Data Storage Security for the Integration Directory

Data Storage

You use the Integration Directory to configure integration content (specified at design time) for a specific system landscape.

Integration Directory data is structured according to different object types. These objects are referred to as configuration objects .

More information:

• Integration Directory

• Configuration Time

If and which kind of sensitive data can be can be contained in configuration objects, depends on the integration scenarios configured in the Integration Directory. In the following, we list those configuration object types that can contain sensitive data.

• Communication components

  Assigned service users (listed in communication component editor, tab Assigned User , in order to specify ACL-dependent authorizations, see below) might be considered as sensitive information.

• Communication channels

  A communication channel contains the complete configuration settings for an adapter. Therefore, these channels might carry a lot of sensitive information, for example, addresses of systems (host and port names), paths within a file system, and user names.

• Receiver determinations, receiver rules, interface determinations, and integrated configurations

  These objects can contain routing conditions that depend on the message content. In that case, the condition is composed of expressions that contain business data (for example, names of persons, booking numbers). This data is not encrypted and might be highly sensitive.

• Receiver agreements and internal configurations

  These objects can contain header mappings that are used to transform the address fields in the header of outbound messages (in order to mask internal details when communicating with external business partners). In general, it is possible to draw conclusions from header mappings on the internal system landscape of a business partner.

• Value mappings

  Value mappings can contain names of business systems. Therefore, it is possible to draw conclusions from value mapping data on the internal system landscape of a business partner.

Data Protection

There are a number of measures in order to increase data security.

Encrypting Data

Data stored in the Integration Directory database is not encrypted.

Reducing Storage Duration of Data

There is no automation to clean up the Integration Directory database regularly. Configuration objects must be deleted manually.

Deleting Data

Users with the corresponding authorizations can delete configuration objects.

However, make sure that deleted objects are activated after deletion. Otherwise, the data remains in the Integration Directory database.

Access and Change Protection

You can prevent unauthorized users from accessing and changing sensitive data by assigning suitable authorizations.

There are the following options:

• Object type-dependent authorizations

  You can define authorizations for a specific set of objects.

  More information: Role-Based Authorizations in ES Repository and Integration Direc

• ACL-dependent authorizations for configuration objects

  You can define authorizations based on access control lists (ACLs) for configuration objects.

  An ACL is a list of permissions that can be attached to an object or a set of objects.

  More information: ACL-Based Authorizations in ES Repository and Integration Directory

• ACL-dependent authorizations for service user

  You can define that messages containing a specific business system or business component as sender, can only be executed by certain service users. You configure this setting using communication component integrated configuration or sender agreement objects in Integration Directory.

  More information: ACL-Based Authorizations for Service Users

  For communication based on the Web service runtime, you can propagate the Integration Directory configuration settings to the corresponding back-end system using cache notifications. You define the service users that are authorized to trigger cache notifications using the communication component object.

  Caution

  This function is not available for the Advanced Adapter Engine Extended.

  More information: Configuring Business Systems (with Web Service Communication)

Logging Data Access

There are the following options to log access to data:

In the object editor of a configuration object, choose  <name of object type>  History . The versions of the object are displayed as well as information about when the version was created and by which user. You can also open individual versions of an object from the version history.