
7/31/2019 Secguide Ecc 60ehp3 En

http://slidepdf.com/reader/full/secguide-ecc-60ehp3-en 1/215


SAP ERP Central Component Security Guide

Release 6.0, Enhancement Package 3


SAP ERP Central Component Security Guide 6.0, EHP3 2

Copyright

© Copyright 2007 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

The following icons are used in the body text (the icon graphics themselves are not reproduced in this text version):

●   Caution

●   Example

●   Note

●   Recommendation

●   Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style Description

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.


SAP ERP Central Component Security Guide........................................................................ 10 

Introduction .......................................................................................................................... 10 

Before You Start .................................................................................................................. 11 

Technical System Landscape.............................................................................................. 12 

User Management and Authentication ................................................................................ 13 

User Administration .......................................................................................................... 13 

User Data Synchronization............................................................................................... 16 

Integration in Single Sign-On Environments .................................................................... 16 

Authorizations ...................................................................................................................... 17 

Network and Communication Security................................................................................. 18 

Communication Channel Security.................................................................................... 19 

Network Security .............................................................................................................. 19 

Communication Destinations............................................................................................ 20 

Data Storage Security.......................................................................................................... 20 

Security for Other Applications ............................................................................................ 20 

Trace and Log Files ............................................................................................................. 20 

Cross-Application Components ........................................................................................... 21 

Cross-Application Time Sheet (CA-TS) ........................................................................... 21 

Authorizations ............................................................................................................... 21 

Communication Destinations........................................................................................ 22 

Digital Signature............................................................................................................... 23 

Self-Services .................................................................................................................... 24 

Before You Start ........................................................................................................... 24 

User Management ........................................................................................................ 26 

Authorizations ............................................................................................................... 27 

Editing Roles and Authorizations for Web Dynpro Services..................................... 29 

Authorizations for Controlling Services (MSS, BUA) ................................................ 29 

Authorizations for BW iViews (MSS)......................................................................... 30 

Communication Destinations........................................................................................ 30 

Enterprise Services .......................................................................................................... 31 

Before You Start ........................................................................................................... 31 

Authorizations ............................................................................................................... 31 

Network and Communication Security ......................................................................... 32 

Accounting ........................................................................................................................... 33 

Financial Accounting ........................................................................................................ 33 

Authorizations in Financial Accounting......................................................................... 34 

General Ledger Accounting (FI-GL) ............................................................................. 36 

Accounts Payable Accounting (FI-AP) ......................................................................... 39 

Accounts Receivable Accounting (FI-AR) .................................................................... 40 


Bank Accounting (FI-BL)............................................................................................... 41 

Asset Accounting (FI-AA) ............................................................................................. 42 

Travel Management (FI-TV) ......................................................................................... 43 

Authorizations in the Special Purpose Ledger (FI-SL) ................................................. 45 

Treasury........................................................................................................ 46 

Authorizations ........................................................................................................... 46 

Controlling ........................................................................................................................ 48 

Authorizations in Controlling......................................................................................... 49 

Authorizations in Profit Center Accounting................................................................... 53 

Network and Communication Security ......................................................................... 54 

Communication Destinations .................................................................................... 55 

Consolidation (EC-CS)..................................................................................................... 55 

Accounting Engine ........................................................................................................... 56 

Introduction ................................................................................................................... 56 

Before You Start ........................................................................................................... 57 

Technical System Landscape....................................................................................... 58 

User Administration and Authentication ....................................................................... 59 

User Management..................................................................................................... 59 

Integration into Single Sign-On Environments.......................................................... 59 

Authorizations ............................................................................................................... 60 

Network and Communication Security ......................................................................... 61 

Communication Channel Security............................................................................. 61 

Communication Destinations .................................................................................... 62 

Data Storage Security................................................................................................... 62 

Financial Supply Chain Management .............................................................................. 63 

Management of Internal Controls: Security Guide........................................................... 63 

Technical System Landscape....................................................................................... 64 

User Management and Authorizations ......................................................................... 64 

User Management..................................................................................................... 65 

Roles and Authorizations Concept............................................................................ 66 

Standard Roles and Authorization Objects ........................................................... 67 

Editing MIC-Specific Roles.................................................................................... 68 

Tasks: Central Structure Setup.......................................................................... 70 

Tasks: Structure Setup Specific to Organizational Units................................... 72 

Tasks: Control Assessments and Tests ............................................................ 76 

Tasks: Management Control Assessment and Test.......................................... 79 

Tasks: Reporting and Sign-Off .......................................................................... 81 

Assigning Roles to Persons .................................................................................. 83 

Integration with Single Sign-On Environments ......................................................... 84 

Communication Channel Security ................................................................................ 84 


Data Storage Security................................................................................................... 85 

Master Data Framework................................................................................................... 86 

Introduction ................................................................................................................... 86 

Before You Start ........................................................................................................... 87 

Technical System Landscape....................................................................................... 88 

User Administration and Authentication ....................................................................... 89 

User Management..................................................................................................... 89 

Integration into Single Sign-On Environments.......................................................... 89 

Authorizations ............................................................................................................... 90 

Network and Communication Security ......................................................................... 90 

Communication Channel Security............................................................................. 91 

SAP Banking .................................................................................................................... 91 

SAP Financial Customer Information Management (FS-BP) ....................................... 92 

Authorizations ........................................................................................................... 92 

Network and Communication Security...................................................................... 92 

Communication Destinations................................................................................. 93 

Data Storage Security............................................................................................... 93 

Bank Customer Accounts (BCA) .................................................................................. 93 

Authorizations ........................................................................................................... 93 

Network and Communication Security...................................................................... 94 

Data Storage Security............................................................................................... 94 

Important SAP Notes ................................................................................................ 94 

Loans Management (FS-CML)..................................................................................... 95 

Authorizations ........................................................................................................... 95 

Network and Communication Security...................................................................... 97 

Data Storage Security............................................................................................... 97 

Collateral Management (CM)........................................................................................ 98 

Authorizations ........................................................................................................... 98 

Network Communication and Security...................................................................... 99 

Strategic Enterprise Management (SEM) for Banks .................................................. 101 

Authorizations ......................................................................................................... 101 

Network and Communication Security.................................................................... 102 

Communication Destinations............................................................................... 103 

Data Storage Security............................................................................................. 103 

Reserve for Bad Debt (FS-RBD) ................................................................................ 104 

Authorizations ......................................................................................................... 104 

Network and Communication Security.................................................................... 109 

Communication Destinations............................................................................... 109 

Trace and Log Files ................................................................................................ 110 

Incentive and Commission Management (ICM)............................................................. 110 


Authorizations ......................................................................................................... 149 

Network and Communication Security.................................................................... 150 

Retail .............................................................................................................................. 150 

Network and Communication Security ....................................................................... 150 

Authorizations ............................................................................................................. 152 

Global Trade................................................................................................................... 155 

Network and Communication Security ....................................................................... 155 

Sales and Distribution (SD) ............................................................................................ 156 

Human Capital Management ............................................................................................. 158 

Personnel Management (PA)......................................................................................... 158 

Before You Start ......................................................................................................... 158 

User Management ...................................................................................................... 160 

Authorizations ............................................................................................................. 161 

Communication Channel Security .............................................................................. 164 

Communication Destinations...................................................................................... 165 

Data Storage Security................................................................................................. 167 

Security for Additional Applications ............................................................................ 169 

Other Security-Relevant Information .......................................................................... 169 

Personnel Time Management (PT) ................................................................................ 170 

User Management ...................................................................................................... 170 

Authorizations ............................................................................................................. 170 

Communication Destinations...................................................................................... 171 

Payroll (PY) .................................................................................................................... 172 

Before You Start ......................................................................................................... 172 

User Management ...................................................................................................... 172 

Authorizations ............................................................................................................. 173 

Communication Channel Security .............................................................................. 175 

Communication Destinations...................................................................................... 175 

Data Storage Security................................................................................................. 175 

Security for Additional Applications ............................................................................ 175 

Other Security-Relevant Information .......................................................................... 176 

SAP Learning Solution/SAP Enterprise Learning .......................................................... 176 

SAP: Important Disclaimers and Legal Information.................................................... 177 

Technical System Landscape..................................................................................... 177 

Persistence ............................................................................................................. 178 

Learning Portal (LSOFE)......................................................................................... 180 

Instructor/Tutor Role in the SAP Enterprise Portal ................................................. 181 

Content Player (LSOCP)......................................................................................... 182 

Offline Player (LSOOP)........................................................................................... 183 

Authoring Environment (LSOAE) ............................................................................ 184 


Environment for the Training Administrator ............................................................ 186 

User Management ...................................................................................................... 186 

Authorizations ............................................................................................................. 190 

Communication Channel Security .............................................................................. 191 

Other Security-Relevant Information .......................................................................... 196 

SAP E-Recruiting ........................................................................................................... 196 

Before You Start ......................................................................................................... 196 

Technical System Landscape..................................................................................... 197 

User Management ...................................................................................................... 201 

Authorizations ............................................................................................................. 203 

Communication Channel Security .............................................................................. 208 

Communication Destinations...................................................................................... 208 

Data Storage Security................................................................................................. 210 

Defense Forces & Public Security ..................................................................................... 211 

Before You Start............................................................................................................. 211 

Technical System Landscape ........................................................................................ 211 

User Administration and Authentication......................................................................... 211 

User Management ...................................................................................................... 212 

Authorizations................................................................................................................. 213 

Network and Communication Security........................................................................... 214 

Data Storage Security .................................................................................................... 214 

Appendix ............................................................................................................................ 215 


SAP ERP Central Component Security Guide

The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.

Introduction

This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.

Target Group

●   Technology consultants

●   System administrators

The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.

About this Document

The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.

Since SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential that you consult the Security Guide for SAP NetWeaver. See SAP Help Portal at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide.

To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.

Overview of the Main Sections 

The Security Guide comprises the following main sections:

●   Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that are a basis for this Security Guide.


●   Technical System Landscape

This section is an overview of the technical components and communication channels used by SAP ERP Central Component.

●   User Management and Authentication

This section provides an overview of the following user management and authentication aspects:

○   Recommended tools for user management.

○   Required user types for SAP ERP Central Component  

○   Standard users delivered with SAP ERP Central Component  

○   Overview of the user synchronization strategy if several components or products are integrated

○   Overview of integration options in single sign-on environments

●   Authorizations 

This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.

●   Network and Communication Security

This section provides an overview of the communication channels used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.

●   Data Storage Security

This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.

●   Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.

●   Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.

●   Appendix

This section provides references to secondary sources of information.

Before You Start

Fundamental Security Guides

SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.


Important SAP Notes

SAP Note 783758 provides any updates for this guide and adds important information.

SAP Note 853497 contains information about saving temporary files when using Adobe® Acrobat® Reader in SAP applications.

SAP Note 138498 contains information on single sign-on solutions.

SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.

For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.

Additional Information

For more information about specific topics, see the sources in the table below.

Quick links to additional information

Contents | SAP Service Marketplace
Security | service.sap.com/security
SAP NetWeaver Security Guide | service.sap.com/securityguide
SAP NetWeaver documentation | help.sap.com → SAP NetWeaver
SAP NetWeaver installation guide | service.sap.com → SAP Support Portal → Downloads → SAP Installations & Upgrades → Installation and Upgrade Guides → SAP NetWeaver
Related SAP notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager

Technical System Landscape

For information about the technical system landscape, see the sources listed in the table below.

More Information about the Technical System Landscape

Subject | Guide/Tool | SAP Service Marketplace
Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides → Downloads → SAP Installations & Upgrades → Installation and Upgrade Guides → SAP Business Suite Applications → SAP ERP
Technical configuration, wide availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security


User Management and Authentication

SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.

In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:

●   User Management [Seite 13]
    This section details the user management tools, the required user types, and the standard users supplied by SAP.

●   Synchronization of User Data [Seite 16]
    The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.

●   Integration in Single Sign-On Environments [Seite 16]
    This section describes how SAP ERP Central Component supports single sign-on mechanisms.

User Administration

Use

SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms apply for SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.

User Administration Tools

The following table shows the user management tools for SAP ERP Central Component.

User Management Tools

Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information on the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Role maintenance with the profile generator for ABAP-based systems (PFCG) | For more information on the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems |
User Management Engine (UME) | Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as ABAP Engine.

For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 2004s Security Guides (Online Version) → User Administration and Authentication.

User Types 

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

User types required for SAP ERP Central Component include, for example:

●   Individual users:

    ○   Dialog users
        Dialog users are used for SAP GUI for Windows.

    ○   Internet users for Web applications
        Same policies apply as for dialog users, but used for Internet connections.

●   Technical users:

    ○   Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).

    ○   Communication users are used for dialog-free communication between systems.

    ○   Background users can be used for processing in the background.

For additional information about user types, see User Types in the Security Guide for SAP NetWeaver.
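The distinction between individual and technical users determines which password policy applies to an account. The following Python script is an added illustration and is not part of this guide or of SAP's software: it applies a password-age rule only to the interactive user types (dialog and Internet users) and exempts the technical types, over a constructed list of user records. The 90-day limit, the reference date and the user records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# User types as the guide describes them: individual users work interactively,
# technical users run jobs, serve anonymous access or connect systems without dialog.
INTERACTIVE_TYPES = {"DIALOG", "INTERNET"}
TECHNICAL_TYPES = {"SERVICE", "COMMUNICATION", "BACKGROUND"}


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    user_type: str
    last_password_change: Optional[date]  # None: no password change ever recorded


def is_interactive(user_type: str) -> bool:
    """True for user types a person logs on with, which the example policy makes rotate passwords."""
    if user_type not in INTERACTIVE_TYPES | TECHNICAL_TYPES:
        raise ValueError("unknown user type: " + user_type)
    return user_type in INTERACTIVE_TYPES


def audit_password_age(users: List[UserRecord], today: date,
                       max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for interactive users whose password is
    older than max_age_days or was never changed. Technical users are exempt,
    matching the example policy in the guide (rotation applies to people, not jobs)."""
    findings = []
    for user in users:
        if not is_interactive(user.user_type):
            continue
        if user.last_password_change is None:
            findings.append((user.user_id, "no password change recorded"))
            continue
        age = (today - user.last_password_change).days
        if age > max_age_days:
            findings.append((user.user_id, f"password is {age} days old, limit is {max_age_days}"))
    return findings


# Constructed sample records (assumed data, not taken from any real system).
SAMPLE_USERS = [
    UserRecord("JSMITH", "DIALOG", date(2008, 1, 15)),
    UserRecord("WEBUSER1", "INTERNET", date(2008, 5, 20)),
    UserRecord("ALEREMOTE", "COMMUNICATION", date(2007, 1, 1)),
    UserRecord("BATCHJOB", "BACKGROUND", None),
    UserRecord("ITSANON", "SERVICE", date(2007, 6, 1)),
    UserRecord("NEWHIRE", "DIALOG", None),
]
REFERENCE_DATE = date(2008, 6, 1)  # assumed "today" for the sample audit


def run_sample_audit() -> List[Tuple[str, str]]:
    """Audit the constructed sample with the default 90-day limit."""
    return audit_password_age(SAMPLE_USERS, REFERENCE_DATE)


if __name__ == "__main__":
    for user_id, finding in run_sample_audit():
        print(f"{user_id}: {finding}")
```

Only JSMITH and NEWHIRE are reported: the communication, background and service users keep old or unset passwords without a finding because a rotation rule for them would only force credentials to be re-entered into job definitions and destinations, which is the reason the guide separates the two policies.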

Standard Users 

The following table shows the standard users that are required to operate SAP ERP Central Component.

Standard Users

System: SAP NetWeaver Application Server
User ID: <sapsid>adm
Type: SAP system administrator
Password: Mandatory
Description: SAP NetWeaver installation guide

System: SAP NetWeaver Application Server
User ID: SAPService<sapsid>
Type: SAP system service administrator
Password: Mandatory
Description: SAP NetWeaver installation guide

System: SAP NetWeaver Application Server
User ID: SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Type: See SAP NetWeaver Security Guide
Password: See SAP NetWeaver Security Guide
Description: help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protecting Standard Users

System: SAP NetWeaver Application Server
User ID: SAP Standard SAP NetWeaver Application Server Java Users
Type: See SAP NetWeaver Security Guide
Password: See SAP NetWeaver Security Guide
Description: help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → User Administration and Authentication → User Management → User Administration and Standard Users. These users are used in applications that use Web Dynpro.

System: SAP ECC
User ID: SAP Users
Type: Dialog users
Password: Mandatory
Description: The number of users depends on the area of operation and the business data to be processed.

For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → ERP → Release xx/Language → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.

For information about user types, see SAP Service Marketplace at service.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.

The users specified are delivered with SAP ERP Central Component.


User Data Synchronization

Use

By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see the Security Guide for SAP NetWeaver in SAP Service Marketplace at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.

You can use user data distributed across systems by replicating the data in a central directory, for example.

Integration in Single Sign-On Environments

Use

SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP Technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.

The supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see SAP Service Marketplace at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Network and Communication Security → Transport Layer Security → Secure Network Communications (SNC).

SAP Logon Tickets

SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.

For more information, see SAP Logon Tickets in the Security Guide for SAP NetWeaver Application Server.

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer Protocol (SSL protocol). No passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the Security Guide for SAP NetWeaver Application Server.


Authorizations

Use

SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of User Management Engine (UME). You can define user-specific menus using roles.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.

For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.

For information on roles and authorizations in Travel Management (FI-TV), see the section Accounting under Financial Accounting.

Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements.

For more information about the authorization concept at SAP, see:

■   SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → AS ABAP Authorization Concept.

■   SAP Help Portal at help.sap.com → SAP NetWeaver → Release/Language → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management.

Authorizations for Customizing Settings

You can use Customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information about creating roles, see SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → SAP Authorization Concept → Organizing Authorization Administration → Organization if You are Using the Profile Generator or Organization Without the Profile Generator.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:

●   Communication Channel Security [Seite 19]
    This section contains a description of the communication channels and protocols that are used by subcomponents of SAP ERP Central Component.

●   Network Security [Seite 19]
    This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.

●   Communication Destinations [Seite 20]
    This section describes the data needed for the various communication channels, for example, which users are used for which communications.

For more information, see the following sections of the Security Guide for SAP NetWeaver in SAP Help Portal at help.sap.com → SAP ERP → Release xx/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Security Guides for Connectivity and Interoperability Technologies.


Communication Channel Security

Use

Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.

The table below shows the communication channels used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.

Communication Channels

Communication Channel | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to third-party application | HTTP(S) | Application data | Passwords, business data, for example

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the security guide for SAP NetWeaver in SAP Help Portal at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → SAP NetWeaver Security Guide → Network and Communication Security → Transport Layer Security.

For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:

●   SAP Supply Chain Management → SAP Supply Chain Management Security Guide Release SCM xx → Authorizations / Communication Channel Security / Communication Destinations

●   SAP Business Information Warehouse Security Guides → SAP Business Information Warehouse Security Guide Release NW xx → Communication Security → Communication Destinations

Network Security

Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide at help.sap.com → SAP ERP → Release/Language → SAP NetWeaver Library → Administrator's Guide → SAP NetWeaver Security Guide → Network and Communication Security: Network Services. This contains information about the services and ports used by SAP NetWeaver.

●   Using Firewall Systems for Access Control
    Here you can find information about firewall settings.

●   Using Multiple Network Zones
    Here you can find information about which parts of your application should be set up in which network segments.


If you provide services in the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.

Communication Destinations

Use

The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore follow the security rules below when communicating between ERP systems:

●   Employ the user types system and communication.

●   Grant a user only the minimum authorizations.

●   Choose a secure password and do not divulge it to anyone else.

●   Only store user-specific logon data for users of type system and communication.

●   Wherever possible, use trusted system functions instead of user-specific logon data.

For more information, see the application-specific part of this guide.
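The rules above can be checked mechanically against an inventory of communication destinations. The Python script below is an added example and is not part of this guide or of SAP's tooling: it models each destination as a constructed record carrying the target user's type, whether logon data is stored in the destination, whether a trusted-system relationship exists, and the profiles assigned to the user, and reports which of the guide's rules a destination breaks. The destination records, the field names, and the profile names treated as overly broad (SAP_ALL and SAP_NEW, assumed here as examples of "everything" profiles) are assumptions made for the example; the rule about choosing a secure password is not checked, because the password itself is not part of such an inventory.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# User types the guide names for system-to-system communication.
COMMUNICATION_USER_TYPES = {"SYSTEM", "COMMUNICATION"}
# Profiles treated as "everything" authorizations (assumed names for the example).
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass(frozen=True)
class Destination:
    name: str
    user_id: str                 # user stored in the destination, "" if none
    user_type: str               # type of that user, "" if none
    stores_logon_data: bool      # user ID and password are saved in the destination
    trusted_system: bool         # a trusted-system relationship to the target exists
    profiles: FrozenSet[str] = frozenset()  # profiles assigned to the stored user


def audit_destination(dest: Destination) -> List[str]:
    """Return the rule violations of one destination (empty list means clean)."""
    findings = []
    if dest.stores_logon_data:
        # Rules 1 and 4: stored logon data only for system or communication users.
        if dest.user_type not in COMMUNICATION_USER_TYPES:
            findings.append(
                f"stores logon data for user {dest.user_id} of type "
                f"{dest.user_type or 'unknown'}; use a system or communication user")
        # Rule 5: a trusted system relationship makes stored logon data unnecessary.
        if dest.trusted_system:
            findings.append("trusted system relationship available; prefer it over stored logon data")
    # Rule 2: minimum authorizations, so a broad profile on the destination user is a finding.
    broad = sorted(dest.profiles & BROAD_PROFILES)
    if broad:
        findings.append(
            f"user {dest.user_id} holds broad profile(s) {', '.join(broad)}; "
            "grant only the minimum authorizations")
    return findings


def audit_destinations(dests: List[Destination]) -> Dict[str, List[str]]:
    """Map each destination name to its findings, omitting clean destinations."""
    report = {}
    for dest in dests:
        findings = audit_destination(dest)
        if findings:
            report[dest.name] = findings
    return report


# Constructed sample inventory (assumed data, not taken from any real system).
SAMPLE_DESTINATIONS = [
    Destination("ECC_TO_BW", "ALEREMOTE", "COMMUNICATION", True, False, frozenset({"Z_ALE_BW"})),
    Destination("ECC_TO_HR", "JSMITH", "DIALOG", True, False, frozenset({"Z_HR_POST"})),
    Destination("ECC_TO_CRM", "SYS_CRM", "SYSTEM", True, True, frozenset({"Z_CRM_RFC"})),
    Destination("ECC_TO_SRM", "RFCUSER", "COMMUNICATION", True, False, frozenset({"SAP_ALL"})),
    Destination("ECC_TO_PORTAL", "", "", False, True),
]

if __name__ == "__main__":
    for name, findings in audit_destinations(SAMPLE_DESTINATIONS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

In the sample, ECC_TO_BW and ECC_TO_PORTAL are clean (a communication user with a narrow profile, and a trusted-system connection without any stored logon data), while the remaining three destinations each break exactly one rule.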

Data Storage Security

Use

For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.

Security for Other Applications

See the corresponding sections in the application-specific part of this guide.

Trace and Log Files

Use

The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide.

If there is no information about trace and log files in the sections for the individual components of SAP ERP Central Component, you can assume that no sensitive data is updated in these files.


Cross-Application Components

Cross-Application Time Sheet (CA-TS)

Authorizations

The Cross-Application Time Sheet uses the authorization provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.

Standard Roles

Role | Description
SAP_EMPLOYEE | Employee Self-Service [Extern]
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator [Extern]
SAP_ISR_RETAIL_STORE | SAP Retail Store User
SAP_PS_CONFIRM | Confirmations
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor [Extern]
SAP_ISR_STORE_PERSONNEL | Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist [Extern]

Standard Authorization Objects

In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.

See also:

Note the special points listed in the following section of the SAP Library: Cross-Application Components → Cross-Application Time Sheet → Assigning Authorizations [Extern].


Communication Destinations

Use

Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.

Communication with Personnel Time Management

To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:

●   If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.

●   If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.

The BAPIs enable you to create, change, or delete Personnel Time Management data.

These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.

Technical Users

You require the following technical users for the communication:

●   To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations. These technical users do not require authorizations specific to the SAP HR solution.

●   For the subsequent background processing job to transfer data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).

To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees’ authorizations on the authorizations for the CAT2 transaction.

Posting Data to Other Target Applications

There are no special communication destinations for posting data to the other target applications.

See also:

For more information, see the SAP Library:

●   For information about transferring time sheet data to the target applications, see: Cross-Application Components → Cross-Application Time Sheet → Transfer of Time Sheet Data to the Target Components [Extern].

●   For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications → ALE / EDI Business Processes [Extern].


Digital Signature

Before You Start

With the digital signature, SAP provides you with a tool for digital signatures in ABAP-based applications. If you integrate the digital signature, you can sign and approve digital data. The Implementation Guide for the digital signature (see the attachment to SAP Note 700495, "Implementation of Digital Signature using the Signature Tool") contains detailed information about implementing the digital signature.

The digital signature is based on the functions of the component Secure Store and Forward (BC-SEC-SSF) from SAP NetWeaver. In the SAP system, the digital signature is realized with the Basis component Secure Store and Forward (SSF). If you use the user signature as signature method, you also need an external security product that you have to connect to your SAP system using SSF.

You should not store the personal security environment (PSE) of the user in the file system. You can use a Smart Card instead, for example. The software PSE does not fulfill the legal requirements of a digital signature.

For more information, see Approval with Digital Signatures [Extern] in the documentation for SAP ERP Central Component under Cross-Application Components → Document Management → Document Information Record.

If there is no further information on specific security aspects in this section, the settings mentioned in the security guide for SAP ERP Central Component and the details in the SAP NetWeaver Application Server ABAP Security Guide [Extern] in the section Secure Store & Forward Mechanisms (SSF) and Digital Signatures always apply for the digital signature.

Additional Information

Scenario, Application or Component | Security Guide | Important Sections
Security | service.sap.com/security
Security Guides, SAP NetWeaver Security Guide | service.sap.com/securityguide
SAP NetWeaver documentation | help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide | service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager

For information about the system landscape and secure operation of SAP ERP Central Component, see mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.


Authorizations 

The digital signature uses the authorization concept provided by SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations as they are described in the security guides for SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java also apply for the digital signature.

In applications that have implemented the digital signature, users require the corresponding authorizations from the Customizing of the respective signature object in order to actually make digital signatures. These cover:

●   The relevant authorization for the object to be signed

●   If you work with signature strategies, you also need the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR Authorization Group for Digital Signature). At least the authorization object C_SIGN must be assigned to the user profile.

For information about the system infrastructure, see the section Digital Signatures and Encryption in the documentation for SAP NetWeaver under SAP NetWeaver by Key Capability → Security.
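The authorization requirements listed above combine into a single yes/no decision per signing attempt. The Python function below is an added example that models that decision; it is not SSF code and not part of this guide. It checks that C_SIGN is assigned, that the authorization for the object being signed is assigned, and, where a signature strategy is customized for the object, that C_SIGN_BGR covers the authorization group of the individual signature being made. The signature objects, the user authorization sets, and the object-specific authorization name Z_DOC_CHANGE are constructed assumptions; the value "*" is used here to stand for a full authorization.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Authorization objects named in the guide.
C_SIGN = "C_SIGN"          # basic authorization to make digital signatures
C_SIGN_BGR = "C_SIGN_BGR"  # authorization group of an individual signature in a strategy


@dataclass(frozen=True)
class SignatureObject:
    name: str
    object_authorization: str              # authorization for the object itself (assumed name)
    strategy_groups: Tuple[str, ...] = ()  # groups of the individual signatures; () = no strategy


# A user's authorizations: authorization object -> permitted values ("*" = all values).
UserAuths = Dict[str, FrozenSet[str]]


def can_sign(auths: UserAuths, obj: SignatureObject,
             group: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Decide whether a user may sign obj, for the given individual signature group
    when obj has a signature strategy. Returns (allowed, reasons for refusal)."""
    reasons = []
    if C_SIGN not in auths:
        reasons.append("C_SIGN is not assigned")
    if obj.object_authorization not in auths:
        reasons.append(f"{obj.object_authorization} for {obj.name} is not assigned")
    if obj.strategy_groups:
        if group is None or group not in obj.strategy_groups:
            reasons.append(f"group {group} is not an individual signature of the strategy for {obj.name}")
        else:
            allowed = auths.get(C_SIGN_BGR, frozenset())
            if group not in allowed and "*" not in allowed:
                reasons.append(f"C_SIGN_BGR does not cover group {group}")
    return (not reasons, reasons)


# Constructed sample data (assumed, not taken from any real system).
SAMPLE_OBJECTS = {
    # Release requires two individual signatures, engineering then quality assurance.
    "DOC_RELEASE": SignatureObject("DOC_RELEASE", "Z_DOC_CHANGE", ("ENG", "QA")),
    # A plain signed note has no strategy, so only C_SIGN and the object authorization count.
    "DOC_NOTE": SignatureObject("DOC_NOTE", "Z_DOC_CHANGE"),
}
SAMPLE_AUTHS: Dict[str, UserAuths] = {
    "ENGINEER": {C_SIGN: frozenset({"X"}), "Z_DOC_CHANGE": frozenset({"*"}), C_SIGN_BGR: frozenset({"ENG"})},
    "MANAGER": {C_SIGN: frozenset({"X"}), "Z_DOC_CHANGE": frozenset({"*"}), C_SIGN_BGR: frozenset({"QA"})},
    "CLERK": {"Z_DOC_CHANGE": frozenset({"*"})},
}

if __name__ == "__main__":
    for user, obj, group in [("ENGINEER", "DOC_RELEASE", "ENG"), ("MANAGER", "DOC_RELEASE", "ENG"),
                             ("CLERK", "DOC_NOTE", None)]:
        allowed, why = can_sign(SAMPLE_AUTHS[user], SAMPLE_OBJECTS[obj], group)
        print(f"{user} signing {obj} as {group}: {'allowed' if allowed else 'refused: ' + '; '.join(why)}")
```

The manager in the sample holds C_SIGN and the object authorization but is still refused the engineering signature, because the strategy ties each individual signature to its own authorization group; the clerk is refused everything for lack of C_SIGN, which the guide names as the minimum that must be in the user profile.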

Self-Services

Before You Start

This section of the Security Guide provides you with information about the following self-service components:

●   Employee Self-Service (ESS) 

●   Manager Self-Service (MSS) 

●   Business Unit Analyst (BUA) 

●   Project Self-Services (PSS) 

●   E-Recruiting (ECR) 

●   HR Administrative Services (ASR) 

●   Higher Education and Research (IS-HER-CSS) 

●   General Parts (PCUI_GP) 

If not stated otherwise, the security settings for user management and authorizations apply to all components.


If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [Seite 1] also apply to the self-service components.

For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.

Fundamental Security Guides

Scenario, Application or Component | Security Guide | Important Sections
SAP NetWeaver Application Server ABAP | SAP Authorization Concept [Extern]
SAP NetWeaver Application Server JAVA | User Administration and Authentication [Extern]; Authorizations [Extern]
SAP ECC Industry Extension HE&R | SAP ECC Industry Extension HE&R: Security Guide [Extern]

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at securityguide.

Important SAP Notes

The following table presents the most important SAP Notes regarding security for the Self-Service applications:

Important SAP Notes

SAP Note Number | Title | Comment
857431 | ESS: Authorizations and Roles for WD Services in ERP 2005 | This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).
844639 | MSS: Authorizations and Roles for ERP 2005 | This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).
846439 | PSS: Authorizations and Roles for Web Dynpro | This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).

User Management

Use

User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply for Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.

User Management Tools

The following table presents the tools used for managing users in Self-Service applications:

User Management Tools

Tool | Detailed Description | Prerequisites

User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users. |

For more information, see the Users and Roles [Extern] section in SAP Library for SAP NetWeaver (see also help.sap.com → Documentation → SAP NetWeaver).

User Types

For more information about user types [Extern], see the SAP NetWeaver Application Server Security Guide ABAP.

SAP recommends you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access.

Standard Users

Different standard users exist for the individual Self-Service components.

Components | Standard Users

●   Employee Self-Service, Manager Self-Service, Project Self-Service, Business Unit Analyst
    No standard users exist in the standard SAP system for these components.

●   E-Recruiting, HR Administrative Services
    For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.

●   Higher Education and Research
    For information about the standard users for this component, see the security guide for this component.

Authorizations

Use

The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [Seite 29].

The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.

Standard Roles

Employee Self-Service

The following table presents the standard roles used in Employee Self-Service applications:

Standard Roles for Employee Self-Service (ESS):

Role Description

SAP_ESSUSER_ERP05 Single role that comprises all non country-specific functions.

SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.

In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.

The composite role is assigned to the individual employee.


Manager Self-Service, Business Unit Analyst, and Project Self-Services

There are no standard roles for these components.

E-Recruiting and HR Administrative Services

For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard roles for this component, see the Security Guide for this component.

Standard Authorization Objects

The following table presents the general authorization objects relevant for security thatare used by the Self-Service applications.

Standard Authorization Objects for Self-Service Applications:

Authorization Object Field Value Description

S_RFC RFC_NAME Depends on service Saves data from RFC access to Web Dynpro frontend to the backend system.

S_SERVICE SRV_NAME * Additional object for Web Dynpro applications. Check that is run when external services are started.

This authorization object is needed when an employee, project lead or manager wants to start self-service applications.

When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE-SRV_NAME = <vendor>/<dc>/<Application>, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
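As an added illustration of the S_SERVICE and S_RFC values just described (example code, not part of the SAP guide and not SAP-delivered), the Python script below reviews role authorization data for the two start checks. The records are constructed and modeled on the columns of a role authorization export (role name, authorization object, field, value); role names with the Z_ prefix and the RFC name Z_ESS_FUGR are placeholders. The script flags the wildcard that permits starting all applications and lists the concrete <vendor>/<dc>/<Application> values a role carries.

```python
"""Review PFCG role authorization values for the Web Dynpro start checks.

Added example, not code from the SAP guide. The records below are constructed
and modeled on the columns of a role authorization export (role name,
authorization object, field, value). Role names with the Z_ prefix and the
RFC name Z_ESS_FUGR are placeholders, not SAP-delivered objects.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuthRecord:
    role: str   # PFCG role name
    obj: str    # authorization object, e.g. S_SERVICE or S_RFC
    field: str  # authorization field, e.g. SRV_NAME or RFC_NAME
    low: str    # field value as maintained in the role


# Object/field pairs that decide which external services and RFC function
# groups a self-service user may start; a "*" here grants all of them.
WATCHED_FIELDS = {("S_SERVICE", "SRV_NAME"), ("S_RFC", "RFC_NAME")}

# Constructed sample data. SRV_TYPE is the second field of S_SERVICE and
# WEBDYNPRO is the external service type selected in PFCG.
SAMPLE_RECORDS: List[AuthRecord] = [
    AuthRecord("Z_ESS_ALL", "S_SERVICE", "SRV_TYPE", "WEBDYNPRO"),
    AuthRecord("Z_ESS_ALL", "S_SERVICE", "SRV_NAME", "*"),
    AuthRecord("Z_ESS_ALL", "S_RFC", "RFC_NAME", "*"),
    AuthRecord("Z_ESS_ATTENDANCE", "S_SERVICE", "SRV_TYPE", "WEBDYNPRO"),
    AuthRecord("Z_ESS_ATTENDANCE", "S_SERVICE", "SRV_NAME",
               "sap.com/pcui_gp~xssexamples/AttendanceExample"),
    AuthRecord("Z_ESS_ATTENDANCE", "S_RFC", "RFC_NAME", "Z_ESS_FUGR"),
]


def classify_value(value: str) -> str:
    """'all' for the full wildcard, 'pattern' for a partial wildcard
    (e.g. 'HR*'), 'single' for one concrete value."""
    v = value.strip()
    if v == "*":
        return "all"
    if "*" in v:
        return "pattern"
    return "single"


def parse_service_name(value: str) -> Optional[Tuple[str, str, str]]:
    """Split a concrete S_SERVICE SRV_NAME value written as
    <vendor>/<dc>/<Application> into its three parts. Returns None for
    wildcards and for values that do not follow that syntax."""
    if classify_value(value) != "single":
        return None
    parts = value.strip().split("/")
    if len(parts) != 3 or not all(parts):
        return None
    vendor, dc, application = parts
    return vendor, dc, application


def find_wildcard_grants(
    records: Iterable[AuthRecord],
) -> Dict[str, List[Tuple[str, str, str]]]:
    """Roles whose S_SERVICE/SRV_NAME or S_RFC/RFC_NAME value is not one
    concrete value, with the offending (object, field, value) triples."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for r in records:
        if (r.obj, r.field) in WATCHED_FIELDS and classify_value(r.low) != "single":
            findings.setdefault(r.role, []).append((r.obj, r.field, r.low))
    return findings


def services_started_by_role(records: Iterable[AuthRecord]) -> Dict[str, Set[str]]:
    """For every role that carries S_SERVICE/SRV_NAME, the set of concrete
    Web Dynpro services it may start. The set stays empty when only
    wildcards are maintained, because those cannot be enumerated from the role."""
    services: Dict[str, Set[str]] = {}
    for r in records:
        if r.obj == "S_SERVICE" and r.field == "SRV_NAME":
            services.setdefault(r.role, set())
            if parse_service_name(r.low) is not None:
                services[r.role].add(r.low.strip())
    return services


def report(records: Iterable[AuthRecord]) -> List[str]:
    """Human-readable review lines: one per wildcard finding, then one per
    role that names concrete services."""
    records = list(records)
    lines: List[str] = []
    for role, triples in sorted(find_wildcard_grants(records).items()):
        for obj, field, value in triples:
            lines.append(f"{role}: {obj} {field} = {value!r} grants more than one service (review)")
    for role, names in sorted(services_started_by_role(records).items()):
        if names:
            lines.append(f"{role}: may start {', '.join(sorted(names))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RECORDS)))
```

Run against an export of the productive role data, the wildcard findings are the roles to review first: a * in SRV_NAME lets the holder start every Web Dynpro application, whereas a concrete value restricts the role to the named application, which is the least-privilege setting the guide describes.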

E-Recruiting and HR Administrative Services

For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard authorization objects for this component, see the Security Guide for this component.

Internal Service Request and Personnel Change Requests

For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.


Editing Roles and Authorizations for Web Dynpro Services

Use

Use this procedure to edit roles and the related Web Dynpro services and authorizations.

Procedure

1. Create a role in transaction PFCG or select the standard role that exists for the component. Choose Create Role or copy the existing standard role.

2. Assign the required services to the role.

a. Choose the Menu tab page and then Default Authorization. 

The Service dialog box appears.

b. Set the External Service indicator.

c. Select WEBDYNPRO as the type of external service.

d. In the Service field, select the Web Dynpro service you require.

e. Choose Save .

The authorization objects and default values maintained for the service are displayed in the menu tree.

In the same way, select all Web Dynpro services you want to use.

3. Assign the required authorizations.

Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.

For more information about how to maintain roles, see Role Maintenance [Extern] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).

Authorizations for Controlling Services (MSS, BUA)

The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).

Standard Authorization Objects for Controlling Services:

Authorization Object Description

K_CCA General authorization object for Cost Center Accounting. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_ORDER General authorization object for internal orders. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_PCA Area responsible, Profit Center. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_CSKS_PLA Cost element planning. Is checked in the relevant Express Planning services.

K_FPB_EXP Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.

For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.

Authorizations for BW iViews (MSS)

In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [Extern] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).

In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [Extern] (0PA_DS02) and Structural Authorizations - Hierarchy [Extern] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management → ODS Objects.

You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).

Communication Destinations

To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [Extern].


Enterprise Services

Before You Start

Underlying Security Guides

As SAP ERP ES is provided as an add-on to SAP ERP, the security guidelines applicable to SAP ERP also apply to SAP ERP ES.

For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer's Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.

For more information about Enterprise Services and security, see the mySAP Business Suite: Service Provisioning documentation at service.sap.com/swdc → Download → Installations and Upgrades → Entry by Application Group → SAP Application Components → SAP ERP ES → SAP ERP ES <nn> → Installation → ESA ECC-SE <nn> Add-on Documentation → 00_mySAPServiceProvisioning.pdf → 2.6 Security.

For more information about the security of the exchange infrastructure, see the SAP NetWeaver security guide at service.sap.com/securityguide → SAP Process Integration Security Guides → SAP NetWeaver Process Integration Security Guide.

Important SAP Notes

For more information about security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.

Authorizations

Use

Accessing SAP functions via Web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a Web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.

SAP ERP ES uses the standard authorization objects that are available for mySAP ERP, including authorization default values for Web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume Web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).

For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer's Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security → Authorization.


Network and Communication Security

For more information about network security for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer's Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.


Accounting

Financial Accounting

Network and Communication Security

Communication with external systems takes place using the standard channels provided by SAP basis technology:

●   Application Link Enabling (ALE)

●   Standard interfaces to BI, CRM, and SRM systems

●  Batch Input [Extern] 

●   Remote Function Call [Extern] (RFC)

●   Business Application Programming Interface (BAPI)

●   IDOC [Extern] 

●   SAP Exchange Infrastructure (XI)

●   E-mail, fax

●   Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations.

●   Electronic advance return for tax on sales/purchases:

○   There is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.

○   You can digitally sign the electronic advance return for tax on sales/purchases.

●   Payments and payment advice notes are dispatched using IDoc, and dunning notices are sent by e-mail or fax.

Communication Destinations 

All the technical users generally available can be used.

For payment requests from other components, see SAP Note 303205.

Data Storage Security 

Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.

Important SAP Notes 

See SAP Notes 303205 and 497712.


Authorizations in Financial Accounting

Authorization Objects in Financial Accounting  

Object Name

FAGL_INST Customer Enhancements for General Ledger

F_ACE_DST Accrual Engine: Accrual Objects

F_ACE_PST Accrual Engine: Accrual/Deferral Postings

F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts

F_BKPF_BLA Accounting Document: Authorization for Document Types

F_BKPF_BUK Accounting Document: Authorization for Company Codes

F_BKPF_BUP Accounting Document: Authorization for Posting Periods

F_BKPF_GSB Accounting Document: Authorization for Business Areas

F_BKPF_KOA Accounting Document: Authorization for Account Types

F_BKPF_VW Accounting Document: Display/Change Default Values Document Type/Posting Key

F_FAGL_LDR General Ledger: Authorization for Ledger

F_FAGL_SEG General Ledger: Authorization for Segment

K_TP_VALU General Ledger: Authorization for Transfer Price Valuation

F_FAGL_SKF General Ledger: Authorization for Transaction with Statistical Key Figures

F_IT_ALV Line Item Display: Change and Save Layouts

F_KMT_MGMT Account Assignment Model: Authorization for Maintenance and Use

F_SKA1_AEN G/L Account: Change Authorization for Certain Fields

F_SKA1_BES G/L Account: Account Authorization

F_SKA1_BUK G/L Account: Authorization for Company Codes

F_SKA1_KTP G/L Account: Authorization for Charts of Accounts

F_T011 Balance Sheet: General Maintenance Authorization

F_T011E Authorization for Financial Calendar

F_T011_BUK Planning: Authorization for Company Codes

F_T060_ACT Information System: Account Type/Activity for Evaluation View


F_AVIK_AVA Payment Advice Note: Authorization for Payment Advice Note Types

F_AVIK_BUK Payment Advice Note: Authorization for Company Codes

F_BKPF_BED Accounting Document: Account Authorization for Customers

F_BKPF_BEK Accounting Document: Account Authorization for Vendors

F_BL_BANK Authorization for House Banks and Payment Methods

F_BNKA_BUK Banks: Authorization for Company Codes

F_FBCJ Cash Journal: General Authorization

F_FEBB_BUK Bank Account Statement Company Code

F_FEBC_BUK Check Deposit/Lockbox Company Code

F_KNA1_AEN Customer: Change Authorization for Certain Fields

F_KNA1_APP Customer: Application Authorization

F_KNA1_BED Customer: Accounts Authorization

F_KNA1_BUK Customer: Authorization for Company Codes

F_KNA1_GEN Customer: Central Data

F_KNA1_GRP Customer: Accounts Group Authorization

F_KNA1_KGD Customer: Change Authorization for Accounts Groups

F_KNB1_ANA Customer: Authorization for Account Analysis

F_KNKA_AEN Credit Management: Change Authorization for Certain Fields

F_KNKA_KKB Credit Management: Authorization for Credit Control Area

F_BNKA_MAN Banks: General Maintenance Authorization

F_KNKK_BED Credit Management: Accounts Authorization

F_LFA1_AEN Vendor: Change Authorization for Certain Fields

F_LFA1_APP Vendor: Application Authorization

F_LFA1_BEK Vendor: Accounts Authorization

F_LFA1_BUK Vendor: Authorization for Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Accounts Group Authorization

F_MAHN_BUK Automatic Dunning: Authorization for Company Codes. The documentation for this refers to transaction F150.

F_MAHN_KOA Automatic Dunning: Authorization for Account Types


F_PAYRQ Authorization Object for Payment Requests

F_PAYR_BUK Check Management: Action Authorization for Company Codes

F_REGU_BUK Automatic Payment: Action Authorization for Company Codes. Refers to transaction F110.

F_REGU_KOA Automatic Payment: Action Authorization for Account Types

F_RPCODE Repetitive Code

F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages

F_T042_BUK Customizing Payment Program: Authorization for Company Codes

S_BTCH_JOB Background Processing: Operations on Background Jobs. Users you would like to authorize to start background processing must have authorization for activity RELE.

P_ABAP HR Reporting. Protects payments from the payroll. See also SAP Note 303205, which describes an enhancement of the checks made using a function module.

F_WEB_EBPP Participation in EBPP Process via a Web Interface

General Ledger Accounting (FI-GL)

Standard Roles in General Ledger Accounting

Role Name

SAP_AUDITOR_BA_FI_GL AIS - General Ledger (GLT0)

SAP_FI_GL_ACCOUNT_CHANGE_REQUE General Ledger Account/Change Request

SAP_FI_GL_ACCT_MASTER_DATA General Ledger Master Data Maintenance

SAP_FI_GL_BALANCE_CARRYFORWARD Balance Carryforward

SAP_FI_GL_CHANGE_PARKED_DOCUM Change Parked General Ledger Documents

SAP_FI_GL_CLEAR_OPEN_ITEMS Clear Open General Ledger Items

SAP_FI_GL_CONS_PREPARATIONS Preparation for Consolidation

SAP_FI_GL_CURRENCY_VALUATION General Ledger Account Foreign Currency Valuation

SAP_FI_GL_DISPLAY_ACCT_BALANCE Display General Ledger Account Balances and Items

SAP_FI_GL_DISPLAY_DOCUMENTS Display General Ledger Documents


SAP_FI_GL_DISPLAY_MASTER_DATA Display General Ledger Master Data

SAP_FI_GL_DISPLAY_PARKED_DOCUM Display Parked Documents

SAP_FI_GL_EXCHANGE_RATE_TABLE Maintain Currency Exchange Rates

SAP_FI_GL_FIN_STATEMENT_REPORT Financial Statement Reports

SAP_FI_GL_INTEREST_CALCULATION Interest Calculation for G/L Accounts

SAP_FI_GL_INTEREST_RATE_TABLES Maintain Interest Rates

SAP_FI_GL_KEY_REPORTS Key Reports: General Ledger Accounting

SAP_FI_GL_PARK_DOCUMENT Park General Ledger Documents

SAP_FI_GL_PERIOD_END_CLOSING Closing Procedures in General Ledger Accounting

SAP_FI_GL_PERIODIC_ENTRIES Enter Recurring General Ledger Postings

SAP_FI_GL_POST_ENTRY Make General Ledger Postings

SAP_FI_GL_POST_PARKED_DOCUMENT Post Parked Document

SAP_FI_GL_RECURRING_DOCUMENTS Process Recurring Documents

SAP_FI_GL_REVERSE-CHANGE Reverse/Change General Ledger Documents

SAP_FI_GL_SAMPLE_ACCT_MASTER_D Sample Accounts

SAP_FI_GL_SAMPLE_DOCUMENTS Edit Sample Documents

Closing Cockpit

Authorizations

Authorization Objects of Closing Cockpit  

Authorization Object Description

B_SMAN_WPL Schedule Manager: Authorizations for Task Lists

S_TCODE Transaction Code Check for Transaction Start

F_CLOCO Authorizations for Closing Cockpit

S_BTCH_EXT External Scheduler (SAP Central Process Scheduling)

You need the S_BTCH_EXT authorization object only if you connect Closing Cockpit to SAP Central Process Scheduling by Redwood (CPS). SAP CPS is not a part of SAP ERP. For more information about SAP CPS, see the SAP Service Marketplace at service.sap.com/process-scheduling.

Standard Roles of Closing Cockpit  

Role Name

SAP_AIO_AP_CLERK-K AP Supervisor

SAP_AIO_AR_CLERK-K AR Supervisor


SAP_AIO_COSTACC-K Central Cost Accountant

SAP_AIO_FINACC-K Account Manager

SAP_AIO_FINACC-S Assets Accountant

SAP_EP_RW_FDMN AC - FI - Customers

SAP_EP_RW_FKMN AC - FI - Vendors

SAP_EP_RW_FSMN_4 AC - General Ledger - Closing

SAP_EP_RW_FSMN_NEW4 AC - General Ledger (New) - Closing

Roles in Closing Cockpit for the Connection to SAP Central Process Scheduling

Role Description

SAP_BC_BATCH_ADMIN_REDWOOD Redwood Scheduler: Add-on for Batch Administrators

SAP_BC_REDWOOD_COMMUNICATION Role for Redwood Job Scheduling, Communications Users

SAP_BC_REDWOOD_COMM_EXT_SDL Additional Role for Redwood Communications Users

You need these roles only if you connect Closing Cockpit to SAP Central Process Scheduling by Redwood (CPS).

Network and Communication Security

If you want to connect Closing Cockpit to SAP Central Process Scheduling (CPS), see also the security notes related to SAP CPS. For more information, see the SAP Service Marketplace at service.sap.com/process-scheduling. From there you can go to the SAP CPS Administration Guide on SAP Developer Network (SDN).

Important SAP Notes

The following table lists the most important SAP Notes that apply to Closing Cockpit security.

SAP Note | Title | Comment

1057015 | CLOCO: Authorization is not checked

1050929 | CLOCOC: Authorization check for status change

1099023 | CLOCO - authorization check for executing transactions

1112590 | Authorization object of application interface for SAP CPS | Relevant only if connecting to SAP CPS

1106488 | Cronacle 8: SAP process server does not start | Relevant only if connecting to SAP CPS

998833 | Release Restrictions SAP ERP 6.0 - Enhancement Packages | Relevant only if connecting to SAP CPS


Accounts Payable Accounting (FI-AP)

Standard Roles in Accounts Payable Accounting  

Role Name

SAP_FI_AP_BALANCE_CARRYFORWARD Vendor Balance Carryforward

SAP_FI_AP_CHANGE-REVERSE_INV Change/Reverse Vendor Invoices

SAP_FI_AP_CHANGE_LINE_ITEMS Change Vendor Line Items

SAP_FI_AP_CHANGE_PARKED_DOCUM Change Parked Vendor Documents

SAP_FI_AP_CHECK_MAINTENANCE Check Processing

SAP_FI_AP_CLEAR_OPEN_ITEMS Clear Vendor Line Items

SAP_FI_AP_CORRESPONDENCE Correspondence – Vendors

SAP_FI_AP_DISPLAY_BALANCES Display Vendor Balances and Items

SAP_FI_AP_DISPLAY_CHECKS Display Checks

SAP_FI_AP_DISPLAY_DOCUMENTS Display Vendor Documents

SAP_FI_AP_DISPLAY_MASTER_DATA Display Vendor Master Data

SAP_FI_AP_DISPLAY_PARKED_DOCUM Display Parked Vendor Documents

SAP_FI_AP_INTEREST_CALCULATION Vendor Interest Calculation

SAP_FI_AP_INTERNET_FUNCTIONS Internet Functions in Accounts Payable Accounting

SAP_FI_AP_INVOICE_PROCESSING Entry of Vendor Invoices

SAP_FI_AP_KEY_REPORTS Important Reports from Accounts Payable Accounting

SAP_FI_AP_MANUAL_PAYMENT Manual Payment

SAP_FI_AP_PARK_DOCUMENT Park Vendor Documents

SAP_FI_AP_PAYMENT_BILL_OF_EXCH Payment Transaction with Bill of Exchange

SAP_FI_AP_PAYMENT_CHECKS Payment Program with Check Processing

SAP_FI_AP_PAYMENT_PARAMETERS Display of Payment Run Parameters

SAP_FI_AP_PAYMENT_PROPOSAL Create and Process Proposal for a Payment Run

SAP_FI_AP_PAYMENT_RUN Payment Run Update Run without Printing Payment Medium

SAP_FI_AP_PCARD Payment Card (Procurement Card)

SAP_FI_AP_PERIOD_END_ACTIVITY Accounts Payable Accounting Period Closing

SAP_FI_AP_POST_PARKED_DOCUM Post Parked Vendor Document

SAP_FI_AP_RECURRING_DOCUMENTS Vendor Recurring Entry Documents

SAP_FI_AP_SAMPLE_DOCUMENTS Edit Sample Documents: Accounts Payable Accounting

SAP_FI_AP_VENDOR_MASTER_DATA Vendor Master Data Maintenance

SAP_FI_AP_WITHHOLDING_TAX Withholding Tax Processing 


Accounts Receivable Accounting (FI-AR)

Authorizations

Standard Roles in Accounts Receivable Accounting  

Role Name

SAP_FI_AR_BALANCE_CARRYFORWARD Customer Balance Carryforward

SAP_FI_AR_BILL_OF_EXCHANGE Process Bill of Exchange

SAP_FI_AR_CHANGE-REVERSE Change/Reverse Customer Postings

SAP_FI_AR_CHANGE_LINE_ITEMS Change Customer Items

SAP_FI_AR_CHANGE_PARKED_DOCUM Change Parked Document

SAP_FI_AR_CLEAR_OPEN_ITEMS Clear Customer Items

SAP_FI_AR_CREDIT_MASTER_DATA Credit Management Master Data

SAP_FI_AR_CUST_DOWN_PAYMENTS Processing of Customer Payments

SAP_FI_AR_DISPLAY_CREDIT_INFO Display Credit Data

SAP_FI_AR_DISPLAY_CUST_INFO Display Customer Information

SAP_FI_AR_DISPLAY_DOCUMENTS Display Customer Documents

SAP_FI_AR_DISPLAY_MASTER_DATA Display Customer Master Data

SAP_FI_AR_DISPLAY_PARKED_DOCUM Display Parked Customer Document

SAP_FI_AR_DUNNING_PROGRAM Dunning Program

SAP_FI_AR_INTEREST_CALCULATION Customer Interest calculation

SAP_FI_AR_INTERNET_FUNCTIONS Internet Functions for Accounts Receivable Accounting

SAP_FI_AR_KEY_REPORTS Important Reports for Accounts Receivable Accounting

SAP_FI_AR_MASTER_DATA Customer Master Data Maintenance

SAP_FI_AR_PARK_DOCUMENT Park Customer Documents

SAP_FI_AR_PAYMENT_CARD_PROCESS Payment Card Processing

SAP_FI_AR_PERIOD_END_PROCESS Closing Operations: Accounts Receivable Accounting

SAP_FI_AR_POST_ENTRIES Post Customer Invoices and Credit Memos

SAP_FI_AR_POST_MANUAL_PAYMENTS Post Incoming Payments Manually

SAP_FI_AR_POST_PARKED_DOCUMENT Post Parked Customer Document

SAP_FI_AR_PRINT_CORRESPONDENCE Correspondence with Customers

SAP_FI_AR_RECURRING_DOCUMENTS Customer Recurring Entry Documents

SAP_FI_AR_SAMPLE_DOCUMENTS Customer Sample Documents

SAP_FI_AR_VALUATION Valuation of Customer Items

 


Data Storage Security

You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.

Bank Accounting (FI-BL)

Authorizations

Standard Roles in Bank Accounting  

Role Name

SAP_FI_BL_ACCOUNT_REPORTS Financial Status Information

SAP_FI_BL_BANK_MASTERDAT_DISPL Display of Bank Master Data

SAP_FI_BL_BANK_MASTER_DATA Maintenance of Bank Master Data

SAP_FI_BL_BANK_STATEMENT Process Account Statement

SAP_FI_BL_BILL_OF_EX_PRESENT Bill of Exchange Presentation

SAP_FI_BL_BILL_OF_EX_REPORTS Reports on Bill of Exchange Holdings

SAP_FI_BL_CASHED_CHECKS Cashed Checks

SAP_FI_BL_CASH_JOURNAL Cash Journal

SAP_FI_BL_CHECK_DELETE Deletion of Checks

SAP_FI_BL_CHECK_DEPOSIT Check Deposit

SAP_FI_BL_CHECK_MANAGEMENT Check Management

SAP_FI_BL_CHECK_MGMENT_DISPLAY Display of Managed Checks

SAP_FI_BL_INTRADAY_STATEMENT Import Intraday Account Statement Information (USA)

SAP_FI_BL_LOCKBOX Processing the Lockbox - Data

SAP_FI_BL_ONLINE_PAYMENT Make Online Payments

SAP_FI_BL_PAYMENT_TRANSACTIONS Payment Processing

SAP_FI_BL_PAYME_ADVICE_REPORTS Payment Advice Note Reports

SAP_FI_BL_POR_PROCEDURE Incoming Payments via ISR Procedure (Switzerland)

SAP_FI_BL_RETURNED_BILL_OF_EX Returned Bills of Exchange

Data Storage Security

You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.


Asset Accounting (FI-AA)

Authorizations

Standard Roles in Asset Accounting  

Role Name

SAP_AUDITOR_BA_FI_AA AIS Fixed Assets

SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)

SAP_FI_AA_ASSET_ARCHIVING Archiving Activities

SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction

SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting

SAP_FI_AA_ASSET_EXPLORER Asset Explorer

SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System

SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance

SAP_FI_AA_ASSET_REVALUATION Revaluation Activities

SAP_FI_AA_ASSET_TRANSACTIONS Asset Transactions

SAP_FI_AA_CURRENT_SETTINGS Current Settings

SAP_FI_AA_EVERY_MANAGER Activities for Cost Center Manager

SAP_FI_AA_GROUP_ASSET Maintain Group Asset

SAP_FI_AA_KEY_REPORTS Important Reports in Asset Accounting

SAP_FI_AA_PERIODIC_PROCESSING Periodic Processing

SAP_FI_AA_PROBLEM_ANALYSIS Tools for Analyzing Problems

SAP_FI_AA_YEAR_END_CLOSING Year-End Closing

Network and Communication Security

Asset Accounting provides BAPIs for communicating with third-party systems.

Communication Destinations

For workflow tasks, you sometimes need either the WF-BATCH user or a user that you can use for background steps of this kind. To execute the decision steps required before reaching these background steps, you need a user that is explicitly assigned (rather than a user like WF-BATCH).

Important SAP Notes

Number Short Text

38957 Fields are not displayed/ready for input

335170 Authorization check AW01/AW01N

372724 Maintenance of report variants

460548 AW01N: Depreciation areas are not displayed

540785 FAQ note: Reporting of Asset Accounting

141876 Authorization checks in asset reporting

544703 FAQ Mass change/Mass retirement


Travel Management (FI-TV)

Authorizations

Standard Roles in Travel Management  

Role Name

SAP_FI_TV_TRAVELER Traveler

SAP_FI_TV_TRAVEL_ASSISTANT Travel Assistant

SAP_FI_TV_ADMINISTRATOR Travel Administrator

SAP_FI_TV_MANAGER_GENERIC Approving Manager

SAP_FI_TV_ADVANCE_PAYER Trip Advance Payer

SAP_FI_TV_TRAVEL_MANAGER Travel Manager

SAP_FI_TV_WEB_POLICY_ADMIN Travel Policy Administrator

The role enables the user to execute guideline management in SAP NetWeaver Business Client (NWBC).

SAP_FI_TV_WEB_APPROVER Approving Manager

The role enables the user to execute the worklist (POWL) of the Approving Manager and the related applications in NWBC.

The role contains the required authorization profile for the Approving Manager for calling the Web Dynpro ABAP applications in the Enterprise Portal.

SAP_FI_TV_WEB_ASSISTANT Travel Assistant

The role enables the user to execute the worklist (POWL) of the Travel Assistant and the related applications in NWBC.

The role contains the required authorization profile for the Travel Assistant for calling the Web Dynpro ABAP applications in the Enterprise Portal.

SAP_FI_TV_WEB_TRAVELER Traveler

The role enables the user to execute the worklist (POWL) of the Traveler and the related applications in NWBC.

The role contains the required authorization profile for the Traveler for calling the Web Dynpro ABAP applications in the Enterprise Portal.

Authorization Profiles 

SAP supplies travel profile FI-TV (infotype 0470 in Human Resources (HCM)). You can also create the authorization profile based on the organizational affiliation using the characteristic TRVCP.


Authorization Objects 

Travel Management uses authorization object P_TRAVL for all general functions.

Transfer of travel expenses to Accounting is protected by authorization object F_TRAVL.

The status of the travel plan is protected by authorization object F_TRAVL_S.

Network and Communication Security 

In Travel Management you can configure connections to the following Global Distribution Systems (GDS):

●   Amadeus  The Gateway is the responsibility of the partner.

●   Galileo  The Gateway is the responsibility of the partner.

●   Sabre  Communication with the Web service uses HTTPS or a Gateway that is the responsibility of the partner.

Alternatively or in addition, you can configure direct connections to the following travel service providers using SAP Exchange Infrastructure (XI):

●   Flight reservation systems, for example, low cost carrier providers  The communication with the Web services uses HTTPS or HTTP depending on the partner.

●   Hotel reservation systems, for example, HRS  The communication with the Web services uses HTTPS or HTTP depending on the partner.

●   Rail portals, for example Deutsche Bahn (BIBE)  The communication with the Web service uses HTTPS.

In Travel Management you can configure XI connections to credit card companies for credit card clearing. Agree the security of the connection with the respective partner.

For more information, see the SAP Library under Travel Management (FI-TV) → Travel Expenses (FI-TV-COS) → Credit Card Clearing.

Data Storage Security 

Travel Management transmits credit card information to the named partners. It is not possible to access the data in the SAP system.

In Customizing (IMG) for Travel Management, the passwords and credit card information are stored in plaintext. The settings are protected by the standard authorization objects for Customizing.


Authorizations in the Special Purpose Ledger (FI-SL)

Standard Roles in Special Purpose Ledger  

Role Name

SAP_AUDITOR_BA_FI_SL AIS - Special Purpose Ledger

SAP_AUDITOR_BA_FI_SL_A AIS - Special Purpose Ledger (Authorizations)

SAP_FI_SL_ACTUAL_ASSESSMENT Special Purpose Ledger Actual Assessment

SAP_FI_SL_ACTUAL_DISTRIBUTION Special Purpose Ledger Actual Distribution

SAP_FI_SL_ACTUAL_POSTINGS Special Purpose Ledger Actual Postings

SAP_FI_SL_BATCH_JOBS Run Special Purpose Ledger Jobs in Background

SAP_FI_SL_CURRENCY_TRANSLATION Special Purpose Ledger Currency Translation

SAP_FI_SL_DISPLAY_DOCUMENTS Display Special Purpose Ledger Balances and Documents

SAP_FI_SL_DISPLAY_PLAN Display Special Purpose Ledger Plan

SAP_FI_SL_MODIFY_PLAN Modify Special Purpose Ledger Planning

SAP_FI_SL_PLAN_ASSESSMENT Edit Plan Assessment

SAP_FI_SL_PLAN_DISTRIBUTION Plan Distribution

SAP_FI_SL_ROLLUP Special Purpose Ledger Rollup

Authorization Objects in Special Purpose Ledger  

Object Name

G_022_GACT FI-SL Customizing: Transactions

G_800S_GSE Special Purpose Ledger Sets: Set

G_802G_GSV Special Purpose Ledger Sets: Variable

G_806H_GRJ FI-SL Rollup

G_820_GPL FI-SL Planning: Planning Parameters

G_821S_GSP FI-SL Planning: Distribution Keys

G_880_GRMP FI-SL Customizing: Global Companies

G_881_GRLD FI-SL Customizing: Ledger

G_888_GFGC FI-SL Customizing: Field Movements

G_ADMI_CUS Central Administrative FI-SL Tools

G_ALLOCTN Special Purpose Ledger - Assessment/Distribution

G_GLTP Special Purpose Ledger - Database (Ledger, Record Type, Version)

G_REPO_GLO FI-SL: Global Reporting (Global Company)

G_REPO_LOC FI-SL: Local Reporting (Company Code)


Treasury

Network and Communication Security

Communication with external systems is possible using standard interfaces via BAPI, IDoc, and XI.

Communication Destinations 

In certain cases a technical user may be required for applying BAPIs.

Data Storage Security 

Treasury accesses financial transaction data that can be particularly sensitive. Access is protected by the roles described in the Authorizations section.

More Security Information 

All authorizations are controlled by means of roles and profiles. In addition you can further increase the system security by making a number of Customizing settings such as trader authorization and posting release. However, the authorization check itself must always be run on the basis of roles and profiles.

Important SAP Notes 

See SAP Notes 445148 (Access of the tax authorities to stored data) and 683810 (CFM-TM Tax reduction law: Separate authorization) for information about the German principles of data access and verifiability of digital documentation (GDPdU).

Authorizations

Standard Roles in Corporate Finance Management  

Role Name

SAP_CFM_ADMINISTRATOR Administrator

SAP_CFM_DEALER Dealer

SAP_CFM_IHC_SUPERVISOR In-House Cash Supervisor

SAP_CFM_LIMIT_MANAGER Limit Manager

SAP_CFM_RISK_CONTROLLER Risk Controller

SAP_CFM_TM_BACKOFFICE_PROCES Settler

SAP_CFM_TM_FUND_MANAGER Fund Manager

SAP_CFM_TM_STAFF_ACCOUNTANT Accountant

SAP_CFM_TM_TRADE_CONTROLLER Trade Controller

SAP_CFM_TREASURY_MANAGER Treasury Manager

Standard Roles in Treasury  

Role Name

SAP_TR_ADMINISTRATOR Administrator

SAP_TR_LO_CREDIT_ANALYST Credit Analyst

SAP_TR_LO_DEPARTM_MANAGER Manager of Loans Department

SAP_TR_LO_LOANS_OFFICER Loans Officer


SAP_TR_LO_ROLLOVER_OFFICER Rollover Officer

SAP_TR_LO_STAFF_ACCOUNTANT Staff Accountant for Loans

SAP_TR_TM_BACKOFFICE_PROCES Settler

SAP_TR_TM_CASH_MANAGER Cash Manager

SAP_TR_TM_FUND_MANAGER Fund Manager

SAP_TR_TM_RISK_CONTROLLER Risk Controller

SAP_TR_TM_STAFF_ACCOUNTANT Accountant

SAP_TR_TM_TRADER Dealer

SAP_TR_TM_TRADE_CONTROLLER Trade Controller

SAP_TR_TREASURY_MANAGER Treasury Manager

Transaction Roles

Role Function

SAP_AUDITOR_BA_CFM

(AIS - Audit Information System)

Provides a structured, preconfigured collection of evaluations in Treasury.

The menu required for this is an integral part of this role. The appropriate authorization role is SAP_AUDITOR_BA_CFM_A (AIS authorizations for SAP applications except HR).

SAP_AUDITOR_TAX_TR

(AIS - Audit Information System transaction role)

Offers a structured, preconfigured collection of evaluations for the tax audit in Treasury.

The menu required for this is an integral part of this role.

The appropriate authorization roles are SAP_AUDITOR_TAX_TR_A (AIS tax auditor, authorizations) and SAP_AUDITOR_TAX_A (AIS tax auditor central functions, authorizations).

For more information, see SAP Note 503678.

Authorization Roles

Role Function

SAP_AUDITOR_BA_CFM_A

(AIS - Audit Information System)

Enables read access to business audit in Treasury.

The appropriate transaction role is SAP_AUDITOR_BA_CFM (AIS transactions for SAP applications except HR).

SAP_AUDITOR_TAX_TR_A

(AIS - Audit Information System)

Enables read access for the tax auditor.

The appropriate transaction role is SAP_AUDITOR_TAX_TR (AIS – tax audit, Treasury).

For more information, see SAP Note 503678.

There is an enhanced authorization check for the roles SAP_AUDITOR_TAX_TR and SAP_AUDITOR_TAX_TR_A. For information, see SAP Notes 445148 and 683810.


Controlling

Important SAP Notes

See the following SAP Notes on authorizations in Controlling that do not refer to program corrections:

Number Short Text

15211 CO form reports: authorization concept

16371 Authorization for dist. key and plan. parameter

39140 Message KB015 unjustified

49640 More detailed authorization f. summariz.objects

51731 Missing Authorizations for Internal Orders

60522 Author.check B_USERSTAT during business transaction

74676 CO Reports: Extract Authorizations

75970 Missing Authorizations for Internal Orders: Reports

80065 Drill-down reporting: no line items for report line

93695 Authorization for orders with 'release immediately'

98580 Drill-down reporting: Error message KH702

123022 Adv.corr.:authrztn f.reportng in act.-based costing

136325 Report Writer: Authorizatn group for standard repts

155752 Drill-down report: Authorization check mass print

159408 CJ41/CJ43:author. for detailed planning is missing

164166 CO-PA: Planning:Long runtime dur.authorizatn check

165087 Drilldown report: authorization check for intervals

175063 Msg 5A252 whn displying/changing standard hierarchy

211991 Authorizatn objcts, enterprise organizatn generatn

313077 Incorrect long text for error message KC040

317824 Drilldown report: authorizatn check and hierarchies

319858 Grp maintce: profile generator with S_PROGRAM = '*'

337885 ALLOCATION: cycle maintnce authrztn frm Easy Access

359664 Problems with old personalization profiles (KEPM)

370082 Authorizations: information about responsibility area

378687 Authorizations: CO_ACTION field entry

386065 Report shows different data for each user

390214 KEPM: Splitting of "changing" authorizations

402757 Drilldown reporting: Authorization object K_CKBOB

412570 Line item display despite missing authorization

425703 KP06ff.: Authorization object K_KA09_KVS

435072 Authorizations: Enhancement of responsibility area


438079 K_COSTCTR_BAPI_GETLIST must check authoriztn more precisely

438492 Change characteristics possible even though display only

448765 KPR6 - Dump SAPSQL_INVALID_FIELDNAME

451621 Authorization concept in KEPM

459864 Group maintenance: Authorization G_800S_GSE

487762 KE21N: Authoriztn check for entered characteristic values

500012 New authorization check for tax reduction law in CO

506164 ALLOCATION:Information message GA185 during list output

515483 Group maintenance: Authorizations

520193 Transporting CO-PA reports without authorization object

545223 Retractor: Error message RD403

554340 Report Writer: enhancement GRWTAUTH without example code

556090 Drilldown rprtng: incorrect header (graphical output)

560803 Closing billing elements with warning message

564757 Tax reduction law in CO: goto line item report via RRI

578105 Group maintenance: Authorization G_800S_GSE, part II

594899 Authorization check with internal orders K_ORDER RESPAREA

602445 Group maintenance: Authorization G_800S_GSE for 4.5

604107 MPO_PERS_FILL_CC: Explode cost center hierarchy

611798 ALLOCATION: Information message GA185 with list output

616112 KKA2, KKAJ: Enhancement for authorizations

616338 RESPAREA: Maintain group authorizations as intervals

616580 ALLOCATION: Authorizations for the cancellation of cycles

623650 ISR form terminates: Missing authorizations

625873 KSA3/KSA8: Validation on authorization object K_CCA

638364 KJH3: Display mode and authorizations

667123 ALLOCATIONS: Error message GA 776 incomprehensible

673260 KBxxN: Authorization object K_PVARIANT missing in profile

Authorizations in Controlling

Standard Roles in Controlling  

Role Description

SAP_CO_DAILY Cross-Application Day-to-Day Activities

SAP_CO_DAILY_CATS Cross-Application Day-to-Day Activities - CATS

SAP_CO_DOCUMENT_LIST Display Accounting Documents


SAP_CO_OM_REPORT_COSTCTR_OM_L Reports for Cost Centers (only OLTP)

SAP_CO_OM_REPORT_COST_ELEMENT Reports for Cost Elements

SAP_CO_OM_REPORT_INTORDER_C Reports for Internal Orders (as with BW)

SAP_CO_OM_REPORT_INTORDER_L Reports for Internal Orders (only OLTP)

SAP_CO_OM_REPORT_PROCESS_C Reports for Business Processes (as with BW)

SAP_CO_OM_REPORT_PROCESS_L Reports for Business Processes (only OLTP)

SAP_CO_OM_REPORT_TOOLS Report Tools for Overhead Cost Controlling

SAP_CO_PA_ADJUSTMENTS Profitability Analysis Adjustments

SAP_CO_PA_BASICDATA_CHARACTER Maintain Characteristic Values/Derivation in Profitability Analysis

SAP_CO_PA_BASICDATA_DISPLAY Display CO-PA Master Data

SAP_CO_PA_BASICDATA_VALUATION Maintain Valuation in Profitability Analysis

SAP_CO_PA_PEREND Profitability Analysis: Period-End Closing

SAP_CO_PA_PLANNING_AIDS Maintain Planning Aids for Sales and Profit Planning

SAP_CO_PA_PLANNING_EXEC_PROF Execute Sales and Profit Planning

SAP_CO_PA_PLANNING_EXEC_WEB Enter Sales and Profit Planning Data Via the WWW

SAP_CO_PA_PLANNING_INTEGRATION Integrated Data Transfers in Sales and Profit Planning

SAP_CO_PA_PLANNING_SETUP Set Up Sales and Profit Planning

SAP_CO_PA_REPORT_DEMO Execute Demo Reports for Profitability Analysis

SAP_CO_PA_REPORT_DESIGN_L_ITEM Define Line-Item-Based Reports for Profitability Analysis

SAP_CO_PA_REPORT_DESIGN_STD Define Profitability Reports

SAP_CO_PA_REPORT_EXECUTE Execute Profitability Reports

SAP_CO_PA_SET_OPERATINGCONCERN Set Operating Concern

SAP_CO_PA_VALUE_FLOW_ANALYSIS Analyze Value Flows in Profitability Analysis

SAP_CO_PC_ACT_MATERIAL_CONTROL Change Material Price Determination (Actual Costing)

SAP_CO_PC_ACT_MATERIAL_DISPLAY Material Price Analysis (Actual Costing)

SAP_CO_PC_ACT_ORG_MEASURES_SL Organizational Measures (Actual Costing)

SAP_CO_PC_ACT_SETTINGS Set Material Ledger

SAP_CO_PC_DAILY_MAT_DEBIT_CRED Debit/Credit Materials

SAP_CO_PC_DAILY_MAT_PRICEMAINT Maintain and Release Material Prices

SAP_CO_PC_JOB_MANUFORDER Display Manufacturing Orders

SAP_CO_PC_JOB_MANUFORDER_CO Maintain CO Production Orders

SAP_CO_PC_JOB_SALESORDER Display Sales Orders

SAP_CO_PC_MODEL Modeling: Product Cost Controlling

SAP_CO_PC_MODEL_COSTING Costing Models


SAP_CO_PC_MODEL_MATERIAL_CONTR Maintain Material Ledger Update

SAP_CO_PC_OBJECT_COCOLLECTOR Maintain Product Cost Collector

SAP_CO_PC_OBJECT_COOBJHIER Maintain Cost Object Hierarchy

SAP_CO_PC_OBJECT_COOBJID Maintain Cost Object

SAP_CO_PC_PEREND_ACT_MLEVEL Maintain Multilevel Actual Costing

SAP_CO_PC_PEREND_ACT_MLEVEL_DP Display Multilevel Actual Costing

SAP_CO_PC_PEREND_ACT_SLEVEL_PC Closing Entry of Individual Materials

SAP_CO_PC_PEREND_ACT_SLEVEL_PD Single-Level Material Price Determination of Individual Materials

SAP_CO_PC_PEREND_COCOLLECT_COL Period-End Closing for Product Cost Collectors - Collective Processing

SAP_CO_PC_PEREND_COCOLLECT_IND Period-End Closing for Product Cost Collectors - Individual Processing

SAP_CO_PC_PEREND_COCOLLECT_WLM Period-End Closing for Product Cost Collectors - Worklist

SAP_CO_PC_PEREND_COOBJHIER_COL Period-End Closing for Cost Object Hierarchy - Collective Processing

SAP_CO_PC_PEREND_COOBJHIER_IND Period-End Closing for Cost Object Hierarchy - Individual Processing

SAP_CO_PC_PEREND_COOBJHIER_WLM Period-End Closing for Cost Object Hierarchy - Worklist

SAP_CO_PC_PEREND_COOBJID_COLL Period-End Closing for Cost Objects - Collective Processing

SAP_CO_PC_PEREND_COOBJID_IND Period-End Closing for Cost Objects - Individual Processing

SAP_CO_PC_PEREND_MANUFORD_COL Period-End Closing for Manufacturing Orders - Collective Processing

SAP_CO_PC_PEREND_MANUFORD_IND Period-End Closing for Manufacturing Orders - Individual Processing

SAP_CO_PC_PEREND_MANUFORD_WLM Period-End Closing for Manufacturing Orders - Worklist

SAP_CO_PC_PEREND_SALESORD Period-End Closing for Sales Orders

SAP_CO_PC_PEREND_SALESORD_WLM Period-End Closing for Sales Orders - Worklist

SAP_CO_PC_PLAN_AUTH_EXPL_FACI Transaction Authorizations for Explanation Facility

SAP_CO_PC_PLAN_COCOLLECTOR Preliminary Costing for Product Cost Collectors

SAP_CO_PC_PLAN_COOBJID Periodic Planning for Cost Objects (General)

SAP_CO_PC_PLAN_MAT_PRICEDETERM Material Costing / Costing Run

SAP_CO_PC_PLAN_MAT_PRICERELEAS Mark and Release Standard Cost Estimate

SAP_CO_PC_PLAN_REFERENCE_SIMUL Multilevel Unit Costing

SAP_CO_PC_PLAN_SALESORDER_BOM Sales Orders - Order BOM Cost Estimate

SAP_CO_PC_REPORT_COCOLLECTOR Reports for Product Cost Collector

SAP_CO_PC_REPORT_COOBJHIER Reports for Cost Object Hierarchy


SAP_CO_PC_REPORT_COOBJID Reports for Cost Objects

SAP_CO_PC_REPORT_MANUFORDER Reports for Manufacturing Orders

SAP_CO_PC_REPORT_MATERIAL_ESTI Reports for Material Costing

SAP_CO_PC_REPORT_MATERIAL_LEDG Reports for Material Ledger and Actual Costing

SAP_CO_PC_REPORT_PROD_CAMPAIGN Reports for Production Campaigns

SAP_CO_PC_REPORT_PRODUCTDRILL Reports for Product and Plant

SAP_CO_PC_REPORT_REFERENCE_SIM Reports for Base Planning Objects

SAP_CO_PC_REPORT_SALESORDER Reports for Sales Orders

SAP_CO_PC_REPORT_SUMMARIZATION Reports with Object Summarization

SAP_CO_PC_REPORT_TOOLS Product Drilldown Reporting - Create Own Reports

SAP_CO_PEREND_CLOSING_PERIOD Maintain Period Lock

SAP_CO_PEREND_DISPLAY Schedule Manager - Display Functions

SAP_CO_PEREND_MAINTAIN Schedule Manager - Maintenance Functions

SAP_CO_RECONCILIATION_LEDGER Controlling: Maintain Reconciliation Ledger

SAP_CO_SET_CONTROLLING_AREA Set Controlling Area

SAP_CO_CRM_REP Reports/Master Data for CO Integration of CRM Services

SAP_CO_CRM_REP_PEC CO Integration CRM Service

SAP_CO_CRM_REP_PEC_IMG CO Integration CRM Service with Modeling

For general information on the authorizations in Controlling, see SAP Help Portal at help.sap.com on the tab Documentation → SAP ERP Central Component → Release xx → SAP ERP Central Component → Accounting → Controlling (CO) → Controlling (CO) → Methods in Controlling → Authorizations and under Accounting → Controlling (CO) → Profitability Analysis (CO-PA) → Information System → Authorization Objects in the Information System.

Information on the authorizations for the Controlling functions in Manager Self-Service (MSS) and for the role of the Business Unit Analyst (BUA) can be found in this Security Guide under Cross-Application Components → Self-Services [page 24].

Authorizations in Profit Center Accounting

Standard Roles in Profit Center Accounting  

Role Name

SAP_AUDITOR_BA_EC_PCA AIS - Profit Center Accounting

SAP_AUDITOR_BA_EC_PCA_A AIS - Profit Center Accounting (Authorizations)

SAP_EC_PCA_ARCHIVING Profit Center Accounting Archiving

SAP_EC_PCA_MODEL Maintain Cycles for Assessment, Distribution, and Reposting (EC-PCA)

SAP_EC_PCA_MODEL_TP_DISPLAY Display Transfer Prices


SAP_EC_PCA_MODEL_TP_MAINTAIN Maintain Transfer Prices

SAP_EC_PCA_OBJECT_DISPLAY Display Profit Center Master Data

SAP_EC_PCA_OBJECT_MAINTAIN Maintain Profit Center Master Data

SAP_EC_PCA_PEREND Period-End Closing in Profit Center Accounting

SAP_EC_PCA_PEREND_POSTINGS Data Entry for Profit Center Accounting

SAP_EC_PCA_PLAN_CLOSING Plan Closing in Profit Center Accounting

SAP_EC_PCA_PLANNING Planning in Profit Center Accounting

SAP_EC_PCA_REPORT Profit Center Accounting - Line Items and Totals Records

SAP_EC_PCA_REPORT1 Profit Center Accounting - Drilldown Reports

SAP_EC_PCA_REPORT2 Profit Center Accounting - Report Painter Reports

SAP_EC_PCA_REPORT3 Profit Center Accounting - Reports from Other Components

Authorization Objects in Profit Center Accounting  

Object Name

K_PCA EC-PCA: Responsibility Area, Profit Center

K_PCAB_DEL EC-PCA: Delete Transaction Data

K_PCAD_UM EC-PCA: Assessment/Distribution

K_PCAF_UEB EC-PCA: FI Data Transfer

K_PCAI_UEB EC-PCA: Actual Data Transfer

K_PCAL_GEN EC-PCA: Generate and Activate Ledger

K_PCAM_UEB EC-PCA: MM Data Transfer

K_PCAP_SET EC-PCA: Planning Hierarchy

K_PCAP_UEB EC-PCA: Plan Data Transfer

K_PCAR_REP EC-PCA: Summary and Line Item Reports

K_PCAR_SRP EC-PCA: Standard Reports and Datasets

K_PCAS_PRC EC-PCA: Profit Center

K_PCAS_UEB EC-PCA: SD Data Transfer

K_PCA_REAL EC-PCA: Realignment for PrCtr Assignments to CO Master Data

Network and Communication Security

Controlling is integrated with Microsoft Office®. For information on security aspects with Microsoft Office® applications, refer to the documentation of those products.

Communication in Manager Self-Service (MSS) and in the Web Application for the Business Unit Analyst (BUA) is based on Remote Function Calls (RFCs).


Communication Destinations

Technical users are required for communication over ALE, for batch reporting, and for third-party providers that access Controlling data.

Consolidation (EC-CS)

Authorizations

Authorization Objects in Consolidation  

Authorization Object Description

E_CS_BUNIT Consolidation unit

E_CS_CACTT Consolidation tasks

E_CS_CONGR Consolidation group

E_CS_DEFRM SAP Consolidation: Data entry layout

E_CS_DIMEN View

E_CS_ITCLG Consolidated chart of accounts

E_CS_JEFRM SAP Consolidation: Journal entry layout

E_CS_PERMO Monitor, opening/closing of periods

E_CS_RPTNG Reporting with Report Writer/Report Painter and Drilldown Reports

E_CS_RVERS Version

For more information, see the Implementation Guide for Enterprise Controlling at Consolidation → Preparing for Production → Authorization Management.

Authorization Profiles in Consolidation  

Authorization profile Description

E_CS_ALL Full Authorization for EC-CS

E_CS_DISPLAY Display Authorization for EC-CS

Standard Roles in Consolidation  

Role Name

SAP_AUDITOR_BA_EC_CS AIS – Consolidation

SAP_AUDITOR_BA_EC_CS_A AIS – Consolidation (Authorizations)

SAP_EC_CS_FUNCTIONS_DETAIL Consolidation – Detail Functions

SAP_EC_CS_FUNCTIONS_GENERAL Consolidation – General Functions


SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation – Offline Data Entry with Microsoft Access

SAP_EC_CS_RECONCILIATION Consolidation – Reconciliation of Integrated Data

SAP_EC_CS_REPORT_ALL Consolidation – All Reports

SAP_EC_CS_REPORT_CONSDATA Consolidation – Reports with Consolidated Data

Network and Communication Security 

Consolidation allows for offline entry of data using Microsoft Access®. Communication takes place via Remote Function Call (RFC).

Data Storage Security

The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.

Accounting Engine

Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

Target Group

●   Technology consultants

●   System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

The Need for Security

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to the Accounting Engine. To assist you in securing the Accounting Engine, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the Accounting Engine.


Overview of the Main Sections

The Security Guide comprises the following main sections:

●   Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

●   Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the Accounting Engine.

●   User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○   Recommended tools to use for user management

○   User types that are required by the Accounting Engine

○   Standard users that are delivered with the Accounting Engine

○   Overview of the user synchronization strategy, if several components or products are integrated

○   Overview of integration options in Single Sign-On environments

●   Authorizations

This section provides an overview of the authorization concept that applies to the Accounting Engine.

●   Network and Communication Security

This section provides an overview of the communication paths used by the Accounting Engine and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

●   Data Storage Security

This section provides an overview of any critical data that is used by the Accounting Engine and the security mechanisms that apply.

Before You Start

Security Guides Referenced

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the sources in the table below.


Additional Information

Content SAP Service Marketplace

Security service.sap.com/security

Security Guides service.sap.com/securityguide

Related SAP Notes service.sap.com/notes

Platforms permitted service.sap.com/platforms

Network security service.sap.com/network, service.sap.com/securityguide

Technical infrastructure service.sap.com/ti

SAP Solution Manager service.sap.com/solutionmanager

Technical System Landscape

Use

The figure below shows an overview of the technical system landscape for the Accounting Engine.

[Figure: technical system landscape of the Accounting Engine. Labels recoverable from the figure: Accounting Views (Contribution Margin, Balance, Overhead Costs, Journal); Document Creation Services; AP/AR Protocol, C&R Protocol, GJ Protocol; Document View Knowlg; Business Transactions (Security Transaction, Production Order Confirmation, Incoming Payment, Outgoing Invoice).]

For more information about the technical system landscape, see the sources listed in the table below.


More Information About the Technical System Landscape

Topic | Guide/Tool | SAP Service Marketplace

Technical description for Accounting Engine and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides

Technical configuration; High availability | Technical Infrastructure Guide | service.sap.com/ti

Security | | service.sap.com/security

User Administration and Authentication

The Accounting Engine uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP Web AS Security Guide for ABAP Technology also apply to the Accounting Engine.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Accounting Engine in the following topics:

●   User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the Accounting Engine.

●   Integration into Single Sign-On Environments

This topic describes how the Accounting Engine supports Single Sign-On mechanisms.

User Management

Use

User management for the Accounting Engine uses the mechanisms provided by SAP Web Application Server ABAP, for example, tools, user types, and password policies.

Integration into Single Sign-On Environments

Use

The Accounting Engine supports the Single Sign-On (SSO) mechanisms provided by SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP Web Application Server also apply to the Accounting Engine.


The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) in the SAP Web Application Server Security Guide.

SAP Logon Tickets

The Accounting Engine supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP Web Application Server Security Guide.
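The issue-and-accept flow described above, as an added example that is not part of this SAP guide and does not reproduce SAP's real logon ticket format: an issuing system signs a ticket only for a user it has already authenticated, and an accepting system honours the ticket only if the issuer's verification key has been imported into its trust list, the signature verifies, and the ticket has not expired. The names IssuingSystem, AcceptingSystem and the JSON ticket layout are constructed for illustration, and Ed25519 stands in for the certificate-based signature an SAP system uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed ticket layout for this example (not the SAP format): the accepting
// system needs the issuer's identity to pick a verification key, the user the
// ticket was issued for, and an expiry time.
type ticketBody struct {
	User      string `json:"user"`
	IssuerSID string `json:"issuer"`  // system ID of the system that authenticated the user
	Expires   int64  `json:"expires"` // Unix seconds
}

var (
	ErrMalformed       = errors.New("ticket: malformed")
	ErrUntrustedIssuer = errors.New("ticket: issuer not in trust list")
	ErrBadSignature    = errors.New("ticket: signature invalid")
	ErrExpired         = errors.New("ticket: expired")
)

// IssuingSystem is the initial system; only it holds the signing key.
type IssuingSystem struct {
	SID  string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewIssuingSystem(sid string) (*IssuingSystem, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IssuingSystem{SID: sid, priv: priv, pub: pub}, nil
}

// PublicKey is what an administrator exports to the accepting systems.
func (s *IssuingSystem) PublicKey() ed25519.PublicKey { return s.pub }

// Issue is called only after the user has authenticated (for example with
// user ID and password) against the issuing system.
func (s *IssuingSystem) Issue(user string, validity time.Duration, now time.Time) (string, error) {
	body, err := json.Marshal(ticketBody{User: user, IssuerSID: s.SID, Expires: now.Add(validity).Unix()})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(s.priv, body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// AcceptingSystem never sees a password; it trusts only issuers whose public
// key an administrator imported into its trust list.
type AcceptingSystem struct {
	trusted map[string]ed25519.PublicKey
}

func NewAcceptingSystem() *AcceptingSystem {
	return &AcceptingSystem{trusted: map[string]ed25519.PublicKey{}}
}

func (a *AcceptingSystem) Trust(sid string, pub ed25519.PublicKey) { a.trusted[sid] = pub }

// Verify returns the user ID carried by the ticket, or the reason the ticket
// was rejected. Issuer and signature are checked before any claim in the body
// (including the expiry time) is relied on.
func (a *AcceptingSystem) Verify(ticket string, now time.Time) (string, error) {
	dot := strings.IndexByte(ticket, '.')
	if dot < 0 {
		return "", ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(ticket[:dot])
	if err != nil {
		return "", ErrMalformed
	}
	sig, err := enc.DecodeString(ticket[dot+1:])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", ErrMalformed
	}
	var tb ticketBody
	if err := json.Unmarshal(body, &tb); err != nil {
		return "", ErrMalformed
	}
	pub, ok := a.trusted[tb.IssuerSID]
	if !ok {
		return "", ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, body, sig) {
		return "", ErrBadSignature
	}
	if !now.Before(time.Unix(tb.Expires, 0)) {
		return "", ErrExpired
	}
	return tb.User, nil
}

func main() {
	erp, err := NewIssuingSystem("ERP") // constructed system ID
	if err != nil {
		panic(err)
	}
	now := time.Now()
	ticket, _ := erp.Issue("JDOE", 8*time.Hour, now) // after JDOE logged on at ERP
	portal := NewAcceptingSystem()
	portal.Trust("ERP", erp.PublicKey()) // administrator imports ERP's key
	user, err := portal.Verify(ticket, now)
	fmt.Println(user, err) // JDOE <nil>
}
```

The trust list is the security boundary: a ticket from a system whose key was never imported is rejected before its signature is even examined, and a system that merely claims the trusted issuer's ID but signs with its own key fails the signature check.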

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP Web Application Server Security Guide.

Authorizations

Use

The Accounting Engine uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP Web AS ABAP also apply to the Accounting Engine.

Authorization Objects

The Business Accounting of the Bank Analyzer [Extern] uses the following authorization groups for IMG activities and adjustment programs:

●   A1* = authorization for technical issues (configuration)

●   A2* = authorizations for business issues

●   *EN = authorization for the accounting entities

●   *G1 = authorization for General Ledger Accounting (GL)

●   *PM = authorization for Profitability Management

Other individual authorization objects are documented in the system.


Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Accounting Engine is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Accounting Engine. Details that specifically apply to the Accounting Engine are described in the following topics:

●   Communication Channel Security

This topic describes the communication paths and logs used by the Accounting Engine.

●   Communication Destinations

This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

●   Network and Communication Security

●   Security Aspects for Connectivity and Interoperability

Communication Channel Security

Communication Paths

Communication Paths | Protocol Used
ERP to BW | RFC
ERP to Bank Analyzer | RFC

DIAG and RFC connections can be protected using Secure Network Communications (SNC).

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
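The statements that SNC protects DIAG and RFC connections (above) and that SNC provides SSO for SAP GUI and RFC (in the Accounting Engine SSO section) leave open how an administrator verifies that a system actually enforces it. The following script is an added example, not part of the SAP guide: it parses an instance profile and reports the SNC parameters that still allow unprotected DIAG, RFC or CPIC logons. The parameter names are the SAP NetWeaver SNC profile parameters; the two profile texts are constructed samples, and the required values in POLICY are this example's own assumed hardening baseline, not values quoted from the guide.

```python
"""Audit an SAP instance profile for SNC enforcement on DIAG/RFC/CPIC logons.

Added example, not SAP code. Parameter names are SAP NetWeaver SNC profile
parameters; the expected values are an assumed hardening baseline.
"""
import re
from typing import Dict, List, Tuple

# parameter -> (required value, why a different value is a finding)
POLICY: Dict[str, Tuple[str, str]] = {
    "snc/enable": ("1", "SNC is switched off, so DIAG and RFC traffic is unprotected"),
    "snc/accept_insecure_gui": ("0", "SAP GUI (DIAG) logons without SNC are still accepted"),
    "snc/accept_insecure_rfc": ("0", "RFC logons without SNC are still accepted"),
    "snc/accept_insecure_cpic": ("0", "CPIC logons without SNC are still accepted"),
    "snc/data_protection/min": ("3", "sessions below privacy protection (encryption) are allowed"),
}

_PARAM = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an instance profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _PARAM.match(raw.split("#", 1)[0])
        if m:
            params[m.group(1)] = m.group(2)
    return params


def audit_snc(params: Dict[str, str]) -> List[str]:
    """Return one finding per policy deviation; an empty list means compliant."""
    findings: List[str] = []
    for name, (required, why) in POLICY.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} not set (expected {required}): {why}")
        elif actual != required:
            findings.append(f"{name} = {actual} (expected {required}): {why}")
    if params.get("snc/enable") == "1" and not params.get("snc/identity/as"):
        findings.append("snc/identity/as missing: the application server has no SNC name")
    return findings


# Constructed sample profiles (system ID, instance name and SNC name are made up).
WEAK_PROFILE = """
# constructed sample: SNC is on, but logons without SNC are still accepted
SAPSYSTEMNAME = EC6
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=EC6, OU=ERP, O=Example
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/min = 1
"""

HARDENED_PROFILE = """
# constructed sample: only SNC-protected, encrypted logons are accepted
SAPSYSTEMNAME = EC6
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/identity/as = p:CN=EC6, OU=ERP, O=Example
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/data_protection/min = 3
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_snc(parse_profile(text)) or "OK")
```

A parameter that is absent is reported as a finding rather than silently treated as compliant, because the kernel default is what then applies; whether the default is acceptable is a decision the administrator should make explicitly.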


Communication Destinations

Use

The Accounting Engine uses the communication destination with RFC.

The configuration of the RFC calls is controlled using transaction sm59.

If no technical user was defined, the RFC connection takes place without this default setting.

Data Storage Security

Use

The Accounting Engine accesses sensitive data within the Bank Analyzer [Extern]. The Bank Analyzer checks the authorizations for this sensitive data with user exits.

For more information, see the Bank Analyzer Security Guide.


Financial Supply Chain Management

Management of Internal Controls: Security Guide

Use

This Security Guide describes the aspects of the Management of Internal Controls (MIC) component that relate to security. MIC forms part of the software component FINBASIS and uses the application server (AS), Process Integration (XI), and Business Intelligence (BI) from SAP NetWeaver.

Consequently, the following security guides also apply to MIC:

●   SAP NetWeaver Security Guide

●   SAP Web AS Security Guide ABAP

●   SAP Exchange Infrastructure Security Guide

●   SAP Business Information Warehouse Security Guide

You find these guides on SAP Service Marketplace at service.sap.com/securityguide.

For more information relevant to security, see SAP Service Marketplace at service.sap.com/security.

Target Audience of the Guide

●   Technical consultants

●   System administrators

The security guides provide information on all phases of the software life cycle.

Features

The security guide provides information on the following topics:

●   Technical System Landscape

This section lists the other systems with which MIC can communicate.

●   User Management and Authorizations

This section provides an overview of the following aspects:

○   User Management

○   Roles and Authorizations Concept Specific to MIC

○   Integration into Single Sign-On Environments

●   Communication Channel Security

This section provides an overview of the communication paths used by MIC and the security mechanisms that apply.

●   Data Storage Security

This section provides an overview of the various data storage options for MIC data.


Technical System Landscape

The following figure provides an overview of the technical system landscape of the component Management of Internal Controls (MIC):

[Figure: MIC connected to XI, BI, AIS, and third-party systems]

MIC can exchange data with the following systems:

●   MIC users can display reports from the Audit Information System (AIS), which can be run on the same system as MIC or on a different system.

●   MIC data can be extracted into an SAP NetWeaver Business Intelligence system (BI system).

●   Via the SAP NetWeaver Process Integration (XI), data can be exchanged with third-party systems. You can transfer test logs from (semi-)automated tests and structure data (from the central process catalog, for example) into the MIC system.

For information about the communication paths, see Communication Channel Security [Seite 84].

User Management and Authorizations

MIC uses the user management and the authorization concept delivered with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. For this reason, the security recommendations and guidelines described in the SAP Web AS Security Guide for ABAP Technology also apply for MIC.

In addition to these guidelines, the following sections include information about user management and the authorizations applying specifically to MIC:


●   User Management [Seite 65] 

This section lists the user management tools and the necessary user types.

●   Roles and Authorizations Concept [Seite 66] 

This section describes the MIC-specific roles and authorizations concept that is based in part on the functions of the SAP Web Application Server ABAP (see Standard Roles and Authorization Objects [Seite 67]) and in part on the functions unique to MIC (see Editing MIC-Specific Roles [Seite 68]).

●   Integration with Single Sign-On Environment [Seite 84] 

This topic describes how MIC supports Single Sign-On mechanisms.

User Management

Use

MIC user management uses the mechanisms provided by SAP NetWeaver, such as tools, user types, and the password concept. For an overview of how these mechanisms affect MIC, see the sections below. Furthermore, the system outputs a list of users that are required for operations.

User Management Tool

MIC uses user and role maintenance from SAP Web AS ABAP (transactions SU01, PFCG). For more information, see Users and Roles (BC-SEC-USR) [Extern]. To find out which roles are delivered for MIC, see under Standard Roles and Authorization Objects [Seite 67].

User Types

It is often necessary to create different security policies for different types of users. For example, your policy may specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not those users who perform their tasks using background processing.

Examples of user types required for MIC:

●   Individual users (dialog users)

○   Required for logging on to the SAP GUI for Windows for configuring MIC and for MIC administration

○   Required for logging on to the People-Centric User Interface for the operational use of MIC

○   Required for the RFC connection to the BI system

●   Technical users

○   A system user is required for the workflow within MIC, for example (user WF-BATCH must have authorization for authorization profile SAP_ALL)

○   A communications user can be required in order to set up the integration with the Audit Information System (AIS) for the RFC connection to the AIS system. Alternatively, you can define the RFC connection as a trusted system connection.


○   A service user is required for the connection of external applications using the Exchange Infrastructure (XI). The user must have the corresponding XI authorization as well as the authorization for the standard role Management of Internal Controls – Business User (SAP_CGV_MIC_BUSINESS_USER). For more information, see the SAP Exchange Infrastructure Security Guide under Service Users for Message Exchange.

Roles and Authorizations Concept

Use

For Management of Internal Controls (MIC), a large number of frequently changing people need to perform tasks in a variety of functions. Consequently, a special roles and authorizations concept has been created for this purpose. Besides the general SAP standard roles that are edited by the system administrator in transaction PFCG, there are also MIC-specific roles comprising a variety of delivered tasks. These MIC-specific roles and their respective tasks allow you to manage the detailed authorizations and the workflow between those involved.

Features

For information about the general standard roles delivered with MIC, see Standard Roles and Authorization Objects [Seite 67].

The MIC-specific roles refine the authorizations delivered in the standard role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER). An MIC-specific role consists of different tasks with authorizations attached. You can specify which tasks belong to which role. For more information, see Editing MIC-Specific Roles [Seite 68].

The assignment of an MIC-specific role to one or more persons is dependent on an object (for example, an organizational unit). The assignment is performed in a Web application by different persons throughout the organization hierarchy. The power user triggers this process for the highest level of the organization hierarchy. For more information, see Assigning Roles to Persons [Seite 83].

To ensure the segregation of duties so that the same person is not authorized to perform an assessment as well as the validation of that assessment, for example, you can define conflict groups. You include in a conflict group any tasks that must not be performed by the same person. You can use these conflict groups to run a check to establish whether the defined segregation of duties is actually reflected in the system. For more information, see Segregation of Duties [Extern].

Activities

1. The system administrator copies the delivered standard role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL), makes any necessary adjustments, and assigns the adjusted copy of the standard role to the MIC power user.

2. The power user edits the MIC-specific roles.

3. The power user defines conflict groups.

4. The power user starts the role assignment procedure in the navigational area on the start page.


5. The power user checks whether the segregation of duties defined in the conflict groups is enforced by the system.

Standard Roles and Authorization Objects

Use

The authorization concept of the SAP NetWeaver Application Server uses the assignment of authorizations to users on the basis of roles. Some general SAP standard roles are delivered with MIC. You can copy and adjust them in Customizing under SAP NetWeaver → Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Maintain Roles (transaction PFCG).

Integration

The standard roles are refined using the MIC-specific Roles and Authorization Concept [Seite 66].

Features

Standard Roles

MIC uses the following standard roles:

●   Management of Internal Controls - Customizing (SAP_CGV_MIC_CUSTOMIZING)

This role contains all necessary authorizations to make the Customizing settings for MIC. This role does not contain any authorizations for the Web applications.

●   Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER)

A user with this role is only authorized to perform those specific tasks prescribed by the detailed role concept for MIC. All users that have this role assigned to them must also have at least one MIC-specific role assigned to them. A user may use the Web applications that are specified by the tasks in the MIC-specific role.

●   Management of Internal Controls - Power User (SAP_CGV_MIC_ALL)

When this role is assigned to a user, that user is made a power user. In addition to the authorizations that the business user has, a power user also has authorization for administration functions in the MIC Implementation Guide, such as the expert mode for structure setup [Extern]. Moreover, the user has special authorizations in the People-Centric UI, such as those for editing roles and for starting role assignment to persons (see Assigning Roles to Persons [Seite 83]).

●   Management of Internal Controls - Display (SAP_CGV_MIC_DISPLAY)

A user with this role can display Customizing for MIC in the SAP GUI. This role is useful for external auditors, for example. We recommend using this role in addition to the business user role.

For more information, see the documentation on the individual roles in transaction PFCG.

Standard Authorization Objects Relevant to Security

Authorizations for objects of applications belonging to the Application Server and used in MIC are relevant to security in MIC. If you run MIC in a system in which the applications used by MIC are also used productively in other projects, then you need to ensure that you manage the authorizations for the MIC-specific objects separately from the other objects.

●   Authorization object Personnel Planning (PLOG) from Organizational Management

The general object types Organizational Unit and Person are used in MIC together with other MIC-specific object types.

Note, therefore, that the organizational units and persons created in other projects are also available in MIC (and vice versa).

●   Various authorization objects in Case Management and Records Management

Assessments, tests, issues, and remediation plans are stored in Case or Records Management. The RMS ID FOPC_SOA is relevant for MIC.

Activities

1. Copy the general SAP roles delivered with MIC, and adjust the authorizations in these roles to suit the circumstances in your system.

2. Assign the roles you have adjusted to the appropriate users. While doing so, ensure that no user has been assigned role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL) as well as role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER).

Editing MIC-Specific Roles

Use

An MIC power user can adjust the MIC-specific roles that are delivered in BC Sets and in this way specify the authorizations of a role by assigning the individual tasks.

Features

The power user has the following options for editing MIC-specific roles:

●   In Customizing for MIC under Edit Roles  

●   Using a Web application that can be called up from the MIC start page

SAP delivers sample roles in a BC Set. To be able to use these sample roles, you need to activate the BC Set in Customizing. All other activities for editing roles are possible both in Customizing and in the Web application, although the user interface in the Web application is easier to use.

When editing a role, you assign all the tasks to it that anybody assigned to that role should be allowed to perform. You also specify the role level.

The role level defines whether the tasks can be performed for the entire corporate group, for a single organizational unit, for a process group, for a process, or for a process step.

The tasks are delivered by SAP and cannot be changed. Each task has the following attributes:

●   Minimum Role Level: The only tasks you can assign to a role are those with a minimum role level corresponding to the level entered for the role. For example, you can only assign the task Perform Sign-Off at Corporate Level (for which the minimum role level = group) to a role with Corporate level.


●   Restricted to One Role: Tasks for which this indicator is selected can only be assigned to one role. Furthermore, the following restriction applies to role assignment: When a role contains a task flagged with this indicator, that role may only be assigned to just one person for an object.

●   Processing by One Work Item Recipient Suffices: Tasks flagged with this indicator can be performed by more than one user. However, it is sufficient if only one user performs the task. As soon as one user has completed the task, it is then completed for all other users to whom the task is assigned.

●   Web application that the task calls up: Different tasks can call up the same Web application. For example, the task Assign Process to Organizational Unit and the task Edit Attributes of Process Groups Specific to Org Units both call up the Web application Process Assignment for Org Unit. If a person only has authorization for one of the tasks, then that person may only perform that task in the corresponding Web application. If, however, a person has authorization for both tasks, then he/she may perform both, regardless of the task from which the Web application was called up. In this latter case, it is sufficient for just one of the tasks to be scheduled. In this way, you can restrict the number of tasks that need to be sent.

For an overview of the delivered tasks and their attributes, see the following sections:

●   Tasks: Central Structure Setup [Seite 70] 

●   Tasks: Structure Setup Specific to Organizational Units [Seite 72] 

●   Tasks: Control Assessments and Tests [Seite 76] 

●   Tasks: Management Control Assessment and Test [Seite 79] 

●   Tasks: Reporting and Sign-Off [Seite 81] 

The task Create User is handled differently because a special authorization is required for this task. For more information, see Creating Users and Connecting Users to Persons [Extern].

Analyses

To find out which roles contain a task, you can search for a task in the Web application for processing roles. In this way, you can display all roles that the task is assigned to. Moreover, you can use Authorization Analysis [Extern].

Activities

1. If you want to use the delivered sample roles, activate the relevant BC Set in Customizing. For information about the procedure for this, see the documentation on the IMG activity Edit Roles.

2. Change the delivered sample roles or create your own roles.

3. Activate the roles that you would like to use and then save your entries.
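The role model described in the Roles and Authorizations Concept and Editing MIC-Specific Roles sections (minimum role level, "Restricted to One Role", conflict groups for segregation of duties) and the instruction in Standard Roles and Authorization Objects that no user may hold both SAP_CGV_MIC_ALL and SAP_CGV_MIC_BUSINESS_USER are all rules that can be checked mechanically against an exported role and assignment list. The following script is an added example, not SAP code and not the check the guide's own Web application performs: it encodes those rules over a small constructed data set. Task codes EDIT-HIER, DISP-ROLE and PERF-CDASS come from the guide's task tables; VALI-CDASS is a hypothetical validation task; the attribute values, the wide-to-narrow ordering of role levels, the "at or above the minimum level" reading of Minimum Role Level, and the per-object reading of a conflict are this example's assumptions.

```python
"""Check MIC-style roles and assignments against the guide's constraints.

Added example, not SAP code. See the module comments for assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Role levels named in the guide, ordered widest to narrowest (ordering assumed).
LEVELS = ["Corporate", "Org Unit", "Process Group", "Process", "Process Step"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # lower index = wider scope


@dataclass(frozen=True)
class Task:
    code: str
    min_level: str               # "Minimum Role Level" attribute
    one_role_only: bool = False  # "Restricted to One Role" attribute


@dataclass
class Role:
    name: str
    level: str
    tasks: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Assignment:
    person: str
    role: str
    obj: str  # object the role is assigned for, e.g. an organizational unit


def check_role_levels(roles: List[Role], tasks: Dict[str, Task]) -> List[str]:
    """Assumed reading: a role's level must be at least as wide as each task's minimum."""
    out = []
    for role in roles:
        for code in sorted(role.tasks):
            if RANK[role.level] > RANK[tasks[code].min_level]:
                out.append(f"role {role.name} ({role.level}) contains {code}, "
                           f"which needs level {tasks[code].min_level} or wider")
    return out


def check_one_role_only(roles: List[Role], tasks: Dict[str, Task],
                        assignments: List[Assignment]) -> List[str]:
    """A restricted task sits in one role only; that role goes to one person per object."""
    out = []
    holders: Dict[str, List[str]] = {}
    for role in roles:
        for code in role.tasks:
            if tasks[code].one_role_only:
                holders.setdefault(code, []).append(role.name)
    for code, names in sorted(holders.items()):
        if len(names) > 1:
            out.append(f"task {code} is restricted to one role but appears in {sorted(names)}")
    restricted = {name for names in holders.values() for name in names}
    persons: Dict[Tuple[str, str], Set[str]] = {}
    for a in assignments:
        if a.role in restricted:
            persons.setdefault((a.role, a.obj), set()).add(a.person)
    for (role, obj), people in sorted(persons.items()):
        if len(people) > 1:
            out.append(f"role {role} holds a restricted task but is assigned to "
                       f"{sorted(people)} for {obj}")
    return out


def check_conflicts(roles: List[Role], assignments: List[Assignment],
                    conflict_groups: List[FrozenSet[str]]) -> List[str]:
    """Segregation of duties: no person holds two tasks of one conflict group on one object."""
    role_tasks = {r.name: r.tasks for r in roles}
    per_person: Dict[Tuple[str, str], Set[str]] = {}
    for a in assignments:
        per_person.setdefault((a.person, a.obj), set()).update(role_tasks[a.role])
    out = []
    for (person, obj), codes in sorted(per_person.items()):
        for group in conflict_groups:
            hit = codes & group
            if len(hit) > 1:
                out.append(f"{person} may perform conflicting tasks {sorted(hit)} on {obj}")
    return out


def check_standard_roles(user_roles: Dict[str, Set[str]]) -> List[str]:
    """Nobody may hold both SAP_CGV_MIC_ALL and SAP_CGV_MIC_BUSINESS_USER."""
    both = {"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"}
    return sorted(user for user, roles in user_roles.items() if both <= roles)


# Constructed sample data; VALI-CDASS is hypothetical, attribute values assumed.
TASKS = {t.code: t for t in [
    Task("EDIT-HIER", "Corporate", one_role_only=True),
    Task("DISP-ROLE", "Process Step"),
    Task("PERF-CDASS", "Process Step"),
    Task("VALI-CDASS", "Process Step"),
]}
ROLES = [
    Role("Central Admin", "Corporate", {"EDIT-HIER", "DISP-ROLE"}),
    Role("Control Owner", "Process Step", {"PERF-CDASS"}),
    Role("Validator", "Process Step", {"VALI-CDASS"}),
    Role("Local Admin", "Org Unit", {"EDIT-HIER"}),  # wrong level, duplicates a restricted task
]
ASSIGNMENTS = [
    Assignment("alice", "Central Admin", "CORP"),
    Assignment("dave", "Central Admin", "CORP"),   # second person for a restricted role
    Assignment("bob", "Control Owner", "OU-1000"),
    Assignment("bob", "Validator", "OU-1000"),     # assesses and validates the same object
    Assignment("carol", "Validator", "OU-2000"),
]
CONFLICT_GROUPS = [frozenset({"PERF-CDASS", "VALI-CDASS"})]
STANDARD_ROLES = {"ALICE": {"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"},
                  "BOB": {"SAP_CGV_MIC_BUSINESS_USER"}}


def run_all() -> Dict[str, List[str]]:
    return {
        "levels": check_role_levels(ROLES, TASKS),
        "one_role_only": check_one_role_only(ROLES, TASKS, ASSIGNMENTS),
        "conflicts": check_conflicts(ROLES, ASSIGNMENTS, CONFLICT_GROUPS),
        "standard_roles": check_standard_roles(STANDARD_ROLES),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check, findings or "OK")
```

The conflict check is keyed on (person, object): a person who assesses one organizational unit and validates a different one is not reported, which matches the guide's example of assessing and validating the same assessment. Widen the key to the person alone if your policy forbids holding both tasks anywhere.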


Tasks: Central Structure Setup

Task Group: Central Structure Setup

Task | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices | Web Application Called
Display Role (DISP-ROLE) | Display all roles created and all tasks assigned by power user (see Roles and Authorizations Concept [Seite 66]) | Process Step | | Edit Roles
Edit Organizational Hierarchy (EDIT-HIER) | Create/change organizational hierarchy [Extern], insert new nodes, and so forth | Corporate | X | Organizational Hierarchy
Display Organizational Hierarchy (DISP-HIER) | Display entire organizational hierarchy and detailed information on organizational units | Process Step | | Organizational Hierarchy
Document Organizational Units in Scope (PERF-SCOPO) | Define reasoning for decision to include organizational units in project scope [Extern] (or to exclude them from project scope) | Corporate | X | Organizational Units in Scope
Display Organizational Units in Scope (DISP-SCOPO) | Display reasoning behind decisions relating to the project scope | Process Step | | Organizational Units in Scope
Edit Central Process Catalog (EDIT-CPCAT) | Create/change hierarchy and attributes for process groups and processes, create/change central process steps, define P-CO-R assignment, assign account groups (see Central Process Catalog [Extern]) | Corporate | X | Central Process Catalog
Display Central Process Catalog (DISP-CPCAT) | Display entire central process catalog | Process Step | | Central Process Catalog
Edit General Control Attributes in Central Process Catalog (EDIT-CCATR) | When central process step has been defined as a control, define all attributes and assignments for the control centrally (see Documenting Controls Centrally [Extern]) | Corporate | | Documentation of Controls
Edit Account Group Hierarchy (EDIT-ACCH) | Create/change hierarchy and attributes of account groups (see Account Group Hierarchy [Extern]) | Corporate | X | Account Group Hierarchy
Display Account Group Hierarchy (DISP-ACCH) | Display entire account group hierarchy | Process Step | | Account Group Hierarchy
Edit Management Control Catalog (EDIT-MCCAT) | Create/change hierarchy of management control groups and management controls, define central descriptions (see Management Control Catalog [Extern]) | Corporate | X | Management Control Catalog
Edit Description of Assessment of a Management Control (EDIT-MCASD) | Create central description in catalog of how a management control should be assessed | Corporate | X | Management Control Catalog
Edit Description of a Test of a Management Control (EDIT-MCTED) | Create central description in catalog of how a management control should be tested | Corporate | X | Management Control Catalog
Display Management Control Catalog (DISP-MCCAT) | Display entire management control catalog | Process Step | | Management Control Catalog
Edit Central Settings for Scheduling (EDIT-CSCH) | Specify centrally how often and when specific tasks are to be performed (see Task Scheduling [Extern]) | Corporate | | Central Scheduling of Tasks
Display Central Settings for Scheduling (DISP-CSCH) | Display central settings for task scheduling | Process Step | | Central Scheduling of Tasks
Assign Delegates Centrally (ASGN-DELC) | Enter delegates [Extern] for oneself and other persons | Corporate | X | Central Assignment of Delegates
Assign Own Delegates (ASGN-DELO) | Only enter delegates for oneself | Process Step | | Assignment of Own Delegates


Tasks: Structure Setup Specific to Organizational Units

Task Group: Structure Setup Dependent on Org Unit

Task | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices | Web Application Called
Assign Roles for Corporate and Next Level Down (ASGN-RLCOR) | Assign roles to persons at the corporate level and for the subordinate organizational units directly beneath it (see Assigning Roles to Persons [Seite 83]) | Corporate | X | Role Assignment
Assign Replacement at Corporate Level (ASGN-REPLC) | Assign replacements at corporate level (see Replacement [Extern]) | Corporate | | Assignment of Replacements
Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG) | Assign roles to persons for an organizational unit and for the subordinate organizational units directly beneath it | Org Unit | X | Role Assignment
Assign Replacement at Org Unit Level (ASGN-REPLO) | Assign replacements for the organizational unit and subordinate objects | Org Unit | | Assignment of Replacements
Assign Roles for Top Process Group in Given Organizational Unit (ASGN-RLOPG) | Assign roles to persons for the top process groups of an organizational unit | Org Unit | X | Role Assignment
Assign Roles for Given Process Group and Next Level Down (ASGN-RLPGR) | Assign roles to persons for a process group and for the subordinate process groups and processes directly beneath it | Process Group | X | Role Assignment
Assign Roles for Process and Subordinate Controls (ASGN-RLPRC) | Assign roles to persons for a process and for the process steps defined as a control in the process | Process | X | Role Assignment
Assign Roles for Control (ASGN-RLCNT) | Assign roles to persons for a process step defined as a control | Process Step | | Documentation of Controls
Create User (CREA-USRID) | Have a user ID created by the system administrator and connect this user ID to the person (see Creating Users and Connecting Users to Persons [Extern]) | Org Unit | X | Only possible in SAP GUI
Specify Significance of Accounts for Organizational Unit (EDIT-ACCSO) | Specify for an organizational unit which account groups are significant (see Significance of Account Groups for Organizational Unit [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit
Display Significance of Accounts for Organizational Unit (DISP-ACCSO) | Display significance of account groups for an organizational unit | Process Step | | Processes and Account Groups for the Organizational Unit
Perform Scoping of Processes (PERF-SCOPP) | Specify for an organizational unit which processes fall within the project scope and document why (see Processes in Scope [Extern]) | Org Unit | X | Processes in Scope
Display Processes in Scope (DISP-SCOPP) | Display processes that fall within the project scope for an organizational unit | Process Step | | Processes in Scope
Assign Process to Organizational Unit (ASGN-PRORG) | Accept for organizational unit processes falling in project scope; edit process attributes specific to organizational unit (see Accepting Processes [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit
Display Process Group Attributes Specific to Org Units (DISP-OUPGA) | Display process group attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit
Edit Process Group Attributes Specific to Org Units (EDIT-OUPGA) | Edit process group attributes specific to org units | Process Group | | Processes and Account Groups for the Organizational Unit
Display Process Attributes Specific to Org Units (DISP-OUPRA) | Display process attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit
Edit Process Attributes Specific to Org Units (EDIT-OUPRA) | Edit process attributes specific to org units | Process | | Processes and Account Groups for the Organizational Unit
Edit Process Steps Specific to Org Units (EDIT-OUPRS) | Edit copied process steps, create/change local process steps, edit process step attributes | Process | | Processes and Account Groups for the Organizational Unit
Approve Documentation of Process Change (VALI-PRCHD) | Approve the adoption of documented changes in the process (see Documenting Process and Control Changes [Extern]) | Process | X | Processes and Account Groups for the Organizational Unit
Edit General Control Attributes (EDIT-GENCA) | Edit the general control attributes for local or copied process steps defined as controls (excluding assessment and test attributes) (see Documenting Controls [Extern]) | Process Step | X | Documentation of Controls
Assign Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CPCOR) | Assign control to the P-CO-R structure defined in the process catalog and select control type | Process Step | | Documentation of Controls
Assign Referenced Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CRCOR) | Assign control of a different process to the P-CO-R structure defined in the process catalog and select control type | Process | X | Processes and Account Groups for the Organizational Unit
Assign Controls to Financial Statement Assertions (ASGN-ASS2C) | Assign control to control groups and their FS assertions | Process Step | X | Documentation of Controls
General Control Attributes: Edit Assessment Attributes (EDIT-GCAMT) | Of the general control attributes, only edit the control assessment attributes (such as control maturity target) | Process Step | X | Documentation of Controls
General Control Attributes: Edit Test Attributes (EDIT-GCATA) | Of the general control attributes, only edit the control test attributes (such as testing technique) | Process Step | X | Documentation of Controls
General Control Attributes: Edit AIS Reports (EDIT-COAIS) | Assign reports of the Audit Information System to a control (see Assignment of AIS Reports [Extern]) | Process Step | | Documentation of Controls
Approve Documentation of Control Change (VALI-PSCHD) | Approve the adoption of documented change in the control | Process Step | X | Documentation of Controls
Display Process Hierarchies of all Organizational Units (DISP-PRHIE) | Display process groups, processes, and process steps for all organizational units | Process Step | | Central Process Catalog
Display General Control Attributes (DISP-GENCA) | Display all general attributes and assignments for the control | Process Step | | Documentation of Controls
Assign Management Controls to Organizational Units (ASGN-MC2OU) | Accept centrally-defined management controls for organizational unit, create local description (see Accepting Management Controls [Extern]) | Org Unit | X | Assignment of Management Controls
Assign Management Controls to Process Group (ASGN-MC2PG) | Accept centrally-defined management controls for process group, create local description of the control | Process Group | X | Assignment of Management Controls
Edit Local Description of Assessment of a Mgmt Control for Organizational Unit (EDIT-MADOU) | Create description of how the management control should be assessed specific to organizational unit | Org Unit | X | Assignment of Management Controls
Edit Local Description of Test of a Mgmt Control for Organizational Unit (EDIT-MTDOU) | Create description of how the management control should be tested specific to organizational unit | Org Unit | X | Assignment of Management Controls
Edit Local Description of Assessment of a Mgmt Control for Process Group (EDIT-MADPG) | Create description of how the management control should be assessed specific to process group | Process Group | X | Assignment of Management Controls
Edit Local Description of Test of a Mgmt Control for Process Group (EDIT-MTDPG) | Create description of how the management control should be tested specific to process group | Process Group | X | Assignment of Management Controls
Edit "To Be Tested" Attribute of a Management Control for Organizational Unit (EDIT-MTAOU) | Specify for organizational unit whether a management control should be tested | Org Unit | X | Assignment of Management Controls
Edit "To Be Tested" Attribute of a Management Control for Process Group (EDIT-MTAPG) | Specify for process group whether a management control should be tested | Process Group | X | Assignment of Management Controls
Edit Scheduling Settings for Organizational Unit (EDIT-OUSCH) | Change central settings governing Task Scheduling [Extern] for organizational unit | Org Unit | X | Scheduling Task for Organizational Unit
Display Scheduling Settings for Organizational Unit (DISP-OUSCH) | Display task scheduling settings changed for an organizational unit | Process Step | | Scheduling Task for Organizational Unit

Tasks: Control Assessments and Tests

Task Group Assessment of Control Design and Efficiency

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Perform Control Design Assessment (PERF-CDASS) | Enter result of control design assessment in system, reporting issues where necessary (see Assessment of Control Design and Efficiency [Extern]) | Process Step | X | Control Design Assessment
Display Control Design Assessment (DISP-CDASS) | Display result of control design assessment | Process Step | | Control Design Assessment
Validate Control Design Assessment (VALI-CDASS) | When validation activated, check result of control design assessment and confirm or send back | Process | X | Control Design Assessment
Perform Control Efficiency Assessment (PERF-CEASS) | Enter result of control efficiency assessment, reporting issues where necessary | Process Step | X | Control Efficiency Assessment
Display Control Efficiency Assessment (DISP-CEASS) | Display result of control efficiency assessment | Process Step | | Control Efficiency Assessment
Validate Control Efficiency Assessment (VALI-CEASS) | When validation activated, check result of control efficiency assessment and confirm or send back | Process | X | Control Efficiency Assessment

 

Task Group Process Design Assessment

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Perform Process Design Assessment (PERF-PDASS) | Enter result of process design assessment in system, reporting issues where necessary (see Process Design Assessment [Extern]) | Process | X | Process Design Assessment
Display Process Design Assessment (DISP-PDASS) | Display result of process design assessment | Process | | Process Design Assessment
Validate Process Design Assessment (VALI-PDASS) | When validation activated, check result of process design assessment and confirm or send back | Process Group | X | Process Design Assessment


Task Group Test Effectiveness of a Control

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Mass Assignment of Testers to Controls (ASGN-MT2CN) | Assign testers centrally for all controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/Management Controls
Assign Tester (ASGN-TSTER) | Assign persons for testing control effectiveness (see Test of Control Effectiveness [Extern]) | Process | X | Tester Assignment
Display Notification (DISP-NOTE) | Notifications from an external system (using XI interface) in which (semi-)automated tests are performed | No role level because task cannot be assigned to any role | | Notifications
Test Control Effectiveness (PERF-TEST) | Test control effectiveness; may be performed by all persons who were assigned as testers | No role level because task cannot be assigned to any role | | Testing Control Effectiveness
Display Test Results (DISP-TSTRE) | Display test logs for effectiveness test of a control | Process Step | | Testing Control Effectiveness
Receive Issues from Effectiveness Test (RECE-EFISO) | Predefined processor of issues reported during control effectiveness test; can be overwritten by person who reported issue | Process | X | (none)
Validate Test Control Effectiveness (VALI-TEST) | When validation activated, check result of test of control effectiveness and confirm or send back | Process | X | Testing Control Effectiveness


Tasks: Management Control Assessment and Test

Task Group Assessment and Test of Management Controls

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Mass Assignment of Testers to Management Controls (ASGN-MT2MC) | Assign testers centrally for all management controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/Management Controls
Assign Testers for Management Controls (Org Unit) (ASGN-MCTOU) | Assign persons for testing management controls for organizational unit | Org Unit | X | Tester Assignment
Assign Testers for Management Controls (Process Group) (ASGN-MCTPG) | Assign persons for testing management controls for process group | Process Group | X | Tester Assignment
Perform Management Control Assessment at Org Unit Level (PERF-MCAOU) | Enter result of management control assessment for org unit in system, reporting issues where necessary (see Management Control Assessment and Test [Extern]) | Org Unit | X | Management Control Assessment
Display Management Control Assessment at Org Unit Level (DISP-MCAOU) | Display result of management control assessment for organizational unit | Org Unit | | Management Control Assessment
Perform Management Control Assessment at Process Group Level (PERF-MCAPG) | Enter result of management control assessment for process group in system, report issues where necessary | Process Group | X | Management Control Assessment
Display Management Control Assessment at Process Group Level (DISP-MCAPG) | Display result of management control assessment for process group | Process Group | | Management Control Assessment
Validate Management Control Assessment for Top Organizational Unit (VALI-MCACP) | When validation activated, check result of management control assessment for top node of organizational hierarchy and confirm or send back | Corporate | X | Management Control Assessment
Validate Management Control Assessment for Subordinate Organizational Unit (VALI-MCAOU) | When validation activated, check result of management control assessment for subordinate organizational units and confirm or send back | Org Unit | X | Management Control Assessment
Validate Management Control Assessment for Top Process Group (VALI-MCTPG) | When validation activated, check result of management control assessment for top process group of organizational unit and confirm or send back | Org Unit | X | Management Control Assessment
Validate Management Control Assessment for Subordinate Process Group (VALI-MCAPG) | When validation activated, check result of management control assessment for subordinate process groups and confirm or send back | Process Group | X | Management Control Assessment
Perform Management Controls Test at Org Unit Level (PERF-MCTOU) | Create test log after management controls test for organizational unit; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management Controls Test
Display Management Controls Test at Org Unit Level (DISP-MCTOU) | Display result of management controls test for organizational unit | Org Unit | | Management Controls Test
Perform Management Controls Test at Process Group Level (PERF-MCTPG) | Create test log after management controls test for process group; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management Controls Test
Display Management Controls Test at Process Group Level (DISP-MCTPG) | Display result of management controls test for process group | Process Group | | Management Controls Test
Receive Issues from Management Controls Test at Org Unit Level (RECE-MCISO) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Org Unit | X | (none)
Receive Issues from Management Controls Test at Process Group Level (RECE-MCISP) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Process Group | X | (none)

Tasks: Reporting and Sign-Off

Task Group Reporting

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Display Hierarchical Reports (DISP-ANALY) | Display data for the area of responsibility in hierarchical reports in Reporting [Extern] | Process | | Reporting
Display Tabular Reports (DISP-FLATR) | Display data for the area of responsibility in tabular reports | Process | | Reporting
Display Management Reports (DISP-MNGRE) | Display aggregated data for the area of responsibility in management reports | Process | | Reporting
Print Report (PERF-PRINT) | Create and print Print Reports [Extern] | Process Step | | Print Reports
Display Change Analysis (DISP-CHGAN) | Display changes to data over different timeframes (see Change Analysis [Extern]) | Org Unit | | Change Analysis
Display Authorization Analysis (DISP-SCREP) | Display assignments in the roles and authorizations concept (see Authorization Analysis [Extern]) | Process | | Authorization Analysis

Task Group Sign-Off

Task (ID) | Description | Role Level | Restricted to One Role / Processing by One Work Item Recipient Suffices (X marks one of the two; the page layout does not preserve which) | Web Application Called
Perform Deficiency Analysis on Organizational Unit Level (PERF-DFAOU) | Perform deficiency analysis [Extern] for organizational unit and subordinate organizational units | Org Unit | | Deficiency Analysis
Display Deficiency Analysis on Organizational Unit Level (DISP-DFAOU) | Display deficiency analysis at corporate level and level of subordinate organizational units | Org Unit | | Deficiency Analysis
Perform Deficiency Analysis on Corporate Level (PERF-DFACP) | Perform deficiency analysis at corporate level and level of subordinate organizational units | Corporate | | Deficiency Analysis
Display Deficiency Analysis on Corporate Level (DISP-DFACP) | Display deficiency analysis at corporate level and level of subordinate organizational units | Corporate | | Deficiency Analysis
Perform Sign-Off (PERF-SOFOU) | Perform sign-off [Extern] for an organizational unit and, once sign-off has been performed for all organizational units, perform corporate sign-off | Org Unit | | Sign-Off
Display Sign-Off (DISP-SIGNO) | Display sign-off for organizational units in area of responsibility | Org Unit | | Sign-Off


Assigning Roles to Persons

Purpose

When you assign a person to a role in combination with an object (such as an organizational unit), that person receives the authorization to perform the tasks belonging to that role for that object.

You assign roles to persons in one of the Web applications that can be accessed from the start page [Extern]. Role assignment takes place using the domino principle throughout the organizational hierarchy and the assigned processes: each assignee can in turn assign roles only for the object they were assigned for and the next level down.

Prerequisites

●   The roles have been created and activated (see Roles and Authorizations Concept [Seite 66]).

●   The organizational hierarchy [Extern] has been defined.

Process Flow

1. The power user automatically has authorization for the task Start Role Assignment Procedure. He or she starts the assignment procedure by choosing Role Assignment in the navigation area of the start page [Extern]. The power user then assigns a person (or a user, if already available) to the role containing the task Assign Roles for Corporate and Next Level Down (ASGN-RLCOR).

○   If the person entered does not yet exist in the system, the system issues a message, and an additional area appears in the middle of the screen. To create the person, choose Create Person.

You can deactivate the option of creating a person using the IMG activity Restrict Authorization to Create Persons in Customizing for MIC.

○   If a person does not yet exist for the user entered in the system, a person is created automatically.

2. The power user assigns a role with the task Create User (CREA-USRID) to a user that has already been created.

3. If the power user has created a person in the first step as opposed to assigning a user, a user must be created for that person. For more information, see Creating Users and Connecting Users to Persons [Extern].

4. The person who now has authorization for the task Assign Roles for Corporate and Next Level Down receives this task in their task list on the start page.

5. This person assigns persons or users to the role containing the task Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG). This step is performed for all organizational units occurring directly beneath the corporate group level in the organizational hierarchy.

6. If persons instead of users are assigned, users then have to be created for these persons (see step 3).

7. The persons who now have authorization for the task Assign Roles for Given Organizational Unit and Next Level Down receive this task in their task list on the start page. Subordinate organizational units or process groups can be on the next level down. For the process groups to be available, the processes need to have been accepted [Extern] for the organizational unit in the meantime.

8. Subsequent role assignments follow the same principle all the way down the organizational hierarchy and across the assigned process groups, processes, process steps, and controls. However, you do not perform role assignment for a control in the Web application Assignment of Roles to Persons but instead in the Web application Documenting Controls [Extern].
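The delegation rule the procedure above relies on, "for a given object and the next level down", as an added model in Python. This is not SAP code and does not call MIC; the organizational hierarchy, the person names and the Grant structure are constructed for the example, and the rule that ASGN-RLCOR only counts when held for the root of the hierarchy is an assumption of the model, not a statement from the guide.

```python
# Added example, not SAP code: a model of the "given object and next level down"
# delegation rule behind the MIC role-assignment tasks ASGN-RLCOR and ASGN-RLORG.
# Hierarchy, person names and the Grant structure are constructed here.
from dataclasses import dataclass

# Constructed organizational hierarchy: unit -> parent unit (the root has no parent).
ORG_HIERARCHY = {
    "CORP": None,
    "EMEA": "CORP",
    "APAC": "CORP",
    "EMEA-DE": "EMEA",
    "EMEA-FR": "EMEA",
    "EMEA-DE-SALES": "EMEA-DE",
}

ASGN_RLCOR = "ASGN-RLCOR"  # Assign Roles for Corporate and Next Level Down
ASGN_RLORG = "ASGN-RLORG"  # Assign Roles for Given Organizational Unit and Next Level Down


@dataclass(frozen=True)
class Grant:
    """A role assignment: `person` holds `task` in combination with `org_unit`."""
    person: str
    task: str
    org_unit: str


def root_unit(hierarchy):
    roots = [unit for unit, parent in hierarchy.items() if parent is None]
    if len(roots) != 1:
        raise ValueError("the hierarchy must have exactly one root")
    return roots[0]


def direct_children(hierarchy, unit):
    return {child for child, parent in hierarchy.items() if parent == unit}


def assignable_units(hierarchy, grants, person):
    """Units for which `person` may assign roles: each unit they hold an
    assignment task for, plus that unit's direct children (never deeper).
    Model assumption: ASGN-RLCOR counts only when held for the root unit."""
    root = root_unit(hierarchy)
    units = set()
    for g in grants:
        if g.person != person:
            continue
        if g.task == ASGN_RLCOR and g.org_unit == root:
            units |= {root} | direct_children(hierarchy, root)
        elif g.task == ASGN_RLORG and g.org_unit in hierarchy:
            units |= {g.org_unit} | direct_children(hierarchy, g.org_unit)
    return units


def can_assign(hierarchy, grants, assigner, target_unit):
    return target_unit in assignable_units(hierarchy, grants, assigner)


def delegate(hierarchy, grants, assigner, person, task, target_unit):
    """Record a new role assignment, refusing any outside the assigner's scope.
    Returns a new grant list; the input list is left unchanged."""
    if not can_assign(hierarchy, grants, assigner, target_unit):
        raise PermissionError(f"{assigner} may not assign roles for {target_unit}")
    return grants + [Grant(person, task, target_unit)]


if __name__ == "__main__":
    # Step 1 of the procedure: the power user hands ASGN-RLCOR to "carl" for CORP.
    grants = [Grant("carl", ASGN_RLCOR, "CORP")]
    # Step 5: carl delegates ASGN-RLORG for a unit directly beneath CORP.
    grants = delegate(ORG_HIERARCHY, grants, "carl", "anna", ASGN_RLORG, "EMEA")
    # Step 8: anna continues one level further down, but no further.
    grants = delegate(ORG_HIERARCHY, grants, "anna", "ben", ASGN_RLORG, "EMEA-DE")
    print(sorted(assignable_units(ORG_HIERARCHY, grants, "anna")))
```

The point of the model is the failure mode: a holder of ASGN-RLORG for EMEA can assign for EMEA and EMEA-DE, but an attempt to assign directly for EMEA-DE-SALES, or for a sibling such as APAC, is refused, so scope can only widen by a chain of explicit assignments that an auditor can trace.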

Integration with Single Sign-On Environments

Use

MIC supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. Consequently, the security recommendations and guidelines for user management and authentication described in the SAP Web Application Server Security Guide also apply to MIC.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when the SAP GUI for Windows or Remote Function Calls (RFC) are used.

For more information, see Secure Network Communications (SNC) in the security guide of the SAP Web Application Server.

SAP Logon Tickets

MIC supports the use of logon tickets for SSO when the Web browser is used as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves in the original SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly once the system has checked the logon ticket.

Two points matter in practice. The ticket is a bearer token carried in the MYSAPSSO2 cookie: whoever holds it can act as the user until it expires, so browser traffic carrying it must use HTTPS. And an accepting system only honors tickets signed by an issuing system whose certificate it has imported and entered in its logon ticket access control list (transaction STRUSTSSO2), so the issuing system's private key must be protected accordingly.

For more information, see SAP Logon Tickets in the SAP Web Application Server security guide.

Client Certificates

As an alternative to user authentication using a user ID and password, users using a Web browser as a front end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol), and no passwords need to be transferred. User authorizations apply in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the security guide of the SAP Web Application Server.

Communication Channel Security

Use

The following table contains the communication paths used by MIC, the protocol used for the connection, and the type of data transferred.

Communication paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front end client using SAP GUI for Windows to application server | DIAG | All application data | Passwords
Front end client using a Web browser to application server | HTTP/HTTPS | All application data | Passwords
Audit Information System (AIS) to application server | RFC for setting up AIS integration; HTTP for displaying the AIS reports | AIS reports |
External application via XI interface to application server | External application to XI: various protocols possible (SAP standard); XI to application server: RFC | Structure data (such as central process catalog); test logs |
Application server to BI system | RFC | All application data |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol; plain HTTP sends the passwords listed above, and any logon ticket cookie, in clear text, so the browser front end should be served over HTTPS only. For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

For logon to the front end client (Web browser), Single Sign-On (SSO2)must be activated on the server side. For more information, see SAPNote 517860.

Navigation information is communicated between the start page and theWeb applications via the URL.

Data Storage Security

Use

Master data and transaction data is stored in the database of the SAP system on which MIC has been installed. Data storage occurs for the most part in Organizational Management, in Case Management, and in separate tables for this purpose. Due to the use of Organizational Management in particular, we recommend running MIC on a separate client. For more information and recommendations on the use of clients, see the application documentation under Management of Internal Controls (FIN-CGV-MIC) [Extern].

MIC requires a Web browser as the user interface. For data storage in the front end, non-persistent session cookies are used.

In some Web applications, MIC users can upload documents into the system. Knowledge Provider (KPro) is used for storing the data. Once uploaded, the documents can be accessed using a URL. The MIC-specific Roles and Authorizations Concept [Seite 66] governs authorization for accessing the URL directly in the Web application. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (two hours).
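The guide states the property of the document URL (valid for one user only, and only for two hours) but not how it is achieved. The following added Python example shows one way to obtain exactly that property, an HMAC over the document ID, the user and the expiry time; it is not KPro's or MIC's implementation, and the server key, base URL and query field names are assumptions made for the example.

```python
# Added example, not the KPro or MIC implementation: a document URL that is
# bound to one user and expires after two hours, realised with an HMAC over
# (document id, user, expiry). The key, base URL and field names are assumptions.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

VALIDITY_SECONDS = 2 * 60 * 60  # two-hour lifetime, as stated in the guide

# Constructed server-side secret for the example; a real deployment keeps it in
# a secure store and never sends it to the client.
SERVER_KEY = b"example-only-server-key-rotate-me"


def _signature(key, doc_id, user, expires):
    # Newline separators stop "ab"+"c" and "a"+"bc" from signing identically.
    message = f"{doc_id}\n{user}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_url(key, base_url, doc_id, user, now=None):
    """Build the URL the server hands to `user` after its own authorization check."""
    now = int(time.time()) if now is None else int(now)
    expires = now + VALIDITY_SECONDS
    query = urlencode({
        "doc": doc_id,
        "user": user,
        "exp": expires,
        "sig": _signature(key, doc_id, user, expires),
    })
    return f"{base_url}?{query}"


def check_url(key, url, requesting_user, now=None):
    """Validate a presented URL. Returns (True, doc_id) or (False, reason).
    The signature is checked first so that no unsigned field is ever trusted,
    and compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if now is None else int(now)
    fields = parse_qs(urlparse(url).query)
    try:
        doc_id = fields["doc"][0]
        user = fields["user"][0]
        expires = int(fields["exp"][0])
        sig = fields["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    expected = _signature(key, doc_id, user, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if requesting_user != user:
        # A copied URL presented from another user's session is refused.
        return False, "wrong user"
    return True, doc_id


if __name__ == "__main__":
    link = issue_url(SERVER_KEY, "https://host/mic/doc", "DOC-42", "anna")
    print(link)
    print(check_url(SERVER_KEY, link, "anna"))   # accepted for the issuing user
    print(check_url(SERVER_KEY, link, "ben"))    # refused when forwarded to someone else
```

The `requesting_user` argument is the identity of the current authenticated session, not anything taken from the URL: binding the link to the session is what defeats copy-and-forward, and the expiry bounds the window in which a leaked link (proxy logs, browser history) stays usable.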

Master Data Framework

Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Group

●   Technology consultants

●   System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

The Need for Security

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to Master Data Framework. To assist you in securing Master Data Framework, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to Master Data Framework.

Overview of the Main Sections

The security guide comprises the following main sections:

●   Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

●   Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by Master Data Framework.

●   User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:


○   Recommended tools to use for user management.

○   User types that are required by Master Data Framework  

○   Standard users that are delivered with Master Data Framework  

○   Overview of the user synchronization strategy, if several components or products are integrated

○   Overview of integration options in Single Sign-On environments

●   Authorizations

This section provides an overview of the authorization concept that applies to the Master Data Framework.

●   Network and Communication Security

This section provides an overview of the communication paths used by Master Data Framework and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Before You Start

Security Guides Referenced

Master Data Framework is built on SAP NetWeaver Application Server ABAP. Therefore, the corresponding Security Guides also apply to Master Data Framework.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the sources in the table below.

Additional Information

Content | SAP Service Marketplace
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network, service.sap.com/securityguide
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager


Technical System Landscape

Use

The following graphic gives an overview of the technical system landscape for the Master Data Framework.

[Figure: Master Data Framework technical system landscape. Blocks shown: Framework for Master Data and Hierarchies (time-dependent and version-dependent attributes for edges of hierarchies); Generic Services (access to BW, synchronization tools, change management, local tables, R/3); User Interface (workbench, master data hierarchies, combination characteristics such as Company and Profit Center, extensibility of InfoObjects by local fields (role concept)); Metadata Repository (transport, authorization checks, buffering, where-used list, generic checks, read/write access, locking, time-dependency, validity including version and time-dependency, transaction control (commit, rollback, save), input/output conversion).]

For more information about the technical system landscape, see the sources listed in the table below.

More Information about the Technical System Landscape

Subject | Guide/Tool | SAP Service Marketplace
Technical description of Master Data Framework and the underlying technical components, such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration; high availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security


User Administration and Authentication

Master Data Framework uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Application Server ABAP Security Guide also apply to Master Data Framework.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to Master Data Framework in the following topics:

●   User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with Master Data Framework.

●   Integration into Single Sign-On Environments

This topic describes how Master Data Framework supports Single Sign-On mechanisms.

User Management

Use

User management for Master Data Framework uses the mechanisms provided by SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies.

Integration into Single Sign-On Environments

Use

Master Data Framework uses the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Framework.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) in the SAP NetWeaver AS ABAP Security Guide.

SAP Logon Tickets

Master Data Framework supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP NetWeaver AS ABAP Security Guide.


Client Certificates

As an alternative to user authentication using a user ID and password, users using a Web browser as a front end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP NetWeaver AS ABAP Security Guide.

Authorizations

Use

Master Data Framework uses the authorization concept provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for authorizations that are described in the SAP NetWeaver AS ABAP Security Guide also apply to Master Data Framework.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine's user administration console when using Java.

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by Master Data Framework.

Standard Authorization Objects

Authorization Object | Description
R_UGMD_CHA | Master data access for all types of characteristics
R_UGMD_SNG | Master data access on the level of single values of combination characteristics
S_TABU_LIN | Master data access on the level of individual characteristics
FB_SRV_DMS | Authorization for data model synchronization (change monitor)
FB_SRV_GC | Authorization for MDF Garbage Collector

The authorization objects listed above are also described in the system documentation.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for Master Data Framework is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Master Data Framework. Details that specifically apply to Master Data Framework are described in the topic Communication Channel Security.

For more information, see the following sections in the SAP NetWeaver Security Guide:

●   Network and Communication Security

●   Security Aspects for Connectivity and Interoperability

Communication Channel Security

Use

ERP and Business Information Warehouse (SAP BW) communicate with each other using RFC within Master Data Framework.

RFC connections can be protected using Secure Network Communications (SNC).

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

SAP Banking

This security guide includes the following components from SAP Banking:

●   SAP Financial Customer Information Management (FS-BP)

●   Deposits (FS-BCA)

●   Loans Management (FS-CML)

●   Collateral Management (FS-CMS)

This security guide only contains Collateral Management-specific information about Authorizations and Network and Communication Security.

For general information about security in FS-CMS, see SAP Service Marketplace at service.sap.com/securityguide → mySAP ERP Security Guides → Security Guide for Collateral Management System (CMS).

●   Strategic Enterprise Management (SEM) 

●   Reserve for Bad Debt (FS-RBD) 


SAP Financial Customer InformationManagement (FS-BP)The security policy with SAP Financial Customer Information Management (FS-BP) isvery similar to the security policy with the central SAP Business Partner (SAP BP).

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.

Authorizations

You can create roles in the SAP Customizing Implementation Guide (IMG) for SAP Banking under SAP Business Partner for Financial Services → General Settings → Business Partner → Basic Settings → Authorization Management.

The authorization objects are the responsibility of the SAP Business Partner. SAP Financial Customer Information Management (FS-BP) is only responsible for the following two authorization objects:

●   T_BP_DEAL (Standing Instructions / Transactions)

You can use this authorization object to control the company code-dependent authorizations for displaying/creating/changing standing instructions.

There are standing instructions for:

○   Payment details

○   Derived flows

○   Correspondence

○   Transaction authorizations

●   B_BUPA_SLV (Selection variant for total commitment)

A selection variant includes various settings for the total commitment (such as which business partner roles and relationships can be used for the selection, or whether detailed information can be displayed).

Network and Communication Security

When processing total commitment, mySAP ERP communicates with other SAP systems (such as Deposits Management (FS-AM)). In theory, mySAP ERP could also communicate with non-SAP systems here.

Communication takes place via Remote Function Call (RFC).


Communication Destinations

Depending on the scenario, an RFC user is required for communication via Remote Function Call (RFC). This user requires the appropriate authorizations for the target system (such as FS-CML or FS-AM).

Data Storage Security

Authorization object B_CCARD can be used to control access to credit card information that is stored in the business partner. This control falls in the area of responsibility of central SAP Business Partner.

You can protect employee data by using authorization groups (authorization object B_BUPA_GRP).

Bank Customer Accounts (BCA)

Authorizations

The following standard roles are available in Bank Customer Accounts (BCA):

Role | Name
SAP_ISB_ACCOUNTS_ADMIN_AG | SAP Banking BCA: Account Management Administrator
SAP_ISB_ACCOUNTS_ASSISTANT_AG | SAP Banking BCA: Assistant in Account Management
SAP_ISB_ACCOUNTS_STAFF_AG | SAP Banking BCA: Clerical Staff in Account Management

For more information on authorization management and the authorization objects in Bank Customer Accounts, see SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component → Release 5.0 → SAP ERP Central Component → Financials → SAP Banking → Bank Customer Accounts (BCA) → General Subjects → Authorization Administration, or Authorization Administration → Authorization Objects.

Bank Customer Accounts (BCA) also contains the following business transaction events on the subject of authorizations:

Business Transaction Event | Name
SAMPLE_INTERFACE_00011040 | AUTH1- Account
SAMPLE_INTERFACE_00011700 | Authorization checks/authorization type
SAMPLE_INTERFACE_00010950 | Check Management
SAMPLE_INTERFACE_00010210 | Payment item dialog
SAMPLE_INTERFACE_00010410 | Payment order dialog
SAMPLE_INTERFACE_00010411 | Standing order dialog


Network and Communication Security

Bank Customer Accounts (BCA) communicates with the following external systems:

●   Payment transaction systems

●   Interest income tax 

●   Financial Accounting (FI), if Financial Accounting (FI) runs on another system

Encrypt communication with external systems in accordance with the SAP standards.

Communication with all external systems is performed via Remote Function Call (RFC).

Data Storage Security

The security of sensitive objects such as savings accounts and checking accounts is guaranteed by the general authorization concept of Bank Customer Accounts (BCA).

For employee accounts, the following security mechanisms are available in addition to the general authorization concept:

●   The following special authorization objects

○   F_EMAC_MTH

○   F_EMAC_TRN

●   The following special field modification criterion of the Business Data Toolset (BDT)

○   FMOD1: This criterion is applied to employee accounts.

Important SAP Notes

Consider the following SAP notes on authorizations in Bank Customer Accounts (BCA):

Note Number | Short Text
126494 | Authorization f. RFC calls of reconciliation GL/BCA
441020 | Value table for authorization group objects
315545 | Standing orders: release, dual authoriztn principle
731832 | Conditions: Authorization object F_COND_BDC
127591 | Authorization group in reports


Loans Management (FS-CML)

Authorizations

Authorization management for mortgage loans is based on the existing authorization concept in Loans Management (FS-CML).

The authorization check is performed according to the principle of inclusion, that is to say, if a user has authorization to activate a business transaction, he or she also has authorization to delete it. The authorization for making a posting includes the authorization for making a cancellation.

If other functions are called from a business transaction, the relevant authorization check is performed in this business transaction before the other function is accessed. This avoids any termination of the functions that are being called.

To set up your authorization management for mortgage loans, you can use the following roles included in the delivery scope:

Role | Name | Scope

Loans Officer | SAP_CML_LOANS_OFFICER
●   Create, change, display, delete business partner
●   Collateral value calculation, credit standing calculation and decision-making
●   Maintain objects and securities
●   Create contracts, or transfer from application or offer
●   Enter disbursements
●   Process correspondence
●   Release loan (colleague or superior)
●   Process business operations (such as charges, individual posting, payoff)

Credit Analyst | SAP_CML_CREDIT_ANALYST
●   Create, change, display, delete business partner
●   Maintain loan enquiries, applications and offers
●   Calculate credit standing
●   Decision-making
●   Maintain limits
●   Calculate the collateral value
●   Maintain objects and securities

Rollover Officer | SAP_CML_ROLLOVER_OFFICER
●   Loan rollover (individual and mass)
●   Process correspondence
●   Management of rollover file
●   Maintain condition tables

Staff Accountant for Loans | SAP_CML_STAFF_ACCOUNTANT
●   Post transactions
●   Clearing
●   Create payments
●   Post and monitor incoming payments
●   Process waivers and write-offs
●   Cancellation
●   Accrual/deferral
●   Valuation
●   Generating accounting reports

Manager of Loans Department | SAP_CML_DEPARTM_MANAGER
●   Release
●   Maintain condition tables
●   Change limits
●   Risk analysis
●   Monitor file (rollover or process management)
●   Monitor portfolio and portfolio trend using reports; reports and queries

Product Administrator | SAP_CML_PRODUCT_ADMIN
●   Update reference interest rates
●   Maintain condition tables
●   Maintain new business tables

Technical Administrator | SAP_CML_TECHNICAL_ADMIN
●   Perform mass runs (such as mass print run), set status of plan to completed, post planned records
●   Currency conversion
●   Update reference interest rates and currency rates
●   Reorganization and data archiving
●   Define queries, drilldown reporting forms and reports
●   Maintain performance parameters
●   Analyze change pointers
●   Define export interfaces

You can assign these roles to the users in your company. Do not make any changes to the original roles, as these changes would be overwritten by the standard settings when the system is upgraded.

If you want to make adjustments, copy these roles. To do so, in the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Role Administration → Roles. Here you can group together authorizations for consumer loans into your own defined roles, and assign these to users in your departments, for example. In the first step you maintain the role menu. You can structure this yourself by adding and, if necessary, renaming files, transactions, and reports. In addition to manually grouping together the relevant transactions, you can also transfer these from the SAP menu or another role. You then maintain the authorizations for your role. The system proposes certain authorizations and their characteristics. You can also add more objects. Then you need to generate the authorization profile. Finally, you maintain the users who are to have the authorizations contained in the role. You can also use elements from organizational management, such as position in the organization. The advantage here is that you do not have to maintain the user assignment individually in each role if a person changes jobs. You can also use this function in release.

Network and Communication Security

Loans Management (FS-CML) does not communicate with other systems. The only exception is mySAP Customer Relationship Management (CRM), during the loan origination process. In this process CRM serves as the entry system and FS-CML as the backend system. Communication is by means of XI.

Data Storage Security

The security of sensitive data in Loans Management (such as loan contracts, consumer loans, collateral values, credit standing calculations, collateral) is guaranteed by the general authorization concept of Loans Management (FS-CML).

It is possible to display business partner data from Loans Management. You can use the authorization concept of central SAP Business Partner to protect this data.

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.


Collateral Management (CM)

Purpose

The purpose of this guide is to explain the security-specific features built in for SAP Collateral Management (CM).

To understand the security features provided in CM, you must read the SAP NetWeaver Application Server security guide (service.sap.com) that describes the basic security aspects and measures for SAP systems.

Authorizations

A multitude of standard roles are shipped with SAP Collateral Management (CM) in SAP ECC 6.0. These roles are of exemplary character. The standard roles must be modified by customers based on their requirements.

Customers must not use the standard roles in their production systems without modification; it is advisable to use them only after adjusting them. Use the Profile Generator (transaction PFCG) to identify the standard roles and create additional roles.

The following roles are available in CM for banks:

Role | Purpose
SAP_FS_CMS_DISPLAY_ALL | Displaying all the entity objects in CM.
SAP_FS_CMS_MAINTAIN_ALL | Maintaining (create, change and display only) all entity objects.
SAP_FS_CMS_MAINTAIN_ALL_PRC | Executing all the process-related activities in addition to maintenance of objects.
SAP_FS_CMS_CUST_ALL | Customizing
SAP_FS_CMS_ADMIN | CM administrator role
SAP_FS_CMS_COL_AUDITOR | Maintaining all the entity objects and the access to run all the reports in CM.
SAP_FS_CMS_CREDIT_MANAGER | Displaying collateral objects and collateral agreements.
SAP_FS_CMS_CREDIT_RISK_MANAGER | Maintaining collateral objects and collateral agreements and displaying receivables.
SAP_FS_CMS_LIQUIDATION_OFFICER | Maintaining liquidation measures.

Authorization Objects in CM

Technical name | Name
CMS_PCN_02 | Authorization for activities (change request mode)
CMS_PCN_01 | Authorization for activities (normal mode)
CMS_OMS1 | Authorization for all collateral objects other than real estate (replaces CMS_OMS from ECC 6.0 onwards)
CMS_OMS | Authorization for all collateral objects other than real estate (obsolete from ECC 6.0 onwards)
CMS_CAG | Authorization object for collateral agreements
CMS_RE | Authorization object for real estate objects in CM.
CMS_RBL | Authorization object for receivables in CM.

Characteristic Based Authorizations

In Collateral Management, all objects must belong to an administration organizational unit. The authorization objects for collateral objects (real estate and other collateral objects) and collateral agreements are based on a combination of the administration organizational unit and the entity type (assigned using a process control key). For receivables, the authorizations are based on the receivable organizational unit, the receivable status and the product. Authorizations for receivables are valid only for the receivables created in CM, including the local copies of receivables from external credit systems.

For example, you can use the attribute administration organizational unit to differentiate between employee, VIP and normal customer objects. You can also create objects in these organizational units as characteristics, which can then also be used to protect application data.

Network Communication and Security

The table below shows the communication paths used by SAP Collateral Management (CM), the protocol used for the connections and the type of data transferred.

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Financial Customer Information System (FS-Business Partner) | RFC | Business partner master data |
SAP Document Management System (DMS) | RFC | Document data |
Loans Management (CML) | RFC | Loan data |
SAP Business Information Warehouse (BIW) | IDoc and RFC | Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data |
SAP Bank Analyzer (Basel II) | IDoc and RFC | Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data |

The following RFC connections have to be set up for operating CM. You are advised not to create the users belonging to these as dialog users.

●   RFC communication with the Tool BW

●   RFC communication within the Tool BW

●   RFC communication in the context of import methods for the client copy. The relevant authorization objects are:

●   S_TABU_DIS; S_RS_ICUBE; S_RS_ADMWB; S_RS_ISOUR; S_BTCH_ADM;S_ADMI_FCD; S_BTCH_JOB; S_RS_ODSO; S_RS_ISET

CM provides the following business application programming interfaces (BAPIs) for allowing external systems to connect to it:

●   BAPI_CM_AST_GET_MULTI

●   BAPI_CM_CAG_CREATE

●   BAPI_CM_CAG_GETDETAIL_MULTI

●   BAPI_CM_CAG_GET_BY_RBL

●   BAPI_CM_GENLNK_RBL_ON_RBL_01

●   BAPI_CM_GENLNK_RBL_ON_RBL_02

●   BAPI_CM_SEC_GETDETAIL_MULTI

●   BAPI_CM_RE_GETDETAIL_MULTI

●   BAPI_CM_RIG_GETDETAIL_MULTI

●   BAPI_CM_MOV_GETDETAIL_MULTI

BAPIs are standard SAP interfaces and are important in the technical integration and in exchange of business data between SAP components and between SAP and non-SAP components. BAPIs enable you to integrate these components. They are therefore an important part of developing integration scenarios where multiple components are connected to each other, either on a local network or on the internet.

BAPIs allow integration at the business level and not at the technical level. This provides for greater stability of the linkage and independence from the underlying communication technology.


The current requirement for BAPIs in CM caters mainly to the migration scenarios. Hence these BAPIs are not protected by special authorizations. Authorization checks for BAPIs can be provided (in future releases) if there are requirements for them.

CM also provides an extensive enhancement concept that offers user exits in the form of Business Add-Ins (BAdIs).

Network Security and Communication Channels

Collateral Management (CM) uses the same communication channels that are described in the SAP NetWeaver AS security guide. No further customer-specific communication channels are provided. Hence the aspects and actions described in the SAP NetWeaver AS security guide (such as use of SAProuter in combination with a firewall, use of Secure Network Communication (SNC), communication between front end and application server, connection to the database) also apply for CM.

Strategic Enterprise Management (SEM) for Banks

Authorizations

The following standard roles are available in Strategic Enterprise Management (SEM) for Banks:

Roles | Description

SEM-PA
SAP_ISB_PA_CONTROLLER_AG | SAP Banking Profitability Analysis: Profitability Controller

SEM-MRA
SAP Treasury and Risk Management
SAP_CFM_RISK_CONTROLLER | Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER | Trade Controller
SAP_CFM_TREASURY_MANAGER | Treasury Manager
Bank Applications
SAP_ISB_STRATEGIC_PLANNER_AG | SAP Banking Asset Liability Management: Strategic Balance Sheet Planner
SAP_ISB_MAR_RISK_CONTROLLER_AG | SAP Banking Risk Analysis: Market Risk Controller

SEM-KL
SAP Treasury and Risk Management
SAP_CFM_RISK_CONTROLLER | Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER | Trade Controller
SAP_CFM_TREASURY_MANAGER | Treasury Manager
SAP_CFM_ADMINISTRATOR | Administrator
SAP_CFM_DEALER | Treasury: Trader
SAP_CFM_LIMIT_MANAGER | Limit Manager

For more information about the individual roles in SAP Treasury and Risk Management (TRM), see the SAP Library, under SAP ERP Central Component → Financials → SAP Treasury and Risk Management → Basic Functions → Roles in Treasury and Risk Management (TRM).

Bank Applications
SAP_ISB_CRE_RISK_CONTROLLER_AG | SAP Banking Default Risk and Limit System: Default Risk Controller
SAP_ISB_CRE_RISK_MANAGER_AG | SAP Banking Default Risk and Limit System: Default Risk Manager
SAP_ISB_CRE_RISK_TRADER_AG | SAP Banking Default Risk and Limit System: Trader

In addition, take account of the following activities in the SAP Customizing Implementation Guide (IMG): 

●   For SEM-PA: under SAP Banking → SEM Banking → Profitability Analysis → Tools → Authorization Management

●   For SEM-MRA: under SAP Banking → SEM Banking → Common Settings for Market Risk and Asset/Liability Management → Maintain Authorizations/Profiles/Users

Network and Communication Security

●   Transfer of external data

You can use external data transfer to transfer bank transactions not performed via SAP transactions to the SAP system.

Transfer takes place via Remote Function Call (RFC).

●   Transfer of market data

Market data for a risk analysis is transferred to the SAP system via a datafeed.


mySAP ERP 2005 contains SEM extractors. These extractors are business application programming interfaces (BAPIs) for selected business, market data, and SEM-own data (financial object, limit definitions, cash flow). They can also be used as utilities for integration with systems for Basel II/IAS.

These BAPIs are delivered to customers, but they have not been released officially. There is no documentation available for the SEM extractors, just notes. The collective note on this subject is note 608292.

The development of SEM extractors does not contain any authorization checks at all. Therefore, until the interface has been released officially, a customer-specific authorization concept must be created if these extractors are used. In this event, customers must use the modification assistant to implement suitable authorization checks themselves. As the interface has not been released officially, SAP bears no responsibility for missing authorization checks.

Communication Destinations

Some evaluations in SEM Banking will normally be started by customers as batch processing. This applies particularly to drilldown reports and the calculation of key figures of the results databases. If this batch processing is started by a technical user, only the authorizations for the relevant transaction are required. You can use transaction SU22 to determine these authorizations.

If the workflow is activated when limits are exceeded, the sender of the workflow must have the authorization S_OC_SEND. To make this assignment, execute the IMG activity Assign Senders of Workflows to Recipients in the SAP Customizing Implementation Guide (IMG) under Financial Supply Chain Management → Treasury and Risk Management → Credit Risk Analyzer → Basic Settings → Assignments → Assignment of Senders to Recipients.

Data Storage Security

The data in Strategic Enterprise Management (SEM) for Banks can be regarded as being not particularly sensitive.

However, from Strategic Enterprise Management (SEM) for Banks you can access business information of other components, including:

●   Bank Customer Accounts (BCA)

●   Loans Management (CML)

This access is protected in that the authorization for the relevant transaction is checked.

Display of risk key figures is always performed on the basis of a summarization of multiple financial transactions. Users can access a detailed view to see the transactions in question. In doing so, the display transactions of the corresponding components are called. A user can only display business transactions if he or she has the corresponding authorization for this business.

You can also use the authorization objects of Strategic Enterprise Management (SEM) for Banks to ensure that users cannot draw conclusions on financial transactions indirectly (by selecting specific parameters of risk evaluation). For example, you can use authorization object T_RMCHAR_V to restrict the financial transactions for which users can perform certain risk evaluations. This authorization is then used in the display of stored key figure values.

However, these authorization objects are not applied to the SEM extractors. If you use SEM extractors, you must use the modification assistant to implement suitable authorization checks yourself.

Reserve for Bad Debt (FS-RBD)

Authorizations

The procedure of the authorization concept used by Reserve for Bad Debt (FS-RBD) is the same as that of the SAP authorization concept.

The authorization checks in FS-RBD differentiate between the following dimensions:

●   Activities:

You use the activity to control what a user is permitted to do. For example:

○   Create an RBD account

○   Post value adjustment proposals

○   Display evaluations

●   Organization

The organization at RBD area level determines which data the user is permitted to display or process.

Standard Profile

In FS-RBD you do not use RBD-specific profiles, but the standard profiles delivered with every SAP system.

The standard profiles are as follows:

Roles | Description
S_A.SYSTEM | Authorizations for the basis system only
S_A.ADMIN | Authorizations for the administration of the operational SAP system, but without authorization for:
●   ABAP/4 Development Workbench
●   maintaining superusers
●   maintaining the standard profiles beginning with “S_A”
S_A.DEVELOP | Authorizations for developers working with ABAP/4 Development Workbench
S_A.CUSTOMIZ | Authorizations for basis settings in the Customizing system.
S_A.USER | Authorizations for end users (without authorization for SAP work areas)

 


Authorization Objects

Reserve for Bad Debt (FS-RBD) has the following authorization objects:

Critical combination: Creating and posting value adjustment proposals (planned records) within a role.

Authorization Object | Description | Authorization Field | Values permitted for the authorization field
RBD_CUST | RBD: Customizing | Activity | 16 (Execute)
RBD_EDIT | RBD Dialog & Batch | Activity | 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse), 91 (Reactivate)
RBD_EDIT | RBD Dialog & Batch | RBD area | According to RBD Customizing
RBD_REPO | RBD: Reporting | RBD area | According to RBD Customizing

Description of these authorization objects:

●   The assignment of authorization object RBD_CUST with activity 16 gives the user authorization to use an RBD Customizing tool.

●   The assignment of authorization object RBD_EDIT with activity 02 and RBD area 0005 enables the user to change data for an RBD account in the RBD area 0005.

●   The assignment of authorization object RBD_EDIT with activities 02 and 10 and the RBD area 0004 enables the user to post planned records for an RBD account in the RBD area 0004.

●   The assignment of the authorization object RBD_EDIT with the activities 02, 85, 91 and the RBD area 0003 enables a user to reverse actual records for an RBD account in RBD area 0003, and to reactivate a deactivated account in the RBD area 0003.

●   The assignment of the authorization object RBD_REPO in RBD area 0006 enables a user to display the RBD standard evaluations for the data in the RBD area 0006.

Note that the activities Create Value Adjustment Proposals (Planned Records) and Post Value Adjustment Proposals (Planned Records) are possible within one role.


Use of RBD Authorization Objects

RBD_CUST

Program | Description | Permitted Activities
/IBS/MRB_CUST_KTOFI | RBD Tool Customizing: Duplicate Account Determination | 16 (Execute)

RBD_EDIT

Program | Description | Permitted Activities
/IBS/MRB_SAPMKTO | RBD: Dialog account master data | 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse)
/IBS/MRB_EWB_UPDATE | CML Position monitoring update run | 02 (Change), 10 (Post)
/IBS/MRB_KONTO_REACTIVATE | Reactivate RBD account | 91 (Reactivate)
/IBS/MRB_LOG_POST | RBD Posting log | 03 (Display)
/IBS/MRB_PEWB_REFRESH | RBD: CML Monitoring of arrears: Planned record generation (FIVA) and posting | 10 (Post)
/IBS/MRB_PEWB_RESET | RBD: CML monitoring of arrears: Clearing actual records (reversal FIVA) | 85 (Reverse)

RBD_REPO

Program | Description | Permitted Activities
/IBS/DRB_ENTWICKLUNG | RBD development list, development reserve for bad debt position | According to RBD Customizing
/IBS/DRB_HINT_LIST | Position monitoring: List of notes | According to RBD Customizing
/IBS/DRB_REFERENZ | RBD Drilldown reporting with references | According to RBD Customizing

Definition of Customer-Specific Roles

The following information is required for the definition of customer-specific roles for functions in FS-RBD:


●   SAP logon names of all employees that are to work in FS-RBD

●   RBD areas affected

●   Decisions as to which employee is permitted to execute which functions in the RBD Tool

To avoid having to assign a separate role for each employee, we recommend that you form groups of employees that are permitted to execute the same functions. You can then assign a defined role to all of the employees in the group.

Example of generation of user-specific roles:

Activities

RBD area | Activity | Employee | Role in SAP
All | All | Adams | RBD_ALLES
All | Customizing: Duplicate Account Determination | Armstrong | RBD_CUST
1 | Create, change, and display RBD account | Miller | RBD_SACH_01
1 | Create, change, and display RBD account | Martin | RBD_SACH_01
1 | Create, change, and display RBD account | Smith | RBD_SACH_01
1 | Change RBD account, post planned records | Glenn | RBD_BUCH_01
1 | Change RBD account, post planned records | O’Hara | RBD_BUCH_01
1 | Change RBD account, reverse actual records | Glenn | RBD_STOR_01
1 | Change RBD account, reverse actual records | Bertolini | RBD_STOR_01
1 | Display evaluations | Santos | RBD_AUSWERT_01
1 | Display evaluations | Hunter | RBD_AUSWERT_01
1 | Display evaluations | Miller | RBD_AUSWERT_01
1 | Display evaluations | Martin | RBD_AUSWERT_01
1 | Display evaluations | Smith | RBD_AUSWERT_01
2 | Create, change, and display RBD account | Nielsen | RBD_SACH_02
2 | Create, change, and display RBD account | Moore | RBD_SACH_02
2 | Create, change, and display RBD account | Smith | RBD_SACH_02
2 | Change RBD account, post planned records | Glenn | RBD_BUCH_02
2 | Change RBD account, post planned records | O’Hara | RBD_BUCH_02
2 | Change RBD account, reverse actual records | Glenn | RBD_STOR_02
2 | Change RBD account, reverse actual records | Nielsen | RBD_STOR_02
2 | Display evaluations | Santos | RBD_AUSWERT_02
2 | Display evaluations | Hunter | RBD_AUSWERT_02
2 | Display evaluations | Nielsen | RBD_AUSWERT_02
2 | Display evaluations | Moore | RBD_AUSWERT_02
2 | Display evaluations | Smith | RBD_AUSWERT_02

Roles

Role in SAP | RBD Authorization Object Required | Authorization Field | Field Value
RBD_ALLES | RBD_CUST | ACTVT | *
RBD_ALLES | RBD_EDIT | ACTVT | *
RBD_ALLES | RBD_EDIT | RBDID | *
RBD_ALLES | RBD_REPO | ACTVT | *
RBD_CUST | RBD_CUST | ACTVT | 16
RBD_SACH_01 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_01 | RBD_EDIT | RBDID | 1
RBD_BUCH_01 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_01 | RBD_EDIT | RBDID | 1
RBD_STOR_01 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_01 | RBD_EDIT | RBDID | 1
RBD_AUSWERT_01 | RBD_REPO | RBDID | 1
RBD_SACH_02 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_02 | RBD_EDIT | RBDID | 2
RBD_BUCH_02 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_02 | RBD_EDIT | RBDID | 2
RBD_STOR_02 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_02 | RBD_EDIT | RBDID | 2
RBD_AUSWERT_02 | RBD_REPO | RBDID | 2

As a result, roles are assigned to the user master records as follows:

Employee Role in SAP

Armstrong RBD_CUST

Bertolini RBD_STOR_01

Adams RBD_ALLES

Glenn RBD_BUCH_01

7/31/2019 Secguide Ecc 60ehp3 En

http://slidepdf.com/reader/full/secguide-ecc-60ehp3-en 109/215

 

SAP ERP Central Component Security Guide 6.0, EHP3 109

Glenn RBD_STOR_01

Glenn RBD_BUCH_02

Glenn RBD_STOR_02

O’Hara RBD_BUCH_01

O’Hara RBD_BUCH_02

Hunter RBD_AUSWERT_01

Hunter RBD_AUSWERT_02

Martin RBD_SACH_01

Martin RBD_AUSWERT_01

Moore RBD_SACH_02

Moore RBD_AUSWERT_02

Miller RBD_SACH_01

Miller RBD_AUSWERT_01

Nielsen RBD_SACH_02

Nielsen RBD_STOR_02

Nielsen RBD_AUSWERT_02

Smith RBD_SACH_01

Smith RBD_AUSWERT_01

Smith RBD_SACH_02

Smith RBD_AUSWERT_02

Santos RBD_AUSWERT_01

Santos RBD_AUSWERT_02
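The two tables above (role to authorization-object field values, and employee to roles) are the raw material an authorization reviewer works with. The following Python model, an added example that is not part of the SAP guide, transcribes both tables and evaluates checks over them: a check passes when any one of the user's roles allows every requested field value, and `*` allows all values. The check semantics and the segregation-of-duties rule at the end (post and reverse the same RBD account) are the editor's assumptions for illustration, not statements from the guide.

```python
"""Evaluate SAP-style authorization checks over the FS-RBD role tables.

Added example, not SAP code. ROLE_AUTHS and USER_ROLES are transcribed from
the two tables above; the check semantics ('any role grants', '*' = all
values) and the SoD rule in sod_conflicts() are assumptions for illustration.
"""
from collections import defaultdict

# (role, authorization object, field) -> allowed values, from the Roles table
ROLE_AUTHS = {
    ("RBD_ALLES", "RBD_CUST", "ACTVT"): {"*"},
    ("RBD_ALLES", "RBD_EDIT", "ACTVT"): {"*"},
    ("RBD_ALLES", "RBD_EDIT", "RBDID"): {"*"},
    ("RBD_ALLES", "RBD_REPO", "ACTVT"): {"*"},
    ("RBD_CUST", "RBD_CUST", "ACTVT"): {"16"},
    ("RBD_SACH_01", "RBD_EDIT", "ACTVT"): {"1", "2", "3"},
    ("RBD_SACH_01", "RBD_EDIT", "RBDID"): {"1"},
    ("RBD_BUCH_01", "RBD_EDIT", "ACTVT"): {"2", "10"},
    ("RBD_BUCH_01", "RBD_EDIT", "RBDID"): {"1"},
    ("RBD_STOR_01", "RBD_EDIT", "ACTVT"): {"2", "85"},
    ("RBD_STOR_01", "RBD_EDIT", "RBDID"): {"1"},
    ("RBD_AUSWERT_01", "RBD_REPO", "RBDID"): {"1"},
    ("RBD_SACH_02", "RBD_EDIT", "ACTVT"): {"1", "2", "3"},
    ("RBD_SACH_02", "RBD_EDIT", "RBDID"): {"2"},
    ("RBD_BUCH_02", "RBD_EDIT", "ACTVT"): {"2", "10"},
    ("RBD_BUCH_02", "RBD_EDIT", "RBDID"): {"2"},
    ("RBD_STOR_02", "RBD_EDIT", "ACTVT"): {"2", "85"},
    ("RBD_STOR_02", "RBD_EDIT", "RBDID"): {"2"},
    ("RBD_AUSWERT_02", "RBD_REPO", "RBDID"): {"2"},
}

# user master record -> assigned roles, from the assignment table
USER_ROLES = {
    "Armstrong": ["RBD_CUST"],
    "Bertolini": ["RBD_STOR_01"],
    "Adams": ["RBD_ALLES"],
    "Glenn": ["RBD_BUCH_01", "RBD_STOR_01", "RBD_BUCH_02", "RBD_STOR_02"],
    "O'Hara": ["RBD_BUCH_01", "RBD_BUCH_02"],
    "Hunter": ["RBD_AUSWERT_01", "RBD_AUSWERT_02"],
    "Martin": ["RBD_SACH_01", "RBD_AUSWERT_01"],
    "Moore": ["RBD_SACH_02", "RBD_AUSWERT_02"],
    "Miller": ["RBD_SACH_01", "RBD_AUSWERT_01"],
    "Nielsen": ["RBD_SACH_02", "RBD_STOR_02", "RBD_AUSWERT_02"],
    "Smith": ["RBD_SACH_01", "RBD_AUSWERT_01", "RBD_SACH_02", "RBD_AUSWERT_02"],
    "Santos": ["RBD_AUSWERT_01", "RBD_AUSWERT_02"],
}


def role_grants(role, obj, **fields):
    """True if this single role carries an authorization for `obj` in which
    every requested field value is allowed ('*' allows any value).
    A field that is not maintained in the role is treated as not granted."""
    for field, value in fields.items():
        allowed = ROLE_AUTHS.get((role, obj, field))
        if allowed is None:
            return False
        if "*" not in allowed and value not in allowed:
            return False
    return True


def authority_check(user, obj, **fields):
    """Assumed check semantics: the check passes if ANY of the user's roles
    grants all requested field values. Unknown users get nothing."""
    return any(role_grants(r, obj, **fields) for r in USER_ROLES.get(user, []))


def effective_auths(user):
    """Union of (object, field) -> values over all roles. Note this is an
    over-approximation for reporting only: it merges values across roles
    without preserving which RBDID goes with which ACTVT. Use
    authority_check() for the precise combination check."""
    out = defaultdict(set)
    for role in USER_ROLES.get(user, []):
        for (r, obj, field), values in ROLE_AUTHS.items():
            if r == role:
                out[(obj, field)] |= values
    return dict(out)


def sod_conflicts(rbdids=("1", "2")):
    """Constructed segregation-of-duties rule (an assumption, not from the
    guide): flag users who can both post (ACTVT 10) and reverse (ACTVT 85)
    records of the same RBD account."""
    hits = []
    for user in USER_ROLES:
        for rbdid in rbdids:
            if (authority_check(user, "RBD_EDIT", ACTVT="10", RBDID=rbdid)
                    and authority_check(user, "RBD_EDIT", ACTVT="85", RBDID=rbdid)):
                hits.append((user, rbdid))
    return hits


if __name__ == "__main__":
    print(authority_check("Martin", "RBD_EDIT", ACTVT="2", RBDID="1"))
    print(authority_check("Martin", "RBD_EDIT", ACTVT="2", RBDID="2"))
    print(sod_conflicts())
```

Running `sod_conflicts()` against the page's own assignments shows why the review step matters: the all-rights role RBD_ALLES and the combined posting/reversal assignments both satisfy the constructed rule, which is exactly the kind of finding a periodic role review should surface and justify.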

Network and Communication Security

In Reserve for Bad Debt (FS-RBD) the following systems communicate with each other:

●   Enterprise Resource Planning (ERP) with Loans Management (FS-CML)

●   ERP with Deposits Management (FS-AM)

●   ERP with Collateral Management System (FS-CMS)

●   ERP with Flexible General Ledger/ Financials (FLEXGL/FI)

Communication takes place via Remote Function Call (RFC).

Communication Destinations

Technical users are required for Remote Function Call (RFC) connections to Deposits Management (FS-AM).

These technical users require read authorization (for reading balances and account master data, for example).


Trace and Log Files

The change documents (master data from the source system) can be used as trace or log files that contain security-relevant information.

Incentive and Commission Management (ICM)

For detailed information about security in Incentive and Commission Management (ICM), see the security guide for Incentive and Commission Management in the SAP Library under Security → mySAP ERP Security Guides.

Statutory Reporting for Insurance (FS-SR)

Authorizations

Authorizations are assigned using the authorization objects from the authorization object class ISSR.

Data Storage Security

Sensitive data, such as financial transactions, is protected from unauthorized access using the authorization objects in the authorization object class ISSR.

Real Estate Management

Authorizations

Standard Roles of Real Estate Management  

Roles Description

SAP_RE_APPL Real Estate Specialist

SAP_RE_CONTROLLER_AND_PLANER RE Controller

SAP_RE_CONTROLLING_ANALYST RE Controlling Analyst

SAP_RE_LESSEE_CONTRACT_SUPPORT Lessee Contract Support

SAP_RE_LESSOR_CONTRACT_SUPPORT Lessor Contract Support

SAP_RE_MASTER_DATA_ANALYST Master Data Analyst

SAP_RE_MASTER_DATA_SUPPORT Master Data Support

SAP_RE_RENT_LEVEL_EXPERT Rent Level Expert

SAP_RE_RENTAL_ACC_SUPPORT Rental Account Support

SAP_RE_SC_SUPPORT Service Charge Support

Network and Communication Security


External heating expenses settlement is available in Real Estate Management. To make this settlement possible, the necessary files must be generated in the SAP system in an internal SAP format. Then you need to send the data medium to the settlement company.

Trace and Log Files

The change documents provide information on changes to the authorization group and to the person responsible for the object.

Public Sector Management

Authorizations

Standard Roles for Public Sector Management (PSM)

Role Name

SAP_IS_PS_CENTRAL_FUNCTION Funds Management Central Function

SAP_IS_PS_PO_CONSUMPTION Postings: Consume Funds

SAP_IS_PS_MD_STRUCTURE Master Data Funds Management: Maintain Structure

SAP_IS_PS_DECK_CREA Cover Eligibility: Rule Maintenance

SAP_IS_PS_BCS_AVC_TOOLS Availability Control - Tools

SAP_IS_PS_BU_RULES Maintain Budget Rules

SAP_IS_PS_BCS_BUD_TOOLS Budgeting - Tools

SAP_IS_PS_PO_RECONCILE Reconciling Data with Feeder Applications

SAP_IS_PS_BCS_BUD_MAINTENANCE Maintain Budget Data

SAP_IS_PS_BCS_BUD_PLANNING Plan Budget Data

SAP_IS_PS_BCS_DISPLAY Display Budget Values (BCS)

SAP_IS_PS_BCS_STATUS_MAINTAIN Budgeting – Assign Status

SAP_IS_PS_BCS_STRUCT_DEF Maintain Budget Structure

SAP_IS_PS_BCS_STRUCT_TOOLS Budget Structure - Tools

SAP_IS_PS_BU_CONTROL Controlling Budget Execution

SAP_IS_PS_BU_DISPLAY Budget Values Display

SAP_IS_PS_BU_PLANNING Budget Planning

SAP_IS_PS_BU_UPDATE Update Budget: Transactions

SAP_IS_PS_BU_UPDATE_TOOLS Update Budget: Tools

SAP_IS_PS_BU_UPDATE_VERSION Update Budget: Edit Versions

SAP_IS_PS_CASH_DESK Payment at Cash Desk

SAP_IS_PS_CF_BU_EXECUTE Execute Budget Carryforward


SAP_IS_PS_CF_BU_PREPARE Prepare Budget Carryforward

SAP_IS_PS_CF_CHECK Check Budget Closing

SAP_IS_PS_CF_OI_EXECUTE Carry Forward Consumable Budget

SAP_IS_PS_CF_OI_PREPARE Prepare Carryforward of Consumable Budget

SAP_IS_PS_DECK_DISP Display Data for Reporting and Master Data Cover Eligibility

SAP_IS_PS_MD_DISPLAY Funds Management Master Data: Display Functions

SAP_IS_PS_MD_ZUOB Funds Management Master Data: Assignment to CO Structures

SAP_IS_PS_PO_COMMITMENTS Postings: Commit Funds

SAP_IS_PS_PO_CONSUMPTION_DISP Postings: Consumed Funds Display

SAP_IS_PS_PO_FOR Postings: Forecast of Revenue

SAP_IS_PS_PO_TRANSFERS Postings: Transfer Consumable Budget

Public Sector Management uses the naming conventions SAP_FI_GM_* and SAP_IS_PS_* for its roles.

Standard Roles for Grants Management (PSM-GM)

Role Name Function

SAP_FI_GM_GRANT_ANALYST Grants Management: Grant Analyst Master data maintenance, execution of reports

SAP_FI_GM_GRANT_MANAGER Grants Management: Grant Manager New entry, check, and approval of master data, execution of billing program

SAP_FI_GM_PROGRAM_ANALYST Grants Management: Program Analyst Creation of master data, processing of proposals and budget

SAP_FI_GM_PROGRAM_MANAGER Grants Management: Program Manager Check and approval of proposals and budget

SAP_FI_GM_PROJECT_MANAGER Grants Management: Project Manager Management of grants and budget, execution of reports

Standard Roles for Grantor Management (PSM-GM)

Role Name Function

SAP_PSM_GTR_PROGRAM_MANAGER Instructor for Grantor Program Management The main task of the instructors for Grantor Program Management is to look after the scenarios of Grantor Management. The instructor for Grantor Program Management not only works with CRM transactions but is also responsible for creating budget for the Grantor programs in PSM and the processing of accounting transactions in Public Sector Contract Accounting. Additional tasks in the area are master data maintenance, reporting and archiving.

SAP_PSM_GTR_PROGRAM_CLERK Clerk for Grantor Program Management The main task of the clerk for Grantor Program Management is the processing of scenarios in Grantor Management. The clerk works not only with CRM transactions for the Grantor Management but also accesses budget, PSM master data and business partner data in Public Sector Contract Accounting. A user in this role is also authorized to execute PSM reports.

Standard Roles for Expenditure Certification (PSM-EC)

Expenditure Certification (PSM-EC) is available on the portal and contains the following portal roles:

Role Name Function

com.sap.pct.erp.expcert.certif_manager Certification manager The certification manager manages the data for the project (such as budget, deadlines, links to financing sources, and the progress of the project), checks the budget consumption of the projects and financing sources, monitors all certificates and issues approval for a certification run.

com.sap.pct.erp.expcert.cert_admin Certification accountant The certification accountant executes the certification run for financing sources and forwards the provisional certification results to the people responsible for further checks; they also make manual changes in certifications and save the closing version of a certification.

Authorization Objects for Grants Management (PSM-GM)

Authorization object Name

F_FIGM_BUD Grants Management: Authority for Budget

F_FIGM_CLS Grants Management: Authority for Class

F_FIGM_GNG GM: Grant Groups

F_FIGM_GNT Grants Management: Authority for Grant

F_FIGM_PRG Grants Management: Authority for Programs

F_FIGM_SCG GM: Sponsored Class Groups

F_FIGM_SPG GM: Sponsored Program Groups

The master data objects and business processes of Grants Management are protected by standard authorization objects.

US Federal Government uses the authorization concept of the components that it uses, such as Funds Management and Material Management. See also the documentation for Funds Management on the SAP Help Portal at help.sap.com → SAP ERP Central Component → Accounting → Public Sector Management → Funds Management → Authorizations.

Authorization Objects for Grantor Management (PSM-GM)

Authorization object Name

F_PSM_DRUL Rules of Account Assignment Derivation

F_PSM_DSTR Strategy of Account Assignment Derivation

Authorization Objects for Expenditure Certification (PSM-EC)


Authorization object Name

F_PSMEC_CR Expenditure certification: Certification Run

F_PSMEC_FS Expenditure Certification: Financing Source

F_PSMEC_OP Expenditure Certification: Operation

F_PSM_DSTR Strategy of Account Assignment Derivation

F_PSM_DRUL Rules of Account Assignment Derivation

Network and Communication Security

Public Sector Management communicates with the following components:

●   Human Capital Management (HCM) as part of the scenario Position Budgeting and Control  

●   SAP Enterprise Buyer (EBP)

●   Customer Relationship Management (CRM) as part of the Scenario Grantor Management  

The communication with these internal SAP components takes place via Remote Function Call (RFC). See the corresponding sections in the RFC/ICF Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Aspects for Connectivity and Interoperability.

The US Federal Government has both payment and collection outbound interfaces at its disposal for Treasury Confirmation and Intragovernment Payment and Collections (IPAC). This outbound interface uses payment methods and flat files.

The inbound interface of the Central Contractor Registration (CCR) uses IDocs. 

Expenditure certification (PSM-EC) communicates with the:

●   Portal which displays the Workcenter

●   Backend system in which the FI invoice documents were certified

●   System in which the launchpad is configured (logical system SAP_R3_SelfServiceGenerics)

This system can be the same as the backend system.

For registering portal users in the backend system, we recommend that the user is assigned in both the portal and the backend system. In other words, the user ID of a user in the portal and the backend system should match.

Data Storage Security

Public Sector Management supports payments by payment card. As this process does not have a key role in Public Sector Management and customers have not yet required the encryption of card numbers, Public Sector Management does not provide encryption for payment card numbers at the moment.


More Security Information

Authorization checks only take place in Public Sector Management and Funds Management when the authorization group of a master data object is entered. To ensure that an adequate check is carried out, SAP recommends that you define the affected fields as required entry fields in the field status control. You define this setting in the implementation guide of Public Sector Management:

●   Funds Management-Specific Postings  → Earmarked Funds and Funds Transfers  → Field Control for Earmarked Funds and Funds Transfers  → Define  Field Status Variant  /Assign Field Status Variant to Company Code  / Define  Field Status Groups  

●   Actual and Commitment Update/Integration → Integration  → Maintain Field Status for Assigning FM Account Assignments  

For more information, see the documentation on Funds Management on the SAP Help Portal at help.sap.com → ERP Central Component → Accounting → Public Sector Management.
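The point above is a classic silent-bypass failure mode: a master data object whose authorization group was never filled is not checked at all, so every user can reach it, and the recommended control is to make the field a required entry. The following Python model, added here as an illustration and not SAP code, reproduces that behaviour, shows the required-entry control stopping the unprotected object from being created, and provides a review report that lists objects already in the system without a group. Object names, users and group names are constructed.

```python
"""Model of 'no authorization group maintained -> no authorization check'.

Added example, not SAP code. The objects, users and group names are
constructed; only the behaviour (empty group skips the check; required
entry prevents it) follows the guide's statement above.
"""
from dataclasses import dataclass, field


@dataclass
class MasterDataObject:
    name: str
    auth_group: str = ""          # empty string = group never maintained


@dataclass
class User:
    name: str
    auth_groups: set = field(default_factory=set)   # groups the user may access


def is_authorized(user, obj):
    """Mirror the behaviour described in the guide: an object without an
    authorization group is not checked, so access is granted to anyone."""
    if not obj.auth_group:
        return True
    return obj.auth_group in user.auth_groups


def create_object(name, auth_group, required_entry=True):
    """Field-status control. With required_entry=True (the recommended
    setting) an object cannot be created without an authorization group."""
    if required_entry and not auth_group:
        raise ValueError(f"{name}: authorization group is a required entry field")
    return MasterDataObject(name, auth_group)


def unprotected_objects(objects):
    """Review report: names of objects that escape the authorization check
    because their group is empty (what to fix for data created before the
    field status was tightened)."""
    return [o.name for o in objects if not o.auth_group]


if __name__ == "__main__":
    # Constructed data: one object created before the control was enabled.
    legacy = create_object("FUND-LEGACY", "", required_entry=False)
    guarded = create_object("FUND-GUARDED", "GRP_FINANCE", required_entry=False)
    reviewer = User("reviewer", {"GRP_AUDIT"})
    print(is_authorized(reviewer, legacy))      # True: never checked
    print(is_authorized(reviewer, guarded))     # False: wrong group
    print(unprotected_objects([legacy, guarded]))
    try:
        create_object("FUND-NEW", "")            # blocked by required entry
    except ValueError as err:
        print(err)
```

Enabling the required-entry control only protects objects created from that point on; `unprotected_objects()` is the companion check for data that already exists.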

For Grants Management, note the following system settings in the implementation guide of Public Sector Management, under Funds Management Government → Master Data → Grant:

●   GM Grant Control: Field Group for Authorizations 

●   Maintain Grant Authorization Types 

●   Maintain Grant Authorization Groups 

You can enhance the authorization concept using the following BAdI:

BAdI Name

GM_AUTHORITY_CHECK Grants Management: Authorization Check

GM_BILL_AUTHORITY GM: User authorization for billing for DP90 in GM

GM_POST_AUTHORITY Grants Management coding block authorization check

Joint Venture Accounting

Before You Start

Fundamental Security Guides

JVA is related to components of the SAP ERP Central Component Security Guide. Therefore, the corresponding Security Guides also apply to the JVA component. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.


Fundamental Security Guides

Application Guide Most Relevant Sections or Specific Restrictions

SAP NetWeaver Application Server SAP NetWeaver Security Guide In the SAP NetWeaver Security Guide, choose Security Guides for SAP NetWeaver according to Usage Types → Security Guides for Usage Type AS.

SAP ECC SAP ERP Central Component Security Guide All sections.

Operating Systems and Database Platforms SAP NetWeaver Security Guide In the SAP NetWeaver Security Guide, choose Security Guides for the Operating System and Database Platforms.

For a complete list of the available SAP Security Guides, see the SAP Service Marketplace at service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the addresses on the SAP Service Marketplace as shown in the table below.

Content SAP Service Marketplace Address

Security service.sap.com/security

Security Guides service.sap.com/securityguide

Related SAP Notes service.sap.com/notes

Released platforms service.sap.com/platforms

Network security service.sap.com/securityguide

SAP Solution Manager service.sap.com/solutionmanager

Technical System Landscape

JVA runs as an integrated application within the central system landscape.

It is closely connected to the FI, MM, AM and CO components and must run on a server where these components are installed. An ALE scenario is not fully supported. Please refer to note 214435.

For more information about the technical system landscape, see the resources listed in the table below.

Topic Guide/Tool Quick Link to the SAP Service Marketplace

Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver Master guide service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP

Technical configuration high availability Technical infrastructure guide service.sap.com/ti


Security service.sap.com/security

User Management

Use

User management for JVA uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for JVA, see the sections below.

User Administration Tools

The table below shows the tools to use for user management and user administration with the JVA component.

User Management Tools

Tool Description

User maintenance for ABAP-based systems (transaction SU01) For more information about the authorization objects provided by the subcomponents of SAP ERP Joint Venture Accounting, see the relevant subsection under Authorizations.

Role maintenance with the profile generator for ABAP-based systems (PFCG) For more information about the roles provided by the subcomponents of SAP ERP Joint Venture Accounting, see the relevant subsection under Authorizations.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types that are required for JVA include:

●   Individual users:

○   Dialog users are used for SAP GUI for Windows

○   Internet users are used for Web applications. The same policies apply as for dialog users, but they are used for Internet connections.

●   Technical users:

○   Background users are used for certain (mainly periodically running) programs which have extended authorizations.

For more information on these user types, see User Types in the SAP NetWeaver AS ABAP Security Guide.


Standard Users

JVA doesn’t deliver standard users.

However, users with specific authorizations must be created to fulfill certain tasks for:

●   Customizing

●   Master data

●   Processing

●   Reporting

Authorizations

Standard Roles

The table below shows the standard roles that are used by JVA.

Standard Roles

Role Description

SAP_EP_RW_GJVP RW - Joint Venture Accounting

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by JVA.

Standard Authorization Objects

Authorization Object Description

J_JVA_CUS  Joint Venture Accounting: Customizing 

J_JVA_JOA Joint Venture Accounting: Joint Operating Agreement Master

J_JVA_PRC Joint Venture Accounting: Processing

J_JVA_REP Joint Venture Accounting: Reporting

J_JVA_VNT Joint Venture Accounting: Venture Master

Communication Channel Security

Use

The table below shows the communication channels used by JVA, the protocol used for the connection, and the type of data transferred.

Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection

Front-end client using SAP GUI for Windows to application server DIAG All application data For example, passwords, business data, credit card information


Front-end client using a Web browser to application server HTTP(S) All application data For example, passwords, business data, credit card information

Application server to application server RFC, HTTP(S) Integration data Business data, credit card information

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the section on Transport Layer Security in the SAP NetWeaver Security Guide:

service.sap.com/securityguide → SAP NetWeaver Security Guide → Transport Layer Security

Logistics

Materials Management (MM)

Purchasing and Service Industries (MM-PUR, MM-SRV)

Authorizations

Standard Roles

You can implement the following standard roles for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) in the SAP Enterprise Portal:

●   Description: Purchasing Agent

●   Technical name:pcd:portal_content/com.sap.pct/specialist/com.sap.pct.purch.purchasingagent/com.sap.pct.purch.roles/com.sap.pct.purch.purchasingAgent

Note that this is a role that can only be used in the SAP Enterprise Portal. There are no corresponding roles in the SAP ECC backend.

Profile

The following table shows the security-relevant profiles used by the components Purchasing and Service Industries.


Profiles: Purchasing, Service Industries

Profile Description

M_ANFR_ALL MM Purchasing – RFQs: Maintenance Authorization

M_ANFR_ANZ MM Purchasing – RFQs: Display Authorization

M_ANGE_ALL MM Purchasing: Quotations: Maintenance Authorization

M_ANGE_ANZ MM Purchasing: Quotations: Display Authorization

M_BANF_ALL MM Purchasing – Requisitions: Maintenance Authorization

M_BANF_ANZ MM Purchasing: Requisitions: Display Authorization

M_BEST_ALL MM Purchasing – Purchase Orders: Maintenance Authorization

M_BEST_ANZ MM Purchasing: Purchase Orders: Display Authorization

M_EBEL_ANZ MM Purchasing – Display Order Documents

M_EINF_ALL MM Purchasing: Info Records: Maintenance Authorization

M_EINF_ANZ MM Purchasing: Info Records: Display Authorization

M_EINK_ALL MM Purchasing – Complete: Maintenance Authorizations

M_EINK_ANZ MM Purchasing – Complete: Display Authorizations

M_LPET_ALL MM Purchasing: Sched. Agmt. Delivery Schedules: Maint.Auth.

M_LPET_ANZ MM Purchasing: Sched. Agmt. Delivery Schedules: Displ. Auth.

M_RAHM_ALL MM Purchasing: Outline Agreements: Maintenance Authorization

M_RAHM_ANZ MM Purchasing: Outline Agreement: Display Authorization

M_SRV_ALL Service Master Data: All Authorizations

Standard Authorization Objects

The following table shows the security-relevant authorization objects used by the components Purchasing and Service Industries.

Standard Authorization Objects: Purchasing, Service Industries

Authorization Object Description

M_AMPL_ALL Approved Manufacturer Parts List

M_AMPL_WRK Approved Manufacturer Parts List - Plant

M_ANFR_BSA Document Type in RFQ

M_ANFR_EKG Purchasing Group in RFQ

M_ANFR_EKO Purchasing Organization in RFQ

M_ANFR_WRK Plant in RFQ

M_ANGB_BSA Document Type in Quotation

M_ANGB_EKG Purchasing Group in Quotation

M_ANGB_EKO Purchasing Organization in Quotation

M_ANGB_WRK Plant in Quotation


M_BANF_BSA Document Type in Purchase Requisition

M_BANF_EKG Purchasing Group in Purchase Requisition

M_BANF_EKO Purchasing Organization in Purchase Requisition

M_BANF_FRG Release Code in Purchase Requisition

M_BANF_WRK Plant in Purchase Requisition

M_BEST_BSA Document Type in Order

M_BEST_EKG Purchasing Group in Purchase Order

M_BEST_EKO Purchasing Organization in Purchase Order

M_BEST_WRK Plant in Purchase Order

M_EINF_EKG Purchasing Group in Purchasing Info Record

M_EINF_EKO Purchasing Organization in Purchasing Info Record

M_EINF_WRK Plant in Purchasing Info Record

M_EINK_FRG Release Code and Group (Purchasing)

M_LFM1_EKO Purchasing Organization in Vendor Master Record

M_LIBE_EKO Vendor Evaluation

M_LPET_BSA Document Type in Scheduling Agreement Delivery Schedule

M_LPET_EKG Purchasing Group in Scheduling Agreement Delivery Schedule

M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule

M_LPET_WRK Plant in Scheduling Agreement Delivery Schedule

M_ORDR_EKO Purchasing Organization in Source List

M_ORDR_WRK Plant in Source List

M_QUOT_EKO Purchasing Organization (Quotas)

M_QUOT_WRK Plant (Quotas)

M_RAHM_BSA Document Type in Outline Agreement

M_RAHM_EKG Purchasing Group in Outline Agreement

M_RAHM_EKO Purchasing Organization in Outline Agreement

M_RAHM_WRK Plant in Outline Agreement

M_SRV_LS Authorization for Maintenance of Service Master

M_SRV_LV Authorization for Maintenance of Model Serv. Specifications

M_SRV_ST Authorization for Maintenance of Standard Service Catalog

S_ME_SYNC Mobile Engine: Synchronization of Offline Applications

V_KONH_EKO Purchasing Organization in Master Condition


Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. All special aspects that are relevant for the network and communication security for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) are described below. See also information about SAP ECC under Network and Communication Security [page 18].

Communication Channel Security

The table below shows the communication paths used by the Purchasing and Service Industries components, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path Protocol Used Type of Data Transferred Data Requiring Special Protection

SAP ECC system – Non-SAP system RFC, HTTP Application data/IDocs (messages for store order, store goods receipt, outgoing purchase order) -

SAP ECC system – Adobe Document Services (ADS) HTTP Application data (printer output from ERP purchase, for example, purchase order printout) Price, delivery and payment conditions, and contract numbers, for example, should be able to be transferred encrypted. The necessary security measures are dependent on whether you have installed ADS behind or in front of the firewall.

Supplier Portal (mySAP Supplier Relationship Management) → SAP ECC system RFC, HTTP Application data (purchase order confirmations) for Supplier Self-Service (SUS) Quantities, dates, prices

SAP ECC system – SAP APO system RFC Application data (conditions/purchase orders) Dependent on whether you have placed SAP SCM and SAP ECC in front of, or behind the firewall.

SAP ECC system – SAP SCM system (Event Manager) RFC Application data Quantities, dates

You can protect RFC connections using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information about encryption, see:

●   General information about encryption

SAP NetWeaver security guide under Network and Communication Security  → Transport Layer Security  


●   Encryption of ALE data

SAP NetWeaver security guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)

●   Encryption via SUS output

mySAP SRM Application security guide on SAP Service Marketplace at service.sap.com/securityguide → mySAP Supplier Relationship Management (SRM) Security Guide → Network and Communication Security

For more information about communication channel security between SAP ECC systems and SAP Supply Chain Management systems (SAP SCM systems), see the SAP SCM security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide → Network and Communication Security.

Data Storage Security

Check whether the conditions are classified as sensitive data. You can protect conditions with the following authorization objects:

Authorization Objects for Conditions

Authorization Object Description

V_KONH_EKO Purchasing Organization in Master Condition

V_KONH_VKS Condition: Authorization for Condition Types

Inventory Management (MM-IM): Authorizations

Standard Roles

The following table shows the standard roles that you can use for the Inventory Management (MM-IM) component.

Standard Roles

Role Description

SAP_MM_IM_ARCHIVING Archive Material Documents

SAP_MM_IM_BALANCE_LIST GR/IR Balance List

SAP_MM_IM_CYCLE_COUNTING Cycle Counting

SAP_MM_IM_DISPLAY List Display

SAP_MM_IM_GM_FOR_RETAIL Goods Movement (Retail)

SAP_MM_IM_GOODS_MOVEMENTS Goods Movement

SAP_MM_IM_GOODS_MOVEMENT_EMPTY Goods Movement

SAP_MM_IM_INVENTORY_ARCHIVE Physical Inventory Archiving

SAP_MM_IM_INVENTORY_CONTROL Physical Inventory


SAP_MM_IM_INVENTORY_EXECUTION Physical Inventory Execution

SAP_MM_IM_INVENTORY_REPORTING Physical Inventory - Reporting

SAP_MM_IM_INVENTORY_SAMPLING Physical Inventory Sampling

SAP_MM_IM_PERIODIC_PROCESSING Periodic Processing

SAP_MM_IM_REPORTS Reports

SAP_MM_IM_RESERVATION_MAINTAIN Reservations

SAP_MM_IM_VENDOR_CONSIGNMENT Vendor Consignment

Standard Authorization Objects

The following table shows the standard authorization objects that you can use for theInventory Management (MM-IM) component.

Standard Authorization Objects: Inventory Management

Authorization Object Description

M_ISEG_WDB Phys. Inv: Difference Posting in Plant

M_ISEG_WIB Phys. Inv: Phys. Inv Document in Plant

M_ISEG_WZL Phys. Inv: Count in Plant

M_ISEG_WZB Phys. Inv: Count and Difference Posting in Plant

M_MSEG_BMB Material Documents: Movement Type

M_MBNK_ALL Material Documents: Number Range Maintenance

M_MSEG_WMB Material Documents: Plant

M_MRES_BWA Reservations: Movement Type

M_MRES_WWA Reservations: Plant

M_MWOF_ACT Control for Split Valuation of Value (MBWO)

M_SKPF_VGA Inventory Sampling: Transaction

M_SKPF_WRK Inventory Sampling: Plant

M_MSEG_BWA Goods Movement: Movement Type

M_MSEG_LGO Goods Movement: Storage Location

M_MSEG_WWA Goods Movements: Plant

M_MSEG_BWF Goods Receipt for Production Order: Movement Type

M_MSEG_WWF Goods Receipt for Production Order: Plant

M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type

M_MSEG_WWE Goods Receipt for Purchase Order: Plant


Logistics Invoice Verification (MM-IV): Authorizations

Standard Roles

The following table shows the standard roles that you can use for the Logistics Invoice Verification (MM-IV) component.

Standard Roles: Logistics Invoice Verification

Role Description

SAP_MM_IV_CLERK_AUTO Automatic Settlements

SAP_MM_IV_CLERK_BATCH1 Enter Invoices for Verification in the Background

SAP_MM_IV_CLERK_BATCH2 Manual Processing of Invoices Verified in the Background

SAP_MM_IV_CLERK_GRIR_MAINTAIN GR/IR Clearing Account Maintenance

SAP_MM_IV_CLERK_GRIR_MAITAIN GR/IR Clearing Account Maintenance

SAP_MM_IV_CLERK_ONLINE Online Invoice Verification

SAP_MM_IV_CLERK_PARK Park Invoices

SAP_MM_IV_CLERK_RELEASE Invoice Release

SAP_MM_IV_SUPPLIER_FINANCE Settlement Information for Vendor (External Supplier) on the Internet

Standard Authorization Objects

The following table shows the standard authorization objects that you can use for theLogistics Invoice Verification (MM-IV) component.

Standard Authorization Objects: Logistics Invoice Verification

Authorization Object Description

M_RECH_WRK Invoices: Plant

M_RECH_AKZ Invoices: Accept Invoice Verification Differences Manually

M_RECH_EKG Invoice Release: Purchasing Group

M_RECH_SPG Invoices: Blocking Reasons


Product Lifecycle Management (PLM)

Authorizations

The applications in Product Lifecycle Management (PLM) use the following objects for the authorization checks:

●   Composite roles

●   Standard roles

●   Profile

●   Authorization objects

Composite roles

The following table shows the composite roles used by applications in PLM.

Composite Role Description

SAP_EHS_IHS_SPECIALIST Industrial Hygiene and Safety Professional

SAP_WP_BD_ADMIN EH&S Administrator

Standard roles

The following tables show the standard roles used by applications in PLM.

Roles: Cross-Application (CA)

Role Description

SAP_CA_CL_DISPLAY Product Data Management – Display Classification Information

SAP_CA_CL_MAINTAIN Product Data Management: Classification

SAP_CA_DMS_ADMIN Administration Tasks in DMS

SAP_CA_DMS_DISPLAY Product Data Management: Displaying Documents

SAP_CA_DMS_MAINTAIN Product Data Management: Classification

SAP_CA_NO_NOTIF_GENERAL General Notification Processing

SAP_CA_NO_NOTIF_ISR Creation of Internal Service Request

SAP_CA_NO_NOTIFVIAWEB_EXT General Notification Creation on Web

SAP_CA_NO_NOTIFVIAWEB_INT General Notification Creation on the Web - Link

Roles: Customer Service (CS)

Role Description

SAP_CS_AG_CUST_ORDER_COMPLETE Processing of Sales Order Settlement and Billing Document

SAP_CS_AG_CUST_ORDER_DISPLAY Display of Service Agreements, Sales Orders and Billing Documents


SAP_CS_AG_CUST_ORDER_PROCESS Processing of Sales Order and Customer Repair Order

SAP_CS_AG_PROCESS Processing of Service Agreements

SAP_CS_AG_WARRANTIES_DISPLAY Display Warranties

SAP_CS_AG_WARRANTIES_PROCESS Processing of Warranties

SAP_CS_CI_ADMIN Customer Interaction Center Administration

SAP_CS_CI_AGENT Customer Interaction Center (Front Office)

SAP_CS_CI_INFOSYSTEM Contact History for Groups and Agents

SAP_CS_CM_SOL_DATA_BASE_PROC Processing of Solution Database

SAP_CS_IB_INSTALLED_BASE_DISPL Display of Installed Base

SAP_CS_IB_INSTALLED_BASE_PROC Processing of Installed Base

SAP_CS_SE_DISPLAY_NOTIF_ORDERS Display of Service Notifications and Orders

SAP_CS_SE_PROCESS_NOTIF_ORDERS Processing of Service Notifications and Orders

Roles: Environment, Health & Safety (EH&S)

Role Description

SAP_EHS_BD_UTIL Tools

SAP_EHS_DGP_DATABASEFILLING Dangerous Goods Master Filling

SAP_EHS_DGP_DATASENDING Data Distribution – Dangerous Goods

SAP_EHS_DGP_DATATRANSFER Data Transfer, External – Dangerous Goods

SAP_EHS_DGP_DISPLAYLIST Dangerous Goods Master Lists

SAP_EHS_DGP_MASTERDATA Dangerous Goods Master Management

SAP_EHS_DGP_MASTERDATASHOW Dangerous Goods Master Information

SAP_EHS_DGP_PHRASES Dangerous Goods Text Module Management

SAP_EHS_DGP_REPORTINFO Report Information System – Dangerous Goods

SAP_EHS_DGP_SUBSTANCEDATA Dangerous Goods Basic Data Management

SAP_EHS_HSM_AGENT Agent

SAP_EHS_HSM_INFO Reporting

SAP_EHS_HSM_LABEL Global Label Management

SAP_EHS_HSM_MATERIA Material

SAP_EHS_HSM_REPORT Report

SAP_EHS_HSM_SUBSTANCE Substance

SAP_EHS_HSM_WORKAREA Work Area

SAP_EHS_IHS_AGENT Agent Management

SAP_EHS_IHS_AMOUNTDETERMIATION Amount Determination

SAP_EHS_IHS_BUSINESSPARTNER Business Partners – Industrial Hygiene and Safety

SAP_EHS_IHS_EXPOSURELOG Exposure Log


SAP_EHS_IHS_INCIDENTLOG Incident/Accident Management

SAP_EHS_IHS_INFOSYSTEM Industrial Hygiene and Safety Reporting

SAP_EHS_IHS_INJURYLOG Injury/Illness Log

SAP_EHS_IHS_PHRASES Phrase Management – Industrial Hygiene and Safety

SAP_EHS_IHS_REPORTINFO Report Information System – Industrial Hygiene and Safety

SAP_EHS_IHS_RISKASSESSMENT Risk Assessment

SAP_EHS_IHS_SERVICE Service

SAP_EHS_IHS_WORKAREA Industrial Hygiene and Safety Professional

SAP_EHS_OH_AMBSERV Work Area Management

SAP_EHS_OH_ASSIGN Person Assignment

SAP_EHS_OH_BUPT Business Partners – Occupational Health

SAP_EHS_OH_EVAL Reporting

SAP_EHS_OH_EVAL_NEW Reporting

SAP_EHS_OH_EXAM Examinations and Tests

SAP_EHS_OH_IMPORT Medical Data Import

SAP_EHS_OH_INJURYLOG Incident/Accident Log and Injury/Illness Log

SAP_EHS_OH_MEDSERV Medical Services

SAP_EHS_OH_PERSSEL Person Selection and Scheduling

SAP_EHS_OH_QUEST Question Catalogs and Questionnaires

SAP_EHS_OH_SERVICE Industrial Hygiene and Safety Link

SAP_EHS_OH_SET Current Settings

SAP_EHS_SAF_UTIL Tools

SAP_EHS_SAF_SUBSTANCESHOW Specification Display

SAP_EHS_SAF_SUBSTANCEINFO Specification Information System

SAP_EHS_SAF_SUBSTANCEDATA Substance

SAP_EHS_SAF_REPORTSHOW EH&S Report Information System

SAP_EHS_SAF_REPORTSHIPPING Report Shipping

SAP_EHS_SAF_REPORTINFO Report Information System – Product Safety

SAP_EHS_SAF_REPORTGENERATION Report Definition

SAP_EHS_SAF_REPORTEDIT Report

SAP_EHS_SAF_PHRASES Phrase Management – Product Safety

SAP_EHS_SAF_LABEL Global Label Management

SAP_EHS_SAF_DATATRANSFER Data Transfer, External – Product Safety

SAP_EHS_SAF_DATASENDING Data Distribution

SAP_EHS_SAF_BOMBOS Bill of Materials Composition

SAP_EHS_WA_BUSINESSPARTNER Waste Management Business Partner


SAP_EHS_WA_DATATRANSFER Data Transfer, External – Waste Management

SAP_EHS_WA_DISPOSAL_DOCUMENTS Disposal Documents

SAP_EHS_WA_DISPOSAL_PROCESSING Disposal Processing

SAP_EHS_WA_EHSW_1 Report Tree – Waste Management

SAP_EHS_WA_INFOSYSTEM Waste Information System

SAP_EHS_WA_REPORTEDIT Report Management - Waste Management

SAP_EHS_WA_REPORTGENERATION Report Creation – Waste Management

SAP_EHS_WA_REPORTSHIPPING Report Shipping - Waste Management

SAP_EHS_WA_WASTE_SPEZIFICATION Master Data - Specification

SAP_EHS_WA_WASTECODE Waste Codes

SAP_EHS_WA_WASTEINFO Waste Information

SAP_WP_BD_ADMIN EH&S Administrator

SAP_WP_DG_SPECIALIST Dangerous Goods Specialist

SAP_WP_HSM_SPECIALIST Hazardous Substance Manager

SAP_WP_IHS_SPECIALIST Industrial Hygiene and Safety Professional

SAP_WP_OH_PHYSICIAN Occupational Physician

SAP_WP_PS_SPECIALIST Product Safety Specialist

Roles: Logistics (LO)

Role Description

SAP_LO_ECH_MAINTAIN Engineering Change Management

SAP_LO_EMPLOYEE Employee Self-Service (LO)

SAP_LO_MD_BOM_DISPLAY Complete BOM Display

SAP_LO_MD_BOM_MAINTAIN Complete BOM Processing

SAP_LO_MD_CUSTOMER_DISPLAY Display Customer Master

SAP_LO_MD_CUSTOMER_MAINTAIN Customer Master Maintenance

SAP_LO_MD_MBOM_MAINTAIN Material BOM Processing

SAP_LO_MD_MM_MATERIAL_DISPLAY Display Material Master Data

SAP_LO_MD_MM_MATERIAL_DISPLAY Maintain Material Master

SAP_LO_MD_OBOM_MAINTAIN Order BOM Processing

SAP_LO_MD_PBOM_MAINTAIN WBS BOM Processing

SAP_LO_MD_SERIAL_NO_DISPLAY Display of Serial Numbers

SAP_LO_MD_SERIAL_NO_PROCESS Processing of Serial Numbers

SAP_LO_MD_VENDOR_DISPLAY Display Vendor Master

SAP_LO_MD_VENDOR_MAINTAIN Vendor Master Maintenance

SAP_LO_PP_RTG_DISPLAY Routing Display

SAP_LO_PP_RTG_MAINTAIN Routing Maintenance

SAP_LO_VC_DEP_MAINTAIN Variant Configuration Modeling


SAP_LO_VC_ESALES Connection to CRM

SAP_LO_VC_MAINTAIN Complete Variant Configuration

SAP_LO_VC_ORDER_PROC Order Processing – Variant Configuration

SAP_LO_VC_SIMULATION Variant Configuration Simulation

Roles: Plant Maintenance (PM)

Role Description

SAP_PM_ALM_ME_ADMINISTRATOR Asset Life-Cycle Management - Administrator (Mobile Engine)

SAP_PM_ALM_ME_ENGINEER Asset Life-Cycle Management - Administrator (Mobile Engine)

SAP_PM_DATATRANSFER Data Transfer and Download Structure for Plant Maintenance

SAP_PM_EQM_BILL_OF_MAT_DISPL Display of Bill of Material

SAP_PM_EQM_BILL_OF_MAT_PROC Processing of Bill of Material

SAP_PM_EQM_EQUIPMENT_DISPLAY Display of Equipment

SAP_PM_EQM_EQUIPMENT_PROCESS Processing of Equipment

SAP_PM_EQM_FUNC_LOC_DISPLAY Display of Functional Location

SAP_PM_EQM_FUNC_LOC_PROCESS Processing of Functional Location

SAP_PM_EQM_ME_READ_LIST_DISPL Display of Measurement Reading Entry List

SAP_PM_EQM_ME_READ_LIST_PROC Processing of Measurement Reading Entry List

SAP_PM_EQM_MEAS_POINTS_DISPLAY Display of Measuring Points

SAP_PM_EQM_MEAS_POINTS_PROCESS Processing of Measuring Points

SAP_PM_EQM_PERMITS_ISSUE_DISPL Issue and Display of Permits

SAP_PM_EQM_PERMITS_PROCESS Processing of Permits

SAP_PM_EQM_PROCESS_OBJECT_LINK Processing of Object Link

SAP_PM_EQM_PROD_RESOURC_DISPL Display of Production Resources and Tools

SAP_PM_EQM_PROD_RESOURC_PROC Processing of Production Resources and Tools

SAP_PM_EQM_REF_FUNC_LOC_PROC Processing of Reference Location

SAP_PM_EQM_WORK_CENT_EVALUATE Evaluation of Work Centers

SAP_PM_EQM_WORK_CENTERS_DISPL Display of Work Centers

SAP_PM_EQM_WORK_CENTERS_PROC Processing of Work Centers

SAP_PM_IS_INFO-SYSTEM_CONFIG Configuration of Information System

SAP_PM_IS_TASKS_ANALYSIS_PERF Execution of Analyses

SAP_PM_PRM_MAIN_PLANS_DISPLAY Display of Maintenance Plans

SAP_PM_PRM_MAIN_PLANS_REV_PROC Processing of Maintenance Plans and Revisions

SAP_PM_PRM_MAIN_PLANS_SCHEDULE Scheduling of Maintenance Plans

SAP_PM_PRM_TASKS_LISTS_DISPLAY Display of Task Lists

SAP_PM_PRM_TASKS_LISTS_PROCESS Processing of Task Lists


SAP_PM_WOC_COMP_CONF_DIS Display of Completion Confirmation

SAP_PM_WOC_COMP_CONF_PROC_CANC Processing and Cancellation of Completion Confirmation

SAP_PM_WOC_CONF_POSTPROC Postprocessing of Completion Confirmation

SAP_PM_WOC_HISTORICAL_ORD_DISP Display of Historical Orders

SAP_PM_WOC_HISTORICAL_ORD_PROC Processing of Historical Orders

SAP_PM_WOC_MEAS_DOC_DISPLAY Display of Measurement Documents

SAP_PM_WOC_MEAS_DOC_MAINTAIN Processing of Measurement Documents

SAP_PM_WOC_NOTIFICATION_DISPL Display of Notification

SAP_PM_WOC_NOTIFICATION_PP Creation of Notification

SAP_PM_WOC_NOTIFICATION_PROC Processing of Notification

SAP_PM_WOC_ORDER_DISPLAY Display of Order

SAP_PM_WOC_ORDER_PROCESS Processing of Order

SAP_PM_WOC_ORDER_SCHEDULE Scheduling of Order

SAP_PM_WOC_PROCESS_PLANNING Resource Planning

SAP_PM_WOC_REFURBISHM_ORD_PROC Processing of Refurbishment Order

SAP_PM_WOC_WCM_ENGINEER Safety Engineer

SAP_PM_WOC_WCM_INFO Information Functions for Work Clearance Management

SAP_PM_WOC_WCM_PLANNER Work Clearance Planner

SAP_PM_WOC_WCM_REQUESTER Work Clearance Requester

SAP_PM_WOC_WORK_MANAGEMENT Work Management in Plant Maintenance and Customer Service

Roles: Project System

Role Description

SAP_PS_ARCHIVING Archive Project Data

SAP_PS_BASIC_WRKPL Work Center Master Data

SAP_PS_BASIC_WRKPL_DISPL Display Work Center Master Data

SAP_PS_BUDGET_PROJ Project Budgeting

SAP_PS_CLAIM Collaboration

SAP_PS_CEP Claim Management

SAP_PS_CO_MODEL_PROJ Allocation Templates

SAP_PS_CONFIRM Confirm

SAP_PS_DATES Project Dates

SAP_PS_DATES_DISPLAY Display Project Dates

SAP_PS_DOCUMENTS Documents

SAP_PS_DOCUMENTS_DISPLAY Display Documents

SAP_PS_EXECUTE_CO_REPORTS Execute Controlling Reports


SAP_PS_FUNDS_COMMITMENT Display Project Dates

SAP_PS_GROUPING Requirements Grouping

SAP_PS_LINE_MANAGER PS Input for the Line Manager Generic Role

SAP_PS_MASS_CHANGE Mass Change

SAP_PS_MATERIAL Material in Projects

SAP_PS_MATERIAL_DISPL Display Material in Projects

SAP_PS_MONITOR_MAT_DATES Monitoring Dates for Material

SAP_PS_OVERALL_CO_PLAN_PROJ Overall CO Planning for Projects

SAP_PS_PAYMENTS_ACTUAL Actual Project Payments

SAP_PS_PAYMENTS_PLAN Planned Project Payments

SAP_PS_PER_CO_PLAN_PROJ Periodic CO Planning for Projects

SAP_PS_PEREND_PROJ_COLL Period-End Closing – Collective Project Processing

SAP_PS_PEREND_PROJ_IND Period-End Closing – Individual Project Processing

SAP_PS_PEREND_PROJ_PAYMENT Payment Transfer to Period

SAP_PS_PEREND_PROJ_WLM Worklist for Period

SAP_PS_PERS_RES_EVAL Evaluate Personnel Resources

SAP_PS_PERS_RES_PLAN Plan Personnel Resources

SAP_PS_PROGRESS Progress Determination

SAP_PS_PROJ_YEAREND Year-End Closing for Projects

SAP_PS_REP_CLAIM Claim Reports

SAP_PS_REP_COST_SUMMARIZ Summarized Cost Reports

SAP_PS_REP_COSTS Cost Reports

SAP_PS_REP_LINE_ITEM Line Item Reports

SAP_PS_REP_MATERIAL Material Reports

SAP_PS_REP_PAYMENTS Payment Reports

SAP_PS_REP_PROGRESS Progress Reports

SAP_PS_REP_REVENUES Revenue and Profitability Reports

SAP_PS_REP_STRUCT Structure Reports

SAP_PS_REP_TOOLS Information System - Tools

SAP_PS_RM_ADMINISTRATOR Administrator for Public Sector Records Management

SAP_PS_RM_HEAD Manager Public Sector Records Management

SAP_PS_RM_REGISTRAR Recorder for Public Sector Records Management

SAP_PS_RM_USER Processor Public Sector Records Management

SAP_PS_SALES_PRICING Calculate Sales Price

SAP_PS_STD_STRUCT Standard Structures

SAP_PS_STD_STRUCT_DISPL Display Standard Structures

SAP_PS_STRUCT Project Structures

SAP_PS_STRUCT_DISPL Display Project Structures


SAP_PS_TRANSFER_PRICE_ACTUAL Actual Transfer Prices

SAP_PS_TRANSFER_PRICE_PLAN Plan Transfer Prices

Roles: Quality Management (QM)

Role Description

SAP_QM_ADMIN Administrator

SAP_QM_BATCH_INFO Display of Batch Data

SAP_QM_CA_CERTVIAWEB_EXT Processing Certificates on the Web

SAP_QM_CA_CERTVIAWEB_INT Link: Certificates on the Web

SAP_QM_CA_INCOMING_CERT Monitoring of Certificate Receipt

SAP_QM_CA_OUTCERT_MAINT Administration of Certificate Master Data

SAP_QM_CA_OUTGOING_CERT Creation of Certificates in Sales and Distribution

SAP_QM_IM_COSTS Administration of QM Orders

SAP_QM_IM_COSTS_DISPLAY Display of Quality-Related Costs

SAP_QM_IM_DEFECTS_REC Defects Recording

SAP_QM_IM_LOT_COMPLETION Inspection Lot Completion

SAP_QM_IM_LOT_MAINTAIN Processing of Inspection Lots

SAP_QM_IM_QMANAG_WORKLIST Worklist for Quality Managers

SAP_QM_IM_QPLANNER_INSP Inspection Processing by Quality Planner

SAP_QM_IM_RES_REC Results Recording

SAP_QM_IM_RESULTSVIAWEB_EXT Results Recording on the Web

SAP_QM_IM_RESULTSVIAWEB_INT Link: Results Recording on the Web

SAP_QM_IM_SAMPLE Sample Management

SAP_QM_IT_CALIB_INFO Calibration Information

SAP_QM_IT_CALIB_INSP Calibration Inspection

SAP_QM_IT_CALIB_PLANNING Calibration Planning

SAP_QM_IT_CALIB_PROCUREMENT Procurement of Test Equipment

SAP_QM_IT_EQUI_MAINTAIN Maintenance of Test Equipment

SAP_QM_IT_PM_NOTIF Processing of Maintenance Notifications

SAP_QM_PP_OPERATOR Production Worker

SAP_QM_PP_SUPERVISOR Production Supervisor

SAP_QM_PT_BASIC_DATA Maintenance of Basic Data

SAP_QM_PT_CHANGE_MANAG_DISPLAY Change Management - Display

SAP_QM_PT_IPLANNING Inspection Planning

SAP_QM_PT_LOG_MASTER_DISPLAY Logistics Master Data - Display

SAP_QM_PT_LOG_MASTER_MAINT Logistics Master Data - Edit

SAP_QM_PT_MAT_MANAG_DISPLAY Display of Materials Management Information


SAP_QM_PT_QMANAG_MASTER_DISP Display of Logistics Master Data for Quality Managers

SAP_QM_QC_CONTROL_ALL General Quality Control

SAP_QM_QC_QMIS Quality Evaluations (QMIS)

SAP_QM_QC_QMIS_ALL General Quality Evaluations (QMIS)

SAP_QM_QMANAG_GR Quality Manager – Goods Receipt

SAP_QM_QMANAG_PP Quality Manager - Production

SAP_QM_QN_NOTIF_BASIC Extended Processing of Notifications

SAP_QM_QN_NOTIF_DISPLAY Display of Quality Notifications

SAP_QM_QN_NOTIF_MAINT Processing of Notifications

SAP_QM_QN_NOTIFVIAWEB_EXT Notifications on the Web – Processing

SAP_QM_QN_NOTIFVIAWEB_INT Link: Notifications on the Web

SAP_QM_QN_TASK_MAINT Processing of Tasks

SAP_QM_QN_TASK_PROCESSOR Task Processor

Roles: General

Role Description

SAP_MM_SE_CLERK Service Entry Clerk

SAP_PLMIFO_MAT_MAINTAIN Material Master Maintenance plus RFC Authorization

SAP_PP_BD_RTG_DISPLAY Routing Display

SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance

SAP_PP_PS_PRT Project System – Production Resources/Tools

SAP_PP_SFC_OCM Production Order - Order Change Management

Profiles

The following table shows the profiles used by applications in PLM. For some applications there are several profiles that begin with the same character string. In this case, the table contains the starting character string followed by the wildcard character * (wild card). You can display all the profiles in the profile list (transaction SU02).

Profile Description

B_MASSMAIN Mass maintenance tool

C_A.AV Composite profile for person in charge of work scheduling

C_A.KONSTRUK Composite profile for person in charge of engineering/design

C_AENR_* List of profiles for change management

C_ALL PP: All authorizations for master data/classif. system

C_CAP_ALL All authorizations for standard value calculation with CAPP

C_CV_ALL All authorizations for Document Management

C_EHSH_* List of profiles for occupational health


C_EHSH_* List of profiles for EH&S

C_FHMI_* List of profiles for production resources/tools

C_MSTL_* List of profiles for material BOMs

C_PS_* List of profiles for Project Systems

C_ROUT_* List of profiles for task lists

C_SHE_* List of profiles for EH&S

E_CS_* List of profiles for EC-CS

I_PM_* List of profiles for Plant Maintenance

M_* List of profiles for Materials Management

Q_* List of profiles for Quality Management

Z_CUSMM01 Maintain Customizing for MM

Z_CUSMM02 Display Customizing for MM

Z_CUSPM01 Maintain Customizing for PM

Z_CUSPM02 Display Customizing for PM

Z_CUSPP01 Maintain Customizing for PP

Z_CUSPP02 Display Customizing for PP

Z_CUSPS01 Maintain Customizing for PS

Z_CUSPS02 Display Customizing for PS

Z_CUSQM01 Maintain Customizing for QM

Z_CUSQM02 Display Customizing for QM

Authorization objects

All the authorization objects of an application are grouped into one object class. You can display the authorization objects by choosing Role Maintenance (transaction PFCG) Environment → Authorization Objects → Display.

The following table shows the object classes for the authorization objects used by applications in PLM.

Object Classes for Authorization Objects

Object Class Description

CLAS Classification

CV Document Management

EHS EH&S

LO Logistics - General

Exclusively the authorization objects for the variant configuration (character string C_LOVC_*).

MM_G Materials Management – Master Data

MM_S Materials Management – External Services

PM Plant Maintenance


PP Production Planning

Authorization objects for the following applications:

• Change management (character string C_AENR_*)

• Task lists (character string C_ROUT*)

• BOMs (character string C_STUE_*)

PS Project System

QA Quality Management

Communication Destinations

The SAP standard system does not supply any communication destinations for Product Lifecycle Management (PLM). In the area of CAD integration, an external CAD system starts communication with the SAP system. A callback then calls the SAP system back. This communication takes place via Remote Function Call (RFC).

Important SAP Notes

Note the following SAP Notes with security-related information.

SAP Note Short Text

13128 General info on authorizations in Project System

24441 CR134 No authorization to reflect change in HR

35100 Changing BOMs with hist. requirement w/o change no.

40586 No authorization for maintaining view V_QDEB

61886 SAP enhancement CNEX0002: No authorization

67713 Authorization check in routing with C_ROUT

192748 Creating PM order for notif. w/o IW34 authorization

198079 No check of authorization S_TCODE for CALL

327801 IW22: Authorization K_ORDER

332997 PS-IS: Authorization check for BEBD

368574 PM/CS Authorization Check

371269 ECH: Authorizations for Customizing parameter

379041 Authorization check for multi-level equipment list

385510 Authorization for EDI translator/middleware

407758 Authorization for evaluations of notifications

414858 Authorization check for mass change

420878 BOM change without change number possible

424731 Component assignment without BOM history

426494 Differentiation of history requirement

457086 OINI: No authorization for changing


522426 Consulting: Authorizations in the Project System

532231 Data transfer and authorization concept

554415 FAQ 2: Authorization check

555812 CDESK: CAD desktop: Required authorizations

558586 Authorization check for mass change II

568313 CJ20N, CN22: General layout

568522 Undoing changes in BOM

569048 Undoing changes in BOM

638781 Project authorization via partner functions

671580 PS Cash Management: Customizing for commitment items

755020 Authorization check for EHS report & report template

Manufacturing

Authorizations

The applications in Manufacturing use the following objects for the authorization checks:

● Standard Roles

● Profile

● Authorization Objects

Standard Roles

The following table shows the standard roles used by applications in Manufacturing.

Roles: Basic Data

Role Description

SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance

SAP_PP_BD_WKC_DISPLAY Work Center Display

SAP_PP_BD_WKC_MAINTAIN Work Center Maintenance

SAP_PP_MATERIAL_MANAGEMENT Materials Management Production

SAP_PP_PS_PRT Project System – Production Resources/Tools

SAP_LO_PP_RTG_DISPLAY Routing Display

SAP_LO_PP_RTG_MAINTAIN Routing Maintenance

SAP_LO_PP_WRKC_DISPLAY Work Center Display

SAP_LO_PP_WRKC_MAINTAIN Work Center Maintenance


Roles: Capacity Planning (PP-CRP)

Role Description

SAP_PP_CAPA_PLAN Plan Capacities

SAP_PP_CAPA_PLAN Evaluate Capacity Planning

Roles: Kanban (PP-KAB)

Role Description

SAP_PP_KAB_CONTROL KANBAN Control

SAP_PP_KAB_REPORTING KANBAN Evaluation

Roles: Production Planning (PP-MP)

Role Description

SAP_PP_MP_FORECAST Material Forecast

SAP_PP_MP_LONG_TERM_PLANNING Long-Term Planning

SAP_PP_MP_MPS_PLANNING Master Production Scheduling

Roles: Requirements Planning (PP-MRP)

Role Description

SAP_PP_MRP_COORDINATION MRP PP - Coordination

SAP_PP_MRP_EVALUATIONS MRP PP - Evaluation

SAP_PP_MRP_MASTER_DATA MRP PP – Master Data

SAP_PP_MRP_PLANNED_ORDER MRP PP – Planned Order

SAP_PP_MRP_PLANNING MRP PP – Planning Execution

Roles: Production Orders (PP-SFC)

Role Description

SAP_PP_SFC_CONFIRMATIONS Production Order - Confirmations

SAP_PP_SFC_GM Production Order – Goods Movements

SAP_PP_SFC_MAT_MANAGEMENT Production Order – Materials Management

SAP_PP_SFC_OCM Production Order - Order Change Management

SAP_PP_SFC_ORDER_EXCEPTIONS Production Order – Reprocessing

SAP_PP_SFC_ORDERS Production Order – Processing

SAP_PP_SFC_PERFORMANCE Production Order – Production Information System

SAP_PP_SFC_PRODUCTION_OPERATOR Production Operator in Production

SAP_PP_SFC_PRT Production Order – Production Resource/Tool

SAP_PP_SFC_WM Production Order - Warehouse Management


Roles: Repetitive Manufacturing (PP-REM)

Role Description

SAP_PP_REM_CONFIRMATION Repetitive Manufacturing - Backflushing

SAP_PP_REM_MASTERDATACHANGE Repetitive Manufacturing – Change Master Data

SAP_PP_REM_MASTERDATADISPL Repetitive Manufacturing – Display Master Data

SAP_PP_REM_PLANNING Repetitive Manufacturing - Planning

SAP_PP_REM_PRODUCTION Repetitive Manufacturing - Production

SAP_PP_REM_REPORTING Repetitive Manufacturing - Evaluations

Roles: Process Industries (PI)

Role Description

SAP_PP_PI_BATCH_RECORD_EXP Edit Batch Record

SAP_PP_PI_BATCH_RECORD_SUPER Approve Batch Record

SAP_PP_PI_CAPA_EVAL_STD Perform Capacity Evaluations

SAP_PP_PI_CAPACITY_EXP Edit Capacity

SAP_PP_PI_CTRL_RECIPE_EXP Monitor Control Recipe

SAP_PP_PI_CUST_PROCMGMT Customizing for Process Management

SAP_PP_PI_DOWNTIME_EXP Record Downtime

SAP_PP_PI_DOWNTIME_SUPER Settings for Downtimes

SAP_PP_PI_GOODS_MOVE_EXP Enter Goods Movement for Order

SAP_PP_PI_GOODS_MOVE_HU_EXP Enter Goods Movements with Handling Units

SAP_PP_PI_GOODS_MOVE_HU_SUPER Cancel Goods Movements with Handling Units

SAP_PP_PI_MA_BATCH_REC_WL_CUM MiniApp: Worklist for Batch Records - Accumulated

SAP_PP_PI_MA_PI_SHEET_WL_CUM MiniApp: Worklist for PI Sheets - Accumulated

SAP_PP_PI_MA_PROC_ORDER_WL_CUM MiniApp: Worklist for Process Orders - Accumulated

SAP_PP_PI_MASTER_RECIPE_EXP Edit Master Recipe

SAP_PP_PI_MASTER_RECIPE_STD Display Master Recipe

SAP_PP_PI_MAT_STAGING_EXP Execute Material Staging for Order

SAP_PP_PI_MAT_STAGING_STD Display Material Staging for Order

SAP_PP_PI_MFG_COCKPIT_1_EXP Edit Manufacturing Cockpit for Manager/Engineer

SAP_PP_PI_MFG_COCKPIT_2_EXP Edit Manufacturing Cockpit for Plant Manager

SAP_PP_PI_MPARTS_INFO_STD Evaluate Missing Parts Info System

SAP_PP_PI_ORDER_CONF_EXP Enter Order Confirmation

SAP_PP_PI_ORDER_CONF_STD Display Order Confirmation

SAP_PP_PI_ORDER_CONF_SUPER Correct Order Confirmations

SAP_PP_PI_ORDER_INFO_STD Evaluate Order Info System

SAP_PP_PI_ORDER_RECORD_EXP Store Order Record

SAP_PP_PI_ORDER_RECORD_STD Display Order Record


SAP_PP_PI_PI_SHEET_EXP Maintain PI Sheet

SAP_PP_PI_PI_SHEET_SUPER Check PI Sheet and Set to “Technically Complete”

SAP_PP_PI_PROC_MESSAGE_EXP Edit Process Message

SAP_PP_PI_PROC_ORDER_EXP_CHNG Change Process Order

SAP_PP_PI_PROC_ORDER_EXP_CREA Create Process Order

SAP_PP_PI_PROC_ORDER_STD Display Process Order

SAP_PP_PI_PROD_CAMPAIGN_EXP Edit Production Campaign

SAP_PP_PI_PROD_CAMPAIGN_STD Display Production Campaign

SAP_PP_PI_PROD_VERSION_EXP Edit Production Version

SAP_PP_PI_PROD_VERSION_STD Display Production Version

SAP_PP_PI_RESOURCE_EXP Edit Resource

SAP_PP_PI_RESOURCE_STD Display Resource

SAP_PP_PI_RESOURCE_SUPER Resource Settings

SAP_PP_PI_SF_INFO_STD Evaluate Shop Floor Information System

SAP_PP_PI_STD_TEXT_EXP Edit Standard Text

Profiles

The following table shows the profiles used by applications in Manufacturing.

Profile Description

C_KANBAN_ALL Profile with All Authorizations for KANBAN Production Control

C_KAPA_ALL PP: Capacity Planning

C_KAPA_ANZ PP Capacity Planning Display Authorizations

C_KAPA_CUST PP: Set & Variables Maintenance for Capacity Planning

C_LFPL_ALL Long-Term Planning: All Authorizations

C_MESS_ALL PP-PI Process Messages: All Authorizations

C_MREC_ALL PP-PI Master Recipe: Authorizations for All Transactions

C_MREC_CHA PP-PI Master Recipe: Change Authorization

C_MREC_CRE PP-PI Master Recipe: Create Authorization

C_MREC_MAT PP-PI Master Recipe: Material Master Update

C_MREC_RPL PP-PI Master Recipe: Authorization for Mass Replacement

C_MREC_SHO PP-PI Master Recipe: Display Authorization

C_MREC_USE PP-PI Master Recipe: Authorization for Where-Used Lists

C_MSTL_ALL PP Material BOMs: Maintenance and Display Authorizations

C_MSTL_ANZ PP Material BOMs: Display Authorizations

C_PBED_ANZ Display Profile for Demand Management

C_PB_ALL Maintenance and Display Authorizations for Demand Mgmt

C_PB_REO Authorization for Reorganization in Demand Management


C_POI_ALL All Authorizations for POI Interface

C_PPPI_ALL PP-PI: All Authorizations for Processing Manufacturing

C_PRCHAR_ALL PP-PI: All Authorizations for Ext. Access to Proc. Charact.

Authorization Objects

All the authorization objects of an application are grouped into one object class. You can display the authorization objects by choosing Role Maintenance (transaction PFCG) Environment → Authorization Objects → Display.

The following table shows the object classes for the authorization objects used by applications in Manufacturing.

Object Classes for Authorization Objects

Object Class Description

PP Production Planning

PPE Integrated Product and Process Engineering

LO Logistics - General

Authorization objects:

• C_CF_QUEUE Authorization object for displaying/maintaining contents of CIF queue

• C_PPE_PS iPPE: PS-iPPE interface (Component assignment)

• C_PPE_PS iPPE: PS-iPPE interface (Interface)

Communication Destinations

In Manufacturing, the following programming elements are used for communicating with external systems:

● Remote Function Call (RFC)

● Business Integration Programming Interface (BAPI)

It is not necessary to encrypt the data.


Logistics Execution (LE)

Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)

Authorizations

Standard Roles

The following table shows the standard roles used by the components Decentralized Warehouse Management (LE-IDW), Transportation (LE-TRA), and Shipping (LE-SHP).

Standard Roles

Role Description

SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data

SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint

SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)

SAP_LE_GOODS_ISSUE_DELIVERY Post Goods Issue for Outbound Deliveries

SAP_LE_GOODS_RECEIPT_DELIVERY Post Goods Receipt for Inbound Deliveries

SAP_LE_INB_DELIVERY_DISPLAY Display Inbound Deliveries

SAP_LE_INB_DEL_PROCESSING Process Inbound Deliveries

SAP_LE_INB_MONITORING Monitor Inbound Delivery Process

SAP_LE_INB_STATISTICS Standard Analyses for the Inbound Delivery

SAP_LE_LOAD_DELIVERY Load Outbound Deliveries

SAP_LE_MASTER_DATA_MAINTENANCE Master Data Maintenance

SAP_LE_OUTBOUND_POD Proof of Delivery for Outbound Deliveries (POD)

SAP_LE_OUTB_DELIVERY_DISPLAY Display Outbound Deliveries

SAP_LE_OUTB_DEL_PROCESSING Process Outbound Deliveries

SAP_LE_OUTB_MONITORING Monitor Outbound Delivery Process

SAP_LE_OUTB_STATISTICS Standard Analyses for the Outbound Delivery

SAP_LE_PACKING_DELIVERY Pack Deliveries

SAP_LE_PACKING_STATION Packing Station (WEB)

SAP_LE_PICKING_WAVES Process Wave Picks

SAP_LE_POD_HANDHELD Proof of Delivery in Handheld Terminal from Customer’s View


SAP_LE_POD_WEB Proof of Delivery in Internet from Customer’s View

SAP_LE_R2R3_DECENTRAL_SHIPPING R/2-R/3 Link: Decentralized Shipping

SAP_LE_R2R3_MONITORING R/2-R/3 Link: Monitoring

SAP_LE_SHIPPING_NOTIFICATION Process Inbound Deliveries from Supplier’s View in Internet

SAP_LE_TMS_ARCHIVING Archiving of Transportation and Shipment Cost Documents

SAP_LE_TMS_BACKGROUND Background Transactions in Shipment

SAP_LE_TMS_CAPACITY_ANALYSIS Perform Analyses for Utilization and Free Capacity

SAP_LE_TMS_CARRIER_WEB Internet Transactions for the Forwarding Agent

SAP_LE_TMS_CURRENT_ANALYSIS Perform Current Evaluations for Shipments

SAP_LE_TMS_DISPLAY Display Documents in Shipment

SAP_LE_TMS_EXECUTION Execute Planned Shipments

SAP_LE_TMS_EXTERNAL_TPS Interface to External Transportation Planning System

SAP_LE_TMS_MAINTAIN_SCD Create, Process, and Display Shipment Costs

SAP_LE_TMS_MAINTAIN_SCD_COND Maintain Conditions in Shipment Costs Environment

SAP_LE_TMS_MAINT_SHP_MASTER Maintain Master Data in the Transportation Environment

SAP_LE_TMS_MONITOR_PLANNING Monitor Shipment Planning

SAP_LE_TMS_MONITOR_SHPCOSTS Monitor Shipment Costs Calculation and Settlement

SAP_LE_TMS_OTHERS Other Transportation Transactions (Without Composite Role)

SAP_LE_TMS_PLANNING Create, Change, and Display Shipments

SAP_LE_TMS_RULES Define Rules for Multiple Shipment Creation

SAP_LE_TMS_STATISTIC_ANALYSIS Perform Statistical Analyses for Shipments

SAP_LE_TMS_TP_SERVICE_AGENT Interface for Shipment Planning in Cooperation with Forwarding Agents

SAP_LE_WMS_APPOINTMENTS Door Appointments

SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM

SAP_LE_WMS_INFORMATION Warehouse Information

SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data

SAP_LE_WMS_LOAD Workload in Warehouse

SAP_LE_WMS_MONITORING Warehouse Monitoring

SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM

SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM

SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM


SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM

SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM

SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management

SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM

SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP

SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment

SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM

SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM

SAP_LE_WMS_STATISTICS Analysis in WM

SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM

SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM

SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM

SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM

SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM

SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance

Standard Authorization Objects

The following tables show security-relevant authorization objects used by the components Decentralized Warehouse Management, Transportation, and Shipment.

Standard Authorization Objects: Decentralized Warehouse Management

Authorization Object Description

L_BWLVS Movement Type in the Warehouse Management System

L_LGNUM Warehouse Number/Storage Type

L_SFUNC Special Functions in Warehouse Management

L_TCODE Transaction Codes in the Warehouse Management System

Standard Authorization Objects: Transportation

Authorization Object Description

V_VFKK_FKA Shipment Cost Processing: Auth. for Shipment Cost Type

V_VTTK_SHT Shipment Processing: Authorization for Shipment Type

V_VTTK_TDL Shipment Processing: Authorization for Forwarding Agents

V_VTTK_TDS Shipment Processing: Auth. for Transport Planning Points

V_VTTK_TSA Transportation Proc.: Authorization for Shipment Type Status


Standard Authorization Objects: Shipping

Authorization Object Description

V_LECI_CKP Checkpoint: Authorization for Checkpoint

V_LIKP_VST Delivery: Authorization for Shipping Points

V_VBSK_GRA Deliveries: Authorization for Delivery Group Type

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 18].

Communication Channel Security

The following table shows the communication paths that the components Decentralized Warehouse Management, Transportation (LE-TRA), and Shipping (LE-SHP) use, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection | Note

SAP ECC system – another SAP ECC system or external system | RFC | Application data (inbound and outbound deliveries) | - | Decentralized Warehouse Management, communication via BAPI IDoc interface

You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.

Technical Users:

You can use the workflow user WF-BATCH to generate inbound and outbound deliveries. The user must have authorization to create an inbound delivery.


Warehouse Management System (LE-WMS)

Authorizations

Standard Roles

The following table shows the standard roles you can use for Warehouse Management. 

Standard Roles: Warehouse Management

Role Description

SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data

SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint

SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)

SAP_LE_PACKING_DELIVERY Pack Deliveries

SAP_LE_PACKING_STATION Packing Station (WEB)

SAP_LE_PICKING_WAVES Process Wave Picks

SAP_LE_WMS_APPOINTMENTS Door Appointments

SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM

SAP_LE_WMS_INFORMATION Warehouse Information

SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data

SAP_LE_WMS_LOAD Workload in Warehouse

SAP_LE_WMS_MONITORING Warehouse Monitoring

SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM

SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM

SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM

SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM

SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM

SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management

SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM

SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment

SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP

SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM

SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM

SAP_LE_WMS_STATISTICS Analysis in WM

SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM

SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM

SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM


SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM

SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM

SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance

SAP_LO_HU_GOODS_MOVEMENTS Goods Movements with Handling Units

SAP_LO_HU_MASTER_DATA Master Data for Handling Units

SAP_LO_HU_PACKING Pack Handling Units

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 18].

Communication Channel Security

The table below shows the communication paths used by the Warehouse Management System (LE-WMS) component, the protocol used for the link, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

SAP ECC System – Non-SAP System (external Warehouse Management System) | RFC | Application data (ALE distribution) | -

RFC connections can be protected using Secure Network Communications (SNC). For more information, see:

●   General information about encryption

SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security  

●   Security of Application Link Enabling (ALE) 

SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)

Technical Users:

To use ALE, create one or several users with authorization for the standard ALE transactions.


Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services

Authorizations

Standard Roles

You can use standard roles for the Warehouse Management System. For more information about these standard roles for the Warehouse Management System, see Authorizations [page 147].

Standard Authorization Objects

The following table shows the security-relevant authorization objects that the component Logistics Execution (EA-APPL) uses:

Application | Authorization Object | Description

Task and Resource Management | L_EXECUTE | Execution activities in TRM

Task and Resource Management | L_MONITOR | Monitoring activities in TRM

Value-Added Services | L_MON_VAS | L_MON_VAS

Cross-docking | L_MON_XDCK | L_MON_XDCK

Yard Management | L_MON_YARD | L_MON_YARD

Yard Management | L_VEHICLE | L_VEHICLE

Yard Management | L_YARD | L_YARD

Yard Management | L_YRD_MTHD | L_YRD_MTHD

 

For more information, see the SAP ECC documentation in the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component:

●   Task and Resource Management:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Task and Resource Management (LE-TRM) → Other Functions → Authorization Checks

●   Value-Added Services:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Value-Added Services (LE-WM-VAS) → Other Functions → Authorization Objects

●   Cross-docking:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Cross-Docking (LE-WM-CDK) → Other Functions → Authorization Checks

●   Yard Management:


SAP ERP Central Component → Logistics → Logistics Execution (LE) → Yard Management → Other Functions → Authorization Checks

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 18].

Communication Channel Security

The following table shows the communication paths that the component Task and Resource Management (as part of Logistics Execution, EA_APPL 500) uses, the protocol used for the connection, and the type of data transferred:

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

SAP ECC system – external system (SAP or non-SAP system) | RFC | Application data | -

You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.

Retail

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 18].

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.

Communication Channel Security

Link to Mobile Data Entry in SAP Retail Store

The following table shows the communication paths that you use when you implement SAP Retail Store by linking to a mobile device (non-SAP product). You can find more information about the link to SAP Retail Store in the SAP Help Portal at help.sap.com → Documentation → SAP ERP Central Component → ECC → Logistics → SAP Retail → Distributed Data Processing → SAP Retail Store → PDC link in SAP Retail Store.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

SAP ECC System – SAP Exchange Infrastructure (SAP XI) | RFC | Application data | -

SAP Exchange Infrastructure – Server for Mobile Data Entry | RFC | Application data | -

You need a technical user for SAP Exchange Infrastructure for the RFC inbound interface when implementing mobile data. Assign the authorizations for the relevant application to the user.

Communication Paths for Forecasting and Replenishment

For more information about the security of communication paths for the Business Scenario Forecasting & Replenishment, see the Forecasting and Replenishment Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → Industry Scenario Security Guides → SAP Forecasting and Replenishment: Security Guide.

Other Communication Paths for SAP for Retail

The following table shows the communication paths for all remaining system connections for SAP for Retail.

Communication Paths

Application | Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

PRICAT | SAP ECC System – Manufacturer’s system | RFC (or other protocol that supports IDocs) | Application data | -

Store physical inventory | SAP ECC System – Store’s system | RFC (or other protocol that supports IDocs) | Application data | -

POS interface | SAP ECC System – POS System | RFC (or other protocol that supports IDocs) | Application data | Credit card information

AFS/SAP Retail interface | SAP ECC System – AFS System | RFC | ALE messages | -

Interface for space management systems | SAP ECC System – Space Optimization System | RFC | Application data | -

Interface to SAP Business Information Warehouse (SAP BW) | SAP ECC System – SAP BW System | RFC | Application data | -


For more information about communication paths, see the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → ECC → Logistics → SAP for Retail as follows:

●   PRICAT  

SAP Retail  → Distributed Data Processing → Transfer of PRICAT Messages  

●   Store Physical Inventory  

SAP Retail → Merchandise Logistics → Physical Inventory → Physical Inventory: Support for Carrying Out a Store Physical Inventory  

●   POS Interface

SAP Retail  → Distributed Data Processing → POS Interface  

●   AFS/SAP Retail interface  

SAP Retail → Distributed Data Processing → AFS to SAP Retail Interface  

●   Interface for space management systems

SAP Retail → Distributed Data Processing → Application Link Enabling (ALE) → Interface for Space Management Systems

For more information about communication security with SAP BW Systems, see the NetWeaver Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 04 Security Guide (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Type BI → SAP Business Information Warehouse Security Guide → Communication Security.

Authorizations

Standard Authorization Objects

The following tables show the authorization objects used by the Retail component. However, you also use other SAP ECC authorization objects in the Retail component. You can find more information about these authorization objects in other sections of the SAP ECC Security Guide.

Standard Authorization Objects: Retail (Software Component SAP-APPL)

Authorization Object Description

W_APPT IS-R Authorization Appointment

W_ASORT Authorization for Assortment Maintenance

W_ASORT_ST Authorization for the Assignment of Assortments to Plants

W_AUFT_BAA IS-R Authorization Document Type Allocation Table

W_AUFT_BAR IS-R Authorization Document Type Allocation Rule

W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant


W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies

W_FRM IS-R Authorization for Merchandise Distribution

W_GROUPTYP Authorization to Manage Site Grouping

W_LISTVERF IS-R Authorization to Use Listing Procedure

W_LIST_EAC Authorization Acceptance for Listing Errors

W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl

W_ONLSTORE Authorization for Starting Online Store

W_PCAT_LAY Authorization: Product Catalog - Layout Area

W_PCAT_MTN Authorization: Product Catalog - Maintenance

W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group

W_REF_SITE Authorization to Clean MMSITEREF Table

W_SRS_POS Authorizations for Open Store Physical Inventory

W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance

W_STRU_CHG IS-R Authorization: Allow Changes to Structured Material

W_STWB_WRK SAP Retail Store: Stores

W_TRAN_CCR IS-R Authorization: SAP Transaction

W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List

W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain

W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain

W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant

W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group

W_WAKH_MAT IS-R Authorization Action: Material Number

W_WAKH_THE IS-R Authorization Promotion: Theme

W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel

W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant

W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type

W_WTAD_AM IS-R Authorization for Additionals Monitor

W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List


W_WTAD_IR Request Additionals-IDoc via BAPI Call Function

W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc

W_WTRA_LOG Runtime Measurement - Authorization to Delete Data Records

W_WXP_DESI MAP: Design Planning Scenario

W_WXP_HIER Merchandise and Assortment Planning: Planning Hierarchy

W_WXP_INT Merchandise and Assortment Planning: Planning Interfaces

W_WXP_LAY MAP: Planning Layouts and Variants

W_WXP_PLAN MAP: Planning Scenario Planning

 

Standard Authorization Objects: Retail (Software Component EA-RETAIL)

Authorization Object Description

WLM Assignment of Articles for Layout Modules

WLMLOCLIST Creation of Assortments per Layout Module and Store

WLMVREL Release of Layout Module Version

WLMVV Layout Module Version Variant Maintenance

WLWBENT Access to Layout Workbench

WPLGACT Call External Space Management

WRF_CDT_H Article Hierarchy: Horizontal Hierarchy Maintenance

WRF_CDT_V Article Hierarchy: Vertical Hierarchy and Attribute Maintenance

WRF_FOLUP Authorization Follow-Up/Replacement Material Relationships

WRF_GH_AUT Generic Hierarchy: Authorization Check

WRF_OTBSPR Authorization Check OTB Special Release

W_BUDG_TY Budget Type

W_COCO Authorization for Condition Contract

W_RFAPC_GN Authorization for Operative SPS: General

W_RFAPC_RL Authorization for Operative SPS: Release

W_RF_MPA Authorization Object for Markdown Profile Assignment

W_RF_WLAY Authorization Object Layout

C_WRFCHVAL Authorization: Characteristic Value Maintenance

 


Global Trade

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 18].

Communication Channel Security

Connection to an SAP FSCM System

For Global Trade Management (EA-GLTRADE), you can also use an external SAP FSCM System to create forward exchange transactions. If you install SAP FSCM on a separate system, you need an RFC connection. If you install SAP FSCM together with Global Trade Management on a system, you do not need an RFC connection.

Communication Path

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

SAP ERP System – SAP FSCM System (Financial Supply Chain Management) | RFC | Application data | -

RFC connections can be protected using Secure Network Communications (SNC). For more information about setting up RFC connections and the prerequisites (authorizations), see the ERP Implementation Guide (IMG) under Logistics General → SAP Global Trade Management → Currency Hedges → Maintain RFC Destination of the CFM System. For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.

Connection to an External Global Trade Services System (GTS System)

For Global Trade Management (EA-GLTRADE), you can opt to connect an external GTS system. You can use this to check whether the contract data for Global Trade Management adheres to the existing legal requirements (import/export controls, global trade data).

Communication Path

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

SAP ERP System – GTS System | RFC | Application data | -

All users in the SAP ECC system can call the functions on the GTS server using an RFC entry. In this RFC entry, you specify a user that is used uniquely for communication with GTS. Assign this communication user to the following roles for SAP Compliance Management:


Role Description

/SAPSLL/LEG_ARCH GTS Archiving

/SAPSLL/LEG_LCE_APP GTS Legal Control Export: Specialist

/SAPSLL/LEG_LCI_APP GTS Legal Control Import: Specialist

/SAPSLL/LEG_SPL_APP GTS Sanctioned Party List: Specialist

/SAPSLL/LEG_SYS_COMM GTS (Technical) System Communication

 

The RFC connection can be protected using Secure Network Communications (SNC). For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.

Sales and Distribution (SD)

Before You Start

Important SAP Notes

The most important SAP Notes that apply to component security are shown in the table below.

Important SAP Notes

SAP Note Number | Title | Comment

766703 | FAQ: Credit card encryption in R/3 system |

633462 | Encrypting credit card data |

791178 | Credit card encryption in AR back end |

727839 | Authorization role for the SAP SCM - SAP R/3 integration |

128447 | Trusted/Trusting Systems | Necessary for Customizing of the RFC relationship for trusted/trusting systems

Authorizations

Standard Roles

The following table shows the standard roles that are used by the SD component.

Standard Roles

Role Name

SAP_AUDITOR_BA_SD Audit Information System - Sales Revenue

SAP_AUDITOR_BA_SD_A Audit Information System - Sales Revenue

SAP_AUDITOR_TAX_SD AIS - Tax Audit Sales and Distribution


SAP_AUDITOR_TAX_SD_A AIS - Tax Audit Sales and Distribution (Authorization)

SAP_LO_SD_BACKORDERS Backorder Processing

SAP_LO_SD_BILLING_BATCH Process Billing by Batch

SAP_LO_SD_BILLING_DISPLAY Display Billing Documents

SAP_LO_SD_BILLING_PROCESSING Billing Processing Online

SAP_LO_SD_BLOCKED_BILLING_DOC Release Blocked Billing Documents

SAP_LO_SD_CONTRACT_PROCESSING Contract Processing

SAP_LO_SD_CREDIT_MANAGEMENT Credit Management in Sales Documents

SAP_LO_SD_DEALS_PROMOTI_PROCES Sales Deals & Promotions

SAP_LO_SD_INFORMATION_DISPLAY Display Customer & Material Information

SAP_LO_SD_INFORMATION_PROCESSI Maintaining Customer & Material Information

SAP_LO_SD_INQUIRY_PROCESSING Inquiry Processing

SAP_LO_SD_INVOICELIST_PROCESSI Invoice List Processing

SAP_LO_SD_OUTPUT_PROCESS Output Process

SAP_LO_SD_PRICING_DISPLAY Display Pricing

SAP_LO_SD_PRICING_MAINTAIN Maintain Pricing

SAP_LO_SD_QUOTATION_PROCESSING Quotation Processing

SAP_LO_SD_REBATE_PROCESSING Rebate Processing

SAP_LO_SD_RELEASE_FOR_DELIVERY Release Orders for Delivery

SAP_LO_SD_RETURN_PROCESSING Return Order Processing

SAP_LO_SD_SALES_DISPLAY Display Sales Information

SAP_LO_SD_SALES_ORD_PROCESSING Sales Order Processing

SAP_LO_SD_SALES_PERFORMANCE Sales Performance

SAP_LO_SD_SALES_SUPPORT Sales Support

SAP_LO_SD_SCHED_AGR_PROCESSING Scheduling Agreement Processing

Network and Communication Security

SD calls the ERP availability check, and this communicates with APO. The relevant component is SD-BF-AC. First, master and planning data are exchanged between APO and ERP, and then planning transactions in APO are called up from ERP. Technically, this proceeds as follows: The APO – ATP dialog is called up from the sales order in dialog mode. The APO view of the ATP (transaction /SAPAPO/AC03) is displayed using the view Availability Overview (transaction CO09).

For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide SCM 4.1 → Authorization → Integration with SAP Components → Integration of SAP APO and SAP R/3 → Authorization Roles for SAP APO – SAP R/3 Integration → Available to Promise (ATP).

Communication Destinations

Create a batch input user as required. This is not included in the standard delivery.


For more information, see Batch Input Authorizations [External].

Data Storage Security

Credit card numbers are stored in the SAP component SD. As this data is particularly sensitive, it requires additional protection and encryption.

For more information on credit card number encryption, see SAP Note 766703.

Human Capital Management

Personnel Management (PA)

Before You Start

Important SAP Notes

The following table presents the most important SAP Notes regarding security for Personnel Management.

Important SAP Notes

SAP Note Number | Title | Comment

138526 | Authorization check in reports incorrect | PA-PA-XX

138533 | Authorization check for SUBTY does not function | PA-PA-XX

138706 | Authorization problems, analysis preparations | PA-PA-XX

142865 | SAPDBPNP authorization check is too strict | PA-PA-XX

142896 | No access on personnel number despite authorization | PA-PA-XX

148525 | Search help selects too little data | PA-PA-XX

151207 | Authorization check symmetric double-check | PA-XX

362675 | Deactivating P_ORIGIN; activating P_PERNR | PA-PA-XX

383290 | External object types and structural authorizations | PA-BC

385319 | Change of master data in a productive Payroll | PA-PA-IT

385635 | Authorization check with employee subgroup change | PA-BC

390373 | External relationships: Creation of classes | PA-BC

495971 | Workflow 01000015 is not triggered when changing address | PA-PA-XX

514893 | Ad hoc query: Hit list differs from the output | PA-IS

552184 | Information on the object type of the central person | PA

693156 | Authorization check for reentry | PA-PA-XX

724149 | HRALX: Masking sensitive data | BC-BMT-OM-CRM

23611 | Collective Note: Security in SAP Products | BC-SEC

30724 | Data protection and security in SAP Systems | BC-SEC

Additional Information

●   For extensive documentation on authorization objects in Personnel Management, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [External].

●   For some country versions, additional information is also available:

Country version Germany

○   Leitfaden Datenschutz für SAP R/3 in SAP Service Marketplace at service.sap.com for the country version Germany

Country version Great Britain (PA-PA-GB)

○   For an Implementation and User Guide for E-Filing Incoming, see SAP Service Marketplace at service.sap.com under the customer page for the country version Payroll Great Britain in the Media Center.

Country version Switzerland (PA-PF-CH)


○   For documentation on the settings and functions for the authorization object P_CH_PK for Pension Fund Switzerland, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Payroll → Payroll Switzerland → Pension Fund → Reference Guide for the Pension Fund → Authorizations → Authorization Object P_CH_PK [External].

User Management

User management for Personnel Management uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Personnel Management, see the sections below. In addition, there is a list of the standard users that are necessary for operating Personnel Management.

User Management Tools

The table below shows the tools for user management in Personnel Management.

User Management Tools

Tool | Detailed Description | Prerequisites

User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Personnel Management users. |

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.

The user types required for Personnel Management include:

●   Individual users

○   Administration users for

■   Personnel Administration

■   Benefits Administration

○   Managers for

■   Personnel Administration

■   Benefits Administration

■   Compensation Administration

■   Training and Event Management

○   Specialists for

■   Personnel Administration

■   Benefits Administration


■   Compensation Administration

■   Training and Event Management

●   Technical users

Technical users are required for the following business processes:

○   WF-BATCH user

If you want to use the workflow functions for the different Personnel Management functions, you must create a WF-BATCH system user in the standard system.

○   Distribution of master data through ALE technology. For more information, see the documentation for the report RHALEINI (HR: ALE Distribution of HR Master Data).

○   Compensation Management (PA-CM): For the integration with the Award function, the technical user requires authorization for the following functions:

■   Call RFC function module HRCM_RFC_LTI_ACCRUALDATA_GET (Determine awards data for accumulating accruals)

■   Read the Award infotype (0382), authorization object P_ORGIN

○   Budget Management (PA-PM)

■   You use background processing to create commitments in accounting with an RFC connection. Depending on the process and the system landscape used, it may be necessary to set up a user for the background processing. You can use your own user (an additional logon is required) or set up a special commitment engine user.

For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.

Authorizations

Personnel Management uses the authorization provided by SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Personnel Management.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user management console for SAP Web AS Java.

Standard Roles

The following table shows the standard roles that are used by Personnel Management.

Standard Roles

Role                      Description
SAP_HR_BN*                Roles assigned to component PA-BN (Benefits)
SAP_HR_CM*                Roles assigned to component PA-CM (Compensation Management)
SAP_HR_CP*                Roles assigned to component PA-CM-CP (Personnel Cost Planning)
SAP_ESSUSER_ERP05         Role with all non-country-specific functions for Employee Self-Service. For more information, see the Security Guide for Self-Services [page 24].
SAP_EMPLOYEE_ERP05_xx     Roles related to the Employee Self-Service country versions
SAP_HR_OS*                Roles assigned to component PA-OS (Organizational Management)
SAP_HR_PA_xx_*            Roles related to international and country versions of the component PA-PA (Personnel Administration)
SAP_HR_PA_XF*             Roles assigned to the component CA-GTF-XF (SAP Expert Finder)
SAP_HR_PA_PF_xx_*         Roles assigned to component PA-PF (Pension Fund)
SAP_HR_PD*                Roles assigned to component PA-PD (Personnel Development)
SAP_HR_RC*                Roles assigned to component PA-RC (Recruitment)
SAP_HR_REPORTING          Role for Human Resources Analyst
SAP_AUDITOR_TAX_HR        Relevant for Germany only. Role "HR-DE Steuerprüfung § 147 AO (Muster)" (HR-DE tax audit under § 147 AO, template) assigned to the component PA-PA-DE (Personnel Administration Germany).
SAP_ASR_EMPLOYEE          Enhancement of the role SAP_ESSUSER_ERP05 for employees who use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_MANAGER           Enhancement of the role SAP_ESSUSER_ERP05 with functions for persons with personnel responsibility who use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_ADMINISTRATOR     Enhancement of the role SAP_HR_PA_xx_* for HR administrators who use the functions of the component PA-AS (HR Administrative Services)

For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with "xx", where "xx" represents the SAP country key, various roles exist for each of the country versions.

Standard Authorization Objects

The following table shows the most important central security-relevant authorization objects used by Personnel Management.

For more information about Personnel Management authorizations, see SAP Library under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [external].

Most Important Standard Authorization Objects

Authorization Object   Short Text                                      Description
P_ORGIN                HR Master Data                                  Used when checking authorizations for HR infotypes. The check takes place when HR infotypes are edited or read.
P_ORGINCON             HR Master Data with Context                     Consists of the same fields as P_ORGIN plus the field PROFL (structural profile). With this object, user-specific contexts can be included in the HR master data check.
P_ORGXX                HR Master Data – Extended Check                 With this object you can determine whether other fields (the administrator fields of the Organizational Assignment infotype) are also to be checked. You can determine whether this check is performed in addition to or instead of the HR Master Data authorization check.
P_ORGXXCON             HR Master Data – Extended Check with Context    Consists of the same fields as P_ORGXX plus the field PROFL (structural profile). With this object, user-specific contexts can be included in the HR master data check.
P_TCODE                HR: Transaction Code                            Checks certain specific transactions in SAP Human Resources Management.
PLOG                   Personnel Planning                              Used to indicate the types of information processing a user is authorized to perform.
PLOG_CON               Personnel Planning with Context                 Consists of the same fields as PLOG plus the field PROFL (structural profile). With this object, user-specific contexts can be included in the Personnel Planning check.
P_ASRCONT              Authorization for Process Content               Used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms [external].

In Customizing, you can determine whether specific authorization objects are to be checked. All central switches and settings for the Human Resources authorization check are summarized in table T77S0 in the group AUTSW. Note that changes to these settings severely affect your authorization concept.

For more information about changing the main authorization switch, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management.
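The interplay of the AUTSW main switches with P_ORGIN and P_ORGXX described above, as an added example that is not part of the original guide and not SAP's code: a Python simulation of the HR master data check for one request against a user's authorization buffer, plus a review helper that flags overly broad write authorizations on the sensitive international infotypes listed later in this section (0002, 0008, 0009, 0021). The object, field and switch names are the standard ones; the buffers, the infotype record, the prefix-style value matching and the treatment of "no switch active" as a misconfiguration are this example's own assumptions and simplifications (real authorization values can also be ranges, and P_ORGINCON/P_ORGXXCON, the PERNR switch and the other AUTSW switches are not modelled).

```python
"""HR master data authorization check driven by the T77S0 AUTSW switches.

Added example, not SAP code: the object names, field names and switch names
are the standard ones from the guide, but the authorization buffers, the
infotype record and the value matching are constructed and simplified
(no value ranges, no P_ORGINCON/P_ORGXXCON context, no other AUTSW switch).
"""
from typing import Dict, Iterable, List, Union

Value = Union[str, Iterable[str]]  # one field value, or a list of single values

# P_ORGIN carries the organizational fields of infotype 0001; P_ORGXX swaps
# them for the administrator fields (personnel, payroll and time administrator,
# administrator group) of the same infotype.
P_ORGIN_FIELDS = ("INFTY", "SUBTY", "AUTHC", "PERSA", "PERSG", "PERSK", "VDSK1")
P_ORGXX_FIELDS = ("INFTY", "SUBTY", "AUTHC", "SACHA", "SACHP", "SACHZ", "SBMOD")
ORG_FIELDS = ("PERSA", "PERSG", "PERSK", "VDSK1")

# International infotypes the guide lists as particularly sensitive.
SENSITIVE_INFOTYPES = ("0002", "0008", "0009", "0021")


def value_matches(auth_value: Value, record_value: str) -> bool:
    """Simplified authorization value matching: '*' is generic, 'P*' is a
    prefix, anything else must be equal; a list matches if any entry does."""
    if not isinstance(auth_value, str):
        return any(value_matches(v, record_value) for v in auth_value)
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return record_value.startswith(auth_value[:-1])
    return auth_value == record_value


def instance_allows(instance: Dict[str, Value], request: Dict[str, str],
                    fields: Iterable[str]) -> bool:
    """A single authorization instance covers the request only if every
    field of the object matches; fields of different instances never mix."""
    return all(value_matches(instance.get(f, ""), request.get(f, ""))
               for f in fields)


def object_allows(buffer: Dict[str, list], obj: str, request: Dict[str, str],
                  fields: Iterable[str]) -> bool:
    """The check for one object passes if any instance of it covers the request."""
    return any(instance_allows(inst, request, fields)
               for inst in buffer.get(obj, []))


def hr_master_data_check(autsw: Dict[str, str], buffer: Dict[str, list],
                         request: Dict[str, str]) -> bool:
    """ORGIN=1 activates P_ORGIN, ORGXX=1 activates P_ORGXX.  Both active:
    P_ORGXX is checked in addition to P_ORGIN.  Only ORGXX active: instead
    of it.  Neither active is treated here as a misconfiguration (assumption
    of this example, not the kernel's behaviour)."""
    active = []
    if autsw.get("ORGIN") == "1":
        active.append(("P_ORGIN", P_ORGIN_FIELDS))
    if autsw.get("ORGXX") == "1":
        active.append(("P_ORGXX", P_ORGXX_FIELDS))
    if not active:
        raise ValueError("AUTSW: neither ORGIN nor ORGXX is active")
    return all(object_allows(buffer, obj, request, fields)
               for obj, fields in active)


def broad_sensitive_grants(buffer: Dict[str, list]) -> List[Dict[str, Value]]:
    """Review helper: P_ORGIN instances that grant write access (W or *) to a
    sensitive infotype while every organizational field is generic ('*')."""
    hits = []
    for inst in buffer.get("P_ORGIN", []):
        covers = any(value_matches(inst.get("INFTY", ""), s)
                     for s in SENSITIVE_INFOTYPES)
        writes = value_matches(inst.get("AUTHC", ""), "W")
        generic = all(inst.get(f) == "*" for f in ORG_FIELDS)
        if covers and writes and generic:
            hits.append(inst)
    return hits


# Constructed buffers, not real role content.  The administrator may change
# infotypes 0000-0002 and read Basic Pay (0008), only in personnel area 1000,
# and only for employees whose personnel administrator is HR1.
ADMIN_BUFFER = {
    "P_ORGIN": [
        {"INFTY": ("0000", "0001", "0002"), "SUBTY": "*", "AUTHC": ("R", "W"),
         "PERSA": "1000", "PERSG": "*", "PERSK": "*", "VDSK1": "*"},
        {"INFTY": "0008", "SUBTY": "*", "AUTHC": "R",
         "PERSA": "1000", "PERSG": "*", "PERSK": "*", "VDSK1": "*"},
    ],
    "P_ORGXX": [
        {"INFTY": "*", "SUBTY": "*", "AUTHC": "*",
         "SACHA": "HR1", "SACHP": "*", "SACHZ": "*", "SBMOD": "*"},
    ],
}
SUPERUSER_BUFFER = {"P_ORGIN": [dict.fromkeys(P_ORGIN_FIELDS, "*")]}

# Constructed Basic Pay record of an employee in personnel area 1000 whose
# personnel administrator is HR1.
BASIC_PAY_1000 = {"INFTY": "0008", "SUBTY": "0", "PERSA": "1000", "PERSG": "1",
                  "PERSK": "01", "VDSK1": "", "SACHA": "HR1", "SACHP": "",
                  "SACHZ": "", "SBMOD": ""}


def request(record: Dict[str, str], authc: str, **overrides: str) -> Dict[str, str]:
    """Build the check request: record fields plus the requested activity."""
    return {**record, "AUTHC": authc, **overrides}


if __name__ == "__main__":
    both = {"ORGIN": "1", "ORGXX": "1"}
    print(hr_master_data_check(both, ADMIN_BUFFER, request(BASIC_PAY_1000, "R")))
    print(hr_master_data_check(both, ADMIN_BUFFER, request(BASIC_PAY_1000, "W")))
    print(broad_sensitive_grants(SUPERUSER_BUFFER))
```

The case worth studying is the "instead of" configuration: with ORGIN=0 and ORGXX=1, an employee in another personnel area becomes readable as soon as the administrator field matches, because P_ORGIN's PERSA restriction is no longer evaluated at all. That is the practical reason behind the guide's warning that changes to the AUTSW settings severely affect the authorization concept.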

Communication Channel Security

Use

The table below shows the communication paths used by Personnel Management, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path                      Protocol Used                                            Type of Data Transferred                                                  Data Requiring Special Protection
Interface Toolbox (transaction PU12)    ALE                                                      Master data, Benefits data, Organizational data as defined by the user
SAP BW                                  Extractor program                                        Master data, Organizational data, Personnel Development data
SAP CO (for distributed systems)        RFC                                                      Cost centers, orders, and so on                                           Authorizations for CO objects are required here
External files                          ASCII                                                    Personnel Administration data                                             Applicable only for country versions Australia and New Zealand
Microsoft Word                          Report interface with SAP NetWeaver Office Integration

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Communication Destinations

Use

Specific communication destinations are available for some Personnel Management components and Personnel Administration country-specific components.

Benefits (PA-BN)

When evaluating retirement benefits for employees, service-related data is sent to an external system using IDocs. The Benefits system places the IDocs in a special port. External systems can collect the IDocs from this port. The external systems evaluate the retirement benefits based on the transferred data and then send them back to the SAP system with an inbound IDoc.

There are no special functions on the Benefits side to protect this data.

Enterprise Compensation Management (PA-EC)

Using IDocs, you communicate with banks and brokers through the SAP Business Connector. The transferred data must be encrypted.

For more information, see the documentation for the following reports:

●   RHECM_GRANT_IDOC_OUT (Export LTI Grant Data)

●   RHECM_PARTICIPANT_IDOC_OUT (Export LTI Participant Data)

●   RHECM_EXERCISE_IDOC_IN (Import LTI Exercise Data)

Compensation Management (PA-CM)

The self-service scenario Salary Benchmarking (HRCMP0053) exchanges data with external benchmarking providers. You communicate synchronously and online using HTTPS.

SAP Expert Finder (CA-GTF-XF)

The component SAP Expert Finder can exchange data with external systems using RFC.

Personnel Administration

●   HR Administrative Services

HR Administrative Services can transfer personal data from SAP E-Recruiting and return data to SAP E-Recruiting. For more information, see the Security Guide for SAP E-Recruiting under Technical System Landscape [page 197] and Communication Destinations [page 208].

●   B2A Manager – Authorities Communication

Some country versions use the B2A Manager to exchange data with the authorities. For example, in the German country version (PA-PA-DE) you can exchange data with social insurance bodies and health insurance funds.

The B2A Manager supports the following communication channels and encryption procedures, depending on the recipient:

○   Communication channels

■   E-mail with file attachments

■   HTTPS (Hypertext Transfer Protocol Secure)

○   Encryption procedures

■   PEM (Privacy Enhanced Mail)

■   PKCS#7 (Public Key Cryptography Standard No. 7)

●   Pension Fund (PA-PF)

○   You can create files with SAP List Viewer (ALV) and TemSe (Temporary Sequential Objects).

○   There is no encryption of data in the standard system.

○   Country version Netherlands (PA-PF-NL): You can upload the inbound data using the GBA interface (Gemeentelijke Basis Administratie, the municipal personal records database).

●   Country version Germany (PA-PA-DE)

Employees can submit their tax returns in electronic form (ELSTER). Data is communicated using HTTP. The data is encrypted with PKCS#7. The tax authorities specify the procedure.

●   Country version USA

For the VET and EEO reports for the country version USA, you can exchange data with local servers or terminals. With this function you can download files from the application server to a presentation server. This results in text files with the output format .txt, as required by the authorities. This output format is legally compliant.

The data is not encrypted in the standard system. You decide to what extent you want to encrypt data if you want to send data to the Federal Commission or the Department of Labor.

●   Country version Great Britain

You can communicate with the GB Inland Revenue Gateway. The communication channel is encrypted with 128-bit SSL. Employee tax data is transferred with RFC connections and HTTPS.

Data Storage Security

The infotypes in Personnel Management contain particularly sensitive data. This data is protected by central authorization objects.

For more information about authorization objects, see Authorizations [page 161].

Examples of infotypes containing particularly sensitive data:

●   International infotypes for Personnel Administration (PA-PA)

○   Personal Data (0002)

○   Basic Pay (0008)

○   Bank Details (0009)

○   Family Member/Dependents (0021)

●   Personnel Development (PA-PD)

○   Qualifications

○   Appraisals

●   Personnel Cost Planning and Simulation (PA-CP)

○   Planning of Personnel Costs (0666), contains salary-based information

●   Enterprise Compensation Management (PA-EC)

○   LTI Grant (0761)

○   LTI Exercise (0762)

●   Management of Global Employees (PA-GE)

○   Compensation Package Offer (0706)

Other sensitive Personnel Management data

●   Budget Management

The Budget Management component accesses the salary data of employees and displays data from the Controlling (CO) and Funds Management (FI-FM) components. The standard authorization concept for Human Resources, Controlling, and Funds Management is used for these processes. The following authorization objects are also available to protect the data:

○   P_ENCTYPE (HR: PBC - Financing): Determines which funds reservation types a user can access and which activities the user is allowed to perform.

○   P_ENGINE (HR: Authorization for Automatic Commitment Creation): Determines which activities a user is allowed to perform when creating commitments.

●   Pension Fund (PA-PF)

Access to salary data, pensions and benefits entitlements is protected by the following authorization objects:

○   P_ORGIN (HR: Master Data)

○   P_CH_CK (HR-CH: Pension Fund: Account Access)

○   P_NL_PKEV (authorization object for pension fund events, Netherlands)

●   SAP Expert Finder (CA-GTF-XF)

For the connection with the external LDAP system, the user should only have read access to the data. The role SAP_HR_PA_XF_SERVICE_USER_DOC (HR Expert Finder: Service User for Access Search Engine) is available for this.

●   Personnel Cost Planning (PA-CM-CP and PA-CP)

The old Personnel Cost Planning (PA-CM-CP) and the new Personnel Cost Planning and Simulation (PA-CP) components both save salary-relevant information to the clusters of the database PCL5. You can control access rights using the authorization object P_TCODE (HR: Transaction Code).

●   Employee Interaction Center (PA-EIC)

The EIC Authentication infotype (0816) stores question and response pairs that an agent of the Employee Interaction Center then uses to identify a calling employee. You can only maintain the infotype with the Employee Self-Service service Authentication for EIC.

●   HR Administrative Services (PA-AS)

The personnel file and all process instances are saved with intermediate statuses and history to the Case Management databases.

●   Particularly sensitive data in the country versions

○   The transfer of salary and tax data using the B2A Manager is protected by the authorization object P_B2A (HR-B2A: B2A Manager).

○   Country version USA (PA-PA-US)

The social security number (SSN) in the Personal Data infotype (0002)

○   Country version Canada (PA-PA-CA)

The social insurance number (SIN) in the Personal Data infotype (0002)

○   Country version Australia (PA-PA-AU)

The Tax File Number (TFN) in the TFN Australia infotype (0227)

○   Country version New Zealand (PA-PA-NZ)

The Employee IRD Number in the IRD Nbr New Zealand infotype (0309). There are several ways to access this number:

■   Directly, using the IRD Nbr New Zealand infotype (0309) with the transaction Maintain HR Master Data (PA30)

■   Using the IRD Number pushbutton in the Tax New Zealand infotype (0313)

The necessary authorizations to read or change the IRD number depend on the authorizations in the user profile.


Security for Additional Applications

Personnel Administration country-specific components use several reports that store security-relevant and sensitive data. This data includes employee data relating to salary, tax, social insurance, pension contributions, and garnishments.

The data is stored in temporary sequential (TemSe) files and used when printing legal forms, statistics, and business reports. Access to TemSe is controlled by the authorization object S_TMS_ACT. Data encryption is not necessary here. For a list of all reports and programs using TemSe, see the Personnel Administration documentation for your country version.

You can also download data directly from the front-end server (for example, PC/terminal) or application server without first storing the data records in the TemSe. To do so, you copy the data to a data carrier that you can then send to the authorities.

Other Security-Relevant Information

Use

Other security-relevant Customizing for infotype records

With the field Access Auth. (Access Authorization) in table V_T582A (Infotype Attributes (Customizing)), you can control access to an infotype record depending on whether the record belongs to the area of responsibility of a person responsible on the current date. For more information, see the Implementation Guide for Personnel Management under Personnel Administration → Customizing Procedures → Infotypes → Infotypes. Note in particular the help for the Access Authorization field.

Technical utilities without integrated authorization check

The following technical utilities read data without the user's authorizations being checked. You should therefore only assign the relevant report authorizations to roles containing system administrator functions.

●   Reports with the prefix RHDBST*: Database statistics

●   Reports with the prefix RHCHECK*: Consistency checks for Organizational Management and Personnel Development data

If required, you can use the following reports (developed for SAP internal use) for testing purposes. However, SAP does not accept any responsibility for these reports:

●   Report RPCHKCONSISTENCY (Consistency check for HR master data)

●   Report RPUSCNTC (Find Inconsistencies in Time Constraints)

Authorizations for the Implementation Guide for HR Administrative Services

The views in the Implementation Guide for HR Administrative Services are protected separately by an authorization group to prevent users without authorization from maintaining person-related data. In the field DICBERCLS (Authorization Group) of the authorization object S_TABU_DIS, you can set the following values:

●   PASC: Authorization check for all views of HR Administrative Services in which no Customizing settings are made that affect the authorization checks for the users of HR Administrative Services.

●   PASA: Additional authorization check for the views that may affect the authorization check for users of HR Administrative Services.

Personnel Time Management (PT)

User Management

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

You require technical users for the following tasks in Personnel Time Management:

●   To upload time events from the external time recording system, you use the report RPTCC106 (HR-PDC: Download Upload Request for Time Events). You will normally schedule the report as a background processing job. For this you require a technical user. The authorizations of the technical user should be based on the authorizations for transaction PT80 (Subsystem Connection).

Time events are uploaded from the subsystem by an IDoc, which stores the time events in the interface table CC1TEV. For the upload, you require a technical user with authorizations for communication with an SAP system via Application Link Enabling (ALE) and the required table authorizations. The technical user does not require authorizations specific to the SAP HR solution.

You require a technical user with authorizations for transaction PT45 (HR-PDC: Post Person Time Events) for the background processing job that transfers the time events from the interface table to the relevant Time Management tables.

●   You require two types of technical users for BAPIs that store data in one of the PTEXDIR, PTEX2000, PTEX2003, or PTEX2010 interface tables.

○   To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.

○   For the subsequent background processing job that transfers data from the interface tables to the infotype database tables, you require a technical user with the same authorizations that are required for transaction CAT6 (Transfer Time Data to Time Management).

○   For technical users for the BAPIs that have read access to the infotypes, you can use the same authorizations as contained in the role SAP_HR_PT_TIME-ADMINISTRATOR.

●   You also require technical users for all other ALE scenarios and BAPIs in Personnel Time Management.

For more information, see Communication Destinations [page 171].

Authorizations

The Personnel Time Management component uses the authorization provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to the Time Management component.


The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Time Management component.

Standard Roles

Role                               Description
SAP_HR_PT_SHIFT-PLANNER            Shift Planner [external]
SAP_HR_PT_TIME-ADMINISTRATOR       Time Administrator [external]
SAP_HR_PT_TIME-LABOR-ANALYST       Time and Labor Analyst [external]
SAP_HR_PT_TIME-MGMT-SPECIALIST     Time Management Specialist [external]
SAP_HR_PT_TIME-SUPERVISOR          Time Supervisor [external]
SAP_ESSUSER_ERP05                  Employee Self-Service [external]
SAP_HR_PT_US_PS_TIME-ADM           Time Recording Administrator. This role is used only in the Public Sector in the country version for the USA.

Authorization Objects

The Time Management component uses the Personnel Management authorization objects; it does not have any of its own.

For more information about the authorizations, see:

●   The SAP Library. Choose Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [external].

●   The Implementation Guide for Personnel Time Management: Choose Management of Roles and Authorizations.

Communication Destinations

Use

Special communication destinations are available for some Time Management components.

Connection to External Time Recording Terminals

Time Management supports a connection to external time recording systems (using the HR-PDC interface). Data is communicated using asynchronous BAPIs via IDocs.

For more information, see the SAP Library and choose Personnel Time Management → Integration with Other Components → Connection to External Time Management Systems [external].


User Management Tools

Tool                                            Detailed Description                                                                  Prerequisites
User and Role Maintenance (transaction PFCG)    You can use the Role Maintenance transaction PFCG to generate profiles for your Payroll users.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types required for Payroll include:

●   Individual users

○   Administration user

○   Payroll manager

○   Payroll specialist

●   Technical users

○   Payroll procedure administrator

○   ALE user for posting payroll results to Accounting

For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
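The user-type policy stated in the Personnel Management, Personnel Time Management and Payroll user management sections (technical users such as WF-BATCH and the ALE and PDC upload users are system users under which background jobs run; interactive users rotate their passwords), as an added audit example that is not part of the original guide and not SAP's code. It works on two constructed CSV exports: a USR02 subset (BNAME, USTYP, plus an assumed PWDCHANGE column holding the last password change date) and an assumed job list (JOBNAME, STEP_USER). The user names, job names, the 90-day limit and the export column names are this example's assumptions.

```python
"""User-type audit for HR technical users.

Added example, not SAP code.  It reviews two constructed table exports:
USR02 (user master; columns BNAME, USTYP and an assumed PWDCHANGE date
column) and a background job list (assumed columns JOBNAME, STEP_USER).
The user type codes are the standard ones; the 90-day rule is an assumed
policy, not the guide's.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Tuple

DIALOG, SYSTEM = "A", "B"       # USR02-USTYP: A dialog, B system (C, L, S also exist)
MAX_PASSWORD_AGE_DAYS = 90      # assumed policy for interactive users

# Constructed export of USR02 (not real data).  WF-BATCH was created as a
# dialog user by mistake; the guide requires a system user.
USR02_EXPORT = """BNAME,USTYP,PWDCHANGE
ALEREMOTE,B,2021-06-01
HRADMIN1,A,2023-01-15
HRADMIN2,A,2022-10-01
PAYCLERK,A,2023-03-30
PDCUPLOAD,B,2022-02-02
WF-BATCH,A,2021-06-01
"""

# Constructed list of scheduled background jobs and the step user each runs under.
JOBS_EXPORT = """JOBNAME,STEP_USER
HR_ALE_DISTRIBUTION,ALEREMOTE
PDC_UPLOAD_RPTCC106,PDCUPLOAD
PDC_POST_PT45,HRADMIN1
WF_DEADLINE_MONITOR,WF-BATCH
"""

Finding = Tuple[str, str]  # (user name, finding code)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read a CSV export with a header row into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_user_types(users: List[Dict[str, str]], jobs: List[Dict[str, str]],
                     as_of: date) -> List[Finding]:
    """Apply the two policies from the guide's user-type discussion:
    background jobs run under technical (system) users, and interactive
    (dialog) users rotate their passwords."""
    by_name = {u["BNAME"]: u for u in users}
    job_users = {j["STEP_USER"] for j in jobs}
    findings: List[Finding] = []
    # Policy 1: every job step user must exist and must not be a dialog user.
    for name in sorted(job_users):
        user = by_name.get(name)
        if user is None:
            findings.append((name, "JOB_USER_NOT_IN_USR02"))
        elif user["USTYP"] == DIALOG:
            findings.append((name, "DIALOG_USER_RUNS_JOBS"))
    # Policy 2: interactive users (dialog type, not used by jobs) rotate passwords.
    for name, user in sorted(by_name.items()):
        if user["USTYP"] != DIALOG or name in job_users:
            continue
        age = (as_of - date.fromisoformat(user["PWDCHANGE"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, "STALE_PASSWORD"))
    return findings


def run_audit(as_of_iso: str = "2023-04-01") -> List[Finding]:
    """Run the audit over the constructed exports for the given reference date."""
    return audit_user_types(parse_export(USR02_EXPORT), parse_export(JOBS_EXPORT),
                            date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for user, code in run_audit():
        print(f"{user:<12} {code}")
```

Run as a script it prints the findings for the constructed exports: WF-BATCH and HRADMIN1 run background jobs as dialog users, and HRADMIN2 is an interactive user whose password is older than the assumed policy allows. On a real system the exports would come from SE16 or SUIM; the rules stay the same.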

Authorizations

The Payroll component uses the authorization provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP Security Guide therefore also apply to Payroll.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Payroll component.

Standard Roles

Role                               Description
SAP_HR_PY_xx_PAYROLL-ADM           Payroll administrator <xx>
SAP_HR_PY_xx_PAYROLL-MANAGER       Payroll manager <xx>
SAP_HR_PY_xx_PAYROLL-PROC-ADM      Payroll procedure administrator <xx>
SAP_HR_PY_xx_PAYROLL-SPEC          Payroll specialist <xx>
SAP_HR_PY_xx_*                     Roles for mapping country-specific tasks within payroll
SAP_HR_PY_PAYROLL-LOAN-ADM         Loan accounting administrator

xx stands for the country key. For the roles marked with an asterisk (*), additional roles exist for each of the countries.

You can find additional roles in the description of Personnel Management standard roles.

Standard Authorization Objects

The following table displays the security-relevant authorization objects used by Payroll.

Standard Authorization Objects

Authorization Object   Short Text                                             Description
P_PBSPWE               Process Workbench Engine (PWE) authorization           Authorizations for the Process Workbench Engine (PWE)
P_PCLX                 HR: Cluster                                            Check when accessing HR files on the PCLx (x = 1, 2, 3, 4) databases
P_PCR                  HR: Personnel control record                           Authorization check for the personnel control record (transaction PA03)
P_PE01                 HR: Authorization for personnel calculation schemes    Authorization check for personnel calculation schemes
P_PE02                 HR: Authorization for personnel calculation rules      Authorization check for personnel calculation rules
P_PYEVDOC              HR: Posting document                                   Protection of actions on payroll posting documents
P_PYEVRUN              HR: Posting run                                        Control of actions that are possible for posting runs
P_OCWBENCH             HR: Activities in the Off-Cycle Workbench              Used for the authorization check in the Off-Cycle Workbench
P_B2A                  HR-B2A: B2A Manager                                    Used for the authorization check in the B2A Manager. The B2A Manager must be in use for this check to apply.
P_USTR                 Tax report authorization (USA country version only)    Authorizations for the tax report (USA country version only)
S_TMS_ACT              Actions to/on TemSe objects                            Determines who may execute which operations on which TemSe objects


Communication Channel Security

Use

The table below shows the communication paths used by Payroll, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path                        Protocol Used   Type of Data Transferred              Data Requiring Special Protection
Interface Toolbox (transaction PU12)      ALE             Determined by the user
Display posting runs (transaction PCP0)   ALE             Data for cost accounting
BSI Tax Factory for tax calculation       RFC             Tax data for the USA country version

RFC connections can be protected using Secure Network Communications (SNC). For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Communication Destinations

The following table provides an overview of the communication destinations that Payroll uses.

Communication Destinations

Destination   Delivered                 Type                                                                                                                 Description
BSI           For USA country version   RFC with the function module PAYROLL_TAX_CALC_US (PAYROLL_TAX_CALC_US_50, PAYROLL_TAX_CALC_US_60, PAYROLL_TAX_CALC_US_70)

Data Storage Security

Use

Payroll results are condensed and stored in an INDX-type table. In the standard system, access is protected by read and write authorizations for the infotypes and by authorizations for the required clusters.

Security for Additional Applications

Use

The country versions for Payroll use reports in which sensitive data is displayed. For example, this data can be from the following sensitive areas:


●   Salary

●   Tax

●   Social insurance

●   Pension contributions

●   Court orders

This data is stored in temporary sequential (TemSe) files to create and output legal forms, statistics, and analyses. Likewise, this technology is used to download data to the front end or application server directly, without storing the data as TemSe objects beforehand. The data can then be transferred from the front end or the application server to a data medium that can be sent to the authorities.

You can control access to the TemSe objects within the ECC system using the authorization object S_TMS_ACT (TemSe: Actions at/to TemSe objects). Data encryption is not necessary here.

You can find information about the TemSe objects for your country version in the Payroll documentation for your country version.

Other Security-Relevant Information

Use

There is the following security-relevant information for the USA country version:

●   You can update the Taxability model using the Interface Toolbox (transaction PU12). There are currently no special authorizations for this.

●   You have the option of preventing unauthorized or accidental updates to the PCL4 database.

○   You can activate or deactivate the authorization checks for the tax return using the feature UTXSS.

○   You can determine the codes for spool authorizations depending on the tax company and the tax class using the feature UTXSP.

For more information, see the documentation for these features.

SAP Learning Solution/SAP Enterprise Learning

The following sections apply to SAP Learning Solution and SAP Enterprise Learning.

If you also implement the SAP Enterprise Learning product, you can find security-relevant notes on Adobe Connect Enterprise Server 6 in section 6, Securing Connect Enterprise, of the Installation and Configuration Guide from Adobe (part of the delivery).

You can also find further information on the Adobe Connect Enterprise Server 6 in the SSL Configuration Handbook from Adobe (part of the delivery).


SAP: Important Disclaimers and Legal Information

SAP offers a basic learning solution software product called SAP Learning Solution and a premium learning solution software product with additional features and functionality called SAP Enterprise Learning. The license to use the SAP Learning Solution product does not include a license to use the HCM, Enterprise Learning business function, which is exclusively available to customers who have purchased a separate license to use the SAP Enterprise Learning product. If you would like to acquire the use rights to the HCM, Enterprise Learning business function, contact your SAP Account Executive for additional information regarding pricing and availability of the SAP Enterprise Learning product.

Technical System Landscape

SAP Learning Solution provides very versatile installation and integration options. The distributed system architecture enables a scalable solution. Knowledge of the communication channels and of the relationships between the individual components is important to enable you to select the optimum security strategy.

The following graphic provides an overview of the technical system landscape of SAP Learning Solution.


Technical System Landscape (figure)

Figure: technical system landscape of SAP Learning Solution. The graphic shows the following components and users: client computers for the learner, instructor, author, and administrator; the Enterprise Portal with the Learning Portal (BP for Learning), the Instructor Portal (BP for Instructor/Tutor), and optional Collaboration (KMC); the NW Application Server ABAP with the LSOFE add-on; the NW Application Server Java with the Content Player (LSOCP); the Offline Player (LSOOP) and the Authoring Environment (LSOAE), both standalone Java applications; the search engine TREX; Learning Content (CMS); an external LMS; SAP BW (analytical reporting); SAP XI (process integration); the SAP ECC HCM Extension EA-HR 602, which contains LSO Training Management; and SAP ECC 6.02, which contains HR master data, Performance Management, and Personnel Development.

Communication between the individual components is handled using RFC and HTTP. This enables you to distribute the components on multiple servers and thus to safeguard individual communication channels and servers specifically. If there are no specifically critical security requirements, you can combine all components on one server. The advantage of using a distributed system landscape is that it enables you to maximize security for individual components. The advantage of using a single server is that it enables you to reduce costs and improve system performance.

Persistence

Use

The following table contains a classification of the data that is saved in SAP Learning Solution and specifies the tables in which it is saved. SAP Learning Solution stores all data centrally in the ERP system.

Persistence of the Training Catalog

Table: Objects and their attributes in HRPnnnn; relationships in HRP1001 or additional data in HRPADnnnn
Remarks: PD infotype framework. Courses, course types, and course groups are object types for which data is stored in infotypes. Links between the objects are realized using relationships. Relationship data is stored in transparent tables.
Components Used: LSOFE (read/write), ERP system (read/write), LSOCP (read/write)
Most Important Authorization Objects: P_ORGIN, P_APPL, PLOG

Persistence of Completion Information, Progress Data, SCORM Data

Table: LSOLEARN* tables of package LSO_LEARNERACCOUNT
Remarks: LSOLEARNING_C contains data for results feedback from the Content Player to the ERP system. All other data is used by the Content Player only.
Components Used: LSOCP (read/write), ERP system (read)

Persistence of Test Results

Table: LSOTACLRN* tables of package LSO_TAC_DD
Components Used: LSOCP (write), ERP system (read)

Persistence of Publishing Information

Table: LSOTACAS* tables of package LSO_TAC_DD for tests; LSOLU* tables of package LSO_LEARNERACCOUNT
Components Used: LSOAE (read/write), LSOCP (read), ERP system (read/write)

Persistence of Digital Signatures

Table: LSOLEARNESIGN* tables of package LSO_LEARNERACCOUNT
Components Used: LSOFE (read), ERP system (read/write)

Learning Portal (LSOFE)

The Learning Portal (LSOFE) is the entry point for learners in SAP Learning Solution. The Learning Portal can be called directly on the SAP Web AS or it can be integrated as an iView in SAP Enterprise Portal.

The following graphic provides an overview of the technical system landscape for the Learning Portal.

[Figure: Learning Portal. Browser (Learner 1) connects over HTTP/HTTPS to the optional SAP Enterprise Portal (Learner 2) and on to LSOFE (Learner 3) over HTTP/HTTPS with SSO2; LSOFE reaches mySAP ERP (Learner 4) over trusted RFC; collaboration uses RFC to the ERP system (Learner 5) and to the Enterprise Portal (Learner 6); the external LMS (Learner 7) is reached over SOAP.]

The learner requires a user in SAP Web AS. No special authorizations are required for the user since the front end does not contain a persistence layer. All data is stored in the ERP system.

Configuration Settings

Component: Browser
●   JavaScript must be active.
●   SAP Web AS requires cookies for session handling.
●   HTTP 1.1 is strongly recommended.

Component: SAP Enterprise Portal
●   It may be necessary to map users between the user in the SAP Enterprise Portal and the Web AS user.
●   You must maintain the RFC connection with the ERP system.

Component: SAP ERP
●   A trusted relationship is required between the SAP Web AS and the ERP system.
●   If you want to implement the Objective Setting and Appraisals component, an HTTP/HTTPS channel is also required.

Instructor/Tutor Role in the SAP Enterprise Portal

The Instructor/Tutor 1.02 business package provides a workset for instructors and tutors in SAP Learning Solution.

The following graphic provides an overview of the technical system landscape for the business package in the Enterprise Portal.

[Figure: Business Package for Instructor/Tutor. Browser (Instructor 1) connects over HTTP/HTTPS to the Enterprise Portal (Instructor 2, Instructor 8), which connects to SAP ERP (Instructor 3, Instructor 4, Instructor 7) over HTTP/HTTPS and RFC; an external collaboration server (Instructor 5, Instructor 6) is reached over SOAP.]

Instructors require a user in the SAP Enterprise Portal and a user in the ERP system. The portal user must be assigned to the user in the ERP system.

The role com.sap.pct.erp.instructor.instructor must be assigned to the portal user. The user in the ERP system must have the authorizations described in the SAP_HR_LSO_INSTRUCTOR role template.

All data is stored in the ERP system.


Configuration Settings

Component: Browser
●   JavaScript must be active.
●   SAP Web AS requires cookies for session handling.
●   HTTP 1.1 is strongly recommended.

Component: SAP Enterprise Portal
●   It is necessary to map users between the user in the SAP Enterprise Portal and the SAP Web AS user.
●   You must maintain the RFC connection with the ERP system.

Component: SAP ERP
●   If you want to use collaboration in the SAP Enterprise Portal, you must have configured the RFC connection between the ERP system and the Enterprise Portal.
●   If you want to use an external collaboration server, you must set up the SOAP connection for the purpose.

Content Player (LSOCP)

The Content Player (LSOCP) is called using a URL from the Learning Portal to play Web-based training courses (WBTs). The Content Player does not have a persistence layer. It reads and writes all data to the ERP system.

The following graphic provides an overview of the technical system landscape for the Content Player.

[Figure: Content Player. Browser (Content Player 1) connects to LSOCP (Content Player 2) over HTTP/HTTPS; LSOCP reads from the Content Management System (Content Player 4) over HTTP/HTTPS and from mySAP ERP (Content Player 3) over RFC.]

Configuration Settings

Component: Browser
●   JavaScript must be active.
●   Java VM must be active.
●   SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
●   HTTP 1.1 is strongly recommended.
●   Cookies are required for session handling.

Offline Player (LSOOP)

The Offline Player enables you to play instructional content offline without network access. It reads the instructional content and synchronizes the learner's progress using the Content Player. Instructional content and learning progress are stored in the local file system. In the standard system, this is the learner's home directory.

The following graphic provides an overview of the technical system landscape for the Offline Player.

[Figure: Offline Player. Browser (Offline Player 1) connects to LSOOP over HTTP on the local PC; LSOOP synchronizes with LSOCP (Offline Player 2) over HTTP/HTTPS.]

Configuration Settings

Component: Browser
●   JavaScript must be active.
●   Java VM must be active.
●   SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
●   HTTP 1.1 is strongly recommended.
●   Cookies are required for session handling.

Component: LSOOP
●   Java 2 SDK 1.4.2 must be installed.

Authoring Environment (LSOAE)

The Authoring Environment (LSOAE) must be installed locally on the author's PC. The Authoring Environment can be used online or offline. In online mode, you require a connection to the ERP system and the Content Management System. If you use it in offline mode, all data is stored in the local file system. You can choose the directory in which to store data. The data comprises course content and configuration data. You can protect this data at operating system level.

The following graphic provides an overview of the technical system landscape for the Authoring Environment.

[Figure: Authoring Environment. Browser (Author 1) connects to LSOAE over HTTP on the local PC; LSOAE reaches the Content Management System (Author 2) over WebDAV, SAP ERP (Author 3) over RFC, and TREX (Author 4) over HTTP.]

The Authoring Environment contains a special version of the Content Player that plays, on the local PC, the course content that is currently open in the Authoring Environment. As with the Offline Player, you cannot use this local Content Player remotely. You can only call it from the PC on which it is installed.

Configuration Settings

Component: Browser
●   Internal ActiveX objects must be activated.
●   JavaScript must be active.
●   Java VM must be active.
●   SUN Java Plug-In from version 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
●   HTTP 1.1 is strongly recommended.
●   Cookies are required for session handling.

Component: LSOAE
●   Java JRE 1.4.2 or JRE 1.5.0 must be installed.


Environment for the Training Administrator

The SAP GUI transactions required for the training administrator role are available in the ERP system.

The following graphic provides an overview of the technical system landscape for the back end.

[Figure: Environment for the Training Administrator. SAP GUI (User 1) connects to mySAP ERP (User 2, User 3) over DIAG; the SAP Enterprise Portal (User 4) is optional; Process Integration (PI/XI) (User 5) is reached over RFC.]

User Management

User management for SAP Learning Solution uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example, tools, user types, and password policies. See the sections below for an overview of how these mechanisms apply to SAP Learning Solution. In addition, there is a list of the standard users that are necessary for operating SAP Learning Solution.


User Management Tools

The table below shows the tools implemented for user management in SAP Learning Solution.

User Management Tools

Tool | Detailed Description | Prerequisites
User and role maintenance in SAP Web AS ABAP (transactions SU01, PFCG) | For more information, see Users and Roles (BC-SEC-USR) [External]. |
User Management Engine of SAP Web AS Java | For more information, see User Management Engine [External]. |

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.

The user types required for SAP Learning Solution include:

●   Individual users

○   Access to Training Management (LSOTM) is done by means of dialog users. Access is either directly through SAP GUI or indirectly through the Authoring Environment (LSOAE).

○   Access to the Learning Portal (LPO) is handled by means of Internet users. The required users must exist in the front-end system (LSOFE) and in the Training Management system (LSOTM) if the components are installed on separate systems.

○   Access to SAP Enterprise Portal (EP) is handled by means of Internet users. Authors access the Content Management System (CMS) in SAP Enterprise Portal indirectly from the Authoring Environment (LSOAE). Learners access it via the browser if the LPO is embedded in EP or if you use Collaboration in EP.

●   Technical users:

○   A communication user is used to access Training Management (LSOTM) when playing courses on the Content Player (LSOCP).

○   A communication user is used to access the Content Management System in SAP Enterprise Portal when playing courses on the Content Player (LSOCP).

○   A communication user is used for communication with external learning management systems (LMS) from the Training Management system (LSOTM) to access the Exchange Infrastructure (XI).

For more information on these user types, see User Types [External] in the SAP Web AS ABAP Security Guide.

This table contains details of user management for the various user types in the different tools of SAP Learning Solution.


User Types in the Learning Portal

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Learner 1
Portal user | Learner in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 2
Dialog user | Learner in SAP Web AS | No special authorization for SAP Learning Solution | Learner 3
Communication user | Learner in ERP system | SAP_HR_LSO_LEARNER | Learner 4
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | Learner 5
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 6
Anonymous | External LMS | Depends on LMS used | Learner 7

User Types in the Content Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Content Player 1
Anonymous | Content Player in SAP J2EE | | Content Player 2
Communication user | Content Player in the ERP system | SAP_HR_LSO_COURSEPLAYER | Content Player 3
Depends on the CMS used | Content Player in the Content Management System (CMS) | Read access via HTTP/HTTPS | Content Player 4

User Types in the Offline Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Learner in local operating system | Browser authorization | Offline Player 1
Anonymous | Content Player in SAP J2EE | | Offline Player 2


User Types in the Authoring Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Author in local operating system | Browser authorization; authorization for Java 2 SDK 1.4.2 | Author 1
Depends on the CMS used | Author in the CMS | Authorization to lock, unlock, read, create, delete, and write data via WebDAV | Author 2
Communication user | Author in the ERP system | SAP_HR_LSO_AUTHOR | Author 3
Anonymous | Author | | Author 4

User Types in the Training Coordinator's Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Administrator in local operating system | SAP GUI authorization | User 1
Dialog user | Administrator in ERP system | SAP_HR_LSO_DEVELOPMANAGER, SAP_HR_LSO_HRMANAGER, SAP_HR_LSO_SPECIALIST, SAP_HR_LSO_TRAININGADMIN, SAP_HR_LSO_TRAININGMANAGER, SAP_HR_LSO_ACCOUNTINGADMIN, SAP_HR_LSO_FOLLOWUPADMIN, SAP_HR_LSO_PARTICIPADMIN, SAP_HR_LSO_RESOURCEADMIN | User 2
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | User 3
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | User 4
XI user | Process Integration (XI) | XI access authorization | User 5


User Types in the Instructor's Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape
Depends on operating system used | Instructor in local operating system | Browser authorization | Instructor 1
Portal user | Instructor in the Enterprise Portal | com.sap.pct.erp.instructor.instructor | Instructor 2
Dialog user | Instructor in ERP system | SAP_HR_LSO_INSTRUCTOR | Instructor 3
Service user | Administrator in ERP system | No special authorization for SAP Learning Solution | Instructor 4
Depends on external system used | Administrator in external system | No special authorization for SAP Learning Solution | Instructor 5
Depends on external system used | Instructor in external system | No special authorization for SAP Learning Solution | Instructor 6
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | Instructor 7
Portal user | Instructor in the Enterprise Portal | com.sap.pct.erp.instructor.instructor | Instructor 8
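The tables above pin each SAP Learning Solution role to a user type. An audit of that mapping, as an added example that is neither SAP's code nor part of this guide: it reads a constructed USR02-style list (BNAME, USTYP, assigned roles) and flags the Content Player role on anything but a communication user, interactive instructor or administration roles on technical user types (which are exempt from the interactive password policy), and the two kinds of role combined on one user. The USTYP letters follow table USR02 (A dialog, B system, C communication, S service, L reference); the sample users are constructed. Note that the guide itself says "communication user" for the Content Player in the user-type table but "service user" in the Content Player's outbound communication table; the check follows the user-type table, so change COURSEPLAYER_USER_TYPE if your landscape uses a service user.

```python
"""Audit of SAP user types against the roles the security guide assigns to them.

Added example, not SAP code. Rules taken from the guide's user-type tables:
SAP_HR_LSO_COURSEPLAYER belongs on a communication user (Content Player 3),
instructor and training-administration roles belong on dialog users
(Instructor 3, User 2). USTYP codes are those of table USR02.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

USER_TYPES = {"A": "dialog", "B": "system", "C": "communication",
              "S": "service", "L": "reference"}

# Role the guide places on a technical user, and the type it expects.
TECHNICAL_ROLES = frozenset({"SAP_HR_LSO_COURSEPLAYER"})
COURSEPLAYER_USER_TYPE = "communication"

# Roles the guide places on interactive (dialog) users.
INTERACTIVE_ROLES = frozenset({
    "SAP_HR_LSO_INSTRUCTOR", "SAP_HR_LSO_TRAININGADMIN",
    "SAP_HR_LSO_TRAININGMANAGER", "SAP_HR_LSO_ACCOUNTINGADMIN",
    "SAP_HR_LSO_FOLLOWUPADMIN", "SAP_HR_LSO_PARTICIPADMIN",
    "SAP_HR_LSO_RESOURCEADMIN", "SAP_HR_LSO_DEVELOPMANAGER",
    "SAP_HR_LSO_HRMANAGER", "SAP_HR_LSO_SPECIALIST",
})

# User types that the interactive password policy does not apply to.
TECHNICAL_USER_TYPES = ("system", "communication", "service")


@dataclass(frozen=True)
class SapUser:
    bname: str              # USR02-BNAME
    ustyp: str              # USR02-USTYP
    roles: FrozenSet[str]   # role names assigned to the user (AGR_USERS)


def audit_users(users: List[SapUser]) -> List[str]:
    """Return one finding per rule violation; an empty list means clean."""
    findings: List[str] = []
    for u in users:
        kind = USER_TYPES.get(u.ustyp)
        if kind is None:
            findings.append(f"{u.bname}: unknown user type {u.ustyp!r}")
            continue
        technical = sorted(u.roles & TECHNICAL_ROLES)
        interactive = sorted(u.roles & INTERACTIVE_ROLES)
        if technical and kind != COURSEPLAYER_USER_TYPE:
            findings.append(f"{u.bname}: {technical} expected on a "
                            f"{COURSEPLAYER_USER_TYPE} user, found on a {kind} user")
        if interactive and kind in TECHNICAL_USER_TYPES:
            # A technical user type escapes the dialog password controls, so
            # interactive roles on it are not covered by the interactive policy.
            findings.append(f"{u.bname}: interactive role(s) {interactive} "
                            f"on a {kind} user")
        if technical and interactive:
            findings.append(f"{u.bname}: technical and interactive roles "
                            f"combined on one user")
    return findings


# Constructed sample extract (not real data).
SAMPLE_USERS = [
    SapUser("LSOCP_RFC",  "C", frozenset({"SAP_HR_LSO_COURSEPLAYER"})),
    SapUser("TRAINADM1",  "A", frozenset({"SAP_HR_LSO_TRAININGADMIN"})),
    SapUser("BATCH_LSO",  "B", frozenset({"SAP_HR_LSO_TRAININGADMIN"})),
    SapUser("DEV42",      "A", frozenset({"SAP_HR_LSO_COURSEPLAYER",
                                          "SAP_HR_LSO_INSTRUCTOR"})),
    SapUser("COLLAB_SVC", "S", frozenset()),
    SapUser("MYSTERY",    "X", frozenset()),
]

if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS):
        print(line)
```

Feed it a real extract by building SapUser records from USR02 and AGR_USERS (for example via an SE16 download), and extend INTERACTIVE_ROLES with the customer copies of the SAP_HR_LSO_* templates that are actually assigned.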

Authorizations

SAP Learning Solution uses the authorizations provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP Learning Solution.

The SAP Web Application Server authorization concept is based on assigning authorizations to users on the basis of roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user management console for SAP Web AS Java.

Standard Authorization Objects

The following table shows the security-relevant authorization objects that are used by SAP Learning Solution.

Standard Authorization Objects

Authorization Object | Field / Value | Description
P_ORGIN | HRPnnn (PD infotype framework: courses, course types, and course groups) | Used to determine and check a user's authorizations at the level of HR master data
P_APPL | | Used to control read and write authorizations for Applicant Management infotypes.
PLOG | | Used at the level of Personnel Planning data to specify the types of information a user may receive.

Standard Roles

The following table shows the standard roles that are used by SAP Learning Solution. For more information, see User Management [page 186].

Standard Roles

Role | Description
SAP_HR_LSO_ACCOUNTINGADMIN | Training accounting
SAP_HR_LSO_AUTHOR | Course author
SAP_HR_LSO_COURSEPLAYER | User of the Content Player
SAP_HR_LSO_DEVELOPMANAGER | Personnel Development Manager Training
SAP_HR_LSO_FOLLOWUPADMIN | Course follow-up
SAP_HR_LSO_HR-MANAGER | HR Manager Training
SAP_HR_LSO_LEARNER | Learner
SAP_HR_LSO_MANAGER | Manager
SAP_HR_LSO_PARTICIPADMIN | Participation administration
SAP_HR_LSO_RESOURCEADMIN | Resource Management
SAP_HR_LSO_SPECIALIST | System Specialist Training
SAP_HR_LSO_TRAININGADMIN | Training Administrator
SAP_HR_LSO_TRAININGMANAGER | Training Manager
SAP_HR_LSO_INSTRUCTOR | Instructor/Tutor

Communication Channel Security

The following graphic displays an overview of the communication channels listed in the tables below.

[Figure: Technical System Landscape and Communication Channels. SAP Web AS ABAP hosts ECC and LSOFE; SAP Web AS Java hosts LSOCP and EP 6.0; LSOAE and LSOOP run on a Java 2 SDK on the client. Channels shown: trusted RFC from LSOFE to ECC, RFC/JCo from LSOCP and LSOAE to ECC, RFC between ECC and EP 6.0, HTTP/HTTPS between browser, LSOFE, LSOCP, LSOOP and EP 6.0, WebDAV from LSOAE to EP 6.0, and plain HTTP between the local browser and LSOAE/LSOOP.]

The tables below show the communication channels used by SAP Learning Solution, the protocol used for the connection, and the type of data transferred.

For a better understanding of the tables, you should also display the graphics, which provide an overview of the technology landscape.

Learning Portal

See also: Learning Portal (LSOFE) [page 180]

Communication Paths for the Learning Portal: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentication methods supported by the SAP Web AS, typically form-based logon or standard authentication (user ID and password). Anonymous is supported, but you should not use it since unique learner assignment is not possible in the back end. | With standard authentication, passwords are transferred in plain text. Consequently, you should protect the transport using SSL.
SAP Enterprise Portal, iView Server | HTTP, HTTPS | All authentication methods supported by the SAP Web AS. Typically, you can use the Single Sign-On ticket (SSO) here since logon has already been done in the Enterprise Portal. | For SSO, you must import the Enterprise Portal certificate into the SAP Web AS.

Communication Paths for the Learning Portal: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
ERP system | RFC | Trusted RFC |
SAP Enterprise Portal / Collaboration | RFC | Ticket; User 4 for authentication, User 3 for RFC authorization |

Content Player

See also: Content Player (LSOCP) [page 182]

Communication Paths for the Content Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentication methods supported by the SAP Web AS/J2EE. The standard system uses anonymous. You do not require advanced authentication in the standard system since access is protected by a ticket. | Access to the Content Player is protected by a ticket. The ticket ensures that content can only be called once using the URL. Only one ticket is valid at any one time.

Communication Paths for the Content Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | HTTP, HTTPS | Anonymous, Basic | You store the user for authentication when you configure the Content Player. If you use HTTPS, you must set up HTTPS support of the J2EE Engine. X.509 certificate management is realized using the J2EE Engine.
ERP system | RFC (JCo) | User/Password | You store the user for authentication when you configure the Content Player. You must create a service user for the Content Player in the ERP system.
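The inbound table states that access to the Content Player is protected by a ticket which opens the content once, with only one ticket valid at a time. As an added illustration (not SAP's implementation and not code from this guide), the following Python models such a single-use launch ticket on the issuing side: a ticket is bound to learner and course with an HMAC, a replay is refused, issuing a new ticket supersedes the previous one, and, as an assumption beyond what the guide says, a ticket also expires after a short time-to-live. The class, the key, the separator character and the identifiers are this example's own.

```python
"""Single-use launch ticket, modelled on the guide's Content Player ticket rule.

Added illustration, not SAP code. It implements: one redemption per ticket,
only one valid ticket per learner at a time, and (assumption) an expiry.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode


class LaunchTicketService:
    """Issues and redeems launch tickets on the portal side.

    State is kept server-side per learner (assumption: one active ticket per
    learner, mirroring "only one ticket is valid at any one time"). The HMAC
    binds learner and course so an edited URL cannot open another course.
    """

    def __init__(self, key: bytes, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock
        # learner -> (nonce, course, issued_at)
        self._active: Dict[str, Tuple[str, str, float]] = {}

    def _mac(self, learner: str, course: str, nonce: str) -> str:
        msg = f"{learner}|{course}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, learner: str, course: str) -> str:
        """Create a ticket; any earlier ticket for this learner is superseded.

        Assumption: learner and course identifiers contain no '|' character.
        """
        nonce = secrets.token_urlsafe(16)
        self._active[learner] = (nonce, course, self._clock())
        return f"{learner}|{course}|{nonce}|{self._mac(learner, course, nonce)}"

    def redeem(self, ticket: str) -> Tuple[bool, str]:
        """Validate and consume a ticket. Returns (accepted, reason)."""
        parts = ticket.split("|")
        if len(parts) != 4:
            return False, "malformed"
        learner, course, nonce, mac = parts
        # Constant-time comparison so the MAC check does not leak by timing.
        if not hmac.compare_digest(mac, self._mac(learner, course, nonce)):
            return False, "bad signature"
        entry = self._active.get(learner)
        if entry is None or entry[0] != nonce:
            # Already redeemed (replay) or superseded by a newer ticket.
            return False, "not the active ticket"
        if self._clock() - entry[2] > self._ttl:
            del self._active[learner]
            return False, "expired"
        del self._active[learner]          # consume: exactly one redemption
        return True, f"play {course} for {learner}"


def launch_url(base: str, ticket: str) -> str:
    """Build the URL the Learning Portal would hand to the browser."""
    return f"{base}?{urlencode({'ticket': ticket})}"


if __name__ == "__main__":
    svc = LaunchTicketService(key=secrets.token_bytes(32))
    t = svc.issue("learner4", "WBT-101")   # constructed sample identifiers
    print(launch_url("https://lsocp.example/player", t))
    print(svc.redeem(t))   # accepted
    print(svc.redeem(t))   # replay is rejected
```

In a real deployment the ticket store would live in the ERP system or a shared database rather than in process memory, and the URL must travel over HTTPS: the ticket is single-use, but until it is redeemed anyone who reads it off the wire can redeem it first.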


Offline Player

See also: Offline Player (LSOOP) [page 183]

Communication Paths for the Offline Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from a local PC only.

Communication Paths for the Offline Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
LSOCP | HTTP, HTTPS | All authentication methods of the SAP Web AS/J2EE. |

Authoring Environment

See also: Authoring Environment (LSOAE) [page 184]

Communication Paths for the Authoring Environment: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The local Content Player of the Authoring Environment can be called from the local PC only.

Communication Paths for the Authoring Environment: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | WebDAV via HTTP, HTTPS | Basic, Anonymous | WebDAV is an extension of the HTTP protocol. The Authoring Environment does not contain a separate truststore for X.509 certificates; the security provider and the truststore of the Java 2 SDK installation are used. X.509 certificates may have to be imported from the Content Management System if you want to use encrypted communication with SSL.
ERP system | RFC (JCo) | User/Password | Credentials must be entered in a dialog box when switching to online mode.

Environment for the Training Administrator in the Back End

See also: Environment for the Training Administrator [page 186]

Communication Paths for the Back End: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP GUI | DIAG | Standard SAP GUI |

Communication Paths for the Back End: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP Enterprise Portal | RFC | With an SSO2 ticket. You store the user and password for generating the ticket in Customizing. | Only necessary if integration with Collaboration for SAP NetWeaver is active.
External Learning Management System (via XI) | SOAP | Anonymous |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. Without SNC or SSL, logon data and payload on these channels travel unencrypted.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
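A way to check a landscape against the rule just stated (SNC for DIAG and RFC, SSL for HTTP-based channels), as an added example rather than anything from this guide or from SAP: each channel from the tables above is described with its protocol, authentication method and whether SNC or SSL is active, and the audit reports every unprotected channel, rating it high when a reusable credential or logon ticket would travel in the clear. It also flags anonymous logon to the Learning Portal, which the inbound table advises against. The severity scale, the Channel and Finding types and the sample inventory are constructed for this example.

```python
"""Transport-protection check over a channel inventory.

Added example, not SAP code. Applies the guide's rule: DIAG and RFC are
protected with SNC, HTTP-based channels (HTTP, SOAP, WebDAV) with SSL.
"""
from dataclasses import dataclass
from typing import List

SAP_NATIVE = {"DIAG", "RFC"}               # protected by SNC
HTTP_BASED = {"HTTP", "SOAP", "WEBDAV"}    # protected by SSL (HTTPS)
# Authentication methods that put a reusable secret on the wire.
SECRET_ON_WIRE = {"user-password", "basic", "sso2"}


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str
    protocol: str      # one of SAP_NATIVE | HTTP_BASED; HTTPS is HTTP + encrypted
    auth: str          # "trusted-rfc", "user-password", "basic", "sso2", "anonymous"
    encrypted: bool    # SNC active (DIAG/RFC) or SSL active (HTTP-based)


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    channel: str
    message: str


def audit_channels(channels: List[Channel]) -> List[Finding]:
    """Return findings, highest severity first, then by channel name."""
    findings: List[Finding] = []
    for ch in channels:
        name = f"{ch.src} -> {ch.dst} ({ch.protocol})"
        if ch.protocol not in SAP_NATIVE | HTTP_BASED:
            raise ValueError(f"{name}: unknown protocol")
        if not ch.encrypted:
            mech = "SNC" if ch.protocol in SAP_NATIVE else "SSL"
            # A credential or ticket in the clear is worse than plain data.
            sev = "high" if ch.auth in SECRET_ON_WIRE else "medium"
            findings.append(Finding(
                sev, name, f"no {mech}; {ch.auth} traffic is readable on the network"))
        if ch.auth == "anonymous" and ch.dst == "LSOFE":
            findings.append(Finding(
                "medium", name,
                "anonymous logon to the Learning Portal: the learner cannot be "
                "uniquely assigned in the back end"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.channel))


# Constructed inventory following the guide's communication tables.
SAMPLE_LANDSCAPE = [
    Channel("Browser", "LSOFE", "HTTP", "basic", encrypted=False),
    Channel("Browser", "LSOFE", "HTTP", "anonymous", encrypted=True),
    Channel("LSOFE", "ERP", "RFC", "trusted-rfc", encrypted=False),
    Channel("LSOCP", "ERP", "RFC", "user-password", encrypted=False),
    Channel("LSOCP", "CMS", "HTTP", "basic", encrypted=True),
    Channel("LSOAE", "CMS", "WEBDAV", "basic", encrypted=False),
    Channel("SAP GUI", "ERP", "DIAG", "user-password", encrypted=True),
]

if __name__ == "__main__":
    for f in audit_channels(SAMPLE_LANDSCAPE):
        print(f"[{f.severity}] {f.channel}: {f.message}")
```

Whether SNC is actually active on an RFC destination is visible in SM59 (Logon & Security tab) and for DIAG in the SAP GUI connection entry; SSL on the HTTP side is a property of the ICM and J2EE port configuration. Fill `encrypted` from those sources, not from the architecture diagram.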

Instructor/Tutor

Communication Paths for the Instructor/Tutor Role in the SAP Enterprise Portal: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentication methods of the SAP Web AS/J2EE. |

Communication Paths for the Instructor/Tutor Role in the SAP Enterprise Portal: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
ERP system | HTTP, HTTPS | Single Sign-On ticket (SSO) | The portal user is assigned to a corresponding user in the ERP system. You must create a user in the ERP system for the instructor.


Other Security-Relevant Information

Profile Parameters

To ensure communication between the systems, you must set the following profile parameters using the Profile Parameter Maintenance transaction (RZ11):

mySAP ERP

●   For communication with Single Sign-On tickets (SSO) via RFC connections, you must set login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.
●   For communication with cookies over HTTP connections, you must set the parameter login/create_sso2_ticket in the ERP system.

SAP Web AS ABAP

●   For authentication with SSO2, you must set login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the SAP Web AS ABAP system.
●   If you want to implement the Objective Setting and Appraisals component, you must also set the parameter login/create_sso2_ticket.

For more information, see the documentation for the parameters in transaction RZ11. Note that a value changed dynamically in RZ11 is lost at the next restart unless it is also maintained in the instance profile (transaction RZ10).
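An offline check of those two parameters, added here as an example and not part of the guide or of SAP's tooling: parse_profile() reads the name = value lines of an instance profile (comments start with #, later lines override earlier ones) and check_sso_parameters() applies the rules above per system. It assumes that 1 means "accept" for login/accept_sso2_ticket, that any non-zero value of login/create_sso2_ticket means tickets are created, and that an absent parameter counts as 0; the profile texts are constructed. Because RZ11 can change values dynamically, compare the active value shown in RZ11 with the file as well.

```python
"""Check the two logon-ticket profile parameters the guide names.

Added example, not SAP code. Assumptions: login/accept_sso2_ticket = 1 means
"accept"; any non-zero login/create_sso2_ticket means "create"; a parameter
that is absent from the profile is treated as 0.
"""
import re
from typing import Dict, List

_PARAM = re.compile(r"^([A-Za-z0-9_/.]+)\s*=\s*(.*)$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return parameter -> value; later lines override earlier ones."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def check_sso_parameters(params: Dict[str, str], system: str,
                         must_create_tickets: bool) -> List[str]:
    """Findings for one system.

    must_create_tickets is True when this system has to issue tickets itself,
    for example the ERP system when Objective Setting and Appraisals is used.
    """
    findings: List[str] = []
    accept = params.get("login/accept_sso2_ticket", "0")   # absent -> 0 (assumption)
    create = params.get("login/create_sso2_ticket", "0")
    if accept != "1":
        findings.append(f"{system}: login/accept_sso2_ticket = {accept}, expected 1 "
                        "(SSO2 ticket logon will be refused)")
    if must_create_tickets and create == "0":
        findings.append(f"{system}: login/create_sso2_ticket = 0, but this system "
                        "must issue logon tickets")
    if not must_create_tickets and create != "0":
        findings.append(f"{system}: login/create_sso2_ticket = {create} although "
                        "no component here needs to issue tickets; review")
    return findings


# Constructed sample profiles (not from a real system).
ERP_PROFILE = """
# instance profile (constructed)
login/accept_sso2_ticket = 0
login/create_sso2_ticket = 2   # needed for Objective Setting and Appraisals
"""
FRONTEND_PROFILE = """
login/accept_sso2_ticket = 1
"""

if __name__ == "__main__":
    for f in check_sso_parameters(parse_profile(ERP_PROFILE), "ERP", True):
        print(f)
    for f in check_sso_parameters(parse_profile(FRONTEND_PROFILE), "LSOFE", False):
        print(f)
```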

SAP E-Recruiting

Before You Start

Important SAP Notes

The following table presents the most important SAP Notes regarding security for SAP E-Recruiting.

Important SAP Notes

SAP Note Number | Title | Comment
711701 | Composite SAP note: Security in E-Recruiting |
957038 | Security gap in cross-site scripting |
960728 | Security gap in Cross-Site Scripting |
1017866 | Consulting note: Candidate scenarios using ABAP Web Dynpro | Includes information about the possible system constellations, changing from BSP to Web Dynpro, securing the backend system

For more relevant SAP Notes, see the Security Guide for Personnel Management under Before You Start [page 158].


Technical System Landscape

The following graphics provide an overview of the technical system landscape for SAP E-Recruiting.

[Figure: Functional Architecture. SAP side: backend ERP, back office, internal career page, SAP E-Recruiting. Non-SAP side: recruitment service providers, job boards, other tools, a non-ERP system, and the external career page.]

[Figure: The "E-Recruiting Box". SAP Web AS with database, business partner, SAP E-Recruiting, KPRO and index; TREX as the system for text retrieval.]

Technologies used:

•   Presentation layer: Business Server Pages (BSP), Web Dynpro ABAP, HTML, HTMLB, JavaScript
•   Business Logic: ABAP/OO


[Figure: Front-End and Backend on One System. Candidates (Web browser) reach SAP E-Recruiting from the Internet over HTTP(S) through a firewall and an application gateway / proxy in the DMZ; internal users (browser, SSO optional) and the system administrator (SAP GUI) connect from the intranet. SAP E-Recruiting with its database and TREX exchanges data with mySAP ERP (including PA-AS, HR Administrative Services) over RFC and RFC (ALE), with SAP XI and non-SAP systems, and sends mail over SMTP.]

[Figure: Front-End and Backend on Different Systems. Same topology as above, with the candidate front end and the SAP E-Recruiting backend on separate systems.]

[Figure: Front-End and Backend on Different Systems (SAP E-Recruiting Integrated with ERP). The SAP E-Recruiting backend and the front end for internal candidates run on ERP / SAP NetWeaver in the intranet; the front end for external candidates runs on a separate SAP NetWeaver system in the DMZ whose database holds no relevant data; the front ends communicate with the backend over RFC; candidates reach the external front end over HTTP(S) through the firewall and application gateway / proxy; mail is sent over SMTP.]

User Management

User management for SAP E-Recruiting uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java) such as tools, user types, and password policies. For an overview of how these mechanisms apply for SAP E-Recruiting, see the sections below. In addition, there is a list of the standard users that are necessary for operating SAP E-Recruiting.

User Management Tools

The following table shows the user management tools for SAP E-Recruiting.

User Management Tools

Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your SAP E-Recruiting users. For more information on user profiles and the roles, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration. | Technical Settings for User Management in SAP E-Recruiting
Workflow Settings | For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting. | You use the SAP Workflow.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.

The user types required for SAP E-Recruiting are:

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration → Create Special Users.

●   Reference user

You can create reference users to simplify authorization maintenance. You assign different roles to each reference user. If you then assign a reference user to a user, the user inherits all of the reference user's role attributes and authorization profile.

...

●   Communication user

To enable access to documents in the document area, you create a user that is assigned to the contentserver service (IMG activity: Set Up Access to Documents). This user is a purely technical user, only required for communication with the Web Application Server.

●   Service user

Some scenarios are accessible for registered users only; other scenarios are also accessible for unregistered users (registration, job postings, direct application). You must assign a service user to these services so that an unregistered user can use them.

●   Background user for workflow

To be able to use the workflow functions, you must create a system user (such as WF-BATCH) in the standard system.

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.

In SAP E-Recruiting you must also assign this user (in addition to the other users) to a candidate. You can do this by using the RCF_CREATE_USER report.

●   Standard user

For information about the following themes, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration:

○   User profile
○   Roles (transaction PFCG)
○   Special users


Authorizations

SAP E-Recruiting uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP E-Recruiting.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user management console for SAP Web AS Java.

Standard Roles

The following table shows the standard roles that are used by SAP E-Recruiting.

Standard Roles for User Interfaces with BSP Technology

SAP_RCF_BUSINESS_ADMINISTRATOR (Administrator)
    Administrator for SAP E-Recruiting.

SAP_RCF_CONTENT_SERVER (Search Engine Access)
    Access to the Search and Classification (TREX) search engine.

SAP_RCF_DATA_TYPIST (Data Entry Clerk)
    The role contains the authorization for minimum data entry for incoming paper applications.

SAP_RCF_DECISION_MAKER (Decision Maker)
    The decision maker answers questionnaires about candidates who are assigned to requisitions. In the questionnaires, the decision maker is asked for his or her opinion.

SAP_RCF_EXTERNAL_CANDIDATE (External Candidate)
    This role may only display its own data. The role can only see job postings that you published via publications using the external posting channels.

SAP_RCF_INTERNAL_CANDIDATE (Internal Candidate)
    This role may only display its own data. The role can only see job postings that you published via publications using the internal posting channels.
    The role does not have access to the following data:
    ●   Requisition data
    ●   Posting data
    ●   Application data
    ●   Data for the selection process

SAP_RCF_MANAGER (Manager)
    This role is required so that managers can access SAP E-Recruiting from the Portal (Manager Self-Service).
    The manager wants to fill the vacant jobs in his or her area. To do this, the manager creates requisitions with the status In Process that are then processed further by recruiters.
    The role has access to the following data:
    ●   Candidate data: The manager can see only the candidate data that is assigned to requisitions for which the manager is responsible.
    ●   Requisition data and data for selection processes: The manager can only see data for which he or she is responsible.
    The role also contains the authorization to respond to questionnaires about candidates that are assigned to the relevant requisitions.

SAP_RCF_MANAGER_ASSISTANT (Manager's Assistant)
    This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.

SAP_RCF_RECRUITER (Recruiter)
    The role has access to the following data:
    ●   Candidate data: The data is displayed for all candidates who stored their data in the Talent Pool.
    ●   All publications
    ●   All requisition data
    ●   All application data
    ●   All data for the selection processes
    The role also contains the authorization for minimum data entry for incoming paper applications.

SAP_RCF_SUCCESSION_PLANNER (Succession Planner)
    This role contains the following aspects:
    ●   Display of all candidates that are part of the Talent Pool
    ●   Requisition data (succession plan data): Shows all requisitions of the Succession Planning subarea in the system
    ●   Candidacy data: Shows all candidacies that were created in the system within Succession Planning
    Applications, job postings, and publications are not required for this role.

SAP_RCF_REST_SUCCESSIONPLANNER (Restricted Succession Planner)
    Succession planner without the authorization to release succession plans. An approval process is required for this.

SAP_RCF_REQUISITION_REQUESTER (Requester)
    The requester creates requisitions and sends them with the status In Process to a recruiter, who then completes the requisition, phrases the job posting, and releases both.

SAP_RCF_RESTRICTED_RECRUITER (Restricted Recruiter)
    Recruiter without the authorization to release requisitions. An approval process is required for this.

SAP_RCF_TALENT_CONSULTANT (Talent Consultant)
    This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.

SAP_RCF_UNREGISTERED_CANDIDATE (Unregistered Candidate, Service User)

Standard Roles for User Interfaces with Web Dynpro ABAP

SAP_RCF_UNREG_CANDIDATE_CLIENT (Unregistered Candidate, Client)
    This role contains the necessary authorizations for unregistered candidates/service users that are required on the front-end system when using a separated system (front-end and backend on different systems).

SAP_RCF_UNREG_CANDIDATE_SERVER (Unregistered Candidate, Server)
    This role provides the necessary authorizations for an unregistered candidate/service user in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).


    of direct access a user can have to the candidates in the Talent Pool.
    The following ways to access the candidate pool directly are available:
    ●   Status-Independent Access to Candidates (DIRECT_ACC)
    ●   Recognition of Multiple Applicants (DUPL_CHECK)
    ●   Maintenance of Candidate Data (CAND_MAINT)

P_RCF_STAT (field RCF_STAT)
    Authorization object that specifies within SAP E-Recruiting the authorization for status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).

P_RCF_ACT (field ACTVT; values: Add or Create, Change, Delete)
    Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is identified through the assigned process and through the activity type.

P_RCF_WL (field RCF_WL_ID)
    Authorization object that specifies within SAP E-Recruiting which worklists a user can access in the Dashboard.

Additional Standard Authorization Objects when Using Web Dynpro ABAP

S_RFC (fields ACTVT, RFC_NAME, RFC_TYPE)
    Authorization object for RFC access. (For more information, see the documentation for authorization object S_RFC.)

S_RFCACL (fields ACTVT, RFC_CLIENT, RFC_EQUSER, RFC_INFO, RFC_SYSID, RFC_TCODE, RFC_USER)
    Authorization check for RFC users (for example, Trusted System). This object decides which calling system, client and user a trusting system accepts without a password, so its values should name the front-end system and client explicitly rather than use wildcards. (For more information, see the documentation for authorization object S_RFCACL.)

S_ICF (field ICF_FIELD; value SERVICE)
    Authorization checks for using services in the Internet Communication Framework (SICF), for calling remote function modules using an RFC destination (SM59), and for configuring proxy settings (SICF). (For more information, see the documentation for authorization object S_ICF.)
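The S_RFCACL check above decides which remote users a trusted calling system may log on as. The following Python script, added here as a worked example and not part of the SAP guide, audits the field values of S_RFCACL authorizations in the shape a role administrator would export them from PFCG. The role names and values are constructed, and the rules (no '*' in RFC_SYSID or RFC_CLIENT, and RFC_EQUSER set to 'Y' unless a specific technical user is intended) are this example's least-privilege reading of the object, not settings taken from the guide.

```python
"""Audit S_RFCACL authorization values for over-broad trusted-RFC access.

Added example for this security guide, not SAP code. The field names are
those of S_RFCACL as listed above; the sample records are constructed to
look like the values a PFCG role carries, and the rules below are this
example's reading of least privilege for a trusted-system relationship:
name the calling system, client and user explicitly, and require the same
user ID (RFC_EQUSER = 'Y') unless a specific technical user is intended.
"""
from dataclasses import dataclass
from typing import Dict, List

S_RFCACL_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER", "RFC_EQUSER",
                   "RFC_TCODE", "RFC_INFO", "ACTVT")


@dataclass
class RoleAuthorization:
    role: str                 # PFCG role name (constructed)
    values: Dict[str, str]    # field -> single value or '*'


def check_s_rfcacl(values: Dict[str, str]) -> List[str]:
    """Return findings for one S_RFCACL authorization; empty list if it is tight."""
    findings: List[str] = []
    for f in S_RFCACL_FIELDS:
        if f not in values:
            findings.append(f"{f} missing: field is not restricted at all")
    if values.get("RFC_SYSID") == "*":
        findings.append("RFC_SYSID '*': calls from any system ID are trusted")
    if values.get("RFC_CLIENT") == "*":
        findings.append("RFC_CLIENT '*': calls from any client of the calling system are trusted")
    eq_user = values.get("RFC_EQUSER", "")
    if eq_user not in ("Y", "N"):
        findings.append(f"RFC_EQUSER {eq_user!r}: expected 'Y' (same user ID) or 'N'")
    elif eq_user == "N" and values.get("RFC_USER") == "*":
        findings.append("RFC_EQUSER 'N' with RFC_USER '*': any remote user may log on as this user")
    return findings


def audit(auths: List[RoleAuthorization]) -> Dict[str, List[str]]:
    """Map each role to its findings, including roles that are clean."""
    return {a.role: check_s_rfcacl(a.values) for a in auths}


# Constructed sample: a tight trust for the front-end system and a wildcard role.
SAMPLE_AUTHORIZATIONS = [
    RoleAuthorization("Z_RCF_TRUST_FROM_FRONTEND", {
        "RFC_SYSID": "ERF", "RFC_CLIENT": "100", "RFC_USER": "*",
        "RFC_EQUSER": "Y", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16",
    }),
    RoleAuthorization("Z_RFCACL_WILDCARD", {
        "RFC_SYSID": "*", "RFC_CLIENT": "*", "RFC_USER": "*",
        "RFC_EQUSER": "N", "RFC_TCODE": "*", "RFC_INFO": "*", "ACTVT": "16",
    }),
]

if __name__ == "__main__":
    for role, findings in audit(SAMPLE_AUTHORIZATIONS).items():
        print(role, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

RFC_USER '*' together with RFC_EQUSER 'Y' is not flagged: it means "any user, but only the same user ID as in the calling system", which is the usual shape of a trusted relationship between the separated front-end and backend. The same value with RFC_EQUSER 'N' lets every user of the trusted system impersonate every user of the trusting one.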

Communication Channel Security

Use

The table below shows the communication paths used by SAP E-Recruiting, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication path: Front-end client that uses SAP GUI for Windows for the application server
Protocol used: DIAG
Type of data transferred: All Customizing data
Data requiring special protection: Passwords

Communication path: Front-end client that uses a Web browser for the application server
Protocol used: HTTP, HTTPS
Type of data transferred: All application data
Data requiring special protection: Passwords

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol, that is, HTTPS. The RFC connections listed under Communication Destinations, including the connection between a separated front-end and backend, carry candidate and HR master data and should be protected with SNC in the same way.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
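As an added example that is not part of the SAP guide, the following Python script checks an instance-profile excerpt for the settings that decide whether the DIAG, RFC and HTTP paths above are actually protected. The profile text is constructed; the parameter names snc/enable, snc/data_protection/min, snc/accept_insecure_gui, snc/accept_insecure_rfc and icm/server_port_<n> are standard SAP NetWeaver AS ABAP parameters that the guide itself does not list, and the thresholds are this example's assumptions about a hardened system.

```python
"""Flag instance-profile settings that leave DIAG/RFC or HTTP unprotected.

Added example for this security guide, not SAP code. It parses a constructed
excerpt in the 'parameter = value' format of an SAP instance profile. The
parameter names are standard SAP NetWeaver AS ABAP parameters for SNC and
the ICM; the thresholds (encryption required, no insecure fallback, no plain
HTTP listener) are this example's assumptions about a hardened system.
"""
import re
from typing import Dict, List

# Constructed excerpt, not taken from a real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ERC
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=8443,TIMEOUT=60
"""

# snc/data_protection/* levels: 1 = authentication, 2 = integrity, 3 = privacy
PRIVACY = 3


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_icm_port(value: str) -> Dict[str, str]:
    """'PROT=HTTPS,PORT=8443,TIMEOUT=60' -> {'PROT': 'HTTPS', 'PORT': '8443', ...}"""
    return dict(part.split("=", 1) for part in value.split(",") if "=" in part)


def check_profile(params: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    if params.get("snc/enable", "0") != "1":
        findings.append("snc/enable is not 1: DIAG and RFC run without SNC")
    else:
        if int(params.get("snc/data_protection/min", "0")) < PRIVACY:
            findings.append("snc/data_protection/min below 3: SNC may run without encryption")
        if params.get("snc/accept_insecure_gui", "0") != "0":
            findings.append("snc/accept_insecure_gui allows SAP GUI logons without SNC")
        if params.get("snc/accept_insecure_rfc", "0") != "0":
            findings.append("snc/accept_insecure_rfc allows RFC logons without SNC")
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            port = parse_icm_port(value)
            if port.get("PROT", "").upper() == "HTTP":
                findings.append(f"{key}: plain HTTP listener on port {port.get('PORT', '?')}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(parse_profile(SAMPLE_PROFILE)):
        print("-", finding)
```

A plain HTTP listener is sometimes intentional when, as in the landscape above, an application gateway in the DMZ terminates HTTPS in front of the server; treat that finding as a prompt to verify the proxy configuration rather than as a defect in itself. The profile covers only the server side: SNC also requires the SAP GUI and RFC clients to present the matching SNC name.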

Communication Destinations

The following table provides an overview of the communication destinations that SAP E-Recruiting uses.

You use the following communication destinations depending on which application you use to manage your HR master data:

●   If you use the SAP GUI transactions to maintain HR master data (for example, transactions PA*), communication with SAP E-Recruiting runs via RFC connections.

●   If you use the HR Administrative Services application, communication with SAP E-Recruiting runs via SAP NetWeaver PI (Process Integration).

Communication Destinations

Destination: SAP E-Recruiting to SAP Human Resources Management
Delivered: No
Type: RFC
User, authorizations: See Implementation Guide (IMG)
Description: IMG: SAP E-Recruiting → Recruitment → Applicant Tracking → Activities → Set Up Data Transfer for New Employees

Destination: From SAP Human Resources Management to SAP E-Recruiting
Delivered: No
Type: RFC
User, authorizations: See IMG
Description: SAP E-Recruiting → Technical Settings → SAP ERP Central Component (ECC) Integration → Software Runs on Different Instances → Set Up Data Transfer from SAP ECC

Destination: From SAP E-Recruiting to TREX
Delivered: No
Type: RFC
User, authorizations: See IMG SAP E-Recruiting → Technical Settings → User Administration → Create Special Users
Description: SAP E-Recruiting → Technical Settings → Search Engine → Set Up Search Engine for E-Recruiting

Destination: From SAP E-Recruiting to HR Administrative Services
Delivered: No
Type: XI messages
Description: Transfer external candidate's data when hiring

Destination: From HR Administrative Services to SAP E-Recruiting
Delivered: No
Type: XI messages
Description: Return personnel number of former external candidate to SAP E-Recruiting

Changes to the HR master data are transferred to SAP E-Recruiting using the master data distribution in the ALE scenario.

The following table provides an overview of the communication destinations that SAP E-Recruiting uses if you want to use Web Dynpro ABAP to separate the front-end from the backend for the candidate scenarios (front-end and backend on different systems).


Communication Destinations for Separated Systems

Destination: SAP E-Recruiting (front-end) to SAP E-Recruiting (backend)
Delivered: No
Type: RFC
User, authorizations: See IMG SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Front-End Candidate → Enter RFC Destination of Receiving Backend System
Description: You enter the RFC destination as the value of the RECFA UI2BL parameter.

Destination: SAP E-Recruiting (backend) to SAP E-Recruiting (front-end)
Delivered: No
Type: RFC
User, authorizations: See IMG SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Backend Candidate → Specify System Parameters for Web Dynpro
Description: You enter the RFC destination as the value of the RECFA BL2UI parameter.

Data Storage Security

The SAP E-Recruiting data is saved as follows:

●   If you use SAP E-Recruiting integrated with other SAP applications, the data is saved in the SAP Web AS or SAP ECC databases.

●   If you use SAP E-Recruiting as a standalone application, the data is saved directly in the SAP E-Recruiting databases. You do not require any other databases in addition to this standard.

The application uses a Web browser. The SAP Web AS must issue cookies as well as accept them.

When you use Web Dynpro ABAP as the interface technology and the front-end and backend are separated on different systems, the system generates the URLs based on the backend system, as the data is stored there. When generating the URL, you can use the database table HTTPURLLOC (HTTP URL Location Exception Table) to replace the actual server name with another one. In this way, it is possible to use a proxy server or similar to access documents. Without such an entry, URLs handed to external candidates contain the host name of the backend system, which the landscape above keeps in the intranet behind the DMZ.

Defense Forces & Public Security

Before You Start

Basic Recommendations

The Defense Forces & Public Security component is based on the SAP ERP Central Component. For this reason, the relevant Security Guide also applies. The Security Guide for the Defense Forces & Public Security component contains only information about component-specific features.

Technical System Landscape

Use

For a presentation of the multilevel system landscape, see the documentation for mySAP ERP in SAP Library under Defense Forces & Public Security → Support for the Domestic Base and Operations and Exercises → System Architecture and Offline Capabilities.

User Administration and Authentication

The Defense Forces & Public Security component uses the user administration and authentication mechanisms of the SAP NetWeaver platform, in particular of the SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the Defense Forces & Public Security component.


●   The personnel development process

User group for defining the qualification block hierarchy, that is, the grouping of qualifications according to business criteria.

For master data maintenance, the guidelines in the Security Guide for Personnel Management (PA) [page 158] apply.

Authorizations

The Defense Forces & Public Security component uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Defense Forces & Public Security.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine's user administration console for SAP Web AS Java.

Standard Roles

Roles and authorization profiles are not defined for Defense Forces & Public Security.

Standard Authorization Objects

The following table presents the authorization objects relevant for security that are used by the Defense Forces & Public Security applications.

Standard Authorization Objects

Authorization Object   Class   Description
C_DRAW_TCD             CV      Authorization for Document Activities
C_KLAH_BKP             CLAS    Authorization for Class Maintenance
C_TCLA_BKA             CLAS    Authorization for Class Types
EXTBAT_CRE             LO      Create External Batch Structure for Purchase Orders
EXTBAT_MNT             LO      Change External Batch Structures
I_ROUT                 PM      PM: Task Lists
I_TCODE                PM      PM: Transaction Code
PLOG                   HR      Personnel Planning
C_PVS_PNID             PPE     iPPE Node: External Key
C_PVS_PNTY             PPE     iPPE Node: Type
C_PVS_PVID             PPE     iPPE Variant: External Key
C_PPE_PAID             PPE     iPPE Alternative: External Key
C_PVS_PATY             PPE     iPPE Alternative: Type
C_PVS_PVTY             PPE     iPPE Variant: Type
S_SCD0                 BC_Z    Change Documents
S_TCODE                AAAB    Transaction Code Check at Transaction Start
DF_FOR_REL             DFPS    Force Element: Relationships
M_MATE_STA             MM_G    Material Master: Maintenance Statuses
M_MATE_WRK             MM_G    Material Master: Plants
M_MSEG_BMB             MM_B    Material Documents: Movement Type
M_MSEG_MWB             MM_B    Material Documents: Plant
M_MSEG_BWA             MM_B    Goods Movements: Movement Type
M_MSEG_LGO             MM_B    Goods Movements: Storage Location
M_MSEG_WWA             MM_B    Goods Movements: Plant

In addition, Defense Forces & Public Security uses the Human Resources authorization objects. For more information, see the description of the Human Resources authorization objects, in particular those for Personnel Management.

Network and Communication Security

Subareas of Defense Forces & Public Security use the standard functions in the infotype framework for Personnel Administration and Personnel Development. For more information, see the Security Guide for Personnel Management.

In the case of the material assignment function, the existing interfaces (BAPIs) are used to communicate with applications outside of Human Resources, such as Materials Management.

Data Storage Security

Data is stored in databases in the SAP system. For general information about the security of the data storage, see, for example, the Security Guide for Personnel Management.

Note that the following infotypes may contain sensitive data:

●   Personal Features (0804)

●   Sanctions (0802)


Appendix

For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.

You can also access additional security guides via SAP Service Marketplace at service.sap.com/securityguide.

For more information about security issues, see SAP Service Marketplace at service.sap.com followed by:

Topic: Master guides, installation guides, upgrade guides, and Solution Management guides
SAP Service Marketplace: /instguides, /ibc

Topic: Related notes
SAP Service Marketplace: /notes

Topic: Platforms
SAP Service Marketplace: /platforms