SECURITY GUIDE
SAP Solution Manager 7.0 as of SP16
Scenarios: Service Desk, Implementation of SAP Solutions, Upgrade of SAP Solutions, Change Management, Solution Monitoring, Delivery of SAP Services, Root Cause Analyses
April 2008
Target Audience: Technology consultants, System administrators
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic Server™ are trademarks of IBM Corp. in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
J2EE™ is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP Markets and Commerce One. All other product and service names mentioned are the trademarks of their respective owners.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this documentation at the following address: http://service.sap.com/instguides
SAP AG, Neurottstraße 16, 69190 Walldorf, Germany, T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com
Security Guide: SAP Solution Manager 7.0
April 2008 3
Typographic Conventions
Type Style | Represents
Example Text | Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation
Example text | Emphasized words or phrases in body text, titles of graphics and tables
EXAMPLE TEXT | Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text | Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT | Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Icons
Icon meanings: Caution, Example, Note, Recommendation, Syntax
Content
History of Changes
Quick Links to Additional Information
Recommendations for Additional Components
Introduction
System Landscape
Network and Communication Security
User Administration and Authentication
Authorizations
Background Jobs
Trace and Log Files
APPENDIX
Security Parameters for Individual Scenarios
Examples Authorization Restriction
History of Changes
This Security Guide is updated with each new Support Package Stack in SAP Service Marketplace at service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>. This document is not included as part of the Installation Guide, Configuration Guide, Sizing Guide or Upgrade Guide. These guides are only relevant for a certain phase of the software life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases. The Solution Manager is built on mySAP Customer Relation Management 2005 and SAP NetWeaver. Therefore, the corresponding Security Guides also apply to the Solution Manager. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below. For a complete list of the available SAP Security Guides, see the Quick Link: securityguide on the SAP Service Marketplace.
Information on Solution Manager Diagnostics may not be complete in this Guide. For security topics on Diagnostics, see: service.sap.com/diagnostics -> Installation and Upgrade. Make sure you have the latest version of the Security Guide.
The following table provides an overview of the most important changes that were made in the latest versions:
Date of Update | Topic
This Security Guide is based on the currently available Guide: Authorization Concept of SAP Solution Manager as of SP09
Topic on Authorization moved from Configuration Guide to Security Guide and/or IMG (transaction SPRO), e.g. roles moved to additional documentation in IMG documents (e.g. roles for scenario Issue Management can be found either in the overview on roles in the Security Guide or in more detail in the corresponding IMG documentation for Issue Management)
New roles for solution authorization. Authorization object D_SOL_VSBL is now included in roles SAP_SM_SOLUTION_*. The authorization object is deactivated in all other roles. See chapter Roles in Solution Manager for an overview. It needs to be granted in addition to the role for the functionality, e.g. Maintenance Optimizer. See examples in the APPENDIX
New roles for: Job Scheduling; Issue Management; Maintenance Optimizer (additional)
See chapter: Roles in Solution Manager.
New roles for Work Center approach, see chapter Work Center Roles and the corresponding example.
SP15 06.02.2008
Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See chapter Communication Destinations.
SP16: New roles for:
- Solution Documentation Assistant. See chapter Roles in Solution Manager and chapter Work Center Roles
- Third Party Product: BMC AppSight for SAP Client Diagnostics. See chapter Roles in Solution Manager.
28.04.2008: Name change: SAP Solution Manager 4.0 becomes SAP Solution Manager 7.0
Documentation types in the software life cycle:
For a detailed overview of which documentation is relevant for each individual phase, see SAP Note 1088980. We strongly recommend that you use the documents available here. The guides are regularly updated.
Quick Links to Additional Information
Content | Note
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Technical infrastructure / Network security | service.sap.com/network
SAP Solution Manager | service.sap.com/solutionmanager
Recommendations for Additional Components
The following table lists further useful information for additional components:
Content | Note
Diagnostics | See the corresponding documents for installation and configuration: service.sap.com/diagnostics
System Landscape Directory | service.sap.com/sld
Software Lifecycle Manager | service.sap.com/slm
Adobe Document Services | service.sap.com/adobe
Business Intelligence | service.sap.com/bi
SAP Quality Center by HP | service.sap.com/solutionmanager
SAP Redwood Job Scheduling | service.sap.com/job-scheduling
Master Guide SAP NetWeaver 7.0 | service.sap.com/installNW70
One Transport Order | service.sap.com/solutionmanager -> Media Library -> Technical Papers
Help on Application Usage for Solution Manager; Links to further documentation for SAP NetWeaver, SAP Business Suite | help.sap.com
Help on SAP NetWeaver (ABAP and Java) for additional components | help.sap.com/nw70 -> Functional View -> Solution Lifecycle Management -> Software Lifecycle Management
Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Solution Manager. To assist you in securing SAP Solution Manager, we provide this Security Guide.
Therefore, when analyzing the security risk for Solution Manager and your system landscape, you should be able to answer the following questions:
- What are your security requirements in regard to availability, confidentiality and data integrity?
- Are there any threats (and their relevance) that could compromise your security?
- What are the measures (and costs) that are to be undertaken to safeguard the system?
System Landscape
Architecture
Solution Manager works with the ABAP stack and, for Solution Manager Diagnostics only, the Java stack. It runs on an SAP CRM-5.0 Server. To use Solution Manager you need SAP GUI or a Web browser (for work center functionality). Communication with other systems works via RFC technology and via Web Services. For more information on the appropriate usage types, see Master Guide Solution Manager on service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>.
The figure below shows an overview of the technical system landscape for the Solution Manager (including its satellite systems and SAP Service and Support).
[Figure: Technical system landscape. Areas shown: Satellite System(s), Solution Manager System, Content Development at SAP, SAP Service & Support. Components shown: Business Process Repository (BPR), Knowledge Warehouse (KW), Product Planning and Maintenance System (PPMS), Master Component Repository (MCR), Software Lifecycle Management (SLM), SAP Solution Manager, SAP Change Manager, Service Delivery, Problem Message Handling, Process Management Infrastructure (PMI), Computing Center Management System (CCMS), Service Data Control Center (SDCC), Implementation Guide (IMG), System Landscape Directory (SLD), CRM Server, Support Desk, Change Request Manager.]
Scenarios
Solution Manager is a tool which supports your whole product life-cycle, that is the life-cycle of your business processes and systems within ONE single system/platform. According to these aspects of the product life-cycle, various scenarios can be differentiated. A scenario describes a grouping of functionalities which support the sequential and logical relationships of processes within the life-cycle of the product. Therefore, we differentiate between scenarios (e.g. 1. Implementation/Upgrade of SAP Solutions), processes (e.g. Roadmap) and additional functionalities (e.g. Document Management).
Implementation/Upgrade of SAP Solutions: Roadmap, Project Management, Business Blueprint, Configuration, Test Management, E-Learning, Solution Documentation Assistant
Solution Monitoring: EarlyWatch Alert, Service Level Reporting, System Administration, System Monitoring, Bus. Process Monitoring, Solution Reporting
Job Scheduling
Change Management: Maintenance Optimizer, Change Request Management
Service Desk: Service Desk Standard Usage, Service Providers, Third Party Interface
Delivery of SAP Services: Issue Management, Onsite/Remote Service, Service Plan, Expert-on-Demand
Root Cause Analyses
PLUS: System Landscape (SMSY), Service Data Control Center (SDCCN), Solution Design (SOLMAN_DIRECTORY), Customizing Distribution, Rollout, Work Center, BI - Analysis, Third Party Product Integration
Network and Communication Security
Network Topology
Your network infrastructure is extremely important in protecting your system. It needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.
Communication Channels
The table below shows the communication channels used by the Solution Manager, the protocol used for the connection, and the type of data transferred.
Communication Channel | Protocol used | Type of Data transferred
Solution Manager to OSS | RFC | Exchange of Problem messages, Retrieval of Services
Solution Manager to OSS Secure Area | HTTP(S) | Logon data to systems opened for SAP Support
Solution Manager to Satellite Systems and back | RFC | see chapter RFC connections
Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes
Solution Manager Support Desk to Third Party Support Desks | SOAP | Problem Messages
Solution Manager to Quality Center by HP | SOAP | Test Requirements
Communication Destinations
The figure below shows an overview of the communication destinations used by Solution Manager (including its satellite systems, Third Party Products and SAP Service and Support):
[Figure: Communication destinations. Labels shown: SAP, Customer, SAP SMP, OSS (O01), SAP Solution Manager, SAP Systems, Third Party Products; connections labelled http(s) and RFC; RFC destinations SAPOSS, SAP-OSS, SAP-OSS-LIST-O01, SDCC-OSS; SM_<SID>CLNT<client>_LOGIN, SM_<SID>CLNT<client>_READ, SM_<SID>CLNT<client>_TRUSTED, SM_<SID>CLNT<client>_TMW; BPM_LOCAL_<client>; SM_<SID>CLNT<client>_BACK.]
The table below shows an overview of communication destinations used by the Solution Manager for RFC communications.
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use (Scenario) | How Created
To SAPNet R/3 Frontend
SAPOSS (ABAP connection) | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction "OSS1"
SAP-OSS (ABAP connection) | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP (Scenario: Service Desk); Synchronize System Data with Support Portal and send data about satellite systems (SMSY); Transfer of Solution, Issue data transfer feedback to SAP (Scenario: Service Delivery); Service Connection | Transaction SOLUTION_MANAGER; Menu path: Edit -> Global Settings
SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | S-User (Customer-specific) | Retrieve information about which messages have been changed at SAP (Scenario: Service Desk) | Transaction SM59
SDCC_OSS (ABAP connection) | (will be generated) See SAP Note 763561 | | | | Used by the Service Data Control Center to communicate with the SAP Net R/3 Frontend system; Update Service Definitions (Scenarios: Solution Monitoring for EWA and Service Plan) | A copy of the SAPOSS destination to SDCC_OSS; a new user is used SDCC_NEW with Password: download.
SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Send EarlyWatch Alerts (Scenarios: Solution Monitoring for EWA and Service Plan) | A copy of the SAPOSS destination to SAPNET_RFC
SAP-SMP (HTTP connection) | Target host: websmp230.sap-ag.de; Service no. 80; Path prefix: /sap/bc/bsp/spn/swdc/slm/ | | 001 | S-User (Customer-specific) | To send an up-to-date version of the component ST-SER for delivery of Services by SAP Active Global Support (Scenario: Service Delivery) | Transaction SM59
SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S/<XX>/sapservX/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL) (Scenario: Service Delivery) | Created automatically by RTCCTOOL. copy of SAPOSS
<SM_SP>_<customer number | /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001 | 01 | 001 | S-User (Customer specific, no authorization needed) | Service Desk -> Value Added Reseller | You automatically create customer RFCs based on RFC SAP-OSS via Report
To Satellite System from Solution Manager System
SM_<SID>CLNT<client>_LOGIN (ABAP connection) | Satellite System | Customer-specific | Customer-specific | empty | Execute Transactions. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY
SM_<SID>CLNT<client>_READ (ABAP connection) | Satellite System | Satellite System-specific | Satellite System-specific | Default user: SOLMAN<SID><Client> (will be generated) | For read access. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY
SM_<SID>CLNT<client>_TRUSTED (ABAP connection) | Satellite System | Satellite System-specific | Satellite System-specific | empty | Log on through a trusted connection. Scenarios: Solution Monitoring and Implementation and Distribution | Transaction SMSY
SM_<SID>CLNT<client>_TMW (ABAP connection) | Satellite System | Satellite System-specific | Satellite System-specific | Default user: SOLTMW<SID><Client> (will be generated) | For creating, releasing transport requests | Transaction SMSY
From Satellite System to Solution Manager System
SM_<SID>CLNT<client>_BACK (ABAP connection) | Solution Manager System | Customer-specific | Customer-specific | Default user: SOLMAN<SID> (will be generated) | Send Service Desk messages, send session data, check locked customizing objects. Scenarios: Service Desk, Solution Monitoring and Implementation and Distribution | Transaction SMSY
Local System (Solution Manager)
BPM_LOCAL_<CLIENT> (ABAP connection) | empty | empty | Client used for Business Process Monitoring | SM_BPMO (Customer-specific); SAP_SM_BPMO_COMP includes SAP_SM_S_CSMREG (acc. to profile: S_CSMREG), SAP_SUPPDESK_CREATE and SAP_IDOC_EVERYONE | Business Process Monitoring (Scenario: Solution Monitoring) | During Business Process Monitoring Setup
CCMSPING.<server> | | | | CSMREG | Service Level Reporting with CCMSping (Registered Server Program -> Program ID: <server>.ccmsping.00) |
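One way to check an RFC destination inventory against the satellite-system rows of the table above, as an added Python example that is not part of SAP's guide. The semicolon-separated export with the columns destination and logon_user is an assumed format, the sample rows are constructed, and checking only the SOLMAN/SOLTMW prefix of the generated users is a simplification.

```python
import csv
import io
import re
from typing import List, NamedTuple, Optional, Tuple

# Naming convention from the table: SM_<SID>CLNT<client>_<type>.
# A SID is three characters (letter first) and a client is three digits.
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_"
    r"(?P<kind>LOGIN|READ|TRUSTED|TMW|BACK)$"
)

# Logon user the table lists per destination type. "" means the table
# shows the logon user as empty; otherwise the value is the prefix of the
# generated default user (SOLMAN... or SOLTMW...).
EXPECTED_USER_PREFIX = {
    "LOGIN": "",
    "TRUSTED": "",
    "READ": "SOLMAN",
    "TMW": "SOLTMW",
    "BACK": "SOLMAN",
}

# Constructed sample inventory (hypothetical export format, invented values).
SAMPLE_EXPORT = """\
destination;logon_user
SM_PRDCLNT100_LOGIN;
SM_PRDCLNT100_READ;SOLMANSMP100
SM_PRDCLNT100_TRUSTED;JSMITH
SM_PRDCLNT100_TMW;SOLTMWSMP100
SM_QASCLNT200_READ;BATCHADM
SM_QASCLNT200_BACK;
SM_DEVCLNT30_READ;SOLMANSMP100
SAPOSS;OSS_RFC
"""


class Finding(NamedTuple):
    destination: str
    issue: str


def parse_destination(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (SID, client, type), or None if the name breaks the convention."""
    match = DEST_RE.match(name)
    if match is None:
        return None
    return match["sid"], match["client"], match["kind"]


def audit_destinations(export_text: str) -> List[Finding]:
    """Compare each SM_* destination's stored logon user with the table."""
    findings = []
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    for row in reader:
        name = (row.get("destination") or "").strip().upper()
        user = (row.get("logon_user") or "").strip().upper()
        if not name.startswith("SM_"):
            continue  # SAPOSS, SAP-OSS, BPM_LOCAL_* and others are out of scope
        parsed = parse_destination(name)
        if parsed is None:
            findings.append(
                Finding(name, "name does not match SM_<SID>CLNT<client>_<type>"))
            continue
        kind = parsed[2]
        prefix = EXPECTED_USER_PREFIX[kind]
        if not prefix and user:
            findings.append(Finding(
                name, f"{kind} destination stores logon user {user}; "
                      "the table lists it as empty"))
        elif prefix and not user:
            findings.append(Finding(
                name, f"{kind} destination has no logon user; "
                      f"the table lists a generated {prefix}* user"))
        elif prefix and not user.startswith(prefix):
            findings.append(Finding(
                name, f"{kind} destination uses {user} instead of a "
                      f"generated {prefix}* user"))
    return findings


if __name__ == "__main__":
    for finding in audit_destinations(SAMPLE_EXPORT):
        print(f"{finding.destination}: {finding.issue}")
```
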
You can find the current list of all ports used by SAP in the document "TCP/IP Ports Used by SAP Applications". You can find the document in SAP Service Marketplace: service.sap.com/security -> Security in Detail -> Infrastructure Security.
The following table displays all used TCP/IP Default Ports for Solution Manager Diagnostics:
Columns: System; Ports used on Solution Manager Diagnostics Server; Ports used on each monitored Satellite System; Open in SAProuttab
ABAP Gateway: 33nn (nn: instance no.), e.g. 3301
HTTP Port of J2EE Engine: 5nn00 (nn: instance no. of SMD), e.g. 50100; 5nn00 (nn: instance no. of managed system), e.g. 50200; X
P4: 5nn04 (nn: instance no. of SMD), e.g. 50104
Database: depends on DBMS, e.g. 1433 on MS SQL Server
Introscope: 6001 (Listener port); 6001
LoadRunner: 5001 (Load Generator)
J2EE standalone logviewer: 26000. For details, refer to Advanced Diagnostics Setup Guide
SSL (Secure Socket Layer) for HTTP Connections
BSP Applications and WebDynpro technology
Interfaces maintenance such as BSP and WebDynpro need HTTP/S. Web Dynpro for ABAP (WD4A, WDA) is the SAP standard UI technology for developing Web applications in the ABAP environment.
Most scenarios in Solution Manager use either BSP or WebDynpro technology. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) to operate communications between systems through the Internet. You do not need any additional SAP program libraries (other than the SAP Web Application Server). The only condition is that your system platform is Internet-compliant. This scenario gives you a maximum amount of flexibility in responding to varying communication requirements.
Communications operated through the ICF have the following benefits:
- Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces.
- Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location. After you install the Web Application Server, all Internet Communication Framework (ICF) services are delivered as inactive for security reasons. To activate them, see IMG for Solution Manager -> Basic Settings -> Standard Configuration -> Activate HTTP Services (transaction SPRO).
- Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.
Setting up SSL
It is strongly recommended to set up SSL for NetWeaver AS and Java (e.g. for Maintenance Optimizer and SLM it is necessary). See: Online Help on System Security for SAP Web AS ABAP and Java on service.sap.com/security -> Media Library -> Literature.
Relevant information sources
Information Source | Note
SAP Note 510007 | Setting Up SSL on the Web Application Server (Procedure on how to set up SSL)
SAP Note 1000000 | Web Dynpro ABAP FAQ (General authorization checks for services and applications available over the ICF)
SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (If you create an error message for WebDynpro ABAP under component BC-WD-ABA, see the checklist in the SAP Note)
SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT
Application help for security topics connected to ICF - Services | help.sap.com/nw2004s
Installation Guide | service.sap.com/instguides -> SAP Components -> SAP Solution Manager <current release>.
System Security for SAP Web AS ABAP and Java (Help on setting up system security for ABAP and Java) | service.sap.com/security -> Media Library -> Literature
HTTP Connect Service for SAP Support
Due to the firewall between customer systems and SAP systems, it is not possible to display pages of BSPs or WebDynpro applications in SAP Solution Manager using standard Service or Support connections. To receive Support from SAP for these technology types you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note 1072324.
You need to maintain this connection for onsite and remote support. You should secure this HTTP connection to remote support with HTTPS.
User Administration and Authentication
General
The Solution Manager uses the User Management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server ABAP. If you use the Solution Manager Diagnostics, the user management and authentication mechanisms provided with the SAP Web Application Server Java are used, too. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Solution Manager.
User Management Tools
User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver Application Server ABAP and Java, for example, tools (ABAP: SU01 and Java: UME), user types, and password policies. For an overview of how these mechanisms apply for the Solution Manager, see the sections below. In addition, we provide a list of the standard users required for operating the Solution Manager. As the mechanisms provided by the SAP NetWeaver Application Server Java only apply for Solution Manager Diagnostics, consult the corresponding guide on service.sap.com/diagnostics.
Standard Users
The table below shows the standard users that are necessary for operating the Solution Manager.
Logon User (Password) | Use | How Created | Required Roles (Authorizations)
OSS_RFC (CPIC) | Notes Assistant | |
S-User (Customer-specific) | Exchange problem messages with SAP; Retrieve information which messages have been changed at SAP | The S-user for the SAP Support Portal is requested via www.service.sap.com. | See chapter: S-User authorizations
SOLMAN<SystemID of SAP Solution Manager><CLNT> (Customer-specific) | For Read access; Scenarios: Solution Monitoring, Implementation and Distribution; Service Desk; Change Management | Transaction SMSY, automatically generated | See chapter: RFC-Connections READ, TMW, BACK
SOLTMW<SystemID of SAP Solution Manager><CLNT> (Customer-specific) | Change Request Management | Transaction SMSY, automatically generated | See chapter: RFC-Connections READ, TMW, BACK
SOLMAN<SystemID of Satellite system><_Version> (Customer-specific) | SDCCN, Service Desk Message from Satellite Systems | Transaction SMSY, automatically generated | See chapter: RFC-Connections READ, TMW, BACK
CSMREG (Customer-specific) | For data collection (to get CCMS alerts). Only required if SMSY is not used to generate RFC destinations; Business Process Monitoring; required, if CCMSPing for Service Level Reporting in scenario Solution Monitoring is used | RZ10 | See chapter: RFC-Connections READ, TMW, BACK and Background Users
OSS_RFC (CPIC) | Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL) | |
SLDAPIUSER (Customer-specific) | To send data from SAP Solution Manager to SLD | During installation | -
SAPJSF (Service User) | To read data from SLD | During installation | SAP_BC_JSF_COMMUNICATION_RO
Service User J2EE_ADMIN (Customer-specific) | Context: Application integration infrastructure (SLD): User, who is able to write on the database tables of the SAP System Landscape Directory (SLD). User who makes the RFC calls from the SLD. Context: J2EE Administration; user who has administrator rights in a connected SAP J2EE Engine. Used to attach a local UME to the central ABAP user management. | During installation | SAP_BC_AI_LANDSCAPE_DB_RFC; SAP_J2EE_ADMIN
Service User J2EE_GUEST (Customer-specific) | Users who have guest authorizations in a connected SAP J2EE Engine. | During installation | SAP_J2EE_GUEST
Integration into Single Sign-On Environments (SSO)
SAP Solution Manager uses different front ends (SAP GUI and Web browser - in this case, an HTML Control). Multiple sessions are opened on the server that require, for example, a second logon. The user uses SAP GUI to log on to a system, the application uses the SAP GUI for HTML Control to call another BSP application, and the system then prompts the user to reenter the logon data.
The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide (SAP Library) also apply to the SAP Solution Manager.
The supported mechanisms are listed below:
- Secure Network Communications (SNC): SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls. For more information, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Guide.
- SAP logon tickets: The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. In this case, users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same Browser session. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information on how to use Single Sign-On on the SAP Service Marketplace go to: service.sap.com/sso-smp.
Authorizations
Authorization Concept in General
For ABAP Systems
Authorizations can be displayed by roles (for systems with Basis >= Web Application Server 6.10) or profiles (for systems with Basis < Web Application Server 6.10) which are assigned to the respective users in the system (transaction PFCG). Roles can either be single roles or composite roles which in themselves consist of single roles.
As of basis release >= Web Application Server 6.10, an authorization is based on specific transactions and so-called authorization objects which are inherently connected to these transactions or programs. Authorization objects consist of authorization fields. A role is always assigned to one or more authorization profiles by the profile generator (transaction PFCG).
As of basis release < Web Application Server 6.10, an authorization is based on specific profiles which include objects with authorizations that can be maintained. These profiles need to be activated and can then be assigned to a user in the user administration (transaction SU01).
Roles are created and authorization objects are maintained according to the specific needs of the scenario or functionality, mostly depending on who is using which transaction in which context. For instance, in most businesses administration tasks will be processed by the system administrator, project organisation is led by a project manager, or day-to-day tasks are fulfilled by the key user etc. Hence, most roles are designed according to these business roles. Still, in some areas of usage, functionality plays a major part and roles are designed solely to fulfill the corresponding requirements, such as Solution Monitoring.
Authorizations and the authorization concept in a company are maintained and assigned by the system administrator.
For Java Systems
In general, for Java systems the Web-based User Management Engine (UME) administration console is used to maintain users, roles and authorizations in Java-based systems that use the UME for the user store. In a system landscape containing a combination of ABAP and Java components, it makes sense to integrate your user management so that you can use the same user data across different systems and can administrate this data centrally.
SAP Solution Manager Authorization Concept
This section covers general concepts regarding roles and authorizations. It refers to both background users and automatically applied profiles as well as the individual scenarios and the roles used which are relevant for SAP Solution Manager and its satellite systems.
Before starting to assign any roles to users, you are strongly advised to create a thorough authorization concept. The roles mentioned in this document are delivered by SAP as template roles with a number of default values, which you need to customize according to your individual needs. All values that are generic and individual for your company must be maintained according to your authorization concept.
The SAP Solution Manager authorization concept is based on the overall SAP authorization concept, which is relevant for all SAP systems.
As SAP Solution Manager 7.0 is based on SAP NetWeaver Application Server (Application Server ABAP and Application Server Java), we recommend that you configure the User Management Engine of the Java application to use the ABAP user management (transaction SU01) of the Application Server ABAP (see SAP Reference Implementation Guide; transaction SPRO). The UME of the Application Server Java is configured against the user management of the Application Server ABAP.
SAP role assignments appear as user-to-group assignments in the UME administration console. Therefore, you have to have set up UME groups which correspond to roles of the Application Server ABAP (PFCG roles).
In the UME administration console, you cannot assign users or groups to the groups that correspond to SAP ABAP roles. These groups are read-only in the J2EE engine, with the exception that you can assign UME roles and security roles to them.
The following figure illustrates the integration of J2EE Engine security roles, UME roles, and SAP roles.
| Object | Recommended Tool |
|---|---|
| Users | Use transaction SU01 in the ABAP system(s). |
| PFCG roles | Use the Profile Generator (transaction PFCG) in the Solution Manager system. |
| J2EE security roles and UME roles | (Only applies to Java application) Use the UME administration console to manage UME roles and the Visual Administrator of the Application Server Java to manage J2EE security roles. Both of these tools are part of Application Server Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in Application Server Java. |
RFC Connection: Trusted
To work with a heterogeneous system landscape with SAP Solution Manager as the managing platform, you need to create RFC connections between SAP Solution Manager and the various Satellite systems (component systems). The appropriate Satellite or component system needs to be made known in the SAP Solution Manager system as a so-called “Trusted System” and vice versa. In other words, the server system, the "trusting system" (SAP Solution Manager system), trusts the user administration of the client system, the "trusted system" (Satellite system). Trusted systems can log on to the so-called “Trusting System” without a password. User-specific data is controlled in the trusting system. This is called a trusting-trusted RFC connection. You generate this RFC connection in SAP Solution Manager within transaction SMSY.
Trusted RFCs need to be maintained from both sides, that is, Solution Manager to Satellite system and Satellite system to Solution Manager system.
In order to communicate successfully with each other, both SAP Solution Manager and the appropriate Satellite system need to have the same username created in their user administration (transaction SU01).
If you use SAP router between Solution Manager and satellite systems, you might have problems in some functionalities, e.g. BSP Applications, or RFCs which should open a new window (session). To solve these issues, see SAP Note 555162.
Authorization Object S_RFCACL
To be able to create the trusted RFC connection, the current user needs to have the authorization object S_RFCACL assigned in the Solution Manager and in the Satellite system. The role SAP_S_RFCACL (as of SAP NetWeaver Application Server 7.00) contains the authorization object S_RFCACL, which consists of a number of authorization fields which allow a trusting-trusted relation between SAP Solution Manager and any Satellite system. Due to the high potential risk of such an RFC connection, the authorization object S_RFCACL is not included in SAP_ALL.
In order to restrict user access, you need to maintain the field "RFC_USER" of this authorization object with the value ' '. The trusting RFC destination usually has the 'Current User' setting in SM59. For more information, see: help.sap.com/nw70.
Authorization errors in the usage of an RFC destination with a set 'Trusted Systems' indicator are documented by the following message: "No Authorization to logon as Trusted System (Trusted RC = #)". Every authorization error when using an RFC destination with a set 'Trusted Systems' indicator is designated as a RABAX (ABAP exception). This RABAX contains detailed error information. Proceed as follows to analyze the error:
1. Choose transaction ST22 and the desired selection period.
2. Choose the corresponding entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. In the paragraph 'Troubleshooting' you will find all the necessary information to correct the error.
| Return code | Return code explanation | To do |
|---|---|---|
| 0 | Invalid logon data (user and client) for the Trusting System | Create a corresponding user in the Client system for the user in the Server System (Trusting System) |
| 1 | The calling system is not a Trusted System, or the security ID for the System is invalid. | Create the Trusted RFC again. |
| 2 | The user has no authorization containing the authorization object S_RFCACL or is logged on as the protected user 'DDIC' or 'SAP*'. | Either supply the user with the corresponding authorization or do not use the protected users 'DDIC' or 'SAP*' (see profile parameter and value: login/no_automatic_user_sapstar = 0) |
| 3 | The time stamp of the logon data is invalid. | Check the system time on the client and on the server and the validity date of the logon data. The system times of both systems have to be synchronised. |
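The S_RFCACL rules above (RFC_USER maintained as ' ', and the protected users DDIC and SAP* from return code 2) can be checked against a role listing, as in this added example, which is not part of the SAP guide. The row layout (role, object, field, value), the Z_* role names and all user names are constructed assumptions, not an SAP export format.

```python
# Constructed sample data: (role, authorization object, field, value).
ROLE_VALUES = [
    ("SAP_S_RFCACL", "S_RFCACL", "RFC_USER", "' '"),
    ("Z_SOLMAN_TRUST_WIDE", "S_RFCACL", "RFC_USER", "*"),
    ("Z_SOLMAN_TRUST_NAMED", "S_RFCACL", "RFC_USER", "BATCH_ADM"),
    ("Z_SOLMAN_TRUST_UNSET", "S_RFCACL", "ACTVT", "16"),
    ("Z_PROJECT_DISPLAY", "S_TCODE", "TCD", "SOLAR01"),
]
# Constructed user-to-role assignments.
USER_ROLES = {
    "JSMITH": ["SAP_S_RFCACL", "Z_PROJECT_DISPLAY"],
    "DDIC": ["SAP_S_RFCACL"],
    "SAP*": ["Z_SOLMAN_TRUST_WIDE"],
    "MMILLER": ["Z_SOLMAN_TRUST_NAMED"],
    "KLEE": ["Z_PROJECT_DISPLAY"],
}
# Protected users named in the return code table (return code 2).
PROTECTED_USERS = {"DDIC", "SAP*"}


def is_blank(value):
    """True for the value ' ' the guide asks for, however it was quoted."""
    return value.strip().strip("'\"").strip() == ""


def rfcacl_roles(role_values):
    """Map every role that grants S_RFCACL to its RFC_USER values."""
    roles = {}
    for role, obj, field, value in role_values:
        if obj != "S_RFCACL":
            continue
        values = roles.setdefault(role, [])
        if field == "RFC_USER":
            values.append(value)
    return roles


def holders(role_values, user_roles):
    """Users who receive S_RFCACL through any role, for periodic review."""
    granting = rfcacl_roles(role_values)
    return sorted(u for u, rs in user_roles.items() if any(r in granting for r in rs))


def audit(role_values, user_roles):
    """Return (subject, finding) tuples for deviations from the guide."""
    findings = []
    granting = rfcacl_roles(role_values)
    for role in sorted(granting):
        values = granting[role]
        if not values:
            findings.append((role, "RFC_USER not maintained"))
        for value in values:
            if not is_blank(value):
                kind = "wildcard" if "*" in value else "named caller"
                findings.append((role, f"RFC_USER {kind}: {value}"))
    for user in sorted(user_roles):
        via = sorted(r for r in user_roles[user] if r in granting)
        if via and user in PROTECTED_USERS:
            findings.append((user, "protected user holds S_RFCACL via " + ", ".join(via)))
    return findings


if __name__ == "__main__":
    print("S_RFCACL holders:", ", ".join(holders(ROLE_VALUES, USER_ROLES)))
    for subject, finding in audit(ROLE_VALUES, USER_ROLES):
        print(f"{subject}: {finding}")
```
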
Now you can start to set up your system landscape with SAP Solution Manager as the central platform.
RFC Connections READ, TMW, BACK
Before you can use all mentioned scenarios, you need to set up your System Landscape in the Solution Manager, which includes:
- defining all your systems (referred to as Satellite systems),
- creating appropriate logical components,
- assigning your Satellite systems to the logical components,
- setting up your solution design.
The transfer of data between SAP Solution Manager and its Satellite systems is managed by the corresponding RFC connections:
- READ (SM_<SID>CLNT<Client>_READ): Used for transfer of data, e.g. in Customizing Distribution, Change Request Management, Service Desk, Root Cause Analysis, Monitoring. SID and Client refer to the connected satellite system.
- TMW (SM_<SID>CLNT<Client>_TMW): Used for Change Request Management, to allow remote creation of transport requests with tasks for the designated developers in the development systems. SID and Client refer to the connected satellite system.
- TRUSTED (SM_<SID>CLNT<Client>_TRUSTED): Enables e.g. customizing data transfer from the source to the target system and entering analysis transactions for System Monitoring and Business Process Monitoring (as described in chapter: RFC Connection: TRUSTED). SID and Client refer to the connected satellite system.
- BACK (SM_<SID>CLNT<Client>_BACK): Used to send SDCCN data or send messages from a satellite system to the SAP Solution Manager system; to check locked customizing objects against changes in scenario Customizing Distribution; provides integration of Change Request Management into the Service Desk. This RFC destination needs a functioning READ destination. SID and Client refer to the SAP Solution Manager system.
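The naming convention and the two dependencies stated so far (trusted RFCs maintained from both sides, BACK needing a READ destination) can be checked over an inventory of destination names, as in this added example, which is not part of the SAP guide. It assumes the satellite-side trusted destination follows the same SM_<SID>CLNT<Client>_TRUSTED pattern with the Solution Manager's SID and client; system QX1/100 and all destination lists are constructed.

```python
import re

# Naming convention from the guide: SM_<SID>CLNT<Client>_<TYPE>
DEST_RE = re.compile(r"^SM_([A-Z][A-Z0-9]{2})CLNT(\d{3})_(READ|TMW|TRUSTED|BACK)$")


def dest_name(system, kind):
    """Build the generated destination name that points at `system`."""
    sid, client = system
    return f"SM_{sid}CLNT{client}_{kind}"


def label(system):
    return f"{system[0]}/{system[1]}"


def check_landscape(solman, satellites, defined):
    """Return findings for an inventory of RFC destination names.

    solman      (SID, client) of the Solution Manager system
    satellites  list of (SID, client) tuples
    defined     {(SID, client) the destination is defined on: set of names}
    Only the presence of a destination is checked, not whether it works.
    """
    findings = []
    known = {solman, *satellites}
    on_solman = defined.get(solman, set())

    # 1. Every name must follow the convention and point at a known system;
    #    BACK lives on a satellite and names the Solution Manager.
    for system in sorted(defined):
        for name in sorted(defined[system]):
            m = DEST_RE.match(name)
            if m is None:
                findings.append(f"{label(system)}: {name} does not follow SM_<SID>CLNT<Client>_<TYPE>")
                continue
            target, kind = (m.group(1), m.group(2)), m.group(3)
            if target not in known:
                findings.append(f"{label(system)}: {name} points at unknown system {label(target)}")
            elif kind == "BACK" and (system == solman or target != solman):
                findings.append(f"{label(system)}: {name} is on the wrong side; BACK runs from satellite to Solution Manager")

    for sat in sorted(satellites):
        on_sat = defined.get(sat, set())
        # 2. Trusted RFCs must be maintained from both sides.
        to_sat = dest_name(sat, "TRUSTED") in on_solman
        to_solman = dest_name(solman, "TRUSTED") in on_sat
        if to_sat != to_solman:
            missing = dest_name(solman, "TRUSTED") if to_sat else dest_name(sat, "TRUSTED")
            where = label(sat) if to_sat else label(solman)
            findings.append(f"{label(sat)}: trusted RFC is one-sided, {missing} is missing on {where}")
        # 3. BACK needs a READ destination from the Solution Manager.
        if dest_name(solman, "BACK") in on_sat and dest_name(sat, "READ") not in on_solman:
            findings.append(f"{label(sat)}: BACK is defined but {dest_name(sat, 'READ')} is missing on {label(solman)}")
    return findings


# Constructed inventory. DT1/800 and ID3/800 are the systems named in the
# guide's example; QX1/100 and every destination list below are made up.
SOLMAN = ("DT1", "800")
SATELLITES = [("ID3", "800"), ("QX1", "100")]
DEFINED = {
    ("DT1", "800"): {"SM_ID3CLNT800_READ", "SM_ID3CLNT800_TMW",
                     "SM_ID3CLNT800_TRUSTED", "SM_QX1CLNT100_TRUSTED"},
    ("ID3", "800"): {"SM_DT1CLNT800_TRUSTED", "SM_DT1CLNT800_BACK"},
    ("QX1", "100"): {"SM_DT1CLNT800_BACK", "SOLMAN_BACK"},
}

if __name__ == "__main__":
    for finding in check_landscape(SOLMAN, SATELLITES, DEFINED):
        print(finding)
```
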
In order to create them as easily as possible, the system generates so-called automatically created background users for the appropriate RFC connection needed when you execute the RFC generation in transaction SMSY. These users are automatically assigned the according profiles to allow a smooth data transfer. In the following screenshot you can see three screen partitions:
- RFCs from the Solution Manager to the Satellite system
- RFCs from the Satellite system to the Solution Manager
- RFCs that are to be generated, including RFCs for System Monitoring: information retrieval via the RFC Destination for Data Collection and analysis via the RFC Destination for Analysis.
As you can see for the READ, TMW and BACK RFC connections, the system provides you with a user, which will automatically be created in the Satellite system as soon as you generate this RFC connection. These users are also automatically assigned the according profiles. In case you want to use an already existing user of your Satellite system, you would enter this user and specify the password or not.
In this example, DT1 CLNT 800 is the Solution Manager system and ID3 CLNT 800 is the Satellite system; users and passwords will be automatically generated by the system.
Profiles Assigned to Background System Users
| User | Role (Release >= 6.10) in Satellite system | Profile (< 6.10) in Satellite system | Purpose |
|---|---|---|---|
| SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access |
| | SAP_S_CMSREG | S_CMSREG | Central system repository data |
| | SAP_S_BDLSM_READ | S_BDLSM_READ | SDCCN data |
| | SAP_SATELLITE_E2E | S_AI_SMD_E2E | End-to-End Diagnose (Solution Manager Diagnostics) |
| | SAP_SM_S_USER_GRP | S_USER_GRP | User Group Display of all users for Licence Administration Workbench (LAW) and Business Partner |
| SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access |
| | SAP_S_CMSREG | S_CMSREG | Central system repository data |
| | SAP_S_BDLSM_READ | S_BDLSM_READ | Read SDCCN data |
| | SAP_S_TMW_CREATE | S_TMW_CREATE | For creating and releasing transport requests in development systems as well as for setting the project status switch for creating transport requests |
| | SAP_S_TMW_IMPORT | S_TMW_IMPORT | For importing transport requests into test systems (empty) |
| SOLMAN<SystemID of Satellite system><_Version> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access |
| | SAP_S_CMSREG | S_CMSREG | Central system repository data |
| | SAP_SV_FDB_NOTIF_BC_ADMIN | | Service Desk Messages |
| | SAP_SUPPDESK_CREATE | | Service Desk Message Creation |
| | SAP_S_BDLSM_READ | S_BDLSM_READ | SDCCN data ¹ |
SOLTMW<SystemID of SAP Solution Manager><CLNT>: The most important task of the background user is to create and release transport requests and tasks remotely from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape.
These profiles are more or less static. You will also find the corresponding roles (SAP_<profile name>), which you would have to assign manually to the created users. These can easily be maintained.
In case of RFC problems after generation, see SAP Note 176277: Generating RFC trace information.
¹ Requests that are created, released, or imported locally cannot be identified by Change Request Management in conjunction with a change request and are therefore not part of the Change Request Management transport control and distribution process. For this reason, we recommend that no users (apart from administrators) have authorization to create transport requests or tasks in Change Request Management-controlled clients.
Authorization Object S_RFC to Call Function Groups
For certain scenarios certain function groups are needed. In order to start RFC functions from certain function groups, users need to have the authorization object S_RFC in the trusting system (SAP Solution Manager system) as server system, which is included in the according roles for the individual scenarios (see later chapters). For instance, the "SYST" function group is needed to call a system. In case it is missing, executing the remote login in SM59 causes the "RFC_NO_AUTHORITY" ABAP runtime error in the target system.
It is also needed in the Satellite systems. Authorization object S_RFC in the Satellite system is included in the automatically generated profiles. The following table gives you an overview of the appropriate field values for the field RFC_NAME needed for authorization object S_RFC in:
- S_CUS_CMP
- S_CSMREG
- D_SOLMAN_RFC
S_RFC
| Profile | Function Group Values in Field RFC_NAME |
|---|---|
| S_CUS_CMP | See SAP Note attachment: 831535 |
| S_CSMREG | See SAP Note attachment: 831535 |
| D_SOLMAN_RFC | See SAP Note attachment: 831535 |
Authorization Roles and Profiles in the SAP Solution Manager System
Due to the system landscape of SAP Solution Manager System and Satellite Systems, it is necessary to assign users corresponding roles in the SAP Solution Manager including Diagnostics as well as in the Satellite System (so-called Managed Systems in respect to Diagnostics). As most of the mentioned scenarios include actions in the SAP Solution Manager as well as information and data exchange from/to SAP Solution Manager and its Satellite systems, we differentiate for each scenario and process between roles for the SAP Solution Manager and corresponding roles (systems with Basis >= Web Application Server 6.10) or profiles (systems with Basis < Web Application Server 6.10) in the various Satellite systems.
For details on all roles concerning Diagnostics, refer to Diagnostics Guides on the SAP Service Marketplace: service.sap.com/diagnostics Installation and Upgrade Guides.
The table below provides an overview of the roles and profiles for the SAP Solution Manager system. For the Application Server Java, the default user store is the ABAP database, thus users have to be created within transaction SU01 only.
For the according scenarios, users also have to be assigned the corresponding roles in the Satellite Systems.
Solution Manager roles (for individual examples, see APPENDIX -> Examples)
IMPLEMENTATION AND DISTRIBUTION
See IMG activity: Information and Configuration (technical name: SOLMAN_RECOMMEND) for the scenario
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Implementation and Upgrade | SAP_SOL_PM_COMP 1) | Composite role: Organizing and planning a project |
| | SAP_SOL_AC_COMP 1) | Composite role: Create Business content and the documentation of operational activities |
| | SAP_SOL_BC_COMP 1) | Composite role: Development of customer-specific programs and authorizations |
| | SAP_SOL_TC_COMP 1) | Composite role: Installing systems and providing technical support |
| | SAP_SOL_RO_COMP 1) | Composite role: Read-only authorizations for SAP Solution Manager |
| | SAP_SOL_RE_COMP 1) | Composite role: Read user according to status (document management) |
| | SAP_SOL_LEARNING_MAP_DIS | For restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1); see Basic settings in IMG. |
| | SAP_DMDDEF_DIS | For restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1) |
| Test Workbench (Workflow) (Extended Traceability package). See IMG activity: Information and Configuration (technical name: SOLMAN_TEST_WF_INFO) for the scenario | SAP_STWB_WORKFLOW_CREATE | Use Workflow |
| | SAP_STWB_WORKFLOW_ADMIN | Admin Workflow, Authority to create Business Partner |
| | SAP_STWB_WORKFLOW_DIS | Display Workflow |
| Changing of Roadmaps | SAP_RMDEF_RMAUTH_EXE | For administrator purposes: change of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP) |
| | SAP_RMDEF_RMAUTH_DIS | For display purposes: display of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP) |
| E-Learning Management | SAP_SOL_TRAINING_ALL | Single role (included in SAP_SOL* Composite roles), needed to use E-Learning Management tool. |
| | SAP_SOL_TRAINING_EDIT | Single role (included in SAP_SOL* Composite roles), needed to use E-Learning Management tool. |
| Solution Documentation Assistant 4) | SAP_SDA_ALL | Full authorization: needs to be added to according composite Implementation role (SAP_SOL_*_COMP) and Work Center role |
| | SAP_SDA_DIS | Display authorization: needs to be added to according composite Implementation role (SAP_SOL_*_COMP) and Work Center role |
GENERAL INFRASTRUCTURE
See IMG activity: Information and Configuration (technical name: SOLMAN_SYST_INFORMAT) Basic Settings -> System Landscape
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Solution Directory | SAP_SOLMAN_DIRECTORY_ADMIN | Administer Data in Solution Directory |
| | SAP_SOLMAN_DIRECTORY_EDIT | Maintain Data in Solution Directory |
| | SAP_SOLMAN_DIRECTORY_DISPLAY | Display Data in Solution Directory |
| System Landscape Maintenance (SMSY) | SAP_SMSY_ALL | Full authorization for transaction SMSY, maintenance of systems, servers, databases and logical components |
| | SAP_SMSY_DISP | Display authorization for transaction SMSY |
| Solution | SAP_SM_SOLUTION_ALL | Full authorization for solutions |
| | SAP_SM_SOLUTION_DIS | Display authorization for solutions |
SERVICE DESK
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Service Desk-Messages | SAP_SUPPDESK_ADMIN | Authorizations needed to configure the Service Desk. In addition, it contains the authorizations for the roles SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE. |
| | SAP_SUPPDESK_PROCESS | Authorizations needed for message (notification) processing, including the use of the solution database |
| | SAP_SUPPDESK_CREATE | Create support messages from the satellite systems or in the central SAP Solution Manager system. If a generic RFC user is used to create notifications in the SAP Solution Manager system (that is, the user is specified in the RFC destination in transaction SM59 in the satellite systems), the role will only need to be assigned to this generic RFC user. |
| | SAP_SUPPDESK_DISPLAY | Display user |
| Service Provider/Value Added Reseller | SAP_SUPPCF_ADMIN | Administrator authorization for creating and processing, and IMG, see: SAP Note 834534. |
| | SAP_SUPPCF_CREATE | Key user (IT-Operator) authorization to create messages, see: SAP Note 834534. |
| | SAP_SUPPCF_PROCESS | Support Employee authorization to process messages, see: SAP Note 834534. |
CHANGE MANAGEMENT
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Change Request Management -> Schedule Manager; Service Desk, cProjects | SAP_CM_CHANGE_MANAGER_COMP 1) | Approving or rejecting change requests. |
| | SAP_CM_DEVELOPER_COMP 1) | Corrections in the development system; Corrections in the maintenance and development systems |
| | SAP_CM_TESTER_COMP 1) | Testing corrections in the test system; Testing and validating corrections |
| | SAP_CM_OPERATOR_COMP 1) | Import corrections into the production system; Task lists |
| | SAP_CM_PRODUCTIONMANAGER_COMP 1) | Import corrections into the production system; Approve imports into the production systems |
| | SAP_SOCM_REQUESTER | Create change requests |
| | SAP_CM_ADMINISTRATOR_COMP 1) | Customize and check Change Request Management functions; Administrative and technical maintenance; The task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections; in particular, the Schedule Manager task lists. |
| Maintenance Optimizer; see IMG activity: Information and Configuration (technical name: SOLMAN_MAINT_OPTIMIZ) Basic Settings -> Basic BC-Sets for Configuration | SAP_MAINT_OPT_ADMIN | Full authorization for Maintenance Optimizer |
| | SAP_MAINT_OPT_DISP | Display authorization for Maintenance Optimizer |
| | SAP_MAINT_OPT_ADD | Authorization to write Stack-Delta-XML folder into the EPS Outbox of the operating system of Solution Manager (Stack-Delta-XML folder are relevant for JSPM (Java Support Package Manager) and SAPJup (SAP Java Upgrade) in Java systems) |
SOLUTION MONITORING
See IMG activity: Information and Configuration (technical name: SOLMAN_MON_INFORMATI) for the scenario
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Service Data Control Center | SAP_SDCCN_ALL | Service Data Control Center Administration, change setup |
| | SAP_SDCCN_DIS | Service Data Control Center Display only |
| | SAP_SDCCN_EXE | Maintain Service Data Control Center |
| Complete Monitoring (setup and/or operations of EWA; SLR, System Monitoring, Business Process and Interface Monitoring, Central System Administration) | SAP_SV_SOLUTION_MANAGER | Full authorization for all functionalities within transaction SOLUTION_MANAGER |
| | SAP_SV_SOLUTION_MANAGER_DISP | Display authorization for all functionalities within transaction SOLUTION_MANAGER |
| | SAP_SETUP_DSWP | Full authorization for all sessions in area operations setup |
| | SAP_OP_DSWP | Full authorization for all sessions in area operations |
| Early Watch Alert | SAP_SETUP_DSWP_EWA | Full authorization for session Early Watch Alert in area operations setup (according to BundleID) |
| | SAP_OP_DSWP_EWA | Full authorization for session EarlyWatch Alert in area operations (according to BundleID) |
| Service Level Reporting | SAP_SETUP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations setup (according to BundleID) |
| | SAP_OP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations (according to BundleID) |
| System Monitoring | SAP_SETUP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID) |
| | SAP_OP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID) |
| Business Process Monitoring | SAP_SETUP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations setup (according to BundleID) |
| | SAP_OP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations (according to BundleID) |
| Central System Administration | SAP_SETUP_DSWP_CSA | Full authorization for session Central Service Administration in area operations setup (according to BundleID) |
| | SAP_OP_DSWP_CSA | Full authorization for session Central Service Administration in area operations (according to BundleID) |
JOB SCHEDULING MANAGEMENT
See IMG activity: Information and Configuration (technical name: SOLMAN_JSCHED_INFORM) for the scenario
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Job Scheduling | SAP_SM_SCHEDULER_ADMIN | Full authorization including communication to external tool |
| | SAP_SM_SCHEDULER_EXE | Execution authorization including communication to external tool |
| | SAP_SM_SCHEDULER_DIS | Display authorization |
REPORTING
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Solution Reporting | SAP_SOL_REP_ADMIN | Authorization for reporting, maintaining system availability data, BI Reporting |
| | SAP_SOL_REP_DISP | Authorization for report execution and display only. |
| BI EWA-Reporting 2) | SAP_SM_ALEREMOTE | Authorization for background user in Solution Manager Client, according to profile S_BI-WX_RFC (see SAP Note 150315) |
| | SAP_BW_SOLUTION_MANAGER | Authorization for transaction RRMX |
| IT Performance Reporting 5) | Via Work Center System Monitoring | See Work Center role and authorization mapping for Work Center System Monitoring |
SERVICE CONNECTION and SOLUTION TRANSFER
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Service Connection | SAP_SERVICE_CONNECT | Authorizations for Service Connection |
| Solution Transfer | SAP_SOLUTION_TRANSFER | Authorization to transfer a solution from one SAP Solution Manager system to another SAP Solution Manager system. |
DIAGNOSTICS
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Root Cause Analyses | SAP_SOLMANDIAG_SAPSUPPORT | Contains the required authorizations for using the Diagnostics for user SAPSUPPORT, see also SAP Note 828533 |
| | SAP_SOLMANDIAG_E2E | RFC Calls for Diagnostics (according profile S_SMDIAG_E2E) |
| | SAP_SMDIAG_WIZARD | Authorization for using the Diagnostics Wizard to transfer data from Solution Manager to Diagnostics |
| | SAP_SMDIAG_TEMPLATE | Authorization to edit templates for Diagnostics |
| | SAP_BI_E2E | SMD and E2E Diagnostics for BI Reporting via Diagnostics according profile S_SMDIAG_BI 4), assigned to Diagnostics user SAPSUPPORT |
THIRD PARTY PRODUCTS
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| SAP Quality Center by HP. See IMG activity: Information and Configuration (technical name: SOLMAN_QC_INFORMATIO) for the scenario | SAP_QC_BY_HP_ADMIN | Full authorization to configure, send and receive data to/from Quality Center; needs to be assigned additionally with respective role for Implementation and Distribution scenario, e.g. SAP_SOL_PM_COMP |
| | SAP_QC_BY_HP_EXE | Authorization to work on the QC tab in SOLAR01/02; needs to be assigned additionally with respective role for Implementation and Distribution scenario, e.g. SAP_SOL_AC_COMP etc. |
| | SAP_QC_BY_HP_DISP | Display Authorization; needs to be assigned additionally with respective role for Implementation and Distribution scenario, e.g. SAP_SOL_RO_COMP |
| | SAP_QC_INTERFACE | Authorization for background communication user |
| Service Desk Interface | SAP_SUPPDESK_INTERFACE | Authorization for bidirectional interface and configuration; needs to be assigned additionally with respective roles for Service Desk scenario, e.g. SAP_SUPPDESK_ADMIN |
| SAP CPS (Redwood). See IMG activity: Information and Configuration (technical name: SOLMAN_REDWOOD_INFOR) for the scenario | SAP_SM_REDWOOD_COMMUNICATION | Redwood Users (Communication User) in RFC Destination to Solution Manager |
| BMC AppSight for SAP Client Diagnostics 4) | SAP_APPSIGHT_INTERFACE | Authorization for background communication user |
CONTINUOUS IMPROVEMENT
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Issue Management. See IMG activity: Information and Configuration (technical name: SOLMAN_ISSUE_INFORMA) for the scenario | SAP_ISSUE_MANAGEMENT_ALL 4) | Full authorization for Issue Management |
| | SAP_ISSUE_MANAGEMENT_EXE 4) | Operations Authorization for Issue Management |
| | SAP_ISSUE_MANAGEMENT_DIS 4) | Display Authorization for Issue Management |
SERVICE DELIVERY
| Scenario/Functionality | Role | Purpose |
|---|---|---|
| Onsite and Remote Service Delivery | SAP_SOLMAN_ONSITE_COMP, SAP_SOLMAN_ONSITE_ALL_COMP | SAP provides two main users for Onsite Service Delivery and Remote Service Delivery, see SAP Notes: 834534 and 872800 |
The following table shows which task list authorizations are assigned to the Schedule Manager roles that are included in the Change Request Management composite roles:
| | Developer | Tester | Prod. Manager | Operator | Administrator |
|---|---|---|---|---|---|
| Display | X | X | X | X | X |
| Create | X | --- | --- | --- | X |
| Change | --- | --- | --- | --- | X |
| Delete | --- | --- | --- | --- | X |
| Run | X | X | X | X | X |
| Change status | X | X | X | X | X |
1) Composite roles with naming convention _COMP consist of a number of single roles, which you may also use individually.
2) In the BI Client (system) the following profiles are required:
- Administrator (IMG): Profile S_RS_ALL (according role SAP_S_RS_ALL)
- Background user ALEREMOTE: Profile S_BI-WHM_RFC (according role SAP_BI_ALEREMOTE)
3) To maintain actions, you need the additional role SAP_PPF_CONFIGURATOR
4) New as of SP16
For security information on passwords, see SAP Note 862989. New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
5) In the BI Client (system) the following roles are required:
- for setup: SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP
- to view the reports: SAP_BW_CCMS_REPORTING
For more information:
- SAP Solution Manager Roles: SAP Note 834534 (SAP Solution Manager Roles)
- Role Maintenance: online documentation: Choose Help Application Help Solution Manager Projects Project Preparation Roles in Solution Manager
- Change Request Management Roles: Online documentation (in SAP Solution Manager system): Help Application Help SAP Solution Manager Change Request Management Roles in Change Request Management
Authorization Roles and Profiles in the Satellite Systems
You need to create users in the satellite systems to enable SAP Solution Manager users to access and configure these systems and perform test activities. Users are created in a satellite system using the User Maintenance tool (transaction code SU01) in that system. In each satellite system, you need to assign authorizations to users for IMG and the Customizing configuration transactions as well as the application transactions to be configured.
For details on all roles concerning Diagnostics, refer to Diagnostics on the SAP Service Marketplace: service.sap.com/diagnostics Installation and Upgrade Guides. For SAP R/3 Releases lower than SAP Web Application Server 6.10, the profiles listed in the table are available, but not the roles. Therefore, you have to explicitly assign the authorization profiles to the relevant users.
The table below provides an overview of the roles and profiles for Satellite systems:
CHANGE MANAGEMENT
| Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose |
|---|---|---|---|
| Change Request Management | SAP_CHANGEMAN_DEVELOPER | S_TMW_DEVELO | Authorizations for developers; this profile contains CTS authorizations for developers: No authorization to create transport requests, and no authorization to release transport requests, but to create and release tasks. |
| | SAP_CHANGEMAN_OPERATOR | S_TMW_OPERA | Authorizations for operators; this profile contains CTS authorizations for operators: All transport authorizations; no configuration authorizations |
| | SAP_CHANGEMAN_ADMIN | S_TMW_ADMIN | Authorizations for administrators; this profile contains CTS authorizations for administrators: All authorizations in the CTS (including configuration) |
SERVICE DATA CONTROL CENTER
| Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose |
|---|---|---|---|
| Service Data Control Center | For Basis WebAs >= 610: SAP_SDCCN_ALL | For Basis 4*: S_SDCCN_ALL | Service Data Control Center Administration, change setup |
| | For Basis WebAs >= 610: SAP_SDCCN_EXE | For Basis 4*: S_SDCCN_EXE | Maintain Service Data Control Center |
| | For Basis WebAs >= 610: SAP_SDCCN_DIS | For Basis 4*: S_SDCCN_DIS | Service Data Control Center Display only |
SOLUTION MONITORING
| Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose |
|---|---|---|---|
| System Monitoring and/or Central System Administration | SAP_BC_BASIS_ADMIN | | Contains main transactions for Basis Administration |
IMPLEMENTATION AND DISTRIBUTION
| Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose |
|---|---|---|---|
| Customizing Distribution and Comparison | SAP_BC_CUS_ADMIN | | Administration of Customizing projects; in addition: Authorization object S_RFC is missing and needs to be maintained (transaction PFCG). Values: ACTI: 16; RFC_NAME: S_SOLAR_RFC_00; RFC_TYPE: FUGR |
| | SAP_BC_CUS_CUSTOMIZER | | Changing customizing settings; see SAP_BC_CUS_ADMIN |
| | | S_CUS_CMP | See also Online Documentation: SAP Solution Manager -> Projects -> Customizing Distribution and Comparison system settings |
| Customizing Scout and System Landscape | SAP_SOLAR_SATELITE_SCOUT | | Customizing Scout |
| | SAP_SOLAR_SATELITE_SMSY | | System Landscape |
| CATT | SAP_BC_CAT_TESTER | | Testing with CATT |
| | SAP_BC_CAT_TESTORGANIZER | | Test organization with CATT |
| eCatt | | | See SAP Note 519858 |
| Test Workbench | SAP_TWB_TESTER | | Testing with test workbench |
| | SAP_TWB_COORDINATOR | | Coordination with test workbench |
| | SAP_TWB_ADMINISTRATOR | | Administration with test workbench |
| BC Sets | SAP_BCS_ACTIV | | Activation BC Sets; see SAP Note 505603 |
| | SAP_BCS_CREAT | | Creating BC Sets |
| | SAP_BCS_ADMIN | | Administration of BC Sets |
DIAGNOSTICS
| Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose |
|---|---|---|---|
| Root Cause Analyses | SAP_JAVA_SUPPORT | | Authorization for Diagnostics. All users of Diagnostics have to be assigned this role |
| | SAP_JAVA_NWADMIN_CENTRAL_READONLY | | All users of Diagnostics have to be assigned this role |
| | SAP_SLD_GUEST | | For read-only access to the SLD application, the user must belong to the group having the LcrUser J2EE server role (e.g. a group named SAP_SLD_GUEST). |
| | SAP_XI_DISPLAY_USER | | Only for XI systems |
| | SAP_XI_MONITOR | | Only for XI systems |
| | SAP_SATELLITE_E2E_DISP | | Display Diagnostics transactions ST-PI |
Roles and Profiles are customizing entries. If profiles are delivered with new or changed authorizations, they have to be transported to your productive client.
Import Authorization Checks
Change Request Management uses the import functions of the Transport Management System (TMS). The TMS remote infrastructure is based on RFC connections that point solely to the 000 client of a target system. For this reason, you must make sure that Operators and Administrators have users both in the client into which changes are imported, and in the 000 client of these systems.
Automatic Imports
In test systems, it is sometimes necessary that imports are performed automatically. If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since S_TMW_IMPORT is delivered empty, you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are also contained in the authorization object S_CTS_ADMI.
It is now possible to start an import into this system from every satellite system within your domain by using the CPIC user TMSADM; therefore, do not use this method in production systems or in any other security-critical systems.
The system where you want to start the import automatically must share the same transport directory as its preceding system. If the transport directories were different, the user who starts the import would need “addtobuffer” authorizations for the buffer adjustment, which would present a security risk not only for the system concerned, but also for the whole landscape (including the production system).
Regarding Change Request Management, the following table shows which transport methods are assigned to the background users in the target client and in client 000. In addition, the table indicates which roles are required for real users when using trusted RFC destinations:
(*) If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL which are contained in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system.
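The import rules above can be checked against a landscape inventory. The following Python sketch is an added example, not part of the SAP guide: the record layout, the system IDs, the tier labels, the transport directory paths and the user OPERATOR1 are constructed assumptions, and only TMSADM, client 000 and S_TMW_IMPORT come from the text.

```python
"""Audit sketch for the Change Request Management import rules described above.
Added illustration: SIDs, tiers, paths and user names are constructed samples."""
from dataclasses import dataclass
from typing import Optional

AUTO_IMPORT_PROFILE = "S_TMW_IMPORT"   # profile named in the guide
TMS_USER = "TMSADM"                    # CPIC user named in the guide
TMS_CLIENT = "000"                     # TMS RFC connections point to client 000


@dataclass(frozen=True)
class System:
    sid: str
    tier: str                          # assumed labels: development / test / production
    import_client: str                 # client into which changes are imported
    transport_dir: str
    predecessor: Optional[str] = None  # SID of the preceding system in the route


@dataclass(frozen=True)
class UserRecord:
    sid: str
    client: str
    user: str
    profiles: frozenset = frozenset()


# Constructed sample inventory.
SYSTEMS = [
    System("DEV", "development", "100", "/usr/sap/trans"),
    System("QAS", "test", "200", "/usr/sap/trans", predecessor="DEV"),
    System("PRD", "production", "300", "/usr/sap/trans_prd", predecessor="QAS"),
]
USERS = [
    UserRecord("QAS", "000", "TMSADM", frozenset({AUTO_IMPORT_PROFILE})),
    UserRecord("PRD", "000", "TMSADM", frozenset({AUTO_IMPORT_PROFILE})),
    UserRecord("QAS", "200", "OPERATOR1"),
    UserRecord("QAS", "000", "OPERATOR1"),
    UserRecord("PRD", "300", "OPERATOR1"),   # no user in PRD client 000
]
OPERATORS = {"QAS": ["OPERATOR1"], "PRD": ["OPERATOR1"]}


def operator_findings(systems, users, operators):
    """Operators need a user in the import client and in client 000."""
    present = {(u.sid, u.client, u.user) for u in users}
    findings = []
    for system in systems:
        for operator in operators.get(system.sid, []):
            for client in sorted({system.import_client, TMS_CLIENT}):
                if (system.sid, client, operator) not in present:
                    findings.append(("MISSING_USER", system.sid,
                                     f"{operator} has no user in client {client}"))
    return findings


def auto_import_findings(systems, users):
    """S_TMW_IMPORT on TMSADM is only acceptable on test systems that share
    the transport directory of their preceding system."""
    by_sid = {s.sid: s for s in systems}
    findings = []
    for record in users:
        if (record.user != TMS_USER or record.client != TMS_CLIENT
                or AUTO_IMPORT_PROFILE not in record.profiles):
            continue
        system = by_sid.get(record.sid)
        if system is None:
            continue
        if system.tier != "test":
            findings.append(("AUTO_IMPORT_NOT_TEST", system.sid,
                             f"{TMS_USER} holds {AUTO_IMPORT_PROFILE} on a {system.tier} system"))
        previous = by_sid.get(system.predecessor)
        if previous is not None and previous.transport_dir != system.transport_dir:
            findings.append(("TRANSPORT_DIR_MISMATCH", system.sid,
                             f"transport directory differs from {previous.sid}"))
    return findings


def audit(systems, users, operators):
    return operator_findings(systems, users, operators) + auto_import_findings(systems, users)


if __name__ == "__main__":
    for finding in audit(SYSTEMS, USERS, OPERATORS):
        print(finding)
```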
For more information:
Role Maintenance Online documentation (in the SAP Solution Manager system): Choose Help Application Help Solution Manager Projects Project Preparation Roles in Solution Manager
Change Request Management Roles Online documentation (in SAP Solution Manager system): Help Application Help SAP Solution Manager Change Request Management Roles in Change Request Management
Authorizations for Customizing Online documentation for IMG (transaction SPRO) -> chapter Create Solution Manager Configuration User.
Authorizations for Customizing Distribution Online documentation (in the SAP Solution Manager) (transaction SCDT_SETUP) -> Help Application Help Customizing Distribution Customizing Distribution System Settings
Work Center Roles in the Solution Manager System
As of Solution Manager 7.0 SP15 a number of Work Center roles are delivered. Work Center roles (naming convention: SAP_SMWORK_<Work Center name>) are based on the authorization roles approach (transaction PFCG). Still, in contrast to authorization roles which contain a number of authorization objects, Work Center roles do not contain any active authorization objects, but only menu entries. The menu entries consist of a two-folder hierarchy. They display the menu hierarchy/entries in the NetWeaver Business Client (NWBC). The first level always consists of the homepage WebDynpro Application of the according Work Center (e.g. Incident Management). The second level consists of several related links, such as Service Marketplace etc. Work Center roles are always single roles. They need to be assigned to the user in ADDITION to the authorization roles for the individual scenarios (e.g. SAP_SUPPDESK_* and SAP_SUPPCF_*) and single role SAP_SMWORK_BASIC. Work Center roles do not contain authorizations, therefore it is not necessary to generate an authorization profile. If a user is to be assigned more than one Work Center, the single roles can be combined to composite roles according to your needs. In this case, the merge of menu entries is not necessary and should not be done.
Each end user who works with Work Centers needs to be assigned role SAP_SMWORK_BASIC. This role provides all the necessary authorizations for the Work Centers themselves, such as authorization for POWL (table control) and navigation. It needs to be fully maintained, including profile generation and user comparison.
The following table provides an overview and mapping of the Work Center roles and standard Solution Manager roles.
INCIDENT MANAGEMENT
Work Center Role: SAP_SMWORK_INCIDENT_MAN
View Link Mapping of Authorization Roles
Overview, Messages, Search SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
Reports SAP_SM_SOLUTION_* (in case of solution-dependent reporting), SAP_SOL_REP_*
Common Tasks
New message SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
Search for SAP Note URL - no authorization check
Transaction Monitori SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
CHANGE MANAGEMENT
Work Center Role: SAP_SMWORK_CHANGE_MAN
View Link Mapping of Authorization Roles
Overview SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP
Change Request SAP_CM_*_COMP
Hot News SAP_SM_SOLUTION_*
Maintenance Optimizer SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*
Test Management SAP_SOL_*_COMP (acc. to function, e.g. Tester or Testorganizer)
Reports SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Common tasks
New Change Request SAP_CM_*_COMP
New Maintenance Transaction SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*
IMPLEMENTATION AND UPGRADE
Work Center Role: SAP_SMWORK_IMPL
View Link Mapping of Authorization Roles
Overview Project Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)
Access Business Map, Download Solution Composer, Access SAP Best Practices URL - Service Marketplace: no authorization check
Evaluate
Access Business Process Repository WebDynpro BPR - no authorization check
Access projects Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)
Access Solution Directory SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
Projects Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)
Roadmap Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Roadmap); Changing of Roadmaps SAP_RMDEF_RMAUTH_*
Plan
Business Blueprint Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Business Blueprint)
Configuration Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Business Blueprint)
E-Learning Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (E-Learning)
Customizing Distribution Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Customizing Distribution)
Build
BC-Sets No authorization check
Test - E-Learning Management SAP_SOL_TRAINING_* - General Infrastructure: Cutover to Test (transaction SOLMAN_DIRECTORY "Solution Directory") SAP_SOLMAN_DIRECTORY_*
Go to Solution Directory SAP_SOLMAN_DIRECTORY_*
Going Live Check URL - no authorization check
Going Live Preparation
SAP EarlyWatch Alert SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA
Reports Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP
Common Tasks Roadmap Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Roadmap); Changing (Define and Maintain) of Roadmaps SAP_RMDEF_RMAUTH_*
System Landscape SAP_SMSY_*
Project Administration Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (Project Administration)
Related Links
Learning Maps Implementation and Upgrade (according to Business role, e.g. Project Manager or Technical Consultant etc.) SAP_SOL_*_COMP (E-Learning)
JOB MANAGEMENT
Work Center Role: SAP_SMWORK_JOB_MAN
View Link Mapping of Authorization Roles
Overview SAP_SM_SCHEDULER_ADMIN_*
Job Monitoring SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*
Job Documentation, Job Scheduling, Reporting, Common Tasks SAP_SM_SCHEDULER_ADMIN_*
Related Links SAP Central Process Scheduling by Redwood URL - no authorization check
SERVICE DELIVERY
Work Center Role: SAP_SMWORK_SERVICE_DEV
View Link Mapping of Authorization Roles
Overview SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*, SAP_ISSUE_MANAGEMENT_*
SAP Delivered Services, Self Delivered Services SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*
Issue and Top Issues, Tasks SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
Reports SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Common Tasks
Create Issue, Create Top Issue SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
Display Business Process SAP_OP_DSWP_BPM (correct maintenance needed for display) / SAP_SM_SOLUTION_DIS
Data Transfer Configuration No authorization check
Related Links Solution Manager Operations SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)
SETUP
Work Center Role: SAP_SMWORK_SETUP
View Link Mapping of Authorization Roles
Overview Selfdiagnosis SAP_SM_SOLUTION_*
Solutions (create) SAP_SM_SOLUTION_*
Service Connection SAP_SERVICE_CONNECT
Solution Transfer SAP_SOLUTION_TRANSFER
Solution
Operations Setup (EWA) SAP_SETUP_DSWP_EWA / SAP_SM_SOLUTION_*
Export and Import SAP_SOLAR_MIGRATION
Project
General project related tasks SAP_SOL_*_COMP
Systems setup SAP_SMSY_*
Systems Maintenance SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
Systems
RFC-Destinations Template role for authorizations for SM59 is not delivered with ST, role must be created individually.
Users Template roles for authorizations for SU01, PFCG, SU10 or SUIM are not delivered with ST, roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization)
Specific Setup System Administration SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_CSA
Service Level Reporting SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
System Monitoring SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
EarlyWatch Alert SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
Connectivity Monitoring Transaction: SOLUTION_MANAGER (no authorization check)
IT-Performance Reporting SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
Landscape Maintenance SAP_SMSY_*
RFC Connection Error Transaction: SOLUTION_MANAGER (no authorization check)
Common Tasks
Implementation Guide (SPRO) Profile SAP_ALL
Implementation Guide (SPRO) Profile SAP_ALL
Solution-Manager-Migration SAP_SOLAR_MIGRATION
Related Links
General Task related to system configuration of Solution Manager (IMG) Profile SAP_ALL
SYSTEM ADMINISTRATION
Work Center Role: SAP_SMWORK_SYS_ADMIN
View Link Mapping of Authorization Roles
Overview System (General Infrastructure) SAP_SMSY_*
User Management Template roles for authorizations for SU01, PFCG, SU10 or SUIM are not delivered with ST, roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization)
Administration Tools Template roles for nonspecific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities
CSA SAP_SETUP_DSWP_CSA / SAP_SM_SOLUTION_*
Setup
Solutions (General Infrastructure) SAP_SM_SOLUTION_*
DBA Cockpit SAP_BC_DB_ADMIN
Landscape Printing Assistant Template role for authorizations for transaction PAL is not delivered with ST, role must be created individually.
Solution Manager Diagnostics URL - no authorization check
Related Links
Issue Management SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
SYSTEM MONITORING
Work Center Role: SAP_SMWORK_SYS_MON
View Link Mapping of Authorization Roles
Overview Systems/ solutions SAP_SMSY_* / SAP_SM_SOLUTION_*
Alert Inbox System alerts SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
System / solutions SAP_SMSY_* / SAP_SM_SOLUTION_*
Proactive Monitoring
Template roles for nonspecific Solution Manager transactions (functionalities) can be found in the according documentation for these functionalities
Connectivity Monitoring
RFC Destinations SAP_SMSY_* / Template role for authorizations for SM59 is not delivered with ST, role must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization)
Job Monitoring Job Scheduling SAP_SM_SCHEDULER_*
Tab systems: EWA Reporting SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_*
Tab systems: IT-Performance Reporting SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
Tab solutions: Service Level Reporting SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*
Reporting
Tab solutions: Availability Reporting SAP_SOL_REP_* / SAP_SM_SOLUTION_*
System Monitoring SAP_SETUP_DSWP_* / SAP_SM_SOLUTION_*
Service Level Reporting SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
EarlyWatch Alert SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
Connectivity Monitoring Transaction: SOLUTION_MANAGER (no authorization check)
IT-Performance Reporting SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
Setup
Solutions SAP_SM_SOLUTION_*
Self Diagnosis SAP_SM_SOLUTION_*
Solution Manager Diagnostics URL - no authorization check
Related Links
Wily Introscope URL - no authorization check
SYSTEM LANDSCAPE MANAGEMENT
Work Center Role: SAP_SMWORK_ LANDSCAPE MANAGEMENT
View Link Mapping of Authorization Roles
Overview
Downtime Management
Transport Management
System Installation
Setup
System / solution SAP_SMSY_* / SAP_SM_SOLUTION_*
Common Tasks Create solution SAP_SM_SOLUTION_*
System Landscape Solution Manager SAP_SMSY_*
Related Links
Service Connection SAP_SERVICE_CONNECT
BUSINESS PROCESS AND INTERFACE MONITORING
Work Center Role: SAP_SMWORK_BPM
View Link Mapping of Authorization Roles
Overview Operation Business Process Monitoring SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
Business Process
Operation Business Process Monitoring/Service Desk Message SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*; SAP_SUPPDESK_* / SAP_SUPPCF_* (in case of Service Provider)
Alert Detail SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
Alert Inbox
Reports
Solution Directory SAP_SOLMAN_DIRECTORY_*, SAP_SM_SOLUTION_*
Common Tasks
Setup Business Process Monitoring SAP_SETUP_DSWP_BPM / SAP_SM_SOLUTION_*
Related Links Solution Manager Operation - transaction SOLUTION_MANAGER SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)
ROOT CAUSE ANALYSIS
Work Center Role: SAP_SMWORK_DIAG
View Link Mapping of Authorization Roles
Overview Configuration
Configuration No authorization check
SAP Diagnostics
Related Links
SAP Diagnostics Setup URL - no authorization check
Solution Documentation Assistant
Work Center Role: SAP_SMWORK_SDA
View Link Mapping of Authorization Roles
Overview all SAP_SDA_* ; SAP_SOL_*_COMP
Analysis Projects all SAP_SDA_* ; SAP_SOL_*_COMP
Analyses all SAP_SDA_* ; SAP_SOL_*_COMP
Related Links all SAP_SDA_* ; SAP_SOL_*_COMP
Related Links all SAP_SDA_* ; SAP_SOL_*_COMP
For detailed information on menu entries, see SAP Note 834534
EXAMPLE: System Administrator
The role described underneath is delivered with Stack 15 as an example role. If you use this role, please copy it, maintain all authorization roles and execute the user comparison.
You want your System Administrator to use the Work Centers of Solution Manager. Your System Administrator should maintain your System Landscape and should take care of the smooth running of all its systems. Therefore, he/she uses the following Work Centers:
- System Landscape Management (Work Center role: SAP_SMWORK_LANDSCAPE_MAN)
- System Monitoring (Work Center role: SAP_SMWORK_SYS_MON)
- System Administration (Work Center role: SAP_SMWORK_SYS_ADMIN)
According to the Mapping Table above, the Work Center roles for these three Work Centers need to be granted. In addition, the appropriate authorization roles with full authorization are needed:
- Authorizations for Work Centers: SAP_SMWORK_BASIC
- System Landscape Maintenance: SAP_SMSY_ALL
- Solutions: SAP_SM_SOLUTION_ALL
- Setup System Monitoring: SAP_SETUP_DSWP_SM
- Setup System Administration: SAP_SETUP_DSWP_CSA
- Operations System Monitoring: SAP_OP_DSWP_SM
- Operations System Administration: SAP_OP_DSWP_CSA
- Service Connection: SAP_SERVICE_CONNECT
Roles for transactions that are not delivered with Solution Manager (ST) are not included, nor are roles for Issue Management, Job Scheduling and Availability Reporting.
All roles were then included in a composite role for the System Administrator, SAP_SMWORK_ADMINISTRATOR_COMP, and user comparison was executed.
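Because Work Center roles carry only menu entries, a user who holds one without SAP_SMWORK_BASIC or the mapped authorization roles is misconfigured, and the mapping tables also name full-authorization fallbacks worth flagging. The following Python check is an added example, not SAP-delivered code: the CSV layout, the user names and the reduced mapping (three Work Centers from the example above, one matching role required per pattern) are assumptions.

```python
"""Check Work Center role assignments against the rules in this guide.
Added illustration: CSV layout, user names and reduced mapping are assumptions."""
import csv
import io
from fnmatch import fnmatchcase

BASIC_ROLE = "SAP_SMWORK_BASIC"
WORK_CENTER_PREFIX = "SAP_SMWORK_"

# Reduced mapping taken from the Work Center tables for the three Work Centers
# of the System Administrator example. Assumption: a user needs at least one
# assigned role matching every pattern listed for a Work Center.
REQUIRED_PATTERNS = {
    "SAP_SMWORK_LANDSCAPE_MAN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_SERVICE_CONNECT"],
    "SAP_SMWORK_SYS_MON": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_OP_DSWP_SM",
                           "SAP_SETUP_DSWP_*"],
    "SAP_SMWORK_SYS_ADMIN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_SETUP_DSWP_CSA"],
}

# Entries the mapping tables mark as full authorization (SAP_ALL is a profile;
# it only shows up if the export also lists profiles, which is assumed here).
BROAD_ENTRIES = {"SAP_BC_USER_ADMIN", "SAP_ALL"}

# Constructed sample export: one "user,role" pair per line.
SAMPLE_EXPORT = """user,role
ADMIN1,SAP_SMWORK_BASIC
ADMIN1,SAP_SMWORK_LANDSCAPE_MAN
ADMIN1,SAP_SMWORK_SYS_MON
ADMIN1,SAP_SMWORK_SYS_ADMIN
ADMIN1,SAP_SMSY_ALL
ADMIN1,SAP_SM_SOLUTION_ALL
ADMIN1,SAP_SETUP_DSWP_SM
ADMIN1,SAP_SETUP_DSWP_CSA
ADMIN1,SAP_OP_DSWP_SM
ADMIN1,SAP_OP_DSWP_CSA
ADMIN1,SAP_SERVICE_CONNECT
MONITOR2,SAP_SMWORK_SYS_MON
MONITOR2,SAP_SM_SOLUTION_ALL
MONITOR2,SAP_BC_USER_ADMIN
CHANGE3,SAP_SMWORK_BASIC
CHANGE3,SAP_SMWORK_CHANGE_MAN
"""


def parse_assignments(text):
    """Return {user: set(roles)} from the CSV export."""
    assignments = {}
    for row in csv.DictReader(io.StringIO(text)):
        user, role = row["user"].strip().upper(), row["role"].strip().upper()
        if user and role:
            assignments.setdefault(user, set()).add(role)
    return assignments


def is_work_center_role(role):
    """Single Work Center roles; SAP_SMWORK_BASIC and composites are excluded."""
    return (role.startswith(WORK_CENTER_PREFIX) and role != BASIC_ROLE
            and not role.endswith("_COMP"))


def check_user(roles):
    """Return findings as (code, work_center, role_or_pattern) tuples."""
    findings = []
    work_centers = sorted(r for r in roles if is_work_center_role(r))
    auth_roles = [r for r in roles if not r.startswith(WORK_CENTER_PREFIX)]
    if work_centers and BASIC_ROLE not in roles:
        findings.append(("MISSING_BASIC", "", BASIC_ROLE))
    for work_center in work_centers:
        patterns = REQUIRED_PATTERNS.get(work_center)
        if patterns is None:
            # Not in the reduced mapping: needs manual review against the table.
            findings.append(("UNMAPPED_WORK_CENTER", work_center, ""))
            continue
        for pattern in patterns:
            if not any(fnmatchcase(r, pattern) for r in auth_roles):
                findings.append(("MISSING_AUTH_ROLE", work_center, pattern))
    for entry in sorted(roles & BROAD_ENTRIES):
        findings.append(("BROAD_AUTHORIZATION", "", entry))
    return findings


def audit(text):
    return {user: check_user(roles)
            for user, roles in sorted(parse_assignments(text).items())}


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_EXPORT).items():
        print(user, findings or "OK")
```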
SLD (System Landscape Directory) Security Roles
If you have attached the System Landscape Directory, you need to generate roles for set SLD users for the communication of ABAP and Java:
SLD User Role Purpose
SLDAPIUSER No role required To send data from SAP Solution Manager to SLD
SAPJSF (Service User) SAP_BC_JSF_COMMUNICATION_RO To read data from SLD
SAP_BC_AI_LANDSCAPE_DB_RFC Context: Application integration infrastructure. This role enables write access to the database tables of the SAP System Landscape Directory (SLD). The role has to be assigned to the user who makes the RFC calls from the SLD.
J2EE_ADMIN (Service User) SAP_J2EE_ADMIN Role that is assigned to the users that are to have administrator rights in a connected SAP J2EE Engine. Used to attach a local UME to the central ABAP user management.
J2EE_GUEST (Service User) SAP_J2EE_GUEST Role that is assigned to the users that are to have guest authorizations in a connected SAP J2EE Engine.
SLM (Software Lifecycle Manager) Security Roles
The security roles in the SLM are analogous to the security roles in the SLD. For detailed information see: help.sap.com/nw70 -> Functional View -> Solution Life Cycle Management -> Software Life Cycle Management.
S-User Authorization
The S-user is used for accessing SAP internal systems via special RFC destinations like SAP-OSS and SAP-OSS-LIST-O01 (see chapter Communication Destinations). Background jobs (see chapter Background Jobs) control the access via RFC destinations and the data communication. S-users (that have the correct authorizations) are needed to open the gate and trigger dedicated functions at SAP side.
For several use cases it is necessary to assign a SAP Support Portal contact to SAP Solution Manager system users who will communicate with SAP Support Portal via RFC-Destination SAP-OSS. The contact you maintain corresponds to the S-user in SAP Support Portal without 'S'. See: IMG (transaction SPRO) activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM).
For the customer specific RFC-Connection (scenario: Service Provider) no authorization for the assigned S-User is necessary.
In the SAP Support Portal, your S-user needs to have the following authorizations for the individual functionalities:
Service Desk and Expert-on-Demand
Create message ANLEG: Create SAP message
Create and send messages GOSAP: Send to SAP
Confirm messages QUITT: Confirm SAP message
Display/change Secure Area PWDISP Display Secure Area
PWCHGE Change Secure Area
Value Added Reseller: Download Data from SAP
Administration Authorization ADMIN
Maintain all Logon Data Value GLOBAL
Maintain User Data USER
Maintain System Data INSTPROD
Value Added Reseller: Customer
Maintain System Data INSTPROD
Service Desk and Expert-on-Demand
Create message ANLEG: Create SAP message
Send messages GOSAP: Send to SAP
WAUFN: Reopen SAP message
Confirm messages QUITT: Confirm SAP message
Display/change Secure Area PWDISP Display Secure Area
PWCHGE Change Secure Area
Service Connection
Open Service Connections SVER Open Service Connection
Setup/migrate a Service Connection SVER Open Service Connection
INSTPROD Maintain System Data
SAP HotNews
SAP notes search NOTES: Search for notes
Backgroundjobs
As soon as a Solution is created within the Solution Manager system the backgroundjob SM:SCHEDULER with program RDSWPJOBSCHEDULER is automatically started. This program executes all programs which are marked as active in table DSWPJOB. You should not alter configurations in this table. See as well SAP Note 894279.
The following table provides an overview over all backgroundjobs, whether they are included in DSWPJOB and which RFC connection is used:
Backgroundjob/ program, report Use RFC Connection used (see as well chapter Communication Destinations)
SERVICE DELIVERY
SM:GET CSN COMPONENTS/DSWP_GET_CSN_COMPONENTS
Transfer CSN Components to Solution Manager (DSWPJOB)
SAPOSS
SM:SYNC SOLMAN INFO/RDSMOPSERVICEINFOS
Self-Service: Components used by customers (DSWPJOB)
SAPOSS
SM:TOP ISSUE TRANSFER/RDSWPCI_TOPISSUE_TRANSFER
This transfers the top issues that you have exchanged with SAP once a week. (DSWPJOB)
SAP-OSS
SM:SURVEY TRANSFER/RDSWPCI_SURVEY_TRANSFER
This transfers the questionnaires for customer satisfaction with the service session and issue processing to SAP. (DSWPJOB)
SAP-OSS
SM:SEND_SOLUTIONS_TO_SAP/RDSMOPCOLLECTSOLUTIONDATA
This report sends the data of the respectively configured solutions to SAP (DSWPJOB)
SAP-OSS
SM_SYNC_SAP SESSIONS/RDSWPCISERVICEPLAN; RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4; RDSWPBACKGROUNDSERVICES_3;
Get Serviceplan from SAP (DSWPJOB -> RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4 and RDSWPBACKGROUNDSERVICES_3 non-active) The session scheduling in the serviceplan is updated daily by SAP. This report is necessary to receive service plans from SAP
SAP-OSS
SM:FILL ISSUE BUFFER TABLE/DSWP_CI_ISSUE_BUFFER_TABLE
Fill Issue Buffer Table (DSWPJOB)
SM:MIGRATE_ISSUE_PROJECT_CONTEXT/RDSWPCI_ISSUE_PROJECT_CONTEXT1
(DSWPJOB)
SM:SYNC ISSUES FROM CRM/RDSWP_ISSUE_REFRESH
Table DSWPISSUE contains information from the CRM document and the support message (Context). This table is updated. (DSWPJOB)
SOLMAN_ISSUE_STATUS_REFRESH/RBM_REFOBJ_BUFFER_UPDATE
The SAP Solution Manager buffers message attributes such as the current user and the processing status. This periodic job collects these message attributes from the message system and makes them available for analysis.
SERVICE DESK
SM:RNOTIFUPDATE01/RNOTIFUPDATE01
This refreshes the contents of Support Desk or Expert-on-Demand messages that have been processed by SAP. Recommendation: Deactivate this job and schedule a customer-specific variant (DSWPJOB).
SAP-OSS-LIST-O01
SM:GET CSN COMPONENTS/DSWP_GET_CSN_COMPONENTS
Transfer CSN Components to Solution Manager (DSWPJOB)
SAPOSS
AI_SDK_FILL_FILE_TYPE_TABLE/AI_SDK_FILL_FILE_TYPE_TABLE
Only specified file types can be sent to SAP, for security reasons, all other attachments sent to SAP are refused by SAP. For SAP being able to read all the attachments which you send with your message, the program updates the file type tables AISDK_FILETX and AISDK_FILETY.
SAP-OSS
SOLUTION MONITORING
/BDL/TASK_PROCESSOR Starts all necessary tasks (Maintenance Task) in satellite systems for Service sessions (e.g. EWA) (automatically scheduled when SDCCN is activated in Satellite system)
TRUSTED or LOGIN
SM:EXEC SERVICES/RDSMOPBACK_AUTOSESSIONS
Executes Service sessions in Solution Manager. Carries out services daily (or weekly) and schedules new services (DSWPJOB)
SM:CSA SESSION REFRESH/DSVAS_APPL_CSA_REORG_TASKTABLE; RDSMOPSOL_MONIREFRESH
CSA Session Refresh (DSWPJOB) The Central System Administration (CSA) session is opened in the background and processed every hour. This updates the task status icons in the SAP Solution Manager graphic.
SM:CSA UPDATE TASKSTATUS/DSVAS_APPL_CSA_UPD_TASKSTATUS
CSA Task Status Update (DSWPJOB) updates status symbols of CSA tasks in the graphical overview of systems
SM:CSDCC HANDLE TASKS/RCSDCCHANDLETASKS
(DSWPJOB)
SM:SESSIONS RESET/RDSMOP_SESSSION_RESET
Session initialization. The set-up sessions are automatically reset after a new ST-SER release is implemented or after a new Support Package is imported. This ensures that these sessions always run on the newest check source code (DSWPJOB)
SM:MIGRATE EWACUSTOMIZING/RDSWPMIGRATEEWACUSTOMIZING
Migrate EWA Customizing (DSWPJOB)
SM:SET DEFAULT RATING/RDSWPSETDEFAULTRATINGHIERARCHY
Set default rating (DSWPJOB -> Non-active)
SM:SOLMAN MONITORING/RDSWP_FILL_CCMS_ALERTS
Supplies the monitoring object of the CCMS for every solution with data from the Solution Manager, for example EWA, SL Reporting and Transaction SDCCN. (DSWPJOB)
TRUSTED or READ
SM:DOWNLOAD DELETION/RDSWPDOWNLOADDELETION
The download data which is more than 30 days old, is deleted (DSWPJOB)
Program name: RDSWP_DTM_UPDATE_DT_STATUS
To update downtime status. To be run daily, at 00:00 to 00:10 hrs; Period : 1.
CHANGE REQUEST MANAGEMENT
SM:TMWFLOW_CMSSYSCLO//TMWFLOW/CMSSYSCOL2
gets tracking data from systems, asynchronously (DSWPJOB)
READ; TMWFLOW
ROOT CAUSE ANALYSIS
SM:SOLMAN_DIAG_UPDATE/RSOLDIAG_CHECK_FOR_UPDATE
Checks your Solution Manager and notifies it about the changes made to relevant data and parameters. (DSWPJOB)
IMPLEMENTATION (DOCUMENT MANAGEMENT)
Jobname (customer-specific)/ RSTIRIDX Asynchronous indexing and de-indexing for Document Management (manually, see also IMG -> Scenario-specific settings -> Cross-scenario -> Document Management -> Servers -> Connect Index Server for Full Text Search)
SM:ACCELERATE DOC USAGE/RDMD_ACCELERATE_DOC_USAGE
Accelerates the where-used list for documents in the Solution. (DSWPJOB)
THIRD PARTY PRODUCTS
Jobname (customer-specific) / RS_SM_QC_REQUIREMENT_SYNC and RS_SM_QC_TESTRESULT_SYNC
SAP Quality Center by HP send Test Requirements and receive Test Results (manually, see IMG -> Scenario-specific Settings -> Third Party Integration -> SAP Quality Center by HP)
GENERAL INFRASTRUCTURE
REFRESH_ADMIN_DATA_FROM_SUPPORT/AI_SC_REFRESH_READ_ONLY_DATA
Periodically reads administrative data from SAP Support Portal (System data synchronization in SMSY)
SAP-OSS
SEND_SYSTEM_RELATIONSHIP_TO_SUPP/AI_SC_SEND_SYSTEM_RELATIONSHIP
Periodically sends information which systems are managed by Solution Manager
SAP-OSS
SERVICE_CONNECTION_LISTENER/AI_SC_LISTENER
Periodically checks in Solution Manager, whether a service connection is planned to be opened
SAP-OSS
LANDSCAPE FETCH/ RSGET_SMSY The job gets system data for the Solution Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD); Default: TMS/RFC
SM:SYNC CONTENT FROM SAP/RDSWPBACKGROUNDSERVICES_1
(DSWPJOB -> non-active)
SM:MIGRATE_LANG_DEP_SAPSCRIPT/MIGRATE_LANG_DEP_SAPSCRIPT; RMIGRATE_LANG_DEP_SAPSCRIPT
(DSWPJOB -> MIGRATE_LANG_DEP_SAPSCRIPT non-active)
-
SM:CLEAR ARCHIVED DATA/RDARCH_CLEAN_DATABASE
(DSWPJOB -> non-active)
SM:DYNAMIC TABU UPDATE/RDMD_DYNAMIC_TABU_UPDATE
Updates the table contents that are necessary to operate the Solution Manager. (DSWPJOB)
SM:DMD CONSISTENCY/RDMD_INCONSISTENCIES
Checks the data model of a solution for inconsistencies (DSWPJOB)
RDMD_INCONSISTENCIES/RDMD_MIGRATE_OBJS_2_LANG_INDEP
(DSWPJOB)
SM:REMOVE INCONSISTENCIES/RDMD_REMOVE_INCON
Remove inconsistencies in the data model (DSWPJOB)
SM:REORG APPLICATION LOG/RDMD_REORG_APPLICATION_LOG
Reorganization of Application Log (DSWPJOB)
SM:REFRESH ENTRYSCREEN/RDSMOPSOLUTIONLISTUPDATE
Update of Solution list: The status of every solution is determined for the overview list of all solutions (the access screen in Transaction SOLUTION_MANAGER) (DSWPJOB)
SM:SERVICE ASSISTANT EVENTS/RDSVAS_EXECUTE_EVENTS
(DSWPJOB -> non-active)
SM:HOURLY SERVICES/RDSWPBACKGROUNDSERVICES_3
(DSWPJOB -> non-active)
SM:UPDATE RULES/RDSWPRULESUPDATE
A set of rules controls the services and documents that can be offered for the information about system infrastructure and processes that is maintained in the Solution Manager. (DSWPJOB)
SM:SELFDIAGNOSIS/RDSWP_SELF_DIAGNOSIS
Update Selfdiagnosis (DSWPJOB)
SM:MIGRATE SESS DL./RDSWP_SSA_MIGRATE_SESS_DL
(DSWPJOB)
SM:MOVE TO ARCHIVE QUEUE/RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE
Move services and sessions to archive queue(DSWPJOB)
EMAIL_NOTIFICATION (customer specific)/RSCONN01 (variant SAP&CONNECTALL)
Periodic background job to send queued e-mails (manually scheduled via transaction SCOT) -> see also IMG -> Cross-scenario settings)
SM:RFC MONITORING/RWBA_RFC_WATCHER
To check RFC-Connections. To be run hourly or daily (recommended between 10pm and 4am). The job executes RFCPING or RFC_PING.
Trace and Log Files
This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.
System Landscape
- Update Logs
- RFC Logs
- Data save logs
Solution Manager Implementation
- All tabs can be traced. Each change on the tab will be recorded. No changes of the assigned object are logged (except documents).
- One can specify which project and tab will be traced.
- Documentation will be versioned by each change.
Solution Manager Operations
Traces are available in Solution Directory
- All tabs can be traced. Each change on tab will be recorded. No changes of the assigned object are logged (except documents).
- One can specify which Solution will be traced
- Documentation will be versioned by each change
Customizing Distribution
- Each distribution is logged
- Each distributed object is logged
APPENDIX
Security Parameters for Individual Scenarios
General Remarks
In the following paragraphs the main scenarios of SAP Solution Manager are described in regard to the above mentioned security parameters.
For a complete description of all scenarios, see: Master Guide SAP Solution Manager <current release>.
Usage data about which functionality/scenario is used by the customer is sent to SAP. See as well: SAP Note 939897 (How to disable this transfer)
Service Delivery
The Services Delivery scenario comprises the following main functionalities:
Service Plan
The Service Plan is the central instance of collaboration with SAP containing delivered Services and Services that are to be delivered later on. In this regard, customers can accept or deny SAP Services. SAP Services are sent to the customer by SAP and confirmation of Service Delivery is sent by the customer to SAP via backgroundjob or in dialog. If you do not want to send any confirmation for Services to SAP, you do not activate this functionality. If no Service Plan information is sent, SAP can only deliver limited Services.
Data which is sent:
- GUIDs for Service Identification with values YES or NO.
- Delivery Date
Service Plan makes use of WebDynpro Applications. In order to deliver Services a HTTP connect is needed.
Expertise-on-Demand (EoD)
Expertise on Demand describes the demand by a customer for an SAP expert on some topic.
Solution Transfer
When you transfer solutions, all productive data of your chosen solutions are transferred by default. When you made your solution known to SAP, its data are regularly updated by a backgroundjob. For each individual solution you can decide whether you want to transfer only productive data, all data or no data. To disable it, see SAP Note 920153. During transfer a data download is sent to SAP via DMD_OPEN. This data package is only partially read and used by SAP. Information of logical components and business processes are bundled at SAP per customer. To view the data of a solution use report RDSMOP_VIEW_SOLUTION_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use the Internet Explorer to view this XML file. Solution Transfer makes use of WebDynpro Applications.
Service Desk (Service Provider) and Issue Management

Service Desk
The Service Desk allows you to create support messages in the Solution Manager system and all connected Satellite systems (see chapter RFC Destinations), send them to SAP, and receive replies from SAP. Communication between Solution Manager and SAP Service and Support is needed. There is also the possibility to connect Third Party Service Desks via Web Services.
Information on the third party service desk interface is provided in service.sap.com/solutionmanager -> Media Library -> Technical Papers -> Service Desk Web Service API

Issue Management
In Issue Management you can distinguish between Top Issues and Issues. Top Issues bundle Issues which contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues are addressed towards Management. Issue data is sent via periodical background jobs once a week after the initial transfer. The initial transfer is done via dialog. You can avoid sending data by deleting this job. If no data is sent to SAP, SAP Support cannot deliver proactive support. For information on Top Issue data which is sent, see SAP Note 971138. To see the data of a Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use Internet Explorer to view this XML file. Issue Management makes use of WebDynpro Applications.
Implementation and Distribution
The Implementation and Distribution scenario is used for the implementation of customer projects. This scenario includes an implementation roadmap, an editor for creating and maintaining business blueprints, access to the Implementation Guides (IMG), and tools for testing, monitoring and distributing Customizing. Communication between Solution Manager and satellite systems is needed. Satellite Systems are connected via RFC.
Solution Monitoring
The Solution Monitoring scenario provides support for functionalities such as Service-Level Reporting, EarlyWatch Alert, System Monitoring and Business Process Monitoring.
EarlyWatch Alert contains data on system health. The data is collected automatically in the respective satellite system, sent via RFC destination to the Solution Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a satellite system into a Solution Manager system, but your satellite system has no RFC connection to the Solution Manager system, see SAP Note 657306.
EarlyWatch Reports are sent to SAP in case of a red rating. You can deactivate these settings in transaction SOLUTION_MANAGER, Operations Setup -> Solution Monitoring -> EarlyWatch Alert (column Send to SAP).
The solution monitoring functionality allows you to monitor the state of multiple solution landscapes. SAP Solution Manager can be used to monitor the satellite systems in a landscape, as well as all the business processes running on them. Setting up the RFC connections also sets up the corresponding RFC destinations for system monitoring (see IMG activity in transaction SPRO: SOLMAN_ASSIGN_RFCS).
Solution Monitoring makes use of WebDynpro Applications.
Change Management
You can use the Maintenance Optimizer to download Support Package Stacks and Support Packages for your various satellite systems. If the RFC connection to SAP or table AISUSER (S_user) is not maintained, it is not possible to download SAP Service- and Support-Packages.
Currently, the Change Request Management scenario consists of a workflow for implementing urgent corrections and support maintenance. This workflow is the result of an integration between the Service Desk and SAP Change Manager. The workflow starts with the occurrence of an error. This error is reported to the Service Desk. If the error is serious enough to warrant the immediate implementation of a correction (urgent correction), a change request is created. This request is then approved, which results in the creation of a change document.
Root Cause Analysis
SAP Solution Manager Diagnostics provides root cause analysis of incidents in customer solutions powered by SAP NetWeaver. It provides read access to traces and configuration settings of SAP NetWeaver components.
Examples Authorization Restriction
All examples are also contained in IMG documentation.
Solutions
(see as well IMG activity: SOLMAN_SYST_INFORMAT)

Maintain One Solution and Display All Other Solutions
Problem: User A needs to use Maintenance Optimizer for a number of systems which are contained in solution XXX. He/she should not be able to do anything in all other existing solutions, but should be able to see them.
Solution: Role SAP_SM_SOLUTION_DIS needs to be maintained with authorization object D_SOL_VSBL. D_SOL_VSBL needs to be copied and maintained with act. 02 and solution ID for solution XXX. The role for Maintenance Optimizer, SAP_MAINT_OPT_ADMIN, is granted as well.
Explanation: D_SOL_VSBL with 03 + * and 02 + <SolutionID> gives authorization to display all solutions but only editing rights for one specific solution. Only within the solution with editing rights is the user able to work with Maintenance Optimizer.

Create Solution and Display All
Problem: User A should be able to create solutions and display XXX and YYY.
Solution: In role SAP_SM_SOLUTION_ALL, authorization object D_SOL_VSBL can be maintained as follows: remove activities 02 + 06 (leaving 01 + 03) for solution-IDs for XXX and YYY.
Explanation: Activity 01 is independent of solution-IDs. Activity 03 grants display only for the mentioned solutions.
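The two D_SOL_VSBL examples above depend on how an authorization check combines values: a check passes only if one single authorization covers every checked field, while separate authorizations of the same object are alternatives. The following model is an added illustration, not SAP code and not part of the guide; the field names ACTVT and SOLUTION and the solution IDs are assumptions, the activity codes are those named in the text.

```python
# Added illustration: a simplified model of an ABAP-style authorization check
# for authorization object D_SOL_VSBL. Field names ACTVT and SOLUTION and the
# solution IDs are assumptions; activity codes 01, 02, 03 are from the text.

CREATE, CHANGE, DISPLAY = "01", "02", "03"


def value_allowed(allowed_values, requested):
    """A field matches on an exact value, on '*', or on a 'PREFIX*' pattern."""
    for pattern in allowed_values:
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
        if pattern == requested:
            return True
    return False


def authority_check(authorizations, **checked_fields):
    """Pass only if ONE authorization covers ALL checked fields.

    Separate authorizations of the same object are alternatives (OR);
    the fields inside one authorization must all match (AND).
    """
    return any(
        all(value_allowed(auth.get(field, ()), value)
            for field, value in checked_fields.items())
        for auth in authorizations
    )


# "Maintain One Solution and Display All Other Solutions": two authorizations.
MAINTAIN_ONE = [
    {"ACTVT": {DISPLAY}, "SOLUTION": {"*"}},    # display all solutions
    {"ACTVT": {CHANGE}, "SOLUTION": {"XXX"}},   # copy: change solution XXX only
]

# Misconfiguration: same values entered into a single authorization instead.
MERGED = [{"ACTVT": {DISPLAY, CHANGE}, "SOLUTION": {"*", "XXX"}}]

# "Create Solution and Display All": 01 + 03 restricted to XXX and YYY.
CREATE_AND_DISPLAY = [{"ACTVT": {CREATE, DISPLAY}, "SOLUTION": {"XXX", "YYY"}}]


def changeable_solutions(authorizations, solution_ids):
    """List the solutions a user could edit, e.g. for a role review."""
    return sorted(s for s in solution_ids
                  if authority_check(authorizations, ACTVT=CHANGE, SOLUTION=s))


if __name__ == "__main__":
    landscape = ["XXX", "YYY", "ZZZ"]  # constructed sample solution IDs
    print("two authorizations:", changeable_solutions(MAINTAIN_ONE, landscape))
    print("merged into one:   ", changeable_solutions(MERGED, landscape))
```

Entering 02 and XXX into the existing 03 + * authorization instead of a copy makes every solution editable, which is the case a role review should look for.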
Project Administration
(see as well IMG activity: SOLMAN_RECOMMEND -> authorizations -> Project Administration)

Restriction of System Landscape
Problem: The system administrator creates the system landscape for your project. The project manager maintains all other data for the project in the project administration. Your system administrator should not have access to project data other than the system landscape.
Solution: In role SAP_SOL_PROJ_ADMIN_* (contained in composite role SAP_SOL_*_COMP) he/she should receive the value 03 (display) for S_PROJECT and SYST (access to system landscape maintenance in a project) for S_PROJ_GEN.
Digital Signature
(see as well IMG activity: SOLMAN_DIGSIG_INFORM)

Restriction by Authorization Group
Problem: User A may execute individual signatures to which the authorization group PROD (production) has been assigned but is not allowed to execute individual signatures with authorization group QUAL (quality assurance).
Solution: In role SAP_SOL_KW_*, authorization object C_SIGN_BGR, he/she is assigned authorization PROD for field SIGNAUTH.
Document Management
(see as well IMG activity: SOLMAN_DOCU_INFORMAT)

Unlocking of Documents
Problem: You want to allow a user to unlock documents which are locked by a status schema.
Solution: This can be controlled with the authorization object S_IWB and the activity 95.

Project Restriction
Problem: You want users who are assigned to a project to only be able to search for, edit or display the documents for this project.
Solution: This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group which is assigned to the project and carries its name, e.g. the folder group with the name <XYZ> is assigned to the project <XYZ>. You restrict the following authorization objects:
- S_PROJECT with field PROJECT_ID
- S_IWB and S_IWB_ATTR with field IWB_FLDGRP
Solution Monitoring
(see as well IMG activity: SOLMAN_MON_INFORMATI)

Session Restriction
Problem: The authorization object D_SOLMANBU controls the allowed activities for each session (BundleID), for the scenario Solution Monitoring. You want to restrict access to the Self-Service SAP EarlyWatch Health Check. SAP delivers no default role for this session.
Solution: Copy the role SAP_OP_DSWP, and give the authorization object D_SOLMANBU the BundleID EW_SELF.

Monitoring Graphic Restriction
Problem: You want the user to be able to display the Monitoring Graphic, but have no further access to alerts or CSA sessions.
Solution: In role SAP_OP_DSWP, in authorization object D_SOLM_ACT, remove activities 80 and 81.