7/31/2019 Secguide Ecc 60ehp3 En
http://slidepdf.com/reader/full/secguide-ecc-60ehp3-en 1/215
SAP ERP Central Component Security Guide
Release 6.0, Enhancement Package 3
SAP ERP Central Component Security Guide 6.0, EHP3 2
Copyright
© Copyright 2007 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style Description
Example text Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
SAP ERP Central Component Security Guide........................................................................ 10
Introduction .......................................................................................................................... 10
Before You Start .................................................................................................................. 11
Technical System Landscape.............................................................................................. 12
User Management and Authentication ................................................................................ 13
User Administration .......................................................................................................... 13
User Data Synchronization............................................................................................... 16
Integration in Single Sign-On Environments .................................................................... 16
Authorizations ...................................................................................................................... 17
Network and Communication Security................................................................................. 18
Communication Channel Security.................................................................................... 19
Network Security .............................................................................................................. 19
Communication Destinations............................................................................................ 20
Data Storage Security.......................................................................................................... 20
Security for Other Applications ............................................................................................ 20
Trace and Log Files ............................................................................................................. 20
Cross-Application Components ........................................................................................... 21
Cross-Application Time Sheet (CA-TS) ........................................................................... 21
Authorizations ............................................................................................................... 21
Communication Destinations........................................................................................ 22
Digital Signature............................................................................................................... 23
Self-Services .................................................................................................................... 24
Before You Start ........................................................................................................... 24
User Management ........................................................................................................ 26
Authorizations ............................................................................................................... 27
Editing Roles and Authorizations for Web Dynpro Services..................................... 29
Authorizations for Controlling Services (MSS, BUA) ................................................ 29
Authorizations for BW iViews (MSS)......................................................................... 30
Communication Destinations........................................................................................ 30
Enterprise Services .......................................................................................................... 31
Before You Start ........................................................................................................... 31
Authorizations ............................................................................................................... 31
Network and Communication Security ......................................................................... 32
Accounting ........................................................................................................................... 33
Financial Accounting ........................................................................................................ 33
Authorizations in Financial Accounting......................................................................... 34
General Ledger Accounting (FI-GL) ............................................................................. 36
Accounts Payable Accounting (FI-AP) ......................................................................... 39
Accounts Receivable Accounting (FI-AR) .................................................................... 40
Bank Accounting (FI-BL)............................................................................................... 41
Asset Accounting (FI-AA) ............................................................................................. 42
Travel Management (FI-TV) ......................................................................................... 43
Authorizations in the Special Purpose Ledger (FI-SL) ................................................. 45
Treasury........................................................................................................................ 46
Authorizations ........................................................................................................... 46
Controlling ........................................................................................................................ 48
Authorizations in Controlling......................................................................................... 49
Authorizations in Profit Center Accounting................................................................... 53
Network and Communication Security ......................................................................... 54
Communication Destinations .................................................................................... 55
Consolidation (EC-CS)..................................................................................................... 55
Accounting Engine ........................................................................................................... 56
Introduction ................................................................................................................... 56
Before You Start ........................................................................................................... 57
Technical System Landscape....................................................................................... 58
User Administration and Authentication ....................................................................... 59
User Management..................................................................................................... 59
Integration into Single Sign-On Environments.......................................................... 59
Authorizations ............................................................................................................... 60
Network and Communication Security ......................................................................... 61
Communication Channel Security............................................................................. 61
Communication Destinations .................................................................................... 62
Data Storage Security................................................................................................... 62
Financial Supply Chain Management .............................................................................. 63
Management of Internal Controls: Security Guide........................................................... 63
Technical System Landscape....................................................................................... 64
User Management and Authorizations ......................................................................... 64
User Management..................................................................................................... 65
Roles and Authorizations Concept............................................................................ 66
Standard Roles and Authorization Objects ........................................................... 67
Editing MIC-Specific Roles.................................................................................... 68
Tasks: Central Structure Setup.......................................................................... 70
Tasks: Structure Setup Specific to Organizational Units................................... 72
Tasks: Control Assessments and Tests ............................................................ 76
Tasks: Management Control Assessment and Test.......................................... 79
Tasks: Reporting and Sign-Off .......................................................................... 81
Assigning Roles to Persons .................................................................................. 83
Integration with Single Sign-On Environments ......................................................... 84
Communication Channel Security ................................................................................ 84
Data Storage Security................................................................................................... 85
Master Data Framework................................................................................................... 86
Introduction ................................................................................................................... 86
Before You Start ........................................................................................................... 87
Technical System Landscape....................................................................................... 88
User Administration and Authentication ....................................................................... 89
User Management..................................................................................................... 89
Integration into Single Sign-On Environments.......................................................... 89
Authorizations ............................................................................................................... 90
Network and Communication Security ......................................................................... 90
Communication Channel Security............................................................................. 91
SAP Banking .................................................................................................................... 91
SAP Financial Customer Information Management (FS-BP) ....................................... 92
Authorizations ........................................................................................................... 92
Network and Communication Security...................................................................... 92
Communication Destinations................................................................................. 93
Data Storage Security............................................................................................... 93
Bank Customer Accounts (BCA) .................................................................................. 93
Authorizations ........................................................................................................... 93
Network and Communication Security...................................................................... 94
Data Storage Security............................................................................................... 94
Important SAP Notes ................................................................................................ 94
Loans Management (FS-CML)..................................................................................... 95
Authorizations ........................................................................................................... 95
Network and Communication Security...................................................................... 97
Data Storage Security............................................................................................... 97
Collateral Management (CM)........................................................................................ 98
Authorizations ........................................................................................................... 98
Network Communication and Security...................................................................... 99
Strategic Enterprise Management (SEM) for Banks .................................................. 101
Authorizations ......................................................................................................... 101
Network and Communication Security.................................................................... 102
Communication Destinations............................................................................... 103
Data Storage Security............................................................................................. 103
Reserve for Bad Debt (FS-RBD) ................................................................................ 104
Authorizations ......................................................................................................... 104
Network and Communication Security.................................................................... 109
Communication Destinations............................................................................... 109
Trace and Log Files ................................................................................................ 110
Incentive and Commission Management (ICM)............................................................. 110
Authorizations ......................................................................................................... 149
Network and Communication Security.................................................................... 150
Retail .............................................................................................................................. 150
Network and Communication Security ....................................................................... 150
Authorizations ............................................................................................................. 152
Global Trade................................................................................................................... 155
Network and Communication Security ....................................................................... 155
Sales and Distribution (SD) ............................................................................................ 156
Human Capital Management ............................................................................................. 158
Personnel Management (PA)......................................................................................... 158
Before You Start ......................................................................................................... 158
User Management ...................................................................................................... 160
Authorizations ............................................................................................................. 161
Communication Channel Security .............................................................................. 164
Communication Destinations...................................................................................... 165
Data Storage Security................................................................................................. 167
Security for Additional Applications ............................................................................ 169
Other Security-Relevant Information .......................................................................... 169
Personnel Time Management (PT) ................................................................................ 170
User Management ...................................................................................................... 170
Authorizations ............................................................................................................. 170
Communication Destinations...................................................................................... 171
Payroll (PY) .................................................................................................................... 172
Before You Start ......................................................................................................... 172
User Management ...................................................................................................... 172
Authorizations ............................................................................................................. 173
Communication Channel Security .............................................................................. 175
Communication Destinations...................................................................................... 175
Data Storage Security................................................................................................. 175
Security for Additional Applications ............................................................................ 175
Other Security-Relevant Information .......................................................................... 176
SAP Learning Solution/SAP Enterprise Learning .......................................................... 176
SAP: Important Disclaimers and Legal Information.................................................... 177
Technical System Landscape..................................................................................... 177
Persistence ............................................................................................................. 178
Learning Portal (LSOFE)......................................................................................... 180
Instructor/Tutor Role in the SAP Enterprise Portal ................................................. 181
Content Player (LSOCP)......................................................................................... 182
Offline Player (LSOOP)........................................................................................... 183
Authoring Environment (LSOAE) ............................................................................ 184
Environment for the Training Administrator ............................................................ 186
User Management ...................................................................................................... 186
Authorizations ............................................................................................................. 190
Communication Channel Security .............................................................................. 191
Other Security-Relevant Information .......................................................................... 196
SAP E-Recruiting ........................................................................................................... 196
Before You Start ......................................................................................................... 196
Technical System Landscape..................................................................................... 197
User Management ...................................................................................................... 201
Authorizations ............................................................................................................. 203
Communication Channel Security .............................................................................. 208
Communication Destinations...................................................................................... 208
Data Storage Security................................................................................................. 210
Defense Forces & Public Security ..................................................................................... 211
Before You Start............................................................................................................. 211
Technical System Landscape ........................................................................................ 211
User Administration and Authentication......................................................................... 211
User Management ...................................................................................................... 212
Authorizations................................................................................................................. 213
Network and Communication Security........................................................................... 214
Data Storage Security .................................................................................................... 214
Appendix ............................................................................................................................ 215
SAP ERP Central Component Security Guide
The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.
Introduction
This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.
Target Group
● Technology consultants
● System administrators
The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.
About this Document
The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.
Since SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential that you consult the Security Guide for SAP NetWeaver. See SAP Help Portal at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide.
To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that are a basis for this Security Guide.
● Technical System Landscape
This section is an overview of the technical components and communication channels used by SAP ERP Central Component.
● User Management and Authentication
This section provides an overview of the following user management and authentication aspects:
○ Recommended tools for user management
○ Required user types for SAP ERP Central Component
○ Standard users delivered with SAP ERP Central Component
○ Overview of the user synchronization strategy if several components or products are integrated
○ Overview of integration options in single sign-on environments
● Authorizations
This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.
● Network and Communication Security
This section provides an overview of the communication channels used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security
This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.
● Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.
● Trace and Log Files
This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.
● Appendix
This section provides references to secondary sources of information.
Before You Start
Fundamental Security Guides
SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Important SAP Notes
SAP Note 783758 provides any updates for this guide and adds important information.
SAP Note 853497 contains information about saving temporary files when using Adobe® Acrobat® Reader in SAP applications.
SAP Note 138498 contains information on single sign-on solutions.
SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.
For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.
Additional Information
For more information about specific topics, see the sources in the table below.
Quick links to additional information
Contents | SAP Service Marketplace
Security | service.sap.com/security
SAP NetWeaver Security Guide | service.sap.com/securityguide
SAP NetWeaver documentation | help.sap.com → SAP NetWeaver
SAP NetWeaver installation guide | service.sap.com → SAP Support Portal → Downloads → SAP Installations & Upgrades → Installation and Upgrade Guides → SAP NetWeaver
Related SAP notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager
Technical System Landscape
For information about the technical system landscape, see the sources listed in the table below.
More Information about the Technical System Landscape
Subject | Guide/Tool | SAP Service Marketplace
Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides → Downloads → SAP Installations & Upgrades → Installation and Upgrade Guides → SAP Business Suite Applications → SAP ERP
Technical configuration, wide availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security
User Management and Authentication
SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.
In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:
● User Management [Page 13]
This section details the user management tools, the required user types, and the standard users supplied by SAP.
● Synchronization of User Data [Page 16]
The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.
● Integration in Single Sign-On Environments [Page 16]
This section describes how SAP ERP Central Component supports single sign-on mechanisms.
User Administration
Use
SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms apply for SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.
User Administration Tools
The following table shows the user management tools for SAP ERP Central Component.
User Management Tools
Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information on the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Role maintenance with the profile generator for ABAP-based systems (transaction PFCG) | For more information on the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems |
User Management Engine (UME) | Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as ABAP Engine.
For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 2004s Security Guides (Online Version) → User Administration and Authentication.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
User types required for SAP ERP Central Component include, for example:
● Individual users:
○ Dialog users
Dialog users are used for SAP GUI for Windows.
○ Internet users for Web applications
The same policies apply as for dialog users, but these users are used for Internet connections.
● Technical users:
○ Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).
○ Communication users are used for dialog-free communication between systems.
○ Background users can be used for processing in the background.
For additional information about user types, see User Types in the Security Guide for SAP NetWeaver.
Standard Users
The following table shows the standard users that are required to operate SAP ERP Central Component.
Standard Users
System | User ID | Type | Password | Description
SAP NetWeaver Application Server | <sapsid>adm | SAP system administrator | Mandatory | SAP NetWeaver installation guide
SAP NetWeaver Application Server | SAPService<sapsid> | SAP system service administrator | Mandatory | SAP NetWeaver installation guide
SAP NetWeaver Application Server | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protecting Standard Users
SAP NetWeaver Application Server | SAP Standard SAP NetWeaver Application Server Java Users | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → User Administration and Authentication → User Management → User Administration and Standard Users. These users are used in applications that use Web Dynpro.
SAP ECC | SAP Users | Dialog users | Mandatory | The number of users depends on the area of operation and the business data to be processed.
For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → ERP → Release xx/Language → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.
For information about user types, see SAP Service Marketplace at service.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.
The users specified are delivered with SAP ERP Central Component .
User Data Synchronization
Use
By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see the Security Guide for SAP NetWeaver in SAP Help Portal at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.
You can use user data distributed across systems by replicating the data in a central directory, for example.
Integration in Single Sign-On Environments
Use
SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP Technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.
The supported mechanisms are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
For more information, see SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Network and Communication Security → Transport Layer Security → Secure Network Communications (SNC).
SAP Logon Tickets
SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.
For more information, see SAP Logon Tickets in the Security Guide for SAP NetWeaver Application Server.
Client Certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer protocol (SSL protocol). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the Security Guide for SAP NetWeaver Application Server.
Authorizations
Use
SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of User Management Engine (UME). You can define user-specific menus using roles.
Standard Roles and Standard Authorization Objects
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.
For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.
For information on roles and authorizations in Travel Management (FI-TV) see the section Accounting under Financial Accounting .
Before using the roles listed, check whether the standard roles delivered by SAP meet your requirements; they are templates and may grant more than a given job function needs.
For more information about the authorization concept at SAP, see:
■ SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → AS ABAP Authorization Concept.
■ SAP Help Portal at help.sap.com → SAP NetWeaver → Release/Language → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management.
Authorizations for Customizing Settings
You can use Customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information about creating roles, see SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → SAP Authorization Concept → Organizing Authorization Administration → Organization if You are Using the Profile Generator or Organization Without the Profile Generator.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders lose one of the main ways of compromising the machines and gaining access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:
● Communication Channel Security [Page 19]
This section contains a description of the communication channels and protocols that are used by subcomponents of SAP ERP Central Component.
● Network Security [Page 19]
This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.
● Communication Destinations [Page 20]
This section describes the data needed for the various communication channels, for example, which users are used for which communications.
For more information, see the following sections of the Security Guide for SAP NetWeaver in SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for Connectivity and Interoperability Technologies.
Communication Channel Security
Use
Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.
The table below shows the communication channels used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.
Communication Channels
Communication Channel | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to third-party application | HTTP(S) | Application data | Passwords, business data, for example
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol, that is, HTTPS.
For more information, see the security guide for SAP NetWeaver in SAP Help Portal at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → SAP NetWeaver Security Guide → Network and Communication Security → Transport Layer Security.
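The guide leaves the concrete settings to the SAP NetWeaver security guide. As an added example (not part of this guide or of SAP's documentation), the following Python script reads an instance profile and checks the two points made above: SNC must be enabled for DIAG/RFC with insecure (non-SNC) logons rejected, and the ICM must offer HTTPS rather than plain HTTP. The profile text is constructed for illustration and is deliberately weak, with a hardened version beside it; the parameter names are the standard snc/* and icm/server_port_<n> profile parameters, while the thresholds (privacy protection required, any plain-HTTP port reported) are this example's own policy, not SAP defaults.

```python
"""Check an SAP instance profile for the SNC (DIAG/RFC) and SSL (HTTP)
settings described in the Communication Channel Security section.

Added example, not part of the original guide. Profile texts below are
constructed; the policy applied (privacy level 3 required, no plain HTTP
port) is this example's assumption, not an SAP default.
"""
import re

# Constructed, deliberately weak profile: SNC is on, but non-SNC GUI and
# RFC logons are still accepted and the only ICM port speaks plain HTTP.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ECC
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=ECC, OU=SAP, O=Example
snc/data_protection/min = 1
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed hardened profile: privacy protection enforced, insecure
# logons rejected, ICM port switched to HTTPS.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = ECC
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=ECC, OU=SAP, O=Example
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
icm/server_port_0 = PROT=HTTPS,PORT=8443
"""


def parse_profile(text):
    """Return {parameter: value} from profile text; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        params[key.strip()] = value.strip()
    return params


def icm_ports(params):
    """Yield (index, {ATTR: VALUE}) for every icm/server_port_<n> parameter."""
    for key, value in params.items():
        match = re.fullmatch(r"icm/server_port_(\d+)", key)
        if not match:
            continue
        attrs = {}
        for item in value.split(","):
            k, _, v = item.partition("=")
            attrs[k.strip().upper()] = v.strip().upper()
        yield int(match.group(1)), attrs


def check_transport_security(params):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    # SNC for DIAG and RFC
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: DIAG and RFC run without SNC")
    else:
        # data_protection levels: 1 = authentication, 2 = integrity, 3 = privacy
        try:
            min_level = int(params.get("snc/data_protection/min", "0"))
        except ValueError:
            min_level = 0
        if min_level < 3:
            findings.append(f"snc/data_protection/min = {min_level}: require privacy (3)")
        for p in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc",
                  "snc/accept_insecure_cpic"):
            if params.get(p, "0") != "0":  # '0' rejects non-SNC logons
                findings.append(f"{p} = {params[p]}: non-SNC logons still accepted")
    # SSL for HTTP: at least one HTTPS port, and no plain HTTP port
    https_found = False
    for idx, attrs in icm_ports(params):
        prot = attrs.get("PROT", "")
        if prot == "HTTP":
            findings.append(f"icm/server_port_{idx}: plain HTTP on port {attrs.get('PORT', '?')}")
        elif prot == "HTTPS":
            https_found = True
    if not https_found:
        findings.append("no icm/server_port_<n> with PROT=HTTPS configured")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_transport_security(parse_profile(text)) or "OK")
```

Run against the weak profile the script reports the insufficient protection level, both accept_insecure settings and the plain-HTTP port; the hardened profile produces no findings. Whether a plain-HTTP port is acceptable behind a TLS-terminating reverse proxy is a deployment decision, so adjust that rule to your own topology.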
For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:
● SAP Supply Chain Management → SAP Supply Chain Management Security Guide Release SCM xx → Authorizations / Communication Channel Security / Communication Destinations
● SAP Business Information Warehouse Security Guides → SAP Business Information Warehouse Security Guide Release NW xx → Communication Security → Communication Destinations
Network Security
Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Network and Communication Security: Network Services. This contains information about the services and ports used by SAP NetWeaver.
● Using Firewall Systems for Access Control
Here you can find information about firewall settings.
● Using Multiple Network Zones
Here you can find information about which parts of your application should be set up in which network segments.
If you provide services on the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.
Communication Destinations
Use
The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore follow the security rules below when communicating between ERP systems:
● Employ the user types system and communication.
● Grant a user only the minimum authorizations.
● Choose a secure password and do not divulge it to anyone else.
● Only store user-specific logon data for users of type system and communication.
● Wherever possible, use trusted system functions instead of user-specific logon data.
For more information, see the application-specific part of this guide.
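The Standard Users table in the User Administration section and the five rules above describe what to look for, but not how to check it. As an added example (not part of this guide or of SAP's tooling), the following Python script audits a constructed export of users and RFC destinations against those points: standard users still carrying default passwords or left unlocked, users with the SAP_ALL/SAP_NEW profiles, and destinations that store logon data for a user that is not of type system or communication, that refer to a standard user, or that refer to a user that does not exist. The record layout, the sample records and the lock policy for SAP* and EARLYWATCH are this example's assumptions; in a real system the data would come from user maintenance (SU01) exports and the RFC destination list, which this script does not read.

```python
"""Audit users and RFC destinations against the rules in the Standard Users
and Communication Destinations sections.

Added example, not part of the original guide. All records are constructed;
the field layout and the lock policy are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# User type codes as shown in SU01: A dialog, B system, C communication, S service.
DIALOG, SYSTEM, COMMUNICATION, SERVICE = "A", "B", "C", "S"
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}      # not least privilege for any technical user


@dataclass
class User:
    name: str
    utype: str
    locked: bool
    default_password: bool   # result of a default-password check, exported as a flag (assumption)
    profiles: tuple = ()


@dataclass
class Destination:
    name: str
    user: Optional[str]      # logon user stored in the destination, None if none stored
    trusted: bool = False    # trusted-system logon instead of stored credentials


# Constructed sample data.
SAMPLE_USERS: List[User] = [
    User("SAP*", DIALOG, locked=True, default_password=False),
    User("DDIC", DIALOG, locked=False, default_password=True),
    User("EARLYWATCH", DIALOG, locked=False, default_password=True),
    User("SAPCPIC", COMMUNICATION, locked=True, default_password=False),
    User("JSMITH", DIALOG, locked=False, default_password=False),
    User("RFC_HR", COMMUNICATION, locked=False, default_password=False),
    User("BATCH_CATS", SYSTEM, locked=False, default_password=False, profiles=("SAP_ALL",)),
]

SAMPLE_DESTS: List[Destination] = [
    Destination("HRCLNT100", user="RFC_HR"),                 # communication user: fine
    Destination("BWCLNT200", user="JSMITH"),                 # dialog user stored: finding
    Destination("SCMCLNT300", user=None, trusted=True),      # trusted system: preferred
    Destination("LEGACY", user="SAPCPIC"),                   # standard user: finding
    Destination("ORPHAN", user="NOBODY"),                    # user does not exist: finding
]


def audit_users(users: List[User]) -> List[str]:
    """Findings for standard users and over-privileged profiles."""
    findings = []
    for u in users:
        if u.default_password:
            findings.append(f"{u.name}: still has its default password")
        # Policy of this example: SAP* and EARLYWATCH stay locked when not in use.
        if u.name in ("SAP*", "EARLYWATCH") and not u.locked:
            findings.append(f"{u.name}: standard user should be locked when not in use")
        broad = BROAD_PROFILES.intersection(u.profiles)
        if broad:
            findings.append(f"{u.name}: profile(s) {sorted(broad)} violate least privilege")
    return findings


def audit_destinations(dests: List[Destination], users: List[User]) -> List[str]:
    """Findings for stored logon data in RFC destinations."""
    by_name = {u.name: u for u in users}
    findings = []
    for d in dests:
        if d.user is None:
            continue  # nothing stored (trusted system or interactive logon)
        u = by_name.get(d.user)
        if u is None:
            findings.append(f"{d.name}: stored user {d.user} does not exist")
        elif u.name in STANDARD_USERS:
            findings.append(f"{d.name}: uses standard user {u.name}")
        elif u.utype not in (SYSTEM, COMMUNICATION):
            findings.append(f"{d.name}: stores logon data for {u.name} (type {u.utype}); "
                            "only system or communication users may be stored")
    return findings


if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS) + audit_destinations(SAMPLE_DESTS, SAMPLE_USERS):
        print(line)
```

On the sample data the user audit reports DDIC and EARLYWATCH (default password), EARLYWATCH (not locked) and BATCH_CATS (SAP_ALL); the destination audit reports BWCLNT200, LEGACY and ORPHAN, while the trusted SCMCLNT300 destination is exactly the case the last rule above prefers.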
Data Storage Security
Use
For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.
Security for Other Applications
See the corresponding sections in the application-specific part of this guide.
Trace and Log Files
Use
The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide.
If there is no information about trace and log files in the sections for the individual components of SAP ERP Central Component, you can assume that no sensitive data is written to these files.
Cross-Application Components
Cross-Application Time Sheet (CA-TS)
Authorizations
The Cross-Application Time Sheet uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles
The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.
Standard Roles
Role | Description
SAP_EMPLOYEE | Employee Self-Service [External]
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator [External]
SAP_ISR_RETAIL_STORE | SAP Retail Store User
SAP_PS_CONFIRM | Confirmations
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor [External]
SAP_ISR_STORE_PERSONNEL | Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist [External]
Standard Authorization Objects
In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.
See also:
Note the special points listed in the following section of the SAP Library: Cross-Application Components → Cross-Application Time Sheet → Assigning Authorizations [External].
Communication Destinations
Use
Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.
Communication with Personnel Time Management
To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:
● If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.
● If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.
The BAPIs enable you to create, change, or delete Personnel Time Management data.
These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.
Technical Users
You require the following technical users for the communication:
● To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations. These technical users do not require authorizations specific to the SAP HR solution.
● For the subsequent background processing job to transfer data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).
To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees' authorizations on the authorizations for the CAT2 transaction.
Posting Data to Other Target Applications
There are no special communication destinations for posting data to the other target applications.
See also:
For more information, see the SAP Library:
● For information about transferring time sheet data to the target applications, see Cross-Application Components → Cross-Application Time Sheet → Transfer of Time Sheet Data to the Target Components [External].
● For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications → ALE / EDI Business Processes [External].
Digital Signature
Before You Start
With the digital signature, SAP provides you with a tool for digital signatures in ABAP-based applications. If you integrate the digital signature, you can sign and approve digital data. The Implementation Guide for the digital signature (see the attachment to SAP Note 700495, "Implementation of Digital Signature using the Signature Tool") contains detailed information about implementing the digital signature.
The digital signature is based on the functions of the component Secure Store and Forward (BC-SEC-SSF) from SAP NetWeaver. In the SAP system, the digital signature is realized with the Basis component Secure Store and Forward (SSF). If you use the user signature as signature method, you also need an external security product that you have to connect to your SAP system using SSF.
You should not store the personal security environment (PSE) of the user in the file system. You can use a smart card instead, for example. The software PSE does not fulfill the legal requirements of a digital signature.
For more information, see Approval with Digital Signatures [External] in the documentation for SAP ERP Central Component under Cross-Application Components → Document Management → Document Information Record.
If there is no further information on specific security aspects in this section, the settings mentioned in the security guide for SAP ERP Central Component and the details in the SAP NetWeaver Application Server ABAP Security Guide [External] in the section Secure Store & Forward Mechanisms (SSF) and Digital Signatures always apply for the digital signature.
Additional Information
Contents | SAP Service Marketplace
Security | service.sap.com/security
Security Guides, SAP NetWeaver Security Guide | service.sap.com/securityguide
SAP NetWeaver documentation | help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide | service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager
For information about the system landscape and secure operation of SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.
Authorizations
The digital signature uses the authorization concept provided by SAP NetWeaver Application Server. Therefore the security recommendations and guidelines for authorizations as they are described in the security guides for SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java also apply for the digital signature.
In applications that have implemented the digital signature, in order to actually make digital signatures, users require the corresponding authorizations from the Customizing of the respective signature object. These cover:
● The relevant authorization for the object to be signed
● If you work with signature strategies, you also need the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR, Authorization Group for Digital Signature). At least the authorization object C_SIGN must be assigned to the user profile.
For information about the system infrastructure, see the section Digital Signatures and Encryption in the documentation for SAP NetWeaver under SAP NetWeaver by Key Capability → Security.
Self-Services
Before You Start
This section of the Security Guide provides you with information about the following self-service components:
● Employee Self-Service (ESS)
● Manager Self-Service (MSS)
● Business Unit Analyst (BUA)
● Project Self-Services (PSS)
● E-Recruiting (ECR)
● HR Administrative Services (ASR)
● Higher Education and Research (IS-HER-CSS)
● General Parts (PCUI_GP)
If not stated otherwise, the security settings for user management and authorizationsapply to all components.
If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [Page 1] also apply to the self-service components.
For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.
Fundamental Security Guides
Scenario, Application or Component | Security Guide | Important Sections
SAP NetWeaver Application Server ABAP | | SAP Authorization Concept [External]
SAP NetWeaver Application Server Java | | User Administration and Authentication [External]; Authorizations [External]
SAP ECC Industry Extension HE&R | SAP ECC Industry Extension HE&R: Security Guide [External] |
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Important SAP Notes
The following table presents the most important SAP Notes regarding security for the Self-Service applications:
Important SAP Notes
SAP Note Number | Title | Comment
857431 | ESS: Authorizations and Roles for WD Services in ERP 2005 | This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).
844639 | MSS: Authorizations and Roles for ERP 2005 | This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).
846439 | PSS: Authorizations and Roles for Web Dynpro | This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).
User Management
Use
User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply for Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.
User Management Tools
The following table presents the tools used for managing users in Self-Service applications:
User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users. For more information, see the Users and Roles [Extern] section in SAP Library for SAP NetWeaver (see also help.sap.com → Documentation → SAP NetWeaver).
User Types
For more information about user types [Extern], see the SAP NetWeaver Application Server Security Guide ABAP.
SAP recommends you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access.
Standard Users
Different standard users exist for the individual Self-Service components.
Components | Standard Users
Employee Self-Service, Manager Self-Service, Project Self-Service, Business Unit Analyst | No standard users exist in the standard SAP system for these components.
E-Recruiting, HR Administrative Services | For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.
Higher Education and Research | For information about the standard users for this component, see the security guide for this component.
Authorizations
Use
The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [page 29].
The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.
Standard Roles
Employee Self-Service
The following table presents the standard roles used in Employee Self-Service applications:
Standard Roles for Employee Self-Service (ESS):
Role Description
SAP_ESSUSER_ERP05 Single role that comprises all non-country-specific functions.
SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.
In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.
The composite role is assigned to the individual employee.
Manager Self-Service, Business Unit Analyst, and Project Self-Services
There are no standard roles for these components.
E-Recruiting and HR Administrative Services
For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research
For information about the standard roles for this component, see the Security Guide for this component.
Standard Authorization Objects
The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.
Standard Authorization Objects for Self-Service Applications:
Authorization Object | Field | Value | Description
S_RFC | RFC_NAME | Depends on service | Secures RFC access from the Web Dynpro front end to the back-end system.
S_SERVICE | SRV_NAME | * | Additional object for Web Dynpro applications. Check that is run when external services are started. This authorization object is needed when an employee, project lead or manager wants to start self-service applications.
When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE-SRV_NAME = <vendor>/<dc>/<Application>, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
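The following Python script is an added example (not code from the guide or from SAP) that makes the difference between SRV_NAME = * and an explicit <vendor>/<dc>/<Application> value concrete. It emulates how an authorization value list decides whether a user may start a given Web Dynpro application, and includes a small review helper that lists generic values in a role. The application name sap.com/pcui_gp~xssexamples/AttendanceExample is the one quoted above; the second application name, the role names, and the assumption that the service name is compared literally against the SRV_NAME values (a single value being either exact or generic with a trailing *) are simplifications made for the example, not SAP internals.

```python
"""Added example (not SAP's code): emulates the decision behind the S_SERVICE
start check for a Web Dynpro application, so the effect of SRV_NAME = '*'
versus an explicit <vendor>/<dc>/<Application> value can be seen.
Assumptions made for the example: the service name is compared literally
against the authorization values, a value is either exact or generic with a
trailing '*', and only the SRV_NAME field is modelled."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization instance: object name plus field -> permitted values."""
    obj: str
    fields: dict[str, list[str]] = field(default_factory=dict)


def value_matches(permitted: str, actual: str) -> bool:
    """Single-value semantics: exact match, or trailing '*' matching any suffix.
    '*' on its own therefore matches every service name."""
    if permitted.endswith("*"):
        return actual.startswith(permitted[:-1])
    return permitted == actual


def authority_check(auths: list[Authorization], obj: str, **required: str) -> bool:
    """True if one authorization instance for `obj` satisfies every required field.
    All fields must be met by the same instance; an instance for another object
    never contributes."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(value_matches(v, actual) for v in auth.fields.get(name, []))
               for name, actual in required.items()):
            return True
    return False


def may_start_service(auths: list[Authorization], service_name: str) -> bool:
    """Would a user holding `auths` pass the S_SERVICE start check for this app?"""
    return authority_check(auths, "S_SERVICE", SRV_NAME=service_name)


def generic_service_grants(auths: list[Authorization]) -> list[str]:
    """Review helper: SRV_NAME values that are generic ('*' or 'prefix*') and so
    permit more applications than the role lists explicitly."""
    return [v for a in auths if a.obj == "S_SERVICE"
            for v in a.fields.get("SRV_NAME", []) if v.endswith("*")]


# Constructed role data for illustration. The first application name is the one
# quoted in the guide; the second is a hypothetical name, not a real application.
ATTENDANCE_APP = "sap.com/pcui_gp~xssexamples/AttendanceExample"
HYPOTHETICAL_APP = "example.com/hypothetical~dc/HypotheticalApp"

ROLE_WITH_WILDCARD = [Authorization("S_SERVICE", {"SRV_NAME": ["*"]})]
ROLE_RESTRICTED = [Authorization("S_SERVICE", {"SRV_NAME": [ATTENDANCE_APP]})]


if __name__ == "__main__":
    for label, role in (("wildcard role", ROLE_WITH_WILDCARD),
                        ("restricted role", ROLE_RESTRICTED)):
        print(f"{label}: attendance={may_start_service(role, ATTENDANCE_APP)}, "
              f"hypothetical={may_start_service(role, HYPOTHETICAL_APP)}, "
              f"generic values={generic_service_grants(role)}")
```

The restricted role starts only the application it names; the wildcard role starts anything, including applications that did not exist when the role was built, which is why a role review should list generic SRV_NAME values as the helper does.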
E-Recruiting and HR Administrative Services
For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research
For information about the standard authorization objects for this component, see the Security Guide for this component.
Internal Service Request and Personnel Change Requests
For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.
Editing Roles and Authorizations for Web Dynpro Services
Use
Use this procedure to edit roles and the related Web Dynpro services and authorizations.
Procedure
1. Create a role in transaction PFCG or select the standard role that exists for the component. Choose Create Role or copy the existing standard role.
2. Assign the required services to the role.
a. Choose the Menu tab page and then Default Authorization.
The Service dialog box appears.
b. Set the External Service indicator.
c. Select WEBDYNPRO as the type of external service.
d. In the Service field, select the Web Dynpro service you require.
e. Choose Save.
The authorization objects and default values maintained for the service are displayed in the menu tree.
In the same way, select all Web Dynpro services you want to use.
3. Assign the required authorizations.
Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.
For more information about how to maintain roles, see Role Maintenance [Extern] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).
Authorizations for Controlling Services (MSS, BUA)
The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).
Standard Authorization Objects for Controlling Services:
Authorization Object Description
K_CCA General authorization object for Cost Center Accounting.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_ORDER General authorization object for internal orders.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_PCA Area responsible, Profit Center.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_CSKS_PLA Cost element planning.
Is checked in the relevant Express Planning services.
K_FPB_EXP Authorization object for Express Planning.
This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.
Authorizations for BW iViews (MSS)
In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [Extern] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).
In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [Extern] (0PA_DS02) and Structural Authorizations - Hierarchy [Extern] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management → ODS Objects.
You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).
Communication Destinations
To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [Extern].
Enterprise Services
Before You Start
Underlying Security Guides
As SAP ERP ES is provided as an add-on to SAP ERP, the security guidelines applicable to SAP ERP also apply to SAP ERP ES.
For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.
For more information about Enterprise Services and security, see the mySAP Business Suite: Service Provisioning documentation at service.sap.com/swdc → Download → Installations and Upgrades → Entry by Application Group → SAP Application Components → SAP ERP ES → SAP ERP ES <nn> → Installation → ESA ECC-SE <nn> Add-on Documentation → 00_mySAPServiceProvisioning.pdf → 2.6 Security.
For more information about the security of the exchange infrastructure, see the SAP NetWeaver security guide at service.sap.com/securityguide → SAP Process Integration Security Guides → SAP NetWeaver Process Integration Security Guide.
Important SAP Notes
For more information about security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.
Authorizations
Use
Accessing SAP functions via Web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a Web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.
SAP ERP ES uses the standard authorization objects that are available for mySAP ERP, including authorization default values for Web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume Web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).
For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security → Authorization.
Network and Communication Security
For more information about network security for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.
Accounting
Financial Accounting
Network and Communication Security
Communication with external systems takes place using the standard channels provided by SAP basis technology:
● Application Link Enabling (ALE)
● Standard interfaces to BI, CRM, and SRM systems
● Batch Input [Extern]
● Remote Function Call [Extern] (RFC)
● Business Application Programming Interface (BAPI)
● IDOC [Extern]
● SAP Exchange Infrastructure (XI)
● E-mail, fax
● Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations.
● Electronic advance return for tax on sales/purchases:
○ There is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.
○ You can digitally sign the electronic advance return for tax on sales/purchases.
● Payments and payment advice notes are dispatched using IDoc, and dunning notices are sent by e-mail or fax.
Communication Destinations
All the technical users generally available can be used.
For payment requests from other components, see SAP Note 303205.
Data Storage Security
Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.
Important SAP Notes
See SAP Notes 303205 and 497712.
Authorizations in Financial Accounting
Authorization Objects in Financial Accounting
Object Name
FAGL_INST Customer Enhancements for General Ledger
F_ACE_DST Accrual Engine: Accrual Objects
F_ACE_PST Accrual Engine: Accrual/Deferral Postings
F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA Accounting Document: Authorization for Document Types
F_BKPF_BUK Accounting Document: Authorization for Company Codes
F_BKPF_BUP Accounting Document: Authorization for Posting Periods
F_BKPF_GSB Accounting Document: Authorization for Business Areas
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_BKPF_VW Accounting Document: Display/Change Default Values Document Type/Posting Key
F_FAGL_LDR General Ledger: Authorization for Ledger
F_FAGL_SEG General Ledger: Authorization for Segment
K_TP_VALU General Ledger: Authorization for Transfer Price Valuation
F_FAGL_SKF General Ledger: Authorization for Transaction with Statistical Key Figures
F_IT_ALV Line Item Display: Change and Save Layouts
F_KMT_MGMT Account Assignment Model: Authorization for Maintenance and Use
F_SKA1_AEN G/L Account: Change Authorization for Certain Fields
F_SKA1_BES G/L Account: Account Authorization
F_SKA1_BUK G/L Account: Authorization for Company Codes
F_SKA1_KTP G/L Account: Authorization for Charts of Accounts
F_T011 Balance Sheet: General Maintenance Authorization
F_T011E Authorization for Financial Calendar
F_T011_BUK Planning: Authorization for Company Codes
F_T060_ACT Information System: Account Type/Activity for Evaluation View
F_AVIK_AVA Payment Advice Note: Authorization for Payment Advice Note Types
F_AVIK_BUK Payment Advice Note: Authorization for Company Codes
F_BKPF_BED Accounting Document: Account Authorization for Customers
F_BKPF_BEK Accounting Document: Account Authorization for Vendors
F_BL_BANK Authorization for House Banks and Payment Methods
F_BNKA_BUK Banks: Authorization for Company Codes
F_FBCJ Cash Journal: General Authorization
F_FEBB_BUK Bank Account Statement Company Code
F_FEBC_BUK Check Deposit/Lockbox Company Code
F_KNA1_AEN Customer: Change Authorization for Certain Fields
F_KNA1_APP Customer: Application Authorization
F_KNA1_BED Customer: Accounts Authorization
F_KNA1_BUK Customer: Authorization for Company Codes
F_KNA1_GEN Customer: Central Data
F_KNA1_GRP Customer: Accounts Group Authorization
F_KNA1_KGD Customer: Change Authorization for Accounts Groups
F_KNB1_ANA Customer: Authorization for Account Analysis
F_KNKA_AEN Credit Management: Change Authorization for Certain Fields
F_KNKA_KKB Credit Management: Authorization for Credit Control Area
F_BNKA_MAN Banks: General Maintenance Authorization
F_KNKK_BED Credit Management: Accounts Authorization
F_LFA1_AEN Vendor: Change Authorization for Certain Fields
F_LFA1_APP Vendor: Application Authorization
F_LFA1_BEK Vendor: Accounts Authorization
F_LFA1_BUK Vendor: Authorization for Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Accounts Group Authorization
F_MAHN_BUK Automatic Dunning: Authorization for Company Codes. The documentation for this refers to transaction F150.
F_MAHN_KOA Automatic Dunning: Authorization for Account Types
F_PAYRQ Authorization Object for Payment Requests
F_PAYR_BUK Check Management: Action Authorization for Company Codes
F_REGU_BUK Automatic Payment: Action Authorization for Company Codes. Refers to transaction F110.
F_REGU_KOA Automatic Payment: Action Authorization for Account Types
F_RPCODE Repetitive Code
F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages
F_T042_BUK Customizing Payment Program: Authorization for Company Codes
S_BTCH_JOB Background Processing: Operations on Background Jobs. Users you would like to authorize to start background processing must have authorization for activity RELE.
P_ABAP HR Reporting. Protects payments from the payroll. See also SAP Note 303205, which describes an enhancement of the checks made using a function module.
F_WEB_EBPP Participation in EBPP Process via a Web Interface
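The following Python script is an added example (not code from the guide or from SAP) of the kind of review a security administrator can run over the objects in the table above. It parses a constructed, simplified export of a role's authorization values (one ROLE;OBJECT;FIELD;LOW;HIGH line per value, a flat form of what the Authorizations tab in PFCG shows) and flags two points the table makes: S_BTCH_JOB granting activity RELE, which lets the user release background jobs, and Financial Accounting objects whose company-code field carries the generic value *. The role names and values are constructed; the field names JOBACTION and BUKRS, and the LOW/HIGH range semantics, are assumptions for the example and should be verified against the object definitions in the target system.

```python
"""Added example (not SAP's code): review a constructed, simplified export of a
role's authorization data. Each line is ROLE;OBJECT;FIELD;LOW;HIGH. Flags
S_BTCH_JOB with activity RELE and F_* objects whose company-code field is '*'.
Field names (JOBACTION, BUKRS) and range semantics are assumptions."""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export; roles and values are illustrative only.
SAMPLE_EXPORT = """\
ROLE;OBJECT;FIELD;LOW;HIGH
Z_FI_DISPLAY;F_BKPF_BUK;BUKRS;1000;1000
Z_FI_DISPLAY;F_BKPF_BUK;ACTVT;03;03
Z_FI_DISPLAY;S_BTCH_JOB;JOBACTION;SHOW;SHOW
Z_FI_DISPLAY;S_BTCH_JOB;JOBGROUP;*;
Z_FI_BATCH;F_BKPF_BUK;BUKRS;*;
Z_FI_BATCH;F_BKPF_BUK;ACTVT;01;03
Z_FI_BATCH;F_REGU_BUK;BUKRS;1000;2000
Z_FI_BATCH;S_BTCH_JOB;JOBACTION;RELE;RELE
Z_FI_BATCH;S_BTCH_JOB;JOBGROUP;*;
"""

COMPANY_CODE_FIELD = "BUKRS"   # assumed name of the company-code field


def parse_export(text: str) -> dict:
    """Return {role: {object: {field: [(low, high or None), ...]}}}."""
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        roles[row["ROLE"]][row["OBJECT"]][row["FIELD"]].append(
            (row["LOW"], row["HIGH"] or None))
    return roles


def covers(ranges: list, value: str) -> bool:
    """Does any LOW/HIGH entry cover `value`? A LOW without HIGH is a single
    value that may end in '*' (generic); LOW..HIGH is an inclusive range
    compared as strings (assumed semantics for character fields)."""
    for low, high in ranges:
        if high is not None:
            if low <= value <= high:
                return True
        elif low.endswith("*"):
            if value.startswith(low[:-1]):
                return True
        elif low == value:
            return True
    return False


def review_role(objects: dict) -> list[str]:
    """Findings for one role, in a fixed order so results are comparable."""
    findings = []
    if covers(objects.get("S_BTCH_JOB", {}).get("JOBACTION", []), "RELE"):
        findings.append("S_BTCH_JOB permits RELE: the user can release background jobs")
    for obj, fields in sorted(objects.items()):
        company_codes = fields.get(COMPANY_CODE_FIELD, [])
        if obj.startswith("F_") and any(low == "*" and high is None
                                        for low, high in company_codes):
            findings.append(f"{obj}: company code '*' covers every company code")
    return findings


def review_export(text: str) -> dict[str, list[str]]:
    """Run review_role over every role in the export."""
    return {role: review_role(objs) for role, objs in parse_export(text).items()}


if __name__ == "__main__":
    for role, findings in review_export(SAMPLE_EXPORT).items():
        print(role, findings or ["no findings"])
```

In the sample, the display-only role produces no findings, while the batch role is reported both for RELE and for the unrestricted company code on F_BKPF_BUK; F_REGU_BUK passes because its company codes are limited to a range.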
General Ledger Accounting (FI-GL)
Standard Roles in General Ledger Accounting
Role Name
SAP_AUDITOR_BA_FI_GL AIS - General Ledger (GLT0)
SAP_FI_GL_ACCOUNT_CHANGE_REQUE General Ledger Account/Change Request
SAP_FI_GL_ACCT_MASTER_DATA General Ledger Master Data Maintenance
SAP_FI_GL_BALANCE_CARRYFORWARD Balance Carryforward
SAP_FI_GL_CHANGE_PARKED_DOCUM Change Parked General Ledger Documents
SAP_FI_GL_CLEAR_OPEN_ITEMS Clear Open General Ledger Items
SAP_FI_GL_CONS_PREPARATIONS Preparation for Consolidation
SAP_FI_GL_CURRENCY_VALUATION General Ledger Account Foreign Currency Valuation
SAP_FI_GL_DISPLAY_ACCT_BALANCE Display General Ledger Account Balances and Items
SAP_FI_GL_DISPLAY_DOCUMENTS Display General Ledger Documents
SAP_FI_GL_DISPLAY_MASTER_DATA Display General Ledger Master Data
SAP_FI_GL_DISPLAY_PARKED_DOCUM Display Parked Documents
SAP_FI_GL_EXCHANGE_RATE_TABLE Maintain Currency Exchange Rates
SAP_FI_GL_FIN_STATEMENT_REPORT Financial Statement Reports
SAP_FI_GL_INTEREST_CALCULATION Interest Calculation for G/L Accounts
SAP_FI_GL_INTEREST_RATE_TABLES Maintain Interest Rates
SAP_FI_GL_KEY_REPORTS Key Reports: General Ledger Accounting
SAP_FI_GL_PARK_DOCUMENT Park General Ledger Documents
SAP_FI_GL_PERIOD_END_CLOSING Closing Procedures in General Ledger Accounting
SAP_FI_GL_PERIODIC_ENTRIES Enter Recurring General Ledger Postings
SAP_FI_GL_POST_ENTRY Make General Ledger Postings
SAP_FI_GL_POST_PARKED_DOCUMENT Post Parked Document
SAP_FI_GL_RECURRING_DOCUMENTS Process Recurring Documents
SAP_FI_GL_REVERSE-CHANGE Reverse/Change General Ledger Documents
SAP_FI_GL_SAMPLE_ACCT_MASTER_D Sample Accounts
SAP_FI_GL_SAMPLE_DOCUMENTS Edit Sample Documents
Closing Cockpit
Authorizations
Authorization Objects of Closing Cockpit
Authorization Object Description
B_SMAN_WPL Schedule Manager: Authorizations for Task Lists
S_TCODE Transaction Code Check for Transaction Start
F_CLOCO Authorizations for Closing Cockpit
S_BTCH_EXT External Scheduler (SAP Central Process Scheduling)
You need the S_BTCH_EXT authorization object only if you connect Closing Cockpit to SAP Central Process Scheduling by Redwood (CPS). SAP CPS is not a part of SAP ERP. For more information about SAP CPS, see the SAP Service Marketplace at service.sap.com/process-scheduling.
Standard Roles of Closing Cockpit
Role Name
SAP_AIO_AP_CLERK-K AP Supervisor
SAP_AIO_AR_CLERK-K AR Supervisor
SAP_AIO_COSTACC-K Central Cost Accountant
SAP_AIO_FINACC-K Account Manager
SAP_AIO_FINACC-S Assets Accountant
SAP_EP_RW_FDMN AC - FI - Customers
SAP_EP_RW_FKMN AC - FI - Vendors
SAP_EP_RW_FSMN_4 AC - General Ledger - Closing
SAP_EP_RW_FSMN_NEW4 AC - General Ledger (New) - Closing
Roles in Closing Cockpit for the Connection to SAP Central Process Scheduling
Role Description
SAP_BC_BATCH_ADMIN_REDWOOD Redwood Scheduler: Add-on for Batch Administrators
SAP_BC_REDWOOD_COMMUNICATION Role for Redwood Job Scheduling, Communications Users
SAP_BC_REDWOOD_COMM_EXT_SDL Additional Role for Redwood Communications Users
You need these roles only if you connect Closing Cockpit to SAP Central Process Scheduling by Redwood (CPS).
Network and Communication Security
If you want to connect Closing Cockpit to SAP Central Process Scheduling (CPS), see also the security notes related to SAP CPS. For more information, see the SAP Service Marketplace at service.sap.com/process-scheduling. From there you can go to the SAP CPS Administration Guide on SAP Developer Network (SDN).
Important SAP Notes
The following table lists the most important SAP Notes that apply to Closing Cockpit security.
SAP Note | Title | Comment
1057015 | CLOCO: Authorization is not checked
1050929 | CLOCOC: Authorization check for status change
1099023 | CLOCO - authorization check for executing transactions
1112590 | Authorization object of application interface for SAP CPS | Relevant only if connecting to SAP CPS
1106488 | Cronacle 8: SAP process server does not start | Relevant only if connecting to SAP CPS
998833 | Release Restrictions SAP ERP 6.0 - Enhancement Packages | Relevant only if connecting to SAP CPS
Accounts Payable Accounting (FI-AP)
Standard Roles in Accounts Payable Accounting
Role Name
SAP_FI_AP_BALANCE_CARRYFORWARD Vendor Balance Carryforward
SAP_FI_AP_CHANGE-REVERSE_INV Change/Reverse Vendor Invoices
SAP_FI_AP_CHANGE_LINE_ITEMS Change Vendor Line Items
SAP_FI_AP_CHANGE_PARKED_DOCUM Change Parked Vendor Documents
SAP_FI_AP_CHECK_MAINTENANCE Check Processing
SAP_FI_AP_CLEAR_OPEN_ITEMS Clear Vendor Line Items
SAP_FI_AP_CORRESPONDENCE Correspondence – Vendors
SAP_FI_AP_DISPLAY_BALANCES Display Vendor Balances and Items
SAP_FI_AP_DISPLAY_CHECKS Display Checks
SAP_FI_AP_DISPLAY_DOCUMENTS Display Vendor Documents
SAP_FI_AP_DISPLAY_MASTER_DATA Display Vendor Master Data
SAP_FI_AP_DISPLAY_PARKED_DOCUM Display Parked Vendor Documents
SAP_FI_AP_INTEREST_CALCULATION Vendor Interest Calculation
SAP_FI_AP_INTERNET_FUNCTIONS Internet Functions in Accounts Payable Accounting
SAP_FI_AP_INVOICE_PROCESSING Entry of Vendor Invoices
SAP_FI_AP_KEY_REPORTS Important Reports from Accounts Payable Accounting
SAP_FI_AP_MANUAL_PAYMENT Manual Payment
SAP_FI_AP_PARK_DOCUMENT Park Vendor Documents
SAP_FI_AP_PAYMENT_BILL_OF_EXCH Payment Transaction with Bill of Exchange
SAP_FI_AP_PAYMENT_CHECKS Payment Program with Check Processing
SAP_FI_AP_PAYMENT_PARAMETERS Display of Payment Run Parameters
SAP_FI_AP_PAYMENT_PROPOSAL Create and Process Proposal for a Payment Run
SAP_FI_AP_PAYMENT_RUN Payment Run Update Run without Printing Payment Medium
SAP_FI_AP_PCARD Payment Card (Procurement Card)
SAP_FI_AP_PERIOD_END_ACTIVITY Accounts Payable Accounting Period Closing
SAP_FI_AP_POST_PARKED_DOCUM Post Parked Vendor Document
SAP_FI_AP_RECURRING_DOCUMENTS Vendor Recurring Entry Documents
SAP_FI_AP_SAMPLE_DOCUMENTS Edit Sample Documents: Accounts Payable Accounting
SAP_FI_AP_VENDOR_MASTER_DATA Vendor Master Data Maintenance
SAP_FI_AP_WITHHOLDING_TAX Withholding Tax Processing
Accounts Receivable Accounting (FI-AR)
Authorizations
Standard Roles in Accounts Receivable Accounting
Role Name
SAP_FI_AR_BALANCE_CARRYFORWARD Customer Balance Carryforward
SAP_FI_AR_BILL_OF_EXCHANGE Process Bill of Exchange
SAP_FI_AR_CHANGE-REVERSE Change/Reverse Customer Postings
SAP_FI_AR_CHANGE_LINE_ITEMS Change Customer Items
SAP_FI_AR_CHANGE_PARKED_DOCUM Change Parked Document
SAP_FI_AR_CLEAR_OPEN_ITEMS Clear Customer Items
SAP_FI_AR_CREDIT_MASTER_DATA Credit Management Master Data
SAP_FI_AR_CUST_DOWN_PAYMENTS Processing of Customer Payments
SAP_FI_AR_DISPLAY_CREDIT_INFO Display Credit Data
SAP_FI_AR_DISPLAY_CUST_INFO Display Customer Information
SAP_FI_AR_DISPLAY_DOCUMENTS Display Customer Documents
SAP_FI_AR_DISPLAY_MASTER_DATA Display Customer Master Data
SAP_FI_AR_DISPLAY_PARKED_DOCUM Display Parked Customer Document
SAP_FI_AR_DUNNING_PROGRAM Dunning Program
SAP_FI_AR_INTEREST_CALCULATION Customer Interest Calculation
SAP_FI_AR_INTERNET_FUNCTIONS Internet Functions for Accounts Receivable Accounting
SAP_FI_AR_KEY_REPORTS Important Reports for Accounts Receivable Accounting
SAP_FI_AR_MASTER_DATA Customer Master Data Maintenance
SAP_FI_AR_PARK_DOCUMENT Park Customer Documents
SAP_FI_AR_PAYMENT_CARD_PROCESS Payment Card Processing
SAP_FI_AR_PERIOD_END_PROCESS Closing Operations: Accounts Receivable Accounting
SAP_FI_AR_POST_ENTRIES Post Customer Invoices and Credit Memos
SAP_FI_AR_POST_MANUAL_PAYMENTS Post Incoming Payments Manually
SAP_FI_AR_POST_PARKED_DOCUMENT Post Parked Customer Document
SAP_FI_AR_PRINT_CORRESPONDENCE Correspondence with Customers
SAP_FI_AR_RECURRING_DOCUMENTS Customer Recurring Entry Documents
SAP_FI_AR_SAMPLE_DOCUMENTS Customer Sample Documents
SAP_FI_AR_VALUATION Valuation of Customer Items
Data Storage Security
You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.
Bank Accounting (FI-BL)
Authorizations
Standard Roles in Bank Accounting
Role Name
SAP_FI_BL_ACCOUNT_REPORTS Financial Status Information
SAP_FI_BL_BANK_MASTERDAT_DISPL Display of Bank Master Data
SAP_FI_BL_BANK_MASTER_DATA Maintenance of Bank Master Data
SAP_FI_BL_BANK_STATEMENT Process Account Statement
SAP_FI_BL_BILL_OF_EX_PRESENT Bill of Exchange Presentation
SAP_FI_BL_BILL_OF_EX_REPORTS Reports on Bill of Exchange Holdings
SAP_FI_BL_CASHED_CHECKS Cashed Checks
SAP_FI_BL_CASH_JOURNAL Cash Journal
SAP_FI_BL_CHECK_DELETE Deletion of Checks
SAP_FI_BL_CHECK_DEPOSIT Check Deposit
SAP_FI_BL_CHECK_MANAGEMENT Check Management
SAP_FI_BL_CHECK_MGMENT_DISPLAY Display of Managed Checks
SAP_FI_BL_INTRADAY_STATEMENT Import Intraday Account Statement Information (USA)
SAP_FI_BL_LOCKBOX Processing the Lockbox - Data
SAP_FI_BL_ONLINE_PAYMENT Make Online Payments
SAP_FI_BL_PAYMENT_TRANSACTIONS Payment Processing
SAP_FI_BL_PAYME_ADVICE_REPORTS Payment Advice Note Reports
SAP_FI_BL_POR_PROCEDURE Incoming Payments via ISR Procedure (Switzerland)
SAP_FI_BL_RETURNED_BILL_OF_EX Returned Bills of Exchange
Data Storage Security
You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.
Asset Accounting (FI-AA)
Authorizations
Standard Roles in Asset Accounting
Role Name
SAP_AUDITOR_BA_FI_AA AIS Fixed Assets
SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)
SAP_FI_AA_ASSET_ARCHIVING Archiving Activities
SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction
SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting
SAP_FI_AA_ASSET_EXPLORER Asset Explorer
SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System
SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance
SAP_FI_AA_ASSET_REVALUATION Revaluation Activities
SAP_FI_AA_ASSET_TRANSACTIONS Asset Transactions
SAP_FI_AA_CURRENT_SETTINGS Current Settings
SAP_FI_AA_EVERY_MANAGER Activities for Cost Center Manager
SAP_FI_AA_GROUP_ASSET Maintain Group Asset
SAP_FI_AA_KEY_REPORTS Important Reports in Asset Accounting
SAP_FI_AA_PERIODIC_PROCESSING Periodic Processing
SAP_FI_AA_PROBLEM_ANALYSIS Tools for Analyzing Problems
SAP_FI_AA_YEAR_END_CLOSING Year-End Closing
Network and Communication Security
Asset Accounting provides BAPIs for communicating with third-party systems.
Communication Destinations
For workflow tasks, you sometimes need either the WF-BATCH user or a user that you can use for background steps of this kind. To execute the decision steps required before reaching these background steps, you need a user that is explicitly assigned (rather than a user like WF-BATCH).
Important SAP Notes
Number Short Text
38957 Fields are not displayed/ready for input
335170 Authorization check AW01/AW01N
372724 Maintenance of report variants
460548 AW01N: Depreciation areas are not displayed
540785 FAQ note: Reporting of Asset Accounting
141876 Authorization checks in asset reporting
544703 FAQ Mass change/Mass retirement
Travel Management (FI-TV)
Authorizations
Standard Roles in Travel Management
Role Name
SAP_FI_TV_TRAVELER Traveler
SAP_FI_TV_TRAVEL_ASSISTANT Travel Assistant
SAP_FI_TV_ADMINISTRATOR Travel Administrator
SAP_FI_TV_MANAGER_GENERIC Approving Manager
SAP_FI_TV_ADVANCE_PAYER Trip Advance Payer
SAP_FI_TV_TRAVEL_MANAGER Travel Manager
SAP_FI_TV_WEB_POLICY_ADMIN Travel Policy Administrator
The role enables the user to execute guideline management in SAP NetWeaver Business Client (NWBC).
SAP_FI_TV_WEB_APPROVER Approving Manager
The role enables the user to execute the worklist (POWL) of the Approving Manager and the related applications in NWBC.
The role contains the required authorization profile for the Approving Manager for calling the Web Dynpro ABAP applications in the Enterprise Portal.
SAP_FI_TV_WEB_ASSISTANT Travel Assistant
The role enables the user to execute the worklist (POWL) of the Travel Assistant and the related applications in NWBC.
The role contains the required authorization profile for the Travel Assistant for calling the Web Dynpro ABAP applications in the Enterprise Portal.
SAP_FI_TV_WEB_TRAVELER Traveler
The role enables the user to execute the worklist (POWL) of the Traveler and the related applications in NWBC.
The role contains the required authorization profile for the Traveler for calling the Web Dynpro ABAP applications in the Enterprise Portal.
Authorization Profiles
SAP supplies travel profile FI-TV (infotype 0470 in Human Resources (HCM)). You can also create the authorization profile based on the organizational affiliation using the characteristic TRVCP.
Authorization Objects
Travel Management uses authorization object P_TRAVL for all general functions.
Transfer of travel expenses to Accounting is protected by authorization objectF_TRAVL.
The status of the travel plan is protected by authorization object F_TRAVL_S.
Network and Communication Security
In Travel Management you can configure connections to the following Global Distribution Systems (GDS):
● Amadeus: The Gateway is the responsibility of the partner.
● Galileo: The Gateway is the responsibility of the partner.
● Sabre: Communication with the Web service uses HTTPS or a Gateway that is the responsibility of the partner.
Alternatively or in addition, you can configure direct connections to the following travel service providers using SAP Exchange Infrastructure (XI):
● Flight reservation systems, for example, low cost carrier providers: The communication with the Web services uses HTTPS or HTTP depending on the partner.
● Hotel reservation systems, for example, HRS: The communication with the Web services uses HTTPS or HTTP depending on the partner.
● Rail portals, for example Deutsche Bahn (BIBE): The communication with the Web service uses HTTPS.
In Travel Management you can configure XI connections to credit card companies for credit card clearing. Agree the security of the connection with the respective partner.
For more information, see the SAP Library under Travel Management (FI-TV) → Travel Expenses (FI-TV-COS) → Credit Card Clearing.
Data Storage Security
Travel Management transmits credit card information to the named partners. It is not possible to access the data in the SAP system.
In Customizing (IMG) for Travel Management, the passwords and credit card information are stored in plaintext. The settings are protected by the standard authorization objects for Customizing.
Authorizations in the Special Purpose Ledger (FI-SL)
Standard Roles in Special Purpose Ledger
Role Name
SAP_AUDITOR_BA_FI_SL AIS - Special Purpose Ledger
SAP_AUDITOR_BA_FI_SL_A AIS - Special Purpose Ledger (Authorizations)
SAP_FI_SL_ACTUAL_ASSESSMENT Special Purpose Ledger Actual Assessment
SAP_FI_SL_ACTUAL_DISTRIBUTION Special Purpose Ledger Actual Distribution
SAP_FI_SL_ACTUAL_POSTINGS Special Purpose Ledger Actual Postings
SAP_FI_SL_BATCH_JOBS Run Special Purpose Ledger Jobs in Background
SAP_FI_SL_CURRENCY_TRANSLATION Special Purpose Ledger Currency Translation
SAP_FI_SL_DISPLAY_DOCUMENTS Display Special Purpose Ledger Balances and Documents
SAP_FI_SL_DISPLAY_PLAN Display Special Purpose Ledger Plan
SAP_FI_SL_MODIFY_PLAN Modify Special Purpose Ledger Planning
SAP_FI_SL_PLAN_ASSESSMENT Edit Plan Assessment
SAP_FI_SL_PLAN_DISTRIBUTION Plan Distribution
SAP_FI_SL_ROLLUP Special Purpose Ledger Rollup
Authorization Objects in Special Purpose Ledger
Object Name
G_022_GACT FI-SL Customizing: Transactions
G_800S_GSE Special Purpose Ledger Sets: Set
G_802G_GSV Special Purpose Ledger Sets: Variable
G_806H_GRJ FI-SL Rollup
G_820_GPL FI-SL Planning: Planning Parameters
G_821S_GSP FI-SL Planning: Distribution Keys
G_880_GRMP FI-SL Customizing: Global Companies
G_881_GRLD FI-SL Customizing: Ledger
G_888_GFGC FI-SL Customizing: Field Movements
G_ADMI_CUS Central Administrative FI-SL Tools
G_ALLOCTN Special Purpose Ledger - Assessment/Distribution
G_GLTP Special Purpose Ledger - Database (Ledger, Record Type, Version)
G_REPO_GLO FI-SL: Global Reporting (Global Company)
G_REPO_LOC FI-SL: Local Reporting (Company Code)
Treasury
Network and Communication Security
Communication with external systems is possible using standard interfaces via BAPI, IDoc, and XI.
Communication Destinations
In certain cases a technical user may be required for applying BAPIs.
Data Storage Security
Treasury accesses financial transaction data that can be particularly sensitive. Access is protected by the roles described in the Authorizations section.
More Security Information
All authorizations are controlled by means of roles and profiles. In addition you can further increase the system security by making a number of Customizing settings such as trader authorization and posting release. However, the authorization check itself must always be run on the basis of roles and profiles.
Important SAP Notes
See SAP Notes 445148 (Access of the tax authorities to stored data) and 683810 (CFM-TM Tax reduction law: Separate authorization) for information about the German principles of data access and verifiability of digital documentation (GDPdU).
Authorizations
Standard Roles in Corporate Finance Management
Role Name
SAP_CFM_ADMINISTRATOR Administrator
SAP_CFM_DEALER Dealer
SAP_CFM_IHC_SUPERVISOR In-House Cash Supervisor
SAP_CFM_LIMIT_MANAGER Limit Manager
SAP_CFM_RISK_CONTROLLER Risk Controller
SAP_CFM_TM_BACKOFFICE_PROCES Settler
SAP_CFM_TM_FUND_MANAGER Fund Manager
SAP_CFM_TM_STAFF_ACCOUNTANT Accountant
SAP_CFM_TM_TRADE_CONTROLLER Trade Controller
SAP_CFM_TREASURY_MANAGER Treasury Manager
Standard Roles in Treasury
Role Name
SAP_TR_ADMINISTRATOR Administrator
SAP_TR_LO_CREDIT_ANALYST Credit Analyst
SAP_TR_LO_DEPARTM_MANAGER Manager of Loans Department
SAP_TR_LO_LOANS_OFFICER Loans Officer
SAP_TR_LO_ROLLOVER_OFFICER Rollover Officer
SAP_TR_LO_STAFF_ACCOUNTANT Staff Accountant for Loans
SAP_TR_TM_BACKOFFICE_PROCES Settler
SAP_TR_TM_CASH_MANAGER Cash Manager
SAP_TR_TM_FUND_MANAGER Fund Manager
SAP_TR_TM_RISK_CONTROLLER Risk Controller
SAP_TR_TM_STAFF_ACCOUNTANT Accountant
SAP_TR_TM_TRADER Dealer
SAP_TR_TM_TRADE_CONTROLLER Trade Controller
SAP_TR_TREASURY_MANAGER Treasury Manager
Transaction Roles
Role Function
SAP_AUDITOR_BA_CFM (AIS - Audit Information System)
Makes possible a structured, preconfigured collection of evaluations in Treasury. The menu required for this is an integral part of this role. The appropriate authorization role is SAP_AUDITOR_BA_CFM_A (AIS authorizations for SAP applications except HR).
SAP_AUDITOR_TAX_TR (AIS - Audit Information System transaction role)
Offers a structured, preconfigured collection of evaluations for the tax audit in Treasury. The menu required for this is an integral part of this role. The appropriate authorization roles are SAP_AUDITOR_TAX_TR_A (AIS tax auditor, authorizations) and SAP_AUDITOR_TAX_A (AIS tax auditor central functions, authorizations). For more information, see SAP Note 503678.
Authorization Roles
Role Function
SAP_AUDITOR_BA_CFM_A (AIS - Audit Information System)
Enables read access to business audit in Treasury. The appropriate transaction role is SAP_AUDITOR_BA_CFM (AIS transactions for SAP applications except HR).
SAP_AUDITOR_TAX_TR_A (AIS - Audit Information System)
Enables read access for the tax auditor. The appropriate transaction role is SAP_AUDITOR_TAX_TR (AIS – tax audit, Treasury). For more information, see SAP Note 503678.
There is an enhanced authorization check for the roles SAP_AUDITOR_TAX_TR and SAP_AUDITOR_TAX_TR_A. For information, see SAP Notes 445148 and 683810.
Controlling
Important SAP Notes
See the following SAP Notes on authorizations in Controlling that do not refer to program corrections:
Number Short Text
15211 CO form reports: authorization concept
16371 Authorization for dist. key and plan. parameter
39140 Message KB015 unjustified
49640 More detailed authorization f. summariz.objects
51731 Missing Authorizations for Internal Orders
60522 Author.check B_USERSTAT during business transaction
74676 CO Reports: Extract Authorizations
75970 Missing Authorizations for Internal Orders: Reports
80065 Drill-down reporting: no line items for report line
93695 Authorization for orders with 'release immediately'
98580 Drill-down reporting: Error message KH702
123022 Adv.corr.:authrztn f.reportng in act.-based costing
136325 Report Writer: Authorizatn group for standard repts
155752 Drill-down report: Authorization check mass print
159408 CJ41/CJ43:author. for detailed planning is missing
164166 CO-PA: Planning:Long runtime dur.authorizatn check
165087 Drilldown report: authorization check for intervals
175063 Msg 5A252 whn displying/changing standard hierarchy
211991 Authorizatn objcts, enterprise organizatn generatn
313077 Incorrect long text for error message KC040
317824 Drilldown report: authorizatn check and hierarchies
319858 Grp maintce: profile generator with S_PROGRAM = '*'
337885 ALLOCATION: cycle maintnce authrztn frm Easy Access
359664 Problems with old personalization profiles (KEPM)
370082 Authorizations: information about responsibility area
378687 Authorizations: CO_ACTION field entry
386065 Report shows different data for each user
390214 KEPM: Splitting of "changing" authorizations
402757 Drilldown reporting: Authorization object K_CKBOB
412570 Line item display despite missing authorization
425703 KP06ff.: Authorization object K_KA09_KVS
435072 Authorizations: Enhancement of responsibility area
438079 K_COSTCTR_BAPI_GETLIST must check authoriztn more precisely
438492 Change characteristics possible even though display only
448765 KPR6 - Dump SAPSQL_INVALID_FIELDNAME
451621 Authorization concept in KEPM
459864 Group maintenance: Authorization G_800S_GSE
487762 KE21N: Authoriztn check for entered characteristic values
500012 New authorization check for tax reduction law in CO
506164 ALLOCATION:Information message GA185 during list output
515483 Group maintenance: Authorizations
520193 Transporting CO-PA reports without authorization object
545223 Retractor: Error message RD403
554340 Report Writer: enhancement GRWTAUTH without example code
556090 Drilldown rprtng: incorrect header (graphical output)
560803 Closing billing elements with warning message
564757 Tax reduction law in CO: goto line item report via RRI
578105 Group maintenance: Authorization G_800S_GSE, part II
594899 Authorization check with internal orders K_ORDER RESPAREA
602445 Group maintenance: Authorization G_800S_GSE for 4.5
604107 MPO_PERS_FILL_CC: Explode cost center hierarchy
611798 ALLOCATION: Information message GA185 with list output
616112 KKA2, KKAJ: Enhancement for authorizations
616338 RESPAREA: Maintain group authorizations as intervals
616580 ALLOCATION: Authorizations for the cancellation of cycles
623650 ISR form terminates: Missing authorizations
625873 KSA3/KSA8: Validation on authorization object K_CCA
638364 KJH3: Display mode and authorizations
667123 ALLOCATIONS: Error message GA 776 incomprehensible
673260 KBxxN: Authorization object K_PVARIANT missing in profile
Authorizations in Controlling
Standard Roles in Controlling
Role Description
SAP_CO_DAILY Cross-Application Day-to-Day Activities
SAP_CO_DAILY_CATS Cross-Application Day-to-Day Activities - CATS
SAP_CO_DOCUMENT_LIST Display Accounting Documents
SAP_CO_OM_REPORT_COSTCTR_OM_L Reports for Cost Centers (only OLTP)
SAP_CO_OM_REPORT_COST_ELEMENT Reports for Cost Elements
SAP_CO_OM_REPORT_INTORDER_C Reports for Internal Orders (as with BW)
SAP_CO_OM_REPORT_INTORDER_L Reports for Internal Orders (only OLTP)
SAP_CO_OM_REPORT_PROCESS_C Reports for Business Processes (as with BW)
SAP_CO_OM_REPORT_PROCESS_L Reports for Business Processes (only OLTP)
SAP_CO_OM_REPORT_TOOLS Report Tools for Overhead Cost Controlling
SAP_CO_PA_ADJUSTMENTS Profitability Analysis Adjustments
SAP_CO_PA_BASICDATA_CHARACTER Maintain Characteristic Values/Derivation in Profitability Analysis
SAP_CO_PA_BASICDATA_DISPLAY Display CO-PA Master Data
SAP_CO_PA_BASICDATA_VALUATION Maintain Valuation in Profitability Analysis
SAP_CO_PA_PEREND Profitability Analysis: Period-End Closing
SAP_CO_PA_PLANNING_AIDS Maintain Planning Aids for Sales and Profit Planning
SAP_CO_PA_PLANNING_EXEC_PROF Execute Sales and Profit Planning
SAP_CO_PA_PLANNING_EXEC_WEB Enter Sales and Profit Planning Data Via the WWW
SAP_CO_PA_PLANNING_INTEGRATION Integrated Data Transfers in Sales and Profit Planning
SAP_CO_PA_PLANNING_SETUP Set Up Sales and Profit Planning
SAP_CO_PA_REPORT_DEMO Execute Demo Reports for Profitability Analysis
SAP_CO_PA_REPORT_DESIGN_L_ITEM Define Line-Item-Based Reports for Profitability Analysis
SAP_CO_PA_REPORT_DESIGN_STD Define Profitability Reports
SAP_CO_PA_REPORT_EXECUTE Execute Profitability Reports
SAP_CO_PA_SET_OPERATINGCONCERN Set Operating Concern
SAP_CO_PA_VALUE_FLOW_ANALYSIS Analyze Value Flows in Profitability Analysis
SAP_CO_PC_ACT_MATERIAL_CONTROL Change Material Price Determination (Actual Costing)
SAP_CO_PC_ACT_MATERIAL_DISPLAY Material Price Analysis (Actual Costing)
SAP_CO_PC_ACT_ORG_MEASURES_SL Organizational Measures (Actual Costing)
SAP_CO_PC_ACT_SETTINGS Set Material Ledger
SAP_CO_PC_DAILY_MAT_DEBIT_CRED Debit/Credit Materials
SAP_CO_PC_DAILY_MAT_PRICEMAINT Maintain and Release Material Prices
SAP_CO_PC_JOB_MANUFORDER Display Manufacturing Orders
SAP_CO_PC_JOB_MANUFORDER_CO Maintain CO Production Orders
SAP_CO_PC_JOB_SALESORDER Display Sales Orders
SAP_CO_PC_MODEL Modeling: Product Cost Controlling
SAP_CO_PC_MODEL_COSTING Costing Models
SAP_CO_PC_MODEL_MATERIAL_CONTR Maintain Material Ledger Update
SAP_CO_PC_OBJECT_COCOLLECTOR Maintain Product Cost Collector
SAP_CO_PC_OBJECT_COOBJHIER Maintain Cost Object Hierarchy
SAP_CO_PC_OBJECT_COOBJID Maintain Cost Object
SAP_CO_PC_PEREND_ACT_MLEVEL Maintain Multilevel Actual Costing
SAP_CO_PC_PEREND_ACT_MLEVEL_DP Display Multilevel Actual Costing
SAP_CO_PC_PEREND_ACT_SLEVEL_PC Closing Entry of Individual Materials
SAP_CO_PC_PEREND_ACT_SLEVEL_PD Single-Level Material Price Determination of Individual Materials
SAP_CO_PC_PEREND_COCOLLECT_COL Period-End Closing for Product Cost Collectors - Collective Processing
SAP_CO_PC_PEREND_COCOLLECT_IND Period-End Closing for Product Cost Collectors - Individual Processing
SAP_CO_PC_PEREND_COCOLLECT_WLM Period-End Closing for Product Cost Collectors - Worklist
SAP_CO_PC_PEREND_COOBJHIER_COL Period-End Closing for Cost Object Hierarchy - Collective Processing
SAP_CO_PC_PEREND_COOBJHIER_IND Period-End Closing for Cost Object Hierarchy - Individual Processing
SAP_CO_PC_PEREND_COOBJHIER_WLM Period-End Closing for Cost Object Hierarchy - Worklist
SAP_CO_PC_PEREND_COOBJID_COLL Period-End Closing for Cost Objects - Collective Processing
SAP_CO_PC_PEREND_COOBJID_IND Period-End Closing for Cost Objects - Individual Processing
SAP_CO_PC_PEREND_MANUFORD_COL Period-End Closing for Manufacturing Orders - Collective Processing
SAP_CO_PC_PEREND_MANUFORD_IND Period-End Closing for Manufacturing Orders - Individual Processing
SAP_CO_PC_PEREND_MANUFORD_WLM Period-End Closing for Manufacturing Orders - Worklist
SAP_CO_PC_PEREND_SALESORD Period-End Closing for Sales Orders
SAP_CO_PC_PEREND_SALESORD_WLM Period-End Closing for Sales Orders - Worklist
SAP_CO_PC_PLAN_AUTH_EXPL_FACI Transaction Authorizations for Explanation Facility
SAP_CO_PC_PLAN_COCOLLECTOR Preliminary Costing for Product Cost Collectors
SAP_CO_PC_PLAN_COOBJID Periodic Planning for Cost Objects (General)
SAP_CO_PC_PLAN_MAT_PRICEDETERM Material Costing / Costing Run
SAP_CO_PC_PLAN_MAT_PRICERELEAS Mark and Release Standard Cost Estimate
SAP_CO_PC_PLAN_REFERENCE_SIMUL Multilevel Unit Costing
SAP_CO_PC_PLAN_SALESORDER_BOM Sales Orders - Order BOM Cost Estimate
SAP_CO_PC_REPORT_COCOLLECTOR Reports for Product Cost Collector
SAP_CO_PC_REPORT_COOBJHIER Reports for Cost Object Hierarchy
SAP_CO_PC_REPORT_COOBJID Reports for Cost Objects
SAP_CO_PC_REPORT_MANUFORDER Reports for Manufacturing Orders
SAP_CO_PC_REPORT_MATERIAL_ESTI Reports for Material Costing
SAP_CO_PC_REPORT_MATERIAL_LEDG Reports for Material Ledger and Actual Costing
SAP_CO_PC_REPORT_PROD_CAMPAIGN Reports for Production Campaigns
SAP_CO_PC_REPORT_PRODUCTDRILL Reports for Product and Plant
SAP_CO_PC_REPORT_REFERENCE_SIM Reports for Base Planning Objects
SAP_CO_PC_REPORT_SALESORDER Reports for Sales Orders
SAP_CO_PC_REPORT_SUMMARIZATION Reports with Object Summarization
SAP_CO_PC_REPORT_TOOLS Product Drilldown Reporting - Create Own Reports
SAP_CO_PEREND_CLOSING_PERIOD Maintain Period Lock
SAP_CO_PEREND_DISPLAY Schedule Manager - Display Functions
SAP_CO_PEREND_MAINTAIN Schedule Manager - Maintenance Functions
SAP_CO_RECONCILIATION_LEDGER Controlling: Maintain Reconciliation Ledger
SAP_CO_SET_CONTROLLING_AREA Set Controlling Area
SAP_CO_CRM_REP Reports/Master Data for CO Integration of CRM Services
SAP_CO_CRM_REP_PEC CO Integration CRM Service
SAP_CO_CRM_REP_PEC_IMG CO Integration CRM Service with Modeling
For general information on the authorizations in Controlling, see SAP Help Portal at help.sap.com on the tab Documentation → SAP ERP Central Component → Release xx → SAP ERP Central Component → Accounting → Controlling (CO) → Controlling (CO) → Methods in Controlling → Authorizations and under Accounting → Controlling (CO) → Profitability Analysis (CO-PA) → Information System → Authorization Objects in the Information System.
Information on the authorizations for the Controlling functions in Manager Self-Service (MSS) and for the role of the Business Unit Analyst (BUA) can be found in this Security Guide under Cross-Application Components → Self-Services [page 24].
Authorizations in Profit Center Accounting
Standard Roles in Profit Center Accounting
Role Name
SAP_AUDITOR_BA_EC_PCA AIS - Profit Center Accounting
SAP_AUDITOR_BA_EC_PCA_A AIS - Profit Center Accounting (Authorizations)
SAP_EC_PCA_ARCHIVING Profit Center Accounting Archiving
SAP_EC_PCA_MODEL Maintain Cycles for Assessment, Distribution, and Reposting (EC-PCA)
SAP_EC_PCA_MODEL_TP_DISPLAY Display Transfer Prices
SAP_EC_PCA_MODEL_TP_MAINTAIN Maintain Transfer Prices
SAP_EC_PCA_OBJECT_DISPLAY Display Profit Center Master Data
SAP_EC_PCA_OBJECT_MAINTAIN Maintain Profit Center Master Data
SAP_EC_PCA_PEREND Period-End Closing in Profit Center Accounting
SAP_EC_PCA_PEREND_POSTINGS Data Entry for Profit Center Accounting
SAP_EC_PCA_PLAN_CLOSING Plan Closing in Profit Center Accounting
SAP_EC_PCA_PLANNING Planning in Profit Center Accounting
SAP_EC_PCA_REPORT Profit Center Accounting - Line Items and Totals Records
SAP_EC_PCA_REPORT1 Profit Center Accounting - Drilldown Reports
SAP_EC_PCA_REPORT2 Profit Center Accounting - Report Painter Reports
SAP_EC_PCA_REPORT3 Profit Center Accounting - Reports from Other Components
Authorization Objects in Profit Center Accounting
Object Name
K_PCA EC-PCA: Responsibility Area, Profit Center
K_PCAB_DEL EC-PCA: Delete Transaction Data
K_PCAD_UM EC-PCA: Assessment/Distribution
K_PCAF_UEB EC-PCA: FI Data Transfer
K_PCAI_UEB EC-PCA: Actual Data Transfer
K_PCAL_GEN EC-PCA: Generate and Activate Ledger
K_PCAM_UEB EC-PCA: MM Data Transfer
K_PCAP_SET EC-PCA: Planning Hierarchy
K_PCAP_UEB EC-PCA: Plan Data Transfer
K_PCAR_REP EC-PCA: Summary and Line Item Reports
K_PCAR_SRP EC-PCA: Standard Reports and Datasets
K_PCAS_PRC EC-PCA: Profit Center
K_PCAS_UEB EC-PCA: SD Data Transfer
K_PCA_REAL EC-PCA: Realignment for PrCtr Assignments to CO Master Data
Network and Communication Security
Controlling is integrated with Microsoft Office®. For information on security aspects of Microsoft Office® applications, refer to the documentation of those products.
Communication in Manager Self-Service (MSS) and in the Web Application for the Business Unit Analyst (BUA) is based on Remote Function Calls (RFCs).
Communication Destinations
Technical users are required for communication over ALE, for batch reporting, and for third-party providers that access Controlling data.
Consolidation (EC-CS)
Authorizations
Authorization Objects in Consolidation
Authorization Object Description
E_CS_BUNIT Consolidation unit
E_CS_CACTT Consolidation tasks
E_CS_CONGR Consolidation group
E_CS_DEFRM SAP Consolidation: Data entry layout
E_CS_DIMEN View
E_CS_ITCLG Consolidated chart of accounts
E_CS_JEFRM SAP Consolidation: Journal entry layout
E_CS_PERMO Monitor, opening/closing of periods
E_CS_RPTNG Reporting with Report Writer/Report Painter and Drilldown Reports
E_CS_RVERS Version
For more information, see the Implementation Guide for Enterprise Controlling at
Consolidation → Preparing for Production → Authorization Management.
Authorization Profiles in Consolidation
Authorization profile Description
E_CS_ALL Full Authorization for EC-CS
E_CS_DISPLAY Display Authorization for EC-CS
Standard Roles in Consolidation
Role Name
SAP_AUDITOR_BA_EC_CS AIS – Consolidation
SAP_AUDITOR_BA_EC_CS_A AIS – Consolidation (Authorizations)
SAP_EC_CS_FUNCTIONS_DETAIL Consolidation – Detail Functions
SAP_EC_CS_FUNCTIONS_GENERAL Consolidation – General Functions
SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation – Offline Data Entry with Microsoft Access
SAP_EC_CS_RECONCILIATION Consolidation – Reconciliation of Integrated Data
SAP_EC_CS_REPORT_ALL Consolidation – All Reports
SAP_EC_CS_REPORT_CONSDATA Consolidation – Reports with Consolidated Data
Network and Communication Security
Consolidation allows for offline entry of data using Microsoft Access®. Communication takes place via Remote Function Call (RFC).
Data Storage Security
The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.
Accounting Engine
Introduction
This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.
Target Group
● Technology consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
The Need for Security
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to the Accounting Engine. To assist you in securing the Accounting Engine, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to the Accounting Engine.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the Accounting Engine.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management.
○ User types that are required by the Accounting Engine
○ Standard users that are delivered with the Accounting Engine
○ Overview of the user synchronization strategy, if several components or products are integrated
○ Overview of integration options in Single Sign-On environments
● Authorizations
This section provides an overview of the authorization concept that applies to the Accounting Engine.
● Network and Communication Security
This section provides an overview of the communication paths used by the Accounting Engine and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security
This section provides an overview of any critical data that is used by the Accounting Engine and the security mechanisms that apply.
Before You Start
Security Guides Referenced
For a complete list of the SAP Security Guides available, see SAP Service Marketplace
at service.sap.com/securityguide.
Additional Information
For more information about specific topics, see the sources in the table below.
Additional Information
Content SAP Service Marketplace
Security service.sap.com/security
Security Guides service.sap.com/securityguide
Related SAP Notes service.sap.com/notes
Platforms permitted service.sap.com/platforms
Network security service.sap.com/network, service.sap.com/securityguide
Technical infrastructure service.sap.com/ti
SAP Solution Manager service.sap.com/solutionmanager
Technical System Landscape
Use
The figure below shows an overview of the technical system landscape for the Accounting Engine.
[Figure: Technical system landscape of the Accounting Engine. Components shown: Accounting Views (Contribution Margin, Balance, Overhead Costs, Journal), Document Creation Services (AP/AR Protocol, C&R Protocol, GJ Protocol), Document View Knowledge, Business Transactions, Security Transaction, Production Order Confirmation, Incoming Payment, Outgoing Invoice.]
For more information about the technical system landscape, see the sources listed in the table below.
More Information About the Technical System Landscape
Topic Guide/Tool SAP Service Marketplace
Technical description for Accounting Engine and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration; High availability | Technical Infrastructure Guide | service.sap.com/ti
Security | (none) | service.sap.com/security
User Administration and Authentication
The Accounting Engine uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in SAP Web AS Security Guide for ABAP Technology also apply to the Accounting Engine.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Accounting Engine in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the Accounting Engine.
● Integration into Single Sign-On Environments
This topic describes how the Accounting Engine supports Single Sign-On mechanisms.
User Management
Use
User management for the Accounting Engine uses the mechanisms provided by SAP Web Application Server ABAP, for example, tools, user types, and password policies.
Integration into Single Sign-On Environments
Use
The Accounting Engine supports the Single Sign-On (SSO) mechanisms provided by SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP Web Application Server also apply to the Accounting Engine.
The mechanisms supported are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
For more information, see Secure Network Communications (SNC) in the SAP Web Application Server Security Guide.
SAP Logon Tickets
The Accounting Engine supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP Web Application Server Security Guide.
Client Certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the SAP Web Application Server Security Guide.
Authorizations
Use
The Accounting Engine uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP Web AS ABAP also apply to the Accounting Engine.
Authorization Objects
The Business Accounting of the Bank Analyzer [External] uses the following authorization groups for IMG activities and adjustment programs:
● A1* = authorization for technical issues (configuration)
● A2* = authorizations for business issues
● *EN = authorization for the accounting entities
● *G1 = authorization for General Ledger Accounting (GL)
● *PM = authorization for Profitability Management
Other individual authorization objects are documented in the system.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Accounting Engine is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Accounting Engine. Details that specifically apply to the Accounting Engine are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and logs used by the Accounting Engine.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
Communication Channel Security
Communication Paths
Communication Path           Protocol Used
ERP to BW                    RFC
ERP to Bank Analyzer         RFC
DIAG and RFC connections can be protected using Secure Network Communications (SNC).
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
Use
The Accounting Engine communicates with its destinations using RFC.
The configuration of the RFC destinations is controlled using transaction SM59.
If no technical user is defined for the destination, the RFC connection is made without a stored technical user.
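The SM59 settings that matter for this communication path (SNC on the RFC connection, a stored technical user or a trusted system connection instead of it) are worth checking mechanically across all destinations rather than one at a time. The following Python script is an added example written for this page, not SAP code: the Destination record is a constructed, simplified layout rather than the SM59/RFCDES format, the rows are made-up sample data with placeholder hosts and user names, and the quality-of-protection values follow the SNC convention (1 = authentication only, 2 = integrity, 3 = privacy, 8 = default, 9 = maximum).

```python
"""Added example (not SAP code): audit RFC destinations for the transport protection
this guide describes. The Destination layout is a constructed simplification, not the
SM59/RFCDES format, and the sample rows are invented."""
from dataclasses import dataclass
from typing import List, Tuple

# SNC quality of protection levels: 1 = authentication only, 2 = integrity,
# 3 = privacy, 8 = use the default, 9 = maximum available. Only 3 and 9
# guarantee that the payload is encrypted.
QOP_PRIVACY = {3, 9}


@dataclass(frozen=True)
class Destination:
    name: str          # destination name as maintained in SM59
    conn_type: str     # "3" = ABAP connection to another SAP system
    target: str        # target host (placeholder values below)
    snc_active: bool   # SNC switched on for this destination
    snc_qop: int       # SNC quality of protection, meaningful only if snc_active
    logon_user: str    # stored technical user, "" if none is defined
    trusted: bool      # trusted system connection (no password stored)


# Constructed sample modeled on the ERP -> BW and ERP -> Bank Analyzer paths above.
SAMPLE: List[Destination] = [
    Destination("BWCLNT100", "3", "bwhost.example.net", True, 1, "RFC_BW", False),
    Destination("BANKANALYZER", "3", "bahost.example.net", False, 0, "RFC_BA", False),
    Destination("AISSYS", "3", "aishost.example.net", False, 0, "", True),
    Destination("XI_INTEGRATION", "3", "xihost.example.net", True, 3, "", True),
    Destination("PRINTSERVER", "T", "printhost.example.net", False, 0, "", False),
]


def audit(destinations: List[Destination]) -> List[Tuple[str, str]]:
    """Return (destination, finding) pairs for ABAP connections; other types are skipped."""
    findings: List[Tuple[str, str]] = []
    for d in destinations:
        if d.conn_type != "3":
            continue  # SNC as described in this guide protects RFC/DIAG between SAP systems
        if not d.snc_active:
            findings.append((d.name, f"SNC not active: RFC traffic to {d.target} "
                                     f"is not protected at the transport layer"))
            if d.logon_user and not d.trusted:
                # A stored user without SNC means a password logon over an unprotected channel.
                findings.append((d.name, f"stored logon user {d.logon_user} authenticates "
                                         f"with a password over an unprotected connection"))
        elif d.snc_qop not in QOP_PRIVACY:
            # Authentication- or integrity-only QoP leaves the payload readable.
            findings.append((d.name, f"SNC quality of protection {d.snc_qop} is not privacy (3) "
                                     f"or maximum (9); payload encryption is not guaranteed"))
    return findings


def unprotected_destinations(destinations: List[Destination]) -> List[str]:
    """Names of ABAP destinations with at least one finding, for a quick overview."""
    return sorted({name for name, _ in audit(destinations)})


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Run as is, the script reports four findings over the sample: the Bank Analyzer destination has neither SNC nor a trust relationship and so sends a password over an unprotected channel, the AIS destination is trusted but unencrypted, and the BW destination has SNC switched on but at a quality of protection that authenticates without encrypting. Feeding it a real export means mapping the SM59 fields onto the record above; the checks themselves do not change.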
Data Storage Security
Use
The Accounting Engine accesses sensitive data within the Bank Analyzer [Extern]. The Bank Analyzer checks the authorizations for this sensitive data with user exits. For more information, see the Bank Analyzer Security Guide.
Financial Supply Chain Management
Management of Internal Controls: Security Guide
Use
This Security Guide describes the aspects of the Management of Internal Controls (MIC) component that relate to security. MIC forms part of the software component FINBASIS and uses the application server (AS), Process Integration (XI), and Business Intelligence (BI) from SAP NetWeaver.
Consequently, the following security guides also apply to MIC:
● SAP NetWeaver Security Guide
● SAP Web AS Security Guide ABAP
● SAP Exchange Infrastructure Security Guide
● SAP Business Information Warehouse Security Guide
You find these guides on SAP Service Marketplace at service.sap.com/securityguide.
For more information relevant to security, see SAP Service Marketplace at service.sap.com/security.
Target Audience of the Guide
● Technical consultants
● System administrators
The security guides provide information on all phases of the software life cycle.
Features
The security guide provides information on the following topics:
● Technical System Landscape
This section lists the other systems with which MIC can communicate.
● User Management and Authorizations
This section provides an overview of the following aspects:
○ User Management
○ Roles and Authorizations Concept Specific to MIC
○ Integration into Single Sign-On Environments
● Communication Channel Security
This section provides an overview of the communication paths used by MIC and the security mechanisms that apply.
● Data Storage Security
This section provides an overview of the various data storage options for MIC data.
Technical System Landscape
The following figure provides an overview of the technical system landscape of the component Management of Internal Controls (MIC):
[Figure: MIC connected to XI, BI, AIS, and third-party systems]
MIC can exchange data with the following systems:
● MIC users can display reports from the Audit Information System (AIS), which can be run on the same system as MIC or on a different system.
● MIC data can be extracted into an SAP NetWeaver Business Intelligence system (BI system).
● Via the SAP NetWeaver Process Integration (XI), data can be exchanged with third-party systems. You can transfer test logs from (semi-)automated tests and structure data (from the central process catalog, for example) into the MIC system.
For information about the communication paths, see Communication Channel Security [page 84].
User Management and Authorizations
MIC uses the user management and the authorization concept delivered with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. For this reason, the security recommendations and guidelines described in the SAP Web AS Security Guide for ABAP Technology also apply for MIC.
In addition to these guidelines, the following sections include information about user management and the authorizations applying specifically to MIC:
● User Management [page 65]
This section lists the user management tools and the necessary user types.
● Roles and Authorizations Concept [page 66]
This section describes the MIC-specific roles and authorizations concept that is based in part on the functions of the SAP Web Application Server ABAP (see Standard Roles and Authorization Objects [page 67]) and in part on the functions unique to MIC (see Editing MIC-Specific Roles [page 68]).
● Integration with Single Sign-On Environment [page 84]
This topic describes how MIC supports Single Sign-On mechanisms.
User Management
Use
MIC user management uses the mechanisms provided by SAP NetWeaver, such as tools, user types, and the password concept. For an overview of how these mechanisms affect MIC, see the sections below. These sections also list the users that are required for operating MIC.
User Management Tool
MIC uses user and role maintenance from SAP Web AS ABAP (transactions SU01, PFCG). For more information, see Users and Roles (BC-SEC-USR) [Extern]. To find out which roles are delivered for MIC, see under Standard Roles and Authorization Objects [page 67].
User Types
It is often necessary to create different security policies for different types of users. For example, your policy may specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not those users who perform their tasks using background processing.
Examples of user types required for MIC:
● Individual users (dialog users)
○ Required for logging on to the SAP GUI for Windows for configuring MIC and for MIC administration
○ Required for logging on to the People-Centric User Interface for the operational use of MIC
○ Required for the RFC connection to the BI system
● Technical users
○ A system user is required for the workflow within MIC, for example (user WF-BATCH must have the authorization profile SAP_ALL)
○ A communications user can be required in order to set up the integration with the Audit Information System (AIS) for the RFC connection to the AIS system. Alternatively, you can define the RFC connection as a trusted system connection.
○ A service user is required for the connection of external applications using the Exchange Infrastructure (XI). The user must have the corresponding XI authorization as well as the authorization for the standard role Management of Internal Controls – Business User (SAP_CGV_MIC_BUSINESS_USER). For more information, see the SAP Exchange Infrastructure Security Guide under Service Users for Message Exchange.
Roles and Authorizations Concept
Use
For Management of Internal Controls (MIC), a large number of frequently changing people need to perform tasks in a variety of functions. Consequently, a special roles and authorizations concept has been created for this purpose. Besides the general SAP standard roles that are edited by the system administrator in transaction PFCG, there are also MIC-specific roles comprising a variety of delivered tasks. These MIC-specific roles and their respective tasks allow you to manage the detailed authorizations and the workflow between those involved.
Features
For information about the general standard roles delivered with MIC, see Standard Roles and Authorization Objects [page 67].
The MIC-specific roles refine the authorizations delivered in the standard role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER). An MIC-specific role consists of different tasks with authorizations attached. You can specify which tasks belong to which role. For more information, see Editing MIC-Specific Roles [page 68].
The assignment of an MIC-specific role to one or more persons is dependent on an object (for example, an organizational unit). The assignment is performed in a Web application by different persons throughout the organization hierarchy. The power user triggers this process for the highest level of the organization hierarchy. For more information, see Assigning Roles to Persons [page 83].
To ensure the segregation of duties so that the same person is not authorized to perform an assessment as well as the validation of that assessment, for example, you can define conflict groups. You include in a conflict group any tasks that must not be performed by the same person. You can use these conflict groups to run a check to establish whether the defined segregation of duties is actually reflected in the system. For more information, see Segregation of Duties [Extern].
Activities
1. The system administrator copies the delivered standard role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL), makes any necessary adjustments, and assigns the adjusted copy of the standard role to the MIC power user.
2. The power user edits the MIC-specific roles.
3. The power user defines conflict groups.
4. The power user starts the role assignment procedure in the navigational area on the start page.
5. The power user checks whether the segregation of duties defined in the conflict groups is enforced by the system.
Standard Roles and Authorization Objects
Use
The authorization concept of the SAP NetWeaver Application Server uses the assignment of authorizations to users on the basis of roles. Some general SAP standard roles are delivered with MIC. You can copy and adjust them in Customizing under SAP NetWeaver → Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Maintain Roles (transaction PFCG).
Integration
The standard roles are refined using the MIC-specific Roles and Authorization Concept [page 66].
Features
Standard Roles
MIC uses the following standard roles:
● Management of Internal Controls - Customizing (SAP_CGV_MIC_CUSTOMIZING)
This role contains all necessary authorizations to make the Customizing settings for MIC. This role does not contain any authorizations for the Web applications.
● Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER)
A user with this role is only authorized to perform those specific tasks prescribed by the detailed role concept for MIC. All users that have this role assigned to them must also have at least one MIC-specific role assigned to them. A user may use the Web applications that are specified by the tasks in the MIC-specific role.
● Management of Internal Controls - Power User (SAP_CGV_MIC_ALL)
When this role is assigned to a user, that user is made a power user. In addition to the authorizations that the business user has, a power user also has authorization for administration functions in the MIC Implementation Guide, such as the expert mode for structure setup [Extern]. Moreover, the user has special authorizations in the People-Centric UI, such as those for editing roles and for starting role assignment to persons (see Assigning Roles to Persons [page 83]).
● Management of Internal Controls - Display (SAP_CGV_MIC_DISPLAY)
A user with this role can display Customizing for MIC in the SAP GUI. This role is useful for external auditors, for example. We recommend using this role in addition to the business user role.
For more information, see the documentation on the individual roles in transaction PFCG.
Standard Authorization Objects Relevant to Security
Authorizations for objects of applications belonging to the Application Server and used in MIC are relevant to security in MIC. If you run MIC in a system in which the applications used by MIC are also used productively in other projects, then you need to ensure that you manage the authorizations for the MIC-specific objects separately from the other objects.
● Authorization object Personnel Planning (PLOG) from Organizational Management
The general object types Organizational Unit and Person are used in MIC together with other MIC-specific object types.
Note, therefore, that the organizational units and persons created in other projects are also available in MIC (and vice versa).
● Various authorization objects in Case Management and Records Management
Assessments, tests, issues, and remediation plans are stored in Case or Records Management. The RMS ID FOPC_SOA is relevant for MIC.
Activities
1. Copy the general SAP roles delivered with MIC, and adjust the authorizations in these roles to suit the circumstances in your system.
2. Assign the roles you have adjusted to the appropriate users. While doing so, ensure that no user has been assigned role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL) as well as role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER).
Editing MIC-Specific Roles
Use
An MIC power user can adjust the MIC-specific roles that are delivered in BC Sets and in this way specify the authorizations of a role by assigning the individual tasks.
Features
The power user has the following options for editing MIC-specific roles:
● In Customizing for MIC under Edit Roles
● Using a Web application that can be called up from the MIC start page
SAP delivers sample roles in a BC Set. To be able to use these sample roles, you need to activate the BC Set in Customizing. All other activities for editing roles are possible both in Customizing and in the Web application, although the user interface in the Web application is easier to use.
When editing a role, you assign all the tasks to it that anybody assigned to that role should be allowed to perform. You also specify the role level.
The role level defines whether the tasks can be performed for the entire corporate group, for a single organizational unit, for a process group, for a process, or for a process step.
The tasks are delivered by SAP and cannot be changed. Each task has the following attributes:
● Minimum Role Level: The only tasks you can assign to a role are those with a minimum role level corresponding to the level entered for the role. For example, you can only assign the task Perform Sign-Off at Corporate Level (for which the minimum role level = group) to a role with Corporate level.
● Restricted to One Role: Tasks for which this indicator is selected can only be assigned to one role. Furthermore, the following restriction applies to role assignment: When a role contains a task flagged with this indicator, that role may only be assigned to just one person for an object.
● Processing by One Work Item Recipient Suffices: Tasks flagged with this indicator can be performed by more than one user. However, it is sufficient if only one user performs the task. As soon as one user has completed the task, it is then completed for all other users to whom the task is assigned.
● Web application that the task calls up: Different tasks can call up the same Web application. For example, the task Assign Process to Organizational Unit and the task Edit Attributes of Process Groups Specific to Org Units both call up the Web application Process Assignment for Org Unit. If a person only has authorization for one of the tasks, then that person may only perform that task in the corresponding Web application. If, however, a person has authorization for both tasks, then he/she may perform both, regardless of the task from which the Web application was called up. In this latter case, it is sufficient for just one of the tasks to be scheduled. In this way, you can restrict the number of tasks that need to be sent.
For an overview of the delivered tasks and their attributes, see the following sections:
● Tasks: Central Structure Setup [page 70]
● Tasks: Structure Setup Specific to Organizational Units [page 72]
● Tasks: Control Assessments and Tests [page 76]
● Tasks: Management Control Assessment and Test [page 79]
● Tasks: Reporting and Sign-Off [page 81]
The task Create User is handled differently because a special authorization is required for this task. For more information, see Creating Users and Connecting Users to Persons [Extern].
Analyses
To find out which roles contain a task, you can search for a task in the Web applicationfor processing roles. In this way, you can display all roles that the task is assigned to.Moreover, you can use Authorization Analysis [Extern].
Activities
1. If you want to use the delivered sample roles, activate the relevant BC Set in Customizing. For information about the procedure for this, see the documentation on the IMG activity Edit Roles.
2. Change the delivered sample roles or create your own roles.
3. Activate the roles that you would like to use and then save your entries.
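The rules described under Roles and Authorizations Concept and Editing MIC-Specific Roles (minimum role level, tasks restricted to one role, object-dependent role assignment, conflict groups for segregation of duties) can be exercised with the following Python script. It is an added example written for this page, not SAP code and not the check that MIC itself runs. The task attribute values, role names, persons and object hierarchy are constructed sample data, and two points are interpretations of the text rather than statements from it: a role may carry a task if the role level is at least as broad as the task's minimum role level, and a role assigned on an object also applies to the objects below it in the hierarchy.

```python
"""Added example (not SAP code): a model of the MIC-specific role concept with checks
for the Minimum Role Level, Restricted to One Role and conflict group rules.
All task attributes, roles, persons and objects are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role levels from broadest to narrowest, in the order the guide lists them.
LEVELS = ["Corporate", "Org Unit", "Process Group", "Process", "Process Step"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Task:
    task_id: str
    min_level: str          # Minimum Role Level attribute
    one_role: bool = False  # Restricted to One Role attribute (value assumed here)


@dataclass
class Role:
    name: str
    level: str
    tasks: Set[str] = field(default_factory=set)


# Task IDs from the task tables; the attribute values are assumptions for the example.
TASKS: Dict[str, Task] = {
    "PERF-CDASS": Task("PERF-CDASS", "Process Step"),
    "DISP-CDASS": Task("DISP-CDASS", "Process Step"),
    "VALI-CDASS": Task("VALI-CDASS", "Process"),
    "EDIT-HIER": Task("EDIT-HIER", "Corporate", one_role=True),
    "ASGN-RLCOR": Task("ASGN-RLCOR", "Corporate"),
}

# Hypothetical MIC-specific roles. "Reviewer" is deliberately wrong: a Process Step
# level role carrying a task whose minimum level is Process.
ROLES: Dict[str, Role] = {
    "Control Owner": Role("Control Owner", "Process Step", {"PERF-CDASS", "DISP-CDASS"}),
    "Process Owner": Role("Process Owner", "Process", {"VALI-CDASS", "DISP-CDASS"}),
    "Corporate Admin": Role("Corporate Admin", "Corporate", {"EDIT-HIER", "ASGN-RLCOR"}),
    "Reviewer": Role("Reviewer", "Process Step", {"VALI-CDASS"}),
}

# Object hierarchy, child -> parent; None marks the corporate root.
PARENT: Dict[str, Optional[str]] = {
    "CORP": None, "OU-SALES": "CORP", "P-ORDER": "OU-SALES", "C-APPROVE": "P-ORDER",
}

# Object-dependent role assignments: (person, role, object).
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice", "Control Owner", "C-APPROVE"),
    ("alice", "Process Owner", "P-ORDER"),  # same person assesses and validates C-APPROVE
    ("bob", "Process Owner", "P-ORDER"),
    ("carol", "Corporate Admin", "CORP"),
    ("dave", "Corporate Admin", "CORP"),    # second person on a role with a one-role task
]

# Conflict group from the guide's own example: assessing and validating the same control.
CONFLICT_GROUPS: Dict[str, Set[str]] = {"ASSESS-VS-VALIDATE": {"PERF-CDASS", "VALI-CDASS"}}


def check_role_definitions(roles: Dict[str, Role], tasks: Dict[str, Task]) -> List[str]:
    """Minimum Role Level: a role may carry a task only if the role level is at least as
    broad as the task's minimum level. Restricted to One Role: one role only per task."""
    problems: List[str] = []
    holders: Dict[str, List[str]] = {}
    for role in roles.values():
        for tid in sorted(role.tasks):
            task = tasks[tid]
            if RANK[role.level] > RANK[task.min_level]:
                problems.append(f"{role.name}: task {tid} needs level {task.min_level} "
                                f"or broader, role level is {role.level}")
            holders.setdefault(tid, []).append(role.name)
    for tid, names in holders.items():
        if tasks[tid].one_role and len(names) > 1:
            problems.append(f"task {tid} is restricted to one role but is in {sorted(names)}")
    return problems


def ancestors(obj: str, parent: Dict[str, Optional[str]]):
    """Yield obj and every object above it in the hierarchy."""
    current: Optional[str] = obj
    while current is not None:
        yield current
        current = parent[current]


def effective_tasks(person, obj, assignments, roles, parent) -> Set[str]:
    """Tasks a person holds on obj through roles assigned on obj or on any ancestor
    (assumption: an assignment applies to the subtree below its object)."""
    scope = set(ancestors(obj, parent))
    held: Set[str] = set()
    for who, role, target in assignments:
        if who == person and target in scope:
            held |= roles[role].tasks
    return held


def check_assignments(assignments, roles, tasks, parent, conflict_groups) -> List[str]:
    """One person per object for roles containing a one-role task, and no person holding
    two tasks of the same conflict group on one object (segregation of duties)."""
    problems: List[str] = []
    per_role_obj: Dict[Tuple[str, str], Set[str]] = {}
    for who, role, target in assignments:
        if any(tasks[t].one_role for t in roles[role].tasks):
            per_role_obj.setdefault((role, target), set()).add(who)
    for (role, target), people in per_role_obj.items():
        if len(people) > 1:
            problems.append(f"{role} on {target} is assigned to {sorted(people)}, "
                            f"but only one person is allowed")
    for who in sorted({a[0] for a in assignments}):
        for obj in parent:
            held = effective_tasks(who, obj, assignments, roles, parent)
            for group, members in conflict_groups.items():
                hits = held & members
                if len(hits) > 1:
                    problems.append(f"{who} on {obj}: conflict group {group} {sorted(hits)}")
    return problems


if __name__ == "__main__":
    for line in check_role_definitions(ROLES, TASKS):
        print("role definition:", line)
    for line in check_assignments(ASSIGNMENTS, ROLES, TASKS, PARENT, CONFLICT_GROUPS):
        print("assignment:", line)
```

Run directly, the script reports three findings on the sample: the Reviewer role carries a task below its level, the Corporate Admin role is assigned to two people on the same object although it contains a one-role task, and alice can both assess and validate control C-APPROVE because her Process Owner assignment on the parent process reaches down to the control. The last finding is the reason the conflict check has to look at inherited assignments and not only at roles assigned directly on the object.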
Tasks: Central Structure Setup
Task Group: Central Structure Setup
Flag column: X = one of the two indicators Restricted to One Role or Processing by One Work Item Recipient Suffices is set for the task (see Editing MIC-Specific Roles [page 68] for the meaning of the attributes).

Task | Description | Role Level | Flag | Web Application Called
Display Role (DISP-ROLE) | Display all roles created and all tasks assigned by power user (see Roles and Authorizations Concept [page 66]) | Process Step | | Edit Roles
Edit Organizational Hierarchy (EDIT-HIER) | Create/change organizational hierarchy [Extern], insert new nodes, and so forth | Corporate | X | Organizational Hierarchy
Display Organizational Hierarchy (DISP-HIER) | Display entire organizational hierarchy and detailed information on organizational units | Process Step | | Organizational Hierarchy
Document Organizational Units in Scope (PERF-SCOPO) | Define reasoning for decision to include organizational units in project scope [Extern] (or to exclude them from project scope) | Corporate | X | Organizational Units in Scope
Display Organizational Units in Scope (DISP-SCOPO) | Display reasoning behind decisions relating to the project scope | Process Step | | Organizational Units in Scope
Edit Central Process Catalog (EDIT-CPCAT) | Create/change hierarchy and attributes for process groups and processes, create/change central process steps, define P-CO-R assignment, assign account groups (see Central Process Catalog [Extern]) | Corporate | X | Central Process Catalog
Display Central Process Catalog (DISP-CPCAT) | Display entire central process catalog | Process Step | | Central Process Catalog
Edit General Control Attributes in Central Process Catalog (EDIT-CCATR) | When central process step has been defined as a control, define all attributes and assignments for the control centrally (see Documenting Controls Centrally [Extern]) | Corporate | | Documentation of Controls
Edit Account Group Hierarchy (EDIT-ACCH) | Create/change hierarchy and attributes of account groups (see Account Group Hierarchy [Extern]) | Corporate | X | Account Group Hierarchy
Display Account Group Hierarchy (DISP-ACCH) | Display entire account group hierarchy | Process Step | | Account Group Hierarchy
Edit Management Control Catalog (EDIT-MCCAT) | Create/change hierarchy of management control groups and management controls, define central descriptions (see Management Control Catalog [Extern]) | Corporate | X | Management Control Catalog
Edit Description of Assessment of a Management Control (EDIT-MCASD) | Create central description in catalog of how a management control should be assessed | Corporate | X | Management Control Catalog
Edit Description of a Test of a Management Control (EDIT-MCTED) | Create central description in catalog of how a management control should be tested | Corporate | X | Management Control Catalog
Display Management Control Catalog (DISP-MCCAT) | Display entire management control catalog | Process Step | | Management Control Catalog
Edit Central Settings for Scheduling (EDIT-CSCH) | Specify centrally how often and when specific tasks are to be performed (see Task Scheduling [Extern]) | Corporate | | Central Scheduling of Tasks
Display Central Settings for Scheduling (DISP-CSCH) | Display central settings for task scheduling | Process Step | | Central Scheduling of Tasks
Assign Delegates Centrally (ASGN-DELC) | Enter delegates [Extern] for oneself and other persons | Corporate | X | Central Assignment of Delegates
Assign Own Delegates (ASGN-DELO) | Only enter delegates for oneself | Process Step | | Assignment of Own Delegates
Tasks: Structure Setup Specific to Organizational Units
Task Group: Structure Setup Dependent on Org Unit
Flag column: X = one of the two indicators Restricted to One Role or Processing by One Work Item Recipient Suffices is set for the task.

Task | Description | Role Level | Flag | Web Application Called
Assign Roles for Corporate and Next Level Down (ASGN-RLCOR) | Assign roles to persons at the corporate level and for the subordinate organizational units directly beneath it (see Assigning Roles to Persons [page 83]) | Corporate | X | Role Assignment
Assign Replacement at Corporate Level (ASGN-REPLC) | Assign replacements at corporate level (see Replacement [Extern]) | Corporate | | Assignment of Replacements
Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG) | Assign roles to persons for an organizational unit and for the subordinate organizational units directly beneath it | Org Unit | X | Role Assignment
Assign Replacement at Org Unit Level (ASGN-REPLO) | Assign replacements for the organizational unit and subordinate objects | Org Unit | | Assignment of Replacements
Assign Roles for Top Process Group in Given Organizational Unit (ASGN-RLOPG) | Assign roles to persons for the top process groups of an organizational unit | Org Unit | X | Role Assignment
Assign Roles for Given Process Group and Next Level Down (ASGN-RLPGR) | Assign roles to persons for a process group and for the subordinate process groups and processes directly beneath it | Process Group | X | Role Assignment
Assign Roles for Process and Subordinate Controls (ASGN-RLPRC) | Assign roles to persons for a process and for the process steps defined as a control in the process | Process | X | Role Assignment
Assign Roles for Control (ASGN-RLCNT) | Assign roles to persons for a process step defined as a control | Process Step | | Documentation of Controls
Create User (CREA-USRID) | Have a user ID created by the system administrator and connect this user ID to the person (see Creating Users and Connecting Users to Persons [Extern]) | Org Unit | X | Only possible in SAP GUI
Specify Significance of Accounts for Organizational Unit (EDIT-ACCSO) | Specify for an organizational unit which account groups are significant (see Significance of Account Groups for Organizational Unit [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit
Display Significance of Accounts for Organizational Unit (DISP-ACCSO) | Display significance of account groups for an organizational unit | Process Step | | Processes and Account Groups for the Organizational Unit
Perform Scoping of Processes (PERF-SCOPP) | Specify for an organizational unit which processes fall within the project scope and document why (see Processes in Scope [Extern]) | Org Unit | X | Processes in Scope
Display Processes in Scope (DISP-SCOPP) | Display processes that fall within the project scope for an organizational unit | Process Step | | Processes in Scope
Assign Process to Organizational Unit (ASGN-PRORG) | Accept for organizational unit processes falling in project scope; edit process attributes specific to organizational unit (see Accepting Processes [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit
Display Process Group Attributes Specific to Org Units (DISP-OUPGA) | Display process group attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit
Edit Process Group Attributes Specific to Org Units (EDIT-OUPGA) | Edit process group attributes specific to org units | Process Group | | Processes and Account Groups for the Organizational Unit
Display Process Attributes Specific to Org Units (DISP-OUPRA) | Display process attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit
Edit Process Attributes Specific to Org Units (EDIT-OUPRA) | Edit process attributes specific to org units | Process | | Processes and Account Groups for the Organizational Unit
Edit Process Steps Specific to Org Units (EDIT-OUPRS) | Edit copied process steps, create/change local process steps, edit process step attributes | Process | | Processes and Account Groups for the Organizational Unit
Approve Documentation of Process Change (VALI-PRCHD) | Approve the adoption of documented changes in the process (see Documenting Process and Control Changes [Extern]) | Process | X | Processes and Account Groups for the Organizational Unit
Edit General Control Attributes (EDIT-GENCA) | Edit the general control attributes for local or copied process steps defined as controls (excluding assessment and test attributes) (see Documenting Controls [Extern]) | Process Step | X | Documentation of Controls
Assign Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CPCOR) | Assign control to the P-CO-R structure defined in the process catalog and select control type | Process Step | | Documentation of Controls
Assign Referenced Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CRCOR) | Assign control of a different process to the P-CO-R structure defined in the process catalog and select control type | Process | X | Processes and Account Groups for the Organizational Unit
Assign Controls to Financial Statement Assertions (ASGN-ASS2C) | Assign control to control groups and their FS assertions | Process Step | X | Documentation of Controls
General Control Attributes: Edit Assessment Attributes (EDIT-GCAMT) | Of the general control attributes, only edit the control assessment attributes (such as control maturity target) | Process Step | X | Documentation of Controls
General Control Attributes: Edit Test Attributes (EDIT-GCATA) | Of the general control attributes, only edit the control test attributes (such as testing technique) | Process Step | X | Documentation of Controls
General Control Attributes: Edit AIS Reports (EDIT-COAIS) | Assign reports of the Audit Information System to a control (see Assignment of AIS Reports [Extern]) | Process Step | | Documentation of Controls
Approve Documentation of Control Change (VALI-PSCHD) | Approve the adoption of documented change in the control | Process Step | X | Documentation of Controls
Display Process Hierarchies of all Organizational Units (DISP-PRHIE) | Display process groups, processes, and process steps for all organizational units | Process Step | | Central Process Catalog
Display General Control Attributes (DISP-GENCA) | Display all general attributes and assignments for the control | Process Step | | Documentation of Controls
Assign Management Controls to Organizational Units (ASGN-MC2OU) | Accept centrally-defined management controls for organizational unit, create local description (see Accepting Management Controls [Extern]) | Org Unit | X | Assignment of Management Controls
Assign Management Controls to Process Group (ASGN-MC2PG) | Accept centrally-defined management controls for process group, create local description of the control | Process Group | X | Assignment of Management Controls
Edit Local Description of Assessment of a Mgmt Control for Organizational Unit (EDIT-MADOU) | Create description of how the management control should be assessed specific to organizational unit | Org Unit | X | Assignment of Management Controls
Edit Local Description of Test of a Mgmt Control for Organizational Unit (EDIT-MTDOU) | Create description of how the management control should be tested specific to organizational unit | Org Unit | X | Assignment of Management Controls
Edit Local Description of Assessment of a Mgmt Control for Process Group (EDIT-MADPG) | Create description of how the management control should be assessed specific to process group | Process Group | X | Assignment of Management Controls
Edit Local Description of Test of a Mgmt Control for Process Group (EDIT-MTDPG) | Create description of how the management control should be tested specific to process group | Process Group | X | Assignment of Management Controls
Edit "To Be Tested" Attribute of a Management Control for Organizational Unit (EDIT-MTAOU) | Specify for organizational unit whether a management control should be tested | Org Unit | X | Assignment of Management Controls
Edit "To Be Tested" Attribute of a Management Control for Process Group (EDIT-MTAPG) | Specify for process group whether a management control should be tested | Process Group | X | Assignment of Management Controls
Edit Scheduling Settings for Organizational Unit (EDIT-OUSCH) | Change central settings governing Task Scheduling [Extern] for organizational unit | Org Unit | X | Scheduling Task for Organizational Unit
Display Scheduling Settings for Organizational Unit (DISP-OUSCH) | Display task scheduling settings changed for an organizational unit | Process Step | | Scheduling Task for Organizational Unit
Tasks: Control Assessments and TestsTask Group Assessment of Control Design and Efficiency
Task Description Role Level Restrictedto OneRole
Processingby OneWork ItemRecipientSuffices
WebApplicationCalled
Perform ControlDesignAssessment(PERF-CDASS)
Enter result ofcontrol designassessment insystem,reportingissues wherenecessary(seeAssessment ofControl Designand Efficiency[Extern])
Process Step XControl DesignAssessment
Display ControlDesignAssessment(DISP-CDASS)
Display resultof controldesignassessment
Process StepControl DesignAssessment
ValidateControl Design
Assessment(VALI-CDASS)
Whenvalidation
activated,check result ofcontrol design
Process X
Control Design
Assessment
7/31/2019 Secguide Ecc 60ehp3 En
http://slidepdf.com/reader/full/secguide-ecc-60ehp3-en 77/215
SAP ERP Central Component Security Guide 6.0, EHP3 77
assessmentand confirm orsend back
Perform ControlEfficiencyAssessment(PERF-CEASS)
Enter result ofcontrolefficiencyassessment,reportingissues wherenecessary
Process Step XControlEfficiencyAssessment
Display ControlEfficiencyAssessment(DISP-CEASS)
Display resultof controlefficiencyassessment
Process StepControlEfficiencyAssessment
ValidateControlEfficiency
Assessment(VALI-CEASS)
Whenvalidationactivated,
check result ofcontrolefficiencyassessmentand confirm orsend back
Process X ControlEfficiencyAssessment
Task Group: Process Design Assessment

Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Perform Process Design Assessment (PERF-PDASS) | Enter result of process design assessment in system, reporting issues where necessary (see Process Design Assessment [Extern]) | Process | | X | Process Design Assessment
Display Process Design Assessment (DISP-PDASS) | Display result of process design assessment | Process | | | Process Design Assessment
Validate Process Design Assessment (VALI-PDASS) | When validation activated, check result of process design assessment and confirm or send back | Process Group | | X | Process Design Assessment
Task Group: Test Effectiveness of a Control

Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Mass Assignment of Testers to Controls (ASGN-MT2CN) | Assign testers centrally for all controls of an org unit or process group | Process Group | | | Mass Tester Assignment Controls/Management Controls
Assign Tester (ASGN-TSTER) | Assign persons for testing control effectiveness (see Test of Control Effectiveness [Extern]) | Process | | X | Tester Assignment
Display Notification (DISP-NOTE) | Notifications from an external system (using XI interface) in which (semi-)automated tests are performed | No role level because task cannot be assigned to any role | | | Notifications
Test Control Effectiveness (PERF-TEST) | Test control effectiveness; may be performed by all persons who were assigned as testers | No role level because task cannot be assigned to any role | | | Testing Control Effectiveness
Display Test Results (DISP-TSTRE) | Display test logs for effectiveness test of a control | Process Step | | | Testing Control Effectiveness
Receive Issues from Effectiveness Test (RECE-EFISO) | Predefined processor of issues reported during control effectiveness test; can be overwritten by person who reported issue | Process | | X |
Validate Test Control Effectiveness (VALI-TEST) | When validation activated, check result of test of control effectiveness and confirm or send back | Process | | X | Testing Control Effectiveness
Tasks: Management Control Assessment and Test

Task Group: Assessment and Test of Management Controls

Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Mass Assignment of Testers to Management Controls (ASGN-MT2MC) | Assign testers centrally for all management controls of an org unit or process group | Process Group | | | Mass Tester Assignment Controls/Management Controls
Assign Testers for Management Controls (Org Unit) (ASGN-MCTOU) | Assign persons for testing management controls for organizational unit | Org Unit | | X | Tester Assignment
Assign Testers for Management Controls (Process Group) (ASGN-MCTPG) | Assign persons for testing management controls for process group | Process Group | | X | Tester Assignment
Perform Management Control Assessment at Org Unit Level (PERF-MCAOU) | Enter result of management control assessment for org unit in system, reporting issues where necessary (see Management Control Assessment and Test [Extern]) | Org Unit | | X | Management Control Assessment
Display Management Control Assessment at Org Unit Level (DISP-MCAOU) | Display result of management control assessment for organizational unit | Org Unit | | | Management Control Assessment
Perform Management Control Assessment at Process Group Level (PERF-MCAPG) | Enter result of management control assessment for process group in system, report issues where necessary | Process Group | | X | Management Control Assessment
Display Management Control Assessment at Process Group Level (DISP-MCAPG) | Display result of management control assessment for process group | Process Group | | | Management Control Assessment
Validate Management Control Assessment for Top Organizational Unit (VALI-MCACP) | When validation activated, check result of management control assessment for top node of organizational hierarchy and confirm or send back | Corporate | | X | Management Control Assessment
Validate Management Control Assessment for Subordinate Organizational Unit (VALI-MCAOU) | When validation activated, check result of management control assessment for subordinate organizational units and confirm or send back | Org Unit | | X | Management Control Assessment
Validate Management Control Assessment for Top Process Group (VALI-MCTPG) | When validation activated, check result of management control assessment for top process group of organizational unit and confirm or send back | Org Unit | | X | Management Control Assessment
Validate Management Control Assessment for Subordinate Process Group (VALI-MCAPG) | When validation activated, check result of management control assessment for subordinate process groups and confirm or send back | Process Group | | X | Management Control Assessment
Perform Management Controls Test at Org Unit Level (PERF-MCTOU) | Create test log after management controls test for organizational unit; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | | Management Controls Test
Display Management Controls Test at Org Unit Level (DISP-MCTOU) | Display result of management controls test for organizational unit | Org Unit | | | Management Controls Test
Perform Management Controls Test at Process Group Level (PERF-MCTPG) | Create test log after management controls test for process group; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | | Management Controls Test
Display Management Controls Test at Process Group Level (DISP-MCTPG) | Display result of management controls test for process group | Process Group | | | Management Controls Test
Receive Issues from Management Controls Test at Org Unit Level (RECE-MCISO) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Org Unit | | X |
Receive Issues from Management Controls Test at Process Group Level (RECE-MCISP) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Process Group | | X |
Tasks: Reporting and Sign-Off

Task Group: Reporting

Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Display Hierarchical Reports (DISP-ANALY) | Display data for the area of responsibility in hierarchical reports in Reporting [Extern] | Process | | | Reporting
Display Tabular Reports (DISP-FLATR) | Display data for the area of responsibility in tabular reports | Process | | | Reporting
Display Management Reports (DISP-MNGRE) | Display aggregated data for the area of responsibility in management reports | Process | | | Reporting
Print Report (PERF-PRINT) | Create and print Print Reports [Extern] | Process step | | | Print Reports
Display Change Analysis (DISP-CHGAN) | Display changes to data over different timeframes (see Change Analysis [Extern]) | Org unit | | | Change Analysis
Display Authorization Analysis (DISP-SCREP) | Display assignments in the roles and authorizations concept (see Authorization Analysis [Extern]) | Process | | | Authorization Analysis
Task Group: Sign-Off

Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Perform Deficiency Analysis on Organizational Unit Level (PERF-DFAOU) | Perform deficiency analysis [Extern] for organizational unit and subordinate organizational units | Org unit | | | Deficiency Analysis
Display Deficiency Analysis on Organizational Unit Level (DISP-DFAOU) | Display deficiency analysis at corporate level and level of subordinate organizational units | Org unit | | | Deficiency Analysis
Perform Deficiency Analysis on Corporate Level (PERF-DFACP) | Perform deficiency analysis at corporate level and level of subordinate organizational units | Corporate | | | Deficiency Analysis
Display Deficiency Analysis on Corporate Level (DISP-DFACP) | Display deficiency analysis at corporate level and level of subordinate organizational units | Corporate | | | Deficiency Analysis
Perform Sign-Off (PERF-SOFOU) | Perform sign-off [Extern] for an organizational unit and, once sign-off has been performed for all organizational units, perform corporate sign-off | Org unit | | | Sign-Off
Display Sign-Off (DISP-SIGNO) | Display sign-off for organizational units in area of responsibility | Org unit | | | Sign-Off
Assigning Roles to Persons
Purpose
When you assign a person to a role in combination with an object (such as an organizational unit), that person receives the authorization to perform the tasks belonging to that role for that object.

You assign roles to persons in one of the Web applications that can be accessed from the start page [Extern]. Role assignment takes place using the domino principle throughout the organizational hierarchy and the assigned processes.

Prerequisites

● The roles have been created and activated (see Roles and Authorizations Concept [page 66]).

● The organizational hierarchy [Extern] has been defined.

Process Flow

1. The power user automatically has authorization for the task Start Role Assignment Procedure. He or she starts the assignment procedure by choosing Role Assignment in the navigation area of the start page [Extern]. The power user then assigns a person (or a user, if already available) to the role containing the task Assign Roles for Corporate and Next Level Down (ASGN-RLCOR).

○ If the person entered does not yet exist in the system, the system issues a message, and an additional area appears in the middle of the screen. To create the person, choose Create Person.

You can deactivate the option of creating a person using the IMG activity Restrict Authorization to Create Persons in Customizing for MIC.

○ If a person does not yet exist for the user entered in the system, a person is created automatically.

2. The power user assigns a role with the task Create User (CREA-USRID) to a user that has already been created.

3. If the power user has created a person in the first step as opposed to assigning a user, a user must be created for that person. For more information, see Creating Users and Connecting Users to Persons [Extern].

4. The person who now has authorization for the task Assign Roles for Corporate and Next Level Down receives this task in their task list on the start page.

5. This person assigns persons or users to the role containing the task Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG). This step is performed for all organizational units occurring directly beneath the corporate group level in the organizational hierarchy.

6. If persons instead of users are assigned, users then have to be created for these persons (see step 3).

7. The persons who now have authorization for the task Assign Roles for Given Organizational Unit and Next Level Down receive this task in their task list on the start page. Subordinate organizational units or process groups can be on the next level down. For the process groups to be available, the processes need to have been accepted [Extern] for the organizational unit in the meantime.

8. Subsequent role assignments follow the same principle all the way down the organizational hierarchy and across the assigned process groups, processes, process steps, and controls. However, you do not perform role assignment for a control in the Web application Assignment of Roles to Persons but instead in the Web application Documenting Controls [Extern].
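The domino principle described in the process flow above amounts to a delegation rule: whoever holds an assignment task at an object may assign roles at that object and at the objects directly beneath it, and a task can only be granted at the role level the task tables give it. The following Python model is an added example and not MIC code; the hierarchy, the person names, the RoleStore class and the level mapping are constructed for the demonstration, while the task codes ASGN-RLCOR and ASGN-RLORG are the ones named in the process flow.

```python
"""Constructed model of the 'domino principle' for role assignment.

Added illustration, not MIC's own code: a person who holds an assignment task
at an object may assign roles at that object and at the objects directly
beneath it, and a task may only be granted at its role level. All persons,
org units and the RoleStore class are made up for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Task codes from the process flow; the role levels are those the guide gives them.
ASGN_RLCOR = "ASGN-RLCOR"  # Assign Roles for Corporate and Next Level Down
ASGN_RLORG = "ASGN-RLORG"  # Assign Roles for Given Organizational Unit and Next Level Down
ASSIGNMENT_TASKS = {ASGN_RLCOR, ASGN_RLORG}
ROLE_LEVEL = {ASGN_RLCOR: "Corporate", ASGN_RLORG: "Org Unit"}


@dataclass
class Hierarchy:
    parent: Dict[str, Optional[str]]  # object -> parent object (None for the root)
    level: Dict[str, str]             # object -> role level ("Corporate", "Org Unit", ...)

    def children(self, obj: str) -> Set[str]:
        return {c for c, p in self.parent.items() if p == obj}


@dataclass
class RoleStore:
    # (person, task, object): the person holds a role containing `task` for `object`.
    grants: Set[Tuple[str, str, str]] = field(default_factory=set)


def assignment_scope(store: RoleStore, h: Hierarchy, assigner: str) -> Set[str]:
    """Objects at which `assigner` may assign roles: every object where they hold
    an assignment task, plus that object's direct children (one level down)."""
    scope: Set[str] = set()
    for person, task, obj in store.grants:
        if person == assigner and task in ASSIGNMENT_TASKS:
            scope.add(obj)
            scope |= h.children(obj)
    return scope


def assign_role(store: RoleStore, h: Hierarchy, assigner: str,
                person: str, task: str, obj: str) -> bool:
    """Grant `task` at `obj` to `person` if the assigner's scope covers `obj` and the
    task's role level matches the object's level; otherwise refuse and change nothing."""
    if obj not in assignment_scope(store, h, assigner):
        return False
    required_level = ROLE_LEVEL.get(task)
    if required_level is not None and h.level.get(obj) != required_level:
        return False
    store.grants.add((person, task, obj))
    return True


def run_demo() -> Dict[str, bool]:
    """Walk the assignment chain from the process flow on a constructed hierarchy."""
    h = Hierarchy(
        parent={"Corporate": None, "Org Unit A": "Corporate",
                "Org Unit B": "Corporate", "Org Unit A1": "Org Unit A"},
        level={"Corporate": "Corporate", "Org Unit A": "Org Unit",
               "Org Unit B": "Org Unit", "Org Unit A1": "Org Unit"},
    )
    store = RoleStore()
    # Step 1: the power user seeds the corporate-level assigner (alice).
    store.grants.add(("alice", ASGN_RLCOR, "Corporate"))
    results = {}
    # Step 5: alice delegates to an org unit directly beneath Corporate.
    results["alice_to_A"] = assign_role(store, h, "alice", "bob", ASGN_RLORG, "Org Unit A")
    # Skipping a level is outside alice's scope.
    results["alice_to_A1"] = assign_role(store, h, "alice", "carol", ASGN_RLORG, "Org Unit A1")
    # Step 7: bob, now holding ASGN-RLORG at Org Unit A, continues one level down.
    results["bob_to_A1"] = assign_role(store, h, "bob", "carol", ASGN_RLORG, "Org Unit A1")
    # A sibling org unit is not beneath bob's object.
    results["bob_to_B"] = assign_role(store, h, "bob", "dave", ASGN_RLORG, "Org Unit B")
    # The corporate task cannot be granted at org-unit level, even inside alice's scope.
    results["alice_rlcor_at_A"] = assign_role(store, h, "alice", "eve", ASGN_RLCOR, "Org Unit A")
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'granted' if ok else 'refused'}")
```

The scope check is what keeps assignment authority from leaking sideways or several levels down in one step: each holder can only extend the chain by one level, which is the property an auditor reviewing the role assignment trail relies on.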
Integration with Single Sign-On Environments
Use
MIC supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. Consequently, the security recommendations and guidelines for user management and authentication described in the SAP Web Application Server Security Guide also apply to MIC.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when the SAP GUI for Windows or Remote Function Calls (RFC) are used.

For more information, see Secure Network Communications (SNC) in the security guide of the SAP Web Application Server.

SAP Logon Tickets

MIC supports the use of logon tickets for SSO when the Web browser is used as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves in the original SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly once the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP Web Application Server security guide.

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol), and no passwords need to be transferred. User authorizations apply in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the security guide of the SAP Web Application Server.
Communication Channel Security
Use
The following table contains the communication paths used by MIC, the protocol used for the connection, and the type of data transferred.

Communication paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front end client using SAP GUI for Windows to application server | DIAG | All application data | Passwords
Front end client using a Web browser to application server | HTTP/HTTPS | All application data | Passwords
Audit Information System (AIS) to application server | RFC for setting up AIS integration; HTTP for displaying the AIS reports | AIS reports |
External application via XI interface to application server | External application – XI: various protocols possible (SAP standard); XI – application server: RFC | Structure data (such as central process catalog); test logs |
Application server to BI system | RFC | All application data |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

For logon to the front end client (Web browser), Single Sign-On (SSO2) must be activated on the server side. For more information, see SAP Note 517860.

Navigation information is communicated between the start page and the Web applications via the URL.
Data Storage Security
Use
Master data and transaction data is stored in the database of the SAP system on which MIC has been installed. Data storage occurs for the most part in Organizational Management, in Case Management, and in separate tables for this purpose. Due to the use of Organizational Management in particular, we recommend running MIC on a separate client. For more information and recommendations on the use of clients, see the application documentation under Management of Internal Controls (FIN-CGV-MIC) [Extern].

MIC requires a Web browser as the user interface. For data storage in the front end, non-persistent session cookies are used.

In some Web applications, MIC users can upload documents into the system. Knowledge Provider (KPro) is used for storing the data. Once uploaded, the documents can be accessed using a URL. The MIC-specific Roles and Authorizations Concept [page 66] governs authorization for accessing the URL directly in the Web application. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (two hours).
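The two properties stated above for document URLs, that a link works only for the user it was issued to and only for a limited time, are the ones a reviewer should look for in any download-link design. The Python block below is an added example of one standard way to enforce both (a keyed MAC over document id, user and expiry, checked against the authenticated session user); it is not the KPro or MIC implementation, and the server key, host name, document id and user names are constructed demo values.

```python
"""Constructed illustration of a user-bound, time-limited document URL.

Added example, not the KPro/MIC implementation. It shows one standard way to
get the two properties the text describes: the link works only for the user
it was issued to, and only within a fixed validity window (two hours here).
The key, host name, document id and user names are made-up demo values.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

VALIDITY_SECONDS = 2 * 60 * 60          # two hours, as in the text
SERVER_KEY = b"constructed-demo-key"    # assumption: server-side secret, never sent to the client


def _signature(key: bytes, doc_id: str, user: str, expires: int) -> str:
    # The MAC covers every parameter the check relies on, so none can be edited in isolation.
    msg = f"{doc_id}|{user}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_document_url(doc_id: str, user: str, now: Optional[int] = None,
                       key: bytes = SERVER_KEY,
                       base: str = "https://mic.example.invalid/doc") -> str:
    """Build a link for `user` that stops working VALIDITY_SECONDS after `now`."""
    now = int(time.time()) if now is None else int(now)
    expires = now + VALIDITY_SECONDS
    query = urlencode({"id": doc_id, "u": user, "exp": expires,
                       "sig": _signature(key, doc_id, user, expires)})
    return f"{base}?{query}"


def check_document_url(url: str, requesting_user: str, now: Optional[int] = None,
                       key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Return (ok, reason_or_doc_id). `requesting_user` comes from the authenticated
    session on the server, never from the URL itself; that is what ties the link to a user."""
    now = int(time.time()) if now is None else int(now)
    q = parse_qs(urlsplit(url).query)
    try:
        doc_id, user, expires, sig = q["id"][0], q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # Verify the MAC first (constant-time compare), so tampered parameters are never trusted.
    if not hmac.compare_digest(sig, _signature(key, doc_id, user, expires)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if user != requesting_user:
        return False, "wrong user"
    return True, doc_id


def run_demo(issued_at: int = 1_000_000) -> dict:
    """Issue one link for 'alice' and exercise the four outcomes on constructed inputs."""
    url = issue_document_url("DOC-42", "alice", now=issued_at)
    return {
        "owner_in_time": check_document_url(url, "alice", now=issued_at + 60),
        "forwarded_to_bob": check_document_url(url, "bob", now=issued_at + 60),
        "owner_after_2h": check_document_url(url, "alice", now=issued_at + VALIDITY_SECONDS + 1),
        "user_param_edited": check_document_url(url.replace("u=alice", "u=bob"), "bob",
                                                now=issued_at + 60),
    }


if __name__ == "__main__":
    for case, (ok, detail) in run_demo().items():
        print(f"{case}: {'ok' if ok else 'refused'} ({detail})")
```

Note the order of the checks: the signature is verified before any parameter is interpreted, and the user bound into the link is compared with the session user rather than trusted from the query string, which is exactly what defeats the copy-and-forward case the text warns about.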
Master Data Framework
Introduction
This guide does not replace the administration or operation guides that are available for productive operations.
Target Group
● Technology consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

The Need for Security

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to Master Data Framework. To assist you in securing Master Data Framework, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to Master Data Framework.

Overview of the Main Sections

The security guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by Master Data Framework.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management

○ User types that are required by Master Data Framework

○ Standard users that are delivered with Master Data Framework

○ Overview of the user synchronization strategy, if several components or products are integrated

○ Overview of integration options in Single Sign-On environments

● Authorizations

This section provides an overview of the authorization concept that applies to the Master Data Framework.

● Network and Communication Security

This section provides an overview of the communication paths used by Master Data Framework and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Before You Start

Security Guides Referenced

Master Data Framework is built from SAP NetWeaver Application Server ABAP. Therefore, the corresponding Security Guides also apply to Master Data Framework.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Additional Information
For more information about specific topics, see the sources in the table below.
Additional Information

Content | SAP Service Marketplace
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network, service.sap.com/securityguide
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager
Technical System Landscape
Use
The following graphic gives an overview of the technical system landscape for the Master Data Framework.

[Graphic: Framework for Master Data and Hierarchies. Components shown: Time-Dependent / Version-Dependent Attributes for Edges of Hierarchies; Generic Services; Access to BW; Synchronization Tools; Change Management; Local Tables; R/3; User Interface; Workbench; Master Data Hierarchies; Combination Characteristics (such as Company and Profit Center); Extensibility of Info Objects by Local Fields (Role Concept); Metadata Repository; Transport; Authorization Checks; Buffering; Where-Used List; Generic Checks; Read/Write Access; Locking; Time-Dependency; Validity (incl. Version and Time-Dependency); Transaction Control (Commit, Rollback, Save); Input/Output Conversion]
For more information about the technical system landscape, see the sources listed in the table below.

More Information about the Technical System Landscape

Subject | Guide/Tool | SAP Service Marketplace
Technical description of Master Data Framework and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration; high availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security
User Administration and Authentication

Master Data Framework uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Application Server ABAP Security Guide also apply to Master Data Framework.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to Master Data Framework in the following topics:

● User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with Master Data Framework.

● Integration into Single Sign-On Environments

This topic describes how Master Data Framework supports Single Sign-On mechanisms.

User Management

Use

User management for Master Data Framework uses the mechanisms provided by SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies.

Integration into Single Sign-On Environments

Use

Master Data Framework uses the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Framework.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) in the SAP NetWeaver AS ABAP Security Guide.

SAP Logon Tickets

Master Data Framework supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP NetWeaver AS ABAP Security Guide.

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP NetWeaver AS ABAP Security Guide.
Authorizations
Use
Master Data Framework uses the authorization concept provided by SAP NetWeaver .
Therefore, the security recommendations and guidelines for authorizations that aredescribed in the SAP NetWeaver AS ABAP Security Guide also apply to Master Data Framework.
The SAP NetWeaver authorization concept is based on assigning authorizations tousers based on roles. For role maintenance, use the profile generator (transactionPFCG) when using ABAP technology and the User Management Engine’s useradministration console when using Java.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Master Data Framework.

Standard Authorization Objects

Authorization Object | Description
R_UGMD_CHA | Master data access for all types of characteristics
R_UGMD_SNG | Master data access on the level of single values of combination characteristics
S_TABU_LIN | Master data access on the level of individual characteristics
FB_SRV_DMS | Authorization for data model synchronization (change monitor)
FB_SRV_GC | Authorization for MDF Garbage Collector
The authorization objects listed above are also described in the system documentation.
Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for Master Data Framework is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Master Data Framework. Details that specifically apply to Master Data Framework are described in the topic Communication Channel Security.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability
Communication Channel Security

Use

ERP and Business Information Warehouse (SAP BW) communicate with each other using RFC within Master Data Framework.

RFC connections can be protected using Secure Network Communications (SNC).

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
SAP Banking

This security guide includes the following components from SAP Banking:

● SAP Financial Customer Information Management (FS-BP)

● Deposits (FS-BCA)

● Loans Management (FS-CML)

● Collateral Management (FS-CMS)

This security guide only contains Collateral Management-specific information about Authorizations and Network and Communication Security.

For general information about security in FS-CMS, see SAP Service Marketplace at service.sap.com/securityguide → mySAP ERP Security Guides → Security Guide for Collateral Management System (CMS).

● Strategic Enterprise Management (SEM)

● Reserve for Bad Debt (FS-RBD)
SAP Financial Customer Information Management (FS-BP)

The security policy with SAP Financial Customer Information Management (FS-BP) is very similar to the security policy with the central SAP Business Partner (SAP BP).

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.
Authorizations
You can create roles in the SAP Customizing Implementation Guide (IMG) for SAP Banking under SAP Business Partner for Financial Services → General Settings → Business Partner → Basic Settings → Authorization Management.
The authorization objects are the responsibility of the SAP Business Partner. SAP Financial Customer Information Management (FS-BP) is only responsible for the following two authorization objects:

● T_BP_DEAL (Standing Instructions / Transactions)

You can use this authorization object to control the company code-dependent authorizations for displaying/creating/changing standing instructions.
There are standing instructions for:
○ Payment details
○ Derived flows
○ Correspondence
○ Transaction authorizations
● B_BUPA_SLV (Selection variant for total commitment)
A selection variant includes various settings for the total commitment (such as which business partner roles and relationships can be used for the selection, or whether detailed information can be displayed).

Network and Communication Security

When processing total commitment, mySAP ERP communicates with other SAP systems (such as Deposits Management (FS-AM)). In theory, mySAP ERP could also communicate with non-SAP systems here.

Communication takes place via Remote Function Call (RFC).
Communication Destinations

Depending on the scenario, an RFC user is required for communication via Remote Function Call (RFC). This user requires the appropriate authorizations for the target system (such as FS-CML or FS-AM).

Data Storage Security

Authorization object B_CCARD can be used to control access to credit card information that is stored in the business partner. This control falls in the area of responsibility of central SAP Business Partner.

You can protect employee data by using authorization groups (authorization object B_BUPA_GRP).
Bank Customer Accounts (BCA)

Authorizations

The following standard roles are available in Bank Customer Accounts (BCA):

Role | Name
SAP_ISB_ACCOUNTS_ADMIN_AG | SAP Banking BCA: Account Management Administrator
SAP_ISB_ACCOUNTS_ASSISTANT_AG | SAP Banking BCA: Assistant in Account Management
SAP_ISB_ACCOUNTS_STAFF_AG | SAP Banking BCA: Clerical Staff in Account Management

For more information on authorization management and the authorization objects in Bank Customer Accounts, see SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component → Release 5.0 → SAP ERP Central Component → Financials → SAP Banking → Bank Customer Accounts (BCA) → General Subjects → Authorization Administration, or Authorization Administration → Authorization Objects.

Bank Customer Accounts (BCA) also contains the following business transaction events on the subject of authorizations:

Business Transaction Event | Name
SAMPLE_INTERFACE_00011040 | AUTH1 - Account
SAMPLE_INTERFACE_00011700 | Authorization checks/authorization type
SAMPLE_INTERFACE_00010950 | Check Management
SAMPLE_INTERFACE_00010210 | Payment item dialog
SAMPLE_INTERFACE_00010410 | Payment order dialog
SAMPLE_INTERFACE_00010411 | Standing order dialog
Network and Communication Security
Bank Customer Accounts (BCA) communicates with the following external systems:
● Payment transaction systems
● Interest income tax
● Financial Accounting (FI), if Financial Accounting (FI) runs on another system
Encrypt communication with external systems in accordance with the SAP standards.
Communication with all external systems is performed via Remote Function Call (RFC).
Data Storage Security

The security of sensitive objects such as savings accounts and checking accounts is guaranteed by the general authorization concept of Bank Customer Accounts (BCA).

For employee accounts, the following security mechanisms are available in addition to the general authorization concept:

● The following special authorization objects
  ○ F_EMAC_MTH
  ○ F_EMAC_TRN
● The following special field modification criterion of the Business Data Toolset (BDT)
  ○ FMOD1. This criterion is applied to employee accounts.
Important SAP Notes

Consider the following SAP Notes on authorizations in Bank Customer Accounts (BCA):

Note Number | Short Text
---|---
126494 | Authorization f. RFC calls of reconciliation GL/BCA
441020 | Value table for authorization group objects
315545 | Standing orders: release, dual authoriztn principle
731832 | Conditions: Authorization object F_COND_BDC
127591 | Authorization group in reports
Loans Management (FS-CML)
Authorizations

Authorization management for mortgage loans is based on the existing authorization concept in Loans Management (FS-CML).

The authorization check is performed according to the principle of inclusion, that is to say, if a user has authorization to activate a business transaction, he or she also has authorization to delete it. The authorization for making a posting includes the authorization for making a cancellation.

If other functions are called from a business transaction, the relevant authorization check is performed in this business transaction before the other function is accessed. This avoids any termination of the functions that are being called.

To set up your authorization management for mortgage loans, you can use the following roles included in the delivery scope (role, technical name and scope):
Loans Officer (SAP_CML_LOANS_OFFICER)
● Create, change, display, delete business partner
● Collateral value calculation, credit standing calculation and decision-making
● Maintain objects and securities
● Create contracts, or transfer from application or offer
● Enter disbursements
● Process correspondence
● Release loan (colleague or superior)
● Process business operations (such as charges, individual posting, payoff)

Credit Analyst (SAP_CML_CREDIT_ANALYST)
● Create, change, display, delete business partner
● Maintain loan enquiries, applications and offers
● Calculate credit standing
● Decision-making
● Maintain limits
● Calculate the collateral value
● Maintain objects and securities

Rollover Officer (SAP_CML_ROLLOVER_OFFICER)
● Loan rollover (individual and mass)
● Process correspondence
● Management of rollover file
● Maintain condition tables

Staff Accountant for Loans (SAP_CML_STAFF_ACCOUNTANT)
● Post transactions
● Clearing
● Create payments
● Post and monitor incoming payments
● Process waivers and write-offs
● Cancellation
● Accrual/deferral
● Valuation
● Generating accounting reports

Manager of Loans Department (SAP_CML_DEPARTM_MANAGER)
● Release
● Maintain condition tables
● Change limits
● Risk analysis
● Monitor file (rollover or process management)
● Monitor portfolio and portfolio trend using reports; reports and queries

Product Administrator (SAP_CML_PRODUCT_ADMIN)
● Update reference interest rates
● Maintain condition tables
● Maintain new business tables

Technical Administrator (SAP_CML_TECHNICAL_ADMIN)
● Perform mass runs (such as mass print run), set status of plan to completed, post planned records
● Currency conversion
● Update reference interest rates and currency rates
● Reorganization and data archiving
● Define queries, drilldown reporting forms and reports
● Maintain performance parameters
● Analyze change pointers
● Define export interfaces
You can assign these roles to the users in your company. Do not make any changes to the original roles, as these changes would be overwritten by the standard settings when the system is upgraded.

If you want to make adjustments, copy these roles. To do so, in the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Role Administration → Roles. Here you can group together authorizations for consumer loans into your own defined roles, and assign these to users in your departments, for example.

In the first step you maintain the role menu. You can structure this yourself by adding and, if necessary, renaming files, transactions, and reports. In addition to manually grouping together the relevant transactions, you can also transfer these from the SAP menu or another role. You then maintain the authorizations for your role. The system proposes certain authorizations and their characteristics. You can also add more objects. Then you need to generate the authorization profile. Finally, you maintain the users who are to have the authorizations contained in the role. You can also use elements from organizational management, such as position in the organization. The advantage here is that you do not have to maintain the user assignment individually in each role if a person changes jobs. You can also use this function in release.
Network and Communication Security

Loans Management (FS-CML) does not communicate with other systems. The only exception is mySAP Customer Relationship Management (CRM), during the loan origination process. In this process CRM serves as the entry system and FS-CML as the backend system. Communication is by means of XI.

Data Storage Security

The security of sensitive data in Loans Management (such as loan contracts, consumer loans, collateral values, credit standing calculations, collateral) is guaranteed by the general authorization concept of Loans Management (FS-CML).

It is possible to display business partner data from Loans Management. You can use the authorization concept of central SAP Business Partner to protect this data.

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.
Collateral Management (CM)

Purpose

The purpose of this guide is to explain the security-specific features built in for SAP Collateral Management (CM).

To understand the security features provided in CM, you must read the SAP NetWeaver Application Server security guide (service.sap.com), which describes the basic security aspects and measures for SAP systems.

Authorizations

A multitude of standard roles are shipped with SAP Collateral Management (CM) in SAP ECC 6.0. These roles are of exemplary character and must be modified by customers based on their requirements.

Customers must not use the standard roles in their production systems without any modifications; it is advisable to use them only after adapting them. Use the Profile Generator (transaction PFCG) to identify the standard roles and create additional roles.
The following roles are available in CM for banks:

Role | Purpose
---|---
SAP_FS_CMS_DISPLAY_ALL | Displaying all the entity objects in CM.
SAP_FS_CMS_MAINTAIN_ALL | Maintaining (create, change and display only) all entity objects.
SAP_FS_CMS_MAINTAIN_ALL_PRC | Executing all the process-related activities in addition to maintenance of objects.
SAP_FS_CMS_CUST_ALL | Customizing.
SAP_FS_CMS_ADMIN | CM administrator role.
SAP_FS_CMS_COL_AUDITOR | Maintaining all the entity objects and the access to run all the reports in CM.
SAP_FS_CMS_CREDIT_MANAGER | Displaying collateral objects and collateral agreements.
SAP_FS_CMS_CREDIT_RISK_MANAGER | Maintaining collateral objects and collateral agreements and displaying receivables.
SAP_FS_CMS_LIQUIDATION_OFFICER | Maintaining liquidation measures.

Authorization Objects in CM

Technical name | Name
---|---
CMS_PCN_02 | Authorization for activities (change request mode)
CMS_PCN_01 | Authorization for activities (normal mode)
CMS_OMS1 | Authorization for all collateral objects other than real estate (replaces CMS_OMS from ECC 6.0 onwards)
CMS_OMS | Authorization for all collateral objects other than real estate (obsolete from ECC 6.0 onwards)
CMS_CAG | Authorization object for collateral agreements
CMS_RE | Authorization object for real estate objects in CM
CMS_RBL | Authorization object for receivables in CM
Characteristic-Based Authorizations

In Collateral Management, all objects must belong to an administration organizational unit. The authorization objects for collateral objects (real estate and other collateral objects) and collateral agreements are based on a combination of the administration organizational unit and the entity type (assigned using a process control key). For receivables, the authorizations are based on the receivable organizational unit, the receivable status and the product. Authorizations for receivables are valid only for the receivables created in CM, including the local copies in CM of receivables held in external credit systems.

For example, you can use the attribute administration organizational unit to differentiate between employee, VIP and normal customer objects. You can also create objects in these organizational units as characteristics, which can then also be used to protect application data.
Network Communication and Security

The table below shows the communication paths used by SAP Collateral Management (CM), the protocol used for the connections and the type of data transferred.

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
---|---|---|---
Financial Customer Information System (FS-Business Partner) | RFC | Business partner master data |
SAP Document Management System (DMS) | RFC | Document data |
Loans Management (CML) | RFC | Loan data |
SAP Business Information Warehouse (BIW) | IDoc and RFC | Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data |
SAP Bank Analyzer (Basel II) | IDoc and RFC | Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data |
The following RFC connections have to be set up for operating CM. You are advised not to create the users belonging to these connections as dialog users.

● RFC communication with the Tool BW
● RFC communication within the Tool BW
● RFC communication in the context of import methods for the client copy. The relevant authorization objects are:
  ○ S_TABU_DIS; S_RS_ICUBE; S_RS_ADMWB; S_RS_ISOUR; S_BTCH_ADM; S_ADMI_FCD; S_BTCH_JOB; S_RS_ODSO; S_RS_ISET
CM provides the following business application programming interfaces (BAPIs) for allowing external systems to connect to it:
● BAPI_CM_AST_GET_MULTI
● BAPI_CM_CAG_CREATE
● BAPI_CM_CAG_GETDETAIL_MULTI
● BAPI_CM_CAG_GET_BY_RBL
● BAPI_CM_GENLNK_RBL_ON_RBL_01
● BAPI_CM_GENLNK_RBL_ON_RBL_02
● BAPI_CM_SEC_GETDETAIL_MULTI
● BAPI_CM_RE_GETDETAIL_MULTI
● BAPI_CM_RIG_GETDETAIL_MULTI
● BAPI_CM_MOV_GETDETAIL_MULTI
BAPIs are standard SAP interfaces and are important in the technical integration and in the exchange of business data between SAP components and between SAP and non-SAP components. BAPIs enable you to integrate these components. They are therefore an important part of developing integration scenarios where multiple components are connected to each other, either on a local network or on the internet.

BAPIs allow integration at the business level and not at the technical level. This provides for greater stability of the linkage and independence from the underlying communication technology.
The current requirement for BAPIs in CM caters mainly to the migration scenarios. Hence these BAPIs are not protected by special authorizations. Authorization checks for BAPIs can be provided (in future releases) if there are requirements for them.

CM also provides an extensive enhancement concept that offers user exits in the form of Business Add-Ins (BAdIs).

Network Security and Communication Channels

Collateral Management (CM) uses the same communication channels that are described in the SAP NetWeaver AS security guide. No further customer-specific communication channels are provided. Hence the aspects and actions described in the SAP NetWeaver AS security guide (such as use of SAProuter in combination with a firewall, use of Secure Network Communication (SNC), communication between front end and application server, connection to the database) also apply for CM.
Strategic Enterprise Management (SEM) for Banks

Authorizations

The following standard roles are available in Strategic Enterprise Management (SEM) for Banks:

SEM-PA

Roles | Description
---|---
SAP_ISB_PA_CONTROLLER_AG | SAP Banking Profitability Analysis: Profitability Controller

SEM-MRA

SAP Treasury and Risk Management:

Roles | Description
---|---
SAP_CFM_RISK_CONTROLLER | Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER | Trade Controller
SAP_CFM_TREASURY_MANAGER | Treasury Manager

Bank Applications:

Roles | Description
---|---
SAP_ISB_STRATEGIC_PLANNER_AG | SAP Banking Asset Liability Management: Strategic Balance Sheet Planner
SAP_ISB_MAR_RISK_CONTROLLER_AG | SAP Banking Risk Analysis: Market Risk Controller

SEM-KL

SAP Treasury and Risk Management:

Roles | Description
---|---
SAP_CFM_RISK_CONTROLLER | Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER | Trade Controller
SAP_CFM_TREASURY_MANAGER | Treasury Manager
SAP_CFM_ADMINISTRATOR | Administrator
SAP_CFM_DEALER | Treasury: Trader
SAP_CFM_LIMIT_MANAGER | Limit Manager

For more information about the individual roles in SAP Treasury and Risk Management (TRM), see the SAP Library, under SAP ERP Central Component → Financials → SAP Treasury and Risk Management → Basic Functions → Roles in Treasury and Risk Management (TRM).

Bank Applications:

Roles | Description
---|---
SAP_ISB_CRE_RISK_CONTROLLER_AG | SAP Banking Default Risk and Limit System: Default Risk Controller
SAP_ISB_CRE_RISK_MANAGER_AG | SAP Banking Default Risk and Limit System: Default Risk Manager
SAP_ISB_CRE_RISK_TRADER_AG | SAP Banking Default Risk and Limit System: Trader
In addition, take account of the following activities in the SAP Customizing Implementation Guide (IMG):

● For SEM-PA: under SAP Banking → SEM Banking → Profitability Analysis → Tools → Authorization Management
● For SEM-MRA: under SAP Banking → SEM Banking → Common Settings for Market Risk and Asset/Liability Management → Maintain Authorizations/Profiles/Users
Network and Communication Security
● Transfer of external data

You can use external data transfer to transfer bank transactions not performed via SAP transactions to the SAP system. Transfer takes place via Remote Function Call (RFC).

● Transfer of market data

Market data for a risk analysis is transferred to the SAP system via a datafeed.
mySAP ERP 2005 contains SEM extractors. These extractors are business application programming interfaces (BAPIs) for selected business, market data, and SEM-own data (financial object, limit definitions, cash flow). They can also be used as utilities for integration with systems for Basel II/IAS.

These BAPIs are delivered to customers, but they have not been released officially. There is no documentation available for the SEM extractors, just notes. The collective note on this subject is note 608292.

The development of SEM extractors does not contain any authorization checks at all. Therefore, until the interface has been released officially, a customer-specific authorization concept must be created if these extractors are used. In this event, customers must use the modification assistant to implement suitable authorization checks themselves. As the interface has not been released officially, SAP bears no responsibility for missing authorization checks.
Communication Destinations

Some evaluations in SEM Banking will normally be started by customers as batch processing. This applies particularly to drilldown reports and the calculation of key figures of the results databases. If this batch processing is started by a technical user, only the authorizations for the relevant transaction are required. You can use transaction SU22 to determine these authorizations.

If the workflow is activated when limits are exceeded, the sender of the workflow must have the authorization S_OC_SEND. To make this assignment, execute the IMG activity Assign Senders of Workflows to Recipients in the SAP Customizing Implementation Guide (IMG) under Financial Supply Chain Management → Treasury and Risk Management → Credit Risk Analyzer → Basic Settings → Assignments → Assignment of Senders to Recipients.
Data Storage Security

The data in Strategic Enterprise Management (SEM) for Banks can be regarded as being not particularly sensitive.

However, from Strategic Enterprise Management (SEM) for Banks you can access business information of other components, including:

● Bank Customer Accounts (BCA)
● Loans Management (CML)

This access is protected in that the authorization for the relevant transaction is checked.

Display of risk key figures is always performed on the basis of a summarization of multiple financial transactions. Users can access a detailed view to see the transactions in question. In doing so, the display transactions of the corresponding components are called. A user can only display business transactions if he or she has the corresponding authorization for this business.

You can also use the authorization objects of Strategic Enterprise Management (SEM) for Banks to ensure that users cannot draw conclusions on financial transactions indirectly (by selecting specific parameters of risk evaluation). For example, you can use authorization object T_RMCHAR_V to restrict the financial transactions for which users can perform certain risk evaluations. This authorization is then used in the display of stored key figure values.

However, these authorization objects are not applied to the SEM extractors. If you use SEM extractors, you must use the modification assistant to implement suitable authorization checks yourself.
Reserve for Bad Debt (FS-RBD)
Authorizations

The procedure of the authorization concept used by Reserve for Bad Debt (FS-RBD) is the same as that of the SAP authorization concept.

The authorization checks in FS-RBD differentiate between the following dimensions:

● Activities
  You use the activity to control what a user is permitted to do. For example:
  ○ Create an RBD account
  ○ Post value adjustment proposals
  ○ Display evaluations
● Organization
  The organization at RBD area level determines which data the user is permitted to display or process.

Standard Profiles

In FS-RBD you do not use RBD-specific profiles, but the standard profiles delivered with every SAP system.

The standard profiles are as follows:

Profile | Description
---|---
S_A.SYSTEM | Authorizations for the basis system only
S_A.ADMIN | Authorizations for the administration of the operational SAP system, but without authorization for: ABAP/4 Development Workbench; maintaining superusers; maintaining the standard profiles beginning with "S_A"
S_A.DEVELOP | Authorizations for developers working with ABAP/4 Development Workbench
S_A.CUSTOMIZ | Authorizations for basis settings in the Customizing system
S_A.USER | Authorizations for end users (without authorization for SAP work areas)
Authorization Objects

Reserve for Bad Debt (FS-RBD) has the following authorization objects:

Critical combination: Creating and posting value adjustment proposals (planned records) within a role.

Authorization Object | Description | Authorization Field | Values permitted for the authorization field
---|---|---|---
RBD_CUST | RBD: Customizing | Activity | 16 (Execute)
RBD_EDIT | RBD Dialog & Batch | Activity | 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse), 91 (Reactivate)
RBD_EDIT | RBD Dialog & Batch | RBD area | According to RBD Customizing
RBD_REPO | RBD: Reporting | RBD area | According to RBD Customizing

Description of these authorization objects:

● The assignment of authorization object RBD_CUST with activity 16 gives the user authorization to use an RBD Customizing tool.
● The assignment of authorization object RBD_EDIT with activity 02 and RBD area 0005 enables the user to change data for an RBD account in the RBD area 0005.
● The assignment of authorization object RBD_EDIT with activities 02 and 10 and the RBD area 0004 enables the user to post planned records for an RBD account in the RBD area 0004.
● The assignment of the authorization object RBD_EDIT with the activities 02, 85, 91 and the RBD area 0003 enables a user to reverse actual records for an RBD account in RBD area 0003, and to reactivate a deactivated account in the RBD area 0003.
● The assignment of the authorization object RBD_REPO in RBD area 0006 enables a user to display the RBD standard evaluations for the data in the RBD area 0006.

Note that the activities Create Value Adjustment Proposals (Planned Records) and Post Value Adjustment Proposals (Planned Records) are possible within one role.
Use of RBD Authorization Objects

RBD_CUST

Program | Description | Permitted Activities
---|---|---
/IBS/MRB_CUST_KTOFI | RBD Tool Customizing: Duplicate Account Determination | 16 (Execute)

RBD_EDIT

Program | Description | Permitted Activities
---|---|---
/IBS/MRB_SAPMKTO | RBD: Dialog account master data | 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse)
/IBS/MRB_EWB_UPDATE | CML Position monitoring update run | 02 (Change), 10 (Post)
/IBS/MRB_KONTO_REACTIVATE | Reactivate RBD account | 91 (Reactivate)
/IBS/MRB_LOG_POST | RBD Posting log | 03 (Display)
/IBS/MRB_PEWB_REFRESH | RBD: CML Monitoring of arrears: Planned record generation (FIVA) and posting | 10 (Post)
/IBS/MRB_PEWB_RESET | RBD: CML monitoring of arrears: Clearing actual records (reversal FIVA) | 85 (Reverse)

RBD_REPO

Program | Description | Permitted Activities
---|---|---
/IBS/DRB_ENTWICKLUNG | RBD development list, development reserve for bad debt position | According to RBD Customizing
/IBS/DRB_HINT_LIST | Position monitoring: List of notes | According to RBD Customizing
/IBS/DRB_REFERENZ | RBD Drilldown reporting with references | According to RBD Customizing
Definition of Customer-Specific Roles

The following information is required for the definition of customer-specific roles for functions in FS-RBD:

● SAP logon names of all employees that are to work in FS-RBD
● RBD areas affected
● Decisions as to which employee is permitted to execute which functions in the RBD Tool

To avoid having to assign a separate role for each employee, we recommend that you form groups of employees that are permitted to execute the same functions. You can then assign a defined role to all of the employees in the group.

Example of generation of user-specific roles:

Activities

RBD area | Activity | Employee | Role in SAP
---|---|---|---
All | All | Adams | RBD_ALLES
All | Customizing: Duplicate Account Determination | Armstrong | RBD_CUST
1 | Create, change, and display RBD account | Miller | RBD_SACH_01
1 | Create, change, and display RBD account | Martin | RBD_SACH_01
1 | Create, change, and display RBD account | Smith | RBD_SACH_01
1 | Change RBD account, post planned records | Glenn | RBD_BUCH_01
1 | Change RBD account, post planned records | O'Hara | RBD_BUCH_01
1 | Change RBD account, reverse actual records | Glenn | RBD_STOR_01
1 | Change RBD account, reverse actual records | Bertolini | RBD_STOR_01
1 | Display evaluations | Santos | RBD_AUSWERT_01
1 | Display evaluations | Hunter | RBD_AUSWERT_01
1 | Display evaluations | Miller | RBD_AUSWERT_01
1 | Display evaluations | Martin | RBD_AUSWERT_01
1 | Display evaluations | Smith | RBD_AUSWERT_01
2 | Create, change, and display RBD account | Nielsen | RBD_SACH_02
2 | Create, change, and display RBD account | Moore | RBD_SACH_02
2 | Create, change, and display RBD account | Smith | RBD_SACH_02
2 | Change RBD account, post planned records | Glenn | RBD_BUCH_02
2 | Change RBD account, post planned records | O'Hara | RBD_BUCH_02
2 | Change RBD account, reverse actual records | Glenn | RBD_STOR_02
2 | Change RBD account, reverse actual records | Nielsen | RBD_STOR_02
2 | Display evaluations | Santos | RBD_AUSWERT_02
2 | Display evaluations | Hunter | RBD_AUSWERT_02
2 | Display evaluations | Nielsen | RBD_AUSWERT_02
2 | Display evaluations | Moore | RBD_AUSWERT_02
2 | Display evaluations | Smith | RBD_AUSWERT_02

Roles

Role in SAP | RBD Authorization Object Required | Authorization Field | Field Value
---|---|---|---
RBD_ALLES | RBD_CUST | ACTVT | *
RBD_ALLES | RBD_EDIT | ACTVT | *
RBD_ALLES | RBD_EDIT | RBDID | *
RBD_ALLES | RBD_REPO | ACTVT | *
RBD_CUST | RBD_CUST | ACTVT | 16
RBD_SACH_01 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_01 | RBD_EDIT | RBDID | 1
RBD_BUCH_01 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_01 | RBD_EDIT | RBDID | 1
RBD_STOR_01 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_01 | RBD_EDIT | RBDID | 1
RBD_AUSWERT_01 | RBD_REPO | RBDID | 1
RBD_SACH_02 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_02 | RBD_EDIT | RBDID | 2
RBD_BUCH_02 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_02 | RBD_EDIT | RBDID | 2
RBD_STOR_02 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_02 | RBD_EDIT | RBDID | 2
RBD_AUSWERT_02 | RBD_REPO | RBDID | 2

As a result, roles are assigned to the user master records as follows:

Employee | Role in SAP
---|---
Armstrong | RBD_CUST
Bertolini | RBD_STOR_01
Adams | RBD_ALLES
Glenn | RBD_BUCH_01
Glenn | RBD_STOR_01
Glenn | RBD_BUCH_02
Glenn | RBD_STOR_02
O'Hara | RBD_BUCH_01
O'Hara | RBD_BUCH_02
Hunter | RBD_AUSWERT_01
Hunter | RBD_AUSWERT_02
Martin | RBD_SACH_01
Martin | RBD_AUSWERT_01
Moore | RBD_SACH_02
Moore | RBD_AUSWERT_02
Miller | RBD_SACH_01
Miller | RBD_AUSWERT_01
Nielsen | RBD_SACH_02
Nielsen | RBD_STOR_02
Nielsen | RBD_AUSWERT_02
Smith | RBD_SACH_01
Smith | RBD_AUSWERT_01
Smith | RBD_SACH_02
Smith | RBD_AUSWERT_02
Santos | RBD_AUSWERT_01
Santos | RBD_AUSWERT_02
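The RBD authorization objects, the critical create/post combination and the sample roles and user assignments above, as an added example that is not part of the SAP guide: a small Python model of the RBD_EDIT check that answers "may this user perform this activity in this RBD area?" and then reviews which roles and which users end up holding both Create (01) and Post (10) for the same RBD area. Role contents and user assignments are transcribed from the tables above; the matching rule (all checked fields must match, `*` grants every value, any one assigned role suffices) is assumed from the standard SAP authorization concept the guide refers to.

```python
"""Model of the FS-RBD authorization check plus a segregation-of-duties review.

Added example, not code from the SAP security guide. ROLES and USER_ROLES are
transcribed from the guide's sample tables; activity codes are normalized to two
digits ("1" -> "01") and RBD areas are kept as written ("1", "2"). The matching
rule follows the standard SAP authorization concept: every checked field must be
covered by the authorization, '*' covers every value, any assigned role suffices.
"""

# Role -> authorization object -> field -> permitted values (guide's "Roles" table)
ROLES = {
    "RBD_ALLES": {
        "RBD_CUST": {"ACTVT": {"*"}},
        "RBD_EDIT": {"ACTVT": {"*"}, "RBDID": {"*"}},
        "RBD_REPO": {"ACTVT": {"*"}},
    },
    "RBD_CUST": {"RBD_CUST": {"ACTVT": {"16"}}},
    "RBD_SACH_01": {"RBD_EDIT": {"ACTVT": {"01", "02", "03"}, "RBDID": {"1"}}},
    "RBD_BUCH_01": {"RBD_EDIT": {"ACTVT": {"02", "10"}, "RBDID": {"1"}}},
    "RBD_STOR_01": {"RBD_EDIT": {"ACTVT": {"02", "85"}, "RBDID": {"1"}}},
    "RBD_AUSWERT_01": {"RBD_REPO": {"RBDID": {"1"}}},
    "RBD_SACH_02": {"RBD_EDIT": {"ACTVT": {"01", "02", "03"}, "RBDID": {"2"}}},
    "RBD_BUCH_02": {"RBD_EDIT": {"ACTVT": {"02", "10"}, "RBDID": {"2"}}},
    "RBD_STOR_02": {"RBD_EDIT": {"ACTVT": {"02", "85"}, "RBDID": {"2"}}},
    "RBD_AUSWERT_02": {"RBD_REPO": {"RBDID": {"2"}}},
}

# Employee -> assigned roles (guide's user master record table)
USER_ROLES = {
    "Adams": ["RBD_ALLES"],
    "Armstrong": ["RBD_CUST"],
    "Bertolini": ["RBD_STOR_01"],
    "Glenn": ["RBD_BUCH_01", "RBD_STOR_01", "RBD_BUCH_02", "RBD_STOR_02"],
    "O'Hara": ["RBD_BUCH_01", "RBD_BUCH_02"],
    "Hunter": ["RBD_AUSWERT_01", "RBD_AUSWERT_02"],
    "Martin": ["RBD_SACH_01", "RBD_AUSWERT_01"],
    "Moore": ["RBD_SACH_02", "RBD_AUSWERT_02"],
    "Miller": ["RBD_SACH_01", "RBD_AUSWERT_01"],
    "Nielsen": ["RBD_SACH_02", "RBD_STOR_02", "RBD_AUSWERT_02"],
    "Smith": ["RBD_SACH_01", "RBD_AUSWERT_01", "RBD_SACH_02", "RBD_AUSWERT_02"],
    "Santos": ["RBD_AUSWERT_01", "RBD_AUSWERT_02"],
}

RBD_AREAS = ("1", "2")      # RBD areas used in the guide's example
CREATE, POST = "01", "10"   # the two activities the guide calls a critical combination


def role_grants(role, obj, **fields):
    """True if the role holds an authorization for obj covering every checked field."""
    auth = ROLES[role].get(obj)
    if auth is None:
        return False
    return all(
        field in auth and ("*" in auth[field] or value in auth[field])
        for field, value in fields.items()
    )


def authorized(user, obj, **fields):
    """Emulates the runtime check: the user passes if any assigned role grants it."""
    return any(role_grants(role, obj, **fields) for role in USER_ROLES.get(user, ()))


def roles_with_critical_combination(areas=RBD_AREAS):
    """Roles that allow both creating and posting planned records in one RBD area."""
    return sorted(
        role for role in ROLES
        if any(role_grants(role, "RBD_EDIT", ACTVT=CREATE, RBDID=area)
               and role_grants(role, "RBD_EDIT", ACTVT=POST, RBDID=area)
               for area in areas)
    )


def users_with_critical_combination(areas=RBD_AREAS):
    """Users who hold create + post for the same area, even if via different roles."""
    findings = {}
    for user in USER_ROLES:
        hit = [area for area in areas
               if authorized(user, "RBD_EDIT", ACTVT=CREATE, RBDID=area)
               and authorized(user, "RBD_EDIT", ACTVT=POST, RBDID=area)]
        if hit:
            findings[user] = hit
    return findings


if __name__ == "__main__":
    print("Glenn may post in area 1:", authorized("Glenn", "RBD_EDIT", ACTVT=POST, RBDID="1"))
    print("Glenn may create in area 1:", authorized("Glenn", "RBD_EDIT", ACTVT=CREATE, RBDID="1"))
    print("Roles with create+post:", roles_with_critical_combination())
    print("Users with create+post:", users_with_critical_combination())
```

Only the catch-all role RBD_ALLES (and therefore Adams) carries the critical combination; every other role in the guide's example keeps create and post in separate roles and no user is assigned both for the same area.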
Network and Communication Security

In Reserve for Bad Debt (FS-RBD) the following systems communicate with each other:

● Enterprise Resource Planning (ERP) with Loans Management (FS-CML)
● ERP with Deposits Management (FS-AM)
● ERP with Collateral Management System (FS-CMS)
● ERP with Flexible General Ledger/Financials (FLEXGL/FI)

Communication takes place via Remote Function Call (RFC).

Communication Destinations

Technical users are required for Remote Function Call (RFC) connections to Deposits Management (FS-AM).

These technical users require read authorization (for reading balances and account master data, for example).
Trace and Log Files

The change documents (master data from the source system) can be used as trace or log files that contain information relevant for security.

Incentive and Commission Management (ICM)

For detailed information about security in Incentive and Commission Management (ICM), see the security guide for Incentive and Commission Management in the SAP Library under Security → mySAP ERP Security Guides.
Statutory Reporting for Insurance (FS-SR)
Authorizations

Authorizations are assigned using the authorization objects from the authorization object class ISSR.

Data Storage Security

Sensitive data, such as financial transactions, is protected from unauthorized access using the authorization objects in the authorization object class ISSR.

Real Estate Management

Authorizations

Standard Roles of Real Estate Management

Roles | Description
---|---
SAP_RE_APPL | Real Estate Specialist
SAP_RE_CONTROLLER_AND_PLANER | RE Controller
SAP_RE_CONTROLLING_ANALYST | RE Controlling Analyst
SAP_RE_LESSEE_CONTRACT_SUPPORT | Lessee Contract Support
SAP_RE_LESSOR_CONTRACT_SUPPORT | Lessor Contract Support
SAP_RE_MASTER_DATA_ANALYST | Master Data Analyst
SAP_RE_MASTER_DATA_SUPPORT | Master Data Support
SAP_RE_RENT_LEVEL_EXPERT | Rent Level Expert
SAP_RE_RENTAL_ACC_SUPPORT | Rental Account Support
SAP_RE_SC_SUPPORT | Service Charge Support
Network and Communication Security
External heating expenses settlement is available in Real Estate Management. To make this settlement possible, the necessary files must be generated in the SAP system in an internal SAP format. Then you need to send the data medium to the settlement company.
Trace and Log Files
The change documents provide information on changes to the authorization group andto the person responsible for the object.
Public Sector Management

Authorizations

Standard Roles for Public Sector Management (PSM)

Role | Name
---|---
SAP_IS_PS_CENTRAL_FUNCTION | Funds Management Central Function
SAP_IS_PS_PO_CONSUMPTION | Postings: Consume Funds
SAP_IS_PS_MD_STRUCTURE | Master Data Funds Management: Maintain Structure
SAP_IS_PS_DECK_CREA | Cover Eligibility: Rule Maintenance
SAP_IS_PS_BCS_AVC_TOOLS | Availability Control - Tools
SAP_IS_PS_BU_RULES | Maintain Budget Rules
SAP_IS_PS_BCS_BUD_TOOLS | Budgeting - Tools
SAP_IS_PS_PO_RECONCILE | Reconciling Data with Feeder Applications
SAP_IS_PS_BCS_BUD_MAINTENANCE | Maintain Budget Data
SAP_IS_PS_BCS_BUD_PLANNING | Plan Budget Data
SAP_IS_PS_BCS_DISPLAY | Display Budget Values (BCS)
SAP_IS_PS_BCS_STATUS_MAINTAIN | Budgeting - Assign Status
SAP_IS_PS_BCS_STRUCT_DEF | Maintain Budget Structure
SAP_IS_PS_BCS_STRUCT_TOOLS | Budget Structure - Tools
SAP_IS_PS_BU_CONTROL | Controlling Budget Execution
SAP_IS_PS_BU_DISPLAY | Budget Values Display
SAP_IS_PS_BU_PLANNING | Budget Planning
SAP_IS_PS_BU_UPDATE | Update Budget: Transactions
SAP_IS_PS_BU_UPDATE_TOOLS | Update Budget: Tools
SAP_IS_PS_BU_UPDATE_VERSION | Update Budget: Edit Versions
SAP_IS_PS_CASH_DESK | Payment at Cash Desk
SAP_IS_PS_CF_BU_EXECUTE | Execute Budget Carryforward
SAP_IS_PS_CF_BU_PREPARE | Prepare Budget Carryforward
SAP_IS_PS_CF_CHECK | Check Budget Closing
SAP_IS_PS_CF_OI_EXECUTE | Carry Forward Consumable Budget
SAP_IS_PS_CF_OI_PREPARE | Prepare Carryforward of Consumable Budget
SAP_IS_PS_DECK_DISP | Display Data for Reporting and Master Data Cover Eligibility
SAP_IS_PS_MD_DISPLAY | Funds Management Master Data: Display Functions
SAP_IS_PS_MD_ZUOB | Funds Management Master Data: Assignment to CO Structures
SAP_IS_PS_PO_COMMITMENTS | Postings: Commit Funds
SAP_IS_PS_PO_CONSUMPTION_DISP | Postings: Consumed Funds Display
SAP_IS_PS_PO_FOR | Postings: Forecast of Revenue
SAP_IS_PS_PO_TRANSFERS | Postings: Transfer Consumable Budget
Public Sector Management uses the name convention SAP_FI_GM_* andSAP_IS_PS_* for its roles.
Standard Roles for Grants Management (PSM-GM)
Role | Name | Function
SAP_FI_GM_GRANT_ANALYST | Grants Management: Grant Analyst | Master data maintenance, execution of reports
SAP_FI_GM_GRANT_MANAGER | Grants Management: Grant Manager | New entry, check, and approval of master data, execution of billing program
SAP_FI_GM_PROGRAM_ANALYST | Grants Management: Program Analyst | Creation of master data, processing of proposals and budget
SAP_FI_GM_PROGRAM_MANAGER | Grants Management: Program Manager | Check and approval of proposals and budget
SAP_FI_GM_PROJECT_MANAGER | Grants Management: Project Manager | Management of grants and budget, execution of reports
Standard Roles for Grantor Management (PSM-GM)
Role | Name | Function
SAP_PSM_GTR_PROGRAM_MANAGER | Instructor for Grantor Program Management | The main task of the instructor for Grantor Program Management is to look after the scenarios of Grantor Management. The instructor not only works with CRM transactions but is also responsible for creating budget for the Grantor programs in PSM and for processing accounting transactions in Public Sector Contract Accounting. Additional tasks in this area are master data maintenance, reporting and archiving.
SAP_PSM_GTR_PROGRAM_CLERK | Clerk for Grantor Program Management | The main task of the clerk for Grantor Program Management is the processing of scenarios in Grantor Management. The clerk works not only with CRM transactions for Grantor Management but also accesses budget, PSM master data and business partner data in Public Sector Contract Accounting. A user in this role is also authorized to execute PSM reports.
Standard Roles for Expenditure Certification (PSM-EC)
Expenditure Certification (PSM-EC) is available on the portal and contains the following portal roles:
Role | Name | Function
com.sap.pct.erp.expcert.certif_manager | Certification manager | The certification manager manages the data for the project (such as budget, deadlines, links to financing sources, and the progress of the project), checks the budget consumption of the projects and financing sources, monitors all certificates and issues approval for a certification run.
com.sap.pct.erp.expcert.cert_admin | Certification accountant | The certification accountant executes the certification run for financing sources and forwards the provisional certification results to the people responsible for further checks; they also make manual changes in certifications and save the closing version of a certification.
Authorization Objects for Grants Management (PSM-GM)
Authorization object Name
F_FIGM_BUD Grants Management: Authority for Budget
F_FIGM_CLS Grants Management: Authority for Class
F_FIGM_GNG GM: Grant Groups
F_FIGM_GNT Grants Management: Authority for Grant
F_FIGM_PRG Grants Management: Authority for Programs
F_FIGM_SCG GM: Sponsored Class Groups
F_FIGM_SPG GM: Sponsored Program Groups
The master data objects and business processes of Grants Management are protected by standard authorization objects.
US Federal Government uses the authorization concept of the components that it uses, such as Funds Management and Materials Management. See also the documentation for Funds Management on the SAP Help Portal at help.sap.com → SAP ERP Central Component → Accounting → Public Sector Management → Funds Management → Authorizations.
Authorization Objects for Grantor Management (PSM-GM)
Authorization object Name
F_PSM_DRUL Rules of Account Assignment Derivation
F_PSM_DSTR Strategy of Account Assignment Derivation
Authorization Objects for Expenditure Certification (PSM-EC)
Authorization object Name
F_PSMEC_CR Expenditure certification: Certification Run
F_PSMEC_FS Expenditure Certification: Financing Source
F_PSMEC_OP Expenditure Certification: Operation
F_PSM_DSTR Strategy of Account Assignment Derivation
F_PSM_DRUL Rules of Account Assignment Derivation
Network and Communication Security
Public Sector Management communicates with the following components:
● Human Capital Management (HCM) as part of the scenario Position Budgeting and Control
● SAP Enterprise Buyer (EBP)
● Customer Relationship Management (CRM) as part of the Scenario Grantor Management
The communication with these internal SAP components takes place via Remote Function Call (RFC). See the corresponding sections in the RFC/ICF Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Aspects for Connectivity and Interoperability.
The US Federal Government has both payment and collection outbound interfaces at its disposal for Treasury Confirmation and Intragovernmental Payment and Collection (IPAC). These outbound interfaces use payment methods and flat files.
The inbound interface of the Central Contractor Registration (CCR) uses IDocs.
Expenditure certification (PSM-EC) communicates with the:
● Portal which displays the Workcenter
● Backend system in which the FI invoice documents were certified
● System in which the launchpad is configured (logical system SAP_R3_SelfServiceGenerics)
This system can be the same as the backend system.
For registering portal users in the backend system, we recommend that the user is created in both the portal and the backend system with the same user ID. In other words, the user ID of a user in the portal and in the backend system should match.
Data Storage Security
Public Sector Management supports payments by payment card. As this process does not have a key role in Public Sector Management and customers have not yet required the encryption of card numbers, Public Sector Management does not provide encryption for payment card numbers at the moment.
More Security Information
Authorization checks in Public Sector Management and Funds Management only take place when the authorization group of a master data object is filled; a master data object saved with an empty authorization group is therefore not subject to these checks. To ensure that an adequate check is carried out, SAP recommends that you define the affected fields as required entry fields in the field status control. You define this setting in the implementation guide of Public Sector Management:
● Funds Management-Specific Postings → Earmarked Funds and Funds Transfers → Field Control for Earmarked Funds and Funds Transfers → Define Field Status Variant / Assign Field Status Variant to Company Code / Define Field Status Groups
● Actual and Commitment Update/Integration → Integration → Maintain Field Status for Assigning FM Account Assignments
For more information, see the documentation on Funds Management on the SAP Help Portal at help.sap.com → ERP Central Component → Accounting → Public Sector Management.
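The behaviour described above, that a master data object is only authorization-checked once its authorization group is filled, is easy to model and to audit for. The following is an added example written for this guide, not SAP code: it takes a constructed semicolon-separated export of funds centers as input (the column names FIKRS, FICTR and AUTHGRP and the group names are placeholders chosen for illustration), reports every object that would escape the check because its group is empty, and shows the effect of the recommended required-entry setting as a validation that rejects such objects before they can be saved.

```python
"""Model of the authorization-group behaviour described in the guide. Added
example, not SAP code: the CSV export, the field names (FIKRS, FICTR, AUTHGRP)
and the group names are constructed placeholders chosen for illustration."""
import csv
import io
from dataclasses import dataclass

# Constructed export of funds centers; an empty AUTHGRP column models a master
# data object that was saved without an authorization group.
CONSTRUCTED_EXPORT = """\
FIKRS;FICTR;AUTHGRP
1000;FC-HR;GRP01
1000;FC-IT;
1000;FC-FIN;GRP02
"""


@dataclass(frozen=True)
class MasterDataObject:
    fm_area: str
    key: str
    auth_group: str  # "" means the authorization group field was left empty


def load_export(text):
    """Parse the semicolon-separated export into master data objects."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [MasterDataObject(r["FIKRS"], r["FICTR"], r["AUTHGRP"].strip()) for r in reader]


def authorization_checked(obj):
    """The rule from the guide: a check takes place only if the group is filled."""
    return obj.auth_group != ""


def may_access(user_groups, obj):
    """Access decision: object without a group -> no check -> any user passes.
    With a group, the user needs that group in one of their authorizations."""
    if not authorization_checked(obj):
        return True
    return obj.auth_group in user_groups


def find_unprotected(objects):
    """Audit: keys of objects that will never be authorization-checked."""
    return [o.key for o in objects if not authorization_checked(o)]


def validate_required_group(obj):
    """Emulates the recommended field-status setting (group is a required entry):
    an object without a group is rejected before it can be saved."""
    if obj.auth_group == "":
        raise ValueError(f"{obj.key}: authorization group is a required entry")
    return True


if __name__ == "__main__":
    objs = load_export(CONSTRUCTED_EXPORT)
    print("objects that bypass the check:", find_unprotected(objs))
    for o in objs:
        print(o.key, "accessible to a user with no groups:", may_access(frozenset(), o))
```

Run against a real export, the list returned by find_unprotected is the set of master data objects to fix; once the fields are required entries, validate_required_group models what the system enforces at save time.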
For Grants Management, note the following system settings in the implementation guide of Public Sector Management, under Funds Management Government → Master Data → Grant:
● GM Grant Control: Field Group for Authorizations
● Maintain Grant Authorization Types
● Maintain Grant Authorization Groups
You can enhance the authorization concept using the following BAdI:
BAdI Name
GM_AUTHORITY_CHECK Grants Management: Authorization Check
GM_BILL_AUTHORITY GM: User Authorization for Billing for DP90 in GM
GM_POST_AUTHORITY Grants Management Coding Block Authorization Check
Joint Venture Accounting
Before You Start
Fundamental Security Guides
JVA is based on components covered by the SAP ERP Central Component Security Guide. Therefore, the corresponding security guides also apply to the JVA component. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.
Fundamental Security Guides
Application | Guide | Most Relevant Sections or Specific Restrictions
SAP NetWeaver Application Server | SAP NetWeaver Security Guide | In the SAP NetWeaver Security Guide, choose Security Guides for SAP NetWeaver according to Usage Types → Security Guides for Usage Type AS.
SAP ECC | SAP ERP Central Component Security Guide | All sections.
Operating Systems and Database Platforms | SAP NetWeaver Security Guide | In the SAP NetWeaver Security Guide, choose Security Guides for the Operating System and Database Platforms.
For a complete list of the available SAP Security Guides, see the SAP ServiceMarketplace at service.sap.com/securityguide .
Additional Information
For more information about specific topics, see the addresses on the SAP ServiceMarketplace as shown in the table below.
Content SAP Service Marketplace Address
Security service.sap.com/security
Security Guides service.sap.com/securityguide
Related SAP Notes service.sap.com/notes
Released platforms service.sap.com/platforms
Network security service.sap.com/securityguide
SAP Solution Manager service.sap.com/solutionmanager
Technical System Landscape
JVA runs as an integrated application within the central system landscape.
It is closely connected to the FI, MM, AM and CO components and must run on a server where these components are installed. An ALE scenario is not fully supported; refer to SAP Note 214435.
For more information about the technical system landscape, see the resources listed in the table below.
Topic | Guide/Tool | Quick Link to the SAP Service Marketplace
Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver | Master guide | service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP
Technical configuration, high availability | Technical infrastructure guide | service.sap.com/ti
Security | | service.sap.com/security
User Management
Use
User management for JVA uses the mechanisms provided with the SAP NetWeaverApplication Server ABAP, for example, tools, user types, and password policies. For anoverview of how these mechanisms apply for JVA, see the sections below.
User Administration Tools
The table below shows the tools to use for user management and user administration with the JVA component.
User Management Tools
Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information about the authorization objects provided by Joint Venture Accounting, see the relevant subsection under Authorizations.
Role maintenance with the profile generator for ABAP-based systems (transaction PFCG) | For more information about the roles provided by Joint Venture Accounting, see the relevant subsection under Authorizations.
User Types
It is often necessary to specify different security policies for different types of users. Forexample, your policy may specify that individual users who perform tasks interactivelyhave to change their passwords on a regular basis, but not those users under whichbackground processing jobs run.
The user types that are required for JVA include:
● Individual users:
○ Dialog users are used for SAP GUI for Windows.
○ Internet users are used for Web applications. The same policies apply as for dialog users, but these users are used for Internet connections.
● Technical users:
○ Background users are used for certain (mainly periodically running) programs that have extended authorizations.
For more information on these user types, see User Types in the SAP NetWeaver AS ABAP Security Guide.
Standard Users
JVA doesn’t deliver standard users.
However, users with specific authorizations must be created to fulfill certain tasks for:
● Customizing
● Master data
● Processing
● Reporting
Authorizations
Standard Roles
The table below shows the standard roles that are used by JVA.
Standard Roles
Role Description
SAP_EP_RW_GJVP RW - Joint Venture Accounting
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by JVA.
Standard Authorization Objects
Authorization Object Description
J_JVA_CUS Joint Venture Accounting: Customizing
J_JVA_JOA Joint Venture Accounting: Joint Operating Agreement Master
J_JVA_PRC Joint Venture Accounting: Processing
J_JVA_REP Joint Venture Accounting: Reporting
J_JVA_VNT Joint Venture Accounting: Venture Master
Communication Channel Security
Use
The table below shows the communication channels used by JVA, the protocol used forthe connection, and the type of data transferred.
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client using SAP GUI for Windows to application server | DIAG | All application data | For example, passwords, business data, credit card information
Front-end client using a Web browser to application server | HTTP(S) | All application data | For example, passwords, business data, credit card information
Application server to application server | RFC, HTTP(S) | Integration data | Business data, credit card information
DIAG and RFC connections can be protected using Secure Network Communications(SNC). HTTP connections are protected using the Secure Sockets Layer (SSL)protocol.
For more information, see the section on Transport Layer Security in the SAP NetWeaver Security Guide: service.sap.com/securityguide → SAP NetWeaver Security Guide → Transport Layer Security
Logistics
Materials Management (MM)
Purchasing and Service Industries (MM-PUR, MM-SRV)
Authorizations
Standard Roles
You can implement the following standard role for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) in the SAP Enterprise Portal:
● Description: Purchasing Agent
● Technical name:pcd:portal_content/com.sap.pct/specialist/com.sap.pct.purch.purchasingagent/com.sap.pct.purch.roles/com.sap.pct.purch.purchasingAgent
Note that this is a role that can only be used in the SAP Enterprise Portal .There are no corresponding roles in the SAP ECC backend.
Profile
The following table shows the security-relevant profiles used by the components Purchasing and Service Industries.
Profiles: Purchasing, Service Industries
Profile Description
M_ANFR_ALL MM Purchasing – RFQs: Maintenance Authorization
M_ANFR_ANZ MM Purchasing – RFQs: Display Authorization
M_ANGE_ALL MM Purchasing: Quotations: Maintenance Authorization
M_ANGE_ANZ MM Purchasing: Quotations: Display Authorization
M_BANF_ALL MM Purchasing – Requisitions: Maintenance Authorization
M_BANF_ANZ MM Purchasing: Requisitions: Display Authorization
M_BEST_ALL MM Purchasing – Purchase Orders: Maintenance Authorization
M_BEST_ANZ MM Purchasing: Purchase Orders: Display Authorization
M_EBEL_ANZ MM Purchasing – Display Order Documents
M_EINF_ALL MM Purchasing: Info Records: Maintenance Authorization
M_EINF_ANZ MM Purchasing: Info Records: Display Authorization
M_EINK_ALL MM Purchasing – Complete: Maintenance Authorizations
M_EINK_ANZ MM Purchasing – Complete: Display Authorizations
M_LPET_ALL MM Purchasing: Sched. Agmt. Delivery Schedules: Maint.Auth.
M_LPET_ANZ MM Purchasing: Sched. Agmt. Delivery Schedules: Displ. Auth.
M_RAHM_ALL MM Purchasing: Outline Agreements: MaintenanceAuthorization
M_RAHM_ANZ MM Purchasing: Outline Agreement: Display Authorization
M_SRV_ALL Service Master Data: All Authorizations
Standard Authorization Objects
The following table shows the security-relevant authorization objects used by the components Purchasing and Service Industries.
Standard Authorization Objects: Purchasing, Service Industries
Authorization Object Description
M_AMPL_ALL Approved Manufacturer Parts List
M_AMPL_WRK Approved Manufacturer Parts List - Plant
M_ANFR_BSA Document Type in RFQ
M_ANFR_EKG Purchasing Group in RFQ
M_ANFR_EKO Purchasing Organization in RFQ
M_ANFR_WRK Plant in RFQ
M_ANGB_BSA Document Type in Quotation
M_ANGB_EKG Purchasing Group in Quotation
M_ANGB_EKO Purchasing Organization in Quotation
M_ANGB_WRK Plant in Quotation
M_BANF_BSA Document Type in Purchase Requisition
M_BANF_EKG Purchasing Group in Purchase Requisition
M_BANF_EKO Purchasing Organization in Purchase Requisition
M_BANF_FRG Release Code in Purchase Requisition
M_BANF_WRK Plant in Purchase Requisition
M_BEST_BSA Document Type in Order
M_BEST_EKG Purchasing Group in Purchase Order
M_BEST_EKO Purchasing Organization in Purchase Order
M_BEST_WRK Plant in Purchase Order
M_EINF_EKG Purchasing Group in Purchasing Info Record
M_EINF_EKO Purchasing Organization in Purchasing Info Record
M_EINF_WRK Plant in Purchasing Info Record
M_EINK_FRG Release Code and Group (Purchasing)
M_LFM1_EKO Purchasing Organization in Vendor Master Record
M_LIBE_EKO Vendor Evaluation
M_LPET_BSA Document Type in Scheduling Agreement Delivery Schedule
M_LPET_EKG Purchasing Group in Scheduling Agreement Delivery Schedule
M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
M_LPET_WRK Plant in Scheduling Agreement Delivery Schedule
M_ORDR_EKO Purchasing Organization in Source List
M_ORDR_WRK Plant in Source List
M_QUOT_EKO Purchasing Organization (Quotas)
M_QUOT_WRK Plant (Quotas)
M_RAHM_BSA Document Type in Outline Agreement
M_RAHM_EKG Purchasing Group in Outline Agreement
M_RAHM_EKO Purchasing Organization in Outline Agreement
M_RAHM_WRK Plant in Outline Agreement
M_SRV_LS Authorization for Maintenance of Service Master
M_SRV_LV Authorization for Maintenance of Model Serv. Specifications
M_SRV_ST Authorization for Maintenance of Standard Service Catalog
S_ME_SYNC Mobile Engine: Synchronization of Offline Applications
V_KONH_EKO Purchasing Organization in Master Condition
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. All special aspects that are relevant for the network and communication security of the components Purchasing (MM-PUR) and Service Industries (MM-SRV) are described below. See also the information about SAP ECC under Network and Communication Security [page 18].
Communication Channel Security
The table below shows the communication paths used by the Purchasing and Service Industries components, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC system – Non-SAP system | RFC, HTTP | Application data/IDocs (messages for store order, store goods receipt, outgoing purchase order) | -
SAP ECC system – Adobe Document Services (ADS) | HTTP | Application data (printer output from ERP purchasing, for example, purchase order printout) | Price, delivery and payment conditions, and contract numbers, for example, should be transferable in encrypted form. The necessary security measures depend on whether you have installed ADS behind or in front of the firewall.
Supplier Portal (mySAP Supplier Relationship Management) → SAP ECC system | RFC, HTTP | Application data (purchase order confirmations) for Supplier Self-Service (SUS) | Quantities, dates, prices
SAP ECC system – SAP APO system | RFC | Application data (conditions/purchase orders) | Depends on whether you have placed SAP SCM and SAP ECC in front of, or behind, the firewall.
SAP ECC system – SAP SCM system (Event Manager) | RFC | Application data | Quantities, dates
You can protect RFC connections using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information about encryption, see:
● General information about encryption: SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security
● Encryption of ALE data: SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)
● Encryption via SUS output: mySAP SRM application security guide on SAP Service Marketplace at service.sap.com/securityguide → mySAP Supplier Relationship Management (SRM) Security Guide → Network and Communication Security
For more information about communication channel security between SAP ECC systems and SAP Supply Chain Management systems (SAP SCM systems), see the SAP SCM security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide → Network and Communication Security.
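Both this section and the Communication Channel Security section for Joint Venture Accounting above state that DIAG and RFC connections can be protected with SNC and HTTP connections with SSL. Whether a given instance actually enforces that is decided by its profile parameters, so a practitioner's first check is to read them. The following added example, not SAP code, audits an instance profile for the SNC and ICM settings involved. The two profile texts are constructed samples; the parameter names (snc/enable, snc/data_protection/min, snc/accept_insecure_gui, snc/accept_insecure_rfc, icm/server_port_<n>) are the standard NetWeaver profile parameters, and treating an absent snc/accept_insecure_* flag as 0 is an assumption to be verified against the defaults of your release.

```python
"""Audit an SAP instance profile for the transport-protection settings the guide
refers to: SNC for DIAG/RFC, SSL/TLS for HTTP. Added example, not SAP code; the
profile texts are constructed samples."""
import re

# Constructed profile of an unhardened instance: SNC off, plaintext HTTP port open.
WEAK_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = EC1
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
"""

# Constructed profile with SNC enforced at privacy level and only HTTPS exposed.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = EC1
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines; comments and blanks are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def icm_ports(params):
    """Return [(protocol, port)] for every icm/server_port_<n> parameter."""
    ports = []
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            fields = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            ports.append((fields.get("PROT", "").upper(), fields.get("PORT", "")))
    return ports


def audit_profile(text):
    """Return a list of findings; an empty list means no weak setting was detected."""
    p = parse_profile(text)
    findings = []

    if p.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: DIAG and RFC traffic is not protected by SNC")
    else:
        # Assumption: an absent snc/accept_insecure_* flag is treated as 0 here.
        for flag in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
            if p.get(flag, "0") == "1":
                findings.append(f"{flag} = 1: unprotected logons still accepted although SNC is enabled")
        level = p.get("snc/data_protection/min")
        if level is None:
            findings.append("snc/data_protection/min not set explicitly: verify that privacy (3) is enforced")
        elif not level.isdigit() or int(level) < 3:
            findings.append(f"snc/data_protection/min = {level}: below privacy level 3, payload not encrypted")

    ports = icm_ports(p)
    for prot, port in ports:
        if prot == "HTTP":
            findings.append(f"icm/server_port: plaintext HTTP on port {port}")
    if not any(prot == "HTTPS" for prot, _ in ports):
        findings.append("no icm/server_port with PROT=HTTPS: browser traffic cannot use SSL")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, "->", audit_profile(profile) or ["no findings"])
```

Point audit_profile at the instance profile of each application server in the landscape; a non-empty result for any of them means the channels in the tables above are not protected the way the guide assumes.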
Data Storage Security
Check whether the conditions are classified as sensitive data. You can protect conditions with the following authorization objects:
Authorization Objects for Conditions
Authorization Object Description
V_KONH_EKO Purchasing Organization in Master Condition
V_KONH_VKS Condition: Authorization for Condition Types
Inventory Management (MM-IM): Authorizations
Standard Roles
The following table shows the standard roles that you can use for the Inventory Management (MM-IM) component.
Standard Roles
Role Description
SAP_MM_IM_ARCHIVING Archive Material Documents
SAP_MM_IM_BALANCE_LIST GR/IR Balance List
SAP_MM_IM_CYCLE_COUNTING Cycle Counting
SAP_MM_IM_DISPLAY List Display
SAP_MM_IM_GM_FOR_RETAIL Goods Movement (Retail)
SAP_MM_IM_GOODS_MOVEMENTS Goods Movement
SAP_MM_IM_GOODS_MOVEMENT_EMPTY Goods Movement
SAP_MM_IM_INVENTORY_ARCHIVE Physical Inventory Archiving
SAP_MM_IM_INVENTORY_CONTROL Physical Inventory
SAP_MM_IM_INVENTORY_EXECUTION Physical Inventory Execution
SAP_MM_IM_INVENTORY_REPORTING Physical Inventory - Reporting
SAP_MM_IM_INVENTORY_SAMPLING Physical Inventory Sampling
SAP_MM_IM_PERIODIC_PROCESSING Periodic Processing
SAP_MM_IM_REPORTS Reports
SAP_MM_IM_RESERVATION_MAINTAIN Reservations
SAP_MM_IM_VENDOR_CONSIGNMENT Vendor Consignment
Standard Authorization Objects
The following table shows the standard authorization objects that you can use for theInventory Management (MM-IM) component.
Standard Authorization Objects: Inventory Management
Authorization Object Description
M_ISEG_WDB Phys. Inv: Difference Posting in Plant
M_ISEG_WIB Phys. Inv: Phys. Inv Document in Plant
M_ISEG_WZL Phys. Inv: Count in Plant
M_ISEG_WZB Phys. Inv: Count and Difference Posting inPlant
M_MSEG_BMB Material Documents: Movement Type
M_MBNK_ALL Material Documents: Number RangeMaintenance
M_MSEG_WMB Material Documents: Plant
M_MRES_BWA Reservations: Movement Type
M_MRES_WWA Reservations: Plant
M_MWOF_ACT Control for Split Valuation of Value (MBWO)
M_SKPF_VGA Inventory Sampling: Transaction
M_SKPF_WRK Inventory Sampling: Plant
M_MSEG_BWA Goods Movement: Movement Type
M_MSEG_LGO Goods Movement: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_BWF Goods Receipt for Production Order:Movement Type
M_MSEG_WWF Goods Receipt for Production Order: Plant
M_MSEG_BWE Goods Receipt for Purchase Order: MovementType
M_MSEG_WWE Goods Receipt for Purchase Order: Plant
Logistics Invoice Verification (MM-IV): Authorizations
Standard Roles
The following table shows the standard roles that you can use for the Logistics Invoice Verification (MM-IV) component.
Standard Roles: Logistics Invoice Verification
Role Description
SAP_MM_IV_CLERK_AUTO Automatic Settlements
SAP_MM_IV_CLERK_BATCH1 Enter Invoices for Verification in theBackground
SAP_MM_IV_CLERK_BATCH2 Manual Processing of Invoices Verified in theBackground
SAP_MM_IV_CLERK_GRIR_MAINTAIN GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_GRIR_MAITAIN GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_ONLINE Online Invoice Verification
SAP_MM_IV_CLERK_PARK Park Invoices
SAP_MM_IV_CLERK_RELEASE Invoice Release
SAP_MM_IV_SUPPLIER_FINANCE Settlement Information for Vendor (ExternalSupplier) on the Internet
Standard Authorization Objects
The following table shows the standard authorization objects that you can use for theLogistics Invoice Verification (MM-IV) component.
Standard Authorization Objects: Logistics Invoice Verification
Authorization Object Description
M_RECH_WRK Invoices: Plant
M_RECH_AKZ Invoices: Accept Invoice VerificationDifferences Manually
M_RECH_EKG Invoice Release: Purchasing Group
M_RECH_SPG Invoices: Blocking Reasons
Product Lifecycle Management (PLM)
Authorizations
The applications in Product Lifecycle Management (PLM) use the following objects for the authorization checks:
● Composite roles
● Standard roles
● Profiles
● Authorization objects
Composite roles
The following table shows the composite roles used by applications in PLM.
Composite Role Description
SAP_EHS_IHS_SPECIALIST Industrial Hygiene and Safety Professional
SAP_WP_BD_ADMIN EH&S Administrator
Standard roles
The following tables show the standard roles used by applications in PLM.
Roles: Cross-Application (CA)
Role Description
SAP_CA_CL_DISPLAY Product Data Management – Display ClassificationInformation
SAP_CA_CL_MAINTAIN Product Data Management: Classification
SAP_CA_DMS_ADMIN Administration Tasks in DMS
SAP_CA_DMS_DISPLAY Product Data Management: Displaying Documents
SAP_CA_DMS_MAINTAIN Product Data Management: Classification
SAP_CA_NO_NOTIF_GENERAL General Notification Processing
SAP_CA_NO_NOTIF_ISR Creation of Internal Service Request
SAP_CA_NO_NOTIFVIAWEB_EXT General Notification Creation on Web
SAP_CA_NO_NOTIFVIAWEB_INT General Notification Creation on the Web - Link
Roles: Customer Service (CS)
Role Description
SAP_CS_AG_CUST_ORDER_COMPLETE Processing of Sales Order Settlement and BillingDocument
SAP_CS_AG_CUST_ORDER_DISPLAY Display of Service Agreements, Sales Orders and Billing Documents
SAP_CS_AG_CUST_ORDER_PROCESS Processing of Sales Order and Customer RepairOrder
SAP_CS_AG_PROCESS Processing of Service Agreements
SAP_CS_AG_WARRANTIES_DISPLAY Display Warranties
SAP_CS_AG_WARRANTIES_PROCESS Processing of Warranties
SAP_CS_CI_ADMIN Customer Interaction Center Administration
SAP_CS_CI_AGENT Customer Interaction Center (Front Office)
SAP_CS_CI_INFOSYSTEM Contact History for Groups and Agents
SAP_CS_CM_SOL_DATA_BASE_PROC Processing of Solution Database
SAP_CS_IB_INSTALLED_BASE_DISPL Display of Installed Base
SAP_CS_IB_INSTALLED_BASE_PROC Processing of Installed Base
SAP_CS_SE_DISPLAY_NOTIF_ORDERS Display of Service Notifications and Orders
SAP_CS_SE_PROCESS_NOTIF_ORDERS Processing of Service Notifications and Orders
Roles: Environment, Health & Safety (EH&S)
Role Description
SAP_EHS_BD_UTIL Tools
SAP_EHS_DGP_DATABASEFILLING Dangerous Goods Master Filling
SAP_EHS_DGP_DATASENDING Data Distribution – Dangerous Goods
SAP_EHS_DGP_DATATRANSFER Data Transfer, External – Dangerous Goods
SAP_EHS_DGP_DISPLAYLIST Dangerous Goods Master Lists
SAP_EHS_DGP_MASTERDATA Dangerous Goods Master Management
SAP_EHS_DGP_MASTERDATASHOW Dangerous Goods Master Information
SAP_EHS_DGP_PHRASES Dangerous Goods Text Module Management
SAP_EHS_DGP_REPORTINFO Report Information System – DangerousGoods
SAP_EHS_DGP_SUBSTANCEDATA Dangerous Goods Basic Data Management
SAP_EHS_HSM_AGENT Agent
SAP_EHS_HSM_INFO Reporting
SAP_EHS_HSM_LABEL Global Label Management
SAP_EHS_HSM_MATERIA Material
SAP_EHS_HSM_REPORT Report
SAP_EHS_HSM_SUBSTANCE Substance
SAP_EHS_HSM_WORKAREA Work Area
SAP_EHS_IHS_AGENT Agent Management
SAP_EHS_IHS_AMOUNTDETERMIATION Amount Determination
SAP_EHS_IHS_BUSINESSPARTNER Business Partners – Industrial Hygiene andSafety
SAP_EHS_IHS_EXPOSURELOG Exposure Log
SAP_EHS_IHS_INCIDENTLOG Incident/Accident Management
SAP_EHS_IHS_INFOSYSTEM Industrial Hygiene and Safety Reporting
SAP_EHS_IHS_INJURYLOG Injury/Illness Log
SAP_EHS_IHS_PHRASES Phrase Management – Industrial Hygiene and Safety
SAP_EHS_IHS_REPORTINFO Report Information System – Industrial Hygieneand Safety
SAP_EHS_IHS_RISKASSESSMENT Risk Assessment
SAP_EHS_IHS_SERVICE Service
SAP_EHS_IHS_WORKAREA Industrial Hygiene and Safety Professional
SAP_EHS_OH_AMBSERV Work Area Management
SAP_EHS_OH_ASSIGN Person Assignment
SAP_EHS_OH_BUPT Business Partners – Occupational Health
SAP_EHS_OH_EVAL Reporting
SAP_EHS_OH_EVAL_NEW Reporting
SAP_EHS_OH_EXAM Examinations and Tests
SAP_EHS_OH_IMPORT Medical Data Import
SAP_EHS_OH_INJURYLOG Incident/Accident Log and Injury/Illness Log
SAP_EHS_OH_MEDSERV Medical Services
SAP_EHS_OH_PERSSEL Person Selection and Scheduling
SAP_EHS_OH_QUEST Question Catalogs and Questionnaires
SAP_EHS_OH_SERVICE Industrial Hygiene and Safety Link
SAP_EHS_OH_SET Current Settings
SAP_EHS_SAF_UTIL Tools
SAP_EHS_SAF_SUBSTANCESHOW Specification Display
SAP_EHS_SAF_SUBSTANCEINFO Specification Information System
SAP_EHS_SAF_SUBSTANCEDATA Substance
SAP_EHS_SAF_REPORTSHOW EH&S Report Information System
SAP_EHS_SAF_REPORTSHIPPING Report Shipping
SAP_EHS_SAF_REPORTINFO Report Information System – Product Safety
SAP_EHS_SAF_REPORTGENERATION Report Definition
SAP_EHS_SAF_REPORTEDIT Report
SAP_EHS_SAF_PHRASES Phrase Management – Product Safety
SAP_EHS_SAF_LABEL Global Label Management
SAP_EHS_SAF_DATATRANSFER Data Transfer, External – Product Safety
SAP_EHS_SAF_DATASENDING Data Distribution
SAP_EHS_SAF_BOMBOS Bill of Materials Composition
SAP_EHS_WA_BUSINESSPARTNER Waste Management Business Partner
SAP_EHS_WA_DATATRANSFER Data Transfer, External – Waste Management
SAP_EHS_WA_DISPOSAL_DOCUMENTS Disposal Documents
SAP_EHS_WA_DISPOSAL_PROCESSING Disposal Processing
SAP_EHS_WA_EHSW_1 Report Tree – Waste Management
SAP_EHS_WA_INFOSYSTEM Waste Information System
SAP_EHS_WA_REPORTEDIT Report Management - Waste Management
SAP_EHS_WA_REPORTGENERATION Report Creation – Waste Management
SAP_EHS_WA_REPORTSHIPPING Report Shipping - Waste Management
SAP_EHS_WA_WASTE_SPEZIFICATION Master Data - Specification
SAP_EHS_WA_WASTECODE Waste Codes
SAP_EHS_WA_WASTEINFO Waste Information
SAP_WP_BD_ADMIN EH&S Administrator
SAP_WP_DG_SPECIALIST Dangerous Goods Specialist
SAP_WP_HSM_SPECIALIST Hazardous Substance Manager
SAP_WP_IHS_SPECIALIST Industrial Hygiene and Safety Professional
SAP_WP_OH_PHYSICIAN Occupational Physician
SAP_WP_PS_SPECIALIST Product Safety Specialist
Roles: Logistics (LO)
Role Description
SAP_LO_ECH_MAINTAIN Engineering Change Management
SAP_LO_EMPLOYEE Employee Self-Service (LO)
SAP_LO_MD_BOM_DISPLAY Complete BOM Display
SAP_LO_MD_BOM_MAINTAIN Complete BOM Processing
SAP_LO_MD_CUSTOMER_DISPLAY Display Customer Master
SAP_LO_MD_CUSTOMER_MAINTAIN Customer Master Maintenance
SAP_LO_MD_MBOM_MAINTAIN Material BOM Processing
SAP_LO_MD_MM_MATERIAL_DISPLAY Display Material Master Data
SAP_LO_MD_MM_MATERIAL_DISPLAY Maintain Material Master
SAP_LO_MD_OBOM_MAINTAIN Order BOM Processing
SAP_LO_MD_PBOM_MAINTAIN WBS BOM Processing
SAP_LO_MD_SERIAL_NO_DISPLAY Display of Serial Numbers
SAP_LO_MD_SERIAL_NO_PROCESS Processing of Serial Numbers
SAP_LO_MD_VENDOR_DISPLAY Display Vendor Master
SAP_LO_MD_VENDOR_MAINTAIN Vendor Master Maintenance
SAP_LO_PP_RTG_DISPLAY Routing Display
SAP_LO_PP_RTG_MAINTAIN Routing Maintenance
SAP_LO_VC_DEP_MAINTAIN Variant Configuration Modeling
SAP_LO_VC_ESALES Connection to CRM
SAP_LO_VC_MAINTAIN Complete Variant Configuration
SAP_LO_VC_ORDER_PROC Order Processing – Variant Configuration
SAP_LO_VC_SIMULATION Variant Configuration Simulation
Roles: Plant Maintenance (PM)
Role Description
SAP_PM_ALM_ME_ADMINISTRATOR Asset Life-Cycle Management - Administrator (Mobile Engine)
SAP_PM_ALM_ME_ENGINEER Asset Life-Cycle Management - Administrator (Mobile Engine)
SAP_PM_DATATRANSFER Data Transfer and Download Structure for Plant Maintenance
SAP_PM_EQM_BILL_OF_MAT_DISPL Display of Bill of Material
SAP_PM_EQM_BILL_OF_MAT_PROC Processing of Bill of Material
SAP_PM_EQM_EQUIPMENT_DISPLAY Display of Equipment
SAP_PM_EQM_EQUIPMENT_PROCESS Processing of Equipment
SAP_PM_EQM_FUNC_LOC_DISPLAY Display of Functional Location
SAP_PM_EQM_FUNC_LOC_PROCESS Processing of Functional Location
SAP_PM_EQM_ME_READ_LIST_DISPL Display of Measurement Reading Entry List
SAP_PM_EQM_ME_READ_LIST_PROC Processing of Measurement Reading Entry List
SAP_PM_EQM_MEAS_POINTS_DISPLAY Display of Measuring Points
SAP_PM_EQM_MEAS_POINTS_PROCESS Processing of Measuring Points
SAP_PM_EQM_PERMITS_ISSUE_DISPL Issue and Display of Permits
SAP_PM_EQM_PERMITS_PROCESS Processing of Permits
SAP_PM_EQM_PROCESS_OBJECT_LINK Processing of Object Link
SAP_PM_EQM_PROD_RESOURC_DISPL Display of Production Resources and Tools
SAP_PM_EQM_PROD_RESOURC_PROC Processing of Production Resources and Tools
SAP_PM_EQM_REF_FUNC_LOC_PROC Processing of Reference Location
SAP_PM_EQM_WORK_CENT_EVALUATE Evaluation of Work Centers
SAP_PM_EQM_WORK_CENTERS_DISPL Display of Work Centers
SAP_PM_EQM_WORK_CENTERS_PROC Processing of Work Centers
SAP_PM_IS_INFO-SYSTEM_CONFIG Configuration of Information System
SAP_PM_IS_TASKS_ANALYSIS_PERF Execution of Analyses
SAP_PM_PRM_MAIN_PLANS_DISPLAY Display of Maintenance Plans
SAP_PM_PRM_MAIN_PLANS_REV_PROC Processing of Maintenance Plans and Revisions
SAP_PM_PRM_MAIN_PLANS_SCHEDULE Scheduling of Maintenance Plans
SAP_PM_PRM_TASKS_LISTS_DISPLAY Display of Task Lists
SAP_PM_PRM_TASKS_LISTS_PROCESS Processing of Task Lists
SAP_PM_WOC_COMP_CONF_DIS Display of Completion Confirmation
SAP_PM_WOC_COMP_CONF_PROC_CANC Processing and Cancellation of Completion Confirmation
SAP_PM_WOC_CONF_POSTPROC Postprocessing of Completion Confirmation
SAP_PM_WOC_HISTORICAL_ORD_DISP Display of Historical Orders
SAP_PM_WOC_HISTORICAL_ORD_PROC Processing of Historical Orders
SAP_PM_WOC_MEAS_DOC_DISPLAY Display of Measurement Documents
SAP_PM_WOC_MEAS_DOC_MAINTAIN Processing of Measurement Documents
SAP_PM_WOC_NOTIFICATION_DISPL Display of Notification
SAP_PM_WOC_NOTIFICATION_PP Creation of Notification
SAP_PM_WOC_NOTIFICATION_PROC Processing of Notification
SAP_PM_WOC_ORDER_DISPLAY Display of Order
SAP_PM_WOC_ORDER_PROCESS Processing of Order
SAP_PM_WOC_ORDER_SCHEDULE Scheduling of Order
SAP_PM_WOC_PROCESS_PLANNING Resource Planning
SAP_PM_WOC_REFURBISHM_ORD_PROC Processing of Refurbishment Order
SAP_PM_WOC_WCM_ENGINEER Safety Engineer
SAP_PM_WOC_WCM_INFO Information Functions for Work Clearance Management
SAP_PM_WOC_WCM_PLANNER Work Clearance Planner
SAP_PM_WOC_WCM_REQUESTER Work Clearance Requester
SAP_PM_WOC_WORK_MANAGEMENT Work Management in Plant Maintenance and Customer Service
Roles: Project System
Role Description
SAP_PS_ARCHIVING Archive Project Data
SAP_PS_BASIC_WRKPL Work Center Master Data
SAP_PS_BASIC_WRKPL_DISPL Display Work Center Master Data
SAP_PS_BUDGET_PROJ Project Budgeting
SAP_PS_CLAIM Collaboration
SAP_PS_CEP Claim Management
SAP_PS_CO_MODEL_PROJ Allocation Templates
SAP_PS_CONFIRM Confirm
SAP_PS_DATES Project Dates
SAP_PS_DATES_DISPLAY Display Project Dates
SAP_PS_DOCUMENTS Documents
SAP_PS_DOCUMENTS_DISPLAY Display Documents
SAP_PS_EXECUTE_CO_REPORTS Execute Controlling Reports
SAP_PS_FUNDS_COMMITMENT Display Project Dates
SAP_PS_GROUPING Requirements Grouping
SAP_PS_LINE_MANAGER PS Input for the Line Manager Generic Role
SAP_PS_MASS_CHANGE Mass Change
SAP_PS_MATERIAL Material in Projects
SAP_PS_MATERIAL_DISPL Display Material in Projects
SAP_PS_MONITOR_MAT_DATES Monitoring Dates for Material
SAP_PS_OVERALL_CO_PLAN_PROJ Overall CO Planning for Projects
SAP_PS_PAYMENTS_ACTUAL Actual Project Payments
SAP_PS_PAYMENTS_PLAN Planned Project Payments
SAP_PS_PER_CO_PLAN_PROJ Periodic CO Planning for Projects
SAP_PS_PEREND_PROJ_COLL Period-End Closing – Collective Project Processing
SAP_PS_PEREND_PROJ_IND Period-End Closing – Individual Project Processing
SAP_PS_PEREND_PROJ_PAYMENT Payment Transfer to Period
SAP_PS_PEREND_PROJ_WLM Worklist for Period
SAP_PS_PERS_RES_EVAL Evaluate Personnel Resources
SAP_PS_PERS_RES_PLAN Plan Personnel Resources
SAP_PS_PROGRESS Progress Determination
SAP_PS_PROJ_YEAREND Year-End Closing for Projects
SAP_PS_REP_CLAIM Claim Reports
SAP_PS_REP_COST_SUMMARIZ Summarized Cost Reports
SAP_PS_REP_COSTS Cost Reports
SAP_PS_REP_LINE_ITEM Line Item Reports
SAP_PS_REP_MATERIAL Material Reports
SAP_PS_REP_PAYMENTS Payment Reports
SAP_PS_REP_PROGRESS Progress Reports
SAP_PS_REP_REVENUES Revenue and Profitability Reports
SAP_PS_REP_STRUCT Structure Reports
SAP_PS_REP_TOOLS Information System - Tools
SAP_PS_RM_ADMINISTRATOR Administrator for Public Sector Records Management
SAP_PS_RM_HEAD Manager Public Sector Records Management
SAP_PS_RM_REGISTRAR Recorder for Public Sector Records Management
SAP_PS_RM_USER Processor Public Sector Records Management
SAP_PS_SALES_PRICING Calculate Sales Price
SAP_PS_STD_STRUCT Standard Structures
SAP_PS_STD_STRUCT_DISPL Display Standard Structures
SAP_PS_STRUCT Project Structures
SAP_PS_STRUCT_DISPL Display Project Structures
SAP_PS_TRANSFER_PRICE_ACTUAL Actual Transfer Prices
SAP_PS_TRANSFER_PRICE_PLAN Plan Transfer Prices
Roles: Quality Management (QM)
Role Description
SAP_QM_ADMIN Administrator
SAP_QM_BATCH_INFO Display of Batch Data
SAP_QM_CA_CERTVIAWEB_EXT Processing Certificates on the Web
SAP_QM_CA_CERTVIAWEB_INT Link: Certificates on the Web
SAP_QM_CA_INCOMING_CERT Monitoring of Certificate Receipt
SAP_QM_CA_OUTCERT_MAINT Administration of Certificate Master Data
SAP_QM_CA_OUTGOING_CERT Creation of Certificates in Sales and Distribution
SAP_QM_IM_COSTS Administration of QM Orders
SAP_QM_IM_COSTS_DISPLAY Display of Quality-Related Costs
SAP_QM_IM_DEFECTS_REC Defects Recording
SAP_QM_IM_LOT_COMPLETION Inspection Lot Completion
SAP_QM_IM_LOT_MAINTAIN Processing of Inspection Lots
SAP_QM_IM_QMANAG_WORKLIST Worklist for Quality Managers
SAP_QM_IM_QPLANNER_INSP Inspection Processing by Quality Planner
SAP_QM_IM_RES_REC Results Recording
SAP_QM_IM_RESULTSVIAWEB_EXT Results Recording on the Web
SAP_QM_IM_RESULTSVIAWEB_INT Link: Results Recording on the Web
SAP_QM_IM_SAMPLE Sample Management
SAP_QM_IT_CALIB_INFO Calibration Information
SAP_QM_IT_CALIB_INSP Calibration Inspection
SAP_QM_IT_CALIB_PLANNING Calibration Planning
SAP_QM_IT_CALIB_PROCUREMENT Procurement of Test Equipment
SAP_QM_IT_EQUI_MAINTAIN Maintenance of Test Equipment
SAP_QM_IT_PM_NOTIF Processing of Maintenance Notifications
SAP_QM_PP_OPERATOR Production Worker
SAP_QM_PP_SUPERVISOR Production Supervisor
SAP_QM_PT_BASIC_DATA Maintenance of Basic Data
SAP_QM_PT_CHANGE_MANAG_DISPLAY Change Management - Display
SAP_QM_PT_IPLANNING Inspection Planning
SAP_QM_PT_LOG_MASTER_DISPLAY Logistics Master Data - Display
SAP_QM_PT_LOG_MASTER_MAINT Logistics Master Data - Edit
SAP_QM_PT_MAT_MANAG_DISPLAY Display of Materials Management Information
SAP_QM_PT_QMANAG_MASTER_DISP Display of Logistics Master Data for Quality Managers
SAP_QM_QC_CONTROL_ALL General Quality Control
SAP_QM_QC_QMIS Quality Evaluations (QMIS)
SAP_QM_QC_QMIS_ALL General Quality Evaluations (QMIS)
SAP_QM_QMANAG_GR Quality Manager – Goods Receipt
SAP_QM_QMANAG_PP Quality Manager - Production
SAP_QM_QN_NOTIF_BASIC Extended Processing of Notifications
SAP_QM_QN_NOTIF_DISPLAY Display of Quality Notifications
SAP_QM_QN_NOTIF_MAINT Processing of Notifications
SAP_QM_QN_NOTIFVIAWEB_EXT Notifications on the Web – Processing
SAP_QM_QN_NOTIFVIAWEB_INT Link: Notifications on the Web
SAP_QM_QN_TASK_MAINT Processing of Tasks
SAP_QM_QN_TASK_PROCESSOR Task Processor
Roles: General
Role Description
SAP_MM_SE_CLERK Service Entry Clerk
SAP_PLMIFO_MAT_MAINTAIN Material Master Maintenance plus RFC Authorization
SAP_PP_BD_RTG_DISPLAY Routing Display
SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance
SAP_PP_PS_PRT Project System – Production Resources/Tools
SAP_PP_SFC_OCM Production Order - Order Change Management
Profiles
The following table shows the profiles used by applications in PLM. For some applications there are several profiles that begin with the same character string. In this case, the table lists the starting character string followed by the wildcard character * (wild card). You can display all the profiles in the profile list (transaction SU02).
Profile Description
B_MASSMAIN Mass maintenance tool
C_A.AV Composite profile for person in charge of work scheduling
C_A.KONSTRUK Composite profile for person in charge of engineering/design
C_AENR_* List of profiles for change management
C_ALL PP: All authorizations for master data/classif. system
C_CAP_ALL All authorizations for standard value calculation with CAPP
C_CV_ALL All authorizations for Document Management
C_EHSH_* List of profiles for occupational health
C_EHSH_* List of profiles for EH&S
C_FHMI_* List of profiles for production resources/tools
C_MSTL_* List of profiles for material BOMs
C_PS_* List of profiles for Project Systems
C_ROUT_* List of profiles for task lists
C_SHE_* List of profiles for EH&S
E_CS_* List of profiles for EC-CS
I_PM_* List of profiles for Plant Maintenance
M_* List of profiles for Materials Management
Q_* List of profiles for Quality Management
Z_CUSMM01 Maintain Customizing for MM
Z_CUSMM02 Display Customizing for MM
Z_CUSPM01 Maintain Customizing for PM
Z_CUSPM02 Display Customizing for PM
Z_CUSPP01 Maintain Customizing for PP
Z_CUSPP02 Display Customizing for PP
Z_CUSPS01 Maintain Customizing for PS
Z_CUSPS02 Display Customizing for PS
Z_CUSQM01 Maintain Customizing for QM
Z_CUSQM02 Display Customizing for QM
Authorization objects
All the authorization objects of an application are grouped into one object class. You can display the authorization objects in Role Maintenance (transaction PFCG) by choosing Environment → Authorization Objects → Display.
The following table shows the object classes for the authorization objects used by applications in PLM.
Object Classes for Authorization Objects
Object Class Description
CLAS Classification
CV Document Management
EHS EH&S
LO Logistics - General
Exclusively the authorization objects for the variant configuration (character string C_LOVC_*).
MM_G Materials Management – Master Data
MM_S Materials Management – External Services
PM Plant Maintenance
PP Production Planning
Authorization objects for the following applications:
• Change management (character string C_AENR_*)
• Task lists (character string C_ROUT*)
• BOMs (character string C_STUE_*)
PS Project System
QA Quality Management
Communication Destinations
The SAP standard system does not supply any communication destinations for Product Lifecycle Management (PLM). In the area of CAD integration, an external CAD system starts communication with the SAP system. A callback calls the SAP system back. This communication takes place via Remote Function Call (RFC).
Important SAP Notes
Note the following SAP Notes with security-related information.
SAP Note Short Text
13128 General info on authorizations in Project System
24441 CR134 No authorization to reflect change in HR
35100 Changing BOMs with hist. requirement w/o change no.
40586 No authorization for maintaining view V_QDEB
61886 SAP enhancement CNEX0002: No authorization
67713 Authorization check in routing with C_ROUT
192748 Creating PM order for notif. w/o IW34 authorization
198079 No check of authorization S_TCODE for CALL
327801 IW22: Authorization K_ORDER
332997 PS-IS: Authorization check for BEBD
368574 PM/CS Authorization Check
371269 ECH: Authorizations for Customizing parameter
379041 Authorization check for multi-level equipment list
385510 Authorization for EDI translator/middleware
407758 Authorization for evaluations of notifications
414858 Authorization check for mass change
420878 BOM change without change number possible
424731 Component assignment without BOM history
426494 Differentiation of history requirement
457086 OINI: No authorization for changing
522426 Consulting: Authorizations in the Project System
532231 Data transfer and authorization concept
554415 FAQ 2: Authorization check
555812 CDESK: CAD desktop: Required authorizations
558586 Authorization check for mass change II
568313 CJ20N, CN22: General layout
568522 Undoing changes in BOM
569048 Undoing changes in BOM
638781 Project authorization via partner functions
671580 PS Cash Management: Customizing for commitment items
755020 Authorization check for EHS.report & report template
Manufacturing
Authorizations
The applications in Manufacturing use the following objects for the authorization checks:
● Standard Roles
● Profile
● Authorization Objects
Standard Roles
The following table shows the standard roles used by applications in Manufacturing.
Roles: Basic Data
Role Description
SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance
SAP_PP_BD_WKC_DISPLAY Work Center Display
SAP_PP_BD_WKC_MAINTAIN Work Center Maintenance
SAP_PP_MATERIAL_MANAGEMENT Materials Management Production
SAP_PP_PS_PRT Project System – Production Resources/Tools
SAP_LO_PP_RTG_DISPLAY Routing Display
SAP_LO_PP_RTG_MAINTAIN Routing Maintenance
SAP_LO_PP_WRKC_DISPLAY Work Center Display
SAP_LO_PP_WRKC_MAINTAIN Work Center Maintenance
Roles: Capacity Planning (PP-CRP)
Role Description
SAP_PP_CAPA_PLAN Plan Capacities
SAP_PP_CAPA_PLAN Evaluate Capacity Planning
Roles: Kanban (PP-KAB)
Role Description
SAP_PP_KAB_CONTROL KANBAN Control
SAP_PP_KAB_REPORTING KANBAN Evaluation
Roles: Production Planning (PP-MP)
Role Description
SAP_PP_MP_FORECAST Material Forecast
SAP_PP_MP_LONG_TERM_PLANNING Long-Term Planning
SAP_PP_MP_MPS_PLANNING Master Production Scheduling
Roles: Requirements Planning (PP-MRP)
Role Description
SAP_PP_MRP_COORDINATION MRP PP - Coordination
SAP_PP_MRP_EVALUATIONS MRP PP - Evaluation
SAP_PP_MRP_MASTER_DATA MRP PP – Master Data
SAP_PP_MRP_PLANNED_ORDER MRP PP – Planned Order
SAP_PP_MRP_PLANNING MRP PP – Planning Execution
Roles: Production Orders (PP-SFC)
Role Description
SAP_PP_SFC_CONFIRMATIONS Production Order - Confirmations
SAP_PP_SFC_GM Production Order – Goods Movements
SAP_PP_SFC_MAT_MANAGEMENT Production Order – Materials Management
SAP_PP_SFC_OCM Production Order - Order Change Management
SAP_PP_SFC_ORDER_EXCEPTIONS Production Order – Reprocessing
SAP_PP_SFC_ORDERS Production Order – Processing
SAP_PP_SFC_PERFORMANCE Production Order – Production Information System
SAP_PP_SFC_PRODUCTION_OPERATOR Production Operator in Production
SAP_PP_SFC_PRT Production Order – Production Resource/Tool
SAP_PP_SFC_WM Production Order - Warehouse Management
Roles: Repetitive Manufacturing (PP-REM)
Role Description
SAP_PP_REM_CONFIRMATION Repetitive Manufacturing - Backflushing
SAP_PP_REM_MASTERDATACHANGE Repetitive Manufacturing – Change Master Data
SAP_PP_REM_MASTERDATADISPL Repetitive Manufacturing – Display Master Data
SAP_PP_REM_PLANNING Repetitive Manufacturing - Planning
SAP_PP_REM_PRODUCTION Repetitive Manufacturing - Production
SAP_PP_REM_REPORTING Repetitive Manufacturing - Evaluations
Roles: Process Industries (PI)
Role Description
SAP_PP_PI_BATCH_RECORD_EXP Edit Batch Record
SAP_PP_PI_BATCH_RECORD_SUPER Approve Batch Record
SAP_PP_PI_CAPA_EVAL_STD Perform Capacity Evaluations
SAP_PP_PI_CAPACITY_EXP Edit Capacity
SAP_PP_PI_CTRL_RECIPE_EXP Monitor Control Recipe
SAP_PP_PI_CUST_PROCMGMT Customizing for Process Management
SAP_PP_PI_DOWNTIME_EXP Record Downtime
SAP_PP_PI_DOWNTIME_SUPER Settings for Downtimes
SAP_PP_PI_GOODS_MOVE_EXP Enter Goods Movement for Order
SAP_PP_PI_GOODS_MOVE_HU_EXP Enter Goods Movements with Handling Units
SAP_PP_PI_GOODS_MOVE_HU_SUPER Cancel Goods Movements with Handling Units
SAP_PP_PI_MA_BATCH_REC_WL_CUM MiniApp: Worklist for Batch Records - Accumulated
SAP_PP_PI_MA_PI_SHEET_WL_CUM MiniApp: Worklist for PI Sheets - Accumulated
SAP_PP_PI_MA_PROC_ORDER_WL_CUM MiniApp: Worklist for Process Orders - Accumulated
SAP_PP_PI_MASTER_RECIPE_EXP Edit Master Recipe
SAP_PP_PI_MASTER_RECIPE_STD Display Master Recipe
SAP_PP_PI_MAT_STAGING_EXP Execute Material Staging for Order
SAP_PP_PI_MAT_STAGING_STD Display Material Staging for Order
SAP_PP_PI_MFG_COCKPIT_1_EXP Edit Manufacturing Cockpit for Manager/Engineer
SAP_PP_PI_MFG_COCKPIT_2_EXP Edit Manufacturing Cockpit for Plant Manager
SAP_PP_PI_MPARTS_INFO_STD Evaluate Missing Parts Info System
SAP_PP_PI_ORDER_CONF_EXP Enter Order Confirmation
SAP_PP_PI_ORDER_CONF_STD Display Order Confirmation
SAP_PP_PI_ORDER_CONF_SUPER Correct Order Confirmations
SAP_PP_PI_ORDER_INFO_STD Evaluate Order Info System
SAP_PP_PI_ORDER_RECORD_EXP Store Order Record
SAP_PP_PI_ORDER_RECORD_STD Display Order Record
SAP_PP_PI_PI_SHEET_EXP Maintain PI Sheet
SAP_PP_PI_PI_SHEET_SUPER Check PI Sheet and Set to “Technically Complete”
SAP_PP_PI_PROC_MESSAGE_EXP Edit Process Message
SAP_PP_PI_PROC_ORDER_EXP_CHNG Change Process Order
SAP_PP_PI_PROC_ORDER_EXP_CREA Create Process Order
SAP_PP_PI_PROC_ORDER_STD Display Process Order
SAP_PP_PI_PROD_CAMPAIGN_EXP Edit Production Campaign
SAP_PP_PI_PROD_CAMPAIGN_STD Display Production Campaign
SAP_PP_PI_PROD_VERSION_EXP Edit Production Version
SAP_PP_PI_PROD_VERSION_STD Display Production Version
SAP_PP_PI_RESOURCE_EXP Edit Resource
SAP_PP_PI_RESOURCE_STD Display Resource
SAP_PP_PI_RESOURCE_SUPER Resource Settings
SAP_PP_PI_SF_INFO_STD Evaluate Shop Floor Information System
SAP_PP_PI_STD_TEXT_EXP Edit Standard Text
Profiles
The following table shows the profiles used by applications in Manufacturing.
Profile Description
C_KANBAN_ALL Profile with All Authorizations for KANBAN Production Control
C_KAPA_ALL PP: Capacity Planning
C_KAPA_ANZ PP Capacity Planning Display Authorizations
C_KAPA_CUST PP: Set & Variables Maintenance for Capacity Planning
C_LFPL_ALL Long-Term Planning: All Authorizations
C_MESS_ALL PP-PI Process Messages: All Authorizations
C_MREC_ALL PP-PI Master Recipe: Authorizations for All Transactions
C_MREC_CHA PP-PI Master Recipe: Change Authorization
C_MREC_CRE PP-PI Master Recipe: Create Authorization
C_MREC_MAT PP-PI Master Recipe: Material Master Update
C_MREC_RPL PP-PI Master Recipe: Authorization for Mass Replacement
C_MREC_SHO PP-PI Master Recipe: Display Authorization
C_MREC_USE PP-PI Master Recipe: Authorization for Where-Used Lists
C_MSTL_ALL PP Material BOMs: Maintenance and Display Authorizations
C_MSTL_ANZ PP Material BOMs: Display Authorizations
C_PBED_ANZ Display Profile for Demand Management
C_PB_ALL Maintenance and Display Authorizations for Demand Mgmt
C_PB_REO Authorization for Reorganization in Demand Management
C_POI_ALL All Authorizations for POI Interface
C_PPPI_ALL PP-PI: All Authorizations for Processing Manufacturing
C_PRCHAR_ALL PP-PI: All Authorizations for Ext. Access to Proc. Charact.
Authorization Objects
All the authorization objects of an application are grouped into one object class. You can display the authorization objects in Role Maintenance (transaction PFCG) by choosing Environment → Authorization Objects → Display.
The following table shows the object classes for the authorization objects used by applications in Manufacturing.
Object Classes for Authorization Objects
Object Class Description
PP Production Planning
PPE Integrated Product and Process Engineering
LO Logistics - General
Authorization objects
• C_CF_QUEUE Authorization object for displaying/maintaining contents of CIF queue
• C_PPE_PS iPPE: PS-iPPE interface (Component assignment)
• C_PPE_PS iPPE: PS-iPPE interface (Interface)
Communication Destinations
In Manufacturing, the following programming elements are used for communicating with external systems:
● Remote Function Call (RFC)
● Business Integration Programming Interface (BAPI)
It is not necessary to encrypt the data.
Logistics Execution (LE)
Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)
Authorizations
Standard Roles
The following table shows the standard roles used by the components Decentralized Warehouse Management (LE-IDW), Transportation (LE-TRA), and Shipping (LE-SHP).
Standard Roles
Role Description
SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data
SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint
SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)
SAP_LE_GOODS_ISSUE_DELIVERY Post Goods Issue for Outbound Deliveries
SAP_LE_GOODS_RECEIPT_DELIVERY Post Goods Receipt for Inbound Deliveries
SAP_LE_INB_DELIVERY_DISPLAY Display Inbound Deliveries
SAP_LE_INB_DEL_PROCESSING Process Inbound Deliveries
SAP_LE_INB_MONITORING Monitor Inbound Delivery Process
SAP_LE_INB_STATISTICS Standard Analyses for the Inbound Delivery
SAP_LE_LOAD_DELIVERY Load Outbound Deliveries
SAP_LE_MASTER_DATA_MAINTENANCE Master Data Maintenance
SAP_LE_OUTBOUND_POD Proof of Delivery for Outbound Deliveries (POD)
SAP_LE_OUTB_DELIVERY_DISPLAY Display Outbound Deliveries
SAP_LE_OUTB_DEL_PROCESSING Process Outbound Deliveries
SAP_LE_OUTB_MONITORING Monitor Outbound Delivery Process
SAP_LE_OUTB_STATISTICS Standard Analyses for the Outbound Delivery
SAP_LE_PACKING_DELIVERY Pack Deliveries
SAP_LE_PACKING_STATION Packing Station (WEB)
SAP_LE_PICKING_WAVES Process Wave Picks
SAP_LE_POD_HANDHELD Proof of Delivery in Handheld Terminal from Customer’s View
SAP_LE_POD_WEB Proof of Delivery in Internet from Customer’s View
SAP_LE_R2R3_DECENTRAL_SHIPPING R/2-R/3 Link: Decentralized Shipping
SAP_LE_R2R3_MONITORING R/2-R/3 Link: Monitoring
SAP_LE_SHIPPING_NOTIFICATION Process Inbound Deliveries from Supplier’s View in Internet
SAP_LE_TMS_ARCHIVING Archiving of Transportation and Shipment Cost Documents
SAP_LE_TMS_BACKGROUND Background Transactions in Shipment
SAP_LE_TMS_CAPACITY_ANALYSIS Perform Analyses for Utilization and Free Capacity
SAP_LE_TMS_CARRIER_WEB Internet Transactions for the Forwarding Agent
SAP_LE_TMS_CURRENT_ANALYSIS Perform Current Evaluations for Shipments
SAP_LE_TMS_DISPLAY Display Documents in Shipment
SAP_LE_TMS_EXECUTION Execute Planned Shipments
SAP_LE_TMS_EXTERNAL_TPS Interface to External Transportation Planning System
SAP_LE_TMS_MAINTAIN_SCD Create, Process, and Display Shipment Costs
SAP_LE_TMS_MAINTAIN_SCD_COND Maintain Conditions in Shipment Costs Environment
SAP_LE_TMS_MAINT_SHP_MASTER Maintain Master Data in the Transportation Environment
SAP_LE_TMS_MONITOR_PLANNING Monitor Shipment Planning
SAP_LE_TMS_MONITOR_SHPCOSTS Monitor Shipment Costs Calculation and Settlement
SAP_LE_TMS_OTHERS Other Transportation Transactions (Without Composite Role)
SAP_LE_TMS_PLANNING Create, Change, and Display Shipments
SAP_LE_TMS_RULES Define Rules for Multiple Shipment Creation
SAP_LE_TMS_STATISTIC_ANALYSIS Perform Statistical Analyses for Shipments
SAP_LE_TMS_TP_SERVICE_AGENT Interface for Shipment Planning in Cooperation with Forwarding Agents
SAP_LE_WMS_APPOINTMENTS Door Appointments
SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM
SAP_LE_WMS_INFORMATION Warehouse Information
SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data
SAP_LE_WMS_LOAD Workload in Warehouse
SAP_LE_WMS_MONITORING Warehouse Monitoring
SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM
SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM
SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM
SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM
SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM
SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management
SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM
SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP
SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment
SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM
SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM
SAP_LE_WMS_STATISTICS Analysis in WM
SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM
SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM
SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM
SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM
SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM
SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance
Standard Authorization Objects
The following tables show security-relevant authorization objects used by the components Decentralized Warehouse Management, Transportation, and Shipment.
Standard Authorization Objects: Decentralized Warehouse Management
Authorization Object Description
L_BWLVS Movement Type in the Warehouse Management System
L_LGNUM Warehouse Number/Storage Type
L_SFUNC Special Functions in Warehouse Management
L_TCODE Transaction Codes in the Warehouse Management System
Standard Authorization Objects: Transportation
Authorization Object Description
V_VFKK_FKA Shipment Cost Processing: Auth. for Shipment Cost Type
V_VTTK_SHT Shipment Processing: Authorization for Shipment Type
V_VTTK_TDL Shipment Processing: Authorization for Forwarding Agents
V_VTTK_TDS Shipment Processing: Auth. for Transport Planning Points
V_VTTK_TSA Transportation Proc.: Authorization for Shipment Type Status
Standard Authorization Objects: Shipping
Authorization Object Description
V_LECI_CKP Checkpoint: Authorization for Checkpoint
V_LIKP_VST Delivery: Authorization for Shipping Points
V_VBSK_GRA Deliveries: Authorization for Delivery Group Type
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 18].
Communication Channel Security
The following table shows the communication paths that the components Decentralized Warehouse Management, Transportation (LE-TRA), and Shipping (LE-SHP) use, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection | Note
SAP ECC system – another SAP ECC system or external system | RFC | Application data (inbound and outbound deliveries) | - | Decentralized Warehouse Management, communication via BAPI IDoc interface
You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.
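To make the SNC recommendation concrete, the following instance profile fragment is an added example, not part of this guide or of any SAP-delivered profile. It contrasts a configuration in which SNC is enabled but unprotected RFC is still accepted with one that requires SNC with privacy protection on every RFC, CPIC and GUI connection. The snc/* parameter names are the SAP NetWeaver ABAP profile parameters; the SNC library path and the application server's SNC identity are placeholders that you replace with the values of your own installation.

```ini
# Added example: SAP NetWeaver ABAP instance profile fragment for SNC.
# Not taken from the ECC Security Guide. <SID>, <Org> and <Country> are
# placeholders; libsapcrypto.so stands for whatever SNC library you deploy.

# ---- Weak: SNC enabled, but unprotected connections are still accepted ----
# snc/enable = 1
# snc/gssapi_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
# snc/identity/as = p:CN=<SID>, O=<Org>, C=<Country>
# snc/data_protection/min = 1
# snc/data_protection/use = 1
# snc/accept_insecure_rfc = 1
# snc/accept_insecure_cpic = 1
# snc/accept_insecure_gui = 1
# With accept_insecure_* = 1 a caller that never negotiates SNC is still let
# in, so application data on the RFC channel crosses the network in clear.

# ---- Hardened: privacy protection required, SNC-less connections rejected ----
snc/enable = 1
snc/gssapi_lib = /usr/sap/<SID>/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=<SID>, O=<Org>, C=<Country>
# Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
# min is the lowest level the server accepts; use is what it proposes.
snc/data_protection/min = 3
snc/data_protection/use = 3
snc/data_protection/max = 3
# Reject RFC, CPIC and GUI connections that do not use SNC at all.
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/accept_insecure_gui = 0
# Also protect internal RFC between the instance's own work processes.
snc/r3int_rfc_secure = 1
snc/r3int_rfc_qop = 3
```

The weak block is kept as comments so that the two settings can be compared side by side; only one value per parameter may be active in a real profile. After the parameter change the instance must be restarted, and every RFC destination that points at this system (transaction SM59, Logon & Security tab) must have SNC active with a matching quality of protection, otherwise those destinations fail once the server stops accepting insecure RFC. Set snc/accept_insecure_rfc to 0 last, after all callers have been migrated, and verify with a test connection from each destination.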
Technical Users:
You can use the workflow user WF-BATCH to generate inbound and outbound deliveries. The user must have authorization to create an inbound delivery.
Warehouse Management System (LE-WMS)
Authorizations
Standard Roles
The following table shows the standard roles you can use for Warehouse Management.
Standard Roles: Warehouse Management
Role Description
SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data
SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint
SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)
SAP_LE_PACKING_DELIVERY Pack Deliveries
SAP_LE_PACKING_STATION Packing Station (WEB)
SAP_LE_PICKING_WAVES Process Wave Picks
SAP_LE_WMS_APPOINTMENTS Door Appointments
SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM
SAP_LE_WMS_INFORMATION Warehouse Information
SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data
SAP_LE_WMS_LOAD Workload in Warehouse
SAP_LE_WMS_MONITORING Warehouse Monitoring
SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM
SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM
SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM
SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM
SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM
SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management
SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM
SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment
SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP
SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM
SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM
SAP_LE_WMS_STATISTICS Analysis in WM
SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM
SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM
SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM
SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM
SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM
SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance
SAP_LO_HU_GOODS_MOVEMENTS Goods Movements with Handling Units
SAP_LO_HU_MASTER_DATA Master Data for Handling Units
SAP_LO_HU_PACKING Pack Handling Units
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. Therefore, refer to the general notes for SAP ECC under Network and Communication Security [Seite 18].
Communication Channel Security
The table below shows the communication paths used by the Warehouse Management System (LE-WMS) component, the protocol used for the link, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC System – Non-SAP System (external Warehouse Management System) | RFC | Application data (ALE distribution) | -
RFC connections can be protected using Secure Network Communications (SNC). For more information, see:
● General information about encryption
SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security
● Security of Application Link Enabling (ALE)
SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)
Technical Users:
To use ALE, create one or several users with authorization for the standard ALE transactions.
Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services
Authorizations
Standard Roles
You can use standard roles for the Warehouse Management System. For more information about these standard roles for the Warehouse Management System, see Authorizations [Seite 147].
Standard Authorization Objects
The following table shows the security-relevant authorization objects that the component Logistics Execution (EA-APPL) uses:
Application | Authorization Object | Description
Task and Resource Management | L_EXECUTE | Execution activities in TRM
Task and Resource Management | L_MONITOR | Monitoring activities in TRM
Value-Added Services | L_MON_VAS | L_MON_VAS
Cross-docking | L_MON_XDCK | L_MON_XDCK
Yard Management | L_MON_YARD | L_MON_YARD
Yard Management | L_VEHICLE | L_VEHICLE
Yard Management | L_YARD | L_YARD
Yard Management | L_YRD_MTHD | L_YRD_MTHD
For more information, see the SAP ECC documentation in the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component:
● Task and Resource Management:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Task and Resource Management (LE-TRM) → Other Functions → Authorization Checks
● Value-Added Services:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Value-Added Services (LE-WM-VAS) → Other Functions → Authorization Objects
● Cross-docking:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Cross-Docking (LE-WM-DCK) → Other Functions → Authorization Checks
● Yard Management:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Yard Management → Other Functions → Authorization Checks
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. Therefore, refer to the general notes for SAP ECC under Network and Communication Security [Seite 18].
Communication Channel Security
The following table shows the communication paths that the component Task and Resource Management (as part of Logistics Execution, EA_APPL 500) uses, the protocol used for the connection, and the type of data transferred:
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC system – external system (SAP or non-SAP system) | RFC | Application data | -
You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Retail
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. Therefore, refer to the general notes for SAP ECC under Network and Communication Security [Seite 18].
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Communication Channel Security
Link to Mobile Data Entry in SAP Retail Store
The following table shows the communication paths that you use when you implement SAP Retail Store by linking to a mobile device (non-SAP product). You can find more information about the link to SAP Retail Store in the SAP Help Portal at help.sap.com → Documentation → SAP ERP Central Component → ECC → Logistics → SAP Retail → Distributed Data Processing → SAP Retail Store → PDC link in SAP Retail Store.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC System – SAP Exchange Infrastructure (SAP XI) | RFC | Application data | -
SAP Exchange Infrastructure – Server for Mobile Data Entry | RFC | Application data | -
You need a technical user for SAP Exchange Infrastructure for the RFC inbound interface when implementing mobile data entry. Assign the authorizations for the relevant application to the user.
Communication Paths for Forecasting and Replenishment
For more information about the security of communication paths for the Business Scenario Forecasting & Replenishment, see the Forecasting and Replenishment Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → Industry Scenario Security Guides → SAP Forecasting and Replenishment: Security Guide.
Other Communication Paths for SAP for Retail
The following table shows the communication paths for all remaining system connections for SAP for Retail.
Communication Paths
Application | Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
PRICAT | SAP ECC System – Manufacturer's system | RFC (or other log that supports IDocs) | Application data | -
Store physical inventory | SAP ECC System – Store's system | RFC (or other log that supports IDocs) | Application data | -
POS interface | SAP ECC System – POS System | RFC (or other log that supports IDocs) | Application data | Credit card information
AFS/SAP Retail interface | SAP ECC System – AFS System | RFC | ALE messages | -
Interface for space management systems | SAP ECC System – Space Optimization System | RFC | Application data | -
Interface to SAP Business Information Warehouse (SAP BW) | SAP ECC System – SAP BW System | RFC | Application data | -
For more information about communication paths, see the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → ECC → Logistics → SAP for Retail as follows:
● PRICAT
SAP Retail → Distributed Data Processing → Transfer of PRICAT Messages
● Store Physical Inventory
SAP Retail → Merchandise Logistics → Physical Inventory → Physical Inventory: Support for Carrying Out a Store Physical Inventory
● POS Interface
SAP Retail → Distributed Data Processing → POS Interface
● AFS/SAP Retail interface
SAP Retail → Distributed Data Processing → AFS to SAP Retail Interface
● Interface for space management systems
SAP Retail → Distributed Data Processing → Application Link Enabling (ALE) → Interface for Space Management Systems
For more information about communication security with SAP BW Systems, see the NetWeaver Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 04 Security Guide (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Type BI → SAP Business Information Warehouse Security Guide → Communication Security.
Authorizations
Standard Authorization Objects
The following tables show the authorization objects used by the Retail component. However, you also use other SAP ECC authorization objects in the Retail component. You can find more information about these authorization objects in other sections of the SAP ECC Security Guide.
Standard Authorization Objects: Retail (Software Component SAP-APPL)
Authorization Object Description
W_APPT IS-R Authorization Appointment
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_AUFT_BAA IS-R Authorization Document Type Allocation Table
W_AUFT_BAR IS-R Authorization Document Type Allocation Rule
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies
W_FRM IS-R Authorization for Merchandise Distribution
W_GROUPTYP Authorization to Manage Site Grouping
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl
W_ONLSTORE Authorization for Starting Online Store
W_PCAT_LAY Authorization: Product Catalog - Layout Area
W_PCAT_MTN Authorization: Product Catalog - Maintenance
W_PRICATIN Retail Authorization: Create and Maintain PRICAT per Purchasing Group
W_REF_SITE Authorization to Clean MMSITEREF Table
W_SRS_POS Authorizations for Open Store Physical Inventory
W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance
W_STRU_CHG IS-R Authorization: Allow Changes to Structured Material
W_STWB_WRK SAP Retail Store: Stores
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List
W_VKPR_VKO IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant
W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type
W_WTAD_AM IS-R Authorization for Additionals Monitor
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals IDoc via BAPI Call Function
W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc
W_WTRA_LOG Runtime Measurement – Authorization to Delete Data Records
W_WXP_DESI MAP: Design Planning Scenario
W_WXP_HIER Merchandise and Assortment Planning: Planning Hierarchy
W_WXP_INT Merchandise and Assortment Planning: Planning Interfaces
W_WXP_LAY MAP: Planning Layouts and Variants
W_WXP_PLAN MAP: Planning Scenario Planning
Standard Authorization Objects: Retail (Software Component EA-RETAIL)
Authorization Object Description
WLM Assignment of Articles for Layout Modules
WLMLOCLIST Creation of Assortments per Layout Module and Store
WLMVREL Release of Layout Module Version
WLMVV Layout Module Version Variant Maintenance
WLWBENT Access to Layout Workbench
WPLGACT Call External Space Management
WRF_CDT_H Article Hierarchy: Horizontal Hierarchy Maintenance
WRF_CDT_V Article Hierarchy: Vertical Hierarchy and Attribute Maintenance
WRF_FOLUP Authorization Follow-Up/Replacement Material Relationships
WRF_GH_AUT Generic Hierarchy: Authorization Check
WRF_OTBSPR Authorization Check OTB Special Release
W_BUDG_TY Budget Type
W_COCO Authorization for Condition Contract
W_RFAPC_GN Authorization for Operative SPS: General
W_RFAPC_RL Authorization for Operative SPS: Release
W_RF_MPA Authorization Object for Markdown Profile Assignment
W_RF_WLAY Authorization Object Layout
C_WRFCHVAL Authorization: Characteristic Value Maintenance
Global Trade
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. Therefore, refer to the general notes for SAP ECC under Network and Communication Security [Seite 18].
Communication Channel Security
Connection to a SAP FSCM System
For Global Trade Management (EA-GLTRADE), you can also use an external SAP FSCM System to create forward exchange transactions. If you install SAP FSCM on a separate system, you need an RFC connection. If you install SAP FSCM together with Global Trade Management on one system, you do not need an RFC connection.
Communication Path
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP System – SAP FSCM System (Financial Supply Chain Management) | RFC | Application data | -
RFC connections can be protected using Secure Network Communications (SNC). For more information about setting up RFC connections and the prerequisites (authorizations), see the ERP Implementation Guide (IMG) under Logistics General → SAP Global Trade Management → Currency Hedges → Maintain RFC Destination of the CFM System. For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Connection to an External Global Trade Services System (GTS System)
For Global Trade Management (EA-GLTRADE), you can opt to connect an external GTS system. You can use this to check whether the contract data for Global Trade Management adheres to the existing legal requirements (import/export controls, global trade data).
Communication Path
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP System – GTS System | RFC | Application data | -
All users in the SAP ECC system can call the functions on the GTS server using an RFC entry. In this RFC entry, you specify a user that is used solely for communication with GTS. Assign this communication user to the following roles for SAP Compliance Management:
Role Description
/SAPSLL/LEG_ARCH GTS Archiving
/SAPSLL/LEG_LCE_APP GTS Legal Control Export: Specialist
/SAPSLL/LEG_LCI_APP GTS Legal Control Import: Specialist
/SAPSLL/LEG_SPL_APP GTS Sanctioned Party List: Specialist
/SAPSLL/LEG_SYS_COMM GTS (Technical) System Communication
The RFC connection can be protected using Secure Network Communications (SNC). For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Sales and Distribution (SD)
Before You Start
Important SAP Notes
The most important SAP Notes that apply to component security are shown in the table below.
Important SAP Notes
SAP Note Number | Title | Comment
766703 | FAQ: Credit card encryption in R/3 system | 
633462 | Encrypting credit card data | 
791178 | Credit card encryption in AR back end | 
727839 | Authorization role for the SAP SCM - SAP R/3 integration | 
128447 | Trusted/Trusting Systems | Necessary for Customizing of the RFC relationship for trusted/trusting systems
Authorizations
Standard Roles
The following table shows the standard roles that are used by the SD component.
Standard Roles
Role Name
SAP_AUDITOR_BA_SD Audit Information System - Sales Revenue
SAP_AUDITOR_BA_SD_A Audit Information System - Sales Revenue
SAP_AUDITOR_TAX_SD AIS - Tax Audit Sales and Distribution
SAP_AUDITOR_TAX_SD_A AIS - Tax Audit Sales and Distribution (Authorization)
SAP_LO_SD_BACKORDERS Backorder Processing
SAP_LO_SD_BILLING_BATCH Process Billing by Batch
SAP_LO_SD_BILLING_DISPLAY Display Billing Documents
SAP_LO_SD_BILLING_PROCESSING Billing Processing Online
SAP_LO_SD_BLOCKED_BILLING_DOC Release Blocked Billing Documents
SAP_LO_SD_CONTRACT_PROCESSING Contract Processing
SAP_LO_SD_CREDIT_MANAGEMENT Credit Management in Sales Documents
SAP_LO_SD_DEALS_PROMOTI_PROCES Sales Deals & Promotions
SAP_LO_SD_INFORMATION_DISPLAY Display Customer & Material Information
SAP_LO_SD_INFORMATION_PROCESSI Maintaining Customer & Material Information
SAP_LO_SD_INQUIRY_PROCESSING Inquiry Processing
SAP_LO_SD_INVOICELIST_PROCESSI Invoice List Processing
SAP_LO_SD_OUTPUT_PROCESS Output Process
SAP_LO_SD_PRICING_DISPLAY Display Pricing
SAP_LO_SD_PRICING_MAINTAIN Maintain Pricing
SAP_LO_SD_QUOTATION_PROCESSING Quotation Processing
SAP_LO_SD_REBATE_PROCESSING Rebate Processing
SAP_LO_SD_RELEASE_FOR_DELIVERY Release Orders for Delivery
SAP_LO_SD_RETURN_PROCESSING Return Order Processing
SAP_LO_SD_SALES_DISPLAY Display Sales Information
SAP_LO_SD_SALES_ORD_PROCESSING Sales Order Processing
SAP_LO_SD_SALES_PERFORMANCE Sales Performance
SAP_LO_SD_SALES_SUPPORT Sales Support
SAP_LO_SD_SCHED_AGR_PROCESSING Scheduling Agreement Processing
Network and Communication Security
SD calls the ERP availability check, and this communicates with APO. The relevant component is SD-BF-AC. First, master and planning data are exchanged between APO and ERP, and then planning transactions in APO are called up from ERP. Technically, this proceeds as follows: The APO – ATP dialog is called up from the sales order in dialog mode. The APO view of the ATP (transaction /SAPAPO/AC03) is displayed using the view Availability Overview (transaction CO09).
For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide SCM 4.1 → Authorization → Integration with SAP Components → Integration of SAP APO and SAP R/3 → Authorization Roles for SAP APO – SAP R/3 Integration → Available to Promise (ATP).
Communication Destinations
Create a batch input user as required. This is not included in the standard delivery. For more information, see Batch Input Authorizations [Extern].
Data Storage Security
Credit card numbers are stored in the SAP component SD. As this data is particularly sensitive, it requires additional protection and encryption.
For more information on credit card number encryption, see SAP Note 766703.
Human Capital Management
Personnel Management (PA)
Before You Start
Important SAP Notes
The following table presents the most important SAP Notes regarding security for Personnel Management.
Important SAP Notes
SAP Note Number | Title | Comment
138526 | Authorization check in reports incorrect | PA-PA-XX
138533 | Authorization check for SUBTY does not function | PA-PA-XX
138706 | Authorization problems, analysis preparations | PA-PA-XX
142865 | SAPDBPNP authorization check is too strict | PA-PA-XX
142896 | No access on personnel number despite authorization | PA-PA-XX
148525 | Search help selects too little data | PA-PA-XX
151207 | Authorization check symmetric double-check | PA-XX
362675 | Deactivating P_ORGIN; activating P_PERNR | PA-PA-XX
383290 | External object types and structural authorizations | PA-BC
385319 | Change of master data in a productive Payroll | PA-PA-IT
385635 | Authorization check with employee subgroup change | PA-BC
390373 | External relationships: Creation of classes | PA-BC
495971 | Workflow 01000015 is not triggered when changing address | PA-PA-XX
514893 | Ad hoc query: Hit list differs from the output | PA-IS
552184 | Information on the object type of the central person | PA
693156 | Authorization check for reentry | PA-PA-XX
724149 | HRALX: Masking sensitive data | BC-BMT-OM-CRM
23611 | Collective Note: Security in SAP Products | BC-SEC
30724 | Data protection and security in SAP Systems | BC-SEC
Additional Information
● For extensive documentation on authorization objects in Personnel Management, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].
● For some country versions, additional information is also available:
Country version Germany
○ Leitfaden Datenschutz für SAP R/3 in SAP Service Marketplace at service.sap.com for the country version Germany
Country version Great Britain (PA-PA-GB)
○ For an Implementation and User Guide for E-Filing Incoming, see SAP Service Marketplace at service.sap.com under the customer page for the country version Payroll Great Britain in the Media Center.
Country version Switzerland (PA-PF-CH)
○ For documentation on the settings and functions for the authorization object P_CH_PK for Pension Fund Switzerland, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Payroll → Payroll Switzerland → Pension Fund → Reference Guide for the Pension Fund → Authorizations → Authorization Object P_CH_PK [Extern].
User Management
User management for Personnel Management uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Personnel Management, see the sections below. In addition, there is a list of the standard users that are necessary for operating Personnel Management.
User Management Tools
The table below shows the tools for user management in Personnel Management.
User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Personnel Management users. | 
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for Personnel Management include:
● Individual users
○ Administration users for
■ Personnel Administration
■ Benefits Administration
○ Managers for
■ Personnel Administration
■ Benefits Administration
■ Compensation Administration
■ Training and Event Management
○ Specialists for
■ Personnel Administration
■ Benefits Administration
■ Compensation Administration
■ Training and Event Management
● Technical users
Technical users are required for the following business processes:
○ WF-BATCH user
If you want to use the workflow functions for the different Personnel Management functions, you must create a WF-BATCH system user in the standard system.
○ Distribution of master data through ALE technology. For more information, see the documentation for the report RHALEINI (HR: ALE Distribution of HR Master Data).
○ Compensation Management (PA-CM): For the integration with the Award function, the technical user requires authorization for the following functions:
■ Call RFC function module HRCM_RFC_LTI_ACCRUALDATA_GET (Determine awards data for accumulating accruals)
■ Read the Award infotype (0382), authorization object P_ORGIN
○ Budget Management (PA-PM)
■ You use background processing to create commitments in accounting with an RFC connection. Depending on the process and the system landscape used, it may be necessary to set up a user for the background processing. You can use your own user (an additional logon is required) or set up a special commitment engine user.
For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
Authorizations
Personnel Management uses the authorization concept provided by SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Personnel Management.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user management console for SAP Web AS Java.
Standard Roles
The following table shows the standard roles that are used by Personnel Management.
Standard Roles
Function Description
SAP_HR_BN* Roles assigned to component PA-BN (Benefits)
SAP_HR_CM* Roles assigned to component PA-CM (Compensation Management)
SAP_HR_CP* Roles assigned to component PA-CM-CP (Personnel Cost Planning)
SAP_ESSUSER_ERP05 Role with all non-country-specific functions for Employee Self-Service. For more information, see the Security Guide for Self-Services [Seite 24].
SAP_EMPLOYEE_ERP05_xx Roles related to the Employee Self-Service country versions
SAP_HR_OS* Roles assigned to component PA-OS (Organizational Management)
SAP_HR_PA_xx_* Roles related to international and country versions of the component PA-PA (Personnel Administration)
SAP_HR_PA_XF* Roles assigned to the component CA-GTF-XF (SAP Expert Finder)
SAP_HR_PA_PF_xx_* Roles assigned to component PA-PF (Pension Fund)
SAP_HR_PD* Roles assigned to component PA-PD (Personnel Development)
SAP_HR_RC* Roles assigned to component PA-RC (Recruitment)
SAP_HR_REPORTING Role for Human Resources Analyst
SAP_AUDITOR_TAX_HR This role is relevant for Germany only. Role HR-DE Steuerprüfung § 147 AO (Muster) assigned to the component PA-PA-DE (Personnel Administration Germany).
SAP_ASR_EMPLOYEE Enhancement of the role SAP_ESSUSER_ERP05 for the employees that use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_MANAGER Enhancement of the role SAP_ESSUSER_ERP05 with functions for the persons with personnel responsibility that use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_ADMINISTRATOR Enhancement of the role SAP_HR_PA_xx_* for the HR administrators that use the functions of the component PA-AS (HR Administrative Services)
For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with "xx", where "xx" represents the SAP country key, various roles exist for each of the country versions.
Standard Authorization Objects
The following table shows the most important central security-relevant authorization objects used by Personnel Management.
For more information about Personnel Management authorizations, see SAP Library under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].
Most Important Standard Authorization Objects
Authorization Object | Field Value | Description
P_ORGIN | HR Master Data | Used when checking authorizations for HR infotypes. The check takes place when HR infotypes are edited or read.
P_ORGINCON | HR Master Data with Context | This authorization object consists of the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data.
P_ORGXX | HR Master Data – Extended Check | With this object you can determine whether other fields are also to be checked. You can determine whether this check is to be performed in addition to or instead of the HR Master Data authorization check.
P_ORGXXCON | HR Master Data – Extended Check with Context | This authorization object consists of the same fields as the authorization object P_ORGXX, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data.
P_TCODE | HR: Transaction Code | This authorization object checks certain specific transactions in SAP Human Resources Management.
PLOG | Personnel Planning | Used to indicate the types of information processing a user is authorized to perform.
PLOG_CON | Personnel Planning with Context | This authorization object consists of the same fields as the object PLOG, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data.
P_ASRCONT | Authorization for Process Content | The Authorization for Process Content object is used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms [Extern].
In Customizing, you can determine whether specific authorization objects are to be checked. All central switches and settings for the Human Resources authorization check are summarized in table T77S0 in the Group for semantic short text for PD Plan AUTSW. Note that changes to the settings severely affect your authorization concept.
For more information about changing the main authorization switch, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management.
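As an added illustration (not code from the SAP guide), the following custom ABAP report shows what the P_ORGIN check described above looks like when a customer program reads an HR infotype directly, and first lists the AUTSW switch settings from T77S0 that decide which of the objects in the table are evaluated. The report name, selection parameters and message texts are assumptions; the standard HR programs (logical database PNP, the HR read function modules) perform these checks themselves, and the example does not cover the context objects (P_ORGINCON, P_ORGXXCON), structural authorizations or P_PERNR.

```abap
*&---------------------------------------------------------------------*
*& Z_HR_P_ORGIN_DEMO: added example, not part of the SAP security guide.
*& Lists the main authorization switches, then performs an explicit
*& P_ORGIN check before reading an infotype for one personnel number.
*&---------------------------------------------------------------------*
REPORT z_hr_p_orgin_demo.

" Constructed selection parameters (assumed names).
PARAMETERS: p_pernr TYPE pernr_d OBLIGATORY,
            p_infty TYPE infty   DEFAULT '0008'.   " 0008 = Basic Pay

DATA: lt_switch  TYPE STANDARD TABLE OF t77s0,
      ls_switch  TYPE t77s0,
      ls_p0001   TYPE pa0001,
      lv_tabname TYPE tabname,
      lv_count   TYPE i.

START-OF-SELECTION.

  " 1) Show the main authorization switches (table T77S0, group AUTSW).
  "    Their values decide whether P_ORGIN, P_ORGXX, the context objects
  "    and so on are evaluated by the standard HR authorization check.
  SELECT * FROM t77s0 INTO TABLE lt_switch
    WHERE grpid = 'AUTSW'.
  WRITE: / 'Main authorization switches (T77S0, group AUTSW):'.
  LOOP AT lt_switch INTO ls_switch.
    WRITE: / ls_switch-semid, ls_switch-gsval.
  ENDLOOP.

  " 2) Read the organizational assignment (infotype 0001) valid today.
  "    P_ORGIN is checked against personnel area (WERKS), employee group
  "    (PERSG), employee subgroup (PERSK) and organizational key (VDSK1).
  "    Note: a direct SELECT on PAnnnn tables performs no HR authorization
  "    check at all, which is exactly why custom code must add one.
  SELECT SINGLE * FROM pa0001 INTO ls_p0001
    WHERE pernr = p_pernr
      AND begda <= sy-datum
      AND endda >= sy-datum.
  IF sy-subrc <> 0.
    MESSAGE 'No valid organizational assignment found' TYPE 'E'.
  ENDIF.

  " 3) Explicit P_ORGIN check for read access (AUTHC = 'R') to the
  "    requested infotype. SUBTY is deliberately not restricted (DUMMY),
  "    so the user needs read authorization for all subtypes.
  AUTHORITY-CHECK OBJECT 'P_ORGIN'
    ID 'INFTY' FIELD p_infty
    ID 'SUBTY' DUMMY
    ID 'AUTHC' FIELD 'R'
    ID 'PERSA' FIELD ls_p0001-werks
    ID 'PERSG' FIELD ls_p0001-persg
    ID 'PERSK' FIELD ls_p0001-persk
    ID 'VDSK1' FIELD ls_p0001-vdsk1.
  IF sy-subrc <> 0.
    " Fail closed: nothing is read or displayed when the check fails.
    MESSAGE 'No P_ORGIN read authorization for this infotype/employee'
      TYPE 'E'.
  ENDIF.

  " 4) Only after the check passes is the infotype table touched.
  "    The table name is derived from the infotype number (PA + INFTY).
  CONCATENATE 'PA' p_infty INTO lv_tabname.
  SELECT COUNT(*) FROM (lv_tabname) INTO lv_count
    WHERE pernr = p_pernr.
  WRITE: / 'Records in', lv_tabname, 'for personnel number', p_pernr,
           ':', lv_count.
```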
Communication Channel Security
Use
The table below shows the communication paths used by Personnel Management, the protocol used for the connection, and the type of data transferred.
Communication Path
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (Transaction PU12) | ALE | Master data, Benefits data, Organizational data as defined by the user | 
SAP BW | Extractor Program | Master data, Organizational data, Personnel Development data | 
SAP CO (for distributed systems) | RFC | Cost centers, orders, and so on | Authorizations for CO objects are required here
External Files | ASCII | Personnel Administration data | Applicable only for country versions Australia and New Zealand
Microsoft Word | Report Interface with SAP NetWeaver Office Integration | | 
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide .
Communication Destinations
Use
Specific communication destinations are available for some Personnel Management
components and Personnel Administration country-specific components.
Benefits (PA-BN)
When evaluating retirement benefits for employees, service-related data is sent to an external system using IDocs. The Benefits system places the IDocs in a special port. External systems can collect the IDocs from this port. The external systems evaluate the retirement benefits based on the transferred data and then send them with an inbound IDoc back to the SAP system.
There are no special functions from the Benefits system side to protect this data.
Enterprise Compensation Management (PA-EC)
Using IDocs, you communicate with banks and brokers through the SAP Business Connector. The transferred data must be encrypted.
For more information, see the documentation for the following reports:
● RHECM_GRANT_IDOC_OUT (Export LTI Grant Data)
● RHECM_PARTICIPANT_IDOC_OUT (Export LTI Participant Data)
● RHECM_EXERCISE_IDOC_IN (Import LTI Exercise Data)
Compensation Management (PA-CM)
The self-service scenario Salary Benchmarking (HRCMP0053) exchanges data with external benchmarking providers. You communicate synchronously and online using HTTPS.
SAP Expert Finder (CA-GTF-XF)
The component SAP Expert Finder can exchange data with external systems using RFC.
Personnel Administration
● HR Administrative Services
HR Administrative Services can transfer personal data from SAP E-Recruiting and return data to SAP E-Recruiting. For more information, see the Security Guide for SAP E-Recruiting under Technical System Landscape [page 197] and Communication Destinations [page 208].
● B2A Manager – Authorities Communication
Some country versions use the B2A Manager to exchange data with the authorities. For example, in the German country version (PA-PA-DE) you can exchange data with social insurance bodies and health insurance funds.
The B2A Manager supports the following communication channels and encryption procedures, depending on the recipient:
○ Communication channels
■ E-mail with file attachments
■ HTTPS (Hyper Text Transfer Protocol Secure Sockets)
○ Encryption procedures
■ PEM (Privacy Enhanced Mail)
■ PKCS#7 (Public Key Cryptography Standard No.7)
● Pension Fund (PA-PF)
○ You can create files with SAP List Viewer (ALV) and TemSe (Temporary Sequential Objects).
○ There is no encryption of data in the standard system.
○ Country version Netherlands (PA-PF-NL): You can upload the inbound data using the GBA interface (Gemeentelijke Basis Administratie).
● Country version Germany (PA-PA-DE)
Employees can submit their tax returns in electronic form (ELSTER). Data is communicated using HTTP. The data is encrypted with PKCS#7. The tax authorities specify the procedure.
● Country version USA
For the VET and EEO reports for the country version USA, you can exchange data with local servers or terminals. With this function you can download files from the application server to a presentation server. This results in text files with the output format .txt, as required by the authorities. This output format is legally compliant.
The data is not encrypted in the standard system. You decide to what extent you want to encrypt data if you want to send data to the Federal Commission or the Department of Labor.
● Country version Great Britain
You can communicate with the GB Inland Revenue Gateway. The communication channel is encrypted with 128-bit SSL. Employee tax data is transferred with RFC connections and HTTPS.
Data Storage Security
The infotypes in Personnel Management contain particularly sensitive data. This data is protected by central authorization objects.
For more information about authorization objects, see Authorizations [page 161].
Examples of infotypes containing particularly sensitive data:
● International infotypes for Personnel Administration (PA-PA)
○ Personal Data (0002)
○ Basic Pay (0008)
○ Bank Details (0009)
○ Family Member/Dependents (0021)
● Personnel Development (PA-PD)
○ Qualifications
○ Appraisals
● Personnel Cost Planning and Simulation (PA-CP)
○ Planning of Personnel Costs (0666), contains salary-based information
● Enterprise Compensation Management (PA-EC)
○ LTI Grant (0761)
○ LTI Exercise (0762)
● Management of Global Employees (PA-GE)
○ Compensation Package Offer (0706)
Other sensitive Personnel Management data
● Budget Management
The Budget Management component accesses the salary data of employees and displays data from the Controlling (CO) and Funds Management (FI-FM) components. The standard authorization concept for Human Resources, Controlling, and Funds Management is used for these processes. The following authorization objects are also available to protect the data:
○ P_ENCTYPE (HR: PBC - Financing): Determines which funds reservation types a user can access and which activities the user is allowed to perform.
○ P_ENGINE (HR: Authorization for Automatic Commitment Creation): Determines which activities a user is allowed to perform when creating commitments.
● Pension Fund (PA-PF)
Access to salary data, pensions and benefits entitlements is protected by the following authorization objects:
○ P_ORIGIN (HR: Master Data)
○ P_CH_CK (HR-CH: Pension Fund: Account Access)
○ P_NL_PKEV (Bevoegdheidsobject voor PF-gebeurtenissen)
● SAP Expert Finder (CA-GTF-XF)
For the connection with the external LDAP system, the user should only have read access to the data. The role SAP_HR_PA_XF_SERVICE_USER_DOC (HR Expert Finder: Service User for Access Search Engine) is available for this.
● Personnel Cost Planning (PA-CM-CP and PA-CP)
The old Personnel Cost Planning (PA-CM-CP) and the new Personnel Cost Planning and Simulation (PA-CP) components both save salary-relevant information to the clusters of the database PCL5. You can control access rights using the authorization object P_TCODE (HR: Transaction Code).
● Employee Interaction Center (PA-EIC)
The EIC Authentication infotype (0816) enables question and response pairs to be saved that an agent of Employee Interaction Center then uses to identify a calling employee. You can only maintain the infotype with the Authentication for EIC Employee Self-Service.
● HR Administrative Services (PA-AS)
The personnel file and all process instances are saved with intermediate statuses and history to the Case Management databases.
● Particularly sensitive data in the country versions
○ The transfer of salary and tax data using the B2A Manager is protected by the authorization object P_B2A (HR-B2A: B2A Manager).
○ Country version USA (PA-PA-US)
The social security number (SSN) in the Personal Data infotype (0002)
○ Country version Canada (PA-PA-CA)
The social insurance number (SIN) in the Personal Data infotype (0002)
○ Country version Australia (PA-PA-AU)
The Tax File Number (TFN) in the TFN Australia infotype (0227)
○ Country version New Zealand (PA-PA-NZ)
The Employee IRD Number in the IRD Nbr New Zealand infotype (0309). There are several ways to access this number:
■ Directly, using the IRD Nbr New Zealand infotype (0309) with the transaction Maintain HR Master Data (PA30)
■ Using the IRD Number pushbutton in the Tax New Zealand infotype (0313)
The necessary authorizations to read or change the IRD number depend on the authorizations in the user profile.
Security for Additional Applications
Personnel Administration country-specific components use several reports that store security-relevant and sensitive data. This data includes employee data relating to salary, tax, social insurance, pension contributions, and garnishments.
The data is stored in temporary sequential (TemSe) files and used when printing legal forms, statistics, and business reports. Access to TemSe is controlled by the authorization object S_TMS_ACT. Data encryption is not necessary here. For a list of all reports and programs using TemSe, see the Personnel Administration documentation for your country version.
You can also download data directly from the front-end server (for example, PC/terminal) or application server without first storing the data records in the TemSe. To do so, you copy the data to a data carrier that you can then send to the authorities.
Other Security-Relevant Information
Use
Other security-relevant Customizing for infotype records
With the field Access Auth. (Access Authorization) in table V_T582A (Infotype attributes (Customizing)), you can control access to an infotype record depending on whether the record belongs to the area of responsibility of a person responsible on the current date. For more information, see the Implementation Guide for Personnel Management under Personnel Administration → Customizing Procedures → Infotypes → Infotypes. Note in particular the help for the Access Authorization field.
Technical utilities without integrated authorization check
The following technical utilities read data without the user’s authorizations being checked. You should therefore only assign the relevant report authorizations to roles containing system administrator functions.
● Reports with the prefix RHDBST*: Database statistics
● Reports with the prefix RHCHECK*: Consistency checks for Organizational Management and Personnel Development data.
If required, you can use the following reports (developed for SAP internal use) for testing purposes. However, SAP does not accept any responsibility for these reports:
● Report RPCHKCONSISTENCY (Consistency check for HR master data)
● Report RPUSCNTC (Find Inconsistencies in Time Constraints)
Authorizations for the Implementation Guide for HR Administrative Services
The views in the Implementation Guide for HR Administrative Services are protected separately by a grouping for the authorization check to prevent users without authorization from maintaining person-related data. Under the field name DICBERCLS (Authorization Group), you can set the following in the authorization object S_TABU_DIS:
● Switch PASC: Authorization check for all views of HR Administrative Services in which no Customizing settings were made that affect authorization checks for the users of HR Administrative Services.
● Switch PASA: Additional authorization check for the views that may possibly affect the authorization check for users of HR Administrative Services.
Personnel Time Management (PT)
User Management
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
You require technical users for the following tasks in Personnel Time Management:
● To upload time events from the external time recording system you use the RPTCC106 report (HR-PDC: Download Upload Request for Time Events). You will normally schedule the report as a background processing job. For this you require a technical user. The authorizations of the technical user should be based on the authorizations for the PT80 transaction (Subsystem Connection).
Time events are uploaded from the subsystem by an IDoc, which stores the time events in the CC1TEV interface table. For the upload, you require a technical user with authorizations for communication with an SAP system via Application Link Enabling (ALE) and the required table authorizations. The technical user does not require authorizations specific to the SAP HR solution.
You require a technical user with authorizations for the PT45 transaction (HR-PDC: Post Person Time Events) for the background processing job that transfers the time events from the interface table to the relevant Time Management tables.
● You require two types of technical users for BAPIs that store data in one of the PTEXDIR, PTEX2000, PTEX2003, or PTEX2010 interface tables.
○ To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.
○ For the subsequent background processing job to transfer data from the interface tables to the infotype database tables, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).
○ For technical users for the BAPIs that have read access to the infotypes, you can use the same authorizations as contained in the SAP_HR_PT_TIME-ADMINISTRATOR role.
● You also require technical users for all other ALE scenarios and BAPIs in Personnel Time Management.
For more information, see Communication Destinations [page 171].
Authorizations
The Personnel Time Management component uses the authorization provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to the Time Management component.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles
The following table shows examples of standard roles that are used by the Time Management component.
Standard Roles
Role | Description
SAP_HR_PT_SHIFT-PLANNER | Shift Planner
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator
SAP_HR_PT_TIME-LABOR-ANALYST | Time and Labor Analyst
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor
SAP_ESSUSER_ERP05 | Employee Self-Service
SAP_HR_PT_US_PS_TIME-ADM | Time Recording Administrator (this role is used only in the Public Sector in the country version for the USA)
Authorization Objects
The Time Management component uses the Personnel Management authorization objects; it does not have any of its own.
For more information about the authorizations, see:
● The SAP Library. Choose Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources.
● The Implementation Guide for Personnel Time Management: Choose Management of Roles and Authorizations.
Communication Destinations
Use
Special communication destinations are available for some Time Management components.
Connection to External Time Recording Terminals
Time Management supports a connection to external time recording systems (using the HR-PDC interface). Data is communicated using asynchronous BAPIs via IDocs.
For more information, see the SAP Library and choose Personnel Time Management → Integration with Other Components → Connection to External Time Management Systems.
User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Payroll users. |
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
The user types required for Payroll include:
● Individual users
○ Administration user
○ Payroll manager
○ Payroll specialist
● Technical users
○ Payroll procedure administrator
○ ALE user for posting payroll results to Accounting
For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
Authorizations
The Payroll component uses the authorization provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to Payroll.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles
The following table shows examples of standard roles that are used by the Payroll component.
Standard Roles
Role | Description
SAP_HR_PY_xx_PAYROLL-ADM | Payroll administrator <xx>
SAP_HR_PY_xx_PAYROLL-MANAGER | Payroll manager <xx>
SAP_HR_PY_xx_PAYROLL-PROC-ADM | Payroll procedure administrator <xx>
SAP_HR_PY_xx_PAYROLL-SPEC | Payroll specialist <xx>
SAP_HR_PY_xx_* | Roles for mapping country-specific tasks within payroll
SAP_HR_PY_PAYROLL-LOAN-ADM | Loan accounting administrator
xx stands for the country key. For the roles marked with an asterisk (*), additional roles exist for each of the countries.
You can find additional roles in the description of Personnel Management standard roles.
Standard Authorization Objects
The following table displays the security-relevant authorization objects used by payroll.
Standard Authorization Objects
Authorization Object | Description | Value Description
P_PBSPWE | Process Workbench Engine (PWE) authorization | Authorizations for the Process Workbench Engine (PWE)
P_PCLX | HR: Cluster | Check when accessing HR files on the PCLx (x = 1, 2, 3, 4) databases
P_PCR | HR: Personnel control record | Authorization check for the personnel control record (transaction PA03)
P_PE01 | HR: Authorization for personnel calculation schemes | Authorization check for personnel calculation schemes
P_PE02 | HR: Authorization for personnel calculation rule | Authorization check for personnel calculation rules
P_PYEVDOC | HR: Posting document | Protection of actions on payroll posting documents
P_PYEVRUN | HR: Posting run | Control of actions that are possible for posting runs
P_OCWBENCH | HR: Activities in the Off-Cycle Workbench | Used for the authorization check in the Off-Cycle Workbench
P_B2A | HR-B2A: B2A Manager | Used to determine the authorization check for the B2A Manager. The B2A Manager must first be employed.
P_USTR | Tax report authorization (only the USA country version) | Authorizations for the tax report (only the USA country version)
S_TMS_ACT | Actions to/on TemSe objects | The authorization determines who may execute which operations on which TemSe objects
Communication Channel Security
Use
The table below shows the communication paths used by Payroll, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (transaction PU12) | ALE | Determined by the user |
Display posting runs (transaction PCP0) | ALE | Data for cost accounting |
BSI Tax Factory for tax calculation | RFC | Tax data for the USA country version |
RFC connections can be protected using Secure Network Communication (SNC). For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
The following table provides an overview of the communication destinations that Payroll uses.
Communication Destinations
Destination | Delivered | Type | Description
BSI | For USA country version | RFC with the function module PAYROLL_TAX_CALC_US, PAYROLL_TAX_CALC_US_50, PAYROLL_TAX_CALC_US_60, or PAYROLL_TAX_CALC_US_70 |
Data Storage Security
Use
Payroll results are condensed and stored in an INDX-type table. Access is protected by read and write authorizations in the standard system for the infotypes and authorizations for the required clusters.
Security for Additional Applications
Use
The country versions for payroll use reports in which sensitive data is displayed. For example, this data can be from the following sensitive areas:
● Salary
● Tax
● Social insurance
● Pension contributions
● Court orders
This data is stored in temporary sequential (TemSe) files to create and output legal forms, statistics, and analyses. Likewise, this technology is used to download data for the front end or application server directly, without storing the data as TemSe objects beforehand. The data can then be transferred from the front end or the application server to a data medium that can be transferred to the authorities.
You can control access to the TemSe objects within the ECC system using the authorization object S_TMS_ACT (TemSe: Actions at/to TemSe objects). Data encryption is not necessary here.
You can find information about the TemSe objects for your country version in the Payroll documentation for your country version.
Other Security-Relevant Information
Use
There is the following security-relevant information for the USA country version:
● You can update the Taxability model using the Interface Toolbox (transaction PU12). There are currently no special authorizations for this.
● You have the option of preventing unauthorized or accidental updates to the PCL4 database.
○ You can activate or deactivate the authorization checks for the tax return using the feature UTXSS.
○ You can determine the codes for spool authorizations depending on the tax company and the tax class using the feature UTXSP.
For more information, see the documentation for these features.
SAP Learning Solution/SAP Enterprise Learning
The following sections apply to SAP Learning Solution and SAP Enterprise Learning.
If you also implement the SAP Enterprise Learning product, you can find security-relevant notes on Adobe Connect Enterprise Server 6 in section 6 (Securing Connect Enterprise) of the Installation and Configuration Guide from Adobe (part of the delivery).
You can also find further information on the Adobe Connect Enterprise Server 6 in the SSL Configuration Handbook from Adobe (part of the delivery).
SAP: Important Disclaimers and Legal Information
SAP offers a basic learning solution software product called SAP Learning Solution and a premium learning solution software product with additional features and functionality called SAP Enterprise Learning. The license to use the SAP Learning Solution product does not include a license to use the HCM, Enterprise Learning business function, which is exclusively available to customers who have purchased a separate license to use the SAP Enterprise Learning product. If you would like to acquire the use rights to the HCM, Enterprise Learning business function, contact your SAP Account Executive for additional information regarding pricing and availability of the SAP Enterprise Learning product.
Technical System Landscape
SAP Learning Solution provides very versatile installation and integration options. The distributed system architecture enables a scalable solution. Knowledge of the communication channels and of the relationships between the individual components is important to enable you to select the optimum security strategy.
The following graphic provides an overview of the technical system landscape of SAP Learning Solution.
Figure: Technical System Landscape. Enterprise Portal (Learning Portal with BP for Learning; Instructor Portal with BP for Instructor/Tutor; Collaboration KMC, optional); NW Application Server ABAP (LSOFE add-on); NW Application Server Java (Content Player LSOCP); client computers running the Offline Player LSOOP and the Authoring Environment LSOAE (both standalone Java applications); SAP BW (Analytical Reporting); SAP XI (Process Integration); search engine TREX; Learning Content CMS; external LMS; SAP ECC HCM Extension EA-HR 602 containing LSO Training Management; SAP ECC 6.02 containing HR master data, Performance Management, and Personnel Development. Users: Learner, Instructor, Author, Administrator.
Communication between the individual components is handled using RFC and HTTP. This enables you to distribute the components on multiple servers and thus to safeguard individual communication channels and servers specifically. If there are no specifically critical security requirements, you can combine all components on one server. The advantage of using a distributed system landscape is that it enables you to maximize security for individual components. The advantage of using a single server is that it enables you to reduce costs and improve system performance.
Persistence
Use
The following table contains a classification of the data that is saved in SAP Learning Solution and specifies the tables in which it is saved. SAP Learning Solution stores all data centrally in the ERP system.
Persistence of the Training Catalog
Table:
● Objects and their attributes: HRPnnnn
● Relationships: HRP1001 or additional data in HRPADnnnn
Remarks: PD infotype framework. Courses, course types, and course groups are object types for which data is stored in infotypes. Links between the objects are realized using relationships. Relationship data is stored in transparent tables.
Components Used:
● LSOFE (read/write)
● ERP system (read/write)
● LSOCP (read/write)
Most Important Authorization Objects:
● P_ORGIN
● P_APPL
● PLOG
Persistence of Completion Information, Progress Data, SCORM Data
Table: LSOLEARN* tables of package LSO_LEARNERACCOUNT
Remarks: LSOLEARNING_C contains data for results feedback from the Content Player to the ERP system. All other data is used by the Content Player only.
Components Used:
● LSOCP (read/write)
● ERP system (read)
Persistence of Test Results
Table: LSOTACLRN* tables of package LSO_TAC_DD
Components Used:
● LSOCP (write)
● ERP system (read)
Persistence of Publishing Information
Table:
● LSOTACAS* tables of package LSO_TAC_DD for tests
● LSOLU* tables of package LSO_LEARNERACCOUNT
Components Used:
● LSOAE (read/write)
● LSOCP (read)
● ERP system (read/write)
Persistence of Digital Signatures
Table: LSOLEARNESIGN* tables of package LSO_LEARNERACCOUNT
Components Used:
● LSOFE (read)
● ERP system (read/write)
Learning Portal (LSOFE)
The Learning Portal (LSOFE) is the entry point for learners in SAP Learning Solution. The Learning Portal can be called directly by the SAP WAS or it can be integrated as an iView in SAP Enterprise Portal.
The following graphic provides an overview of the technical system landscape for the Learning Portal.
Figure: Learning Portal. Learners (1 to 7) use a browser that connects over HTTP/HTTPS to the SAP Enterprise Portal (optional) and to LSOFE; LSOFE connects to mySAP ERP over HTTP/HTTPS (+SSO2) and trusted RFC, and to an external LMS over SOAP.
The learner requires a user in SAP Web AS. No special authorizations are required for the user since the front end does not contain a persistence layer. All data is stored in the ERP system.
Configuration Settings
Browser:
● JavaScript must be active.
● SAP Web AS requires cookies for session handling.
● HTTP 1.1 is strongly recommended.
SAP Enterprise Portal:
● It may be necessary to map users between the user in the SAP Enterprise Portal and the Web AS user.
● You must maintain the RFC connection with the ERP system.
SAP ERP:
● A trusted relationship is required between SAP Web AS and the ERP system.
● If you want to implement the Objective Setting and Appraisals component, an HTTP/HTTPS channel is also required.
Instructor/Tutor Role in the SAP Enterprise Portal
The Instructor/Tutor 1.02 business package provides a workset for instructors and tutors in SAP Learning Solution.
The following graphic provides an overview of the technical system landscape for the business package in the Enterprise Portal.
Figure: Business Package for Instructor/Tutor. Instructors (1 to 8) use a browser that connects over HTTP/HTTPS to the Enterprise Portal; the Enterprise Portal connects to SAP ERP over HTTP/HTTPS and RFC, and to an external Collaboration Server over SOAP.
Instructors require a user in the SAP Enterprise Portal and a user in the ERP system. The portal user must be assigned to the user in the ERP system.
The role com.sap.pct.erp.instructor.instructor must be assigned to the portal user. The user in the ERP system must have the authorizations as they are described in the SAP_HR_LSO_INSTRUCTOR role template.
All data is stored in the ERP system.
Configuration Settings
Browser:
● JavaScript must be active.
● SAP Web AS requires cookies for session handling.
● HTTP 1.1 is strongly recommended.
SAP Enterprise Portal:
● It is necessary to map users between the user in the SAP Enterprise Portal and the SAP Web AS user.
● You must maintain the RFC connection with the ERP system.
SAP ERP:
● If you want to use collaboration in the SAP Enterprise Portal, you must have configured the RFC connection between the ERP system and the Enterprise Portal.
● If you want to use an external collaboration server, you must set up the SOAP connection for the purpose.
Content Player (LSOCP)
The Content Player (LSOCP) is called using a URL from the Learning Portal to play Web-based training courses (WBTs). The Content Player does not have a persistence layer. It reads and writes all data to the ERP system.
The following graphic provides an overview of the technical system landscape for the Content Player.
Figure: Content Player. Browsers (Content Player 1 to 4) connect over HTTP/HTTPS to LSOCP; LSOCP connects to the Content Management System over HTTP/HTTPS and to mySAP ERP over RFC.
Configuration Settings
Browser:
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.
Offline Player (LSOOP)
The Offline Player enables you to play instructional content offline without network access. It reads the instructional content and synchronizes the learner’s progress using the Content Player. Instructional content and learning progress are stored in the local file system. In the standard system, this is the learner’s home directory.
The following graphic provides an overview of the technical system landscape for the Offline Player.
Figure: Offline Player. Browsers (Offline Player 1 and 2) connect over HTTP to LSOOP, which synchronizes with LSOCP over HTTP/HTTPS.
Configuration Settings

Component: Browser
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.

Component: LSOOP
● Java 2 SDK 1.4.2 must be installed.
Authoring Environment (LSOAE)

The Authoring Environment (LSOAE) must be installed locally on the author's PC. The Authoring Environment can be used online or offline. In online mode, you require a connection to the ERP system and the Content Management System. If you use it in offline mode, all data is stored in the local file system. You can choose the directory in which to store data. The data comprises course content and configuration data. You can protect this data at operating system level.
The following graphic provides an overview of the technical system landscape for the Authoring Environment.
[Figure: Authoring Environment. Shows the Browser, the Authoring Environment (LSOAE), the Content Management System, SAP ERP, and TREX connected via HTTP, WebDAV, and RFC. The labels Author 1 to Author 4 are the names used in the user type tables below.]
The Authoring Environment contains a special version of the Content Player that locally plays the course content currently being worked on in the Authoring Environment. As with the Offline Player, you cannot use this local Content Player remotely. You can only call it from the PC on which it is installed.
Configuration Settings

Component: Browser
● Internal ActiveX objects must be activated.
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In from version 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.

Component: LSOAE
● Java JRE 1.4.2 or JRE 1.5.0 must be installed.
Environment for the Training Administrator

The SAP GUI transactions required for the training administrator role are available in the ERP system.

The following graphic provides an overview of the technical system landscape for the back end.
[Figure: Environment for the Training Administrator. Shows SAP GUI, SAP Enterprise Portal (optional), mySAP ERP, and Process Integration (PI/XI) connected via DIAG and RFC. The labels User 1 to User 5 are the names used in the user type tables below.]
User Management
User management for SAP Learning Solution uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example, tools, user types, and password policies. See the sections below for an overview of how these mechanisms apply to SAP Learning Solution. In addition, there is a list of the standard users that are necessary for operating SAP Learning Solution.
User Management Tools
The table below shows the tools implemented for user management in SAP Learning Solution.

User Management Tools

Tool | Detailed Description | Prerequisites
User and role maintenance in SAP Web AS ABAP (transactions SU01, PFCG) | For more information, see Users and Roles (BC-SEC-USR) [Extern]. |
User Management Engine of SAP Web AS Java | For more information, see User Management Engine [Extern]. |
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for SAP Learning Solution include:
● Individual users
○ Access to Training Management (LSOTM) is done by means of dialog users. Access is either directly through SAP GUI or indirectly through the Authoring Environment (LSOAE).

○ Access to the Learning Portal (LPO) is handled by means of Internet users. The required users must exist in the front-end system (LSOFE) and in the Training Management system (LSOTM) if the components are installed on separate systems.

○ Access to SAP Enterprise Portal (EP) is handled by means of Internet users. Authors access the Content Management System (CMS) in SAP Enterprise Portal indirectly from the Authoring Environment (LSOAE). Learners access it via the browser if the LPO is embedded in EP or if you use Collaboration in EP.
● Technical users:
○ A communication user is used to access Training Management (LSOTM) when playing courses on the Content Player (LSOCP).

○ A communication user is used to access the Content Management System in SAP Enterprise Portal when playing courses on the Content Player (LSOCP).

○ A communication user is used for communication with external learning management systems (LMS) from the Training Management system (LSOTM) to access the Exchange Infrastructure (XI).

For more information on these user types, see User Types [Extern] in the SAP Web AS ABAP Security Guide.

This table contains details of user management for the various user types in the different tools of SAP Learning Solution.
User Types in the Learning Portal
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Learner 1
Portal user | Learner in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 2
Dialog user | Learner in SAP Web AS | No special authorization for SAP Learning Solution | Learner 3
Communication user | Learner in ERP system | SAP_HR_LSO_LEARNER | Learner 4
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | Learner 5
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 6
Anonymous | External LMS | Depends on LMS used | Learner 7
User Types in the Content Player
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Content Player 1
Anonymous | Content Player in SAP J2EE | | Content Player 2
Communication user | Content Player in the ERP system | SAP_HR_LSO_COURSEPLAYER | Content Player 3
Depends on the CMS used | Content Player in the Content Management System (CMS) | Read access via HTTP/HTTPS | Content Player 4
User Types in the Offline Player
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Offline Player 1
Anonymous | Content Player in SAP J2EE | | Offline Player 2
User Types in the Authoring Environment
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization; authorization for Java 2 SDK 1.4.2 | Author 1
Depends on the CMS used | Author in the CMS | Authorization to lock, unlock, read, create, delete, and write data via WebDAV | Author 2
Communication user | Author in the ERP system | SAP_HR_LSO_AUTHOR | Author 3
Anonymous | Author | | Author 4
User Types in the Training Coordinator’s Environment
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | SAP GUI authorization | User 1
Dialog user | Administrator in ERP system | SAP_HR_LSO_DEVELOPMANAGER, SAP_HR_LSO_HRMANAGER, SAP_HR_LSO_SPECIALIST, SAP_HR_LSO_TRAININGADMIN, SAP_HR_LSO_TRAININGMANAGER, SAP_HR_LSO_ACCOUNTINGADMIN, SAP_HR_LSO_FOLLOWUPADMIN, SAP_HR_LSO_PARTICIPADMIN, SAP_HR_LSO_RESOURCEADMIN | User 2
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | User 3
XI user | | XI access authorization | User 5
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | User 4
User Types in the Instructor’s Environment
User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Instructor 1
Portal user | Instructor in the Enterprise Portal | com.sap.pct.erp.instructor.instructor | Instructor 2
Dialog user | Instructor in ERP system | SAP_HR_LSO_INSTRUCTOR | Instructor 3
Service user | Administrator in ERP system | No special authorization for SAP Learning Solution | Instructor 4
Depends on external system used | Administrator in external system | No special authorization for SAP Learning Solution | Instructor 5
Depends on external system used | Instructor in external system | No special authorization for SAP Learning Solution | Instructor 6
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | Instructor 7
Portal user | Instructor in the Enterprise Portal | com.sap.pct.erp.instructor.instructor | Instructor 8
Authorizations

The SAP Learning Solution component uses the authorization concept provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP Learning Solution.

The SAP Web Application Server authorization concept is based on assigning authorizations to users on the basis of roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user management console for SAP Web AS Java.
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by SAP Learning Solution.

Standard Authorization Objects

Authorization Object | Field | Value | Description
P_ORGIN | HRPnnn | PD Infotype Framework: course, course types, and course groups | Used to determine and check a user's authorizations at the level of HR master data
P_APPL | | | Used to control read and write authorizations for Applicant Management infotypes.
PLOG | | | Used at the level of Personnel Planning data to specify the types of information a user may receive.
Standard Roles
The following table shows the standard roles that are used by SAP Learning Solution. For more information, see User Management [Seite 186].
Standard Roles
Role | Description
SAP_HR_LSO_ACCOUNTINGADMIN | Training accounting
SAP_HR_LSO_AUTHOR | Course author
SAP_HR_LSO_COURSEPLAYER | User of the Content Player
SAP_HR_LSO_DEVELOPMANAGER | Personnel Development Manager Training
SAP_HR_LSO_FOLLOWUPADMIN | Course follow-up
SAP_HR_LSO_HR-MANAGER | HR Manager Training
SAP_HR_LSO_LEARNER | Learner
SAP_HR_LSO_MANAGER | Manager
SAP_HR_LSO_PARTICIPADMIN | Participation administration
SAP_HR_LSO_RESOURCEADMIN | Resource Management
SAP_HR_LSO_SPECIALIST | System Specialist Training
SAP_HR_LSO_TRAININGADMIN | Training Administrator
SAP_HR_LSO_TRAININGMANAGER | Training Manager
SAP_HR_LSO_INSTRUCTOR | Instructor/Tutor
Communication Channel Security

The following graphic displays an overview of the communication channels listed in the tables below.
[Figure: Technical System Landscape and Communication Channels. Shows LSOFE, LSOAE, LSOOP, and ECC on SAP Web AS ABAP, LSOCP and EP 6.0 on SAP Web AS Java, and the Java 2 SDK, connected via RFC, RFC / JCo, Trusted RFC, HTTP/HTTPS, and WebDAV.]
The tables below show the communication channels used by SAP Learning Solution, the protocol used for the connection, and the type of data transferred.

For a better understanding of the tables, you should also display the graphics, which provide an overview of the technology landscape.
Learning Portal
See also: Learning Portal (LSOFE) [Seite 180]
Communication Paths for the Learning Portal: Inbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentications supported by the SAP Web AS, typically form-based logon or standard authentication. Anonymous is supported. However, you should not use it since unique learner assignment is not possible in the back end. | With standard authentication, passwords are transferred in plain text. Consequently, you should protect the transports using SSL.
SAP Enterprise Portal, iView Server | HTTP, HTTPS | All authentications supported by the SAP Web AS. Typically, you can use the Single Sign-On Ticket (SSO) here since logon has been done in the Enterprise Portal already. | For SSO, you must import the Enterprise Portal certificate into the SAP Web AS.
Communication Paths for the Learning Portal: Outbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
ERP system | RFC | Trusted RFC |
SAP Enterprise Portal / Collaboration | RFC | Ticket | User4 for authentication, User3 for RFC authorization
Content Player
See also: Content Player (LSOCP) [Seite 182]
Communication Paths for the Content Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentications supported by the SAP Web AS/J2EE. The standard system uses anonymous. You do not require advanced authentication in the standard system since access is protected by a ticket. | Access to the Content Player is protected by a ticket. The ticket ensures that content can only be called one time using the URL. Only one ticket is valid at any one time.
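The single-use ticket semantics described in the table above, as an added illustration written for this guide rather than SAP's own Content Player code: a ticket is created when the course URL is issued, it can be redeemed exactly once, and issuing a new ticket for the same learner invalidates the earlier one. The class and function names, the in-memory store, and the base URL are assumptions.

```python
"""Illustrative single-use ticket store (an assumption for this guide, not SAP's
Content Player code).  It models the behaviour the guide describes: the Learning
Portal hands the browser a URL carrying a ticket, the Content Player accepts that
ticket exactly once, and only one ticket per learner is valid at any one time,
so issuing a new ticket revokes the previous one."""
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed base URL of the Content Player; the real path is deployment-specific.
PLAYER_BASE_URL = "https://lsocp.example.invalid/lso/player"


class TicketStore:
    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl_seconds = ttl_seconds
        # learner id -> the one currently valid ticket for that learner
        self._current: Dict[str, dict] = {}

    def issue(self, learner: str, course: str, now: Optional[float] = None) -> str:
        """Create a fresh ticket; any earlier ticket of this learner is revoked."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
        self._current[learner] = {
            "token": token,
            "course": course,
            "expires": now + self.ttl_seconds,
        }
        return token

    def player_url(self, course: str, token: str) -> str:
        """The kind of URL the Learning Portal would hand to the browser."""
        return f"{PLAYER_BASE_URL}?course={course}&ticket={token}"

    def redeem(self, token: str, course: str, now: Optional[float] = None) -> Optional[str]:
        """Return the learner if the ticket is valid, and consume it.

        A second call with the same token, a token superseded by a newer one,
        an expired token, or a token bound to another course all return None,
        which the player treats as 'access denied'."""
        now = time.time() if now is None else now
        for learner, rec in list(self._current.items()):
            # constant-time comparison: a guessed token must not leak by timing
            if hmac.compare_digest(rec["token"], token):
                del self._current[learner]          # consumed, valid or not
                if rec["course"] == course and now <= rec["expires"]:
                    return learner
                return None
        return None


def demo() -> dict:
    """Walk through the cases the guide describes (times are constructed)."""
    store = TicketStore(ttl_seconds=60)
    t0 = 1_000_000.0
    first = store.issue("learner4", "WBT-101", now=t0)
    second = store.issue("learner4", "WBT-101", now=t0 + 1)  # supersedes `first`
    return {
        "superseded": store.redeem(first, "WBT-101", now=t0 + 2),   # None
        "first_use": store.redeem(second, "WBT-101", now=t0 + 3),   # "learner4"
        "replay": store.redeem(second, "WBT-101", now=t0 + 4),      # None
        "url": store.player_url("WBT-101", second),
    }


def expired_is_rejected() -> bool:
    store = TicketStore(ttl_seconds=60)
    tok = store.issue("learner5", "WBT-202", now=0.0)
    return store.redeem(tok, "WBT-202", now=61.0) is None


def wrong_course_is_rejected() -> bool:
    store = TicketStore(ttl_seconds=60)
    tok = store.issue("learner6", "WBT-303", now=0.0)
    return store.redeem(tok, "WBT-999", now=1.0) is None


if __name__ == "__main__":
    print(demo())
```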
Communication Paths for the Content Player: Outbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
Content Management System | HTTP, HTTPS | Anonymous, Basic | You store the user for authentication when you configure the Content Player. If you use HTTPS, you must set up HTTPS support of the J2EE Engine. X.509 certificate management is realized using the J2EE Engine.
ERP system | RFC (JCo) | User/Password | You store the user for authentication when you configure the Content Player. You must create a service user for the Content Player in the ERP system.
Offline Player
See also: Offline Player (LSOOP) [Seite 183]
Communication Paths for the Offline Player: Inbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from a local PC only.
Communication Paths for the Offline Player: Outbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
LSOCP | HTTP, HTTPS | All authentications of the SAP Web AS/J2EE. |
Authoring Environment
See also: Authoring Environment (LSOAE) [Seite 184]
Communication Paths for the Authoring Environment: Inbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from a local PC only.
Communication Paths for the Authoring Environment: Outbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
Content Management System | WebDAV, via HTTP, HTTPS | Basic, Anonymous | WebDAV is an enhancement of the HTTP protocol. The Authoring Environment does not contain a separate truststore for X.509 certificates. The Security Provider and the truststore of the Java 2 SDK installation are used. X.509 certificates may have to be imported from the Content Management System if you want to use encrypted communication with SSL.
ERP system | RFC (JCo) | User/Password | Credentials must be entered in a dialog box when switching to online mode.
Environment for the Training Administrator in the Back End

See also: Environment for the Training Administrator [Seite 186]
Communication Paths for the Back End: Inbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
SAP GUI | DIAG | Standard SAP GUI |
Communication Paths for the Back End: Outbound Relationships
Communication Path | Protocol Used | Authentication | Remarks
SAP Enterprise Portal | RFC | With an SSO2 ticket. You store the user and password for generating the ticket in Customizing. | Only necessary if integration with Collaboration for SAP NetWeaver is active.
External Learning Management System (via XI) | SOAP | Anonymous |
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Instructor/Tutor
Communication Paths for the Instructor/Tutor Role in the SAP Enterprise Portal: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentications of the SAP Web AS/J2EE. |
Communication Paths for the Instructor/Tutor Role in the SAP Enterprise Portal: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
ERP system | HTTP, HTTPS | Single Sign-On Ticket (SSO) | The portal user is assigned to a corresponding user in the ERP system. You must create a user in the ERP system for the instructor.
Other Security-Relevant Information
Profile Parameters
To ensure communication between the systems, you must set the following profile parameters using the Profile Parameter Maintenance transaction (RZ11):
mySAP ERP
● For communication with Single Sign-On Tickets (SSO) via RFC connections, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.

● For communication with cookies using connections via HTTP protocols, you must set the parameter login/create_sso2_ticket in the ERP system.
SAP Web AS ABAP
● For authentication with SSO2, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.

● If you want to implement the Objective Setting and Appraisals component, you must also set the parameter login/create_sso2_ticket.
For more information, see the documentation for the parameters in transaction RZ11.
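A check that the two parameters named above are present and switched on, added here as an illustration rather than an SAP tool. It assumes the plain "parameter = value" instance profile format with '#' comments, treats a value of 0 as switched off, and lets a later assignment override an earlier one; the sample profiles are constructed.

```python
"""Illustrative check of the SSO profile parameters named in this section (an added
example, not an SAP tool).  Assumptions: the instance profile is the usual
"parameter = value" text with '#' comments, a value of 0 switches a login/*
parameter off, and the later of two assignments to the same parameter wins."""
from typing import Dict, List, Tuple

# Parameter -> why this section requires it
REQUIRED_SSO_PARAMETERS = {
    "login/accept_sso2_ticket": "accept SSO ticket logon for this (component) system",
    "login/create_sso2_ticket": "create SSO tickets for cookie-based HTTP logon",
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse profile lines into a dict; comments and blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key:
            params[key] = value                  # later duplicate overrides
    return params


def check_sso_parameters(params: Dict[str, str]) -> Dict[str, str]:
    """Map each required parameter to 'ok', 'missing' or 'disabled'."""
    result: Dict[str, str] = {}
    for name in REQUIRED_SSO_PARAMETERS:
        if name not in params:
            result[name] = "missing"
        elif params[name].strip() == "0":
            result[name] = "disabled"
        else:
            result[name] = "ok"
    return result


def findings(text: str) -> List[Tuple[str, str, str]]:
    """(parameter, status, reason) for every parameter that is not 'ok'."""
    status = check_sso_parameters(parse_profile(text))
    return [(name, st, REQUIRED_SSO_PARAMETERS[name])
            for name, st in status.items() if st != "ok"]


# Constructed sample profiles (not real system profiles).
PROFILE_OK = """
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 1     # accept tickets issued by the Portal
login/create_sso2_ticket = 1     # issue tickets (see RZ11 for value meanings)
"""

PROFILE_WEAK = """
SAPSYSTEMNAME = ERP
login/accept_sso2_ticket = 0     # SSO logon via RFC is refused
# login/create_sso2_ticket is not set at all
"""

if __name__ == "__main__":
    for label, text in (("ok", PROFILE_OK), ("weak", PROFILE_WEAK)):
        print(label, findings(text) or "all required SSO parameters set")
```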
SAP E-Recruiting
Before You Start
Important SAP Notes
The following table presents the most important SAP Notes regarding security for SAP E-Recruiting.
Important SAP Notes
SAP Note Number | Title | Comment
711701 | Composite SAP note: Security in E-Recruiting |
957038 | Security gap in cross-site scripting |
960728 | Security gap in Cross-Site Scripting |
1017866 | Consulting note: Candidate scenarios using ABAP Web Dynpro | Includes information about the possible system constellations, changing from BSP to Web Dynpro, securing the backend system
For more relevant SAP Notes, see the Security Guide for Personnel Management under Before You Start [Seite 158].
Technical System Landscape

The following graphics provide an overview of the technical system landscape for SAP E-Recruiting.
[Figure: Functional Architecture. Shows SAP E-Recruiting together with its SAP and non-SAP surroundings: Backend ERP, Back office, Internal career page, Recruitment service providers, Job boards, Other tools, Non-ERP system, and External career page.]
[Figure: The "E-Recruiting Box". Shows SAP E-Recruiting on the SAP Web AS with its database (DB), the Business partner, KPRO, the system for text retrieval (TREX), and the index.]
Technologies used:
• Presentation layer: Business Server Pages (BSP), Web Dynpro ABAP, HTML, HTMLB, JavaScript
• Business logic: ABAP/OO
[Figure: Front-End and Backend on One System. Shows Internet, DMZ, and Intranet zones separated by firewalls, with the candidate (Web browser), the application gateway / proxy gateway, internal users (browser, SSO optional), the system administrator (SAP GUI), SAP E-Recruiting with its database and TREX (front-end and candidate front-end on one system), mySAP ERP with PA-AS (HR Administrative Services), SAP XI, and a non-SAP system; the connections shown are HTTP(S), SMTP (Mail), RFC, and RFC (ALE).]
[Figure: Front-End and Backend on Different Systems. Shows Internet, DMZ, and Intranet zones separated by firewalls, with the candidate (Web browser), the application gateway / proxy gateway, internal users (browser, SSO optional), the system administrator (SAP GUI), a separate SAP E-Recruiting candidate front-end, SAP E-Recruiting with its database and TREX, mySAP ERP with PA-AS (HR Administrative Services), SAP XI, and a non-SAP system; the connections shown are HTTP(S), SMTP (Mail), RFC, and RFC (ALE).]
[Figure: Front-End and Backend on Different Systems (SAP E-Recruiting Integrated with ERP). Shows Internet, DMZ, and Intranet zones separated by firewalls, with the candidate (Web browser), the application gateway / proxy gateway, internal users (browser, SSO optional), the system administrator (SAP GUI), the backend SAP E-Recruiting on ERP / SAP NetWeaver with its database and the front-end for internal candidates, and a separate SAP NetWeaver front-end for external candidates whose database holds no relevant data; the connections shown are HTTP(S), SMTP (Mail), and RFC.]
User Management

User management for SAP E-Recruiting uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java) such as tools, user types, and password policies. For an overview of how these mechanisms apply for SAP E-Recruiting, see the sections below. In addition, there is a list of the standard users that are necessary for operating SAP E-Recruiting.
User Management Tools
The following table shows the user management tools for SAP E-Recruiting.

User Management Tools

Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your SAP E-Recruiting users. |
Technical Settings for User Management in SAP E-Recruiting | For more information on user profiles and the roles, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration. |
Workflow Settings | For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting. | You use the SAP Workflow.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.

The user types required for SAP E-Recruiting are:

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration → Create Special Users.
● Reference user
You can create reference users to simplify authorization maintenance. You assign different roles to each reference user. If you then assign a reference user to a user, the user inherits all of the reference user's role attributes and authorization profile.
...
● Communication user
To enable access to documents in the document area, you create a user that is assigned to the contentserver service (IMG activity: Set Up Access to Documents). This user is a purely technical user, only required for communication with the Web Application Server.
● Service user
Some scenarios are accessible for registered users only; other scenarios are also accessible for unregistered users (registration, job postings, direct application). You must assign a service user to these services so that an unregistered user can use them.
● Background user for workflow
To be able to use the workflow functions, you must create a system user (such as WF-BATCH) in the standard system.

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.

In SAP E-Recruiting you must also assign this user (in addition to the other users) to a candidate. You can do this by using the RCF_CREATE_USER report.
● Standard user
For information about the following themes, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration:
○ User profile
○ Roles (transaction PFCG)
○ Special users
Authorizations

SAP E-Recruiting uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP E-Recruiting.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user management console for SAP Web AS Java.
Standard Roles
The following table shows the standard roles that are used by SAP E-Recruiting.

Standard Roles for User Interfaces with BSP Technology

Role | Description
SAP_RCF_BUSINESS_ADMINISTRATOR | Administrator [Extern]: Administrator for SAP E-Recruiting
SAP_RCF_CONTENT_SERVER | Search Engine Access [Extern]: Access to the Search and Classification (TREX) search engine
SAP_RCF_DATA_TYPIST | Data Entry Clerk [Extern]: The role contains the authorization for minimum data entry for incoming paper applications.
SAP_RCF_DECISION_MAKER | Decision Maker [Extern]: The decision maker answers questionnaires about candidates who are assigned to requisitions. In the questionnaires, the decision maker is asked for his or her opinion.
SAP_RCF_EXTERNAL_CANDIDATE | External Candidate [Extern]: This role may only display its own data. The role can only see job postings that you published via publications using the external posting channels.
SAP_RCF_INTERNAL_CANDIDATE | Internal Candidate [Extern]: This role may only display its own data. The role can only see job postings that you published via publications using the internal posting channels. The role does not have access to the following data:
  ● Requisition data
  ● Posting data
  ● Application data
  ● Data for the selection process
SAP_RCF_MANAGER | Manager [Extern]: This role is required so that managers can access SAP E-Recruiting from the Portal (Manager Self Service). The manager wants to fill the vacant jobs in his or her area. To do this, the manager creates requisitions with the status In Process that are then processed further by recruiters. The role has access to the following data:
  ● Candidate data: The manager can see only the candidate data that is assigned to requisitions for which the manager is responsible.
  ● Requisition data and data for selection processes: The manager can only see data for which he or she is responsible.
  The role also contains the authorization to respond to questionnaires about candidates that are assigned to the relevant requisitions.
SAP_RCF_MANAGER_ASSISTANT | Manager's Assistant: This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.
SAP_RCF_RECRUITER | Recruiter [Extern]: The role has access to the following data:
  ● Candidate data: The data is displayed for all candidates who stored their data in the Talent Pool.
  ● All publications
  ● All requisition data
  ● All application data
  ● All data for the selection processes
  The role also contains the authorization for minimum data entry for incoming paper applications.
SAP_RCF_SUCCESSION_PLANNER | Succession Planner [Extern]: This role contains the following aspects:
  ● Display of all candidates that are part of the Talent Pool
  ● Requisition data (succession plan data): Shows all requisitions of the Succession Planning subarea in the system
  ● Candidacy data: Shows all candidacies that were created in the system within Succession Planning
  Applications, job postings, and publications are not required for this role.
SAP_RCF_REST_SUCCESSIONPLANNER | Restricted Succession Planner [Extern]: Succession planner without the authorization to release succession plans. An approval process is required for this.
SAP_RCF_REQUISITION_REQUESTER | Requester [Extern]: The requester creates requisitions and sends them with the status In Process to a recruiter who then completes the requisition, phrases the job posting, and releases both.
SAP_RCF_RESTRICTED_RECRUITER | Restricted Recruiter [Extern]: Recruiter without the authorization to release requisitions. An approval process is required for this.
SAP_RCF_TALENT_CONSULTANT | Talent Consultant: This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.
SAP_RCF_UNREGISTERED_CANDIDATE | Unregistered Candidate (Service User) [Extern]

Standard Roles for User Interfaces with Web Dynpro ABAP

Role | Description
SAP_RCF_UNREG_CANDIDATE_CLIENT | Unregistered Candidate (Client) [Extern]: This role contains the necessary authorizations for unregistered candidates/service users that are required on the front-end system when using a separated system (front-end and backend on different systems).
SAP_RCF_UNREG_CANDIDATE_SERVER | Unregistered Candidate (Server) [Extern]: This role provides the necessary authorizations for an unregistered candidate/service user in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).
of direct access a user can have to the candidates in the Talent Pool. The following ways to access the candidate pool directly are available:
  ● Status-Independent Access to Candidates (DIRECT_ACC)
  ● Recognition of Multiple Applicants (DUPL_CHECK)
  ● Maintenance of Candidate Data (CAND_MAINT)
P_RCF_STAT | RCF_STAT | | Authorization object that specifies within SAP E-Recruiting the authorization for status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).
P_RCF_ACT | ACTVT | Add or Create; Change; Delete | Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is therefore identified through the assigned process and through the activity type.
P_RCF_WL | RCF_WL_ID | | Authorization object that specifies within SAP E-Recruiting which worklists a user can access in the Dashboard [Extern].
Additional Standard Authorization Objects when Using Web Dynpro ABAP
Authorization Object | Field | Value | Description
S_RFC | ACTVT, RFC_NAME, RFC_TYPE | | Authorization object for RFC access (For more information, see the documentation for Authorization Object S_RFC.)
S_RFCACL | ACTVT, RFC_CLIENT, RFC_EQUSER, RFC_INFO, RFC_SYSID, RFC_TCODE, RFC_USER | | Authorization check for RFC users (for example, Trusted System) (For more information, see the documentation for Authorization Object S_RFCACL.)
S_ICF | ICF_FIELD | SERVICE | Authorization checks for using services in Internet Communication Framework (SICF), for calling remote function modules using an RFC destination (SM59), and for configuring proxy settings (SICF). (For more information, see the documentation for Authorization Object S_ICF.)
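An added example of the check a reviewer would run against the two RFC objects in the table above (example code written for this topic, not code from SAP or from this guide): it reads rows shaped like an export of table AGR_1251 (role authorization values: AGR_NAME, OBJECT, FIELD, LOW, HIGH) and flags roles whose S_RFC or S_RFCACL values are full wildcards. The role names and values are constructed. The risky combination modelled for S_RFCACL is RFC_USER = '*' together with RFC_EQUSER = 'N', which accepts any calling user ID from the trusted system.

```python
"""Audit role authorization values for over-broad RFC grants.

Added example, not code from the SAP security guide. The rows mimic an
export of table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH) and are
constructed for this demonstration.
"""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

AuthValue = namedtuple("AuthValue", "agr_name object field low high")

# Fields whose full wildcard turns the object into an unrestricted grant.
# Assumption: these are the fields a reviewer should look at first.
SENSITIVE_FIELDS = {
    "S_RFC": {"RFC_NAME"},
    "S_RFCACL": {"RFC_USER", "RFC_SYSID", "RFC_CLIENT"},
}

# Constructed sample rows (not a real export).
SAMPLE_ROWS = [
    # Narrow grant: one function-group name pattern, execute activity only.
    AuthValue("Z_ERECRUIT_FRONTEND", "S_RFC", "ACTVT", "16", ""),
    AuthValue("Z_ERECRUIT_FRONTEND", "S_RFC", "RFC_TYPE", "FUGR", ""),
    AuthValue("Z_ERECRUIT_FRONTEND", "S_RFC", "RFC_NAME", "HRRCF*", ""),
    # Over-broad grant: any function group callable via RFC.
    AuthValue("Z_BASIS_ALL_RFC", "S_RFC", "ACTVT", "16", ""),
    AuthValue("Z_BASIS_ALL_RFC", "S_RFC", "RFC_TYPE", "*", ""),
    AuthValue("Z_BASIS_ALL_RFC", "S_RFC", "RFC_NAME", "*", ""),
    # Trusted-system grant that still insists on identical user IDs.
    AuthValue("Z_TRUST_BACKEND", "S_RFCACL", "RFC_SYSID", "ERF", ""),
    AuthValue("Z_TRUST_BACKEND", "S_RFCACL", "RFC_CLIENT", "100", ""),
    AuthValue("Z_TRUST_BACKEND", "S_RFCACL", "RFC_USER", "*", ""),
    AuthValue("Z_TRUST_BACKEND", "S_RFCACL", "RFC_EQUSER", "Y", ""),
    AuthValue("Z_TRUST_BACKEND", "S_RFCACL", "ACTVT", "16", ""),
    # Trusted-system grant that lets any calling user ID in.
    AuthValue("Z_TRUST_ANY", "S_RFCACL", "RFC_SYSID", "ERF", ""),
    AuthValue("Z_TRUST_ANY", "S_RFCACL", "RFC_CLIENT", "100", ""),
    AuthValue("Z_TRUST_ANY", "S_RFCACL", "RFC_USER", "*", ""),
    AuthValue("Z_TRUST_ANY", "S_RFCACL", "RFC_EQUSER", "N", ""),
    AuthValue("Z_TRUST_ANY", "S_RFCACL", "ACTVT", "16", ""),
]


def is_full_wildcard(low: str, high: str) -> bool:
    """A single '*' with no upper bound matches every value of the field."""
    return low.strip() == "*" and high.strip() == ""


def find_broad_rfc_grants(rows: List[AuthValue]) -> List[Tuple[str, str, str]]:
    """Sorted (role, object, field) triples where a sensitive field is '*'."""
    findings: Set[Tuple[str, str, str]] = set()
    for r in rows:
        sensitive = SENSITIVE_FIELDS.get(r.object, set())
        if r.field in sensitive and is_full_wildcard(r.low, r.high):
            findings.add((r.agr_name, r.object, r.field))
    return sorted(findings)


def values_by_field(rows: List[AuthValue], role: str, obj: str) -> Dict[str, Set[str]]:
    """Collect all LOW values a role carries for one object, keyed by field."""
    out: Dict[str, Set[str]] = {}
    for r in rows:
        if r.agr_name == role and r.object == obj:
            out.setdefault(r.field, set()).add(r.low.strip())
    return out


def trusted_rfc_risk(rows: List[AuthValue]) -> List[str]:
    """Roles whose S_RFCACL grant accepts any calling user ID.

    RFC_USER = '*' combined with RFC_EQUSER = 'N' (or '*') means the calling
    user need not match the local user, so any user of the trusted system
    can log on as the holder of this role.
    """
    roles = sorted({r.agr_name for r in rows if r.object == "S_RFCACL"})
    risky = []
    for role in roles:
        vals = values_by_field(rows, role, "S_RFCACL")
        if "*" in vals.get("RFC_USER", set()) and vals.get("RFC_EQUSER", set()) & {"N", "*"}:
            risky.append(role)
    return risky


if __name__ == "__main__":
    for role, obj, fld in find_broad_rfc_grants(SAMPLE_ROWS):
        print(f"{role}: {obj} field {fld} is unrestricted")
    for role in trusted_rfc_risk(SAMPLE_ROWS):
        print(f"{role}: S_RFCACL accepts any calling user ID (RFC_EQUSER = N)")
```

On a real system the rows would come from AGR_1251 for the roles in scope; the wildcard test is deliberately strict (a lone '*'), so range values such as HRRCF* are reported as narrow and left for manual review.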
Communication Channel Security
Use
The table below shows the communication paths used by SAP E-Recruiting, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client that uses SAP GUI for Windows for the application server | DIAG | All Customizing data | Passwords
Front-end client that uses a Web browser for the application server | HTTP, HTTPS | All application data | Passwords
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
The following table provides an overview of the communication destinations that SAP E-Recruiting uses.
You use the following communication destinations depending on which application you use to manage your HR master data:
● If you use the SAP GUI transactions to maintain HR master data (for example, transactions PA*), communication with SAP E-Recruiting runs via RFC connections.
● If you use the HR Administrative Services application, communication with SAP E-Recruiting runs via SAP NetWeaver PI (Process Integration).
Communication Destinations
Destination | Delivered | Type | User, Authorizations | Description
SAP E-Recruiting to SAP Human Resources Management | No | RFC | See Implementation Guide (IMG) | IMG: SAP E-Recruiting → Recruitment → Applicant Tracking → Activities → Set Up Data Transfer for New Employees
From SAP Human Resources Management to SAP E-Recruiting | No | RFC | See IMG | SAP E-Recruiting → Technical Settings → SAP ERP Central Component (ECC) Integration → Software Runs on Different Instances → Set Up Data Transfer from SAP ECC
From SAP E-Recruiting to TREX | No | RFC | See IMG SAP E-Recruiting → Technical Settings → User Administration → Create Special Users | SAP E-Recruiting → Technical Settings → Search Engine → Set Up Search Engine for E-Recruiting
From SAP E-Recruiting to HR Administrative Services | No | XI messages | | Transfer external candidate's data when hiring
From HR Administrative Services to SAP E-Recruiting | No | XI messages | | Return personnel number of former external candidate to SAP E-Recruiting
Changes to the HR master data are transferred to SAP E-Recruiting using the master data distribution in the ALE scenario.
The following table provides an overview of the communication destinations that SAP E-Recruiting uses if you want to use Web Dynpro ABAP to separate the front-end from the backend for the candidate scenarios (front-end and backend on different systems).
Communication Destinations for Separated Systems
Destination | Delivered | Type | User, Authorizations | Description
SAP E-Recruiting (front-end) to SAP E-Recruiting (backend) | No | RFC | See IMG | SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Front-End Candidate → Enter RFC Destination of Receiving Backend System. You enter the RFC destination as a value of the RECFA UI2BL parameter.
SAP E-Recruiting (backend) to SAP E-Recruiting (front-end) | No | RFC | See IMG | SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Backend Candidate → Specify System Parameters for Web Dynpro. You enter the RFC destination as a value of the RECFA BL2UI parameter.
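To make the two rows above checkable, here is an added example (my own code, not SAP's and not part of this guide) that verifies the RECFA UI2BL and RECFA BL2UI switches of a separated front-end/backend pair: each must name an existing ABAP RFC destination that points at the peer system and, following the SNC guidance in Communication Channel Security, that destination should have SNC active. The switches are modelled as (group, semantic ID, value) triples in the shape of T77S0 entries, which is an assumption about where these switches live; the system IDs, destination names and destination attributes are constructed.

```python
"""Check the RECFA UI2BL / BL2UI destination pair of a separated landscape.

Added example, not code from the SAP security guide. Switches are
(group, semantic ID, value) triples (shape of T77S0 rows; assumption).
Destinations are a simplified view of SM59 attributes. All data below
is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SystemView:
    sysid: str
    switches: List[Tuple[str, str, str]]            # (GRPID, SEMID, GSVAL)
    destinations: Dict[str, Dict[str, object]] = field(default_factory=dict)


def switch_value(switches: List[Tuple[str, str, str]], grpid: str, semid: str) -> Optional[str]:
    """Value of one switch, or None when absent or blank."""
    for g, s, v in switches:
        if g == grpid and s == semid:
            return v.strip() or None
    return None


def check_peer_destination(src: SystemView, semid: str, peer_sysid: str) -> List[str]:
    """Verify that RECFA <semid> on src names a usable, SNC-protected ABAP
    destination to peer_sysid. Returns a list of findings (empty = OK)."""
    tag = f"{src.sysid}: RECFA {semid}"
    name = switch_value(src.switches, "RECFA", semid)
    if name is None:
        return [f"{tag} is not set; candidate UI calls would have no peer system"]
    dest = src.destinations.get(name)
    if dest is None:
        return [f"{tag} = {name}, but no such RFC destination exists"]
    findings = []
    if dest.get("type") != "3":
        findings.append(f"{tag} = {name} is not an ABAP (type 3) connection")
    if dest.get("target_sysid") != peer_sysid:
        findings.append(f"{tag} = {name} points to {dest.get('target_sysid')}, expected {peer_sysid}")
    if not dest.get("snc_active"):
        findings.append(f"{tag} = {name} has SNC inactive; RFC traffic including logon data is unprotected")
    return findings


def check_separated_landscape(frontend: SystemView, backend: SystemView) -> List[str]:
    """Both directions of the pair: UI2BL on the front-end, BL2UI on the backend."""
    return (check_peer_destination(frontend, "UI2BL", backend.sysid)
            + check_peer_destination(backend, "BL2UI", frontend.sysid))


# Constructed sample landscape: ERU is the front-end system, ERF the backend.
FRONTEND_OK = SystemView(
    sysid="ERU",
    switches=[("RECFA", "UI2BL", "ERF_CAND_BACKEND")],
    destinations={"ERF_CAND_BACKEND": {"type": "3", "target_sysid": "ERF",
                                       "client": "100", "snc_active": True}},
)
BACKEND_OK = SystemView(
    sysid="ERF",
    switches=[("RECFA", "BL2UI", "ERU_CAND_FRONTEND")],
    destinations={"ERU_CAND_FRONTEND": {"type": "3", "target_sysid": "ERU",
                                        "client": "100", "snc_active": True}},
)
# Same pairing, but the return destination was created without SNC.
BACKEND_WEAK = SystemView(
    sysid="ERF",
    switches=[("RECFA", "BL2UI", "ERU_CAND_FRONTEND")],
    destinations={"ERU_CAND_FRONTEND": {"type": "3", "target_sysid": "ERU",
                                        "client": "100", "snc_active": False}},
)


if __name__ == "__main__":
    for line in check_separated_landscape(FRONTEND_OK, BACKEND_WEAK) or ["landscape OK"]:
        print(line)
```

The check is deliberately symmetric: a front-end that reaches the backend over SNC while the backend answers the front-end over an unprotected destination still leaves one direction of the candidate scenario exposed.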
Data Storage Security
The SAP E-Recruiting data is saved as follows:
● If you use SAP E-Recruiting integrated with other SAP applications, the data is saved in the SAP Web AS or SAP ECC databases.
● If you use SAP E-Recruiting as a standalone application, the data is saved directly in the SAP E-Recruiting databases. You do not require any other databases in addition to this standard.
The application uses a Web browser. The SAP Web AS must issue cookies as well as accepting them.
When you use Web Dynpro ABAP as the interface technology and the front-end and backend are separated on different systems, the system generates the URLs based on the backend system, as the data is stored there. When generating the URL, you can use the database table HTTPURLLOC (HTTP URL Location Exception Table) to replace the actual server name with another one. In this way, it is possible to use a proxy server or similar to access documents.
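The HTTPURLLOC substitution just described, as an added example (not code from this guide or from SAP): a small resolver that applies the exception entries to a URL generated on the backend. The column names follow the table's layout as I recall it (PROTOCOL, APPLICATN, FOR_DOMAIN, SORT_KEY, HOST, PORT) and should be treated as an assumption to be compared with the table definition in your system; the entries, host names and application path in the sample are constructed. The block also lists entries that publish plain HTTP locations, the case the guide says is to be covered by SSL.

```python
"""Simulate the host substitution driven by table HTTPURLLOC.

Added example, not code from the SAP security guide. Column names are an
assumption based on HTTPURLLOC's layout; entries and hosts are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class UrlLocEntry:
    protocol: str     # HTTP or HTTPS: protocol of the URL being generated
    applicatn: str    # application path pattern, '*' wildcard
    for_domain: str   # pattern for the domain the request came from, '*' wildcard
    sort_key: str     # entries are evaluated in ascending SORT_KEY order
    host: str         # replacement host
    port: str         # replacement port


def _wild(pattern: str):
    """Translate a '*' wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def resolve_location(entries: Sequence[UrlLocEntry], protocol: str,
                     application: str, caller_domain: str) -> Optional[Tuple[str, str]]:
    """First matching entry (by SORT_KEY) wins; None means keep the real server."""
    for e in sorted(entries, key=lambda x: x.sort_key):
        if (e.protocol.upper() == protocol.upper()
                and _wild(e.applicatn).match(application)
                and _wild(e.for_domain).match(caller_domain)):
            return e.host, e.port
    return None


def build_url(entries: Sequence[UrlLocEntry], protocol: str, application: str,
              caller_domain: str, real_host: str, real_port: str) -> str:
    """URL the backend would hand to the client after applying the exceptions."""
    loc = resolve_location(entries, protocol, application, caller_domain)
    host, port = loc if loc else (real_host, real_port)
    default_port = "443" if protocol.upper() == "HTTPS" else "80"
    authority = host if port == default_port else f"{host}:{port}"
    return f"{protocol.lower()}://{authority}{application}"


def plain_http_entries(entries: Sequence[UrlLocEntry]) -> List[str]:
    """SORT_KEYs of entries that publish HTTP (not HTTPS) locations, for review."""
    return [e.sort_key for e in entries if e.protocol.upper() == "HTTP"]


# Constructed sample: external candidates reach the Web Dynpro front-end via a
# reverse proxy over HTTPS; internal clients on the corporate domain keep the
# backend's own HTTP port.
SAMPLE_ENTRIES = [
    UrlLocEntry("HTTPS", "/sap/bc/webdynpro/sap/*", "*", "0001", "recruiting.example.com", "443"),
    UrlLocEntry("HTTP", "/sap/bc/*", "*.corp.example", "0002", "erf-backend.corp.example", "8000"),
]


if __name__ == "__main__":
    print(build_url(SAMPLE_ENTRIES, "HTTPS", "/sap/bc/webdynpro/sap/cand_reg",
                    "anyone.example.net", "erf-backend.corp.example", "44300"))
    print("plain HTTP entries to review:", plain_http_entries(SAMPLE_ENTRIES))
```

Because the first entry by sort key wins, the order of wildcard entries matters: a broad '*' entry sorted before a narrower one silently shadows it, which is worth checking whenever an entry is added.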
Defense Forces & Public Security
Before You Start
Basic Recommendations
The Defense Forces & Public Security component is based on the SAP ERP Central Component. For this reason, the relevant Security Guide also applies. The Security Guide for the Defense Forces & Public Security component contains only information about component-specific features.
Technical System Landscape
Use
For a presentation of the multilevel system landscape, see the documentation for
mySAP ERP in SAP Library under Defense Forces & Public Security → Support for the
Domestic Base and Operations and Exercises → System Architecture and Offline Capabilities.
User Administration and Authentication
The Defense Forces & Public Security component uses the user administration and authentication mechanisms of the SAP NetWeaver platform, in particular of the SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the Defense Forces & Public Security component.
● The personnel development process
User group for defining the qualification block hierarchy, that is, the grouping of qualifications according to business criteria
For master data maintenance, the guidelines in the Security Guide for Personnel Management (PA) [page 158] apply.
Authorizations
The Defense Forces & Public Security component uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Defense Forces & Public Security.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user administration console for SAP Web AS Java.
Standard Roles
Roles and authorization profiles are not defined for Defense Forces & Public Security .
Standard Authorization Objects
The following table presents the authorization objects relevant for security that are used by the Defense Forces & Public Security applications.
Standard Authorization Objects
Authorization Object | Class | Value | Description
C_DRAW_TCD | CV | | Authorization for Document Activities
C_KLAH_BKP | CLAS | | Authorization for Class Maintenance
C_TCLA_BKA | CLAS | | Authorization for Class Types
EXTBAT_CRE | LO | | Create External Batch Structure for Purchase Orders
EXTBAT_MNT | LO | | Change External Batch Structures
I_ROUT | PM | | PM: Task Lists
I_TCODE | PM | | PM: Transaction Code
PLOG | HR | | Personnel Planning
C_PVS_PNID | PPE | | iPPE Node: External Key
C_PVS_PNTY | PPE | | iPPE Node: Type
C_PVS_PVID | PPE | | iPPE Variant: External Key
C_PPE_PAID | PPE | | iPPE Alternative: External Key
C_PVS_PATY | PPE | | iPPE Alternative: Type
C_PVS_PVTY | PPE | | iPPE Variant: Type
S_SCD0 | BC_Z | | Change Documents
S_TCODE | AAAB | | Transaction Code Check at Transaction Start
DF_FOR_REL | DFPS | | Force Element: Relationships
M_MATE_STA | MM_G | | Material Master: Maintenance Statuses
M_MATE_WRK | MM_G | | Material Master: Plants
M_MSEG_BMB | MM_B | | Material Documents: Movement Type
M_MSEG_MWB | MM_B | | Material Documents: Plant
M_MSEG_BWA | MM_B | | Goods Movements: Movement Type
M_MSEG_LGO | MM_B | | Goods Movements: Storage Location
M_MSEG_WWA | MM_B | | Goods Movements: Plant
In addition, Defense Forces & Public Security uses the Human Resources authorization objects. For more information, see the description of the Human Resources authorization objects, in particular those for Personnel Management.
Network and Communication Security
Subareas of Defense Forces & Public Security use the standard functions in the infotype framework for Personnel Administration and Personnel Development. For more information, see the Security Guide for Personnel Management.
In the case of the material assignment function, the existing interfaces (BAPIs) are used to communicate with applications outside of Human Resources, such as Materials Management.
Data Storage Security
Data is stored in databases in the SAP system. For general information about the security of the data storage, see the Security Guide for Personnel Management, for example.
Note that the following infotypes may contain sensitive data:
● Personal Features (0804)
● Sanctions (0802)
Appendix
For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.
You can also access additional security guides via SAP Service Marketplace at service.sap.com/securityguide.
For more information about security issues, see SAP Service Marketplace at service.sap.com followed by:
Topic | SAP Service Marketplace
Master guides, installation guides, upgrade guides, and Solution Management guides | /instguides
/ibc
Related notes | /notes
Platforms | /platforms