Basic Considerations

This chapter is meant to alert the account administrator or application administrator to settings and configurations that are relevant to operating their service in a secure manner, for example, regarding users or authorizations. It provides on how to configure and operate the service. It describes only the recommended procedures that a user or administrator should perform.

<div> <div>Target Group</div> <div>Account administrator, (application administrator)</div> </div> <div> <div>Mandatory / Optional</div> <div>Mandatory</div> </div> <div> <div>Size</div> <div>Multiple topics possible (grouped under root topic )</div> </div>

Basic Considerations

Who Is Responsible for Security Information?

Responsible (Input): Security Expert for the component, scenario, or application (content)
Accountable: Component/Scenario/Application Owner
To be consulted: Developer, Development Manager, Product Manager, Knowledge Manager, User Assistance Developer (for work in Ixiasoft or whatever documentation tool you are using)
To be informed: Product Management Security, Quality Manager, Production Unit

Refer to the product standard requirement for Security

SEC-247: Provide a security guide explaining how to securely setup, configure, and operate.

Usage of Multiple Topics

You can include all information in one topic called Security or create multiple child topics. Your root topic should always be called Security. If you have information about data protection and privacy, include it in a separate topic under the root topic Security.

Topic Content

Make sure you only describe the service-specific aspects in detail. For standard procedures, it is sufficient to link to the relevant chapters in the central SAP BTP documentation. If there is nothing relevant for your service, you can delete the respective subsection.

Title: Security

Use "Security" as title of your (root) topic. Do replace it with another title.

If you have a separate security guide for your service, simply link to it here. Do not repeat the information.

Useful Links

Links to the central SAP BTP documentation that you might want to link to:

Security for SAP BTP (or relevant subchapters)

Security, Neo Environment (or relevant subchapters)

Auditing and Logging Information

It is mandatory to describe whether your service logs any security-relevant events and how these logs are properly configured and analyzed. Template topic - TEMPLATE Auditing and Logging Information - loio43cfee09ad284b61855c8bfa0496071a.

Customers require information what audit log events are written for each service they are using, and how to interpret the logged events. The logged events are service specific and determined by the service itself. The Audit Log service does not know what events services log, it only provides the infrastructure for services to write the logs, and for customers to read them by using the Audit Log Retrieval API and the Audit Log Viewer.

There are two requirements requested by customers:

Compliance Part: The auditor does something in the system. The auditor checks the log viewer. The log viewer confirms what the auditor did. The auditor needs to be able to find the audit log generating events to check.
Security Part: Enterprises want to see all the events that the system can generate, then from this list determine which ones are important to them. Then configure their Security Information Event Management (SIEM) system to generate warnings when these events occur alone or in combination with other events.

To fulfill the requirements each service needs to have the following information as part of a topic (topic name TBD) in the Security section of its service guide:

a list of the audit log events that are being logged by the service,
how to identify related log events,
any additional information that can be helpful to customers.

Links to the topics with provided information will also be listed in the Audit Logging sections of the Core deliverables for Neo and Cloud Foundry.

Examples:

<div> <div>Event grouping</div> <div>What events are logged</div> <div>How to identify related events</div> <div>Additional information</div> </div> <div> <div>Tenant related events</div> <div>Create new tenant</div> <div> <ul> <li>Creation of data for <account> started by <user></li> <li>Creation of data for <account> completed</li> <li>Creation of data for <account> failed. Reason for failing the creation is <Reason></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Delete existing tenant</div> <div> <ul> <li>Deletion (reason: <reason>) of data for <account> requested by <user></li> <li>Deletion (reason: <reason>) of data for <account> started by <user></li> <li>Deletion (reason: <reason>) of data for <account> completed</li> <li>Deletion (reason: <reason>) of data for <account> failed. Reason for failing the deletion is <Reason></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Purge all workflow data of a tenant</div> <div> <ul> <li>User &purgingUser triggered purging of all data (containing &countWorkflowDefinitions WorkflowDefinitions) in tenant &tenant of appTenant &appTenant via channel &channel. In case forms purge is 'enabled': User &purgingUser triggered purging of all data (containing &countWorkflowDefinitions WorkflowDefinitions and all FormDefinitions) in tenant &tenant of appTenant &appTenant via channel &channel.</li> <li>Job triggered by user &purgingUser is now starting to purge all data in tenant &tenant of appTenant &appTenant via channel &channel.</li> <li>Job triggered by user &purgingUser is completed with purging all data in tenant &tenant of appTenant &appTenant via channel &channel.</li> <li>General failure: Job triggered by user &purgingUser has failed while purging all data in tenant &tenant of appTenant &appTenant via channel &channel. Failure during workflow artefacts purge: Job triggered by user &purgingUser has failed while purging all data in tenant &tenant of appTenant &appTenant via channel &channel. &countWorkflowDefinitions Workflow Definitions not purged. Failure during forms artefacts purge: Job triggered by user &purgingUser has failed while purging all forms data in tenant &tenant of appTenant &appTenant via channel &channel.</li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Export all workflow data from a tenant</div> <div> <p>about_to_read - User &userId is about to export all data of tenant &tenantDescription.</p> <p>read - User &userId finished exporting all data of tenant &tenantDescription.</p> <p>read-failed - Export of all data of tenant &tenantDescription for user &user failed during zip streaming. [Log-ID: &logId]</p> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div>Instance related events</div> <div>Create a new service instance</div> <div> <p>about-to-create-service-instance</p> <ul> <li>Creation of service instance with ID &serviceInstanceId in space &spaceGuid of organization &organizationGuid with parameters &parameters started by &userId</li> </ul> <p>create-service-instance-done</p> <ul> <li>Creation of service instance with ID &serviceInstanceId in space &spaceGuid of organization &organizationGuid with parameters &parameters completed</li> </ul> <p>create-service-instance-failed</p> <ul> <li>Creation of service instance with ID &serviceInstanceId in space &spaceGuid of organization &organizationGuid with parameters &parameters failed with error message: <error></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Delete an existing service instance</div> <div> <p>requested-to-delete-service-instance</p> <ul> <li>Deletion of service instance with ID &serviceInstanceId requested by &userId</li> </ul> <p>about-to-delete-service-instance</p> <ul> <li>Deletion of service instance with ID &serviceInstanceId started by &userId</li> </ul> <p>delete-service-instance-done</p> <ul> <li>Deletion of service instance with ID &serviceInstanceId completed</li> </ul> <p>delete-service-instance-failed</p> <ul> <li>Deletion of service instance with ID &serviceInstanceId failed with error message: <error></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Update an existing service instance</div> <div> <p>about-to-update-service-instance</p> <ul> <li>Update of service instance with ID &serviceInstanceId with requested changes &requestedChanges started by &userId</li> </ul> <p>update-service-instance-done</p> <ul> <li>Update of service instance with ID &serviceInstanceId with updated parameters &parameters completed</li> </ul> <p>update-service-instance-failed</p> <ul> <li>Update of service instance with ID &serviceInstanceId with updated parameters &parameters failed with error message: <error></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Create a new subscription</div> <div> <p>create-subscription-started</p> <ul> <li>Subscription for tenant &tenantId to application &appName started by &userId</li> </ul> <p>create-subscription-completed</p> <ul> <li>Subscription for tenant &tenantId to application &appName completed</li> </ul> <p>create-subscription-failed</p> <ul> <li>Subscription for tenant &tenantId to application &appName failed with error message: <error></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div> <div> <div></div> <div>Delete an existing subscription</div> <div> <p>delete-subscription-started</p> <ul> <li>Unsubscription of tenant &tenantId from application &appName started by &userId</li> </ul> <p>delete-subscription-completed</p> <ul> <li>Unsubscription of tenant &tenantId from application &appName completed</li> </ul> <p>delete-subscription-failed</p> <ul> <li>Unsubscription for tenant &tenantId from application &appName failed with error message: <error></li> </ul> <p>SecurityEventAuditMessage</p> </div> <div></div> </div>

How to Create the Topic in Your Service Guide

A template for the topic is provided in the DITA CMS in the ODS_NEO_REUSE container: TEMPLATE Auditing and Logging Information - loio43cfee09ad284b61855c8bfa0496071a.
As a UA developer, use "Copy with new loio" on the latest version of the template topic, to create an Auditing and Logging Information topic in your container (make sure that the dependency between your container and ODS_NEO_REUSE is up to date).
You will find the newly created Auditing and Logging Information topic in the "Recent Operations" section of the "Documents" in the DITA CMS. Rename it according to the naming convention: "Auditing and Logging Information" (Make sure to remove "TEMPLATE" from the title).
Release the Auditing and Logging Information topic.
Include the Auditing and Logging Information topic in the Security Section of your service guide.

Identity and Access Management

This includes aspects such as: delivered default users and user groups, identity management processes, authentication procedures, and underlying authorization concepts as well as critical authorization combinations. If your service uses the standard procedure, link to the central SAP BTP documentation: Authorization and Trust Management in the Cloud Foundry Environment or Authorization and Trust Management in the Neo Environment or relevant subchapters.

If your service delivers that you have described under Configuring <Service Name>. Link to this topic from the security chapter of your guide.

If your service has , describe whether there are any security-relevant aspects. The destinations themselves should be described under Initial Setup. Include a link to your initial setup topic in your security topic.

Network and Communication Security

Describe any special security-relevant aspects for communication channels and interfaces your service uses as well as which protocols are used to encrypt communication.

If your service uses the OAuth 2.0 service, link to the central SAP BTP documentation on this service: OAuth 2.0 Service

If your service uses the Keystore Service, link to the central SAP BTP documentation: Keystore Service

If your service stores data, describe the methods and logging processes here.

Data Protection and Privacy

This chapter gives an overview of the service-specific aspects regarding data protection and privacy.

As a service author, you need to talk to your PO to find out if and how your service processes personal data. If it does, you need to include a section about data protection and privacy in your service guide. If it does not, you do not need the section at all.

Processing personal data might mean the following:

Your service collects, stores, or records personal data.
Your service reads, retrieves, or consults personal data.
Your service deletes personal data.
Your service transfers personal data.
Your service changes or updates personal data.

According to the EU General Data Protection Regulation (GDPR), means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

For more details see this wiki under "What exactly is 'processing' of personal data?" Consulting Hours FAQs

Once you have clarified whether or not your service processes personal data, proceed as follows:

If Your Service Does Process Personal Data in Any Form

Include the topic about data protection and privacy in the Security section of your guide.

If Your Service Does NOT Process Personal Data

You can delete the Data Protection and Privacy section from your service guide.

Topic Content

Title: Data Protection and Privacy

Use "Data Protection and Privacy" as title of your topic. Do not replace it with another topic.

Introduction (without section title)

Start with the following standard formulation

For public cloud documentation:
For general information about data protection and privacy on SAP BTP, see the SAP BTP documentation under Data Protection and Privacy [link to: https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/7e513d31704a4a87831191e504ca850a.html].
For private cloud operator documentation:
For general information about data protection and privacy on SAP BTP, see the SAP BTP, partner-managed Edition documentation under Data Protection and Privacy [link to: https://help.sap.com/viewer/f18c9a27e7324096a66150e1fe0b57d3/latest/en-US/002204af0963448088977d5bc2ad4105.html].

Check with you PO and the security expert in your team whether everything stated here also applies to your service.

Other Sections

In the same topic, explain how your service complies with the DPP requirements (Consent, Read Access Logging, Personal Data Record, Deletion, and Change Log) and exactly how it handles the personal data. You only need to mention those requirements for which you have something specific to say for your service. Include a separate section for each requirement.

In each section, start with the following formulation: