Welcome to the first edition of our new blog series “Technology Bytes”, which aims to uncover foundational topics and the underlying technology behind SAP Enterprise Product Development (EPD).
In foundational topics, in contrast to product capabilities and features, I keep the focus on the recent technologies we leverage when we develop SAP EPD and how our customers benefit from them. In this blog series, you will find recent technological advancements behind the development of SAP EPD, including topics like the SAP Intelligent Enterprise Suite qualities that enable our customers’ intelligent and integrated enterprises. This first blog starts with Security and Identity Access Management, as security is a top priority for customers and for our internal product development. This blog is written in an interview format in which I put questions to a subject matter expert, the Security Lead of EPD Development. You will find answers to some commonly asked questions around security.
SAP has defined several Intelligent Enterprise Suite Qualities that contribute to a simplified experience and deliver immediate value to our customers. The suite qualities are implemented across end-to-end business processes delivered by the SAP Business Technology Platform (BTP) to unify user experience, security, workflow inboxes, data semantics, analytics, lifecycle management, and process architectures.
Cloud Identity Services: What is in it for SAP?
SAP Cloud Identity Services include Identity Authentication, Identity Provisioning, Identity Directory and Authorization Management services. These services enable you to manage identities and single sign-on across all our solutions. SAP Cloud Identity reduces manual administration efforts for user management and identity provisioning and enables a seamless login process with SSO. When you adopt SAP cloud products like SAP EPD and integrate them into your system landscape, you choose an approach for identity access management (IAM). The approach you choose depends on the integration you want from the perspective of single sign-on, whether you have a unified, simple IAM landscape or a complex landscape in place.
Concepts for Identity Authentication and Single Sign-On (SSO), Identity Provisioning and Lifecycle Management, and Business User Role Management are all provided by BTP, so that all SAP applications can provide the same features to all customers in the same way. Here you can also find an overview of how SAP makes the Intelligent Enterprise secure.
How does authentication work in SAP EPD?
Identity providers provide the business users. The default platform identity provider of SAP BTP is SAP ID service. If you use external identity providers, you must configure the trust relationship using the SAP BTP cockpit. The respective subaccount must have a trust relationship with the identity provider. Using the SAP BTP cockpit, you, as an administrator of the Cloud Foundry environment, establish this trust relationship. SAP EPD relies completely on BTP for user management. Most authentication issues can be traced back to the use of passwords. To be on the safe side, X.509 client certificate-based authentication coupled with multi-factor authentication (MFA) should be preferred, to eliminate the need for password management and limit the blast radius of compromised credentials. You can find the details on User Administration, Authentication, and Authorizations | SAP Help Portal.
How are authorizations managed in SAP EPD?
In the Cloud Foundry environment, application developers create and deploy application-based authorization artifacts for business users. Administrators use this information to assign roles, build role collections, and assign these collections to business users or user groups. By doing so, they control the users' permissions. SAP EPD does not have its own authorization concept but relies on BTP services (XSUAA). This mostly concerns use cases in some capabilities, such as Collaboration or Specification Management.
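The chain described above (scopes, role templates, role collections) can be reviewed for least privilege before roles are assigned. The following is an added example, not SAP EPD's or SAP's own code: it assumes a descriptor in the `xs-security.json` layout used by XSUAA, and every application, scope, template and collection name in it is hypothetical.

```python
import json

# Constructed descriptor in the xs-security.json layout (assumption: the
# application ships its authorization artifacts this way). All names are
# hypothetical sample values.
DESCRIPTOR = json.loads("""
{
  "xsappname": "example-app",
  "scopes": [
    {"name": "$XSAPPNAME.Display"},
    {"name": "$XSAPPNAME.Edit"},
    {"name": "$XSAPPNAME.Admin"}
  ],
  "role-templates": [
    {"name": "Viewer", "scope-references": ["$XSAPPNAME.Display"]},
    {"name": "Editor", "scope-references": ["$XSAPPNAME.Display", "$XSAPPNAME.Edit"]},
    {"name": "Operator", "scope-references": ["$XSAPPNAME.Admin", "$XSAPPNAME.Purge"]}
  ],
  "role-collections": [
    {"name": "Example_Reader", "role-template-references": ["$XSAPPNAME.Viewer"]},
    {"name": "Example_PowerUser",
     "role-template-references": ["$XSAPPNAME.Editor", "$XSAPPNAME.Operator"]}
  ]
}
""")
PREFIX = "$XSAPPNAME."

def effective_scopes(descriptor):
    """Map each role collection to the full set of scopes it ends up granting."""
    templates = {PREFIX + t["name"]: set(t.get("scope-references", []))
                 for t in descriptor.get("role-templates", [])}
    result = {}
    for rc in descriptor.get("role-collections", []):
        scopes = set()
        for ref in rc.get("role-template-references", []):
            scopes |= templates.get(ref, set())  # unknown template grants nothing
        result[rc["name"]] = scopes
    return result

def undeclared_scopes(descriptor):
    """Scopes a role template references that the 'scopes' section never declares."""
    declared = {s["name"] for s in descriptor.get("scopes", [])}
    referenced = {ref for t in descriptor.get("role-templates", [])
                  for ref in t.get("scope-references", [])}
    return referenced - declared

def collections_granting(descriptor, scope):
    """Role collections whose effective scopes include the given scope."""
    return sorted(n for n, s in effective_scopes(descriptor).items() if scope in s)

if __name__ == "__main__":
    for name, scopes in effective_scopes(DESCRIPTOR).items():
        print(name, sorted(scopes))
    print("undeclared:", sorted(undeclared_scopes(DESCRIPTOR)))
```

Running `collections_granting` for each privileged scope gives an administrator the list of role collections to assign sparingly.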
What is the maintenance and update strategy of SAP EPD to safeguard customers when they benefit from open-source components?
In SAP EPD, we leverage various open-source components. Open-source components are regularly scanned for vulnerabilities, and security patches are deployed as needed. This happens with centrally driven SLAs, based on issue priority.
In upcoming blogs, and with new technology advancements over the releases, we plan to iteratively cover the remaining questions on the foundational side of SAP EPD. Your feedback matters! Please ask whatever you’d like an answer to, and we’ll pick it up in the next blog.
Till then, please also:
Follow the SAP Enterprise Product Development tag,
Check the SAP Enterprise Product Development topic page,