Outboard integration - Security concept for centralized deployment

Outboard’s security concept distinguishes two borders of data flow:

Archiving client to Outboard,
Outboard to External Storage

Security concept of communication – Archiving client to Outboard

To prevent unauthorized access, SNP OutBoard™ ERP Archiving is built to comply with the SAP authorization concepts where each connection carries out an authorization check.

Authorization object being validated when operating with the Outboard is:

/DVD/CRP – permitted activities:
- 03 – Display
- 16 – Execute
- 23 – Maintain

However, access is gained via an open HTTP or HTTPS interface. URLs are secured with the signature allowing only authorized access to the stored content and, correspondingly, so that forged requests are rejected.

SNP OutBoard™ ERP Archiving decodes the signature and compares it with the received URL. The service only executes the request if the URL and the signature are matching.

Level of security at this border is generally lower than at the outbound border towards the external storage because it's typically within an internal corporate network.

Security concept of communication – Outboard to External Storage

Outbound communication with external storage MUST be secured. This can be achieved by using of secured protocol that is a storage platform-specific and therefore depends on API utilized by corresponding Storage Management connector implementation (e.g. HTTPS, Secured NFS, etc.). Additionally, authorized access is controlled by using platform-specific authentication/authorization concepts, e.g. using Kerberos, Active Directory, and others, together with user permission management.

Authorizations and the Division of duties

The Outboard Service requires two users:

Maintenance: Archiving administrator dialog user
Data operations: System service user – used in the Outboard HTTP service definition

User Type	Delivered Role	SAP Transaction Codes	Own Transaction Codes	Specific Authorizations
Archiving Administrator dialog user	/DVD/CRP_ADMIN	OAC0, SE38, SICF, SM59, SU53, SLG1, SE16, SM37, SM50, SM51, STMS, OAC2, OAC3, OAAD, OAA3, OAG1, SARA, SARI, TAANA [OPTIONAL]: SMICM, STRUST	/DVD/SM_SETUP, /DVD/CRP_SRC, /DVD/CRP_SRC_SM, /DVD/CRP_HAL_CERT, /DVD/AM_TH, /DVD/AM_AL_TH, /DVD/RL_TM, /DVD/CRP, /DVD/CRP_RM_SETUP, /DVD/CRP_VLDT, /DVD/CRP_LOGEXP, /DVD/RMX_OBJLIST, /DVD/RMX_SARA_SETUP	Authorization for debugging (for deep issue analysis) To operate Outboard: /DVD/CRP - ACTVT = * /DVD/CRP_R - REPORT = * /DVD/CRP_E - REPORT = * S_ADMI_FCD - S_ADMI_FCD = PADM S_APPL_LOG - ACTVT= 03 ALG_OBJECT = /DVD/CRP ALG_SUBOBJ = /DVD/CRP* /DVD/TH - All authorisations * S_TABU_NAM - ACTVT = * TABLE = /DVD/CRP_* S_TABU_DIS - ACTVT = * DICBERCLS = &NC& S_GUI - ACTVT = * S_TABU_CLI - CLIIDMAINT = X What is not included: Authorizations for maintaining transport requests STRUST related authorizations
System Service user	/DVD/CRP_SERVICE	N/A	N/A	To execute commands in the Outboard: /DVD/CRP - ACTVT = 16 To execute RFC calls to external service: S_RFC - ACTVT = 16, RFC_TYPE = G Proper authorizations to release job: S_BTCH_JOB - JOBGROUP = *, JOBACTION = RELE S_BTCH_ADM - BTCADMIN = Y

User Type

Delivered Role

SAP Transaction Codes

Own Transaction Codes

Specific Authorizations

Archiving Administrator dialog user

/DVD/CRP_ADMIN

OAC0, SE38, SICF, SM59, SU53, SLG1, SE16, SM37, SM50, SM51, STMS, OAC2, OAC3, OAAD, OAA3, OAG1, SARA, SARI, TAANA

[OPTIONAL]:
SMICM, STRUST

/DVD/SM_SETUP,

/DVD/CRP_SRC,

/DVD/CRP_SRC_SM,

/DVD/CRP_HAL_CERT,

/DVD/AM_TH,

/DVD/AM_AL_TH,

/DVD/RL_TM,

/DVD/CRP,

/DVD/CRP_RM_SETUP,

/DVD/CRP_VLDT,

/DVD/CRP_LOGEXP,

/DVD/RMX_OBJLIST,

/DVD/RMX_SARA_SETUP

Authorization for debugging (for deep issue analysis)

To operate Outboard:

/DVD/CRP - ACTVT = *

/DVD/CRP_R - REPORT = *

/DVD/CRP_E - REPORT = *

S_ADMI_FCD - S_ADMI_FCD = PADM

S_APPL_LOG - ACTVT= 03
ALG_OBJECT = /DVD/CRP
ALG_SUBOBJ = /DVD/CRP*

/DVD/TH - All authorisations *

S_TABU_NAM - ACTVT = *
TABLE = /DVD/CRP_*

S_TABU_DIS - ACTVT = *
DICBERCLS = &NC&

S_GUI - ACTVT = *

S_TABU_CLI - CLIIDMAINT = X

What is not included:

Authorizations for maintaining transport requests
STRUST related authorizations

System Service user

/DVD/CRP_SERVICE

N/A

To execute commands in the Outboard:

/DVD/CRP - ACTVT = 16

To execute RFC calls to external service:

S_RFC - ACTVT = 16, RFC_TYPE = G

Proper authorizations to release job:

S_BTCH_JOB - JOBGROUP = *, JOBACTION = RELE

S_BTCH_ADM - BTCADMIN = Y

Outboard integration - Security concept for decentralized deployment

Outboard integration - Security concept for centralized deployment

Security concept of communication – Archiving client to Outboard

Security concept of communication – Outboard to External Storage

Authorizations and the Division of duties

Browser not supported