Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Storing Access Data in Secure Area

Former Member
0 Kudos

Hi,

Does anyone use SAP's Secure Area on the Support Portal for storing access data for Support accounts that SAP use to resolve issues?

If so, is there much documentation out there about how secure it actually is, how to use it etc.

Thanks,

6 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

I guess you are referring to the topic which is described in SAP Note 508140 (https://service.sap.com/sap/support/notes/508140).

Well, I have to admit that I'm not familiar with this specific feature of the SAP Service Marketplace - I have no insights on the implementation. But I can investigate ...

0 Kudos

Yes that is exactly the note I am referring to. It would be great if you could find some information.

0 Kudos

Does anyone have any more information on this? It would be a great help...

0 Kudos

Sorry for the late reply.

Well, it took me quite some time to get the information (since the functionality is not in the standard but implemented as "custom development").

The logon data information is stored in a system where only a few persons have the ability to access the database (e.g. via SE16, etc.). The password is not stored as plaintext, so that it is not "apparent to the eye". However, it is not encrypted (using cryptographic algorithms such as 3DES). But actually that's not the relevant point. As long as direct DB access is prevented and as long as every (API based) access is controlled by authorization checks and results in audit traces, it is justified to call this a "Secure Area".

Keep in mind, how the data would be handled otherwise:

users might write the plaintext password into the message (where it can be seen without such auditing) or even transmit it via email (where it could be seen by just anyone on the transmission path - like sending a postcard).

Best regards, Wolfgang

PS: I also do not have access to that system (other than the indirect access based on API usage).

0 Kudos

Hi Wolfgang,

Much appreciated for your reply, and apologies for the lateness of mine!

So let me get this correct.

When I update the Access Data in the Secure Area, the logon data is stored on SAP's system and is accessible via SE16 (would this be table USR02) to a select few people.

So when a SAP Support person is analysing a customer message, the password that they view is on a web page. This password is being transmitted from SAP's system to the web page, with no encryption method.

Access to the password on the customer side is restricted by the "Maintain System Data" authorisations of the Support Portal logon.

Please correct me here if I am wrong.

Do you know the versions that SAP use for their Support Portal?

Many thanks again

Bernard.

0 Kudos

> So when a SAP Support person is analysing a customer message, the password
> that they view is on a web page. This password is being transmitted from SAP's
> system to the web page, with no encryption method.

No, that's not correct. The system even requires X.509 client certificates (and not just username and password) - and, of course, the SSL communication is encrypted. In addition, all actions are logged and can be evaluated for audit purposes.

Notice: that (BSP) web application is running on a dedicated inhouse system - not on the SAP Service Marketplace (Portal). Yes, authorizations will be checked - but they are different from those customers can maintain (to control which actions their employees should be able to perform in the SAP Service Marketplace). Only "Support Consultants" and "Developers" (who also have to provide customer support: -> "Development Support") are given the required authorization.

Best regards, Wolfgang