAP (patches whitepapers etc)

Subscribe to the SAP Support Portal Newsletter Spotlight News My

SAP HotNews My SAP Security Notes

Maintain a security contact in SAP Service Marketplace who get

ad-hoc SAP Product Security Notifications

ndash Send out for very important security-related news

Reporting product security issues

Create a customer ticket in the support system

If you do not have SAP support send an email to securesapcom

ndash Please use PGP for email encryption

ndash Public PGP key is linked at httpsservicesapcomsecuritynotes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 71

Security Response SAP

You have found a Security Vulnerability in a SAP product

What to do Open a customer message

How does SAP provide a fix when a security vulnerability was found

SAP releases all fixes to security vulnerabilities together on the monthly

security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response

practices in general

Goto the SAP Service Marketplace for spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response

using quick link lsquosecuritynotesrsquo on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center, Virtual Directory Server, Identity Services
- Integration with SAP GRC Access Control
- Identity federation

SAP NetWeaver Single Sign-On:
- Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the crypto library

SNC Client Encryption:
- Basic encryption of the communication path between SAP Windows clients and SAP application servers
- No single sign-on

SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner solution, API): Endorsed Business Solution (EBS) with the CA SiteMinder product. Policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access.
- Identity Federation: Web-based and Web service-based authentication. Single sign-on and identity federation via SAML 2.0; cross-company, cross-domain single sign-on.
- Secure Login: Single sign-on for Web-based and Web service-based applications. Standards-based single sign-on for SAP GUI (Kerberos, X.509). Digital signature for integrity and re-authentication for critical applications.
- Enterprise Single Sign-On (E-SSO): E-SSO for legacy systems (FTP, databases, terminal, telnet). Secured and automated login via user and password.
- SNC Client Encryption: Basic encryption between SAP Windows clients and SAP application servers. No single sign-on.
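Secure Login and SNC Client Encryption both protect SAP GUI and RFC traffic with SNC, and it is the profile parameters of the AS ABAP that decide whether a client that does not speak SNC is still let in. As an added example (not from the slides and not SAP code), the following Python script parses an instance profile and flags the settings that leave SNC optional. The parameter names are SAP's documented profile parameters; the two profiles, the thresholds and the severities are assumptions made for this example.

```python
"""Check the SNC settings of an SAP AS ABAP instance profile.

Added example (not from the slides, not SAP code). The parameter names are
the documented SAP profile parameters; the two profiles below are constructed
for this example. The thresholds encode the usual hardening advice: SNC on,
privacy (encryption) as the minimum protection level, and no connections
without SNC accepted once every SAP GUI / RFC client has been migrated."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    parameter: str
    value: str
    severity: str  # "high" or "medium"
    message: str


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, values may contain '='."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


# Switches that let clients without SNC connect: 1 = always, U = only for users
# whose user master record (SU01, SNC tab) permits insecure communication
ACCEPT_INSECURE = {
    "snc/accept_insecure_gui": "SAP GUI (DIAG)",
    "snc/accept_insecure_rfc": "RFC",
    "snc/accept_insecure_cpic": "CPIC",
}


def check_snc(params: Dict[str, str]) -> List[Finding]:
    """Return the insecure SNC settings found in a parsed profile (empty = hardened)."""
    findings: List[Finding] = []
    enable = params.get("snc/enable", "0")
    if enable != "1":
        findings.append(Finding("snc/enable", enable, "high",
                                "SNC is off: SAP GUI and RFC traffic is sent in clear text"))
        return findings  # the other parameters have no effect while SNC is off
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy (encryption)
    minimum = params.get("snc/data_protection/min", "2")
    if int(minimum) < 3:
        findings.append(Finding("snc/data_protection/min", minimum, "high",
                                "clients may negotiate SNC without encryption; require 3 (privacy)"))
    use = params.get("snc/data_protection/use", "3")
    if int(use) < 3 and int(use) != 9:  # 9 = maximum the SNC library offers
        findings.append(Finding("snc/data_protection/use", use, "medium",
                                "connections opened by the server default to less than privacy"))
    for name, what in ACCEPT_INSECURE.items():
        value = params.get(name, "0")
        if value == "1":
            findings.append(Finding(name, value, "high",
                                    f"{what} connections without SNC are accepted"))
        elif value.upper() == "U":
            findings.append(Finding(name, value, "medium",
                                    f"{what} connections without SNC are accepted for flagged users"))
    if params.get("snc/permit_insecure_start", "0") == "1":
        findings.append(Finding("snc/permit_insecure_start", "1", "medium",
                                "external programs may be started without SNC"))
    return findings


# Constructed profile with the migration settings left in place after rollout
WEAK_PROFILE = """\
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /usr/sap/ERP/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=ERP, OU=Basis, O=Example, C=DE
snc/data_protection/min = 1
snc/data_protection/use = 3
snc/accept_insecure_gui = 1    # still lets any SAP GUI connect without SNC
snc/accept_insecure_rfc = U
"""

# The same profile after hardening
HARDENED_PROFILE = """\
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /usr/sap/ERP/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=ERP, OU=Basis, O=Example, C=DE
snc/data_protection/min = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/permit_insecure_start = 0
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}:")
        for f in check_snc(parse_profile(profile)):
            print(f"  [{f.severity}] {f.parameter} = {f.value}: {f.message}")
```

The "accept insecure" switches are what make the migration from "basic encryption, no single sign-on" to SNC everywhere safe to roll out gradually; the check is meant to be run again once the rollout is complete, when they should all be back at 0.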

EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder:
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous app environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.

What is Enterprise Single Sign-On?

[Figure: after a primary authentication, the E-SSO component (E-SSO Monitor, Local Management Console) performs the user/password login of user jack_jones to legacy targets: terminal emulator, web form, web basic authentication, Windows application, Java application.]

Secure Login – Solution Architecture

[Figure: Client system with the SAP frontend (NWBC, SAP GUI) plus Secure Login Client, and a web browser with the Secure Login Web Client (SLWC, applet) and a key store. Backend systems: SAP ABAP stack with Secure Login Library and PSE service; Java stack with SAP or Java crypto library. Secure Login Server on NetWeaver CE 7.2 with its configuration data, connected to an authentication server (e.g. SAP User Management). Protocols: DIAG with SNC between SAP GUI and the ABAP backend, HTTP(S) between the browser, the Secure Login Server and the Java stack; further links are labelled "R" in the original.]

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure
- Cloud

[Figure: Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM and SCM systems.]

Identity Federation – Solution

[Figure: the ERP, CRM and SCM systems in Datacenter A and Datacenter B each act as a SAML Service Provider (SP); Company A and Company B each run their own Identity Provider, and the two Identity Providers are linked by identity federation.]

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Figure: an Identity Provider on SAP NetWeaver Java with its user accounts; Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems, each with their own user accounts; log on / log off via SAML token.]

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
- Web browser-based single sign-on is user-centric
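As an added example (not from the slides and not SAP's implementation), the following Python model walks through the redirect flow on this slide for the two-company setup of the previous slides: an employee of company A, authenticated by company A's Identity Provider, reaches Service Providers in company B's datacenter. The entity IDs, user store and URLs are constructed. Real SAML assertions are XML documents signed with XML-DSig; the HMAC signature here is a stand-in for that so the script runs without an XML security library. What the example adds to the slide is the list of checks a Service Provider has to pass before it creates a session: signature, trusted issuer, audience, a matching outstanding request, validity window and one-time use.

```python
"""SAML 2.0 web-browser SSO between an Identity Provider (IdP) and Service
Providers (SP), with the checks an SP runs before trusting an assertion.
Added example, not from the slides and not SAP's implementation. Real
assertions are XML signed with XML-DSig; to stay self-contained the assertion
is a dict and the IdP signature is an HMAC-SHA256 over its canonical JSON form
(an assumption for this example); the checks themselves follow the standard."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Set, Tuple

IDP_ENTITY_ID = "https://idp.company-a.example/saml2"         # constructed IDs and URLs
ERP_SP_ENTITY_ID = "https://erp.company-b.example/saml2/sp"
CRM_SP_ENTITY_ID = "https://crm.company-b.example/saml2/sp"
IDP_KEY = b"idp-signing-key-for-this-example-only"          # stands in for the IdP's private key
USERS = {"jdoe": "correct horse battery staple"}           # company A's user store (constructed)


def sign(assertion: Dict, key: bytes) -> str:
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def require(condition: bool, reason: str) -> None:
    if not condition:
        raise ValueError(reason)


class IdentityProvider:
    # Company A's IdP: authenticates against its own store and issues assertions
    def __init__(self, entity_id: str, key: bytes, users: Dict[str, str]):
        self.entity_id, self.key, self.users = entity_id, key, users

    def sso(self, authn_request: Dict, username: str, password: str) -> Dict:
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("authentication failed")
        now = time.time()
        assertion = {"ID": "_" + secrets.token_hex(16), "Issuer": self.entity_id,
                     "Audience": authn_request["Issuer"],      # only the requesting SP may use it
                     "InResponseTo": authn_request["ID"], "NameID": username,
                     "NotBefore": now - 60, "NotOnOrAfter": now + 300}  # 60 s skew, 5 min lifetime
        return {"Assertion": assertion, "Signature": sign(assertion, self.key),
                "RelayState": authn_request["RelayState"]}


class ServiceProvider:
    # An SP in company B's datacenter that trusts company A's IdP
    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id, self.idp_entity_id, self.idp_key = entity_id, idp_entity_id, idp_key
        self.pending: Dict[str, str] = {}   # AuthnRequest ID -> URL the user asked for (RelayState)
        self.consumed: Set[str] = set()     # assertion IDs already accepted (replay protection)

    def authn_request(self, target_url: str) -> Dict:
        """The browser is redirected to the IdP carrying this request."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = target_url
        return {"ID": request_id, "Issuer": self.entity_id, "RelayState": target_url}

    def consume(self, response: Dict) -> Tuple[str, str]:
        """Validate the response the browser posts back; return (user, URL to continue to)."""
        assertion = response["Assertion"]
        require(hmac.compare_digest(sign(assertion, self.idp_key), response["Signature"]),
                "signature invalid")
        require(assertion["Issuer"] == self.idp_entity_id, "issuer not trusted")
        require(assertion["Audience"] == self.entity_id, "assertion issued for another SP")
        target = self.pending.pop(assertion.get("InResponseTo"), None)
        require(target is not None, "no outstanding AuthnRequest (unsolicited or replayed)")
        now = time.time()
        require(assertion["NotBefore"] <= now < assertion["NotOnOrAfter"], "outside validity window")
        require(assertion["ID"] not in self.consumed, "assertion already used")
        self.consumed.add(assertion["ID"])
        return assertion["NameID"], target


def browser_sso_demo() -> Tuple[str, str]:
    """Employee jdoe of company A reaches company B's ERP without a second logon."""
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_KEY, USERS)
    erp = ServiceProvider(ERP_SP_ENTITY_ID, IDP_ENTITY_ID, IDP_KEY)
    request = erp.authn_request("https://erp.company-b.example/sap/bc/ui5_ui5/")
    response = idp.sso(request, "jdoe", USERS["jdoe"])   # user logs on at the IdP, not at the SP
    return erp.consume(response)


def refused(sp: ServiceProvider, response: Dict) -> bool:
    try:
        sp.consume(response)
        return False
    except ValueError:
        return True


def attack_checks() -> Dict[str, bool]:
    """Three bad presentations of an assertion; True means the SP refused it."""
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_KEY, USERS)
    erp = ServiceProvider(ERP_SP_ENTITY_ID, IDP_ENTITY_ID, IDP_KEY)
    crm = ServiceProvider(CRM_SP_ENTITY_ID, IDP_ENTITY_ID, IDP_KEY)
    tampered = idp.sso(erp.authn_request("/"), "jdoe", USERS["jdoe"])
    tampered["Assertion"]["NameID"] = "SAP*"                              # subject rewritten in transit
    misdirected = idp.sso(erp.authn_request("/"), "jdoe", USERS["jdoe"])  # issued for ERP, posted to CRM
    replayed = idp.sso(erp.authn_request("/"), "jdoe", USERS["jdoe"])
    erp.consume(replayed)                                                 # legitimate first use
    return {"tampered_subject": refused(erp, tampered),
            "wrong_audience": refused(crm, misdirected),
            "replay": refused(erp, replayed)}
```

The audience check is the one that matters most in a federation: every Service Provider in company B trusts the same Identity Provider, so without it an assertion captured on the way to the ERP could be posted to the CRM.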

SAP NetWeaver Identity Management

Related sessions:
- Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (lecture, 1 hr)
- Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (lecture, 1 hr)
- Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (lecture, 1 hr)
- Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (hands-on, 2 hr)
- Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (hands-on, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its Central Identity Store, triggered by events such as on-boarding, integrated with SAP Access Control (GRC) and the SAP Business Suite.]

- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Compliance checks through GRC
- SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: Identity Center (IC) database (MS SQL or Oracle, soon IBM DB2) with stored procedures, logs, audit and Identity Services (IdS); Java and VB runtimes, a VB dispatcher and DSE, an event agent that starts jobs; the Virtual Directory Server (VDS) running in a Java VM and reached over LDAP; external repositories reached over the database protocol, LDAP, Java, ABAP, Web services, Active Directory etc.; external applications such as SAP HR, LDAP/Web services, SiteMinder and app-specific connectors; the user interface on AS Java (Web Dynpro, ID management UI abstraction, JMX) connected over HTTPS, and an MMC management console that is soon to be replaced by Eclipse.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

Request handling between SAP NetWeaver Identity Management and SAP GRC Access Control, step by step:

1. The user requests a role, privileges, a user account, …
2. SAP NetWeaver Identity Management sends the request for approval to the manager, delegate, role owner, application owner, …
3. Approval is granted by the manager, delegate, role owner, application owner, …
4. The request is sent to SAP GRC Access Control for risk analysis
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify the request, …
6. Provisioning to business applications, non-SAP systems, …, and an approval mail is sent to the user

Result: compliant identity management.

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

[Figure: SAP GRC 10.0 runs on SAP NetWeaver AS ABAP 7.02 with the AC, PC & RM software component GRCFND_A. SAP ERP systems (4.6C – 7.1) carry the NW function modules (plug-in GRCPINW), the HR function modules and the PC automated controls (plug-in GRCPIERP) and are connected via RFC; non-SAP business applications are connected through an adapter. Optional components: SAP NW Portal 7.02 (GRC portal content), SAP NW BW 7.02 (GRC BI content), SAP NW Java 7.02 (Adobe Document Services), identity management solutions (SAP or non-SAP) via HTTP/Web services, and Content Lifecycle Management (CLM). Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework, needed for viewing GRC-embedded SAP Crystal Reports). Protocols: RFC, DIAG, HTTP.]

Compliant Identity Management: Example Customer Scenario

- Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
- Reduce risk through compliance checks and remediation
- Automate manual processes through integration

[Figure: the HR application raises the events New Hire and Change Position; Identity Management calculates entitlements based on position; the line manager approves the assignments (No: the process stops; Yes: continue); SAP GRC Access Control runs the compliance check and remediation; then the user is created and roles/privileges are assigned in each system of the heterogeneous landscape.]
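The six-step flow between SAP NetWeaver Identity Management and SAP GRC Access Control (request, approval, risk analysis, remediation, provisioning) and the HR-triggered scenario on this slide come down to one decision procedure per event. As an added example (not from the slides and not the products' own code), the following Python script implements that procedure end to end: entitlements derived from the HR position, the line-manager gate, a segregation-of-duties risk analysis, mitigating controls assigned by the compliance team, and the resulting create/assign/revoke actions per target system. Positions, roles, SoD rules, control IDs and events are constructed for this example.

```python
"""Compliant provisioning triggered by an HR event: position-based
entitlement calculation, line-manager approval, access risk (segregation of
duties) analysis with mitigation, then provisioning to the target systems.
Added example; neither the slides' nor SAP NetWeaver Identity Management's /
SAP GRC Access Control's code. Roles, SoD rules, the mitigating control and
the HR events are constructed for this example."""
from typing import Dict, List, Set

# Rule-based assignment: HR position -> business roles, written as system:role
POSITION_ROLES: Dict[str, Set[str]] = {
    "AP Clerk":   {"AD:DOMAIN_USERS", "ERP:FI_AP_INVOICE_ENTRY"},
    "AP Manager": {"AD:DOMAIN_USERS", "ERP:FI_AP_INVOICE_ENTRY", "ERP:FI_AP_PAYMENT_RUN"},
    "Buyer":      {"AD:DOMAIN_USERS", "ERP:MM_PURCHASE_ORDER"},
}

# Access risks: functions one person must not hold together
# (risk id, severity, description, conflicting roles)
SOD_RULES = [
    ("P001", "high", "Enter vendor invoices and run the payment program",
     {"ERP:FI_AP_INVOICE_ENTRY", "ERP:FI_AP_PAYMENT_RUN"}),
    ("P002", "high", "Create purchase orders and enter vendor invoices",
     {"ERP:MM_PURCHASE_ORDER", "ERP:FI_AP_INVOICE_ENTRY"}),
]


def calculate_entitlements(position: str) -> Set[str]:
    if position not in POSITION_ROLES:
        raise ValueError(f"no role model for position {position!r}")
    return set(POSITION_ROLES[position])


def risk_analysis(roles: Set[str]) -> List[Dict[str, str]]:
    """Every SoD rule whose conflicting functions are all covered by `roles`."""
    return [{"risk": rid, "severity": sev, "description": desc}
            for rid, sev, desc, conflict in SOD_RULES if conflict <= roles]


def plan_actions(user: str, new_hire: bool, target: Set[str], previous: Set[str]) -> List[Dict]:
    """Per target system: create the account (new hires), add missing roles, revoke stale ones."""
    actions: List[Dict] = []
    for system in sorted({r.split(":", 1)[0] for r in target | previous}):
        add = sorted(r.split(":", 1)[1] for r in target - previous if r.startswith(system + ":"))
        revoke = sorted(r.split(":", 1)[1] for r in previous - target if r.startswith(system + ":"))
        if new_hire:
            actions.append({"system": system, "action": "create_user", "user": user})
        if add:
            actions.append({"system": system, "action": "assign_roles", "user": user, "roles": add})
        if revoke:
            actions.append({"system": system, "action": "remove_roles", "user": user, "roles": revoke})
    return actions


def process_hr_event(event: Dict, manager_approved: bool, mitigations: Dict[str, str]) -> Dict:
    """Run the six steps for one HR event.

    event: {"type": "new_hire" | "position_change", "user", "position", ["previous_position"]}
    mitigations: risk id -> mitigating control the compliance team assigned (step 5)."""
    user = event["user"]
    target = calculate_entitlements(event["position"])                        # step 1
    previous = (calculate_entitlements(event["previous_position"])
                if event["type"] == "position_change" else set())
    if not manager_approved:                                                   # steps 2 and 3
        return {"status": "rejected", "reason": "line manager did not approve", "actions": []}
    violations = risk_analysis(target)                                         # step 4
    unmitigated = [v["risk"] for v in violations if v["risk"] not in mitigations]
    if unmitigated:                                                            # step 5
        return {"status": "mitigation_required", "risks": unmitigated, "actions": []}
    return {                                                                   # step 6
        "status": "provisioned",
        "actions": plan_actions(user, event["type"] == "new_hire", target, previous),
        "mitigated": [{"risk": v["risk"], "control": mitigations[v["risk"]]} for v in violations],
        "notify": f"{user}@example.com",
    }


if __name__ == "__main__":
    hire = {"type": "new_hire", "user": "msmith", "position": "AP Manager"}
    print(process_hr_event(hire, True, {}))                    # blocked by risk P001
    print(process_hr_event(hire, True, {"P001": "MC-FI-07"}))  # provisioned with a mitigating control
```

The risk analysis runs on the entitlements the user will end up with, not on the request alone: a position change is evaluated on the new position's roles after the old ones are revoked, which is why `plan_actions` emits the revocations together with the assignments.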

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure; UCON

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Figure: log sources (logs of SAP NetWeaver systems, logs of non-SAP NetWeaver systems, desktop frontend, mobile frontend, logs of the infrastructure, logs of the database, network IDS logs) feed the SAP Attack Monitoring Infrastructure, whose stages are extraction, connectivity, filtering, normalization and aggregation. Inputs and outputs: attack pattern updates by SAP, alerts from SAP Solution Manager, an API to other SIEM tools, and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
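The draft above lists the stages such an infrastructure needs (extraction, connectivity, filtering, normalization, aggregation) and the input that drives it (attack patterns). As an added example (not from the slides and not SAP code), the following Python script runs those stages over two constructed log formats, an AS ABAP security audit log export and a database audit line, and applies one attack pattern: repeated failed logons for the same user from the same origin followed by a successful logon. The audit message IDs AU1 and AU2 are the SAP Security Audit Log's logon-successful / logon-failed messages; the line layout around them, the database format, the threshold and the time window are assumptions made for this example.

```python
"""Log normalization, filtering, aggregation and one attack pattern, i.e. the
pipeline stages sketched on the slide. Added example, not SAP code. Both input
formats are constructed for this example: a security audit log export of an
AS ABAP system (audit message IDs AU1 = logon successful, AU2 = logon failed;
the field layout is assumed) and a database audit line. The pattern: several
failed logons for one user from one origin followed by a successful logon."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

ABAP_AUDIT = re.compile(
    r"^(?P<ts>\d{8} \d{6}) (?P<sid>\w{3}) (?P<client>\d{3}) (?P<msg>AU\w) "
    r"(?P<user>\S+) (?P<terminal>\S+)(?: (?P<detail>.*))?$")
DB_AUDIT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) db=(?P<db>\w+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) event=(?P<event>\w+)$")


def normalize(line: str) -> Optional[Dict]:
    """Map a raw line to a common event; None means not a logon event (filtered out)."""
    m = ABAP_AUDIT.match(line)
    if m:
        outcome = {"AU1": "success", "AU2": "failure"}.get(m["msg"])
        if outcome is None:
            return None
        return {"time": datetime.strptime(m["ts"], "%Y%m%d %H%M%S"),
                "source": f"{m['sid']}/{m['client']}", "user": m["user"].upper(),
                "origin": m["terminal"], "outcome": outcome}
    m = DB_AUDIT.match(line)
    if m:
        outcome = {"LOGIN": "success", "LOGIN_FAILED": "failure"}.get(m["event"])
        if outcome is None:
            return None
        return {"time": datetime.fromisoformat(m["ts"]), "source": m["db"],
                "user": m["user"].upper(), "origin": m["host"], "outcome": outcome}
    return None


def detect_password_guessing(events: Iterable[Dict], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Aggregate per (source, user, origin); alert when at least `threshold`
    failures inside `window` are followed by a success."""
    by_key: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["source"], e["user"], e["origin"])].append(e)
    alerts: List[Dict] = []
    for (source, user, origin), evs in by_key.items():
        failures: List[datetime] = []
        for e in evs:
            recent = [t for t in failures if e["time"] - t <= window]
            if e["outcome"] == "failure":
                failures = recent + [e["time"]]
                continue
            if len(recent) >= threshold:
                alerts.append({"pattern": "password guessing followed by successful logon",
                               "source": source, "user": user, "origin": origin,
                               "failures": len(recent), "at": e["time"].isoformat()})
            failures = []  # a success ends the sequence either way
    return alerts


def analyze(log_text: str) -> List[Dict]:
    events = [ev for ev in map(normalize, log_text.splitlines()) if ev is not None]
    return detect_password_guessing(events)


# Constructed sample: five failures then success for JDOE from WS-4711; one typo
# by MSMITH; the application server's normal DB login; and an address that
# guesses the schema user's password before getting in.
SAMPLE_LOG = """\
20131105 091501 ERP 100 AU2 JDOE WS-4711 reason=1 type=A method=P
20131105 091530 ERP 100 AU2 JDOE WS-4711 reason=1 type=A method=P
20131105 091602 ERP 100 AU2 JDOE WS-4711 reason=1 type=A method=P
20131105 091640 ERP 100 AU2 JDOE WS-4711 reason=1 type=A method=P
20131105 091711 ERP 100 AU2 JDOE WS-4711 reason=1 type=A method=P
20131105 091749 ERP 100 AU1 JDOE WS-4711 type=A method=P
20131105 091800 ERP 100 AU3 JDOE WS-4711 transaction=SU01
20131105 092005 ERP 100 AU2 MSMITH WS-0815 reason=1 type=A method=P
20131105 092100 ERP 100 AU1 MSMITH WS-0815 type=A method=P
2013-11-05T09:25:11 db=ERPDB user=SAPSR3 host=appsrv01 event=LOGIN
2013-11-05T11:40:01 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN_FAILED
2013-11-05T11:40:20 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN_FAILED
2013-11-05T11:40:41 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN_FAILED
2013-11-05T11:41:03 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN_FAILED
2013-11-05T11:41:25 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN_FAILED
2013-11-05T11:42:10 db=ERPDB user=sapsr3 host=10.0.9.77 event=LOGIN
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Normalizing the user name and keying on the origin is what lets the same pattern fire for an ABAP dialog user and for the database schema user, and it keeps the application server's legitimate database logins from resetting the counter for the attacker's address.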

Summary – Key Take-Away

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
- The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
- SAP leads in the industry by helping our customers to thrive in today's business networks


Further Information

SAP Public Web:
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops:
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online:
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 69: SIS100 - Overview About Product Security, IDM and SSO

Code Vulnerability Analysis: Scan, Analyze and Fix Your Programs

[Figure: the range of approaches, from manual source code review and automated source code analysis (SAST: find vulnerabilities by analyzing the sources) to automated application vulnerability scanning and manual application penetration testing (DAST: find vulnerabilities in the running application).]

- SAP NetWeaver Application Server add-on for code vulnerability analysis
- Finding security issues at design time is easier and less expensive

Session SIS261 – Your Way to Secure ABAP Code – Scan, Analyze and Fix Your Programs

Stay Informed and Report Issues

Security-related news from SAP (patches, whitepapers, etc.):
- Subscribe to the SAP Support Portal newsletter: Spotlight News, My SAP HotNews, My SAP Security Notes
- Maintain a security contact in SAP Service Marketplace who gets ad-hoc SAP Product Security Notifications
  - Sent out for very important security-related news

Reporting product security issues:
- Create a customer ticket in the support system
- If you do not have SAP support, send an email to secure@sap.com
  - Please use PGP for email encryption
  - The public PGP key is linked at https://service.sap.com/securitynotes

Security Response at SAP

You have found a security vulnerability in an SAP product. What to do? Open a customer message.

How does SAP provide a fix when a security vulnerability was found? SAP releases all fixes to security vulnerabilities together on the monthly security patch day (the 2nd Tuesday of every month).

You want to keep yourself up to date about security response practices in general? Go to the SAP Service Marketplace for:
- Spotlight news
- Checking the security notes released on the Security Patch Days
- Subscription to the SAP Support Portal newsletter
- Maintenance of a security contact in your organization

You will find all links and more information on security response using the quick link 'securitynotes' on the SAP Service Marketplace.

Security Topics in SAP Education Courses

Curricula:
- SAP System Administration – User and Security
- SAP Governance, Risk & Compliance

Certification:
- SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
- The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance
- Booking code: P_ADM_SEC_70

Topic and course ID:
- Authorizations AS ABAP: ADM940
- Authorizations AS Java / Portal: ADM200, EP200, ADM800
- Authorizations BW: BW365
- SAP NetWeaver Identity Management: ADM920
- Security Auditing: ADM950
- Technical Security (RFC, SSL, SNC, …): ADM960

Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

- Accepted in most of the major global markets
- Permits comparison between independent security evaluations
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
- EAL 1: functionally tested
- EAL 2: structurally tested
- EAL 3: methodically tested and checked
- EAL 4: methodically designed, tested and reviewed
- EAL 5: semi-formally designed and tested
- EAL 6: semi-formally verified, designed and tested
- EAL 7: formally verified, designed and tested

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 99

SAP GRC Access Control 10.0 – Architecture

[Architecture diagram of SAP GRC 10.0; components shown:]
• SAP NetWeaver AS ABAP 7.02 – AC, PC & RM (software component GRCFND_A)
• SAP ERP (4.6C – 7.1) – NW Function Modules (plug-in GRCPINW), HR Function Modules, PC Automated Controls (plug-in GRCPIERP)
• Non-SAP Business Applications Adapter
• SAP NW Portal 7.02 – GRC Portal Content
• SAP NW BW 7.02 – GRC BI Content
• SAP NW Java 7.02 – Adobe Document Services
• Identity Management Solutions (SAP or Non-SAP)
• Content Lifecycle Management (CLM)
• Front-End Client – SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter
Connections between the components use RFC, DIAG, HTTP and web services; several components and connections are marked optional in the diagram.

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 100

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

[Process diagram: HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments: Yes / No) → SAP GRC Access Control (Compliance Check, Remediation) → Create User, Assign Privileges → Create User, Assign Roles in each system of the Heterogeneous Landscape]
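The HR-event-driven scenario above, together with the risk-analysis outcomes (reject, approve, mitigate) and the provisioning step from slides 95 and 96, as an added Python model. This is example code written for this page, not SAP or GRC code; every position, role, SoD risk, mitigating control and target system in it is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Decision(Enum):
    APPROVE = "approve"    # no access risk found
    MITIGATE = "mitigate"  # risk found, but a mitigating control is assigned
    REJECT = "reject"      # declined by the line manager, or risk without a control


# Constructed HR position -> business roles ("Calculate Entitlements Based on Position").
POSITION_ENTITLEMENTS: Dict[str, Set[str]] = {
    "AP_CLERK": {"AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "BASIS_ADMIN": {"USER_ADMIN", "AUDIT_LOG_ADMIN"},
}
# Constructed SoD risk rules: risk id -> two roles that must not be held together.
SOD_RISKS: Dict[str, Tuple[str, str]] = {
    "R001": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    "R002": ("USER_ADMIN", "AUDIT_LOG_ADMIN"),
}
# Constructed mitigating controls; R002 deliberately has none, so it can only be rejected.
MITIGATIONS: Dict[str, str] = {"R001": "CTRL-17: monthly payment-run review by controlling"}
# Constructed role -> target system map: SAP and non-SAP systems in one landscape.
ROLE_SYSTEMS: Dict[str, str] = {
    "AP_INVOICE_ENTRY": "SAP_ERP",
    "AP_PAYMENT_RELEASE": "BANK_PORTAL",  # non-SAP system
    "USER_ADMIN": "SAP_ERP",
    "AUDIT_LOG_ADMIN": "SAP_ERP",
}


@dataclass
class HrEvent:
    """New hire (no existing roles) or position change (roles of the old position)."""
    user: str
    position: str
    existing_roles: Set[str] = field(default_factory=set)


@dataclass
class Outcome:
    decision: Decision
    risks: List[str]
    mitigation: Optional[str]
    actions: List[Tuple[str, str, str]]  # (action, system, object); empty unless provisioned


def calculate_entitlements(event: HrEvent) -> Tuple[Set[str], Set[str], Set[str]]:
    """Target role set for the position, plus the roles to add and to revoke.

    A position change must also revoke the old position's roles; otherwise
    entitlements accumulate and SoD conflicts build up over time."""
    target = POSITION_ENTITLEMENTS[event.position]
    return target, target - event.existing_roles, event.existing_roles - target


def risk_analysis(role_set: Set[str]) -> List[str]:
    """GRC-style SoD check over the roles the user would hold after provisioning."""
    return [rid for rid, (a, b) in SOD_RISKS.items() if a in role_set and b in role_set]


def process_hr_event(event: HrEvent, manager_approves: bool) -> Outcome:
    """Entitlements -> line-manager approval -> risk analysis/remediation -> provisioning."""
    target, add, revoke = calculate_entitlements(event)
    if not manager_approves:
        return Outcome(Decision.REJECT, [], None, [])
    risks = risk_analysis(target)
    if any(r not in MITIGATIONS for r in risks):
        return Outcome(Decision.REJECT, risks, None, [])  # remediation: reject the request
    mitigation = "; ".join(MITIGATIONS[r] for r in risks) or None
    decision = Decision.MITIGATE if risks else Decision.APPROVE
    # Provisioning: accounts only where the user has none yet, then assign, revoke, notify.
    new_systems = {ROLE_SYSTEMS[r] for r in target} - {ROLE_SYSTEMS[r] for r in event.existing_roles}
    actions = [("CREATE_USER", s, event.user) for s in sorted(new_systems)]
    actions += [("ASSIGN_ROLE", ROLE_SYSTEMS[r], r) for r in sorted(add)]
    actions += [("REVOKE_ROLE", ROLE_SYSTEMS[r], r) for r in sorted(revoke)]
    actions.append(("NOTIFY_USER", "MAIL", event.user))
    return Outcome(decision, risks, mitigation, actions)
```

The interesting case is the position change: the clerk promoted to AP manager would hold both roles of risk R001, so the request is provisioned only with the mitigating control attached, while the move into the admin position hits R002, which has no control, and is rejected without any provisioning.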

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 102

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram: the SAP Attack Monitoring Infrastructure with the stages Connectivity, Aggregation, Normalization, Filtering and Extraction]
Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of Non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Logs of Network IDS; Alerts from SAP SolMan
Outputs: API to other SIEM tools; Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
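The stages named in the draft (connectivity, aggregation, normalization, filtering, extraction, a centrally updated attack-pattern list, and a result that an API to other SIEM tools could hand over) as an added Python sketch. It is example code written for this page, not SAP code; the three log formats, every log line and both patterns are constructed assumptions, and the point it makes is that correlation across sources (the origin-spread rule) only becomes possible once all logs share one normalized schema.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample logs for three of the slide's source types. The formats are
# assumptions made for this example, not real SAP or vendor log formats.
NETWEAVER_LOG = [  # assumed: code|timestamp|system|client|user|terminal|message
    "LGF|2013-10-22 09:14:03|PRD|001|JSMITH|WS1234|Logon failed",
    "LGF|2013-10-22 09:14:09|PRD|001|JSMITH|WS1234|Logon failed",
    "LGS|2013-10-22 09:14:20|PRD|001|ADMIN|WS0007|Logon successful",
    "LGF|2013-10-22 09:14:31|PRD|001|JSMITH|WS1234|Logon failed",
]
INFRA_SYSLOG = [  # assumed syslog-like lines from an infrastructure host
    "2013-10-22T09:14:05 fw01 sshd[212]: Failed password for root from 10.0.0.7",
    "2013-10-22T09:14:12 fw01 sshd[213]: Accepted password for ops from 10.0.0.9",
    "2013-10-22T09:14:15 fw01 sshd[214]: Failed password for root from 10.0.0.7",
]
DB_AUDIT = [  # assumed key=value database audit records
    "ts=2013-10-22T09:14:10 host=db01 user=SAPSR3 action=LOGIN status=FAILED src=10.0.0.7",
    "ts=2013-10-22T09:14:40 host=db01 user=SAPSR3 action=LOGIN status=FAILED src=10.0.0.7",
    "ts=2013-10-22T09:15:01 host=db01 user=SAPSR3 action=SELECT status=OK src=10.0.0.7",
]
Event = Dict[str, object]
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


# Connectivity + normalization: one reader per source, all emitting the same event schema.
def read_netweaver(lines: Iterable[str]) -> Iterable[Event]:
    for line in lines:
        code, ts, system, client, user, terminal, _msg = line.split("|")
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "netweaver",
               "host": f"{system}/{client}", "user": user, "origin": terminal,
               "action": "logon", "success": code == "LGS"}

def read_syslog(lines: Iterable[str]) -> Iterable[Event]:
    for line in lines:
        m = SSH_RE.match(line)
        if not m:  # lines this collector does not understand are dropped
            continue
        ts, host, result, user, src = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "source": "infrastructure", "host": host,
               "user": user, "origin": src, "action": "logon", "success": result == "Accepted"}

def read_db_audit(lines: Iterable[str]) -> Iterable[Event]:
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("action") != "LOGIN":
            continue
        yield {"ts": datetime.fromisoformat(kv["ts"]), "source": "database", "host": kv["host"],
               "user": kv["user"], "origin": kv["src"], "action": "logon",
               "success": kv["status"] != "FAILED"}

def aggregate(*streams: Iterable[Event]) -> List[Event]:
    """Aggregation: merge every source into one time-ordered stream."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])

def filter_events(events: Iterable[Event]) -> List[Event]:
    """Filtering: keep only failed logons; successes are noise for the patterns below."""
    return [e for e in events if e["action"] == "logon" and not e["success"]]


# Attack patterns: the list that would be updated centrally. Both rules are constructed.
PATTERNS = [
    {"id": "P-LOGON-BURST", "key": ("source", "user", "origin"), "threshold": 3, "window_s": 60},
    {"id": "P-ORIGIN-SPREAD", "key": ("origin",), "threshold": 4, "window_s": 300},
]

def extract(events: Iterable[Event], key_fields: Tuple[str, ...]) -> Dict[tuple, List[datetime]]:
    """Extraction: group event timestamps by the fields a pattern correlates on."""
    groups: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        groups[tuple(e[f] for f in key_fields)].append(e["ts"])
    return groups

def match_patterns(events: List[Event], patterns=PATTERNS) -> List[dict]:
    alerts = []
    for p in patterns:
        n = p["threshold"]
        for key, times in extract(events, p["key"]).items():
            times.sort()
            # Sliding window: the first run of n events inside window_s raises one alert.
            for i in range(len(times) - n + 1):
                if (times[i + n - 1] - times[i]).total_seconds() <= p["window_s"]:
                    alerts.append({"pattern": p["id"], "key": key, "first_seen": times[i]})
                    break
    return alerts

def run_pipeline() -> List[dict]:
    """Whole draft pipeline; the alert list is what an API to other SIEM tools would expose."""
    events = aggregate(read_netweaver(NETWEAVER_LOG), read_syslog(INFRA_SYSLOG),
                       read_db_audit(DB_AUDIT))
    return match_patterns(filter_events(events))
```

On the constructed input the burst rule fires for the NetWeaver user alone, while the origin-spread rule fires only because the ssh and database failures from 10.0.0.7 are seen together, which no single local system could have observed.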

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 103

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes

Significant investments into security for networked solutions, identity management, SSO and the integrated security management offering will allow customers to implement secure business processes

The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 104

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 107

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Page 71: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 71

Security Response SAP

You have found a Security Vulnerability in a SAP product

What to do Open a customer message

How does SAP provide a fix when a security vulnerability was found

SAP releases all fixes to security vulnerabilities together on the monthly

security patch day (the 2nd Tuesday of every month)

You want to keep yourself up-to-date about security response

practices in general

Goto the SAP Service Marketplace for spotlight news

check of the security notes released on the Security Patch Days

subscription to the SAP support portal newsletter

maintenance of a security contact in your organization

You will find all links and more information on security response

using quick link lsquosecuritynotesrsquo on the SAP Service Marketplace

copy 2013 SAP AG or an SAP affiliate company All rights reserved 72

Security Topics in SAP Education Courses

Curricula

SAP System Administration ndash User and Security

SAP Governance Risk amp Compliance

Certification

SAP Certified Technology Professional ndash Security with SAP

NetWeaver 70

The Security Consultant Certification test

Verifies the participantrsquos profound knowledge in the area of

SAP NetWeavertrade Security

Proves that the candidate has an advanced understanding

of this topic and is able to apply these skills in consulting

projects providing implementation guidance

Booking code P_ADM_SEC_70

Topic Course ID

Authorizations AS ABAP ADM940

Authorizations AS Java

Portal

ADM200 EP200

ADM800

Authorizations BW BW365

SAP NetWeaver Identity

Management ADM920

Security Auditing ADM950

Technical Security (RFC

SSL SNC hellip) ADM960

copy 2013 SAP AG or an SAP affiliate company All rights reserved 73

Common Criteria Certification

for Information Technology Security Evaluation (ISO 15408)

Accepted in most of the major global markets

Permits to compare between independent security evaluations

Encompasses all processes involved in the production and delivery of an IT product and a

thorough examination of its security features

A vendor can choose the scope of evaluation out of seven evaluation

assurance levels (EALs)

EAL 4 is the highest internationally accepted level

Functionally

tested

Structurally

tested

Methodically

tested and

checked

Methodically

designed

tested and

reviewed

Semi-

formally

designed

and tested

Semi-

formally

verified

designed

and tested

Formally

verified

designed

and tested EAL 1

EAL 2

EAL 3

EAL 4

EAL 5

EAL 6

EAL 7

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management
• User and role management
• Provisioning to SAP and non-SAP systems
• Identity Center
• Virtual Directory Server
• Identity Services
• Integration with SAP GRC Access Control
• Identity federation

SAP NetWeaver Single Sign-On
• Single sign-on to SAP GUI and to SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
• Digital signatures
• Re-authentication
• Advanced encryption of SAP GUI for Windows communication
• Strong authentication (RADIUS, smart cards)
• RSA Certification
• Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption
• Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

Web Access Management (partner API)
• Endorsed Business Solution (EBS) with the CA SiteMinder product
• Policy-based authentication and authorization for Web applications
• XACML-based and policy-enforced access

Identity Federation
• Web-based and Web service-based authentication
• Single sign-on and identity federation via SAML 2.0
• Cross-company and cross-domain single sign-on

Secure Login
• Single sign-on for Web-based and Web service-based applications
• Standards-based single sign-on for SAP GUI (Kerberos, X.509)
• Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On
• Enterprise Single Sign-On (E-SSO) for legacy systems (FTP, databases, terminal, telnet)
• Secured and automated login via user and password

SNC Client Encryption
• Basic encryption between SAP Windows clients and SAP application servers
• No single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder
• Dynamic authorization (SAP NetWeaver Java and non-SAP)
• Dynamic authentication (SAP NetWeaver Java and non-SAP)
• Social networking authentication (Facebook, Google, etc.)
• Cross-application and cross-domain session management
• Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
• User-to-application security for a heterogeneous app environment
• No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

Diagram: after one primary authentication, the E-SSO client (with its E-SSO Monitor and Local Management Console) logs the user jack_jones into a Terminal Emulator, a Web Form, Web Basic authentication, a Windows application and a Java application.


Secure Login – Solution Architecture

Diagram components: Client System with SAP Frontend (NWBC, SAP GUI), Secure Login Client, Web Browser, SLWC (Applet) and Key Store; SAP Backend System with ABAP Stack, Secure Login Library and SAP or Java Crypto Library; Secure Login Server on NetWeaver CE 7.2 (Java Stack) with Config Data, Secure Login Lib and PSE Service; Authentication Server (e.g. SAP User Management); further Backend Systems. Protocols shown: DIAG, SNC, HTTP(S).

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

Diagram: Company A with Datacenter A (ERP, CRM, SCM, …) and Company B with Datacenter B (ERP, CRM, SCM, …).


Identity Federation – Solution

Diagram: Company A (Datacenter A) and Company B (Datacenter B) each run an Identity Provider and SAML-enabled Service Providers (SP) in front of ERP, CRM and SCM; the two Identity Providers are linked by Identity Federation.

• Each company maintains only its own identities
• A company can trust the identities of another organization
• Employees of company A can get access to shared information of company B
• SAP Business Suite will be enabled for SAML (Service Provider)
• Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

Diagram: an SAP NetWeaver Java Identity Provider (holding the user account) issues SAML tokens to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP systems (each with its own user account); the user logs on and off at the Identity Provider.

• The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
• Web users trying to access a system are redirected to the Identity Provider
• Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Providers) without re-authentication
• Web browser-based single sign-on is user-centric
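The redirect, single authentication and token validation described on the two slides above (the federation solution and web-browser SSO), as an added Python example that is not SAP's code: the entity ids, the user and the account mappings are constructed, and a signed JSON body with an HMAC stands in for a real XML assertion signed with the IdP's key.

```python
"""Simplified model of SAML 2.0 web-browser SSO: one Identity Provider (IdP), several
Service Providers (SPs), one user authentication. Constructed example: a JSON body
stands in for the XML assertion and an HMAC for the IdP's signing key."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP_ENTITY_ID = "https://idp.example.test/saml"   # constructed
IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # constructed; a real IdP signs with a private key


class IdentityProvider:
    def __init__(self):
        self.users = {"jack_jones": "constructed-password"}   # constructed credential store
        self.sessions = {}                                    # IdP session cookie -> subject

    def authenticate(self, username, password):
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def issue_assertion(self, cookie, sp_entity_id, request_id, now):
        """Signed assertion for one SP, or None if the browser holds no IdP session."""
        subject = self.sessions.get(cookie)
        if subject is None:
            return None
        body = {
            "Issuer": IDP_ENTITY_ID,
            "Subject": subject,
            "Audience": sp_entity_id,                   # AudienceRestriction: only this SP may accept it
            "InResponseTo": request_id,                 # ties the response to the SP's AuthnRequest
            "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat(),
        }
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload,
                "signature": hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    def __init__(self, entity_id, account_map):
        self.entity_id = entity_id
        self.account_map = account_map   # IdP subject -> local user account on this system
        self.pending = set()             # AuthnRequest ids awaiting a response
        self.consumed = set()            # request ids already answered (anti-replay)

    def start_login(self):
        # Unauthenticated web user: remember an AuthnRequest id, then redirect to the IdP.
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id

    def consume_assertion(self, assertion, now):
        """Validate the assertion and return the local account, or None on any failure."""
        payload, sig = assertion["payload"], assertion["signature"]
        expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                                       # signature does not verify
        body = json.loads(payload)
        if body["Issuer"] != IDP_ENTITY_ID:
            return None                                       # not from the trusted IdP
        if body["Audience"] != self.entity_id:
            return None                                       # issued for a different SP
        rid = body["InResponseTo"]
        if rid not in self.pending or rid in self.consumed:
            return None                                       # unsolicited or replayed
        if now >= datetime.fromisoformat(body["NotOnOrAfter"]):
            return None                                       # validity window passed
        self.pending.discard(rid)
        self.consumed.add(rid)
        return self.account_map.get(body["Subject"])          # None if no local account is mapped


def sso_walkthrough():
    """One logon at the IdP, then access to an ABAP, a Java and a non-SAP SP, followed by
    three assertions an SP must reject (wrong audience, replay, expired)."""
    now = datetime(2013, 11, 5, 9, 0, tzinfo=timezone.utc)
    idp = IdentityProvider()
    sps = [ServiceProvider("https://abap.example.test/sp", {"jack_jones": "JJONES"}),
           ServiceProvider("https://java.example.test/sp", {"jack_jones": "jack.jones"}),
           ServiceProvider("https://nonsap.example.test/sp", {"jack_jones": "jjones@example.test"})]
    cookie, issued, results = None, [], []
    for sp in sps:
        req = sp.start_login()                 # browser is redirected to the IdP
        if cookie is None:                     # only the first SP triggers a credential prompt
            cookie = idp.authenticate("jack_jones", "constructed-password")
        assertion = idp.issue_assertion(cookie, sp.entity_id, req, now)
        issued.append(assertion)
        results.append(sp.consume_assertion(assertion, now))
    req = sps[0].start_login()
    for_java = idp.issue_assertion(cookie, sps[1].entity_id, req, now)
    results.append(sps[0].consume_assertion(for_java, now))                       # audience mismatch
    results.append(sps[0].consume_assertion(issued[0], now))                      # replay
    req = sps[0].start_login()
    fresh = idp.issue_assertion(cookie, sps[0].entity_id, req, now)
    results.append(sps[0].consume_assertion(fresh, now + timedelta(minutes=6)))   # expired
    return results
```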

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (HO, 2 hr)


SAP NetWeaver Identity Management

Diagram: a business event (e.g. on-boarding) triggers SAP NetWeaver Identity Management, which is connected to SAP Access Control (GRC) and to the SAP Business Suite.

SAP NetWeaver Identity Management
• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store

SAP Access Control (GRC)
• Compliance checks through GRC

SAP Business Suite Integration


Architecture of SAP NetWeaver Identity Management 7.2

Diagram components:
• Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java); Runtime (VB); DSE (VB); Dispatcher (VB); Event Agent (<<Starts>>)
• Virtual Directory Server (VDS) in a Java VM, accessed via LDAP
• AS Java with the Identity Management User Interface (Web Dynpro), ID Mgmt UI abstraction and JMX
• Management Console (MMC, soon to be Eclipse)
• External repositories: AS Java, ABAP, LDAP, Web Services, Active Directory, etc.
• External applications: SAP HR, LDAP/Web Services, SiteMinder, app-specific, etc.
• Protocols shown: HTTPS, DB protocol, LDAP

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management (SAP NetWeaver Identity Management together with SAP GRC Access Control)

1. The User requests:
• Role
• Privileges
• User account
• …


2. Request sent for approval (Approver) to:
• Manager
• Delegate
• Role owner
• Application owner
• …


3. Approval granted from:
• Manager
• Delegate
• Role owner
• Application owner
• …


4. Send for risk analysis (SAP GRC Access Control) to:
• Manager
• Delegate
• Role owner
• Application owner
• …


5. Risk analysis and remediation (Compliance Team):
• Reject
• Approve
• Mitigate
• Modify request
• …


6. Provision to:
• Business applications
• non-SAP systems
• …
and send approval mail to the User.


Result: Compliant Identity Management. The User, Approver and Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control are connected through steps 1 to 6.
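The six-step flow above (request, approval, risk analysis, remediation, provisioning), modelled in Python as an added example that is not SAP code: the segregation-of-duties rules, role names and target systems are constructed and stand in for what SAP GRC Access Control evaluates in steps 4 and 5.

```python
"""Compliant identity management flow: step 1 request, steps 2-3 approval, step 4 risk
analysis against segregation-of-duties (SoD) rules, step 5 remediation by the compliance
team, step 6 provisioning. Constructed example; rules, roles and systems are invented."""
from dataclasses import dataclass, field

# Constructed SoD rules: holding both roles of a pair is an access risk.
SOD_RULES = {
    "SOD-01": ("Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN"),   # create a vendor and pay it
    "SOD-02": ("Z_PO_CREATE", "Z_PO_APPROVE"),          # create and approve one's own purchase order
}


@dataclass
class AccessRequest:
    """Step 1: what the user asks for, plus the state the later steps add."""
    user: str
    requested_roles: list
    existing_roles: list
    approvals: dict = field(default_factory=dict)    # approver -> True/False
    risks: list = field(default_factory=list)        # SoD rule ids found in step 4
    mitigations: dict = field(default_factory=dict)  # risk id -> mitigating control id
    status: str = "requested"


def step2_3_approve(req, decisions):
    """Steps 2 and 3: record the approvers' decisions; one refusal rejects the request."""
    req.approvals.update(decisions)
    req.status = "approved" if req.approvals and all(req.approvals.values()) else "rejected"
    return req.status


def step4_risk_analysis(req):
    """Step 4: evaluate the resulting role set (existing + requested) against the SoD rules."""
    resulting = set(req.existing_roles) | set(req.requested_roles)
    req.risks = [rid for rid, (a, b) in SOD_RULES.items() if a in resulting and b in resulting]
    return req.risks


def step5_remediate(req, action, mitigations=None, drop_roles=()):
    """Step 5: the compliance team rejects, approves, mitigates or modifies the request."""
    if action == "reject":
        req.status = "rejected"
    elif action == "mitigate":                       # every open risk needs a mitigating control
        req.mitigations.update(mitigations or {})
        uncovered = [r for r in req.risks if r not in req.mitigations]
        req.status = "approved" if not uncovered else "blocked"
    elif action == "modify":                         # drop the conflicting role and re-analyse
        req.requested_roles = [r for r in req.requested_roles if r not in drop_roles]
        req.status = "approved" if not step4_risk_analysis(req) else "blocked"
    elif action == "approve":                        # open risks cannot simply be waved through
        req.status = "approved" if not req.risks else "blocked"
    return req.status


def step6_provision(req, targets):
    """Step 6: provision only approved requests; return the per-system actions and the user mail."""
    if req.status != "approved":
        return None
    actions = {t: [("create_user", req.user)] + [("assign_role", r) for r in req.requested_roles]
               for t in targets}
    req.status = "provisioned"
    mail = f"To {req.user}: your request for {', '.join(req.requested_roles)} was approved and provisioned."
    return {"actions": actions, "mail": mail}


def run_scenario():
    """A request whose SoD risk is mitigated and provisioned, and one that stays blocked."""
    req = AccessRequest("jack_jones", ["Z_PAYMENT_RUN"], ["Z_VENDOR_MAINTAIN", "Z_DISPLAY_ONLY"])
    step2_3_approve(req, {"manager": True, "role_owner": True})
    risks = step4_risk_analysis(req)                                 # SOD-01 fires
    step5_remediate(req, "mitigate", {"SOD-01": "CTRL-PAYMENT-REVIEW"})
    result = step6_provision(req, ["ERP", "CRM"])

    bad = AccessRequest("jane_doe", ["Z_PO_APPROVE"], ["Z_PO_CREATE"])
    step2_3_approve(bad, {"manager": True})
    step4_risk_analysis(bad)                                         # SOD-02 fires
    step5_remediate(bad, "approve")                                  # open risk: blocked
    denied = step6_provision(bad, ["ERP"])                           # nothing provisioned
    return risks, req.status, result, bad.status, denied
```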


What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.


SAP GRC Access Control 10.0 – Architecture

Diagram components:
• SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (Software Component GRCFND_A)
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Controls (Plug-in GRCPIERP)
• Non-SAP Business Applications via Adapter
• Optional: SAP NW Portal 7.02 (GRC Portal Content); SAP NW BW 7.02 (GRC BI Content); SAP NW Java 7.02 (Adobe Document Services); Identity Management Solutions (SAP or non-SAP); Content Lifecycle Management (CLM)
• Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports)
• Protocols shown: HTTP, Web services, RFC, DIAG


Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Diagram (process flow): HR Application (New Hire, Change Position) → Identity Management: Calculate Entitlements Based on Position → Line Manager: Approve Assignments (Yes/No) → SAP GRC Access Control: Compliance Check, Remediation → Heterogeneous Landscape: Create User / Assign Roles in each SAP system, Create User / Assign Privileges in the non-SAP systems.

Moving Security to the Next Level – Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN


Planned enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

Diagram: the SAP Attack Monitoring Infrastructure receives Attack Pattern Updates by SAP and takes in logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, Desktop Frontend, Mobile Frontend, logs of Infrastructure, logs of Database, Network logs, IDS and Alerts from SAP SolMan. Its processing stages are Connectivity, Extraction, Filtering, Normalization and Aggregation. Outputs: an API to other SIEM tools and an Information Back Channel to SAP.

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
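The stages named in the draft above, worked through in Python on constructed log lines from two sources. This is an added example, not SAP's code or the planned infrastructure: the record layouts, users, hosts and addresses are invented, and the SAP-style lines only borrow the audit-log event ids AU1 (logon successful) and AU2 (logon failed).

```python
"""Connectivity, extraction, filtering, normalization and aggregation over constructed log
lines: an SAP Security Audit Log-style record and syslog-style lines from a non-SAP host.
Constructed example; layouts, users, hosts and addresses are invented."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Connectivity: in-memory stand-ins for the collectors that would pull the logs.
SAP_AUDIT_LINES = [      # constructed; layout: time|event id|user|terminal|text
    "2013-11-05T08:59:58|AU2|JJONES|WS-1042|Logon failed (reason=1, type=A)",
    "2013-11-05T09:00:03|AU2|JJONES|WS-1042|Logon failed (reason=1, type=A)",
    "2013-11-05T09:00:09|AU2|JJONES|WS-1042|Logon failed (reason=1, type=A)",
    "2013-11-05T09:00:15|AU1|JJONES|WS-1042|Logon successful (type=A)",
    "2013-11-05T09:01:00|AU3|BATCH|BG-01|Transaction SM59 started",
]
SYSLOG_LINES = [         # constructed; syslog carries no year, so the pipeline assumes one
    "Nov  5 09:00:05 web01 sshd[412]: Failed password for jjones from 10.0.0.7 port 51000 ssh2",
    "Nov  5 09:00:07 web01 sshd[412]: Failed password for jjones from 10.0.0.7 port 51001 ssh2",
    "Nov  5 09:00:20 web01 sshd[412]: Accepted publickey for deploy from 10.0.0.9 port 51010 ssh2",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                       r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)")


# Extraction + normalization: every source becomes the same event record.
def normalize_sap(line):
    ts, event, user, origin, _text = line.split("|", 4)
    if event not in ("AU1", "AU2"):            # only logon events matter for this detection
        return None
    return {"ts": datetime.fromisoformat(ts), "source": "sap", "user": user.lower(),
            "origin": origin, "outcome": "success" if event == "AU1" else "failure"}


def normalize_syslog(line, year=2013):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "source": "syslog",
            "user": m["user"].lower(), "origin": m["ip"],
            "outcome": "success" if m["result"] == "Accepted" else "failure"}


# Filtering: discard records that are noise for this detection.
NOISE_USERS = {"batch"}   # constructed technical user


def keep(event):
    return event is not None and event["user"] not in NOISE_USERS


# Aggregation: failed logons per user across all sources, followed by a success of that user.
def detect_failed_then_success(events, threshold=3):
    """Users with at least `threshold` failed logons (from any source) followed by a success."""
    failures, sources, flagged = Counter(), defaultdict(set), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["user"]] += 1
            sources[e["user"]].add(e["source"])
        elif failures[e["user"]] >= threshold and e["user"] not in flagged:
            flagged[e["user"]] = {"failures": failures[e["user"]],
                                  "sources": sorted(sources[e["user"]]),
                                  "success_at": e["ts"].isoformat()}
    return flagged


def run_pipeline():
    events = [normalize_sap(line) for line in SAP_AUDIT_LINES]
    events += [normalize_syslog(line) for line in SYSLOG_LINES]
    return detect_failed_then_success([e for e in events if keep(e)])
```

Correlating the SAP and SSH failures for the same user is what the single-source view of a local SAP NetWeaver system cannot do, which is the point of aggregating across sources.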


Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks



Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• httpsaptechedhandsonsapcom

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


Security Topics in SAP Education Courses

Curricula
• SAP System Administration – User and Security
• SAP Governance, Risk & Compliance

Certification
• SAP Certified Technology Professional – Security with SAP NetWeaver 7.0
• The Security Consultant Certification test verifies the participant's profound knowledge in the area of SAP NetWeaver™ Security and proves that the candidate has an advanced understanding of this topic and is able to apply these skills in consulting projects, providing implementation guidance.
• Booking code: P_ADM_SEC_70

Topic: Course ID
• Authorizations AS ABAP: ADM940
• Authorizations AS Java, Portal: ADM200, EP200, ADM800
• Authorizations BW: BW365
• SAP NetWeaver Identity Management: ADM920
• Security Auditing: ADM950
• Technical Security (RFC, SSL, SNC, …): ADM960


Common Criteria Certification for Information Technology Security Evaluation (ISO 15408)

• Accepted in most of the major global markets
• Permits comparison between independent security evaluations
• Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
• A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
• EAL 4 is the highest internationally accepted level

Evaluation assurance levels:
• EAL 1: Functionally tested
• EAL 2: Structurally tested
• EAL 3: Methodically tested and checked
• EAL 4: Methodically designed, tested and reviewed
• EAL 5: Semi-formally designed and tested
• EAL 6: Semi-formally verified, designed and tested
• EAL 7: Formally verified, designed and tested


Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed


Summary – Key Take-Aways

- SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes.
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
- The support for SAML 2.0 for identity federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.
- SAP leads the industry by helping our customers thrive in today's business networks.



Further Information

SAP Public Web
- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
- Access hands-on workshops post-event
- Available January – March 2014
- Complimentary with your SAP TechEd registration
- http://saptechedhandson.sap.com

SAP TechEd Online
- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 73: SIS100 - Overview About Product Security, IDM and SSO


Common Criteria Certification
for Information Technology Security Evaluation (ISO/IEC 15408)

- Accepted in most of the major global markets
- Allows independent security evaluations to be compared with one another
- Encompasses all processes involved in the production and delivery of an IT product and a thorough examination of its security features
- A vendor can choose the scope of evaluation out of seven evaluation assurance levels (EALs)
- EAL 4 is the highest level that is accepted internationally under mutual recognition of certificates

Evaluation assurance levels:
EAL 1 – Functionally tested
EAL 2 – Structurally tested
EAL 3 – Methodically tested and checked
EAL 4 – Methodically designed, tested and reviewed
EAL 5 – Semi-formally designed and tested
EAL 6 – Semi-formally verified design and tested
EAL 7 – Formally verified design and tested


Common Criteria Certified SAP Products

Markets where the Common Criteria certificate is accepted: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, UK, US
https://service.sap.com/commoncriteria

The SAP NetWeaver Application Server forms the security foundation for most SAP implementations.

Certified products:
- SAP NetWeaver Application Server Java 7.02 SP03, EAL 4+ (certified in 2011)
- SAP NetWeaver Application Server ABAP 7.02 SP08, EAL 4+ (certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 – SAP NetWeaver Single Sign-On: Overview and Latest News (Lecture, 1 hr)
Session SIS265 – Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (Hands-on, 2 hr)


Compliant Identity Management and Single Sign-On

- Compliance and Governance: SAP GRC Access Control
- Identity Management: SAP NetWeaver Identity Management
- Authentication and Single Sign-On: SAP NetWeaver Single Sign-On

SAP offers a complete suite of compliance, governance, identity management and single sign-on solutions.


Compliant Identity Management and Single Sign-On

- Single sign-on: SAP GUI for Windows, SAP GUI for Java, Web applications
- Integration capabilities: Microsoft Active Directory Server, Microsoft Certificate Store
- Advanced SNC encryption: strong encryption of communication
- Enterprise Single Sign-On for legacy systems
- Support of additional authentication methods: smart cards, RADIUS


SAP NetWeaver Identity Management and Single Sign-On

SAP NetWeaver Identity Management:
- User and role management
- Provisioning to SAP and non-SAP systems
- Identity Center
- Virtual Directory Server
- Identity Services
- Integration with SAP GRC Access Control

SAP NetWeaver Single Sign-On:
- Identity federation
- Single sign-on to SAP GUI, SAP and non-SAP web-based applications (Kerberos, X.509, SAML)
- Digital signatures
- Re-authentication
- Advanced encryption of SAP GUI for Windows communication
- Strong authentication (RADIUS, smart cards)
- RSA certification
- Coming with version 2.0: SPNEGO for ABAP (Kerberos support for web-based access to ABAP); FIPS 140-2 certification for the Crypto Library

SNC Client Encryption:
- Basic encryption of the communication path between SAP Windows clients and SAP application servers (no single sign-on)


SAP NetWeaver Single Sign-On and Solution Components

- Web Access Management (partner API): Endorsed Business Solution (EBS) with the CA SiteMinder product; policy-based authentication and authorization to Web applications; XACML-based and policy-enforced access
- Identity Federation: Web-based and Web service-based authentication; single sign-on and identity federation via SAML 2.0; cross-company and cross-domain single sign-on
- Secure Login: single sign-on for Web-based and Web service-based applications; standards-based single sign-on for SAP GUI (Kerberos, X.509); digital signature for integrity and re-authentication for critical applications
- Enterprise Single Sign-On: E-SSO for legacy systems (ftp, databases, terminal, telnet); secured and automated login via user and password
- SNC Client Encryption: basic encryption between SAP Windows clients and SAP application servers; no single sign-on


EBS CA SiteMinder® – Web Access Management

Endorsed Business Solution with CA – CA SiteMinder –
- Dynamic authorization (SAP NetWeaver Java and non-SAP)
- Dynamic authentication (SAP NetWeaver Java and non-SAP)
- Social networking authentication (Facebook, Google, etc.)
- Cross-application and cross-domain session management
- Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps
- User-to-application security for a heterogeneous application environment
- No client deployed to the desktop

The essential difference: CA SiteMinder® delivers the above capabilities for SAP and non-SAP application environments to create a common web access management layer for customers in a heterogeneous environment.


What is Enterprise Single Sign-On?

(Diagram) After the primary authentication, the E-SSO client on the workstation (E-SSO Monitor with Local Management Console) performs the user/password login on behalf of the user (jack_jones in the figure) into applications that have no single sign-on of their own: terminal emulators, Web forms, Web basic authentication, Windows applications and Java applications.


Secure Login – Solution Architecture

(Diagram)
- Client system: SAP front end (NWBC, SAP GUI) with the Secure Login Client; Web browser with the Secure Login Web Client (SLWC, applet) and the browser key store; SAP or Java Crypto Library
- Secure Login Server on NetWeaver CE 7.2 (Java stack) with config data and a PSE service, authenticating users against an authentication server (e.g. SAP User Management)
- SAP backend systems (ABAP stack) with the Secure Login Library
- Protocols shown: DIAG/SNC between SAP front end and backend, HTTP(S) from the browser

SAP NetWeaver Single Sign-On – Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation


Why Identity Federation?

- Different companies
- One business process
- Separated IT infrastructure

(Diagram) Company A with Datacenter A and Company B with Datacenter B, each running its own ERP, CRM and SCM systems, plus further applications in the cloud.


Identity Federation – Solution

(Diagram) Company A (Datacenter A) and Company B (Datacenter B) each operate their own Identity Provider; their ERP, CRM and SCM systems act as Service Providers (SP), and the two Identity Providers are linked through identity federation.

- Each company maintains only its own identities
- A company can trust the identities of another organization
- Employees of company A can get access to shared information of company B
- SAP Business Suite will be enabled for SAML (Service Provider)
- Identity Provider and Service Provider are based on the open SAML standard


Identity Provider – Web Browser-Based Single Sign-On

(Diagram) An SAP NetWeaver Java Identity Provider with its own user accounts issues SAML tokens (log on / log off) to Service Providers, each of which holds its own user account for the user: SAP NetWeaver ABAP, SAP NetWeaver Java and non-SAP Service Providers.

- The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
- Web users trying to access a system are redirected to the Identity Provider
- Once a user is authenticated by the Identity Provider, the user can access all systems (via their Service Providers) without re-authentication
- Web browser-based single sign-on is user-centric
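The redirect-and-assert flow above moves the burden of trust onto each Service Provider: it must accept an assertion only from its trusted Identity Provider, only when addressed to itself, only while valid, and only once. As an added example that is not part of the original deck and not SAP's implementation, the Python below performs those SP-side checks on a constructed SAML 2.0 bearer assertion. The entity IDs, URLs, request ID and assertion content are invented; XML signature verification is assumed to have been done beforehand by an XML-DSig library (for example signxml) and appears here only as the `signature_verified` flag.

```python
"""Added example: SP-side validation of a SAML 2.0 bearer assertion after the
XML signature has been verified. Entity IDs, URLs and the assertion are
constructed; XML-DSig verification is assumed to be done by a library such as
signxml beforehand and appears here only as the `signature_verified` flag."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP configuration (all values invented).
SP_CONFIG = {
    "sp_entity_id": "https://erp.example.com/saml2/sp",
    "acs_url": "https://erp.example.com/saml2/sp/acs",
    "trusted_idp": "https://idp.example.com/saml2/idp",
    "clock_skew": timedelta(seconds=60),
}

# Constructed assertion as an IdP would send it inside a Response (unsigned here).
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4" Version="2.0" IssueInstant="2013-10-22T08:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JSMITH</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-10-22T08:05:00Z"
          Recipient="https://erp.example.com/saml2/sp/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-10-22T07:59:00Z" NotOnOrAfter="2013-10-22T08:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://erp.example.com/saml2/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
""".strip()


def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, cfg, now, outstanding_requests, seen_ids, signature_verified):
    """Return (True, name_id) or (False, reason). `outstanding_requests`: IDs of
    AuthnRequests this SP issued and has not consumed; `seen_ids`: replay cache
    of accepted assertion IDs. Both are updated only when the assertion is accepted."""
    if not signature_verified:                 # never interpret unsigned content
        return False, "signature not verified"
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % SAML_NS or a.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["trusted_idp"]:
        return False, "untrusted issuer"
    skew = cfg["clock_skew"]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    if "NotBefore" in cond.attrib and now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if "NotOnOrAfter" in cond.attrib and now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["sp_entity_id"] not in audiences:   # token issued for a different SP
        return False, "audience mismatch"
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/"
                 "saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        return False, "no bearer SubjectConfirmationData"
    if scd.get("Recipient") != cfg["acs_url"]:  # token delivered to the wrong endpoint
        return False, "recipient mismatch"
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    assertion_id = a.get("ID")
    if not assertion_id or assertion_id in seen_ids:   # replay of an accepted token
        return False, "assertion replayed"
    in_response_to = scd.get("InResponseTo")
    if in_response_to not in outstanding_requests:      # unsolicited or stale
        return False, "InResponseTo does not match an outstanding request"
    outstanding_requests.discard(in_response_to)
    seen_ids.add(assertion_id)
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Happy path plus the rejections worth testing; returns a dict of results."""
    now = datetime(2013, 10, 22, 8, 0, 30, tzinfo=timezone.utc)
    reqs, seen = {"_req42"}, set()
    wrong_sp = dict(SP_CONFIG, sp_entity_id="https://crm.example.com/saml2/sp")
    return {
        "first": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, reqs, seen, True),
        "replay": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, reqs, seen, True),
        "unsigned": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, {"_req42"}, set(), False),
        "expired": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now + timedelta(minutes=10), {"_req42"}, set(), True),
        "wrong_sp": validate_assertion(SAMPLE_ASSERTION, wrong_sp, now, {"_req42"}, set(), True),
        "unsolicited": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, set(), set(), True),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks is deliberate: nothing is parsed before the signature is verified, the audience check stops a token issued for one Service Provider from being replayed at another, and the request ID is consumed only after every other check passes, so a rejected response cannot invalidate a legitimate outstanding request. This SP accepts only SP-initiated flows (an assertion without a matching InResponseTo is rejected); allowing IdP-initiated single sign-on is a policy decision that needs its own replay handling.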

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)


SAP NetWeaver Identity Management

(Diagram, e.g. on-boarding) SAP NetWeaver Identity Management provides:
- Password management
- Provisioning to SAP and non-SAP systems
- Identity management monitoring & audit
- Rule-based assignment of business roles
- Identity virtualization and identity as a service
- Approval workflows
- Central Identity Store

SAP Access Control (GRC): compliance checks through GRC
SAP Business Suite integration


Architecture of SAP NetWeaver Identity Management 7.2

(Diagram)
- Identity Center: IC database (either MS SQL Server or Oracle DB; IBM DB2 soon) with stored procedures, logs and audit, reached via the database protocol; Runtime (Java) and Runtime (VB); Dispatcher (VB) and DSE (VB); Event Agent (<<Starts>>)
- Identity Services (IdS) on AS Java, reached over HTTPS
- Virtual Directory Server (VDS) running in a Java VM, accessed via LDAP, with connectors to external repositories (LDAP, Java, ABAP, Web services, Active Directory, etc.) and external applications (SAP HR, LDAP/Web services, SiteMinder, app-specific, etc.)
- User interface: Web Dynpro on AS Java (ID Mgmt UI abstraction), JMX; Management Console (MMC, soon to be Eclipse)

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes


Compliant Identity Management

(Diagram, built up step by step over the following slides: User, Approver and Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control)

1. Request for: role, privileges, user account, … (by the user, in SAP NetWeaver Identity Management)
2. Request sent for approval to: manager, delegate, role owner, application owner, …
3. Approval granted from: manager, delegate, role owner, application owner, …
4. Sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the compliance team: reject, approve, mitigate, modify request, …
6. Provision to: business applications, non-SAP systems, … and send approval mail to the user

Result: compliant identity management
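The six steps above and the HR-triggered flow on the "Example Customer Scenario" slide both reduce to the same decision: compare the requested entitlements, together with what the user already holds, against a segregation-of-duties rule set and then approve, approve with a mitigating control, reject, or modify the request before anything is provisioned. The Python below is an added example, not part of the original deck and not SAP GRC Access Control's rule engine; the roles, privileges, positions, risk IDs and mitigating controls are constructed.

```python
"""Added example: the request -> approval -> risk analysis -> remediation ->
provisioning flow of a compliant identity management process, reduced to code.
Roles, privileges, positions, SoD risk IDs and mitigating controls are all
constructed for this example; they are not SAP GRC Access Control's rule set."""

# Technical privileges granted by each business role (constructed).
ROLE_PRIVILEGES = {
    "AP_CLERK": {"VENDOR_INVOICE_POST"},
    "AP_MANAGER": {"VENDOR_INVOICE_POST", "PAYMENT_RUN"},
    "VENDOR_MASTER": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "REPORT_VIEWER": {"FI_REPORT_DISPLAY"},
}

# Rule-based entitlements derived from the HR position: the "calculate
# entitlements based on position" step triggered by a new hire or position change.
POSITION_ROLES = {
    "Accounts Payable Clerk": ["AP_CLERK", "REPORT_VIEWER"],
    "AP Team Lead": ["AP_MANAGER", "REPORT_VIEWER"],
    "Purchasing Assistant": ["VENDOR_MASTER", "REPORT_VIEWER"],
}

# Segregation-of-duties rules: (risk id, privilege A, privilege B, risk level).
SOD_RULES = [
    ("P001", "VENDOR_CREATE", "PAYMENT_RUN", "high"),
    ("P002", "VENDOR_CREATE", "VENDOR_INVOICE_POST", "high"),
    ("P003", "VENDOR_INVOICE_POST", "PAYMENT_RUN", "medium"),
]


def effective_privileges(roles):
    """Union of the privileges behind a set of roles. An unknown role raises
    KeyError on purpose: a typo must not silently pass the analysis."""
    return set().union(*(ROLE_PRIVILEGES[r] for r in roles))


def risk_analysis(existing_roles, requested_roles):
    """Violations that would exist after the request is fulfilled. The check runs
    on the combined role set, so a conflict between an old role and a new one is
    found as well as a conflict inside a single requested role."""
    privs = effective_privileges(set(existing_roles) | set(requested_roles))
    return [rule for rule in SOD_RULES if rule[1] in privs and rule[2] in privs]


def suggest_modification(existing_roles, requested_roles):
    """Remediation option 'modify request': greedily drop the requested role whose
    removal leaves the fewest violations until none remain."""
    keep = list(requested_roles)
    while keep and risk_analysis(existing_roles, keep):
        keep.remove(min(keep, key=lambda r: len(
            risk_analysis(existing_roles, [x for x in keep if x != r]))))
    return keep


def decide(existing_roles, requested_roles, mitigations=frozenset()):
    """Risk analysis and remediation decision. `mitigations` holds the risk IDs
    for which a mitigating control is assigned to this user. Returns the
    decision, the roles to provision and the violations found."""
    violations = risk_analysis(existing_roles, requested_roles)
    unmitigated = [v for v in violations if v[0] not in mitigations]
    if not violations:
        decision, roles = "approve", list(requested_roles)
    elif not unmitigated:
        decision, roles = "approve_mitigated", list(requested_roles)
    else:
        decision, roles = "reject", []      # nothing is provisioned on reject
    return {
        "decision": decision,
        "provision": roles,
        "violations": [v[0] for v in violations],
        "unmitigated": [v[0] for v in unmitigated],
        "modify_request": (suggest_modification(existing_roles, requested_roles)
                           if unmitigated else list(requested_roles)),
    }


def hr_event(position, existing_roles=(), mitigations=frozenset()):
    """New hire or change of position: derive the entitlements from the position,
    then run them through the same compliance check before provisioning.
    `existing_roles` are the roles the user keeps from before the event."""
    return decide(existing_roles, POSITION_ROLES[position], mitigations)


if __name__ == "__main__":
    print(hr_event("Accounts Payable Clerk"))
    print(decide(["AP_CLERK"], ["VENDOR_MASTER", "REPORT_VIEWER"]))
    print(hr_event("AP Team Lead", mitigations={"P003"}))
```

The combined-set analysis is the point: checking only the requested roles would miss the conflict between an existing AP_CLERK assignment and a newly requested VENDOR_MASTER role, which is exactly the gap a position change opens when old roles are not removed. The "AP Team Lead" case shows a conflict inside a single role (P003), which can only be provisioned once a mitigating control for that risk is recorded for the user.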

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management:
- Centralized user management: centralized management of identity information across multiple data sources
- Integration and synchronization of system authorization data: manage user privileges centrally
- Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
- Federated identity: simplifies integration with standards-based identity federation

SAP GRC Access Control:
- Access risk identification: define and understand access risks
- Access analysis and response: analyze and mitigate access risks
- Access reviews: periodic reviews of assignments, risk violations and controls
- Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 74: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 74

Common Criteria Certified SAP Products

New Zealand

Canada

Sweden

Czech Republic

India

UK

Finland

Italy

Pakistan

Israel

The Netherlands

Singapore

Turkey

Germany

Denmark

Greece

Japan

Rep Of Korea

Spain

Norway

Austria

US

Australia

Hungary

Malaysia

France

Markets where

the Common

Criteria

Certificate is

accepted

httpsservicesapcomcommoncriteria

The SAP NetWeaver Application Server

forms the security foundation for most SAP

implementations

Certified products

SAP NetWeaver Application Server Java

702 SP03 EAL 4+ (certified in 2011)

SAP NetWeaver Application Server ABAP

702 SP08 EAL 4+

(Certificate received in February 2012)

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

[Process diagram built up over slides 92–98, with the actors User, Approver and Compliance Team and the systems SAP NetWeaver Identity Management and SAP GRC Access Control; numbered arrows 1–6:]

1. Request for
• Role
• Privileges
• User account
• …

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …
(arrow 4 leads to SAP GRC Access Control)

5. Risk analysis and remediation by the Compliance Team
• Reject
• Approve
• Mitigate
• Modify request
• …

6. Provision to
• Business applications
• Non-SAP systems
• …
and send approval mail to the User

Result: Compliant Identity Management

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 98

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management

• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single sign-on: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated identity: simplifies integration with standards-supported identity federation

SAP GRC Access Control

• Access risk identification: define and understand access risks
• Access analysis and response: analyze and mitigate access risks
• Access reviews: periodic reviews of assignments, risk violations and controls
• Centralized compliant role repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 99

SAP GRC Access Control 10.0 – Architecture

[Architecture diagram; recoverable labels:]

• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0
• SAP ERP (4.6C – 7.1): NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications: adapter
• SAP NW Portal 7.02: GRC Portal Content (optional)
• SAP NW BW 7.02: GRC BI Content (optional)
• SAP NW Java 7.02: Adobe Document Services (optional)
• Identity Management solutions (SAP or non-SAP), optional
• Front-end client: SAP GUI 7.10, web browser, Adobe Flash Player, SAP CR Adapter
• Connections shown: HTTP, web services, RFC, DIAG

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 100

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Process flow diagram; recoverable labels:]

HR application (new hire, change of position) → Identity Management: calculate entitlements based on position → Line manager: approve assignments? (Yes / No) → SAP GRC Access Control: compliance check, remediation → Heterogeneous landscape: create user, assign roles (per target system); create user, assign privileges
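The six-step flow of the preceding slides and the HR-triggered customer scenario above, modelled as an added Python example (not SAP code): a request moves through approval routing, approval, risk analysis against a segregation-of-duties rule set, remediation (reject, approve, mitigate, modify) and provisioning, and provisioning is refused until approval is complete and every detected risk has been mitigated or removed. Role names, approver ids and the SoD rules are constructed assumptions.

```python
"""Compliant identity management request flow, modelled on steps 1-6 above.
Constructed example: role names, approvers and SoD rules are made up."""
from dataclasses import dataclass, field
from enum import Enum


class ComplianceError(Exception):
    """A step was attempted out of order, or against an unresolved risk."""

class State(Enum):
    REQUESTED = 1
    PENDING_APPROVAL = 2
    APPROVED = 3
    RISK_ANALYZED = 4
    REJECTED = 5
    PROVISIONED = 6

class Decision(Enum):  # the four step-5 outcomes named on the slide
    REJECT = "reject"
    APPROVE = "approve"
    MITIGATE = "mitigate"
    MODIFY = "modify"

# Constructed SoD rules: role pairs one user must not hold together, keyed by risk id.
SOD_RULES = {
    "P001": frozenset({"AP_CREATE_VENDOR", "AP_PAY_INVOICE"}),
    "H002": frozenset({"HR_MAINTAIN_PAYROLL", "HR_APPROVE_PAYROLL"}),
}

def find_sod_violations(roles):
    """Ids of SoD rules whose conflicting pair is fully contained in roles."""
    return sorted(rid for rid, pair in SOD_RULES.items() if pair <= set(roles))


@dataclass
class AccessRequest:
    user: str
    roles: set                                        # step 1: what is requested
    existing_roles: set = field(default_factory=set)  # what the user already holds
    state: State = State.REQUESTED
    required_approvers: set = field(default_factory=set)
    approvals: set = field(default_factory=set)
    open_risks: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)   # risk id -> mitigating control

    def _require(self, state):
        if self.state is not state:
            raise ComplianceError(f"step not allowed in state {self.state.name}")

    # Step 2: route to manager, delegate, role owner, application owner, ...
    def send_for_approval(self, approvers):
        self._require(State.REQUESTED)
        if self.user in approvers:
            raise ComplianceError("requester may not approve their own request")
        self.required_approvers = set(approvers)
        self.state = State.PENDING_APPROVAL

    # Step 3: approved only once every routed approver has agreed.
    def approve(self, approver):
        self._require(State.PENDING_APPROVAL)
        if approver not in self.required_approvers:
            raise ComplianceError(f"{approver} is not an approver of this request")
        self.approvals.add(approver)
        if self.approvals == self.required_approvers:
            self.state = State.APPROVED
        return self.state

    # Step 4: analyse the user's resulting role set, not just the requested delta.
    def analyze_risk(self):
        self._require(State.APPROVED)
        self.open_risks = set(find_sod_violations(self.existing_roles | self.roles))
        self.state = State.RISK_ANALYZED
        return sorted(self.open_risks)

    # Step 5: the compliance team rejects, approves, mitigates or modifies.
    def remediate(self, decision, risk_id=None, control=None, drop_roles=()):
        self._require(State.RISK_ANALYZED)
        if decision is Decision.REJECT:
            self.state = State.REJECTED
        elif decision is Decision.MITIGATE:
            if risk_id not in self.open_risks or not control:
                raise ComplianceError("mitigation needs an open risk and a control")
            self.open_risks.remove(risk_id)
            self.mitigations[risk_id] = control
        elif decision is Decision.MODIFY:
            self.roles = self.roles - set(drop_roles)
            self.state = State.APPROVED   # a changed request is re-analysed
            self.analyze_risk()
        elif decision is Decision.APPROVE and self.open_risks:
            raise ComplianceError(f"open risks remain: {sorted(self.open_risks)}")
        return sorted(self.open_risks)

    # Step 6: provisioning is gated on approval and a clean or mitigated analysis.
    def provision(self, targets):
        self._require(State.RISK_ANALYZED)
        if self.open_risks:
            raise ComplianceError(f"open risks block provisioning: {sorted(self.open_risks)}")
        self.state = State.PROVISIONED
        return [(t, r) for t in targets for r in sorted(self.roles)]
```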

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure; UCONN

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 102

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram; recoverable labels:]

• Inputs: attack pattern updates by SAP; logs of SAP NetWeaver; logs of non-SAP NetWeaver systems; desktop frontend; mobile frontend; logs of infrastructure; logs of database; network logs; IDS
• SAP Attack Monitoring Infrastructure, with the stages labelled aggregation, normalization, connectivity, filtering and extraction
• Also connected: API to other SIEM tools; alerts from SAP SolMan; information back channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 103

Summary – Key Take-Aways

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
• The support for SAML 2.0 for identity federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.
• SAP leads in the industry by helping our customers to thrive in today's business networks.

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security

SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm

SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso

SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration

http://saptechedhandson.sap.com

SAP TechEd Online

• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online

http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved. 107

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 75: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Single Sign-On Single Sign-On Password Manager

Session SIS200 ndash SAP NetWeaver Single Sign-On Overview and Latest News (Lecture 1hr)

Session SIS265 ndash Single Sign-On for the ABAP World using SAP NetWeaver Single Sign-On (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 76: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 76

Compliant Identity Management and Single Sign-On

Compliance and

Governance

SAP GRC Access Control

Identity Management

SAP NetWeaver Identity

Management

Authentication and Single

Sign-On

SAP NetWeaver Single Sign-

On

SAP offers a complete suite of compliance governance identity management and single

sign-on solutions

Compliant Identity Management and Single Sign-On

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider – Web Browser-Based Single Sign-On

[Diagram: Identity Provider on SAP NetWeaver Java (user account) issuing a SAML token at log on/log off to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own user account]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML).
Web users trying to access a system are redirected to the Identity Provider.
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication.
Web browser-based single sign-on is user-centric.
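The browser-based flow just described, as an added example that is not SAP code and not SAP's SAML implementation: a Python model of one Identity Provider and three Service Providers. Real SAML 2.0 assertions are XML documents carrying an XML signature; here an assertion is a dict signed with an HMAC key that every SP holds, a stand-in for the IdP's certificate, so that the checks an Assertion Consumer Service has to make (signature, issuer, audience, validity window, replay of the assertion ID) fit in a few lines. The entity IDs, the user jack_jones and the password are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, body: dict) -> str:
    """Stand-in for the XML signature over the assertion (HMAC-SHA256 here)."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds the user accounts; the only place in the landscape that checks a password."""

    def __init__(self, entity_id: str, signing_key: bytes, users: dict):
        self.entity_id = entity_id
        self.signing_key = signing_key
        self.users = users          # constructed sample accounts: user -> password
        self.sessions = {}          # IdP session cookie -> user

    def log_on(self, user: str, password: str):
        """Primary authentication; returns the IdP session cookie or None."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def issue_assertion(self, cookie: str, sp_entity_id: str, now: int, lifetime: int = 300):
        """Called when an SP redirects the browser here; no password prompt while the
        IdP session is valid (that is the single sign-on)."""
        user = self.sessions.get(cookie)
        if user is None:
            return None                         # the browser would see the logon form
        body = {
            "id": secrets.token_hex(8),         # unique assertion ID, used for replay detection
            "issuer": self.entity_id,
            "subject": user,
            "audience": sp_entity_id,           # AudienceRestriction
            "not_before": now,
            "not_on_or_after": now + lifetime,  # validity window of the Conditions element
        }
        return {"body": body, "signature": _sign(self.signing_key, body)}


class ServiceProvider:
    """Trusts exactly one IdP; keeps no passwords, only its local user account mapping."""

    def __init__(self, entity_id: str, idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key
        self.consumed_ids = set()
        self.sessions = {}

    def consume(self, assertion, now: int) -> str:
        """Assertion Consumer Service: every check the SP makes before it trusts the subject."""
        if assertion is None:
            return "redirect-to-idp"
        body = assertion["body"]
        if not hmac.compare_digest(_sign(self.idp_key, body), assertion["signature"]):
            return "bad-signature"
        if body["issuer"] != self.idp_entity_id:
            return "unknown-issuer"
        if body["audience"] != self.entity_id:
            return "wrong-audience"
        if not body["not_before"] <= now < body["not_on_or_after"]:
            return "outside-validity-window"
        if body["id"] in self.consumed_ids:
            return "replay"
        self.consumed_ids.add(body["id"])
        self.sessions[body["subject"]] = now
        return "ok"


def sso_walkthrough(now: int = 1_700_000_000) -> dict:
    """One logon at the IdP, then access to three SPs without re-authentication,
    plus the negative cases an SP has to reject."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example", key, {"jack_jones": "correct-horse"})
    sps = {name: ServiceProvider(name, idp.entity_id, key)
           for name in ("abap-sp", "java-sp", "non-sap-sp")}

    results = {}
    results["before-logon"] = sps["abap-sp"].consume(
        idp.issue_assertion("no-such-cookie", "abap-sp", now), now)
    cookie = idp.log_on("jack_jones", "correct-horse")
    for name, sp in sps.items():
        results[name] = sp.consume(idp.issue_assertion(cookie, name, now), now)

    a = idp.issue_assertion(cookie, "abap-sp", now)
    results["replay"] = (sps["abap-sp"].consume(a, now), sps["abap-sp"].consume(a, now))
    results["wrong-audience"] = sps["java-sp"].consume(idp.issue_assertion(cookie, "abap-sp", now), now)
    results["expired"] = sps["abap-sp"].consume(idp.issue_assertion(cookie, "abap-sp", now), now + 600)
    tampered = idp.issue_assertion(cookie, "abap-sp", now)
    tampered["body"]["subject"] = "admin"
    results["tampered"] = sps["abap-sp"].consume(tampered, now)
    return results
```

The "before-logon" result is the redirect to the Identity Provider; the three "ok" results are the single sign-on itself, one logon and no password prompt at any Service Provider. The rejected cases show why a Service Provider cannot rely on the signature alone: an assertion issued for one SP presented at another (audience), the same assertion presented twice (replay), and one presented after its validity window (expiry) are all correctly signed.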

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (Hands-on, 2 hr)
Session SIS263 – Advanced Features of SAP NW IdM: Context-Based Role Assignments (Hands-on, 2 hr)

SAP NetWeaver Identity Management (e.g. on-boarding)

[Diagram: SAP NetWeaver Identity Management with a Central Identity Store, connected to SAP Access Control (GRC) and to the SAP Business Suite]

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Compliance checks through GRC
SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram: Identity Center with the IC database (either MS SQL Server or Oracle DB, soon IBM DB2; stored procedures; logs, audit, IdS), Runtime (Java), Runtime (VB), DSE (VB), Dispatcher (VB) and Event Agent <<Starts>>; Virtual Directory Server (VDS) in a Java VM, reached over LDAP; External repositories (AS Java, ABAP, LDAP, Web Services, Active Directory, etc.); External applications (SAP HR, LDAP/Web Services, SiteMinder, application-specific, etc.); User Interface on AS Java (Web Dynpro, ID Mgmt UI abstraction, JMX) and the MMC Management Console (soon to be Eclipse); connections over HTTPS, DB protocol and LDAP]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Diagram, built up over six slides: User, Approver and Compliance Team interacting with SAP NetWeaver Identity Management and SAP GRC Access Control; steps numbered 1 to 6]

1. Request for
• Role
• Privileges
• User account
• …

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

6. Provision to
• Business applications
• Non-SAP systems
• …
and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management: centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data: manage user privileges centrally
Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
Access Risk Identification: define and understand access risks
Access Analysis and Response: analyze and mitigate access risks
Access Reviews: periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 with AC, PC & RM (Software Component GRCFND_A); SAP ERP (4.6C – 7.1) with NW Function Modules (Plug-in GRCPINW), HR Function Modules and PC Automated Controls (Plug-in GRCPIERP); Non-SAP Business Applications (Adapter); Identity Management Solutions (SAP or Non-SAP); SAP NW Portal 7.02 with GRC Portal Content; SAP NW BW 7.02 with GRC BI Content; SAP NW Java 7.02 with Adobe Document Services; Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter; Content Lifecycle Management (CLM); connections: http, Web services, RFC, DIAG; several of the connections are marked optional]

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

[Flow diagram: HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments: Yes/No) → SAP GRC Access Control (Compliance Check, Remediation) → Heterogeneous Landscape (Create User, Assign Roles / Assign Privileges in each target system)]
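The six-step workflow above and this HR-event-driven scenario (new hire or position change, entitlements derived from the position, line-manager approval, compliance check and remediation, provisioning to a heterogeneous landscape), as one added Python example. It is not SAP NetWeaver Identity Management or SAP GRC Access Control code; positions, role names, target systems, the segregation-of-duties rule IDs SOD-01 and SOD-02 and the mitigating control MC-17 are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample master data (an assumption for this example; a real landscape
# reads positions from HR and roles from the role repository).
POSITION_ENTITLEMENTS = {
    "AP clerk": {"AP_INVOICE_ENTRY"},
    "AP manager": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "Warehouse": {"WM_GOODS_RECEIPT"},
}
ROLE_TARGET = {            # which system each role is provisioned to
    "AP_INVOICE_ENTRY": "SAP ERP",
    "AP_PAYMENT_RELEASE": "SAP ERP",
    "WM_GOODS_RECEIPT": "non-SAP WMS",
}
SOD_RULES = {              # segregation-of-duties rules, hypothetical IDs and descriptions
    "SOD-01": ({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "enter and pay the same invoice"),
    "SOD-02": ({"WM_GOODS_RECEIPT", "AP_INVOICE_ENTRY"}, "receive goods and invoice them"),
}


@dataclass
class Request:
    user: str
    requested: set            # roles derived from the new position
    current: set              # roles the user already holds
    status: str = "requested"
    violations: dict = field(default_factory=dict)
    revoke: set = field(default_factory=set)
    log: list = field(default_factory=list)


def _sod_violations(roles: set) -> dict:
    """A rule fires when the user would hold every role of the conflicting pair."""
    return {rid: desc for rid, (pair, desc) in SOD_RULES.items() if pair <= roles}


def calculate_entitlements(user: str, position: str, current=()) -> Request:
    """Step 1: HR event (new hire / change position) -> entitlements from the position."""
    req = Request(user, set(POSITION_ENTITLEMENTS[position]), set(current))
    req.log.append(f"HR event: {user} -> {position}")
    return req


def manager_decision(req: Request, approved: bool) -> Request:
    """Steps 2-3: the line manager approves or rejects the proposed assignments."""
    req.status = "approved" if approved else "rejected"
    req.log.append(f"line manager: {req.status}")
    return req


def risk_analysis(req: Request) -> Request:
    """Steps 4-5: compliance check over existing plus requested roles."""
    if req.status == "approved":
        req.violations = _sod_violations(req.current | req.requested)
        req.status = "risk-found" if req.violations else "clean"
        req.log.append(f"risk analysis: {sorted(req.violations) or 'no violations'}")
    return req


def remediate(req: Request, mitigations: dict = None, drop_roles=()) -> Request:
    """Step 5 remediation by the compliance team: mitigate a violation with a
    documented control, modify the request (drop roles), or leave it rejected."""
    if req.status != "risk-found":
        return req
    req.requested -= set(drop_roles)
    req.revoke = req.current & set(drop_roles)       # old roles removed on a position change
    remaining = _sod_violations((req.current - req.revoke) | req.requested)
    unmitigated = set(remaining) - set(mitigations or {})
    req.status = "rejected" if unmitigated else "clean"
    req.log.append(f"remediation: mitigated {sorted(mitigations or {})}, dropped {sorted(drop_roles)}")
    return req


def provision(req: Request) -> dict:
    """Step 6: only a clean request reaches the target systems."""
    if req.status != "clean":
        return {}
    plan = {"assign": {}, "revoke": {}}
    for role in sorted(req.requested - req.current):
        plan["assign"].setdefault(ROLE_TARGET[role], []).append(role)
    for role in sorted(req.revoke):
        plan["revoke"].setdefault(ROLE_TARGET[role], []).append(role)
    req.status = "provisioned"
    return plan


def run_scenario() -> dict:
    """Three constructed cases: a clean new hire, a position change that trips
    two SoD rules, and a request the line manager rejects."""
    new_hire = calculate_entitlements("jack_jones", "AP clerk")
    risk_analysis(manager_decision(new_hire, True))

    mover = calculate_entitlements("jane_doe", "AP manager", current={"WM_GOODS_RECEIPT"})
    risk_analysis(manager_decision(mover, True))
    found = sorted(mover.violations)
    remediate(mover, mitigations={"SOD-01": "MC-17 monthly payment-run review"},
              drop_roles={"WM_GOODS_RECEIPT"})

    rejected = calculate_entitlements("tom_smith", "Warehouse")
    risk_analysis(manager_decision(rejected, False))

    return {"new_hire": provision(new_hire), "mover_violations": found,
            "mover": provision(mover), "rejected": provision(rejected)}
```

The position change is the interesting case: the risk analysis runs over the roles the user already holds plus the requested ones, so the old warehouse role trips SOD-02 even though nobody asked for it. Remediation then combines two of the slide's options, a mitigating control for SOD-01 and a modified request that revokes the old role, and only after that does step 6 produce a provisioning plan per target system.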

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Diagram: inputs: Attack Pattern Updates by SAP, Logs of SAP NetWeaver, Logs of Non-SAP NetWeaver, Desktop Frontend, Mobile Frontend, Logs of Infrastructure, Logs of Database, Logs of Network IDS, Alerts from SAP SolMan; SAP Attack Monitoring Infrastructure stages: Connectivity, Extraction, Filtering, Aggregation, Normalization; outputs: API to other SIEM tools, Information Back Channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
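The extraction, filtering, aggregation and normalization stages of the planned monitoring infrastructure, as an added Python example that is not SAP's implementation: three constructed log formats (an application audit log, a database log and a network IDS alert) are parsed into one event schema, events of no interest are filtered out, and attack patterns defined as data, so that a pattern update is a data feed rather than new code, are matched over a sliding window per user and terminal. The log lines, field names and pattern thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in three made-up formats; real SAP, database and IDS
# logs look different. The point is that each source needs its own extractor.
SAMPLE_LOGS = [
    ("netweaver", "2013-10-22T08:01:05Z AUDIT user=JONES terminal=WS-17 event=LOGON_FAILED"),
    ("netweaver", "2013-10-22T08:01:09Z AUDIT user=JONES terminal=WS-17 event=LOGON_FAILED"),
    ("netweaver", "2013-10-22T08:01:14Z AUDIT user=JONES terminal=WS-17 event=LOGON_FAILED"),
    ("netweaver", "2013-10-22T08:01:20Z AUDIT user=JONES terminal=WS-17 event=LOGON_OK"),
    ("netweaver", "2013-10-22T08:05:00Z AUDIT user=MILLER terminal=WS-02 event=LOGON_OK"),
    ("netweaver", "2013-10-22T08:05:30Z AUDIT user=MILLER terminal=WS-02 event=REPORT_START"),
    ("database", "2013-10-22 08:02:10 FAILED LOGIN user=SAPSR3 host=10.1.2.3"),
    ("database", "2013-10-22 08:02:11 FAILED LOGIN user=SAPSR3 host=10.1.2.3"),
    ("ids", "Oct 22 2013 08:02:15 alert src=10.1.2.3 msg=port-scan"),
]

# Attack patterns as data: threshold of failed logons inside a window, optionally
# followed by a successful logon from the same user and terminal.
PATTERNS = [
    {"name": "password guessing followed by logon", "failures": 3, "window_s": 60, "then_success": True},
    {"name": "repeated failed logons", "failures": 2, "window_s": 60, "then_success": False},
]


def extract(source: str, line: str):
    """Extraction and normalization: per-source parser into the common schema
    (ts, source, kind, user, host); returns None for lines it cannot parse."""
    if source == "netweaver":
        m = re.match(r"(\S+) AUDIT user=(\S+) terminal=(\S+) event=(\S+)", line)
        if not m:
            return None
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        kind = {"LOGON_FAILED": "auth_fail", "LOGON_OK": "auth_ok"}.get(m[4], "other")
        return {"ts": ts, "source": source, "kind": kind, "user": m[2], "host": m[3]}
    if source == "database":
        m = re.match(r"(\S+ \S+) (FAILED LOGIN|LOGIN OK) user=(\S+) host=(\S+)", line)
        if not m:
            return None
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        kind = "auth_fail" if m[2] == "FAILED LOGIN" else "auth_ok"
        return {"ts": ts, "source": source, "kind": kind, "user": m[3], "host": m[4]}
    if source == "ids":
        m = re.match(r"(\w{3} \d{2} \d{4} \S+) alert src=(\S+) msg=(\S+)", line)
        if not m:
            return None
        ts = datetime.strptime(m[1], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "source": source, "kind": "ids_alert", "user": None, "host": m[2]}
    return None


def correlate(events, patterns=PATTERNS):
    """Aggregation: failed logons are kept per (source, user, host) and every
    pattern is evaluated over the last window_s seconds; each pattern fires once per key."""
    alerts = []
    failures = defaultdict(list)
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "ids_alert":
            alerts.append(("ids alert forwarded", ev["source"], ev["host"]))
            continue
        key = (ev["source"], ev["user"], ev["host"])
        if ev["kind"] == "auth_fail":
            failures[key].append(ev["ts"])
        for p in patterns:
            # then_success patterns are checked on a successful logon, the others on a failure
            if p["then_success"] != (ev["kind"] == "auth_ok"):
                continue
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= p["window_s"]]
            if len(recent) >= p["failures"] and (p["name"], key) not in fired:
                fired.add((p["name"], key))
                alerts.append((p["name"],) + key)
    return alerts


def pipeline(raw=SAMPLE_LOGS):
    """Connectivity (the raw list), extraction, filtering of uninteresting kinds, correlation."""
    events = [extract(src, line) for src, line in raw]
    events = [e for e in events if e and e["kind"] != "other"]
    return correlate(events)
```

On the constructed sample the report start for MILLER is dropped by the filter, the three failures and the following success for JONES fire both patterns, the two database failures fire the weaker one, and the IDS alert is passed through unchanged; the alert tuples are what the API to other SIEM tools would carry.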

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions.
SAP leads in the industry by helping our customers to thrive in today's business networks.


Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 77: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 77

Compliant Identity Management and Single Sign-On

Single sign-on

SAP GUI for Windows SAP GUI for Java Web

applications

Integration capabilities

Microsoft Active Directory Server

Microsoft Certificate Store

Advanced SNC encryption

Strong encryption of communication

Enterprise Single Sign-On for legacy systems

Support of additional authentication methods

Smart cards

Radius

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 78: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 78

SAP NetWeaver Identity Management and Single Sign-On

User and role management

Provisioning

to SAP systems and Non-SAP

Identity Center

Virtual Directory Server

Identity Services

Integration with SAP GRC Access Control

Identity federation

Single sign-on to SAP GUI SAP and

non-SAP web-based applications

(Kerberos X509 SAML)

Digital signatures

Re-authentication

Advanced encryption of SAP GUI for

Windows communication

Strong authentication

(Radius smart cards)

RSA Certification

Coming with version 20

SPNEGO for ABAP (Kerberos support for

web-based access to ABAP)

FIPS 140-2 certification for Crypto Library

Basic encryption of the communication path for SAP Windows clients and SAP

application servers

(No single sign-on)

SAP NetWeaver Identity Management SAP NetWeaver Single Sign-On SNC Client Encryption

SAP NetWeaver Identity Management and Single Sign-On SAP NetWeaver

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

Why Identity Federation?

Different companies
One business process
Separated IT infrastructure
Cloud

[Figure: Company A (Datacenter A) and Company B (Datacenter B) each run their own ERP, CRM, SCM and further systems, with a cloud between them]

Identity Federation - Solution

[Figure: Company A (Datacenter A) and Company B (Datacenter B) each front their ERP, CRM and SCM systems with a Service Provider (SP) and run their own Identity Provider; the two Identity Providers are linked by Identity Federation]

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider - Web Browser-Based Single Sign-On

[Figure: an Identity Provider on SAP NetWeaver Java holding the User Account issues a SAML token on log on / log off to Service Providers on SAP NetWeaver ABAP, SAP NetWeaver Java and a non-SAP system, each with its own User Account]

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web Browser-based single sign-on is user-centric
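The browser-based SSO flow described above, as an added example that is not part of the original slides and not SAP's Identity Provider or Service Provider code: a Service Provider redirects an unauthenticated user to the Identity Provider with an AuthnRequest, the Identity Provider authenticates once and answers later requests from its own session, and each Service Provider validates the returned assertion (signature, issuer, audience, InResponseTo, expiry) before creating a local session. The entity IDs, the user store and the HMAC key standing in for the XML signature are constructed assumptions.

```python
"""Simulation of SAML-style web browser SSO. Added example, not SAP code."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

# Constructed trust anchor: a real IdP signs with an X.509 key and the SP holds the
# certificate; an HMAC key stands in for that signature here (assumption).
IDP_SIGNING_KEY = b"constructed-idp-key"
IDP_ENTITY_ID = "https://idp.example/saml"  # constructed entity ID


def sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()


@dataclass
class IdentityProvider:
    """Authenticates once, then answers further AuthnRequests from its own session."""
    users: dict                                   # username -> password (constructed)
    sessions: dict = field(default_factory=dict)  # browser cookie -> username

    def authenticate(self, cookie, username=None, password=None):
        if cookie in self.sessions:
            return cookie                         # already logged on at the IdP
        if username and self.users.get(username) == password:
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = username
            return cookie
        return None

    def issue_assertion(self, cookie, authn_request, lifetime=300):
        if cookie not in self.sessions:
            return None
        assertion = {
            "issuer": IDP_ENTITY_ID,
            "subject": self.sessions[cookie],
            "audience": authn_request["issuer"],          # the requesting SP only
            "in_response_to": authn_request["id"],
            "not_on_or_after": authn_request["issued_at"] + lifetime,
        }
        return {"assertion": assertion, "signature": sign(assertion)}


@dataclass
class ServiceProvider:
    entity_id: str
    pending: dict = field(default_factory=dict)   # request id -> issued_at
    sessions: dict = field(default_factory=dict)  # local session id -> subject

    def authn_request(self, now):
        req = {"id": secrets.token_hex(8), "issuer": self.entity_id, "issued_at": now}
        self.pending[req["id"]] = now
        return req

    def consume(self, response, now):
        """Validate the response; return a local session id, or None when rejected."""
        a = response["assertion"]
        if not hmac.compare_digest(sign(a), response["signature"]):
            return None                           # tampered or not from the IdP
        if a["issuer"] != IDP_ENTITY_ID or a["audience"] != self.entity_id:
            return None                           # meant for another SP
        if self.pending.pop(a["in_response_to"], None) is None:
            return None                           # unsolicited or already consumed
        if now >= a["not_on_or_after"]:
            return None                           # expired
        sid = secrets.token_hex(8)
        self.sessions[sid] = a["subject"]
        return sid


def sso_walkthrough():
    """Password logon to SP1, then SSO to SP2 without re-authentication."""
    idp = IdentityProvider(users={"jack_jones": "constructed-pw"})
    sp1 = ServiceProvider("https://erp.example/sp")   # constructed entity IDs
    sp2 = ServiceProvider("https://crm.example/sp")
    now = int(time.time())
    # 1. browser hits SP1, is redirected to the IdP and authenticates there
    req1 = sp1.authn_request(now)
    cookie = idp.authenticate(None, "jack_jones", "constructed-pw")
    sid1 = sp1.consume(idp.issue_assertion(cookie, req1), now)
    # 2. browser hits SP2; the IdP session answers the request, no password needed
    req2 = sp2.authn_request(now)
    sid2 = sp2.consume(idp.issue_assertion(idp.authenticate(cookie), req2), now)
    # 3. what an SP must reject: SP1's assertion presented to SP2, and an edited subject
    replayed = sp2.consume(idp.issue_assertion(cookie, req1), now)
    tampered = idp.issue_assertion(cookie, sp1.authn_request(now))
    tampered["assertion"]["subject"] = "other_user"
    forged = sp1.consume(tampered, now)
    return {"sp1_user": sp1.sessions.get(sid1), "sp2_user": sp2.sessions.get(sid2),
            "replay_rejected": replayed is None, "forgery_rejected": forged is None}
```

The audience and InResponseTo checks are what keep an assertion bound to the one Service Provider that asked for it; the IdP-side session is what makes the second logon silent.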

SAP NetWeaver Identity Management

Session SIS105 - SAP NetWeaver Identity Management 7.2 - New Features and Functions (Lecture, 1 hr)
Session SIS106 - CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 - SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 - Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 - Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Figure: SAP NetWeaver Identity Management with its Central Identity Store, integrated with SAP Access Control (GRC) for compliance checks and with the SAP Business Suite, e.g. for on-boarding]

Password management
Provisioning to SAP and non-SAP systems
Identity management monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as a service
Approval workflows
Central Identity Store
Compliance checks through GRC
SAP Business Suite Integration

Architecture of SAP NetWeaver Identity Management 7.2

[Figure: three building blocks: Identity Center, Virtual Directory Server and External repositories. Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and the Identity Store (IdS); Runtime (Java), Runtime (VB), DSE (VB) and Dispatcher (VB), with an Event Agent (<<starts>>); AS Java with a Web Dynpro User Interface and an ID Mgmt UI abstraction; Management Console (MMC, soon to be Eclipse) and JMX. Virtual Directory Server: VDS in a Java VM, reached over LDAP. External repositories and applications: LDAP, Java, ABAP, Web Services, Active Directory, SAP HR, SiteMinder, app-specific connectors, etc. Connections: HTTPS, DB protocol, LDAP]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 - Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Figure: the User, the Approver and the Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control in the six numbered steps below]

1. Request for
• Role
• Privileges
• User account
• …

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

6. Provision to
• Business applications
• non-SAP systems
• …
and send approval mail to User

Result: Compliant Identity Management
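The six-step request flow above, as an added example that is not SAP NetWeaver Identity Management or SAP GRC Access Control code: a small state machine in which approval cannot be skipped, self-approval is refused, risk analysis simulates the user's target role set against segregation-of-duties rules, and provisioning is blocked until every detected risk is either absent or mitigated. The role names, the SoD rule pairs and the control IDs are constructed stand-ins.

```python
"""Compliant access-request workflow as a state machine. Added example, not SAP code."""
from dataclasses import dataclass, field

# Constructed segregation-of-duties rules: a user must not hold both roles of a pair.
SOD_RULES = {
    "SOD-01": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),
    "SOD-02": ("PO_CREATE", "GOODS_RECEIPT"),
}


@dataclass
class AccessRequest:
    user: str
    requested_roles: list
    existing_roles: list
    state: str = "REQUESTED"                           # step 1
    approvals: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)    # risk id -> control id
    provisioned: list = field(default_factory=list)
    log: list = field(default_factory=list)            # audit trail of transitions

    def move(self, new_state, note):
        self.log.append(f"{self.state} -> {new_state}: {note}")
        self.state = new_state


def submit_for_approval(req):                          # step 2
    req.move("PENDING_APPROVAL", "sent to manager and role owner")


def approve(req, approver):                            # step 3
    if req.state != "PENDING_APPROVAL":
        raise ValueError("approval outside of the approval step")
    if approver == req.user:
        raise ValueError("self-approval is not allowed")
    req.approvals.append(approver)
    req.move("APPROVED", f"approved by {approver}")


def run_risk_analysis(req):                            # step 4: simulate the target state
    if req.state != "APPROVED":
        raise ValueError("risk analysis requires an approved request")
    future = set(req.existing_roles) | set(req.requested_roles)
    req.risks = [rid for rid, (a, b) in SOD_RULES.items() if a in future and b in future]
    req.move("RISK_ANALYZED", f"{len(req.risks)} SoD conflict(s): {req.risks}")
    return req.risks


def remediate(req, mitigations=None):                  # step 5: reject, approve or mitigate
    mitigations = mitigations or {}
    unmitigated = [r for r in req.risks if r not in mitigations]
    if unmitigated:
        req.move("REJECTED", f"unmitigated risks {unmitigated}")
        return False
    req.mitigations = {r: mitigations[r] for r in req.risks}
    req.move("CLEARED", "no open risks" if not req.risks else "risks mitigated")
    return True


def provision(req, systems):                           # step 6
    if req.state != "CLEARED":
        raise ValueError("provisioning before compliance clearance is blocked")
    req.provisioned = [(s, r) for s in systems for r in req.requested_roles]
    req.move("PROVISIONED", f"{len(req.provisioned)} assignments; approval mail to {req.user}")
    return req.provisioned


def run_workflow(user, requested, existing, approver, mitigations=None, systems=("ERP",)):
    """Drive one request through all six steps and return the final request object."""
    req = AccessRequest(user, list(requested), list(existing))
    submit_for_approval(req)
    approve(req, approver)
    run_risk_analysis(req)
    if remediate(req, mitigations):
        provision(req, systems)
    return req
```

The check in step 4 runs on the union of existing and requested roles, because a request that is harmless on its own can complete a conflicting pair with roles the user already holds.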

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
Centralized user management: Centralized management of identity information across multiple data sources
Integration and synchronization of system authorization data: Manage user privileges centrally
Single Sign-On: Automates and simplifies integration with Enterprise SSO and Web SSO
Federated Identity: Simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
Access Risk Identification: Define and understand access risks
Access Analysis and Response: Analyze and mitigate access risks
Access Reviews: Periodic reviews of assignments, risk violations and controls
Centralized Compliant Role Repository: Define and manage compliant roles

Together: Compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 - Architecture

[Figure: SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02 running AC, PC & RM (software component GRCFND_A). Optional components: SAP NW Portal 7.02 (GRC Portal Content), SAP NW BW 7.02 (GRC BI Content), SAP NW Java 7.02 (Adobe Document Services), Identity Management Solutions (SAP or non-SAP), Content Lifecycle Management (CLM) and the SAP CR Adapter. Managed systems: SAP ERP (4.6C - 7.1) with NW Function Modules (plug-in GRCPINW), HR Function Modules and PC Automated Controls (plug-in GRCPIERP); non-SAP business applications via an adapter. Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player. Connections: RFC, DIAG, HTTP, Web services]

SAP Crystal Reports Adapter and Active Component Framework - needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
Reduce risk through compliance checks and remediation
Automate manual processes through integration

[Figure: process flow. HR Application (New Hire, Change Position) -> Identity Management (Calculate Entitlements Based on Position) -> Line Manager (Approve Assignments: Yes / No) -> SAP GRC Access Control (Compliance Check, Remediation) -> Heterogeneous Landscape (Create User, Assign Roles / Assign Privileges in each target system)]

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Figure: the SAP Attack Monitoring Infrastructure receives Attack Pattern Updates by SAP and ingests Logs of SAP NetWeaver, Logs of Non SAP NetWeaver systems, Desktop Frontend and Mobile Frontend logs, Logs of Infrastructure, Logs of Database, Network logs, IDS, and Alerts from SAP SolMan. Its processing stages are Aggregation, Normalization, Connectivity, Filtering and Extraction. Outputs: an API to other SIEM tools and an Information Back Channel to SAP]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed
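The stages of the draft above (connectivity and extraction, filtering, normalization, aggregation, pattern matching with rules that can be updated separately), as an added example that is not SAP's attack monitoring infrastructure: two constructed log formats from different source types are parsed into one event schema, non-logon noise is filtered out, events are aggregated per user and source, and two constructed patterns (a successful logon right after repeated failures, and a logon from outside the internal address range) are emitted as SIEM-ready alerts. The log formats, field names, addresses and rule thresholds are constructed for illustration and are not real SAP log formats.

```python
"""Minimal log pipeline: extract, filter, normalize, aggregate, match. Added example, not SAP code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two source types (not a real SAP log format).
SAMPLE_LOGS = [
    "netweaver|2013-10-22T09:00:01|AU2|jack_jones|10.0.0.5|logon failed",
    "netweaver|2013-10-22T09:00:03|AU2|jack_jones|10.0.0.5|logon failed",
    "netweaver|2013-10-22T09:00:05|AU2|jack_jones|10.0.0.5|logon failed",
    "netweaver|2013-10-22T09:00:08|AU1|jack_jones|10.0.0.5|logon successful",
    "netweaver|2013-10-22T09:10:00|AU1|mary_smith|10.0.0.9|logon successful",
    "db 2013-10-22 09:12:00 user=SAPSR3 host=10.0.0.77 action=LOGIN result=OK",
    "db 2013-10-22 09:12:30 user=SAPSR3 host=10.0.0.77 action=LOGIN result=OK",
    "db 2013-10-22 11:00:00 user=DBADMIN host=203.0.113.8 action=LOGIN result=OK",
    "netweaver|2013-10-22T09:20:00|AUW|mary_smith|10.0.0.9|report started",
]

# Constructed formats; message IDs AU1/AU2 here simply mean logon success/failure.
NW_RE = re.compile(r"^netweaver\|(?P<ts>[^|]+)\|(?P<msg>\w+)\|(?P<user>[^|]+)\|(?P<src>[^|]+)\|(?P<text>.*)$")
DB_RE = re.compile(r"^db (?P<date>\S+) (?P<time>\S+) user=(?P<user>\S+) host=(?P<src>\S+) "
                   r"action=(?P<action>\S+) result=(?P<result>\S+)$")
INTERNAL_NETS = ("10.",)          # constructed: anything else counts as external


def extract(line):
    """Connectivity/extraction: one raw line -> one normalized event, or None if unknown."""
    m = NW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "netweaver",
                "user": m["user"], "src": m["src"],
                "kind": "logon" if m["msg"] in ("AU1", "AU2") else "other",
                "outcome": "fail" if "failed" in m["text"] else "success"}
    m = DB_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(f"{m['date']}T{m['time']}"), "source": "database",
                "user": m["user"], "src": m["src"],
                "kind": "logon" if m["action"] == "LOGIN" else "other",
                "outcome": "success" if m["result"] == "OK" else "fail"}
    return None


def normalize_and_filter(lines):
    """Filtering: keep only logon events from all sources, in time order."""
    events = [e for e in map(extract, lines) if e and e["kind"] == "logon"]
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), threshold=3):
    """Aggregation per (source, user) plus pattern matching; returns SIEM-ready alert dicts."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[(e["source"], e["user"])].append(e)
    for (source, user), evs in by_user.items():
        fails = [e for e in evs if e["outcome"] == "fail"]
        for e in evs:
            if e["outcome"] != "success":
                continue
            recent = [f for f in fails if e["ts"] - window <= f["ts"] < e["ts"]]
            if len(recent) >= threshold:
                alerts.append({"rule": "SUCCESS_AFTER_FAILURES", "source": source, "user": user,
                               "src": e["src"], "failures": len(recent), "ts": e["ts"]})
            if not e["src"].startswith(INTERNAL_NETS):
                alerts.append({"rule": "LOGON_FROM_EXTERNAL", "source": source, "user": user,
                               "src": e["src"], "ts": e["ts"]})
    return alerts


def run_pipeline(lines=SAMPLE_LOGS):
    return detect(normalize_and_filter(lines))
```

Normalizing every source into the same event shape first is what lets one rule set cover NetWeaver and database logs alike; the rule thresholds and the address ranges are the part that a pattern update would ship.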

Summary - Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions: identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January - March 2014
Complimentary with your SAP TechEd registration
httpsaptechedhandsonsapcom

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 79: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 79

SAP NetWeaver

SAP NetWeaver Single Sign-On and Solution Components

SAP NetWeaver Single Sign-On

Web Access Management

SNC Client Encryption

Partner

API

Endorsed Business Solution (EBS) with CA SiteMinder product Policy-based authentication and authorization to Web applications XACML-based and policy-enforced access

Identity Federation Web based and Web service-based authentication Single sign-on and identity federation via SAML 20 Cross company domain single sign-on

Secure Login

Enterprise Single Sign-On

Single sign-on for Web-based and Web service-based applications Standard-based single sign-on for SAP GUI (Kerberos X509) Digital signature for integrity and re-authentication for critical applications

Enterprise Single Sign-On (E-SSO) for legacy systems (ftp databases terminal telnet)

Secured and automated login via user and password

Basic encryption between SAP Windows clients and SAP application servers

No single sign-on

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 80: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 80

EBS CA SiteMinderreg

Web Access Management

Endorsed Business Solution with CA ndash CA SiteMinder ndash

Dynamic authorization (SAP NetWeaver Java and non-SAP)

Dynamic authentication (SAP NetWeaver Java and non-SAP)

Social networking authentication (Facebook Google etc)

Cross application and cross domain session management

Support for sign-on to heterogeneous applications from mobile platforms via browsers and native apps

User to application security for a heterogeneous app environment

No client deployed to desktop

The essential difference CA SiteMinderreg delivers the above capabilities for

SAP and non-SAP application environments to create a common web access management

layer for customers in a heterogeneous environment

copy 2013 SAP AG or an SAP affiliate company All rights reserved 81

What is Enterprise Single Sign-On

Terminal Emulator

Web Form

Primary

Authentication E-SSO

E-SSO

Monitor

Local Management Console

Web Basic

jack_jones

Windows application Java application

jack_jones

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

[Diagram: an HR event, e.g. on-boarding, triggers SAP NetWeaver Identity Management, which provisions to SAP and non-SAP systems and calls SAP Access Control (GRC) for compliance checks]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Diagram; components and their connections:]

Identity Center
• IC database: either MS SQL Server or Oracle DB (soon IBM DB2); stored procedures; logs, audit and identity store (IdS)
• Runtime (Java) and Runtime (VB) with the Data Synchronization Engine (DSE); the Dispatcher (VB) and the Event Agent start the runtime jobs
• AS Java: Web Dynpro user interface, ID Mgmt UI abstraction, JMX
• Management Console (MMC), soon to be Eclipse-based
• Connections: HTTPS to the user interface, database protocol to the IC database, LDAP to the VDS

Virtual Directory Server (VDS)
• Runs in its own Java VM and exposes LDAP

External repositories and applications
• Active Directory and other LDAP directories, SAP HR, SAP ABAP and Java systems, Web Services, SiteMinder, application-specific connectors

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for Closing the Gap Between Access Control and Identity Management Processes

Compliant Identity Management

[Diagram, built up over seven slides: the User submits a request to SAP NetWeaver Identity Management, which routes it to an Approver, then to SAP GRC Access Control and the Compliance Team, and finally provisions the target systems]

1. The User requests a role, privileges, a user account, …
2. The request is sent for approval to the manager, a delegate, the role owner, the application owner, …
3. Approval is granted by the manager, delegate, role owner or application owner
4. The request is sent for risk analysis to SAP GRC Access Control
5. Risk analysis and remediation by the Compliance Team: reject, approve, mitigate, modify the request, …
6. Provisioning to business applications and non-SAP systems, and an approval mail is sent to the User

Result: compliant identity management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-based identity federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Diagram; components and their connections:]

SAP GRC 10.0 on SAP NetWeaver AS ABAP 7.02
• AC, PC & RM (software component GRCFND_A)
• Content Lifecycle Management (CLM)

Managed systems
• SAP ERP (4.6C – 7.1) via RFC: NW function modules (plug-in GRCPINW), HR function modules, PC automated controls (plug-in GRCPIERP)
• Non-SAP business applications via an adapter
• Identity Management solutions (SAP or non-SAP), optional

Optional components
• SAP NW Portal 7.02 with GRC Portal Content
• SAP NW BW 7.02 with GRC BI Content
• SAP NW Java 7.02 with Adobe Document Services

Front-end client
• SAP GUI 7.10 (DIAG) or a web browser (HTTP) with Adobe Flash Player
• SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Connections shown in the diagram: HTTP, Web services and RFC between the components, DIAG for SAP GUI

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying the assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flow diagram:]
1. HR application: new hire or change of position
2. Identity Management: calculate entitlements based on position
3. Line manager: approve assignments? (No: stop; Yes: continue)
4. SAP GRC Access Control: compliance check and remediation
5. Heterogeneous landscape: create user and assign roles/privileges in each target system
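As an added example covering both the six-step Compliant Identity Management flow and the HR-triggered scenario above, and not code from SAP NetWeaver Identity Management or SAP GRC Access Control: a Python pipeline that derives entitlements from an HR position, obtains line-manager approval, runs a segregation-of-duties analysis over the user's existing plus requested privileges, and provisions only when every risk found is covered by an accepted mitigating control. Positions, roles, privileges, target systems, rule IDs and control IDs are all constructed for illustration.

```python
"""Compliant identity management pipeline: HR event -> rule-based entitlements ->
line-manager approval -> access-risk (SoD) analysis with mitigation -> provisioning.
Added example, not SAP IdM or GRC code; all master data below is constructed."""
from dataclasses import dataclass, field

# Rule-based assignment of business roles by HR position (constructed).
POSITION_ROLES = {
    "AP_CLERK": {"FI_AP_INVOICE_ENTRY"},
    "AP_SUPERVISOR": {"FI_AP_INVOICE_ENTRY", "FI_AP_PAYMENT_RUN"},
    "SALES_REP": {"SD_ORDER_ENTRY"},
}
# Business role -> technical privileges per target system (constructed).
ROLE_PRIVILEGES = {
    "FI_AP_INVOICE_ENTRY": {"ERP": {"Z_FI_AP_INV"}, "AD": {"GRP_AP"}},
    "FI_AP_PAYMENT_RUN": {"ERP": {"Z_FI_AP_PAY"}, "AD": {"GRP_AP"}},
    "SD_ORDER_ENTRY": {"ERP": {"Z_SD_ORD"}, "CRM": {"SALES"}},
}
# Segregation-of-duties rule set: (risk ID, conflicting ERP privileges, description).
SOD_RULES = [
    ("P001", {"Z_FI_AP_INV", "Z_FI_AP_PAY"}, "enter a vendor invoice and release its payment"),
]
# Mitigating controls accepted for a given risk (constructed).
MITIGATING_CONTROLS = {"P001": {"C-AP-01"}}


@dataclass
class AccessRequest:
    user: str
    roles: set
    status: str = "requested"
    approver: str = ""
    risks: list = field(default_factory=list)        # risk IDs found by the analysis
    mitigations: dict = field(default_factory=dict)  # risk ID -> accepted control ID


def entitlements_for(position):
    """Step 2 of the scenario: business roles derived from the HR position."""
    return set(POSITION_ROLES.get(position, ()))


def privileges(roles):
    """Flatten business roles into technical privileges per target system."""
    out = {}
    for role in roles:
        for system, privs in ROLE_PRIVILEGES[role].items():
            out.setdefault(system, set()).update(privs)
    return out


def risk_analysis(request, existing_roles):
    """Step 4: SoD check over existing plus requested privileges; a request that is
    clean on its own can still complete a conflict with what the user already has."""
    erp = privileges(existing_roles | request.roles).get("ERP", set())
    request.risks = [rid for rid, conflict, _ in SOD_RULES if conflict <= erp]
    return request.risks


def remediate(request, proposed_mitigations):
    """Step 5: every risk must be covered by an accepted control, otherwise reject."""
    for rid in request.risks:
        control = proposed_mitigations.get(rid)
        if control not in MITIGATING_CONTROLS.get(rid, set()):
            request.status = "rejected"
            return request.status
        request.mitigations[rid] = control
    request.status = "approved"
    return request.status


def provision(request, connectors):
    """Step 6: push the new privileges to each target system through its connector."""
    for system, privs in privileges(request.roles).items():
        connectors[system](request.user, privs)
    request.status = "provisioned"
    return request.status


def on_hr_event(event, identity_store, connectors, approver, mitigations=None):
    """Runs the scenario for a new hire or a position change. identity_store maps
    user -> currently assigned business roles; approver(request) is the line manager."""
    req = AccessRequest(event["user"], entitlements_for(event["position"]))
    existing = identity_store.get(req.user, set())
    req.roles -= existing                       # request only what is not assigned yet
    if not approver(req):                       # step 3: line manager says No
        req.status = "rejected"
        return req
    req.approver = "line_manager"
    risk_analysis(req, existing)
    if remediate(req, mitigations or {}) == "rejected":
        return req
    provision(req, connectors)
    identity_store[req.user] = existing | req.roles
    return req
```

The detail worth copying is in risk_analysis: the rule set is evaluated against the union of what the user already holds and what is being requested, which is the only way a position change that adds one role can surface the invoice/payment conflict with a role assigned months earlier.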

Moving Security to the Next Level

Planned features and developments: Centralized SAP Attack Monitoring Infrastructure; UCON (Unified Connectivity)

Planned Enhancement – Architecture Draft for a Centralized SAP Attack Monitoring Infrastructure

[Diagram:]

Inputs
• Attack pattern updates by SAP
• Logs of SAP NetWeaver systems
• Logs of non-SAP NetWeaver systems
• Desktop front-end and mobile front-end logs
• Logs of infrastructure and database
• Network logs, IDS
• Alerts from SAP Solution Manager

SAP Attack Monitoring Infrastructure
• Connectivity, extraction, filtering, aggregation, normalization
• API to other SIEM tools
• Information back channel to SAP

Open point: limited analysis possibilities on local SAP NetWeaver systems have to be discussed
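What the boxes of the draft amount to in practice, as an added example that is not SAP code: a Python sketch of the connectivity, extraction, filtering, aggregation and normalization chain over constructed log lines from a NetWeaver system and a non-NetWeaver proxy, with two attack patterns (a burst of failed logons, and a successful logon that follows such a burst) producing alerts in one schema that a SIEM could ingest. Line formats, hostnames, users and thresholds are invented; only the AU1/AU2/AU3 message IDs follow the Security Audit Log numbering.

```python
"""Aggregation, normalization and attack-pattern matching over logon events from several
sources. Added example, not SAP code; line formats and patterns are constructed."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source 1: NetWeaver security audit log in a constructed key=value layout.
SAL_RE = re.compile(r"^(?P<ts>\S+) (?P<sid>\w+) (?P<msg>AU\d) user=(?P<user>\S+) term=(?P<term>\S+)")


def normalize(line):
    """Map a raw line from any source onto one event schema; None means filtered out."""
    m = SAL_RE.match(line)
    if m:
        outcome = {"AU1": "success", "AU2": "failure"}.get(m["msg"])
        if outcome is None:
            return None                              # filtering: other message types
        return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), "src": m["sid"],
                "user": m["user"].upper(), "origin": m["term"].upper(), "outcome": outcome}
    if line.startswith("{"):                         # Source 2: non-NetWeaver component, JSON lines
        j = json.loads(line)
        if j.get("event") != "logon":
            return None
        return {"ts": datetime.fromisoformat(j["time"].replace("Z", "+00:00")), "src": j["host"],
                "user": j["user"].upper(), "origin": j["client_ip"], "outcome": j["result"]}
    return None


class LogonPatternDetector:
    """Sliding-window patterns over normalized logon events from all sources."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)           # user -> timestamps of recent failures
        self.alerted = set()                         # (user, pattern) already raised

    def feed(self, event):
        """Returns an alert dict when a pattern completes, else None."""
        user, ts = event["user"], event["ts"]
        q = self.failures[user]
        while q and ts - q[0] > self.window:         # drop failures outside the window
            q.popleft()
        if event["outcome"] == "failure":
            q.append(ts)
            if len(q) >= self.threshold and (user, "brute_force") not in self.alerted:
                self.alerted.add((user, "brute_force"))
                return self._alert("brute_force", "medium", event, len(q))
        elif event["outcome"] == "success" and len(q) >= self.threshold:
            q.clear()
            self.alerted.discard((user, "brute_force"))
            return self._alert("brute_force_success", "high", event, self.threshold)
        return None

    @staticmethod
    def _alert(kind, severity, event, count):
        return {"pattern": kind, "severity": severity, "user": event["user"], "src": event["src"],
                "origin": event["origin"], "ts": event["ts"].isoformat(), "failures": count}


def run(lines, detector=None):
    """Aggregate all sources in time order and return the alerts for a SIEM."""
    detector = detector or LogonPatternDetector()
    events = [e for e in map(normalize, lines) if e]
    events.sort(key=lambda e: e["ts"])               # aggregation across sources
    return [a for a in map(detector.feed, events) if a]


# Constructed sample lines from two sources (not real system output).
SAMPLE_LINES = [
    "2013-11-05T10:00:01Z ERP01 AU2 user=JDOE term=PC-4711 reason=1",
    "2013-11-05T10:00:05Z ERP01 AU2 user=JDOE term=PC-4711 reason=1",
    "2013-11-05T10:00:09Z ERP01 AU3 user=JDOE term=PC-4711 tcode=SU01",
    '{"time": "2013-11-05T10:00:12Z", "host": "proxy01", "event": "logon", "user": "jdoe", '
    '"client_ip": "10.1.2.3", "result": "failure"}',
    "2013-11-05T10:00:20Z ERP01 AU1 user=JDOE term=PC-4711",
    "2013-11-05T10:07:00Z ERP01 AU2 user=ASMITH term=PC-0815 reason=1",
    '{"time": "2013-11-05T10:07:05Z", "host": "proxy01", "event": "health", "status": "ok"}',
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(json.dumps(alert))
```

The point of normalizing before matching is visible in the sample: the third failed logon for JDOE arrives from the proxy, not from the NetWeaver audit log, and only the merged, time-ordered stream reaches the threshold and then flags the successful logon that follows it.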

Summary – Key Take-Aways

• SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• Support for SAML 2.0 for identity federation provides the international standards support and heterogeneity mandatory for composite business applications and networked solutions
• SAP leads the industry in helping its customers thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.


What Is Enterprise Single Sign-On?

[Diagram: after a primary authentication, the E-SSO client on the desktop monitors the applications and logs the user (jack_jones) on to a terminal emulator, a web form, web basic authentication, a Windows application and a Java application; a local management console configures the client]

Secure Login – Solution Architecture

[Diagram; components and their connections:]

Client system
• SAP front end (NWBC, SAP GUI) with the Secure Login Client and a PSE service
• Web browser with the Secure Login Web Client (SLWC, applet) using the browser key store
• SAP or Java crypto library

Secure Login Server on NetWeaver CE 7.2 (Java stack)
• Secure Login Library and configuration data
• Authentication server (e.g. SAP User Management)

SAP backend systems (ABAP stack), each with the Secure Login Library

Protocols: DIAG with SNC, HTTP(S)

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

• Different companies
• One business process
• Separated IT infrastructure
• Cloud

[Diagram: Company A (Datacenter A) and Company B (Datacenter B), each running its own ERP, CRM and SCM systems, plus further systems in the cloud]

Identity Federation – Solution

[Diagram: in Datacenter A and Datacenter B, each ERP, CRM and SCM system of Company A and Company B acts as a SAML Service Provider (SP); each company runs its own Identity Provider, and identity federation links the two Identity Providers]

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 82: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 82

Secure Login ndash Solution Architecture

Client System

SAP Frontend

NWBC SAP GUI

Secure Login Client

Backend System Backend System

SAP Backend System

ABAP

Stack

Secure

Login

Library

NetWeaver CE 72

Secure Login

Server

Config

Data Backend System Backend System Authentication Server (eg

SAP User Management)

Secure Login Lib R

R DIAG SNC HTTP(S)

R

PSE Service

Java

Stack

Browser

Key Store

Web Browser

SLWC

(Applet)

SAP or Java

Crypto Library

SAP NetWeaver Single Sign-On Identity Federation

Session SIS264 ndash Security Assertion Markup Language 20 ndash Single Sign-On and Identity Federation

copy 2013 SAP AG or an SAP affiliate company All rights reserved 84

Why Identity Federation

Different companies

One business process

Separated IT infrastructure

Cloud

Datacenter A Datacenter B

hellip hellip

hellip

ERP

CRM

SCM

ERP

CRM

SCM

Company A Company B

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram] Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of Non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Logs Network; IDS; Alerts from SAP SolMan. Core: SAP Attack Monitoring Infrastructure with Aggregation, Normalization, Connectivity, Filtering and Extraction stages. Outputs: API to other SIEM tools; Information Back Channel to SAP.

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed
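To make the Aggregation, Normalization, Filtering and Extraction stages of the draft concrete, here is an added example (not code from the presentation, and not SAP's log format) that turns constructed log lines from an SAP NetWeaver-style source and an infrastructure host into one event schema, drops lines with no security meaning, and applies one attack pattern: a burst of failed logons followed by a success from the same user and address. The pipe-delimited line layout is invented for the example; the AU1/AU2 codes are assumed to follow the Security Audit Log's message IDs for successful and failed logon.

```python
"""Constructed sketch of a log aggregation/normalization/filtering/extraction
pipeline. Line formats, hosts, users and addresses are constructed; the
pipeline, not any real product output, is what the example shows."""
import re
from collections import defaultdict

# constructed sample lines from three sources (not real product output)
SAMPLE_LOGS = [
    "netweaver|2013-11-05T09:00:01|AU2|ALICE|10.0.0.7|Logon failed",
    "netweaver|2013-11-05T09:00:03|AU2|ALICE|10.0.0.7|Logon failed",
    "netweaver|2013-11-05T09:00:05|AU2|ALICE|10.0.0.7|Logon failed",
    "netweaver|2013-11-05T09:00:09|AU1|ALICE|10.0.0.7|Logon successful",
    "Nov  5 09:00:02 dbhost sshd[412]: Failed password for bob from 10.0.0.9",
    "2013-11-05 09:00:08 web01 GET /sap/bc/ 200 10.0.0.7",
    "netweaver|2013-11-05T09:01:00|AU1|CARol|10.0.0.8|Logon successful",
]

# constructed formats: a pipe-delimited NetWeaver-style audit line and an sshd line
NW_RE = re.compile(r"^netweaver\|(?P<ts>[^|]+)\|(?P<code>\w+)\|(?P<user>\w+)\|(?P<src>[\d.]+)\|(?P<msg>.*)$")
SSH_RE = re.compile(r"^\w{3}\s+\d+ (?P<time>[\d:]+) \S+ sshd\[\d+\]: "
                    r"(?P<msg>Failed password|Accepted password) for (?P<user>\w+) from (?P<src>[\d.]+)")

def normalize(line):
    """Normalization: map a raw line into the common event schema; None means
    the line is filtered out because it carries no security meaning here."""
    m = NW_RE.match(line)
    if m:
        # AU1/AU2 assumed to mean successful/failed logon (Security Audit Log message IDs)
        outcome = "failure" if m["code"] == "AU2" else "success" if m["code"] == "AU1" else "other"
        return {"source": "sap_netweaver", "ts": m["ts"], "user": m["user"].upper(),
                "src": m["src"], "action": "logon", "outcome": outcome}
    m = SSH_RE.match(line)
    if m:
        # syslog lines carry no year; the constructed date is supplied for ordering
        return {"source": "infrastructure", "ts": "2013-11-05T" + m["time"],
                "user": m["user"].upper(), "src": m["src"], "action": "logon",
                "outcome": "failure" if m["msg"].startswith("Failed") else "success"}
    return None

def match_patterns(events, threshold=3):
    """Extraction: apply an attack pattern over the normalized stream.
    Here: at least `threshold` failed logons, then a success, per (user, source)."""
    failures = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key] += 1
        elif ev["outcome"] == "success" and failures[key] >= threshold:
            alerts.append({"pattern": "failed_logons_then_success", "user": ev["user"],
                           "src": ev["src"], "failures": failures[key], "ts": ev["ts"]})
            failures[key] = 0
    return alerts

def run_pipeline(lines):
    """Aggregation of all sources, then normalization, filtering and extraction."""
    events = [e for e in map(normalize, lines) if e]
    return {"events": len(events), "dropped": len(lines) - len(events),
            "alerts": match_patterns(events)}
```

Running `run_pipeline(SAMPLE_LOGS)` keeps six events, drops the web access line, and raises one alert for ALICE from 10.0.0.7 after three failures; the single failure for bob stays below the threshold. Because the pattern is evaluated per (user, source address) across both feeds, the same logic would flag a password-spray that alternates between the ABAP logon and the host's SSH daemon, which is the point of normalizing into one schema before matching.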

Summary – Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
Access hands-on workshops post-event
Available January – March 2014
Complimentary with your SAP TechEd registration
http://saptechedhandson.sap.com

SAP TechEd Online
Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions, and more
View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100
Thanks for attending this SAP TechEd session

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 83: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Single Sign-On: Identity Federation

Session SIS264 – Security Assertion Markup Language 2.0 – Single Sign-On and Identity Federation

Why Identity Federation?

Different companies
One business process
Separated IT infrastructure

[Diagram] Company A (Datacenter A: ERP, CRM, SCM, …) and Company B (Datacenter B: ERP, CRM, SCM, …), connected through the Cloud

Identity Federation – Solution

[Diagram] Company A (Datacenter A) and Company B (Datacenter B), each with ERP, CRM and SCM systems acting as Service Providers (SP) behind the company's own Identity Provider; the two Identity Providers are linked by Identity Federation

Each company maintains only its own identities
A company can trust the identities of another organization
Employees of company A can get access to shared information of company B
SAP Business Suite will be enabled for SAML (Service Provider)
Identity Provider and Service Provider are based on the open SAML standard

Identity Provider – Web Browser-Based Single Sign-On

[Diagram] An SAP NetWeaver Java Identity Provider (with its User Account) handles log on/log off and issues a SAML token to each Service Provider, each of which keeps its own User Account: SAP NetWeaver ABAP Service Provider, SAP NetWeaver Java Service Provider, NON SAP Service Provider

The landscape consists of an Identity Provider and systems enabled via Service Providers (SAML)
Web users trying to access a system will be redirected to the Identity Provider
Once a user is authenticated by the Identity Provider, the user can access all systems (via Service Provider) without re-authentication
Web Browser-based single sign-on is user-centric
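The redirect-and-assert flow described above, as an added example that is not part of the original presentation and not SAP NetWeaver Single Sign-On code: a minimal Identity Provider that authenticates the user once and issues one assertion per Service Provider, and a Service Provider that performs the trust checks before it creates a local session. An HMAC over JSON stands in for the SAML XML signature; the entity IDs, the user, the password and the shared secret are constructed placeholders.

```python
"""Browser-SSO style federation reduced to the checks a Service Provider (SP)
must perform on an assertion from the Identity Provider (IdP). Constructed
example: HMAC-SHA256 over canonical JSON replaces XML-DSig, and all names
and secrets are placeholders."""
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Authenticates the user once; afterwards issues assertions without re-authentication."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key
        self.users = {"alice": "correct-horse"}   # constructed user store
        self.sessions = set()                     # users with an IdP logon session

    def log_on(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("authentication failed")
        self.sessions.add(user)

    def issue_assertion(self, user, audience, in_response_to, now):
        if user not in self.sessions:
            raise PermissionError("user must log on at the IdP first")
        assertion = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id,
                     "subject": user, "audience": audience,
                     "in_response_to": in_response_to,
                     "not_before": now, "not_on_or_after": now + 300}
        payload = json.dumps(assertion, sort_keys=True).encode()
        return {"assertion": assertion,
                "signature": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    """Trusts named IdPs and consumes assertions addressed to itself."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps   # issuer entity id -> verification key
        self.pending = set()               # AuthnRequest ids we sent and still await
        self.seen = set()                  # assertion ids already consumed (replay check)
        self.local_sessions = set()

    def authn_request(self):
        rid = "_req" + secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, token, now):
        a = token["assertion"]
        key = self.trusted_idps.get(a["issuer"])
        if key is None:
            return "rejected: untrusted issuer"
        payload = json.dumps(a, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return "rejected: bad signature"
        if a["audience"] != self.entity_id:
            return "rejected: audience mismatch"
        if not a["not_before"] <= now < a["not_on_or_after"]:
            return "rejected: outside validity window"
        if a["id"] in self.seen:
            return "rejected: replayed assertion"
        if a["in_response_to"] not in self.pending:
            return "rejected: unsolicited or unknown request id"
        self.pending.discard(a["in_response_to"])
        self.seen.add(a["id"])
        self.local_sessions.add(a["subject"])
        return "accepted"


def demo():
    """One IdP logon, two SPs, then the failure modes the SP must catch."""
    key = b"constructed-shared-secret"
    idp = IdentityProvider("https://idp.example", key)
    sp_abap = ServiceProvider("https://sp-abap.example", {"https://idp.example": key})
    sp_java = ServiceProvider("https://sp-java.example", {"https://idp.example": key})
    now = 1_700_000_000
    idp.log_on("alice", "correct-horse")
    results = {}
    r1 = sp_abap.authn_request()                      # browser redirected to the IdP
    t1 = idp.issue_assertion("alice", sp_abap.entity_id, r1, now)
    results["abap"] = sp_abap.consume(t1, now)
    r2 = sp_java.authn_request()                      # second system, no re-authentication
    t2 = idp.issue_assertion("alice", sp_java.entity_id, r2, now)
    results["java"] = sp_java.consume(t2, now)
    results["replay"] = sp_abap.consume(t1, now)      # same assertion presented twice
    results["wrong_audience"] = sp_java.consume(t1, now)
    t3 = idp.issue_assertion("alice", sp_abap.entity_id, sp_abap.authn_request(), now)
    results["expired"] = sp_abap.consume(t3, now + 600)
    tampered = {"assertion": dict(t2["assertion"], subject="admin"), "signature": t2["signature"]}
    results["tampered"] = sp_java.consume(tampered, now)
    return results
```

The audience check is what keeps an assertion issued for the ABAP system from being accepted by the Java system even though both trust the same Identity Provider, and the consumed-id set is what stops a captured assertion from being presented a second time inside its validity window; both checks are independent of the signature and have to be made explicitly by the Service Provider.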

SAP NetWeaver Identity Management

Session SIS105 – SAP NetWeaver Identity Management 7.2 – New Features and Functions (Lecture, 1 hr)
Session SIS106 – CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture, 1 hr)
Session SIS203 – SAP NetWeaver Identity Management 7.2: Mobility, REST, UI5 (Lecture, 1 hr)
Session SIS262 – Introducing SAP NetWeaver Identity Management Developer Studio (HO, 2 hr)
Session SIS263 – Advanced features of SAP NW IdM: Context Based Role Assignments (HO, 2 hr)

SAP NetWeaver Identity Management

[Overview diagram] SAP NetWeaver Identity Management (e.g. on-boarding) around a Central Identity Store, with SAP Access Control (GRC) and SAP Business Suite Integration

Password management
Provisioning to SAP and non-SAP systems
Identity mgmt monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as service
Approval workflows
Compliance checks through GRC

Architecture of SAP NetWeaver Identity Management 7.2

[Architecture diagram] Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) holding stored procedures, logs, audit and the Identity Store (IdS), reached over the DB protocol; Runtime (Java), Runtime (VB), DSE (VB) and Dispatcher (VB), with the Event Agent that <<starts>> them; User Interface on AS Java (Web Dynpro ID Mgmt UI abstraction, JMX) accessed over HTTPS; MMC Management Console, soon to be Eclipse. Virtual Directory Server (VDS) running in a Java VM, accessed via LDAP, with connectors for LDAP, Java, ABAP, Web Services, Active Directory, etc. External repositories and external applications: SAP HR, LDAP/Web Services, SiteMinder, app-specific, etc.

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Process diagram, built up step by step over slides 92–98: the User, the Approver and the Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control; the numbered arrows 1–6 correspond to the steps below]

1. Request for
• Role
• Privileges
• User account
• …

2. Request sent for approval to
• Manager
• Delegate
• Role owner
• Application owner
• …

3. Approval granted from
• Manager
• Delegate
• Role owner
• Application owner
• …

4. Send for risk analysis to
• Manager
• Delegate
• Role owner
• Application owner
• …

5. Risk analysis and remediation
• Reject
• Approve
• Mitigate
• Modify request
• …

6. Provision to
• Business applications
• non-SAP systems
• …
And send approval mail to User

Result: Compliant Identity Management
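The six-step flow above and the HR-triggered "Example Customer Scenario" slide, as one added example that is not part of the presentation and not SAP NetWeaver Identity Management or SAP GRC Access Control code: an HR event derives entitlements from the position, the line manager approves, the request is checked against a segregation-of-duties ruleset together with the roles the user already holds, the compliance team rejects, approves, mitigates or modifies it, and only a compliant, approved request is provisioned. The position-to-role mapping, SoD rules, control IDs and target systems are constructed.

```python
"""Compliant identity management workflow as a constructed simulation:
request -> approval -> SoD risk analysis -> remediation -> provisioning.
Position-to-role mapping, SoD rules, control ids and target systems are
hypothetical, not product data."""
from dataclasses import dataclass, field

# constructed: entitlements derived from the HR position
POSITION_ROLES = {
    "AP_CLERK": ["AP_INVOICE_ENTRY"],
    "AP_MANAGER": ["AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"],
}
# constructed segregation-of-duties ruleset: a rule fires when one user holds both roles
SOD_RULES = {
    "SOD-001": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "SOD-002": {"PO_CREATE", "AP_PAYMENT_RELEASE"},
}
# constructed: target system each role is provisioned to (SAP and non-SAP)
TARGETS = {"AP_INVOICE_ENTRY": "ERP", "AP_PAYMENT_RELEASE": "ERP", "PO_CREATE": "NONSAP_SRM"}


@dataclass
class Request:
    user: str
    roles: list                                    # requested roles
    existing: list = field(default_factory=list)   # roles the user already holds
    approvals: dict = field(default_factory=dict)
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    status: str = "requested"
    provisioned: dict = field(default_factory=dict)


def hr_event(user, position, existing=()):
    """Step 1: a new hire or position change creates the request. The role list is
    copied so that a later 'modify' cannot alter the position mapping itself."""
    return Request(user, list(POSITION_ROLES[position]), list(existing))


def approve(req, approver, decision):
    """Steps 2 and 3: manager / delegate / role owner decision."""
    req.approvals[approver] = decision
    if not decision:
        req.status = "rejected"
    return req


def risk_analysis(req):
    """Step 4: check requested plus existing roles against the SoD ruleset."""
    effective = set(req.existing) | set(req.roles)
    req.risks = [rid for rid, pair in SOD_RULES.items() if pair <= effective]
    return req.risks


def remediate(req, decision, mitigations=None):
    """Step 5: reject, approve, mitigate (a control per open risk) or modify the request."""
    if decision == "mitigate":
        req.mitigations = dict(mitigations or {})
        open_risks = [r for r in req.risks if r not in req.mitigations]
        req.status = "approved" if not open_risks else "blocked"
    elif decision == "modify":
        # drop the requested role involved in the most open conflicts, until clean
        while risk_analysis(req) and req.roles:
            worst = max(req.roles, key=lambda r: sum(r in SOD_RULES[x] for x in req.risks))
            req.roles.remove(worst)
        req.status = "approved" if not req.risks else "blocked"
    else:
        req.status = "approved" if decision == "approve" else "rejected"
    return req.status


def provision(req):
    """Step 6: provision only a compliant and fully approved request."""
    if req.status != "approved" or not all(req.approvals.values()):
        return {}
    for role in req.roles:
        req.provisioned.setdefault(TARGETS[role], []).append(role)
    req.status = "provisioned"      # the approval mail to the user would be sent here
    return req.provisioned


def run_scenario():
    out = {}
    # new hire without conflicts goes straight through
    r1 = approve(hr_event("u1", "AP_CLERK"), "line_manager", True)
    risk_analysis(r1); remediate(r1, "approve")
    out["clean"] = provision(r1)
    # position change conflicts with a role the user already holds
    r2 = approve(hr_event("u2", "AP_MANAGER", existing=["PO_CREATE"]), "line_manager", True)
    out["risks"] = risk_analysis(r2)
    out["blocked"] = remediate(r2, "mitigate", {"SOD-001": "CTRL-4EYES"})  # SOD-002 left open
    out["blocked_prov"] = provision(r2)
    # same request, but the compliance team modifies it instead of blocking it
    r3 = approve(hr_event("u3", "AP_MANAGER", existing=["PO_CREATE"]), "line_manager", True)
    risk_analysis(r3); remediate(r3, "modify")
    out["modified_roles"] = r3.roles
    out["modified_prov"] = provision(r3)
    # manager rejection: nothing is provisioned whatever the risk outcome
    r4 = approve(hr_event("u4", "AP_CLERK"), "line_manager", False)
    risk_analysis(r4); remediate(r4, "approve")
    out["rejected_prov"] = provision(r4)
    return out
```

The risk analysis deliberately runs over the union of requested and existing roles: the second request is clean on its own, and only the PO_CREATE role the user already holds makes SOD-002 fire. A partial mitigation leaves the request blocked, the "modify" path removes the one requested role that sits in both conflicts, and the provisioning step refuses anything that is not both risk-clean and approved by every recorded approver.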



Page 85: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 85

Identity Federation ndash Solution

ERP

CRM

SCM

Company A Company B

Datacenter B SP

SP

SP

ERP

CRM

SCM

SP

SP

SP

Identity Provider Identity Provider

Identity Federation

Each company maintains only

its own identities

A company can trust the

identities of another

organization

Employees of the company A

can get access to shared

information of company B

SAP Business Suite will be

enabled for SAML (Service

Provider)

Identity Provider and Service

Provider are based on the open

SAML standard

Datacenter A

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Architecture of SAP NetWeaver Identity Management 7.2

Diagram placeholder; the component labels recovered from the slide are:

• Identity Center: IC database (either MS-SQL or Oracle DB, soon IBM DB2) with stored procedures, logs, audit and IdS; Runtime (Java); Runtime (VB); DSE (VB); Dispatcher (VB); Event Agent «Starts»; HTTPS; DB protocol
• Virtual Directory Server (VDS): Java VM; LDAP
• External repositories: LDAP, Java, ABAP, Web services, Active Directory, etc.
• External applications: SAP HR, LDAP/Web services, SiteMinder, application-specific, etc.
• AS Java: Web Dynpro, ID Mgmt UI abstraction, JMX; User Interface
• Management Console (MMC), soon to be Eclipse

Compliant Identity Management with SAP GRC Access Control

• Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

Process diagram placeholder; the actors recovered from the slides are User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control. The numbered steps are:

1. Request for
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

Diagram placeholder; the component labels recovered from the slide are (components marked "optional" on the slide are noted as such):

• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW); HR Function Modules; PC Automated Ctrls (Plug-in GRCPIERP)
• Non-SAP Business Applications: Adapter (optional)
• Identity Management Solutions (SAP or Non-SAP), optional
• SAP NW Portal 7.02: GRC Portal Content (optional)
• SAP NW BW 7.02: GRC BI Content (optional)
• SAP NW JAVA 7.02: Adobe Document Services (optional)
• Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter
• Connection labels: http, Web services, RFC, DIAG
• SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Flowchart placeholder; the labels recovered from the slide, in the order they appear, are: HR Application (New Hire, Change Position) → Identity Management (Calculate Entitlements Based on Position) → Line Manager (Approve Assignments: Yes / No) → SAP GRC Access Control (Compliance Check, Remediation) → Heterogeneous Landscape (Create User / Assign Roles in three target systems; Create User / Assign Privileges)
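The six-step request flow of the preceding slides and the HR-triggered scenario on this slide, as one added example (Python written for this page, not code from the deck, from SAP NetWeaver Identity Management or from GRC Access Control): an HR event produces a request whose roles are derived from the position, a line manager approves it, a GRC-style risk analysis checks the requested roles against segregation-of-duties rules, the compliance team chooses reject / approve / mitigate / modify, and only a cleared request is provisioned to the target systems. The position-to-role rules, role-to-system mapping, SoD conflict and system names are constructed sample data.

```python
from dataclasses import dataclass, field

# Rule-based assignment: HR position -> business roles (constructed sample rules).
POSITION_ROLES = {
    "AP Clerk": ["AP_INVOICE_ENTRY"],
    "AP Manager": ["AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"],
    "Sales Rep": ["SD_ORDER_ENTRY"],
}
# Target systems each business role is provisioned to (constructed; SAP and non-SAP).
ROLE_SYSTEMS = {
    "AP_INVOICE_ENTRY": ["ERP_ABAP"],
    "AP_PAYMENT_RELEASE": ["ERP_ABAP", "BANKING_NONSAP"],
    "SD_ORDER_ENTRY": ["ERP_ABAP", "CRM_JAVA"],
}
# Segregation-of-duties rules a GRC-style risk analysis applies (constructed).
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "P001 enter and pay invoices",
}


@dataclass
class Request:
    user: str
    position: str
    roles: list = field(default_factory=list)
    status: str = "NEW"
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    provisioned: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)     # audit trail, one line per step

    def log(self, step, msg):
        self.trail.append(f"step {step}: {msg}")


def calculate_entitlements(req):                  # step 1, IdM: HR event -> request
    req.roles = list(POSITION_ROLES.get(req.position, []))
    req.status = "REQUESTED"
    req.log(1, f"{req.user} ({req.position}) requests {req.roles}")
    return req


def manager_approval(req, approve):               # steps 2-3, line manager / approver
    req.status = "APPROVED" if approve else "REJECTED"
    req.log(3, "line manager " + ("approved" if approve else "rejected"))
    return req


def risk_analysis(req):                           # step 4, GRC Access Control
    held = set(req.roles)
    req.risks = [rid for pair, rid in SOD_CONFLICTS.items() if pair <= held]
    req.log(4, f"risks: {req.risks or 'none'}")
    return req


def remediation(req, decision, control=None):     # step 5, compliance team
    if not req.risks or decision == "approve":    # "approve" = accept the risk
        req.status = "CLEARED"
    elif decision == "mitigate":                  # keep roles, attach a mitigating control
        req.mitigations = {rid: control for rid in req.risks}
        req.status = "CLEARED"
    elif decision == "modify":                    # drop the later role of each conflict
        for pair in SOD_CONFLICTS:
            if pair <= set(req.roles):
                req.roles.remove(sorted(pair)[1])
        req.risks, req.status = [], "CLEARED"
    else:                                         # "reject"
        req.status = "REJECTED"
    req.log(5, f"remediation={decision} -> {req.status}")
    return req


def provision(req):                               # step 6, IdM -> heterogeneous landscape
    if req.status != "CLEARED":
        req.log(6, "nothing provisioned")
        return req
    for role in req.roles:
        for system in ROLE_SYSTEMS[role]:
            req.provisioned.setdefault(system, []).append(role)
    req.status = "PROVISIONED"
    req.log(6, f"provisioned {req.provisioned}; approval mail sent to {req.user}")
    return req


def process_hr_event(user, position, manager_approves=True, decision="reject", control=None):
    """Run one HR event through the whole flow and return the finished request."""
    req = manager_approval(calculate_entitlements(Request(user, position)), manager_approves)
    if req.status == "REJECTED":
        return provision(req)
    return provision(remediation(risk_analysis(req), decision, control))
```

The ordering is the security-relevant part: provisioning happens only after the risk analysis has run and the request has been cleared, so a conflicting combination such as entering and releasing invoices never reaches the target systems unless the compliance team explicitly mitigated or accepted it, and the `trail` records who decided what at each step for a later access review.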

Moving Security to the next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure; UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram placeholder; the labels recovered from the slide are:

• Inputs: Attack Pattern Updates by SAP; Logs of SAP NetWeaver; Logs of Non-SAP NetWeaver; Desktop Frontend; Mobile Frontend; Logs of Infrastructure; Logs of Database; Network Logs; IDS; Alerts from SAP SolMan
• SAP Attack Monitoring Infrastructure stages: Connectivity, Extraction, Filtering, Normalization, Aggregation
• Outputs: API to other SIEM tools; Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
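The pipeline stages named on the slide (connectivity, extraction, filtering, normalization, aggregation, then matching against updatable attack patterns and handing results to a SIEM), as an added example that is not SAP's code and not a description of the planned product: a Python pipeline that takes raw lines from three heterogeneous sources, extracts fields with one regex per source, filters noise and non-logon events, normalizes everything into one event schema, aggregates per user, and matches a data-driven pattern list. The line formats, the pattern and the sample log lines are constructed for this example; they are not SAP's, sshd's or any database's real audit format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Extraction: one regex per source type (constructed line formats) ---------
EXTRACTORS = {
    "netweaver": re.compile(
        r"(?P<ts>\S+) AUDIT client=(?P<client>\d+) user=(?P<user>\w+) "
        r"ip=(?P<ip>[\d.]+) event=(?P<event>\w+) rc=(?P<rc>\d+)"),
    "infra": re.compile(
        r"(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
        r"(?P<user>\w+) from (?P<ip>[\d.]+)"),
    "database": re.compile(
        r"(?P<ts>\S+) DBAUDIT user=(?P<user>\w+) host=(?P<ip>[\d.]+) "
        r"action=(?P<event>\w+) status=(?P<outcome>OK|FAIL)"),
}


def normalize(source, line):
    """Map a raw line to the common event schema, or None if it is filtered out."""
    m = EXTRACTORS[source].match(line)
    if not m:
        return None                                 # filtering: drop unparsable lines
    d = m.groupdict()
    if source == "netweaver":
        event, ok = d["event"].lower(), d["rc"] == "0"
    elif source == "infra":
        event, ok = "logon", d["outcome"] == "Accepted"
    else:
        event, ok = d["event"].lower(), d["outcome"] == "OK"
    if event not in ("logon", "rfc_logon"):
        return None                                 # filtering: keep logon events only
    return {"ts": datetime.fromisoformat(d["ts"]), "source": source,
            "user": d["user"].lower(), "ip": d["ip"], "event": event, "success": ok}


# --- Attack patterns are data, so they can be updated without code changes ----
PATTERNS = [
    {"id": "AP-001", "name": "credential guessing across systems",
     "min_failures": 3, "min_sources": 2, "window_s": 300},
]


def aggregate(events):
    """Group normalized events per user, oldest first (aggregation stage)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    return by_user


def match_patterns(by_user, patterns=PATTERNS):
    """Emit one SIEM-ready alert record per (pattern, user) that fires."""
    alerts = []
    for p in patterns:
        window = timedelta(seconds=p["window_s"])
        for user, evs in by_user.items():
            fails = [e for e in evs if not e["success"]]
            for i, first in enumerate(fails):
                burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
                sources = {e["source"] for e in burst}
                if len(burst) >= p["min_failures"] and len(sources) >= p["min_sources"]:
                    later_ok = [e for e in evs if e["success"] and e["ts"] > burst[-1]["ts"]]
                    alerts.append({"pattern": p["id"], "user": user,
                                   "failures": len(burst), "sources": sorted(sources),
                                   "followed_by_success": bool(later_ok)})
                    break
    return alerts


# Constructed sample lines (not real SAP, sshd or database output).
SAMPLE = [
    ("netweaver", "2013-11-05T09:00:01 AUDIT client=100 user=JDOE ip=10.1.1.7 event=LOGON rc=53"),
    ("netweaver", "2013-11-05T09:00:05 AUDIT client=100 user=JDOE ip=10.1.1.7 event=LOGON rc=53"),
    ("infra", "2013-11-05T09:01:10 sshd[4242]: Failed password for jdoe from 10.1.1.7"),
    ("database", "2013-11-05T09:01:40 DBAUDIT user=jdoe host=10.1.1.7 action=LOGON status=FAIL"),
    ("netweaver", "2013-11-05T09:02:30 AUDIT client=100 user=JDOE ip=10.1.1.7 event=LOGON rc=0"),
    ("netweaver", "2013-11-05T09:03:00 AUDIT client=100 user=JDOE ip=10.1.1.7 event=REPORT_START rc=0"),
    ("infra", "2013-11-05T10:00:00 sshd[4243]: Accepted password for ops from 10.1.1.9"),
    ("infra", "garbage line that no extractor understands"),
]


def run_pipeline(sample=SAMPLE, patterns=PATTERNS):
    events = []
    for source, line in sample:                     # connectivity: lines arrive per source
        ev = normalize(source, line)
        if ev:
            events.append(ev)
    return match_patterns(aggregate(events), patterns)
```

The value of the central layer is visible in the sample: no single source sees more than two failures for the user, so a per-system threshold never fires, while the normalized and aggregated view shows four failures across three systems followed by a successful logon, which is exactly the kind of cross-landscape pattern the slide's "attack pattern updates" would describe and the "API to other SIEM tools" would forward.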

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
• http://saptechedhandson.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
• http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 86: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 86

Identity Provider ndash Web Browser-Based Single Sign-On

SAP NetWeaver Java

Identity Provider

User Account

SAP NetWeaver ABAP

Service Provider

User Account

SAP NetWeaver Java

Service Provider

User Account

NON SAP

Service Provider

User Account

log onlog off SAML token

Landscape consists out of an Identity

Provider and systems enabled via

Service Providers (SAML)

Web users trying to access a system

will be redirected to the Identity

Provider

Once a user is authenticated by the

Identity Provider the user can access

all systems (via Service Provider)

without re-authentication

Web Browser-based single sign-on is

user-centric

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 87: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Identity Management

Session SIS105 ndash SAP NetWeaver Identity Management 72 ndash New Features and Functions (Lecture 1hr)

Session SIS106 ndash CUA Replacement with SAP NetWeaver Identity Management Using Best Practices (Lecture 1hr)

Session SIS203 ndash SAP NetWeaver Identity Management 72 Mobility REST UI5 (Lecture 1hr)

Session SIS262 ndash Introducing SAP NetWeaver Identity Management Developer Studio (HO 2hr)

Session SIS263 ndash Advanced features of SAP NW IdM Context Based Role Assignments (HO 2hr)

copy 2013 SAP AG or an SAP affiliate company All rights reserved 88

SAP NetWeaver Identity Management

eg on-boarding

SAP NetWeaver

Identity Management

Password management

Provisioning to SAP and non-SAP systems

Identity mgmt monitoring amp audit

Rule-based assignment of business roles

Identity virtualization and identity as service

Approval workflows

Central Identity Store

SAP Access Control

(GRC)

Compliance checks through GRC

SAP Business Suite Integration

copy 2013 SAP AG or an SAP affiliate company All rights reserved 89

Virtual Directory Server

Identity Center

External repositories

Architecture of SAP NetWeaver Identity Management 72

IC database

Either MS-SQL Oracle-DB soon IBM-DB2

Stored procedures

Logs Audit IdS

HTTPS

Runtime

(Java)

Runtime

(VB) DSE

(VB)

(VB) Dispatcher

Event Agent ltltStartsgtgt

AS Java

VDS

dB protocol

LDAP Java

ABAP WebServices

Active Dir

etc

External applications

SAP HR

LDAPWebServices

etc SiteMinder

App specific

R

R R

Java VM

VDS

LDAP R

AS Java

Web Dynpro

ID Mgmt UI abstraction

JMX

User Interface

R MMC

Management

Console

Soon to be Eclipse

Compliant Identity Management with

SAP GRC Access Control

Session SIS205 ndash Strategies for closing the gap between access control and identity management processes

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm

SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP"

http://scn.sap.com/docs/DOC-17149

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online

http://sapteched.hands-on.sap.com
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 88: SIS100 - Overview About Product Security, IDM and SSO

SAP NetWeaver Identity Management

[Overview diagram: SAP NetWeaver Identity Management at the center, with SAP Access Control (GRC) and SAP Business Suite integration alongside; example scenario: on-boarding.]

• Password management
• Provisioning to SAP and non-SAP systems
• Identity management monitoring & audit
• Rule-based assignment of business roles
• Identity virtualization and identity as a service
• Approval workflows
• Central Identity Store
• Compliance checks through SAP Access Control (GRC)
• SAP Business Suite integration

Architecture of SAP NetWeaver Identity Management 7.2

[Architecture diagram. Components: the Identity Center with its IC database (either MS-SQL or Oracle DB, soon IBM DB2; stored procedures; logs, audit and identity store), Java and VB runtimes, DSE, Dispatcher and Event Agent; the Virtual Directory Server (VDS) in a Java VM, reached over LDAP; AS Java hosting the Web Dynpro identity management UI (UI abstraction, JMX); and the Management Console (MMC, soon to be Eclipse). Connections: HTTPS, DB protocol, LDAP, Java, ABAP and Web Services to external repositories and external applications such as SAP HR, Active Directory, LDAP/Web Services, SiteMinder and application-specific targets.]

Compliant Identity Management with SAP GRC Access Control

Session SIS205 – Strategies for closing the gap between access control and identity management processes

Compliant Identity Management

[Process diagram: User, Approver and Compliance Team interact with SAP NetWeaver Identity Management and SAP GRC Access Control; the step numbers below are the numbers in the diagram.]

1. Request for (User)
   • Role
   • Privileges
   • User account
   • …
2. Request sent for approval to (Approver)
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
3. Approval granted from
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
4. Send for risk analysis to
   • Manager
   • Delegate
   • Role owner
   • Application owner
   • …
5. Risk analysis and remediation (Compliance Team)
   • Reject
   • Approve
   • Mitigate
   • Modify request
   • …
6. Provision to
   • Business applications
   • non-SAP systems
   • …
   and send approval mail to User

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Compliant identity management for the entire system landscape

SAP GRC Access Control 10.0 – Architecture

[Architecture diagram of SAP GRC 10.0. Core: SAP NetWeaver AS ABAP 7.02 running Access Control, Process Control and Risk Management (software component GRCFND_A) with Content Lifecycle Management (CLM). Managed systems: SAP ERP (4.6C – 7.1) with the NW function modules (plug-in GRCPINW), HR function modules and PC automated controls (plug-in GRCPIERP); non-SAP business applications via an adapter. Marked optional: SAP NW Portal 7.02 with GRC portal content, SAP NW BW 7.02 with GRC BI content, SAP NW Java 7.02 with Adobe Document Services, and identity management solutions (SAP or non-SAP). Connections shown: HTTP, Web services and RFC between the components, DIAG and HTTP from the front-end client. Front-end client: SAP GUI 7.10 or web browser with Adobe Flash Player and the SAP CR Adapter (SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports).]

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

[Flow diagram: an HR application event (new hire, change of position) reaches Identity Management, which calculates entitlements based on position; the line manager approves the assignments (Yes/No); SAP GRC Access Control performs the compliance check and remediation; then users are created and roles/privileges assigned in each system of the heterogeneous landscape.]
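The six-step flow (request, approval, risk analysis, remediation, provisioning) and the HR-triggered customer scenario above, as an added Python simulation that is not part of the original deck and not SAP's code: entitlements are derived from the HR position, the line manager approves, a GRC-style access-risk analysis runs over the user's effective roles and decides reject, approve or mitigate, and only then are roles provisioned to each system of the landscape. The positions, role names, risk P001, control id and system names are constructed sample values.

```python
# Added illustration, not SAP's code: a simulation of the compliant identity
# management flow from the slides, from an HR event to provisioning, with a
# GRC-style access-risk analysis as the gate. All names below are constructed.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    REJECT = "reject"
    APPROVE = "approve"
    MITIGATE = "mitigate"   # approved, but only under a mitigating control


@dataclass(frozen=True)
class AccessRisk:
    """Fires when a user would hold every role in the conflicting set at once."""
    risk_id: str
    description: str
    conflicting_roles: frozenset


@dataclass
class Outcome:
    decision: Decision
    risks: list = field(default_factory=list)        # risk ids that fired
    mitigations: dict = field(default_factory=dict)  # risk id -> control id
    provisioned: dict = field(default_factory=dict)  # system -> connector result


# Constructed rule table: "Calculate Entitlements Based on Position".
POSITION_ENTITLEMENTS = {
    "AP_CLERK": {"AP_INVOICE_ENTRY"},
    "AP_LEAD": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
}

# Constructed risk catalog: the classic enter-invoice / release-payment conflict.
RISK_CATALOG = [
    AccessRisk("P001", "enter invoices and release payments",
               frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})),
]


def sample_connector(system):
    """Stand-in for a provisioning connector (ABAP, Active Directory, LDAP, ...)."""
    def create_user_and_assign(user, roles):
        return {"system": system, "user": user, "roles": roles}
    return create_user_and_assign


LANDSCAPE = {name: sample_connector(name)
             for name in ("ERP_ABAP", "ACTIVE_DIRECTORY", "LDAP_DIR")}


def calculate_entitlements(position):
    """Rule-based assignment of business roles from the HR position."""
    return set(POSITION_ENTITLEMENTS.get(position, ()))


def analyze_risks(existing_roles, requested_roles, catalog=RISK_CATALOG):
    """Risk analysis over the effective role set (existing plus requested);
    checking only the requested roles would miss a conflict with a role already held."""
    effective = set(existing_roles) | set(requested_roles)
    return [r for r in catalog if r.conflicting_roles <= effective]


def remediate(risks, mitigating_controls):
    """Compliance-team step: every risk needs an assigned mitigating control, else reject."""
    if any(r.risk_id not in mitigating_controls for r in risks):
        return Decision.REJECT
    return Decision.MITIGATE if risks else Decision.APPROVE


def process_hr_event(user, position, existing_roles, manager_approves,
                     mitigating_controls, landscape=LANDSCAPE):
    """Entitlements -> line manager approval -> compliance check -> remediation -> provisioning."""
    requested = calculate_entitlements(position)
    outcome = Outcome(Decision.REJECT)
    if not manager_approves:                      # line manager answered "No"
        return outcome
    risks = analyze_risks(existing_roles, requested)
    outcome.risks = [r.risk_id for r in risks]
    outcome.decision = remediate(risks, mitigating_controls)
    if outcome.decision is Decision.REJECT:       # nothing reaches the target systems
        return outcome
    outcome.mitigations = {r.risk_id: mitigating_controls[r.risk_id] for r in risks}
    for name, connector in landscape.items():     # heterogeneous landscape
        outcome.provisioned[name] = connector(user, sorted(requested))
    return outcome


if __name__ == "__main__":
    for position, controls in (("AP_CLERK", {}), ("AP_LEAD", {}),
                               ("AP_LEAD", {"P001": "CTRL_PAYMENT_REVIEW"})):
        result = process_hr_event("jdoe", position, set(), True, controls)
        print(position, result.decision.value, result.risks, sorted(result.provisioned))
```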

Moving Security to the next Level

Planned Features and Developments:
• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

[Architecture draft diagram. Inputs to the SAP Attack Monitoring Infrastructure: attack pattern updates by SAP, logs of SAP NetWeaver, logs of non-SAP NetWeaver systems, desktop frontend and mobile frontend logs, logs of infrastructure, logs of database, logs of network IDS, and alerts from SAP SolMan. Processing stages: connectivity, extraction, filtering, normalization, aggregation. Outputs: API to other SIEM tools and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149




Page 91: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 91

Compliant Identity Management

SAP NetWeaver

Identity Management

1

1 Request for

bull Role

bull Privileges

bull User account

bull hellip

SAP GRC Access Control

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standard-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 – Architecture

(Architecture diagram, reconstructed as a list)
• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (Software Component GRCFND_A); Content Lifecycle Management (CLM); SAP GRC 10.0
• SAP ERP (4.6C – 7.1): NW Function Modules (Plug-in GRCPINW), HR Function Modules, PC Automated Controls (Plug-in GRCPIERP); connected via RFC
• Non-SAP Business Applications: Adapter (optional)
• SAP NW Portal 7.02: GRC Portal Content (optional)
• SAP NW BW 7.02: GRC BI Content (optional)
• SAP NW Java 7.02: Adobe Document Services (optional)
• Identity Management Solutions (SAP or non-SAP): optional, via Web services
• Front-End Client: SAP GUI 7.10 (DIAG), Web Browser (HTTP), Adobe Flash Player, SAP CR Adapter
• Connections shown: HTTP, Web services, RFC, DIAG

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC-embedded SAP Crystal Reports

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

(Process diagram: HR Application [New Hire, Change Position] → Identity Management [Calculate Entitlements Based on Position] → Line Manager [Approve Assignments? Yes / No] → SAP GRC Access Control [Compliance Check, Remediation] → Heterogeneous Landscape [Create User, Assign Roles in each system; Create User, Assign Privileges])
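The HR-event-driven scenario on this slide and the six-step request flow on the preceding slides (request, approval, risk analysis, remediation, provisioning) follow the same shape: a change is never written to a target system until an approver has agreed and every access risk is either absent or covered by a mitigating control. The Python below is an added illustration written for this page; it is not SAP NetWeaver Identity Management or SAP GRC Access Control code. The position-to-role table, the segregation-of-duties rule F001, the mitigating control and the target-system names are constructed assumptions.

```python
"""Compliant provisioning workflow: HR event -> entitlements by position
-> manager approval -> access-risk (SoD) analysis -> remediation -> provisioning.

Illustrative model only; the tables, rule ids, control ids and system names
below are constructed for this example and are not SAP's data."""
from dataclasses import dataclass, field

# Constructed position -> roles table ("Calculate Entitlements Based on Position")
POSITION_ROLES = {
    "AP_CLERK": ["FI_INVOICE_ENTRY", "PORTAL_BASIC"],
    "AP_MANAGER": ["FI_INVOICE_ENTRY", "FI_PAYMENT_RELEASE", "PORTAL_BASIC"],
    "SALES_REP": ["SD_ORDER_ENTRY", "PORTAL_BASIC"],
}

# Constructed role -> (target system, privilege) mapping used at provisioning time
ROLE_TARGETS = {
    "FI_INVOICE_ENTRY": ("ERP", "Z_FI_AP_ENTRY"),
    "FI_PAYMENT_RELEASE": ("ERP", "Z_FI_AP_RELEASE"),
    "SD_ORDER_ENTRY": ("ERP", "Z_SD_ORDER"),
    "PORTAL_BASIC": ("PORTAL", "basic_user"),
}

# Constructed SoD rules: holding both roles of a pair is an access risk
SOD_RULES = {
    "F001": ("FI_INVOICE_ENTRY", "FI_PAYMENT_RELEASE"),  # enter and release own payments
}

# Constructed mitigating controls: risk id -> control that compensates for it
MITIGATING_CONTROLS = {"F001": "CTRL_MONTHLY_PAYMENT_REVIEW"}


@dataclass
class Request:
    user: str
    position: str
    existing_roles: list = field(default_factory=list)
    manager_approved: bool = False
    status: str = "NEW"
    risks: list = field(default_factory=list)
    mitigations: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


def calculate_entitlements(position):
    """Derive the roles a position entitles a user to (HR-event driven)."""
    return list(POSITION_ROLES.get(position, []))


def risk_analysis(existing_roles, requested_roles):
    """Return the ids of SoD rules violated by the user's combined role set."""
    combined = set(existing_roles) | set(requested_roles)
    return [rid for rid, (a, b) in SOD_RULES.items() if a in combined and b in combined]


def process_request(req, allow_mitigation=True):
    """Run one request through approval, risk analysis, remediation and provisioning."""
    requested = calculate_entitlements(req.position)
    if not req.manager_approved:                  # steps 2/3: approver decision
        req.status = "REJECTED_BY_MANAGER"
        return req
    req.risks = risk_analysis(req.existing_roles, requested)   # steps 4/5
    for rid in req.risks:
        if allow_mitigation and rid in MITIGATING_CONTROLS:
            req.mitigations[rid] = MITIGATING_CONTROLS[rid]   # remediation: mitigate
        else:
            req.status = "REJECTED_RISK"           # unmitigated risk: nothing provisioned
            return req
    # step 6: provision only once every risk is absent or mitigated
    new_roles = [r for r in requested if r not in req.existing_roles]
    if not req.existing_roles:                    # new hire: create accounts first
        systems = sorted({ROLE_TARGETS[r][0] for r in new_roles})
        req.actions += [(s, "CREATE", req.user, None) for s in systems]
    for role in new_roles:
        system, privilege = ROLE_TARGETS[role]
        req.actions.append((system, "ASSIGN", req.user, privilege))
    req.status = "PROVISIONED_MITIGATED" if req.mitigations else "PROVISIONED"
    return req
```

The "Modify request" outcome from the remediation slide is not modelled; it would drop or swap the conflicting role before the provisioning loop runs. The point the code makes is the ordering: the provisioning actions are only generated after approval and risk analysis have both passed, so a rejected request leaves no trace in any target system.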

Moving Security to the Next Level

Planned Features and Developments:
• Centralized SAP Attack Monitoring Infrastructure
• UCONN

Planned Enhancement – Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

(Architecture diagram, reconstructed as a list)

Inputs:
• Attack Pattern Updates by SAP
• Logs of SAP NetWeaver
• Logs of non-SAP NetWeaver
• Desktop Frontend
• Mobile Frontend
• Logs of Infrastructure
• Logs of Database
• Logs of Network IDS
• Alerts from SAP SolMan

SAP Attack Monitoring Infrastructure stages: Aggregation, Normalization, Connectivity, Filtering, Extraction

Outputs:
• API to other SIEM tools
• Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
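As an added example of the stages the draft names (connectivity, extraction, filtering, normalization, aggregation, with attack patterns supplied as data), the Python below correlates authentication failures across two differently formatted log sources. It is written for this page and is not SAP's attack monitoring infrastructure; both log formats, the sample lines, the pattern definition and the year assumed for the syslog timestamps are constructed.

```python
"""Log pipeline in the shape of the architecture draft: connectivity and
extraction (parse lines from several sources), filtering (keep only
security-relevant events), normalization (one common event schema),
aggregation (count per source address) and attack-pattern matching.
Log formats, sample lines, patterns and the syslog year are constructed
for this example; they are not SAP log formats or SAP-supplied patterns."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: an application log with key=value fields and a
# syslog-style infrastructure log. Together they show 4 failures from one
# address; each source on its own shows only 2.
SAMPLE_LOGS = [
    ("app", "2013-11-05T09:00:01 event=LOGON_FAILED user=ADMIN src=10.0.0.7 client=100"),
    ("app", "2013-11-05T09:00:03 event=LOGON_FAILED user=ADMIN src=10.0.0.7 client=100"),
    ("app", "2013-11-05T09:00:04 event=RFC_CALL user=BATCH src=10.0.0.9 fm=Z_REPORT"),
    ("infra", "Nov  5 09:00:05 gw01 sshd[412]: Failed password for admin from 10.0.0.7 port 5001"),
    ("infra", "Nov  5 09:00:06 gw01 sshd[412]: Failed password for admin from 10.0.0.7 port 5002"),
    ("app", "2013-11-05T09:00:09 event=LOGON_OK user=JDOE src=10.0.0.12 client=100"),
    ("infra", "Nov  5 09:00:10 gw01 sshd[413]: Accepted publickey for deploy from 10.0.0.12 port 5003"),
]

# Constructed attack-pattern definition, kept as data so that an updated
# pattern set can be loaded without changing the pipeline code
PATTERNS = [
    {"id": "AUTH_BRUTE_FORCE", "event": "auth_failure", "group_by": "src",
     "threshold": 4, "window_s": 60},
]

SYSLOG_YEAR = 2013  # assumption: classic syslog timestamps carry no year
KV_RE = re.compile(r"(\w+)=(\S+)")
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
SSH_AUTH_RE = re.compile(r"(Failed password|Accepted \w+) for (\S+) from (\S+)")


def extract(source, line):
    """Extraction: split one raw line from the given source into raw fields."""
    if source == "app":
        ts, rest = line.split(" ", 1)
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts)
        return fields
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"host": host, "prog": prog, "msg": msg,
            "ts": datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")}


def normalize(source, fields):
    """Filtering and normalization: map raw fields onto a common schema
    (ts, kind, user, src, origin); return None for events that are dropped."""
    if fields is None:
        return None
    if source == "app":
        kind = {"LOGON_FAILED": "auth_failure", "LOGON_OK": "auth_success"}.get(fields.get("event"))
        if kind is None:
            return None                       # e.g. ordinary RFC traffic is filtered out
        return {"ts": fields["ts"], "kind": kind, "user": fields["user"].lower(),
                "src": fields["src"], "origin": "app"}
    m = SSH_AUTH_RE.match(fields["msg"])
    if not m:
        return None
    kind = "auth_failure" if m.group(1).startswith("Failed") else "auth_success"
    return {"ts": fields["ts"], "kind": kind, "user": m.group(2).lower(),
            "src": m.group(3), "origin": fields["host"]}


def run_pipeline(raw_logs, patterns=PATTERNS):
    """Run all stages over (source, line) pairs; return (events, alerts)."""
    events = []
    for source, line in raw_logs:
        event = normalize(source, extract(source, line))
        if event:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for p in patterns:
        buckets = defaultdict(list)           # aggregation across all origins
        for e in events:
            if e["kind"] == p["event"]:
                buckets[e[p["group_by"]]].append(e["ts"])
        for key, times in buckets.items():
            # fire once per key if any threshold-sized run fits inside the window
            for i in range(len(times) - p["threshold"] + 1):
                if (times[i + p["threshold"] - 1] - times[i]).total_seconds() <= p["window_s"]:
                    alerts.append({"pattern": p["id"], p["group_by"]: key,
                                   "count": len(times), "first": times[i]})
                    break
    return events, alerts
```

Run over the sample lines, the pipeline raises one AUTH_BRUTE_FORCE alert for 10.0.0.7. Neither source reaches the threshold on its own (two failures each), which is the practical reason for a central infrastructure and the background to the slide's note about limited analysis on local systems: the aggregation step only works once events from different origins share one schema and one timeline.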


Summary – Key Take-Away

• SAP NetWeaver today is the favored technology platform for SAP customers integrating heterogeneous landscapes.
• Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
• The support for SAML 2.0 for Identity Federation provides international standards support and heterogeneity, mandatory for composite business applications and networked solutions.
• SAP leads in the industry by helping our customers to thrive in today's business networks.

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops
• Access hands-on workshops post-event
• Available January – March 2014
• Complimentary with your SAP TechEd registration
http://sapteched.hands-on.sap.com

SAP TechEd Online
• Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
• View content only available online
http://sapteched.com/online

Feedback: Please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.

© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Page 92: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 92

Compliant Identity Management

SAP NetWeaver

Identity Management

1

2 Request sent for approval to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

Approver

2

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 93: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 93

Compliant Identity Management

SAP NetWeaver

Identity Management

1

3 Approval granted from

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 94: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 94

Compliant Identity Management

SAP NetWeaver

Identity Management

1

4 Send for risk analysis to

bull Manager

bull Delegate

bull Role owner

bull Application owner

bull hellip

SAP GRC Access Control

2

3

4

Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 95

Compliant Identity Management

SAP NetWeaver

Identity Management

1

5 Risk analysis and remediation

bull Reject

bull Approve

bull Mitigate

bull Modify request

bull hellip

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Compliant Identity Management

Diagram: an access request flows between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control (steps 1 to 5). Step 5, risk analysis and remediation, ends in one of:

• Reject
• Approve
• Mitigate
• Modify request
• …

Compliant Identity Management

Diagram: the same flow continued (steps 1 to 6) between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control. Step 6: provision to

• Business applications
• non-SAP systems
• …

and send approval mail to User.

Compliant Identity Management

Diagram: result of the complete flow (steps 1 to 6) between User, Approver, Compliance Team, SAP NetWeaver Identity Management and SAP GRC Access Control.

Result: Compliant Identity Management

What Is the Role of SAP GRC Access Control vs. SAP NetWeaver Identity Management?

SAP NetWeaver Identity Management
• Centralized user management: centralized management of identity information across multiple data sources
• Integration and synchronization of system authorization data: manage user privileges centrally
• Single Sign-On: automates and simplifies integration with Enterprise SSO and Web SSO
• Federated Identity: simplifies integration with standards-supported Identity Federation

SAP GRC Access Control
• Access Risk Identification: define and understand access risks
• Access Analysis and Response: analyze and mitigate access risks
• Access Reviews: periodic reviews of assignments, risk violations and controls
• Centralized Compliant Role Repository: define and manage compliant roles

Together: compliant identity management for the entire system landscape.

SAP GRC Access Control 10.0 - Architecture

Diagram of the SAP GRC 10.0 components and the protocols that connect them (http, Web services, RFC, DIAG):

• SAP NetWeaver AS ABAP 7.02: AC, PC & RM (software component GRCFND_A); Content Lifecycle Management (CLM)
• SAP ERP (4.6C – 7.1): NW Function Modules (plug-in GRCPINW), HR Function Modules, PC Automated Controls (plug-in GRCPIERP)
• Non-SAP Business Applications: Adapter
• SAP NW Portal 7.02: GRC Portal Content
• SAP NW BW 7.02: GRC BI Content
• SAP NW Java 7.02: Adobe Document Services
• Identity Management Solutions (SAP or non-SAP)
• Front-End Client: SAP GUI 7.10, Web Browser, Adobe Flash Player, SAP CR Adapter

Several of these blocks and connections are marked optional in the diagram.

SAP Crystal Reports Adapter and Active Component Framework – needed for viewing GRC embedded SAP Crystal Reports.

Compliant Identity Management: Example Customer Scenario

• Reduce TCO by simplifying assignment of roles and privileges to users, triggered by HR events
• Reduce risk through compliance checks and remediation
• Automate manual processes through integration

Flow diagram:
• HR Application: New Hire / Change Position
• Identity Management: Calculate Entitlements Based on Position
• Line Manager: Approve Assignments? (Yes / No)
• SAP GRC Access Control: Compliance Check, Remediation
• Create User, Assign Privileges
• Heterogeneous Landscape: Create User, Assign Roles in each target system
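The approval and provisioning flow on the slides above (risk analysis ending in reject, approve, mitigate or modify request, then provisioning to the target systems) can be illustrated as follows. This is an added example, not SAP NetWeaver Identity Management or SAP GRC Access Control code; the segregation-of-duties rules, role names, user IDs and target system names are constructed for the example. It also handles the case the slides only imply: a conflict that already exists in the user's current access cannot be cleared by trimming the new request.

```python
"""Added illustration of the compliant-identity-management flow on the slides
(request, risk analysis with reject / approve / mitigate / modify request,
then provisioning to the target systems). This is not SAP NetWeaver Identity
Management or SAP GRC Access Control code; the SoD rules, role names and
target systems below are constructed sample data."""

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    REJECT = "reject"
    MITIGATE = "mitigate"              # approve, but only with a mitigating control
    MODIFY_REQUEST = "modify request"  # drop the requested role that causes the conflict


@dataclass(frozen=True)
class SodRule:
    """Segregation-of-duties risk: holding role_a together with role_b is a violation."""
    risk_id: str
    role_a: str
    role_b: str
    description: str


@dataclass
class AccessRequest:
    user: str
    current_roles: frozenset
    requested_roles: frozenset
    target_systems: frozenset
    mitigations: frozenset = frozenset()  # risk ids for which a control is assigned


# Constructed sample rule set (not SAP-delivered content).
SOD_RULES = (
    SodRule("P001", "VENDOR_MAINTAIN", "PAYMENT_RELEASE",
            "create a vendor and release payments to it"),
    SodRule("F002", "GL_POSTING", "GL_PERIOD_CLOSE",
            "post journal entries and close the accounting period"),
)


def find_violations(roles, rules=SOD_RULES):
    """Rules whose two conflicting roles are both present in `roles`."""
    return [r for r in rules if r.role_a in roles and r.role_b in roles]


def risk_analysis(req, rules=SOD_RULES):
    """Step 5 on the slides: analyse the access the user would hold AFTER the
    request. Checking only the requested roles would miss conflicts with roles
    the user already has, which is where most SoD violations come from."""
    combined = req.current_roles | req.requested_roles
    violations = find_violations(combined, rules)
    if not violations:
        return Decision.APPROVE, violations
    open_risks = [v for v in violations if v.risk_id not in req.mitigations]
    if not open_risks:
        return Decision.MITIGATE, violations
    # A conflict caused by the new roles can be cleared by trimming the request;
    # one that already exists in the user's current access cannot.
    pre_existing = [v for v in open_risks
                    if v.role_a in req.current_roles and v.role_b in req.current_roles]
    if pre_existing:
        return Decision.REJECT, open_risks
    return Decision.MODIFY_REQUEST, open_risks


def trimmed_request(req, open_risks):
    """Suggested modified request: the requested roles minus those in an open conflict."""
    conflicting = {r.role_a for r in open_risks} | {r.role_b for r in open_risks}
    return req.requested_roles - conflicting


def provision(req, decision):
    """Step 6 on the slides: create the user and assign the roles in every
    target system, but only for an approved (or mitigated) request."""
    if decision not in (Decision.APPROVE, Decision.MITIGATE):
        return []
    actions = []
    for system in sorted(req.target_systems):
        actions.append((system, "create_user", req.user))
        for role in sorted(req.requested_roles):
            actions.append((system, "assign_role", role))
    return actions


def process(req):
    """Run the whole flow: (decision, provisioning actions, ids of the risks found)."""
    decision, risks = risk_analysis(req)
    return decision, provision(req, decision), [r.risk_id for r in risks]


if __name__ == "__main__":
    # Constructed sample: the user already holds VENDOR_MAINTAIN and asks for
    # PAYMENT_RELEASE, which trips rule P001 only in combination.
    req = AccessRequest("jdoe", frozenset({"VENDOR_MAINTAIN"}),
                        frozenset({"PAYMENT_RELEASE", "REPORT_VIEW"}),
                        frozenset({"ERP_PRD", "CRM_PRD"}))
    decision, actions, risks = process(req)
    print(decision, risks, actions, trimmed_request(req, find_violations(
        req.current_roles | req.requested_roles)))
```

The decision is made on the combined role set, not on the request alone, and provisioning is skipped for anything other than an approved or mitigated request, so a rejected request never reaches the target systems.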

Moving Security to the Next Level

Planned Features and Developments: Centralized SAP Attack Monitoring Infrastructure, UCONN

Planned enhancement - Architecture Draft for Centralized SAP Attack Monitoring Infrastructure

Diagram: log and alert sources feeding the SAP Attack Monitoring Infrastructure, whose stages are Connectivity, Extraction, Filtering, Aggregation and Normalization.

Inputs:
• Attack Pattern Updates by SAP
• Logs of SAP NetWeaver
• Logs of Non-SAP NetWeaver
• Desktop Frontend
• Mobile Frontend
• Logs of Infrastructure
• Logs of Database
• Logs / Network IDS
• Alerts from SAP SolMan

Outputs:
• API to other SIEM tools
• Information Back Channel to SAP

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
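The Extraction, Filtering, Normalization and Aggregation stages of the draft above, as an added Python sketch. It is not SAP's planned implementation: the three log formats, the IDS signature name and every sample line are constructed for the example and do not reproduce real SAP NetWeaver, database or IDS log formats. The aggregation step shows why the slide notes that local, per-system analysis is limited: a user whose failed logons are spread over several systems only crosses the threshold once the events are on one time axis.

```python
"""Added sketch of the Connectivity -> Extraction -> Filtering -> Normalization
-> Aggregation stages on the architecture slide, feeding an API towards other
SIEM tools. This is not SAP's planned implementation; the three log formats,
the signature name and every sample line are constructed for this example."""

import json
import re
from collections import defaultdict
from datetime import datetime

# Connectivity stage stand-in: (source, raw line) pairs as a collector would
# receive them. Constructed sample data.
SAMPLE_LOGS = [
    ("netweaver", "2013-11-05T09:12:01 AU2 user=JDOE term=PC0042 Logon failed"),
    ("netweaver", "2013-11-05T09:12:09 AU2 user=JDOE term=PC0042 Logon failed"),
    ("netweaver", "2013-11-05T09:12:20 AU1 user=ASMITH term=PC0007 Logon successful"),
    ("database", "2013-11-05 09:12:15|LOGIN_FAILED|db_user=JDOE|host=PC0042"),
    ("network", "Nov  5 09:12:30 ids[311]: ALERT src=10.0.0.42 dst=10.0.1.5 sig=SAP-LOGON-FLOOD"),
    ("network", "Nov  5 09:12:31 ids[311]: INFO src=10.0.0.9 dst=10.0.1.5 sig=HEARTBEAT"),
]

# Extraction stage: one pattern per (constructed) source format.
PARSERS = {
    "netweaver": re.compile(
        r"(?P<ts>\S+) (?P<msgid>AU\d) user=(?P<user>\S+) term=(?P<host>\S+) Logon (?P<result>\w+)"),
    "database": re.compile(
        r"(?P<ts>\S+ \S+)\|(?P<event>\w+)\|db_user=(?P<user>\S+)\|host=(?P<host>\S+)"),
    "network": re.compile(
        r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ids\[\d+\]: (?P<level>\w+) src=(?P<src>\S+) dst=\S+ sig=(?P<sig>\S+)"),
}

# Filtering stage: event categories worth forwarding; everything else is dropped.
KEEP = {"logon_failure", "logon_success", "ids_alert"}


def normalize(source, line):
    """Extraction + normalization: map one raw line onto the common event schema
    {ts, source, category, user, host}; None when the line does not parse."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    f = m.groupdict()
    if source == "netweaver":
        category = "logon_failure" if f["result"] == "failed" else "logon_success"
        ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%S")
        user, host = f["user"], f["host"]
    elif source == "database":
        category = "logon_failure" if f["event"] == "LOGIN_FAILED" else "other"
        ts = datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S")
        user, host = f["user"], f["host"]
    else:  # network IDS: the syslog stamp carries no year, so one is assumed here
        category = "ids_alert" if f["level"] == "ALERT" else "other"
        ts = datetime.strptime("2013 " + " ".join(f["ts"].split()), "%Y %b %d %H:%M:%S")
        user, host = None, f["src"]
    return {"ts": ts, "source": source, "category": category, "user": user, "host": host}


def pipeline(raw_logs):
    """Normalize every line, apply the filter, and order events on one time axis."""
    events = (normalize(src, line) for src, line in raw_logs)
    return sorted((e for e in events if e and e["category"] in KEEP), key=lambda e: e["ts"])


def failed_logons_per_user(events, window_seconds=60, threshold=3):
    """Aggregation: count logon failures per user across ALL sources inside a
    sliding window. A user whose failures are spread over several systems is
    flagged even though no single system saw enough on its own."""
    per_user = defaultdict(list)
    for e in events:
        if e["category"] == "logon_failure" and e["user"]:
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                flagged[user] = n
                break
    return flagged


def to_siem_records(events):
    """Output stage: one JSON line per normalized event for a SIEM API."""
    return [json.dumps({**e, "ts": e["ts"].isoformat()}, sort_keys=True) for e in events]


if __name__ == "__main__":
    evs = pipeline(SAMPLE_LOGS)
    print("\n".join(to_siem_records(evs)))
    print("flagged:", failed_logons_per_user(evs))
```

With the sample data, the NetWeaver log alone holds two failures for JDOE and the database log one; only the merged view reaches the threshold of three inside the window. The window and threshold are parameters because sensible values depend on the landscape and on how noisy the sources are.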

Summary – Key Take-Away

• SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes
• Significant investments into security for networked solutions, identity management, SSO and an integrated security management offering will allow customers to implement secure business processes
• The support for SAML 2.0 for Identity Federation provides international standards support and the heterogeneity mandatory for composite business applications and networked solutions
• SAP leads in the industry by helping our customers to thrive in today's business networks

This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Further Information

SAP Public Web
• SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
• SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
• SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
• SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
• SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
• SAP Security Recommendations “Secure Configuration SAP NetWeaver Application Server ABAP”: http://scn.sap.com/docs/DOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 96: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 96

Compliant Identity Management

SAP NetWeaver

Identity Management

1

6 Provision to

bull Business applications

bull non-SAP systems

bull hellip

And send approval mail to User

SAP GRC Access Control

2

3

4

5

Compliance

Team Approver

User

6

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 97: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 97

Compliant Identity Management

2

3

6

Result

Compliant Identity Management

Approver

User

SAP NetWeaver

Identity Management

1

SAP GRC Access Control 4

5

Compliance

Team

6

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 98: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 98

What Is the Role of SAP GRC Access Control

vs SAP NetWeaver Identity Management

SAP NetWeaver Identity Management

Centralized user management Centralized management of identity

information across multiple data source

Integration and synchronization of

system authorization data Manage user privileges centrally

Single Sign On Automates and simplifies integration

with Enterprise SSO and Web SSO

Federated Identity Simplifies integration with standard-

supported Identity Federation

SAP GRC Access Control

Access Risk Identification Define and understand access risks

Access Analysis and Response Analyze and mitigate access risks

Access Reviews Periodic reviews of assignments

risk violations and controls

Centralized Compliant Role

Repository Define and manage compliant roles

Compliant identity

management for the

entire system

landscape

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement - Architecture Draft for

Centralized SAP Attack Monitoring Infrastructure

Attack Pattern

Updates by SAP

Logs of SAP

NetWeaver

Logs of Non

SAP NetWeaver

Desktop

Frontend

Mobile

Frontend Logs of

Infrastructure

Logs of

Database

SAP Attack Monitoring Infrastructure

Ag

gre

ga

tio

n N

orm

aliz

atio

n

Con

ne

ctivity

Filt

eri

ng

Extr

actio

n

Logs Network

IDS API to other

SIEM tools

Alerts from SAP

SolMan

Information Back

Channel to SAP

Limited analysis possibilities on local SAP NetWeaver Systems have to be discussed

copy 2013 SAP AG or an SAP affiliate company All rights reserved 103

Summary ndash Key Take-Away

SAP NetWeaver TODAY is the favored technology platform for SAP

customers integrating heterogeneous landscapes

Significant investments into security for networked solutions identity management

SSO and integrated security management offering will allow customers to

implement secure business processes

The support for SAML 20 for Identity Federation provides

international standards support and heterogeneity mandatory for composite

business applications and networked solutions

SAP leads in the industry by helping our customers to thrive in today`s

business networks

This presentation and SAPs strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice

This document is provided without a warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a

particular purpose or non-infringement

copy 2013 SAP AG or an SAP affiliate company All rights reserved 104

Further Information

SAP Public Web

SAP NetWeaver Security space on SCN httpscnsapcomcommunitysecurity

SAP NetWeaver Identity Management space on SCN httpscnsapcomcommunitynetweaver-idm

SAP NetWeaver Single Sign-On space on SCN httpscnsapcomcommunitynetweaver-sso

SDN NetWeaver Security Forum

httpscnsapcomcommunitysecuritycontentfilterID=content~objecttype~objecttype[thread]

SAP Online Help for SAP NetWeaver Identity Management

httphelpsapcomcontentdocumentationnetweaverdocu_nw_idm_designhtm

SAP Security Recommendations ldquoSecure Configuration SAP NetWeaver Application Server ABAPrdquo

httpscnsapcomdocsDOC-17149

copy 2013 SAP AG or an SAP affiliate company All rights reserved 105

SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online Continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

Access hands-on workshops post-event

Available January ndash March 2014

Complementary with your SAP TechEd registration

SAP TechEd Online

Access replays of keynotes Demo Jam SAP TechEd

LIVE interviews select lecture sessions and more

View content only available online

httpsaptechedhandsonsapcom

httpsaptechedcomonline

Feedback Please complete your session evaluation for SIS100

Thanks for attending this SAP TechEd session

copy 2013 SAP AG or an SAP affiliate company All rights reserved 107

copy 2013 SAP AG or an SAP affiliate company All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG

The information contained herein may be changed without prior notice

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors

National product specifications may vary

These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only without representation or warranty of any kind and

SAP Group shall not be liable for errors or omissions with respect to the materials The only warranties for SAP Group products and services are those that are set forth

in the express warranty statements accompanying such products and services if any Nothing herein should be construed as constituting an additional warranty

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and

other countries

Please see httpwwwsapcomcorporate-enlegalcopyrightindexepxtrademark for additional trademark information and notices

Page 99: SIS100 - Overview About Product Security, IDM and SSO

copy 2013 SAP AG or an SAP affiliate company All rights reserved 99

SAP GRC Access Control 100 - Architecture

SAP NetWeaver

AS ABAP 702

AC PC amp RM (Software Component GRCFND_A)

SAP ERP (46C ndash 71)

Non-SAP Business

Applications Adapter

NW Function Modules (Plug-in GRCPINW)

HR Function Modules

PC Automated Ctrls (Plug-in GRCPIERP)

SAP NW Portal 702

GRC Portal Content

SAP NW BW 702

GRC BI Content

Identity Management Solutions

(SAP or Non-SAP)

optional

optional

optional

http

Web

services

RFC

optional

RFC

DIAG http

RFC

SAP NW JAVA 702

Adobe Document

Services

optional optional

Front-End Client

SAP

GUI

710 Web Browser

Adobe Flash Player

SAP CR Adapter

SAP Crystal Reports Adapter and Active Component Framework ndash needed for viewing GRC embedded SAP Crystal Reports

Content Lifecycle

Management (CLM)

SAP GRC 100

copy 2013 SAP AG or an SAP affiliate company All rights reserved 100

Compliant Identity Management Example Customer Scenario

Reduce TCO by simplifying assignment of roles and privileges to users triggered by HR events

Reduce risk through compliance checks and remediation

Automate manual processes through integration

Identity

Management

Calculate Entitlements

Based on Position

HR Application

New Hire

Change

Position

Line Manager

No

Approve

Assignments

Create User

Assign Roles

Create User

Assign Roles

Create User

Assign Roles

Heterogeneous Landscape

Yes

SAP

GRC Access Control

Compliance Check

Remediation

Create User

Assign Privileges

Moving Security to the next Level

Planned Features and Developments Centralized SAP Attack Monitoring Infrastructure

UCONN

copy 2013 SAP AG or an SAP affiliate company All rights reserved 102

Planned enhancement: architecture draft for a Centralized SAP Attack Monitoring Infrastructure

[Architecture diagram: inputs to the SAP Attack Monitoring Infrastructure are attack pattern updates by SAP, logs of SAP NetWeaver systems, logs of non-SAP-NetWeaver systems, desktop front-end and mobile front-end logs, logs of infrastructure, logs of the database, network IDS logs and alerts from SAP SolMan. Inside the infrastructure the data passes through the stages connectivity, extraction, filtering, normalization and aggregation. Outputs are an API to other SIEM tools and an information back channel to SAP.]

Limited analysis possibilities on local SAP NetWeaver systems have to be discussed.
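As an added example of the pipeline stages named in the draft (extraction, filtering, normalization, aggregation, with attack patterns applied to the aggregate and the result shaped for a SIEM), the following Python is illustrative code and not an SAP component. The three log formats, the field names, the event vocabulary and the single attack-pattern rule are all constructed for this example; they are not SAP's actual Security Audit Log, database or IDS formats. Filtering is applied after normalization here so that one rule covers every source.

```python
"""Added example: a minimal central log pipeline in the shape of the slide's
architecture draft. Formats, field names and the attack-pattern rule are
constructed; they are not SAP's real log formats.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone


def _ts(text, fmt):
    """Parse a timestamp string as UTC and return epoch seconds."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


# --- Extraction: one parser per source type (constructed formats) -----------
def extract_netweaver(line):
    # "2013-10-22T09:00:01 SID=PRD|client=100|user=JDOE|event=LOGON_FAILED|src=10.0.0.5"
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["ts"] = _ts(ts, "%Y-%m-%dT%H:%M:%S")
    return fields


def extract_database(line):
    # "2013-10-22 09:00:12 AUTH_FAILURE db=HDB user=SYSTEM host=10.0.0.5"
    parts = line.split(" ")
    fields = dict(kv.split("=", 1) for kv in parts[3:])
    fields["ts"] = _ts(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields["event"] = parts[2]
    return fields


def extract_ids(line):
    # "1382432440 ALERT src=10.0.0.5 sig=PORTSCAN"  (epoch seconds first)
    parts = line.split(" ")
    fields = dict(kv.split("=", 1) for kv in parts[2:])
    fields["ts"] = float(parts[0])
    fields["event"] = parts[1]
    return fields


EXTRACTORS = {"netweaver": extract_netweaver, "database": extract_database, "ids": extract_ids}

# --- Normalization: source-specific names onto one schema -------------------
EVENT_MAP = {"LOGON_FAILED": "AUTH_FAILURE", "AUTH_FAILURE": "AUTH_FAILURE",
             "LOGON_OK": "AUTH_SUCCESS", "ALERT": "IDS_ALERT"}


def normalize(source, fields):
    return {
        "ts": fields["ts"],
        "source": source,
        "system": fields.get("SID") or fields.get("db") or source,
        "user": fields.get("user"),
        "src_ip": fields.get("src") or fields.get("host"),
        "event": EVENT_MAP.get(fields.get("event"), "OTHER"),
        "detail": fields.get("sig"),
    }


# --- Filtering: keep only what the patterns can use -------------------------
INTERESTING = {"AUTH_FAILURE", "IDS_ALERT"}


def keep(event):
    return event["event"] in INTERESTING and event["src_ip"] is not None


# --- Aggregation + attack patterns (constructed rule; updates would replace it)
ATTACK_PATTERNS = [
    {"name": "cross-system authentication failures", "event": "AUTH_FAILURE",
     "key": "src_ip", "threshold": 4, "window_s": 60},
]


def aggregate_and_alert(events, patterns=ATTACK_PATTERNS):
    """Sliding-window count per key across all systems; one alert per key."""
    alerts = []
    for pat in patterns:
        windows, fired = defaultdict(deque), set()
        for ev in sorted(events, key=lambda e: e["ts"]):
            if ev["event"] != pat["event"]:
                continue
            key, win = ev[pat["key"]], windows[ev[pat["key"]]]
            win.append(ev)
            while win and ev["ts"] - win[0]["ts"] > pat["window_s"]:
                win.popleft()
            if len(win) >= pat["threshold"] and key not in fired:
                fired.add(key)
                alerts.append({"pattern": pat["name"], pat["key"]: key, "count": len(win),
                               "systems": sorted({e["system"] for e in win}),
                               "users": sorted({e["user"] for e in win if e["user"]}),
                               "first_ts": win[0]["ts"], "last_ts": ev["ts"]})
    return alerts


def run_pipeline(raw):
    """raw: iterable of (source, line). Returns (kept normalized events, SIEM-ready alerts)."""
    normalized = []
    for source, line in raw:
        ev = normalize(source, EXTRACTORS[source](line))
        if keep(ev):
            normalized.append(ev)
    return normalized, aggregate_and_alert(normalized)


SAMPLE_LOGS = [  # constructed sample input
    ("netweaver", "2013-10-22T09:00:01 SID=PRD|client=100|user=JDOE|event=LOGON_FAILED|src=10.0.0.5"),
    ("netweaver", "2013-10-22T09:00:05 SID=PRD|client=100|user=ADMIN|event=LOGON_FAILED|src=10.0.0.5"),
    ("netweaver", "2013-10-22T09:00:09 SID=DEV|client=100|user=JDOE|event=LOGON_OK|src=10.0.0.77"),
    ("database", "2013-10-22 09:00:12 AUTH_FAILURE db=HDB user=SYSTEM host=10.0.0.5"),
    ("database", "2013-10-22 09:00:20 AUTH_FAILURE db=HDB user=SAPSR3 host=10.0.0.5"),
    ("ids", "1382432440 ALERT src=10.0.0.5 sig=PORTSCAN"),
    ("netweaver", "2013-10-22T09:30:00 SID=PRD|client=100|user=JDOE|event=LOGON_FAILED|src=10.0.0.5"),
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS)[1]:
        print(alert)
```

Run on the NetWeaver lines alone, the pipeline raises no alert: two failures in a minute on one system stay below the threshold. Only once the database failures from the same source address are normalized into the same schema does the pattern fire, which is the concrete form of the slide's remark that analysis on a single local NetWeaver system is limited.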


Summary: Key Take-Aways

- SAP NetWeaver TODAY is the favored technology platform for SAP customers integrating heterogeneous landscapes.
- Significant investments into security for networked solutions: the identity management, SSO and integrated security management offering will allow customers to implement secure business processes.
- The support for SAML 2.0 for identity federation provides the international standards support and heterogeneity that are mandatory for composite business applications and networked solutions.
- SAP leads in the industry by helping our customers to thrive in today's business networks.


Further Information

SAP Public Web

- SAP NetWeaver Security space on SCN: http://scn.sap.com/community/security
- SAP NetWeaver Identity Management space on SCN: http://scn.sap.com/community/netweaver-idm
- SAP NetWeaver Single Sign-On space on SCN: http://scn.sap.com/community/netweaver-sso
- SDN NetWeaver Security Forum: http://scn.sap.com/community/security/content?filterID=content~objecttype~objecttype[thread]
- SAP Online Help for SAP NetWeaver Identity Management: http://help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm
- SAP Security Recommendations "Secure Configuration SAP NetWeaver Application Server ABAP": http://scn.sap.com/docs/DOC-17149


SAP TechEd Virtual Hands-on Workshops and SAP TechEd Online: continue your SAP TechEd education after the event

SAP TechEd Virtual Hands-on Workshops

- Access hands-on workshops post-event
- Available January to March 2014
- Complimentary with your SAP TechEd registration
- httpsaptechedhandsonsapcom

SAP TechEd Online

- Access replays of keynotes, Demo Jam, SAP TechEd LIVE interviews, select lecture sessions and more
- View content only available online
- http://sapteched.com/online

Feedback: please complete your session evaluation for SIS100.

Thanks for attending this SAP TechEd session.


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
