Security concept of communication – Archiving client to Outboard

To prevent unauthorized access, Datavard Outboard DataTiering is built to comply with the SAP authorization concepts where each connection carries out an authorization check.

Authorization object being validated when operating with the Outboard is:

/DVD/CRP – permitted activities:
- 03 – Display
- 16 – Execute
- 23 – Maintain

However, an access is gained via open HTTP or HTTPS interface. URLs are secured with the signature allowing only authorized access to the stored content and, correspondingly, so that forged requests are rejected.

Datavard Outboard DataTiering decodes the signature and compares it with received URL. The service only executes the request if the URL and the signature are matching.

Level of security at this border is generally lower than at the outbound border towards the external storage because its typically within internal corporate network.

Security concept of communication – Outboard to External Storage

Outbound communication with an external storage MUST be secured. This can be achieved by using of secured protocol that is a storage platform-specific and therefore depends on API utilized by corresponding Storage Management connector implementation (e.g. HTTPS, Secured NFS, etc.). Additionally, authorized access is controlled by using of platform-specific authentication / authorization concept, e.g. using Kerberos, Active Directory and others, together with user permission management.

Authorizations & Segregation of duties

The Outboard Service requires 2 users

Maintenance: Administrator dialog user
Operation on data: Service user – used in Outboard HTTP Service definition

User Type	SAP Transaction Codes	Datavard Transaction Codes	Specific Authorizations
Archiving Administrator dialog user	OAC0, SE38, SICF, SM59, SU53, SLG1, SE16, SM37, SM50, SM51, STMS, OAC2, OAC3, OAAD, OAA3, OAG1, SARA, SARI, TAANA [OPTIONAL]: SMICM, STRUST	/DVD/SM_SETUP, /DVD/CRP_SRC, /DVD/CRP_SRC_SM, /DVD/CRP_HAL_CERT, /DVD/AM_TH, /DVD/AM_AL_TH, /DVD/RL_TM	Authorization for debugging (for deep issue analysis) To operate Outboard: --> /DVD/CRP - ACTVT = *
System Service user	N/A	N/A	To execute commands in the Outboard: --> /DVD/CRP - ACTVT = 16 To execute RFC calls to external service: --> S_RFC - ACTVT = 16, RFC_TYPE = G Proper authorizations to release job: -- > S_BTCH_JOB - JOBGROUP = *, JOBACTION = RELE -- > S_BTCH_ADM - BTCADMIN = Y

User Type

SAP Transaction Codes

Datavard Transaction Codes

Specific Authorizations

Archiving Administrator dialog user

OAC0, SE38, SICF, SM59, SU53, SLG1, SE16,

SM37, SM50, SM51, STMS, OAC2, OAC3,

OAAD, OAA3, OAG1, SARA, SARI, TAANA

[OPTIONAL]:
SMICM, STRUST

/DVD/SM_SETUP,

/DVD/CRP_SRC,

/DVD/CRP_SRC_SM,

/DVD/CRP_HAL_CERT,

/DVD/AM_TH,

/DVD/AM_AL_TH,

/DVD/RL_TM

Authorization for debugging (for deep issue analysis)

To operate Outboard:

--> /DVD/CRP - ACTVT = *

System Service user

N/A

To execute commands in the Outboard:

--> /DVD/CRP - ACTVT = 16

To execute RFC calls to external service:

--> S_RFC - ACTVT = 16, RFC_TYPE = G

Proper authorizations to release job:

-- > S_BTCH_JOB - JOBGROUP = *, JOBACTION = RELE

-- > S_BTCH_ADM - BTCADMIN = Y

Browser not supported