
Security Aspects of Enterprise Workspaces

 

This topic discusses the security aspects that you need to consider when implementing enterprise workspaces.

Controlling Access to Workspace Content

Workspace permission policies determine the different levels of access to a workspace. Workspace managers must consider the nature of the content in the workspace and make sure that all of the workspace members are authorized to view or access this content.

When a module template is made available in enterprise workspaces, its underlying application becomes exposed to all users who have access to the workspaces. Certain applications, such as SAP back-end applications, perform their own permission checks and deny access to unauthorized users, but this is not the case with all applications.

If you have accidentally created a module template that exposes sensitive content to all users, delete this template to ensure that the module is not used in any workspace.

To control exposure of sensitive content, define the users who can add this module to workspaces, and instruct these users to restrict access to their workspaces.

Assigning Workspace Administration Roles

The operations performed by workspace administrators are similar to those performed by portal administrators and thus require the same level of permissions. Some of the operations, such as transport or service configuration, require the permissions of a portal system administrator. Therefore, it is recommended to assign workspace administration roles only to users who have the respective portal administration roles.

Roles and Permissions of Workspace Members

Workspace roles define the permissions and activities of the workspace members, as described in Roles and Personas.

Reassigning Workspaces

When reassigning workspaces, the workspace owner must make sure that the new owner has the required permissions to access the content of the workspace.

When a workspace is reassigned to a new owner, the previous owner and all workspace managers receive an e-mail notification regarding the new assignment. This is done to ensure that a potential unauthorized ownership change does not go undetected.

Data Storage Security
  • All data for the portal resides in the database of the SAP NetWeaver Application Server (AS) Java.

  • The documents are stored in a content management repository of Knowledge Management (KM) under workspaces.

  • KM has an option to perform a virus check of documents for which you have write or read access. To enable it, you have to configure the virus scan interface of the SAP NetWeaver Application Server.

    For detailed information, see Virus Scanner Service: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b8/f5af401efd8f2ae10000000a155106/frameset.htm.

Module Storage

The stored data of modules, such as the Text Pad and Document List, is not encrypted, so developers who are familiar with the portal internals can theoretically access this data in their applications. Portal administrators should therefore always ensure that applications running in an enterprise portal can be trusted not to make malicious use of the data.

Transport of Workspaces

The .epa files, in which the workspaces are packaged for transport, may include personal or sensitive information. To protect this information, we recommend the following security measures:

  • If you choose to store the export package in the file system, the .epa files are saved to a folder of your choice. Make sure that this folder is protected by appropriate permissions.

  • After the .epa file has been used and is not required anymore, make sure it is permanently deleted from the file system and all other caches.

  • When transferring the file on a digital storage device such as disk on key or saving it as a backup, make sure the file is protected, for example, archived in a password-protected ZIP file.
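
The first two measures above can be checked with a script. The following is an added example, not SAP code: it flags an export folder or .epa files that group or other users can access, and .epa files older than a retention window. It assumes a POSIX host; the function name, the finding labels and the 7-day default are assumptions.

```sh
#!/bin/sh
# Added example: audit a transport export folder for exposed or leftover
# .epa files. Folder path and the 7-day retention default are assumptions.

# epa_findings DIR [MAX_AGE_DAYS]
# Prints one finding per line; prints nothing when the folder is clean.
epa_findings() {
    dir=$1
    max_age=${2:-7}

    # Characters 5-10 of the ls mode string are the group and other bits.
    case $(ls -ld "$dir" | cut -c5-10) in
        ------) ;;
        *) echo "FOLDER_EXPOSED $dir" ;;
    esac

    # .epa files that group or others can read, write or execute.
    find "$dir" -type f -name '*.epa' \( -perm -040 -o -perm -020 \
        -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec echo FILE_EXPOSED {} \;

    # .epa files older than the retention window: candidates for deletion.
    find "$dir" -type f -name '*.epa' -mtime +"$max_age" \
        -exec echo FILE_STALE {} \;
}

if [ $# -gt 0 ]; then
    epa_findings "$@"
else
    # Constructed sample tree so the script runs offline.
    demo=$(mktemp -d)
    chmod 700 "$demo"
    touch "$demo/hr_workspace.epa"
    chmod 644 "$demo/hr_workspace.epa"
    touch -t 202001010000 "$demo/old_export.epa"
    chmod 600 "$demo/old_export.epa"
    epa_findings "$demo" 7
    rm -rf "$demo"
fi
```

The script only reports; it does not delete files, and it does not cover copies held in other caches or on removable media.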

More Information

All security considerations relevant for the SAP NetWeaver Portal also apply to enterprise workspaces.

For detailed information, see: