PUBLIC SAP Variant Configuration and Pricing Document Version: Latest – 2022-05-04 Security Guide for SAP Variant Configuration and Pricing © 2022 SAP SE or an SAP affiliate company. All rights reserved. THE BEST RUN

Security Guide for SAP Variant Configuration and Pricing

Mar 16, 2023


Khang Minh

Content

1 Security Guide for SAP Variant Configuration and Pricing
1.1 Before You Start
1.2 Security Mechanisms
    Connecting SAP back end with the SAP Business Technology Platform
    Connecting SAP Back end with the SAP Business Technology Platform for SAP S/4HANA Cloud
    Administration UI
    Enable Single-Sign-On and Multi-Factor-Authentication
    Cloud Services
1.3 Data Protection
    Data Privacy
    Data Return
1.4 Manual Knowledge Base Upload
1.5 Extensions for SAP Variant Configuration and Pricing
1.6 Engine Traces
1.7 Audit Logging


1 Security Guide for SAP Variant Configuration and Pricing

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

This Security Guide provides an overview of the security-relevant information that applies to the individual components of SAP Variant Configuration and Pricing, which are the Variant Configuration service, the Pricing service, and an administration UI for data replication.

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security also apply to SAP Variant Configuration and Pricing. To assist you in securing the software, we provide this Security Guide.

1.1 Before You Start

Paths to fundamental Security Guides.

Fundamental Security Guides

SAP Variant Configuration and Pricing is built on the SAP Business Technology Platform and SAP HANA. Find relevant information and specific restrictions at https://help.sap.com by following the paths below.

● Browse by Product > Technology Platform > SAP Business Technology Platform (SAP BTP) > Operate > Security

● Audit Logging: Browse by Product > Technology Platform > SAP Business Technology Platform (SAP BTP) > Operate > Administration > Administration and Operation in the Cloud Foundry Environment > Audit Logging in the Cloud Foundry Environment

● Open standard for access delegation (OAuth): Browse by Product > Technology Platform > SAP Business Technology Platform (SAP BTP) > Operate > Security > SAP Cloud Platform Authorization and Trust Management Service in the Cloud Foundry Environment > What is Authorization and Trust Management > Access Management in the Cloud Foundry Environment > Web Access Control

Also see the Administration Guide for SAP Variant Configuration and Pricing: Browse by Product > SAP Variant Configuration and Pricing > Administration


● SAP HANA Service Security: Browse by Product SAP HANA Service for SAP BTP AWS and DCP Regions Implement Security

SAP HANA Cloud Browse by Product Technology Platform SAP HANA Cloud Services SAP HANA Cloud Security

● SAP HANA Cloud Security: Browse by Product SAP HANA Cloud Security

● SAP HANA Smart Data Integration: Browse by Product SAP HANA Smart Data Integration and SAP HANA Smart Data Quality

1.2 Security Mechanisms

SAP Variant Configuration and Pricing comprises two cloud services for product configuration and pricing. These services are provided on the SAP Business Technology Platform's Cloud Foundry Environment. They do not have their own runtime user interface; it must be provided by the calling application. These services share a common infrastructure for data replication based on SAP HANA smart data integration.

SAP Variant Configuration and Pricing relies completely on the following security mechanisms provided by the SAP Business Technology Platform, Cloud Foundry Environment:

● Application router for the administration UI
● Authentication either with user and password (BASIC and FORM) or Security Assertion Markup Language (SAML) 2.0 Service Provider
● Multifactor authentication (MFA)
● Service brokers for Variant Configuration service and Pricing service
● Authentication using open standard for access delegation (OAuth) 2.0 for both services

The credentials for OAuth authentication and authorization must be sent by the client application.

To use configuration and pricing services, customizing and master data for pricing and variant configuration need to be available in the underlying cloud database.

The administration UI and SAP HANA smart data integration are used to replicate the necessary data from SAP ERP or SAP S/4HANA on-premise.

Tenant data is isolated via a strict schema separation of the SAP HANA Cloud database of each of the services. Additionally, the customers' data is further isolated via dedicated SAP HANA Cloud instances for replications based on SAP HANA smart data integration.

1.2.1 Connecting SAP back end with the SAP Business Technology Platform

The Variant Configuration service and Pricing service share a common infrastructure for data replication based on SAP HANA smart data integration.

The Alert Notification service can be used to get notified in case of issues with the Data Provisioning Agent.


The following diagram shows the security relevant aspects of the system landscape which are further explained in the subsequent sections:

From the end of January 2021, all new tenants will be set up on SAP HANA Cloud, which uses JDBC/SSL for communication with the Data Provisioning Agent. Older tenants have been set up on SAP HANA Service, which uses WebSocket/SSL for communication with the Data Provisioning Agent.

Advanced Variant Configuration

Variant Configuration service can bypass its own configuration engine and forward calls to SAP S/4HANA for advanced variant configuration (AVC). Using the S/4HANA on-premise back end, Variant Configuration service connects to S/4HANA via the Cloud Connector, Connectivity service and Destination service as shown in the following diagram:

Refer to the next chapter for information about the S/4HANA Cloud back end.


1.2.2 Connecting SAP Back end with the SAP Business Technology Platform for SAP S/4HANA Cloud

It is possible to use the built-in data replication mechanism to connect an SAP S/4HANA Cloud, essentials edition system to SAP Variant Configuration and Pricing:

The Administration UI connects to S/4HANA Cloud via S/4HANA Extensibility service and Destination service.

To establish the connection, a temporary JSON with the necessary information is generated. Each time a new token is generated, the old one becomes invalid.

Variant Configuration service can bypass its own configuration engine and forward calls to SAP S/4HANA for advanced variant configuration (AVC). If enabled in the administration UI, Variant Configuration service uses the same destination as the one used for data replication to connect to S/4HANA Cloud and to forward calls to AVC.

1.2.3 Administration UI

Administration of roles.

The administration UI uses the application router to ensure that only users with authorization can log in. The authorized users are administered by the customer as users in the customer's tenant-related identity provider. The customer adds the administration users to the user group as documented in the Administration Guide. There are two roles: Administrator and BusinessExpert.

The Administrator manages the URLs and credentials needed to establish the connection for data replication (see the Administration Guide for SAP Variant Configuration and Pricing). The BusinessExpert can start the replication.

Customers are responsible for retracting roles and authorizations from their employees when they are no longer needed.


1.2.3.1 Communication Channels

Use of REST and SDI or built-in data replication mechanism of SAP S/4HANA Cloud.

REST

The administration UI communicates with its business logic layer using REST over HTTPS. All communication is authenticated and authorized.

User credentials are stored and accessed in HANA Secure Store. All communication is authenticated and authorized as well.

SAP HANA Smart Data Integration (SDI)

On the source database side, an agent needs to be installed to open a connection from the source database to the SAP HANA database in the SAP Business Technology Platform. The communication between the agent and the cloud database via websocket is encrypted by default. During the first logon the valid SSL certificates are downloaded and stored in the secure store of the agent.

The SDI Installation and Configuration Guide recommends installing the SDI DP Agent on a different server than the source database. The default setting for SSL (Secure Socket Layer) creates an unencrypted connection between the source database and the SDI database adapter. Therefore, it is recommended to establish a secure connection between the source database and the database adapter, and to indicate this in the advanced settings by activating the Use SSL check box.

For details, see the SDI Installation and Configuration Guide or see the SAP HANA Security Guide.

SAP S/4HANA Cloud

An SAP S/4HANA Cloud, essentials edition system is connected to SAP Variant Configuration and Pricing via the system's built-in data replication mechanism instead of SAP HANA smart data integration. See also the Administration Guide for SAP Variant Configuration and Pricing. The communication between SAP S/4HANA Cloud and SAP Variant Configuration and Pricing on SAP Business Technology Platform is encrypted by default.

1.2.3.2 Web Security

Measures taken against security breaches.

These are the measures taken against possible security breaches. The UI is not embedded, and iFrames are not used.

Aspect | Measure
CORS (Cross-Origin Resource Sharing) | SOP (Same-Origin Policy) supported
Cross-Site Scripting | The SAPUI5 framework takes care of proper output escaping for all content which is created and displayed on the screen, using the controls provided by SAPUI5. The application does not have to HTML-escape user data. The control API expects all data to be unescaped, so that it can be escaped as needed for the context in which it is visualized. See chapter Securing Apps of SAPUI5: UI Development Toolkit for HTML5.
CSRF (Cross Site Request Forgery) | The App router offers CSRF protection

The CORS setting can be maintained in the administration UI so that your own browser-based applications, served from different domains, can work with the configuration and pricing services. It is highly recommended to change the default setting according to the web application's URL.

1.2.4 Enable Single-Sign-On and Multi-Factor-Authentication

You can enable single-sign-on and multi-factor-authentication by using the SAP Business Technology Platform Identity Authentication Service.

To enable your SAP Identity and Authentication Service tenant for the Administration UI of SAP Variant Configuration and Pricing, you have to set up a trust relationship between your subaccount and the SAP Identity and Authentication Service tenant, as described in Trust and Federation with Identity Providers.

1.2.5 Cloud Services

Variant Configuration service and Pricing service use the broker plan of the service User Authorization and Authentication (UAA).

Customers need to create a service instance of the needed cloud service. Once it is created, they obtain the client credentials that are necessary to retrieve the OAuth token. They can then access the service using the OAuth token.

The OAuth token includes the permissions, also called scopes, to call the endpoints.

The validity of the OAuth token for the services is up to 30 minutes.

Securing of the endpoints

● All service endpoints providing business logic are secured.
● Access to pricing customizing endpoints is secured by a dedicated scope.
● The health endpoint can be called secured, returning full details.
● The health endpoint can be called unsecured, returning only the status UP or DOWN.
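The client side of the token flow described above, as an added example that is not part of the SAP guide: it requests a token with the client credentials grant, checks that the scopes a caller needs were granted, and renews the token before the 30-minute validity runs out. The `/oauth/token` path and the request fields follow the standard OAuth 2.0 client credentials grant as used by the platform's UAA; the class and function names, the scope names and the offline stand-in for the token endpoint are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

MAX_TOKEN_LIFETIME = 30 * 60  # seconds; the guide states tokens are valid for up to 30 minutes


def fetch_token(uaa_url, client_id, client_secret):
    """POST the client credentials to the UAA token endpoint and return the parsed reply."""
    if not uaa_url.lower().startswith("https://"):
        raise ValueError("client credentials must only be sent over HTTPS")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    request = urllib.request.Request(
        uaa_url.rstrip("/") + "/oauth/token",
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=10) as reply:
        return json.load(reply)


class TokenCache:
    """Keeps one token in memory and renews it shortly before it expires."""

    def __init__(self, fetch, required_scopes=(), clock=time.monotonic, margin=60):
        self.fetch = fetch                      # zero-argument callable returning the token reply
        self.required_scopes = set(required_scopes)
        self.clock = clock
        self.margin = margin                    # renew this many seconds before expiry
        self.token = None
        self.expires_at = 0.0
        self.fetch_count = 0

    def get(self):
        now = self.clock()
        if self.token is None or now >= self.expires_at - self.margin:
            reply = self.fetch()
            self.fetch_count += 1
            granted = set(reply.get("scope", "").split())
            missing = self.required_scopes - granted
            if missing:
                # Fail here rather than on the first call to a secured endpoint.
                raise PermissionError("token lacks scopes: " + ", ".join(sorted(missing)))
            # Never trust a lifetime longer than the documented maximum.
            lifetime = min(int(reply["expires_in"]), MAX_TOKEN_LIFETIME)
            self.token = reply["access_token"]
            self.expires_at = now + lifetime
        return self.token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}


def fake_uaa(scopes, expires_in=1799):
    """Constructed stand-in for the token endpoint so the example runs offline."""
    issued = {"n": 0}

    def fetch():
        issued["n"] += 1
        return {"access_token": "constructed-token-%d" % issued["n"],
                "token_type": "bearer",
                "expires_in": expires_in,
                "scope": " ".join(scopes)}
    return fetch


if __name__ == "__main__":
    # Real use (assumed service key fields): TokenCache(lambda: fetch_token(url, clientid, clientsecret))
    cache = TokenCache(fake_uaa(["example.pricing"]), required_scopes=["example.pricing"])
    print(cache.auth_header())
```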


Communication with clients is done via HTTPS. The content of all incoming requests to the services is validated.

The applications that call the services must implement a proper role and authorization concept to ensure that only intended data is displayed to its users.

The Variant Configuration service can persist configurations. The Pricing service can persist pricing documents. Depending on the license, the available database size might be limited. The services return the HTTP code 507 when a database reaches the critical storage level, which prevents further creation of new configurations or pricing documents.

1.3 Data Protection

Description of features and functions that SAP provides to support compliance with legal requirements and data privacy.

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.

This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.

Note: In the majority of cases, compliance with data privacy laws is not a product feature.

SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.

SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.

Glossary

Term | Definition
Personal Data | Information about an identified or identifiable natural person
Business Purpose | A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts
Blocking | A method of restricting access to data for which the primary business purpose has ended.
Deletion | Deletion of personal data so that the data is no longer usable

Caution: The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

1.3.1 Data Privacy

SAP Variant Configuration and Pricing must not be used to process sensitive personal data that is subject to the data protection laws applicable in specific countries.

Characteristics and pricing records are not intended for storing any sensitive personal data.

The application that integrates configuration and pricing services must deal with blocked business partners and any other personal data according to the applicable privacy policy.

1.3.2 Data Return

This chapter is an overview of what customer data we store, and how customers can request an extract of that data.

The Administration UI stores purely administrative data like:

● Connection details to the customer database including credentials, database schema names, and client of the SAP system.

● Description of the customer's tenant.

● Pricing procedures and knowledge bases to be replicated initially, or a start date for the initial load of knowledge bases.

All that data is available via the administration UI and is not subject to data return.

A detailed list of replicated back end tables can be found in the appendix of the administration guide. Replicated data is not subject to data return either, because it is originally available in the customer's back end system.

The Variant Configuration service stores configuration results that are created while using the service. The following data is included:

● A unique ID identifying the configuration.
● Timestamps for creation, change, and expiration time.
● The list of selected product items and their characteristic values in the configuration, represented as a JSON string.

Customers can request an extract of the stored configurations by creating a ticket on application component LOD-CPS.

The Pricing service stores pricing results that are created while using the service. The following data is included:

● A unique ID identifying the pricing document
● Timestamps for creation, change, and expiration time
● Document header and item details such as used pricing procedure and currency, calculation status, products, passed attribute values, subtotals, and header and item conditions represented as a JSON string

Customers can request an extract of the stored pricing data by creating a ticket on application component LOD-CPS.

1.4 Manual Knowledge Base Upload

Manual knowledge base upload is offered only to non-productive tenants. It is possible to upload knowledge bases manually from a local file system to the Variant Configuration service through the administration UI. The upload is done via HTTPS. The uploaded content is scanned by SAP Malware Scanning service and input validation is done.

Deleting uploaded knowledge bases is possible too. See Knowledge Base Upload for Variant Configuration Service.

1.5 Extensions for SAP Variant Configuration and Pricing

The extension implementations should perform an authorization check to prevent unauthorized calls. SAP Variant Configuration and Pricing supports the use of Basic Authentication, OAuth and API Keys. See the Authentication section of the Extension Guide for SAP Variant Configuration and Pricing.

1.6 Engine Traces

In exceptional situations, the data output in trace files may expose certain security-relevant data. Trace files are used to troubleshoot problems in the corresponding services. Under normal circumstances, security-relevant data is not written to the files. The traces usually contain business related data provided by the customer. They are stored in the database. After 24 hours the traces are deleted automatically.

Traces can be activated, deactivated, and downloaded by users that have the role BusinessExpert and by SAP DevOps.

There is a 200 MB storage limit for engine traces and extension call traces for each of the Variant Configuration service and the Pricing service. Old traces should be deleted before new ones are created. The activation and writing of traces are prohibited if the storage limit is reached. A message about reaching that limit is shown in the administration UI and a notification is sent via the Alert Notification service. Changing trace settings, downloading, and deleting traces is subject to audit logging.

Note: Passwords are never included in the output.

1.7 Audit Logging

The audit logs for Variant Configuration service, Pricing service and its application for data replication and administration log relevant events to meet modern requirements of regulatory standards. There are two types of logs:

● Security event log
Logging of security relevant events supports the discovery and analysis of security-critical incidents. Security relevant events comprise all those events which may impact the confidentiality, the integrity, and/or the availability (CIA) of the system. The application for data replication and administration logs successful logins and failed authorization and authentication checks.

● Configuration change log
Logging of configuration changes makes it possible to log changes to configuration data which are used in attack detection and for auditing reasons. Change Logging is a requirement of many regulations, including regulations not related to privacy, but security in general, auditing, and food and drug administration. The term configuration changes may apply to personal data, confidential data, and a lot of system configurations. The application for data replication and administration logs what kind of CRUD operation has been done, on which table, by whom, and when.

Customer actions and SAP-related actions are logged in separated areas. Configuration changes to a tenant are logged in both areas. Customer-driven actions are logged with the user id in the customer area and the anonymized customer-named entries in the SAP area. Changes asked to be done by SAP are logged with the user id in the SAP area, and the anonymized SAP-named entries are logged in the customer area. To find corresponding audit log entries in both areas, a common message-guid field was added to each audit log.

The logs can be accessed as described in the section Before You Start and by following this path: Browse by Product > Technology Platform > SAP Business Technology Platform (SAP BTP) > Operate > Administration > Administration and Operation > Audit Logging in the Cloud Foundry Environment

The following are the security and configuration change events written in the audit logs:

Event Grouping: audit.security-events
Logged Events: Data retrieval audit logs
Additional Information: The following security events are related to the retrieval of the audit logs.
How to Identify Related Log Events:

● Security event message. Security event message "successful login event" on <time>. Security event was related to user "<user>".

● Data Access message. Attribute with name "data read event" was read. The attribute is a part of an object with type "data read event" and id consisting of: tenant_id "<>". It belongs to a subject with type "account", role "account", and id consisting of: id "<user>". The message has the following attachments: .

● Security event message. Security event message "{"level":"INFO","origin":"ldap","msgNo":1,"msgId":"<>","message":"TokenIssuedEvent ('[\"openid\",\"auditlog-management<>.ReadAuditLogs\"]'): principal=<>, origin=[client=<>, user=<>, details=(remoteAddress=<ip-address>, tokenType=BearertokenValue=<TOKEN>, sub=<>, iss=<http://>)], identityZoneId=[<>]","user":"<>","version":"1.0"}" on <time>. Security event was related to user "<user>".

● Security event message. Security event message "{"level":"INFO","origin":null,"msgNo":1,"msgId":"<>","message":"ClientAuthenticationSuccess ('Client authentication success'): principal=<>|auditlog-management<>, origin=[remoteAddress=<ip-address>, clientId=<>|auditlog-management<>], identityZoneId=[<>]","user":"<>|auditlog-management<>","version":"1.0"}" on <time>. Security event was related to user "<>|auditlog-management<>".

Event Grouping: AdminUI Configuration related events, audit.configuration, Configuration modification message
Logged Events: Connect to SAP Cloud
Additional Information: Please note that the customer password is not stored, only the user name is. TRIM_POOL_TABLES is set if pool tables exist on source systems (except HANA DB). TRIM_CHAR_FIELDS is set to true for DBs except HANA DB. It is used by configuration and pricing services to determine if empty strings must be replaced by a space character; the value is set automatically based on the adapter selected in the administration UI.
How to Identify Related Log Events:

● RS_FILE_ADAPTER_CREATION_LOGS - Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>"

● RS_FILE_ADAPTER_CREATION - Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>"

● RS_CREATION - Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>".

● CUSTOMER:SECRETS Delete - Attribute with name "CUSTOMER:SECRETS" was changed from "" to "". The attribute is a part of an object with type "securestore" and id consisting of: objectId "CUSTOMER:SECRETS", operation "Delete".

● CUSTOMER:SECRETS Write - Attribute with name "CUSTOMER:SECRETS" was changed from "" to "{"username":"<>","password":"xxxxx","oraCommonUsername":"<>","oraCommonPassword":"xxxxx","accessToken":"xxxxx","maintUser":null}". The attribute is a part of an object with type "securestore" and id consisting of: objectId "CUSTOMER:SECRETS", operation "Write".

● UPDATE_REMOTE_SOURCE_CONFIGURATION - Attribute with name "AdapterParameter" and value "{}" was added. The attribute is a part of an object with type "RemoteSourceConfiguration-AdvancedInfo - id(<>)" and id consisting of: objectId "AdapterParameter"

● CLIENT - [updatedAt, updatedBy] - Attribute with name "CLIENT - [updatedAt, updatedBy]" was changed from "<>" to "<>". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CLIENT - [updatedAt, updatedBy]", operation "UPDATE"

● TRIM_POOL_TABLES - [updatedAt, updatedBy] - Attribute with name "TRIM_POOL_TABLES - [updatedAt, updatedBy]" was changed from "<>" to "<>". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "TRIM_POOL_TABLES - [updatedAt, updatedBy]", operation "UPDATE".

● TRIM_CHAR_FIELDS - [updatedAt, updatedBy] - Attribute with name "TRIM_CHAR_FIELDS - [updatedAt, updatedBy]" was changed from "[<time>, <>]" to "[<time>, <>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "TRIM_CHAR_FIELDS - [updatedAt, updatedBy]", operation "UPDATE".

Logged Events: Replication Ping
How to Identify Related Log Events:

● START_LATENCY_MONITORING - Attribute with name "<> -><>" was changed. The attribute is a part of an object with type "<>" and id consisting of: objectId "<> -><>"

● LATENCY_MONITORING_LAST_CHANGES_RECEIVED_AT update - Attribute with name "LATENCY_MONITORING_LAST_CHANGES_RECEIVED_AT - [updatedAt, value]" was changed from "[<Time>]" to "[<Time>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "LATENCY_MONITORING_LAST_CHANGES_RECEIVED_AT - [updatedAt, value]", operation "UPDATE".

Settings CORS_DOMAIN -

Attribute with name "CORS_DOMAIN - [updatedAt, value]" was changed from "[<Time>, <from>]" to "[<Time>, <to>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CORS_DOMAIN - [updatedAt, value]", operation "UPDATE".

AlertNotification ACTIVATED -

Attribute with name "ACTIVATED - [updatedAt]" was changed from "[<Time>],true/false" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "ACTIVATED - [updatedAt]", operation "UPDATE".

SDI_AGENT_STATUS -

"SDI_AGENT_STATUS - [updatedAt]" was changed from "[<Time>], true/false" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "SDI_AGENT_STATUS - [updatedAt]", operation "UPDATE".

REPLICATION_FAILURE -

Attribute with name "REPLICATION_FAILURE - [updatedAt]" was changed from "[<Time>, true/false]" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "REPLICATION_FAILURE - [updatedAt]", operation "UPDATE".

SAP_SUPPORT -

Attribute with name "SAP_SUPPORT - [updatedAt]" was changed from "[<Time>, true/false]" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "SAP_SUPPORT - [updatedAt]", operation "UPDATE".

STORAGE_LIMIT_CHECKS -

Attribute with name "STORAGE_LIMIT_CHECKS - [updatedAt]" was changed from "[<Time>, true/false]" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "STORAGE_LIMIT_CHECKS - [updatedAt]", operation "UPDATE".

APPROVED -

Attribute with name "APPROVED - [updatedAt]" was changed from "[<Time>, true/false]" to "[<Time>, false/true]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "APPROVED - [updatedAt]", operation "UPDATE".


SUBACCOUNT_ID -

Attribute with name "SUBACCOUNT_ID - [createdBy, updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "AlertNotificationSetting" and id consisting of: objectId "SUBACCOUNT_ID - [createdBy, updatedAt, value]", operation "UPDATE".


Configuration Restart-INITIAL_RELOAD_STD -

Attribute with name "tasks with guids/payload: {"type":"DATE","payload":{"date":<>},"ignoreAgentStatus":<>,"reload":<>,"variant":<>}" was changed. The attribute is a part of an object with type "QueueTask.CONFIGURATION.INITIAL_RELOAD_STD.<>" and id consisting of: objectId "tasks with guids/payload: {"type":"DATE","payload":{"date":<>},"ignoreAgentStatus":<>,"reload":<>,"variant":<>}", operation "Restart-INITIAL_RELOAD_STD".

ConfigurationReplicationSelection -

Attribute with name "[createdAt, createdBy, updatedAt, updatedBy]" was changed from "[<>]" to "[<>l]". The attribute is a part of an object with type "ConfigurationReplicationSelection" and id consisting of: objectId "[createdAt, createdBy, updatedAt, updatedBy]", operation "UPDATE".

Depending on your selection there can be other entries of type RELOAD_WITH_LOAD_KBS_BY_ID

Knowledge Base Upload Configuration Configuration modification message. Attribute with name "CpsKnowledgeBaseUpload" and value "-80" was added. The attribute is a part of an object with type "CpsKnowledgeBaseUpload" and id consisting of: objectId "CpsKnowledgeBaseUpload", operation "CREATE".

Upload a Knowledge Base


Configuration modification message. Attribute with name "CpsKnowledgeBaseUpload" and value "-80" was added. The attribute is a part of an object with type "CpsKnowledgeBaseUpload" and id consisting of: objectId "CpsKnowledgeBaseUpload", operation "DELETE".


Configuration Extensions CFG_USER_EXITS_VERSION -

Attribute with name "CFG_USER_EXITS_VERSION - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_VERSION - [updatedAt]", operation "UPDATE".

CFG_USER_EXITS_TIMEOUT -

Attribute with name "CFG_USER_EXITS_TIMEOUT - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_TIMEOUT - [updatedAt]", operation "UPDATE".

CFG_USER_EXITS_CACHE_ACTIVE -

Attribute with name "CFG_USER_EXITS_CACHE_ACTIVE - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_CACHE_ACTIVE - [updatedAt]", operation "UPDATE".

CFG_USER_EXITS_AUTHENTICATION_API_KEY_VALUE -


Attribute with name "CFG_USER_EXITS_AUTHENTICATION_API_KEY_VALUE - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_AUTHENTICATION_API_KEY_VALUE - [updatedAt]", operation "UPDATE".

CFG_USER_EXITS_AUTHENTICATION_API_KEY_NAME -

Attribute with name "CFG_USER_EXITS_AUTHENTICATION_API_KEY_NAME - [updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_AUTHENTICATION_API_KEY_NAME - [updatedAt, value]", operation "UPDATE".

CFG_USER_EXITS_URL -

Configuration modification message. Attribute with name "CFG_USER_EXITS_URL - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_URL - [updatedAt]", operation "UPDATE".


CFG_USER_EXITS_ACTIVE -

Attribute with name "CFG_USER_EXITS_ACTIVE - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_USER_EXITS_ACTIVE - [updatedAt]", operation "UPDATE".

processSetTrace -

Configuration modification message. Attribute with name "ID" was changed from "" to "cfgUserFunctionTrace". Attribute with name "Content" was changed from "<>" to "<>". The attributes are a part of an object with type "com.sap.drs.controller.LogAndTraceController" and id consisting of: objectId "<>", class "com.sap.drs.controller.LogAndTraceController", method "processSetTrace", operation "POST".

CFG_LOGBACK -

Attribute with name "CFG_LOGBACK - [updatedAt, value]" was changed from "[<>, ]" to "[<>, ^°=DEBUG]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_LOGBACK - [updatedAt, value]", operation "UPDATE".

CFGUSERFUNCTIONTRACE -


Attribute with name "CFGUSERFUNCTIONTRACE - TenantServiceSettings" and value "<>" was added. The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFGUSERFUNCTIONTRACE - TenantServiceSettings", operation "CREATE".

Pricing Replication QueueTask.PRICING.INITIAL_RELOAD -

Attribute with name "tasks with guids/payload: {"type":"SET","payload":["<>","<>"],"ignoreAgentStatus":<>,"reload":<>,"variant":<>}" was changed. The attribute is a part of an object with type "QueueTask.PRICING.INITIAL_RELOAD_FILTER_PP.<>" and id consisting of: objectId "tasks with guids/payload: {"type":"SET","payload":["<>","<>"],"ignoreAgentStatus":<>,"reload":<>,"variant":<>}", operation "Restart-INITIAL_RELOAD_FILTER_PP".


Pricing Extensions PRC_USER_EXITS_VERSION -

Attribute with name "PRC_USER_EXITS_VERSION - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_VERSION - [updatedAt]", operation "UPDATE".

PRC_USER_EXITS_TIMEOUT -

Attribute with name "PRC_USER_EXITS_TIMEOUT - [updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_TIMEOUT - [updatedAt, value]", operation "UPDATE".

PRC_USER_EXITS_CACHE_ACTIVE -

Attribute with name "PRC_USER_EXITS_CACHE_ACTIVE - [updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_CACHE_ACTIVE - [updatedAt, value]", operation "UPDATE".

PRC_USER_EXITS_AUTHENTICATION_API_KEY_VALUE -


Attribute with name "PRC_USER_EXITS_AUTHENTICATION_API_KEY_VALUE - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_AUTHENTICATION_API_KEY_VALUE - [updatedAt]", operation "UPDATE".

PRC_USER_EXITS_AUTHENTICATION_API_KEY_NAME -

Attribute with name "PRC_USER_EXITS_AUTHENTICATION_API_KEY_NAME - [updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_AUTHENTICATION_API_KEY_NAME - [updatedAt, value]", operation "UPDATE".

PRC_USER_EXITS_URL -

Attribute with name "PRC_USER_EXITS_URL - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_URL - [updatedAt]", operation "UPDATE".

PRC_USER_EXITS_ACTIVE -


Attribute with name "PRC_USER_EXITS_ACTIVE - [updatedAt]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_USER_EXITS_ACTIVE - [updatedAt]", operation "UPDATE".

processSetTrace -

Changes to attribute "ID" from value "" to value "prcUserFunctionTrace". Changes to attribute "Content" from value "" to value "<>". The attributes are a part of an object with type "com.sap.drs.controller.LogAndTraceController" and id consisting of: objectId "<>", class "com.sap.drs.controller.LogAndTraceController", method "processSetTrace", operation "POST".

PRC_LOGBACK -

Attribute with name "PRC_LOGBACK - [updatedAt, value]" was changed from "[<>, com.sap.sxe.service.spring.config.CPSRequestLoggingFilter=INFO]" to "[<>, com.sap.sxe.service.spring.config.CPSRequestLoggingFilter=INFO com.sap.sxe.service.userexit.trace.UserFunctionTrace=DEBUG]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_LOGBACK - [updatedAt, value]", operation "UPDATE".


PRCUSERFUNCTIONTRACE -

Attribute with name "PRCUSERFUNCTIONTRACE - TenantServiceSettings" and value "06.09.2021 15:44:29" was added. The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRCUSERFUNCTIONTRACE - TenantServiceSettings", operation "CREATE".


Monitoring Replication QueueTask.ADMIN.RESTART -

Attribute with name "tasks with guids/payload: {"type":"SET","payload":["<>"],"ignoreAgentStatus":<>,"reload":<>,"variant":<>}" was changed. The attribute is a part of an object with type "QueueTask.ADMIN.RESTART.<>" and id consisting of: objectId "tasks with guids/payload: {"type":"SET","payload":["<>"],"ignoreAgentStatus":<>,"reload":<>,"variant":<>}", operation "Restart-RESTART".

Suspend

Attribute with name "Replication Process" was changed. The attribute is a part of an object with type "QueueTask" and id consisting of: objectId "Replication Process", operation "Suspend".

Resume

Attribute with name "Replication Process" was changed. The attribute is a part of an object with type "QueueTask" and id consisting of: objectId "Replication Process", operation "Resume".

All executing or initial Tasks -

Attribute with name "tenant: All executing or initial Tasks" was changed. The attribute is a part of an object with type "Queue" and id consisting of: objectId "tenant: All executing or initial Tasks", operation "Stop/Cancel".

Monitoring Advanced Settings

RS_SUSPEND -

Configuration modification message. Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>", operation "RS_SUSPEND".

RS_RESUME -

Configuration modification message. Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>", operation "RS_RESUME".

UPDATE_ADAPTER_CAPABILITIES -

Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>", operation "UPDATE_ADAPTER_CAPABILITIES".


Dropping Remote Source RS_FILE_ADAPTER_LOGS_DROP -

The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>"

RS_DROP

The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>"

RS_FILE_ADAPTER_DROP -

Attribute with name "<>" was changed. The attribute is a part of an object with type "RemoteSource" and id consisting of: objectId "<>"

Monitoring Table Settings, Upgrade Table/Recreate Trigger, Stop Delta Replication/Drop Trigger

QueueTask.TABLESMONITORING.RESTART -

Attribute with name "tasks with guids/payload: {"type":"CUSTOM","payload":{"<>}" was changed. The attribute is a part of an object with type "QueueTask.TABLESMONITORING.RESTART.<>" and id consisting of: objectId "tasks with guids/payload: {"type":"CUSTOM","payload":{"<>}", operation "Restart-RESTART".


Engine Traces CONFIGURATIONTRACE -

Configuration modification message. Attribute with name "CONFIGURATIONTRACE - TenantServiceSettings" and value "<>" was added. The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CONFIGURATIONTRACE - TenantServiceSettings", operation "CREATE".

CFG_LOGBACK -

Configuration modification message. Attribute with name "CFG_LOGBACK - [updatedAt, value]" was changed from "[<> ]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CFG_LOGBACK - [updatedAt, value]", operation "UPDATE".

processSetTrace -

Attribute with name "ID" was changed from "" to "configurationTrace". Attribute with name "Content" was changed from "<>" to "<>". The attributes are a part of an object with type "<>" and id consisting of: objectId "<>", class "controller", method "processSetTrace", operation "POST/Delete".

PRC_LOGBACK -

Configuration modification message. Attribute with name "PRC_LOGBACK - [updatedAt, value]" was changed from "[<>]" to "[<>]". The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "PRC_LOGBACK - [updatedAt, value]", operation "UPDATE".

conditionFindingTrace -

Configuration modification message. Changes to attribute "ID" from value "" to value "conditionFindingTrace". Changes to attribute "Content" from value "" to value "<>". The attributes are a part of an object with type "com.sap.drs.controller.LogAndTraceController" and id consisting of: objectId "<>", class "com.sap.drs.controller.LogAndTraceController", method "processSetTrace", operation "POST".

CONDITIONCALCULATIONTRACE -

Attribute with name "CONDITIONCALCULATIONTRACE - TenantServiceSettings" and value "<>" was added. The attribute is a part of an object with type "TenantServiceSettings" and id consisting of: objectId "CONDITIONCALCULATIONTRACE - TenantServiceSettings", operation "CREATE".

conditionCalculationTrace -

Changes to attribute "ID" from value "<>" to value "conditionCalculationTrace". Changes to attribute "Content" from value "" to value "<>". The attributes are a part of an object with type "<>" and id consisting of: objectId "<>", class "<>r", method "processSetTrace", operation "POST".
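The logged messages above follow one fixed sentence pattern, so they can be parsed and triaged mechanically. The following is an added example, not part of the SAP guide or SAP's code: it parses the "was changed" and "was added" messages and flags changes a reviewer would typically look at first. The function names, the choice of which settings count as sensitive, and all timestamps and URLs in the sample are assumptions of this example.

```python
import re

# Shape of the "was changed" / "was added" messages in the table above.
MESSAGE = re.compile(
    r'Attribute with name "(?P<name>.+?)" '
    r'(?:was changed(?: from "(?P<old>.*?)" to "(?P<new>.*?)")?'
    r'|and value "(?P<value>.*?)" was added)\. '
    r'The attribute is a part of an object with type "(?P<type>.+?)" '
    r'and id consisting of: objectId "(?P<oid>.+?)"'
    r'(?:, operation "(?P<op>[^"]+)")?\.?$'
)
# Assumption: which user-exit settings deserve review is this example's choice.
SENSITIVE_EXIT_SETTINGS = {
    "URL", "ACTIVE", "AUTHENTICATION_API_KEY_NAME", "AUTHENTICATION_API_KEY_VALUE",
}


def parse_event(line):
    """Split one audit message into its fields; None if it has another shape."""
    m = MESSAGE.search(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    # "CORS_DOMAIN - [updatedAt, value]" -> "CORS_DOMAIN"
    ev["key"] = ev["name"].split(" - ")[0]
    return ev


def last_field(bracketed):
    """'[2023-01-05T10:00:00Z, false]' -> 'false'"""
    return bracketed.strip("[]").split(",")[-1].strip()


def triage(ev):
    """Return a reason for changes worth a second look, else None."""
    key = ev["key"]
    new = ev["new"] or ev["value"] or ""
    _, sep, suffix = key.partition("_USER_EXITS_")
    if key == "CORS_DOMAIN":
        return "CORS domain changed"
    if sep and suffix in SENSITIVE_EXIT_SETTINGS:
        return "extension endpoint or credential setting changed"
    if key.endswith("_LOGBACK") and "=DEBUG" in new:
        return "DEBUG logging enabled"
    if key.endswith("TRACE") and ev["op"] == "CREATE":
        return "trace activated"
    if ev["type"] == "AlertNotificationSetting" and last_field(new) == "false":
        return "alert notification switched off"
    return None


def scan(lines):
    """Return (setting, reason) for every parsed line that triage() flags."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = triage(ev) if ev else None
        if reason:
            findings.append((ev["key"], reason))
    return findings


# Constructed sample messages (timestamps, URLs and values are made up).
SAMPLE = [
    'Attribute with name "CORS_DOMAIN - [updatedAt, value]" was changed from '
    '"[2023-01-05T09:00:00Z, https://shop.example.com]" to '
    '"[2023-01-05T10:00:00Z, https://other.example.net]". The attribute is a '
    'part of an object with type "TenantServiceSettings" and id consisting of: '
    'objectId "CORS_DOMAIN - [updatedAt, value]", operation "UPDATE".',
    'Attribute with name "PRC_LOGBACK - [updatedAt, value]" was changed from '
    '"[2023-01-05T09:00:00Z, ]" to "[2023-01-05T10:05:00Z, '
    'com.sap.sxe.service.userexit.trace.UserFunctionTrace=DEBUG]". The attribute '
    'is a part of an object with type "TenantServiceSettings" and id consisting '
    'of: objectId "PRC_LOGBACK - [updatedAt, value]", operation "UPDATE".',
    'Attribute with name "REPLICATION_FAILURE - [updatedAt]" was changed from '
    '"[2023-01-05T09:00:00Z, true]" to "[2023-01-05T10:10:00Z, false]". The '
    'attribute is a part of an object with type "AlertNotificationSetting" and id '
    'consisting of: objectId "REPLICATION_FAILURE - [updatedAt]", operation "UPDATE".',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Messages whose attribute name embeds a JSON payload (the QueueTask entries) are parsed as well; the "Changes to attribute ..." variant used by processSetTrace has a different shape and is returned as None.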


Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

  ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
  ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms
Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders, and abilities.


www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
