SAP Project and Portfolio Management Security Guide

SAP Project and Portfolio Management 4.00
Document Version 2.00 – May 2006

SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, © Copyright 2006 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. These materials are subject to change without notice. These Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. Disclaimer UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Documentation on SAP Service Marketplace Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. You can find this documentation at
service.sap.com/instguidesNW04

and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Typographic Conventions
Type Style Example Text Represents Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation. Example text Emphasized words or phrases in body text, graphic titles, and table titles. Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon Meaning Caution Example Note Recommendation Syntax

EXAMPLE TEXT

Example text

Example text

<Example text>

EXAMPLE TEXT

SAP Project and Portfolio Management Security Guide

May 2006

Contents
1 2 3 SAP PROJECT AND PORTFOLIO MANAGEMENT SECURITY GUIDE........................ 1 TECHNICAL SYSTEM LANDSCAPE ............................................................................... 3 USER ADMINISTRATION AND AUTHENTICATION ....................................................... 4 3.1 3.2 3.3 3.4 4 User Management..................................................................................................... 5 User Management in cFolders .................................................................................. 6 Data Synchronization ................................................................................................ 8 Integration into SSO Environments........................................................................... 9

AUTHORIZATIONS ......................................................................................................... 10 4.1 4.2 Authorization Objects and Roles............................................................................. 11 Access Control Lists................................................................................................ 14

5

NETWORK AND COMMUNICATION SECURITY .......................................................... 17 5.1 5.2 Communication Channel Security........................................................................... 18 Network Security ..................................................................................................... 21 5.2.1 Internet Gateway Types and Setups ............................................................ 23 5.2.2 Scenario A: No Content Server .................................................................... 25 5.2.3 Scenario B: One Hidden Content Server ..................................................... 28 5.2.4 Scenario C: One Public Content Server (cFolders) ..................................... 30 5.2.5 Scenario D (cFolders) .................................................................................. 32 5.2.6 Scenario E (cFolders)................................................................................... 34 5.2.7 Additional Components (cFolders) ............................................................... 35 5.2.8 Integration with Back-End Systems (cFolders) ............................................ 36 5.2.9 Plug-In Security ............................................................................................ 38 Communication Destinations .................................................................................. 39

5.3 6 7 8

DATA STORAGE SECURITY ......................................................................................... 40 SECURITY FOR ADDITIONAL APPLICATIONS ........................................................... 41 MINIMAL INSTALLATION............................................................................................... 42 8.1 8.2 Browser Plug-In for File Handling ........................................................................... 44 ActiveX for Microsoft Project Integration................................................................. 45

9

OTHER SECURITY-RELEVANT INFORMATION .......................................................... 46

10 APPENDIX ....................................................................................................................... 47

SAP Project and Portfolio Management Security Guide

May 2006

1

SAP Project and Portfolio Management Security Guide
This guide is available in English only. It does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

About this Guide
SAP Project and Portfolio Management comprises cProjects, cFolders, and xRPM, all of which are based on the SAP Web Application Server (SAP Web AS). You should therefore take the security information for the SAP Web AS into consideration. This guide only describes the security information that differs from it, as well as additional security information. Related Security Guides Application SAP Web AS SAP Enterprise Portal Guide SAP Security Guide SAP Enterprise Portal Security Guide Most Relevant Sections or Specific Restrictions

Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security also apply to the SAP Project and Portfolio Management Security Guide. We provide this guide to assist you in securing SAP Project and Portfolio Management.

Target Groups
● ●

Technical consultants System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all time frames.

1

SAP Note Number 216419 128447 517860 517484 Title Multi-Level Caching and Content Server Proxies Trusted/Trusting Systems Logging on to BSP Applications Inactive Services in the Internet Communication Framework 2 .SAP Project and Portfolio Management Security Guide May 2006 Important SAP Notes Check regularly which SAP Notes are available about the security of the application.

technology components such as SAP Web Application Server Security Guide/Tool Master Guide Quick Link to the SAP Service Marketplace instguides security 3 .SAP Project and Portfolio Management Security Guide May 2006 2 Technical System Landscape The following table lists where you can find more information about the technical system landscape. More Information About the Technical System Landscape Topic Application and industryspecific components such as SAP Financials and SAP Retail.

see the following sections: 4 .SAP Project and Portfolio Management Security Guide May 2006 3 ● ● ● ● User Administration and Authentication User Management [Page 4] User Management in cFolders [Page 5] Data Synchronization [Page 8] Integration into SSO Environments [Page 8] For an overview of user administration and authentication in SAP Project and Portfolio Management.

or another central user administration tool. For more information. you can create users with the mySAP Human Resources (mySAP HR) integration scenario. you can use central user administration with the SAP User Management Engine (SAP UME).SAP Project and Portfolio Management Security Guide May 2006 3. 5 . see the SAP Library under SAP NetWeaver → Security → Identity Management → Users and Roles (BC-SEC-USR).1 User Management In cProjects. you use the SAP user administration of the SAP Web Application Server (SAP Web AS) to create all users. see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Content for xPRM. you use the SAP user administration of the SAP Web AS to create at least one cFolders administrator who then has authorization to create individual users locally in the cFolders application. In xRPM. In cFolders. see User Management in cFolders [Page 5]. you can also maintain users independently of the mySAP HR integration scenario using transaction RPMUSER. For more information about creating users in the SAP Web AS. You can make the relevant settings in Customizing for SAP xRPM under Global Customizing → Global Settings → Define Global Settings / Override Default Global Settings. For more information. You can generate user names and passwords with the BADI RPM_CREATEUSR_NAME. In xRPM. Alternatively.

Central user administration using SAP User Management Engine (SAP UME) You have created a user with the role “user administrator” in the SAP Web AS. No users are delivered with the software. 6 . see Authorizations [Page 10].SAP Project and Portfolio Management Security Guide May 2006 3. that is. Users and Passwords The user with the role “user administrator” (SAP_CFX_ADMINISTRATOR) is responsible for creating users at the customer site. User Administration Tools Transaction SU01 in the SAP Web Application Server (SAP Web AS) Local user administration in the cFolders application You have created a user with the role “user administrator” and set up the required roles for cFolders in the SAP Web AS. the use of this transaction is optional.2 Tool User Management in cFolders Detailed Description SAP Library under SAP NetWeaver → Security (BC-SEC) → Identity Management → Users and Roles (BC-SECUSR) → User Maintenance Solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. Thereafter. For more information about the roles used in cFolders.00 → Basic Settings for cFolders → Business Customizing → User Administration in cFolders Solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Central User Management: Integration with SAP UME Prerequisites/Comment You need this transaction to create an initial cFolders administrator. a user with the role “user administrator” (SAP_CFX_USER_ADMINISTRATOR).

For more information about the SRM integration. which enables the cFolders system to log on to the SRM system. However. The user ID of this user can be any valid cFolders ID. a new password is created automatically and sent to the user by e-mail. if you want to use the Supplier Relationship Management (SRM) integration.FAQ: General Questions About Single Sign-On Technical Users In the standard cFolders scenario. with the exception of users with the role “user administrator”. When you do this. 7 . You also need passwords in cFolders for the WebEx meeting service and the FTP box. These passwords are managed by the cFolders application and are stored using the ABAP Secure Store mechanism.SAP Project and Portfolio Management Security Guide May 2006 Individual Users Individual users in cFolders are dialog users. Their authorizations are limited to the cFolders application. both of which are optional functions. This applies to users with a cFolders role only. The password of the user is stored in the ABAP Secure Store mechanism. However.0: Single Sign On using SAP Logon Tickets 550742 . Users created in this way do not have a password in the cFolders system. which is described in more detail in the SAP Web AS Security Guide in the section “Secure Store and Forward Mechanisms (SSF) and Digital Signatures”.EP6. individual users are not authorized to execute any transactions in the SAP Web AS. but they need a mySAP.Generating SSO Tickets 701205 . the user may have authorization for transactions in the SAP Web AS.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On. the user administrator creates individual users.com logon ticket for the UME. which is described in more detail in the SAP Web AS Security Guide on SAP Service Marketplace at service. see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. This session password is stored and encrypted as described in the SAP Web AS Security Guide on SAP Service Marketplace at service. In this case. no technical users are required. the UME system logs on to cFolders with a user with the role “user administrator” and creates the required users in cFolders.sap. If you are using SAP UME.sap. you must provide a valid user ID and password. Only user administrators are authorized to reset passwords and can see these functions in the cFolders system. You set up this user when you configure a logical destination in transaction SM59 in the SAP Web AS.00 → Basic Settings for cFolders → Business Customizing → Integration with mySAP SRM. For more information. If a password is reset. The system then creates a password automatically for the initial logon and sends it to the user in an e-mail. communication with the SRM system requires the service user “User ID in an RFC connection”.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Secure Store and Forward Mechanisms (SSF) and Digital Signatures”. If you are using local user administration in the cFolders application. see the following SAP Notes: ● ● ● 557350 . It is also possible to combine the cFolders roles with other existing authorization roles.

cFolders. from mySAP HR to the cProjects system. see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Confent for xRPM → SAP Human Capital Management Integration. In cProjects. 8 . For more information.3 Data Synchronization cProjects. You can integrate xRPM with mySAP HR. and xRPM all use the standard SAP Web Application Server (SAP Web AS) procedure for user data synchronization. you also have the option of integrating mySAP Human Resources (mySAP HR). including the employees. see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Execution with cProjects → Configuration → Distributing SAP HR Master Data via ALE to cProjects. If you also use Workforce Management Core (WFM Core). This enables you to select your resources according to their availability. which enables you to distribute the organizational plan (structure) in your company. you can replicate data from the mySAP HR system to WFM Core. For more information.SAP Project and Portfolio Management Security Guide May 2006 3.

sap. This means that they accept SAP logon tickets. as well as X. see the SAP Web AS Security Guide on SAP Service Marketplace at service.SAP Project and Portfolio Management Security Guide May 2006 3. Therefore.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “User Authentication”. cFolders. they support the logon mechanisms provided by the SAP Web Application Server (SAP Web AS).509 digital certificates. 9 . and xRPM are all based on HTTP Internet applications. For more information.4 Integration into SSO Environments cProjects.

see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. the user can access all initial views available for his or her role(s). who has authorization to change a particular project definition or collaboration. see the SAP Web AS Security Guide on SAP Service Marketplace at service. User administrators can then assign the corresponding roles via the user master record. In Customizing for cProjects. for example. For example.00 → Basic Settings for cProjects → General Settings → Define Initial Views for cProjects. authorizations are controlled in the following ways: Access control lists [Page 13] These allow you to add another level of security by controlling authorization at object level. For more information.SAP Project and Portfolio Management Security Guide May 2006 4 ● Authorizations ABAP authorization objects and roles [Page 10] This is the standard method for controlling access to transactions and programs in an SAP ABAP system. • 10 . For more information. so that the user can access the appropriate transactions for his or her tasks. and xRPM. you can use two additional authorization mechanisms: • System administrators can grant access to objects via a BSP application. For more information. This is an exception to the normal process and is only used if the administrator of the object is not available due to illness.00 → Basic Settings for cProjects → Business Customizing → Granting Administration Authorization for an Object. see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4.com/securityguide → SAP NetWeaver ’04 Component Security Guides → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “SAP Authorization Concept”. In cProjects only.sap. Authorizations are combined in an authorization profile that is associated with a role. If you do not make an entry in Customizing. ● In cFolders. cProjects. you can assign initial views for cProjects to a role. The system sends the "new" and "old" administrators an e-mail to inform them of the new authorization holder.

reset their passwords. This role is not assigned to any actual users. as required. reset system settings and languages). E-mail system user (SAP_CFX_EMAIL_SYSTEM_USER) You can use these SAP standard roles or create your own. and user groups. and also assign all SAP_CFX* roles. There are no other Customizing activities to be carried out in the SAP Web AS. Includes standard user authorizations (see SAP_CFX_USER) and authorization to change all network settings and release batch jobs (for status and e-mail notifications). and delete users. 11 . you carry out all settings for cFolders in the cFolders application. status profiles and so on. cProjects. it is just for the system user. Includes standard user authorizations (see SAP_CFX_USER) and authorization to maintain the features and appearance of cFolders (for example. Includes standard user authorizations (see SAP_CFX_USER) and authorization to start cFolders for the first time. Includes standard user authorizations (see SAP_CFX_USER) and authorization to manage all collaborations. and xRPM using the SAP Profile Generator. Except for creating roles. authorization to create.SAP Project and Portfolio Management Security Guide May 2006 4.1 Authorization Objects and Roles You can maintain the following role authorizations in cFolders. User administrator (SAP_CFX_USER_ADMINISTRATOR) Network administrator (SAP_CFX_NETWORK_ADMINISTRATOR) cFolders administrator (SAP_CFX_CFOLDERS_ADMINISTRATOR) Superuser (SAP_CFX_SUPER_USER_ADMIN) Administrator (SAP_CFX_ADMINISTRATOR) Includes standard user authorizations (see SAP_CFX_USER) and authorization to administer the cFolders application. change. These can include the SAP_CFX roles or you can define your own authorization objects. objects. cFolders Roles The following roles are delivered with cFolders: Role User (SAP_CFX_USER) Authorization Use cFolders in the Internet browser create collaborations. status profiles. Assigned automatically in the background when you create a system user. Authorization to start the jobs for summary e-mails and reminder notifications for status management. In addition.

Use cProjects. cProjects interested party. users with the authorization profile SAP_ALL. To do this users need project-specific authorizations. Only system administrators. change. 12 . Contains the roles SAP_CPR_TEMPLATE_ADMINISTRATOR and SAP_CPR_USER SAP_CPR_USER SAP_CPR_TEMPLATE_RESPONSIBLE You can use these SAP standard roles or create your own.0 in the SAP Library under SAP xApps → SAP xApp Resource and Portfolio Management. This role must be included in every cProjects composite role. Contains the role SAP_CPR_USER. cProjects team member. you carry out Customizing activities in the SAP Web AS.00 → General Settings → Activating Single Roles for cProjects and Creating Roles for the Project-Specific Authorization Checks. SAP delivers one portal role (Portfolio Manager) and three subordinate roles.SAP Project and Portfolio Management Security Guide May 2006 cProjects Roles The following single roles are delivered with cProjects: Role SAP_CPR_PROJECT_ADMINISTRATOR SAP_CPR_TEMPLATE_ADMINISTRATOR Authorization Create projects (project definitions). Create. xRPM Roles In the xRPM frontend application. see the Business Package for Project. and delete all templates in cProjects. Portfolio Management and Design Collaboration 4. which can be distributed either directly or through their assignment to a role. that is. For more information about the front-end roles. are authorized to carry out Customizing for cProjects. The following composite roles are delivered with cProjects: Role SAP_CPR_DECISON_MAKER SAP_CPR_INTERESTED SAP_CPR_MEMBER SAP_CPR_PROJECT_LEAD Authorization cProjects decision maker. In cProjects. but no authorization to perform any activities in a particular project. Contains the role SAP_CPR_PROJECT_ADMINISTRATOR and SAP_CPR_USER cProjects template responsible. cProjects project manager. Contains the role SAP_CPR_USER. read. For more information see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Settings → SAP cProject Suite 4. Contains the role SAP_CPR_USER.

13 . This access must be assigned to the user via ACLs. This role also provides the assigned user full access to all xRPM business objects in the system. SAP_XRPM_USER You can use these SAP standard roles or create your own. For more information about roles in xRPM. All users should be assigned this role. General xRPM user. Has general authorizations to use xRPM. Used to create new portfolios.SAP Project and Portfolio Management Security Guide May 2006 In the xRPM back-end system. see the solution management content for xRPM under Organizational Areas → Product Development and Introduction → Business Processes → Strategic Portfolio Management → Configuration Content for xRPM. but no specific object access. SAP delivers the following roles: Roles SAP_XRPM_ADMINISTRATOR Authorization Superuser authorization in xRPM.

write. This activity simply documents that the user assigned is the person with business ownership of the specified object.SAP Project and Portfolio Management Security Guide May 2006 4. and accounting. Staffing management and candidate management are also available for project roles. write. You can then add other users to the ACL list. phases. administration. areas. There are four general authorization activities: no authorization. which is generated automatically. items. and documents. For more information. for example a collaboration or a project definition. There are three authorization activities for project definitions only: evaluate. cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. checklists. status profiles. buckets. The first administrator can define additional administrators. and read. and roles. user groups. see the SAP Library under mySAP Business Suite → mySAP Product Lifecycle Management → SAP cProject Suite → ● ● Collaboration Folders (cFolders) → Authorizations [Extern] Collaboration Projects (cProjects) → Authorizations [Extern] See also the section below. HR organizational units. There is one additional activity: owner. also have the superuser role. Access control lists (ACLs) in cFolders. create. resource management. see the solution management content for: ● cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. cProjects. Authorization can be granted to users. delete. reviews. ● Users who have the SAP_ALL authorization profile. It is also possible to create authorizations that depend on the status of an object. to other users. admin. and none. The transition from role-based authorization to ACLs is as follows: If you have authorization to create an object. “Authorization Check”. user groups. or give write or read authorization.2 ● Access Control Lists Objects in cFolders are: collaborations. Objects in xRPM are: portfolios. documents. tasks. as defined by your SAP role (see Authorization Objects and Roles in the cProject Suite [Page 10]). for example. project roles. write. ● ● The administrator (creator) of the individual object maintains the ACLs. Objects in cProjects are: project definitions. and user groups. and xRPM are used to define authorizations at object level.00 → Basic Settings for cProjects → Business Customizing → Granting Administration Authorization for an Object. There are four general authorization activities: no authorization. 14 . collections.00 → Basic Settings for cProjects → Business Customizing → Setting Up Administrators for cFolders. checklist items. folders. and roles. There are six authorization activities: read. you are automatically the ACL administrator for the object you create. Authorization can be granted to users. and read. For more information. admin. Superusers cFolders and cProjects both have a superuser concept that overrides ACL authorizations.

The user therefore has write authorization for the project definition. 15 . This also applies to inherited authorizations. the most extensive authorization is valid. it first analyzes direct authorizations to an object and if none exist. it checks whether there is an inherited authorization. User group A has read authorization for a project definition. Organizational units (cProjects only) 4. Roles Individual users take precedence over user groups. and so on. and user group B has write authorization for the same project definition. The system checks the authorization holders in the following order: 1. The following hierarchy is used to determine authorization inheritance: ● ● ● ● ● Portfolio → Bucket Bucket → Bucket Bucket → Item Bucket → Review Bucket → Collection The following activities are supported on the above business objects: ● ● None: The user to which this activity is assigned has no authorization for the business object. Authorizations that are directly assigned always override inherited authorizations. This means that. user groups take precedence over roles. for example. A user is assigned to user groups A and B simultaneously. via several user groups. Additional Information on ACLs in xRPM You can either assign authorizations directly to a user or the user inherits them from parent business objects. for example. If a user is assigned to an object. Read: The user to which this activity is assigned has authorization to read the data of the specified business object. They can also be assigned explicitly to each object. The system executes this process for the different authorization holders until an authorization is found. Users 2.SAP Project and Portfolio Management Security Guide May 2006 Authorization Check in cProject Suite Prerequisites You have implemented SAP Notes 688997 and 788139. When the system carries out an authorization check. Authorization Check Sequence for cProjects and cFolders Authorizations for an object are inherited from top to bottom in the project hierarchy (cProjects) and in the collaboration hierarchy (cFolders). a user’s inherited authorization takes precedence over a user group’s direct authorization. User groups 3.

Admin: The user to which this activity is assigned has write authorization. reviews and collections assigned to the specific bucket. Bucket: Create/delete and administer items.SAP Project and Portfolio Management Security Guide May 2006 ● ● Write: The user to which this activity is assigned has read authorization and also has authorization to change the data of the specified business object. 16 . and can perform the additional activities specific to the following business objects: ○ ○ Portfolio: Create/delete and administer all business objects below the portfolio. Reassign items to other buckets for which the user also has administrative access. He or she also has authorization to assign ACLs to other users for the business object. ● Owner: The user to which this activity is assigned is identified as the business owner or responsible person of the specified business object. This activity is a purely informative activity and provides no specific authorizations for the business object.

if users are not able to connect to the server LAN (local area network). Additionally. or network attacks such as eavesdropping. they cannot exploit well-known bugs and security holes in network services on the server machines. Details that specifically apply to SAP Project and Portfolio Management are described in the following topics: ● ● ● Communication Channel Security [Page 17] Network Security [Page 21] Communication Destinations [Page 38] 17 . then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. If users cannot log on to your application or database servers at the operating system or database layer. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level). Your network needs to support the communication necessary for your business needs without allowing unauthorized access. Therefore. the security guidelines and recommendations described in the SAP Web AS Security Guide also apply to SAP Project and Portfolio Management. The network topology for SAP Project and Portfolio Management is based on the topology used by the SAP Web Application Server.SAP Project and Portfolio Management Security Guide May 2006 5 Network and Communication Security Your network infrastructure is extremely important in protecting your system.

Possible back ends are: SAP PLM 4. for example) to cFolders or cProjects front end (browser) RFC cFolders Metadata. a SAP router can be used to secure the communication. the back end always calls cFolders. HR. cFolders never calls back. user names) Comment/Security Recommendation cProject Suite Communication Channel Security Communication Channel cFolders or cProjects front end (browser) to the SAP Web Application Server (SAP Web AS) WebDAV interface HTTP(S) with WebDAV extension cFolders and cProjects Files and metadata WebDAV interface is used to connect the KM repository. metadata. files For the SRM scenario. CO) RFC cFolders and cProjects Metadata. SAP Web AS to other application servers (for example. If the cFolders system and the SRM system are located in different network segments. cFolders calls the SRM server using a technical user. and user data (passwords.1 Communication Channel Security Communication Technology HTTP(S) Scenario cFolders and cProjects Data Transferred Files. or the cProjects application. files The cFolders backend integration calls the cFolders system from the back end. 18 .SAP Project and Portfolio Management Security Guide May 2006 5.6C and higher. files Back-end systems (PLM cFolders Add-On. In both cases. SRM. and also front-end WebDAV clients cFolders or cProjects front end (browser) to content or cache servers SAP Web AS to content or cache servers HTTP(S) cFolders and cProjects Files HTTP(S) cFolders and cProjects Metadata.

which is an external third-party system used for online meetings.SAP Project and Portfolio Management Security Guide May 2006 cProjects communicates with 3rd party or SAP systems to obtain or create information on object links between cProjects and objects located in the 3rd party/SAP system. HTTP(S) is also used to communicate with the ECL viewer. which is a front-end installation.00 → Basic Settings for cFolders → System Connections → System Configuration for Accessing cFolders → Enabling E-Mails for cFolders. Possible SAP systems are: SAP R/3 4. The communication to 3rd party systems has to be implemented at the customer site. The 3rd party/SAP system never calls back. For information about security measures when using HTTP(S) in the cProject Suite. Since emails are potentially unsafe. see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProjects 4. The user administrator then has to communicate this information to the user by other means. see Network Security [Page 21]. new users receive their user IDs and passwords by e-mail.6C and higher. see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Planning with cProjects → Setting Up Object Links. HTTP(S) cProjects Metadata In cFolders. files cProjects calls cFolders. cFolders never calls back. For more information. For more information. 19 . and the WebEx meeting service. cProjects front end to cFolders front end cProjects Web AS to SRM via SAP XI RFC cProjects Metadata. In cFolders. this mechanism can be switched off in cFolders.

com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Protecting Your Productive System (Change and Transport System)”. 20 . and user data (passwords. user names) Files. see the SAP Web AS Security Guide on SAP Service Marketplace at service. metadata RFC / ALE Files.SAP Project and Portfolio Management Security Guide May 2006 xRPM Communication Channel Security Communication Channel xRPM core on the Web AS to the SAP Enterprise Portal xRPM core on the Web AS to SAP cProjects xRPM core on the Web AS to SAP PLM PS xRPM core on the Web AS to SAP HCM xRPM core on the Web AS to SAP BW on the Web AS xRPM core on the Web AS to Microsoft Project xRPM core on the Web AS to SAP Content Management. metadata. SAP Workflow. metadata For information about security measures when using RFC communication channels. metadata. SAP Collaboration Room. metadata ALE RFC Files. user names) Files. and user data (passwords. metadata HTTP / SSL Files. xRPM core on the Web AS to SAP xApp Product Definition xRPM core on the Web AS to SAP FI/CO Communication Technology HTTP JCo RFC RFC / HTTP Data Transferred Files. metadata SAP ALE RFC Files. metadata Comment Security Recommendation RFC Files. metadata RFC RFC / HTTP Files.sap.

com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “Network Security for SAP Web AS ABAP”. Scenarios A and B only can be used for cProjects: ● ● ● ● ● Scenario A: no content server [Page 24] Scenario B: one hidden content server [Page 27] Scenario C: one public content server [Page 29] Scenario D: content servers in different locations. one Internet gateway or multiple Internet gateways [Page 31] Scenario E: installation of cFolders 4.2 Network Security cProject Suite SAP supports three installation variants for the cProject Suite: ● ● Installation of cFolders and cProjects within the intranet For internal collaboration only.sap. More precisely. see SAP Service Marketplace at service.00 on SAP Service Marketplace at service. 21 .00: Master Guide in the “Technical Implementation” section. For more information. Usually only reverse proxies and firewalls are located in the DMZ itself.com/instguides → mySAP Business Suite Solutions → mySAP PLM → using cProject Suite 4. cFolders or cProjects should be installed in a different network segment to the intranet.00 [Page 33] Installation scenario B. For more information.sap. which is easier to reach from the Internet.SAP Project and Portfolio Management Security Guide May 2006 5. In cFolders and cProjects. is the installation scenario with the highest level of security. This installation is not recommended by SAP for security reasons. Installation Scenarios All the following installation scenarios can be used for cFolders.00 → cProject Suite 4. with one hidden content server. Installation of cFolders and cProjects outside the intranet (usually DMZ/demilitarized zone) Mainly for external collaboration. It should be chosen if cProjects is being used for internal project management and cFolders for secure collaboration with external partners.00 on top of ECC 6. ● The term DMZ is used here in a very general way. there is no fixed port for communication and the firewall settings described in the SAP Web AS Security Guide apply. Installation of cFolders outside the intranet (usually DMZ/demilitarized zone) and cProjects within the intranet This scenario is highly recommended by SAP. see the Master Guide for mySAP PLM Using cProject Suite 4.

SAP Project and Portfolio Management Security Guide May 2006 See also: ● ● ● ● ● Internet Gateway Types and Setups [Page 22] Additional Components (cFolders) [Page 34] Integration with Back-End Systems (cFolders) [Page 35] Plug-In Security [Page 37] xRPM For information about network security for xRPM. see the Security Guide for the Web Application Server. 22 .

the second introduces the SAP Web Dispatcher for loadbalancing purposes (this is unnecessary if there is only one application server). the existing server landscape. The first one consists completely of non-SAP components. which accept requests. There are many components such as these in existence. which can be used alone or in conjunction with one another. Inner firewall: restricts connections at IP level and checks the communication on TCP/IP low-level session handling. only HTTPS requests on port 443 are allowed. Reverse proxies or the SAP Web Dispatcher are types of application proxies. the base server must be accessible not only to intranet (or internal) users. Application proxies: servers without their own built-in logic. everything else is blocked. several standard Internet security components can be installed in front of the server. and route the requests towards the real application server. such as the SAP Web Dispatcher or the built-in features in the SAP Web Application Server (SAP Web AS). Internet gateway architecture consists of the following: ● ● Outer firewall: restricts HTTP requests to allowed ports and protocols. and individual security requirements. analyze them in terms of security rules. therefore.SAP Project and Portfolio Management Security Guide May 2006 5. while other components like reverse proxies or hardware load balancers are non-SAP products. This makes it impossible to recommend the best solution: it always depends on company policy. To protect the base server from malicious attacks and distorted requests.1 Internet Gateway Types and Setups cFolders and cProjects are Internet scenarios. are from SAP. forming an Internet gateway. Some of these components. one Internet gateway can be used for several servers because the load on the Internet gateway is not high.2. 23 . In general. but also to Internet (or external) users all over the world. ● The following figures show two typical types of Internet gateway. for example. However. These or similar types of Internet gateways must be placed in front of every HTTP server that can be accessed from the Internet.

g. 1 TCP Session Handling App.g.1 TCP Subnet No.1 (Load Balancing) App. Apache Web server on a Linux machine (can handle load for many servers) Internet Explorer FIREWALL No. 2 FIREWALL No. Server 2 TCP Subnet No. 2 Server No. 2 Server No.if public Internet Gateway Internet Gateway Architecture with Non-SAP Components Directed HTTP Calls HTTP required HTTP optional TCP Subnet No. 2 Content Server . 2 FIREWALL No. 1 TCP Session Handling Port Filter (80/443) Server No.SAP Project and Portfolio Management Security Guide May 2006 Directed HTTP Calls HTTP required HTTP optional TCP Subnet No. 1 cFolders or cProjects + User Management External Location Reverse Proxy e. Apache Web server on a Linux machine (can handle load for many servers) Internet Explorer FIREWALL No. 2 Content Server .if public Internet Gateway Internet Gateway Architecture with the SAP Web Dispatcher 24 . Server 1 Port Filter (80/443) Web Dispatcher External Location Reverse Proxy e.

2 Scenario A: No Content Server In scenario A. see Definition of a Subnet [Page 26]. For more information. this server is designed to be placed in the demilitarized zone (DMZ) of company networks. the complete installation consists only of the cFolders or cProjects server (SAP Web AS).2. ● For cFolders. The server must be placed inside the DMZ and should also be placed inside its own Internet Protocol (IP) subnet. Reverse Proxy. For cProjects.SAP Project and Portfolio Management Security Guide May 2006 5. SAP Web Dispatcher Location 1 SUBNET Internet Explorer External Location Internet Explorer SAP Web AS (cFolders) Location 2 Internet Explorer Internet DMZ FIREWALL Intranet Border Intranet Scenario A: cFolders 25 . ● Directed HTTP Calls HTTP required Internet Gateway Firewalls. the server is located in the intranet.

SAP Project and Portfolio Management Security Guide May 2006 Directed HTTP Calls HTTP required Location 1 Internet Explorer SAP Web AS (cProjects) Location 2 Internet Explorer Intranet Scenario A: cProjects 26 .

but to no other address worldwide. By placing it. ● An important rule for network security states that HTTP calls should only be allowed from network areas with a high security level to network areas with the same or a lower security level.222. it is impossible to gain access to any other system.2. Without the subnet. This means that you can explicitly allow communication between IP 111.111. because the extranet has the lowest security level.222 outside the subnet. the rule would be violated for the external user.SAP Project and Portfolio Management Security Guide May 2006 5. however. This means that a call from the intranet (high security) to a server in the DMZ (lower security) is acceptable. you can ensure that even if a server inside the subnet is hacked and conquered by an external hacker and this server is under complete control of the external hacker. and no HTTP connections. each access can be controlled at IP number level. Another reason for the subnet in the DMZ around the cFolders server (see figure Scenario A: cFolders [Page 24]) has already been mentioned: protection of other servers that already exist in the DMZ. With proxies between the subnet and external addresses. but in this case. each DMZ server. the hacker cannot influence any other system outside the subnet. This is a requirement for the external user. A company usually places all servers that are accessible from the Internet inside the DMZ. You can ensure that the transferred metadata and files are secure by using Secure Sockets Layer (SSL) technology.1 Definition of a Subnet A subnet is an IP address range from which no other IP or Domain Name System (DNS) addresses that are located outside the network segment of the subnet can be reached. The implied consequences of this are as follows: ● ● You cannot reach external addresses from inside the subnet without the explicit use of proxy technology. you must ensure that the external user can only use the HTTPS address and not the HTTP address. The introduction of the IP subnet is therefore recommended because it creates an isolated IP range that can be considered as an artificial area with an even lower level of security. This leads to a network area with several servers. The internal user could use HTTP. or even better. If there is no other server inside the subnet.222. in its own subnet. they are separated from each other on a low network level.2. You can achieve this by configuring the external firewall to allow access only via HTTPS to the IP addresses of the subnet in which the cFolders server is located. 27 . one of which would be the cFolders server. The SAP Web AS can be configured in such a way that it only allows HTTPS connections. In particular.111.111 from inside the subnet to the address 222. never the other way around.

Directed HTTP Calls HTTP required SUBNET Location 1 Internet Explorer External Location SAP Web AS (cFolders) Internet Explorer SUBNET Internet Gateway Content Server FIREWALL Intranet Border Location 2 Internet Explorer Internet DMZ Intranet Scenario B: cFolders 28 .3 ● Scenario B: One Hidden Content Server In the second type of installation.2. This configuration is easier to maintain and almost as secure as the extended configuration. the addition of a content server does not affect the security of the SAP Web AS server because they are located in different subnets [Page 24]. the SAP Web AS can communicate without any restrictions with other servers inside its subnet. because the content server is also placed in its own subnet and the gateway between the SAP Web AS subnet and the content server subnet can be controlled using a separate proxy. ● For cProjects. and not to the content server. possibly with embedded firewall technology. This scenario is even more secure than the SAP Web AS itself. the SAP Web AS and the content server are both located in the intranet.SAP Project and Portfolio Management Security Guide May 2006 5. on the same security level. A proper firewall configuration between the extranet and DMZ must then allow access only to the SAP Web AS. As already explained. If you do not want to use two subnets with a proxy between them. the content server can also be placed inside the SAP Web AS subnet. one content server is added to the network environment. For cFolders.

SAP Project and Portfolio Management Security Guide May 2006 Directed HTTP Calls HTTP required Location 1 SAP Web AS (cProjects) Internet Explorer Location 2 Content Server Internet Explorer Intranet Scenario B: cProjects 29 .

SAP Project and Portfolio Management Security Guide May 2006 5. you end up with two servers that can be accessed by external users. If a user opens a file. The consequences are as follows: ● ● ● One subnet for both servers is sufficient. Both can be reached by external users. User authentication for the content server (and cache server) relies on signed URLs. no known attack by a hacker has succeeded. the URL is quite long: a signed URL can have more than 700 characters. Access to the content server. In cFolders. Access by internal users causes no security problems. however. The SAP Web AS is a completely new server designed for Internet use. not HTTP. At this point. The content server runs as a Microsoft Internet Server API (ISAPI) extension to a Microsoft Internet Information Server (IIS). The signed part of the URL contains a digital signature that 30 . Since IIS is a very popular product. you usually never see these URLs. which means that they are on exactly the same security level. A signed URL for content server access must be created from the cFolders server.4 Scenario C: One Public Content Server (cFolders) In scenario C. it has been the target of many hostile attacks. As a result. does not require authentication by user login. a content server that is accessible from the Internet and/or the intranet is added to the network environment: Directed HTTP Calls HTTP required HTTP optional SUBNET Location 1 External Location SAP Web AS (cFolders) Internet Explorer Internet Explorer Location 2 Internet Gateway Content Server Internet DMZ FIREWALL Intranet Border Internet Explorer Intranet Scenario C: One Public Content Server If you configure the external firewall to allow direct access to both the SAP Web AS and the content server.2. External access to each server must only be possible using HTTPS. and so far. which consists of two elements: normal parameters and authentication. The installation of all relevant security patches for the IIS is therefore highly recommended. it is important to understand that the SAP Web AS and the content server use totally different HTTP technologies. Another big difference between the SAP Web AS and the content server is that access to the cFolders server (SAP Web AS) requires user authentication by login or X509 certificates. they are created on demand in the cFolders server.

.SAP Project and Portfolio Management Security Guide May 2006 repeats the unsigned parameters and allows the content server to check whether the URL has been properly identified by the cFolders server. Furthermore. To access a file from the content server the following steps are required: Download: 5. 31 . 3. 1.. The URL is only valid for 2 hours. 6. The URL also contains a time stamp (default: 2 hours). it can only be used once. The URL is only valid for 2 hours. 7. Logon to the cFolders server (SAP Web AS) with strong user authentication. The upload procedure is similar: . 2. Logon to the cFolders server (SAP Web AS) with strong user authentication. which means that you can only create the document once within a time frame of two hours. User navigates in cFolders and wants to create a document. cFolders creates a signed URL that can be used in a HTTP POST request to the content server. User navigates in cFolders and wants to read a file (download). cFolders creates a signed URL that can be used in a HTTP GET request to the content server.

Directed HTTP Calls HTTP required HTTP optional SUBNET SAP Web AS (cFolders) Location 1 Content Server Cache Server External Location Internet Explorer Internet Explorer SUBNET Internet Gateway Cache Server FIREWALL Intranet Border Location 2 Internet Content Server Internet Explorer DMZ Intranet Scenario D1 Directed HTTP Calls HTTP required HTTP optional SUBNET SAP Web AS (cFolders) Location 1 Internet Explorer Internet Gateway FIREWALL Intranet Border Internet Explorer Content Server Cache Server External Location 1 Internet Gateway External Location 2 SUBNET Cache Server Location 2 (with its own Internet Gateway) Internet Explorer Content Server Internet Explorer Internet DMZ Intranet Scenario D2 32 .SAP Project and Portfolio Management Security Guide May 2006 5. In terms of security. depending on the number of Internet gateways between the intranet/demilitarized zone (DMZ) and the extranet.5 Scenario D (cFolders) Scenario D can be split into two main sub-scenarios.2. D1 and D2 are identical.

but the other way around (Intranet → DMZ) does not cause any problems. Instead of doing this. you might consider the configuration shown for location two in the figures above. DMZ only implies that you cannot reach intranet addresses from DMZ servers.SAP Project and Portfolio Management Security Guide May 2006 The security problem in this scenario (D1 and D2) is caused by placing the internal content/cache servers in the intranet. this does not necessarily mean that you also have an Internet gateway. If you have a DMZ at a location. see SAP Note 216419. In general. For information on configuring proxies. If you really need to put the content server inside the intranet. 33 . make sure that you introduce subnets and control the IP routing by using the appropriate proxies.

6 Scenario E (cFolders) In scenario E.00. 34 . see the SAP NetWeaver Security Guide.com under SAP NetWeaver → SAP NetWeaver 2004s SPS 07 → English → SAP NetWeaver Library → Administrator’s Guide → SAP NetWeaver Security Guide → Network and Communication Security → Using Firewall Systems for Access Control → Using Multiple Network Zones.00 and ECC 6.for access from the extranet . For more information.00 on top) in the intranet.a higher level of security than allowing extranet access to a system (ECC 6.00 with cFolders 4.sap. Location 1 SUBNET Internet Explorer cFolders 4. as both cFolders 4. the complete installation consists only of one server with cFolders installed on ECC. SAP Consulting can offer billable support for risk evaluation.00) Location 2 Internet Explorer Intranet SAP generally recommends variant E only for internal collaboration with cFolders 4. However. Access to cFolders by external users in this scenario would result in access to the intranet by external users.00 with cFolders 4. section “Using Multiple Network Zones” on the SAP Help Portal at help.2.SAP Project and Portfolio Management Security Guide May 2006 5.00 are situated in the intranet.00 (on ECC 6. placing the whole system (ECC 6.00 on top) into the inner DMZ would enable .

which means they have at least the same security level. This means that it is sufficient to put the additional components in the same subnet as the cFolders server (SAP Web AS).7 Additional Components (cFolders) The security of additional cFolders components does not depend on the number of content servers in other network segments. Mail (optional) Location 1 HTTP(s) to WebEx WebEx Site SUBNET Internet Explorer Internet Gateway External Location Internet Explorer SAP Web AS (cFolders) FIREWALL Intranet Border Location 2 Internet Explorer Mail Gateway FTP Box Internet DMZ Intranet Additional Components in cFolders The security of the additional components can be considered uncritical.SAP Project and Portfolio Management Security Guide May 2006 5. these components are summarized in a small installation of type A: Directed HTTP Calls HTTP required FTP. Productive installations communicate with the WebEx service only by being redirected via the user’s browser. The mail server and FTP server are never directly accessed by users. 35 . Therefore.2. especially not by external users. This only occurs in cFolders demo installations. There is one default case where the SAP Web AS acts as a HTTP client and makes external HTTP calls: the SAP WebEx demo site.

8 Integration with Back-End Systems (cFolders) cFolders has two official SAP back-end systems: the cFolders back-end add-on for 4. In both cases. you can move the cFolders server to the intranet.6 PLM + cFolders Back-End Add-On DMZ Back-End Integration Both types of back-end system use SAP’s own protocol “RFC” to communicate. that is.SAP Project and Portfolio Management Security Guide May 2006 5. an RFC connection must be opened from the cFolders server to the back end. Both systems are typically located in the intranet zone. if you do not want to open the firewall temporarily. However.00 (Direct RFC Integration) FIREWALL 2 Intranet Border Internet FIREWALL 1 4. A trusted-trusting system relationship between the cFolders server in the DMZ and the back end in the intranet is the most likely scenario. from a zone with a high level of security to a zone with a lower level of security. However. it is only needed for exchanging system certificates.2. set up the trusted-trusting relationship.6B and 4. Communication between the back-end system(s) and the cFolders server (SAP Web AS) is relevant to security because the cFolders server is located in the demilitarized zone (DMZ). the back-end system always calls the cFolders server. However. and the cProjects application. This connection can be shut down after the system relationship has been set up. see Scenario A: No Content Server [Page 24]. For more information. rather than HTTP. the user also uses the Internet Explorer browser to control the results. This means that the intranet firewall must allow a temporary connection from the outside to the inside for the RFC. establish the connection. The network environment looks like this: HTTP(s) Calls RFC Calls External Location SUBNET Internet Explorer Internet Explorer SAP Router (Optional) SAP Web Application Server (cFolders) cProjects 2. In particular it allows you to restrict calls to certain IP addresses.6C systems. no additional network security is needed. which means that he or she also needs a HTTP(S) connection between the intranet and the DMZ. The cFolders server never calls the back-end system. and then move the 36 . which allows you to control the RFC communication in detail. this can be achieved by using an SAP router. While the trusted-trusting relationship between cFolders and the back end is being set up. This allows Single Sign-On (SSO) for RFC connections and HTTP(S). the direction of communication is from the intranet to the DMZ. if your network policy demands additional control over communication. For this configuration.

SAP Project and Portfolio Management Security Guide May 2006 cFolders system back into the DMZ. 37 . The easiest time to do this is when the systems are being set up initially.

is an applet that provides more convenient file handling than the usual HTML methods. To be able to do this. as provided.9 Plug-In Security The plug-in used in cFolders. Without this. This means that in terms of server security. activate the Always trust content from SAP AG indicator.2. To accept the applet‘s signature. which is also referred to as the “Easyedit” plug-in. important to understand that this plug-in is executed on the front end and that it requests extended authorizations from the user during runtime. With the intact official signature. because it only uses the same HTTP(S) connections as the cFolders application.SAP Project and Portfolio Management Security Guide May 2006 5. the public key of the signature must be imported to the browser. To prevent this from being displayed in the future. it needs permission to read and write files to the local file system and permission to execute them. The applet is located on some HTML pages and communicates via HTTP(S) with the cFolders server (SAP Web AS) and. with content servers. the applet has two versions: the first is digitally signed with the official SAP signature for the Microsoft Java Virtual Machine (JVM) and the second for use with the SUN plug-in JVM. It is. In particular. the browser displays a security warning. no additional network configuration is required to enable the applet. however. SAP guarantees that the applet. optionally. 38 . has not been changed or modified in any way.

the APIs consist of RFC function modules. if you are using the cFolders or cProjects application programming interfaces (APIs) via the SOAP wrapper. The cFolders APIs are required for: ● ● ● ● ● ● ● Back-end integration SRM integration Collaboration room integration Enterprise Portal Knowledge management integration cProjects integration ECL viewer The cProjects APIs are required for: ● ● ● ● ● ● Knowledge management integration Enterprise Portal cFolders integration Object links to SAP R/3 or mySAP ERP Workforce Management Core integration (only if it is run on an external system) mySAP HR integration If a user needs to use the APIs they must have the basic RFC authorization for the relevant API function modules.SAP Project and Portfolio Management Security Guide May 2006 5. 39 . see the roles [Page 10] used for each scenario. However. see the SAP Web AS Security Guide on SAP Service Marketplace at service.com/securityguide → SAP Basis / Web AS → SAP Web Application Server Security Guide (ABAP + JAVA) → SAP Web AS Security Guide for ABAP Technology in the section “SAP Authorization Concept”.3 Communication Destinations For the default cFolders and cProjects scenarios. no RFC destination is required. For more information about authorization objects and roles.sap. for example. The function group names are as follows: ● ● For cFolders: CFX_API For cProjects: CPR_API To view the application-specific and basis authorization objects used in cProjects and cFolders. The SOAP wrapper adheres to the authorization rules that apply if the RFC module is called directly. all relevant authorization objects are assigned to the role SAP_CFX_ADMINISTRATOR and can be viewed using transaction PFCG in the SAP Web Application Server (SAP Web AS). In cFolders.

see Network Security [Page 21]. 40 . In cFolders only. As these XML files may contain sensitive data. xRPM In xRPM. Depending on which installation scenario you have chosen for cFolders or cProjects. files might also be stored on content servers.SAP Project and Portfolio Management Security Guide May 2006 6 Data Storage Security cProject Suite In both cFolders and cProjects. In the default setting for cFolders and cProjects. An exception to this is when files are checked out for editing. data is mainly stored on the SAP Web Application Server (SAP Web AS) database. For information about security measures to be taken in this case. A Web browser is required for both scenarios. In this case. However. data is stored on the SAP Web Application Server (SAP Web AS) database. data is protected using the ACL concept already described in Authorizations [Page 10]. some settings are made using WebDAV access to XML files that are stored on the SAP Web AS database. no cookies are used to store data on the front end. you have the option of switching off WebDAV access. see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. files are stored locally on the user’s hard drive and it is their responsibility to protect the files according to company security policy.00 → Basic Settings for cFolders → Business Customizing → Changing cFolders Standard Settings Using WebDAV. For more information.

The same security measures as for communication to and from the front end apply. The ECL viewer is installed on the front end (browser) and therefore HTTP(S) is also used to communicate with the ECL viewer. When the user saves the project to his or her hard drive. For more information about security measures for HTTP(S) and RFC communication. 41 .SAP Project and Portfolio Management Security Guide May 2006 7 Security for Additional Applications cProject Suite cFolders cFolders uses the ECL viewer for viewing and redlining graphical formats. Certain types of information can be automatically sent to users by e-mail. see Communication Channel Security [Page 17]. This extender is available on the SAP Developer Network (SDN). for example. as described in the solution management content for cFolders under Solutions → mySAP PLM → SAP cProject Suite 4. or logon information for new users. the system does not perform an authorization check if somebody else opens the project again in Microsoft Project. information about a change to an object. a Project Data Services (PDS) extender is required to support the integration with xRPM. cProjects When transferring projects to Microsoft ® Project only the information for which the user has at least read authorization is transferred. xRPM For the Microsoft Project Server Integration. The protection of this downloaded data is not part of the cProjects security model. all e-mails except those containing logon information contain uncritical information. Since e-mails are potentially unsafe. You can switch off the mechanism for sending logon mails.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders.

WebEX: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Changing cFolders Standard Settings Using WebDAV. SRM integration: see the the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4. E-mails for sending information: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders.00 → Basic Settings for cFolders → Business Customizing → Configuring the WebEX Meeting Service.SAP Project and Portfolio Management Security Guide May 2006 8 Minimal Installation cFolders The minimal installation for cFolders is Scenario A: No Content Server [Page 24]. The following functions are optional and can be activated if required: ● Microsoft ® Project integration: see Customizing for Collaboration Projects under Connection to External Systems → Microsoft Project Integration → Assign Fields. Access to Microsoft Project is controlled by the use of an ActiveX control [Page 44]. The control has to be accepted by the user on the front end PC. WFM Core integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes ● 42 . ECL viewer: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Integration with mySAP SRM. ● ● ● ● ● RFC access is required for back-end integration and SRM integration. cProjects The minimal installation for cProjects is Scenario A: No Content Server [Page 24]. Back-end integration: see the SAP Library under mySAP Business Suite → mySAP Product Lifecycle Management → SAP cProject Suite → Collaboration Folders (cFolders) → cFolders Back-End Integration [Extern]. ● mySAP HR integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Resource and Time Management with cProjects → Distributing SAP HR Master Data via ALE to cProjects. To allow a user to access these functions it is necessary to assign the authorization object S_RFC in his or her user profile. The following functions in cFolders are optional and can be activated if required: ● WebDAV access: see the solution management content for cFolders under Solutions → mySAP PLM → Configuration Structures → cFolders SAP cProject Suite 4.00 → Basic Settings for cFolders → Business Customizing → Enabling E-Mails for cFolders.

WFM Core integration (if it is run on an external system). 43 .00 → Basic Settings for cProjects → System Connections → Making Settings for xPD Integration. xRPM Information to follow.SAP Project and Portfolio Management Security Guide May 2006 → Resource and Time Management with cProjects → Connecting Workforce Management Core. Object links to xPD application: see the solution management content for cProjects under Solutions → mySAP PLM → Configuration Structures → SAP cProject Suite 4. Accounting integration: see the solution management content for cProjects under Organizational Areas → Financials → Business Processes → Project Accounting with cProjects → Defining Settings for Accounting Integration. ● cFolders integration: see the solution management content for cProjects under Organizational Areas → Product Development and Introduction → Business Processes → Project Execution with cProjects → Preparing Integration with cFolders. To allow a user to access these functions it is necessary to assign the authorization object S_RFC in his or her user profile. and cFolders integration. ● ● RFC access is required for mySAP HR integration.

1 Browser Plug-In for File Handling In both cFolders and cProjects. you have the option of using a browser plug-in (java-based applet). this is not as easy to use. For more information. the end user must accept a signed applet on the front end. however. because the applet only automates some HTTP calls. 44 . which enables user-friendly file handling when checking documents in and out. Without this. unless the user accepts the digital certificate. see Plug-In Security [Page 37]. files can still be edited using plain HTML. However. This is a zero-footprint step that must be confirmed for each browser session. Using the applet does not change the security level on the server.SAP Project and Portfolio Management Security Guide May 2006 8.

the first time you use the integration of Microsoft Project. ActiveX must be installed once only. you can use the Microsoft Project Client. This means that in terms of server security. SAP guarantees that the ActiveX. The ActiveX is digitally signed with the official SAP signature. This occurs automatically in the Internet Explorer. If you cannot use ActiveX. you cannot use the Microsoft Project integration. due to company policy. However. 45 .SAP Project and Portfolio Management Security Guide May 2006 8. other than via the MS Project application.2 ActiveX for Microsoft Project Integration cProjects cProjects provides an ActiveX control for communication with Microsoft ® Project. Subsequent calls to the integration then reuse the installed ActiveX. which is installed or upgraded automatically by an interactive process on your system when the project integration component is used for the first time. has not been changed or modified in any way. xRPM To integrate Microsoft Project with xRPM. The ActiveX is located on some HTML pages and communicates via HTTP(S) with the cProjects server (SAP Web AS) and directly with the Microsoft Project DOM API. no additional network configuration is required to enable ActiveX. The ActiveX control does not access any resources on the front end. This uses an ActiveX control. for example. With the intact official signature. because it uses the same HTTP(S) connections as the cProjects application. as provided. you can activate or deactivate the download and execution of ActiveX components in the standard Internet Explorer browser settings (local front-end settings).

xRPM Microsoft ® Project integration: If you deactivate ActiveX [Page 44]. Microsoft Project integration is not possible.SAP Project and Portfolio Management Security Guide May 2006 9 Other Security-Relevant Information The following functions contain active code. ECL viewer (cFolders): If you do not install this locally. as files can still be processed using plain HTML. no redlining functions are available in cFolders. WebEx meetings service (cFolders): If you deactivate this. no comparable alternative is provided in cFolders. and can be deactivated if your security policy does not allow its use: cProject Suite ● ● ● ● ● Browser plug-in for file handling: Deactivating this does not result in any loss of functionality. data sheet comparison is not possible. Data sheet comparison (cFolders): If you deactivate ActiveX. Microsoft ® Project integration (cProjects): If you deactivate ActiveX [Page 44]. 46 . Microsoft Project Client integration is not possible.

Related Information For more information about topics related to security. Quick Links to Related Information Content Quick Link on the SAP Service Marketplace (service. Solution Management Guides Related SAP Notes Released platforms Network security instguides ibc notes platforms network securityguide SAP Solution Manager solutionmanager 47 .com) Master Guides. Installation Guides. quick link: security. Upgrade Guides. see the links shown in the table below. Security guides are available using the quick link securityguide.SAP Project and Portfolio Management Security Guide May 2006 10 Appendix Related Security Guides You can find more information about the security of SAP applications on the SAP Service Marketplace.sap.

Sign up to vote on this title
UsefulNot useful