Understanding the Security

Objective

After completing this lesson, you will be able to set up network access, communication, and authorizations.

Security Information

SAP Batch Release Hub for Life Sciences (SAP BRH) is a cloud application, built by SAP on the SAP Business Technology Platform and operated on public cloud, that addresses the life science industry.

An inappropriate decision to release a batch of product or intermediate, without all sufficient quality controls, could have a detrimental impact on quality, leading to recalls and even impacting patients.

Putting people's safety first is an additional motivation to make every reasonable effort to ensure that:

  • Only the right data is used (avoid data tampering)
  • Only the allowed people take the Batch Release decision

While SAP BRH cannot be held responsible for wrong decisions if the data the customer sends to SAP BRH is incorrect or access rights are not properly assigned, SAP BRH does give customers sufficient controls to ensure that reasonable efforts by malicious users are rendered ineffective.

A detailed list of all controls applied during all phases of product development and deployment would itself be a potential risk. At the same time, the security administrator of the application must have a clear and detailed understanding of the aspects under her or his responsibility.

The purpose of this lesson is therefore to summarize this information, with reference to Security and Data Protection and Privacy | SAP Help Portal, with a specific focus on handling credentials.

Several design patterns for high-resilience applications (see Unit 2 Lesson 3) emphasize the importance of a microservice architecture. SAP BRH, being built on the SAP Business Technology Platform (SAP BTP), relies on several services that the platform provides. One example is SAP Cloud Identity Services, which is used to ensure that only persons with the appropriate credentials are allowed to access a specific application on SAP BTP, such as SAP BRH.

As described in Unit 2 Lesson 3, the service interaction is controlled through service-specific keys.

These keys are under the control of the SAP BTP Administrator, who can change them at any point in time, while following the agreed control processes for changes on SAP BTP.

The SAP BTP Administrator must create one (or more) service keys for each service that the application needs and that is under the customer's control. These are:

  1. Minimum - Create an Instance of the Integration Broker

    SAP Batch Release Hub for Life Sciences (Create an Instance of the Integration Service Broker | SAP Help Portal)

  2. If using the SAP S/4HANA off-the-shelf integration (also called Integration Hub for Life Sciences):
    • Custom Managed Event Mesh
    • Integration Hub for Life Sciences
    • Integration Hub for Life Sciences, Adapter
    • SAP Cloud ALM API
  3. Additionally, the following optional services could be used:
    • Custom managed Rule Engine (optional)
    • Document management Service (optional)
    • Transport Management Service (optional)

Those customers of SAP BRH, who use SAP S/4HANA, additionally have to manage the security assets in SAP S/4HANA, which relate to:

  • Having the right to use Data Replication Framework
  • Having the right to use the REST client in SAP S/4HANA
  • Receiving ODATA from the outside

With the Integration Hub for Life Sciences Release LSCH100 SP0001, a specific role for BRH, /LSCH/PROCESS_RELEASE_DECISION, will be delivered.

This role contains the relevant authorization objects, such as:

  • DRF_ADM for the authorization to request and initialize the DRF process for the relevant outbound implementations like LSCH_BATCH or LSCH_INSPL
  • /AIF/PROC for the authorization to process the inbound request via the AIF
  • S_SERVICE to check the status of an external service, like RELEASE_DECISION_SRV

Additionally, it contains the relevant authorization objects for the business application, such as setting the usage decision on inspection lots.

This role will be assigned to the technical user that is assigned to the destination in SAP BTP. The authorization mapping, which determines who will be able to release the different batches in SAP BRH, will be done based on the settings made in the Quality Department. This configuration is described in Module 2 Unit 1 Lesson 2 of this course.

The long-term vision of SAP Batch Release Hub for Life Sciences (BRH) is to enable zero time batch release, i.e., as soon as all the required data meets the user-defined requirements (as described in the business rules we discussed in one of the other lessons in this tutorial), the release decision is automatically generated and passed to the source systems so that the batch can be automatically released.

Release version 2.0 of SAP BRH still requires the Authorized Person to take the Batch Release Decision manually. Beyond this persona, other use cases also foresee humans being involved in SAP BRH. For each of these use cases, the appropriate rights need to be properly handled.

When dealing with user management, one needs to address a double question: WHO is allowed to do WHAT.

AUTHENTICATION = WHO

Authentication is the process that ensures that only persons with specific credentials are allowed to use the system at all.

An analogy could be that of a room with a door to which a key lock is attached. Only the people who have the key can enter the room.

User authentication processes in SAP Batch Release Hub enable users to be identified and verified so that they can access only the resources to which they have the proper permissions. The responsibility for handling access to BRH is entirely in the hands of the customer, since the "keys" to the SAP BRH "door" are managed by the customer's SAP BTP Administrators, who need to configure credentials for the company's account in the SAP BTP Cockpit.

The Customer SAP BTP Administrator must configure the Identity Provider (IDP) to access SAP Batch Release Hub.

Since SAP Batch Release Hub uses the authentication, identity, and access management mechanisms of SAP BTP Cockpit, you can find related information in the SAP BTP, Cloud Foundry environment documentation: SAP Authorization and Trust Management Service in the Cloud Foundry Environment | SAP Help Portal

AUTHORIZATION = WHAT

Business users in an application require different authorizations because they work in different job roles.

For example, in a leave request process, there are employees who want to create and submit leave requests, managers who approve or reject, and payroll administrators who need to see all approved leave requests to calculate the leave reserve.

The authorization concept of a leave request application has to cover the needs of these employee groups. This authorization concept includes elements such as roles, scopes, and attributes.

A role is an instance of a role template; you can build a role based on a role template and assign the role to a role collection.

Role templates refer to attributes and scopes. The role templates contain the authorizations for activities, such as viewing, editing, or deleting data.

Information that is specific to the user is stored in attributes. For each attribute, administrators can specify the value that restricts data access.

Static attributes are stored in the role, whereas in cases in which a custom identity provider provides the business users, you can dynamically reference all the attributes that come with the access token.

Role collections reference role templates.

After the developer has created the role templates and deployed them to the relevant application, it's the administrator's task to use those role templates to build roles with the required attributes, aggregate the roles into role collections, and then assign the role collections to business users in the application.
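A simplified model of the chain described above (role template, role, role collection, IdP user group), using the leave request scenario; this is an added example, not SAP code, and it does not reproduce how the SAP Authorization and Trust Management Service is implemented. All names (scopes, role collections, groups, the `department` attribute) are hypothetical, and an attribute with no value is treated here as granting no access, which is an assumption of this model.

```python
from dataclasses import dataclass, field

@dataclass
class RoleTemplate:                 # created by the developer, deployed with the app
    name: str
    scopes: set                     # activities, e.g. create / approve / read
    attributes: set = field(default_factory=set)   # attribute names it refers to

@dataclass
class Role:                         # built by the administrator from a template
    name: str
    template: RoleTemplate
    static: dict = field(default_factory=dict)     # attribute -> values stored in the role
    from_token: set = field(default_factory=set)   # attributes read from the access token

    def restrictions(self, token_attrs):
        """Allowed values per template attribute; a missing value means no access."""
        return {a: set(token_attrs.get(a, []) if a in self.from_token
                       else self.static.get(a, []))
                for a in self.template.attributes}

# Constructed sample data for the leave request scenario (all names hypothetical)
EMPLOYEE = RoleTemplate("Employee", {"leave.create"})
MANAGER = RoleTemplate("Manager", {"leave.approve"}, {"department"})
PAYROLL = RoleTemplate("Payroll", {"leave.read_approved"})
ROLE_COLLECTIONS = {
    "RC_Staff": [Role("Employee", EMPLOYEE)],
    "RC_SalesManagers": [Role("Manager_Sales", MANAGER,
                              static={"department": ["Sales"]})],
    "RC_Managers_IdP": [Role("Manager_ByToken", MANAGER,
                             from_token={"department"})],
    "RC_Payroll": [Role("Payroll", PAYROLL)],
}
GROUP_TO_COLLECTIONS = {            # IdP user group -> role collections
    "grp-all": ["RC_Staff"], "grp-sales-mgr": ["RC_SalesManagers"],
    "grp-mgr": ["RC_Managers_IdP"], "grp-payroll": ["RC_Payroll"],
}

def is_allowed(groups, scope, record, token_attrs=None):
    """True if a role reached through the user's groups grants `scope`
    and every attribute restriction of that role matches the record."""
    token_attrs = token_attrs or {}
    for group in groups:
        for rc in GROUP_TO_COLLECTIONS.get(group, []):   # unmapped group: nothing
            for role in ROLE_COLLECTIONS[rc]:
                limits = role.restrictions(token_attrs)
                if scope in role.template.scopes and all(
                        record.get(a) in vals for a, vals in limits.items()):
                    return True
    return False
```

The static role limits a manager to the value stored in the role, while the token-based role follows whatever the identity provider asserts, so the IdP attribute mapping becomes part of the authorization surface to review.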

SAP Batch Release Hub for Life Sciences provides a set of roles that can be granted to users to provide access to the application features. It is recommended that roles are grouped into role collections in SAP Business Technology Platform (SAP BTP) to facilitate consistent rights and the process of granting access to users. Users are mapped to user groups in SAP Identity Authentication (IAS) and then these user groups can be mapped to the role collections in SAP BTP.

The Administration Guide contains all details related to the Role Collections that exist in SAP BRH.

Defining and Bundling Roles | SAP Help Portal

The customer's SAP BTP Administrator needs to assign role collections to identity provider (IdP) users in SAP Business Technology Platform (SAP BTP).

In the SAP BTP cockpit, you must assign role collections to IdP users or user groups. As a prerequisite, users and user groups must have been created in the Identity Authentication service or another IdP.

Note

If you use the SAP ID service, you assign role collections to individual users. If you use the Identity Authentication service or another IdP, you assign them either to individual users or to user groups.

User Management | SAP Help Portal

The whole topic of Data Protection and Privacy for Batch Release Hub for Life Sciences is documented in the online help...

The acronym CRUD is widespread in the information technology field and describes the four possible operations one can do with data:

  • Create: also called write; the process of entering data
  • Read: only read out the record, without changes
  • Update/Patch: if a record already has some data, one might want to modify it, add additional properties, or remove some of them
  • Delete: remove the record

As described in previous lessons, SAP Batch Release Hub for Life Sciences applies the widespread concept of Staging and Active areas.

The purpose of the Staging area is to allow the customer to review the data a final time before it is deployed in the Active area.

Once in the Active area, the data cannot be deleted or modified anymore. 

In the Staging area, the customer can decide whether the data should be deleted or updated (patched). Patching requires the ODATA PATCH command, which is available only for specific objects (see ODATA V4 API | SAP Batch Release Hub for Life Sciences | SAP Business Accelerator Hub).

Data Protection and Privacy | SAP Help Portal

SAP Batch Release Hub for Life Sciences has extensive logging capabilities that include:

  1. For data that is in the staging or active area
  2. The process to monitor the integration with SAP S/4HANA is documented in Monitor Integration Hub for Life Sciences | SAP Help Portal and involves both:
    • SAP S/4HANA specific transactions (DRFLOG)
    • SAP Cloud Application Landscape Management 
  3. The monitoring of the integration with third-party sources is beyond the responsibilities of SAP and must be ascertained through the tools used for the integration. When integrating with SAP Advanced Event Mesh (SAP Integration Suite, Advanced Event Mesh | SAP Help Portal) or with SAP Cloud Integration (What Is SAP Cloud Integration? | SAP Help Portal), these tools provide the required logging capabilities to monitor the data flow.
