Professional Documents
Culture Documents
Product Standard Compliance (T0167) - CCPM
Product Standard Compliance (T0167) - CCPM
Instructions:
The purpose of this document is to record the compliance with SAP's product standards of your project.
For < Type delivery type, e.g., Initial, Interim, Final, etc. >Version: <Version> < Organization Name>
Initial creation on: <Type date of initial checklist creation>, Created by: <Name of Author>
The user is informed about time limits and time limits can
ACC-278 be switched off, delayed, or extended before the time
limit expires.
Description
The Accessibility Status Document is the only way the accessibility status of an SAP product
can be communicated towards a customer. In the ASD statements are given related to
underlying guidelines or regulations. The ASD is an important prerequisite for selling SAP
products to the Public Sector as well as to large enterprises. At the moment, three ASDs are
offered: VPAT for the US market: related to US Section508 (Act) BITV for the German market
related to Geman BITV 2.0 (Act) WCAG for the entire markets related to WCAG 2.0
(Guideline)
Prerequisite for Applicability: Either data input elements and data output elements are
available or grouped information/grouped elements are available. Explanation: The aim of
this requirement is to ensure that all UI elements for data input, data output and grouped
information (like tables, areas dealing with one topic) are clearly labeled. The topic or purpose
of the field must be clearly indicated by the label. Instructions for user inputs (e.g. input field
contains initial text that shows the correct date format if typing a date is required) supports the
user in entering data correctly.
Prerequisite for Applicability: The application has at least one screen. Explanation: The title
text should indicate what the screen is intended for. Screen titles help all user groups to find
their way around the application. Titles help users to quickly and easily decide whether the
content of a particular screen is relevant for them. Assistive technology makes the title
accessible to the user. Note: Title does not mean the "title" attribute.
Prerequisite for Applicability: Non-text content is available and the non-text content is
important in the application#s context. Explanation: The purpose of this requirement is to
ensure that every important piece of non-text content is also available as text. The advantage
of text is that it has a neutral representation. This means it can be output in visual, auditory or
tactile format - or in any combination of these. Therefore any information created as
electronic text can be represented in the most appropriate way for the user. Non-text
contents include icons, graphics, video streams, audio streams. Note: The following cases are
excluded: - A control element or control, which accepts user input and which has a label that
describes the purpose of the element. - Test or exercises that must be presented in a non-
text format: If tests or exercises are invalid if presented in text, then text alternatives at least
provide descriptive identification of the non-text content. - Specific sensory experiences are
required and text alternatives containing at least one description of the non-text content are
available. - CAPTCHAs: If the purpose of non-text content is to confirm that content is being
accessed by a person rather than a computer, then text alternatives that identify and describe
the purpose of the non-text content are provided, and alternative forms of CAPTCHA using
output modes for different types of sensory perception are provided to accommodate different
disabilities. - Purely decorative elements, or elements only used for visual layout purposes or
where the non-text content is not visible for the user. These elements can be configured so
that they are ignored by assistive technologies.
Prerequisite for Applicability: There are elements with the same functions on multiple screens.
Explanation: If an application contains multiple screens with the same functions, it is important
that these elements (such as menu items, toolbar buttons) are consistently labeled and used.
Prerequisite for Applicability: The application uses technologies or components, which exclude
specific user groups. Explanation: Certain technologies and components can exclude specific
user groups in the application. Charts or flash-based content can often cause problems. If
specific user groups are excluded, the application developers must find a way to provide an
accessible solution with the same content and functionality in the application.
Prerequisite for Applicability: Text content/images of text exists. Explanation: Partially sighted
users who do not use assistive technologies must be able to magnify text by up to 200% of
the minimum font size (see Minimum Fonts Size Concept). Here, the screen layout must be
scaled so that there is no loss of either content or usability and function (for example, no texts
must be truncated). This includes also images of text.
Prerequisite for Applicability: Texts and images of texts exist. Explanation: A minimum
contrast improves legibility for partially sighted users (for example, users with low visual
acuity or color vision deficiencies) and makes content easier to use. In the case of mobile
applications, for example, changing light conditions could have a negative impact on the
legibility of the content and a contrast ratio of 4.5:1 might not be enough. This means that
developers of applications used under changing light conditions need to strive for the widest
possible contrast ratio (at least 7:1 if possible). No minimum contrast is required for texts and
images of texts that are # part of an inactive component of the user interface # purely
decorative # incidental to the main focus of an image or video.
Prerequisite for Applicability: User Interface exists. Explanation: Users with restricted visual
acuity need to be able to adjust the screen display to their individual requirements. For
example, raising the contrast can improve legibility at the onset of presbyopia. Users with a
high level of sensitivity to light, on the other hand, need to reduce the brightness of the
screen. Once a user makes individual screen display settings at the operating system level
(such as selecting a color and design theme, contrast, brightness, or fonts), it is important
that they are applied to the application so that the user only needs top make them once. If
the application itself provides color and contrast setting options, a) the following themes must
be available: high contrast black (7:1) high contrast white b) colors must be available for the
foreground color and background color.
Prerequisite for Applicability: Information and relationships exist that are conveyed using
visual presentation. Explanation: Users perceive the structure and relationships of information
by the different ways it is presented. For example, headers are often in a larger (bold) font;
tables are elements organized in groups sharing row and column names and the
relationships of these rows and columns are vital for understanding the table content;
background colors can be used to indicate that certain content is related. The aim of this
requirement is to ensure that information and relationships conveyed using visual (and
auditory) formatting is preserved when the presentation format is changed. This means it is
important that these structures and relationships are determined technically in the program or
conveyed using text. One way in which the presentation format can be changed is, for
example, when a screen reader is used or when the user replaces the style sheet with his or
her own style sheet or deactivates the style sheet altogether.
Prerequisite for Applicability: User interface elements exist. Explanation: The application
must be programmed using the appropriate rules for assistive technologies that access the
application. It must be possible to identify correctly the name and type (properties, states, and
values) of all UI elements. This is because assistive technologies access these elements,
interact with them, and conveys them accordingly.
Prerequisite for Applicability: Text content exists. Explanation: The aim of this requirement is
to ensure that language attributes are made available to programs so that they can convey
the text content in the correct language. Using these attributes, for example, screen readers
can convey content using the correct accent, media players can show subtitles in the correct
language, and mailboxes can pronounce names properly. Furthermore, users with
impairments can better understand the screen content.
Prerequisite for Applicability: A markup language (such as HTML, Open OfficeXML, or Open
Document) is used, for example in a Web-based application. Explanation: The aim of this
requirement is to ensure that programs accessing the application (mostly assistive
technologies) can read and analyze the content correctly. This can happen only if the markup
language is used in a syntactically correct way. If the content cannot be resolved as a data
structure, it may be the case that different programs present the content in different ways (or
cannot present it at all).
Prerequisite for Applicability: The same navigation areas are repeated across multiple
screens. Explanation: The consistent presentation and arrangement of navigation areas
across multiple screens helps users to navigate quickly and efficiently when using the
application repeatedly. Users who, for example, work with screen magnifiers can only see a
small section of the active screen at a time. They can work more efficiently if the navigation
areas they are used to finding at the top left of the application are in this position across all
screens.
Prerequisite for Applicability: Information objects exist. The user has the option of visiting the
information objects. Explanation: Users must be able to find content in a way that best
matches their needs. It is important that an application offers several options for finding
content directly. Users with visual impairments often find it easier to navigate using "Search"
rather than selecting links.
Prerequisite for Applicability: Repeated elements appear. Explanation: The aim of this
requirement is to ensure that all users can work efficiently with an application. A user must be
able to locate the focus of a page as quickly as possible without, for example, having to
traverse identical content after changing screens. It must also be possible to skip grouped
information, such as tables. Keyboard user must not be subjected to excessive amounts of
tabbing.
Prerequisite for Applicability: Always applicable. Explanation: If all functionality can be
achieved using the keyboard, it can be accomplished by keyboard users, by speech input
(which creates keyboard input), by mouse (using on-screen keyboards), and by a wide variety
of assistive technologies that create simulated keystrokes as their output. No other input form
has this flexibility or is universally supported and operable by people with different disabilities,
as long as the keyboard input is not time-dependent. Note that providing universal keyboard
input does not mean that other types of input should not be supported. Optimized speech
input, optimized mouse/pointer input, etc., are also good. The key is to provide keyboard
input and control as well.
Prerequisite for Applicability: Interactive UI elements exist. Explanation: Users of an
application require a visible keyboard focus to identify which element has the focus.
Prerequisite for Applicability: Logically related interactive elements exist. Explanation: In
applications where the navigation order is important for the user's understanding of the
model, the keyboard focus must also follow this order.
Prerequisite for Applicability Interactive UI elements exist. Explanation: When navigating
through an application, actions must be predictable for the user. When an element is focused
or its state changed, the context must not be changed unless there is further interaction with
the user.
Prerequisite for Applicability: The input of the user is a legal obligation, a financial transaction,
or can cause data to be lost or modified in data repository systems. Explanation: If the input
of a user implies legal obligations or a financial transaction or can cause data to be lost or
modified in data repository systems, the application must ensure that the user can check,
correct, or cancel his or her actions.
Prerequisite for Applicability: Data input elements exist and the application checks user input
for errors automatically. Explanation: If data input is required in the application context, the
user must be informed about any input errors, where they occurred, and be provided with a
text description of the error.
Context-specific suggestions for corrections help groups of users to identify and correct errors
quickly. In an accessibility context, this requirement supports users with impaired vision by
providing them with more specific information about the nature of the input error. The
suggestion contains a precise description of the error.
Prerequisite for Applicability Additional software is required to be able to use the full scope of
the application. Explanation: Many applications uses embedded or external further
applications (e.g. showing pay statements via pdf). If this additional application is not
accessible, a user may not be able to use full scope of an application. This requirement has
three parts: 1. Is there a link to the required software? 2. Does the required software meet
SAP Product Standard Accessibility? 3. Is it possible to change the link to select accessible
software?
Prerequisite for Applicability: Time limits exist that are not part of a real-time event or that are
shorter than 20 hours or that are not required by an activity. Explanation: User with varying
levels of impairment or varying expertise may need more time to complete a task than
specified by the application. If reasonable in the context, it must be possible to switch off or
modify time limits.
Prerequisite for Applicability: There is automatically played content lasting longer than five
seconds (in the case of video content) or three seconds (in the case of audio content) and the
content is presented at the same time as other content and is not related to the activity of the
user. Explanation: Animations and audio streams are designed to attract the attention of the
user. E.g., users of screen readers find it difficult to listen to speech output if other audio files
are played automatically at the same time. Users with hearing impairments are also distracted
by content played automatically. The user must therefore be able to pause, stop, or hide
automatic audio or video content or change the volume independently of the system volume.
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X x
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Quality-Always X X X
Comment
Open
Fulfilled (by
Automated
Tests)
Fulfilled (by
Infrastructur
e)
Fulfilled (by
Manual
Tests)
Planned
Not
Applicable
Not Fulfilled
Product Standard - Business Solution Configuration
Technology
BSC-86 Architecture- All business configuration content of a Only Solution Manager and IMG are x
Always solution/application belonging to SAP allowed means to configure business
Business Suite shall be implemented scenarios, business processes and
by SAP Solution Manager and IMG business process steps in the context
only. Business configuration content of SAP Business Suite.
shall not be part of business function
screens.
BSC-97 Quality- A solution/application belonging to BC Sets are used mainly for: - the x
Specific SAP Business Suite shall support BC- synchronisation of configuration via
sets for automation purposes. SCDT_Mapping between different
implementations of business
processes - automation of tests -
delivery of packaged solutions/Rapid
Deployment Solutions - automation
of configuration process
Not Applicable
Open
Fulfilled (by
Automated
Tests)
Fulfilled (by
Infrastructur
e)
Fulfilled (by
Manual
Planned
Tests)
Not
Applicable
Not Fulfilled
Product Standard - Functional Correctness Link to Wiki page with all CD product standard experts
CDP-FC-1 Corporate Software code shall be developed Each program shall describe a minimum set
according to the mandatory coding of coding rules for the produced software.
rules. These coding rules shall be derived from
rules defined SAP wide for a programming
language (if applicable). To ensure
compliance with the defined rules static
code checks shall be implemented. There
shall be no open violations of coding rules
of priority very high or high.
CDP-FC-2 Corporate Each new functionality shall be The implementation of new functionality in a
tested successfully. product shall be verified successfully in
accordance with the chosen test strategy.
It shall be possible to show, which new
functionality was tested with which test
cases and that these test cases have been
executed successfully (in this context we
use the term "traceability")
CDP-FC-3 Quality- All regression tests of previously tested The regression test shall ensure that defects
Always functionality shall be executed have not been introduced or uncovered in
successfully in accordance with the unchanged areas of the software, as a
chosen test strategy.
result of changes made. It is performed
when the software or its environment is
changed. Ensure traceability from
regression test objects (per default business
scenarios in TOR) to associated tests (per
default in TWB).Depending on the test
strategy for example (a) the regression test
of takt 2 includes the functionality
previously tested in takt 1 and (b) the
regression test includes the functionality
(e.g. scenarios, processes, requirements,
use cases, etc.) previously tested and
shipped in a former release. It has to be
defined and agreed during planning phase
for this product standard how the fulfillment
of the requirement will be proven.
ATC is used
Not
Applicable
Not Fulfilled
Product Standard - Globalization
Unicode compatilbility is the best way to implement the ability to accept user
input in different scripts (ex. Latin, Cyrillic, Asian scripts, etc) and a
prerequisite towards making your software translatable and saleable in all
major markets. Note that Unicode support might still be destroyed by careless
programming, and extra effort needs to be taken to ensure Unicode
compliance. For example: When using Windows APIs, Unicode versions
should be used in spite of the availability of non- Unicode APIs. -
Automatically enforced by NetWeaver ABAP - Supported by NetWeaver
Java, .NET and JRE Additionally, the following tools help you with ensuring
Unicode compliance: - The ccQ Unicode check for your C-code - The jlin
check 'Internationalization' for your Java-code
The product shall be able to display and function in languages such as Arabic
or Japanese in the same way as in English or French.
If a date, time, or number is displayed, the display format shall meet the user's
expectations and avoid misinterpretation. supported in NW ABAP (enforced,
if date, time, and number formatting is left to the framework) supported by
Web Dynpro (Java as well as ABAP), ensure an appropriate personalization
screen is available, ensure correct typing of fields
Formats such as, for example, 'US Letter' in the USA or 'DIN A4' in Germany
must be supported.
This is automatically enforced in SAP spool, ABAP list, SAPscript and
Smartforms. For further information, check section Input, Display and Printing
of the Internationalization (I18n) Guide.
- meta data: e.g. maximum length, domain, target group, string category
(button, label), comment/description - do translators easily see the
relationships between related UI strings (e.g. all entries in a menu)? -
translated strings of a dashboard visible in realtime at the final screen location
This requirement aims to ensure that the traceability information is
automatically available to the translator without the need for him / her to
contact development in event of a bug in translation. When a defective text is
found on the display, a tool or framework supported way to find the
corresponding text element in the database or within the resource bundle files
is very helpful.
If, for some reason, a specific text is not or not yet translated, it should be
displayed in another language. As all texts of SAP Software must be available
at least in English, it is recommended to switch to English text display if the
desired language cannot be selected. This does not refer to a complete
translation, but to special output texts from functions that might not be
translated (e.g. reused components).
Language dependent customer data is for example: product description,
invoice templates, freight accompanying documents, safety instructions for
dangerous goods and other kinds of content. Textual data that is not needed
in other languages does not need to be translatable.
In ABAP systems, customers can use transaction se63 to translate their 'own'
data.
This requirement aims to ensure that resources and languages are packaged
and shipped independently of the software logic / components. There needs
to be a capability to deliver new languages without needing to rebuild and
repackage the entire product or parts thereof, and without needing to wait for
the next support package. When compliant, adding a language will not be like
an upgrade project for the customer. For SAP, compliance will reduce risk
otherwise caused by the complexities in delivering a complete installation
package / service pack.
Products should be prepared to support any currency change/conversion (e.g.
from local currency to EURO). The full support of currency reforms can be very
complex especially (but not exclusively) for the Financials area. For example,
SAP Business Suite customers typically need to run a specific project for
countries where the currency is changed.
Currency reforms are a complex topic, but different products are affected to
different degrees. So the main question you should ask yourself is how the
effects of changing the currency during a currency reform would affect your
customers and their data. How would you enable the customer to change the
currency of business transactions, support a possible dual currency phase or
help convert historic records to the new currency? The answers to these
questions should help you judge to what extent the requirement is (in)-
applicable or where you need to think ahead and develop a concept for
supporting future currency reforms. The examples below are meant to help
understand these different aspects better.
In the Financials area for example, parallel currencies are required for
International companies operating in multiple countries. Those corporations
typically define one enterprise wide currency e.g. for reporting purposes. This
currency is used in parallel to the local currency which is common and legally
required in the countries of the subsidiaries. This requirement is not restricted
to Financials and sometimes can be relevant for other products, in particular if
they contain valuation amounts or prices. For example, if a system contains
material prices (standard price / moving average) or product costing values.
This decoupling will allow us to ship localized versions for different markets
without one version affecting a market it wasn't intended for.
Note: Country specific fields shall only be displayed (or edited) in the relevant
countries. The relevant country needs to be determined according to
underlying business object. There may be cases, where more complex
information needs to be brought to the UI (additional tabs, subscreens, tables,
or even entire new country specific screens).
English is the source language for translation into many languages. Hence,
development should integrate text resources in English (and not in German) to
facilitate good translation.
In languages such as Hebrew or Arabic, the main direction of reading flows
from right to left and the starting point of the screen is in the top right corner.
Bidirectional text can contain text in both text directionalities, right-to-left (RTL)
and left-to-right (LTR). It generally involves text containing different types of
alphabets. Direction dependent icons and images need to be mirrored. Charts
(for example, stock charts) and geographical maps are not mirrored. Bidi
support is also needed for document printing (for example for reports or forms)
from the application.
If your product is or contains a development tool, it shall support the creation of
applications that fulfill the requirements of the product standard globalization.
This includes especially Unicode support and translatability. External
developers using SAP's development tools should also have the possibility to
write applications with text resources in a language of their choice. Internal
developers must follow requirement GLOB-127 and develop in English.
- The product can run during the daylight saving time switch and time
dependent data (especially input) is processed correctly.
- Time duration calculations shall also work with daylight saving time changes.
- Time information shall be stored in a way that the nature of time (global time,
local time or time zone independent data) is unambiguous.
Translatability means that texts are Unicode compliant and that no hardcoded
texts shall be used, among other things. All texts in an SAP product shown to a
user during normal processing (including common error messages) shall be
translated. A translation is not required for technical texts (e.g. texts that if
translated, might break the program), runtime errors or log entries for technical
logs (application logs may require translation, depending on the business
scenario). The development environment system shall be connected to the
SAP translation system. If this is not the case, you shall create and agree
upon a translation technology roadmap with SAP Language Services.
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
NW ABAP
Fulfilled (by
Infrastructure)
ABAP
Not Applicable
Not Applicable
Not Applicable
Fulfilled (by
Infrastructure)
ABAP
Not Applicable
ABAP
Not Applicable
Not Applicable
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Not Applicable
should be checked
Planned
Fulfilled (by
Infrastructure)
Not Applicable
Not Applicable
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
Not Applicable
Open
Fulfilled (by
Automated
Tests)
Fulfilled (by
Infrastructur
e)
Fulfilled (by
Manual
Tests)
Planned
Not
Applicable
Not Fulfilled
Information Lifecycle Management
Link to Wiki page with all CD product standard experts
Fulfilled (by
X X Supported by Data Aging
Infrastructure)
Fulfilled (by
X X Supported by Data Aging
Infrastructure)
Fulfilled (by
X X Supported by Data Aging
Infrastructure)
Fulfilled (by
X X Supported by Data Aging
Infrastructure)
X Not Applicable
X Not Applicable
Open
Fulfilled (by
Automated
Fulfilled
Tests) (by
Infrastructure)
Fulfilled (by
Manual Tests)
Planned
Not Applicable
Not Fulfilled
Operations and Support
Link to Wiki page with all CD product standard experts
Description On premise
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-1 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-44 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-29 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-54 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-57 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-68 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-55 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-11 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-46 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-17 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-51 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-41 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-31 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-52 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-56 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-58 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-59 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-60 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-61 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-62 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-63 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-64 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-65 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-31 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-33 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-49 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-37 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-36 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-23 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-53 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-6 X
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-66
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-67
https://wiki.wdf.sap.corp/wiki/display/operationssupport/ITSAM-69 X
oeffer, Suhaib Mohammed
rueckendorf
df.sap.corp/wiki/display/operationssupport/Home
Not Applicable
X X
Fulfilled (by Manual Tests)
X X
Fulfilled (by Infrastructure)
X X
Fulfilled (by Infrastructure)
X
Fulfilled (by Infrastructure)
X X
Fulfilled (by Infrastructure)
X
Not Applicable
X X
Not Applicable
X X
Not Applicable
X X
Not Applicable
X X
X X
X X
X X
Fiori
Data Aging Arhive Concept
SAP Gateway.
Front-end components running SAP UI5 already have a
built-in mechanism to activate and record client side
traces. It is possible to enable automatic upload of the
traces to SAP Solution Manager if SAP NW servers and
SAP Cloud Platform are involved.
Open
Fulfilled (by
Automated
Fulfilled
Tests) (by
Infrastructure)
Fulfilled (by
Manual Tests)
Planned
Planned
Not Applicable
Not Fulfilled
Product Standard - Licensing
On
Description Category premise
More information on the request/approval process is
provided in the following blog:
Corporate X
https://jam4.sapjam.com/blogs/show/
Xhv1KxBs3BLlRYyRvtDt37
Link to Wiki page with all CD product standard experts
p/wiki/display/glwikilc/Product+Standard+Licensing
X X Open
Open
Fulfilled (by
Automated
Tests)
Fulfilled (by
Infrastructur
Fulfilled
e) (by
Manual
Planned
Tests)
Not
Applicable
Not Fulfilled
Product Standard - Performance
1. General
1.1. Are performance critical processes part of this CDP?
2. Persistence Layer
2.1 Performance-optimized accesses to persistence layer
3. Application Layer
3.1 Parallel processing enabled
4. Communication
4.1 There shall be no more than 2 synchronous round
trips between front end and application layer per user
interaction step.
4.2 Transferred bytes between frontend and application
layer shall be kept at a minimum
Req.-Description Compliance
This includes:
- Appropriate indexes Fulfilled (by
- Buffers and caches Infrastructure)
- No redundant accesses
Please report the average amount of transferred bytes between Not Applicable
frontend and application layer.
Only applicable for critical processes with user interaction. avg.
End-to-end response time must be below 2 seconds. Planned
Comments
LAN environment
must be tested
Open
Fulfilled (by
Automated
Tests)
Fulfilled (by
Infrastructur
Fulfilled (by
e)
Manual
Planned
Tests)
Not
Applicable
Not Fulfilled
761439183.xlsx
X
X Product Standard Security Target Platform on Premise Information Source: SAP Product Standard Security Wiki
X CD Product Standard Experts
X SEC-102 No data query and manipulation language injection vulnerabilities x Corporate Fulfilled (by Infrastructure) Means provided by platform
X SEC-133 No Cross-Site Scripting vulnerabilities x Corporate Fulfilled (by Infrastructure) Means provided by platform
X SEC-136 No Path Traversal vulnerabilities x Corporate Fulfilled (by Infrastructure) Means provided by platform
X SEC-139 No backdoors x Corporate Fulfilled (by Automated Test) CVA tests and ATC check
X SEC-199
Validate all data in the destination URL when performing URL redirect or
URL forward
x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-220 Protect security sensitive cookies x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-221 Manage security sessions securely x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-223 No Cross-Site Request Forgery vulnerabilities x Architecture-always Fulfilled (by Infrastructure) Means provided by platform
X SEC-226 Encode output properly for the component which is meant to process it x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-229 Validate all data that is used to dynamically generate code x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-236 Do not disclose information to unauthorized receivers x Architecture-specific Fulfilled (by Infrastructure)
X SEC-238 Implement HTTP request and response handling in a secure way x Architecture-specific Fulfilled (by Infrastructure) Generated Smart Templates and ODATA-Services are used
X SEC-243 Load shared libraries and dynamic link libraries (DLLs) safely x Architecture-specific Not Applicable
Not applicable by usage of ABAP
code only
X SEC-263 No operating system command injection vulnerabilities x Architecture-always Fulfilled (by Infrastructure) Means provided by platform
X Secure Communications
X SEC-218 Provide encrypted communication connections x x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X Authentication
X SEC-276 Enforce authentication for all non-public resources x x Quality-always Fulfilled (by Infrastructure) Compliant by platform
X SEC-230
Provide standard identity management, authentication and single sign-on
mechanisms
x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X SEC-231 Provide secure User ID / Password authentication x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X SEC-232 Provide secure X.509 certificate authentication x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X Authorization
X SEC-248 Enforce a secure authorization concept x x Quality-specific Fulfilled (by Infrastructure) Means provided by platform
X SEC-250 Provide administration of authorizations based on platform tools x Quality-specific Fulfilled (by Infrastructure) Compliant by platform
X SEC-271 Protect sensitive data when stored persistently x x Quality-always Fulfilled (by Infrastructure) Means provided by platform
X SEC-272 Encrypt sensitive data when stored persistently x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X Strong Crypto
X SEC-266 Use recommended cryptography only x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X SEC-218 Provide encrypted communication connections x x Architecture-specific Fulfilled (by Infrastructure) See above (Secure Communications) Compliant by platform
X SEC-276 Enforce authentication for all non-public resources x x Quality-always Fulfilled (by Infrastructure) See above (Authentication) Compliant by platform
X SEC-248 Enforce a secure authorization concept x x Quality-specific Fulfilled (by Infrastructure) See above (Authorization) Means provided by platform
X SEC-271 Protect sensitive data when stored persistently x x Quality-always Fulfilled (by Infrastructure) See above (Secure Data at Rest) Means provided by platform
X SEC-224
Capture explicit user consent before collecting any personal data non-
interactively
x Architecture-specific Not Applicable No sensitive personal data processing
X SEC-254 Log read access to sensitive personal data x Quality-specific Not Applicable
X SEC-255
Provide a report or display function which can be used to inform the data
subjects about the personal data stored about them
x Quality-specific Not Applicable
X SEC-256 Erase personal data when all applicable retention periods have expired x Quality-specific Not Applicable
X Secure-by-default
X SEC-244 Deliver with a secure default configuration x Architecture-always Fulfilled (by Infrastructure)
X SEC-275
Enforce address space layout randomization, executable space protection
and buffer overflow protection
x Architecture-specific Fulfilled (by Infrastructure) Compliant by platform
X Secure-by-design
X Provide a risk-adequate second line of defense against malicious input from intranet only access is planned
SEC-219 x Architecture-specific Not Applicable
the Internet
X SEC-228
Protect upload, download and display functions of untrusted files against
MIME-type sniffing and virus attacks
x Architecture-specific Fulfilled (by Infrastructure) Means provided by platform
X Implement security functions based on a consistent and documented standard concepts are used
SEC-240 x Architecture-always Fulfilled (by Infrastructure)
concept
X
CVA-test
SEC-246 All code delivered shall contribute to documented functionality x Quality-always Fulfilled (by Automated Test)
X Provide a security guide explaining how to securely setup, configure, and Fulfilled (by Manual Test or setup&configuration and user guides are provided
SEC-247 x Quality-always
operate Review)
X SEC-262
Do not decrease the security level with updates of security settings or
configurations
x Architecture-specific Not Applicable
X SEC-274
Protect authenticity and integrity of all released executable code and
artifacts
x Quality-specific Fulfilled (by Infrastructure)
X SEC-277 Run with minimal privileges required at all layers x Architecture-always Fulfilled (by Infrastructure)
Compliant by platform with
exception
X
Description
Category
SAP needs to ensure that the source code is available for development and maintenance,
that access is restricted to authorized persons, and that SAP knows what was changed in
which version and by whom (named person). Having central control of all source code is
also needed to fulfill source code escrow requirements (source code deposit at external
escrow agents). Access control and change tracking is important for fulfilling auditing
Corporate
requirements or for legal cases. To ensure that these requirements are fulfilled in an
efficient way, only centrally managed source code systems shall be used, that means they
are provided and operated by SAP-wide central teams, e.g. Perforce operated by TIP
Production. The current list of allowed source code management systems is here:
https://wiki.wdf.sap.corp/wiki/display/pssl/SLC-25#SLC-25-allowedscm
This is about the build/make process that creates installable/executable software during
development phase or for SAP internal testing. The build must fulfill a set of requirements
to ensure a reliable and efficient software production and to fulfill auditing requirements.
The most important of these requirements are: Traceability and documentation for auditing
reasons, reliability, ability to reproduce old versions (maintenance, implies
versioning/archiving of the build environment), ability to build the software outside SAP
Architecture-
(source code escrow), and the ability to run code checks for security and quality on sources
Always
and build results. It is furthermore important that the results are created only from official
versions of the source code and with the correct versions of libraries, compilers,
generators etc. All this can be guaranteed in an efficient way by a standardized build
procedure that is operated by an SAP-wide central team. Using a not centrally provided (=
local) build requires compliance with the build process guideline. In case the local build
does not fully comply to the build process guideline, an approved exception is required.
This is required to enable other development teams who use the development technology to
be compliant with requirement SLC-26 and SLC-29 (automated build). An example would
be the automatic generation of a Java application from a model (model driven Architecture-
development). It is not sufficient to offer this generator as an interactive tool for the Specific
developer, but it also needs to be provided as a batch tool that can be integrated into
central automated build.
This is about the build/make process that creates installable/executable software. The build
must fulfill a set of requirements to ensure a reliable and efficient software production and
to fulfill auditing requirements. The most important of these requirements are: Traceability
and documentation for auditing reasons, reliability, ability to reproduce old versions
(maintenance, implies versioning/archiving of the build environment), ability to build the
software outside SAP (source code escrow), and the ability to run code checks for security
and quality on sources and build results. It is furthermore important that the results are
created only from official versions of the source code and with the correct versions of
Corporate
libraries, compilers, generators etc. All this can only be guaranteed in an efficient way by a
standardized build procedure that is operated by an SAP-wide central team. To ensure a
smooth handover of the build process to Central Assembly, a handover plan is required for
P2D which is approved by Central Assembly. The product team has to provide a contact
person for the Central Assembly team who assists in setting up the central assembly build
system. Using a not centrally provided build is a violation of this requirement and requires
an approved exception and certification of the make/build process and infrastructure. The
certification process is described in the Build System Certification Guideline.
Eclipse is SAP's strategic platform for design time user interfaces. Eclipse plugins should be
used for these use cases. Eclipse plugins may be used for other use cases, too. SAP
Release Train for Eclipse (SRTE) participation is mandatory for every use of Eclipse for
SAP products. SRTE compliance means that every use of Eclipse for SAP products shall: -
be backward compatible to all versions in maintenance of their related backend systems
provide versions which are not bundled with an Eclipse into installers (= unbundled) -
Architecture-
support the current and previous version of Eclipse - be installable together with other
Specific
Eclipse tools from SAP on one Eclipse instance Details on how to achive SRTE
compliance are described here:
https://wiki.wdf.sap.corp/wiki/display/Dx/SAP+Release+Train+for+Eclipse In addition to the
SRTE compliant versions, other versions are allowed. Examples are other deployment
options such as Eclipse-based Rich Client Platforms (RCP) or support of Eclipse versions
outside of the SRTE.
The SAP Web browser platform standard defines what Web browser / Operating System /
Quality-Specific
Devices must be supported or not, depending on the product type.
Link to Wiki page with all CD product standard experts
Fullfilled if ABAP
X X X Fulfilled (by Infrastructure) Workbench is used
Fullfilled if ABAP
X X Fulfilled (by Infrastructure) Workbench is used
Fullfilled if Add-On
X X X Fulfilled (by Infrastructure) Factory is used or
CDP@Customer
N/a if ABAP workbench is
X Fulfilled (by Infrastructure) used
Planned
Not Applicable
Not Fulfilled
Product Standard - Software Lifecycle Part 2 (formerly TICM)
New applications shall be able to run within an existing customer landscape, without the Quality- X
obligatory necessity to add additional technical systems, databases or other landscape Specific
resources. This will help keeping the complexity to run and operate new applications in
system landscapes manageable for customers and therefore ease the adoption of new
innovation. Hence applications shall be able to run in a minimal system landscape
setup at least for demo, test and evaluation purpose. All components mandatorily
required by an application shall be able to be deployed in the minimal system
landscape setup. The default minimal system landscape setup shall consist of at most
the following landscape resources: - a single system respectively a single platform
instance - a single database instance - a single server machine (host) - a common
operating system (e.g. Linux). None of the mentioned landscape resources shall be
technically used exclusively by the application, meaning the landscape resource could
be technically shared with other applications. No mutual software conflicts shall arise
when e.g. different applications run on a common server or in a common system.
Customers shall be able to move their existing application landscape setup to a new Quality- X
application version (e.g. new EhP or new release) in "one step". Any restrictions for the Specific
supported update path or limitations for the selected application landscape setup could
impede the update intent significantly. If customers are forced e.g. to perform a two-step
or multi-step update (e.g. 1.0 => 3.0 => 4.0), the overall downtime increases
significantly, as the first update has to be completed and tested, before the second
update can start. All of the steps in between would result in business downtime. Hence
a complete, consistent & direct update path to the new version of an application must
be available: complete means: An update path from all start releases in maintenance to
the new application version shall exist. consistent means: If different applications are
deployed together in the landscape setup, the update path of one application to the
new version must also be supported by the other applications (e.g. Add-On product
must support all update paths of the underlying product and vice versa). direct
means:The implementation of a certain patch or correction level beforehand as a
prerequisite for the update to the new application version shall not be required.
Applications shall ensure full compatibility with existing customer data and content. Do Quality- X
not introduce any architectural changes that may lead to data inconsistencies. In Always
addition, do not introduce any manual steps during downtime. If such steps are
forgotten or executed in a wrong order, the entire system may become inconsitent, and
hence the upgrade would fail. If application-specific steps have to be included into an
upgrade process, use standard automation procedures such as XPRAS (ABAP) or
Java Migration Controllers.
Be aware that an uncontrolled removal of functions may lead to legal issues, unless the Quality- X
customer contract explicitly allows it. If functions are removed in an uncontrolled maner, Specific
business processes as well as services on customer site can be damaged without
further notice. Also do not remove technical components or services that are consumed
by other components unless they can be easily substituted by other
components/services that provide the same functions.
During software updates (implementing bug or security fixes, corrections, or new Quality- X
features) customers do not expect changes of their system landscape layout that lead Specific
to re-installations, re-configurations or migrations. Changes of the landscape layout are
typically a manual procedure that can not be automated and also cover high risks.
Hence the system landscape setup shall remain stable when applying software updates
for applications. This means that the update shall not force movements (re-
deployments) of software components between different systems, platform instances or
hosts or shall not even require a re-design of the system landscape. If the update
contains new functionality that requires the implementation of additional infrastructure or
landscape resources, then it shall be possible to implement these additional resources
separately and decoupled from the software update process (e.g. adding those
resources to the system landscape before the update takes place).
In order to ensure low TCO on customer side, all SAP products shall be installed with Architecture-
standard tools. This offers the advantage of uniform software lifecycle management, Always
mutual tool integration, as well as entailed compliance with other product standards,
such as Security or Accessibility. The usage of standard tools also helps to reduce
support efforts and costs, as a limited number of well known tools exists and support
colleagues do not have to analyze each problem in a different way.
Permanent data is data, that must be preserved during an upgrade or system cloning Architecture- X
process. Do not store such data on file system level or other non-standard locations. Always
Otherwise data may be lost during operation, upgrade or system copy. Storing
permanent data in a standard database system also has many indispensable benefits
such as: # Data consistency in a multi user environment # Recovery from failure and
disaster # Backup and restore process # Security and access control # Isolation
between users # Auditability a) AS ABAP, AS Java NW application server (AS ABAP,
AS Java) supports a large set of OS/DB combinations. In addition, heterogeneous
system copy procedures are supported, which allow an exchange of the underlying
operating system or database (for example, a replacement of Oracle with DB2). In
order to ensure low porting efforts, as well as full data consistency after upgrade and
system copy, all applications based on these platforms have to use database functions
that are understood by all supported databases (Open SQL). Developers have to
strictly avoid database specific functions (such as Oracle stored procedures, or specific
SQL Server sort order functions) that possibly lead to different results on different
databases, and hence to data inconsistency. b) HANA It is a key goal of HANA to
ensure highest possible computing performance, as well as independence from other
database vendors. Both can only be achieved with an optimized soft- and hardware
architecture, without any need to support other databases or hardware in parallel.
Hence, applications running on top of HANA do not have to take care for any specific
porting guidelines. Adhere to the general HANA development guides instead. c) On-
demand Platforms In an on-demand environment, database-specific optimization is also
common practice, to ensure best possible performance, as well as low cost of
operation. However, platform decisions have to be taken with full consideration of the
overall product strategy and resulting consequences and limitations have to be
transparent (e.g. increased porting efforts when the OD solution will later be made
available as an on- premise product). Also, in order to ensure independence from other
database vendors, it is strongly recommended to support an SAP database, such as
HANA or Sybase ASE/IQ.
Do not store such data (e.g. host name, SID, IP address, logical system name, logical Architecture- X
destinations) in a location that is only known by the application. Otherwise, it will be hard Always
to adapt it to a new environment. Use a pointer to the central storage (e.g. the system
profile) instead. For Mobile applications, strictly avoid hard coded IP-Adresses. Use
logical backend destinations instead.
Otherwise, later standard updates may overwrite these changes without further notice. Architecture- X
In a non-ABAP environment, modification means copying the code, changing it, and Always
deploying the changed version. In an ABAP environment, do not use modifying Add-
Ons. Modifying Add-Ons lead have to be delivered with a delay of several weeks, lead
to increased internal costs and prevent a fast delivery of urgent corrections (CRT
process required). Use modification free extensibility or enhancement concepts
instead. For ABAP development, the ABAP enhancement framework shall be used with
the BAdI as the preferred technology.
This requirement excludes the following cases: (1) All cases where the source is Architecture- X
required in the runtime system for execution (ABAP, interpreted code). Here the source Always
code is part of the normal delivery. (2) Source code delivered is used exclusively as
documentation. Intellectual property is with SAP. (3) Code is not part of the
implementation of the SAP product but is only a template, from which the customer
creates a copy that is owned by the customer. It needs to be clear for the customer that
SAP is not responsible for supporting any adjustments of the customer code after new
versions of the template are released. Intellectual property for the template code must
be with SAP. In all other cases the main purpose of the shipping source code is
modification by customers or partners. This is not allowed, mainly because of problems
related to support and maintenance (updates) of a modified application.
Upgrades, or more general #Release Updates#, are very important for SAP to Architecture- X
safeguard our maintenance revenue and to ensure investment in new SAP functions Always
and products. Therefore, the upgrade process shall bear a minimum of efforts and risks
Clients, including mobile applications, shall preserve all user data (e.g. e-mails,
contacts, pictures, videos), as well as user-specific settings (e.g. date, time, language).
The upgrade procedure needs to make sure that cached data which has not beed
stored in the backend yet is either preserved or stored first. Cached data which can be
restored from the backend system can be deleted during the upgrade.
End user clients may be based on desktops, laptops or mobile devices and typically Architecture- X
occur in large number. In contrast to components that are deployed in a local system Always
landscape, the innovation cycle of such clients is out of control. This means that every
end user can individually decide the time of update, what leads to the situation that
different client / app versions have to be supported in parallel. Hence the update of
clients (patches, security fixes, corrections, new features) must be decoupled from the
update of any connected servers like middleware components or application systems.
Especially, it must be ensured that a server update is fully downward compatible to the
old client version. By doing so, clients can be updated successively after the server
update. If the update of the server offers new features (not corrections or fixes), the
active usage of these new features might require an update of the client as well (e.g.
new mobile app version is required to use new features in the application backend). In
such a case the server must be able to manage requests from old clients (using old
functionality) and new clients (using the new functionality) in parallel. Alternative: The
update of the client is downward compatible to the old server version. This strategy
also allows decoupling, but it must be ensured, that all clients are updated before
starting the server update. Sometimes this strategy is easier to achieve than making
the server downwards compatible, but it requires more effort for customers and,
therefore is not the most recommended one. For cloud based scenarios it is highly
important that interoperability in both directions is ensured (up- and downwards
compatibility). Notes At least one of the two presented ways of decoupling updates
shall be provided. This works fine as long as client and server belong to the same
product and have the same innovation speed (e.g. client is only used to access a
certain functionality offered by the server application). If client and server have different
innovation speeds, because the same client is used against different independent
server (applications) or the client itself is shipped as independent application/product
(like mobile apps or many analytical clients), only one way of decoupled updates is
typically not sufficient. Such situations are addressed within requirement SLC-3
[Independence of Product Updates]. Planning Define the appropriate update strategy
for your application in order to support decoupled updates for your client and server
components. If the client application is typically used as independent component (with
an independent innovation speed) consider the update needs as requested in SLC-3 in
addition. More details how to achieve version interoperability is described in this white
paper. Validation Based on the selected update strategy, run test scenarios in an
environment where #the server is updated and #one client is updated as well,
#whereas another client is not updated, but remains on the older version. Alternative:
Run test scenarios in an environment where #the client is updated and #the server is
not updated but remains on the older version.
Keep in mind that SAP customers apply Support Packages as well as major functional Architecture- X
updates (Enhancement Packages, Upgrades) only once in a while, to avoid business Specific
downtime, costs and test efforts. However, it must be possible to fix critical bugs on
short notice. This especially applies for Security fixes that are often very time-critical,
when a security vulnerability is undisclosed. Therefore, a process must be in place that
allows a fast and independent delivery of patches without any side effects on customer
side. Hence, do not combine such urgent patches with functional updates. Otherwise,
additional regression tests on customer side would be required and customers may be
reluctant to apply such patches.
Do not ship productive software using non-standard channels, such as FTP download, Corporate
e-mail attachments or SDN. The standard way is to deliver the software via SAP
Service Marketplace or with a physical DVD shipment. In addition, ensure that
standard delivery formats are met. ABAP: Standard are Add-On Packages and ABAP
Support Packages. Forbidden: Delivery of ABAP functions via transport. Java:
Standard is shipment of SCA files. Forbidden: Shipment of productive Java source
code to customers. For mobile applications use the standard channel of the
corresponding mobile device.
The update process on a mobile device must be completely automated. After update, all Architecture- X
functions of the device must be instantly working, without any need of manual Specific
adjustments.
This requirement is important for applications running on smart phones, as well as for Architecture- X
those on laptops, netbooks and tablet PCs. In this user segment, it is a common Specific
practice to install and uninstall applications, e.g. for evaluation purposes. Therefore,
uninstall must be simple, safe and "residue free", which means that that no parts of the
application software remain on the device. After uninstalling, the device must be in the
same state as before installing the application. For frontend applications (such as
SAPgui or PC-based applications), an uninstall process shall also be available.
When extending existing on-premise solutions with cloud services and/or Mobile Architecture- X
applications, no additional infrastructure should be required in the on-premise system Specific
landscape. By making the integration of cloud (mobile) services simple and cheap, the
adoption of new innovation will be fostered. A mobile application shall not force
customers to introduce additional individual infrastructure or landscape resources (like
systems, server, platform instances or database instances) in order to run the mobile
application with on-premise applications. Ensure that the mobile application can be
directly connected to an on-premise application at least for demo, test, and evaluation
purpose. Ensure that only standardized and sharable middleware components are
used to meet scale-out or security needs in a productive landscape. An on-demand
application shall not force customers to introduce additional individual infrastructure or
landscape resources (like systems, server, platform instances or database instances) in
order to run the on-demand application with on-premise applications. Ensure that only
standardized and sharable middleware components are used to meet scale-out or
security needs in a productive landscape. The introduction of needed functional
integration components providing e.g. an interface in the on-premise application for the
cloud/on-demand integration is still possible and not addressed by this requirement.
Notes For scale-out or security reasons it might be required to add an additional
infrastructure component or landscape resource (e.g. reverse proxy, application
gateway, cloud connector) into the on-premise landscape in order to connect on-device
or on-demand applications in an efficient and secure way. We strongly recommend to
utilize a common and standardized mobile infrastructure to connect on-device based
applications with any on-premise application. Ensure that your on-device application
does not use this mobile infrastructure exclusively, meaning the mobile infrastructure
could be technically shared with other on-device applications and is also able to serve
multiple on-premise applications (e.g. today Sybase Unwired Platform is the
standardized product component to connect mobile applications with on-premise
applications). We strongly recommend to utilize a common and standardized
infrastructure to connect on-demand based applications with any on-premise
application. Ensure that your on-demand application does not use this infrastructure
exclusively, meaning the infrastructure could be technically shared with other on-
demand applications and is also able to serve multiple on-premise applications (e.g.
today a dedicated SAP Cloud Connector is been developed for connecting on-demand
applications running in the SAP Cloud with on- premise applications). Planning Design
a reference landscape setup for connecting your on-device or on-demand application
with on- premise applications based on the mentioned guiding principles and document
this setup in your architectural documents (e.g. ACD). Make sure that #Typical
scenarios to access on-premise applications by the on-device or on-demand application
are described #No additional individual infrastructure components for connecting your
application with an on-premise application are depicted as mandatorily required #For
Public Cloud solutions provide services that are consumed over the Internet across Architecture- X
different time zones and locations. The consumption of services by end-users is not Specific
limited to a specific time slot, and therefore full business continuity (7 x 24) is a must.
This includes the exclusion of unplanned downtime with appropriate failover
mechanisms (part of PS Operations & Support), as well as zero downtime update and
correction capabilities. In private cloud scenarios, customer specific downtime SLAs
have to be fulfilled.
Keep in mind that all updates in a cloud environment have an immediate impact on end Architecture- X
users. In case of an unforeseen event, such as an interrupted update, a previous state Specific
should be restored, which is consistent and can be used without any functional or
technical limitations.
Deprecation is an attribute applied to a cloud service to indicate that it will be removed Architecture- X
or replaced by another service in future. In general it is not allowed to remove Specific
services / functions that are in use by customers, unless the license contract explicitly
allows it. To avoid such a forbidden removal, an ongoing monitoring of consumed
services is highly recommended. In addition, a quarantine / shadow storage of
deprecated services would allow a service reactivation, if required. A common practice
is to replace the deprecated service with another service that provides the same or
more functionality. In such a case, both services must be available in parallel over a
longer period of time to give customers the opportunity to slowly adopt the new
service(s).
In a cloud environment, the end user innovation cycle is out of control (browser Architecture- X
versions, App versions). Therefore, contract violations shall be avoided, and backwards Specific
compatibility of services must be ensured. In case of contract violations, each case
should be communicated to customers properly via agreed channels. Strongly
recommended: No storage of application data on application clients / apps and
minimum of synchronization (resulting in network traffic).
This means that a cloud update does not force customers to use new functions Architecture- X
instantly, especially if the related changes have a direct end user impact. Instead, each Specific
customer should have the possibility to decide on the point in time when the new
functions become active. In general customers prefer to determine the point in time
when new functionality is used. This allows customers to train end users in advance,
plan regression tests and decide on the point in time when business related changes
become effective. In addition, automated tests on customer side may rely on a specific
UI layout, such as a button that appears on a specific position of the screen. In case that
a screen layout is changed without further notice, automated tests may possibly stop
working. A technical solution could be providing customer-specific toggles / switches
that allow customers to activate new functions at a specific point in time. In addition.
customers shall be actively informed what new functions are available (e.g. with a pop-
up or online message).
e with all CD product standard experts
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X
Fulfilled (by
Infrastructure)
X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
Fulfilled (by
Infrastructure)
X X X
Not Applicable
X X X
Not Applicable
X X
Not Applicable
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Fulfilled (by
Infrastructure)
X X X
Not Applicable
X
Not Applicable
X
Not Applicable
X X
Not Applicable
Not Applicable
Not Applicable
Not Applicable
X
Not Applicable
Not Applicable
Comments
CDP@Customer
CDP@Customer
CDP@Customer
standart objects are not modified
Packages and transport requests for UI and backend are
decoupled
CDP@Customer
CDP@Customer
CDP@Customer
CDP@Customer
Derived Document(s):
Document Classification:
Version:
Release Date:
Template History
Version 3.0, Feb 08th, 2017
Version 2.9, Jan 10th, 2017
Version 2.8, Sep 21st, 2016
Version 2.7, Jan 5th, 2016
Version 2.6, Dec 8th, 2015
Version 2.5, May 26, 2015
Version 2.4, March 31, 2015
Version 2.3, March 18, 2015
Version 2.2, Dec 20, 2014
Version 2.1 Dec 10, 2014
Version 2.0, Dec 5, 2014
Version 1.16, Nov 28, 2014
Copyright
© 2014
No part of this documentation may be reproduced or transmitted in any form or for any purpose without the expres
permission of SAP AG.
Product Standard Plan / Report (T0167)
confidential
3.0
February 8th, 2017
Technical Correction
Deleted 2 rquirements from security sheet: A1 - 18 and B1 - 15, as these have been deleted from T239 also.
Initial version
this documentation may be reproduced or transmitted in any form or for any purpose without the express
n of SAP AG.
167)
51 and ACC-252
dded "Plan" and "Report" column where missing
nctional Correctness
Added column w/ pre-defined results in case ABAP workbench or AoF
9 also.