SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com

Copyright 2005 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

Disclaimer

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/securityguide
Typographic Conventions

Type Style / Description
- Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
- Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
- EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
- Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
- Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
- EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon / Meaning: Caution, Example, Note, Recommendation, Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help, General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Contents

Collaboration Security Guide 5
1 Technical System Landscape 6
2 User Management and Authentication 7
3 Permissions 7
4 Security Managers for Collaboration 8
5 Data Security in Rooms 9
6 Differentiated Display of User Data in External Portals 12
7 Prevention of Mass E-Mails 13
8 Communication Channel Security 14
9 Data Storage Security 15
10 Active Code 16
11 Trace and Log Files 16
October 2005
SAP recommends that you use this general information to create a handbook for daily use that corresponds to your company-specific requirements for production operations. As a component of SAP NetWeaver, Collaboration is based on the Portal Platform and Knowledge Management Platform. The J2EE engine of the SAP Web Application Server forms the technical basis. The table below contains links to the security guides for these components.

Related Security Guides

Application / Guide / Relevant Sections/Specific Constraints
- SAP Web Application Server: SAP Web Application Server Security Guide [SAP Library]; relevant section: SAP Web AS Security Guide for J2EE Technology [SAP Library]
- Portal Security Guide [SAP Library]
- Knowledge Management Security Guide [SAP Library]
Target Audience
Technical consultants System administrators
This security guide applies to the entire software life-cycle. In contrast, the installation guide, configuration guide, technical operations manual, and the upgrade guide are each relevant for one phase of the software life-cycle.
SAP Notes

Check frequently to see which SAP Notes for the security of your application are available.

Important SAP Notes

SAP Note Number / Title / Comments
- 721098: Central Note for Collaboration in NW04. Information on software corrections after delivery of NW04.
- 701097: SAP NetWeaver '04 Documentation. Information on corrections to the documentation after it has been delivered.
1 Technical System Landscape

[Figure: technical system landscape. Visible labels: Portal Platform, with Portal Catalog, Configuration, Navigation Service, ...]
For more information about the technical system landscape, see the sources that are listed in the following table.

More Information About the Technical System Landscape

- Topic: Description of all technical components that are relevant for Collaboration.
- Guide/Tool: Administration guide for the Collaboration component
- Link: Architecture [SAP Library]

2 User Management and Authentication
3 Permissions
Collaboration uses the permissions concept provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server security guide. The permissions concept of the SAP Web Application Server is based on the assignment of permissions to users on the basis of roles. For role maintenance on the SAP Web AS Java, you use the administration console for user management [SAP Library] in the User Management Engine (UME).
Standard Roles
The portal-wide permissions for using the Collaboration functions are contained in the following portal roles:

Portal Role / Description
- System Administration: This portal role contains specific administration functions for Collaboration as a part of Knowledge Management. For example, a system administrator configures the services and the room infrastructure. See the Collaboration Administration Guide [SAP Library].
- Content Administration: This portal role provides access to administration functions specific to Collaboration, for example: configuration for making collaboration services available; management of templates for rooms and room parts [SAP Library]; configuration of the room infrastructure [SAP Library]. You can also access specific administration functions for portal content and KM content through this portal role.
Two further portal roles:
- This portal role provides access to Room Administration and to the My Tasks and My Sessions iViews.
- This portal role provides access to the room creation wizard.
4 Security Managers for Collaboration

- As for the Collaboration Security Manager, but administration permission is assigned only to portal users with the Collaboration service permission.
- The security manager is an extension of the ACL Security Manager [SAP Library]. It defines the access permission to data that is stored in the repository for attachments. A portal user has the same access permission for an attachment stored here as for the original resource that the respective attachment refers to.
- The security manager is an extension of the ACL Security Manager [SAP Library]. It defines the access permission to data that is stored in the repository for attachments to workflow tasks. A portal user has the same access permission for an attachment stored here as for the original resource that the respective attachment refers to.
- The security manager defines the access permission to data that is stored in the repository for session records [SAP Library]. It checks whether the user is the owner or a participant in the session. Only the owner of a session has permission to edit and delete session records. If the session record relates to a room and the user is a room member (but neither owner nor session participant), the following rule applies: the user receives permission to display and edit the session record, but not permission to delete it.
- The security manager defines the access permission to data that is stored in the repository for Synchronous Collaboration Framework (SCF) sessions.
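The session-record rules above, modelled as a small decision function. This is an added illustration and not SAP's security manager code; the user ids, room ids and the room_members map are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Model of the session-record access rules stated in the guide. This is a
# constructed illustration, not SAP's security manager implementation.
ACTIONS = ("display", "edit", "delete")


@dataclass
class SessionRecord:
    owner: str                                   # user id of the session owner
    participants: Set[str] = field(default_factory=set)
    room: Optional[str] = None                   # room the session relates to, if any


def session_record_permissions(user: str, record: SessionRecord,
                               room_members: Dict[str, Set[str]]) -> Set[str]:
    """Return the actions `user` may perform on `record`.

    room_members maps a room id to the user ids in that room's user group
    (the room's access control list).
    """
    if user == record.owner:
        # Only the owner of a session may edit and delete session records.
        return {"display", "edit", "delete"}
    if user in record.participants:
        # A session participant may access the record but not edit or delete it.
        return {"display"}
    if record.room is not None and user in room_members.get(record.room, set()):
        # Room member who is neither owner nor participant: display and edit,
        # but no permission to delete.
        return {"display", "edit"}
    return set()                                 # everyone else: no access


def can(user: str, action: str, record: SessionRecord,
        room_members: Dict[str, Set[str]]) -> bool:
    """Single-action check, e.g. can("carol", "delete", rec, members)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return action in session_record_permissions(user, record, room_members)
```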
5 Data Security in Rooms

Description: In the standard configuration, all room members (the user group for the room, which corresponds to the access control list) have full access to folders and documents in the room. If the room data is security-relevant, the room owner (for example, the team or project lead) can modify the access permissions for folders and documents. In the standard configuration, room members' access to folders and documents in a room is predefined as follows:
- All room members (members of the user group for the room) are permission owners and can therefore assign permissions themselves.
- Permission owners automatically have full access permission.
- All room members (members of the user group for the room) have full access permission.

To ensure the security of the room data, the room owner can specify him or herself or other room members as the permission owners for folders and documents instead of the entire user group for the room. As soon as the user group for the room (access control list) is no longer the permission owner, it can be assigned a lower access permission level, for example, read permission. The room member who is specified as the permission owner automatically has permission for full access to the folder or document. See also Access Permission for Folders and Documents in the Room [SAP Library].
Security Concept: Permissions for Room Templates and Room Part Templates

Description: You can restrict user access to room templates and room part templates by assigning template-specific permissions. This does not affect general access permissions, for example, those for content administrators.

A room owner is allowed to include room parts in a room, but not room parts for whose underlying template he or she lacks template-specific permission. To give a user (individual users, user groups, or roles) permission to use a template, enter the user in the permission list for the template. The permission list contains a list of users, separated by semicolons. Entries in the permission list have the following effect:
- Permissions for room templates: If there is at least one entry in the permission list, only the authorized users can use the template to create rooms.
- Permissions for room part templates: If there is at least one entry in the permission list, only the authorized users can add the room part to a room.
- No permissions for room templates and room part templates: If the permission list for a template is empty, the template is available to all users whose portal role(s) allow them to work with templates and rooms.

Access permission for pages in a room: Within a room, access to pages is defined using room roles [SAP Library]. You can create room roles in the room template or room part template as required. In the template, you define the access permission for each room role for pages in the room. When registering a user as a room member, a room role with the associated page permissions is assigned to this user. From the technical perspective, the page permission is checked in the Portal Content Directory (PCD) when a user accesses a page. For each page, a property contains the information about which room roles are allowed to access the page. When a user wants to access a room, the system analyses in the PCD which pages the user is allowed to enter based on his or her room role.

Specific administration permission in rooms: In each room template and room part template, you can define a room role specifically as the administration role. The room role with specific administration permission can only be assigned to other room members by room members who are assigned to this room role. This prevents unauthorized room members from assigning themselves administration permission and changing the room settings (room attributes, room parameters, member list, and so on).
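An added illustration (not SAP's code) of two checks described above: evaluating the semicolon-separated template permission list, including the "empty list means available to everyone with a suitable portal role" case, and deriving the pages a room role may enter from a per-page list of allowed room roles. The Principal class, the role names, and the page dictionary are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed model of the template permission list and of the page check by
# room role described in the guide; illustration only, not SAP's implementation.


@dataclass
class Principal:
    user_id: str
    groups: Set[str] = field(default_factory=set)   # user groups
    roles: Set[str] = field(default_factory=set)    # portal roles


def parse_permission_list(permission_list: str) -> Set[str]:
    """Split a semicolon-separated permission list into its entries.

    Surrounding whitespace and empty entries (e.g. a trailing ';') are ignored.
    """
    return {e.strip() for e in permission_list.split(";") if e.strip()}


def may_use_template(principal: Principal, permission_list: str,
                     template_roles: Set[str]) -> bool:
    """True if the principal may use a room template or room part template.

    template_roles: the portal roles that allow working with templates and
    rooms. An empty permission list leaves the template available to all such
    users; a non-empty list restricts it to the listed users, groups or roles.
    """
    if not principal.roles & template_roles:
        return False                     # no portal role for templates at all
    allowed = parse_permission_list(permission_list)
    if not allowed:
        return True                      # empty list: no template-specific restriction
    return (principal.user_id in allowed
            or bool(principal.groups & allowed)
            or bool(principal.roles & allowed))


def accessible_pages(page_roles: Dict[str, Set[str]], room_role: str) -> Set[str]:
    """Pages a room member holding `room_role` may enter.

    page_roles models the property on each page (in the PCD) that lists the
    room roles allowed to access that page.
    """
    return {page for page, roles in page_roles.items() if room_role in roles}
```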
Security Concept: No access to room pages and iViews in the portal catalog

Description: Objects (iViews and pages) that are included in rooms are stored in the Portal Content Directory (PCD). To prevent unauthorized access to room data, these objects are hidden in the portal catalog. For more information, see the list of PCD folders for worksets from rooms under Maintenance of Worksets for Templates [SAP Library]. If access to a room is denied, for example, because the room is locked or the user has no permission to enter it, you can provide information on an information page, which appears in this case. For more information, see Information Page If No Access to Room [SAP Library].

Each time a user enters a room, an entry is logged in the Status Engine. You can use this information to find out, for example, which user entered the room last.
6 Differentiated Display of User Data in External Portals

Known external users: Restricted view of user data

You can include external users who have a particularly close relationship with your company in virtual groups and allow them, within this virtual group, a view of user data that is restricted in comparison to that of internal users. The virtual groups are defined by matching attribute values. For example, a virtual user group comprises all external users for which the Company attribute contains the same value. All external users that belong to virtual groups receive a portal role that gives them permission for the restricted view of user data. An associated profile for the people finder function defines which user data appears, for example, the e-mail address only (standard configuration). The restricted display has the following effects:
- The people finder function is active, but finds only users in the virtual group.
- For external users in the virtual group, the information that is defined in the corresponding profile for the people finder function appears instead of the user name.
- For external users outside of the virtual group, the minimal display of user data applies (see above).

See also:
- Differentiating the Display of User Data in External Portals [SAP Library]
- Activating the Extension for the Differentiated Display of User Data [SAP Library]
- Configuring the Unrestricted Display of User Data [SAP Library]
- Configuring the Minimal Display of User Data [SAP Library]
- Configuring the Restricted Display of User Data in Virtual Groups [SAP Library]

7 Prevention of Mass E-Mails
8 Communication Channel Security

[Figure: components and communication channels. Visible labels: Browser, Knowledge Management, Lotus Domino, WebEx RTC Application Sharing Server, Microsoft Exchange; the connections are labelled HTTP(S), except the Lotus Domino connection, which is labelled HTTP.]
Components and Communication Channels

Communication Partner for Collaboration / Protocol / Comments
- Browser: HTTP or HTTPS
- Knowledge Management: Depends on the repository implemented (see Communication Channel Security [SAP Library] in the KM security guide)
- Application sharing server for the Real-Time Collaboration (RTC) subcomponent: HTTP or HTTPS. Your browser settings must allow installation of the ActiveX control.
- Microsoft Exchange: See Creating an Exchange Transport [SAP Library]
- Lotus Notes: See Creating a Lotus Transport [SAP Library]
- WebEx

9 Data Storage Security
10 Active Code

Collaboration uses various types of active code. This is executed on the client host (frontend) in the Web browser.

Active Code / Usage / Comments
- ActiveX. Usage: The Application Sharing function in the Collaboration component Real-Time Collaboration (RTC). Comments: If your security policy rules out ActiveX controls, you cannot use application sharing. You can configure your browser so that you have to specifically agree to the installation of the Portal Tools for Real-Time Collaboration ActiveX control. If your browser settings allow automatic installation of ActiveX controls, the ActiveX control for Real-Time Collaboration is installed without you noticing it. See Configuring Client Browsers to Accept the RTC ActiveX Control Element [SAP Library].
- JavaScript. Usage: The software component HTMLB uses JavaScript, for example, for client-side checking of entries and generating pop-up menus. Comments: JavaScript is important for the SAP NetWeaver Portal component.