DM Security Guide Cloud


PUBLIC

SAP Disclosure Management


Document Version: DM Stack 2103 – 2024-05-27

Security Guide (SAP S/4HANA Cloud Specifics)


© 2024 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Introduction [page 4]
2 Before You Start [page 6]
3 Technical System Landscape [page 7]
  3.1 .NET Framework [page 8]
4 Data Protection and Privacy [page 9]
5 User Administration and Authentication [page 10]
  5.1 User Management [page 10]
    5.1.1 Authorizations [page 11]
6 Network and Communication Security [page 14]
  6.1 Hypertext Transfer Protocol Secure (HTTPS) for SAP Disclosure Management [page 16]
    6.1.1 How to Configure the TaskEngine Service for HTTPS [page 19]
  6.2 Disabling Old Protocols (SSL2, SSL3, TLS 1.0, TLS 1.1) [page 21]
  6.3 Password Encryption for Connection Strings [page 22]
    6.3.1 Changing Connection Strings After Encryption [page 23]
  6.4 Cross-Origin Resource Sharing [page 24]
  6.5 RESTful API and Security [page 24]
    Enable AD Authentication [page 25]
    RESTful API Calls Within SAP Disclosure Management (SAP DM) [page 26]
    RESTful API Calls from Outside SAP Disclosure Management (SAP DM) [page 28]
  6.6 RESTful API Methods [page 29]
    API Method to Trigger Ad Hoc Tasks [page 29]
    API Method to Revert the Latest Report Revision [page 31]
  6.7 Information Disclosure [page 33]
    Disabling WebService Documentation Protocol [page 33]
    Disabling Asp.NET Version Header [page 33]
    Disabling Server Header [page 34]
  6.8 Security Headers [page 34]
  6.9 Configuring Cloud Metering [page 35]
7 Changing the Signing Certificate [page 37]
8 Session Handling [page 38]
9 Data Storage Security [page 39]
  9.1 Cookies in SAP Disclosure Management (SAP DM) [page 39]

Security Guide (SAP S/4HANA Cloud Specifics)


2 PUBLIC Content
10 Security-Relevant Logging and Tracing [page 41]
  10.1 Configuring HTTP Request Logging [page 41]
11 Other Security-Relevant Information [page 42]
  11.1 Password Policy [page 45]
  11.2 Password Security [page 47]
  11.3 Single Sign-On [page 49]
  11.4 Authenticating Using Security Assertion Markup Language 2.0 [page 50]
  11.5 Preventing Anonymous Access to SAP Disclosure Management Online User Help Files [page 51]
  11.6 Disabling Debugging [page 52]
  11.7 Session Timeout [page 52]
  11.8 Fiori Launchpad Session Timeout [page 53]
12 Security for Additional Applications [page 54]

1 Introduction

Caution

This document is not included as part of the Installation Guides, Administration Guides, or Upgrade Guides.
Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides
provide information that is relevant for all life cycle phases.

Target Audience

• Technology consultants
• System administrators

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information. User
errors, negligence, or attempted manipulation of your system should not result in loss of information or
processing time. These demands on security apply likewise to SAP Disclosure Management. To assist you in
securing SAP Disclosure Management, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to SAP Disclosure
Management.

The Security Guide comprises the following main sections:

• Before You Start
This section contains information about why security is necessary, how to use this document, and
references to other Security Guides that build the foundation for this Security Guide.
• Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by
SAP Disclosure Management.
• User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
  • Recommended tools to use for user management.
  • User types that are required by SAP Disclosure Management.
  • Standard users that are delivered with SAP Disclosure Management.
  • Overview of the user synchronization strategy, if several components or products are involved.
  • Overview of how integration into Single Sign-On environments is possible.
• Authorizations
This section provides an overview of the authorization concept that applies to SAP Disclosure
Management.
• Network and Communication Security
This section provides an overview of the communication paths used by SAP Disclosure Management and
the security mechanisms that apply. It also includes our recommendations for the network topology to
restrict access at the network level.
• Data Storage Security
This section provides an overview of any critical data that is used by SAP Disclosure Management and the
security mechanisms that apply.
• Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are
used with SAP Disclosure Management.
• Other Security-Relevant Information
This section contains information about the following topics:
  • Server Security
  • Web Services
  • JavaScript
  • Passwords

2 Before You Start

Security Guides

You find the Security Guide of a specific product on the corresponding product page on the SAP Help Portal at
https://help.sap.com.

Important SAP Notes

The most important SAP Notes that apply to the security of SAP Disclosure Management are shown in the
table below.

SAP Note   Title                                                          Comment
1621689    Advice for Server Installation of Disclosure Management 10.0
1318499    Transportability of Web services
2750837    Maintenance strategy for Disclosure Management

In addition, you can find a list of security-relevant SAP Hot News and SAP Notes on the SAP Service
Marketplace at http://service.sap.com/securitynotes.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content             Quick Link on the SAP Service Marketplace or SDN
Security            http://sdn.sap.com/irj/sdn/security
Security Guides     Product pages on SAP Help Portal at https://help.sap.com
Related SAP Notes   http://support.sap.com/notes
Released platforms  http://support.sap.com/pam
Network security    Product pages on SAP Help Portal at https://help.sap.com
SAP NetWeaver       https://help.sap.com/nw

3 Technical System Landscape

The figure below shows an overview of the technical system landscape for SAP Disclosure Management:

For more information about the technical system landscape, see the resources listed in the following table:

Topics                                                Guide/Tool                       Quick Link to the SAP Help Portal
Technical description for SAP Disclosure Management   Installation and Upgrade Guide   https://help.sap.com/viewer/p/SAP_DISCLOSURE_MANAGEMENT
Security                                              See applicable documents         http://sdn.sap.com/irj/sdn/security

Note

For a list of the software and hardware requirements for SAP Disclosure Management 10.1 and SAP
Disclosure Management XBRL reporting add-ons 1.0, see the SAP Disclosure Management 10.1 Product
Availability Matrix (PAM). The Product Availability Essentials presentation also contains information for
getting started, and can be found under General Information > Details and Dates > Essentials.

3.1 .NET Framework

Every version of the .NET Framework has security issues that you can resolve by installing the relevant security
updates.

You can find a list of these security issues, for example, at https://www.cvedetails.com/vulnerability-list/
vendor_id-26/product_id-2002/version_id-190346/Microsoft-.net-Framework-4.6.1.html. You can install
security updates using the Windows Update function or you can install them manually. From DM Stack 11xx
and higher, SAP Disclosure Management uses .NET Framework version 4.6.1.

4 Data Protection and Privacy

For more information on data protection and privacy, see the Data Protection and Privacy chapter in the
Administration Guide.

5 User Administration and Authentication

We include information about user administration and authentication that specifically applies to SAP
Disclosure Management in the following topic:

• User Management [page 10]
This topic lists the tools to use for user management, the types of users required, and the standard users
that are delivered with SAP Disclosure Management.

5.1 User Management

SAP Disclosure Management has its own user management mechanisms. For an overview of how these
mechanisms apply, see the sections below. In addition, we provide a list of the standard users required for
operating SAP Disclosure Management.

User Administration Tools

The table below shows the tools to use for user management and user administration in SAP Disclosure
Management.

User Management Tools

Tool: User administration in SAP Disclosure Management
Detailed Description: You can manage users on the Administration tab in the SAP Disclosure Management
application. For more information, see the section “User Administration” in the SAP Disclosure Management
Administrator's Guide.

Standard Users

The table below shows the standard users that are necessary for operating SAP Disclosure Management.

System: Internet Information Server (IIS)
Type: Windows Domain Account with read permission for Active Directory
Description: The Windows Domain Account is required to authenticate SAP Disclosure Management users
against Active Directory when using Single Sign-On (SSO).

Note

The login screen of SAP Disclosure Management prompts the user for a user name and password. For
security reasons the user name field does not provide an autocomplete function. The autocomplete
function is provided by modern browsers but is switched off for the login screen.

5.1.1 Authorizations

Standard Roles

The table below shows the standard roles that are used by SAP Disclosure Management:

Role                  Description
Standard Admin        Administers the system, assigned to authorization object; manages Apps
Standard Manager      Manages and edits reports
Standard Editor       Can only edit chapters
Standard Readonly     Can only read reports and chapters
Standard Transporter  Imports and exports content

You can assign roles to users at the following levels:

• Globally
If you assign a role to a user in User Administration, this user gets the corresponding permissions in all
reports and chapters.
• Locally
If you assign a role to a user on the Permissions tab in a report or chapter, this user gets the corresponding
permissions for this report or chapter only.

Note

To ensure data protection and prevent unauthorized access to reports or chapters, we recommend that you
use local authorizations rather than global authorizations.

Note

To check user permissions on chapter and report level, you can use the Access Analyzer app. For more
information, see https://help.sap.com/viewer/6fda503523d6413597f5cd81be59fa8a/DM%20Stack%2013xx/en-US/e684751c5e8b4cd9bd3301277a779716.html.

Standard Authorization Objects on the SAP Disclosure Management Server

In SAP Disclosure Management, you can create customized roles. When creating a role, you can assign it any
combination of the authorization objects described below.

The table below shows the security-relevant authorization objects that are used on the SAP Disclosure
Management server:

Group           Permission          Description
Administration  system              All features available on the Administration tab on the SAP Disclosure Management server
Period          manage              Create, change, and delete periods
Report          manage              Create, change, and delete reports
                view                Display report content (read-only)
                undo                Undo checkout of report content
                edit                Edit report content
                lock                Lock all chapters of a report
                undo all chapters   Undo checkout of all chapters of a report
                unlock              Unlock all chapters of a report
                edit for writeback  Write back content from a generated report document to the chapter documents
Chapter         edit                Edit chapter content
                view                Display report content (read-only)
                undo                Undo checkout of chapter content

Standard Authorization Objects in the SAP BW System

If you want to use an SAP Business Information Warehouse (SAP BW) system as a data source, you must have
a user in the SAP BW system. To retrieve data from an SAP BW system, you must log on to the SAP BW system
using credentials for this system.

When users create briefing books in the SAP Disclosure Management Microsoft Office add-in, the system
stores these briefing books in the SAP Disclosure Management BW Connector.

The table below shows the security-relevant authorization object that is used in the SAP BW system:

Authorization Object: DCUBIPAUH
Field: ACTVT (Activity)
Values:
  01 (Create or generate): This value is currently not checked.
  02 (Change): This value is currently not checked.
  03 (Display): This value is currently not checked.
  16 (Execute): With this authorization, users can display and use all briefing books that have been created
  in SAP BusinessObjects Disclosure Management. Without this authorization, users can only display and use
  the briefing books that they have created or that have been assigned to them in the SAP BusinessObjects
  Disclosure Management Microsoft Office add-in.
  43 (Release): This value is currently not checked.

This authorization object is available in the SAP BW system after you have installed the SAP Disclosure
Management BW Connector.

You can use this authorization object in an authorization profile, which can be assigned to a role. You can then
assign the role to users. For more information, see the SAP NetWeaver Security Guide.

To assign SAP BW queries to a briefing book, users must also have authorizations for the queries in the SAP
BW system.

To access the replicated data from the SAP BW system in SAP Disclosure Management, users must have view
authorization for chapters.

6 Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support
the communication necessary for your business needs without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating system
and application level) or network attacks such as eavesdropping. If users cannot log on to your application or
database servers at the operating system or database layer, then there is no way for intruders to compromise
the machines and gain access to the backend system's database or files. Additionally, if users are not able
to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in
network services on the server machines.

Communication Channel Security

The following table describes the communication paths and protocols used between different components of
the application:

Communication Path: Frontend client using a Web browser to application server
  Protocol Used: HTTP(S)
  Type of Data Transferred: All application data
  Data Requiring Special Protection: Passwords

Communication Path: Frontend client using FREC client to application server
  Protocol Used: HTTP(S) / SOAP
  Type of Data Transferred: Report content and chapter content
  Data Requiring Special Protection: Report content and chapter content

Communication Path: Frontend client using Microsoft Office add-in to application server (via ASP.NET Web services)
  Protocol Used: HTTP(S) / SOAP
  Type of Data Transferred: Report content and chapter content
  Data Requiring Special Protection: Report content and chapter content

Communication Path: Application server to Microsoft SQL Server database
  Protocol Used: TCP/IP
  Type of Data Transferred: All application data
  Data Requiring Special Protection: Passwords, report content and chapter content

Communication Path: Application server to XBRL Processing Engine (XPE)
  Protocol Used: TCP/IP
  Type of Data Transferred: XBRL instances
  Data Requiring Special Protection: XBRL instances

Note

To ensure data protection and privacy, we recommend that you use HTTPS rather than HTTP for the
communication between the frontend client and the application server. In order to use HTTPS, you have to
activate HTTPS on the Microsoft Internet Information Services Server (IIS). For more information about the
activation of HTTPS on IIS, see the information in the Microsoft Knowledge Base.

The following figure shows the communication paths used to get data from different data sources:

The following table describes the communication paths and protocols used to get data from different data
sources:

Communication Path: Microsoft Office add-in to SAP ERP data source
  Protocol Used: RFC
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

Communication Path: Microsoft Office add-in to Microsoft Analysis Services data source
  Protocol Used: TCP/IP (MDX / XMLA)
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

Communication Path: Microsoft Office add-in to XML or Microsoft Excel data source
  Protocol Used: File system
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

Communication Path: Microsoft Office add-in to ODBC or OLEDB data source
  Protocol Used: TCP/IP (SQL)
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

Communication Path: Microsoft Office add-in or application server to SAP Business Information Warehouse (BW) data source with the SAP Disclosure Management BW Connector
  Protocol Used: HTTP(S) / SOAP
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

Communication Path: Microsoft Office add-in or application server to Microsoft SQL Server data source
  Protocol Used: TCP/IP (SQL)
  Type of Data Transferred: Financial report data
  Data Requiring Special Protection: Financial report data

6.1 Hypertext Transfer Protocol Secure (HTTPS) for SAP Disclosure Management

HTTPS protocol is used to encrypt and authenticate communication between Web server and client in the
World Wide Web (WWW).

The steps that are required to secure your communication in SAP Disclosure Management (SAP DM) are
described below.

Caution

Do not deploy self-signed certificates in the productive landscape.

Note

Please make sure that any http bindings, certificate issuing, etc. point to the same IP address or Fully
Qualified Domain Name (FQDN). Don't use, for example, localhost in config and 127.0.0.1 for certificate/
binding. We recommend that you use the FQDN for everything.

Configuring Internet Information Service for HTTPS

1. Import/create a (self-signed) certificate.
2. Create a binding for the SAP Disclosure Management site and remove the HTTP binding.

Note

3. To use integrated security with SQL Server, you need a user with read access to the LDAP for App Pool. For
more information, see How to: Configure an IIS-hosted WCF service with SSL.

Configuring SQL Server

Follow the procedure described in How to: Enable Encrypted Connections to the Database Engine (SQL Server
Configuration Manager) .

Note

To have access to the certificate store for SQL Server service, you need a user with read access. To use a
(self-signed) certificate, an Admin user may be required.

Configuring TaskEngine (Netsh Command)

Follow the procedure described in How to Configure the TaskEngine Service for HTTPS [page 19].

• IP Address
Use the following command:
netsh http add sslcert ipport=123.123.123.123:2605 certhash=abcdefgh appid={anyGUID} clientcertnegotiation=enable
• FQDN
Use the following command:
netsh http add sslcert hostnameport=<hostname>:2605 certhash=abcdefgh appid={anyGUID} clientcertnegotiation=enable certstorename=MY
For more information, see How to: Configure a Port with an SSL Certificate.

Changing Connection String for DM

To enable SAP DM for encrypted connections, you must modify the Application Server and TaskEngine
connection strings by using the Encrypt=True command.

To configure AppServer, proceed as follows:

1. Start Microsoft Windows Internet Explorer and go to the installation folder of SAP DM Application Server,
which is generally c:\inetpub\wwwroot\SAP\Disclosure Management.
2. Go to the bin folder and open the file cundus.enterpriseReporting.Services.dll.Config.
3. Find the connection string with the name enterpriseReporting and add Encrypt=True;.

Example

connectionString="Data Source=[SQL-Server];Initial Catalog=[DM Database];Integrated Security=False; User Id=CDMUser; Password=[password];MultipleActiveResultSets=True; Encrypt=True;"

To configure TaskEngine, proceed as follows:

1. Start Microsoft Windows Internet Explorer and go to the installation folder of SAP DM TaskEngine
C:\Program Files (x86)\SAP\SAP Disclosure Management TaskEngine.
2. Open the file SAP.DM.TaskEngine.WinService.dll.config.
3. Find the connection string with the name taskEngine and add Encrypt=True; to it.

Example

connectionString="Data Source=[SQL-Server];Initial Catalog=[DM Database];Integrated Security=False; User Id=CDMUser; Password=[password];MultipleActiveResultSets=True; Encrypt=True;"

Configuring XBRL Service

To configure XBRL Service, proceed as follows:

1. Start Microsoft Windows Internet Explorer and go to the installation folder of SAP DM Application Server,
which is generally c:\inetpub\wwwroot\SAP\Disclosure Management.
2. Go to the bin folder and open the file cundus.enterpriseReporting.Services.dll.Config.
3. Open the file SAP.DM.XBRL.Services.dll.config.
4. Find the connection string with the name XBRL Service and add Encrypt=True; to it.

Example

connectionString="Data Source=[SQL-Server];Initial Catalog=[DM Database];Integrated Security=False; User Id=CDMUser; Password=[password];MultipleActiveResultSets=True; Encrypt=True;"

Note

Re-uploading the plugin with updated configuration files does not work as long as the file version stays the
same. In this case, you have to manually edit the configuration files in the extracted plugin folder for any
TaskEngine installation.

Configuring Plugins

Update the URIs to XBRLService in the configuration files SAP.DM.XBRL.Services.dll.config and add
the certificate entry for the following plugins (if the scenario is used):

• SAP.DM.XBRL.Preview.Plugin
• SAP.DM.XBRL.PreviewExcel.Plugin
• SAP.DM.XBRL.USSECCalculationTrace.Plugin
• SAP.DM.XBRL.USSECValidation.Plugin
• SAP.DM.XBRL.Validation.Plugin

Configuring Batch Tool / FC Push

Proceed as follows:

1. Follow the instructions described under Configuring TaskEngine (Netsh Command) to apply the same
settings to the SAP.DM.PublicAPI.Import elements in the <system.serviceModel> section of the
AppServer web.config file:
  • Remove the endpoint for "mex".
  • Set httpsGetEnabled to "false".
  • Replace basicHttpBinding with basicHttpsBinding. This sets the security mode by default to
  "transport".
2. Update the service definition in DMBatchTool.exe.config, similar to the settings for TaskEngine.

6.1.1 How to Configure the TaskEngine Service for HTTPS

Context

To configure the task engine to work with HTTPS, you have to install a certificate on the server and client
machine. Official certificates are issued by the Certificate Authority (CA).

To verify if the certificates are available, proceed as follows:

1. Choose Start > Run and enter MMC. This opens the management console.
2. Choose File > Add/Remove Snap-in > Add...
3. Double-click Certificates.
4. Select Computer Account.
5. Choose Next > Finish > Close > OK.

Add a new SSL server certificate binding and the corresponding client certificate policies for the task engine
host name and port. To do this, you must copy the thumbprint of the certificate, as described below:

1. Select the certificate you want to use, open the details tab, and scroll down to the Thumbprint option.
2. Select the thumbprint and copy it.
3. Paste it into Microsoft Notepad or any other text editor, and remove the spaces between the characters.

Example

Once the spaces between the characters have been removed, it should look like this:
d714fdded29a4b58c5ed30f26642d7112af9f8d6

4. To link the certificate to the task engine URL, run the following command in an admin command prompt:
netsh http add sslcert hostnameport=<FQDN>:2605 certhash=<thumbprint> appid={<GUID>} clientcertnegotiation=enable certstorename=MY

Note

A GUID is a universally unique identifier that can be generated by online generators. It is used to
identify the application for which this mapping is created.

5. Configure the configuration file of the task engine SAP.DM.TaskEngine.WinService.exe.config as
shown below:

6. Adjust the file web.config of DM SERVER – APPL SERVER 10.1 instance, as shown below:
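The thumbprint handling in steps 3 and 4 above is where bindings usually go wrong: a thumbprint copied from the certificate dialog carries spaces and can carry an invisible left-to-right mark (U+200E) that netsh rejects. The following Python script is an added example, not part of the SAP guide: it normalises and validates the copied thumbprint and assembles the netsh binding command. Port 2605 and certstorename=MY are the guide's values; the host name and the GUID handling are constructed for this example.

```python
"""Build the 'netsh http add sslcert' binding for the DM TaskEngine HTTPS port.

Added example, not part of the SAP Disclosure Management guide. It automates
steps 3 and 4 of section 6.1.1: clean up the thumbprint copied from the
certificate dialog, validate it, and assemble the netsh command line.
"""
import re
import uuid

TASKENGINE_PORT = 2605  # port used throughout section 6.1 of the guide

# Characters that a copy from the certificate dialog can carry along: spaces
# between the byte pairs plus invisible marks (U+200E/U+200F, BOM) that make
# netsh reject the certhash value.
_NOISE = re.compile(r"[\s\u200e\u200f\ufeff]")


def normalise_thumbprint(raw):
    """Return the SHA-1 thumbprint as 40 lowercase hex characters.

    Raises ValueError if, after stripping spaces and invisible marks, the value
    is not exactly 40 hex digits (a truncated or mis-pasted thumbprint).
    """
    cleaned = _NOISE.sub("", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 certificate thumbprint: {raw!r}")
    return cleaned


def build_netsh_command(fqdn, raw_thumbprint, appid=None, port=TASKENGINE_PORT):
    """Assemble the binding command from section 6.1.1, step 4.

    fqdn must be the fully qualified host name used for the TaskEngine
    certificate and bindings; the guide warns against mixing localhost,
    127.0.0.1 and the FQDN, so those are rejected here.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+", fqdn) or fqdn.lower() in ("localhost", "127.0.0.1"):
        raise ValueError(f"use the FQDN of the TaskEngine host, not {fqdn!r}")
    # Any GUID works; it only identifies the application that owns the binding.
    appid = appid or uuid.uuid4()
    return (
        f"netsh http add sslcert hostnameport={fqdn}:{port} "
        f"certhash={normalise_thumbprint(raw_thumbprint)} "
        f"appid={{{appid}}} clientcertnegotiation=enable certstorename=MY"
    )


if __name__ == "__main__":
    # Constructed input: the guide's example thumbprint as it appears in the
    # dialog, with spaces, and a constructed host name.
    copied = "d7 14 fd de d2 9a 4b 58 c5 ed 30 f2 66 42 d7 11 2a f9 f8 d6"
    print(build_netsh_command("dm-taskengine.example.com", copied))
```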

Results

You have configured the task engine to use SSL with HTTP.

Related Information

http://msdn.microsoft.com/en-us/library/ms733791.aspx
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security

6.2 Disabling Old Protocols (SSL2, SSL3, TLS 1.0, TLS 1.1)

Follow the procedure Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in
Windows.

Note

For SQL Server 2008 R2 (SP3), a patch is needed to support TLS 1.2 (KB 3144114). For more information, see
TLS 1.2 support for Microsoft SQL Server.

Note

For Windows Server 2012 R2, a patch is needed to support TLS 1.2 (KB 3099842). For more information,
see Hotfix rollup 3099842 for the .NET Framework 4.5.2 and the .NET Framework 4.5.1 on Windows.

Note

For running the registry script for SChannel ciphers (both fixes for 64/64 and 32/64 bit), see Microsoft
Security Advisory 2960358.

6.3 Password Encryption for Connection Strings

SAP Disclosure Management connection strings can pose a security problem as the login and password are
defined in clear text. Although this information is only visible to the system administrator, this person may not
be the database administrator and therefore should not be allowed to see the database connection login and
password. There is potential for a severe misuse of sensitive data.

The clear text connection strings are currently only used by the application server and task engine service in
the files listed below:

File location: DM AppServer Installation Folder\Bin\cundus.enterpriseReporting.Services.dll.Config

File location: DM Taskengine Installation Folder\SAP\SAP Disclosure Management TaskEngine\SAP.DM.TaskEngine.WinService.exe.config

Encryption API

Microsoft provides a standard RSA Encryption Provider called DataProtectionConfigurationProvider, which is


used to encrypt and decrypt connection strings of ASP.NET Web configuration files. The method is called with
the parameter value connectionStrings, which is the section name in the corresponding configuration file.
First the configuration file is loaded, then the section is RSA encrypted, and the configuration file is saved
again.

Encryption Schedule

The encryption runs automatically when the SAP Disclosure Management application or task engine starts.

SAP Disclosure Management application server

The connection string encryption method is called from the global.asax method Application_Start(),
where the encryption process will also be logged. When the method is called after an IISReset, the connection
string is encrypted automatically. If the administrator needs to reset the application, the connection string
information can be changed beforehand. You also have the option to change it if the server, login, or password
changes during productive use of SAP Disclosure Management.

SAP Disclosure Management Task Engine Service

The connection string encryption method is called from the program.cs method OnStart(), where the
encryption process will also be logged. The method is called when the service starts or restarts. The
connection string information can be changed before this is done; you can also change it if the server, login, or
password changes during productive use of SAP Disclosure Management. The same encryption occurs when
the task engine console is started.

6.3.1 Changing Connection Strings After Encryption

Context

If the connection string server or password information has changed, proceed as follows:

Procedure

1. Open the file cundus.enterpriseReporting.Services.dll.config from the \bin folder below the
installation folder of DM SERVER – APPLICATION SERVER 10.1 with a text editor.
2. Replace the tag <connectionStrings> which includes an encrypted section with clear text according to
the example below.

<connectionStrings>
  <add name="enterpriseReporting"
       connectionString="Data Source=server;Initial Catalog=DisclosureManagementDB;Integrated Security=true;User Id=CDMUser;Password=#CDMUserPassword#;MultipleActiveResultSets=True"
       providerName="System.Data.SqlClient">
  </add>
</connectionStrings>

3. Do the same for the file SAP.DM.TaskEngine.WinService.exe.config from the installation folder of
DM SERVER - TASK ENGINE 10.1.
4. Alternatively, you can find a template <connectionStrings> section in both configuration files; copy
them and paste them over the existing encrypted section.
5. Reset or restart the application.
6. The new connection string is encrypted again.
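The encryption mechanism described in section 6.3 and the restart step above, as an added example that is not SAP's code: the script opens each configuration file with the .NET ConfigurationManager, reports whether the connectionStrings section is protected and whether a clear-text Password= is still readable on disk, and can protect the section through ProtectSection with the provider name given in section 6.3 without waiting for the next application start. The installation paths, the function names and the use of the exe configuration map for both files are assumptions.

```powershell
# Added example, not SAP's code: inspect the <connectionStrings> section of a
# DM configuration file and protect it with the same ProtectSection API the
# guide describes. File paths below are assumptions for your installation.
Add-Type -AssemblyName System.Configuration

function Open-DmConfig {
    param([Parameter(Mandatory)][string]$ConfigPath)
    # Both files are *.config beside an assembly or executable, so the exe map applies (assumption)
    $map = New-Object System.Configuration.ExeConfigurationFileMap
    $map.ExeConfigFilename = $ConfigPath
    [System.Configuration.ConfigurationManager]::OpenMappedExeConfiguration(
        $map, [System.Configuration.ConfigurationUserLevel]::None)
}

function Get-DmConnectionStringsProtection {
    param([Parameter(Mandatory)][string]$ConfigPath)
    $section = (Open-DmConfig -ConfigPath $ConfigPath).GetSection('connectionStrings')
    $info = $section.SectionInformation
    [pscustomobject]@{
        File              = $ConfigPath
        IsProtected       = $info.IsProtected
        Provider          = if ($info.IsProtected) { $info.ProtectionProvider.Name } else { $null }
        # A literal Password= in the raw XML means the secret is still readable on disk
        ClearTextPassword = [bool](Select-String -Path $ConfigPath -Pattern 'Password=' -Quiet)
    }
}

function Protect-DmConnectionStrings {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        # Provider name as given in section 6.3 of the guide
        [string]$ProviderName = 'DataProtectionConfigurationProvider'
    )
    $config  = Open-DmConfig -ConfigPath $ConfigPath
    $section = $config.GetSection('connectionStrings')
    if (-not $section.SectionInformation.IsProtected) {
        $section.SectionInformation.ProtectSection($ProviderName)
        $section.SectionInformation.ForceSave = $true
        $config.Save([System.Configuration.ConfigurationSaveMode]::Modified)
    }
    Get-DmConnectionStringsProtection -ConfigPath $ConfigPath
}

# Assumed installation paths; replace them with the folders listed in section 6.3
$files = @(
    'C:\SAP\DisclosureManagement\AppServer\Bin\cundus.enterpriseReporting.Services.dll.Config',
    'C:\SAP\SAP Disclosure Management\TaskEngine\SAP.DM.TaskEngine.WinService.exe.config'
)
$files | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-DmConnectionStringsProtection -ConfigPath $_ } | Format-List
```

Run the check after every restart that follows a connection string change: IsProtected = True together with ClearTextPassword = False is the expected state. DataProtectionConfigurationProvider binds the encrypted section to the server it was encrypted on, so when an installation is moved, put the clear-text template from step 4 into the file on the new server and let it be encrypted there.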

6.4 Cross-Origin Resource Sharing

Context

The SAP Disclosure Management application server does not prevent cross-origin requests, as these are
required to be able to operate within the entire network without being limited to a specific domain. However, if
you do want to limit cross-origin resource sharing, follow the steps below:

Procedure

1. Open Internet Information Service Manager (IIS Manager).


2. Select the SAP Disclosure Management web site.
3. Select the IIS feature HTTP Response Headers.
4. Add a new HTTP response header Access-Control-Allow-Origin and set the value to the required domain.

6.5 RESTful API and Security

SAP Disclosure Management provides and uses many RESTful APIs. These APIs are secured with a signed
access token, which is created during the login procedure or by using an authentication request. The signing is
done with a certificate. By default, a self-signed certificate with the issuer ApiDisclosureManagement is used,
which is delivered with SAP Disclosure Management and imported to the server's certificate store during the
installation of SAP Disclosure Management.

Note

It is strongly recommended to use an officially signed certificate in your productive system. For more
information, see Changing the Signing Certificate [page 37].

6.5.1 Enable AD Authentication

You can use the RESTful API with AD authentication. When using this function, it is necessary to extend the
Web.config file, which is located in the SAP Disclosure Management server root folder. Paste the content
below within the section <configuration> of your Web.config file:

Sample Code

<configuration>
  <!-- Disable Forms Authentication for this URL -->
  <location path="api/AuthenticateAD">
    <!-- Disable Forms Authentication -->
    <FormsAuthenticationWrapper enabled="false" />
    <system.webServer>
      <security>
        <!-- Enable IIS Windows authentication for the login page -->
        <authentication>
          <windowsAuthentication enabled="true" />
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>

Note

Anonymous RESTful API calls are not allowed. To get an access token by using AD authentication,
use the parameter UseDefaultCredentials with the command Invoke-WebRequest.

Example

$access_token = Invoke-WebRequest %SERVER%/api/Authenticate -method Post -UseDefaultCredentials

6.5.2 RESTful API Calls Within SAP Disclosure Management
(SAP DM)

Context

The figure below describes the process for RESTful API calls within SAP Disclosure Management:

Figure: RESTful API Calls Within SAP Disclosure Management (SAP DM)

Procedure

1. The client logs on to SAP DM.


2. The application server creates an access token, which is used for each RESTful API call. This access token
contains client-specific information and an expiration date.
3. A certificate is needed to encrypt and sign the above-mentioned data. SAP Disclosure Management
requests the certificate from the personal certificate store of the Windows server.
4. SAP DM receives the certificate from the certificate store of the Windows server.
5. SAP DM encrypts and signs the client's access token and stores it in the client's session.
6. The client consumes a RESTful API.
7. SAP DM reads the access token from the client's session.
8. A certificate is needed to decrypt and validate the access token. SAP DM requests the certificate from the
certificate store of the Windows server.
9. SAP DM receives the certificate from the certificate store of the Windows server.
10. SAP DM decrypts and validates the client's access token.
11. SAP DM sends the response to the client if the access token is valid.

6.5.3 RESTful API Calls from Outside SAP Disclosure
Management (SAP DM)

Context

SAP DM provides RESTful APIs for external clients that are not logged in to SAP DM. This procedure is shown in
the figure below:

Figure: RESTful API Calls from Outside SAP Disclosure Management (SAP DM)

Procedure

1. The client authenticates itself against SAP DM by using an Authenticate API which allows anonymous
calls.
2. The application server creates an access token, which is used for each RESTful API call. This access token
contains client-specific information and an expiration date.
3. A certificate is needed to encrypt and sign the above-mentioned data. SAP DM requests the certificate
from the certificate store of the Windows server.
4. SAP DM receives the certificate from the personal certificate store of the Windows server.
5. SAP DM encrypts and signs the client's access token and stores it in the client's session.
6. The client receives an encrypted and signed access token.
7. The client consumes a RESTful API and sends the access token from step 6 in the request header.
8. SAP DM reads the access token from the client's request header.
9. A certificate is needed to decrypt and validate the access token. SAP DM requests the certificate from the
certificate store of the Windows server.
10. SAP DM receives the certificate from the certificate store of the Windows server.
11. SAP DM decrypts and validates the client's access token.
12. SAP DM sends the response to the client if the access token is valid.

6.6 RESTful API Methods

6.6.1 API Method to Trigger Ad Hoc Tasks

Prerequisites

• The global permission object Report Edit or object Chapter Edit must be assigned to the
authenticated user. The first API call first checks the permission of the user, then validates the three
parameters, and finally triggers the task creation API call.
• After the method has run successfully and the task is created the second API call can be started to save
the document created by the first API call.

API 1 CreateAdhocResult

Run the MS PowerShell script without any arguments set, as illustrated below:

Sample Code

$system = 'http://localhost:1600'
$user = 'User'
$pw = 'Password'
# Authenticate first; the access token is returned in a response header
$params = @{username=$user;password=$pw} | ConvertTo-Json
$response = Invoke-WebRequest $system/api/Authenticate -method Post -body $params
if($response.statuscode -ne 200){
    "Error: $($response.statuscode)"
    exit;
} else {
    $at = $response.headers.access_token
    "authorization token obtained"
}
$response = ""
# The access token is sent in the access_token request header of every further API call
$params1 = @{"access_token" = $at;"Content-type" = "application/json";"Accept-Language" = "en-EN" }
# AdHocLevel 1 = report, 2 = chapter; ID = report or chapter ID; PluginName as shown under Adhoc Actions
$params2 = @{AdHocLevel='1';ID='30';PluginName='XBRL - Template - Validate'; } | ConvertTo-Json
$response = Invoke-WebRequest $system/api/CreateAdhocResult -headers $params1 -method Post -body $params2
if($response.statuscode -ne 200){
    "Error: $($response.statuscode)"
    exit;
} else {
    "task has been created"
}

The script first authenticates the user. If this succeeds, the generated access token is used to call the method
with the AdHocLevel parameter. Possible values are 1 (Report) and 2 (Chapter). The ID parameter specifies
the report or chapter that should be used, and the PluginName parameter defines the task to be triggered. It
can be any task that is visible to the user on the General tab in the Adhoc Actions area. The PluginName
should be copied from this view into the API call or entered exactly as shown there.

API 2 GetAdhocResult

Run the MS PowerShell script without any arguments set, as illustrated below:

Sample Code

$system = 'http://localhost:1600'
$user = 'User'
$pw = 'Password'
$params = @{username=$user;password=$pw} | ConvertTo-Json
$response = Invoke-WebRequest $system/api/Authenticate -method Post -body $params
if($response.statuscode -ne 200){
    "Error: $($response.statuscode)"
    exit;
} else {
    $at = $response.headers.access_token
    "authorization token obtained. Waiting for task completion"
}
$output = "validateTest.xlsx"
$response = ""
$params1 = @{"access_token" = $at;"Content-type" = "application/json";"Accept-Language" = "en-EN" }
# FileExtension must match the extension of the file produced by the task
$params2 = @{AdHocLevel='1';ID='30';FileExtension="xlsx" } | ConvertTo-Json
# -PassThru returns the response object in addition to writing the file with -OutFile
$response = Invoke-WebRequest $system/api/GetAdhocResult -headers $params1 -method Post -body $params2 -OutFile $output -PassThru
if($response.statuscode -ne 200){
    "Finished"
    $($response)
    exit;
} else {
    "file downloaded"
}
The script first authenticates the user. If this succeeds, the generated access token is used to call the method
with the AdHocLevel parameter. Possible values are 1 (Report) and 2 (Chapter). The ID parameter specifies
the report or chapter to be used, and the FileExtension parameter defines the file type of the result file. The
file is downloaded to the path set in $output = "validateTest.xlsx" and was created by a task triggered by the
logged-in user.

Note

The file extension must match the parameter here; otherwise the file won't be downloaded. You can trigger
an ad hoc action in the UI once to check the file extension for your case.

Note

Only the last created file is downloaded. Both API calls are meant to be triggered in a single PowerShell
script. You can even start the second API call first; it will wait for a user task to finish.

6.6.2 API Method to Revert the Latest Report Revision

Prerequisites

• The global permission object Report Edit or object Chapter Edit must be assigned to the
authenticated user. The first API call first checks the permission of the user, then validates the three
parameters, and finally triggers the task creation API call.
• After the method has run successfully and the task is created the second API call can be started to save
the document created by the first API call.

API ReverseReportRevision

Run the MS PowerShell script without any arguments set, as illustrated below:

Sample Code

$system = 'http://localhost:1600'
$user = 'testuser'
$pw = 't'
$params = @{username=$user;password=$pw} | ConvertTo-Json
$response = Invoke-WebRequest $system/api/Authenticate -method Post -body $params
if($response.statuscode -ne 200){
    "Error: $($response.statuscode)"
    exit;
} else {
    $at = $response.headers.access_token
    "authorization token obtained"
}
$response = ""
$params1 = @{"access_token" = $at;"Content-type" = "application/json";"Accept-Language" = "en-EN" }
# ReportID as shown on the General tab; Action is the last report-triggered action to revert
$params2 = @{ReportID='263';Action='RolloutTemplates'; } | ConvertTo-Json
$response = Invoke-WebRequest $system/api/ReverseReportRevision -headers $params1 -method Post -body $params2
if($response.statuscode -ne 200){
    "Error: $($response.statuscode)"
    exit;
} else {
    "last chapter revisions have been reverted"
}

The script first authenticates the user. If this succeeds, the generated access token is used to call the method
with the ReportID parameter. Its value is the report ID, which can be viewed on the General tab.
The second parameter, Action, specifies the last report-triggered action. If it is one of the options
ContentRefresh, WriteBack, or RolloutTemplates, every chapter of the report may have this action as its last
action run by the business user, which can be checked on the Chapter Revision tab, where the last revision is
displayed. If that action was run by mistake, the call reverts each chapter to the previous revision in the
revision list. Restoring all report chapters manually is no longer required.

6.7 Information Disclosure

6.7.1 Disabling WebService Documentation Protocol

Context

To disable the documentation protocol for ASP.NET Web services apply the settings from the official Microsoft
Documentation, as described in HOW TO: Disable the Documentation Protocol for ASP.NET Web Services .

6.7.2 Disabling Asp.NET Version Header

Context

This setting is used to prevent the web server from sending version information with every http response. To
prevent the web server from sending the Asp.Net Version header in SAP Disclosure Management (SAP
DM), the administrator must manually set this setting as follows:

Procedure

1. Open the web.config file in the application folder of SAP DM.


2. Locate the <httpRuntime> tag directly under <system.web>.
3. Edit the <httpRuntime> tag by adding the enableVersionHeader attribute with the value false.

Note

All other attributes should remain unchanged.

Example

<httpRuntime … enableVersionHeader="false" />

4. Restart the application.

Note

For installations of SAP Disclosure Management 10.1 with version SP10 or higher, this setting is
set automatically. No further actions are necessary for the administrator.

6.7.3 Disabling Server Header

Context

To remove server headers in IIS, the following options are available:

• You can install and configure a tool such as Microsoft IIS URL Rewrite.
• You can set the server header to a static value, not exposing information, for example, "-", via IIS.

Proceed as follows:

Procedure

1. Start IIS and go to Servername > Sites > SAP Disclosure Management.


2. Select the IIS category HTTP Response Headers.
3. In Actions, select Add, then enter Server as the header name and, for example, - as the value.

6.8 Security Headers

Context

We recommend that you add specific security headers to each HTML response. This prevents typical attacks,
such as cross-site scripting and clickjacking.

To set the headers in SAP Disclosure Management (SAP DM), proceed as follows:

Procedure

1. Open the web.config file in the application folder of SAP DM.


2. Locate the <customHeaders> tag directly under <system.webServer>.
3. Add the following lines:

<add name="X-XSS-Protection" value="1; mode=block" />

<add name="X-Frame-Options" value="SAMEORIGIN" />


4. To prevent cross-site scripting (XSS) attacks, add the following line:

<add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval'"/>

5. Restart the application.

6.9 Configuring Cloud Metering

Changing IIS Configuration

To enable SSL client certificate negotiation only for the DM metering API, you must change the IIS
configuration file applicationhost.config (default location: %windir%\system32\inetsrv\config\)
as follows:

Alternatively, you can use PowerShell:

Changing the DM Web Configuration File

In the SAP Disclosure Management installation folder, you must change the web.config file to enable the SSL
client certificate negotiation only for the metering API path.

Certificate Requirements

To enable SSL certificate negotiation between the SAP S/4HANA metering feature and the SAP Disclosure
Management metering API, the following X.509 certificates must be in place:

• On the S/4HANA Server


If necessary, create a certificate store in transaction STRUST with an X.509 certificate dedicated to the
SAP DM metering process with a client authentication scope and signed by a trusted certificate authority
(CA) on both machines. For more information about the Transport Layer Security (TLS) enablement steps
and about how to add certificates, see the official documentation.
• On the DM SERVER - APPL SERVER 10.1 instance
The X.509 certificate must have server authentication specified and must be issued by the same
certificate authority that is used on the SAP S/4HANA client authentication side. This can be the same
X.509 certificate used to enable HTTPS. The X.509 certificate is usually stored in the server certificate
store path Local Computer > Personal > Certificates.

7 Changing the Signing Certificate

Context

The shipped self-signed certificate is used by default to encrypt and sign access tokens. If you want to use a
certificate other than the default one, we strongly recommend that you use a certificate signed by a Trusted
Root Certification Authority. Follow the steps below:

Procedure

1. Using the Microsoft Management Console, import a certificate into the Microsoft Windows Certificate
Manager, to your personal folder on your local computer.
2. Assuming that the issuer of the imported certificate is ‘CN=SAPDisclosureManagement’, it is necessary to
extend the <applicationSettings> in the Web.config file, which is located in the SAP DM root folder,
as shown below:

Sample Code

<applicationSettings>
  <cundus.enterpriseReporting.Web.Properties.Settings>

    <!-- Rest of the applicationSettings -->

    <setting name="ApiLocalDMCertificateIssuerName" serializeAs="String">
      <value>SAPDisclosureManagement</value>
    </setting>

  </cundus.enterpriseReporting.Web.Properties.Settings>
</applicationSettings>
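A check for the certificate setup described in section 6.5 and in the procedure above, added as an example that is not SAP's code: it reads the issuer name from the ApiLocalDMCertificateIssuerName setting, finds the matching certificates in the Local Computer > Personal store and reports whether each one is self-signed, carries a private key and is close to expiry. The Web.config path, the function names and the fallback to the shipped issuer name when the setting is absent are assumptions.

```powershell
# Added example, not SAP's code: locate the certificate DM uses to sign API
# access tokens and report the properties a reviewer checks. The Web.config
# path is an assumption; the store is Local Computer > Personal as in the guide.
function Get-DmConfiguredIssuerName {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $node = $cfg.SelectSingleNode(
        "//applicationSettings/*/setting[@name='ApiLocalDMCertificateIssuerName']/value")
    # Assumption: when the setting is absent, the shipped default issuer applies
    if ($node) { $node.InnerText.Trim() } else { 'ApiDisclosureManagement' }
}

function Get-DmTokenSigningCertificate {
    param(
        [string]$IssuerName = 'ApiDisclosureManagement',
        [string]$StorePath  = 'Cert:\LocalMachine\My'
    )
    $pattern = "(^|, )CN=$([regex]::Escape($IssuerName))(,|$)"
    Get-ChildItem -Path $StorePath | Where-Object { $_.Issuer -match $pattern } | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            # A self-signed certificate has identical subject and issuer
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            DaysToExpiry  = [int]($_.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Assumed location of the DM root folder
$issuer = Get-DmConfiguredIssuerName -WebConfigPath 'C:\inetpub\wwwroot\SAPDisclosureManagement\Web.config'
$certs  = @(Get-DmTokenSigningCertificate -IssuerName $issuer)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate issued by CN=$issuer in Cert:\LocalMachine\My; DM cannot sign tokens without it"
}
foreach ($c in $certs) {
    if ($c.SelfSigned)          { Write-Warning "$($c.Thumbprint): self-signed; use a CA-issued certificate in production" }
    if (-not $c.HasPrivateKey)  { Write-Warning "$($c.Thumbprint): no private key, so it cannot sign tokens" }
    if ($c.DaysToExpiry -lt 30) { Write-Warning "$($c.Thumbprint): expires in $($c.DaysToExpiry) days" }
}
$certs | Format-List
```

Run it after importing a new certificate and again before its expiry date; an expired or missing signing certificate stops every RESTful API call at the validation step described in sections 6.5.2 and 6.5.3.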

8 Session Handling

Log-In/Log-Out Behavior

SAP Disclosure Management and SAP Disclosure Management Fiori Launchpad are both authenticated using
the same user log-in data. This means that when you log out from one application, you’re automatically logged
out from the other one.

Session ID Behavior

The session for all users is handled by the .NET standard mechanism. One session ID is used for both apps
when you switch from the SAP Disclosure Management Web UI to the SAP Disclosure Management Fiori
Launchpad.

Session ID Regeneration

The session ID is generated again after a specific time duration when you change the web.config file via a .NET
standard configuration.

Administrators should change this entry to set the session regeneration timeout to the shortest and most
secure possible value (one minute):

<sessionState mode="InProc" cookieless="false" timeout="1" />

Furthermore, the session ID is renewed if you log in from the SAP Disclosure Management Web UI to the SAP
Disclosure Management Fiori Launchpad.

Note

In SAP Disclosure Management, a regularly triggered notification mechanism checks for completed
Disclosure Management Task Engine jobs, which automatically renews the session. Therefore, the session
never ends due to user inactivity.

9 Data Storage Security

The data for the SAP Disclosure Management server is stored in a Microsoft SQL Server database. This data is
not encrypted, except for the users' passwords, which are encrypted. The data is stored at every transaction.

Chapter documents that are uploaded to SAP Disclosure Management are also stored in a Microsoft SQL
server database. These documents are not encrypted. The documents are stored when a chapter document is
uploaded.

Temporary Storage of Data

Data is stored temporarily in the following cases:

• When users use the Upload function on the server, the documents are stored on the file system on the
server machine during the upload process. You can configure the path to the folder under Administration
> System Configuration > Upload.
• When users use the Compare function on the server, the documents to be compared are stored on the file
system on the server machine. You can configure the path to the folder under Administration > System
Configuration > Upload.
• When users use the Edit or View function on the server, the requested document is temporarily stored in
the %TEMP% folder on the client machine.

9.1 Cookies in SAP Disclosure Management (SAP DM)

SAP Disclosure Management requires a Web browser as the user interface. The application stores session
cookies on the front end. The session cookies contain a session ID. The cookies are valid until the end of the
session.

Enabling Secure Cookies

It is possible to set the cookies to secure by using a flag. The secure flag is an option that the application
server can set when sending a new cookie to the user within an HTTP response. It is used to prevent cookies
from being observed by unauthorized parties due to the transmission of the cookie in clear text. To accomplish
this goal, browsers that support the secure flag will only send cookies with the secure flag when the request is
going to an HTTPS page.

In other words, the browser will not send a cookie with a secure flag over an unencrypted HTTP request. By
setting the secure flag, the browser prevents the transmission of a cookie over an unencrypted channel.

To set the secure flag in SAP DM, proceed as follows:

1. Open the web.config file in the application folder of SAP DM.

2. Locate the tag <system.web> directly under <configuration>.
3. Add the following line: <httpCookies requireSSL="true"/>
4. Restart the application.
If you enable this option, the application can only be accessed using Secure Sockets Layer (SSL). Without
SSL, it will no longer be possible to log in.

Note

For more information, see SAP Note 2206315.

Note

If you have activated single sign-on (SSO), for example, using the authentication mode forms, you must
also add the attribute requireSSL with the value "true" to the <forms> tag, as illustrated below:

<system.web>
  <httpCookies requireSSL="true" />
  <authentication>
    <forms ... requireSSL="true" />
  </authentication>
</system.web>
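One audit over all of the web.config settings this guide asks for, added as an example that is not SAP's code: it covers the version header from section 6.7.2, the response headers from section 6.8, the session timeout from section 8 and the secure cookie and forms settings from this section. The sample document inside the script is constructed so that the function runs offline and produces findings; the function name and the XPath locations (customHeaders under httpProtocol, as IIS stores it) are the author's assumptions.

```powershell
# Added example, not SAP's code: audit a DM web.config for the settings the
# guide describes in 6.7.2 (version header), 6.8 (security headers),
# 8 (session timeout) and 9.1 (secure cookies). The sample document below is
# constructed for illustration; point the function at the real file instead.
function Test-DmWebConfigHardening {
    param([Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]

    $runtime = $Config.SelectSingleNode('/configuration/system.web/httpRuntime')
    if (-not $runtime -or $runtime.GetAttribute('enableVersionHeader') -ne 'false') {
        $findings.Add('6.7.2: httpRuntime enableVersionHeader is not "false"')
    }

    $cookies = $Config.SelectSingleNode('/configuration/system.web/httpCookies')
    if (-not $cookies -or $cookies.GetAttribute('requireSSL') -ne 'true') {
        $findings.Add('9.1: httpCookies requireSSL is not "true"')
    }
    $forms = $Config.SelectSingleNode('/configuration/system.web/authentication/forms')
    if ($forms -and $forms.GetAttribute('requireSSL') -ne 'true') {
        $findings.Add('9.1: <forms> lacks requireSSL="true" (needed with forms-based SSO)')
    }

    $session = $Config.SelectSingleNode('/configuration/system.web/sessionState')
    $timeoutText = if ($session) { $session.GetAttribute('timeout') } else { '' }
    $timeout = if ($timeoutText) { [int]$timeoutText } else { 20 }   # ASP.NET default is 20 minutes
    if ($timeout -gt 1) {
        $findings.Add("8: sessionState timeout is $timeout minute(s); the guide recommends 1")
    }

    # IIS keeps customHeaders under system.webServer/httpProtocol (assumption for the XPath)
    $headers = @{}
    foreach ($add in $Config.SelectNodes('//system.webServer//customHeaders/add')) {
        $headers[$add.GetAttribute('name')] = $add.GetAttribute('value')
    }
    foreach ($name in 'X-XSS-Protection', 'X-Frame-Options', 'Content-Security-Policy') {
        if (-not $headers.ContainsKey($name)) { $findings.Add("6.8: response header $name is missing") }
    }
    if ($headers.ContainsKey('Content-Security-Policy') -and
        $headers['Content-Security-Policy'] -match "'unsafe-inline'|'unsafe-eval'") {
        $findings.Add("6.8 (info): Content-Security-Policy permits inline or eval scripts")
    }
    return $findings
}

# Constructed sample, deliberately incomplete so that findings appear
$sample = [xml]@'
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
    <httpCookies requireSSL="true" />
    <sessionState mode="InProc" cookieless="false" timeout="20" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@
Test-DmWebConfigHardening -Config $sample
# Real file: Test-DmWebConfigHardening -Config ([xml](Get-Content -Raw '<DM application folder>\web.config'))
```

For the constructed sample the function reports four findings: the forms tag without requireSSL, the 20-minute session timeout, and the two missing response headers. The last check is informational because the value recommended in section 6.8 itself contains 'unsafe-inline' and 'unsafe-eval'; the finding records that the policy does not block inline scripts, so that the header's presence is not mistaken for full XSS protection.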

10 Security-Relevant Logging and Tracing

Logging during debugging is switched off by default. For information about how to switch it on, see SAP Note 2292975.

Log rotation allows you to prevent denial-of-service (DoS) attacks. Daily logs are split into up to five separate
files if they exceed the size of 20 MB each. Any subsequently created file triggers the deletion of the oldest of the
five files.

Note

If you have switched logging on, please keep in mind that it could possibly be used for a denial-of-service
(DoS) attack.

10.1 Configuring HTTP Request Logging

Context

By default, the Internet Information Services (IIS) is configured to log the authenticated user name for each
HTTP request. To prevent user information from being logged, follow the steps below:

Procedure

1. Follow the link to Default Log File Settings for Web Sites <logFile> to find information on log file settings.
2. Navigate to the How To section.
3. Follow steps 1 to 5 in the How To section. In step 5, disable the <User Name (cs-username)> field.
4. Apply the settings.

Results

You have configured the default logging for a web site.

11 Other Security-Relevant Information

Server Security

Technical information about the server that protocol standards expose to clients should be adjustable and
suppressible.

The delivery of the server information within the HTTP header can be minimized by editing the file
web.config. For more information, see http://msdn.microsoft.com/en-us/library/e1f13641.aspx.

Web Services on the SAP Disclosure Management Server

SAP Disclosure Management exposes Web services based on ASP.NET. These Web services are used for the
communication between the application server and the Microsoft Office add-in.

The services offered by the application use their own mechanism to establish an authenticated user on the
service consumer side:

1. The user is authenticated in the application.


2. If the client wants to use services offered by the application, the application passes a specific URL to the
client. This URL includes an authentication token (“sessionId”).
3. For each use request, the client transmits this authentication token to the application.
4. If the authentication token is valid, the application grants access to the requested resource. If it is not valid,
the application denies access.

Disabling the Service Help Pages for the Web Services

SAP Disclosure Management automatically displays help pages for its Web Services. For security reasons,
you can disable this feature. To do so, modify the webServices section of the Web.config file to
explicitly remove the documentation protocol:

Source Code

<webServices>
  <protocols>
    <remove name="Documentation" />
  </protocols>
</webServices>

It is not necessary to restart the application.

For more information, see also https://msdn.microsoft.com/en-us/library/2tyf2t8t(v=vs.80).aspx

Web Service Security in the SAP BW System

If you install the SAP BW adapter provided by SAP Disclosure Management, Web services for communication
with the SAP Disclosure Management server are installed on the SAP BW server. Make sure that the settings
for communication security and channel authentication are identical for all these Web services.

For more information on secure configuration of these Web services, see the section “Installing the SAP BW
Adapter” in the SAP Disclosure Management Installation Guide.

Javascript

When accessing the application in a Web browser, JavaScript code is executed in the frontend.

Enforce File Type Validation

In the Administration/System Configuration/Misc dialog, you can enable or disable enforcement of file type
validations:

• If you enable this setting, uploaded files are checked before they are saved in SAP Disclosure Management.
No files are uploaded if this check fails. The file content is checked against the allowed file types of the
upload target. These file types can be, for example, XML configuration files, Microsoft Word files for report
templates, or defined file types of a report type.
• If you disable this setting, the file type is still checked, but the upload restrictions are deactivated.
Instead, an INFO log entry is generated.

Note

By default, this setting is enabled.

Note

Changes to this setting are logged in the audit trail events log.

Enforce Virus Scan

In the Administration/System Configuration/Misc dialog box, you can enable or disable enforcement of virus
scans:

• If you enable this setting, uploaded files are checked before they are saved in SAP Disclosure Management.
No files are uploaded if the scan is positive. The file content is scanned for viruses with the locally installed
antivirus software.
• If you disable this setting, the files are not scanned.

• The vendor of the antivirus software must support the IOfficeAntiVirus interface that is also used to scan
email and messaging attachments.

Note

By default, this setting is enabled.

Note

Changes to this setting are logged in the audit trail events log.

Max Request Restriction for TaskEngine (Throttling)

Throttling has a twofold purpose:

• It prevents the service host from being overrun by a large number of requests.
• It enables the load on the service, as well as the server on which the service is running, to be smoothed out.

In both cases, the intent is to place a limit on the number of incoming requests so that the service is able to
handle them in a timely manner.

The settings in the service behavior control the number of requests the service host is allowed to process
simultaneously. These settings are defined in the ServiceThrottlingBehavior section of the TaskEngine
configuration file:

• MaxConcurrentCalls
The MaxConcurrentCalls value specifies the number of simultaneous calls the service accepts. The
default value is 16 calls. Of the three settings, this is the only one that covers all types of incoming
requests.
• MaxConcurrentSessions
The MaxConcurrentSessions value determines the maximum number of channels requiring sessions that
the service supports. The default value for this setting is 5 session-aware channels. Any attempt to create a
channel beyond this maximum limit triggers a time-out exception. This setting only handles session-aware
channels. If the binding is not session-aware (for example, basicHttpBinding), this setting has no impact
on the number of requests that can be processed.
• MaxConcurrentInstances
The MaxConcurrentInstances setting defines the maximum number of instances of the service
implementation object that can be created. The default value for this setting is 10, but the setting is currently not used.

Enforce Plugin Validation

In the Administration/System Configuration/Misc dialog, you can enable or disable enforcement of plugin
validations:

• If you enable this setting, uploaded plugins are validated before they are saved in SAP Disclosure
Management. No plugins are uploaded if this validation fails. The plugin content is validated if it is signed
correctly.

• If you disable this setting, the plugin is not validated.

 Note

By default, this setting is enabled.

 Note

Changes to this setting are logged in the audit trail events log.

Restrict User Account Editing

In the Administration/System Configuration/Misc dialog, you can enable or disable the parameter Restrict
User Editing. If you enable it, it is not possible for other users to edit a user account that does not belong to
an entity yet. You can only deactivate the account.

 Note

By default, this setting is enabled.

11.1 Password Policy

To enforce a global password policy, you have to set the Enforce Password Policy parameter to Yes on the
Password Policy tab. Choose Administration System configuration Password Policy . This parameter is
set to No, by default, after you have installed the SAP Disclosure Management. If the parameter is set to Yes,
you can define the following policy parameters:

Global Password Definition

Password Syntax                                | Description                                                                    | Default Value | Minimum Value
Minimum length of password                     | Sets the minimum length of the password (minimum number of characters).        | 0             | 1
Minimum amount of lower-case letters           | Sets the minimum amount of lower-case letters contained in a password.         | 0             | 1
Minimum amount of upper-case letters           | Sets the minimum amount of upper-case letters contained in a password.         | 0             | 1
Minimum amount of Arabic numerals              | Sets the minimum amount of Arabic numerals contained in a password.            | 0             | 1
Minimum amount of special characters           | Sets the minimum amount of special characters contained in a password.         | 0             | 1
Leading positions with difference to user name | Number of leading characters that must be different in password and user name. | 0             | 2
Number of leading non-identical characters     | Number of positions that must not be identical at the beginning.               | 0             | 2
You can also define a lifecycle for the passwords:

Lifecycle of Passwords

Password Lifecycle                                     | Definition                                                                                                                                              | Default Value
Password maximum age                                   | Validity period of password in days                                                                                                                     | 0
Number of days for password expiration warning         | Number of days before actual password expiration that a warning message should appear after successful logon to the SAP Disclosure Management server    | 7
Maximum amount of passwords stored in password history | Number of passwords to be stored in the password history. Passwords cannot be reused while they are stored in the history.                               | 0

To deactivate any of the above-mentioned parameters, insert the value 0. The specific requirement will then be
ignored during the password policy validation process. Once you have completed the policy definition, choose
Save to implement all settings. Once the parameters have been set and saved, a pop-up is displayed, where
you can define whether all users should be prompted to change their passwords after their next logon. If you
choose Yes, every user will be redirected to a Change User Information form the next time they log on to SAP
Disclosure Management. On this form, users can change the password according to the enforced password
policy.

If a user's password has expired, they are automatically redirected to the Change User Information form the
next time they log on to the SAP Disclosure Management server. Here, they can change their password, as
required.

The characters below can be used in passwords:

Character Specification

Character Type     | Character Definition
Lower-Case Letters | All lower-case letter characters (a - z, ä, ö, ü, ß)
Upper-Case Letters | All upper-case letter characters (A - Z, Ä, Ö, Ü)
Arabic Numerals    | All Arabic numeral characters (0, 1 - 9)
Special Characters | All characters that are neither a letter nor a number (^, °, !, ", §, $, %, &, /, (, ), =, ?, [, ], )
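To make the policy parameters above concrete, here is an added Python checker (example code, not the validation logic of SAP Disclosure Management) that implements the syntax rules, the lifecycle rules and the "0 deactivates the rule" convention. The character classes follow the Character Specification table. The two "leading" rules are interpreted as stated in the code comments, since the guide only gives their one-line definitions; the user names, passwords and dates are constructed sample values.

```python
"""Password policy checker (added example, not SAP code).

Every parameter of the Global Password Definition and Lifecycle of Passwords
tables is a field; a value of 0 switches the corresponding rule off.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Character classes from the Character Specification table.
LOWER_EXTRA, UPPER_EXTRA = set("äöüß"), set("ÄÖÜ")


def is_lower(c: str) -> bool:
    return "a" <= c <= "z" or c in LOWER_EXTRA


def is_upper(c: str) -> bool:
    return "A" <= c <= "Z" or c in UPPER_EXTRA


def is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def is_special(c: str) -> bool:
    # Everything that is neither a letter nor a numeral.
    return not (is_lower(c) or is_upper(c) or is_digit(c))


@dataclass
class PasswordPolicy:
    min_length: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_digits: int = 0
    min_special: int = 0
    leading_diff_from_username: int = 0
    leading_non_identical: int = 0
    max_age_days: int = 0
    expiry_warning_days: int = 7
    history_size: int = 0

    def violations(self, password: str, username: str, previous_hashes=(), verify=None) -> list:
        """Return the names of the violated rules; an empty list means the password is accepted.

        previous_hashes are stored digests of earlier passwords and verify(password, digest)
        is the caller's verifier, so the history never holds plaintext passwords.
        """
        found = []
        if self.min_length and len(password) < self.min_length:
            found.append("min_length")
        counts = {
            "min_lower": sum(map(is_lower, password)),
            "min_upper": sum(map(is_upper, password)),
            "min_digits": sum(map(is_digit, password)),
            "min_special": sum(map(is_special, password)),
        }
        for rule, count in counts.items():
            required = getattr(self, rule)
            if required and count < required:
                found.append(rule)
        n = self.leading_diff_from_username
        # Interpretation: the first n characters of the password may not equal the
        # first n characters of the user name (compared case-insensitively).
        if n and password[:n].lower() == username[:n].lower():
            found.append("leading_diff_from_username")
        n = self.leading_non_identical
        # Interpretation: the first n characters of the password must all differ
        # from each other (e.g. "aa..." fails for n=2).
        if n and len(set(password[:n])) < min(n, len(password)):
            found.append("leading_non_identical")
        if self.history_size and verify is not None:
            if any(verify(password, h) for h in previous_hashes[-self.history_size:]):
                found.append("history")
        return found

    def lifecycle_state(self, changed_on: date, today: date) -> str:
        """'ok', 'warn' (expiry within the warning window) or 'expired'; max age 0 never expires."""
        if not self.max_age_days:
            return "ok"
        expires_on = changed_on + timedelta(days=self.max_age_days)
        if today >= expires_on:
            return "expired"
        if (expires_on - today).days <= self.expiry_warning_days:
            return "warn"
        return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, min_lower=1, min_upper=1, min_digits=1,
                            min_special=1, leading_diff_from_username=2,
                            leading_non_identical=2, max_age_days=90)
    print(policy.violations("Kr3uz!weg", "jsmith"))       # constructed sample: accepted
    print(policy.violations("Jsmith1!x", "jsmith"))       # starts like the user name
    print(policy.lifecycle_state(date(2024, 1, 1), date(2024, 3, 25)))
```

Running the checker at logon, as the guide describes, means a user whose stored password no longer satisfies a tightened policy is redirected to the Change User Information form rather than being locked out.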

In addition, you can define how password hashes are generated.

You can define the password hash algorithm used to generate password hashes. You have the following options:

• SHA-1 (HMACSHA1)
• SHA-2 algorithms: HMACSHA256 and HMACSHA512
• PBKDF2
The PBKDF2 Password Storage Scheme provides a mechanism for encoding user passwords using the
PBKDF2 message digest algorithm. PBKDF2 is the short name for PBKDF2-HMAC-SHA512.

 Note

A change of the hash algorithm results in a reset of all user passwords to the default password defined
under Administration System configuration Misc Default Initial Password . Make sure that you edit
this parameter before you change the algorithm.

Password Hashes

Password Hashes         | Description                                                    | Default Value
Password Hash Algorithm | Select the hash algorithm used for generating user password hashes. | PBKDF2

11.2 Password Security

Passwords are stored using a strong hash. The password hash is designed as follows:

• The application server stores a secret “MachineSalt” on disc. The MachineSalt is a high-quality random
number.
• Every password is salted with a UserSalt (a high-quality random number).
• The salted password is hashed using a user-defined hash algorithm, where MachineSalt is the secret key.
For more information, see the chapter Password Policy [page 45], under Password Hash Algorithm in the
Security Guide.

The MachineSalt is stored in the web.config file. The install.exe tool automatically generates the MachineSalt
and adds it to the web.config file.

 Sample Code

<configuration>
<appSettings>
<!-- value generated by install.exe; the one shown here is a placeholder -->
<add key="MachineSecret" value="1231231243443"/>
</appSettings>
</configuration>

 Note

If you have multiple application servers, the MachineSalt needs to be identical on all servers.
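The following added Python example (not SAP's implementation) shows the hashing design described in this section in runnable form: a secret MachineSalt used as the HMAC key, a random UserSalt per password, and the selectable algorithms from the Password Policy section. It also shows the two consequences the guide calls out: a different MachineSalt on a second server makes every stored hash unverifiable, and changing the algorithm cannot re-hash existing entries, which is why all passwords are reset to the Default Initial Password. How the MachineSalt enters PBKDF2, the iteration count and all sample values are assumptions of this example.

```python
"""Salted, keyed password hashing in the shape the guide describes.
Added example, not the code of SAP Disclosure Management."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ALGORITHMS = ("HMACSHA1", "HMACSHA256", "HMACSHA512", "PBKDF2")
PBKDF2_ITERATIONS = 50_000   # assumption: the guide states no iteration count


@dataclass
class StoredPassword:
    algorithm: str
    user_salt: bytes
    digest: bytes


def compute_digest(password: str, user_salt: bytes, machine_salt: bytes, algorithm: str) -> bytes:
    salted = user_salt + password.encode("utf-8")          # salt with the UserSalt
    if algorithm == "HMACSHA1":
        return hmac.new(machine_salt, salted, hashlib.sha1).digest()     # MachineSalt is the key
    if algorithm == "HMACSHA256":
        return hmac.new(machine_salt, salted, hashlib.sha256).digest()
    if algorithm == "HMACSHA512":
        return hmac.new(machine_salt, salted, hashlib.sha512).digest()
    if algorithm == "PBKDF2":
        # PBKDF2-HMAC-SHA512. Assumption: the MachineSalt is keyed in by using it
        # as the PBKDF2 salt next to the per-user salt already mixed into `salted`.
        return hashlib.pbkdf2_hmac("sha512", salted, machine_salt, PBKDF2_ITERATIONS)
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def store_password(password: str, machine_salt: bytes, algorithm: str = "PBKDF2") -> StoredPassword:
    """Create the record kept in the users table: algorithm, UserSalt and digest."""
    user_salt = secrets.token_bytes(16)                    # high-quality random UserSalt
    return StoredPassword(algorithm, user_salt,
                          compute_digest(password, user_salt, machine_salt, algorithm))


def verify_password(password: str, stored: StoredPassword, machine_salt: bytes) -> bool:
    candidate = compute_digest(password, stored.user_salt, machine_salt, stored.algorithm)
    return hmac.compare_digest(candidate, stored.digest)   # constant-time comparison


def change_algorithm(users: dict, machine_salt: bytes, new_algorithm: str,
                     default_initial_password: str) -> dict:
    """Mirror of the guide's note: the plaintext is not available, so existing
    digests cannot be converted. Every account is reset to the Default Initial
    Password under the new algorithm."""
    if new_algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {new_algorithm!r}")
    return {name: store_password(default_initial_password, machine_salt, new_algorithm)
            for name in users}


if __name__ == "__main__":
    machine_salt = secrets.token_bytes(32)   # in the product: MachineSecret in web.config
    record = store_password("Kr3uz!weg", machine_salt)      # constructed sample password
    print(verify_password("Kr3uz!weg", record, machine_salt))               # True
    print(verify_password("Kr3uz!weg", record, secrets.token_bytes(32)))    # False: other server salt
```

Because the MachineSalt is part of every digest, it must be identical on all application servers, as the note above states, and it must be backed up together with the database: a restored database without the matching web.config cannot verify a single password.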

System Upgrade to SAP Disclosure Management 10.1 SP08

When you upgrade to SAP Disclosure Management 10.1 SP08, passwords are secured as shown in the graphic
below:

• A MachineSalt is generated and added to the web.config file.


• All existing passwords in the users table will be encrypted with this MachineSalt.

11.3 Single Sign-On

You can use single sign-on (SSO) authentication with SAP Disclosure Management. When a web browser or a
SAP Disclosure Management Client sends a login request to SAP Disclosure Management Application Server
the system follows the authentication steps as shown in the figure below:

The system process is as follows:

1. The client sends a request to the application server. The application server obtains the Windows Identity,
which consists of the domain and the user name of the user currently connected to Microsoft Internet
Information Server (IIS).
2. The application server tries to authenticate the obtained Windows Identity in the SAP Disclosure
Management database. This is an internal authentication. The internal authentication is considered
successful if:
• The Windows Identity is a valid user in the SAP Disclosure Management database.
• The user account of the Windows Identity is active.
3. If the internal authentication was successful, the application server tries to validate the Windows Identity
in Microsoft Active Directory. The validation is considered successful if:
• The Windows Identity exists in the Microsoft Active Directory.
• The domain account of the Windows Identity is not disabled in Windows Active Directory.

11.4 Authenticating Using Security Assertion Markup Language 2.0

You can use Security Assertion Markup Language 2.0 authentication (SAML 2.0 authentication) as a global
setting for authentication in SAP Disclosure Management. When a Web browser or an SAP Disclosure
Management client sends an authentication request to the SAP Disclosure Management application server,
the system follows the authentication steps as shown below:

 Note

SAML 2.0 authentication requires HTTPS.

The process steps are as follows:

1. The client sends a request to the application server.
2. The application server redirects the user request to the defined identity provider (IDP).
3. The redirect works by creating an SAML request and sending this request to the IDP.
4. The IDP follows its configured steps to authenticate the user.
5. The IDP sends an SAML response back to the application server.
6. If the SAML response is a valid response with a successful authentication result, the application server tries
to map the received authentication information to the defined SAP Disclosure Management user. If the
mapping is successful, the application server tries to authenticate the mapped user in the SAP Disclosure
Management database. This is an internal authentication. The internal authentication is considered to be
successful if the following statements apply:
• The mapped user is a valid user in the SAP Disclosure Management database.
• The user account of the mapped user is active.
7. If the internal authentication is successful, the application server creates a signed SSO token, which is
used to authenticate the user against other application servers and data sources in the landscape.
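Both flows above end in the same internal authentication (the identity must be a valid, active user in the SAP Disclosure Management database), and the SAML flow adds the mapping of the received subject to a user and the issuing of a signed SSO token. The added Python example below (not SAP's code) models the internal authentication used in the SSO and SAML sections, the user mapping, and an HMAC-signed token with expiry; the user table, the NameID mapping, the token format and the signing key are constructed for the example, and the SAML response is represented as an already-parsed dictionary rather than as XML.

```python
"""Internal authentication shared by the SSO and SAML 2.0 flows, plus the
signed SSO token of the final SAML step. Added example, not SAP code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed user table standing in for the SAP Disclosure Management database.
USERS = {
    "CORP\\alice": {"active": True},
    "CORP\\bob": {"active": False},      # deactivated account
}

# Constructed mapping of SAML NameID values to SAP Disclosure Management users.
SAML_USER_MAPPING = {
    "alice@example.test": "CORP\\alice",
    "bob@example.test": "CORP\\bob",
    "carol@example.test": "CORP\\carol",   # mapped, but no such user in the database
}


def internal_authenticate(identity: str) -> bool:
    """Internal authentication: the identity must be a known AND active user."""
    user = USERS.get(identity)
    return user is not None and user["active"]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_token(identity: str, key: bytes, ttl_seconds: int = 600, now=None) -> str:
    """Assumed token format: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sub": identity, "exp": issued + ttl_seconds},
                         separators=(",", ":")).encode("ascii")
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(signature)}"


def verify_sso_token(token: str, key: bytes, now=None):
    """Return the subject if the signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                      # tampered payload or wrong key
        claims = json.loads(payload)
        expires = int(claims["exp"])
        subject = claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None                          # malformed token
    current = now if now is not None else time.time()
    if current >= expires:
        return None                          # expired
    return subject


def authenticate_saml_response(response: dict, key: bytes, now=None):
    """Steps 5 to 7 of the SAML flow on an already-parsed response (constructed
    dict standing in for the validated XML): successful status, map NameID to a
    user, internal authentication, then a signed SSO token. None on any failure."""
    if response.get("status") != "Success":
        return None
    identity = SAML_USER_MAPPING.get(response.get("name_id", ""))
    if identity is None or not internal_authenticate(identity):
        return None
    return issue_sso_token(identity, key, now=now)


if __name__ == "__main__":
    key = b"constructed-signing-key"
    token = authenticate_saml_response({"status": "Success", "name_id": "alice@example.test"}, key)
    print(token, verify_sso_token(token, key))
```

Note what fails closed here: an unmapped subject, a mapped subject with no matching user, a deactivated account, a response without a success status, and any token whose signature, format or expiry is wrong all yield None, so no later server in the landscape ever sees a token for an identity that did not pass the internal authentication.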

11.5 Preventing Anonymous Access to SAP Disclosure Management Online User Help Files

Context

You can prevent anonymous access to the help files of SAP Disclosure Management, such as
http://mo-8fe9d2668.mo.sap.corp:10170/Content/Help/101/EN/frameset.htm, by adding the section
below to the web.config file:

 Source Code

<location path="Content/Help">
<system.web>
<authorization>
<deny users="?" />
<allow users="*"></allow>
</authorization>
</system.web>
</location>

After you have added the section above to the web.config file, users can only access the help files if they are
logged into SAP Disclosure Management.

 Note

If this is the initial installation of SAP Disclosure Management, then this option is already activated. For
existing installations, you have to modify this option manually.

11.6 Disabling Debugging

To disable debugging in SAP Disclosure Management, refer to the Microsoft article "Disable Debugging
for ASP.NET Applications".

11.7 Session Timeout

Context

By default, the session timeout is set to 100 minutes in SAP Disclosure Management (SAP DM). To change this
setting, you can edit the web.config file by following the steps below:

Procedure

1. Open the web.config file in the application folder of SAP DM.
2. Locate the <sessionState> tag directly under <system.web>.
3. Change the attribute value for timeout to another value in minutes.
4. Restart the application.

11.8 Fiori Launchpad Session Timeout

Context

By default, the Fiori session timeout is set to 240 minutes in SAP Disclosure Management (SAP DM). To change
this setting, you can edit the web.config file by following the steps below:

Procedure

1. Open the web.config file in the application folder of SAP DM.
2. Locate the <AccessTokenTimeout> tag directly under <system.web><appsetting>.
3. Change the attribute value for timeout to another value in minutes.
4. Restart the application.

12 Security for Additional Applications

The following frontend clients deviate from the SAP standard:

• Data Connector
No special security settings are required for the Data Connector.
• Microsoft Office Add-In
In order to interact with the SAP Disclosure Management application, the user name and password need to
be set.

The following applications are delivered with SAP Disclosure Management:

• Taxonomy Designer
• SAP Disclosure Management XBRL Mapper.

For information about current improvements or security patches for these applications, see the Taxonomy
Designer Help at http://help.sap.com/bodm100.

If XBRL features are not needed, SAP Disclosure Management can be run without SAP Disclosure Management
XBRL Mapper and Taxonomy Designer.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

www.sap.com/contactsap

© 2024 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form


or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors


contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for


informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.

