zhongwei/gh-secondsky-sap-skills-skills-sap-btp-build-work-zone-advanced
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d01254182490ef9880d2727a76ae993d2f2a892
gh-secondsky-sap-skills-ski…/references/security.md
Zhongwei Li 9d01254182 Initial commit
2025-11-30 08:54:49 +08:00

136 lines
3.6 KiB
Markdown
Raw Blame History

# SAP Build Work Zone Security Guide
Security configuration for SAP Build Work Zone, advanced edition.
**Source**: [https://github.com/SAP-docs/sap-btp-build-work-zone-advanced](https://github.com/SAP-docs/sap-btp-build-work-zone-advanced)
## Table of Contents
- [Authentication Methods](#authentication-methods)
- [SAML Identity Providers](#saml-identity-providers)
- [OAuth Clients](#oauth-clients)
- [Single Sign-On (SSO)](#single-sign-on-sso)
- [Access Control](#access-control)
- [Role Collections](#role-collections)
- [Workspace Permissions](#workspace-permissions)
- [HTTP Security Headers](#http-security-headers)
- [Recommended Headers](#recommended-headers)
- [Example Configuration](#example-configuration)
- [Configuration Location](#configuration-location)
- [Compliance Features](#compliance-features)
- [Compliance Monitor](#compliance-monitor)
- [Profanity Monitor](#profanity-monitor)
- [Content Administration](#content-administration)
- [Audit Logging](#audit-logging)
---
## Authentication Methods
### SAML Identity Providers
Configure trusted SAML IdPs for SSO:
1. Navigate to Administration Console
2. Go to Authentication > SAML Trusted IdPs
3. Add IdP metadata
### OAuth Clients
Register OAuth clients for API access:
1. Go to Authentication > OAuth Clients
2. Create new client
3. Configure scopes and permissions
### Single Sign-On (SSO)
SSO is enabled through:
- SAML federation
- SAP Cloud Identity Services
- Corporate IdP integration
---
## Access Control
### Role Collections
Key roles:
- `Workzone_Admin` - Full administration
- `Workzone_User` - Standard access
- `Workzone_HR_Admin` - HR integration
### Workspace Permissions
- Owner
- Admin
- Member
- Viewer
---
## HTTP Security Headers
Configure security headers to protect against common web vulnerabilities.
### Recommended Headers
| Header | Value | Protection |
|--------|-------|------------|
| X-Frame-Options | SAMEORIGIN | Clickjacking |
| Content-Security-Policy | default-src 'self' | XSS, content injection |
| X-Content-Type-Options | nosniff | MIME-type sniffing |
| X-XSS-Protection | 1; mode=block | Cross-site scripting |
| Strict-Transport-Security | max-age=31536000 | Protocol downgrade |
### Example Configuration
```
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
### Configuration Location
Security headers are typically configured at:
- BTP Application Router (xs-app.json)
- SAP Cloud Connector
- Load balancer/reverse proxy level
> **Note**: For API security including OAuth flows and token handling, see `references/api-reference.md`.
---
## Compliance Features
### Compliance Monitor
Flags content matching compliance dictionary terms.
### Profanity Monitor
Detects and flags profanity violations.
### Content Administration
Review and manage flagged content.
---
## Audit Logging
Security events logged include:
- Authentication attempts
- Permission changes
- Content modifications
- Administrative actions
For detailed audit logging configuration, see `references/auditing.md`.
---
**Documentation Links**:
- Security Guide: [https://help.sap.com/docs/build-work-zone-advanced-edition/sap-build-work-zone-advanced-edition/security](https://help.sap.com/docs/build-work-zone-advanced-edition/sap-build-work-zone-advanced-edition/security)
- SAP Cloud Identity: [https://help.sap.com/docs/cloud-identity-services](https://help.sap.com/docs/cloud-identity-services)
Reference in New Issue View Git Blame Copy Permalink