For NetWeaver version 7.

0 and higher, it is recommended to activate HTTP securit
y session management using transaction SICF_SESSIONS. In particular it is recomm
ended to activate extra protection of security-related cookies.?
The HttpOnly flag instructs the browser to deny access to the cookie through cli
ent side script. As a result, even if a cross-site scripting (XSS) flaw exists,
and a user accidentally accesses a link that exploits this flaw, the browser wil
l not reveal the cookie to a third party.?
The Secure flag tells the browser to send the cookie only if the request is bein
g sent over a secure channel such as HTTPS. This helps protect the cookie from b
eing passed over unencrypted requests.
These additional flags are configured through the following profile parameters:
Profile Parameter
Recommended Value
Add HttpOnly flag
Add Secure flag
Not client-dependentNote
Logout is not available to users on NetWeaver versions below 7.02. Upgrading to
NetWeaver 7.02 or higher is recommended.
Related LinksActivating HTTP Security Session Management on AS ABAP
SAP Fiori Security
Communication © 2013 SAP AG or an SAP affiliate company. All rights reserved. 7
4 Users4.1 User Administration and Authentication
SAP Fiori applications adopt the user management and authentication mechanisms p
rovided by the SAP NetWeaver platform, specifically SAP NetWeaver Application Se
rver ABAP.
Therefore, the security recommendations and guidelines for user administration a
nd authentication as described in the SAP NetWeaver Application Server ABAP Secu
rity Guide also apply to the applications except in certain aspects such as auth
entication. The SAP NetWeaver Application Server ABAP Security Guide contains th
e following information:?
User management?
The user management concept, the tools used for user management, and the types o
f users required?
User Authentication and Single Sign-On?
The authentication options supported and how they are integrated with SAP Single
Sign-On mechanisms?
Authorization and roles?
An overview of the authorization concept for mobile applications, authorization
settings, network and communication security, and standard authorization roles?
Standard Authorization Objects?
A summary of password-related security issues
The SAP NetWeaver Application Server ABAP Security Guide is available on the SAP
Help Portal, or via the link in Related Links.
The applications use the following user management concepts:Users in the Backend
System (SU01, PFCG) Existing users are relevant for the backend system. The aut
horizations required for a particular application are provided using a PFCG role
delivered for each application. For more information, see Authorizations and Ro
les in this guide.Note
If you enable users who never directly access the backend system, you should cre
ate these users in the backend system without a password. This protects them aga
inst attacks that exploit incorrect or insecure password handling (these users a
re unlikely to change the initial password if they do not actually need to).User
s in SAP NetWeaver Gateway (SU01, PFCG)
Users also require a user ID for the SAP NetWeaver Gateway layer. They must have
the same username as the users in the backend system. The user requires certain

For SAP Fiori. Related LinksSAP NetWeaver Application Server ABAP Security GuideUser Authentica tion and Single Sign-On [page 10]SAP Fiori applications support the following au thentication and single sign-on mechanisms. 2 User Management Tools For information about the tools used for user management and user administration with these applications.Note For user notification about initial logon and activation. Decide on your preferred mechanism for user authentication and SSO.1 User Creation and Authorization Assignment Follow this procedure to create users and assign authorizations to them:1. You can use the Central User Administration . SAP Fiori Security Users ? If you use SSO2 logon tickets to authenticate the requests from the mobile devic e on SAP NetWeaver Gateway. the following minimum user types are required:? Individual user Individual users provide access to an application and to administrative tasks. User and Role Administrati on of AS ABAP. If you copy the users from the backend users.3 User Types You may have to employ different security policies for different types of users. these steps are not relevant. Related LinksUser Types4.? The same recommendations apply if you prefer to create users from scratch.1. Create users on the SAP NetWeaver Gateway system and on the application backend system. 9 ? Technical user Technical users enable data communication between systems.2.4. The user name in the system that iss ues the logon tickets has to be the same as the user name for the Gateway system and backend system. refer to the documentation. Authen tication can be carried out with the same credentials as for the existing applic ation. All rights reserved. Related LinksUser and Role Administration of AS ABAP4. Create dedicated authorizations for application users in the Gateway system. you should copy the user without any password. note the following reco mmendations: 8 © 2013 SAP AG or an SAP affiliate company.authorizations that allow the services of the application to be triggered in th e backend. you can set up integration with your existing SSO s olution based on SAP Logon Tickets or SAML. This protects against attacks based on incorrect or insecure password handling. All rights reserved.To authenticate users. a user management tool is often used to send out an e-mail containing the necessary logon information.1. If us ers already exist in SAP NetWeaver Gateway.4 User Data Synchronization Users must have the same user name in SAP NetWeaver Gateway as they do in the ba ckend system. SAP Fiori Security Users © 2013 SAP AG or an SAP affiliate company.