HCPODP - Security

Context

SAP HCP OData provisioning application (HCPODP a.k.a Gwaas - Gateway as a Service) is equipped with the security features in line with the requirements outlined by SAP security product standard. In order to meet the security requirements HCPODP leverages the standard security mechanisms available from HCP (Hana Cloud Platform)

Features

The following security features are available in HCPODP :

• FORM based authentication for protecting HCIODP application
  
  
  
  • GW_Admin and GW_User role for accessing HCIODP cockpit
  
  
  • GW_User role for accessing OData endpoints (/odata/*url pattern)(This includes Repository Service,Catalog Service, Error Log Service and Business Odata Service)
  
  
  • By default HCP supports AppToAppSSO for FORM based authentication and so does HCIODP
  
  
  • BY default HCP supports browser based SSO via SAML 2.0  Assertion.(Every HCP account is by default configured with SAML based SAP Idp so default protocol is over SAML 2.0 token)
  
  
  
  

• Protection against CSRF(Cross Site Request Forgery) attacks.

• All odata endpoints available from HCIODP application are protected against CSRF

• Security features available from odata consumption perspective

• HCIODP makes available two types of odata endpoints for outside consumption
  
  
  
  • Business OData Endpoints for backend connectivity/data
  
  
  • CATALOGSERVICE for service exploration by consumption tools
  
  
  
  

• Channels of outside consumption

• Direct endpoint consumption via Rest Client (Browser Plugin)


• Direct endpoint Access via Browser


• Direct endpoint Consumption by Tools like SAP Web IDE


• SAP UI5 / Java based Application deployed in SAP HCP (Hana Cloud  Platform)

Consumption Support Feature Matrix