CMaps Plugin for SAP Web Intelligence Security Guide

CMaps Analytics is for SAP Web Intelligence comes in 2 forms..

Embedded Element is installed as a service on your BusienssObjects application server as a WAR. This lightweight service is used to provide code assets like JavaScript and CSS to render the map inside of Webi.

Sidebar Extension is installed as a service OR as a JAR file inside of SAP BusienssObjects.

Configuration Steps & Installation

Both extensions are enabled from within the SAP BusienssObjects CMC. Detailed instructions are avaialble on the Webi portal

Server Ports and Connectivity

There are no additional server-specific configurations, ports, or internet connectivity required for CMaps Webi Service

Architecture and Data Flow



BOE Server to CMaps Webi Service: There is no data transacted between BOE server and the CMaps Webi service during runtimg

Client Browser / Webi to CMaps Webi Service: On-load, the Webi custom element (visualization) framework will send a POST request directly to the CMaps Webi Service. This URL is defined one time in the CMC. The contents of the POST include property selections (size, color, styling), and data. The CMaps Webi service will return back to the CMaps Viewer HTML / JavaScript code. The specific code is explained in this document: CMaps integration with 50 lines of code

CMaps Viewer to Google Maps: When the map is initialized it automatically connects to Google servers to retireve the proper base maps so the geographic location reflects teh data displayed on top of the maps.

BOE / Webi to CMaps Viewer: All data loaded into the CMaps viewer is drawn and displayed inside of the browser using JavaScript. With a few exceptions stated below, no sensitive data is transacted from the viewer to the cloud services.

CMaps Viewer to CMaps Cloud Services:

While data displayed on the map is not transacted to any services, the exception is geocoding directions / routing based layers. In these scenarios, the “Location” property data is transacted to a cloud geocoding service for the purpose of converting it to latitude,longitude. This data is cached for subsequent requests but not persisted permanently.  To prevent geocoding, you can use latitude,longitude. Similarly a region geocoding service which returns the boundaries of countries, states, zipcodes, etc will send only the location names for the purpose of drawing the shapes on the screen.

Non-Internet Connected Maps Architecture

There are scenarios where client/ browsers have no access to the internet. For these cases, CMaps Analtics is fully supported for offline use with an enterprise license. However, base maps and geocoding, 2 critical elements for geo-visualization will need to exist behind the firewall. Our team at Cmaps Analytics can work with your organization to implement a number of GIS technologies, which are OpenSource and require no additional licenses, supported commercial OpenSource options, or commercial platforms like Carto and ESRI.


Displaying Sensitive Data

CMaps Plugin will render and visually display latitude/longitude data, data icons, tool tips, info windows, labels, polygons, lines, routes, heatmaps, and other metadata (Maps Content) that is displayed to the end user. Like any other component within a dashboard (charts, tables, etc), the Maps Content is rendered locally on the end user’s computer, secured behind your firewall and user / data security protocols.

Storage and Access of Sensitive Data

CMaps Analytics component, services, and third party services do NOT transact or persist sensitive data.

To adhere to the strictest data security policies for private, public, regulatory, and corporate standards CMaps Analytics was designed to display and process data without requirements of server-software hosted on an internal private network or public cloud. This architecture design as a “native component” typically mitigates a bulk-share of risk factors associated with transmitting and storing sensitive data.

Sharing and access to sensitive data through CMaps Analytics is typically only achieved through the support process where customers may send files containing sensitive data. As a standard operating procedure, customers files are permanently removed from email and file systems. Our support staff is also trained to advise customers the risks and process to avoid unknowingly sharing sensitive data.

Definition of Sensitive Data

Based on the following definitions, CMaps Analytics Plugin for SAP BusinessObjects is architected to NOT transmit, persisted, download, or digitally re-distribute data within the standard features provided by CMaps Plugin. The software is also designed to ensure that end users/ consumers of  dashboards and sensitive data are NOT provided with loophole or mechanism to do so.

To provide a specific definition of sensitive data, we utilize common, recognized government and regulatory definitions to clearly communicate to all Centigon Solutions employees the definition and urgency to protect sensitive data.

Per Data Protection Act (DPA)

  • a health record that consists of information about the physical or mental health or condition of an individual, made by or on behalf of a health professional (another term defined in the Act) in connection with the care of that individual;
  • an educational record that consists of information about a pupil, which is held by a local education authority or special school (see Schedule 11 of the Act for full details); or
  • an accessible public record that consists of information held by a local authority for housing or social services purposes (see Schedule 12 for full details).

Per HIPAA Definition

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):

  • Names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • License plate numbers
  • URLs
  • Full-face photographic images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

Secured CMaps Analytics Data Properties

At no time will CMaps Plugin transmit any data bound to the following Map Properties outside of the dashboard container:

  • Series Name
  • Labels
  • Values
  • Data Insertion
  • Shapefile definitions
  • Icon Style or color definitions
  • Source Data
  • Destination

Address Property Exclusion

CMaps Analytics includes a property called “Address / Location” which is capable of rendering data natively as latitude,longitude. However, if a developer connects this property to a query with addresses, CMaps Analytics is configured to geocode addressees in real-time using a geocode web service which ultimately transacts data to MapBox, TomTom, and/or Google.

As a general best practice addresses are seldom used for performance reasons because the latency to convert addresses to latitude,longitude in real time can slow down performance.

Various governing or regulatory bodies may or may not define a list of addresses as sensitive data if there is no unique or identifying information attached. However, when Addresses are considered sensitive there are options to eliminate any transmission of data:

1. Use Latitude Longitude data to define locations within the Address / Location property.

2. If no lat,long data is available, aggregate data at an administrative level to display on the map

3. Request CMaps Analytics extension with geocoding disabled (requires Latitude / Longitude)

Cloud Services

CMaps Analytics employs a number of cloud services to further augment a dashboard end users’ exprience.

Cloud services include but are not limited to:

  • Maps Tile Service- (included inside component)
  • License validation (included inside component)
  • Geocoding (included inside component)
  • Drive time polygons (optional)
  • Drive distance calculations (optional)

Maps Tile Service

The maps tile service returns the base layer maps to the component. These service requests occur automatically via HTTP(s). The only information that CMaps Plugin transacts to the MapBox, TomTom, or Google Maps Maps API during SWF runtime is a key, CentigonID, or ClientID, zoom level, pan-to location, map style (satellite, etc). The resulting data returned from the service is PNG images represent tiles that CMaps Analytics will display and align with business data on top.

License Validation

CMaps Plugin uses an authentication key property to validate a component’s license. This authentication key is generated when CMaps Analytics is installed. Upon dashboard initialization, CMaps Plugin will send an authentication key to Centigon license service via HTTPS along with the component version #, and domain to ensure the license is valid. This transaction once, asynchronously with connectivity to MapBox, Google, or TomTom APIs to ensure there is never any delay in performance or interference with user experience.


CMaps Analytics connects directly to TomTom, MapBox, or Google Maps APIs. Address values are transmitting via HTTPS to the geocoding services one at a time. Only the address data contained in the Address/Location property are transacted in order.

Specific CMaps Properties that Use Cloud Services Listed Above

CMaps Plugin Properties that are transacted to the TomTom, MapBox and Google Maps API Services

  • Addresses (Optional)- Address data property will only transact data when it is NOT latitude,longitude data. (See geocoding exception above)
  • Pan-to Property- When using the pan to property, CMaps Plugin will send this single property to the TomTom server so the map can obtain the correct map tile imagery.
  • Zoom Level Property- When using the zoom property, CMaps Plugin will send this single numeric value to the TomTom server so the map can obtain the correct map tile imagery based on the zoom level.

CMaps Analytics Cloud Architecture

CMaps Analytics cloud services are hosted in AWS cloud and was designed and implemented by senior, certified senior AWS professionals with 24/7 IT support and 99.9% uptime. CMaps Analytics cloud services are redundant across multiple global availability zones in Northern California and Virginia data centers. For Disaster recovery scenarios for natural or human caused system outages, additional protocols are in place to ensure the uptime and availability of CMaps Analytics components. Please contact Centigon Solutions for additional disaster recovery details.