Security topics

CIS mobile addresses the following security topics:
  • Authentication
  • Secure communication
  • Authorization
  • Data integrity

Authentication

"Authentication" confirms the identity of the person using the system. In CIS mobile the user's identity is checked by requiring the user to enter his or her
  • SAP user name
  • SAP password
  • CIS mobile logon ticket

The "ticket" mechanism prevents the SAP user account from being locked by repeated failed logon attempts. It also allows CIS mobile access to be disabled for a particular device (e.g. one that has been reported lost) by disabling that device's logon ticket on the server. See Logon Ticket for details.

Secure communication

"Secure communication" means that no third party can intercept and make use of the data sent to the mobile device, or sent from the mobile device to the server.
Today HTTPS (HTTP over TLS/SSL) is the technique of choice for secure communication. It is used for critical applications such as banking or credit card purchasing, and can be used for CIS mobile without any special configuration. You install an SSL certificate on the server and activate HTTPS in the IIS Manager (Microsoft Internet Information Services).

In addition, you may disable insecure HTTP communication for CIS mobile altogether, or you can redirect any HTTP request for CIS mobile to HTTPS instead; see How to redirect requests from HTTP to HTTPS in IIS 7.
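The two options above, expressed as IIS web.config settings, as an added example that is not part of the original documentation or of the CIS mobile product. The site name, the "cismobile" path and the hostname are constructed placeholders; the redirect rule assumes the Microsoft URL Rewrite module is installed on the IIS server.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not CIS mobile's own configuration): web.config for the
     IIS application that hosts CIS mobile, e.g. https://<host>/cismobile/ -->
<configuration>
  <system.webServer>

    <!-- Option A: refuse plain HTTP entirely. With sslFlags="Ssl" IIS answers
         any http:// request with 403.4 (SSL required) instead of serving it.
         Use this when every mobile device is already configured with the
         https:// URL. Do not combine with option B: the SSL check runs before
         URL Rewrite, so the redirect would never be reached. -->
    <security>
      <access sslFlags="Ssl" />
    </security>

    <!-- Option B: redirect http:// to https:// (requires the URL Rewrite
         module). Remove the <security> block above when using this option. -->
    <rewrite>
      <rules>
        <rule name="Redirect CIS mobile to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" for requests that arrived on the HTTP binding -->
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <!-- 301: clients cache the redirect, so enable it only after the
               HTTPS binding with the installed certificate has been tested -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

  </system.webServer>
</configuration>
```

Option B only protects a request after the first plaintext round trip has already been made, so the mobile devices should still be configured with the https:// server URL directly; the redirect then only catches mistyped or legacy http:// addresses rather than carrying SAP credentials or a logon ticket over an unencrypted connection.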

Authorization

"Authorization" means that a user is allowed to view certain data, to create or change data, or to perform particular functions. CIS mobile observes the user authorizations that are already specified in the SAP system; there is no additional "CIS mobile authorization system" that you would need to configure. The one exception is the CIS configuration parameter "Select 'My customers' only", which restricts the customer selection to "My customers", i.e. the customers for whom the user is the responsible contact person.

Please see the next chapter SAP authorizations for a detailed list of all authority checks.

Data integrity

CIS mobile offers "create" and "update" functions, e.g. for contacts, visit reports and orders. In addition to the authorization aspect, it is important that all changes in the database observe the SAP rules of data integrity, e.g. that all input data is checked and all dependent database tables are updated correctly.

This is guaranteed in CIS mobile by using the SAP standard transactions for all "create" and "update" functions. When a CIS mobile user presses the "Save" button, an SAP GUI session is started for the current user and the corresponding standard transaction is executed in the same way as if the user had entered all values manually. See SAP GUI Scripting for the technical details.