Web Channel Security 3.0


  • 7/22/2019 Web Channel Security 3.0

    1/118

    Security Guide: SAP Web Channel Experience Management 3.0

    Target Audience

    System administrators

    Technology consultants

    Security consultants

    CUSTOMER
    Document version: 1.4, 2013-02-07


    Document History

    CAUTION

    Before you start the implementation, make sure you have the latest version of this document. You can find the latest version on SAP Service Marketplace at http://service.sap.com/securityguide or at http://service.sap.com/wec-inst.

    The following table provides an overview of the most important document changes:

    Version | Date       | Description
    1.0     | 2012-11-29 | Initial version
    1.1     | 2012-12-05 | Restructuring done to make what was previously section 15.9 into chapter 16 Security Checklist.
    1.2     | 2013-01-10 | Addition of reference to SAP Note 1029819 to chapter 2.2 Important SAP Notes.
    1.3     | 2013-01-16 | Correction in section 12.4.1 Restricting Access to the Administration Area of Web Channel Applications.
    1.4     | 2013-02-07 | Addition of caution in section 8.1.1.1 HTTPS Switch.

    2/118 CUSTOMER 2013-02-07


    Table of Contents

    Chapter 1 Introduction ... 9
      1.1 Why Is Security Necessary? ... 9
      1.2 Overview of the Guide's Main Sections ... 11
    Chapter 2 Before You Start ... 13
      2.1 Fundamental Security Guides ... 13
      2.2 Important SAP Notes ... 13
      2.3 Additional Information ... 14
    Chapter 3 Technical System Landscape ... 15
    Chapter 4 Security Aspects of Data, Data Flow, and Processes ... 17
      4.1 General Data Flow of Web Channel Applications ... 17
      4.2 Data and Data Flow of Specific Web Channel Functionality ... 18
        4.2.1 Web Channel Builder ... 18
        4.2.2 User Management ... 18
        4.2.3 Product Catalog and Product Registration ... 19
          4.2.3.1 Product Catalog: Browsing ... 19
          4.2.3.2 Product Catalog: Adding to the Shopping Cart ... 20
          4.2.3.3 Product Registration ... 21
    Chapter 5 User Administration and Authentication ... 23
      5.1 Users ... 23
        5.1.1 User Types ... 23
        5.1.2 Internet User Models ... 24
          5.1.2.1 Web Shop Customers ... 24
          5.1.2.2 Web Channel Builder Users ... 26
      5.2 User Authentication ... 26
        5.2.1 Service User Authentication ... 26
        5.2.2 Administration User Authentication ... 27
        5.2.3 Internet User Authentication ... 27
          5.2.3.1 UME Authentication ... 27
          5.2.3.2 Web Channel Logon ... 28
          5.2.3.3 Follow-On Steps ... 28
          5.2.3.4 User Identification Types ... 28
          5.2.3.5 Early Logon ... 29
      5.3 User Management ... 29
        5.3.1 User Administration Tools ... 29
          5.3.1.1 Service Users ... 29
          5.3.1.2 Web Channel Builder Users ... 30
          5.3.1.3 Web Shop Customers ... 30
          5.3.1.4 Administrators ... 33
        5.3.2 User Types ... 34
        5.3.3 Users Relevant for Web Channel Applications ... 34
      5.4 User Data Synchronization ... 36
      5.5 Integration into Single Sign-On (SSO) Environments ... 37
        5.5.1 Secure Network Communications (SNC) ... 37
      5.6 User Management Configuration ... 37
    Chapter 6 Authorization ... 39
      6.1 Authorization Concept ... 39
        6.1.1 Roles and Profiles ... 39
          6.1.1.1 Predefined User Roles on SAP NetWeaver AS ABAP ... 39
          6.1.1.2 Predefined User Roles on SAP NetWeaver MDM ... 43
          6.1.1.3 Predefined User Role on SAP NetWeaver AS Java ... 44
          6.1.1.4 Additional Aspects of Web Channel User Roles ... 45
          6.1.1.5 Authorization Proposals ... 45
        6.1.2 SU24 Support ... 47
          6.1.2.1 Service Name Prefix ... 48
          6.1.2.2 Web Channel Module ID ... 48
          6.1.2.3 Service Name Suffix ... 48
          6.1.2.4 Authorization Trace Activation ... 49
      6.2 Authorization Objects ... 49
        6.2.1 Standard Authorization Objects ... 49
        6.2.2 Critical Authorizations and Combinations ... 51
        6.2.3 Special Web Channel Authorization Objects ... 52
          6.2.3.1 Document Authorization Concept ... 53
          6.2.3.2 Web Channel Builder Authorizations ... 54
          6.2.3.3 Authorization Values of Different Web Channel Builder User Roles ... 55
          6.2.3.4 Authorizations Required for Setting Certain Request URL Parameters ... 56
          6.2.3.5 Authorizations for Development, Testing, and Support ... 57
        6.2.4 Business Object Access Control ... 57
          6.2.4.1 Authorizations Based on the Access Control Engine in SAP CRM ... 57
          6.2.4.2 Business Object Access Control in SAP ERP ... 57
    Chapter 7 Session Security Protection ... 59
      7.1 Session Security Protection on SAP NetWeaver AS Java ... 59
        7.1.1 Recommended Settings ... 59
          7.1.1.1 Switch to HTTPS ... 60
          7.1.1.2 HTTPS for Whole Session ... 60
        7.1.2 Session Security Aspects of the Product Catalog ... 61
    Chapter 8 Network and Communication Security ... 63
      8.1 Communication Channel Security ... 63
        8.1.1 HTTPS for Web Channel Applications ... 65
          8.1.1.1 HTTPS Switch ... 65
          8.1.1.2 HTTPS Servlet Filter ... 66
          8.1.1.3 Grace Period ... 67
          8.1.1.4 HTTPS in the Administration Area ... 68
      8.2 Network Security ... 69
        8.2.1 Network Topology ... 69
        8.2.2 Ports ... 70
      8.3 Communication Destinations ... 70
        8.3.1 RFC Destinations ... 70
          8.3.1.1 Automatic Creation of Destinations ... 72
        8.3.2 SAP NetWeaver MDM Destination ... 72
    Chapter 9 Data Storage Security ... 75
      9.1 Storage Areas ... 75
        9.1.1 SAP Database ... 75
        9.1.2 Cookies ... 75
          9.1.2.1 HTTPSRequired Cookie ... 76
          9.1.2.2 COMSAPWECUM01 Cookie ... 76
          9.1.2.3 Java Cart Cookie (recoverCart) ... 77
          9.1.2.4 Additional Cookies ... 77
        9.1.3 Database of SAP NetWeaver AS Java ... 78
        9.1.4 Secure Storage ... 78
        9.1.5 File System ... 78
        9.1.6 Encryption of Payment Cards ... 79
        9.1.7 Encryption of Gift Card Code ... 79
        9.1.8 Customer-Specific List Price ... 79
    Chapter 10 Web Application Security ... 81
      10.1 HTTP Request Serialization ... 81
      10.2 Cross Site Scripting (XSS) ... 81
      10.3 Input Validation ... 82
      10.4 Session Riding: Cross Site Request Forgery (XSRF) ... 83
      10.5 File Uploads ... 85
        10.5.1 Virus Scanning for Uploaded Files ... 85
        10.5.2 Upload of Attachments ... 86
      10.6 Cookie Security ... 86
        10.6.1 Secure Cookie Attribute ... 86
        10.6.2 HttpOnly Attribute ... 86
        10.6.3 Application Cookie Protection ... 87
      10.7 Session Fixation ... 87
      10.8 Fast Session Timeout ... 88
      10.9 Distributed Denial-of-Service Attacks (DDOS) ... 88
      10.10 URL Session Rewriting ... 88
      10.11 ZIP Bombs ... 88
      10.12 Autocompletion Attribute of UI Components ... 89
      10.13 Clickjacking ... 89
    Chapter 11 Security for Additional Applications ... 91
      11.1 Integrating Payment Service Providers ... 91
      11.2 Securing the Communication Between the Back-End System and SAP NetWeaver MDM ... 91
    Chapter 12 Other Security-Relevant Information ... 93
      12.1 Security-Relevant Module Settings ... 93
      12.2 Web Channel Builder (WECB) ... 93
        12.2.1 Web Channel Builder Applications ... 93
        12.2.2 Application Preview in Web Channel Builder ... 94
        12.2.3 Web Channel Builder Password Change ... 95
        12.2.4 Web Channel Builder Logon ... 95
        12.2.5 Web Channel Builder Settings ... 95
      12.3 Web Channel User Management ... 95
        12.3.1 User Management Configuration ... 95
        12.3.2 Self-Registration Process ... 96
        12.3.3 Forgotten Password ... 96
        12.3.4 Guest User Scenario ... 96
        12.3.5 User Groups ... 97
        12.3.6 Digitally-Signed E-Mails ... 97
      12.4 Web Channel Administration Area ... 97
        12.4.1 Restricting Access to the Administration Area of Web Channel Applications ... 97
      12.5 Security-Relevant Information for Other Web Channel Modules ... 98
        12.5.1 Java Cart ... 98
      12.6 Additional Security Information ... 98
        12.6.1 JavaScript ... 98
        12.6.2 AJAX ... 98
        12.6.3 Theme Server Location and HTTPS ... 99
        12.6.4 Search Engine Optimization ... 99
        12.6.5 Web Application ID (WEC-APPID) ... 99
        12.6.6 Error Page and Runtime Error Stack ... 99
        12.6.7 URL Parameter wec-debug ... 100
        12.6.8 Exception Hierarchy and Mapping to Error Pages ... 101
        12.6.9 Dynamic UI Help Texts ... 102
    Chapter 13 Payment Card Security According to PCI-DSS ... 103
    Chapter 14 Security Logging and Tracing ... 105
      14.1 Web Channel Log and Trace Files ... 105
      14.2 Session Trace ... 105
      14.3 Excluding Sensitive Data from Session Tracing ... 106
    Chapter 15 Web Service Security ... 107
      15.1 Authentication ... 107
        15.1.1 Configuration ... 107
        15.1.2 Authentication Mechanisms ... 108
      15.2 Communication Channel Security: Force HTTPS ... 109
      15.3 Error Handling: Project Stage ... 109
      15.4 Logging and Tracing ... 110
      15.5 Session Handling ... 110
      15.6 Authorizations ... 111
      15.7 Authorization Tracing ... 112
      15.8 Cross-Site Request Forgery Protection ... 112
    Chapter 16 Security Checklist ... 113

    1 Introduction

    CAUTION

    This guide does not replace the administration or operation guides that are available for productive operations.

    This document is not included as part of the installation guides, configuration guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software lifecycle, whereas security guides provide information that is relevant for all lifecycle phases.

    1.1 Why Is Security Necessary?

    With the increasing use of distributed systems and the Internet for managing business data, security demands are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time.

    These security demands also apply to SAP Web Channel Experience Management (Web Channel). Web Channel allows you to do your business over the Internet. Security is therefore important, because any business-related information can be accessed and your application can be the target of many different attack scenarios.

    The following table provides an overview of some attack scenarios and references to subsections that contain details on how to protect your application:

    Attack Scenarios

    Attack Type: Broken access control
    Description: Restrictions on the activities that authenticated users are permitted to perform are not enforced.
    Relevant Subsections: User Administration and Authentication; Data Storage Security; Other Security-Relevant Information

    Attack Type: Broken authentication and session management
    Description: The account credentials and session tokens may not be properly protected. As a result, attackers can overcome authentication restrictions to access passwords, keys, session cookies, or other tokens and assume other users' identities.
    Relevant Subsections: Network and Communication Security

    Attack Type: Storage that is not secure
    Description: Data stored in files is not protected accordingly.
    Relevant Subsections: Data Storage Security

    Attack Type: Distributed denial-of-service (DDOS)
    Description: DDOS attacks
    Relevant Subsections: Other Security-Relevant Information

    Attack Type: Cross-site request forgery attack
    Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF, is a type of malicious violation of a Web site whereby unauthorized commands are transmitted from a user that the Web site trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. For more information, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
    Relevant Subsections: Web Application Security

    Attack Type: Cross-site scripting
    Description: Cross-site scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted Web sites. Cross-site scripting attacks occur when an attacker uses a Web application to send malicious code, generally in the form of a browser-side script, to a different end user. For more information, see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
    Relevant Subsections: Web Application Security

    Attack Type: Session fixation
    Description: Session fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable Web application manages the session ID: when authenticating a user, it does not assign a new session ID, making it possible to keep using an existing one. The attack consists of inducing a user to authenticate with a known session ID, and then hijacking the user-validated session through knowledge of that session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it. Session fixation is a class of session hijacking; classic session hijacking steals the established session between the client and the Web server after the user logs in, whereas session fixation fixes a session on the victim's browser beforehand, so the attack starts before the user logs in. For more information, see https://www.owasp.org/index.php/Session_fixation.
    Relevant Subsections: Session Security Protection; Web Application Security

    To assist you in securing Web Channel scenarios and applications, we provide this security guide.
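    The session fixation row in the table above turns on one detail: whether the application issues a new session ID at the moment of authentication. The following Python model is added here as an illustration and is not part of this guide or of SAP Web Channel; it contrasts a session store that keeps the pre-logon ID with one that regenerates it, and shows that a session ID known before logon only maps to the authenticated user in the first case. SessionStore and fixation_survives_login are constructed names.

```python
import secrets


class SessionStore:
    """Minimal server-side session store keyed by session ID.

    Constructed for this illustration; it models only the one behaviour that
    decides whether session fixation works: what happens to the session ID
    when a user authenticates.
    """

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session ID -> session data

    def new_session(self):
        """Create an anonymous (pre-authentication) session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Authenticate `user` on the session behind `sid`.

        Returns the session ID the browser must use from now on.

        Vulnerable behaviour (regenerate_on_login=False): the old ID is kept,
        so anyone who already knows it now holds an authenticated session.
        Mitigated behaviour (regenerate_on_login=True): the session data is
        moved to a freshly generated ID and the old ID is deleted, so an ID
        planted before logon is worthless afterwards.
        """
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.regenerate_on_login:
            self._sessions[sid]["user"] = user
            return sid
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Return the user the server associates with `sid` (None if anonymous or unknown)."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_survives_login(regenerate_on_login):
    """Replay the scenario from the table: a session ID exists before logon,
    the victim authenticates with it, and we check whether that pre-logon ID
    now resolves to the victim's account. True means the application is
    exposed to session fixation."""
    store = SessionStore(regenerate_on_login)
    known_before_login = store.new_session()   # ID already present on the browser
    store.login(known_before_login, "victim")  # victim authenticates with it
    return store.user_for(known_before_login) == "victim"


if __name__ == "__main__":
    print("ID kept at logon, pre-logon ID is authenticated:",
          fixation_survives_login(False))
    print("ID regenerated at logon, pre-logon ID is authenticated:",
          fixation_survives_login(True))
```

    On a real container the equivalent control is to invalidate the pre-logon session and create a new one at authentication; this model only makes the consequence of skipping that step visible.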


    1.2 Overview of the Guide's Main Sections

    The security guide contains the following main sections:

    Before You Start
    This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide.

    Technical System Landscape
    This section provides an overview of the technical components and communication paths that are used by Web Channel applications.

    Security Aspects of Data, Data Flow, and Processes
    This section provides information on data and data flows for Web Channel applications.

    User Administration and Authentication
    This section provides an overview of the following user administration and authentication aspects:
    - Recommended tools to use for user management
    - User types that are required by Web Channel applications
    - Standard users that are delivered with Web Channel applications
    - Overview of the user synchronization strategy, if several components or products are involved
    - Overview of how integration into single sign-on environments is possible

    Authorization
    This section provides an overview of the authorization concept that applies to Web Channel applications.

    Session Security Protection
    This section provides session security protection information including recommended settings, details on in-session switching from HTTP to HTTPS, and security information pertaining to the product catalog.

    Network and Communication Security
    This section provides an overview of the communication paths used by Web Channel and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

    Data Storage Security
    This section provides an overview of any critical data that is used by Web Channel applications and the security mechanisms that apply.

    Web Application Security
    This section provides security information that applies to Web applications. The section includes countermeasures for specific attack scenarios.

    Security for Additional Applications
    This section provides security information that applies to applications that are used with Web Channel applications.


    Other Security-Relevant Information
    This section contains information about Web Channel application security that was not covered in the previous sections.

    Payment Card Security According to PCI-DSS
    This section provides information about payment card security.

    Security Logging and Tracing
    This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach occurs.

    Web Service Security
    This section provides security information relevant for Web Channel Web services.

    Security Checklist
    This section provides an overview of the tasks required to ensure Web Channel application security.


    2 Before You Start

    2.1 Fundamental Security Guides

    SAP Web Channel Experience Management uses a framework that provides logic composition capabilities to expose functionality from a SAP CRM or SAP ERP back end in Web Channel applications. Web Channel applications based on SAP CRM can include e-commerce, e-service, and e-marketing functionality. With SAP ERP, the functionality is restricted to e-commerce. To enable Web Channel scenarios, Web Channel applications leverage different components such as the Internet Pricing and Configuration Engine (IPC), or product catalogs on SAP NetWeaver Master Data Management (SAP NetWeaver MDM) servers. Furthermore, third-party products for knowledge management and other functionality can be included.

    Web Channel application scenarios are built using ABAP functionality (RFC function modules) on the SAP CRM or SAP ERP server and Java-based functionality on the SAP NetWeaver Application Server Java (SAP NetWeaver AS Java). The Java-based applications on the SAP NetWeaver AS Java provide the user interface that is based on Java Server Faces (JSF).

    The corresponding security guides also apply to the Web Channel applications. The most relevant sections or specific restrictions are listed in the following table:

    Fundamental Security Guides

    Scenario-, Application-, or Component Security Guide | Guide
    SAP NetWeaver AS Java/ABAP        | http://service.sap.com/securityguide > SAP NetWeaver
    SAP CRM                           | http://service.sap.com/securityguide > SAP Business Suite Applications > SAP CRM
    SAP ERP                           | http://service.sap.com/securityguide > SAP Business Suite Applications > SAP ERP
    SAP NetWeaver MDM Product Catalog | http://service.sap.com/securityguide > SAP NetWeaver > SAP NetWeaver MDM

    For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

    2.2 Important SAP Notes

    The SAP Notes that are relevant to the security of Web Channel are listed inthe following table:

    2 Before You Start

    2.1 Fundamental Security Guides

    2013-02-07 CUSTOMER 13/118

    http://service.sap.com/securityguidehttp://service.sap.com/securityguidehttp://service.sap.com/securityguidehttp://service.sap.com/securityguidehttp://service.sap.com/securityguidehttp://service.sap.com/securityguidehttp://service.sap.com/securityguide
SAP Note | Title
891659 | Composite Security Note: AS Java
77503 | Audit Information System
1029819 | Encryption of payment cards in SD and customer master

You can also find a list of security-relevant SAP Hot News and SAP Notes on SAP Service Marketplace at http://service.sap.com/securitynotes.

2.3 Additional Information

For more information about specific topics, see the relevant documents on SAP Service Marketplace, as listed in the following table:

Content | SAP Service Marketplace Address
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released Platforms | http://service.sap.com/platforms
Network Security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
3 Technical System Landscape

The figure below shows an overview of the technical system landscape for Web Channel.

Figure 1: Technical System Landscape

Web Channel applications are deployed to SAP NetWeaver AS Java and run in the Web Container of SAP NetWeaver AS Java. Different back-end systems can be used to run the business logic. Standard Web Channel supports the SAP CRM or SAP ERP back ends. The SAP NetWeaver MDM server provides the product catalog functionality.

Figure 2: Web Channel UI Based on Java Server Faces

The Web Channel UI is based on Java Server Faces 2.0, with Apache MyFaces 2.1.7 and Velocity templates being used for UI rendering. AJAX capabilities are provided using the jQuery library. Web Channel applications can run in different Web browsers. Web Channel applications are called via HTTP and HTTPS. Connections to the back-end system are built via RFC using the SAP Java Connector (JCo). The destination information is maintained in the destination service of SAP NetWeaver AS Java. Web Channel Builder (WECB) is used to configure Web Channel applications. To allow application support and monitoring, each Web Channel application provides an Administration area.

For more information about the technical system landscape, see the resources listed in the following table:

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace
Technical description for Web Channel and the underlying components such as SAP NetWeaver | Master Guide | http://service.sap.com/wec-inst
Installation Guide for Web Channel | Installation Guide | http://service.sap.com/wec-inst
High availability | High Availability for SAP Solutions | http://sdn.sap.com/irj/sdn/ha
Technical landscape design | - | http://sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | http://sdn.sap.com/irj/sdn/security
4 Security Aspects of Data, Data Flow, and Processes

4.1 General Data Flow of Web Channel Applications

The figure below shows an overview of the data flow for Web Channel applications using a SAP CRM back-end system:

Figure 3: Data Flow for Web Channel Applications with SAP CRM Back End

The table below shows the security aspect to be considered for each process step and which mechanism applies:

Step | Description | Security Measure
1 | User Submits Form | Communication protocol: HTTPS
2 | Process Business Data | RFC based on destination using the current SAP NetWeaver AS Java User Management Engine (UME) user (user type: dialog user): SNC
3 | Return Data | Not applicable
4 | Return 302 Response | Not applicable
5 | Perform Redirect | Communication protocol: HTTPS
6 | Display Result | Communication protocol: HTTPS

4.2 Data and Data Flow of Specific Web Channel Functionality

This section describes the security aspects of data and data flow of the specific Web Channel processes.

4.2.1 Web Channel Builder

Web Channel Builder is used to create and maintain Web Channel application configurations. It also provides an approval process to allow distributed responsibilities for the release of application configurations.

Initially, the Web Channel configuration data is stored in the XML files below the CDM folder in the application WEB-INF folder. The configurations are transferred into the Java DB after the start of the application. Afterwards, the Java DB is always used to store configuration data.

4.2.2 User Management

Figure 4: Logon Data Flow

Step | Description | Security Measure
1 | User Submits Logon Form | Communication protocol: HTTPS (user type: dialog (UME) user)
2 | Check for Business Partner | RFC based on destination: SNC (user type: service user)
3 | BP Available | Not applicable
4 | UME Authentication | Programmatic UME authentication (UME API call)
5 | User Authenticated | Not applicable
6 | UME User Details | Programmatic UME API call
7 | Return User Details | Not applicable
8 | Get Business Partner Details | RFC based on destination: SNC (user type: dialog user)
9 | Return BP Details | Not applicable
10 | Welcome User | Not applicable

4.2.3 Product Catalog and Product Registration

The figure below provides an overview of the systems involved in the data flow for the product catalog and product registration.

Figure 5: Product Catalog

4.2.3.1 Product Catalog: Browsing

The product catalog operates in the following modes:

Anonymous
This allows non-registered users to browse the catalog.

Registered user
This allows Internet users in the consumer and contact scenarios to browse the catalog.

4.2.3.2 Product Catalog: Adding to the Shopping Cart

Web Channel provides the following options for shopping carts:

Back-end cart
With this option, the Web shop is configured with back-end functionality from either SAP CRM or SAP ERP. To add a product to the cart, the user must log on by either registering or providing a user name and password. For more information, see User Administration Tools in the section User Management of this guide.

Java cart
With this option, the Web shop is configured with a Java cart, thereby reducing the load on the back end. In this scenario, logon is not required (although it is still possible) to add products, or to view or modify cart contents. At checkout time, user logon is mandatory.

Figure 6: Back-End Cart

Figure 7: Java Cart

4.2.3.3 Product Registration

Figure 8: Product Registration

Product registration requires a user to be logged on.

5 User Administration and Authentication

Web Channel applications leverage the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver AS ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Web Channel applications.

In addition to these guidelines, information about user administration and authentication that specifically applies to Web Channel applications is available in the following topics:

User Management
This topic lists the tools to utilize for user management, the types of users required, and the standard users that are delivered with Web Channel applications.

User Data Synchronization

Integration into Single Sign-On Environments
This topic describes how Web Channel applications support single sign-on mechanisms.

5.1 Users

5.1.1 User Types

To use Web Channel applications, different users are needed, such as the following:

Service users
Service or technical users are used to access business functionality on the SAP CRM or SAP ERP back-end servers that can be used anonymously. These service users are maintained in the corresponding SAP NetWeaver AS Java destinations and are used to establish anonymous stateless or stateful connections to the back-end systems.

Administrators
Administrators are internal users who have the task to administer SAP NetWeaver AS Java and SAP NetWeaver AS ABAP. These users can use the Admin area of Web Channel applications.

Reference users
A reference user provides default authorizations to Internet users in the self-registration process. The user is not used for any dialog.

Internet users

Internet users are external or internal users who access the business functionality provided by Web Channel applications. For Web Channel applications, the following kinds of Internet users can be differentiated:

Web shop customers
To enable the usage of Web Channel business functions, Internet users of Web Channel applications are linked to business partners. Different Internet user models, dependent on the back-end system in use, exist for the Web Channel scenarios.

Delegated user administrator
Internet user with special authorizations to create and administer other Internet users for their company.

Web Channel Builder users
For the internally used Web Channel Builder application, internal users are needed. For this application, no linkage to a business partner is needed.

5.1.2 Internet User Models

This section describes how the Internet users are modeled in the specific ABAP back-end system.

NOTE
If the User Management Engine (UME) used for authentication uses a different user persistency than the back-end system (for example, LDAP or database), an additional UME user must exist in the UME data persistency. If Web Channel user management functionality is used to create and maintain users, this additional UME user is handled by that functionality. Additional UME users need to be created if other (non-Web Channel) functionality is used.

5.1.2.1 Web Shop Customers

Consumer Scenario

In the consumer scenario, the Internet user is linked to a business partner that represents a consumer. The realization of the business partner depends on the back-end system.

Figure 9: SAP CRM Consumer Scenario

On the SAP CRM back end, the business partner is realized as a business partner with partner role Consumer. The linkage between the business partner and the SU01 user is built using the Central Person (table HRP1001).

Figure 10: SAP ERP Consumer Scenario

On the SAP ERP back end, the business partner is realized as a KNA1 customer. The linkage between the business partner and the SU01 user is built using the user object references (table USAPREF).

Contact Scenario

In the contact scenario, the Internet user is linked to a business partner that represents a contact person for one or more customers. How the business partner is realized depends on the back-end system.

Figure 11: SAP CRM Contact Scenario

On the SAP CRM back end, partners with partner roles Contact Person and Sold-to Party are used.

Figure 12: SAP ERP Contact Scenario

On the SAP ERP back end, the contact person is equivalent to an entry in the KNVK table that is linked to a KNA1 customer.

5.1.2.2 Web Channel Builder Users

Web Channel Builder (WECB) users do not need a business partner. In this case, only an SU01 user must exist on the back-end system used for the WECB application.

5.2 User Authentication

5.2.1 Service User Authentication

Service users are specified in the destinations used by Web Channel applications. The authentication of service users happens implicitly on SAP NetWeaver AS ABAP when a connection is established to the SAP CRM or SAP ERP back-end system based on the destination containing the service user.

5.2.2 Administration User Authentication

For the Web Channel Administration area of Web Channel applications, container-based authentication is used: in the Web descriptor, a security constraint is declared that secures the Web resources of the Web Channel Administration area. The default SAP NetWeaver AS Java authentication stack (ticket authorization) is used.

5.2.3 Internet User Authentication

Web Channel Internet user authentication consists of several authentication steps induced by the Internet user model that is used for a Web Channel application. The step sequence below does not reflect the sequence of processing at runtime.

Web Channel provides two different user authentication approaches depending on the User Storage System settings:

UME authentication

Web Channel logon (ABAP logon)

NOTE
Only UME authentication provides single sign-on (SSO) support, as well as sufficient protection against session fixation attacks. For more information, see the following:

Integration into Single Sign-On Environments in this chapter

Session Security Protection chapter

Session Fixation in the Session Security chapter

5.2.3.1 UME Authentication

Web Channel applications use their own logon views for authentication. The logon views are embedded into other Web Channel application pages. Consequently, the programmatic authentication of the User Management Engine (UME), located on SAP NetWeaver AS Java, is used to authenticate users.

The programmatic authentication relies on the configured security policy of the Web Channel application. A policy configuration determines the logon views that are in the authentication stack, and any configurations that apply to that stack. For more information, see Authorization Concept of the AS Java: http://help.sap.com/saphelp_nw73/helpdata/en/48/c943f3825c581ce10000000a42189c/frameset.htm.

NOTE
The policy configuration property can be specified for the application configuration in the User module of Web Channel Builder. The default value is Form, which defines a UME logon with a user name and password, but without SSO support.
With the User module, container-based authentication is avoided. For this reason, do not enter any security constraints into the Web descriptor of Web Channel applications for common Web Channel Web resources. The programmatic authentication of the Web Channel applications relies on the security policy form or the corresponding logon module stack. For more information, see Policy Configurations and Authentication Stacks: http://help.sap.com/saphelp_nw73/helpdata/en/99/f66e424925c253e10000000a1550b0/frameset.htm.
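As an added illustration, not SAP's delivered descriptor, of the two rules stated in Administration User Authentication and above (a security constraint only for the Administration area, none for the common Web Channel resources), the following web.xml fragment scopes container-based authentication to a single URL pattern; the pattern /admin/*, the role name WebChannelAdmin and the HTTPS transport guarantee are assumed placeholders.

```xml
<!-- Added example, not the Web Channel descriptor shipped by SAP.
     Placeholders: URL pattern /admin/*, role name WebChannelAdmin. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Container-based authentication is declared ONLY for the
       Administration area. The common Web Channel resources get no
       security-constraint: they are protected by the programmatic UME
       logon of the User module, which a container constraint would
       bypass with its own logon. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Channel Administration area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Placeholder role; map it to the administrator group in the UME. -->
      <role-name>WebChannelAdmin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Assumed hardening: administration requests only over HTTPS,
           matching the HTTPS measure in the data-flow tables. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>WebChannelAdmin</role-name>
  </security-role>

  <!-- Counterexample (do not use): a constraint on every resource, as
       below, would put the container logon in front of the Web Channel
       logon views and break the programmatic UME authentication.

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>everything</web-resource-name>
           <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <auth-constraint><role-name>WebChannelAdmin</role-name></auth-constraint>
       </security-constraint>
  -->

  <!-- No login-config is chosen here: the text states that the default
       AS Java authentication stack applies to the Administration area. -->
</web-app>
```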

5.2.3.2 Web Channel Logon

With Web Channel logon, no UME logon takes place. Internet users are authenticated via RFC modules that call the ABAP Identity Management for authentication.

RECOMMENDATION
We recommend using UME authentication for Web Channel applications. In addition to the Web Channel logon, UME authentication enables the usage of session security protection on SAP NetWeaver AS Java. For more information, see the sections Session Security Protection and Communication Channel Security in this guide.

5.2.3.3 Follow-On Steps

Authorization check (only valid for Web Channel Builder users)
For Web Channel Builder, access is controlled by the authorization object COM_WEC_AP. The logon process is only successful if the Internet users have been granted the required authorization.

Business partner determination (only valid for Web shop customers)
For Web shop customers of Web Channel applications, a business partner must be linked to the user. During the logon of a Web shop customer, the existence of a business partner is checked on the back-end system. The Web application is only usable if the required business partner exists.

5.2.3.4 User Identification Types

Web Channel supports the following user identification types:

User Name (based on UME and the SU01 user ID)

User Alias (based on the SU01 user alias)

E-Mail Address

Technical ID (for example, the Web shop customer ID)

The user ID and user alias identification types are based on UME and SU01 user data, whereas e-mail address and technical ID are based on business partner data. If the user alias, e-mail address, or technical ID is used initially, the system retrieves the user ID related to the given identification. The user ID is then used for the authentication with the given password. For example, when a user enters their e-mail address, the system retrieves the business partner, and determines the related user object. The user ID of the user object is then used for authentication.

RECOMMENDATION
For optimal security, use the user ID or user alias instead of e-mail address or technical ID.

5.2.3.5 Early Logon

You can configure early logon for Web Channel applications in the User module of Web Channel Builder. When you enable this setting, Web shop customers must log on before they can enter the Web shop.

5.3 User Management

User management for Web Channel uses the mechanisms provided with SAP NetWeaver AS ABAP and SAP NetWeaver AS Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to Web Channel applications, see the sections below. In addition, we provide a list of the standard users required for operating Web Channel applications.

5.3.1 User Administration Tools

5.3.1.1 Service Users

The table below shows the tools to use for the user management and user administration of service users.

Tool: Service user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: For more information, see User and Role Administration of Application Server ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm. Select the user type Service.
Prerequisites: -

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine: http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
Prerequisites: UME user persistency equals the back-end system, for example SAP CRM or SAP ERP.
5.3.1.2 Web Channel Builder Users

The table below shows the tools to use for user management and user administration of Internet (dialog) users of Web Channel Builder (WECB).

The configuration of the user storage system determines whether a WECB user can be created using the Identity Management of SAP NetWeaver AS ABAP and/or SAP NetWeaver AS Java.

Tool: User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: For more information, see User and Role Administration of Application Server ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm. Select the user type Dialog.
Prerequisites: -

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine: http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm. If the user storage system is set to UME Only, it is sufficient to create the Internet user using SAP NetWeaver AS Java Identity Management. If the user storage system is set to ABAP and UME, the Internet user must be created using both SAP NetWeaver AS Java and SAP NetWeaver AS ABAP Identity Management.
Prerequisites: User storage system includes UME

5.3.1.3 Web Shop Customers

This section explains how to create and maintain Web shop customers.

Creating Web Shop Customers

You can create Web shop customers using either tool-based or manual methods.

Tool-Based Creation

The following options are available for tool-based creation of Web shop customers:

User self-registration
This consists of Web shop customers using the registration guided activity to create their own Internet users in the configured user storage system. In the consumer scenario, registration is always available. In the contact scenario, you must enable registration in the User module in Web Channel Builder. As part of the procedure to enable registration, you must activate one of the following registration types:

With New Sold-To Party
This allows the customer to register both their company and their user.

With Existing Sold-To Party and Contact
This requires the customer to enter a valid company ID, and allows them to enter only their own data as the contact person.
  • 7/22/2019 Web Channel Security 3.0

    31/118

    You can control registration in the contact scenario by means of a workflow. This allows customers

    to register themselves and their company in the Web shop, but requires the approval of the Web

    shop administrator.

    Delegated user administration

    This option is available for the contact scenario and is enabled in the Usermodule of Web Channel

    Builder. It allows delegated user administrators to create and maintain users for all of the sold-to

    parties to which they are assigned. You can also configure this setting so that the first contact for

    a new sold-to party is given superuser privileges that allow them to create and maintain users for

    their company. As the creation and maintenance of users are security-critical operations, we

    recommend that you offer authorizations selectively, and that you not assign them to reference

    users that are used for registration. For more information, see SAP Library for SAP Web Channel

    Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and

    then Application Help. In SAP Library, choose User Management Delegated User Administration .

    Manual Creation

    Since an Internet user consists of an SU01user and a business partner, user creation cannot be achieved

    using SAP NetWeaver user maintenance alone. For Web shop customers, business partner maintenance

    functionality is needed as well. Web shop customers can be created in both the consumer scenario and

    the contact scenario using manual methods. Manual creation may be necessary if users are needed for

    development and testing.

    The following table lists approaches for manually creating Internet users in the consumer scenario.

    Tool Detailed Description Prerequisites

    SAP CRM business

    partner maintenance in

    SAP GUI (transaction

    BP)

    1. Create business partner with partner role

    Consumer(CRM006).

    2. Maintain the Internet user partner role.

    Only available in SAP GUI

    SAP CRM business

    partner maintenance in

    WebClient UI

    - Only available in WebClient UI

    NOTE

    The application does not

    support central user

    administration.

    SAP ERP customer

    maintenance

    (transactions VD0*)

    SAP ERP user and role

    maintenance with SAP

    NetWeaver AS ABAP

    (transactions SU01,

    PFCG)

    1. Create a customer.

    2. Create an SU01user.

    3. Create user references to the related customer

    (object type KNA1).

    -

    User Management

    Engine with SAP

    NetWeaver AS Java

    For more information, see User Management Engine:

    http://help.sap.com/saphelp_nw73/helpdata/

    Internet user is already created

    using the tools mentioned above.

    If the user storage system is set to

    5 User Administration and Authentication

    5.3 User Management

    2013-02-07 CUSTOMER 31/118

    http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htmhttp://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htmhttp://help.sap.com/wec
  • 7/22/2019 Web Channel Security 3.0

    32/118

    Tool Detailed Description Prerequisites

    en/5b/5d2706ebc04e4d98036f2e1dcfd47d/

    frameset.htm.

    UME Only, the Internet user must

    be created in the UME as well.

    The following table lists approaches for manually creating Internet users in the contact scenario.

    Tool: SAP CRM business partner maintenance in SAP GUI (transaction BP)
    Detailed Description: 1. Create business partner with business partner role Contact Person (BUP001). 2. Maintain the Internet user partner role. For more information, see Business Partners: http://help.sap.com/saphelp_crm700_ehp02/helpdata/en/52/cff837a9aae651e10000009b38f8cf/frameset.htm
    Prerequisites: Only available in SAP GUI

    Tool: WebClient UI business partner maintenance
    Detailed Description: -
    Prerequisites: Only available in WebClient UI

    NOTE
    The application does not support central user administration.

    Tool: SAP ERP customer and contact person maintenance (transactions VD0* and VAP*); SAP ERP user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG)
    Detailed Description: 1. Create a customer and a contact person. 2. Create an SU01 user. 3. Create user references to the related contact person (object type BUS1006001) and related customer (object type KNA1).
    Prerequisites: -

    Tool: User Management Engine with SAP NetWeaver AS Java
    Detailed Description: For more information, see User Management Engine: http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
    Prerequisites: Internet user is already created using the tools mentioned above. If the user storage system is set to UME Only, the Internet user must be created in the UME as well.

    Delegated user administrators can use the tools described above to create Internet users. For more information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User Management > Creation of and Search for Delegated User Administrators.

    Maintaining Web Shop Customers

    The table below shows the tools that can be used to maintain the user part of an Internet user.

    Tool: Administrator user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
    Detailed Description: For more information, see User and Role Administration of Application Server ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm. Select the user type Service.
    Prerequisites: You have created an Internet user.

    Tool: User Management Engine with SAP NetWeaver AS Java
    Detailed Description: For more information, see User Management Engine: http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
    Prerequisites: You have created an Internet user. UME user persistency equals back-end system, for example SAP CRM or SAP ERP.

    The table below shows the tools that can be used to maintain the business partner part of an Internet user.

    Tool: SAP CRM business partner maintenance in SAP GUI (transaction BP)
    Detailed Description: -
    Prerequisites: Only available in SAP GUI

    Tool: SAP CRM business partner maintenance in WebClient UI
    Detailed Description: -
    Prerequisites: Only available in WebClient UI

    NOTE
    The application does not support central user administration.

    Tool: SAP ERP customer maintenance (transactions VD0*)
    Detailed Description: -
    Prerequisites: -

    Web shop customers can maintain their own Internet user with Web Channel self-service. This allows them to change their password and address data.

    Depending on the settings made in Web Channel Builder, Web shop customers in the contact scenario can also be maintained by company superusers using delegated user administration.

    5.3.1.4 Administrators

    The table below shows the tools to use for the user management and user administration of administrators.

    Tool: User Management Engine with SAP NetWeaver AS Java
    Detailed Description: For more information, see User Management Engine: http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm
    Prerequisites: -


    The tables below show the users required for operating SAP Web Channel Experience Management.

    Delivered Users on SAP NetWeaver MDM Repository

    System: SAP NetWeaver MDM
    User: Admin
    Password: initial
    Role: Admin

    SAP Web Channel Experience Management Users (Consumer Scenario and Contact Scenario)

    System: Configured back-end system: SAP CRM or SAP ERP
    User: Technical user for anonymous functionality
    Type: Service user
    Description: User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java, if UME persistency equals ABAP back end. The user ID and password must be stored in the RFC destination for the connection.

    System: Configured back-end system: SAP CRM or SAP ERP (and UME if user persistency does not equal ABAP back-end system)
    User: Internet user
    Type: Dialog user
    Description: The user that logs on to Web Channel applications. The full-state connection is established with this user. Created using one of the user management tools mentioned above.

    System: Configured back-end system: SAP CRM or SAP ERP
    User: Reference user
    Type: Reference user
    Description: This user is needed if self-registration is configured for consumer scenario applications. The user is automatically assigned to Internet users for authorization purposes.

    System: SAP NetWeaver MDM
    User: Technical user
    Type: -
    Description: This user is needed for product catalog functionality. The user is used to establish connections to the SAP NetWeaver MDM server that provides the product catalogs. This user must have the role WEBCHANNEL_CATALOGDISPLAY_ROLE.

    Web Channel Builder Users

    System: Configured back-end system: SAP CRM or SAP ERP
    User: Technical user for anonymous functionality
    Type: Service user
    Description: User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction on SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java. The user ID and password must be stored in the RFC destination for the connection.

    System: Configured back-end system: SAP CRM or SAP ERP
    User: Web Channel Builder User
    Type: Dialog user
    Description: The user that logs on to Web Channel Builder applications. The full-state connection is established with this user. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java.

    SAP NetWeaver AS Java Users Required for Administration

    System: SAP NetWeaver AS Java
    User: Administrator
    Delivered: Yes (part of SAP NetWeaver AS Java installation)
    Type: User administered on SAP NetWeaver AS Java
    Default Password: As defined during the installation of SAP NetWeaver AS Java
    Description: We recommend that you create a new user with fewer rights for the administration of Web Channel applications on SAP NetWeaver AS Java instead of using the SAP NetWeaver AS Java Administrator.

    Users Required for the Web Channel Administration Area

    System: SAP NetWeaver AS Java
    User: Administrator
    Delivered: -
    Type: User administered on SAP NetWeaver AS Java
    Default Password: -
    Description: User who uses the Web Channel admin area. The user has role Web Channel admin. The role is mapped to the server role Administrators.

    5.4 User Data Synchronization

    Web Channel can use the SAP NetWeaver AS Java User Management Engine (UME) for authentication. The UME can use the following types of data sources:

    Database of SAP NetWeaver AS Java

    Directory service (LDAP)

    User Management of SAP NetWeaver AS ABAP

    Based on the configured UME data source, the Web Channel user storage configuration must be set up accordingly. For more information, see the section Installing SAP NetWeaver 730 SP02 AS Java in the SAP Web Channel Experience Management Installation Guide.

    The configured UME data source influences the Internet users of Web Channel applications.

    For Web Channel applications, users must be defined on the specific Web Channel ABAP back-end system (SAP CRM or SAP ERP). If the UME data source is different from the Web Channel ABAP back-end system, this means that two user entities with the same user ID are defined: one user in the UME and one user on the back-end system. The only exception is that the back-end system is used as UME user persistency.


    There is no automatic user data synchronization between the ABAP back-end system and the UME user persistency. However, the Web Channel user management enables user creation and maintenance on the UME and the back-end system if Web Channel user management functions, such as self-registration or the user administration, are used.

    NOTE
    If other applications are used to maintain users, for example the UME or the SU01 on the back-end system, data synchronization must be carried out manually.
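    The manual synchronization the note above requires can be checked with a small reconciliation step. The following Python example is added here and is not part of the SAP guide or product; the user ID lists and the UME role names are constructed sample data, and case-insensitive comparison of IDs is an assumption.

```python
# Added example (not from the SAP guide): reconcile Internet user IDs between
# the Web Channel ABAP back end (SU01 export) and the UME when the UME data
# source is not the ABAP back end, since no automatic synchronization exists.
from dataclasses import dataclass

# The three UME data source types named in the guide (labels constructed here).
UME_DATA_SOURCES = ("JAVA_DB", "LDAP", "ABAP")


@dataclass(frozen=True)
class SyncReport:
    missing_in_ume: frozenset        # back-end users with no UME counterpart
    missing_in_backend: frozenset    # UME users with no back-end counterpart
    ume_users_with_roles: frozenset  # UME counterparts that carry UME roles

    def is_consistent(self) -> bool:
        return not (self.missing_in_ume or self.missing_in_backend
                    or self.ume_users_with_roles)


def normalize(user_id: str) -> str:
    # Assumption: IDs are compared case-insensitively (ABAP stores them uppercase).
    return user_id.strip().upper()


def reconcile(ume_data_source: str, backend_user_ids, ume_users) -> SyncReport:
    """backend_user_ids: iterable of Internet user IDs exported from SU01.
    ume_users: mapping of UME logon ID -> set of UME roles assigned to it.

    With the ABAP back end as UME data source there is one user entity and
    nothing to reconcile. Otherwise every Internet user must exist on both
    sides, and the UME copy exists only for authentication, so it should
    carry no UME roles (the guide states this for Web Channel Builder users)."""
    if ume_data_source not in UME_DATA_SOURCES:
        raise ValueError(f"unknown UME data source: {ume_data_source}")
    empty = frozenset()
    if ume_data_source == "ABAP":
        return SyncReport(empty, empty, empty)
    backend = {normalize(u) for u in backend_user_ids}
    ume = {normalize(u): set(roles) for u, roles in ume_users.items()}
    ume_ids = set(ume)
    with_roles = {u for u in backend & ume_ids if ume[u]}
    return SyncReport(frozenset(backend - ume_ids),
                      frozenset(ume_ids - backend),
                      frozenset(with_roles))


# Constructed sample exports, not real data.
BACKEND_USERS = ["WEBCUST01", "WEBCUST02", "WEBCUST03"]
UME_USERS = {
    "webcust01": set(),
    "WEBCUST02": {"Administrators"},  # UME role on an authentication-only user
    "WEBCUST04": set(),
}

if __name__ == "__main__":
    report = reconcile("LDAP", BACKEND_USERS, UME_USERS)
    print("create in UME:", sorted(report.missing_in_ume))
    print("missing on back end:", sorted(report.missing_in_backend))
    print("UME role assignments to review:", sorted(report.ume_users_with_roles))
```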

    5.5 Integration into Single Sign-On (SSO) Environments

    Single sign-on (SSO) is a specialized form of software authentication that enables users to authenticate once to gain access to resources for multiple software systems. Web Channel makes use of various SSO options provided by SAP NetWeaver, such as client certificates, logon tickets, and SAML 2.0.

    For information about the different options and how to configure your SAP NetWeaver AS, see Single Sign-On for Web-Based Access: http://help.sap.com/saphelp_nw73/helpdata/en/4a/672251117a0c89e10000000a42189b/frameset.htm.

    When you configure a Web Channel application, you specify the type of SSO authentication to use by selecting the corresponding policy configuration. For more information, see UME Authentication in the User Authentication section of this guide.

    5.5.1 Secure Network Communications (SNC)

    SNC is available for user authentication and can be used in an SSO environment when using SAP GUI for Windows or remote function calls (RFC).

    SNC can be used for the connections from SAP NetWeaver AS Java to SAP CRM or SAP ERP. To use SNC, maintain the Web Channel RFC destinations to the SAP CRM or SAP ERP system accordingly. For more information about the required destinations for Web Channel applications, see the section Communication Destinations in this guide.

    For more information about SNC as part of network and transport layer security in SAP NetWeaver, see Secure Network Communications (SNC): http://help.sap.com/saphelp_nw73/helpdata/en/e6/56f466e99a11d1a5b00000e835363f/frameset.htm.

    NOTE
    The certificate used by SAP NetWeaver AS Java must be accepted by the back-end system.

    5.6 User Management Configuration

    In addition to settings specific to user management in UME and in the ABAP back-end systems, you make settings in the User module of Web Channel Builder to define authentication and user identification types. You can also specify early logon, user registration settings, e-mail templates, methods for handling forgotten passwords (for example, security questions), and enable the guest user scenario and delegated user administration.


    6 Authorization

    6.1 Authorization Concept

    Web Channel applications use the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations apply as described in the SAP NetWeaver Security Guide: http://help.sap.com/saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/frameset.htm.

    The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. When using ABAP technology, use the profile generator (transaction PFCG) for role maintenance. When using Java, use the UME user administration.

    NOTE
    Since most of the business functionality of Web Channel applications runs on the SAP CRM or SAP ERP system, the ABAP authorization concept is used more often. SAP NetWeaver AS Java user groups are used if Web Channel applications need to be secured by Web container security constraints.

    6.1.1 Roles and Profiles

    User roles are the container for authorization objects needed for specific tasks and functionality. The authorizations are provided by authorization profiles. User roles and profiles are assigned to service users and Internet users to enable the usage of Web Channel functionality.

    Several Web Channel user roles are predefined and included in the standard delivery. Some roles are delivered on SAP NetWeaver AS ABAP, and others are delivered on SAP NetWeaver AS Java.

    The following subsections provide overviews of available predefined roles for each platform. We recommend that you create your own copies of the roles, or run authorization traces to enable the creation of user roles that suit your Web Channel applications.

    6.1.1.1 Predefined User Roles on SAP NetWeaver AS ABAP

    This section explains the user roles for various Web Channel applications in each back-end system.

    NOTE
    Create your own user roles as described in Authorization Proposals in this chapter, and specify the authorization values according to your needs.


    User Roles for Web Channel Builder

    You use Web Channel Builder to configure Web Channel applications, send new or changed application configurations through an approval process, set the go-live date for an application configuration, and create product views. Web Channel Builder supports various user roles, and Web Channel Builder users must be assigned to one of these roles before they can launch the application. The back-end system (SAP CRM or SAP ERP) used for the Web Channel applications determines which roles must be assigned to the user.

    To create and assign Web Channel Builder users, you must first configure user management functionality in both the relevant back-end system (transaction SU01 in either SAP CRM or SAP ERP) and in SAP NetWeaver AS Java User Management Engine (UME). If the user persistence in UME differs from that used in the back-end system, you must create an additional UME user that has the same user ID as the Web Channel Builder user in the back-end system. This additional user is only required for authentication purposes, and should not be assigned any roles in UME.

    The following table lists the common user roles for SAP CRM and SAP ERP that are contained in the standard delivery of Web Channel Builder (WECB).

    User Roles on SAP CRM or SAP ERP

    Role (SAP CRM): SAP_CRM_WEC_WCB_ADMIN
    Role (SAP ERP): SAP_ERP_WEC_WCB_ADMIN
    User: WECB Administrator
    Description: Web Channel Builder administrator with full application configuration authorization

    Role (SAP CRM): SAP_CRM_WEC_WCB_USER
    Role (SAP ERP): SAP_ERP_WEC_WCB_USER
    User: WECB User
    Description: Web Channel Builder user with limited application configuration authorization. This is the main user for creating and editing Web Channel applications and configurations. This user can also submit configurations for approval.

    Role (SAP CRM): SAP_CRM_WEC_WCB_MANAGER
    Role (SAP ERP): SAP_ERP_WEC_WCB_MANAGER
    User: WECB Manager
    Description: Web Channel Builder manager with application configuration authorization on manager level. This user can view all applications and configurations and approve or reject configurations that have been submitted for approval.

    Role (SAP CRM): SAP_CRM_WEC_WCB_USER_DISPLAY
    Role (SAP ERP): SAP_ERP_WEC_WCB_USER_DISPLAY
    User: WECB User
    Description: Web Channel Builder user with display authorization

    Role (SAP CRM): SAP_CRM_WEC_WCB_TU
    Role (SAP ERP): SAP_ERP_WEC_WCB_TU
    User: WECB Service User
    Description: Web Channel Builder service user. This user is for technical users of WECB. The user is maintained in destinations used by WECB.

    Role (SAP CRM): SAP_CRM_WEC_WCB_PROD_VIEWS
    Role (SAP ERP): SAP_ERP_WEC_WCB_PROD_VIEWS
    User: WECB User for Product Views
    Description: Web Channel Builder user with authorization to create product views. This user can access and use all functionality on the Product Views tab page. If you would like certain users to be able to display product views without being able to modify them, you need to create a copy of this user and restrict its activity level.

    Role (SAP CRM): SAP_CRM_WEC_WCB_TU_PROD_VIEWS
    Role (SAP ERP): SAP_ERP_WEC_WCB_TU_PROD_VIEWS
    User: WECB Service User for Product Views
    Description: Web Channel Builder service user for product views. These roles are assigned to the technical users that are used for the destinations in Web Channel Builder.

    Additional Information Regarding User Roles for Product Views

    When you create a product view, you specify the back-end destination that it uses. This allows you to create product views for back ends other than the back-end system used by the Web Channel application. In mixed scenarios like this, you create the WECB Service User for Product Views on the back-end system that is used by the product view. If the product view is created for SAP CRM, you assign the role SAP_CRM_WEC_WCB_TU_PROD_VIEWS to the user, and if the product view is created for SAP ERP, you assign the role SAP_ERP_WEC_TU_PROD_VIEWS to the user. If the Web Channel application and the product view use the same back end, you can assign the service user roles for both the WECB Service User and the WECB Service User for Product Views to the same service user.

    Figure 13: Product Views

    For more information about product views, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose Configuration > Configuring Web Channel Applications (Web Channel Builder) > Product Views.

    Example User Roles for Web Channel Applications

    As of Web Channel 3.0, example user roles are available that are based on external services and their authorization proposals. There is one technical role and one Internet user role for each back-end system.


    Example Internet User Roles

    System Role

    SAP CRM SAP_CRM_WEC_WU_ALL

    SAP ERP SAP_ERP_WEC_WU_ALL

    Example Service User Roles

    System Role

    SAP CRM SAP_CRM_WEC_TU_ALL

    SAP ERP SAP_ERP_WEC_TU_ALL

    These user roles are examples that support Web Channel applications based on delivered templates. If you plan to create Web Channel applications without using templates, we recommend that you perform authorization traces and that you create and maintain your own user roles.

    The example user roles contain the WEC_MODULE or ERP_WEC_MODULE external services in their menus.

    You u