SAP Knowledge Base Article - Public

2187183 - SFTP Account Standards for SAP SuccessFactors

Symptom

This KB article explains the standards for SuccessFactors SFTP accounts. The account-related topics include:

  • How do I request an SFTP account?
  • Is there a limit to how many accounts a customer can have?
  • How are accounts named?
  • Do SFTP accounts have expiration dates?
  • Do SFTP passwords have to be changed?
  • If I have forgotten my password, can it be recovered?
  • Is password-less authentication possible?
  • Can I create my own key pair to authenticate on your SFTP servers?
  • What methods can be used to connect to SFTP resources?
  • How does the customer Data Retention Standard work?
  • What is the File Naming Standard?
  • What are the Maximum File Count Restrictions?
  • Client Root Folder Volume Size
  • Attempt to block the SFTP account
  • Read Only access to SFTP folder
  • SFTP Allowlisting / IP Restriction requests
  • Are SFTP clients allowed?

Environment

SAP SuccessFactors HXM Suite

Resolution

How to Request an SFTP Account & What are the Number of Accounts?

  • Please follow KB article 2278826.

Connecting Test SFTP Development Instance

  • A customer's test SFTP account details can be used to set up the scheduled jobs of their development instance.
  • The customer/Partner/Professional Services consultant working on their behalf needs to configure this setup.
  • To do this, the customer/Partner enters the test SFTP account username and password into the scheduled job in their development instance, and alters the file path URL so that the files are saved to a different location in the FTP folder.

Establishing Connection

  • Establish connection only if an operation needs to be performed
  • Close connection once the operation is performed and no operations are expected within 10 minutes

Reason for guidance: Clients connecting inbound tend to open multiple connections at once without transferring files and without closing their connections gracefully. The number of such connections can be large (more than 1 million per 24 hours), which overloads the EFT service. Every time a user connects to the EFT server, it results in a read from the network file share: EFT requests this information so that it can return the file listing (folders and files) to the user upon successful login. Depending on the amount of data in the folders and the number of requests coming in to the server, this puts a large load on the network file share storage, which is why the EFT service can struggle to respond.

Account Naming

  • New SFTP account names will typically match the existing customer Company ID or customer account number.

Password Details

  • The password will be autogenerated with the following conditions:

    • Minimum 12 character length
    • At least 4 [a-z], [upper case A-Z] [numeric (digits 0-9)], [non-alpha numeric (e.g., !,#,$)]

    Note #1: Currently, a password change is only available via a support ticket; changing it through the web interface is not allowed.

    Note #2: A temporary account is for activity related to implementation or migration; it is excluded from the standard file retention policy.

    Note #3: As of the 2H 2022 release, to keep account creation consistent with updates, the check that the password cannot contain any of the characters .,|/: is also applied at creation.

Account Expiration Dates

  • SFTP account expiration depends on account type:

    • Standard SFTP Accounts - All files from all folders, including customer folders and directories, stored in SuccessFactors SFTP account(s) will be purged 14 days after creation. It is not possible to extend this time.
    • Temporary SFTP Accounts - For activity related to implementation or migration, a Temporary SFTP account, which is excluded from the standard file retention policy, can be requested.

      NOTE: This SFTP account will have a preset expiration date after which the entire SFTP account will be automatically deactivated and deleted.
  • For more information, reference KB article 2620488.

Password Reset/Change Policy

  • Because of the ‘service account’ nature of SFTP accounts, and the significant role they play in automation, we do not currently enforce a password reset policy.

    Note: Please be aware that resetting the original password of the SFTP account will cause any existing jobs using this password to fail to connect to the SFTP.
  • See KB article 2149831 to contact the Professional Services, Partner and Account Management Team to arrange for partner/consulting to update any existing jobs with the new SFTP account passwords.
  • Furthermore, please note that per our security guidelines, SFTP passwords need to be complex, and therefore, contain both alphanumeric and special characters. We cannot manually generate SFTP passwords that will exclude special characters. 

Password-less Authentication

  • The use of key pairs to provide password-less authentication is supported.
  • SuccessFactors strongly recommends the use of password-less authentication. This is especially useful for enabling automation functionality while avoiding scripts which contain references to secure passwords.
  • For more information about the steps to connect to SuccessFactors hosted SFTP servers using the SSH Key, please refer to KB article 2653173.

Customer Data Retention Standard

  • Timeline: All SFTP stored data has a lifecycle of 14 days maximum. This rule is implemented to maintain a reasonable storage availability.
  • Encryption: All SFTP stored data is kept in the same form as it is sent by the customer. No encryption on stored files is currently implemented.

Extend Lifecycle

  • This is currently not possible.

Large File Removal Standard

  • SF/SAP SFTP Support maintains the right to remove large data files, either single files or files in aggregate, which cause a significant negative impact on our storage availability.
  • If stored files are presenting a critical issue to other customers because of exhausted storage volume resources, we may remove these files with express approval of Management.
  • Management will notify the customer prior to service request fulfillment.

Globalscape File Naming Standard

  • GlobalScape products follow the standard Windows naming conventions, with a few exceptions (such as no support for Unicode characters).
  • You can name files using almost any character for a name, except for the following reserved characters: < > : " / \ | ? *
  • The maximum length for the file path+name is 255 characters.
    • This 255 character length limit is for the entire path on the FTP server, which includes:
      • A prefix path before the customer visible path, which is not visible for the customer or external systems;
        • The length of this prefix is not identical across datacenters; it can be 60-80 characters.
      • The path provided by the customer for the file;
      • The file name;
    • This limitation includes the drive letter, colon, backslash, directories, subdirectories, filename, and extension
    • Due to this limitation, the file path+name+extension should be under 175 characters (so that at least 80 characters of the total limit are kept for the prefix path)

Maximum File Count Restrictions

  • All user folders are monitored for total file count
  • If a folder is found to contain more than 20k files without the use of subfolders, the account runs the risk of being disabled until the files are organized into smaller separated containers
  • This restriction is in place due to the large memory hit which occurs when automation must iterate the metadata associated with files located in a target directory
  • If concurrent connections exist for a single user with high file counts, this can negatively impact the performance, and can result in a service degradation for all users.
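
A pre-upload check for the file naming, path length and file count rules above, as an added example that is not SAP or Globalscape code. The function names are hypothetical, paths are assumed to be customer-visible SFTP paths with "/" as separator, and treating every non-ASCII character as unsupported is an assumption drawn from the "no support for Unicode characters" statement.

```python
"""Pre-upload check for SFTP remote paths (added example, not SAP code)."""
from collections import Counter
from posixpath import dirname

RESERVED = set('<>:"\\|?*')    # reserved characters; "/" is the path separator here
MAX_VISIBLE_LEN = 175          # path+name+extension should be under 175 characters
MAX_FILES_PER_FOLDER = 20_000  # more than 20k files in one folder risks a disabled account


def check_path(remote_path):
    """Return a list of problems for one customer-visible remote path."""
    problems = []
    if len(remote_path) >= MAX_VISIBLE_LEN:
        problems.append(f"length {len(remote_path)} is not under {MAX_VISIBLE_LEN}")
    for part in remote_path.strip("/").split("/"):
        bad = sorted(set(part) & RESERVED)
        if bad:
            problems.append(f"reserved character(s) {' '.join(bad)} in {part!r}")
        if not part.isascii():  # assumption: non-ASCII means unsupported Unicode
            problems.append(f"non-ASCII character in {part!r}")
    return problems


def check_batch(remote_paths, existing_counts=None):
    """Validate a planned upload; existing_counts maps folder -> files already there."""
    report = {p: probs for p in remote_paths if (probs := check_path(p))}
    per_folder = Counter(existing_counts or {})
    per_folder.update(dirname(p) for p in remote_paths)
    crowded = {f: n for f, n in per_folder.items() if n > MAX_FILES_PER_FOLDER}
    return report, crowded


if __name__ == "__main__":
    # Constructed sample paths and counts, not taken from any real account.
    sample = [
        "/incoming/employees_2024.csv",
        "/incoming/report:final?.csv",
        "/incoming/" + "a" * 170 + ".csv",
        "/incoming/résumé.csv",
    ]
    report, crowded = check_batch(sample, {"/incoming": 19_998})
    for path, problems in report.items():
        print(path, "->", "; ".join(problems))
    for folder, count in crowded.items():
        print(folder, "would hold", count, "files; split into subfolders")
```
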

Attempt to block the SFTP account

  • SFTP accounts are restricted to a maximum of 10 concurrent connections.

Read Only access to SFTP folder

  • Right now the EFT server doesn't support this.
  • Read-only access cannot be created or granted for a specific folder.

SFTP Allowlisting / IP Restriction requests

Due to security reasons and server performance impact, we no longer support new requests for SuccessFactors SFTP Allowlisting / IP Restriction.

  • If there is an existing IP allowlist opened in the past for a SuccessFactors SFTP account, and there is a business need to add new IP addresses or ranges to it, those requests can be accommodated through a support ticket (LOD-SF-PLT-FTPS). These requests also include enabling IP filtering to allow specific addresses and block all others.
  • However, requests to open a brand new allowlist for any SFTP account cannot be supported.

Are SFTP Clients Allowed?

SFTP clients such as FileZilla, WinSCP, etc. are allowed to be used. Please refer to Establishing Connection for more guidance.

  • SAP Support does not provide assistance with utilizing 3rd party SFTP Clients.

See Also

  • KB article 2278826 - SuccessFactors SFTP account details
  • KB article 2620488 - SuccessFactors SFTP service Purge Policy update
  • KB article 2653173  - Generating SSH Key pair and uploading on SuccessFactors SFTP Servers

Keywords

sf, success factors, FTP, Retention Accounts, block, block account, naming, account naming, Allowlisting, allow list, whitelisting, white list, RITM0975901 , KBA , LOD-SF-PLT-FTPS , SFTP Account Creation, Reset Password & Install SSH Service , How To

Product

SAP SuccessFactors HCM all versions