Technology Blogs by SAP
troy_cronin2
Introduction

In some of my previous blog postings on the Enterprise Portal we have discussed the importance of security. Ensuring that a Portal Landscape is configured in accordance with the security guidelines is the main means of preventing security breaches or attacks. In this blog posting we are going to look at "Security" from the perspective of Knowledge Management and, in particular, the KM Content Level.

Knowledge Management

KM Folders are the base platform in which KM Documents are stored. Through KM, end-users can access, obtain, manage and review information held in documents sourced from business intranets, external WWW feeds, and file servers. The KM Documents themselves are presented in the standard formats of PPT, Excel, Word documents and HTML.

Security Audit - Highlighting KM Security Concerns

Common organizational practice is to ensure that the Portal Landscape is configured in accordance with the highest security measures. One way of ensuring this is to keep the latest SPs and Patch Level Releases maintained within your EP Setup, as SAP highly encourages.

Implementing and deploying the latest Patches & SP’s often provides a means of preventing easily avoidable issues.

What Can Scans & Audits Reveal?

A Security Scan can highlight vulnerabilities across different technology areas for example:

  • SQL Injection

  • CSS – Cross Site Scripting

  • Indirect retrieval of sensitive information

  • Logon authentication issues

  • Browser Caching

  • Application termination


KM & Security Scans

As a Knowledge Management Setup involves the management and storage of documents within repositories, many end-users will require "Read" access even without any other editorial privileges.

The core documentation to follow in this instance, to ensure KM Content is maintained correctly in accordance with security measures (and to prevent vulnerabilities being noted), is outlined below:

  • SAP Note: 1648138 - Insecure default configuration of ACLs in KM repositories

  • SAP Note: 599425 - Permissions for KM repositories

  • SAP Note: 1477597 - Unauthorized modification of stored content in NW KMC


Once the KM Content Level permissions are set in accordance with your requirements and the optimal settings from the notes above are maintained, there should be no security risks in the underlying setup.

Important Documentation

If you are utilizing third-party security auditing standards and vulnerabilities are noted across the Portal, the recommendation would be to review and follow the KBA below. This KBA gives comprehensive insight into some of the most common security concerns and their subsequent resolutions:

  • SAP KBA: 2191528 - Third-party report showing security vulnerabilities


Lastly, in terms of KM itself and its associated setup, I would recommend following the KM Security guide, which has been outlined below for your convenience and cross-reference: