
SAP NetWeaver 2004s SPS 4 Security Guide

Collaboration Security Guide


Document Version 1.00 October 24, 2005

SAP AG, Neurottstraße 16, 69190 Walldorf, Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

Copyright 2005 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following Internet address: service.sap.com/securityguide

Typographic Conventions

Type Style: Example Text
Description: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.

Type Style: Example text
Description: Emphasized words or phrases in body text, graphic titles, and table titles.

Type Style: EXAMPLE TEXT
Description: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Type Style: Example text
Description: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Type Style: Example text
Description: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

Type Style: <Example text>
Description: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

Type Style: EXAMPLE TEXT
Description: Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon meanings: Caution, Example, Note, Recommendation, Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Contents

Collaboration Security Guide
1 Technical System Landscape
2 User Management and Authentication
3 Permissions
4 Security Managers for Collaboration
5 Data Security in Rooms
6 Differentiated Display of User Data in External Portals
7 Prevention of Mass E-Mails
8 Communication Channel Security
9 Data Storage Security
10 Active Code
11 Trace and Log Files


Collaboration Security Guide


About this Guide
This guide describes the aspects of the Collaboration component that are relevant to security.

SAP recommends that you use this general information to create a handbook for daily use that corresponds to your company-specific requirements for production operations.

As a component of SAP NetWeaver™, Collaboration is based on the Portal Platform and Knowledge Management Platform. The J2EE engine of the SAP Web Application Server forms the technical basis. The table below contains links to the security guides for these components.

Related Security Guides

Application: SAP Web Application Server
Guide: SAP Web Application Server Security Guide [SAP Library]
Relevant Sections/Specific Constraints: SAP Web AS Security Guide for J2EE Technology [SAP Library]

Application: SAP Enterprise Portal
Guide: Portal Security Guide [SAP Library]

Application: SAP Knowledge Management
Guide: Knowledge Management Security Guide [SAP Library]

Why Is Security Necessary?


SAP Collaboration allows access to company-internal personal data, information, and documents that may not be equally accessible to all portal users. Settings for data security prevent unauthorized access and data manipulation.

Target Audience
- Technical consultants
- System administrators

This security guide applies for the entire software life-cycle. In contrast, the installation guide, configuration guide, technical operations manual, and the upgrade guide are each relevant for one phase of the software life-cycle.


SAP Notes
Check frequently to see which SAP notes for the security of your application are available.

Important SAP Notes

SAP Note Number: 721098
Title: Central Note for Collaboration in NW04
Comments: Information on software corrections after delivery of NW04

SAP Note Number: 701097
Title: SAP NetWeaver '04 Documentation
Comments: Information on corrections to the documentation after it has been delivered.

1 Technical System Landscape


The SAP NetWeaver™ component Collaboration is based on fundamental components of the Portal Platform and the Knowledge Management Platform. Collaboration is installed along with Knowledge Management (KM) in one procedure. Like the portal platform and the KM platform, Collaboration is based on the SAP NetWeaver Java development platform (Java 2 Enterprise Edition, abbreviated to J2EE). The graphic below contains an overview of the technical system landscape that Collaboration is included in:
[Figure: Collaboration Technical System Landscape. Layers shown, from top to bottom: Collaboration (People-Centric Components, Room Infrastructure, Asynchronous Tools & Components, Synchronous Collaboration Framework, Groupware Framework); Knowledge Management Platform (Content Management, Repository Framework, Search & Classification, KM iViews, Configuration, ...); Portal Platform (Portal Catalog, Configuration, Navigation Service, ...); SAP NetWeaver (J2EE Engine) (User Management, HTMLB (UI), ...).]

For more information about the technical system landscape, see the sources that are listed in the following table.

More Information About the Technical System Landscape

Topic: Description of all technical components that are relevant for Collaboration.
Guide/Tool: Administration guide for the Collaboration component
Link: Architecture [SAP Library]

2 User Management and Authentication


Collaboration uses the user management and user authentication mechanisms in the SAP NetWeaver platform, in particular those in the SAP Web Application Server (Java). Therefore, the security recommendations and guidelines for user management and authentication apply as described in the SAP Web Application Server security guide.

3 Permissions
Collaboration uses the permissions concept provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for permissions apply as described in the SAP Web Application Server security guide. The permissions concept of the SAP Web Application Server is based on the assignment of permissions to users on the basis of roles. For role maintenance on the SAP Web AS Java, you use the administration console for user management [SAP Library] in the User Management Engine (UME).

Standard Roles
The portal-wide permissions for using the Collaboration functions are contained in the following portal roles:

Portal Role: System Administration
Description: This portal role contains specific administration functions for Collaboration as a part of Knowledge Management. For example, a system administrator configures the services and the room infrastructure. See the Collaboration Administration Guide [SAP Library].

Portal Role: Content Administration
Description: This portal role provides access to administration functions specific to Collaboration, for example:
- Configuration for making collaboration services available
- Management of templates for rooms and room parts [SAP Library]
- Configuration of the room infrastructure [SAP Library]
You can also access specific administration functions for portal content and KM content through this portal role.

Portal Role: Collaboration
Description: This portal role provides access to Room Administration and to the My Tasks and My Sessions iViews.

Portal Role: Collaboration Room Creation
Description: This portal role provides access to the room creation wizard.

4 Security Managers for Collaboration


The following security managers are delivered for Collaboration:

Security Manager: Collaboration Security Manager
Description: The security manager is an extension of the ACL Security Manager [SAP Library]. It defines the access permissions for data on discussions, feedback, and comments that are stored in the Collaboration repository, as follows:
- A portal user with read permission for the original resource has write permission for dependent data.
- A portal user with write permission or the Collaboration service permission for the original resource has administrator permissions for dependent data (including deletion).

Security Manager: Collaboration Security Manager Restricted
Description: As for the Collaboration Security Manager, but administration permission is assigned only to portal users with the Collaboration service permission.

Security Manager: Attachment Security Manager for Collaboration
Description: The security manager is an extension of the ACL Security Manager [SAP Library]. It defines the access permission to data that is stored in the repository for attachments. A portal user has the same access permission for an attachment stored here as for the original resource that the respective attachment refers to.

Security Manager: Workflow Attachment Security Manager for Collaboration
Description: The security manager is an extension of the ACL Security Manager [SAP Library]. It defines the access permission to data that is stored in the repository for attachments to workflow tasks. A portal user has the same access permission for an attachment stored here as for the original resource that the respective attachment refers to.

Security Manager: Session Data Security Manager
Description: The security manager defines the access permission to data that is stored in the repository for session records [SAP Library]. It checks whether the user is the owner or a participant in the session. Only the owner of a session has permission to edit and delete session records. If the session record relates to a room and the user is a room member (but neither owner nor session participant), the following rule applies: The user receives permission to display and edit the session record, but not permission to delete it.

Security Manager: Collaboration Sessions Security Manager
Description: The security manager defines the access permission to data that is stored in the repository for Synchronous Collaboration Framework (SCF) sessions.
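The difference between the Collaboration Security Manager and its Restricted variant is easiest to see per user on one resource's ACL. The following is an added example, not SAP code: the types `Level` and `Grant`, the function names and the sample users are hypothetical, and it assumes that a user with write permission also counts as having read permission.

```python
# Added illustration: a model of the security manager rules described above.
# This is not SAP code; all names are hypothetical.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3  # administrator permission, including deletion


@dataclass(frozen=True)
class Grant:
    """Permissions a portal user holds on the ORIGINAL resource."""
    read: bool = False
    write: bool = False
    collab_service: bool = False  # the "Collaboration service permission"


def dependent_data_level(grant: Grant, restricted: bool = False) -> Level:
    """Level on discussions, feedback and comments stored for a resource.

    restricted=False models the Collaboration Security Manager,
    restricted=True the Collaboration Security Manager Restricted.
    Assumption: write permission on the original implies read permission.
    """
    if grant.collab_service:
        return Level.ADMIN
    if grant.write and not restricted:
        return Level.ADMIN
    if grant.read or grant.write:
        return Level.WRITE
    return Level.NONE


def review(acl: dict) -> list:
    """Compare both managers for every user on one resource's ACL."""
    rows = []
    for user, grant in sorted(acl.items()):
        std = dependent_data_level(grant, restricted=False)
        res = dependent_data_level(grant, restricted=True)
        rows.append({
            "user": user,
            "standard": std.name,
            "restricted": res.name,
            # True where only the Restricted manager withholds deletion rights
            "loses_admin_if_restricted": std is Level.ADMIN and res is not Level.ADMIN,
        })
    return rows


# Constructed sample ACL for one document (user names are invented).
SAMPLE_ACL = {
    "reader": Grant(read=True),
    "editor": Grant(read=True, write=True),
    "moderator": Grant(read=True, collab_service=True),
    "outsider": Grant(),
}

if __name__ == "__main__":
    for row in review(SAMPLE_ACL):
        print(row)
```

In the sample, the read-only user can still write dependent data, and the editor can delete other users' comments unless the Restricted manager is in use.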

5 Data Security in Rooms


Collaboration allows the use of virtual rooms for collaboration within the company. If internal confidential information is stored in the rooms, the security of this information and data is particularly important. Access to information and data in rooms is ensured by means of the following security concepts:

Security Concept: Access controls
Description: When creating a room, the system creates an access control list (ACL) for the room. All members of a room are listed in the access control list. Each change made to the member list is recorded in the access control list. From the data security perspective, the access control list has the following effects:
- Only those portal users who are listed in the access control list for a room are allowed to enter that room.
- Documents that are stored in the room can only be opened by users who are listed in the access control list. This also applies if a user tries to open a room document from within the KM repository.

Security Concept: Security of the data in CM folders for rooms
Description: In the standard configuration, all room members (user group for the room that corresponds to the access control list) have full access to folders and documents in the room. If the room data is relevant for security, the room owner (for example, the team or project lead) can modify the access permissions to folders and documents.
In the standard configuration, room members' access to folders and documents in a room is predefined as follows:
- All room members (members of the user group for the room) are permission owners and can therefore assign permissions themselves. Permission owners automatically have full access permission.
- All room members (members of the user group for the room) have full access permission.
To ensure the security of the room data, the room owner can specify him or herself or other room members as the permission owners for folders and documents instead of the entire user group for the room. As soon as the user group for the room (access control list) is no longer the permission owner, it can be assigned a lower access permission level, for example, read permission. The room member who is specified as the permission owner automatically has permission for full access to the folder or document. See also Access Permission for Folders and Documents in the Room [SAP Library].

Security Concept: Permissions for Room Templates and Room Part Templates
Description: You can restrict user access to room templates and room part templates by assigning template-specific permissions. This does not affect general access permissions, for example, those for content administrators.
A room owner is allowed to include room parts in a room, but not the room parts for which he or she does not have template-specific permission for the underlying template.
To give a user (individual users, user groups, or roles) permission to use a template, enter the user in the permission list for the template. The permission list contains a list of users, separated by semi-colons. Entries in the permission list have the following effect:
- Permissions for room templates: If there is at least one entry in the permission list, only the authorized users can use the template to create rooms.
- Permissions for room part templates: If there is at least one entry in the permission list, only the authorized users can add the room part to a room.
- No permissions for room templates and room part templates: If the permission list for a template is empty, the template is available to all users whose portal role(s) allow them to work with templates and rooms.

Security Concept: Access permission for pages in a room
Description: Within a room, access to pages is defined using room roles [SAP Library]. You can create room roles in the room template or room part template as required. In the template, you define the access permission for each room role for pages in the room. When registering a user as a room member, a room role with the associated page permissions is assigned to this user.
From the technical perspective, the page permission is checked in the Portal Content Directory (PCD) when a user accesses a page. For each page, a property contains the information about which room roles are allowed to access the page. When a user wants to access a room, the system analyses in the PCD which pages the user is allowed to enter based on his or her room role.

Security Concept: Specific administration permission in rooms
Description: In each room template and room part template, you can define a room role specifically as the administration role.
The room role with specific administration permission can only be assigned to other room members by room members who are assigned to this room role. This prevents unauthorized room members from assigning themselves administration permission and changing the room settings (room attributes, room parameters, member list, and so on).

Security Concept: No access to room pages and iViews in the portal catalog
Description: Objects (iViews and pages) that are included in rooms are stored in the Portal Content Directory (PCD). To prevent unauthorized access to room data, these objects are hidden in the portal catalog. For more information, see the list of PCD folders for worksets from rooms under Maintenance of Worksets for Templates [SAP Library].

Security Concept: Information page if no access to room
Description: If access to a room is denied, for example, because the room is locked or the user has no permission to enter it, you can provide information on an information page, which appears in this case. For more information, see Information Page If No Access to Room [SAP Library].

Security Concept: Logging access to rooms
Description: Each time a user enters a room, an entry is logged in the Status Engine. You can use this information to find out the last user to enter the room, for example.
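The permission-list rule for room templates and room part templates means that an empty list leaves a template open to every user whose portal role allows working with templates. The following added example (not SAP code) evaluates such lists and reports the templates that are effectively unrestricted. All type, function, template and principal names are hypothetical, and it assumes that entries are compared as exact strings and that whitespace-only entries count as absent.

```python
# Added illustration: evaluates template permission lists as described above.
# This is not SAP code; all names and sample values are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A portal user with group and role memberships."""
    user_id: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    may_work_with_templates: bool = True  # granted by the user's portal role(s)

    def names(self):
        # A permission list entry may name a user, a user group, or a role.
        return {self.user_id} | self.groups | self.roles


def parse_permission_list(raw):
    """Split a semicolon-separated permission list into a set of entries.

    Assumption: surrounding whitespace is ignored and blank entries are
    dropped, so a value such as " ; ;" counts as an EMPTY list.
    """
    return {e.strip() for e in (raw or "").split(";") if e.strip()}


def may_use_template(principal, raw_permission_list):
    """Apply the rule for room templates and room part templates."""
    if not principal.may_work_with_templates:
        return False
    entries = parse_permission_list(raw_permission_list)
    if not entries:
        # Empty list: available to every user whose portal role allows it.
        return True
    return bool(entries & principal.names())


def usable_room_parts(owner, part_templates):
    """Room parts a room owner may add: those whose template permits the owner."""
    return sorted(n for n, raw in part_templates.items()
                  if may_use_template(owner, raw))


def unrestricted_templates(templates):
    """Audit helper: templates whose permission list is effectively empty."""
    return sorted(n for n, raw in templates.items()
                  if not parse_permission_list(raw))


# Constructed sample data; template, group and role names are invented.
TEMPLATES = {
    "ProjectRoom": "grp_project_leads; jsmith",
    "BoardRoom": "role_executive",
    "ScratchRoom": "",
    "LegacyRoom": " ; ;",
}
ALICE = Principal("alice", groups=frozenset({"grp_project_leads"}))

if __name__ == "__main__":
    print("alice may use:", usable_room_parts(ALICE, TEMPLATES))
    print("open to all template users:", unrestricted_templates(TEMPLATES))
```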

6 Differentiated Display of User Data in External Portals


You can use your enterprise portal as an external portal, for example, to allow B2B processes. However, opening the portal for access from outside means that external users have access to users and the associated functions (link to user details, context menu with collaboration services).

To ensure data security, you can define a differentiated view of user data. SAP delivers an extension for this purpose. When you configure the extension, you define for different user groups the extent to which they can display user data, for example:

- Internal users: Unrestricted display of all user data
  You group your company employees (the internal users) in a portal role that has permission to search and display user data without restriction.
- Unknown external users: Minimal view of all user data
  All users that are not assigned to a portal role with permission to search and display user data are considered to be external users. For security reasons, these users have only a minimal view of user data:
  - The people finder function is not active.
  - Instead of user names (with a link to the user details and the context menu with collaboration services), only a dummy text appears (standard configuration of the corresponding profile for the people finder function).
- Known external users: Restricted view of user data
  You can include external users who have a particularly close relationship with your company in virtual groups and allow them a restricted view of user data in comparison to internal users within this virtual group. The virtual groups are defined by matching the attribute values. For example, a virtual user group comprises all external users for which the Company attribute contains the same value.
  All external users that belong to virtual groups receive a portal role that gives them permission for the restricted view of user data. An associated profile for the people finder function defines which user data appears, for example, the e-mail address only (standard configuration). The restricted display has the following effects:
  - The people finder function is active, but finds only users in the virtual group.
  - For external users in the virtual group, the information that is defined in the corresponding profile for the people finder function appears instead of the user name.
  - For external users outside of the virtual group, the minimal display of user data applies (see above).

See also:
- Differentiating the Display of User Data in External Portals [SAP Library]
- Activating the Extension for the Differentiated Display of User Data [SAP Library]
- Configuring the Unrestricted Display of User Data [SAP Library]
- Configuring the Minimal Display of User Data [SAP Library]
- Configuring the Restricted Display of User Data in Virtual Groups [SAP Library]

7 Prevention of Mass E-Mails


You can prevent certain users (for example, external users) of your enterprise portal from using the e-mail functions in your portal to send mass e-mails.

Portal Role with Restricted E-Mail Permission


Parallel to the configuration of a restricted display of user data (for external users), you require a portal role with appropriately restricted e-mail permission. You assign all users who are only allowed to send e-mails to a restricted number of recipients to this portal role (see Assigning Restricted Mail Permissions for Users [SAP Library]).

Maximum Number of E-Mail Recipients


You define the maximum number of recipients that users with restricted e-mail permission can send e-mails to in the configuration for the service for sending e-mails (see Restricting the Number of Mail Recipients [SAP Library]).


8 Communication Channel Security


Collaboration uses the following protocols to communicate with other components and subcomponents:

- Hypertext Transfer Protocol (HTTP)
  HTTP is the established protocol for data transfer on the World Wide Web. The user's Web browser is an HTTP client. When the user opens a Web site by entering the URL (uniform resource locator) or by clicking a hyperlink, the client sends a request to the server IP address (Internet protocol address) that is specified in the URL. The server returns the requested file or files (that the Web site consists of) to the client.
- Hypertext Transfer Protocol over Secure Socket Layer (HTTP over SSL, abbreviated to HTTPS)
  HTTPS encrypts and decrypts both the Web pages that users request and the Web pages that the Web server returns to users. To do this, the Secure Socket Layer (SSL) is executed as a subordinate layer within the HTTP application. The URLs of Web pages that are encrypted according to the HTTPS protocol start with https://.

The graphic below illustrates the possible communication channels within Collaboration and the protocols used.

[Figure: Communication channels within Collaboration and the protocols used. Components shown: Browser, J2EE Engine (portal server) with Collaboration and Knowledge Management, Lotus Domino, WebEx, RTC Application Sharing Server, Microsoft Exchange. Channel labels: HTTP(S) and HTTP.]

Components and Communication Channels

Communication Partner for Collaboration: Browser
Protocol: HTTP or HTTPS

Communication Partner for Collaboration: Knowledge Management
Protocol: Depends on the repository implemented (see Communication Channel Security [SAP Library] in the KM security guide)

Communication Partner for Collaboration: Application sharing server for the Real-Time Collaboration (RTC) subcomponent
Protocol: HTTP or HTTPS
Comments: Your browser settings must allow installation of the ActiveX control.

Communication Partner for Collaboration: Microsoft Exchange
Protocol: HTTP or HTTPS
Comments: See Creating an Exchange Transport [SAP Library]

Communication Partner for Collaboration: Lotus Notes
Protocol: HTTP or HTTPS
Comments: See Creating a Lotus Transport [SAP Library]

Communication Partner for Collaboration: WebEx
Protocol: HTTP

9 Data Storage Security


The data used in Collaboration is managed in the Content Management (CM) area of SAP Knowledge Management (KM). See also: Data Storage Security [SAP Library] in the Knowledge Management security guide.


10 Active Code
Collaboration uses various types of active code. This is executed on the client host (front end) in the Web browser.

Active Code: ActiveX
Usage: The Application Sharing function in the Collaboration component Real-Time Collaboration (RTC)
Comments: If your security policy rules out ActiveX controls, you cannot use application sharing. You can configure your browser so that you have to specifically agree to the installation of the Portal Tools for Real-Time Collaboration ActiveX control. If your browser settings allow automatic installation of ActiveX controls, the ActiveX control for Real-Time Collaboration is installed without you noticing it. See Configuring Client Browsers to Accept the RTC ActiveX Control Element [SAP Library]

Active Code: JavaScript
Usage: The software component HTMLB uses JavaScript, for example, for client-side checking of entries and generating pop-up menus.
Comments: JavaScript is important for the SAP NetWeaver Portal component.

11 Trace and Log Files


The logs for the Collaboration functions are stored in the central log file of the Web Application Server (Web AS). These are described in the Web AS for Java security guide. See also: Trace and Log Files [SAP Library] in the Knowledge Management security guide.
