Security Configuration

Get to know app security and sensitive data protection.

Security has always been an important element for the complete product life cycle of all SAP products, including product development, planning, and quality assurance. SAP takes care of some of the security focus areas, while others have to be handled by you.

Consider the following security aspects:

To protect potentially sensitive data, annotate properties as potentially sensitive as described in PersonalData Vocabulary and consider the following:

  • Using the Export Button

    You can disable the export button at the table level, or exclude specific columns that contain sensitive data from the export.

    For more information, see Using the Export Button.

  • Showing or Hiding the Copy to Clipboard Button

    To prevent exposing sensitive data, you can disable copying to clipboard.

    For more information, see Tables.

  • Enabling the History of Recently Entered Values

    On fields annotated as potentially sensitive, the storing of data in the history is disabled.

    For more information, see Enabling the History of Recently Entered Values.

  • Caching the Last Executed Request

    Caching the last executed request is disabled if the request contains a filter on properties that are annotated with PersonalData.IsPotentiallySensitive.

    For more information, see Caching the Last Executed Request.

  • Store/Restore the Application State

    If a field annotated as potentially sensitive is changed, SAP Fiori elements doesn't store/restore this information. Any changes added by users are therefore lost when refreshing. This limitation doesn't apply to fields used in filter context.

    For more information, see Store/Restore the Application State.

  • Using Extensions to Modify External Outbound Navigation

    Use app extensions with caution and only if you cannot produce the required behavior by other means, such as manifest settings or annotations.

    To correctly integrate your app extension coding with SAP Fiori elements, use only the extensionAPI of SAP Fiori elements. The adaptNavigationContext extension method allows you to modify which information available in the navigation context is passed to the target application, excluding sensitive information.

    For more information, see Creating an Extension to Modify Properties in the Navigation Context.

  • Navigation from an App (Outbound Navigation)

    During external outbound navigation, sensitive data is removed from the navigation context. However, sensitive properties of navigation entities beyond one level aren't removed from the navigation context.

    For more information, see Navigation from an App (Outbound Navigation).

  • Using the Share: Microsoft Teams Functionality

    If your application contains sensitive and personal data, enabling the Share: Microsoft Teams > As Card option results in the transfer of this information outside the SAP S/4HANA environment. Application teams need to carefully consider whether such data should be excluded by providing the corresponding annotation.

    For more information, see The Share: Microsoft Teams Functionality.

  • Masking Input Fields

    Input fields can be masked using the Common.Masked annotation. This feature only hides the text on the UI and doesn't mask the data before it is sent to the back end.

    For more information, see Different Representations of a Field.
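
The outbound navigation item above notes that sensitive properties more than one level deep stay in the navigation context. The following audit is an added example, not SAP code: it lists the annotated properties that sit more than one navigation hop from a root entity, which are the candidates for removal in an adaptNavigationContext extension. It assumes OData V4 CSDL XML with a single schema and annotations in Annotations blocks, and reads "beyond one level" as more than one hop; the function names and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
EDM = "{http://docs.oasis-open.org/odata/ns/edm}"

# Constructed sample metadata (not a real service): Order -> _Customer -> _Bank.
SAMPLE = """<Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="demo">
  <EntityType Name="Order">
    <Property Name="ID" Type="Edm.String"/>
    <NavigationProperty Name="_Customer" Type="demo.Customer"/>
  </EntityType>
  <EntityType Name="Customer">
    <Property Name="Email" Type="Edm.String"/>
    <NavigationProperty Name="_Bank" Type="demo.BankAccount"/>
  </EntityType>
  <EntityType Name="BankAccount">
    <Property Name="IBAN" Type="Edm.String"/>
  </EntityType>
  <Annotations Target="demo.Customer/Email"><Annotation Term="PersonalData.IsPotentiallySensitive"/></Annotations>
  <Annotations Target="demo.BankAccount/IBAN"><Annotation Term="PersonalData.IsPotentiallySensitive"/></Annotations>
</Schema>"""

def sensitive_paths(metadata_xml, root_type, max_depth=4):
    """Map each sensitive property path reachable from root_type to its navigation depth."""
    schema = next(ET.fromstring(metadata_xml).iter(EDM + "Schema"))
    ns = schema.get("Namespace")
    types = {f"{ns}.{t.get('Name')}": t for t in schema.iter(EDM + "EntityType")}
    flagged = set()
    for block in schema.iter(EDM + "Annotations"):
        for ann in block.iter(EDM + "Annotation"):
            # A tag annotation counts as true unless Bool="false" is given.
            if ann.get("Term", "").endswith(".IsPotentiallySensitive") and ann.get("Bool") != "false":
                flagged.add(block.get("Target"))
    found = {}
    def walk(type_name, prefix, depth, seen):
        # Stop on unknown types, cycles in the navigation graph, or excessive depth.
        if type_name not in types or type_name in seen or depth > max_depth:
            return
        for prop in types[type_name].findall(EDM + "Property"):
            if f"{type_name}/{prop.get('Name')}" in flagged:
                found[prefix + prop.get("Name")] = depth
        for nav in types[type_name].findall(EDM + "NavigationProperty"):
            target = nav.get("Type").removeprefix("Collection(").rstrip(")")
            walk(target, f"{prefix}{nav.get('Name')}/", depth + 1, seen | {type_name})
    walk(root_type, "", 0, frozenset())
    return found

def needs_manual_removal(metadata_xml, root_type):
    """Paths more than one navigation hop from the root entity."""
    return sorted(p for p, d in sensitive_paths(metadata_xml, root_type).items() if d > 1)
```

For the sample, the audit reports the IBAN path two hops from Order, while the Email path one hop away is not reported.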