Security Information

Use

This section lists the constraints regarding security and data privacy that have to be considered when using the Social Media ABAP Integration Library (SAIL).

User Mapping

All requests directed to SAP Jam are user-centric. The SAIL API maps the SAP user to the SAP Jam user. This mapping is represented by the BAdI E-Mail Address for Back-End User (STW_USER_EMAIL_BADI). The default implementation (fallback class) of this BAdI is based on the standard SAP Identity Services. If your system deviates from this default, it must be replaced by a system-specific BAdI implementation.

Authentication

The SAIL API performs the authentication in SAP Jam. As the required authentication method depends on the specific Jam REST resource, SAIL has to support different methods as well. The authentication method is assigned to each method of SAIL separately. To allow for more flexibility (for instance, with regard to the cryptographic procedure), the assignment made at development time only defines an authentication context, and each system assigns the appropriate authentication method for this context.

The assignment for each authentication context must be defined in each system and client in transaction CLB_PLATF. For more information, see Customizing for SAP NetWeaver under Application Server > Basis Services > Collaboration > SAP Jam Integration > Server Settings.

The authentication contexts that are relevant for the SAIL API are:

  • APPLI: Application context, not user-related

  • APPUSR: Application context with user authentication

  • NONE: No authentication, or already authenticated

  • USER: User context

If a USER context is used, SAIL uses SAML 2.0 assertions for the authentication. This means that the USER context is linked with the SAML_20 method in the delivery Customizing. Using SAML 2.0 assertions has the advantage that no sensitive personal data needs to be stored in the back end.

The APPLI context is not actively used; for auditing reasons the APPUSR context is used instead. Here the method OAUTH_10_SHA1_3 is assigned in the delivery Customizing. This is a three-legged OAuth 1.0a implementation using an access token that is retrieved and stored implicitly by the library. The user context during the retrieval of the access token is created by a SAML 2.0 assertion.

Note

OAuth 2.0 is currently not supported by SAIL.

Data Privacy

SAIL enables the integration of SAP on-premise systems with external service providers located outside of the firewall. This channel allows sharing of information on business objects with external users that do not have access to the back-end system of the company or organization.

SAP does not assume any warranty or liability for information that is shared and cannot issue a guarantee that neither data privacy regulations nor legal requirements have been violated. The company or organization should consider the additional information channel in their guidelines on security and data privacy.

Notifications

Notifications on Business Object changes are distributed using SAP Gateway. Only registered Gateway users are allowed to subscribe to or unsubscribe from such notifications. Ensure that the SAP user is mapped to the external representation (the e-mail address in the case of SAP Jam), and vice versa, at the Gateway hub server.

In addition, all recipients must also be registered at SAP Jam.

Although the notifications are transferred to SAP Gateway by using bgRFC calls under a technical user, SAIL "re-personalizes" the notification at the Gateway system by evaluating the notification header parameters; the original author/actor is established as the person who needs to authenticate at SAP Jam for the specific request. Otherwise the REST call would be refused for security reasons.

As a consequence, all back-end users who could trigger notifications must be registered both at Gateway and SAP Jam. For the authentication at SAP Jam, the SAIL authentication context APPUSR (OAuth1.0a with SAML assertions) is used.

As SAP Jam is a cloud application outside of your firewall, the notifications should not comprise URL links that contain your internal server names. Use the URL mapping of the SAIL Customizing to map OData links so that they address the right portal or reverse proxy.
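The mapping rule above, as an added illustration that is not SAIL code (the mapping table, host names and notification payload are constructed): each OData link is rewritten to its external entry point, and a link whose host has no external mapping is refused rather than sent out with an internal server name.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping in the spirit of the SAIL URL-mapping Customizing (hypothetical values):
# internal server name -> external base URL (portal or reverse proxy) reachable by SAP Jam users.
URL_MAP = {
    "erpprod.corp.internal:8000": "https://portal.example.com",
    "gwhub.corp.internal": "https://portal.example.com",
}


class InternalHostLeak(ValueError):
    """Raised when a link would expose a server name that has no external mapping."""


def map_odata_link(link: str, url_map: dict = URL_MAP) -> str:
    """Rewrite scheme and host of an absolute OData link to its external entry point.

    Path, query and fragment are kept. A link that already points at one of the
    external entry points passes unchanged; any other host is refused.
    """
    parts = urlsplit(link)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {link!r}")
    external_hosts = {urlsplit(v).netloc for v in url_map.values()}
    if parts.netloc in external_hosts:
        return link
    target = url_map.get(parts.netloc)
    if target is None:
        raise InternalHostLeak(f"no external mapping for host {parts.netloc!r}")
    ext = urlsplit(target)
    path = ext.path.rstrip("/") + parts.path
    return urlunsplit((ext.scheme, ext.netloc, path, parts.query, parts.fragment))


def externalize_notification(notification: dict, url_map: dict = URL_MAP) -> dict:
    """Return a copy of a notification whose 'links' are all mapped externally.

    The whole notification is refused (exception propagates) if any single link
    cannot be mapped, so no internal server name leaves the system.
    """
    links = [map_odata_link(link, url_map) for link in notification.get("links", [])]
    return {**notification, "links": links}
```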

Spamming of recipients is prevented by

  • Explicit subscription by the end-user

  • Explicit activation of relevant OData services at the Gateway hub (see Customizing for SAP NetWeaver under Application Server > Basis Services > Collaboration > Gateway Notifications > Activate OData Service for Notification)