SAP Leonardo IoT Bridge Security Guide
Security Guide, Public
Document Version:
SAP SE or an SAP affiliate company. All rights reserved.

Content

1 Document History
2 Introduction
3 Before You Start
4 User Access Control
   4.1 Role Templates Defined by Bridge
   4.2 Role Templates Not Defined by Bridge
5 Network Communication
   5.1 Secure Store
6 Personal Data Management
   6.1 Configuring the Personal Data Retention Period
   6.2 Applying the Personal Data Retention Policy

1 Document History

View the list of changes to this document.

Product Version         | Document Version | Date            | Comments
SAP Leonardo IoT Bridge |                  | August 30, 2018 | Version release

2 Introduction

SAP Leonardo IoT Bridge, also referred to here as Bridge, is built on the SAP Cloud Platform on Cloud Foundry and inherits the security model of the underlying platform. This includes the use of XS User Account and Authorization (UAA), which allows for the following:

- Definition of role templates that can be associated to users to grant access to features of applications
- Separation of UAA and the customer's preferred identity provider (IdP)
- AppRouter to both redirect all unauthenticated service calls to the IdP for authentication and hide the internal security token from web browser requests

SAP Leonardo IoT Bridge does not store personal data and is in full compliance with the General Data Protection Regulation (GDPR).

3 Before You Start

Before you start, take the following information into consideration.

Important Links

Content                                    | Quick Link
SAP Community Network Security Information | SAP Community Network (SCN) Information
Security Guides                            | SAP Security Guides

Fundamental Security Guides

Other SAP security guides can be used as a resource for Bridge, which is comprised of the following components:

- SAP HANA
- SAP Cloud Platform (CP)

Scenario, Application, or Component | Security Guide                                   | Relevant Sections/Specific Restrictions
SAP Cloud Platform (CP)             | Cloud Foundry at SAP Cloud Platform Security Guide |

SAP Cloud Platform Security

The Bridge application is secured by security mechanisms provided by the SAP Cloud Platform (CP). To enable you to integrate SAP CP applications with existing on-premise identity management infrastructures, SAP CP introduces single sign-on (SSO) and identity federation features. In SAP CP, identity information is provided by identity providers (IdP) and is not stored on SAP CP itself. The identity provider is configured using the CP Cockpit for the Bridge application.

For more information, see the following guides:

- Configuring Your Cloud Identity Tenant
- Managing Users in Your Cloud Identity Tenant
- How to Build Roles for Applications
- Managing Members

4 User Access Control

Each user has his or her own tenant of the SAP Cloud Identity (SCI) service. For more information, see the SAP CP Security Guide for Managing Members.

4.1 Role Templates Defined by Bridge

Three role templates can be used to grant users access to features of Bridge.

EndUser
   The end user is limited to viewing a predefined overview page (dashboard) and its subsequent list and object detail pages. The end user can also view notifications, navigate to source systems, and view configured resolution options. The end user cannot access administration or key user screens.

KeyUser
   Key users can define various configuration artifacts within Bridge. They are responsible for defining the cards that end users see on the overview page; creating personas; and defining notifications, resolution options, and service endpoints.

AdminUser
   Admin users grant access to various systems. They define the systems from which the key user can define services. They also define the links to external systems that key users can associate with resolution options and notifications.

4.2 Role Templates Not Defined by Bridge

A UAA-related role template is required and can be used to segregate access to the UAA administration functions.

AuthorizationAdmin
   These users have the tasks of creating roles from role templates, creating role collections from a set of roles, and providing a SAML mapping from role collections to user groups (defined in the customer's IdP). In addition, the Bridge-specific task of assigning a persona to a set of users (defined in the mapping to user groups) via Scope attributes is required.

5 Network Communication

All network communication is executed over HTTPS. All user-facing Bridge-related services require input via the IdP login screen. If previously authenticated, a JSON Web Token (JWT) is used internally by UAA to identify those users already logged in. All backing services require a technical user to log in with Basic Authentication.

5.1 Secure Store

To make calls to backing services (for example, via HCI), technical user credentials must be entered. These user credentials are stored in the HANA Secure Store and can only be entered by users with the AdminUser privilege.

6 Personal Data Management

Some features of Bridge require the storing of personal data, including the following:

- User ID for storing personalization of the Overview screen: personalization includes adding, editing, removing, hiding, and moving cards on the Overview screen.
- User ID for association of users to a configured persona: because the UAA APIs for retrieving the set of users with an assigned persona are limited, each user's assigned personas are stored after each login. The association is used when sending notifications to the set of users assigned to a persona.

Bridge implements a configurable retention period and a service for executing the policy, to ensure personal data erasure. The retention period is specified on the General Settings administration screen. All personal data not accessed for a period longer than the retention period will be erased when the retention policy is applied.

Note
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

6.1 Configuring the Personal Data Retention Period

Context
To set the personal data retention period, do the following. If you do not specify a retention period, the default period is 365 days.

Procedure
1. Launch the General Settings screen by navigating to the following URL:
2. If a setting with the name SAP.personalData.retentionPeriod.days does not already exist, add a new setting as follows:
   a. Choose Add.
   b. In the Name field, enter SAP.personalData.retentionPeriod.days.
   c. In the Value field, enter a positive integer representing the number of days to retain personal data before considering it for erasure.
   d. Save your changes.

6.2 Applying the Personal Data Retention Policy

Manual Application
To manually trigger the erasure of personal data exceeding the retention period, navigate to the following URL:
This screen provides information about personal data retention, including the configured retention period.

Automatic Application
To periodically trigger the erasure of personal data, call the following service (with, for example, the CF JobScheduler):
The REST service endpoint is:
It must be executed as an HTTP POST. No HTTP body parameters are required.
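As an added example that is not part of the SAP guide, the following Python models the retention behaviour of sections 6.1 and 6.2: the General Settings key SAP.personalData.retentionPeriod.days and the 365-day default are taken from the guide, while the record layout, user IDs, timestamps and function names are constructed for illustration. It rejects values that are not positive integers and treats "not accessed for longer than the period" strictly, so a record last accessed exactly at the cutoff is kept.

```python
# Added example, not SAP's code: a model of the Bridge personal-data retention
# policy described above. The setting name and the 365-day default come from the
# guide; record layout, user IDs and timestamps are constructed for illustration.
from datetime import datetime, timedelta, timezone

SETTING_NAME = "SAP.personalData.retentionPeriod.days"  # General Settings key (from the guide)
DEFAULT_RETENTION_DAYS = 365                              # used when the setting is absent


def retention_period_days(settings):
    """Resolve the period from a General Settings name->value map.
    Missing -> default; anything but a positive integer is rejected rather than
    silently shortening or extending retention."""
    raw = settings.get(SETTING_NAME)
    if raw is None:
        return DEFAULT_RETENTION_DAYS
    try:
        days = int(str(raw).strip())
    except ValueError:
        days = 0  # falls through to the same rejection as "0"
    if days <= 0:
        raise ValueError("%s must be a positive integer, got %r" % (SETTING_NAME, raw))
    return days


def apply_retention_policy(records, settings, now):
    """Return (kept records, erased user IDs). Only data not accessed for *longer
    than* the period is erased, so a last access exactly at the cutoff is kept."""
    cutoff = now - timedelta(days=retention_period_days(settings))
    kept, erased = [], []
    for rec in records:
        (erased if rec["last_access"] < cutoff else kept).append(rec)
    return kept, [r["user_id"] for r in erased]


# Constructed sample covering the two kinds of personal data the guide lists.
NOW = datetime(2018, 8, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"user_id": "alice", "kind": "overview_personalization", "last_access": NOW - timedelta(days=10)},
    {"user_id": "bob",   "kind": "persona_assignment",       "last_access": NOW - timedelta(days=365)},
    {"user_id": "carol", "kind": "persona_assignment",       "last_access": NOW - timedelta(days=366)},
    {"user_id": "dave",  "kind": "overview_personalization", "last_access": NOW - timedelta(days=40)},
]


def demo(settings):
    """Apply the policy to the sample; returns (kept user IDs, erased user IDs)."""
    kept, erased = apply_retention_policy(SAMPLE_RECORDS, settings, NOW)
    return [r["user_id"] for r in kept], erased
```

Calling demo({}) applies the 365-day default and erases only carol, while demo({SETTING_NAME: "30"}) also erases bob and dave.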

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information. About the icons:

- Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this: The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information. SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
- Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up. The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.


SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see for additional trademark information and notices.