https://raw.githubusercontent.com/ajmaradiaga/feeds/main/scmt/topics/Security-blog-posts.xml SAP Community - Security 2024-07-26T23:01:57.208973+00:00 python-feedgen Security blog posts in SAP Community https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/isae-3000-for-sap-s-4hana-cloud-public-edition-evaluation-of-the/ba-p/13672124 ISAE 3000 for SAP S/4HANA Cloud Public Edition - Evaluation of the Authorization Role Concept 2024-04-24T18:37:57.586000+02:00 anandkapadia https://community.sap.com/t5/user/viewprofilepage/user-id/37089 <P style=" text-align: center; "><STRONG>This blog post is featured in the&nbsp;<A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/sap-s-4hana-cloud-public-edition-identity-access-management-your-knowledge/ba-p/13533425" target="_blank">SAP S/4HANA Cloud Public Edition Identity Access Management - Your Knowledge Base</A>.</STRONG></P><H2 id="toc-hId-992522628">Introduction</H2><P>Authorization plays an essential role when we are talking about the Identity Access Management strategy of any ERP solution. Authorization is the function of specifying access rights and privileges to resources. Authorizations determine what you can do on the system once you have been authenticated.</P><P>In the context of SAP S/4HANA Cloud Public Edition, SAP divides the business functionality into semantically meaningful business catalogs, representing tasks or subprocesses within a business process. These business catalogs are the most finely grained units for structuring work and assigning authorizations.</P><H2 id="toc-hId-796009123">Background</H2><P>Business catalogs grant access to an app, a set of apps, or individual aspects of an app. Some business catalogs have restrictions. These restrictions give customers the option to further specify the way the user might interact with the app: they may, for example, grant write or read access. 
Business catalogs are grouped into collections called business roles.</P><P>A business role generally contains multiple business catalogs and corresponds to a set of authorizations required to perform the tasks of a particular job description, for example, a warehouse clerk. On the business role level, restriction values of the contained business catalogs are defined. A business catalog might be contained in different business roles and might have different restriction values assigned in these different business roles.</P><P>This raises the question: how does SAP ensure that the business catalogs, as the smallest building block from an IAM perspective, do not contain any inherent segregation of duties (SoD) conflicts and are built following proper development processes?</P><P>For this, SAP regularly hires an external auditor to perform assurance procedures as a reasonable assurance engagement in accordance with the International Standard on Assurance Engagements (ISAE) 3000 Revised, "Assurance Engagements Other Than Audits or Reviews of Historical Financial Information" (ISAE 3000).</P><P>In this blog post, we will look at the scope of the ISAE 3000 Assurance Report as well as the steps for requesting a copy of it.</P><H2 id="toc-hId-599495618">Scope of the ISAE3000 Assurance Report</H2><P>The scope of this report includes assurance procedures on the design and implementation as well as the effectiveness of the SAP S/4HANA Cloud Public Edition Authorization Concept of SAP regarding development, design, and implementation to avoid SoD conflicts.</P><P>In order to gain reasonable assurance evidence, the external auditor decided to assess all relevant processes that influence the quality and usage of the business catalogs released by SAP to customers. Some of these assurance procedures refer to the technical backend view on the Business Catalogs, called Business Catalog Roles. 
Please note that the technical backend cannot be accessed by SAP customers.</P><P>The assurance procedures included an assessment of the business catalog role concept structure, covering the following aspects (technical view):</P><UL><LI>Naming conventions implemented for business catalog roles</LI><LI>Development process for business catalogs</LI><LI>Rule-compliant definition of SAP S/4HANA Cloud Public Edition business catalog roles</LI><LI>SoD-compliant definition of SAP S/4HANA Cloud Public Edition business catalog roles</LI></UL><P>Additionally, the external auditor inspected the SAP-internal testing and change management process with regards to the business catalog roles. Ultimately, the business catalog implementation by SAP (as it is delivered to customers) has been evaluated. This part of the assurance involved walkthroughs with the development teams involved through the SAP Fiori applications newly released for SAP S/4HANA Cloud Public Edition.</P><H2 id="toc-hId-402982113">Requesting a Copy of the ISAE3000 Assurance Report</H2><P style=" text-align : justify; ">The use of this report is restricted. A copy of this report is available for all SAP S/4HANA Cloud Edition customers with productive systems. This report is also available for prospective customers under a signed non-disclosure agreement. 
The report may include a qualified opinion.</P><P style=" text-align : justify; ">To request the report, kindly follow these steps:</P><UL><LI>Go to <A href="https://www.sap.com/about/trust-center.html" target="_blank" rel="noopener noreferrer">SAP Trust Center</A></LI><LI>Select&nbsp;<STRONG>Compliance</STRONG></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Compliance.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/97101i1E1E6D1D1407E68D/image-size/large?v=v2&amp;px=999" role="button" title="Compliance.png" alt="Compliance.png" /></span></P><UL><LI>Select <STRONG>Find Compliance Documents</STRONG></LI></UL><P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Find compliance documents.png" style="width: 965px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/97102i230802B948CA6B8A/image-size/large?v=v2&amp;px=999" role="button" title="Find compliance documents.png" alt="Find compliance documents.png" /></span></STRONG></P><UL><LI>Filter the list of compliance documents. 
Search in the <STRONG>Offering Name</STRONG> for SAP S/4HANA Public Cloud</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="S4HC.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/97103iF9DA867BF48BBDC2/image-size/large?v=v2&amp;px=999" role="button" title="S4HC.png" alt="S4HC.png" /></span></P><UL><LI>Search for and click on <STRONG>Reasonable Assurance Report (ISAE3000) on the S/4HANA Cloud Edition Authorization Role Concept</STRONG></LI></UL><P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ISAE300.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/97104i2C2B54945DD3B341/image-size/large?v=v2&amp;px=999" role="button" title="ISAE300.png" alt="ISAE300.png" /></span></STRONG></P><UL><LI>Scroll down and click on the button <STRONG>Request a copy of the SAP S/4HANA ISAE 3000 Assurance Report</STRONG></LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="request.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/97105i93D06E1F132CEAB9/image-size/large?v=v2&amp;px=999" role="button" title="request.png" alt="request.png" /></span></P><P>&nbsp;</P><H2 id="toc-hId-206468608">Conclusion</H2><P>For more Identity Access Management-related topics on SAP S/4HANA Cloud Public Edition, you can check out my blog post&nbsp;<A href="https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/sap-s-4hana-cloud-public-edition-identity-access-management-your-knowledge/ba-p/13533425" target="_blank">SAP S/4HANA Cloud Public Edition Identity Access Management - Your Knowledge Base</A>.</P><P>Please feel free to provide your feedback in the comment section.&nbsp;</P><P>For more updates you can follow me via<SPAN>&nbsp;</SPAN><A href="https://www.linkedin.com/in/anand-kapadia" target="_blank" rel="noopener nofollow 
noreferrer">LinkedIn</A>.</P><P>&nbsp;</P> 2024-04-24T18:37:57.586000+02:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/influence-the-development-of-sap-enterprise-threat-detection-cloud-edition/ba-p/13687244 INFLUENCE THE DEVELOPMENT OF SAP ENTERPRISE THREAT DETECTION, CLOUD EDITION 2024-05-03T06:40:10.948000+02:00 KirtiSingh01 https://community.sap.com/t5/user/viewprofilepage/user-id/1447958 <P>Introducing the influence page for SAP Enterprise Threat Detection, cloud edition.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KirtiSingh01_2-1714475829296.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/103858i767BFD6748C29B56/image-size/large?v=v2&amp;px=999" role="button" title="KirtiSingh01_2-1714475829296.png" alt="KirtiSingh01_2-1714475829296.png" /></span></P><P>The SAP Enterprise Threat Detection product team is inviting customers and partners to share their feedback and ideas to enhance our solution.</P><P>On the <A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A> you can see all submitted requests, submit your own improvement requests, and vote and comment on other ideas.</P><P>The rationale and advantages of a customer influence page include:</P><UL><LI>Augmenting customers' engagement and influence on product features.</LI><LI>Improving products and services using meaningful customer insights.</LI><LI>Cultivating an engaged community.</LI><LI>Serving as a central platform for customer suggestions and fueling innovation.</LI></UL><P>The product team regularly evaluates the ideas and considers them for roadmap planning. Votes help to prioritize ideas along with other important selection criteria such as:</P><UL><LI><STRONG>DESIRABILITY</STRONG>: How many customers voted for this? 
How many customers will benefit from it?</LI><LI><STRONG>VIABILITY</STRONG>: Is this Improvement Request globally relevant? Is this in alignment with SAP’s strategy for the product?</LI><LI><STRONG>FEASIBILITY</STRONG>: Is the development effort realistic? Is this request achievable within the product’s architecture?</LI></UL><P>While this page is mainly for the public cloud edition, for private cloud and on-premise versions feel free to propose integration-related ideas.</P><P><STRONG>Follow the steps below to get access</STRONG>&nbsp;and start sharing your enhancement ideas:</P><UL><LI><STRONG>Go to</STRONG>&nbsp;<A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A>.<UL class="lia-list-style-type-circle"><LI>If you are a new user, create a user account using your S-User ID and accept the Terms of Use. Once the user is created, you activate SSO and can access the page without any interruption.</LI></UL></LI></UL><UL><LI><STRONG>Follow&nbsp;</STRONG>the session to get notified of new Improvement Requests and blogs.</LI><LI><STRONG>Vote</STRONG>&nbsp;and&nbsp;<STRONG>comment</STRONG>&nbsp;on Improvement Requests posted by other customers/partners.</LI><LI><STRONG>Submit</STRONG>&nbsp;new Improvement Requests.</LI></UL><P>You can also check out the videos and link below if you wish to learn more about SAP Continuous Influence and how to submit and manage improvement requests:</P><UL><LI><A href="https://www.sap.com/assetdetail/2019/06/145793d7-517d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to get started and navigate on the Customer Influence Site</A></LI><LI><A href="https://www.sap.com/assetdetail/2018/11/08f0cc5e-277d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to submit an improvement request</A></LI><LI><A 
href="https://www.sap.com/about/customer-involvement/influence-adopt.influence-opportunities.html#join-customer-influence" target="_blank" rel="noopener noreferrer">SAP Customer Influence and Adoption main info page</A></LI></UL><P>Please reach us at <A href="mailto:SAP-ETD@sap.com" target="_blank" rel="noopener nofollow noreferrer">SAP-ETD@sap.com</A> in case of any issue.</P><P>We look forward to seeing your ideas and further improving our software as we move forward.</P> 2024-05-03T06:40:10.948000+02:00 https://community.sap.com/t5/technology-blogs-by-members/threat-actors-targeting-sap-applications/ba-p/13679657 Threat Actors targeting SAP Applications 2024-05-03T07:57:35.500000+02:00 jppereze https://community.sap.com/t5/user/viewprofilepage/user-id/91040 <P>Last week, Onapsis and Flashpoint released a report describing the evolution of the Threat Landscape around SAP Applications, including the intersection of SAP and Ransomware. Some of its highlights include a 490% increase in mentions of SAP exploits or vulnerabilities across the open, deep and dark web from 2020 to 2023, or a whopping 400% increase in the price of a Remote Command Execution exploit for SAP Applications from August 2020 to April 2024.</P><P>This Threat Intelligence indicates that Threat Actors of all types understand how to target SAP technology, by exploiting SAP CVEs, exfiltrating financial reports from SAP Applications, performing financial fraud over extended periods of time, or even through the execution of Ransomware, which also targets SAP Applications and data. 
Some examples of these Threat Actors are APT10, a state-sponsored actor; FIN7/FIN13, which are financially motivated Threat Actors; or Cobalt Spider, a cybercriminal group.&nbsp;</P><P>This report is a further effort to help SAP Customers tackle cybersecurity threats such as active cyberattacks or ransomware, as done in the past jointly with SAP:</P><UL><LI><A href="https://news.sap.com/2021/07/ransomware-threats-sap-onapsis/" target="_blank" rel="noopener noreferrer">Taking Ransomware Threats Seriously | SAP &amp; Onapsis | SAP News</A>&nbsp;</LI><LI><A href="https://news.sap.com/2021/04/sap-onapsis-application-cyber-threat/" target="_blank" rel="noopener noreferrer">SAP and Onapsis Help Protect Against Cyber Threats | SAP News</A>&nbsp;</LI></UL><P>So as SAP Customers, what should we do?&nbsp;</P><P>In short, Vulnerability Management, Threat Detection and Threat Intelligence should integrate and incorporate SAP Applications.&nbsp;</P><UL><LI>Vulnerabilities and misconfigurations affecting SAP are used by Threat Actors to target SAP Applications, so SAP Customers should have proper vulnerability management programs addressing vulnerabilities and issues in a timely way.&nbsp; There are specific vulnerabilities and risks that were identified as part of this research, so those individual CVEs and misconfigurations are among the ones we should prioritize. Having said that, SAP releases patches periodically (on the second Tuesday of every month) and we should be able to process them and react accordingly. 
As an example, these are the patches released by SAP in April 2024:&nbsp;<A href="https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2024.html" target="_blank" rel="noopener noreferrer">SAP Security Patch Day – April 2024</A></LI><LI>Threat Intelligence tailored to SAP Applications should be consumed and integrated into Security Operation Centers, giving defenders the right signals to protect these applications before the bad guys act. Besides this recently released report, in the past, CISA has released a number of alerts, warning SAP customers about a number of different threats:&nbsp;<UL class="lia-list-style-type-square"><LI><P><A href="https://www.cisa.gov/news-events/alerts/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications" target="_blank" rel="noopener nofollow noreferrer"><SPAN>Malicious Cyber Activity Targeting Critical SAP Applications | CISA</SPAN></A><SPAN>&nbsp;</SPAN></P></LI><LI><P><A href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-195a" target="_blank" rel="noopener nofollow noreferrer"><SPAN>Critical Vulnerability in SAP NetWeaver AS Java | CISA</SPAN></A><SPAN>&nbsp;</SPAN></P></LI><LI><P><A href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-122a" target="_blank" rel="noopener nofollow noreferrer"><SPAN>New Exploits for Unsecure SAP Systems | CISA</SPAN></A></P></LI><LI><P><A href="https://www.cisa.gov/news-events/alerts/2016/05/11/exploitation-sap-business-applications" target="_blank" rel="noopener nofollow noreferrer"><SPAN>Exploitation of SAP Business Applications | CISA</SPAN></A></P></LI></UL></LI><LI>Feeds of logs and audit trails should be integrated into existing continuous monitoring programs to detect when SAP vulnerabilities are being exploited, SAP users are compromised or any other type of threat is affecting SAP Applications. 
These types of signals are extremely important to understand what happens within an SAP Application and to proactively detect potential threats.</LI></UL><P>If you are interested in reading more of this research, the report is available for download at both the Onapsis and Flashpoint sites (SAP community policies do not allow adding the link directly in this blog).&nbsp;</P><P>&nbsp;</P> 2024-05-03T07:57:35.500000+02:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/shared-trouble-is-security-doubled-the-shared-responsibility-model-for-sap/ba-p/13690550 Shared Trouble is security doubled: the shared responsibility model for SAP S/4HANA Cloud 2024-05-07T09:21:45.077000+02:00 patrickboch https://community.sap.com/t5/user/viewprofilepage/user-id/727153 <P><SPAN>One of the advantages of cloud applications is that you don’t have to take care of security. Which is true – mostly. In reality, while most of the security responsibilities and tasks are taken over by the cloud service provider, there are some things for which the customer is still responsible. And that also goes for the security responsibilities in SAP S/4HANA Cloud. </SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>Now, the title of this article specifically mentions SAP S/4HANA Cloud, without specifying whether it refers to private or public cloud. This is intentional as the focus is on the customer's responsibilities in the S/4HANA Cloud responsibility model – and in the following I’d like to highlight the responsibilities of the customer in general, while detailing the differences between SAP S/4HANA Cloud Private Edition versus SAP S/4HANA Cloud Public Edition. </SPAN></P><H3 id="toc-hId-1123396740"><SPAN>&nbsp;</SPAN><STRONG><SPAN>Responsibilities in General</SPAN></STRONG></H3><P><SPAN>&nbsp;</SPAN><SPAN>In terms of security, responsibilities are relatively clearly split between the Cloud Service Provider (CSP) and the customer. 
On a high level, the CSP’s responsibility includes security operations, network application, database management, operating system management, and the bare metal, unless partnering with a hyperscaler.</SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>The customer, on the other hand, is responsible for the application's access and security. However, there's a significant distinction depending on whether we're discussing SAP S/4HANA public or private cloud. </SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>Looking at it from another perspective, as the cloud service provider, we don't have access to your customer data, user identities, authentication, and business processes. The responsibility for these aspects lies with the customer. Conversely, security for the application server, database, operating systems, physical security, and bare metal security falls under our, SAP's, jurisdiction as a cloud service provider. </SPAN></P><P><SPAN>Understanding the difference is crucial, not just for security, but for adjacent topics as well.</SPAN></P><H3 id="toc-hId-926883235"><SPAN>&nbsp;</SPAN><STRONG><SPAN>Auditing cloud applications</SPAN></STRONG></H3><P><SPAN>&nbsp;</SPAN><SPAN>In order to get an overview, let’s begin with how auditing is approached in different cloud deployment options. This will help elucidate why it's critical to clearly distinguish responsibilities between you as a customer and SAP as the cloud service provider. </SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>When examining IT general controls, one should consider business processes, applications, and infrastructure. These elements require auditing by your auditor. IT application controls relate to business transactions and processes. The software, such as SAP S/4HANA, handles this. However, as the customer, you define the business processes and are therefore accountable to the auditor to ensure these processes function as designed.</SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>Secondly, there are application-related controls. 
These involve access management, change management, security configuration, and monitoring of application jobs and integration scenarios. The goal here is to ensure the application is implemented securely and correctly to meet the requirements of the business processes. </SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>The same principle applies to IT infrastructure, which must be implemented correctly to support business processes without negative impacts. This includes operating system and database security, but also physical data center security. </SPAN></P><H3 id="toc-hId-730369730"><SPAN>&nbsp;</SPAN><STRONG><SPAN>Customer Audits </SPAN></STRONG></H3><P><SPAN>When considering various cloud service models, the scope of the auditor's role varies significantly between on-premise installations and software as a service. In an on-premise model, the customer’s auditor must assess everything from physical security to business process controls. </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Different Cloud Deployment Models" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/105434iAAC8DD5A814E93CC/image-size/medium?v=v2&amp;px=400" role="button" title="patrickboch_1-1714726533473.png" alt="Different Cloud Deployment Models" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Different Cloud Deployment Models</span></span></P><P><SPAN>In an Infrastructure as a Service (IaaS) model, the auditor would need to rely on the cloud service provider for physical data center security and hardware matters. However, everything else, including service operating systems and databases, remains the customer's responsibility and must be audited accordingly.</SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>With Platform as a Service (PaaS), like S/4HANA private cloud, responsibilities for the security of operating systems and databases shift to the cloud service provider. 
</SPAN></P><P><SPAN>Software as a Service (SaaS) extends this concept further, in cases like the SAP S/4HANA public cloud, where standardized software is used by all customers. </SPAN></P><P><SPAN>&nbsp;</SPAN><SPAN>To manage these varying responsibilities, the SOC (Service Organization Control) report, specifically the SOC 2 report, has been established as an industry standard. This report is an attestation from auditors that all controls regarding IT infrastructure and application responsibility are functioning as designed. </SPAN></P><P><SPAN>The SOC report's purpose is to prevent each customer's auditor from having to verify that a CSP is maintaining their controls correctly. </SPAN></P><P><SPAN>However, it's crucial to note that customers must request the SOC 2 report regularly from the CSP, review it, and ensure it aligns with their security requirements. Subsequently, the company and its IT auditors need to review the controls within the SOC 2 report to verify everything is in order.</SPAN></P><H3 id="toc-hId-533856225"><STRONG><SPAN>The differences in SAP S/4HANA deployment models</SPAN></STRONG></H3><P><SPAN>Let's delve into the S/4HANA application, specifically focusing on the differences between private and public cloud options. </SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>To do this, we could proceed alphabetically by topic, but the most effective approach would be through the lens of the SAP Secure Operations Map. 
This tool, although developed before the advent of cloud technology, remains relevant as it comprehensively covers all tasks required for running applications like S/4HANA.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SAP Secure Operations Map" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/105432i977A4808F87DD35E/image-size/medium?v=v2&amp;px=400" role="button" title="patrickboch_2-1714726533473.png" alt="SAP Secure Operations Map" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">SAP Secure Operations Map</span></span></P><P><SPAN>As a brief overview, the map starts at the top with the organization, which isn't directly related to IT. It emphasizes the need for security governance awareness and risk management - an area that's often overlooked. In essence, it's crucial to identify potential risks, prepare responses, and manage them appropriately. </SPAN></P><P><SPAN>Next, the secure operations map addresses the application itself, highlighting aspects like access management, authentication, authorizations, and custom code security. It considers all customizations made in your SAP S/4HANA system.</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>On the system level, the map focuses on security hardening, secure SAP code, our secure development process, and security monitoring. </SPAN></P><P><SPAN>At the bottom of the map, mirroring the cloud responsibilities we've discussed, there’s the environment. This includes network security, operating system, database security, and client security. 
</SPAN></P><P><SPAN>Taking a closer look at this, and returning to the cloud deployment models we discussed earlier, we see that the Secure Operations Map's five topics (environment, system, application, process, and organization) are all the customer's responsibility in an on-premise environment.</SPAN></P><P><SPAN>In a private environment, the responsibility transitions between SAP and the customer around the application area. In a public environment, we, as the service provider, shoulder a larger share of the responsibility compared to the customer.</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>Network security is a shared responsibility between customers and SAP, regardless of whether the environment is private or public. As a customer, you must ensure that the network you use to access applications is secure. For instance, in a private environment, you may use SAP GUI via a VPN tunnel to our network. In contrast, in the public cloud, you can only access the software through a web browser over the internet. In both cases, you as the customer need to ensure that the network on your end is secured.</SPAN></P><P><SPAN>Operating system and database security is our responsibility, again, regardless of whether it's a private or public cloud. Client security, on the other hand, such as ensuring the SAP GUI or web browser is set up securely, falls under the customer's domain in both cases.</SPAN></P><P><SPAN>When it comes to system security hardening, it's fully our responsibility. Secure SAP code, from a development perspective, is our responsibility in both private and public cloud scenarios. However, there's a key difference when it comes to patch management in the private cloud. Here, updates are individual per customer and may affect business processes or require system restarts. 
Therefore, we coordinate with you before initiating any updates, unlike in the public cloud, where updates affect all customers.</SPAN></P><P><SPAN>Security monitoring and forensics represent another shared responsibility, but there are differences between Rise and Grow. In Rise, due to access to most of the ABAP stack, similar to an on-premise environment, you receive more information, including infrastructure logs provided by our private cloud operations team, a service called LogServe. </SPAN></P><P><SPAN>In a public cloud scenario, we provide a limited number of logs for security monitoring. Some information, technically, is shared among all customers; hence, we can't share it with individual customers.</SPAN></P><H3 id="toc-hId-337342720"><STRONG><SPAN>The application</SPAN></STRONG></H3><P><SPAN>Let's delve into the application, specifically User and Identity Management. </SPAN></P><P><SPAN>When we discuss roles and authorizations, we see a distinction between private and public cloud environments. In a private cloud, customers retain access to the PFCG, the SAP system transaction where roles and authorizations are defined and implemented. It's important to note that while you do have PFCG access in the private cloud, it's not usually full access. You typically can't assign authorizations or access the roles and authorizations definition, PFCG, as an admin, particularly when it comes to technical security topics. </SPAN></P><P><SPAN>In the public cloud, we implement a different strategy. We use what we call business catalogues, the smallest units of roles and authorizations. These catalogues are combined to create roles within the application, aligning with your business processes. </SPAN></P><P><SPAN>Regarding Custom Code Security, your code is generally your responsibility. However, there's a slight difference between private and public clouds. In the private cloud, you have more opportunities to program additional applications on top of S/4HANA. 
In contrast, in the public cloud, we provide Developer Extensibility that allows business application extensions but limits access to low-level functionality. </SPAN></P><P><SPAN>The last main topic from within the Secure Operations Map is Processes and Organizations. This is primarily the customer's responsibility, which is why we won’t discuss it here. </SPAN><SPAN>&nbsp;</SPAN></P><H3 id="toc-hId-140829215">Conclusion: Lots and less to think about</H3><P>As mentioned in the opening of this article: moving to the cloud gives you a lot less to think and worry about, especially when it comes to security. However, it does not relieve customers from all responsibility - something to keep in mind. On the other hand, we at SAP will support you now and in the future by guiding customers through those settings they are responsible for, and by making S/4HANA Cloud the most secure ERP system.&nbsp;</P> 2024-05-07T09:21:45.077000+02:00 https://community.sap.com/t5/technology-blogs-by-members/streamlining-user-provisioning-from-ibm-verify-to-sap-cloud-identity/ba-p/13695010 Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services 2024-05-08T12:57:02.652000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P>SAP Cloud Identity Services (CIS), part of SAP BTP, can be used to integrate Identity Access Management (IAM). In our last blog, we discussed the integration of SAP Cloud Identity Services (CIS) with IBM Security Verify, and now we're taking the next step in this integration. User provisioning is the process of setting up new user accounts in a system or application. 
In this blog, we will explore a common use case: transitioning user provisioning from IBM Verify to SAP Cloud Identity Services, and how this transition can streamline operations and enhance security.</P><P><STRONG>The Challenge of User Provisioning</STRONG></P><P>User provisioning is the process of granting and controlling access to resources within an organisation’s information technology infrastructure. Historically, on-boarding or off-boarding users has been a laborious and time-consuming procedure that frequently required numerous processes across multiple systems. As businesses embrace cloud solutions, the complexity of user provisioning has grown, necessitating automated and integrated approaches.</P><P><STRONG>Transitioning from IBM Verify to SAP Cloud Identity Services</STRONG></P><P>IBM Verify is a comprehensive identity and access management system that includes multi-factor authentication (MFA) and adaptive access control, while SAP Cloud Identity Services offers identity lifecycle management, single sign-on (SSO), and access governance features. Integrating these two systems can help organisations automate and streamline user provisioning operations, while also improving security and user experience.</P><P>&nbsp;</P><P><STRONG><U>How does it work?</U></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 1.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107254iC87D93636632C1FF/image-dimensions/600x390?v=v2" width="600" height="390" role="button" title="Picture 1.jpg" alt="Picture 1.jpg" /></span></P><P>The diagram shows that IBM Security Verify acts as a central user management system. It creates user accounts and manages their attributes, and also provisions them (creates them) in SAP Cloud Identity Services, potentially syncing relevant user attributes. 
Selected attributes from Verify are&nbsp;mapped&nbsp;to specific target attributes in SAP Cloud Identity Services, ensuring consistent user information across both systems. SCIM, a standardised protocol, enables communication between Verify and SAP Cloud Identity Services. On the left side of the diagram, IBM Security Verify acts as a SCIM server, receiving requests for user management and then modifying the target directory as needed. This streamlines user creation and ensures consistent user information across both systems.</P><P>&nbsp;</P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP Cloud Identity Services (for trial instance check this <A href="https://help.sap.com/docs/cloud-identity?locale=en-US" target="_blank" rel="noopener noreferrer">link</A>)</LI><LI>IBM Security Verify (for trial instance check this <A href="https://www.ibm.com/docs/en/security-verify?topic=overview-accessing-security-verify" target="_blank" rel="noopener nofollow noreferrer">link</A>)</LI><LI>A smartphone with IBM Security Verify App</LI></UL><P>&nbsp;</P><P><STRONG><U>Configurations and Settings in IBM Security Verify and SAP Cloud Identity Services</U></STRONG></P><P>Log into <A href="https://ibmlabs.verify.ibm.com/ui/admin" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify</A> as an administrator  </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 2.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107255iF33506AB018341EE/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 2.jpg" alt="Picture 2.jpg" /></span></P><P>When a user logs in, the home screen as shown below will be displayed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 3.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107256iA46ECE028C7D63C1/image-dimensions/600x315?v=v2" 
width="600" height="315" role="button" title="Picture 3.jpg" alt="Picture 3.jpg" /></span></P><P>On the left panel, click on "Applications" under "Applications". On the right side of the screen, there is an “Add application” button. Click on it.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 4.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107258i998C9B160EB85555/image-dimensions/600x329?v=v2" width="600" height="329" role="button" title="Picture 4.jpg" alt="Picture 4.jpg" /></span></P><P>Fill in the necessary details under the “General” section as shown below and save them.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 5.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107259iF49D6F1784AAD6A7/image-dimensions/600x363?v=v2" width="600" height="363" role="button" title="Picture 5.jpg" alt="Picture 5.jpg" /></span></P><P>Before we go further, log into your SAP BTP account; you will be taken to the SAP BTP Cockpit. As shown below, navigate to the “Instances and Subscriptions” tab under “Services”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 6.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107261i1A4FCC6A1C0D1C12/image-dimensions/601x326?v=v2" width="601" height="326" role="button" title="Picture 6.jpg" alt="Picture 6.jpg" /></span></P><P>You have to enable the Cloud Identity Services application.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 7.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107262i0B72D5F41CB61C9B/image-dimensions/601x316?v=v2" width="601" height="316" role="button" title="Picture 7.jpg" alt="Picture 7.jpg" /></span></P><P>Once enabled, it will look as below. 
Now, click on Cloud Identity Services application and you will be redirected to the login screen of the SAP authentication screen as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 8.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107263iCC19230226369943/image-dimensions/601x316?v=v2" width="601" height="316" role="button" title="Picture 8.jpg" alt="Picture 8.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 9.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107266i357621A8168E5EF0/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 9.jpg" alt="Picture 9.jpg" /></span></P><P>After a successful login, you can see the home screen of Cloud identity Services. Go to the “Identity Providers” as highlighted below :</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 10.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107268i5D2F63349F825C38/image-dimensions/601x337?v=v2" width="601" height="337" role="button" title="Picture 10.jpg" alt="Picture 10.jpg" /></span></P><P>Click on the Corporate Identity providers and create new identity provider.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 11.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107269i7DEC6BF3C2F442CB/image-dimensions/601x313?v=v2" width="601" height="313" role="button" title="Picture 11.jpg" alt="Picture 11.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 12.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107270iDFD2CD3C9DA26807/image-dimensions/601x337?v=v2" width="601" height="337" role="button" 
title="Picture 12.jpg" alt="Picture 12.jpg" /></span></P><P>Once the new identity provider is successfully added,&nbsp; click on the identity provider type and select SAML 2.0 compliant, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 13.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107271i5C962799BF791BA2/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 13.jpg" alt="Picture 13.jpg" /></span></P><P>Go to the SAML configuration section and fill in the information as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 14.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107275iD992FDB591A7B11C/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 14.jpg" alt="Picture 14.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 15.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107279i5840BC903244CD42/image-dimensions/601x314?v=v2" width="601" height="314" role="button" title="Picture 15.jpg" alt="Picture 15.jpg" /></span></P><P>You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. 
Go to the &nbsp;“Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Services as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 16.jpg" style="width: 598px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107280i74553FB8FBABC481/image-dimensions/598x329?v=v2" width="598" height="329" role="button" title="Picture 16.jpg" alt="Picture 16.jpg" /></span></P><P>Click on the Trusting application section and add SAP BTP trial subaccount.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 17.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107281i7C0241A7448A67D6/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 17.jpg" alt="Picture 17.jpg" /></span></P><P>Establish the trust configuration, which is under the “Security” section &nbsp;for the cloud identity application as shown in the below screenshots.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 18.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107282i6B60DB321260CD72/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 18.jpg" alt="Picture 18.jpg" /></span></P><P>You will see the below steps once you click on establish trust. 
In the first step, choose tenant and click on the next.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 19.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107284iC5DF2A58932143A3/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 19.jpg" alt="Picture 19.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 20.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107285i669823593CB1EF97/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 20.jpg" alt="Picture 20.jpg" /></span></P><P>After selecting a tenant, choose domain for your SAP Cloud Identity Services application.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107286iDC0DF0A0829D035F/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 21.jpg" alt="Picture 21.jpg" /></span></P><P>Click on the next button and configure parameters as shown in the below screenshot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 22.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107288iD40F34CDECC0FD9A/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 22.jpg" alt="Picture 22.jpg" /></span></P><P>Click on the next button and review the setup that you have done while establishing the trust. 
Finally, click on the finish button and save the details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 23.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107289iD6BAA6A35F4A9AA5/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 23.jpg" alt="Picture 23.jpg" /></span></P><P>Once done, you can see the new active trust configuration as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 24.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107392i27CD4C569D25B32C/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 24.jpg" alt="Picture 24.jpg" /></span></P><P>Now go back to IBM Security Verify, click on the “Sign-on” section, then select the “Use metadata” checkbox. This allows us to upload the metadata file we downloaded from SAP BTP, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 25.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107394i216EC7591BDAD303/image-dimensions/601x317?v=v2" width="601" height="317" role="button" title="Picture 25.jpg" alt="Picture 25.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 26.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107395i35F9A561397134EF/image-dimensions/600x315?v=v2" width="600" height="315" role="button" title="Picture 26.jpg" alt="Picture 26.jpg" /></span></P><P>Upload the metadata file you recently saved on your device to the IBM Verify dashboard.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 27.jpg" style="width: 600px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/107397i52227C152B94583A/image-dimensions/600x339?v=v2" width="600" height="339" role="button" title="Picture 27.jpg" alt="Picture 27.jpg" /></span></P><P>Now go to the “Account lifecycle” tab and add SCIM URL, Username and password detail as shown in below image. You can get all the details from SAP Cloud Identity Services application page.</P><P>&nbsp;</P><P>To get SCIM URL, go to SAP CIS and get the URL details from the browser and add “SCIM” at the end of URL.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 28.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107398i0F1E9139A1B89A00/image-dimensions/600x333?v=v2" width="600" height="333" role="button" title="Picture 28.jpg" alt="Picture 28.jpg" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 29.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107399iC0B3302E3F629661/image-dimensions/600x333?v=v2" width="600" height="333" role="button" title="Picture 29.jpg" alt="Picture 29.jpg" /></span></P><P>After adding the above details, scroll down and you can see “Attribute mapping” section. &nbsp;Click on the checkbox for which attribute you want to map from IBM Verify to SAP CIS and want to keep updated. Here we have checked email. &nbsp;Save this detail once changes are completed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 30.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107400i05DBB07F4608DEC7/image-dimensions/600x351?v=v2" width="600" height="351" role="button" title="Picture 30.jpg" alt="Picture 30.jpg" /></span></P><P>We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. 
Let’s add a user with attributes in Verify and check whether it is mapped to the Cloud Identity Services Users dashboard.</P><P>Go to the Users tab under the “Directory” section on the left side of the Verify dashboard and click on the “Add User” button as shown in the screenshot below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 31.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107401iD25469100AB22F06/image-dimensions/601x359?v=v2" width="601" height="359" role="button" title="Picture 31.jpg" alt="Picture 31.jpg" /></span></P><P>Fill out the necessary information for the user as shown in the image below and click on “Save”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 32.jpg" style="width: 300px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107402i6BC43DACFD285AE2/image-dimensions/300x427?v=v2" width="300" height="427" role="button" title="Picture 32.jpg" alt="Picture 32.jpg" /></span></P><P>Scroll down and you can add more details about the user. 
Here we have added an email ID, mobile number and user company details.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 33.jpg" style="width: 300px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107404i61838B107F605CA6/image-dimensions/300x495?v=v2" width="300" height="495" role="button" title="Picture 33.jpg" alt="Picture 33.jpg" /></span>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 34.jpg" style="width: 293px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107405i6D6E7519C623DBAE/image-dimensions/293x495?v=v2" width="293" height="495" role="button" title="Picture 34.jpg" alt="Picture 34.jpg" /></span></P><P>Once done, click on the Save button and the user detail will be saved.</P><P>Open the Cloud Identity Services application and go to the user section to check whether the newly-created user from Verify is mapped.</P><P>Click on the “Instance and subscription” section from the “Services” section on the left menu, and once the application list is shown, click on the Cloud Identity Services application as shown below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 35.jpg" style="width: 601px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107406i9D4A6985D7838094/image-dimensions/601x353?v=v2" width="601" height="353" role="button" title="Picture 35.jpg" alt="Picture 35.jpg" /></span></P><P>When the new application is loaded, click on the “User Management” tile and all the user list will be displayed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 36.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107407i4908B40D66F3039E/image-dimensions/600x354?v=v2" width="600" height="354" role="button" title="Picture 36.jpg" alt="Picture 36.jpg" /></span></P><P>As you can see in the below 
screenshot, a new user has been created: it was added in Verify and mapped into SAP Cloud Identity Services. The user details are mapped into Cloud Identity Services as well.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 37.jpg" style="width: 600px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/107408i49144A562C9FB9B1/image-dimensions/600x351?v=v2" width="600" height="351" role="button" title="Picture 37.jpg" alt="Picture 37.jpg" /></span></P><P><STRONG><U>Conclusion</U></STRONG></P><P>Effective user provisioning is critical to maintaining security, compliance, and operational efficiency. Centralising identity management, improving security, and streamlining administration activities enables organisations to successfully manage user identities and access controls across their entire IT infrastructure. Embracing integrated identity management solutions is more than just convenient: it is a strategic need for businesses looking to flourish in an increasingly linked and security-conscious environment.</P><P><STRONG><U>More information:</U></STRONG></P><P>Refer to our other blog on <A href="https://community.sap.com/t5/technology-blogs-by-members/integrating-ibm-security-verify-with-sap-cloud-identity-services-in-sap-btp/ba-p/13651722" target="_blank">SAP Cloud Identity Service integration with IBM Security Verify</A>.</P><P>If you have any questions about&nbsp;SAP BTP, please refer to <A href="https://community.sap.com/" target="_blank">SAP Community</A>; for any questions about IBM Security Verify, refer to the <A href="https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d" target="_blank" rel="noopener nofollow noreferrer">IBM Security Verify Community</A>.</P> 2024-05-08T12:57:02.652000+02:00 
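The SCIM attribute mapping and provisioning request described in the post above, as an added Python example (not code from the post, from IBM Security Verify or from SAP Cloud Identity Services): it builds the SCIM 2.0 User resource and the POST that a Verify-to-CIS run would send for a new user, passing on only the attributes whose mapping checkbox is ticked. The Verify attribute names, the sample user and the /scim/Users path are assumptions; the post only says to append SCIM to the tenant URL seen in the browser.

```python
"""Build the SCIM 2.0 request that creates a Verify user in SAP Cloud Identity Services.

Added example, not from the post or either product. Verify attribute names, the
sample record and the /scim/Users path are assumptions for this example."""
import base64
import json
from urllib.parse import urlsplit

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Mapping table as configured in the "Account lifecycle" tab:
# Verify attribute (hypothetical names) -> SCIM target attribute path.
ATTRIBUTE_MAP = {
    "userName": "userName",
    "givenName": "name.givenName",
    "familyName": "name.familyName",
    "email": "emails",
    "mobile": "phoneNumbers",
}

# Constructed sample record as Verify would hold it after "Add User".
SAMPLE_VERIFY_USER = {
    "userName": "jdoe",
    "givenName": "Jane",
    "familyName": "Doe",
    "email": "jane.doe@example.com",
    "mobile": "+1-555-0100",
}


def scim_users_url(tenant_url_from_browser: str) -> str:
    """Derive the SCIM Users endpoint from the CIS URL seen in the browser.

    Only scheme and host are kept, and anything but https is refused: the
    "Account lifecycle" tab stores a user name and password for this URL, and
    those credentials must never travel in clear text."""
    parts = urlsplit(tenant_url_from_browser)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM endpoint must be an https URL")
    return f"https://{parts.netloc}/scim/Users"  # path is an assumption


def map_to_scim_user(verify_user: dict, checked: set) -> dict:
    """Translate a Verify record into a SCIM User resource.

    Only attributes whose checkbox is ticked are sent, plus userName, which the
    SCIM core schema requires. Unticked attributes (here: the mobile number)
    never leave Verify, so the mapping also limits what CIS learns."""
    resource = {"schemas": [SCIM_USER_SCHEMA]}
    for src, target in ATTRIBUTE_MAP.items():
        if src not in verify_user:
            continue
        if target != "userName" and src not in checked:
            continue
        value = verify_user[src]
        if target == "emails":
            resource["emails"] = [{"value": value, "type": "work", "primary": True}]
        elif target == "phoneNumbers":
            resource["phoneNumbers"] = [{"value": value, "type": "mobile"}]
        elif "." in target:  # complex attribute such as name.givenName
            parent, child = target.split(".", 1)
            resource.setdefault(parent, {})[child] = value
        else:
            resource[target] = value
    if "userName" not in resource:
        raise ValueError("SCIM core schema requires userName")
    return resource


def build_create_request(tenant_url, scim_user, scim_password, verify_user, checked):
    """Return (method, url, headers, body) for the SCIM POST that creates the user.

    The credentials are the SCIM user name and password entered in the
    "Account lifecycle" tab, sent as HTTP Basic authentication."""
    token = base64.b64encode(f"{scim_user}:{scim_password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    body = json.dumps(map_to_scim_user(verify_user, checked))
    return "POST", scim_users_url(tenant_url), headers, body


if __name__ == "__main__":
    method, url, headers, body = build_create_request(
        "https://tenant.example/admin/", "scim-user", "s3cret",
        SAMPLE_VERIFY_USER, {"email"})
    print(method, url)
    print(body)
```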
https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/sap-s-4hana-extracting-user-email-addresses-from-standard-tables/ba-p/13697756 SAP S/4HANA - Extracting User Email Addresses from Standard Tables 2024-05-10T15:09:30.362000+02:00 karthikj2 https://community.sap.com/t5/user/viewprofilepage/user-id/148163 <P><FONT size="5"><STRONG>What are we discussing here?</STRONG></FONT></P><P>When working with SAP systems, there is a fundamental need to find or verify user email addresses for various purposes. Whether it is to send automated notifications, facilitate communication between users, or generate reports, having accurate and up-to-date email addresses is crucial. However, extracting email addresses from an SAP system is not as easy as one might think. In this blog post, we will explore the simplest method to extract or find the email addresses of users from SAP standard tables.</P><P>Note: there is no direct transaction code or program to extract the email addresses of users.</P><P><FONT size="5"><STRONG>How are we going to achieve it?</STRONG></FONT></P><P>The primary table that stores user information in SAP is <STRONG>USR21</STRONG>. This table contains user master data, including the person number (<STRONG>PERSNUMBER</STRONG>) associated with each user. 
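The USR21 to ADR6 lookup that the SE16 procedure in this post performs by hand, written as one query, as an added Python/SQLite example (not code from the post): it rebuilds the columns the lookup needs with constructed sample rows, joins the two tables on the address key, and keeps users who have no email row visible, which the two-step SE16 lookup silently drops. The column names are the SAP ones; the sample rows and client 100 are constructed.

```python
"""Resolve SAP user IDs (USR21.BNAME) to e-mail addresses (ADR6.SMTP_ADDR) in one query.

Added example, not from the post: both tables are rebuilt in an in-memory SQLite
database with only the columns the lookup needs and constructed sample rows."""
import sqlite3

# Subset of the real USR21 / ADR6 columns; the primary keys follow the SAP tables.
SCHEMA = """
CREATE TABLE USR21 (
    MANDT TEXT, BNAME TEXT, PERSNUMBER TEXT, ADDRNUMBER TEXT,
    PRIMARY KEY (MANDT, BNAME));
CREATE TABLE ADR6 (
    CLIENT TEXT, ADDRNUMBER TEXT, PERSNUMBER TEXT, DATE_FROM TEXT, CONSNUMBER TEXT,
    SMTP_ADDR TEXT, FLGDEFAULT TEXT,
    PRIMARY KEY (CLIENT, ADDRNUMBER, PERSNUMBER, DATE_FROM, CONSNUMBER));
"""

# Constructed sample data: ALICE has one address, BOB has two (one flagged as
# default), CAROL exists without an e-mail row, and client 200 holds another ALICE.
USR21_ROWS = [
    ("100", "ALICE", "0000000001", "0000000011"),
    ("100", "BOB",   "0000000002", "0000000011"),
    ("100", "CAROL", "0000000003", "0000000012"),
    ("200", "ALICE", "0000000001", "0000000011"),
]
ADR6_ROWS = [
    ("100", "0000000011", "0000000001", "00010101", "001", "alice@example.com", "X"),
    ("100", "0000000011", "0000000002", "00010101", "001", "bob.alt@example.com", ""),
    ("100", "0000000011", "0000000002", "00010101", "002", "bob@example.com", "X"),
    ("200", "0000000011", "0000000001", "00010101", "001", "alice.other@example.com", "X"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO USR21 VALUES (?, ?, ?, ?)", USR21_ROWS)
    conn.executemany("INSERT INTO ADR6 VALUES (?, ?, ?, ?, ?, ?, ?)", ADR6_ROWS)
    return conn


def emails_for_users(conn: sqlite3.Connection, client: str, user_ids: list) -> dict:
    """Return {BNAME: [SMTP_ADDR, ...]} for the given users in one client.

    The join uses the full address key (client, ADDRNUMBER, PERSNUMBER), which is
    what the ADR6 primary key guarantees to be unique; the SE16 procedure selects
    ADR6 by PERSNUMBER alone. A LEFT JOIN keeps users without any e-mail row, so a
    missing address shows up as an empty list instead of vanishing. The caller
    names the users explicitly, which keeps the extract as small as the task needs."""
    if not user_ids:
        return {}
    placeholders = ",".join("?" * len(user_ids))  # only "?" marks, values stay bound
    sql = f"""
        SELECT u.BNAME, a.SMTP_ADDR
        FROM USR21 AS u
        LEFT JOIN ADR6 AS a
          ON a.CLIENT = u.MANDT
         AND a.ADDRNUMBER = u.ADDRNUMBER
         AND a.PERSNUMBER = u.PERSNUMBER
        WHERE u.MANDT = ? AND u.BNAME IN ({placeholders})
        ORDER BY u.BNAME,
                 CASE WHEN a.FLGDEFAULT = 'X' THEN 0 ELSE 1 END,
                 a.CONSNUMBER
    """
    result = {}
    for bname, smtp_addr in conn.execute(sql, [client, *user_ids]):
        result.setdefault(bname, [])
        if smtp_addr:  # NULL from the LEFT JOIN means no ADR6 row
            result[bname].append(smtp_addr)
    return result


if __name__ == "__main__":
    db = build_sample_db()
    for user, addresses in emails_for_users(db, "100", ["ALICE", "BOB", "CAROL"]).items():
        print(user, addresses or "<no e-mail address>")
```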
To retrieve email addresses, we will link this table with the address data table <STRONG>ADR6</STRONG>.</P><P><STRONG>What is USR21?</STRONG></P><P>USR21 is a standard table in SAP ERP system that assigns User Names and Address Keys.</P><P><STRONG>What is ADR6?</STRONG></P><P>The ADR6 table in SAP ERP system is a standard table that stores email addresses (Business Address Services) for any address record.</P><P><FONT size="5"><STRONG>Procedure to Extract Email Address from SAP Tables</STRONG></FONT></P><P>Execute table view transaction code: <STRONG>SE16</STRONG> -&gt; Enter Table Name : <STRONG>USR21</STRONG> -&gt; Execute</P><P>Provide the list of User ID(s) through Multiple Selection for <STRONG>BNAME </STRONG>-&gt; Execute</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_5-1715344388432.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108676iCEC89D0CE48CCB7B/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_5-1715344388432.png" alt="karthikj2_5-1715344388432.png" /></span></P><P>Copy the list of Personnel Number <STRONG>(PERSNUMBER)</STRONG> for the users</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_6-1715344388441.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108674iCC1979566995EEFE/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_6-1715344388441.png" alt="karthikj2_6-1715344388441.png" /></span></P><P>Execute table view transaction code: <STRONG>SE16</STRONG> -&gt; Enter Table Name: <STRONG>ADR6</STRONG> -&gt; Execute</P><P>Provide the list of Personnel Number(s) through Multiple Selection for <STRONG>PERSNUMBER </STRONG>-&gt; Execute</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_7-1715344388447.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/108675i7E1876E52EBE5A3D/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_7-1715344388447.png" alt="karthikj2_7-1715344388447.png" /></span></P><P>The <STRONG>SMTP_ADDR</STRONG> column of the ADR6 table provides the email addresses of the users.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_8-1715344388454.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108680i9911656A2E120BA1/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_8-1715344388454.png" alt="karthikj2_8-1715344388454.png" /></span></P><P>SAP also lets you export the list to a spreadsheet from this screen.</P><P><STRONG>Tip:</STRONG> make sure to select ALV Grid Display in the User-Specific Settings on the initial screen of ADR6.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="karthikj2_9-1715344388461.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/108681iA9B307175988C370/image-size/medium?v=v2&amp;px=400" role="button" title="karthikj2_9-1715344388461.png" alt="karthikj2_9-1715344388461.png" /></span></P><P><FONT size="5"><STRONG>What are other options?</STRONG></FONT></P><P>Another approach for SAP S/4HANA is to leverage the built-in Core Data Services <STRONG>(CDS)</STRONG> view.</P><P>The table <STRONG>PUSER002</STRONG> can also be used: BNAME holds the user name; ensure the column <STRONG>SMTP_ADDR</STRONG> is visible.</P><P><FONT size="5"><STRONG>Word of Caution</STRONG></FONT></P><P><STRONG>Avoid Unintended Disclosure</STRONG></P><P>When querying SAP tables, be cautious not to inadvertently disclose email addresses to unauthorized users or external sources.</P><P>Limit access to relevant personnel and follow proper authorization procedures.</P><P>Remember, accurate and secure email addresses contribute to smooth business processes 
and effective communication within your organization. Handle them responsibly, and always prioritize data protection.</P><P>If you have any further questions or need assistance, do not hesitate to comment on this blog. Happy SAP querying!</P><P>Feel free to share this article with your colleagues and peers who work with SAP systems.</P> 2024-05-10T15:09:30.362000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/identity-access-management-iam-reference-architectures-2024/ba-p/13697891 Identity Access Management (IAM) Reference Architectures 2024 2024-05-10T17:20:21.397000+02:00 1Gunnar https://community.sap.com/t5/user/viewprofilepage/user-id/11449 <H1 id="toc-hId-865442847"><STRONG>Identity Access Management Reference Architectures in 2024</STRONG></H1><P>We are happy to share with you that we just released an update to our reference architectures (2024 version).</P><P>The latest version is published in&nbsp;<A href="https://discovery-center.cloud.sap/refArchCatalog/?category=security" target="_self" rel="nofollow noopener noreferrer">SAP Discovery Center</A> along with further links to our documentation and to related missions. 
We want to support you trying out easily what we describe.</P><P>If you are new to this topic, consider reading my&nbsp;<A href="https://community.sap.com/t5/technology-blogs-by-sap/identity-lifecycle-sap-reference-architecture-for-identity-access/ba-p/13504029" target="_self">older blog post about Cloud leading Identity Lifecycle from 2021.</A>&nbsp;The 1st chapter is still valid to start with - although it's 3 years old <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P data-unlink="true">We have an updated version of the <A href="https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html?anchorId=section_1784311506" target="_self" rel="noopener noreferrer">SAP Secure Operations Map</A>&nbsp;which allows you to verify your security requirements and map them to the regional requirements like NIST or BSI.<BR />The Secure Operations Map contains in the application layer the three main IAM pillars that are now described in the SAP Discovery Center:</P><H3 id="toc-hId-927094780"><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-authentication" target="_self" rel="nofollow noopener noreferrer">Authentication flows</A></H3><H3 id="toc-hId-730581275"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110029iB2CEA4D6F70D5B65/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" alt="[SAP Official]_SAP_Cloud_Leading_Authentication_L2.png" /></span><BR /><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-identity-lifecycle-authorizations" target="_self" rel="nofollow noopener noreferrer">Authorization flows as part of the identity lifecycle</A></H3><P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110031iA2E47F0A81B02F75/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" alt="[SAP-official]_SAP_Cloud_Identity_Services_Authorization_L1.png" /></span></P><H2 id="toc-hId-404985051"><A href="https://discovery-center.cloud.sap/refArchDetail/ref-arch-cloud-leading-identity-lifecycle" target="_self" rel="nofollow noopener noreferrer">Identity Lifecycle flows</A></H2><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/110027iF904C1A7D2C1D674/image-size/medium?v=v2&amp;px=400" role="button" title="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" alt="[SAP Official]_SAP_Cloud_Identity_Services_Identity_Lifecycle_L1.png" /></span></P><P>&nbsp;</P><P>Please read them and we can use this community to discuss.</P><P>If you want to know more about the SAP Cloud Identity Services I recommend <A href="https://community.sap.com/t5/technology-blogs-by-sap/sap-cloud-identity-services-why-and-how-to-integrate-them-for-a-consistent/ba-p/13560015" target="_self">this blog post</A>.</P><P>&nbsp;</P><P>PS: Yes, we are already working on an integrated architecture which considers SAP Access Control - but we need a bit more time.</P><P>&nbsp;</P> 2024-05-10T17:20:21.397000+02:00 https://community.sap.com/t5/technology-blogs-by-members/installing-saprouter-on-linux-a-step-by-step-guide/ba-p/13698342 Installing SAPRouter on Linux: A Step-by-Step Guide 2024-05-11T15:55:48.753000+02:00 Muthumayandi_Yadava https://community.sap.com/t5/user/viewprofilepage/user-id/10779 <P><STRONG>What is SAP Router ?</STRONG></P><P>SAPRouter is a 
software component used to secure communication between SAP systems and the internet. Installing SAPRouter on Linux is a crucial step in ensuring secure communication for your SAP landscape. This step-by-step guide will walk you through the installation process.</P><P><STRONG>Prerequisites</STRONG>:</P><P>- Linux server (e.g., CentOS, Ubuntu)</P><P>- Root access to the server</P><P>- SAPRouter software package downloaded from the SAP Support Portal</P><P><STRONG>Step 1: Download SAPRouter:</STRONG></P><P>Download the SAPRouter software package from the SAP Support Portal. Ensure that you download the correct version for your operating system.</P><P><STRONG>Step 2: Extract the SAPRouter Package:</STRONG></P><P>Transfer the downloaded SAPRouter package to your Linux server. Use the following command to extract the package:</P><P>tar -xvf saprouter_&lt;version&gt;_linux_x86_64.tar.gz</P><P><STRONG>Step 3: Create a Directory for SAPRouter:</STRONG></P><P>Create a directory to store the SAPRouter files. You can use the following command to create the directory:</P><P>mkdir /usr/sap/saprouter</P><P><STRONG>Step 4: Copy SAPRouter Files:</STRONG></P><P>Copy the extracted SAPRouter files to the newly created directory:</P><P>cp -R &lt;path_to_extracted_files&gt;/saprouter /usr/sap/saprouter</P><P><STRONG>Step 5: Create a Configuration File:</STRONG></P><P>Create a configuration file named `saprouter.ini` in the `/usr/sap/saprouter` directory. 
Here's a basic example of the configuration file:</P><P># SAProuter Configuration File</P><P>version = 39</P><P>httpport = 81</P><P>tracefile = /usr/sap/saprouter/saprouter.trc</P><P>authid = *</P><P>permit = *</P><P><STRONG>Step 6: Set Permissions:</STRONG></P><P>Ensure that the SAPRouter binary and configuration files have the correct permissions:</P><P>chmod 755 /usr/sap/saprouter/saprouter</P><P>chmod 644 /usr/sap/saprouter/saprouter.ini</P><P><STRONG>Step 7: Start SAPRouter:</STRONG></P><P>Start the SAPRouter using the following command:</P><P>/usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouter.ini</P><P><STRONG>Step 8: Verify SAPRouter Status:</STRONG></P><P>Verify that SAPRouter is running and listening on the specified port (e.g., 81). The pattern below matches port 81 only, not other ports that merely contain the digits 81:</P><P>netstat -tuln | grep ':81 '</P><P><STRONG>Step 9: Configure Firewall:</STRONG></P><P>Configure your firewall to allow incoming and outgoing traffic on the SAPRouter port (e.g., 81) to ensure proper communication.</P><P><STRONG>Step 10: Configure SAP Systems:</STRONG></P><P>Update the `secinfo` file of your SAP systems to include the SAPRouter details for communication through the SAPRouter.</P><P><STRONG>Overall information</STRONG>:</P><P>By following these steps, you can successfully install SAPRouter on your Linux server. 
This will help secure communication between your SAP systems and the internet, ensuring the integrity and confidentiality of your SAP la<SPAN>ndscape.</SPAN></P><P>#SAP #SAPRouter #Linux #Installation <a href="https://community.sap.com/t5/c-khhcw49343/SAP+Young+Thinkers/pd-p/7491a8e4-2c34-4d6b-bf69-b91db9291a90" class="lia-product-mention" data-product="1159-1">SAP Young Thinkers</a>&nbsp;#<a href="https://community.sap.com/t5/c-khhcw49343/Red+Hat+Enterprise+Linux/pd-p/566117836046276697184412662459974" class="lia-product-mention" data-product="304-1">Red Hat Enterprise Linux</a>&nbsp;<a href="https://community.sap.com/t5/c-khhcw49343/SUSE+Linux+Enterprise+Server/pd-p/68020287236497694019600446793069" class="lia-product-mention" data-product="305-1">SUSE Linux Enterprise Server</a>&nbsp;<a href="https://community.sap.com/t5/c-khhcw49343/SAP+Women+in+Tech/pd-p/5e61e027-661e-4c66-91ef-4e6fa20c40f6" class="lia-product-mention" data-product="1164-1">SAP Women in Tech</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/c-khhcw49343/SAP+Integration+Suite/pd-p/73554900100800003241" class="lia-product-mention" data-product="23-1">SAP Integration Suite</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/c-khhcw49343/SAP+Business+Application+Studio/pd-p/67837800100800007077" class="lia-product-mention" data-product="13-1">SAP Business Application Studio</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/10779">@Muthumayandi_Yadava</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/39302">@Subramanian</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/1387241">@Sap</a><SPAN>&nbsp;</SPAN><a href="https://community.sap.com/t5/user/viewprofilepage/user-id/121481">@YejinYun</a><SPAN>&nbsp;</SPAN></P> 2024-05-11T15:55:48.753000+02:00 
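Added example for the installation guide above; it is not part of the blog post and not SAP's own tooling. The file saprouter reads through the -R option is its route permission table, conventionally named saprouttab, in which each line is P (permit), D (deny) or S (permit only SNC-protected connections) followed by source host, destination host and destination port. A permit-everything rule, whether written as the post's permit = * or as a P * * * line in saprouttab syntax, lets any client that can reach the router connect to any host and port behind it, so the table deserves an automated check before the router is started. The POSIX shell script below audits a constructed sample table for such wildcard permit rules; the hosts, subnets, ports and file contents in it are made up for the example.

```shell
#!/bin/sh
# Added example for this page (not from the blog post): audit a SAPRouter
# route permission table (saprouttab syntax) for over-permissive entries.
# Assumed line layout, one rule per line, fields separated by whitespace:
#   P <source-host> <dest-host> <dest-port> [<password>]  permit
#   D <source-host> <dest-host> <dest-port>               deny
#   S <source-host> <dest-host> <dest-port>               permit only with SNC
set -eu

# Write a constructed sample table to a temporary file so the script runs
# offline; hosts, subnets and ports are made up and have no real counterpart.
make_sample_table() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample saprouttab
# office subnet may open dialog connections to the production instance
P 10.0.5.0/24 sapprd01 3200
# support access reaches the router only over SNC
S 194.39.131.34 sapprd01 3299
# anything from anywhere to any port: this is the rule we want to catch
P * * *
# one admin host may reach any destination on the dispatcher port
P 10.0.9.7 * 3200
# explicit final deny
D * * *
EOF
    echo "$tmp"
}

# Print permit (P) rules whose source, destination or port is a bare wildcard.
# Blank lines and comment lines are skipped; awk splits fields on whitespace.
wildcard_permits() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "P" && ($2 == "*" || $3 == "*" || $4 == "*") { print }
    ' "$1"
}

# Number of over-permissive permit rules; 0 means the table passed the check.
count_wildcard_permits() {
    wildcard_permits "$1" | wc -l | tr -d ' '
}

# Gate for a start script: returns 1 (listing the offending rules on stderr)
# if any wildcard permit rule is present, 0 otherwise.
check_route_table() {
    n=$(count_wildcard_permits "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n over-permissive permit rule(s) in $1:" >&2
        wildcard_permits "$1" >&2
        return 1
    fi
    echo "OK: no wildcard permit rules in $1"
}

# When a table path is given on the command line, check it and propagate the result.
if [ $# -gt 0 ]; then
    check_route_table "$1" || exit 1
fi
```

Calling check_route_table on the table path your start script passes to -R (for example /usr/sap/saprouter/saprouttab, an assumed path) and aborting on a non-zero return keeps a permit-all rule from going live unnoticed. The awk filter only flags whole-field wildcards, so narrower patterns such as a subnet on the source side pass the check and still need a human review.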
https://community.sap.com/t5/technology-blogs-by-members/handling-profile-parameter-values-in-sap-netweaver-and-sap-hana/ba-p/13699505 Handling profile parameter values in SAP NetWeaver and SAP HANA 2024-05-13T15:15:53.323000+02:00 JoeGoerlich https://community.sap.com/t5/user/viewprofilepage/user-id/2716 <P><SPAN>Profile parameters accompany SAP Basis administrators throughout their entire careers. Still, in many SAP systems one can find sub-optimal handling of them, and when it comes to monitoring or compliance checking one may wonder how to determine the currently effective values. This is of special interest if one considers implementing a tool for compliance checking.</SPAN><BR /><BR /><SPAN>In this blog post I would like to give a brief overview of profile parameters and some handling tips.</SPAN></P><P><SPAN>In another <A title="Checking profile parameter values in SAP NetWeaver and SAP HANA" href="https://community.sap.com/t5/technology-blogs-by-members/checking-profile-parameter-values-in-sap-netweaver-and-sap-hana/ba-p/13504550" target="_blank">blog post</A> I give an overview of how the effective profile parameter values can be determined.</SPAN></P><P>&nbsp;</P><H2 id="toc-hId-994581990">Effective Parameters</H2><P>First we must know that many&nbsp;profile parameters have a so-called "kernel default value". This value is compiled into the kernel and takes effect if it is not overridden by other means; we will come to that shortly.<BR /><BR />We can display the kernel default values of all parameters recognized by the current SAP kernel, for example by running the command <FONT face="courier new,courier">sappfpar all</FONT> on OS level as user <EM>&lt;sid&gt;adm</EM>.</P><BLOCKQUOTE><STRONG>Please note:</STRONG> Looking at the output, we may find some profile parameters which have no kernel default value, and some parameters are entirely unknown to the kernel and therefore are not listed in the output at all. 
Values for these profile parameters must then be set explicitly in a profile file. An example would be the parameters <FONT face="courier new,courier">ccl/*</FONT> used to set up the CommonCryptoLib.</BLOCKQUOTE><P>The kernel default values might change with newer releases or patch levels of the SAP kernel. New sub-parameters might be added to existing profile parameters. Furthermore, completely new parameters may be added, and in rare cases parameters are removed.</P><BLOCKQUOTE><STRONG>Please note:</STRONG> SAP has started to provide a list of changes to profile parameters. It can be found in the What's New Viewer in the section ABAP Server Infrastructure -&gt; Parameter Changes, for example <A href="https://help.sap.com/docs/ABAP_PLATFORM/66906ae3920c4fc684cf588290fb9267/fb05c58e8e4e43c29284863c7272666d.html" target="_blank" rel="noopener noreferrer">here</A>.</BLOCKQUOTE><P>To make profile parameter values configurable and persistent, they have to be stored in the so-called profile files. At system startup, the profile parameter values are read from those profile files residing on the filesystem. 
This happens in the following order:</P><TABLE border="1"><TBODY><TR><TD>#</TD><TD>Identifier</TD><TD>Location</TD></TR><TR><TD>1.</TD><TD>kernel default value</TD><TD>compiled into the kernel</TD></TR><TR><TD>2.</TD><TD>default profile</TD><TD><BR /><BR />for SAP NW: <FONT face="courier new,courier">/sapmnt/$SAPSYSTEMNAME/profiles/DEFAULT.PFL</FONT><BR /><BR />for SAP HANA: <FONT face="courier new,courier">/hana/shared/$SAPSYSTEMNAME/profile/DEFAULT.PFL</FONT><BR /><BR />for SAP Host Agent: n/a</TD></TR><TR><TD>3.</TD><TD>instance profile</TD><TD><BR /><BR />for SAP NW: <FONT face="courier new,courier">/sapmnt/$SAPSYSTEMNAME/profiles/$SAPSYSTEMNAME_&lt;instance_name&gt;_&lt;saplocalhost&gt;</FONT><BR /><BR />for SAP HANA: <FONT face="courier new,courier">/hana/shared/$SAPSYSTEMNAME/profile/$SAPSYSTEMNAME_&lt;instance_name&gt;_&lt;saplocalhost&gt;</FONT><BR /><BR />for SAP Host Agent: <FONT face="courier new,courier">/usr/sap/hostctrl/exe/host_profile</FONT></TD></TR></TBODY></TABLE><P><BR />With this, we must keep in mind that a value from the instance profile might override a value from the <FONT face="courier new,courier">DEFAULT.PFL</FONT>. 
In some cases, this may be done intentionally.<BR /><BR /></P><H3 id="toc-hId-927151204">Determine the correct profile for a parameter and use variables to define its value</H3><P>As a rule of thumb, instance profiles (file name <FONT face="courier new,courier">&lt;SID&gt;_&lt;INSTANCE&gt;_&lt;HOST&gt;</FONT>) should contain only parameters which are specific to the particular instance.<BR />Instance-specific parameters may also be moved into the <FONT face="courier new,courier">DEFAULT.PFL</FONT> if there is a <EM>variable</EM> available which can be used to make values instance-specific while defining them in the <FONT face="courier new,courier">DEFAULT.PFL</FONT>.<BR /><BR />To make this concept clearer, I would like to give an example based on the profile parameter <FONT face="courier new,courier">icm/HTTP/logging_&lt;xx&gt;</FONT>:<BR /><BR />We should prefer setting the following in the default profile<BR /><FONT face="courier new,courier">icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)$(DIR_SEP)↵</FONT><BR /><FONT face="courier new,courier">icm_http_server_$(SAPSYSTEMNAME)_$(INSTANCE_NAME)_$(SAPLOCALHOST)-%y-%m-%d.log</FONT><BR />over setting the following in the instance profile<BR /><FONT face="courier new,courier">icm/HTTP/logging_0 = PREFIX=/,LOGFILE=/usr/sap/NPL/D00/log/↵</FONT><BR /><FONT face="courier new,courier">icm_http_server_NPL_D00_vhcalnplci-%y-%m-%d.log</FONT><BR /><BR />In this example, we have made the value independent of the SID, instance name and hostname, and we have also made it independent of the operating system by specifying the path via the variable <FONT face="courier new,courier">$(DIR_LOGGING)</FONT> and the delimiter via <FONT face="courier new,courier">$(DIR_SEP)</FONT>. 
So, no matter how many instances our system has, even if they are heterogeneous, we can rely on the desired value taking effect on each instance.</P><P>&nbsp;</P><BLOCKQUOTE><STRONG>Excursus:</STRONG><BR />Having a closer look at the kernel default value of the profile parameter <FONT face="courier new,courier">DIR_LOGGING</FONT>, we see that it is specified as <FONT face="courier new,courier">$(DIR_INSTANCE)$(DIR_SEP)log</FONT>. And <FONT face="courier new,courier">DIR_INSTANCE</FONT> is specified as <FONT face="courier new,courier">$(DIR_SEP)usr$(DIR_SEP)sap$(DIR_SEP)$(SAPSYSTEMNAME)$(DIR_SEP)$(INSTANCE_NAME)</FONT>. For <FONT face="courier new,courier">DIR_SEP</FONT> the kernel default value is hard-coded in the OS-specific SAP kernel; for Linux it is "<FONT face="courier new,courier">/</FONT>".<BR />Knowing this, we can note that even nested usage of variables is possible.<BR /><BR />Another example would be the kernel default values of the profile parameters <FONT face="courier new,courier">ES/SHM_SEG_SIZE</FONT> and <FONT face="courier new,courier">ES/SHM_MAX_PRIV_SEGS</FONT>. Both make use of variables. They are so-called formula parameters. 
Their values are determined using math functions:<BR /><FONT face="courier new,courier">ES/SHM_SEG_SIZE = ($(em/blocksize_KB)/1024 * (ceil(max($(ztta/max_memreq_MB) *2, $(abap/shared_objects_size_MB) + $(rsdb/tbi_buffer_area_MB) + 4*($(em/blocksize_KB)/1024)) / ($(em/blocksize_KB)/1024))))</FONT><BR /><BR />and show that calculated values can be used as variables for further calculations:<BR /><BR /><FONT face="courier new,courier">ES/SHM_MAX_PRIV_SEGS = (ceil(max($(ztta/roll_extension_dia), $(ztta/roll_extension_nondia)) / (1024*1024 * $(ES/SHM_SEG_SIZE))) + 1)</FONT></BLOCKQUOTE><P><BR />In fact, there are only <STRONG>very few</STRONG> profile parameters which <STRONG>must&nbsp;</STRONG>be set in the instance profile.</P><P>&nbsp;</P><BLOCKQUOTE><STRONG>Please note:&nbsp;</STRONG>The only deviation I came across is the <FONT face="courier new,courier">rdisp/wp_no_*</FONT> profile parameters, which need to be set explicitly in the instance profile to be recognized correctly by the "Operation Modes and Instances" editor of transaction <STRONG>RZ04</STRONG>. A warning is displayed if these profile parameters are not present in the instance profile. Even so, the values for these profile parameters would be correctly determined and used if they were defined in the default profile only.</BLOCKQUOTE><P><BR />Some parameters are flagged as system-wide when displayed in transaction <STRONG>RZ11</STRONG> and therefore should never be set in any instance profile.</P><P>&nbsp;</P><H2 id="toc-hId-601554980">Maintaining profile parameter values</H2><P>For maintaining profile parameter values, we basically have two possibilities.</P><P>1. Maintain the profile files at OS level using your preferred text editor.</P><BLOCKQUOTE><STRONG>Please note:</STRONG>&nbsp;If you maintain the profiles at OS level, you should import the profiles before displaying them in RZ10 to avoid inconsistencies.</BLOCKQUOTE><P>2. 
Log on to the system and use transaction RZ10.</P><BLOCKQUOTE><STRONG>Please note:</STRONG>&nbsp;In RZ10, the instance profile of the ASCS instance (<FONT face="courier new,courier">/usr/sap/&lt;SAPSID&gt;/SYS/profile/&lt;SAPSID&gt;_ASCS&lt;nn&gt;_&lt;hostname&gt;</FONT>) can be included after implementing SAP Note 2789094.</BLOCKQUOTE><P>&nbsp;</P><P>Profile parameter values become effective during system startup. Sometimes this is also referred to as the parameters becoming "activated".</P><P>&nbsp;</P><H2 id="toc-hId-405041475">Change profile parameter values at runtime (Dynamic Parameters)</H2><P>For some profile parameters it is possible to change their value at runtime. These parameters are known as "dynamic parameters". Changes to such dynamic parameters at runtime (aka "changes in productive operation") are reverted after a system restart.<BR /><BR />We can change profile parameters via the web methods offered by the SAP Instance Agent (aka SAP Start Service):<BR /><FONT face="courier new,courier">sapcontrol -nr &lt;Inst-No&gt; -function [SetProcessParameter|SetProcessParameter2]</FONT><BR /><BR />Within AS ABAP, changes at runtime can be performed using transaction <STRONG>RZ11</STRONG> or the function modules <STRONG>TH_CHANGE_PARAMETER</STRONG>&nbsp;or&nbsp;<STRONG>SPFL_PARAMETER_CHANGE_VALUE</STRONG>.</P><P>For the ICM, vector parameters like <FONT face="courier new,courier">icm/HTTP/logging_&lt;xx&gt;</FONT>&nbsp;can be changed using the function module <STRONG>ICM_SET_VECTOR_PARM</STRONG>. Some components like the ICM recognize dynamic parameter changes and perform a soft restart; others just use the new value for their next task execution.</P><P>&nbsp;</P><BLOCKQUOTE><STRONG>Please note:</STRONG> There are a few profile parameters which allow a change at runtime depending on their current value. This means we can change the value from 'a' to 'b' without a restart, but changing back from 'b' to 'a' would need a restart. 
This is for security reasons.</BLOCKQUOTE><P>Transaction <STRONG>RZ11</STRONG> provides a change history for dynamic changes performed since the last restart of the system. The link to the change history can be found below the "Current Value of Parameter" table, indicated by "Origin of Current Value: Dynamic Switch ( Change History )".</P><P><BR />As this link is only displayed if there have been changes since the last restart of the system, Frank Buchholz provided the report <STRONG>ZRSPFPAR_DYNAMIC_CD</STRONG>, which can be found on GitHub at <A title="Original URL: https://github.com/SAP-samples/security-services-tools Click to follow link." href="https://github.com/SAP-samples/security-services-tools" target="_blank" rel="noopener nofollow noreferrer">https://github.com/SAP-samples/security-services-tools</A>, to make all dynamic changes visible. Values different from the effective value are displayed in yellow, values identical to the effective value in green.</P><P style=" padding-left : 30px; "><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoeGoerlich_0-1715603934126.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/109579i82F7FD7C9AEB4BC4/image-size/medium?v=v2&amp;px=400" role="button" title="JoeGoerlich_0-1715603934126.png" alt="JoeGoerlich_0-1715603934126.png" /></span></P><BLOCKQUOTE><STRONG>Please note:</STRONG> As of <A href="https://me.sap.com/notes/2201397" target="_blank" rel="noopener noreferrer">SAP note 2201397</A>, only the last 10 dynamic changes are logged. 
If you want to see all changes, you have to search the syslog for the IDs Q19 and Q1A.</BLOCKQUOTE><P>&nbsp;</P> 2024-05-13T15:15:53.323000+02:00 https://community.sap.com/t5/financial-management-blogs-by-members/security-by-default-vs-security-by-design-2/ba-p/13706057 Security by Default vs Security by Design # 2 2024-05-19T09:56:24.460000+02:00 GRCwithRaghu https://community.sap.com/t5/user/viewprofilepage/user-id/600573 <P>In my previous article, I detailed the nuances of securing SAP systems and the debate surrounding <STRONG>Security by default</STRONG> and <STRONG>Security by design</STRONG>. Those who missed it can have a look at the blog post using this link.</P><P><A href="https://community.sap.com/t5/financial-management-blogs-by-members/security-by-default-vs-security-by-design/ba-p/13593897" target="_blank">https://community.sap.com/t5/financial-management-blogs-by-members/security-by-default-vs-security-by-design/ba-p/13593897</A></P><P>Now, let's further explore the imperative of adopting a "Security by design" approach within SAP environments. As mentioned, with cyber threats becoming increasingly sophisticated and pervasive, it is more critical than ever that organizations embed security considerations into every facet of their SAP solutions.</P><P><STRONG>The Evolution of Security by Design</STRONG></P><P><STRONG>Wait, I know what you have in mind! If Security by Design is important, why hasn't SAP included these features as standard?</STRONG></P><P>The concept of "Security by Design" has become increasingly vital for addressing the various requirements for stopping cyberattacks. The "Security by Design" approach emphasizes integrating additional security measures at all levels of software systems, not just in the foundation. 
However, despite its recognized importance, some may wonder why SAP hasn't made Security by Design a standard feature in its products.</P><P>The answer is simple!</P><P>SAP's focus is ERP, that is, automating and integrating various business functions, not core cybersecurity functions. However, SAP now offers various solutions, starting from the SAP GRC solution suite through to support for frameworks such as NIST. Here is how SAP is bringing its various solutions to meet the NIST Cybersecurity Framework:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_0-1716105064873.png" style="width: 682px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112698i11547A46552063D8/image-dimensions/682x349?v=v2" width="682" height="349" role="button" title="GRCwithRaghu_0-1716105064873.png" alt="GRCwithRaghu_0-1716105064873.png" /></span></P><P>Source: SAP</P><P>Before we understand how these solutions can be used, here are a few steps that you should implement. I am not covering this from a 7-layer perspective; security is the primary focus here, following the "Security by Design" approach. 
The broad layers to focus on are:</P><OL><LI>Environment</LI><LI>System</LI><LI>Application</LI><LI>Processes, and</LI><LI>Organization</LI></OL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_1-1716105168070.png" style="width: 668px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112699i83AABBE66EE9CDAA/image-dimensions/668x704?v=v2" width="668" height="704" role="button" title="GRCwithRaghu_1-1716105168070.png" alt="GRCwithRaghu_1-1716105168070.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_2-1716105212393.png" style="width: 670px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112700i011208F133D3F01E/image-dimensions/670x838?v=v2" width="670" height="838" role="button" title="GRCwithRaghu_2-1716105212393.png" alt="GRCwithRaghu_2-1716105212393.png" /></span></P><P>Security by design emphasizes proactive risk mitigation, empowering organizations to identify and address security vulnerabilities at the earliest stages. By conducting comprehensive risk assessments and threat modeling exercises, organizations can anticipate potential security threats and implement safeguards accordingly.</P><P>Additionally, relying solely on static security measures is insufficient for combating evolving cyber threats. Security by design advocates the implementation of adaptive defense mechanisms that can dynamically respond to emerging threats in real time. This includes leveraging machine learning (ML) algorithms and artificial intelligence (AI) to detect anomalous behavior and pre-emptively mitigate security risks.</P><P>In conclusion, the adoption of a security by design approach is indispensable for securing SAP environments in an increasingly volatile threat landscape. 
By integrating security considerations into every stage of the SAP development lifecycle, organizations can mitigate risks, enhance resilience, and safeguard critical assets from cyber threats. I will provide more detailed insights into each of these levels in my next article. Stay tuned!</P><P>&nbsp;</P> 2024-05-19T09:56:24.460000+02:00 https://community.sap.com/t5/financial-management-blogs-by-members/unlocking-the-power-of-rsusr-lock-users-report-in-sap/ba-p/13706854 Unlocking the Power of RSUSR_LOCK_USERS Report in SAP 2024-05-20T16:11:52.741000+02:00 GRCwithRaghu https://community.sap.com/t5/user/viewprofilepage/user-id/600573 <P>Are you finding it challenging to use EWZ5 for locking and unlocking users during upgrade activities? Have you discovered that this transaction code is now obsolete and are you relying on a custom program? If so, consider using the ABAP program <STRONG>RSUSR_LOCK_USERS</STRONG>.</P><P>This program simplifies the user locking and unlocking process, making it an invaluable tool for managing user accounts efficiently during system upgrades.</P><P><STRONG>Understanding RSUSR_LOCK_USERS</STRONG></P><P>RSUSR_LOCK_USERS is a simple yet effective program that is built on top of the RSUSR200 program. 
Here is the list of options available on the program screen:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_0-1716213232320.png" style="width: 536px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112958i2D7D8D6A7127A033/image-dimensions/536x720?v=v2" width="536" height="720" role="button" title="GRCwithRaghu_0-1716213232320.png" alt="GRCwithRaghu_0-1716213232320.png" /></span></P><P>As highlighted in the picture, the RSUSR_LOCK_USERS report offers the following sections:</P><P>&nbsp;</P><TABLE width="640px"><TBODY><TR><TD width="135.836px"><P><STRONG>Section</STRONG></P></TD><TD width="460.164px"><P><STRONG>What it offers</STRONG></P></TD></TR><TR><TD width="135.836px"><P>User Selection</P></TD><TD width="460.164px"><P>This section offers the following:</P><P><STRONG>User</STRONG> – Selection of specific users.</P><P><STRONG>Group for Authorization</STRONG> – Uses the SU01 user group assignments and picks users based on the group assignment.</P><P><STRONG>Security Policies</STRONG> – Uses the security policy assigned to the user in SU01.</P><P><STRONG>Days Since Last Logon</STRONG> – Specifies the number of days since the last logon (for example, if you wish to lock users who haven't logged on to the system in the last 90 days, enter the value 90).</P><P><STRONG>Days Since Password Change</STRONG> – Selects users based on the last password change.</P></TD></TR><TR><TD width="135.836px"><P>Selection by Validity of users</P></TD><TD width="460.164px"><P>Selection by validity of users can be filtered by today's validity or by a specific period.</P><P><STRONG>Today (current date)</STRONG> – This option checks specifically for valid and invalid users as of the current date.</P><UL><LI>Users Valid Today – Considers the users valid on the current date</LI><LI>Users Invalid Today – Considers the users invalid on the current date&nbsp;</LI></UL><P><STRONG>Validity Period </STRONG>– This option checks specifically for 
valid and invalid users over a specified period of time.</P><UL><LI>Users Valid &lt;From&gt; and &lt;To&gt; – Considers the users valid within the time period specified in the input.</LI><LI>Users Not Valid &lt;From&gt; and &lt;To&gt; – Considers the users invalid within the time period specified in the input.</LI></UL></TD></TR><TR><TD width="135.836px"><P>Selection by Locks</P></TD><TD width="460.164px"><P>This option filters users based on their lock status. Below are the lock criteria that can be considered. Selecting one of these options is mandatory (radio button selection).</P><UL><LI>Differentiation of Locks</LI><LI>All users with Administrator or Password Locks</LI><LI>Only Users without Locks</LI></UL><P><STRONG><EM>Differentiation of Locks</EM></STRONG></P><UL><LI><STRONG>User Locks (Administrator)</STRONG> – When the value "Set" is selected, the selection includes users who have been locked by the administrator, with lock statuses 32 and 64.</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_1-1716213376801.png" style="width: 465px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112959i931A644633DAACFC/image-dimensions/465x114?v=v2" width="465" height="114" role="button" title="GRCwithRaghu_1-1716213376801.png" alt="GRCwithRaghu_1-1716213376801.png" /></span></P><P><SPAN>When the value "Not Set" is selected, users who have been locked by the administrator (lock statuses 32 and 64) are excluded.</SPAN></P><P>&nbsp;</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_2-1716213376803.png" style="width: 479px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112960i2DDBAF33812CA456/image-dimensions/479x109?v=v2" width="479" height="109" role="button" title="GRCwithRaghu_2-1716213376803.png" alt="GRCwithRaghu_2-1716213376803.png" /></span><UL><LI><STRONG>Password Lock (Incorrect 
Logon)</STRONG> – When the value "Set" is selected, the selection includes users who have been locked due to incorrect logons (lock status 128); when the value "Not Set" is selected, those users are excluded.</LI><LI><STRONG><EM>All users with Administrator or Password Locks – </EM></STRONG>Includes all users who are either locked by the administrator (lock status 32 or 64) or have a password lock (lock status 128).</LI><LI><STRONG><EM>Only Users without Locks – </EM></STRONG>Includes users without any lock status (active users).</LI></UL></TD></TR><TR><TD width="135.836px"><P>Selection by Login attempts</P></TD><TD width="460.164px"><P>This section filters users based on their logon attempts to the SAP system. By default, all options are selected, and you can deselect a box to exclude it. Alternatively, all boxes can be unchecked if you do not wish to use this option.</P><P>&nbsp;</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_3-1716213376804.png" style="width: 457px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112961iF937FC96A2C4E234/image-dimensions/457x169?v=v2" width="457" height="169" role="button" title="GRCwithRaghu_3-1716213376804.png" alt="GRCwithRaghu_3-1716213376804.png" /></span><UL><LI>Users with Incorrect Logon Attempts – Considers users who have made incorrect logon attempts.</LI><LI>Users with no Incorrect Logon Attempts – Considers users who have not made any incorrect logon attempts.</LI><LI>Users Without Logon Date – Considers users without any logon date in SU01.</LI></UL></TD></TR><TR><TD width="135.836px"><P>Selection by User Type</P></TD><TD width="460.164px"><P>Selection by User Type filters users based on the user type defined in SU01. 
For example, you can lock only dialog users based on conditions specified within this program, such as users who have not logged on to the system for a specific period of time.</P><P>Below are the user types available under this criterion:</P><UL><LI>Dialog Users</LI><LI>Communication Users</LI><LI>System Users</LI><LI>Service Users</LI><LI>Reference Users</LI></UL><P>NOTE: By default, all options are selected, and you can deselect a box to exclude it. Alternatively, all boxes can be unchecked if you do not wish to use this option.</P></TD></TR><TR><TD width="135.836px"><P>Selection by status of password</P></TD><TD width="460.164px"><P>This section selects users based on the status of their password.</P><UL><LI>Users with Production Password – Users with a productive password</LI><LI>Users with Initial Password – Users who have never logged on to the SAP system after the initial password was set by the admin.</LI><LI>Users with Deactivated Password – Users whose password is deactivated</LI></UL><P>As with "Selection by Login attempts" and "Selection by User Type", all options are selected by default here as well, and you can deselect a box to exclude it.</P></TD></TR><TR><TD width="135.836px"><P>Activity selection</P></TD><TD width="460.164px"><P>Once all the selection criteria are defined according to your requirements, you can proceed to the Activity selection option to specify your actions. Based on the conditions specified above, the result can now be executed. 
Below are the actions that can be taken when you execute the program.</P><OL><LI><STRONG>Test Selection</STRONG> – Presents the list of users on the output screen according to the defined criteria, before any of the activities listed below are executed.</LI><LI><STRONG>Lock Users (Local Lock)</STRONG> – Locks the users locally</LI><LI><STRONG>Unlock Users (Local Lock)</STRONG> – Unlocks the users locally</LI><LI><STRONG>Set the End of the Validity Period to Today (Only for Valid Users)</STRONG> – The validity of the user ends with today's date</LI><LI><STRONG>Set the End of the Validity Period to Yesterday (Only for Valid Users)</STRONG> – The validity of the user ends with yesterday's date</LI></OL></TD></TR></TBODY></TABLE><P>As mentioned, RSUSR_LOCK_USERS aids compliance and audit processes by providing a clear record of user account status and actions taken. This ensures that the organization can demonstrate adherence to security policies and regulations.</P><P><STRONG>How to Use RSUSR_LOCK_USERS?</STRONG></P><P>&nbsp;</P><OL><LI>Execute transaction code SA38 or SE38.</LI><LI>Enter "RSUSR_LOCK_USERS" in the program field and execute the report.</LI><LI>Complete the required selections such as specific users, lock/unlock conditions, and date ranges.</LI><LI>Run the program to generate a list of users.</LI></OL><P>Consider the following condition for ending the validity of users as a reference. I have selected dialog users regardless of their password status (production, initial, or deactivated) and those who are already locked by the admin or due to a password lock. Additionally, I have chosen users without logon data under "Selection by Logon Attempts". Once users meeting the defined criteria are identified, their ID validity should be set to end with yesterday's date. 
</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_4-1716213879816.png" style="width: 542px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112964i1438C9BBEE2D5BF1/image-dimensions/542x584?v=v2" width="542" height="584" role="button" title="GRCwithRaghu_4-1716213879816.png" alt="GRCwithRaghu_4-1716213879816.png" /></span></P><P>After executing the program, the output displays the user IDs for which changes were made.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_5-1716213907899.png" style="width: 666px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112965iF0CE2F8C0F77C217/image-dimensions/666x223?v=v2" width="666" height="223" role="button" title="GRCwithRaghu_5-1716213907899.png" alt="GRCwithRaghu_5-1716213907899.png" /></span></P><P><STRONG>Result:</STRONG> According to the given criteria, user validity ends with yesterday's date. The program was executed on 20.05.2024, so the user validity is set to end on 19.05.2024.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_6-1716213932140.png" style="width: 668px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112967i82A71E94E2C6D398/image-dimensions/668x288?v=v2" width="668" height="288" role="button" title="GRCwithRaghu_6-1716213932140.png" alt="GRCwithRaghu_6-1716213932140.png" /></span></P><P>Additionally, the program can be scheduled to run at regular intervals, ensuring that administrators are always aware of any locked user accounts. Automation helps maintain continuous oversight without manual intervention.</P><P><STRONG>Steps to schedule the job in the background:</STRONG></P><P>To automate the locking, unlocking, and validity ending of users without manual intervention, you can schedule this job to run in the background. 
This enables the program to execute automatically at specified intervals, ensuring users are locked or unlocked according to predefined criteria. It is recommended to thoroughly test the program in a non-production environment before scheduling it in a production system, to ensure proper functionality and minimize potential disruptions. Follow the steps below to schedule the job in the background:</P><OL><LI>Execute transaction SE38, enter the program RSUSR_LOCK_USERS, and execute it.</LI><LI>Define the criteria for locking/unlocking or ending the validity of the user.</LI><LI>Click "Program" to schedule the job in the background, or press F9.</LI></OL><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_7-1716214002429.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112968i51C44D2AA328D622/image-size/medium?v=v2&amp;px=400" role="button" title="GRCwithRaghu_7-1716214002429.png" alt="GRCwithRaghu_7-1716214002429.png" /></span></P><P>&nbsp;</P><P>4. Specify the frequency at which the job should run and click Save.</P><P>When you have multiple criteria to schedule in the background, specify your criteria and press Ctrl+S to save them as a variant, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GRCwithRaghu_8-1716214093015.png" style="width: 667px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/112969iEF8ECE5D181C07D6/image-dimensions/667x214?v=v2" width="667" height="214" role="button" title="GRCwithRaghu_8-1716214093015.png" alt="GRCwithRaghu_8-1716214093015.png" /></span></P><P>After saving the variants, the job can be scheduled in the background via transaction code SM36.</P><P><STRONG>Conclusion</STRONG></P><P>The RSUSR_LOCK_USERS program is an indispensable tool for SAP administrators, providing critical insights and control over user account management. 
By effectively utilizing this program, organizations can enhance their security posture, ensure compliance with regulations, and maintain smooth operational workflows. Regular use and prompt action on the findings of the RSUSR_LOCK_USERS report will help in minimizing user access issues and reinforcing overall system security.</P> 2024-05-20T16:11:52.741000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/new-cio-guide-identity-lifecycle-in-sap-landscapes/ba-p/13720776 New CIO Guide: Identity Lifecycle in SAP Landscapes 2024-06-04T13:27:48.243000+02:00 Martina_Kirschenmann https://community.sap.com/t5/user/viewprofilepage/user-id/5013 <P>We just published our new, comprehensive CIO Guide: Identity Lifecycle in SAP Landscapes!</P><P><STRONG>This new CIO guide explores the SAP approach to identity and access management (IAM) in the context of the identity lifecycle. It explains how IAM software from SAP supports building successful system integrations in cloud and hybrid environments and includes diagrams and a reference architecture to illustrate the concepts. With SAP Cloud Identity Services and well-established IAM-related industry standards, SAP improves system integration and helps provide a seamless user experience while also improving security and compliance.</STRONG></P><P>The first version of this CIO guide was released in 2018 and quickly became one of the most popular documents in the SAP security community. Despite an update of the guide in 2021, a lot has changed again since then, so we decided to issue another update that builds on the proven format while adding new technical developments and strategic recommendations.</P><P>The most important change is that we have brought the capabilities of authentication, authorization, and provisioning together into one seamless solution, SAP Cloud Identity Services. 
At the same time, the Identity Directory service has assumed a much more prominent role as the backbone of IAM tools and processes.</P><P>The new guide explains the identity lifecycle and the SAP Cloud Identity Services strategy and explores the SAP offerings for each area. We also introduce a section on the reference architectures for IAM to provide you with an overview and comprehensive technical diagrams for the major IAM areas of authentication, identity lifecycle, and authorization.</P><P><A href="https://www.sap.com/documents/2018/05/38ce7d25-067d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="CIO Guide Identity Lifecycle in SAP Landscapes.png" style="width: 283px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/119193i67FFC4EEB104BA59/image-size/medium?v=v2&amp;px=400" role="button" title="CIO Guide Identity Lifecycle in SAP Landscapes.png" alt="CIO Guide Identity Lifecycle in SAP Landscapes.png" /></span></A></P><P style=" text-align: center; "><FONT size="5"><STRONG><A href="https://www.sap.com/documents/2018/05/38ce7d25-067d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">Read the new CIO guide!</A></STRONG></FONT></P><P>&nbsp;</P><P><SPAN>For more information about <STRONG>SAP Cloud Identity Services</STRONG> and to stay up to date on the latest developments, visit our topic page in SAP Community:</SPAN></P><P><A href="https://pages.community.sap.com/topics/cloud-identity-services" target="_blank" rel="noopener noreferrer"><STRONG>https://pages.community.sap.com/topics/cloud-identity-services</STRONG></A></P><P>&nbsp;</P> 2024-06-04T13:27:48.243000+02:00 
https://community.sap.com/t5/technology-blogs-by-sap/sap%E3%82%AF%E3%83%A9%E3%82%A6%E3%83%89%E3%82%B5%E3%83%BC%E3%83%93%E3%82%B9%E3%81%AB%E3%81%8A%E3%81%91%E3%82%8B%E5%80%8B%E4%BA%BA%E6%83%85%E5%A0%B1%E4%BF%9D%E8%AD%B7%E6%B3%95%E3%81%AE%E8%80%83%E3%81%88%E6%96%B9/ba-p/13735510 How to Think About the Act on the Protection of Personal Information in SAP Cloud Services 2024-06-19T17:08:57.395000+02:00 karai1 https://community.sap.com/t5/user/viewprofilepage/user-id/472646 <P>Companies considering the use of cloud services often ask us about the handling of personal information, and in particular whether it constitutes the provision of personal data to a third party. I believe the reason companies struggle with this question lies in the environment peculiar to cloud services. Unlike on-premises systems, a cloud service has the company upload its information and data to an environment that the cloud service provider manages and operates, where the data is processed and stored. This leads to a tendency to regard the cloud service provider as the party handling the personal information. As a result, the interpretation and application of the Act on the Protection of Personal Information (APPI) sometimes becomes a point of dispute between the companies using cloud services and the cloud service providers.</P><P>In this blog post, I would like to explain the handling of personal information in cloud services, which is often a point of discussion, on the premise that SAP cloud services are being used.</P><P>&nbsp;</P><P><STRONG><U>Personal Information and Personal Data</U></STRONG></P><P>Before explaining the handling of personal information in this blog, there are two terms I want to sort out: <U>personal information</U> and <U>personal data</U>. According to the Personal Information Protection Commission's <SPAN><A href="https://www.ppc.go.jp/all_faq_index/faq2-q2-3/" target="_blank" rel="noopener nofollow noreferrer">FAQ 2-3</A></SPAN>, personal information is information about a living individual, while personal data is personal information that has been systematically organized into a database so that specific personal information can easily be retrieved. Because personal data makes searching and referencing personal information easy, the APPI imposes more obligations on it.</P><P>A cloud service essentially turns the personal information a company uploads into personal data and processes that personal data according to the company's requirements. Therefore, what matters when considering the handling of personal information in cloud services is the handling of personal data. Here I consider where the cloud service provider stands under the APPI with respect to the handling of personal data. I also believe that understanding how the APPI treats personal data shows why its interpretation and application are debated.</P><P>&nbsp;</P><P><STRONG><U>The APPI and Cloud Services</U></STRONG></P><P>When personal information is handled in a cloud service, the point of the APPI whose interpretation and application is most often debated is Article 27, which states that personal data must not be provided to a third party.</P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN>Article 27: A business operator handling personal information shall not provide personal data to a third party without obtaining the prior consent of the data subject, except in the cases listed below.</P><P>&nbsp;</P><P>The question is whether the cloud service provider is such a third party. Article 27(5) and Article 27(5)(i) are useful references in making this determination.</P><P>&nbsp;</P><P>Article 27(5): In the following cases, the person receiving the personal data shall not be deemed a third party for the purposes of the preceding paragraphs.</P><P>Article 27(5)(i): Cases in which the personal data is provided as a result of the business operator handling personal information entrusting all or part of the handling of the personal data, within the scope necessary to achieve the purpose of use.</P><P>&nbsp;</P><P>According to Article 27(5) and Article 27(5)(i), whether the cloud service provider is a third party can be judged by whether the company using the cloud service has entrusted the handling of personal data to the provider. As for the meaning of "entrustment", the answer lies in the note to section <SPAN><A href="https://www.ppc.go.jp/personalinfo/legal/guidelines_tsusoku/#a3-4-4" target="_blank" rel="noopener nofollow noreferrer">3-4-4 Supervision of Entrusted Parties (Article 25)</A></SPAN> of the "Guidelines on the Act on the Protection of Personal Information (General Rules)". The note reads as follows.</P><P>&nbsp;</P><P>General Rules 3-4-4: (*1) "Entrusting the handling of personal data" means that a business operator handling personal information has another party handle personal data, regardless of the form or type of contract. Specifically, this envisages entrusting processing such as the input (including acquisition from the data subject), editing, analysis, and output of personal data.</P><P>&nbsp;</P><P>According to this note, entrustment means carrying out processing such as the input (including acquisition from the data subject), editing, analysis, and output of personal data. Let us consider each of the four processing activities named in General Rules 3-4-4 in the context of cloud services.</P><P>First, the input of personal data: the acquisition of personal data is essentially performed by the company using the cloud service, and the cloud service provider is not involved at all. Input therefore does not constitute entrustment.</P><P>Next, I want to consider editing, analysis, and output together. For these three, the cloud service merely supports the company using it in editing, analyzing, and outputting the input personal data in the form the company wants; it never does so on its own initiative. Since the cloud service provider does not carry out editing, analysis, or output as the acting party, these do not constitute entrustment either.</P><P>If the cloud service provider does not fall under the entrustment of personal data handling described in General Rules 3-4-4, then it does not meet the definition of a third party in Article 27, and passing personal data to the cloud service provider is not "provision" of personal data in the sense of the Act.</P><P>SAP does not perform the activities above in providing SAP cloud services, and SAP therefore takes the view that this does not constitute entrustment of personal data handling.</P><P>Note that this definition of entrustment is the key to why the interpretation and application of the APPI are debated, so when you are actually considering the use of a cloud service, I recommend confirming this point of entrustment carefully.</P><P>&nbsp;</P><P>Even though passing personal data to the cloud service provider does not constitute provision of personal data, the provider handles the personal data within an environment it operates and manages, and so it does have a responsibility to protect that personal data. This is also addressed in the Personal Information Protection Commission's <SPAN><A href="https://www.ppc.go.jp/all_faq_index/faq1-q7-53/" target="_blank" rel="noopener nofollow noreferrer">FAQ 7-53</A></SPAN>.</P><P>&nbsp;</P><P>FAQ 7-53 (excerpt): A case in which the cloud service provider is not to handle the personal data would be, for example, one in which the contract terms stipulate that the external provider will not handle the personal data stored on the server, and appropriate access control is in place.</P><P>&nbsp;</P><P>FAQ 7-53 provides a clearer guideline on the handling of personal information. SAP's contracts state that it processes customer data only in accordance with the customer's instructions. This, too, is why SAP takes the view that providing SAP cloud services does not constitute entrustment of personal data handling.</P><P>&nbsp;</P><P>If the cloud service provider is not to be regarded as entrusted with the handling of personal data, it is required to implement appropriate access control. In other words, it must build an environment in which it cannot physically or technically access the personal data stored in the cloud service, and it must state this in the contract terms. I will now explain what measures are actually in place.</P><P>&nbsp;</P><P><STRONG><U>Access Control to Protect Personal Information</U></STRONG></P><P>Personal data is one of the most sensitive kinds of information. A cloud service provider holding personal data therefore needs to implement solid access control. Below I introduce appropriate access controls for personal data, based on a subset of the controls SAP actually implements.</P><P>For details, see the following contractual document (in English).</P><P><A href="https://assets.cdn.sap.com/agreements/data-processing-agreements/tom/technical-and-organizational-measures-toms---sap-cloud-services-english-v8-2021.pdf" target="_blank" rel="noopener noreferrer">https://assets.cdn.sap.com/agreements/data-processing-agreements/tom/technical-and-organizational-measures-toms---sap-cloud-services-english-v8-2021.pdf</A></P><P>&nbsp;</P><P><STRONG>System access control</STRONG></P><P>・To strictly limit access to systems where personal information is stored and processed, access is permitted only to users holding multiple levels of authorization, and access rights are granted only after a strict review.</P><P>・Passwords used for access are governed by a policy that prohibits sharing them with others and requires proper management (regular password changes, complex passwords meeting the requirements, and so on), and password management is enforced by the system so that it is carried out properly.</P><P>・Firewalls separate SAP's network from the systems' network and also protect the systems from the public network, as a measure against unauthorized access.</P><P>・As a measure against system vulnerabilities, security patches are applied regularly and appropriately.</P><P><STRONG>Data access control</STRONG></P><P>・Access to personal information is restricted to those holding the right to use the system (the companies using the cloud service).</P><P>・Only when requested by the company using the cloud service (for example, for support), and with the permission of the company holding the right to use the system, may SAP grant access to SAP employees in accordance with the appropriate internal process.</P><P>・System servers are operated in secure server rooms, and the security measures protecting them are reviewed regularly.</P><P>・To check for deficiencies in data access, vulnerability assessments and penetration tests are carried out regularly.</P><P><STRONG>Data input control</STRONG></P><P>・Measures are in place so that it can be retrospectively verified and established whether personal information has been entered into, modified in, or deleted from SAP systems, and by whom.</P><P>・When SAP accesses the cloud service at the request of the company using it and with the permission of the company holding the right to use the system, a logging system records the work performed within the cloud service, to the extent technically possible.</P><P><STRONG>Separation of data</STRONG></P><P>・SAP uses the technical functions of the deployed software to achieve logical data separation, so that each company using the cloud service can access only its own data.</P><P>&nbsp;</P><P>As the above shows, SAP does not handle personal information in providing its cloud services, and it implements appropriate security control measures.</P><P>&nbsp;</P><P>Finally, the handling of personal information in cloud services may differ depending on the functions of the cloud service and the form of contract, and may also differ with the interpretation of the law. Companies considering adoption should therefore carry out their own review. In addition, the APPI is revised regularly, so I recommend confirming with your legal department at the time of adoption and periodically thereafter.</P> 2024-06-19T17:08:57.395000+02:00 https://community.sap.com/t5/technology-blogs-by-members/sap-authorization-audit-readiness-amp-critical-access-monitoring/ba-p/13741971 Sap Authorization Audit Readiness & Critical Access Monitoring!!! 
2024-06-26T07:12:42.494000+02:00 Shivkumar_B https://community.sap.com/t5/user/viewprofilepage/user-id/879151 <P>As SAP Authorization consultants, year on year we go through internal and external audits and provide evidence and clarifications for the samples requested.<BR />Where there has been a slippage in process or access assignments, we have to justify it, and failing to provide evidence leads to audit deficiencies.<BR />Auditors will leave no chance to find a process gap, like an eagle catching a fish that is just above the river <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>To avoid audit deficiencies, we need to have a detailed SOP (Standard Operating Process), follow it religiously, and document any exceptions.<BR />The most important aspect is to monitor critical authorization assignments monthly (suggested) or quarterly, to identify unwanted assignments and remediate them before the audit team notices.</P><P>I have outlined most of the critical authorization monitoring controls as follows.</P><H2 id="toc-hId-1018359265">1.&nbsp;&nbsp;&nbsp; Security Audit Parameters</H2><P>The table below lists generic audit parameters to be configured in Production systems; these are the most important with regard to audit controls. The values specified follow SAP best practices and may differ between organizations.</P><P>&nbsp;</P><TABLE width="299"><TBODY><TR><TD width="216"><P><STRONG>Password Parameters </STRONG></P></TD><TD width="83"><P><STRONG>Value</STRONG></P></TD></TR><TR><TD width="216"><P>login/min_password_lng</P></TD><TD width="83"><P>12</P></TD></TR><TR><TD width="216"><P>login/min_password_digits</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>login/min_password_lowercase</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>login/min_password_uppercase</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>login/min_password_specials</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>login/password_history_size</P></TD><TD width="83"><P>4</P></TD></TR><TR><TD width="216"><P><STRONG>Login and Session Parameters</STRONG></P></TD><TD width="83"><P>&nbsp;</P></TD></TR><TR><TD width="216"><P>login/failed_user_auto_unlock</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>login/fails_to_session_end</P></TD><TD width="83"><P>3</P></TD></TR><TR><TD width="216"><P>login/fails_to_user_lock</P></TD><TD width="83"><P>6</P></TD></TR><TR><TD width="216"><P>login/no_automatic_user_sapstar</P></TD><TD width="83"><P>1</P></TD></TR><TR><TD width="216"><P>rdisp/gui_auto_logout</P></TD><TD width="83"><P>1800</P></TD></TR><TR><TD width="216"><P>auth/object_disabling_active</P></TD><TD width="83"><P>N</P></TD></TR></TBODY></TABLE><H2 id="toc-hId-821845760">2.&nbsp;&nbsp;&nbsp; SAP Standard User Password and Active Status</H2><P>SAP standard users such as SAP*, DDIC, TMSADM, and SAPCPIC should have their initial passwords changed and should be kept locked in clients such as 000, 001, 066, and the Production client; in some cases TMSADM and DDIC are kept unlocked in the master clients.</P><P>To validate, execute Tcode <STRONG>RSUSR003</STRONG>.</P><H2 id="toc-hId-625332255">3.&nbsp;&nbsp;&nbsp; Critical Standard Profiles (SAP_ALL and SAP_NEW)</H2><P>The SAP standard critical authorization profiles SAP_ALL or SAP_NEW must not be assigned<BR />to any user in any client.<BR />To check, go to SUIM--&gt;Users by Complex Selection Criteria--&gt;Roles/Profiles--&gt;Profile Name SAP_ALL and SAP_NEW.</P><H2 id="toc-hId-428818750">4.&nbsp;&nbsp;&nbsp; Standard SAP Roles Assignment</H2><P>No user in the Production client should be assigned SAP standard roles, i.e. roles starting with SAP* or /*. 
To check, go to SUIM--&gt;Users by Complex Selection Criteria--&gt;Roles/Profile--&gt; SAP* or /*.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_0-1719312223537.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128493iB03DD6A17EB8B2C1/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_0-1719312223537.png" alt="shivakumarbalaiah_balaiah_0-1719312223537.png" /></span></P><P>&nbsp;</P><H3 id="toc-hId-361387964"><STRONG>5.&nbsp;&nbsp; Access to Create User Master</STRONG></H3><P>Access to create user master records in Production should be restricted to the Authorization team, since they need to create service and system users. Dialog user creation should go via the GRC system.<BR />To check: SUIM &gt; User by Complex Selection Criteria &gt; S_USER_GRP ACTVT = 01</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_1-1719310006480.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128452iC7CE2937AA91FB90/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_1-1719310006480.png" alt="shivakumarbalaiah_balaiah_1-1719310006480.png" /></span></P><P>&nbsp;</P><H3 id="toc-hId-164874459"><STRONG>6.&nbsp;&nbsp; Access to Change User Master</STRONG></H3><P>This access should be restricted to the Authorization team; no other user should be assigned it.</P><P>SUIM report &gt; User by Complex Selection Criteria &gt; S_USER_GRP ACTVT = 02 or 06</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_2-1719310049757.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128453i4367756EB14F62C5/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_2-1719310049757.png" 
alt="shivakumarbalaiah_balaiah_2-1719310049757.png" /></span></P><H3 id="toc-hId--31639046"><STRONG>7.&nbsp;&nbsp; Access to Unlock Users or Reset Password</STRONG></H3><P>In the ideal scenario, IT and business users log on to the Production system via SSO (Single Sign-On). There are exceptions that require password logon, such as IT admin users (Security &amp; Basis) and a few business users who need to connect third-party tools (for example, RF guns) using Production user credentials. All such exceptions should be documented in the SOP.</P><P>SUIM report &gt; User by Complex Selection Criteria &gt; S_USER_GRP ACTVT = 05</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_3-1719310084246.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128454i7596A47E761174FE/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_3-1719310084246.png" alt="shivakumarbalaiah_balaiah_3-1719310084246.png" /></span></P><H3 id="toc-hId--228152551"><STRONG>8.&nbsp;&nbsp; Access to Debug with Change</STRONG></H3><P>Debug-with-change access must not be assigned to any dialog user in Production; it should be part of an FF (Firefighter) user only.<BR />To check: SUIM report &gt; User by Complex Selection Criteria &gt; S_DEVELOP ACTVT = 02<BR />and OBJTYPE = DEBUG</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_4-1719310180390.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128455iE284630D38D48AAE/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_4-1719310180390.png" alt="shivakumarbalaiah_balaiah_4-1719310180390.png" /></span></P><H3 id="toc-hId--424666056"><STRONG>9.&nbsp;&nbsp; Access to Import Transports</STRONG></H3><P>Only the Basis/Release team should have import access in the Production system.<BR />SUIM &gt; User by 
Complex Selection Criteria &gt; S_CTS_ADM &gt; Value = IMPA or IMPS<BR />SUIM report &gt; User by Complex Selection Criteria &gt; S_TRANSPRT ACTVT = 60</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_5-1719310225520.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128456i46C747EA6D9DE6F2/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_5-1719310225520.png" alt="shivakumarbalaiah_balaiah_5-1719310225520.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_6-1719310232023.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128457iC3F4D8EB16500113/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_6-1719310232023.png" alt="shivakumarbalaiah_balaiah_6-1719310232023.png" /></span></P><H3 id="toc-hId--621179561"><STRONG>10.&nbsp;&nbsp; Execute Access for All Programs</STRONG></H3><P>No user in Production should be assigned execute access to all programs.</P><P>SUIM &gt; User by Complex Selection Criteria &gt; S_PROGRAM P_ACTION = SUBMIT &amp; P_GROUP = #*</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_7-1719310277177.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128459i79CFB0CA67A7C252/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_7-1719310277177.png" alt="shivakumarbalaiah_balaiah_7-1719310277177.png" /></span></P><H3 id="toc-hId--892924435"><STRONG><SPAN>11. Authorization Objects Added Manually or Changed in Roles</SPAN></STRONG></H3><P>All authorization objects in roles should be in Standard or Maintained status. Any exceptions should be documented. 
As per SAP best practice, no objects should be added manually; doing so has adverse effects during upgrades, since tcodes that depend on manually added objects not linked via SU24 will fail.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_1-1719312362019.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128494i4834043C752A6254/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_1-1719312362019.png" alt="shivakumarbalaiah_balaiah_1-1719312362019.png" /></span></P><P>&nbsp;</P><P><STRONG>12.&nbsp;Custom Tcodes Without Authorization Object Linkage in SU24</STRONG></P><P>Custom tcodes must be associated with authorization objects maintained in SU24.<BR />To check, extract all custom tcodes from SE16--&gt;TSTC--&gt;Z*.<BR />Next, use the tcodes from TSTC as selection input for table USOBT_C to check which tcodes have SU24 object mappings; any custom tcodes missing from the result must be added to SU24 with suitable authorization objects.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_9-1719310410508.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128462iBBDBE333180C94AE/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_9-1719310410508.png" alt="shivakumarbalaiah_balaiah_9-1719310410508.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_10-1719310416783.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128463iD73564DF26674DCA/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_10-1719310416783.png" alt="shivakumarbalaiah_balaiah_10-1719310416783.png" /></span></P><H3 id="toc-hId--1089437940"><STRONG>13.&nbsp;&nbsp; Administrator 
Access for All Batch Jobs</STRONG></H3><P>Batch administrator access (i.e. BTCADMIN = Y) should be restricted to the Basis team.<BR />SUIM report &gt; User by Complex Selection Criteria &gt; S_BTCH_ADM BTCADMIN = Y</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_11-1719310470116.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128464i52B6793FC6DA548A/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_11-1719310470116.png" alt="shivakumarbalaiah_balaiah_11-1719310470116.png" /></span></P><H3 id="toc-hId--1285951445"><STRONG>14.&nbsp;&nbsp; Access to Delete Batch Jobs</STRONG></H3><P>SUIM report &gt; User by Complex Selection Criteria &gt; S_BTCH_JOB JOBACTION = DELE</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_12-1719310502785.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128465iD81E44580045553B/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_12-1719310502785.png" alt="shivakumarbalaiah_balaiah_12-1719310502785.png" /></span></P><H3 id="toc-hId--1482464950"><STRONG><SPAN>15.&nbsp;Access to Delete Logs or Jobs in Batch Input Processing</SPAN></STRONG></H3><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_BDC_MONI BDCAKTI = REOG or DELE</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_13-1719310524675.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128466i3468FABD56D4DF96/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_13-1719310524675.png" alt="shivakumarbalaiah_balaiah_13-1719310524675.png" /></span></P><H3 id="toc-hId--1678978455"><STRONG><SPAN>16.&nbsp;Access to All Batch Input 
Processing Sessions</SPAN></STRONG></H3><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_BDC_MONI BDCGROUPID = #*</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_14-1719310542021.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128468iA64392A477C5C0CB/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_14-1719310542021.png" alt="shivakumarbalaiah_balaiah_14-1719310542021.png" /></span></P><H3 id="toc-hId--1875491960"><STRONG><SPAN>17. RFC Administration Access</SPAN></STRONG></H3><P>This access should be restricted to either the Basis team or the Batch Monitoring team.</P><P>SUIM report &gt;&nbsp;User by Complex Selection Criteria &gt; S_TCODE = SM59 and&nbsp;S_ADMI_FCD = NADM</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_15-1719310572661.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128469i134BFF6D7CE1B42E/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_15-1719310572661.png" alt="shivakumarbalaiah_balaiah_15-1719310572661.png" /></span></P><H3 id="toc-hId--2072005465"><STRONG><SPAN>18.&nbsp;Execute Access for All RFCs</SPAN></STRONG></H3><P>This access should not be assigned to any dialog user in the Production system. 
For batch job users too, assign only the RFC authorizations actually required, based on trace results, rather than full access.</P><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_RFC = #* (or S_RFC = "*")</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_16-1719310592744.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128470i6B4157DBF4FEAC51/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_16-1719310592744.png" alt="shivakumarbalaiah_balaiah_16-1719310592744.png" /></span></P><H3 id="toc-hId-2026448326"><STRONG><SPAN>19. Change Access for All Tables</SPAN></STRONG></H3><P>SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_DIS ACTVT = 02 and DICBERCLS = #*<BR />SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_NAM ACTVT = 02 and TABLE = #*</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_17-1719310618145.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128471iE654450247120FA8/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_17-1719310618145.png" alt="shivakumarbalaiah_balaiah_17-1719310618145.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_18-1719310644625.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128472i2E20BA66E2AE1F94/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_18-1719310644625.png" alt="shivakumarbalaiah_balaiah_18-1719310644625.png" /></span></P><H3 id="toc-hId-1829934821"><STRONG><SPAN>20. 
Display Access for All Tables</SPAN></STRONG></H3><P>You may be wondering why display access is critical: a business user with display access to all tables can view business-critical information, which can lead to business loss or an audit deficiency.</P><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_DIS ACTVT = 03 and&nbsp;DICBERCLS = #*</SPAN></P><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_NAM ACTVT = 03 and&nbsp;TABLE = #*</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_19-1719310675075.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128473i391A999D04DE14E2/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_19-1719310675075.png" alt="shivakumarbalaiah_balaiah_19-1719310675075.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_20-1719310682089.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128474i062238A3FEB70A4F/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_20-1719310682089.png" alt="shivakumarbalaiah_balaiah_20-1719310682089.png" /></span></P><H3 id="toc-hId-1633421316"><STRONG><SPAN>21.&nbsp;Access to Modify Client Settings</SPAN></STRONG></H3><P>SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_DIS ACTVT = 02 and&nbsp;DICBERCLS = SS<BR />SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_NAM ACTVT = 02 and TABLE = T000</P><P>Note: authorization group SS contains security-relevant tables and hence should be assigned to the IT team only.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_21-1719310709720.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/128475i63DF4F8CFA3A0D97/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_21-1719310709720.png" alt="shivakumarbalaiah_balaiah_21-1719310709720.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_22-1719310717706.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128476i24F14384D1259910/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_22-1719310717706.png" alt="shivakumarbalaiah_balaiah_22-1719310717706.png" /></span></P><H3 id="toc-hId-1605091502"><STRONG><SPAN>22. Access to Tables Not Mapped to Authorization Groups</SPAN></STRONG></H3><P><SPAN>Tables, both standard and custom, that are not mapped to a specific authorization group are automatically assigned to the <STRONG>&amp;NC&amp;</STRONG> group. We need to make sure no user has change access to group &amp;NC&amp; in Production.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_23-1719310743149.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128477iA45596C892572CE7/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_23-1719310743149.png" alt="shivakumarbalaiah_balaiah_23-1719310743149.png" /></span></P><H3 id="toc-hId-1408577997"><STRONG><SPAN>23. 
Access to Maintain Cross-Client Tables</SPAN></STRONG></H3><P><SPAN>SUIM report &gt; User by Complex Selection Criteria &gt; S_TABU_CLI&nbsp;CLIIDMAINT = X</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shivakumarbalaiah_balaiah_24-1719310773700.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/128478iEAD18659B1E5F077/image-size/medium?v=v2&amp;px=400" role="button" title="shivakumarbalaiah_balaiah_24-1719310773700.png" alt="shivakumarbalaiah_balaiah_24-1719310773700.png" /></span></P><P>&nbsp;</P><P><STRONG>Conclusion</STRONG>:</P><P>Frequent monitoring of the above critical access assignments will help you be prepared for an audit on any day, as well as for IT HPA (High Privilege Access) reviews, making sure only the relevant IT users are assigned privileged access.</P><P>&nbsp;</P><P>Regards</P><P>Shivkumar</P><P>&nbsp;</P> 2024-06-26T07:12:42.494000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/update-on-the-sap-identity-management-migration-to-microsoft-entra/ba-p/13742820 Update on the SAP Identity Management migration to Microsoft Entra 2024-06-26T18:13:52.119000+02:00 MichaelFr https://community.sap.com/t5/user/viewprofilepage/user-id/77947 <P><SPAN>In my last blog, <A href="https://community.sap.com/t5/technology-blogs-by-sap/preparing-for-sap-identity-management-s-end-of-maintenance-in-2027/ba-p/13596101" target="_blank">Preparing for SAP Identity Management’s End-of-Maintenance in 2027</A>, I explained what SAP Identity Management customers should consider as they prepare for a new identity lifecycle management set-up. </SPAN></P><P><SPAN>Our collaboration with Microsoft is progressing. The focus is on developing guidance that will enable customers to migrate their identity management scenarios from SAP Identity Management to Microsoft Entra ID. 
Teams on both sides are closely aligned and working on migration guidelines as well as enhancements of the respective products and services. Together with the German-speaking SAP user group DSAG and several front-runner customers, we are working on best practice guides for a successful migration. &nbsp;</SPAN></P><P><SPAN>Microsoft recently published the first migration guideline in its Tech Community: <A href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/sap-identity-management-to-microsoft-entra-id-migration-guidance/ba-p/2520428" target="_blank" rel="nofollow noopener noreferrer">SAP Identity Management to Microsoft Entra ID</A> Migration Guidance Now Available. SAP customers who are using SAP Identity Management for cloud and on-premises applications like SAP SuccessFactors, SAP Cloud Identity Services, or Windows Server Active Directory can begin to use Microsoft Entra features such as Conditional Access to enforce Zero Trust access policies, and automatic provisioning that ensures users have the accounts they need for their job role. The guide offers detailed migration guidance for each SAP IDM scenario. </SPAN></P><P><SPAN>For SAP Identity Management customers who want more guidance on advanced IAM integration scenarios, such as Microsoft Entra ID Governance and the integration with SAP Cloud Identity Access Governance or external IDs, additional in-depth guidance for many areas will be published later this year.&nbsp;&nbsp;</SPAN></P><P><SPAN>In addition, SAP just published the latest version of the <A href="https://www.sap.com/documents/2018/05/38ce7d25-067d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">CIO Guide: Identity Lifecycle in SAP Landscapes</A>. This guide explains how identity and access management software from SAP supports building successful system integrations in cloud and hybrid environments. 
</SPAN></P> 2024-06-26T18:13:52.119000+02:00 https://community.sap.com/t5/human-capital-management-blogs-by-members/vendor-creation-error-after-security-hardening-updates-to-the-system/ba-p/13744230 Vendor creation error after security hardening updates to the system 2024-06-28T16:04:35.970000+02:00 DipakGhorpade https://community.sap.com/t5/user/viewprofilepage/user-id/1477771 <P>Hi,</P><P>We had a security hardening session done in our ECC system by the SAP Basis team. As it was related to security hardening, we were not much worried from a vendor creation/update process perspective. The assumption was: how was security hardening going to impact the process? And we were unpleasantly surprised when we tested in the QA environment.</P><P><STRONG>Initial Analysis</STRONG></P><P>We noticed that the vendor update programs were going into error. There are certain programs that convert employee records to vendors. These were the first to go into error.</P><P>The error was as below.</P><P>“File ‘Filename’ is not in directory area ‘File path’.”</P><P><STRONG>Why did the errors start?</STRONG></P><P>As part of the security guidelines released by SAP in 2021, logical paths and file names are to be used to protect access to the file system. This is part of a feature which was already present before the upgrade, but it was backward compatible and was INACTIVE by DEFAULT. To activate it, we need to maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To add the aliases for the view V_FILEALIA, we can use transaction SM31.</P><P>So that security issues due to directory traversal are avoided, it is not possible to specify the target file system for the download directly in the syntax of the operating system. 
Instead you define one or more target directories as “logical files” and specify them in the configuration of the ABAP download service (see Maintaining Execution Parameters).</P><P><STRONG>What was the configuration at the vendor master that was failing?</STRONG><BR />The vendor master update program RPRAPA00 uses the path “/interface/&lt;SYS ID&gt;/&lt;A FILE NAME&gt;” to update some vendor details in a named file, in a file path defined on the selection screen. This file path is set on the screen via variants.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DipakGhorpade_0-1719417155753.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/129072iAAD7060DD1FD1185/image-size/medium?v=v2&amp;px=400" role="button" title="DipakGhorpade_0-1719417155753.png" alt="DipakGhorpade_0-1719417155753.png" /></span></P><P>Access to this path was no longer allowed directly unless it was configured the way the system expects.</P><P>The steps to maintain the configuration are as below.</P><OL><LI>Definition of the logical path name<BR />A logical path name is a platform-independent file path. It is assigned to a logical file name.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DipakGhorpade_1-1719417155758.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/129074i9310B7C8746D08C8/image-size/medium?v=v2&amp;px=400" role="button" title="DipakGhorpade_1-1719417155758.png" alt="DipakGhorpade_1-1719417155758.png" /></span></LI><LI>Definition of the logical file name<BR /><BR />A logical file name is a platform-independent name given to a file in the file system. At runtime, the logical file name is converted by the FILE_GET_NAME function module to a platform-specific path and file name. It is assigned a logical path. 
In programs, the logical file name is usually used to access the physical path.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DipakGhorpade_2-1719417155761.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/129073iC8D05267820E8667/image-size/medium?v=v2&amp;px=400" role="button" title="DipakGhorpade_2-1719417155761.png" alt="DipakGhorpade_2-1719417155761.png" /></span></LI><LI>Assignment of the logical file name to the physical path</LI></OL><P>The physical path is assigned to the logical path at the system-dependent syntax group (OS) level.<BR />A logical path is mapped to a physical path as below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DipakGhorpade_3-1719417155764.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/129076iDC6C5B5C95FCA6C3/image-size/medium?v=v2&amp;px=400" role="button" title="DipakGhorpade_3-1719417155764.png" alt="DipakGhorpade_3-1719417155764.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DipakGhorpade_4-1719417155767.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/129075i233E36E1FC4A370F/image-size/medium?v=v2&amp;px=400" role="button" title="DipakGhorpade_4-1719417155767.png" alt="DipakGhorpade_4-1719417155767.png" /></span></P><P>Thus, the vendor programs that access the location “/interface/&lt;SYS ID&gt;/&lt;FILE NAME&gt;” to update vendor records in a named file in the file system were pointed to the correct file again.</P> 2024-06-28T16:04:35.970000+02:00 https://community.sap.com/t5/technology-blogs-by-members/safeguarding-enterprise-personal-and-financial-data-in-sap-hana-with-ibm/ba-p/13747421 Safeguarding Enterprise Personal and Financial Data in SAP HANA with IBM 
Security Guardium 2024-07-01T11:41:50.926000+02:00 TusharTrivedi https://community.sap.com/t5/user/viewprofilepage/user-id/150726 <P><STRONG><U>Introduction</U></STRONG></P><P>In the modern digital world, protecting sensitive business data is more important than ever. SAP HANA Cloud databases, known for their high performance and advanced analytics, are essential to many organisations' operations. However, the huge amounts of personal and financial data they handle make them potential targets for cyber-attacks. Implementing advanced security measures is critical for protecting these datasets from possible breaches.</P><P>This blog explains how IBM Security Guardium adds a further level of protection to SAP HANA Cloud databases. By leveraging Guardium's complete capabilities, you can ensure that enterprise personal and financial data is secure and meets regulatory standards. Learn how this powerful combination can improve your data security strategy and safeguard your company's most precious assets.</P><P><STRONG><U>Importance of Data Classification and Identification for Data Security</U></STRONG></P><P>Identifying and classifying data is crucial for maintaining data security and ensuring compliance with regulatory standards. It helps in understanding the sensitivity and value of data, enabling organisations to implement appropriate security measures. Proper classification helps protect sensitive information from unauthorised access and potential breaches, while also facilitating efficient data management and retrieval.</P><P><STRONG><U>About this blog</U></STRONG></P><P>In this blog, IBM Guardium is used to discover sensitive data within an SAP HANA DB. By scanning the database, Guardium identifies and classifies sensitive information, such as personal data, financial records, and intellectual property. Once discovered, this data is added to specific groups of fields or objects for continuous observation. 
This grouping facilitates targeted monitoring and protection, ensuring that sensitive data is safeguarded against unauthorised access and potential breaches. Guardium's scanning and classification capabilities help maintain data security and compliance with regulatory standards for data protection in SAP HANA environments.</P><P><STRONG><U>Prerequisites</U></STRONG></P><UL><LI>SAP BTP Account with access to SAP HANA Cloud Database</LI><LI>IBM Security Guardium</LI></UL><P><STRONG><U>Architecture</U></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 1.png" style="width: 689px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130662i1C96C12985D06E76/image-dimensions/689x349?v=v2" width="689" height="349" role="button" title="Picture 1.png" alt="Picture 1.png" /></span></P><P>SAP HANA Cloud, a cloud-based version of the SAP HANA database, offers a multi-model platform for storing and processing diverse data. It integrates with SAP S/4HANA, the latest ERP suite, and SAP Business Technology Platform for application development. SAP HANA itself has a comprehensive set of security measures to ensure data safety. Additionally, security is further enhanced through IBM Security Guardium, which scans the SAP HANA Cloud DB to identify and classify sensitive data such as personal and financial details. This data classification enables administrators to keep an eye on specific table fields and helps them formulate further business strategies, such as data masking or data hiding in the database for security purposes. 
Hence, this architecture positions SAP HANA Cloud as a secure and strong foundation for building versatile cloud-based enterprise applications.</P><P><STRONG><U>Steps for integration</U></STRONG></P><P>Log in to Guardium, and you will be directed to the home page as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 2.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130664iAB8A19939626826C/image-size/large?v=v2&amp;px=999" role="button" title="Picture 2.png" alt="Picture 2.png" /></span></P><P>Go to the Discover button on the left-hand panel, open the "Classification" dropdown, and select "Datasource Definitions" as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 3.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130667iD49CB48E29B87678/image-size/large?v=v2&amp;px=999" role="button" title="Picture 3.png" alt="Picture 3.png" /></span></P><P>Click the "New" button, as highlighted below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 4.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130668i54D07CD8604D1017/image-size/large?v=v2&amp;px=999" role="button" title="Picture 4.png" alt="Picture 4.png" /></span></P><P>Enter details such as application type, name, database type and other details in the pop-up screen as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 5.png" style="width: 442px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130669i0602A952203E4773/image-size/large?v=v2&amp;px=999" role="button" title="Picture 5.png" alt="Picture 5.png" /></span></P><P>Please keep in mind that the username and password for the SAP HANA Cloud database must be entered here.</P><P><STRONG>Disclaimer</STRONG>: SAP 
does not recommend that customers use the DBADMIN user for daily tasks. Please note that the DBADMIN user is used here only for demonstration purposes. Refer to <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/deactivate-dbadmin-user?locale=en-US" target="_blank" rel="noopener noreferrer">SAP User Management</A>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 6.png" style="width: 444px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130670iEC3E404D83630A1C/image-dimensions/444x115?v=v2" width="444" height="115" role="button" title="Picture 6.png" alt="Picture 6.png" /></span></P><P>To obtain the host name/IP address and port number, log in to your SAP BTP account and click the space for which you want to integrate Guardium with the SAP HANA Cloud DB.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 7.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130671i9D3C2C59C2B62B14/image-size/large?v=v2&amp;px=999" role="button" title="Picture 7.png" alt="Picture 7.png" /></span></P><P><STRONG>Disclaimer</STRONG>: For enhanced security, SAP recommends that customers adhere to user connect restriction policies. More details on these policies can be found here: <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/connect-restrictions?locale=en-US" target="_blank" rel="noopener noreferrer">SAP HANA Cloud Database Security Guide - Connect Restrictions</A>. 
This is an important feature that customers should utilise.</P><P>Select "SAP HANA Cloud" as indicated below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 8.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130672iE682F6EE74DE120F/image-size/large?v=v2&amp;px=999" role="button" title="Picture 8.png" alt="Picture 8.png" /></span></P><P>Now, click "Actions" and choose "Copy SQL Endpoint".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 9.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130673i214DCD76F58479AD/image-size/large?v=v2&amp;px=999" role="button" title="Picture 9.png" alt="Picture 9.png" /></span></P><P>Securing public endpoints is a significant concern for customers. It is relevant to note that SAP HANA Cloud will support these endpoints in the near future.</P><OL><LI>Product Vision roadmap entry for all Platform-as-a-Service (PaaS) support across hyperscalers: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=000D3ABE772D1EEC91BFC1E05F384551" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI><LI>2023-Q4 support for AWS Private Link (PL) connections to HC HDB SQL Endpoints: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=C10D295AC83C1EDF86C20D403AA10584" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI><LI>2023-Q4 support for AWS PL connections to both HDLRE SQL Endpoints and HDLFS REST Endpoints: <A href="https://roadmaps.sap.com/board?PRODUCT=73554900100800002881&amp;range=CURRENT-LAST#;INNO=C10D295AC83C1EDF86C20D403AA10584" target="_blank" rel="noopener noreferrer">SAP Roadmap</A></LI></OL><P>Paste the copied SQL endpoint to obtain the hostname/IP, as shown below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="Picture 10.png" style="width: 630px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130674iD9FAB81BA3B2D710/image-dimensions/630x26?v=v2" width="630" height="26" role="button" title="Picture 10.png" alt="Picture 10.png" /></span></P><P>The port number is taken from the same endpoint and displayed as follows:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 11.png" style="width: 631px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130678i3AC54F4683FEF2A1/image-dimensions/631x26?v=v2" width="631" height="26" role="button" title="Picture 11.png" alt="Picture 11.png" /></span></P><P>To check the status of your connection, click the "Test Connection" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 12.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130682i0581D27DA2AA98DE/image-size/large?v=v2&amp;px=999" role="button" title="Picture 12.png" alt="Picture 12.png" /></span></P><P>The SAP HANA Cloud database setup is now complete. You can see the details as follows:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 13.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130684iD75680459DE5B3DD/image-size/large?v=v2&amp;px=999" role="button" title="Picture 13.png" alt="Picture 13.png" /></span></P><P>Click the Discover button on the left-hand panel, then open the drop-down menu by clicking "Classification" and select "Discover Sensitive Data". 
Refer to the image below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 14.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130683i3DE015F555D3B3A6/image-size/large?v=v2&amp;px=999" role="button" title="Picture 14.png" alt="Picture 14.png" /></span></P><P>On the following screen, select "PII [template]". Check the information as recommended below, then click "Roles" to assign them, and then click the "Next" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 15.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130688iED3260CCC409BF09/image-size/large?v=v2&amp;px=999" role="button" title="Picture 15.png" alt="Picture 15.png" /></span></P><P>Select the check box for the template pattern you wish to include (for example, birth date, city), click the "Copy" button as displayed below, and then click the “Next” button:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 16.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130689i9CD55164881781D0/image-size/large?v=v2&amp;px=999" role="button" title="Picture 16.png" alt="Picture 16.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 17.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130690i305124B397AC2A17/image-size/large?v=v2&amp;px=999" role="button" title="Picture 17.png" alt="Picture 17.png" /></span></P><P>Once we've completed "What to discover," we go on to "Where to search", choose the integrated SAP HANA Cloud database, and click “Next”.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 18.png" style="width: 912px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/130691i167A0F76D3C81CED/image-size/large?v=v2&amp;px=999" role="button" title="Picture 18.png" alt="Picture 18.png" /></span></P><P>"Run discovery" is a convenience feature that allows you to run the classification and check its status. Click "Next".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 19.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130692i60ED4C391EB54056/image-size/large?v=v2&amp;px=999" role="button" title="Picture 19.png" alt="Picture 19.png" /></span></P><P>We are now in the "Review report" stage, where we select a list of fields, select "Add to Group of Object/Field" from the "Add to Group" drop-down, and click the “Next” button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 20.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130693iEAC9C79EC6FDEB15/image-size/large?v=v2&amp;px=999" role="button" title="Picture 20.png" alt="Picture 20.png" /></span></P><P>Select the group “SAP Sensitive Data” and click the “OK” button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130694iB4245B77518DE8C4/image-size/large?v=v2&amp;px=999" role="button" title="Picture 21.png" alt="Picture 21.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 21.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130695iB011F44C167A0058/image-size/large?v=v2&amp;px=999" role="button" title="Picture 21.png" alt="Picture 21.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 
22.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130696iD2FFF1217B180AA1/image-size/large?v=v2&amp;px=999" role="button" title="Picture 22.png" alt="Picture 22.png" /></span></P><P><STRONG><U>Let’s Test</U></STRONG></P><P>Click the "Setup" button on the left-hand panel and choose "Group Builder" from the "Tools and Views" drop-down list.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 23.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130697i13E4480B5D6A5C6E/image-size/large?v=v2&amp;px=999" role="button" title="Picture 23.png" alt="Picture 23.png" /></span></P><P>Select "Object/Field" from the "Action" drop-down, then select "SAP Sensitive Data" from the list. Click the "Edit" button.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 24.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130698iBB7B007EC8767CE0/image-size/large?v=v2&amp;px=999" role="button" title="Picture 24.png" alt="Picture 24.png" /></span></P><P>In the pop-up screen, select "Members".</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 25.png" style="width: 912px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130703iB791CE4DE6419F3B/image-size/large?v=v2&amp;px=999" role="button" title="Picture 25.png" alt="Picture 25.png" /></span></P><P>You will be able to see the relevant personal and financial tables and fields from the SAP HANA Cloud database.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture 26.png" style="width: 908px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/130704i147988AFC8510852/image-size/large?v=v2&amp;px=999" role="button" title="Picture 26.png" alt="Picture 26.png" /></span></P><P>Now that you have identified and categorised the sensitive 
data in your HANA database, IBM Security Guardium can further help to improve data security by adopting specialised security measures, such as:</P><P>- Adding encryption or access controls to safeguard important data from unauthorised access and breaches</P><P>- Masking or blocking data access requests that violate regulations or policies</P><P>- Configuring alerts for unauthorised access attempts; for example, if someone from a non-finance department tries to access financial data, an alert can be triggered.</P><P>In general, classifying data based on its sensitivity in the first place increases visibility and in turn helps to comply with regulatory obligations (e.g. by generating detailed reports for audits), prevent data loss, and reduce risks associated with data misuse. These features ensure that data handling procedures are consistent with organisational rules and legal standards, hence improving overall data security.</P><P><STRONG><U>Conclusion</U></STRONG></P><P>Securing SAP HANA Cloud databases is critical for safeguarding company personal and financial information from evolving cyber threats. SAP HANA Cloud offers a robust set of security features. More information on these security measures can be found in the <A href="https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-security-guide/connect-restrictions?locale=en-US" target="_blank" rel="noopener noreferrer">SAP HANA Cloud Security Guide</A>.</P><P>IBM Security Guardium complements the existing security capabilities of SAP HANA Cloud by providing additional data protection, continuous monitoring, and compliance features. This enhancement can be particularly valuable for customers seeking extra layers of security or specific functionalities that they feel are necessary.</P><P>Investing in advanced security measures like IBM Security Guardium not only protects essential data but also demonstrates your company's strong commitment to data privacy and compliance. 
As cyber threats become more sophisticated, leveraging IBM Security Guardium in conjunction with SAP HANA Cloud's comprehensive security offerings is a proactive step toward strengthening your database's security posture and ensuring the integrity and safety of your company data.</P><P>IBM Security Guardium provides enterprise data protection for a variety of databases and data sources, and with the HANA integration it incorporates SAP HANA into a corporate-wide data security concept.</P><P><STRONG><U>More Information</U></STRONG></P><P>If you have any questions or queries about SAP NetWeaver, please refer to the <A href="https://community.sap.com/" target="_blank">SAP Community</A>, and for any questions or queries about IBM Security Guardium, refer to the <A href="https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=aa1a6549-4b51-421a-9c67-6dd41e65ef85" target="_blank" rel="noopener nofollow noreferrer">IBM Security Guardium Community</A>.</P> 2024-07-01T11:41:50.926000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/%E3%82%AF%E3%83%A9%E3%82%A6%E3%83%89%E3%82%B5%E3%83%BC%E3%83%93%E3%82%B9%E3%81%AE%E7%81%BD%E5%AE%B3%E5%BE%A9%E6%97%A7%E5%AF%BE%E5%BF%9C%E3%81%A8%E3%81%AF/ba-p/13750438 What is disaster recovery for cloud services? 
2024-07-04T13:37:56.721000+02:00 ShinyaMurakami https://community.sap.com/t5/user/viewprofilepage/user-id/155856 <P>Recovering IT services as quickly as possible from outages caused by disaster incidents (typhoons, floods, fires, earthquakes, and so on), human-caused incidents (misconfiguration, sabotage, deliberate security events by third parties, and so on), and environmental incidents (equipment failure, software errors, loss of communication networks, power outages, and so on) is important for limiting the losses and damage a company suffers. With on-premises systems, the company operates and manages the IT systems itself, so, although cost trade-offs are necessary, it can to some extent draw up the recovery plan it wants. With cloud services, however, the cloud service provider is responsible for operating and managing the system, so it can be difficult for the company to draw up the recovery plan it wants. Companies that use cloud services therefore need to understand the disaster recovery of the cloud services they use.<BR />This blog explains the points you need to understand about disaster recovery for cloud services.</P><P><STRONG><U>Key elements of disaster recovery</U></STRONG><BR />Disaster recovery aims to quickly restore IT services to the same state as before the incident occurred. Two elements are essential to achieving that aim. These elements are also important for companies that use cloud services, so we recommend confirming them.</P><P style=" padding-left : 30px; "><U>・Recovery Time Objective (RTO)</U><BR />The RTO is the time required for the cloud service offered by the cloud service provider to be restored. By knowing the RTO, cloud service users can plan in advance for resuming their business, and can also prepare countermeasures and responses to cover the period until recovery.<BR />Also, if the cloud service provider fails to meet the RTO it states, this has a major impact on cloud service users. The cloud service provider must draw up a disaster recovery plan, put in place an organisation capable of rapid recovery in accordance with it, and also make provisions such as redundancy of the IT systems.</P><P style=" padding-left : 30px; "><U>・Recovery Point Objective (RPO)</U><BR />The RPO is an indicator of the amount of data that is lost when an incident occurs and the cloud service stops. For example, if the RPO is one hour, cloud service users lose at most the data from the hour before the time the incident occurred. To keep data loss as small as possible, a shorter RPO is desirable, and for that the backup frequency is important. If backups could be taken in real time, the RPO would theoretically be zero and no data loss would occur. However, with complex processing or large data volumes, it can be difficult to take backups in real time. Cloud service users therefore also need to accept the RPO with an understanding of the characteristics and performance of the cloud service.</P><P>In disaster recovery, the RTO and RPO are important indicators. Knowing these two elements lets you prepare countermeasures and responses for an incident in advance. These elements may also change as a result of revisions to the cloud service provider's disaster recovery plan or changes to its IT systems, so we recommend that companies using cloud services check them periodically after adoption.</P><P><STRONG><U>Disaster recovery plan</U></STRONG><BR />The cloud service provider decides the target values for the RTO and RPO described above based on its disaster recovery plan. The cloud service provider therefore needs to create the disaster recovery plan that is optimal for its cloud service. This disaster recovery plan basically consists of three elements: creating the plan, implementing it, and ongoing maintenance and testing. These three elements are explained below.</P><P style=" padding-left : 30px; "><U>・Creating the plan</U><BR />Creating a disaster recovery plan involves several important components. The main components are as follows.</P><P 
style=" padding-left : 60px; ">・Definition and policy of the disaster recovery plan:<BR />To make clear which cloud services, processes, functions, and so on the plan covers, a policy that defines the purpose, scope, and objectives of the disaster recovery plan must be decided. It is also important that the policy includes a commitment from the cloud service provider's management.</P><P style=" padding-left : 60px; ">・Roles and responsibilities:<BR />To carry out the defined policy smoothly, the necessary team is formed and the required roles and responsibilities are defined. The team responsible for disaster recovery also opens communication channels with the companies that use the cloud service.</P><P style=" padding-left : 60px; ">・Criticality assessment and business impact analysis:<BR />The processes and systems indispensable for providing the cloud service, and the resource requirements needed to provide it stably, are identified and ranked by criticality. A business impact analysis is then carried out on those indispensable processes, systems, and resources, and based on the results, the investment in the resources needed for disaster recovery, the recovery requirements (such as target values for RTO and RPO), and the recovery policy are decided.</P><P style=" padding-left : 60px; ">・Risk assessment and risk analysis:<BR />First, all assets are listed and the threats and vulnerabilities associated with those assets are investigated. Next, the impact and likelihood of each combination of threat and vulnerability are evaluated and the risk level is calculated. Finally, appropriate actions and priorities are decided for managing information security risk according to the risk level and for implementing controls that protect against the risk. Basing the risk assessment and risk analysis on standards such as ISO 27001 or NIST gives a degree of assurance about what is carried out.</P><P style=" padding-left : 60px; ">・Data backup and restore<BR />Data backup and restore greatly affect the RTO and RPO, so they are very important. For data backups, the location, frequency, and method are decided. The backup frequency in particular is important because it directly affects the RPO. Real-time backups are the ideal, but depending on transactions and data volumes real time is sometimes not feasible, so the optimal frequency is decided according to the nature of each cloud service.<BR />Restoring from backup directly affects the RTO, so the scope, priorities, and procedures for restoration need to be confirmed on a regular basis.</P><P style=" padding-left : 30px; "><U>・Implementing the plan</U><BR />The content decided during plan creation is applied to the actual cloud service. For example, in the criticality assessment and business impact analysis, the resource requirements needed to provide the cloud service stably are identified and ranked by criticality, and a business impact analysis is carried out for the companies that use the cloud service. For data backup and restore, it is decided whether the backup location is a separate building in the same region or a distant region, and the actual backup frequency is decided according to the nature and resources of the cloud service. Implementation is the work of applying what was decided during creation to the cloud service.</P><P style=" padding-left : 30px; "><U>・Testing the plan</U><BR 
/>The purpose of testing is to confirm that the created plan has been implemented and is effective, to prove that, should a disaster occur, recovery can be carried out as decided during plan creation, and to improve the preparedness and maturity of the disaster recovery plan. Testing at least once a year is therefore considered best practice, and it is important to review the plan in light of the test results and improve it.</P><P>For the cloud service provider, the disaster recovery plan is indispensable for deciding the processes, scope of response, objectives, and so on needed to restore the cloud service quickly when an incident occurs. It is also essential for providing the companies that use the cloud service with information about the recovery response when an incident occurs (RTO, RPO, details of the recovery response, contact points, and so on).</P><P><STRONG><U>Disaster recovery and SAP</U></STRONG><BR />SAP formulates its disaster recovery plan based on international standards such as NIST, ISO 22301, and ISO 27001. External audits confirm that the department managing each cloud service implements disaster recovery measures in accordance with the formulated plan.<BR />The RTO and RPO of the cloud services SAP provides differ depending on the service content, resources, and nature of each cloud service, so we refrain from listing them here, but we promise that a variety of measures are taken to minimise the impact on our customers' business.</P> 2024-07-04T13:37:56.721000+02:00 https://community.sap.com/t5/technology-blogs-by-sap/new-free-learning-journey-implementing-authorizations-in-sap-bw-4hana/ba-p/13754055 New free Learning Journey “Implementing Authorizations in SAP BW/4HANA” 2024-07-08T10:15:46.802000+02:00 Johann https://community.sap.com/t5/user/viewprofilepage/user-id/137238 <P><SPAN>After starting your SAP BW/4HANA journey either from scratch with our beginner learning journey or with existing SAP BW/4HANA skills, it is now time to learn how to ensure data security and access control in SAP BW/4HANA.</SPAN></P><P><SPAN>For that, SAP BW/4HANA uses authorizations, which are permissions granted to users to access specific data or perform certain actions within the system.</SPAN></P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Analysis_Authorization_COA_003.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/133543i6D479547C8C7DF2E/image-size/large?v=v2&amp;px=999" role="button" title="Analysis_Authorization_COA_003.png" alt="Analysis_Authorization_COA_003.png" /></span></SPAN></P><P><SPAN>This <A 
href="https://learning.sap.com/learning-journeys/implementing-authorizations-in-sap-bw-4hana" target="_self" rel="noopener noreferrer">self-paced learning journey</A> is designed for SAP BW/4HANA consultants and administrators who want to learn how to define and implement these authorizations in SAP BW/4HANA.</SPAN></P><P><SPAN>It's also suitable for authorization administrators in SAP ERP or SAP S/4HANA who are extending their responsibility for authorizations to SAP BW/4HANA.</SPAN></P><P><SPAN>It will equip you with the skills to:</SPAN></P><UL><LI><SPAN>Differentiate between transactional and analytical security needs in SAP BW/4HANA</SPAN></LI><LI>Create and maintain analysis authorizations</LI><LI>Create authorizations for Data Modelers and Data Load Administrators, and</LI><LI>Trace standard and analysis authorizations.</LI></UL><P>As you embark on your SAP BW/4HANA journey, remember that continuous learning is key.</P><P><SPAN>Ensure data security and access control in SAP BW/4HANA!</SPAN></P><P><SPAN>Your Product Learning CoE Analytics Team</SPAN></P> 2024-07-08T10:15:46.802000+02:00 https://community.sap.com/t5/technology-blogs-by-members/integration-of-sap-task-center-azure-and-servicenow-sso-user-provisioning/ba-p/13766332 Integration of SAP Task Center, Azure and ServiceNow - SSO, User Provisioning and Token exchange 2024-07-19T16:10:57.124000+02:00 ITCE https://community.sap.com/t5/user/viewprofilepage/user-id/1474919 <P>During the configuration of <A href="https://www.itce.com/integrate-your-sap-task-center-with-servicenow/" target="_self" rel="nofollow noopener noreferrer">Task Connect</A>, an integration between ServiceNow and SAP Task Center, <SPAN>we devoted significant effort to addressing security 
concerns</SPAN><SPAN>, particularly focusing on user authentication and user provisioning. Given the widespread use of Azure as an identity and token provider, we developed a method to synchronize users and groups across ServiceNow, SAP Task Center, and Azure.</SPAN></P><P>In this document, you will find the scenario overview, the related architectural diagrams showing the different components and how they interact with each other, and the steps to follow to configure the connection between ServiceNow, SAP Task Center and Azure.</P><P><FONT size="4"><STRONG>1. Scenario overview</STRONG></FONT></P><P>The starting point in this scenario is the user's authentication and the access token issued by the SAP Cloud Identity tenant's authentication service (IAS), indicated as AT (IAS) APP and returned in step 2 of figure 1 below, following the notation &lt;token type&gt; (&lt;issuer&gt;) &lt;audience&gt;. The complete token exchange is orchestrated by the <A href="https://www.rfc-editor.org/rfc/rfc6749" target="_blank" rel="noopener nofollow noreferrer">OAuth 2.0</A> and <A href="https://openid.net/developers/specs/" target="_blank" rel="noopener nofollow noreferrer">OpenID Connect</A> (OIDC) authorization and authentication frameworks and their respective token types, which are <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens" target="_blank" rel="noopener nofollow noreferrer">access tokens</A> (AT), <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens" target="_blank" rel="noopener nofollow noreferrer">refresh tokens</A> (RT), and <A href="https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens" target="_blank" rel="noopener nofollow noreferrer">identity tokens</A> (ID). Thus, AT (IAS) IAS is an access token, issued by the IAS tenant's OAuth 2.0 authorization server, with an audience set to the IAS tenant's client ID. 
All tokens except for refresh tokens are formatted as JWTs. Compared to the token exchange in the previous parts of this blog series (see <A href="https://blogs.sap.com/2020/07/17/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp/" target="_blank" rel="noopener noreferrer">part I</A>, <EM>Interoperability and standards</EM>, for more details), <A href="https://wiki.oasis-open.org/security/FrontPage#SAML_V2.0_Standard" target="_blank" rel="noopener nofollow noreferrer">SAML 2.0</A> - or more precisely the SAML assertion as an OAuth 2.0 authorization grant defined in section 2.1 of <A href="https://www.rfc-editor.org/rfc/rfc7522#section-2.1" target="_blank" rel="noopener nofollow noreferrer">RFC 7522</A> - is no longer used in this scenario. Instead of transforming between different token formats (JWT to SAML and back to JWT), this scenario only uses JWTs for the token exchange. It is important to note that for this token exchange no direct trust relationship between the application on BTP and Azure AD is required. The application only has a trust relationship to the IAS tenant, and the IAS tenant maintains the trust relationship to the Azure AD tenant (and vice versa).&nbsp;&nbsp;&nbsp;</P><P>All authentication requests for the business application on BTP (SAP TASK CENTER) are forwarded by the IAS tenant to the Azure AD tenant which is configured as a <A href="https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/19f3eca47db643b6aad448b5dc1075ad.html?locale=en-US" target="_blank" rel="noopener noreferrer">corporate identity provider (IdP) in IAS</A>. IAS acts as a proxy and delegates authentication to Azure AD in the role of the relying party to the corporate identity provider. The IAS tenant therefore requires an application registration in Azure AD. 
&nbsp;</P><P><STRONG>Note</STRONG>: For the TaskConnect integration configuration to work, SAP Task Center should be configured according to the following documentation: <A href="https://help.sap.com/docs/task-center/sap-task-center/initial-setup" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/initial-setup</A></P><P><FONT size="4"><STRONG>2. User authentication and token exchange</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_0-1721388770253.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139020i40DB8BEAFEB8A62C/image-size/large?v=v2&amp;px=999" role="button" title="ITCE_0-1721388770253.png" alt="ITCE_0-1721388770253.png" /></span></P><OL><LI>The user accesses the BTP business application, SAP Task Center. The app delegates authentication to the IAS tenant using OIDC. It starts the authentication process by redirecting the user's browser to the IAS tenant's OAuth server authorization endpoint at <EM><U>https://&lt;IAS tenant name&gt;.accounts.ondemand.com/oauth2/authorize</U></EM> and sending an OAuth authorization request.</LI><LI>Because the user is not yet authenticated at the IAS tenant, the user's browser is redirected to the IAS tenant's single sign-on (SSO) endpoint at <EM><U>https://&lt;IAS tenant name&gt;.accounts.ondemand.com/saml2/idp/sso</U></EM>.</LI><LI>The business application is configured in IAS to pass all authentication requests to Azure AD as its corporate IdP. Therefore, IAS sends an OAuth authorization request to the Azure AD tenant's OAuth authorization endpoint.</LI><LI>The user is prompted by Azure AD to enter their credentials. 
Upon successful authentication, Azure AD sends the authorization code to IAS by redirecting the user's web browser to the URI specified in the previous request.</LI><LI>IAS receives the authorization code and sends an access token request to Azure AD's token endpoint. Azure AD issues an access token and a refresh token (RT(AAD)IAS, which is cached for later use in step 8) for the authenticated user, with an audience set to the IAS tenant's OIDC name.</LI><LI>The BTP business application requests a <EM>client assertion</EM> from the IAS tenant to use in the subsequent requests for the token exchange via the IAS tenant's OIDC proxy. The client application sends a token request to the IAS tenant's token endpoint. The POST request is authenticated with the client ID and secret of the business application in IAS. The client assertion from IAS takes the form of a signed JWT that proves the application's identity to AAD when requesting tokens via the IAS corporate IdP OIDC proxy.</LI><LI>The business application exchanges the IAS-issued ID token for an Azure AD-issued access token via the IAS tenant's OIDC proxy token exchange endpoint. The POST request uses the assertion parameter to pass the base64-encoded IAS ID token of the user.</LI><LI>The IAS token service sends a refresh token request using RT(AAD)IAS cached in step 5 to obtain a new access token AT(AAD)APP for the business application.</LI><LI>The business application uses the Azure AD On-Behalf-Of (OBO) flow to request the access token.</LI><LI>Finally, the business application calls ServiceNow to take actions on the signed-in user's tasks.</LI><LI>ServiceNow validates the token using the "OIDC provider to verify ID tokens" configuration with the same application registered in Azure that issued the access token and refresh token in step 5.</LI></OL><P><FONT size="4"><STRONG>3. 
User provisioning - Azure to SAP</STRONG></FONT></P><P>Use SAP Cloud Identity Services - Identity Provisioning to provision users from Microsoft Azure Active Directory to SAP Cloud Identity Services - Identity Authentication.</P><P><STRONG><FONT size="4">4. User provisioning &amp; SSO - Azure to ServiceNow</FONT></STRONG></P><OL><LI>Use the ServiceNow enterprise application in Azure to provision users from Microsoft Azure Active Directory to the ServiceNow instance.</LI><LI>Use the same ServiceNow enterprise application created in step 13 in Azure to authenticate users from Microsoft Azure Active Directory to the ServiceNow instance.</LI></OL><P><FONT size="4"><STRONG>5. Technical service flow</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_1-1721389027561.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139026i46BDAAB0DAC790CD/image-size/large?v=v2&amp;px=999" role="button" title="ITCE_1-1721389027561.png" alt="ITCE_1-1721389027561.png" /></span></P><P>You need to create an integration user for the SAP technical connection and choose how SAP Task Center will authenticate when the technical connection is used (delta jobs in SAP use this technical connection).</P><P>For example, you can use Basic Auth or OAuth:</P><OL><LI>For Basic Auth, provide the username and password to the team configuring the connection to ServiceNow.</LI><LI>For OAuth, follow these steps in ServiceNow (an account with the admin role is required):<OL class="lia-list-style-type-lower-alpha"><LI>Open System OAuth -&gt; Application Registry. Click New and choose "Create an OAuth API endpoint for external clients". 
Configure the record and share the username, user password, client ID and client secret with the team configuring the connection to ServiceNow.</LI></OL></LI></OL><P><FONT size="4"><STRONG>6. Register the applications in Azure AD for the IAS tenant and the SN OIDC provider to verify ID tokens</STRONG></FONT></P><P>The token exchange and OIDC proxy setup between SN, IAS, and the Azure AD tenant requires a trust relationship, which is established by registering one application in the Azure AD tenant.</P><P>“SAPIASTenant” represents the SAP Cloud Identity Service tenant.<BR /><BR /><STRONG>Step 1</STRONG><BR />Log in to the <A href="https://portal.azure.com/" target="_blank" rel="noopener nofollow noreferrer">Azure Portal</A> (e.g. with your Microsoft 365 E5 developer subscription’s admin account) and select <STRONG>Azure Active Directory </STRONG>from the portal menu.</P><P>Select <STRONG>App registrations </STRONG>from the left-side menu.</P><P><STRONG>Step 2</STRONG><BR />Click <STRONG>+ New registration</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_4-1721391713497.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139143i95F1F1B49D0BDFA3/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_4-1721391713497.png" alt="ITCE_4-1721391713497.png" /></span></P><P><STRONG>Step 3<BR /></STRONG>Enter "&lt;SAP IAS Tenant&gt;" for the <STRONG>Name </STRONG>of the new application registration.</P><P>Replace &lt;SAP IAS Tenant&gt; with your friendly name.</P><P>Select "Web" from the dropdown list in the <STRONG>Redirect URI </STRONG>section.</P><P>Enter your IAS tenant's <STRONG>redirect URI </STRONG>in the Redirect URI section's text field: <EM><U>https://&lt;IAS tenant name&gt;.accounts.ondemand.com/oauth2/callback</U></EM>. Replace &lt;IAS tenant name&gt; with your tenant's 
name.</P><P>Click <STRONG>Register</STRONG>.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_5-1721391793724.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139144iF19D6555EB9974F6/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_5-1721391793724.png" alt="ITCE_5-1721391793724.png" /></span></P><P><STRONG>Step 4</STRONG><BR /><SPAN>Copy the newly generated <STRONG>Application (client) ID </STRONG>to a temporary text file. You will need it in the next step for deploying the sample application.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_6-1721391924140.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139146i52D8C3E06BC2A392/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_6-1721391924140.png" alt="ITCE_6-1721391924140.png" /></span></P><P><STRONG>Step 5<BR /></STRONG>Select <STRONG>Manifest </STRONG>from the navigation menu to edit the application registration's manifest file.&nbsp;&nbsp;<BR />Change the value for the field "accessTokenAcceptedVersion" from null to <STRONG>2</STRONG>.&nbsp;&nbsp;&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_7-1721391960742.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139147iFB4CEBAED9F60E2C/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_7-1721391960742.png" alt="ITCE_7-1721391960742.png" /></span></P><P><STRONG><FONT size="4"><BR />7. Configure trust to the IAS tenant in Azure AD</FONT></STRONG></P><P>Trust to the IAS tenant is configured in Azure AD with a new federated identity credential. In addition, a client secret is required for the initial token exchange in step 5 of figure 1. 
Both credentials will be configured for the application registrations in the following step.&nbsp;&nbsp;</P><P><STRONG>Step 6</STRONG><BR />Select the <EM>SAPIASTenant </EM>app from the list. (created in step 3)&nbsp;&nbsp;<BR />Select <STRONG>Certificates &amp; secrets </STRONG>from the menu and switch to the <STRONG>Client secrets </STRONG>tab.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>+ New client secret</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_8-1721392162592.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139148i69480B049CF5D253/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_8-1721392162592.png" alt="ITCE_8-1721392162592.png" /></span></P><P><STRONG>Step 7<BR /></STRONG>Enter "&lt;SAPOIDCProxy&gt;" for the <STRONG>Description</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Click</SPAN> <STRONG>Add</STRONG><SPAN>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_9-1721392189260.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139149iD7F1930022AE6587/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_9-1721392189260.png" alt="ITCE_9-1721392189260.png" /></span></P><P><STRONG>Step 8</STRONG><BR /><SPAN>Click <STRONG>Copy to clipboard </STRONG>in the <STRONG>Value </STRONG>column and paste it to a temporary text file. 
You will need it later in the setup process.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_10-1721392218908.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139150i771633F0E6266613/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_10-1721392218908.png" alt="ITCE_10-1721392218908.png" /></span></P><P><STRONG>Step 9<BR /></STRONG>Create another secret for ServiceNow.<BR />Enter "&lt;ServiceNow&gt;" for the <STRONG>Description</STRONG>.<BR />Click <STRONG>Add</STRONG>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_11-1721392246014.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139151iF29340E5CB799372/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_11-1721392246014.png" alt="ITCE_11-1721392246014.png" /></span></P><P><FONT size="4"><STRONG><BR />8. Configure permissions and scopes in Azure AD</STRONG></FONT></P><P>To request the Outlook calendar event on behalf of the user, the business application (SAPBTPGraphApp) requires the Graph API permission <EM>Calendars.Read</EM>. SAPBTPGraphApp also exposes the custom scope "<EM>token.exchange</EM>". This scope is referred to as a (downstream) API permission for the SAPIASTenant application registration and is required for steps 7 and 8 in figure 1. For the initial token request to Azure AD (see step 5 in figure 1 and figure 2), the SAPIASTenant application exposes the custom scope "<EM>ias.access</EM>".</P><P><STRONG>Step 10</STRONG><BR /><SPAN>Go to </SPAN><STRONG>Expose an API </STRONG><SPAN>in the navigation menu. 
&nbsp;<BR /></SPAN><SPAN>Click <STRONG>+ Add a scope</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_12-1721392320639.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139152iC13AA6059661C3AD/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_12-1721392320639.png" alt="ITCE_12-1721392320639.png" /></span></P><P><STRONG>Step 11<BR /></STRONG>Accept the default value for the <STRONG>Application ID URI</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save and continue</STRONG>.&nbsp;&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_13-1721392351197.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139153i02AC97FECE81EE70/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_13-1721392351197.png" alt="ITCE_13-1721392351197.png" /></span></P><P><STRONG>Step 12<BR /></STRONG>Enter "ias.access" for the new <STRONG>Scope name</STRONG>. Provide an <STRONG>Admin consent display name </STRONG>and <STRONG>description</STRONG>.&nbsp;&nbsp;<BR />Click <STRONG>Add scope</STRONG>. 
&nbsp;<BR /><SPAN><BR /><U>Scope name:<BR /></U></SPAN>ias.access</P><P><U>Admin consent display name:</U><BR />IAS Tenant Access<BR /><SPAN><BR /><U>Admin consent description:</U><BR />Access to SAP Cloud Identity service Application</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_14-1721392410098.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139154iD03A0444F56921A5/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_14-1721392410098.png" alt="ITCE_14-1721392410098.png" /></span></P><P><STRONG>Step 13</STRONG><BR /><SPAN>Copy the fully qualified URI of the new scope (<I>api://&lt;client id&gt;/ias.access</I>) from the clipboard to a temporary text file. It will be used in a later setup step.<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_15-1721392473937.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139155i3270EA357C5861C0/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_15-1721392473937.png" alt="ITCE_15-1721392473937.png" /></span></P><P><STRONG>Step 14<BR /></STRONG>Add an <STRONG>Optional</STRONG> claim to the token.<BR />Navigate to <STRONG>Token configuration</STRONG>.<BR />Click + Add optional claim.<BR />Token type: ID.<BR /><SPAN>Select "email" and add it.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_16-1721392521039.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139156i6522FD311C891215/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_16-1721392521039.png" alt="ITCE_16-1721392521039.png" /></span></P><P><STRONG>Step 15</STRONG><BR />If a message about required API permissions appears,<BR />select the checkbox - Turn On 
Microsoft Graph email permission (required for claim to appear in token)&nbsp;&nbsp;<BR /><SPAN>Click<STRONG> "add"</STRONG></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_17-1721392551461.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139157i7FECBDEB8BF05AEE/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_17-1721392551461.png" alt="ITCE_17-1721392551461.png" /></span></P><P><STRONG>Step 16</STRONG><BR /><SPAN>Grant<STRONG> Admin Consent</STRONG>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_18-1721392573010.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139158iA2D9063ECC43A14F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_18-1721392573010.png" alt="ITCE_18-1721392573010.png" /></span></P><P><STRONG>Step 17<BR /></STRONG>Navigate to authentication&nbsp;&nbsp;<BR />Scroll down to Implicit grant and hybrid flows&nbsp;&nbsp;<BR />Select the tokens you would like to be issued by the authorization endpoint:&nbsp;&nbsp;<BR />Select the checkbox<STRONG> ID tokens&nbsp;</STRONG>&nbsp;<BR /><SPAN>Click<STRONG> Save&nbsp;</STRONG></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_19-1721392604385.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139159i48375DDD83A980ED/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_19-1721392604385.png" alt="ITCE_19-1721392604385.png" /></span></P><P><FONT size="4"><STRONG><BR />9. 
Configure Azure as an OAUTH OIDC provider on ServiceNow</STRONG></FONT></P><P><STRONG>Step 18</STRONG><BR />Open the ServiceNow instance&nbsp;&nbsp;<BR />Navigate to All &gt; System OAuth &gt; Application Registry.&nbsp;&nbsp;<BR /><SPAN>Click New, click Configure an OIDC provider to verify ID tokens.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_20-1721392708919.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139160i510A6B332A47DAE8/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_20-1721392708919.png" alt="ITCE_20-1721392708919.png" /></span></P><P><STRONG>Step 19<BR /></STRONG>Fill the form.&nbsp;&nbsp;&nbsp;&nbsp;</P><TABLE width="590"><TBODY><TR><TD width="154"><P>Field&nbsp;&nbsp;</P></TD><TD width="436"><P>Description&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Name&nbsp;&nbsp;</P></TD><TD width="436"><P>A unique name that identifies the OAuth OIDC entity.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Client ID&nbsp;&nbsp;</P></TD><TD width="436"><P>The client ID of the application registered in Azure in step 4. The instance uses the client ID when requesting an access token.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>Client Secret&nbsp;&nbsp;</P></TD><TD width="436"><P>The client secret of the application registered in Azure in step 31.&nbsp;&nbsp;</P></TD></TR><TR><TD width="154"><P>OAuth OIDC Provider Configuration&nbsp;&nbsp;</P></TD><TD width="436"><P>The OIDC provider (ADFS, Auth0, Azure AD, Google, Okta) can be used to validate the JWT token. Click the record of your OIDC provider configuration to validate the User Claim and User Field are set appropriately. 
If you check Enable JTI claim verification, the ServiceNow JWT token validation also validates the JTI sent by the provider.</P><P>See the next step for more details.</P></TD></TR><TR><TD width="154"><P>Clock Skew</P></TD><TD width="436"><P>The number of seconds for which the time constraint is considered valid. The default is 300.</P></TD></TR><TR><TD width="154"><P>Comments</P></TD><TD width="436"><P>Additional information to associate with the application.</P></TD></TR><TR><TD width="154"><P>Application</P></TD><TD width="436"><P>The name of the application containing this entity.</P></TD></TR><TR><TD width="154"><P>Accessible from</P></TD><TD width="436"><P>Select an option to make it accessible from all application scopes, or from this application scope only (all scopes by default).</P></TD></TR><TR><TD width="154"><P>Enforce Token Restrictions</P></TD><TD width="436"><P>Select to only allow tokens to be used with APIs set to allow the authentication profile. You can grant access using an API access policy. For more information, see <A href="https://docs.servicenow.com/bundle/washingtondc-platform-security/page/integrate/authentication/task/create-api-access-policy.html" target="_blank" rel="noopener nofollow noreferrer">Create REST API access policy</A>.</P><P>Default: Unselected.</P></TD></TR><TR><TD width="154"><P>Active</P></TD><TD width="436"><P>Select the check box to make the OAuth application active.</P></TD></TR><TR><TD width="154"><P>Redirect URL</P></TD><TD width="436"><P>The URL of the OAuth application for receiving the authorization code. 
(automatically added when the application is saved).</P></TD></TR><TR><TD width="154"><P>End Session Endpoint URL</P></TD><TD width="436"><P>The URL endpoint used after a session ends (not required).</P></TD></TR><TR><TD width="154"><P>Enable force authentication</P></TD><TD width="436"><P>Option to enable forced authentication for users (not required).</P></TD></TR></TBODY></TABLE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_22-1721392758973.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139162iDC77EF643B60AB1A/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_22-1721392758973.png" alt="ITCE_22-1721392758973.png" /></span></P><P><STRONG>Step 20<BR /></STRONG>OAuth OIDC Provider Configuration<BR /><SPAN>Click on the search icon and then New.</SPAN></P><P><U>OIDC Provider</U> - A unique name that identifies the OIDC provider.</P><P><U>OIDC Metadata URL</U> - the OIDC provider's OpenID Connect metadata document (details in the next step).</P><P>User claim: email<BR />User Field: the field in SN that contains the mail value</P><P><SPAN>Enable JTI claim verification: Disable</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_24-1721392870114.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139164i79DF73CAB66764A6/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_24-1721392870114.png" alt="ITCE_24-1721392870114.png" /></span></P><P><STRONG>Step 21</STRONG><BR /><SPAN>Navigate to the Azure application created in step 3 &gt; Overview &gt; Endpoints &gt; OpenID Connect metadata document.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_25-1721392902312.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139165iCF1D5CD29ACA04B2/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_25-1721392902312.png" alt="ITCE_25-1721392902312.png" /></span></P><P><STRONG>Step 22<BR /></STRONG>Navigate to OAuth Entity Scope and add:<BR />offline_access,<BR />Open id</P><P><SPAN>Click Update.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_26-1721392944387.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139166i849E44A753A0B5B7/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_26-1721392944387.png" alt="ITCE_26-1721392944387.png" /></span></P><P><STRONG>Step 23<BR /></STRONG>Navigate to the OAuth Entity Profile, which is created automatically when the OAuth OIDC entity is saved.<BR /><BR />Verify that the Grant type is Resource Owner Password Credentials <SPAN>and then add the OAuth Entity Scopes created in the previous step.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_27-1721392984612.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139167iAC57E49CE9075C33/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_27-1721392984612.png" alt="ITCE_27-1721392984612.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_28-1721392990570.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139168i8C828D24A90815FC/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_28-1721392990570.png" alt="ITCE_28-1721392990570.png" /></span></P><P><STRONG>Step 24</STRONG><BR /><SPAN>Add Auth Scope:<BR />useraccount</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_29-1721393015741.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139169i6D24846BA6911851/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_29-1721393015741.png" alt="ITCE_29-1721393015741.png" /></span></P><P><STRONG>Step 25<BR /></STRONG>Navigate to the OAuth OIDC Entity created in step 34 and copy the redirect URL.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_31-1721393042174.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139171i5E7E9D23B1E5C62E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_31-1721393042174.png" alt="ITCE_31-1721393042174.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_32-1721393043578.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139172i287AE8534394A9EB/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_32-1721393043578.png" alt="ITCE_32-1721393043578.png" /></span></P><P><STRONG>Step 26<BR /></STRONG>Navigate to the Azure app registered in step 3.<BR />Open Authentication.<BR />Add the URL from the previous step (do not remove or replace the URL added in step 3 when the application was created).<BR /><SPAN>Save</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_33-1721393081723.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139173i02E0E7383A814392/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_33-1721393081723.png" alt="ITCE_33-1721393081723.png" /></span><BR /><BR /></P><P><FONT size="4"><STRONG>10. 
Setup user provisioning - Azure &gt;&gt; SAP</STRONG></FONT></P><P><STRONG>Step 27</STRONG><BR /><SPAN>Launch a browser window and access your Azure portal using the URL: </SPAN><SPAN><A href="https://portal.azure.com/" target="_blank" rel="noopener nofollow noreferrer"><STRONG>https://portal.azure.com/</STRONG></A></SPAN><STRONG><SPAN>.&nbsp;</SPAN></STRONG></P><P><FONT color="#3366FF"><STRONG><SPAN>You will need to authenticate to your Azure AD using your admin credentials.</SPAN></STRONG><SPAN>&nbsp;</SPAN></FONT></P><P><STRONG>Step 28<BR /></STRONG>Click <STRONG>Microsoft Entra ID.</STRONG>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_34-1721393313874.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139174i4701DA7957C33F35/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_34-1721393313874.png" alt="ITCE_34-1721393313874.png" /></span></P><P><STRONG>Step 29</STRONG><BR />Click <STRONG>App Registration</STRONG> &gt;&gt;<STRONG> New registration</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_35-1721393339071.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139175i2ED7A7EB0C5AEFBE/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_35-1721393339071.png" alt="ITCE_35-1721393339071.png" /></span></P><P><STRONG>Step 30<BR /></STRONG>Specify a name for your app and click <STRONG>Register</STRONG>&nbsp;</P><P><STRONG>Step 31<BR /></STRONG>Click <STRONG>API permission &gt;&gt; Add a permission</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_36-1721393393375.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139176iD72EC529CCFD1A15/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_36-1721393393375.png" alt="ITCE_36-1721393393375.png" 
/></span></P><P><STRONG>Step 32</STRONG><BR /><SPAN>Select <STRONG>Microsoft Graph</STRONG>.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_37-1721393415459.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139177i97568B444FAC1AEF/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_37-1721393415459.png" alt="ITCE_37-1721393415459.png" /></span></P><P><STRONG>Step 33<BR /></STRONG>Click <STRONG>Application permissions</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_38-1721393439583.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139178i7F1957CD8E10E786/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_38-1721393439583.png" alt="ITCE_38-1721393439583.png" /></span></P><P><STRONG>Step 34<BR /></STRONG>From the list of API permissions, expand <STRONG>User</STRONG> and select <STRONG>User.Read.All.</STRONG>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_39-1721393458635.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139179i6E39C79EBBAE41A9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_39-1721393458635.png" alt="ITCE_39-1721393458635.png" /></span></P><P><STRONG>Step 35<BR /></STRONG>From the API list also select <STRONG>Group &gt;&gt; Read.All</STRONG> and <STRONG>Directory &gt;&gt; Read.All</STRONG>.&nbsp; Click <STRONG>Add permissions</STRONG> at the bottom of the screen once done.&nbsp;</P><P><STRONG>Step 36<BR /></STRONG>The permissions are not granted by default.&nbsp; To grant the permissions, click <STRONG>Grant admin consent for Default Directory</STRONG>.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_40-1721393500214.png" style="width: 400px;"><img 
src="https://community.sap.com/t5/image/serverpage/image-id/139181i9C2A8D19DA28A349/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_40-1721393500214.png" alt="ITCE_40-1721393500214.png" /></span></P><P><STRONG>Step 37</STRONG><BR /><SPAN>Click Yes on the popup message and confirm that all permissions are granted.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_41-1721393517168.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139182i38D86F56F4F4B9C4/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_41-1721393517168.png" alt="ITCE_41-1721393517168.png" /></span></P><P><STRONG>Step 38</STRONG><BR /><SPAN>Click <STRONG>Overview </STRONG>from the left panel.&nbsp; Make a note of the <STRONG>Application (client) ID</STRONG>.&nbsp; You will need this later when creating the source system in IPS.&nbsp;&nbsp; Click <STRONG>Add a certificate or secret</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_42-1721393534448.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139183i097E17CB56F3FCE9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_42-1721393534448.png" alt="ITCE_42-1721393534448.png" /></span></P><P><STRONG>Step 39</STRONG><BR /><SPAN>Click <STRONG>New client secret</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_43-1721393550840.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139184iB3D59E6F975F9978/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_43-1721393550840.png" alt="ITCE_43-1721393550840.png" /></span></P><P><STRONG>Step 40</STRONG><BR /><SPAN>Specify a description and expiry time for the client secret.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="ITCE_44-1721393570018.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139185i3EE4774B880737D3/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_44-1721393570018.png" alt="ITCE_44-1721393570018.png" /></span></P><P><STRONG>Step 41</STRONG><BR /><SPAN>You should have client secret added successfully.&nbsp; Make a note of the value field as you will need it later when creating the source system in IPS.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_45-1721393595594.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139186iE22B34B9F29FA22D/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_45-1721393595594.png" alt="ITCE_45-1721393595594.png" /></span></P><P><STRONG>Step 42</STRONG><BR /><SPAN>Navigate to the main overview page of Azure AD and make a note of your<STRONG> Primary domain</STRONG>.&nbsp; You will need this value when creating the source system in IPS.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_46-1721393612994.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139187i8653F93DEC94A456/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_46-1721393612994.png" alt="ITCE_46-1721393612994.png" /></span></P><P><STRONG>Step 43<BR /></STRONG>Follow the blog&nbsp; <A href="https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054" target="_blank">https://community.sap.com/t5/technology-blogs-by-sap/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services/ba-p/13546054</A> and specific hint on filtering users by a group in Identiy Provisionning Source system Properties, add aad.group.filter=displayName eq '&lt;group_name&gt;':&nbsp;</P><P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="ITCE_47-1721393638444.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139188iA3AB7BF33A35871F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_47-1721393638444.png" alt="ITCE_47-1721393638444.png" /></span></P><P><FONT size="4"><STRONG><BR />11. Establish trust between task sub account and IAS</STRONG></FONT></P><P><STRONG>Step 44</STRONG><BR /><SPAN>Go to BTP Cockpit-&gt;Security-&gt;Trust Configuration&nbsp;</SPAN></P><P><STRONG>Step 45</STRONG><BR /><SPAN>Select "Establish trust" and choose the IAS</SPAN></P><P><STRONG>Step 46</STRONG><BR />Select "Establish trust" and choose the IAS&nbsp;</P><P>Note: This creates an OIDC application in IAS for the subaccount&nbsp;</P><P><SPAN>NB: <STRONG>Task Center/Service Now integration works only with OIDC trust between Task Center subaccount and IAS</STRONG></SPAN></P><P><STRONG>Step 47<BR /></STRONG>This would create an application in iAS&nbsp;</P><P>For more information, you can check: <A href="https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication</A><BR /><BR /></P><P><FONT size="4"><STRONG>12. 
Setup the corporate identity provider and OIDC proxy in SAP Cloud Identity tenant</STRONG></FONT></P><P><STRONG>Step 48</STRONG><BR />Login as an administrator to your SAP Cloud Identity service administration console at&nbsp;<BR /><EM><U>https://&lt;IAStenant<SPAN> name&gt;.accounts.ondemand.com/admin&nbsp;</SPAN></U></EM></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_48-1721393838179.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139189i3779AF1F8EA76B8B/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_48-1721393838179.png" alt="ITCE_48-1721393838179.png" /></span></P><P><STRONG>Step 49<BR /></STRONG>Go to <STRONG>Identity Providers &gt; Corporate Identity Providers </STRONG>and click <STRONG>Create</STRONG>.&nbsp;&nbsp;<BR /><SPAN>Enter a <STRONG>Display name</STRONG>(e.g. "Azure Active Directory") and click <STRONG>Save</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_0-1721395913437.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139201iC0CD8E38F7476244/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_0-1721395913437.png" alt="ITCE_0-1721395913437.png" /></span></P><P><STRONG>Step 50</STRONG><BR /><SPAN>Click on <STRONG>Identity Provider Type </STRONG>from the Trust settings of the new corporate identity provider.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_1-1721395934806.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139202i579741B52C780B6E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_1-1721395934806.png" alt="ITCE_1-1721395934806.png" /></span></P><P><STRONG>Step 51<BR /></STRONG>Select <STRONG>OpenID Connect Compliant </STRONG>from the list.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>Save</STRONG>.</SPAN></P><P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_2-1721395961468.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139203i560EAD88536F6F15/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_2-1721395961468.png" alt="ITCE_2-1721395961468.png" /></span></P><P><STRONG>Step 52</STRONG><BR /><SPAN>Click on <STRONG>OpenID Connect Configuration </STRONG>from the Trust settings of the new corporate identity provider.</SPAN><SPAN> </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_3-1721395983702.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139204i7020E307084663E1/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_3-1721395983702.png" alt="ITCE_3-1721395983702.png" /></span></P><P><STRONG>Step 53<BR /></STRONG>Enter your Azure AD tenant's OIDC <STRONG>Discovery URL </STRONG><U>(</U><A href="https://login.microsoftonline.com/%3cAAD" target="_blank" rel="noopener nofollow noreferrer">https://login.microsoftonline.com/&lt;AAD</A><U> tenant ID&gt;/v2.0)</U>&nbsp;Click <STRONG>Load</STRONG>.&nbsp;&nbsp;<BR /><BR /><SPAN>The Issuer field gets populated from the loaded Azure AD tenant's OIDC metadata.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_4-1721396016741.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139205i729511E4B37B92F0/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_4-1721396016741.png" alt="ITCE_4-1721396016741.png" /></span></P><P><STRONG>Step 54</STRONG><BR />Enter the SAPIASTenant's client ID in the <STRONG>Client ID </STRONG>field. 
In the <STRONG>Client Secret </STRONG>field, enter the value of the<EM>OIDCProxy</EM>secret copied in <STRONG>step 8</STRONG>.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>Validate</STRONG>.&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_5-1721396041390.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139206i1C5E71AA2AE4C9B9/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_5-1721396041390.png" alt="ITCE_5-1721396041390.png" /></span></P><P><STRONG>Step 55<BR /></STRONG>Verify a successful validation of the OIDC configuration.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>OK</STRONG>.&nbsp;<BR /><BR /></SPAN><STRONG>Step 56</STRONG><BR /><SPAN>Click <STRONG>+ Add&nbsp;</STRONG>&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_6-1721396081656.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139207i45640799A988C0DB/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_6-1721396081656.png" alt="ITCE_6-1721396081656.png" /></span></P><P><STRONG>Step 57<BR /></STRONG>Copy and paste the full-qualified URI of the SAPIASTenant application's custom scope (<EM>api://&lt;client id&gt;/ias.access) </EM>copied in <STRONG>step 13 </STRONG>for the new scope.&nbsp;&nbsp;</P><P><SPAN>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</SPAN></P><P><SPAN><STRONG>Step 58<BR /></STRONG></SPAN>Click<STRONG>+ Add </STRONG>again and add the scope:&nbsp;<BR />"email"&nbsp;<BR />"openid"&nbsp;<BR />"offline_access"&nbsp;</P><P><SPAN>Click <STRONG>Save</STRONG>.&nbsp;<BR /></SPAN></P><P><SPAN><STRONG>Step 59</STRONG><BR />Click <STRONG>Save</STRONG>.&nbsp;&nbsp;<BR /></SPAN></P><P><SPAN><STRONG>Step 60<BR /></STRONG></SPAN>Go to <STRONG>Applications &amp; Resources &gt; Applications&nbsp;</STRONG>&nbsp;<BR />Select the application from <STRONG><U>"Establish trust between Task subaccount and IAS" 
step</U></STRONG>&nbsp;– step 47</P><P><SPAN>Click <STRONG>Attributes</STRONG><BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_7-1721396184485.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139208iC3DF6E28598F7F9F/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_7-1721396184485.png" alt="ITCE_7-1721396184485.png" /></span></P><P><STRONG>Step 61<BR /></STRONG>Navigate to Attributes and add&nbsp;&nbsp;<BR /><BR /><U>Name</U>: "xsuaa-persist-corporate-idp-token"&nbsp;<BR /><U>Source</U>: Expression&nbsp;<BR /><U>Value</U>: true&nbsp;</P><P><SPAN>Save</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_8-1721396237130.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139209iC0DBCB9FE1D12035/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_8-1721396237130.png" alt="ITCE_8-1721396237130.png" /></span></P><P><STRONG>Step 62<BR /></STRONG>Select "Conditional Authentication"&nbsp;&nbsp;<BR /><SPAN>In the "Default Identity Provider", choose the Azure provider configured in steps 48-59, Click Save<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_9-1721396411574.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139210i8708634B85151D48/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_9-1721396411574.png" alt="ITCE_9-1721396411574.png" /></span></P><P><BR /><FONT size="4"><STRONG>13. 
Configure destinations&nbsp;<SPAN>for SAP in the BTP sub-account</SPAN></STRONG></FONT></P><P>SAP Task Center uses destinations to connect to Service Now task provider&nbsp;</P><P> <STRONG>Client Specific configuration:</STRONG>&nbsp;</P><UL><LI><STRONG>aadTokenEndpoint</STRONG>: Azure AD token endpoint at<A href="https://login.microsoftonline.com/%3CAAD" target="_blank" rel="noopener nofollow noreferrer"><EM>https://login.microsoftonline.com/&lt;AAD</EM></A> <EM>tenant ID&gt;/oauth2/v2.0/token&nbsp;</EM>&nbsp;</LI><LI><STRONG>iasTokenEndpoint</STRONG>: SAP Cloud Identity service tenant's token endpoint at<EM><U>https://&lt;IAS</U>tenant name&gt;.accounts.ondemand.com/oauth2/token&nbsp;</EM>&nbsp;</LI><LI><STRONG>iasTokenExchange</STRONG>: SAP Cloud Identity service's token exchange service endpoint at<EM><U>https://&lt;IAS</U>tenant name&gt;.accounts.ondemand.com/oauth2/exchange/corporateidp&nbsp;</EM>&nbsp;</LI></UL><P><STRONG>Step 63<BR /></STRONG>Go back to the <A href="https://cockpit.sap.hana.ondemand.com/" target="_blank" rel="noopener nofollow noreferrer">SAP BTP Cockpit </A>and navigate to your CF subaccount.&nbsp;&nbsp;<BR />Select <STRONG>Connectivity &gt; Destinations </STRONG>from the navigation menu.&nbsp;&nbsp;<BR /><SPAN>Click <STRONG>New Destination</STRONG>.</SPAN></P><P><SPAN><STRONG>Step 64<BR /></STRONG></SPAN>Enter the following values for the first destination:&nbsp;&nbsp;<BR /><STRONG>Refer to 6. 
TECHNICAL SERVICE FLOW</STRONG></P><P><SPAN>Click <STRONG>Save</STRONG>.<BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_10-1721397811178.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139211i19581BA67D61F34E/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_10-1721397811178.png" alt="ITCE_10-1721397811178.png" /></span></P><P><STRONG>Step 65<BR /></STRONG>Repeat steps 63 and 64 with following values for the second destination:&nbsp;&nbsp;<BR /><BR />Refer to 10.&nbsp;CONFIGURE AZURE AS AN OAUTH OIDC PROVIDER ON THE SERVICENOW , step 21.</P><P><U>AuthnContextClassRef</U> = urn:oasis:names:tc:SAML:2.0:ac:classes:X509&nbsp;<BR /><U>clientKey&nbsp;</U>= token service password=client secret&nbsp;<BR /><U>Token service user</U> = client id&nbsp;</P><P>Task Center documentation for Third Party destination setup: <A href="https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/connect-third-party-task-provider-and-sap-task-center</A> &nbsp;</P><P>Click <STRONG>Save</STRONG>.&nbsp;&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ITCE_11-1721397858391.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/139212iB88EAADFF8D1DFD8/image-size/medium?v=v2&amp;px=400" role="button" title="ITCE_11-1721397858391.png" alt="ITCE_11-1721397858391.png" /></span></P><P><FONT size="4"><STRONG>14. 
Test the scenario&nbsp;</STRONG></FONT></P><P><SPAN><STRONG>Step 66<BR /></STRONG>Use SAP Task Center Administration app to check the status of the configured connector destination, following: <A href="https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/working-with-task-center-administration-app</A><STRONG><BR /></STRONG></SPAN></P><P><SPAN><STRONG>Step 67<BR /></STRONG>Use SAP Task Center Web app, to validate that tasks from the new destination are seen by business users (for more information, see: <A href="https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app" target="_blank" rel="noopener noreferrer">https://help.sap.com/docs/task-center/sap-task-center/sap-task-center-web-app</A>)<STRONG><BR /></STRONG></SPAN></P> 2024-07-19T16:10:57.124000+02:00