Security and Hosting Overview June 2015

1.3.4 Page-Level Access Checking

The application has been designed so that every web page checks for access rights before displaying itself. Additionally, each page performs a second check to ensure that an authorized user has access only to those data elements and functionality that have been expressly authorized by the system administrator.

The post-authentication session ID that is generated and cached server-side is validated prior to showing each page. SAP Fieldglass stores a non-persistent cookie in the browser and compares it to the server-side session ID. If they no longer match due to malicious activity, the user is redirected to a "You are not authorized" page.

Authorization is handled through user-defined User Roles. User Roles give the customer, through its designated administrators, the flexibility to specify the type of access given to a member of that user group, based on the definitions configured by the administrator. The User Role controls which areas of the application are accessible to the user group and which actions its members can perform in those areas (e.g. job posting create, time sheet approve, etc.).

1.3.5 URL Encryption

SAP Fieldglass does not pass any sensitive data in its URL query strings. Parameters that are used to identify users in the system are protected by anonymizing the field variable and then encrypting the associated value using AES-256.

1.3.6 Activity Logging

As users access the system, all of their business-significant activities are tracked and logged, including failed login attempts, successful logins, approvals, submissions, etc. This activity log provides a full audit trail of the actions a particular user performed within the system, along with the timestamp of each.

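The two checks from section 1.3.4 and the audit trail from section 1.3.6 can be sketched together as follows. This is an added example, not SAP Fieldglass code; the role, area and action names, the in-memory stores keyed by user name, and the 403 response for a role denial are assumptions made for illustration.

```python
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample data; role, area and action names are hypothetical.
ROLES = {"approver": {("time_sheet", "approve"), ("time_sheet", "view")},
         "requester": {("job_posting", "create")}}
SESSIONS = {}    # user -> session ID cached server-side after authentication
USER_ROLE = {}   # user -> User Role assigned by the administrator
AUDIT_LOG = []   # (timestamp, user, event) audit trail

def audit(user, event):
    """Append a timestamped entry to the activity log."""
    AUDIT_LOG.append((datetime.now(timezone.utc).isoformat(), user, event))

def login(user, role):
    """Post-authentication step: create and cache a fresh session ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[user], USER_ROLE[user] = sid, role
    audit(user, "login_success")
    return sid   # sent to the browser as a non-persistent cookie

def render_page(user, cookie_sid, area, action):
    """Run both checks before any page content is produced."""
    expected = SESSIONS.get(user)
    # Check 1: the cookie must match the server-side session ID.
    # compare_digest avoids leaking the match position through timing.
    if expected is None or not hmac.compare_digest(
            expected.encode(), cookie_sid.encode()):
        audit(user, f"session_mismatch:{area}.{action}")
        return 302, "/not-authorized"
    # Check 2: the User Role must expressly grant this area and action.
    if (area, action) not in ROLES.get(USER_ROLE.get(user), set()):
        audit(user, f"denied:{area}.{action}")
        return 403, "You are not authorized"
    audit(user, f"allowed:{area}.{action}")
    return 200, f"{area}:{action}"
```

Denied and mismatched requests are logged as well as allowed ones, so the audit trail shows attempted access and not only completed actions.
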
1.3.7 Application Testing

Upon request, SAP Fieldglass will provide customers with a sandbox environment where system testing can occur outside of production. This is useful when testing configuration changes, new integrations, and/or new reports prior to making the changes live in the customer's production instance.

Upon request, the customer's data can be anonymized. SAP Fieldglass has the ability to scrub the data such that it is unrecognizable. Data element replacement is accomplished by an automated SAP Fieldglass utility that replaces the customer's company code, user names, business units, cost centers, and sites from a store of random variables. Any or all of these elements may be chosen for replacement.

Sensitive data that has been designated by the customer to be stored in the SAP Fieldglass application is encrypted with AES-256. The encryption and decryption keys are different between production and test environments and are different between the US and EU datacenters. These keys are stored in the corporate password vault and are accessible only by the Database Administrators and the Lead Architect.