Many SAP applications contain sensitive and confidential data. Examples include personal data, product related data with information concerning intellectual property, and many other data types.
Within SAP systems, the access to this information is protected by authorization checks. Only users who are assigned to appropriate roles can access applications in which such data is displayed.
However, usually there is no further protection once this information leaves the SAP system – for example after downloading it as a document in a Microsoft Office format, in PDF or other formats. Without further enforcement, such documents can be copied, forwarded, printed, modified, etc.
This article provides an overview on how such data can be protected by applying Digital Rights Management (DRM). The general procedure is to encrypt the document that is to be protected. The encryption is performed by a dedicated DRM server. The information about the users who may perform which action on this document (such as display, edit, forward, print, etc.) needs to be provided to the DRM server. The DRM server then encrypts the document. When the document recipient wants to access this document, he has to connect to the DRM server first to receive the decryption key.
In the following section, I will describe this scenario in detail. We are still in an evaluation phase, and have not yet implemented this scenario. A separate section describes the feasibility, options, and limitations of an integrated solution of DRM within SAP systems. Finally, I will provide information on how to get involved by participating in the SAP Customer Engagement Initiative.
This section describes more in detail what an integration of a DRM solution into SAP systems could look like. The scenario shows the integration of an SAP NetWeaver Application Server ABAP system. However, the general idea is to enable the integration of other SAP technologies as well. For this reason, the DRM functionality will be a separate component with an open, technology-independent interface. A similar approach was chosen successfully e.g. for SAP’s virus scan interface.
This article talks about DRM functionality in general, without specifying a certain DRM solution. The most common product for business-related documents in this field is the Microsoft Rights Management Services (MS RMS) which mainly handles MS Office files. At SAP, we have realized first proofs of concept with MS RMS such as SAP Product Lifecycle Management. However, the general concept allows us to use any DRM solution, such as for example Adobe LiveCycle.
Figure 1: Components of a DRM scenario for documents originating from an SAP AS ABAP Server
Figure 1 shows the scenario. Documents with sensitive data are created in an SAPNetWeaver Application Server ABAP system by a human document creator or an automatic process in step 1. The configuration within the SAP AS ABAP system has determined that this document needs to be protected by DRM. Information on the document owner (this may be the document creator or another user), as well as the users and their permissions for this document, are sent to the SAP DRM functionality in step 2. Here, DRM maps the SAP user to the domain user. For this purpose, sufficient user information needs to be provided, for example the mail address or SNC name.
In step 3, the SAP DRM functionality provides all necessary information to the DRM server: The domain user information for the document owner and permitted users, the DRM rights to be assigned to these users, and the document itself. The DRM server encrypts the document and sends it back to the SAP DRM functionality in step 4. From here, the encrypted document is forwarded to the SAPNetWeaver Application Server ABAP system in step 5.
The application them makes the encrypted document available to the document recipient, for example by sending it as mail attachment or making it available for download. The access to this document is shown as step 6.
When trying to access this encrypted document for the first time, the recipient needs a connection to the DRM server (step 7). This connection is needed to receive the decryption key. The DRM server identifies the user and what he wants to do with the document. Only if this matches the information available in the document, the decryption key is provided (step 8). Now the recipient can access the document. As appropriate decryption information is saved on the recipient’s device, the same document can be accessed again without further calls to the DRM server until this decryption information expires. Note: If the same user tries to access this document from another device, the access to the DRM server is required again.
Limitations / Out of scope
The scenario described in the previous section allows the integration of DRM into business transactions that are processed in SAP systems. Some limitations have to be considered for the implementation of this scenario. These are described in this section.
The term Digital Rights Management covers a broad range of media. For this article, only business-related documents are considered, such as office documents in formats created by Microsoft Office products, or documents saved in the portable document format (PDF).
Any media formats such as those for films, music, etc. are not considered.
SAP does not plan to develop its own solution for DRM protection itself. Instead we plan to support the integration of existing DRM solutions. The most commonly used products are Microsoft Rights Management and Adobe LiveCycle.
Depending on the DRM product, restrictions may apply to the operating system of the domain. You will also have to configure a mapping between the SAP user and the domain user, for example by using the e-mail address.
Another restriction applies to the first access to a document. When accessing a protected document from a device for the first time, the recipient needs to be able to connect to the DRM server.
SAP Needs Your Help! Plans for Proof of Concept and Request for Feedback
We are planning to implement a proof of concept and publish information on this soon here on SDN. This proof of concept will show how to send a document to a particular DRM solution (planned: Microsoft RMS) for encryption. The planned scenario will not contain solutions for mappings of SAP authorizations to DRM rights, nor for general mappings of SAP users to domain users.
We would like to extend this scenario to include your specific requirements!
Let us know which challenges your organization is faced with when managing the security and privacy of confidential information once it leaves your SAP systems. Get involved and actively influence our development planning by contacting the security development team directly by writing to firstname.lastname@example.org