Laserfiche WebLink
Security and Hosting Overview <br />June 2015 <br />Once customer testing has been completed, the Environment Management team (a team <br />within Professional Services) destroys the environment. The database is purged and the <br />VM is returned into circulation. <br />1.3.8 Password Management <br />The SAP Fieldglass application provides each customer the ability to define a Password <br />Policy. This policy contains custom -defined password rules that each user in the <br />customer's instance must adhere to. The policy provides 20 different password rules such <br />as minimum length, user lockout preference (hard lockout vs. time -based reset), days to <br />expiration, minimum password age, etc. Also included is the ability to specify a regex <br />pattern(s). This pattern dictates the password value syntax that each user must follow. <br />When customer chooses to use a test instance ("sandbox'), all user password values <br />remain unchanged from their production values. All passwords and visibility restrictions <br />remain unchanged to ensure that users in the test instance are not able to gain access to <br />data they're not privileged to see in production. Also, the password policy that is enforced <br />in in the production instance is also enforced in the test instance. <br />New user invitations are sent via email. Recipients enter their 1-time passcode and are <br />then forced to specify a new password that complies with the customer's password policy <br />rules. User invitations expire after 21-days. <br />1.3.9 Email Approvals <br />In order to better support our growing mobile workforce, SAP Fieldglass offers customers <br />a supplementary method for approving their work items. Via email, approvers are able to <br />submit their approval or rejection response by simply replying to the approval work item <br />that was sent to them. This method has been proven to reduce approval cycle times by <br />several days since the approver does not have to be in the office. This feature has been <br />architected with the following security controls: <br />• Only the original recipient can approve/reject the work item. If the recipient forwards <br />the email to another person, the system will not accept the response. <br />• Email spoofing is not a risk. A unique ID is generated for each approval request. This <br />unique ID along with the person ID of the intended recipient is stored encrypted with <br />AES-256. So even if the email address sending the approval/rejection response is <br />legitimate but the sender is not, the system will detect this anomaly and not accept <br />the response. <br />• A SAP Fieldglass approver can identify another user as their Proxy and/or Delegate <br />when they will be out of the office and unable to handle the approval requests. By <br />design, neither of these roles receive approval work items via email. So only the <br />original recipient can ever submit an approval/rejection response via email. <br />• If the customer created custom fields where sensitive information is stored <br />encrypted, those fields and associated values are not allowed to be selected for <br />inclusion in these email approval notifications. <br />• The system audit trail is updated with all user actions including approval/rejection <br />activities via email. This audit trail is accessible by privileged customer users and can <br />be used to monitor user activity. <br />SAP Fieldglass Page 10 121 <br />