Skip to Content
avatar image
Former Member

A Portal Security Issue

We have one portal system with two portal applications:SAP

ESS (Employee Self Service) and SAP LMS (learning management system).

Currently when users logs in the portal will use a network LDAP to

authenticate users access. Once users are authenticated they will see one

page (one view) with two buttons:one for ESS (associate Personal Data) and

the other is for Global Learning Center (LMS). We want to implement two

other application TCI (Total Compensation) within ESS and MSS (Manager Self

Service). Several Security issues has been raised. I can describe security

requirements in two categories: One general which is not very security

sensitive and network password is enough. LMS and some features in ESS

will fall in this category. We have very sensitive application like MSS

and TCI (which a component within ESS). For the sensitive application like

MSS and for the TCI component can we add additional level of authentication

or challenge response. For example when I login to my Bank web site not

only I enter my user id or account id and password but I have to answer

another confidential question. Some web site will show you a picture and

asks you to enter additional pin number. Have any one done some thing like

that in SAP portal? Any idea how to add additional security in SAP portal?

How to create custom login module? All components that I described

above belongs to the same portal application and belong to one ECC system?

Do you think we need two portal systems: one for sensitive and another for

non-sensitive components?

We are thinking for two level authentication. One use LDAP to get into

the portal main page but when a user click on MSS their should be another

authentication (a password or something similar to that) ? Is this do

able? What is the best solution for this type of situations? We have someone

suggested to implement MSS on a separate portal and then added it to the

iView which will require UME authentication when someone try to access it.

The UME password will be different from the LDAP password. What you think

of this approach? Any different idea.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • avatar image
    Former Member
    Sep 01, 2008 at 07:14 AM


    For the portal page it's possible to define a "Authentication Scheme". It can be some standard or your own scheme. Using this you can ask user for an additional password.



    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 01, 2008 at 08:00 AM

    Hi Amr,

    We also have HR related (sensitive info) integrated into our Portal. One of the main strenght of teh Portal is SSO and if you create more layer of authentication, its taking that Portal strength away from your project. Yes, HR related info are sensitive but I'm also very sure that your company has a STRONG user rule that they have to lock their screen everytime they are away from their hardware. Also, your IT infrastructure and support team can also help to enforce or change the screensaver for the users, such that the screen will lock itself when the screensaver kicks in.

    If the above is not discuss-able and that its a MUST, then I could suggest the below (may not be the best suggestions):

    1) Create another account for the user in the Portal UME. This means that the user will have to login via the Portal login screen, depending on which function he/she wants to use. Thus user will have 2 different accounts.

    2) Develope custom Authentication into Portal with a custom logon application. Search the post with the subject (Custom Authentication into Portal) by Jeff Walberg (Posted: Jun 5, 2008 3:51 PM ).

    Hope that helps.


    Add comment
    10|10000 characters needed characters exceeded