How Winshuttle products enhance and ensure SAP security
Strong protection based on integration
The SAP Business Suite contains sensitive data that is essential for day-to-day business operations and for business initiatives and regulatory compliance requirements. Winshuttle supports the extensive authorization functionality built into the SAP Business Suite that protects SAP transactions and data from unwanted access and use and enhances SAP security.
User-enabled data loading requires application of the proper controls, security, and workflows to ensure that SAP transactional data has full end-to-end protection. Data governance best practices presume that any software that integrates with SAP to perform this process must be SAP-certified.
Tested and certified SAP security
Tested by SAP, Winshuttle Transaction and Query have received the SAP Certified Integration and Powered by SAP NetWeaver certifications. Both work natively with SAP security technology and use standard SAP authorization profiles to restrict user access and preserve SAP security standards. With Winshuttle products, there are no “back doors.”
Complying with SAP Security Using Transaction
This white paper describes how the Winshuttle technology architecture enforces stringent, native SAP security requirements around enterprise data access. The paper is written for technical decision makers (TDMs) in an enterprise to assist in evaluating Winshuttle Transaction compatibility with security policies in the SAP environment.
- Transaction authorization for users
- Users who do not have access to an SAP transaction cannot use Transaction or Winshuttle Runner for that transaction. These products can only be used for SAP transactions by users who normally have access to those transactions.
- RFC authorization for users
- In addition to Transaction-level access, Winshuttle users need remote function call (RFC) authorizations to make RFCs to SAP.
- Scripts control
- Runner users cannot create or modify the script recordings. Their own SAP credentials and authorizations provide users access to a limited set of available scripts and ensure an extra level of control over enterprise data-loading activities.
- Scripts file locking
- When a script is created, the user who created the file has the option to create a password to protect the file from unauthorized access. Password-protected Shuttle files require users to enter the password each time they want to edit the file.
- Automatic backup copies
- Transaction can automatically store a backup copy of the current SAP data to an Excel worksheet or Access table before it loads data with a script. This setting can also be used to undo mistakes made in mass changes to data.
- Logging and reporting
- SAP maintains an audit trail for all Transaction changes and updates just as it does for manual input. In addition, Transaction maintains an activity log at a summary level for each run on either the user’s computer or on a network share. More details are available in our Integration and Security white paper.
Query security features
Query follows a workflow similar to that of Transaction for user authentication. Query provides the following security features and products:
- Table-level authorizations
- To access tables in SAP, Query requires users to have table-view access via the S_TABU_DIS authorization object.
- Organization-level security
- Query also allows or blocks access to data based on organization-level authorizations (such as company code-level or plant-level authorizations). Query output results are automatically filtered so that users see only the data relevant to the organization(s) that they have access to.
- RFC authorization for the user
- In addition to table-level access, Winshuttle users need RFC authorizations to make RFCs to SAP.
- Query file control
- Runner users cannot create or modify the Query files. Their own SAP credentials and authorizations provide users access to a limited set of available Query files and ensure an extra level of control over enterprise data-extraction activities.
- Query file locking
- When a Query file is created, the user who created the file has the option to create a password to protect the file from unauthorized access. Password-protected Query files require users to enter the password each time they want to edit the file.
- Logging and reporting
- Query maintains a log of all data extractions for audit purposes.
Addressing Security Performance Usability with Query
An easy and secure way to extract live SAP® ERP data, allowing business users to do ad hoc data analytics and answer specific business questions rapidly, would have a significant impact on the enterprise. This white paper describes Winshuttle Query and how it addresses performance, security, and usability concerns while giving users a way to extract live SAP data for ad hoc analysis.