This section lists the constraints regarding security and data privacy that have to be considered when using the Social Media ABAP Integration Library (SAIL).
User Mapping
All requests directed to SAP Jam are user-centric. The SAIL API maps the SAP user to the SAP Jam user. This mapping is represented by the BAdI: E-Mail Address for Back-End User (STW_USER_EMAIL_BADI). The default implementation (fallback class) of this BAdI is based on the standard SAP Identity Services. If the mapping in your system deviates from this default, the default must be replaced by a system-specific BAdI implementation.
Authentication
The SAIL API performs the authentication in SAP Jam. As the required authentication method depends on the specific Jam REST resource, different methods have to be supported by SAIL as well. The authentication method is assigned to each method of SAIL separately. To allow for more flexibility (for instance, with regard to the cryptographic procedure), the assignment at development time only defines an authentication context, and allows each system to assign the appropriate authentication method for this context.
The assignment of the authentication context must be fixed in each system and client with transaction CLB_PLATF. For more information, see Customizing for SAP NetWeaver under .
The authentication contexts that are relevant for the SAIL API are:
APPLI: Application context, not user-related
APPUSR: Application context with user authentication
NONE: No authentication, or already authenticated
USER: User context
If a USER context is used, SAIL uses SAML 2.0 assertions for the authentication. This means that the USER context is linked with the SAML_20 method in the delivery Customizing. Using SAML 2.0 assertions has the advantage that no sensitive personal data needs to be stored in the back end.
The APPLI context is not actively used; for auditing reasons the APPUSR context is used instead. For this context, the method OAUTH_10_SHA1_3 is assigned in the delivery Customizing. This is a three-legged OAuth 1.0a implementation using an access token that is implicitly retrieved and stored by the library. The user context during the retrieval of the access token is created by a SAML 2.0 assertion.
OAuth 2.0 is currently not supported by SAIL.
Data Privacy
SAIL enables the integration of SAP on-premise systems with external service providers located outside of the firewall. This channel allows sharing of information on business objects with external users that do not have access to the back-end system of the company or organization.
SAP does not assume any warranty or liability for information that is shared and cannot issue a guarantee that neither data privacy regulations nor legal requirements have been violated. The company or organization should consider the additional information channel in their guidelines on security and data privacy.
Notifications
Notifications on Business Object changes are distributed using SAP Gateway. Only registered Gateway users are allowed to subscribe or unsubscribe to such notifications. Ensure that the SAP user is mapped to the external representation (the e-mail address in the case of SAP Jam), and vice versa, on the Gateway hub server.
In addition, all recipients must also be registered at SAP Jam.
Although the notifications are transferred to SAP Gateway by using bgRFC calls under a technical user, SAIL "re-personalizes" the notification at the Gateway system by evaluating the notification header parameters; the original author/actor is established as the person who needs to authenticate at SAP Jam for the specific request. Otherwise the REST call would be refused for security reasons.
As a consequence, all back-end users who could trigger notifications must be registered both at Gateway and at SAP Jam. For the authentication at SAP Jam, the SAIL authentication context APPUSR (OAuth 1.0a with SAML assertions) is used.
As SAP Jam is a cloud application outside of your firewall, the notifications should not comprise URL links that contain your internal server names. Use the URL mapping of the SAIL Customizing to map OData links so that they address the right portal or reverse proxy.
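The following is an added illustration of the mapping step described above, not SAIL's own code: a constructed stand-in for the URL-mapping Customizing that rewrites internal OData links to the portal or reverse-proxy address and refuses to send a notification that still contains an unmapped internal host name or private IP address (the host names, suffixes and mapping entries are constructed examples).

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the SAIL URL-mapping Customizing: internal OData
# base URL prefix -> base URL that external users reach via portal/reverse proxy.
URL_MAPPING = {
    "https://erp-prod.corp.example:44300/sap/opu/odata":
        "https://portal.example.com/sap/opu/odata",
}

# Constructed DNS suffixes that identify internal hosts of the organization.
INTERNAL_SUFFIXES = (".corp.example", ".local")


def normalize(link):
    """Lower-case scheme and host so that a prefix match cannot be bypassed by case."""
    p = urlsplit(link)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def is_internal_host(host):
    """True for private/loopback IP literals and for hosts under an internal suffix."""
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:           # not an IP literal, so it is a DNS name
        return False


def map_link(link):
    """Return the external form of one link; None if it would leak an internal host."""
    norm = normalize(link)
    for internal, external in URL_MAPPING.items():
        prefix = normalize(internal)
        if norm.startswith(prefix):
            return external + norm[len(prefix):]
    if is_internal_host(urlsplit(norm).hostname or ""):
        return None              # internal and unmapped: refuse rather than leak
    return link                  # already external, leave untouched


def prepare_notification(note):
    """Return a copy of the notification with all links mapped.
    Raises ValueError if any link points at an unmapped internal host,
    so the notification is never sent with an internal server name in it."""
    mapped = []
    for link in note.get("links", []):
        ext = map_link(link)
        if ext is None:
            raise ValueError("refusing to send notification with internal link: " + link)
        mapped.append(ext)
    return dict(note, links=mapped)
```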
Spamming of recipients is prevented by
Explicit subscription by the end-user
Explicit activation of relevant OData services at the Gateway hub (See Customizing for SAP NetWeaver under .)