How UserXpress Handles Security
Submitted by 1905 Team on Mon, 27/04/2020 - 07:58
Of course security is of paramount importance to all companies – and understandably so. In this blog we will talk about security within UserXpress, how UserXpress communicates with your SAP systems, how it accesses the data, manages change history and more.
- UserXpress installs directly on the user’s workstation. There are no transports, repairs or changes needed for your SAP systems.
- No SAP Users are stored in memory when the application is running – they’re not cached anywhere else.
- The only communication from the application is to the designated SAP Client – there are no other ‘emissions’ (as can be verified with Wireshark).
How Does UserXpress Communicate with SAP?
We use an SAP certified interface to communicate with all SAP Systems and Clients. The library we use was developed by a German company called Theobald Software. The software is certified for all communications by SAP itself. A copy of the certificate is located here.
We use this company specifically because of the SAP Certification, because then we’re assured that all communication to an SAP System is precisely as SAP intended.
What about accessing SAP Data?
UserXpress will retrieve all available systems from the saplogon.ini file and present them to you. Since you use your own user ID to log on to the SAP system, your restrictions are based on what roles or profiles you have been assigned.
So how do you access UserXpress? Via a passphrase that must be a minimum of 12 characters. More information on the passphrase:
- The hashing function/algorithm is Microsoft’s implementation of PBKDF2 that uses the pseudo random function HMAC-SHA1.
- Salt size is 256 bits and generated by Microsoft Windows’ Cryptographically Secure Pseudo-Random Number Generator – RNGCryptoServiceProvider() from their provider “Microsoft Enhanced RSA and AES Cryptographic Provider”
- The hashing function uses an iteration count of 22,000
- The resulting hash is 512 bits long
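The passphrase parameters listed above, as an added example (not UserXpress code): Python's `hashlib.pbkdf2_hmac` stands in for Microsoft's PBKDF2 implementation. The function names, the UTF-8 encoding of the passphrase and the sample passphrases are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Parameters as stated in the list above.
MIN_PASSPHRASE_CHARS = 12
SALT_BYTES = 32        # 256-bit salt
ITERATIONS = 22_000
HASH_BYTES = 64        # 512-bit result
PRF = "sha1"           # PBKDF2 with HMAC-SHA1


def derive(passphrase: str, salt: bytes, length: int = HASH_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 passphrase (the encoding is an assumption)."""
    return hashlib.pbkdf2_hmac(PRF, passphrase.encode("utf-8"), salt, ITERATIONS, length)


def enroll(passphrase: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for a new passphrase, enforcing the minimum length."""
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        raise ValueError("passphrase must be at least 12 characters")
    salt = secrets.token_bytes(SALT_BYTES)  # drawn from the OS CSPRNG
    return salt, derive(passphrase, salt)


def verify(passphrase: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(passphrase, salt), stored)


def prf_blocks(length: int = HASH_BYTES) -> int:
    """Number of 20-byte HMAC-SHA1 blocks PBKDF2 computes for `length` bytes.

    Each block runs the full iteration count independently, so the first
    20 bytes of a 64-byte result equal a 20-byte derivation on their own.
    """
    digest_size = hashlib.new(PRF).digest_size
    return -(-length // digest_size)  # ceiling division


if __name__ == "__main__":
    salt, stored = enroll("constructed sample passphrase")  # constructed input
    print(len(salt) * 8, len(stored) * 8)
    print(verify("constructed sample passphrase", salt, stored))
    print(verify("constructed wrong passphrase", salt, stored))
    print(prf_blocks())
```

Because a 512-bit result spans four HMAC-SHA1 blocks, each derivation performs four times the stated iteration count in HMAC computations.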
Where is Change history stored?
Changes to your data are made directly within SAP and stored within SU01. Did you know you can access SU01 directly from UserXpress? Simply double click on any user and it will open up SU01 for that particular user.
We hope that answers any questions you may have about security and UserXpress. If you have any questions, please let us know. We are always happy to talk to the SAP community.
The 1905 Team