SAP ERP Central Component Security Guide
Release 686
HELP.SECGUIDE_ECC
July 2007
SAP ERP Central Component Security Guide 2
Copyright © 2007 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Icons in Body Text
The following icons are used in body text, each with the meaning given here:
● Caution
● Example
● Note
● Recommendation
● Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style / Description
Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.
SAP ERP Central Component Security Guide ........................................................................ 10
Introduction .......................................................................................................................... 10
Before You Start .................................................................................................................. 11
Technical System Landscape.............................................................................................. 12
User Management and Authentication ................................................................................ 13
User Management............................................................................................................ 13
User Data Synchronization............................................................................................... 15
Integration with Single Sign-On Environments................................................................. 15
Authorizations ...................................................................................................................... 16
Network and Communication Security................................................................................. 17
Communication Channel Security .................................................................................... 18
Network Security .............................................................................................................. 18
Communication Destinations............................................................................................ 19
Data Storage Security.......................................................................................................... 19
Security for Other Applications ............................................................................................ 19
Trace and Log Files ............................................................................................................. 20
Cross-Application Components ........................................................................................... 20
Cross-Application Time Sheet (CA-TS) ........................................................................... 20
Authorizations ............................................................................................................... 20
Communication Destinations........................................................................................ 21
Digital Signature ............................................................................................................... 22
Self-Services .................................................................................................................... 23
Before You Start ........................................................................................................... 23
User Management ........................................................................................................ 24
Authorizations ............................................................................................................... 25
Editing Roles and Authorizations for Web Dynpro Services..................................... 27
Authorizations for Controlling Services (MSS, BUA) ................................................ 28
Authorizations for BW iViews (MSS)......................................................................... 29
Communication Destinations........................................................................................ 29
Enterprise Services .......................................................................................................... 29
Before You Start ........................................................................................................... 29
Authorizations ............................................................................................................... 30
Network and Communication Security ......................................................................... 30
Accounting ........................................................................................................................... 30
Financial Accounting ........................................................................................................ 30
Authorizations in Financial Accounting......................................................................... 31
General Ledger Accounting (FI-GL) ............................................................................. 34
Accounts Payable Accounting (FI-AP) ......................................................................... 35
Accounts Receivable Accounting (FI-AR) .................................................................... 36
Bank Accounting (FI-BL)............................................................................................... 37
Asset Accounting (FI-AA) ............................................................................................. 38
Travel Management (FI-TV) ......................................................................................... 39
Authorizations in the Special Purpose Ledger (FI-SL) ................................................. 41
Treasury........................................................................................................................ 42
Authorizations ........................................................................................................... 42
Controlling ........................................................................................................................ 44
Authorizations in Controlling......................................................................................... 46
Authorizations in Profit Center Accounting ................................................................... 50
Network and Communication Security ......................................................................... 51
Communication Destinations .................................................................................... 52
Consolidation (EC-CS) ..................................................................................................... 52
Accounting Engine ........................................................................................................... 53
Introduction ................................................................................................................... 53
Before You Start ........................................................................................................... 54
Technical System Landscape....................................................................................... 55
User Administration and Authentication ....................................................................... 56
User Management..................................................................................................... 56
Integration into Single Sign-On Environments.......................................................... 56
Authorizations ............................................................................................................... 57
Network and Communication Security ......................................................................... 57
Communication Channel Security............................................................................. 58
Communication Destinations .................................................................................... 58
Data Storage Security................................................................................................... 58
Financial Supply Chain Management .............................................................................. 59
Management of Internal Controls: Security Guide ........................................................... 59
Technical System Landscape....................................................................................... 60
User Management and Authorizations ......................................................................... 60
User Management..................................................................................................... 61
Roles and Authorizations Concept............................................................................ 62
Standard Roles and Authorization Objects ........................................................... 63
Editing MIC-Specific Roles.................................................................................... 64
Tasks: Central Structure Setup.......................................................................... 65
Tasks: Structure Setup Specific to Organizational Units ................................... 67
Tasks: Control Assessments and Tests ............................................................ 71
Tasks: Management Control Assessment and Test.......................................... 74
Tasks: Reporting and Sign-Off .......................................................................... 76
Assigning Roles to Persons .................................................................................. 77
Integration with Single Sign-On Environments ......................................................... 78
Communication Channel Security ................................................................................ 79
Data Storage Security................................................................................................... 80
Master Data Framework................................................................................................... 80
Introduction ................................................................................................................... 80
Before You Start ........................................................................................................... 81
Technical System Landscape....................................................................................... 82
User Administration and Authentication ....................................................................... 83
User Management..................................................................................................... 83
Integration into Single Sign-On Environments.......................................................... 83
Authorizations ............................................................................................................... 84
Network and Communication Security ......................................................................... 85
Communication Channel Security............................................................................. 85
SAP Banking .................................................................................................................... 85
SAP Financial Customer Information Management (FS-BP) ....................................... 86
Authorizations ........................................................................................................... 86
Network and Communication Security...................................................................... 87
Communication Destinations................................................................................. 87
Data Storage Security ............................................................................................... 87
Bank Customer Accounts (BCA) .................................................................................. 87
Authorizations ........................................................................................................... 87
Network and Communication Security...................................................................... 88
Data Storage Security ............................................................................................... 88
Important SAP Notes ................................................................................................ 89
Loans Management (FS-CML) ..................................................................................... 89
Authorizations ........................................................................................................... 89
Network and Communication Security...................................................................... 92
Data Storage Security ............................................................................................... 92
Collateral Management (CM)........................................................................................ 92
Authorizations ........................................................................................................... 93
Network Communication and Security...................................................................... 94
Strategic Enterprise Management (SEM) for Banks .................................................... 96
Authorizations ........................................................................................................... 96
Network and Communication Security...................................................................... 97
Communication Destinations................................................................................. 97
Data Storage Security ............................................................................................... 98
Reserve for Bad Debt (FS-RBD) .................................................................................. 98
Authorizations ........................................................................................................... 98
Network and Communication Security.................................................................... 104
Communication Destinations............................................................................... 104
Trace and Log Files ................................................................................................ 104
Incentive and Commission Management (ICM) ............................................................. 104
Statutory Reporting for Insurance (FS-SR) .................................................................... 105
Authorizations ............................................................................................................. 105
Data Storage Security................................................................................................. 105
Real Estate Management............................................................................................... 105
Public Sector Management ............................................................................................ 106
Authorizations ............................................................................................................. 106
Network and Communication Security ....................................................................... 109
Data Storage Security................................................................................................. 110
More Security Information........................................................................................... 110
Logistics ............................................................................................................................. 111
Materials Management (MM) ......................................................................................... 111
Purchasing and Service Industries (MM-PUR, MM SRV) .......................................... 111
Authorizations ......................................................................................................... 111
Network and Communication Security.................................................................... 114
Data Storage Security ............................................................................................. 115
Inventory Management (MM-IM): Authorizations ....................................................... 115
Logistics Invoice Verification (MM-IV): Authorizations ............................................... 117
Product Lifecycle Management (PLM) ........................................................................... 118
Authorizations ............................................................................................................. 118
Communication Destinations...................................................................................... 128
Important SAP Notes .................................................................................................. 128
Manufacturing................................................................................................................. 129
Authorizations ............................................................................................................. 129
Communication Destinations...................................................................................... 133
Logistics Execution (LE)................................................................................................. 133
Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)..................................................................................................................... 133
Authorizations ......................................................................................................... 134
Network and Communication Security.................................................................... 137
Warehouse Management System (LE-WMS) ............................................................ 137
Authorizations ......................................................................................................... 137
Network and Communication Security.................................................................... 139
Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services.............................................. 139
Authorizations ......................................................................................................... 139
Network and Communication Security.................................................................... 140
Retail .............................................................................................................................. 141
Network and Communication Security ....................................................................... 141
Authorizations ............................................................................................................. 143
Global Trade................................................................................................................... 145
Network and Communication Security ....................................................................... 145
Sales and Distribution (SD) ............................................................................................ 147
Human Capital Management ............................................................................................. 148
Personnel Management (PA) ......................................................................................... 149
Before You Start ......................................................................................................... 149
User Management ...................................................................................................... 150
Authorizations ............................................................................................................. 152
Communication Channel Security .............................................................................. 154
Communication Destinations...................................................................................... 155
Data Storage Security................................................................................................. 157
Security for Additional Applications ............................................................................ 159
Other Security-Relevant Information .......................................................................... 159
Personnel Time Management (PT) ................................................................................ 160
User Management ...................................................................................................... 160
Authorizations ............................................................................................................. 160
Communication Destinations...................................................................................... 161
Payroll (PY) .................................................................................................................... 162
Before You Start ......................................................................................................... 162
User Management ...................................................................................................... 162
Authorizations ............................................................................................................. 163
Communication Channel Security .............................................................................. 165
Communication Destinations...................................................................................... 165
Data Storage Security................................................................................................. 166
Security for Additional Applications ............................................................................ 166
Other Security-Relevant Information .......................................................................... 166
SAP Learning Solution ................................................................................................... 167
Technical System Landscape..................................................................................... 167
Persistence ............................................................................................................. 168
Learning Portal (LSOFE)......................................................................................... 169
Content Player (LSOCP)......................................................................................... 171
Offline Player (LSOOP)........................................................................................... 171
Authoring Environment (LSOAE) ............................................................................ 172
Environment for the Training Administrator ............................................................ 174
User Management ...................................................................................................... 174
Authorizations ............................................................................................................. 178
Communication Channel Security .............................................................................. 179
Other Security-Relevant Information .......................................................................... 183
SAP E-Recruiting ........................................................................................................... 183
Before You Start ......................................................................................................... 183
Technical System Landscape..................................................................................... 184
User Management ...................................................................................................... 187
Authorizations ............................................................................................................. 189
Communication Channel Security .............................................................................. 194
Communication Destinations...................................................................................... 195
Data Storage Security................................................................................................. 197
Defense Forces & Public Security ..................................................................................... 197
Before You Start ............................................................................................................. 197
Technical System Landscape ........................................................................................ 198
User Administration and Authentication ......................................................................... 198
User Management ...................................................................................................... 198
Authorizations................................................................................................................. 199
Network and Communication Security ........................................................................... 201
Data Storage Security .................................................................................................... 201
Appendix ............................................................................................................................ 201
SAP ERP Central Component Security Guide
The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.
Introduction
This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.
Target Group
● Technology consultants
● System administrators
The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.
About this Document
The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.
As SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential that you consult the SAP NetWeaver security guide: see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → SAP NetWeaver → Security → SAP NetWeaver Security Guide.
To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.
Overview of the Main Sections
The security guide comprises the following main sections:
● Before You Start This section contains information about why security is necessary, how to use this document, and references to other security guides that are a basis for this security guide.
● Technical System Landscape This section is an overview of the technical components and communication paths used by SAP ERP Central Component.
● User Management and Authentication This section provides an overview of the following user management and authentication aspects:
○ Recommended tools for user management.
○ Required user types for SAP ERP Central Component
○ Standard users delivered with SAP ERP Central Component
○ Overview of the user synchronization strategy, if several components or products are integrated
○ Overview of integration options in single sign-on environments
● Authorizations This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.
● Network and Communication Security This section provides an overview of the communication paths used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.
● Security for Third-Party or Additional Applications This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.
● Trace and Log Files This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.
● Appendix This section provides references to secondary sources of information.
Before You Start
Fundamental Security Guides
SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Important SAP Notes
SAP Note 783758 provides any updates for this guide and adds important information.
SAP Note 853497 contains information about saving temporary files when using Adobe® Acrobat® Reader in SAP applications.
SAP Note 138498 contains information on single sign-on solutions.
SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.
For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.
Additional Information
For more information about specific topics, see the sources in the table below.
Additional Information
Contents                                        SAP Service Marketplace
Security                                        service.sap.com/security
Security Guides, SAP NetWeaver Security Guide   service.sap.com/securityguide
SAP NetWeaver documentation                     help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide                service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP notes                               service.sap.com/notes
Platforms permitted                             service.sap.com/platforms
Network security                                service.sap.com/network
Technical infrastructure                        service.sap.com/ti
SAP Solution Manager                            service.sap.com/solutionmanager
Technical System Landscape
For information about the technical system landscape, see the sources listed in the table below.
More Information About the Technical System Landscape
Subject: Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver
Guide/Tool: Master guide
SAP Service Marketplace: service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP

Subject: Technical configuration, high availability
Guide/Tool: Technical infrastructure guide
SAP Service Marketplace: service.sap.com/ti

Subject: Security
SAP Service Marketplace: service.sap.com/security
User Management and Authentication SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.
In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:
● User Management [page 13] This section details the user management tools, the required user types, and the standard users supplied by SAP.
● Synchronization of User Data [page 15] The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.
● Integration in Single Sign-On Environments [page 15] This section describes how SAP ERP Central Component supports single sign-on mechanisms.
User Management
Use
SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms apply for SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.
User Management Tools
The following table shows the user management tools for SAP ERP Central Component.
User Management Tools
Tool: User maintenance for ABAP-based systems (transaction SU01)
Description: For more information about the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Role maintenance with the profile generator for ABAP-based systems (transaction PFCG)
Description: For more information about the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Central User Administration (CUA) for the maintenance of multiple ABAP-based systems

Tool: User Management Engine (UME) administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal
Description: The UME also provides persistence options, such as ABAP Engine.
For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
User types required for SAP ERP Central Component include, for example,
● Individual users:
○ Dialog users Dialog users are used for SAP GUI for Windows.
○ Internet users for Web applications Same policies apply as for dialog users, but used for Internet connections.
● Technical users:
○ Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).
○ Communication users are used for dialog-free communication between systems.
○ Background users can be used for processing in the background.
For additional information on user types, see User Types in the SAP NetWeaver security guide.
Standard Users
The following table shows the standard users that are required to operate SAP ERP Central Component.
Standard Users
System: SAP Web AS
User ID: <sapsid>adm
Type: SAP system administrator
Password: Mandatory
Description: SAP NetWeaver installation guide

System: SAP Web AS
User ID: SAPService<sapsid>
Type: SAP system service administrator
Password: Mandatory
Description: SAP NetWeaver installation guide

System: SAP Web AS
User ID: SAP standard ABAP users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users

System: SAP Web AS
User ID: SAP standard SAP Web AS Java users
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for Java Technology → Users and User Management → Standard Users and Groups. These users are used in applications that use Web Dynpro.

System: SAP ECC
User ID: SAP users
Type: Dialog users
Password: Mandatory
Description: The number of users depends on the area of operation and the business data to be processed.
For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release xx/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.
For information on user types, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management and the section headed User Types.
The users specified are delivered with SAP ERP Central Component.
User Data Synchronization
Use
By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.
You can use user data distributed across systems by replicating the data in a central directory, for example.
Integration with Single Sign-On Environments
Use
SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP Technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.
The supported mechanisms are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when using SAP GUI for Windows or Remote Function Calls.
For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On → Secure Network Communications (SNC).
SAP Logon Tickets
SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP NetWeaver Application Server security guide.
Client Certificates
As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer protocol (SSL protocol). User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information see Client Certificates in the SAP NetWeaver Application Server security guide.
Authorizations
Use
SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of User Management Engine (UME). You can define user-specific menus using roles.
Standard Roles and Standard Authorization Objects
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.
For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.
For information on roles and authorizations in Travel Management (FI-TV) see the section Accounting under Financial Accounting.
Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements. For more information about the authorization concept at SAP, see:
■ SAP Service Marketplace at service.sap.com/securityguide in SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → SAP Authorization Concept
■ SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance
Authorizations for Customizing Settings
You can use customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information on creating roles, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator or Organization without the Profile Generator.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:
● Communication Channel Security [page 18] This section contains a description of the communication paths and protocols that are used by subcomponents of SAP ERP Central Component.
● Network Security [page 18] This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.
● Communication Destinations [page 19] This section describes the data needed for the various communication paths, for example, which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver security guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
Communication Channel Security
Use
Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.
The table below shows the communication paths used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path: Application server to application server
Protocol Used: RFC, HTTP(S)
Type of Data Transferred: Integration data
Data Requiring Special Protection: Business data

Communication Path: Application server to third-party application
Protocol Used: HTTP(S)
Type of Data Transferred: Application data
Data Requiring Special Protection: Passwords, business data, for example
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see the SAP NetWeaver security guide: SAP Service Marketplace at service.sap.com/securityguide in the section Transport Layer Security.
For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:
● SAP Supply Chain Management → Authorizations/Communication Channel Security/Communication Destinations
● SAP Business Information Warehouse Security Guides → Communication Security → Communication Destinations
Network Security
Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Network and Communication Security:
● Network Services This section contains information about the services and ports used by SAP NetWeaver.
● Using Firewall Systems for Access Control Here you can see information about firewall settings.
● Using Multiple Network Zones Here you can get information about which parts of your application should be set up in which network segments.
If you provide services in the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.
Communication Destinations
Use
The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore follow the security rules below when communicating between ERP systems:
● Employ the user types system and communication.
● Grant a user only the minimum authorizations.
● Choose a secure password and do not divulge it to anyone else.
● Only store user-specific logon data for users of type system and communication.
● Wherever possible, use trusted system functions instead of user-specific logon data.
For more information, see the application-specific part of this guide.
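The rules above can be checked mechanically against an export of the system's RFC destinations. The following script is an added example, not SAP code: it reads a constructed, simplified list of destination records (the attributes an administrator would read off each entry in transaction SM59) together with a constructed user directory keyed by user ID and carrying the USR02-USTYP user type code (A = dialog, B = system, C = communication, L = reference, S = service) and the assigned profiles, and reports every destination that stores logon data for a user whose type is not system or communication, every stored user that holds a broad profile such as SAP_ALL, and every destination that could use a trusted-system relationship instead. The record field names (user, password_stored, trusted) are this example's own.

```python
"""Audit of RFC destination records against the communication-destination rules.

Added example, not SAP code. SAMPLE_USERS and SAMPLE_DESTINATIONS are constructed
data; the record field names are this example's own, not SM59 or RFCDES fields.
"""

# USR02-USTYP user type codes
USER_TYPE_NAMES = {"A": "dialog", "B": "system", "C": "communication",
                   "L": "reference", "S": "service"}
# Only these user types may have logon data stored in a destination (rules 1 and 4).
LOGON_DATA_TYPES = {"B", "C"}
# Profiles that contradict the "minimum authorizations" rule for a technical user.
BROAD_PROFILES = frozenset({"SAP_ALL", "SAP_NEW"})

# Constructed sample user directory: user ID -> (USTYP, set of assigned profiles)
SAMPLE_USERS = {
    "RFC_FI_POST": ("B", {"Z_RFC_FI_POST"}),
    "JSMITH": ("A", {"SAP_ALL"}),
    "ALE_HR": ("C", {"Z_ALE_HR_IDOC"}),
}

# Constructed sample destinations, one dict per SM59 entry
SAMPLE_DESTINATIONS = [
    {"name": "FI_PROD_RFC", "user": "RFC_FI_POST", "password_stored": True, "trusted": False},
    {"name": "HR_DEV_RFC", "user": "JSMITH", "password_stored": True, "trusted": False},
    {"name": "ERP_TRUSTED", "user": None, "password_stored": False, "trusted": True},
    {"name": "LEGACY_ALE", "user": "ALE_HR", "password_stored": True, "trusted": False},
]


def audit_destination(dest, users):
    """Return a list of (severity, message) findings for one destination record."""
    findings = []
    name = dest["name"]
    if dest["trusted"]:
        # Trusted-system relationship: no logon data is stored, so rules 1 and 4 hold.
        return findings
    user = dest["user"]
    if user is None:
        # Nothing stored; the caller is prompted for logon data at runtime.
        return findings
    if user not in users:
        findings.append(("error", f"{name}: stored user {user} does not exist in the user directory"))
        return findings
    utype, profiles = users[user]
    if dest["password_stored"] and utype not in LOGON_DATA_TYPES:
        findings.append(("error",
                         f"{name}: logon data stored for {USER_TYPE_NAMES[utype]} user {user}; "
                         f"only system or communication users may be stored"))
    broad = sorted(profiles & BROAD_PROFILES)
    if broad:
        findings.append(("error",
                         f"{name}: user {user} holds broad profile(s) {broad}; "
                         f"grant the minimum authorizations instead"))
    if dest["password_stored"]:
        findings.append(("info",
                         f"{name}: uses stored logon data; prefer a trusted-system "
                         f"relationship where possible"))
    return findings


def audit_all(destinations, users):
    """Map each destination name to its list of findings."""
    return {d["name"]: audit_destination(d, users) for d in destinations}


if __name__ == "__main__":
    for dest_name, findings in audit_all(SAMPLE_DESTINATIONS, SAMPLE_USERS).items():
        for severity, message in findings or [("ok", f"{dest_name}: no findings")]:
            print(f"[{severity}] {message}")
```

In the sample data only HR_DEV_RFC produces errors: it stores logon data for a dialog user who also holds SAP_ALL. The "secure password" rule cannot be judged from a destination record and is therefore not modelled here.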
Data Storage Security
Use
For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.
Security for Other Applications
See the corresponding sections in the application-specific part of this guide.
Trace and Log Files
Use
The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide.
If there is no information about trace and log files in the sections for the individual components of SAP ERP Central Component, you can assume that no sensitive data is updated in these files.
Cross-Application Components
Cross-Application Time Sheet (CA-TS)
Authorizations
The Cross-Application Time Sheet uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles
The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.
Standard Roles
Role                               Description
SAP_EMPLOYEE                       Employee Self-Service [External]
SAP_HR_PT_TIME-ADMINISTRATOR       Time Administrator [External]
SAP_ISR_RETAIL_STORE               SAP Retail Store User
SAP_PS_CONFIRM                     Confirmations
SAP_HR_PT_TIME-SUPERVISOR          Time Supervisor [External]
SAP_ISR_STORE_PERSONNEL            Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST     Time Management Specialist [External]
Standard Authorization Objects
In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.
See also:
Note the special points listed in the following section of the SAP Library: Cross-Application Components → Cross-Application Time Sheet → Assigning Authorizations [External].
Communication Destinations
Use
Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.
Communication with Personnel Time Management
To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:
● If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.
● If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.
The BAPIs enable you to create, change, or delete Personnel Time Management data.
These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.
Technical Users
You require the following technical users for the communication:
● To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.
These technical users do not require authorizations specific to the SAP HR solution.
● For the subsequent background processing job to transfer data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).
To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees’ authorizations on the authorizations for the CAT2 transaction.
Posting Data to Other Target Applications
There are no special communication destinations for posting data to the other target applications.
See also:
For more information, see the SAP Library:
● For information about transferring time sheet data to the target applications, see: Cross-Application Components → Cross-Application Time Sheet → Transfer of Time Sheet Data to the Target Components [External].
● For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications → ALE / EDI Business Processes [External].
Digital Signature
Before You Start
With the digital signature, SAP provides you with a tool for digital signatures in ABAP-based applications. If you integrate the digital signature, you can sign and approve digital data. The Implementation Guide for the digital signature (see the attachment to SAP Note 700495, "Implementation of Digital Signature using the Signature Tool") contains detailed information about implementing the digital signature.
The digital signature is based on the functions of the component Secure Store and Forward (BC-SEC-SSF) from SAP NetWeaver. In the SAP system, the digital signature is realized with the Basis component Secure Store and Forward (SSF). If you use the user signature as signature method, you also need an external security product that you have to connect to your SAP system using SSF.
You should not store the personal security environment (PSE) of the user in the file system. You can use a Smart Card instead, for example. The software PSE does not fulfill the legal requirements of a digital signature.
For more information, see Approval with Digital Signatures [External] in the documentation for SAP ERP Central Component under Cross-Application Components → Document Management → Document Information Record.
If there is no further information on specific security aspects in this section, the settings mentioned in the security guide for SAP ERP Central Component and the details in the SAP NetWeaver Application Server ABAP Security Guide [External] in the section Secure Store & Forward Mechanisms (SSF) and Digital Signatures always apply to the digital signature.
Additional Information
Contents                                        SAP Service Marketplace
Security                                        service.sap.com/security
Security Guides, SAP NetWeaver Security Guide   service.sap.com/securityguide
SAP NetWeaver documentation                     help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide                service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP notes                               service.sap.com/notes
Platforms permitted                             service.sap.com/platforms
Network security                                service.sap.com/network
Technical infrastructure                        service.sap.com/ti
SAP Solution Manager                            service.sap.com/solutionmanager
For information about the system landscape and secure operation of SAP ERP Central Component, see mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.
Authorizations
The digital signature uses the authorization concept provided by SAP NetWeaver Application Server. Therefore the security recommendations and guidelines for authorizations as they are described in the security guides for SAP NetWeaver Application Server ABAP and SAP NetWeaver Application Server Java also apply for the digital signature.
In applications that have implemented the digital signature, in order to actually make digital signatures, users require the corresponding authorizations from the Customizing of the respective signature object. These cover:
● The relevant authorization for the object to be signed
● If you work with signature strategies, you also need the authorization for the corresponding individual signature or authorization group (authorization object C_SIGN_BGR Authorization Group for Digital Signature). At least the authorization object C_SIGN must be assigned to the user profile.
For information about the system infrastructure, see the section Digital Signatures and Encryption in the documentation for SAP NetWeaver under SAP NetWeaver by Key Capability → Security.
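The role-based authorization concept described in the Authorizations section, and the digital signature's requirement for C_SIGN plus, under a signature strategy, C_SIGN_BGR for the signature's authorization group, can both be shown with one small model. The following script is an added example, not SAP code: users hold roles, each role's generated profile carries authorizations, each authorization is an instance of an authorization object with values for every field of that object, and a check succeeds only when one single authorization covers all requested fields, as ABAP AUTHORITY-CHECK does. S_TCODE with field TCD is the real object that guards transaction starts; the field names used here for C_SIGN ("ACTVT") and C_SIGN_BGR ("SIGN_GROUP") are placeholders, not the objects' actual field definitions, and the roles, users and transaction codes are constructed.

```python
"""Model of the SAP role-based authorization check.

Added example, not SAP code. S_TCODE/TCD is the real object and field; the
field names for C_SIGN and C_SIGN_BGR are placeholders (assumption). Roles,
users and their assignments are constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed roles: role name -> list of (authorization object, {field: allowed values}).
# "*" is the wildcard value SAP allows in an authorization field.
SAMPLE_ROLES = {
    "Z_DMS_VIEWER": [
        ("S_TCODE", {"TCD": ["CV03N"]}),
    ],
    "Z_DMS_SIGNER": [
        ("S_TCODE", {"TCD": ["CV02N", "CV03N"]}),
        ("C_SIGN", {"ACTVT": ["*"]}),                  # placeholder field name
        ("C_SIGN_BGR", {"SIGN_GROUP": ["APPROVER"]}),  # placeholder field name
    ],
}

# Constructed user-to-role assignment.
SAMPLE_USERS = {
    "JDOE": ["Z_DMS_VIEWER"],
    "MMUSTER": ["Z_DMS_VIEWER", "Z_DMS_SIGNER"],
}


def value_allowed(allowed_values, requested):
    """A requested value passes if any allowed value matches it ("*" is a wildcard)."""
    return any(fnmatchcase(requested, pattern) for pattern in allowed_values)


def authority_check(user, auth_object, requested, roles=SAMPLE_ROLES, users=SAMPLE_USERS):
    """True if a single authorization for auth_object in one of the user's roles
    covers every requested field; fields spread over two authorizations do not count."""
    for role in users.get(user, []):
        for obj, fields in roles.get(role, []):
            if obj != auth_object:
                continue
            if all(field in fields and value_allowed(fields[field], value)
                   for field, value in requested.items()):
                return True
    return False


def may_start_transaction(user, tcode):
    """Transaction start: S_TCODE must allow the transaction code."""
    return authority_check(user, "S_TCODE", {"TCD": tcode})


def may_sign(user, signature_group=None):
    """Digital signature: C_SIGN must be assigned at all; with a signature strategy
    the user additionally needs C_SIGN_BGR for the signature's authorization group."""
    if not authority_check(user, "C_SIGN", {}):
        return False
    if signature_group is None:
        return True
    return authority_check(user, "C_SIGN_BGR", {"SIGN_GROUP": signature_group})


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u, "CV02N:", may_start_transaction(u, "CV02N"),
              "sign as APPROVER:", may_sign(u, "APPROVER"))
```

JDOE can display documents but neither change nor sign them; MMUSTER can sign in the APPROVER group but is refused for any other group because C_SIGN_BGR is granted per group.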
Self-Services
Before You Start
This section of the Security Guide provides you with information about the following self-service components:
● Employee Self-Service (ESS)
● Manager Self-Service (MSS)
● Business Unit Analyst (BUA)
● Project Self-Services (PSS)
● E-Recruiting (ECR)
● HR Administrative Services (ASR)
● Higher Education and Research (IS-HER-CSS)
● General Parts (PCUI_GP)
If not stated otherwise, the security settings for user management and authorizations apply to all components.
If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [page 1] also apply to the self-service components.
For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.
Fundamental Security Guides
Scenario, Application or Component: SAP NetWeaver Application Server ABAP
Security Guide, Important Sections: SAP Authorization Concept [External]

Scenario, Application or Component: SAP NetWeaver Application Server Java
Security Guide, Important Sections: User Administration and Authentication [External]; Authorizations [External]

Scenario, Application or Component: SAP ECC Industry Extension HE&R
Security Guide, Important Sections: SAP ECC Industry Extension HE&R: Security Guide [External]

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Important SAP Notes
The following table presents the most important SAP Notes regarding security for the Self-Service applications:
Important SAP Notes
SAP Note Number: 857431
Title: ESS: Authorizations and Roles for WD Services in ERP 2005
Comment: This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).

SAP Note Number: 844639
Title: MSS: Authorizations and Roles for ERP 2005
Comment: This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).

SAP Note Number: 846439
Title: PSS: Authorizations and Roles for Web Dynpro
Comment: This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).
User Management
Use
User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply for Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.
User Management Tools The following table presents the tools used for managing users in Self-Service applications:
User Management Tools
Tool Detailed Description Prerequisites
User and Role Maintenance (transaction PFCG)
You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users.
For more information, see the Users and Roles [Extern] section in SAP Library for SAP NetWeaver (see also help.sap.com → Documentation → SAP NetWeaver).
User Types For more information about user types [Extern] , see the SAP NetWeaver Application Server Security Guide ABAP.
SAP recommends that you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user accesses the backend with his or her own user, rather than through a shared technical user.
Standard Users Different standard users exist for the individual Self-Service components.
Components Standard Users
● Employee Self-Service
● Manager Self-Service
● Project Self-Service
● Business Unit Analyst
No standard users exist in the standard SAP system for these components.
● E-Recruiting
● HR Administrative Services
For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.
● Higher Education and Research For information about the standard users for this component, see the security guide for this component.
Authorizations Use The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [Seite 27].
The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.
Standard Roles Employee Self-Service The following table presents the standard roles used in Employee Self-Service applications:
Standard Roles for Employee Self-Service (ESS):
Role Description
SAP_ESSUSER_ERP05 Single role that comprises all non country-specific functions.
SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.
In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.
The composite role is assigned to the individual employee.
Manager Self-Service, Business Unit Analyst, and Project Self-Services There are no standard roles for these components.
E-Recruiting and HR Administrative Services For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research For information about the standard roles for this component, see the Security Guide for this component.
Standard Authorization Objects The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.
Standard Authorization Objects for Self-Service Applications:
Authorization Object Field Value Description
S_RFC RFC_NAME Depends on service Controls the RFC calls made from the Web Dynpro front end to the backend system; the function groups to allow depend on the service.
S_SERVICE SRV_NAME * Additional object for Web Dynpro applications. Check that is run when external services are started.
This authorization object is needed when an employee, project lead or manager wants to start self-service applications.
When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications, not only the self-service ones. To restrict the authorization to individual applications, use the syntax S_SERVICE-SRV_NAME = <vendor>/<dc>/<Application>, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
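Because * in S_SERVICE-SRV_NAME (and likewise in S_RFC-RFC_NAME) grants every service or function module, a role review should flag such values. The following Python script is an added example and not part of this guide or of SAP's tooling: it reads rows in the shape of an export of table AGR_1251 (columns AGR_NAME, OBJECT, FIELD, LOW, HIGH), reports full wildcards, trailing-* patterns and LOW..HIGH ranges in the two name fields, lists the Web Dynpro services a role grants, and checks whether a given <vendor>/<dc>/<Application> name is covered by a role. The role names and rows are constructed, and the value-matching rules are a simplification of the authorization check rather than SAP's own implementation.

```python
"""Audit S_SERVICE / S_RFC name grants in an exported role authorization table.

Added example, not part of the SAP guide. Rows mimic the columns
AGR_NAME, OBJECT, FIELD, LOW, HIGH of table AGR_1251 as exported with SE16.
"""
from dataclasses import dataclass

# Constructed sample export: (role, object, field, low, high).
SAMPLE_AGR_1251 = [
    ("Z_ESS_USER", "S_SERVICE", "SRV_TYPE", "WD", ""),
    ("Z_ESS_USER", "S_SERVICE", "SRV_NAME",
     "sap.com/pcui_gp~xssexamples/AttendanceExample", ""),
    ("Z_ESS_USER", "S_RFC", "RFC_TYPE", "FUGR", ""),
    ("Z_ESS_USER", "S_RFC", "RFC_NAME", "HRXSS_*", ""),   # prefix pattern
    ("Z_ESS_USER", "S_RFC", "ACTVT", "16", ""),
    ("Z_ESS_ALL", "S_SERVICE", "SRV_TYPE", "*", ""),
    ("Z_ESS_ALL", "S_SERVICE", "SRV_NAME", "*", ""),      # every service
    ("Z_ESS_ALL", "S_RFC", "RFC_NAME", "*", ""),          # every RFC module
]

# Name fields whose wildcarding opens every service or function module.
NAME_FIELDS = {("S_SERVICE", "SRV_NAME"), ("S_RFC", "RFC_NAME")}


@dataclass(frozen=True)
class Finding:
    role: str
    obj: str
    field: str
    value: str
    severity: str  # "full" (= *), "pattern" (trailing *), "range" (LOW..HIGH)


def value_matches(low, high, candidate):
    """Simplified authorization value semantics (assumption, not SAP code):
    '*' alone matches everything, a non-empty HIGH makes LOW..HIGH an
    inclusive range, a trailing '*' is a prefix pattern, else exact match."""
    if low == "*":
        return True
    if high:
        return low <= candidate <= high
    if low.endswith("*"):
        return candidate.startswith(low[:-1])
    return candidate == low


def parse_service_name(srv_name):
    """Split a <vendor>/<dc>/<Application> service name into its parts."""
    parts = srv_name.split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a <vendor>/<dc>/<Application> name: {srv_name!r}")
    return tuple(parts)


def granted_services(rows, role):
    """All S_SERVICE-SRV_NAME values a role carries (wildcards included)."""
    return [low for (r, obj, field, low, high) in rows
            if r == role and (obj, field) == ("S_SERVICE", "SRV_NAME")]


def role_allows_service(rows, role, srv_name):
    """True if any S_SERVICE-SRV_NAME value of the role covers srv_name."""
    return any(value_matches(low, high, srv_name)
               for (r, obj, field, low, high) in rows
               if r == role and (obj, field) == ("S_SERVICE", "SRV_NAME"))


def wildcard_findings(rows):
    """Flag every name-field value that is broader than one exact name."""
    findings = []
    for (role, obj, field, low, high) in rows:
        if (obj, field) not in NAME_FIELDS:
            continue
        if low == "*":
            findings.append(Finding(role, obj, field, low, "full"))
        elif high:
            findings.append(Finding(role, obj, field, f"{low}..{high}", "range"))
        elif low.endswith("*"):
            findings.append(Finding(role, obj, field, low, "pattern"))
    return findings


if __name__ == "__main__":
    for f in wildcard_findings(SAMPLE_AGR_1251):
        print(f"{f.severity:8} {f.role:12} {f.obj}-{f.field} = {f.value}")
    print(parse_service_name(granted_services(SAMPLE_AGR_1251, "Z_ESS_USER")[0]))
```

Run against a real export, the "full" findings are the roles to fix first; "pattern" and "range" findings need a look at which services or function groups the prefix or range actually covers.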
E-Recruiting and HR Administrative Services For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research For information about the standard authorization objects for this component, see the Security Guide for this component.
Internal Service Request and Personnel Change Requests For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.
Editing Roles and Authorizations for Web Dynpro Services Use Use this procedure to edit roles and the related Web Dynpro services and authorizations.
Procedure ...
1. In transaction PFCG, either create a new role (Choose Create Role) or copy the standard role that exists for the component.
2. Assign the required services to the role.
a. Choose the Menu tab page and then Default Authorization.
The Service dialog box appears.
b. Set the External Service indicator.
c. Select WEBDYNPRO as the type of external service.
d. In the Service field, select the Web Dynpro service you require.
e. Choose Save.
The authorization objects and default values maintained for the service are displayed in the menu tree.
In the same way, select all Web Dynpro services you want to use.
3. Assign the required authorizations.
Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.
For more information about how to maintain roles, see Role Maintenance [Extern] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).
Authorizations for Controlling Services (MSS, BUA) The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).
Standard Authorization Objects for Controlling Services:
Authorization Object Description
K_CCA General authorization object for Cost Center Accounting.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_ORDER General authorization object for internal orders.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_PCA Area responsible, Profit Center.
Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_CSKS_PLA Cost element planning.
Is checked in the relevant Express Planning services.
K_FPB_EXP Authorization object for Express Planning.
This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.
Authorizations for BW iViews (MSS) In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [Extern] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).
In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [Extern] (0PA_DS02) and Structural Authorizations - Hierarchy [Extern] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management → ODS Objects.
You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).
Communication Destinations To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [Extern]
Enterprise Services
Before You Start Underlying Security Guides As SAP ERP ES is provided as an add-on to SAP ERP, the security guidelines applicable to SAP ERP also apply to SAP ERP ES.
For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security. For more information about Enterprise Services and security, see the mySAP Business Suite: Service Provisioning documentation at service.sap.com/swdc → Download → Installations and Upgrades → Entry by Application Group → SAP Application Components → SAP ERP ES → SAP ERP ES <nn> → Installation → ESA ECC-SE <nn> Add-on Documentation → 00_mySAPServiceProvisioning.pdf → 2.6 Security. For more information about the security of the exchange infrastructure, see the SAP NetWeaver security guide at service.sap.com/securityguide → SAP Process Integration Security Guides → SAP NetWeaver Process Integration Security Guide.
Important SAP Notes For more information about security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.
Authorizations Use Accessing SAP functions via Web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a Web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.
SAP ERP ES uses the standard authorization objects that are available for mySAP ERP, including authorization default values for Web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume Web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).
For more information about authorizations for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security → Authorization.
Network and Communication Security For more information about network security for Web services, see the SAP NetWeaver documentation at help.sap.com → SAP NetWeaver → SAP NetWeaver 2004s → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.
Accounting
Financial Accounting Network and Communication Security
Communication with external systems takes place using the standard channels provided by SAP basis technology:
● Application Link Enabling (ALE)
● Standard interfaces to BW, CRM, and SRM systems
● Batch Input [Extern]
● Remote Function Call [Extern] (RFC)
● Business Application Programming Interface (BAPI)
● IDOC [Extern]
● SAP Exchange Infrastructure (XI)
● E-mail, fax
Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations. In addition, there is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.
Payments and payment advice notes are dispatched per IDoc, and dunning notices sent by e-mail or fax.
Communication Destinations
All the technical users generally available can be used.
For payment requests from other components, see SAP Note 303205.
Data Storage Security
Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.
Important SAP Notes
See SAP Notes 303205 and 497712.
Authorizations in Financial Accounting Authorization Objects in Financial Accounting
Object Name
FAGL_INST Customer Enhancements for General Ledger
F_ACE_DST Accrual Engine: Accrual Objects
F_ACE_PST Accrual Engine: Accrual/Deferral Postings
F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA Accounting Document: Authorization for Document Types
F_BKPF_BUK Accounting Document: Authorization for Company Codes
F_BKPF_BUP Accounting Document: Authorization for Posting Periods
F_BKPF_GSB Accounting Document: Authorization for Business Areas
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_BKPF_VW Accounting Document: Display/Change Default Values Document Type/Posting Key
F_FAGL_LDR General Ledger: Authorization for Ledger
F_FAGL_SEG General Ledger: Authorization for Segment
K_TP_VALU General Ledger: Authorization for Transfer Price Valuation
F_FAGL_SKF General Ledger: Authorization for Transaction with Statistical Key Figures
F_IT_ALV Line Item Display: Change and Save Layouts
F_KMT_MGMT Account Assignment Model: Authorization for Maintenance and Use
F_SKA1_AEN G/L Account: Change Authorization for Certain Fields
F_SKA1_BES G/L Account: Account Authorization
F_SKA1_BUK G/L Account: Authorization for Company Codes
F_SKA1_KTP G/L Account: Authorization for Charts of Accounts
F_T011 Balance Sheet: General Maintenance Authorization
F_T011E Authorization for Financial Calendar
F_T011_BUK Planning: Authorization for Company Codes
F_T060_ACT Information System: Account Type/Activity for Evaluation View
F_AVIK_AVA Payment Advice Note: Authorization for Payment Advice Note Types
F_AVIK_BUK Payment Advice Note: Authorization for Company Codes
F_BKPF_BED Accounting Document: Account Authorization for Customers
F_BKPF_BEK Accounting Document: Account Authorization for Vendors
F_BL_BANK Authorization for House Banks and Payment Methods
F_BNKA_BUK Banks: Authorization for Company Codes
F_FBCJ Cash Journal: General Authorization
F_FEBB_BUK Bank Account Statement Company Code
F_FEBC_BUK Check Deposit/Lockbox Company Code
F_KNA1_AEN Customer: Change Authorization for Certain Fields
F_KNA1_APP Customer: Application Authorization
F_KNA1_BED Customer: Accounts Authorization
F_KNA1_BUK Customer: Authorization for Company Codes
F_KNA1_GEN Customer: Central Data
F_KNA1_GRP Customer: Accounts Group Authorization
F_KNA1_KGD Customer: Change Authorization for Accounts Groups
F_KNB1_ANA Customer: Authorization for Account Analysis
F_KNKA_AEN Credit Management: Change Authorization for Certain Fields
F_KNKA_KKB Credit Management: Authorization for Credit Control Area
F_BNKA_MAN Banks: General Maintenance Authorization
F_KNKK_BED Credit Management: Accounts Authorization
F_LFA1_AEN Vendor: Change Authorization for Certain Fields
F_LFA1_APP Vendor: Application Authorization
F_LFA1_BEK Vendor: Accounts Authorization
F_LFA1_BUK Vendor: Authorization for Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Accounts Group Authorization
F_MAHN_BUK Automatic Dunning: Authorization for Company Codes The documentation for this refers to transaction F150.
F_MAHN_KOA Automatic Dunning: Authorization for Account Types
F_PAYRQ Authorization Object for Payment Requests
F_PAYR_BUK Check Management: Action Authorization for Company Codes
F_REGU_BUK Automatic Payment: Action Authorization for Company Codes Refers to transaction F110.
F_REGU_KOA Automatic Payment: Action Authorization for Account Types
F_RPCODE Repetitive Code
F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages
F_T042_BUK Customizing Payment Program: Authorization for Company Codes
S_BTCH_JOB Background Processing: Operations on Background Jobs Users you would like to authorize to start background processing must have authorization for activity RELE.
P_ABAP HR Reporting Protects payments from the payroll. See also SAP Note 303205 that describes an enhancement of the checks made using a function module.
F_WEB_EBPP Participation in EBPP Process via a Web Interface
General Ledger Accounting (FI-GL) Standard Roles in General Ledger Accounting
Role Name
SAP_AUDITOR_BA_FI_GL AIS - General Ledger (GLT0)
SAP_FI_GL_ACCOUNT_CHANGE_REQUE General Ledger Account/Change Request
SAP_FI_GL_ACCT_MASTER_DATA General Ledger Master Data Maintenance
SAP_FI_GL_BALANCE_CARRYFORWARD Balance Carryforward
SAP_FI_GL_CHANGE_PARKED_DOCUM Change Parked General Ledger Documents
SAP_FI_GL_CLEAR_OPEN_ITEMS Clear Open General Ledger Items
SAP_FI_GL_CONS_PREPARATIONS Preparation for Consolidation
SAP_FI_GL_CURRENCY_VALUATION General Ledger Account Foreign Currency Valuation
SAP_FI_GL_DISPLAY_ACCT_BALANCE Display General Ledger Account Balances and Items
SAP_FI_GL_DISPLAY_DOCUMENTS Display General Ledger Documents
SAP_FI_GL_DISPLAY_MASTER_DATA Display General Ledger Master Data
SAP_FI_GL_DISPLAY_PARKED_DOCUM Display Parked Documents
SAP_FI_GL_EXCHANGE_RATE_TABLE Maintain Currency Exchange Rates
SAP_FI_GL_FIN_STATEMENT_REPORT Financial Statement Reports
SAP_FI_GL_INTEREST_CALCULATION Interest Calculation for G/L Accounts
SAP_FI_GL_INTEREST_RATE_TABLES Maintain Interest Rates
SAP_FI_GL_KEY_REPORTS Key Reports: General Ledger Accounting
SAP_FI_GL_PARK_DOCUMENT Park General Ledger Documents
SAP_FI_GL_PERIOD_END_CLOSING Closing Procedures in General Ledger Accounting
SAP_FI_GL_PERIODIC_ENTRIES Enter Recurring General Ledger Postings
SAP_FI_GL_POST_ENTRY Make General Ledger Postings
SAP_FI_GL_POST_PARKED_DOCUMENT Post Parked Document
SAP_FI_GL_RECURRING_DOCUMENTS Process Recurring Documents
SAP_FI_GL_REVERSE-CHANGE Reverse/Change General Ledger Documents
SAP_FI_GL_SAMPLE_ACCT_MASTER_D Sample Accounts
SAP_FI_GL_SAMPLE_DOCUMENTS Edit Sample Documents
Accounts Payable Accounting (FI-AP) Standard Roles in Accounts Payable Accounting
Role Name
SAP_FI_AP_BALANCE_CARRYFORWARD Vendor Balance Carryforward
SAP_FI_AP_CHANGE-REVERSE_INV Change/Reverse Vendor Invoices
SAP_FI_AP_CHANGE_LINE_ITEMS Change Vendor Line Items
SAP_FI_AP_CHANGE_PARKED_DOCUM Change Parked Vendor Documents
SAP_FI_AP_CHECK_MAINTENANCE Check Processing
SAP_FI_AP_CLEAR_OPEN_ITEMS Clear Vendor Line Items
SAP_FI_AP_CORRESPONDENCE Correspondence – Vendors
SAP_FI_AP_DISPLAY_BALANCES Display Vendor Balances and Items
SAP_FI_AP_DISPLAY_CHECKS Display Checks
SAP_FI_AP_DISPLAY_DOCUMENTS Display Vendor Documents
SAP_FI_AP_DISPLAY_MASTER_DATA Display Vendor Master Data
SAP_FI_AP_DISPLAY_PARKED_DOCUM Display Parked Vendor Documents
SAP_FI_AP_INTEREST_CALCULATION Vendor Interest Calculation
SAP_FI_AP_INTERNET_FUNCTIONS Internet Functions in Accounts Payable Accounting
SAP_FI_AP_INVOICE_PROCESSING Entry of Vendor Invoices
SAP_FI_AP_KEY_REPORTS Important Reports from Accounts Payable Accounting
SAP_FI_AP_MANUAL_PAYMENT Manual Payment
SAP_FI_AP_PARK_DOCUMENT Park Vendor Documents
SAP_FI_AP_PAYMENT_BILL_OF_EXCH Payment Transaction with Bill of Exchange
SAP_FI_AP_PAYMENT_CHECKS Payment Program with Check Processing
SAP_FI_AP_PAYMENT_PARAMETERS Display of Payment Run Parameters
SAP_FI_AP_PAYMENT_PROPOSAL Create and Process Proposal for a Payment Run
SAP_FI_AP_PAYMENT_RUN Payment Run Update Run without Printing Payment Medium
SAP_FI_AP_PCARD Payment Card (Procurement Card)
SAP_FI_AP_PERIOD_END_ACTIVITY Accounts Payable Accounting Period Closing
SAP_FI_AP_POST_PARKED_DOCUM Post Parked Vendor Document
SAP_FI_AP_RECURRING_DOCUMENTS Vendor Recurring Entry Documents
SAP_FI_AP_SAMPLE_DOCUMENTS Edit Sample Documents: Accounts Payable Accounting
SAP_FI_AP_VENDOR_MASTER_DATA Vendor Master Data Maintenance
SAP_FI_AP_WITHHOLDING_TAX Withholding Tax Processing
Accounts Receivable Accounting (FI-AR) Authorizations
Standard Roles in Accounts Receivable Accounting
Role Name
SAP_FI_AR_BALANCE_CARRYFORWARD Customer Balance Carryforward
SAP_FI_AR_BILL_OF_EXCHANGE Process Bill of Exchange
SAP_FI_AR_CHANGE-REVERSE Change/Reverse Customer Postings
SAP_FI_AR_CHANGE_LINE_ITEMS Change Customer Items
SAP_FI_AR_CHANGE_PARKED_DOCUM Change Parked Document
SAP_FI_AR_CLEAR_OPEN_ITEMS Clear Customer Items
SAP_FI_AR_CREDIT_MASTER_DATA Credit Management Master Data
SAP_FI_AR_CUST_DOWN_PAYMENTS Processing of Customer Payments
SAP_FI_AR_DISPLAY_CREDIT_INFO Display Credit Data
SAP_FI_AR_DISPLAY_CUST_INFO Display Customer Information
SAP_FI_AR_DISPLAY_DOCUMENTS Display Customer Documents
SAP_FI_AR_DISPLAY_MASTER_DATA Display Customer Master Data
SAP_FI_AR_DISPLAY_PARKED_DOCUM Display Parked Customer Document
SAP_FI_AR_DUNNING_PROGRAM Dunning Program
SAP_FI_AR_INTEREST_CALCULATION Customer Interest calculation
SAP_FI_AR_INTERNET_FUNCTIONS Internet Functions for Accounts Receivable Accounting
SAP_FI_AR_KEY_REPORTS Important Reports for Accounts Receivable Accounting
SAP_FI_AR_MASTER_DATA Customer Master Data Maintenance
SAP_FI_AR_PARK_DOCUMENT Park Customer Documents
SAP_FI_AR_PAYMENT_CARD_PROCESS Payment Card Processing
SAP_FI_AR_PERIOD_END_PROCESS Closing Operations: Accounts Receivable Accounting
SAP_FI_AR_POST_ENTRIES Post Customer Invoices and Credit Memos
SAP_FI_AR_POST_MANUAL_PAYMENTS Post Incoming Payments Manually
SAP_FI_AR_POST_PARKED_DOCUMENT Post Parked Customer Document
SAP_FI_AR_PRINT_CORRESPONDENCE Correspondence with Customers
SAP_FI_AR_RECURRING_DOCUMENTS Customer Recurring Entry Documents
SAP_FI_AR_SAMPLE_DOCUMENTS Customer Sample Documents
SAP_FI_AR_VALUATION Valuation of Customer Items
Data Storage Security
You can store payment card numbers encrypted in the database. For information about encrypting credit card data, see SAP Note 633462.
Bank Accounting (FI-BL) Authorizations
Standard Roles in Bank Accounting
Role Name
SAP_FI_BL_ACCOUNT_REPORTS Financial Status Information
SAP_FI_BL_BANK_MASTERDAT_DISPL Display of Bank Master Data
SAP_FI_BL_BANK_MASTER_DATA Maintenance of Bank Master Data
SAP_FI_BL_BANK_STATEMENT Process Account Statement
SAP_FI_BL_BILL_OF_EX_PRESENT Bill of Exchange Presentation
SAP_FI_BL_BILL_OF_EX_REPORTS Reports on Bill of Exchange Holdings
SAP_FI_BL_CASHED_CHECKS Cashed Checks
SAP_FI_BL_CASH_JOURNAL Cash Journal
SAP_FI_BL_CHECK_DELETE Deletion of Checks
SAP_FI_BL_CHECK_DEPOSIT Check Deposit
SAP_FI_BL_CHECK_MANAGEMENT Check Management
SAP_FI_BL_CHECK_MGMENT_DISPLAY Display of Managed Checks
SAP_FI_BL_INTRADAY_STATEMENT Import Intraday Account Statement Information (USA)
SAP_FI_BL_LOCKBOX Processing the Lockbox - Data
SAP_FI_BL_ONLINE_PAYMENT Make Online Payments
SAP_FI_BL_PAYMENT_TRANSACTIONS Payment Processing
SAP_FI_BL_PAYME_ADVICE_REPORTS Payment Advice Note Reports
SAP_FI_BL_POR_PROCEDURE Incoming Payments via ISR Procedure (Switzerland)
SAP_FI_BL_RETURNED_BILL_OF_EX Returned Bills of Exchange
Data Storage Security
You can store payment card numbers encrypted in the database. For information about encrypting credit card data, see SAP Note 633462.
Asset Accounting (FI-AA) Authorizations
Standard Roles in Asset Accounting
Role Name
SAP_AUDITOR_BA_FI_AA AIS Fixed Assets
SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)
SAP_FI_AA_ASSET_ARCHIVING Archiving Activities
SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction
SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting
SAP_FI_AA_ASSET_EXPLORER Asset Explorer
SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System
SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance
SAP_FI_AA_ASSET_REVALUATION Revaluation Activities
SAP_FI_AA_ASSET_TRANSACTIONS Asset Transactions
SAP_FI_AA_CURRENT_SETTINGS Current Settings
SAP_FI_AA_EVERY_MANAGER Activities for Cost Center Manager
SAP_FI_AA_GROUP_ASSET Maintain Group Asset
SAP_FI_AA_KEY_REPORTS Important Reports in Asset Accounting
SAP_FI_AA_PERIODIC_PROCESSING Periodic Processing
SAP_FI_AA_PROBLEM_ANALYSIS Tools for Analyzing Problems
SAP_FI_AA_YEAR_END_CLOSING Year-End Closing
Network and Communication Security
Asset Accounting provides BAPIs for communicating with third-party systems.
Communication Destinations
For workflow tasks, you sometimes need either the WF-BATCH user or a user that you can use for background steps of this kind. To execute the decision steps required before reaching these background steps, you need a user that is explicitly assigned (rather than a user like WF-BATCH).
Important SAP Notes
Number Short Text
38957 Fields are not displayed/ready for input
335170 Authorization check AW01/AW01N
372724 Maintenance of report variants
460548 AW01N: Depreciation areas are not displayed
540785 FAQ note: Reporting of Asset Accounting
141876 Authorization checks in asset reporting
544703 FAQ Mass change/Mass retirement
Travel Management (FI-TV) Authorizations
Standard Roles in Travel Management
Role Name
SAP_FI_TV_TRAVELER Traveler
SAP_FI_TV_TRAVEL_ASSISTANT Travel Assistant
SAP_FI_TV_ADMINISTRATOR Travel Administrator
SAP_FI_TV_MANAGER_GENERIC Approving Manager
SAP_FI_TV_ADVANCE_PAYER Trip Advance Payer
SAP_FI_TV_TRAVEL_MANAGER Travel Manager
SAP_FI_TV_WEB_POLICY_ADMIN Travel Policy Administrator
The role enables the user to execute guideline management in SAP NetWeaver Business Client (NWBC).
SAP_FI_TV_WEB_APPROVER Approving Manager
The role enables the user to execute the worklist (POWL) of the Approving Manager and the related applications in NWBC.
The role contains the required authorization profile for the Approving Manager for calling the Web Dynpro ABAP applications in the Enterprise Portal.
SAP_FI_TV_WEB_ASSISTANT Travel Assistant
The role enables the user to execute the worklist (POWL) of the Travel Assistant and the related applications in NWBC.
The role contains the required authorization profile for the Travel Assistant for calling the Web Dynpro ABAP applications in the Enterprise Portal.
SAP_FI_TV_WEB_TRAVELER Traveler
The role enables the user to execute the worklist (POWL) of the Traveler and the related applications in NWBC.
The role contains the required authorization profile for the Traveler for calling the Web Dynpro ABAP applications in the Enterprise Portal.
Authorization Profiles
SAP supplies travel profile FI-TV (infotype 0470 in Human Resources (HCM)). You can also create the authorization profile based on the organizational affiliation using the characteristic TRVCP.
Authorization Objects
Travel Management uses authorization object P_TRAVL for all general functions.
Transfer of travel expenses to Accounting is protected by authorization object F_TRAVL.
The status of the travel plan is protected by authorization object F_TRAVL_S.
Network and Communication Security
In Travel Management you can configure connections to the following Global Distribution Systems (GDS):
● Amadeus The Gateway is the responsibility of the partner.
● Galileo The Gateway is the responsibility of the partner.
● Sabre Communication with the Web service uses HTTPS or a Gateway that is the responsibility of the partner.
Alternatively or in addition, you can configure direct connections to the following travel service providers using SAP Exchange Infrastructure (XI):
● Flight reservation systems, for example, low cost carrier providers The communication with the Web services uses HTTPS or HTTP dependent on the partner.
● Hotel reservation systems, for example, HRS The communication with the Web services uses HTTPS or HTTP dependent on the partner.
● Rail portals, for example Deutsche Bahn (BIBE) The communication with the Web service uses HTTPS.
In Travel Management you can configure XI connections to credit card companies for credit card clearing. Agree the security of the connection with the respective partner. For more information, see the SAP Library under Travel Management (FI-TV) → Travel Expenses (FI-TV-COS) → Credit Card Clearing.
Data Storage Security
Travel Management transmits credit card information to the partners named above; this transmitted data cannot be accessed in the SAP system.
In Customizing (IMG) for Travel Management, the passwords and credit card information for these connections are stored in plaintext. These settings are protected only by the standard authorization objects for Customizing, so restrict display access to them accordingly.
Authorizations in the Special Purpose Ledger (FI-SL) Standard Roles in Special Purpose Ledger
Role Name
SAP_AUDITOR_BA_FI_SL AIS - Special Purpose Ledger
SAP_AUDITOR_BA_FI_SL_A AIS - Special Purpose Ledger (Authorizations)
SAP_FI_SL_ACTUAL_ASSESSMENT Special Purpose Ledger Actual Assessment
SAP_FI_SL_ACTUAL_DISTRIBUTION Special Purpose Ledger Actual Distribution
SAP_FI_SL_ACTUAL_POSTINGS Special Purpose Ledger Actual Postings
SAP_FI_SL_BATCH_JOBS Run Special Purpose Ledger Jobs in Background
SAP_FI_SL_CURRENCY_TRANSLATION Special Purpose Ledger Currency Translation
SAP_FI_SL_DISPLAY_DOCUMENTS Display Special Purpose Ledger Balances and Documents
SAP_FI_SL_DISPLAY_PLAN Display Special Purpose Ledger Plan
SAP_FI_SL_MODIFY_PLAN Modify Special Purpose Ledger Planning
SAP_FI_SL_PLAN_ASSESSMENT Edit Plan Assessment
SAP_FI_SL_PLAN_DISTRIBUTION Plan Distribution
SAP_FI_SL_ROLLUP Special Purpose Ledger Rollup
Authorization Objects in Special Purpose Ledger
Object Name
G_022_GACT FI-SL Customizing: Transactions
G_800S_GSE Special Purpose Ledger Sets: Set
G_802G_GSV Special Purpose Ledger Sets: Variable
G_806H_GRJ FI-SL Rollup
G_820_GPL FI-SL Planning: Planning Parameters
G_821S_GSP FI-SL Planning: Distribution Keys
G_880_GRMP FI-SL Customizing: Global Companies
G_881_GRLD FI-SL Customizing: Ledger
G_888_GFGC FI-SL Customizing: Field Movements
G_ADMI_CUS Central Administrative FI-SL Tools
G_ALLOCTN Special Purpose Ledger - Assessment/Distribution
G_GLTP Special Purpose Ledger - Database (Ledger, Record Type, Version)
G_REPO_GLO FI-SL: Global Reporting (Global Company)
G_REPO_LOC FI-SL: Local Reporting (Company Code)
Treasury Network and Communication Security
Communication with external systems is possible using standard interfaces via BAPI, IDoc, and XI.
Communication Destinations
In certain cases a technical user may be required for applying BAPIs.
Data Storage Security
Treasury accesses financial transaction data that can be particularly sensitive. Access is protected by the roles described in the Authorizations section.
More Security Information
All authorizations are controlled by means of roles and profiles. In addition you can further increase the system security by making a number of Customizing settings such as trader authorization and posting release. However, the authorization check itself must always be run on the basis of roles and profiles.
Important SAP Notes
See SAP Notes 445148 (Access of the tax authorities to stored data) and 683810 (CFM-TM Tax reduction law: Separate authorization) for information about the German principles of data access and verifiability of digital documentation (GDPdU).
Authorizations
Standard Roles in Corporate Finance Management
Role Name
SAP_CFM_ADMINISTRATOR Administrator
SAP_CFM_DEALER Dealer
SAP_CFM_IHC_SUPERVISOR In-House Cash Supervisor
SAP_CFM_LIMIT_MANAGER Limit Manager
SAP_CFM_RISK_CONTROLLER Risk Controller
SAP_CFM_TM_BACKOFFICE_PROCES Settler
SAP_CFM_TM_FUND_MANAGER Fund Manager
SAP_CFM_TM_STAFF_ACCOUNTANT Accountant
SAP_CFM_TM_TRADE_CONTROLLER Trade Controller
SAP_CFM_TREASURY_MANAGER Treasury Manager
Standard Roles in Treasury
Role Name
SAP_TR_ADMINISTRATOR Administrator
SAP_TR_LO_CREDIT_ANALYST Credit Analyst
SAP_TR_LO_DEPARTM_MANAGER Manager of Loans Department
SAP_TR_LO_LOANS_OFFICER Loans Officer
SAP_TR_LO_ROLLOVER_OFFICER Rollover Officer
SAP_TR_LO_STAFF_ACCOUNTANT Staff Accountant for Loans
SAP_TR_TM_BACKOFFICE_PROCES Settler
SAP_TR_TM_CASH_MANAGER Cash Manager
SAP_TR_TM_FUND_MANAGER Fund Manager
SAP_TR_TM_RISK_CONTROLLER Risk Controller
SAP_TR_TM_STAFF_ACCOUNTANT Accountant
SAP_TR_TM_TRADER Dealer
SAP_TR_TM_TRADE_CONTROLLER Trade Controller
SAP_TR_TREASURY_MANAGER Treasury Manager
Transaction Roles
Role Function
SAP_AUDITOR_BA_CFM (AIS - Audit Information System)
Provides a structured, preconfigured collection of evaluations in Treasury.
The menu required for this is an integral part of this role. The appropriate authorization role is SAP_AUDITOR_BA_CFM_A (AIS authorizations for SAP applications except HR).
SAP_AUDITOR_TAX_TR (AIS - Audit Information System transaction role)
Offers a structured, preconfigured collection of evaluations for the tax audit in Treasury.
The menu required for this is an integral part of this role.
The appropriate authorization roles are SAP_AUDITOR_TAX_TR_A (AIS tax auditor, authorizations) and SAP_AUDITOR_TAX_A (AIS tax auditor central functions, authorizations).
For more information, see SAP Note 503678.
Authorization Roles
Role Function
SAP_AUDITOR_BA_CFM_A (AIS - Audit Information System)
Enables read access to business audit in Treasury.
The appropriate transaction role is SAP_AUDITOR_BA_CFM (AIS transactions for SAP applications except HR).
SAP_AUDITOR_TAX_TR_A (AIS - Audit Information System)
Enables read access for the tax auditor.
The appropriate transaction role is SAP_AUDITOR_TAX_TR (AIS – tax audit, Treasury).
For more information, see SAP Note 503678.
There is an enhanced authorization check for the roles SAP_AUDITOR_TAX_TR and SAP_AUDITOR_TAX_TR_A. For information, see SAP Notes 445148 and 683810.
Controlling
Important SAP Notes
See the following SAP Notes on authorizations in Controlling that do not refer to program corrections:
Number Short Text
15211 CO form reports: authorization concept
16371 Authorization for dist. key and plan. parameter
39140 Message KB015 unjustified
49640 More detailed authorization f. summariz.objects
51731 Missing Authorizations for Internal Orders
60522 Author.check B_USERSTAT during business transaction
74676 CO Reports: Extract Authorizations
75970 Missing Authorizations for Internal Orders: Reports
80065 Drill-down reporting: no line items for report line
93695 Authorization for orders with 'release immediately'
98580 Drill-down reporting: Error message KH702
123022 Adv.corr.:authrztn f.reportng in act.-based costing
136325 Report Writer: Authorizatn group for standard repts
155752 Drill-down report: Authorization check mass print
159408 CJ41/CJ43:author. for detailed planning is missing
164166 CO-PA: Planning:Long runtime dur.authorizatn check
165087 Drilldown report: authorization check for intervals
175063 Msg 5A252 whn displying/changing standard hierarchy
211991 Authorizatn objcts, enterprise organizatn generatn
313077 Incorrect long text for error message KC040
317824 Drilldown report: authorizatn check and hierarchies
319858 Grp maintce: profile generator with S_PROGRAM = '*'
337885 ALLOCATION: cycle maintnce authrztn frm Easy Access
359664 Problems with old personalization profiles (KEPM)
370082 Authorizations: information about responsibility area
378687 Authorizations: CO_ACTION field entry
386065 Report shows different data for each user
390214 KEPM: Splitting of "changing" authorizations
402757 Drilldown reporting: Authorization object K_CKBOB
412570 Line item display despite missing authorization
425703 KP06ff.: Authorization object K_KA09_KVS
435072 Authorizations: Enhancement of responsibility area
438079 K_COSTCTR_BAPI_GETLIST must check authoriztn more precisely
438492 Change characteristics possible even though display only
448765 KPR6 - Dump SAPSQL_INVALID_FIELDNAME
451621 Authorization concept in KEPM
459864 Group maintenance: Authorization G_800S_GSE
487762 KE21N: Authoriztn check for entered characteristic values
500012 New authorization check for tax reduction law in CO
506164 ALLOCATION:Information message GA185 during list output
515483 Group maintenance: Authorizations
520193 Transporting CO-PA reports without authorization object
545223 Retractor: Error message RD403
554340 Report Writer: enhancement GRWTAUTH without example code
556090 Drilldown rprtng: incorrect header (graphical output)
560803 Closing billing elements with warning message
564757 Tax reduction law in CO: goto line item report via RRI
578105 Group maintenance: Authorization G_800S_GSE, part II
594899 Authorization check with internal orders K_ORDER RESPAREA
602445 Group maintenance: Authorization G_800S_GSE for 4.5
604107 MPO_PERS_FILL_CC: Explode cost center hierarchy
611798 ALLOCATION: Information message GA185 with list output
616112 KKA2, KKAJ: Enhancement for authorizations
616338 RESPAREA: Maintain group authorizations as intervals
616580 ALLOCATION: Authorizations for the cancellation of cycles
623650 ISR form terminates: Missing authorizations
625873 KSA3/KSA8: Validation on authorization object K_CCA
638364 KJH3: Display mode and authorizations
667123 ALLOCATIONS: Error message GA 776 incomprehensible
673260 KBxxN: Authorization object K_PVARIANT missing in profile
Authorizations in Controlling
Standard Roles in Controlling
Role Description
SAP_CO_DAILY Cross-Application Day-to-Day Activities
SAP_CO_DAILY_CATS Cross-Application Day-to-Day Activities - CATS
SAP_CO_DOCUMENT_LIST Display Accounting Documents
SAP_CO_EASY_COST_PLANNING Easy Cost Planning and Execution Services
SAP_CO_ENTERPRISE_ORGANISATION Maintain Enterprise Organization
SAP_CO_MODEL Maintain CO Version
SAP_CO_OBJECT_STAT_KEYFIGURE Maintain Statistical Key Figures
SAP_CO_OM_DAILY_ABM Day-to-Day Activities: Activity Allocation
SAP_CO_OM_ISR_PROCESSING Process Internal Service Requests
SAP_CO_OM_JOB_INTORDER_BUDGET Internal Order - Budgeting
SAP_CO_OM_JOB_INTORDER_DISPLAY Display Internal Orders
SAP_CO_OM_JOB_INTORDER_INTERES Internal Order - Planned Interest Calculation
SAP_CO_OM_JOB_INTORDER_MAINT Maintain Internal Orders
SAP_CO_OM_JOB_INTORDER_PLAN Internal Orders - Overall Planning
SAP_CO_OM_JOB_INTORDER_YEAREND Internal Orders - Year-End Closing
SAP_CO_OM_MANAGER_GENERIC Generic Role Manager
SAP_CO_OM_MODEL_ABM Maintain Indirect Activity Allocation Cycles and Templates
SAP_CO_OM_MODEL_OM Maintain Cycles for Assessment, Distribution, and Reposting
SAP_CO_OM_OBJECT_ABM Maintain Business Processes and Activity Types
SAP_CO_OM_OBJECT_DISPLAY Display Overhead Master Data
SAP_CO_OM_OBJECT_OM_COSTCENTER Maintain Cost Centers
SAP_CO_OM_OBJECT_OM_COSTEL_PRI Maintain Primary Cost Elements
SAP_CO_OM_OBJECT_OM_COSTEL_SEC Maintain Secondary Cost Elements
SAP_CO_OM_PEREND_ABM_COLL Period-End Closing for Cost Center Accounting/Activity-Based Costing
SAP_CO_OM_PEREND_INTORDER_COLL Period-End Closing for Internal Orders - Collective Processing
SAP_CO_OM_PEREND_INTORDER_IND Period-End Closing for Internal Orders - Individual Processing
SAP_CO_OM_PEREND_OM_COLL Period-End Closing - Cost Center Accounting (Without Activity)
SAP_CO_OM_PLAN_ABM Planning Cost Center/Activity Type and Business Process
SAP_CO_OM_PLAN_INTORDER Periodic Planning Internal Order
SAP_CO_OM_PLAN_OM Periodic Planning Cost Center
SAP_CO_OM_PLAN_OM_BUDGET Maintain Cost Center Budgets
SAP_CO_OM_REPORT_COSTCTR_ABM_C Reports for Cost Centers/Activity Types (as with BW)
SAP_CO_OM_REPORT_COSTCTR_ABM_L Reports for Cost Centers/Activity Types (only OLTP)
SAP_CO_OM_REPORT_COSTCTR_OM_C Reports for Cost Centers (as with BW)
SAP_CO_OM_REPORT_COSTCTR_OM_L Reports for Cost Centers (only OLTP)
SAP_CO_OM_REPORT_COST_ELEMENT Reports for Cost Elements
SAP_CO_OM_REPORT_INTORDER_C Reports for Internal Orders (as with BW)
SAP_CO_OM_REPORT_INTORDER_L Reports for Internal Orders (only OLTP)
SAP_CO_OM_REPORT_PROCESS_C Reports for Business Processes (as with BW)
SAP_CO_OM_REPORT_PROCESS_L Reports for Business Processes (only OLTP)
SAP_CO_OM_REPORT_TOOLS Report Tools for Overhead Cost Controlling
SAP_CO_PA_ADJUSTMENTS Profitability Analysis Adjustments
SAP_CO_PA_BASICDATA_CHARACTER Maintain Characteristic Values/Derivation in Profitability Analysis
SAP_CO_PA_BASICDATA_DISPLAY Display CO-PA Master Data
SAP_CO_PA_BASICDATA_VALUATION Maintain Valuation in Profitability Analysis
SAP_CO_PA_PEREND Profitability Analysis: Period-End Closing
SAP_CO_PA_PLANNING_AIDS Maintain Planning Aids for Sales and Profit Planning
SAP_CO_PA_PLANNING_EXEC_PROF Execute Sales and Profit Planning
SAP_CO_PA_PLANNING_EXEC_WEB Enter Sales and Profit Planning Data Via the WWW
SAP_CO_PA_PLANNING_INTEGRATION Integrated Data Transfers in Sales and Profit Planning
SAP_CO_PA_PLANNING_SETUP Set Up Sales and Profit Planning
SAP_CO_PA_REPORT_DEMO Execute Demo Reports for Profitability Analysis
SAP_CO_PA_REPORT_DESIGN_L_ITEM Define Line-Item-Based Reports for Profitability Analysis
SAP_CO_PA_REPORT_DESIGN_STD Define Profitability Reports
SAP_CO_PA_REPORT_EXECUTE Execute Profitability Reports
SAP_CO_PA_SET_OPERATINGCONCERN Set Operating Concern
SAP_CO_PA_VALUE_FLOW_ANALYSIS Analyze Value Flows in Profitability Analysis
SAP_CO_PC_ACT_MATERIAL_CONTROL Change Material Price Determination (Actual Costing)
SAP_CO_PC_ACT_MATERIAL_DISPLAY Material Price Analysis (Actual Costing)
SAP_CO_PC_ACT_ORG_MEASURES_SL Organizational Measures (Actual Costing)
SAP_CO_PC_ACT_SETTINGS Set Material Ledger
SAP_CO_PC_DAILY_MAT_DEBIT_CRED Debit/Credit Materials
SAP_CO_PC_DAILY_MAT_PRICEMAINT Maintain and Release Material Prices
SAP_CO_PC_JOB_MANUFORDER Display Manufacturing Orders
SAP_CO_PC_JOB_MANUFORDER_CO Maintain CO Production Orders
SAP_CO_PC_JOB_SALESORDER Display Sales Orders
SAP_CO_PC_MODEL Modeling: Product Cost Controlling
SAP_CO_PC_MODEL_COSTING Costing Models
SAP_CO_PC_MODEL_MATERIAL_CONTR Maintain Material Ledger Update
SAP_CO_PC_OBJECT_COCOLLECTOR Maintain Product Cost Collector
SAP_CO_PC_OBJECT_COOBJHIER Maintain Cost Object Hierarchy
SAP_CO_PC_OBJECT_COOBJID Maintain Cost Object
SAP_CO_PC_PEREND_ACT_MLEVEL Maintain Multilevel Actual Costing
SAP_CO_PC_PEREND_ACT_MLEVEL_DP Display Multilevel Actual Costing
SAP_CO_PC_PEREND_ACT_SLEVEL_PC Closing Entry of Individual Materials
SAP_CO_PC_PEREND_ACT_SLEVEL_PD Single-Level Material Price Determination of Individual Materials
SAP_CO_PC_PEREND_COCOLLECT_COL Period-End Closing for Product Cost Collectors - Collective Processing
SAP_CO_PC_PEREND_COCOLLECT_IND Period-End Closing for Product Cost Collectors - Individual Processing
SAP_CO_PC_PEREND_COCOLLECT_WLM Period-End Closing for Product Cost Collectors - Worklist
SAP_CO_PC_PEREND_COOBJHIER_COL Period-End Closing for Cost Object Hierarchy - Collective Processing
SAP_CO_PC_PEREND_COOBJHIER_IND Period-End Closing for Cost Object Hierarchy - Individual Processing
SAP_CO_PC_PEREND_COOBJHIER_WLM Period-End Closing for Cost Object Hierarchy - Worklist
SAP_CO_PC_PEREND_COOBJID_COLL Period-End Closing for Cost Objects - Collective Processing
SAP_CO_PC_PEREND_COOBJID_IND Period-End Closing for Cost Objects - Individual Processing
SAP_CO_PC_PEREND_MANUFORD_COL Period-End Closing for Manufacturing Orders - Collective Processing
SAP_CO_PC_PEREND_MANUFORD_IND Period-End Closing for Manufacturing Orders - Individual Processing
SAP_CO_PC_PEREND_MANUFORD_WLM Period-End Closing for Manufacturing Orders - Worklist
SAP_CO_PC_PEREND_SALESORD Period-End Closing for Sales Orders
SAP_CO_PC_PEREND_SALESORD_WLM Period-End Closing for Sales Orders - Worklist
SAP_CO_PC_PLAN_AUTH_EXPL_FACI Transaction Authorizations for Explanation Facility
SAP_CO_PC_PLAN_COCOLLECTOR Preliminary Costing for Product Cost Collectors
SAP_CO_PC_PLAN_COOBJID Periodic Planning for Cost Objects (General)
SAP_CO_PC_PLAN_MAT_PRICEDETERM Material Costing / Costing Run
SAP_CO_PC_PLAN_MAT_PRICERELEAS Mark and Release Standard Cost Estimate
SAP_CO_PC_PLAN_REFERENCE_SIMUL Multilevel Unit Costing
SAP_CO_PC_PLAN_SALESORDER_BOM Sales Orders - Order BOM Cost Estimate
SAP_CO_PC_REPORT_COCOLLECTOR Reports for Product Cost Collector
SAP_CO_PC_REPORT_COOBJHIER Reports for Cost Object Hierarchy
SAP_CO_PC_REPORT_COOBJID Reports for Cost Objects
SAP_CO_PC_REPORT_MANUFORDER Reports for Manufacturing Orders
SAP_CO_PC_REPORT_MATERIAL_ESTI Reports for Material Costing
SAP_CO_PC_REPORT_MATERIAL_LEDG Reports for Material Ledger and Actual Costing
SAP_CO_PC_REPORT_PROD_CAMPAIGN Reports for Production Campaigns
SAP_CO_PC_REPORT_PRODUCTDRILL Reports for Product and Plant
SAP_CO_PC_REPORT_REFERENCE_SIM Reports for Base Planning Objects
SAP_CO_PC_REPORT_SALESORDER Reports for Sales Orders
SAP_CO_PC_REPORT_SUMMARIZATION Reports with Object Summarization
SAP_CO_PC_REPORT_TOOLS Product Drilldown Reporting - Create Own Reports
SAP_CO_PEREND_CLOSING_PERIOD Maintain Period Lock
SAP_CO_PEREND_DISPLAY Schedule Manager - Display Functions
SAP_CO_PEREND_MAINTAIN Schedule Manager - Maintenance Functions
SAP_CO_RECONCILIATION_LEDGER Controlling: Maintain Reconciliation Ledger
SAP_CO_SET_CONTROLLING_AREA Set Controlling Area
SAP_CO_CRM_REP Reports/Master Data for CO Integration of CRM Services
SAP_CO_CRM_REP_PEC CO Integration CRM Service
SAP_CO_CRM_REP_PEC_IMG CO Integration CRM Service with Modeling
For general information on the authorizations in Controlling, see SAP Help Portal at help.sap.com on the tab Documentation → SAP ERP Central Component → Release xx → SAP ERP Central Component → Accounting → Controlling (CO) → Controlling (CO) → Methods in Controlling → Authorizations and under Accounting → Controlling (CO) → Profitability Analysis (CO-PA) → Information System → Authorization Objects in the Information System.
Information on the authorizations for the Controlling functions in Manager Self-Service (MSS) and for the role of the Business Unit Analyst (BUA) can be found in this Security Guide under Cross-Application Components → Self-Services [page 23].
Authorizations in Profit Center Accounting
Standard Roles in Profit Center Accounting
Role Name
SAP_AUDITOR_BA_EC_PCA AIS - Profit Center Accounting
SAP_AUDITOR_BA_EC_PCA_A AIS - Profit Center Accounting (Authorizations)
SAP_EC_PCA_ARCHIVING Profit Center Accounting Archiving
SAP_EC_PCA_MODEL Maintain Cycles for Assessment, Distribution, and Reposting (EC-PCA)
SAP_EC_PCA_MODEL_TP_DISPLAY Display Transfer Prices
SAP_EC_PCA_MODEL_TP_MAINTAIN Maintain Transfer Prices
SAP_EC_PCA_OBJECT_DISPLAY Display Profit Center Master Data
SAP_EC_PCA_OBJECT_MAINTAIN Maintain Profit Center Master Data
SAP_EC_PCA_PEREND Period-End Closing in Profit Center Accounting
SAP_EC_PCA_PEREND_POSTINGS Data Entry for Profit Center Accounting
SAP_EC_PCA_PLAN_CLOSING Plan Closing in Profit Center Accounting
SAP_EC_PCA_PLANNING Planning in Profit Center Accounting
SAP_EC_PCA_REPORT Profit Center Accounting - Line Items and Totals Records
SAP_EC_PCA_REPORT1 Profit Center Accounting - Drilldown Reports
SAP_EC_PCA_REPORT2 Profit Center Accounting - Report Painter Reports
SAP_EC_PCA_REPORT3 Profit Center Accounting - Reports from Other Components
Authorization Objects in Profit Center Accounting
Object Name
K_PCA EC-PCA: Responsibility Area, Profit Center
K_PCAB_DEL EC-PCA: Delete Transaction Data
K_PCAD_UM EC-PCA: Assessment/Distribution
K_PCAF_UEB EC-PCA: FI Data Transfer
K_PCAI_UEB EC-PCA: Actual Data Transfer
K_PCAL_GEN EC-PCA: Generate and Activate Ledger
K_PCAM_UEB EC-PCA: MM Data Transfer
K_PCAP_SET EC-PCA: Planning Hierarchy
K_PCAP_UEB EC-PCA: Plan Data Transfer
K_PCAR_REP EC-PCA: Summary and Line Item Reports
K_PCAR_SRP EC-PCA: Standard Reports and Datasets
K_PCAS_PRC EC-PCA: Profit Center
K_PCAS_UEB EC-PCA: SD Data Transfer
K_PCA_REAL EC-PCA: Realignment for PrCtr Assignments to CO Master Data
Network and Communication Security
Controlling is integrated with Microsoft Office®. For information on security aspects with Microsoft Office® applications, refer to the documentation of those products.
Communication in Manager Self-Service (MSS) and in the Web Application for the Business Unit Analyst (BUA) is based on Remote Function Calls (RFCs).
Communication Destinations
Technical users are required for communication over ALE, for batch reporting, and for third-party providers that access Controlling data.
Consolidation (EC-CS)
Authorizations
Authorization Objects in Consolidation
Authorization Object Description
E_CS_BUNIT Consolidation unit
E_CS_CACTT Consolidation tasks
E_CS_CONGR Consolidation group
E_CS_DEFRM SAP Consolidation: Data entry layout
E_CS_DIMEN View
E_CS_ITCLG Consolidated chart of accounts
E_CS_JEFRM SAP Consolidation: Journal entry layout
E_CS_PERMO Monitor, opening/closing of periods
E_CS_RPTNG Reporting with ReportWriter/Report Painter and Drilldown Reports
E_CS_RVERS Version
For more information, see the Implementation Guide for Enterprise Controlling at Consolidation → Preparing for Production → Authorization Management.
Authorization Profiles in Consolidation
Authorization profile Description
E_CS_ALL Full Authorization for EC-CS
E_CS_DISPLAY Display Authorization for EC-CS
Standard Roles in Consolidation
Role Name
SAP_AUDITOR_BA_EC_CS AIS – Consolidation
SAP_AUDITOR_BA_EC_CS_A AIS – Consolidation (Authorizations)
SAP_EC_CS_FUNCTIONS_DETAIL Consolidation – Detail Functions
SAP_EC_CS_FUNCTIONS_GENERAL Consolidation – General Functions
SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation – Offline Data Entry with Microsoft Access
SAP_EC_CS_RECONCILIATION Consolidation – Reconciliation of Integrated Data
SAP_EC_CS_REPORT_ALL Consolidation – All Reports
SAP_EC_CS_REPORT_CONSDATA Consolidation – Reports with Consolidated Data
Network and Communication Security
Consolidation allows for offline entry of data using Microsoft ACCESS®. Communication takes place via Remote Function Call (RFC).
Data Storage Security
The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.
Accounting Engine
Introduction
This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.
Target Group
● Technology consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
The Need for Security
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to the Accounting Engine. To assist you in securing the Accounting Engine, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to the Accounting Engine.
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the Accounting Engine.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management.
○ User types that are required by the Accounting Engine
○ Standard users that are delivered with the Accounting Engine
○ Overview of the user synchronization strategy, if several components or products are integrated
○ Overview of integration options in Single Sign-On environments
● Authorizations
This section provides an overview of the authorization concept that applies to the Accounting Engine.
● Network and Communication Security
This section provides an overview of the communication paths used by the Accounting Engine and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Data Storage Security
This section provides an overview of any critical data that is used by the Accounting Engine and the security mechanisms that apply.
Before You Start
Security Guides Referenced
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Additional Information
For more information about specific topics, see the sources in the table below.
Additional Information
Content SAP Service Marketplace
Security service.sap.com/security
Security Guides service.sap.com/securityguide
Related SAP Notes service.sap.com/notes
Platforms permitted service.sap.com/platforms
Network security service.sap.com/network service.sap.com/securityguide
Technical infrastructure service.sap.com/ti
SAP Solution Manager service.sap.com/solutionmanager
Technical System Landscape
Use
The figure below shows an overview of the technical system landscape for the Accounting Engine.
[Figure: technical system landscape for the Accounting Engine. Elements shown: Accounting Engine; Accounting Views (Contribution Margin, Balance, Overhead Costs, Journal); Document Creation Services (AP/AR Protocol, C&R Protocol, GJ Protocol, Document View Knowlg); Business Transactions (Security Transaction, Production Order Confirmation, Incoming Payment, Outgoing Invoice)]
For more information about the technical system landscape, see the sources listed in the table below.
More Information About the Technical System Landscape
Topic: Guide/Tool, SAP Service Marketplace
Technical description for Accounting Engine and the underlying technical components, such as SAP NetWeaver: Master Guide, service.sap.com/instguides
Technical configuration: Technical Infrastructure Guide, service.sap.com/ti
High availability: Technical Infrastructure Guide, service.sap.com/ti
Security: service.sap.com/security
User Administration and Authentication
The Accounting Engine uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in SAP Web AS Security Guide for ABAP Technology also apply to the Accounting Engine.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Accounting Engine in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the Accounting Engine.
● Integration into Single Sign-On Environments
This topic describes how the Accounting Engine supports Single Sign-On mechanisms.
User Management
Use
User management for the Accounting Engine uses the mechanisms provided by SAP Web Application Server ABAP, for example, tools, user types, and password policies.
Integration into Single Sign-On Environments
Use
The Accounting Engine supports the Single Sign-On (SSO) mechanisms provided by SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP Web Application Server also apply to the Accounting Engine.
The mechanisms supported are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
For more information, see Secure Network Communications (SNC) in the SAP Web Application Server Security Guide.
SAP Logon Tickets
The Accounting Engine supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP Web Application Server Security Guide.
Client Certificates
As an alternative to user authentication using a user ID and password, users who use a Web browser as a front end client can also provide X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the SAP Web Application Server Security Guide.
Authorizations
Use
The Accounting Engine uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP Web AS ABAP also apply to the Accounting Engine.
Authorization Objects
The Business Accounting of the Bank Analyzer [external] uses the following authorization groups for IMG activities and adjustment programs:
● A1* = authorization for technical issues (configuration)
● A2* = authorizations for business issues
● *EN = authorization for the accounting entities
● *G1 = authorization for General Ledger Accounting (GL)
● *PM = authorization for Profitability Management
Other individual authorization objects are documented in the system.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the Accounting Engine is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Accounting Engine. Details that specifically apply to the Accounting Engine are described in the following topics:
● Communication Channel Security
This topic describes the communication paths and logs used by the Accounting Engine.
● Communication Destinations
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
Communication Channel Security
Communication Paths
Communication Path Protocol Used
ERP to BW RFC
ERP to Bank Analyzer RFC
DIAG and RFC connections can be protected using Secure Network Communications (SNC).
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
Use
The Accounting Engine uses RFC communication destinations.
The configuration of the RFC calls is controlled using transaction SM59.
If no technical user has been defined for the destination, the RFC connection is made without this default setting.
Data Storage Security
Use
The Accounting Engine accesses sensitive data within the Bank Analyzer [external]. The Bank Analyzer checks the authorizations for this sensitive data with user exits.
For more information, see the Bank Analyzer Security Guide.
Financial Supply Chain Management
Management of Internal Controls: Security Guide
Use
This Security Guide describes the aspects of the Management of Internal Controls (MIC) component that relate to security. MIC forms part of the software component FINBASIS and uses the application server (AS), Process Integration (XI), and Business Intelligence (BI) from SAP NetWeaver.
Consequently, the following security guides also apply to MIC:
● SAP NetWeaver Security Guide
● SAP Web AS Security Guide ABAP
● SAP Exchange Infrastructure Security Guide
● SAP Business Information Warehouse Security Guide
You can find these guides on SAP Service Marketplace at service.sap.com/securityguide.
For more information relevant to security, see SAP Service Marketplace at service.sap.com/security.
Target Audience of the Guide
● Technical consultants
● System administrators
The security guides provide information on all phases of the software life cycle.
Features
The security guide provides information on the following topics:
● Technical System Landscape
This section lists the other systems with which MIC can communicate.
● User Management and Authorizations
This section provides an overview of the following aspects:
○ User Management
○ Roles and Authorizations Concept Specific to MIC
○ Integration into Single Sign-On Environments
● Communication Channel Security
This section provides an overview of the communication paths used by MIC and the security mechanisms that apply.
● Data Storage Security
This section provides an overview of the various data storage options for MIC data.
Technical System Landscape
The following figure provides an overview of the technical system landscape of the component Management of Internal Controls (MIC):
[Figure: technical system landscape of MIC, showing MIC connected to XI, BI, AIS, and third-party systems]
MIC can exchange data with the following systems:
● MIC users can display reports from the Audit Information System (AIS), which can be run on the same system as MIC or on a different system.
● MIC data can be extracted into an SAP NetWeaver Business Intelligence system (BI system).
● Via the SAP NetWeaver Process Integration (XI), data can be exchanged with third-party systems. You can transfer test logs from (semi-)automated tests and structure data (from the central process catalog, for example) into the MIC system.
For information about the communication paths, see Communication Channel Security [page 79].
User Management and Authorizations
MIC uses the user management and the authorization concept delivered with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. For this reason, the security recommendations and guidelines described in the SAP Web AS Security Guide for ABAP Technology also apply for MIC.
In addition to these guidelines, the following sections include information about user management and the authorizations applying specifically to MIC:
● User Management [page 61]
This section lists the user management tools and the necessary user types.
● Roles and Authorizations Concept [page 62]
This section describes the MIC-specific roles and authorizations concept that is based in part on the functions of the SAP Web Application Server ABAP (see Standard Roles and Authorization Objects [page 63]) and in part on the functions unique to MIC (see Editing MIC-Specific Roles [page 64]).
● Integration with Single Sign-On Environment [page 78]
This topic describes how MIC supports Single Sign-On mechanisms.
User Management
Use
MIC user management uses the mechanisms provided by SAP NetWeaver, such as tools, user types, and the password concept. For an overview of how these mechanisms affect MIC, see the sections below. This section also lists the users that are required for operating MIC.
User Management Tool
MIC uses user and role maintenance from SAP Web AS ABAP (transactions SU01 and PFCG). For more information, see Users and Roles (BC-SEC-USR) [External]. To find out which roles are delivered for MIC, see Standard Roles and Authorization Objects [page 63].
User Types
It is often necessary to create different security policies for different types of users. For example, your policy may specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not those users who perform their tasks using background processing.
Examples of user types required for MIC:
● Individual users (dialog users)
○ Required for logging on to the SAP GUI for Windows for configuring MIC and for MIC administration
○ Required for logging on to the People-Centric User Interface for the operational use of MIC
○ Required for the RFC connection to the BI system
● Technical users
○ A system user is required for the workflow within MIC, for example (user WF-BATCH must have authorization for authorization profile SAP_ALL)
○ A communications user can be required in order to set up the integration with the Audit Information System (AIS) for the RFC connection to the AIS system. Alternatively, you can define the RFC connection as a trusted system connection.
○ A service user is required for the connection of external applications using the Exchange Infrastructure (XI). The user must have the corresponding XI authorization as well as the authorization for the standard role Management of Internal Controls – Business User (SAP_CGV_MIC_BUSINESS_USER). For more information, see the SAP Exchange Infrastructure Security Guide under Service Users for Message Exchange.
Roles and Authorizations Concept
Use
For Management of Internal Controls (MIC), a large number of frequently changing people need to perform tasks in a variety of functions. Consequently, a special roles and authorizations concept has been created for this purpose. Besides the general SAP standard roles, which the system administrator edits in transaction PFCG, there are also MIC-specific roles comprising a variety of delivered tasks. These MIC-specific roles and their respective tasks allow you to manage the detailed authorizations and the workflow between those involved.
Features
For information about the general standard roles delivered with MIC, see Standard Roles and Authorization Objects [page 63].
The MIC-specific roles refine the authorizations delivered in the standard role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER). An MIC-specific role consists of different tasks with authorizations attached. You can specify which tasks belong to which role. For more information, see Editing MIC-Specific Roles [page 64].
The assignment of an MIC-specific role to one or more persons is dependent on an object (for example, an organizational unit). The assignment is performed in a Web application by different persons throughout the organization hierarchy. The power user triggers this process for the highest level of the organization hierarchy. For more information, see Assigning Roles to Persons [page 77].
To ensure the segregation of duties, so that, for example, the same person is not authorized both to perform an assessment and to validate that assessment, you can define conflict groups. You include in a conflict group any tasks that must not be performed by the same person. You can use these conflict groups to run a check to establish whether the defined segregation of duties is actually reflected in the system. For more information, see Segregation of Duties [External].
Activities
1. The system administrator copies the delivered standard role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL), makes any necessary adjustments, and assigns the adjusted copy of the standard role to the MIC power user.
2. The power user edits the MIC-specific roles.
3. The power user defines conflict groups.
4. The power user starts the role assignment procedure in the navigational area on the start page.
5. The power user checks whether the segregation of duties defined in the conflict groups is enforced by the system.
Standard Roles and Authorization Objects
Use
The authorization concept of the SAP NetWeaver Application Server uses the assignment of authorizations to users on the basis of roles. Some general SAP standard roles are delivered with MIC. You can copy and adjust them in Customizing under SAP NetWeaver → Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Maintain Roles (transaction PFCG).
Integration
The standard roles are refined using the MIC-specific Roles and Authorizations Concept [page 62].
Features
Standard Roles
MIC uses the following standard roles:
● Management of Internal Controls - Customizing (SAP_CGV_MIC_CUSTOMIZING)
This role contains all necessary authorizations to make the Customizing settings for MIC. This role does not contain any authorizations for the Web applications.
● Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER)
A user with this role is only authorized to perform those specific tasks prescribed by the detailed role concept for MIC. All users that have this role assigned to them must also have at least one MIC-specific role assigned to them. A user may use the Web applications that are specified by the tasks in the MIC-specific role.
● Management of Internal Controls - Power User (SAP_CGV_MIC_ALL)
When this role is assigned to a user, that user is made a power user. In addition to the authorizations that the business user has, a power user also has authorization for administration functions in the MIC Implementation Guide, such as the expert mode for structure setup [External]. Moreover, the user has special authorizations in the People-Centric UI, such as those for editing roles and for starting role assignment to persons (see Assigning Roles to Persons [page 77]).
● Management of Internal Controls - Display (SAP_CGV_MIC_DISPLAY)
A user with this role can display Customizing for MIC in the SAP GUI. This role is useful for external auditors, for example. We recommend using this role in addition to the business user role.
For more information, see the documentation on the individual roles in transaction PFCG.
Standard Authorization Objects Relevant to Security
Authorizations for objects of applications belonging to the Application Server and used in MIC are relevant to security in MIC. If you run MIC in a system in which the applications used by MIC are also used productively in other projects, then you need to ensure that you manage the authorizations for the MIC-specific objects separately from the other objects.
● Authorization object Personnel Planning (PLOG) from Organizational Management
The general object types Organizational Unit and Person are used in MIC together with other MIC-specific object types. Note, therefore, that the organizational units and persons created in other projects are also available in MIC (and vice versa).
● Various authorization objects in Case Management and Records Management
Assessments, tests, issues, and remediation plans are stored in Case or Records Management. The RMS ID FOPC_SOA is relevant for MIC.
Activities
1. Copy the general SAP roles delivered with MIC, and adjust the authorizations in these roles to suit the circumstances in your system.
2. Assign the roles you have adjusted to the appropriate users. While doing so, ensure that no user has been assigned role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL) as well as role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER).
Editing MIC-Specific Roles
Use
An MIC power user can adjust the MIC-specific roles that are delivered in BC Sets and in this way specify the authorizations of a role by assigning the individual tasks.
Features
The power user has the following options for editing MIC-specific roles:
● In Customizing for MIC under Edit Roles
● Using a Web application that can be called up from the MIC start page
SAP delivers sample roles in a BC Set. To be able to use these sample roles, you need to activate the BC Set in Customizing. All other activities for editing roles are possible both in Customizing and in the Web application, although the user interface in the Web application is easier to use.
When editing a role, you assign all the tasks to it that anybody assigned to that role should be allowed to perform. You also specify the role level.
The role level defines whether the tasks can be performed for the entire corporate group, for a single organizational unit, for a process group, for a process, or for a process step.
The tasks are delivered by SAP and cannot be changed. Each task has the following attributes:
● Minimum Role Level: The only tasks you can assign to a role are those with a minimum role level corresponding to the level entered for the role. For example, you can only assign the task Perform Sign-Off at Corporate Level (for which the minimum role level = group) to a role with Corporate level.
● Restricted to One Role: Tasks for which this indicator is selected can only be assigned to one role. Furthermore, the following restriction applies to role assignment: When a role contains a task flagged with this indicator, that role may only be assigned to just one person for an object.
● Processing by One Work Item Recipient Suffices: Tasks flagged with this indicator can be performed by more than one user. However, it is sufficient if only one user performs the task. As soon as one user has completed the task, it is then completed for all other users to whom the task is assigned.
● Web application that the task calls up: Different tasks can call up the same Web application. For example, the task Assign Process to Organizational Unit and the task Edit Attributes of Process Groups Specific to Org Units both call up the Web application Process Assignment for Org Unit. If a person only has authorization for one of the tasks, then that person may only perform that task in the corresponding Web application. If, however, a person has authorization for both tasks, then he/she may perform both, regardless of the task from which the Web application was called up. In this latter case, it is sufficient for just one of the tasks to be scheduled. In this way, you can restrict the number of tasks that need to be sent.
For an overview of the delivered tasks and their attributes, see the following sections:
● Tasks: Central Structure Setup [page 65]
● Tasks: Structure Setup Specific to Organizational Units [page 67]
● Tasks: Control Assessments and Tests [page 71]
● Tasks: Management Control Assessment and Test [page 74]
● Tasks: Reporting and Sign-Off [page 76]
The task Create User is handled differently because a special authorization is required for this task. For more information, see Creating Users and Connecting Users to Persons [External].
Analyses
To find out which roles contain a task, you can search for a task in the Web application for processing roles. In this way, you can display all roles that the task is assigned to. Moreover, you can use Authorization Analysis [External].
Activities
1. If you want to use the delivered sample roles, activate the relevant BC Set in Customizing. For information about the procedure for this, see the documentation on the IMG activity Edit Roles.
2. Change the delivered sample roles or create your own roles.
3. Activate the roles that you would like to use and then save your entries.
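The rules described in Roles and Authorizations Concept and Editing MIC-Specific Roles (minimum role level, Restricted to One Role, conflict groups for segregation of duties) and the rule in Standard Roles and Authorization Objects that no user holds both SAP_CGV_MIC_ALL and SAP_CGV_MIC_BUSINESS_USER can be checked mechanically over an export of role, task and assignment data. The following Python model is an added example, not code from SAP or from MIC: the task IDs are taken from the task tables in this guide, but the task attribute values, role names, persons, object IDs and user IDs are made-up sample data. The model assumes that a task with a given minimum role level may be assigned to a role at that level or at any wider level, and it checks conflict groups per person across all objects, which is the conservative reading of the segregation-of-duties rule.

```python
"""Constructed model of the MIC role and task rules described in this guide.

Added illustration, not SAP code. Task IDs come from the task tables; the
attribute values, role names, persons, objects and user IDs are made up.
"""
from dataclasses import dataclass, field

# Role levels named in the guide, widest scope first.
LEVELS = ["Corporate", "Org Unit", "Process Group", "Process", "Process Step"]


@dataclass(frozen=True)
class Task:
    task_id: str
    min_level: str                  # Minimum Role Level attribute
    restricted_to_one_role: bool = False


@dataclass
class Role:
    name: str
    level: str                      # role level set by the power user
    tasks: set = field(default_factory=set)   # IDs of the assigned tasks


def assign_task(task, role, roles):
    """Add task to role, enforcing both task attributes (ValueError if not allowed).

    Assumption: a task fits a role whose level is its minimum level or wider,
    so a Process Step task fits any role, a Corporate task only a Corporate role.
    """
    if LEVELS.index(role.level) > LEVELS.index(task.min_level):
        raise ValueError(f"{task.task_id}: minimum role level {task.min_level} "
                         f"is wider than role {role.name} ({role.level})")
    if task.restricted_to_one_role:
        for other in roles:
            if other is not role and task.task_id in other.tasks:
                raise ValueError(f"{task.task_id} is restricted to one role "
                                 f"and already belongs to {other.name}")
    role.tasks.add(task.task_id)


def try_assign(task, role, roles):
    """Return None if the assignment succeeded, else the rejection reason."""
    try:
        assign_task(task, role, roles)
    except ValueError as err:
        return str(err)
    return None


def one_person_per_object_violations(roles, tasks, assignments):
    """A role holding a restricted task may go to only one person per object.

    assignments: list of (person, role_name, object_id) tuples.
    """
    restricted = {t.task_id for t in tasks if t.restricted_to_one_role}
    violations = []
    for role in roles:
        if not role.tasks & restricted:
            continue
        holders = {}
        for person, role_name, obj in assignments:
            if role_name == role.name:
                holders.setdefault(obj, set()).add(person)
        violations += [(role.name, obj, sorted(p))
                       for obj, p in sorted(holders.items()) if len(p) > 1]
    return violations


def conflict_group_violations(roles, assignments, conflict_groups):
    """Persons whose combined tasks contain two tasks from one conflict group.

    Assumption: checked per person across all objects (the conservative reading).
    """
    tasks_by_role = {r.name: r.tasks for r in roles}
    held = {}
    for person, role_name, _obj in assignments:
        held.setdefault(person, set()).update(tasks_by_role[role_name])
    return [(person, sorted(tasks & group))
            for person, tasks in sorted(held.items())
            for group in conflict_groups if len(tasks & group) > 1]


def standard_role_conflicts(user_roles):
    """Users holding both the power-user and the business-user standard role."""
    both = {"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"}
    return sorted(u for u, r in user_roles.items() if both <= set(r))


def sample_report():
    """Run every check over the constructed sample landscape."""
    tasks = [Task("EDIT-HIER", "Corporate", True), Task("PERF-CDASS", "Process Step", True),
             Task("VALI-CDASS", "Process", True), Task("DISP-CDASS", "Process Step")]
    by_id = {t.task_id: t for t in tasks}
    assessor, validator = Role("Assessor", "Process Step"), Role("Validator", "Process")
    roles = [assessor, validator]
    for tid, role in [("PERF-CDASS", assessor), ("DISP-CDASS", assessor),
                      ("VALI-CDASS", validator), ("DISP-CDASS", validator)]:
        assign_task(by_id[tid], role, roles)
    assignments = [("alice", "Assessor", "C-4711"),    # two assessors on one control
                   ("carol", "Assessor", "C-4711"),    # violates Restricted to One Role
                   ("alice", "Validator", "P-100"),    # alice also validates: SoD conflict
                   ("bob", "Validator", "P-200")]
    return {
        "rejected_level": try_assign(by_id["EDIT-HIER"], assessor, roles),
        "rejected_restricted": try_assign(by_id["PERF-CDASS"], validator, roles),
        "one_person": one_person_per_object_violations(roles, tasks, assignments),
        "conflicts": conflict_group_violations(roles, assignments, [{"PERF-CDASS", "VALI-CDASS"}]),
        "standard_roles": standard_role_conflicts({
            "PWRUSER": {"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"},
            "AUDITOR": {"SAP_CGV_MIC_DISPLAY", "SAP_CGV_MIC_BUSINESS_USER"}}),
    }


if __name__ == "__main__":
    for name, finding in sample_report().items():
        print(f"{name}: {finding}")
```

Running the sample rejects EDIT-HIER for a Process Step role (its minimum level is Corporate) and PERF-CDASS for the Validator role (it is already in the Assessor role), reports that two persons hold the Assessor role for control C-4711, flags alice for holding both the assessment and the validation task, and lists PWRUSER as the user carrying both standard roles. In a real system the same data would be read from the role editor and the Authorization Analysis described in this section rather than constructed inline.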
Tasks: Central Structure Setup
Task Group: Central Structure Setup
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Display Role (DISP-ROLE) | Display all roles created and all tasks assigned by power user (see Roles and Authorizations Concept [page 62]) | Process Step | | Edit Roles
Edit Organizational Hierarchy (EDIT-HIER) | Create/change organizational hierarchy [External], insert new nodes, and so forth | Corporate | X | Organizatio
Display Organizational Hierarchy (DISP-HIER) | Display entire organizational hierarchy and detailed information on organizational units | Process Step | | Organizatio
Document Organizational Units in Scope (PERF-SCOPO) | Define reasoning for decision to include organizational units in project scope [External] (or to exclude them from project scope) | Corporate | X | OrganizatioScope
Display Organizational Units in Scope (DISP-SCOPO) | Display reasoning behind decisions relating to the project scope | Process Step | | OrganizatioScope
Edit Central Process Catalog (EDIT-CPCAT) | Create/change hierarchy and attributes for process groups and processes, create/change central process steps, define P-CO-R assignment, assign account groups (see Central Process Catalog [External]) | Corporate | X | Central Pro
Display Central Process Catalog (DISP-CPCAT) | Display entire central process catalog | Process Step | | Central Pro
Edit General Control Attributes in Central Process Catalog (EDIT-CCATR) | When central process step has been defined as a control, define all attributes and assignments for the control centrally (see Documenting Controls Centrally [External]) | Corporate | | DocumentaControls
Edit Account Group Hierarchy (EDIT-ACCH) | Create/change hierarchy and attributes of account groups (see Account Group Hierarchy [External]) | Corporate | X | Account G
Display Account Group Hierarchy (DISP-ACCH) | Display entire account group hierarchy | Process Step | | Account G
Edit Management Control Catalog (EDIT-MCCAT) | Create/change hierarchy of management control groups and management controls, define central descriptions (see Management Control Catalog [External]) | Corporate | X | ManagemeCatalog
Edit Description of Assessment of a Management Control (EDIT-MCASD) | Create central description in catalog of how a management control should be assessed | Corporate | X | ManagemeCatalog
Edit Description of a Test of a Management Control (EDIT-MCTED) | Create central description in catalog of how a management control should be tested | Corporate | X | ManagemeCatalog
Display Management Control Catalog (DISP-MCCAT) | Display entire management control catalog | Process Step | | ManagemeCatalog
Edit Central Settings for Scheduling (EDIT-CSCH) | Specify centrally how often and when specific tasks are to be performed (see Task Scheduling [External]) | Corporate | | Central ScTasks
Display Central Settings for Scheduling (DISP-CSCH) | Display central settings for task scheduling | Process Step | | Central ScTasks
Assign Delegates Centrally (ASGN-DELC) | Enter delegates [External] for oneself and other persons | Corporate | X | Central AsDelegates
Assign Own Delegates (ASGN-DELO) | Only enter delegates for oneself | Process Step | | AssignmenDelegates
Tasks: Structure Setup Specific to Organizational Units
Task Group: Structure Setup Dependent on Org Unit
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Assign Roles for Corporate and Next Level Down (ASGN-RLCOR) | Assign roles to persons at the corporate level and for the subordinate organizational units directly beneath it (see Assigning Roles to Persons [page 77]) | Corporate | X | Role Ass
Assign Replacement at Corporate Level (ASGN-REPLC) | Assign replacements at corporate level (see Replacement [External]) | Corporate | | AssignmReplacem
Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG) | Assign roles to persons for an organizational unit and for the subordinate organizational units directly beneath it | Org Unit | X | Role Ass
Assign Replacement at Org Unit Level (ASGN-REPLO) | Assign replacements for the organizational unit and subordinate objects | Org Unit | | AssignmReplacem
Assign Roles for Top Process Group in Given Organizational Unit (ASGN-RLOPG) | Assign roles to persons for the top process groups of an organizational unit | Org Unit | X | Role Ass
Assign Roles for Given Process Group and Next Level Down (ASGN-RLPGR) | Assign roles to persons for a process group and for the subordinate process groups and processes directly beneath it | Process Group | X | Role Ass
Assign Roles for Process and Subordinate Controls (ASGN-RLPRC) | Assign roles to persons for a process and for the process steps defined as a control in the process | Process | X | Role Ass
Assign Roles for Control (ASGN-RLCNT) | Assign roles to persons for a process step defined as a control | Process Step | | DocumeControls
Create User (CREA-USRID) | Have a user ID created by the system administrator and connect this user ID to the person (see Creating Users and Connecting Users to Persons [External]) | Org Unit | X | Only posGUI
Specify Significance of Accounts for Organizational Unit (EDIT-ACCSO) | Specify for an organizational unit which account groups are significant (see Significance of Account Groups for Organizational Unit [External]) | Org Unit | X | ProcesseAccount Organiza
Display Significance of Accounts for Organizational Unit (DISP-ACCSO) | Display significance of account groups for an organizational unit | Process Step | | ProcesseAccount Organiza
Perform Scoping of Processes (PERF-SCOPP) | Specify for an organizational unit which processes fall within the project scope and document why (see Processes in Scope [External]) | Org Unit | X | Processe
Display Processes in Scope (DISP-SCOPP) | Display processes that fall within the project scope for an organizational unit | Process Step | | Processe
Assign Process to Organizational Unit (ASGN-PRORG) | Accept for organizational unit processes falling in project scope; edit process attributes specific to organizational unit (see Accepting Processes [External]) | Org Unit | X | ProcesseAccount Organiza
Display Process Group Attributes Specific to Org Units (DISP-OUPGA) | Display process group attributes specific to organizational units (such as necessity of validation) | Process Step | | ProcesseAccount Organiza
Edit Process Group Attributes Specific to Org Units (EDIT-OUPGA) | Edit process group attributes specific to org units | Process Group | | ProcesseAccount Organiza
Display Process Attributes Specific to Org Units (DISP-OUPRA) | Display process attributes specific to organizational units (such as necessity of validation) | Process Step | | ProcesseAccount Organiza
Edit Process Attributes Specific to Org Units (EDIT-OUPRA) | Edit process attributes specific to org units | Process | | ProcesseAccount Organiza
Edit Process Steps Specific to Org Units (EDIT-OUPRS) | Edit copied process steps, create/change local process steps, edit process step attributes | Process | | ProcesseAccount Organiza
Approve Documentation of Process Change (VALI-PRCHD) | Approve the adoption of documented changes in the process (see Documenting Process and Control Changes [External]) | Process | X | ProcesseAccount Organiza
Edit General Control Attributes (EDIT-GENCA) | Edit the general control attributes for local or copied process steps defined as controls (excluding assessment and test attributes) (see Documenting Controls [External]) | Process Step | X | DocumeControls
Assign Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CPCOR) | Assign control to the P-CO-R structure defined in the process catalog and select control type | Process Step | | DocumeControls
Assign Referenced Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CRCOR) | Assign control of a different process to the P-CO-R structure defined in the process catalog and select control type | Process | X | ProcesseAccount Organiza
Assign Controls to Financial Statement Assertions (ASGN-ASS2C) | Assign control to control groups and their FS assertions | Process Step | X | DocumeControls
General Control Attributes: Edit Assessment Attributes (EDIT-GCAMT) | Of the general control attributes, only edit the control assessment attributes (such as control maturity target) | Process Step | X | DocumeControls
General Control Attributes: Edit Test Attributes (EDIT-GCATA) | Of the general control attributes, only edit the control test attributes (such as testing technique) | Process Step | X | DocumeControls
General Control Attributes: Edit AIS Reports (EDIT-COAIS) | Assign reports of the Audit Information System to a control (see Assignment of AIS Reports [External]) | Process Step | | DocumeControls
Approve Documentation of Control Change (VALI-PSCHD) | Approve the adoption of documented change in the control | Process Step | X | DocumeControls
Display Process Hierarchies of all Organizational Units (DISP-PRHIE) | Display process groups, processes, and process steps for all organizational units | Process Step | | Central PCatalog
Display General Control Attributes (DISP-GENCA) | Display all general attributes and assignments for the control | Process Step | | DocumeControls
Assign Management Controls to Organizational Units (ASGN-MC2OU) | Accept centrally-defined management controls for organizational unit, create local description (see Accepting Management Controls [External]) | Org Unit | X | AssignmManagem
Assign Management Controls to Process Group (ASGN-MC2PG) | Accept centrally-defined management controls for process group, create local description of the control | Process Group | X | AssignmManagem
Edit Local Description of Assessment of a Mgmt Control for Organizational Unit (EDIT-MADOU) | Create description of how the management control should be assessed specific to organizational unit | Org Unit | X | AssignmManagem
Edit Local Description of Test of a Mgmt Control for Organizational Unit (EDIT-MTDOU) | Create description of how the management control should be tested specific to organizational unit | Org Unit | X | AssignmManagem
Edit Local Description of Assessment of a Mgmt Control for Process Group (EDIT-MADPG) | Create description of how the management control should be assessed specific to process group | Process Group | X | AssignmManagem
Edit Local Description of Test of a Mgmt Control for Process Group (EDIT-MTDPG) | Create description of how the management control should be tested specific to process group | Process Group | X | AssignmManagem
Edit "To Be Tested" Attribute of a Management Control for Organizational Unit (EDIT-MTAOU) | Specify for organizational unit whether a management control should be tested | Org Unit | X | AssignmManagem
Edit "To Be Tested" Attribute of a Management Control for Process Group (EDIT-MTAPG) | Specify for process group whether a management control should be tested | Process Group | X | AssignmManagem
Edit Scheduling Settings for Organizational Unit (EDIT-OUSCH) | Change central settings governing Task Scheduling [External] for organizational unit | Org Unit | X | ScheduliOrganiza
Display Scheduling Settings for Organizational Unit (DISP-OUSCH) | Display task scheduling settings changed for an organizational unit | Process Step | | ScheduliOrganiza
Tasks: Control Assessments and Tests
Task Group: Assessment of Control Design and Efficiency
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Perform Control Design Assessment (PERF-CDASS) | Enter result of control design assessment in system, reporting issues where necessary (see Assessment of Control Design and Efficiency [External]) | Process Step | X | Control Design Assessment
Display Control Design Assessment (DISP-CDASS) | Display result of control design assessment | Process Step | | Control Design Assessment
Validate Control Design Assessment (VALI-CDASS) | When validation activated, check result of control design assessment and confirm or send back | Process | X | Control Design Assessment
Perform Control Efficiency Assessment (PERF-CEASS) | Enter result of control efficiency assessment, reporting issues where necessary | Process Step | X | Control Efficiency Assessment
Display Control Efficiency Assessment (DISP-CEASS) | Display result of control efficiency assessment | Process Step | | Control Efficiency Assessment
Validate Control Efficiency Assessment (VALI-CEASS) | When validation activated, check result of control efficiency assessment and confirm or send back | Process | X | Control Efficiency Assessment
Task Group: Process Design Assessment
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Perform Process Design Assessment (PERF-PDASS) | Enter result of process design assessment in system, reporting issues where necessary (see Process Design Assessment [External]) | Process | X | Process Design Assessment
Display Process Design Assessment (DISP-PDASS) | Display result of process design assessment | Process | | Process Design Assessment
Validate Process Design Assessment (VALI-PDASS) | When validation activated, check result of process design assessment and confirm or send back | Process Group | X | Process Design Assessment
Task Group: Test Effectiveness of a Control
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Mass Assignment of Testers to Controls (ASGN-MT2CN) | Assign testers centrally for all controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/Management Controls
Assign Tester (ASGN-TSTER) | Assign persons for testing control effectiveness (see Test of Control Effectiveness [External]) | Process | X | Tester Assignment
Display Notification (DISP-NOTE) | Notifications from an external system (using XI interface) in which (semi-)automated tests are performed | No role level because task cannot be assigned to any role | | Notifications
Test Control Effectiveness (PERF-TEST) | Test control effectiveness; may be performed by all persons who were assigned as testers | No role level because task cannot be assigned to any role | | Testing Control Effectiveness
Display Test Results (DISP-TSTRE) | Display test logs for effectiveness test of a control | Process Step | | Testing Control Effectiveness
Receive Issues from Effectiveness Test (RECE-EFISO) | Predefined processor of issues reported during control effectiveness test; can be overwritten by person who reported issue | Process | X |
Validate Test Control Effectiveness (VALI-TEST) | When validation activated, check result of test of control effectiveness and confirm or send back | Process | X | Testing Control Effectiveness
Tasks: Management Control Assessment and Test
Task Group: Assessment and Test of Management Controls
Task (ID) | Description | Role Level | Indicator (X = Restricted to One Role or Processing by One Work Item Recipient Suffices) | Web Application Called
Mass Assignment of Testers to Management Controls (ASGN-MT2MC) | Assign testers centrally for all management controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/ManaControls
Assign Testers for Management Controls (Org Unit) (ASGN-MCTOU) | Assign persons for testing management controls for organizational unit | Org Unit | X | Tester Assignm
Assign Testers for Management Controls (Process Group) (ASGN-MCTPG) | Assign persons for testing management controls for process group | Process Group | X | Tester Assignm
Perform Management Control Assessment at Org Unit Level (PERF-MCAOU) | Enter result of management control assessment for org unit in system, reporting issues where necessary (see Management Control Assessment and Test [External]) | Org Unit | X | Management CAssessment
Display Management Control Assessment at Org Unit Level (DISP-MCAOU) | Display result of management control assessment for organizational unit | Org Unit | | Management CAssessment
Perform Management Control Assessment at Process Group Level (PERF-MCAPG) | Enter result of management control assessment for process group in system, report issues where necessary | Process Group | X | Management CAssessment
Display Management Control Assessment at Process Group Level (DISP-MCAPG) | Display result of management control assessment for process group | Process Group | | Management CAssessment
Validate Management Control Assessment for Top Organizational Unit (VALI-MCACP) | When validation activated, check result of management control assessment for top node of organizational hierarchy and confirm or send back | Corporate | X | Management CAssessment
Validate Management Control Assessment for Subordinate Organizational Unit (VALI-MCAOU) | When validation activated, check result of management control assessment for subordinate organizational units and confirm or send back | Org Unit | X | Management CAssessment
Validate Management Control Assessment for Top Process Group (VALI-MCTPG) | When validation activated, check result of management control assessment for top process group of organizational unit and confirm or send back | Org Unit | X | Management CAssessment
Validate Management Control Assessment for Subordinate Process Group (VALI-MCAPG) | When validation activated, check result of management control assessment for subordinate process groups and confirm or send back | Process Group | X | Management CAssessment
Perform Management Controls Test at Org Unit Level (PERF-MCTOU) | Create test log after management controls test for organizational unit; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management CTest
Display Management Controls Test at Org Unit Level (DISP-MCTOU) | Display result of management controls test for organizational unit | Org Unit | | Management CTest
Perform Management Controls Test at Process Group Level (PERF-MCTPG) | Create test log after management controls test for process group; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management CTest
Display Management Controls Test at Process Group Level (DISP-MCTPG) | Display result of management controls test for process group | Process Group | | Management CTest
Receive Issues from Management Controls Test at Org Unit Level (RECE-MCISO) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Org Unit | X |
Receive Issues from Management Controls Test at Process Group Level (RECE-MCISP) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Process Group | X |
Tasks: Reporting and Sign-Off
Task Group Reporting
Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Display Hierarchical Reports (DISP-ANALY)
Display data for the area of responsibility in hierarchical reports in Reporting [Extern]
Process Reporting
Display Tabular Reports (DISP-FLATR)
Display data for the area of responsibility in tabular reports
Process Reporting
Display Management Reports (DISP-MNGRE)
Display aggregated data for the area of responsibility in management reports
Process Reporting
Print Report (PERF-PRINT)
Create and print Print Reports [Extern]
Process step Print Reports
Display Change Analysis (DISP-CHGAN)
Display changes to data over different timeframes (see Change Analysis [Extern])
Org unit Change Analysis
Display Authorization Analysis (DISP-SCREP)
Display assignments in the roles and authorizations concept (see Authorization Analysis [Extern])
Process Authorization Analysis
Task Group Sign-Off
Task | Description | Role Level | Restricted to One Role | Processing by One Work Item Recipient Suffices | Web Application Called
Perform Deficiency Analysis on Organizational Unit Level (PERF-DFAOU)
Perform deficiency analysis [Extern] for organizational unit and subordinate organizational units
Org unit Deficiency Analysis
Display Deficiency Analysis on Organizational Unit Level (DISP-DFAOU)
Display deficiency analysis at corporate level and level of subordinate organizational units
Org unit Deficiency Analysis
Perform Deficiency Analysis on Corporate Level (PERF-DFACP)
Perform deficiency analysis at corporate level and level of subordinate organizational units
Corporate Deficiency Analysis
Display Deficiency Analysis on Corporate Level (DISP-DFACP)
Display deficiency analysis at corporate level and level of subordinate organizational units
Corporate Deficiency Analysis
Perform Sign-Off (PERF-SOFOU)
Perform sign-off [Extern] for an organizational unit and, once sign-off has been performed for all organizational units, perform corporate sign-off
Org unit Sign-Off
Display Sign-Off (DISP-SIGNO)
Display sign-off for organizational units in area of responsibility
Org unit Sign-Off
Assigning Roles to Persons
Purpose
When you assign a person to a role in combination with an object (such as an organizational unit), that person receives the authorization to perform the tasks belonging to that role for that object.
You assign roles to persons in one of the Web applications that can be accessed from the start page [Extern]. Role assignment takes place using the domino principle throughout the organizational hierarchy and the assigned processes.
Prerequisites
● The roles have been created and activated (see Roles and Authorizations Concept [Seite 62]).
● The organizational hierarchy [Extern] has been defined.
Process Flow
1. The power user automatically has authorization for the task Start Role Assignment Procedure. He or she starts the assignment procedure by choosing Role Assignment in the navigation area of the start page [Extern]. The power user then assigns a person (or a user, if already available) to the role containing the task Assign Roles for Corporate and Next Level Down (ASGN-RLCOR).
○ If the person entered does not yet exist in the system, the system issues a message, and an additional area appears in the middle of the screen. To create the person, choose Create Person.
You can deactivate the option of creating a person using the IMG activity Restrict Authorization to Create Persons in Customizing for MIC.
○ If a person does not yet exist for the user entered in the system, a person is created automatically.
2. The power user assigns a role with the task Create User (CREA-USRID) to a user that has already been created.
3. If the power user has created a person in the first step as opposed to assigning a user, a user must be created for that person. For more information, see Creating Users and Connecting Users to Persons [Extern].
4. The person who now has authorization for the task Assign Roles for Corporate and Next Level Down receives this task in their task list on the start page.
5. This person assigns persons or users to the role containing the task Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG). This step is performed for all organizational units occurring directly beneath the corporate group level in the organizational hierarchy.
6. If persons instead of users are assigned, users then have to be created for these persons (see step 3).
7. The persons who now have authorization for the task Assign Roles for Given Organizational Unit and Next Level Down receive this task in their task list on the start page. Subordinate organizational units or process groups can be on the next level down. For the process groups to be available, the processes need to have been accepted [Extern] for the organizational unit in the meantime.
8. Subsequent role assignments follow the same principle all the way down the organizational hierarchy and across the assigned process groups, processes, process steps, and controls. However, you do not perform role assignment for a control in the Web application Assignment of Roles to Persons but instead in the Web application Documenting Controls [Extern].
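The domino principle in the process flow above, as an added plain-Python model that is not MIC code: a person who holds the task Assign Roles for Corporate and Next Level Down (ASGN-RLCOR) may assign roles at corporate level and one level below it; a person who holds Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG) for a unit may assign roles for that unit and its direct children, and deeper levels are reached only by delegating further. The hierarchy, the person names, the class and function names are constructed for the example; process groups, which the guide treats the same way, are left out.

```python
from dataclasses import dataclass, field

# Task names as given in the guide; both carry "and Next Level Down" semantics.
ASGN_RLCOR = "ASGN-RLCOR"  # Assign Roles for Corporate and Next Level Down
ASGN_RLORG = "ASGN-RLORG"  # Assign Roles for Given Organizational Unit and Next Level Down


@dataclass
class OrgUnit:
    """One node of the organizational hierarchy (constructed sample data below)."""
    name: str
    children: list = field(default_factory=list)


class RoleAssignmentModel:
    """Hypothetical model of the assignment procedure; not MIC's implementation."""

    def __init__(self, corporate: OrgUnit) -> None:
        self.corporate = corporate
        self.children_of: dict = {}
        self._index(corporate)
        # (person, task, org unit name) triples granted so far
        self.grants: set = set()

    def _index(self, node: OrgUnit) -> None:
        self.children_of[node.name] = [child.name for child in node.children]
        for child in node.children:
            self._index(child)

    def start_procedure(self, person: str) -> None:
        """Step 1: the power user, who is authorized automatically, grants
        ASGN-RLCOR at corporate level without any further check."""
        self.grants.add((person, ASGN_RLCOR, self.corporate.name))

    def assignment_scope(self, person: str) -> set:
        """Org units for which `person` may assign roles: every unit for which
        an assignment task was granted plus that unit's direct children
        ("next level down"), and nothing deeper."""
        units = set()
        for holder, task, unit in self.grants:
            if holder != person:
                continue
            if task == ASGN_RLCOR and unit != self.corporate.name:
                continue  # ASGN-RLCOR only has meaning at corporate level
            if task in (ASGN_RLCOR, ASGN_RLORG):
                units.add(unit)
                units.update(self.children_of[unit])
        return units

    def can_assign(self, assigner: str, unit: str) -> bool:
        return unit in self.assignment_scope(assigner)

    def assign(self, assigner: str, person: str, task: str, unit: str) -> None:
        """Steps 5 to 8: an assignment is accepted only inside the assigner's scope."""
        if unit not in self.children_of:
            raise KeyError(f"unknown organizational unit {unit!r}")
        if not self.can_assign(assigner, unit):
            raise PermissionError(f"{assigner} may not assign roles for {unit}")
        self.grants.add((person, task, unit))


def walk_through() -> RoleAssignmentModel:
    """Runs the procedure on a constructed three-level hierarchy."""
    hierarchy = OrgUnit("Corporate", [
        OrgUnit("OU-A", [OrgUnit("OU-A1")]),
        OrgUnit("OU-B"),
    ])
    model = RoleAssignmentModel(hierarchy)
    model.start_procedure("alice")                    # power user -> alice at corporate
    model.assign("alice", "bob", ASGN_RLORG, "OU-A")  # alice delegates one level down
    return model
```

After `walk_through()`, alice can assign roles for Corporate and OU-A but not for OU-A1, while bob, holding ASGN-RLORG for OU-A, can assign for OU-A and OU-A1 but not for OU-B: the scope of each person stops one level below the object on which the task was granted.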
Integration with Single Sign-On Environments
Use
MIC supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. Consequently, the security recommendations and guidelines for user management and authentication described in the SAP Web Application Server Security Guide also apply to MIC.
The mechanisms supported are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when the SAP GUI for Windows or Remote Function Calls (RFC) are used.
For more information, see Secure Network Communications (SNC) in the security guide of the SAP Web Application Server.
SAP Logon Tickets
MIC supports the use of logon tickets for SSO when the Web browser is used as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves in the original SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly once the system has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP Web Application Server security guide.
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol), and no passwords need to be transferred. User authorizations apply in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the security guide of the SAP Web Application Server.
Communication Channel Security
Use
The following table contains the communication paths used by MIC, the protocol used for the connection, and the type of data transferred.
Communication paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front end client using SAP GUI for Windows to application server | DIAG | All application data | Passwords
Front end client using a Web browser to application server | HTTP/HTTPS | All application data | Passwords
Audit Information System (AIS) to application server | RFC for setting up AIS integration; HTTP for displaying the AIS reports | AIS reports |
External application via XI interface to application server | External application – XI: various protocols possible (SAP standard); XI – application server: RFC | Structure data (such as central process catalog); test logs |
Application server to BI system | RFC | All application data |
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
For logon to the front end client (Web browser), Single Sign-On (SSO2) must be activated on the server side. For more information, see SAP Note 517860.
Navigation information is communicated between the start page and the Web applications via the URL.
Data Storage Security
Use
Master data and transaction data is stored in the database of the SAP system on which MIC has been installed. Data storage occurs for the most part in Organizational Management, in Case Management, and in separate tables for this purpose. Due to the use of Organizational Management in particular, we recommend running MIC on a separate client. For more information and recommendations on the use of clients, see the application documentation under Management of Internal Controls (FIN-CGV-MIC) [Extern].
MIC requires a Web browser as the user interface. For data storage in the front end, non-persistent session cookies are used.
In some Web applications, MIC users can upload documents into the system. Knowledge Provider (KPro) is used for storing the data. Once uploaded, the documents can be accessed using a URL. The MIC-specific Roles and Authorizations Concept [Seite 62] governs authorization for accessing the URL directly in the Web application. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (two hours).
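The property stated above, a document URL that is valid only for one user and for two hours, as an added illustration in plain Python that is not MIC or KPro code and does not describe how KPro implements it: the server binds the requesting user and an expiry time into an HMAC, puts only the expiry and the MAC into the URL, and on access recomputes the MAC with the user of the current session, so a copied URL fails for anyone else and every URL fails after the validity window. The secret, host name, document id and user names are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample key; a real deployment keeps this in a key store.
SERVER_SECRET = b"constructed-sample-secret-not-for-production"
VALIDITY_SECONDS = 2 * 60 * 60  # the two-hour validity stated in the guide


def _signature(doc_id: str, user: str, expires: int) -> str:
    # The user is part of the MAC input but never appears in the URL itself,
    # so the server can only verify a URL against the session that presents it.
    payload = f"{doc_id}\n{user}\n{expires}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_document_url(base: str, doc_id: str, user: str, now: int) -> str:
    """Issue a URL for `user`; `now` is passed in so the example is deterministic."""
    expires = now + VALIDITY_SECONDS
    return f"{base}/{doc_id}?exp={expires}&sig={_signature(doc_id, user, expires)}"


def check_document_url(url: str, session_user: str, now: int) -> bool:
    """Accept only if the MAC matches the requesting session's user and the
    expiry has not passed. Any malformed or missing parameter is rejected."""
    parts = urlsplit(url)
    doc_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        presented = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= expires:
        return False  # expired: reject before doing any further work
    expected = _signature(doc_id, session_user, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(presented, expected)
```

The check never trusts a user name taken from the URL; it uses the authenticated session's user, which is what makes forwarding the link useless. Expiry is checked before the MAC so that expired links are rejected cheaply, and the MAC covers the document id, so editing the path to point at another document invalidates the signature.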
Master Data Framework
Introduction
This guide does not replace the administration or operation guides that are available for productive operations.
Target Group
● Technology consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
The Need for Security
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to Master Data Framework. To assist you in securing Master Data Framework, we provide this Security Guide.
About this Document
The Security Guide provides an overview of the security-relevant information that applies to Master Data Framework.
Overview of the Main Sections
The security guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by Master Data Framework.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management.
○ User types that are required by Master Data Framework
○ Standard users that are delivered with Master Data Framework
○ Overview of the user synchronization strategy, if several components or products are integrated
○ Overview of integration options in Single Sign-On environments
● Authorizations
This section provides an overview of the authorization concept that applies to the Master Data Framework.
● Network and Communication Security
This section provides an overview of the communication paths used by Master Data Framework and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
Before You Start
Security Guides Referenced
Master Data Framework is built on SAP NetWeaver Application Server ABAP. Therefore, the corresponding Security Guides also apply to Master Data Framework.
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Additional Information
For more information about specific topics, see the sources in the table below.
Additional Information
Content SAP Service Marketplace
Security service.sap.com/security
Security Guides service.sap.com/securityguide
Related SAP Notes service.sap.com/notes
Platforms permitted service.sap.com/platforms
Network security service.sap.com/network, service.sap.com/securityguide
Technical infrastructure service.sap.com/ti
SAP Solution Manager service.sap.com/solutionmanager
Technical System Landscape
Use
The figure below shows an overview of the technical system landscape for Master Data Framework.
[Figure: Technical system landscape of Master Data Framework. Layers shown: User Interface (Workbench for master data and hierarchies); Framework for master data and hierarchies (time-dependent and version-dependent attributes for edges of hierarchies; combination characteristics such as company and profit center; extensibility of InfoObjects by local fields (role concept)); Generic Services (metadata repository, transport, authority checks, buffering, where-used list, generic checks, read/write access, locking, time dependency, validity including version and time dependency, transaction control (commit, rollback, save), input/output conversion, change management); Access to BW, synchronization tools, local tables, and R/3.]
For more information about the technical system landscape, see the sources listed in the table below.
For more information about the technical system landscape, see the sources listed in the table below.
More Information About the Technical System Landscape
Topic | Guide/Tool | SAP Service Marketplace
Technical description for Master Data Framework and underlying technical components such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration | Technical Infrastructure Guide | service.sap.com/ti
High availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security
User Administration and Authentication
Master Data Framework uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Application Server ABAP Security Guide also apply to Master Data Framework.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to Master Data Framework in the following topics:
● User Management
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with Master Data Framework.
● Integration into Single Sign-On Environments
This topic describes how Master Data Framework supports Single Sign-On mechanisms.
User Management
Use
User management for Master Data Framework uses the mechanisms provided by SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies.
Integration into Single Sign-On Environments
Use
Master Data Framework uses the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Framework.
The mechanisms supported are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
For more information, see Secure Network Communications (SNC) in the SAP NetWeaver AS ABAP Security Guide.
SAP Logon Tickets
Master Data Framework supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP NetWeaver AS ABAP Security Guide.
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the SAP NetWeaver AS ABAP Security Guide.
Authorizations
Use
Master Data Framework uses the authorization concept provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for authorizations that are described in the SAP NetWeaver AS ABAP Security Guide also apply to Master Data Framework.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine’s user administration console when using Java.
Standard Authorization Objects
The table below shows the security-relevant authorization objects that are used by Master Data Framework.
Standard Authorization Objects
Authorization Object Description
R_UGMD_CHA Master data access for all types of characteristics.
R_UGMD_SNG Master data access on the level of single values of combination characteristics
S_TABU_LIN Master data access on the level of individual characteristics
FB_SRV_DMS Authorization for data model synchronization (change monitor)
FB_SRV_GC Authorization for MDF Garbage Collector
The authorization objects listed above are also described in the system documentation.
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for Master Data Framework is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Master Data Framework. Details that specifically apply to Master Data Framework are described in the topic Communication Channel Security.
For more information, see the following sections in the SAP NetWeaver Security Guide:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability
Communication Channel Security
Use
ERP and Business Information Warehouse (SAP BW) communicate with each other using RFC within Master Data Framework.
RFC connections can be protected using Secure Network Communications (SNC).
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
SAP Banking
This security guide includes the following components from SAP Banking:
● SAP Financial Customer Information Management (FS-BP)
● Deposits (FS-BCA)
● Loans Management (FS-CML)
● Collateral Management (FS-CMS)
This security guide only contains Collateral Management-specific information about Authorizations and Network and Communication Security.
For general information about security in FS-CMS, see SAP Service Marketplace at service.sap.com/securityguide → mySAP ERP Security Guides → Security Guide for Collateral Management System (CMS).
● Strategic Enterprise Management (SEM)
● Reserve for Bad Debt (FS-RBD)
SAP Financial Customer Information Management (FS-BP)
The security policy with SAP Financial Customer Information Management (FS-BP) is very similar to the security policy with the central SAP Business Partner (SAP BP).
For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.
Authorizations
You can create roles in the SAP Customizing Implementation Guide (IMG) for SAP Banking under SAP Business Partner for Financial Services → General Settings → Business Partner → Basic Settings → Authorization Management.
The authorization objects are the responsibility of the SAP Business Partner. SAP Financial Customer Information Management (FS-BP) is only responsible for the following two authorization objects:
● T_BP_DEAL (Standing Instructions / Transactions)
You can use this authorization object to control the company code-dependent authorizations for displaying/creating/changing standing instructions.
There are standing instructions for:
○ Payment details
○ Derived flows
○ Correspondence
○ Transaction authorizations
● B_BUPA_SLV (Selection variant for total commitment)
A selection variant includes various settings for the total commitment (such as which business partner roles and relationships can be used for the selection, or whether detailed information can be displayed).
Network and Communication Security
When processing total commitment, mySAP ERP communicates with other SAP systems (such as Deposits Management (FS-AM)). In theory, mySAP ERP could also communicate with non-SAP systems here.
Communication takes place via Remote Function Call (RFC).
Communication Destinations
Depending on the scenario, an RFC user is required for communication via Remote Function Call (RFC). This user requires the appropriate authorizations for the target system (such as FS-CML or FS-AM).
Data Storage Security
Authorization object B_CCARD can be used to control access to credit card information that is stored in the business partner. This control falls in the area of responsibility of central SAP Business Partner.
You can protect employee data by using authorization groups (authorization object B_BUPA_GRP).
Bank Customer Accounts (BCA)
Authorizations
The following standard roles are available in Bank Customer Accounts (BCA):
Role Name
SAP_ISB_ACCOUNTS_ADMIN_AG SAP Banking BCA: Account Management Administrator
SAP_ISB_ACCOUNTS_ASSISTANT_AG SAP Banking BCA: Assistant in Account Management
SAP_ISB_ACCOUNTS_STAFF_AG SAP Banking BCA: Clerical Staff in Account Management
For more information on authorization management and the authorization objects in Bank Customer Accounts, see SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component → Release 5.0 → SAP ERP Central Component → Financials → SAP Banking → Bank Customer Accounts (BCA) → General Subjects → Authorization Administration, or Authorization Administration → Authorization Objects.
Bank Customer Accounts (BCA) also contains the following business transaction events on the subject of authorizations:
Business Transaction Event Name
SAMPLE_INTERFACE_00011040 AUTH1- Account
SAMPLE_INTERFACE_00011700 Authorization checks/authorization type
SAMPLE_INTERFACE_00010950 Check Management
SAMPLE_INTERFACE_00010210 Payment item dialog
SAMPLE_INTERFACE_00010410 Payment order dialog
SAMPLE_INTERFACE_00010411 Standing order dialog
Network and Communication Security
Bank Customer Accounts (BCA) communicates with the following external systems:
● Payment transaction systems
● Interest income tax
● Financial Accounting (FI), if Financial Accounting (FI) runs on another system
Encrypt communication with external systems in accordance with the SAP standards.
Communication with all external systems is performed via Remote Function Call (RFC).
Data Storage Security
The security of sensitive objects such as savings accounts and checking accounts is guaranteed by the general authorization concept of Bank Customer Accounts (BCA).
For employee accounts, the following security mechanisms are available in addition to the general authorization concept:
● The following special authorization objects
○ F_EMAC_MTH
○ F_EMAC_TRN
● The following special field modification criterion of the Business Data Toolset (BDT)
○ FMOD1
This criterion is applied to employee accounts.
Important SAP Notes
Consider the following SAP notes on authorizations in Bank Customer Accounts (BCA):
Note Number Short Text
126494 Authorization f. RFC calls of reconciliation GL/BCA
441020 Value table for authorization group objects
315545 Standing orders: release, dual authoriztn principle
731832 Conditions: Authorization object F_COND_BDC
127591 Authorization group in reports
Loans Management (FS-CML)
Authorizations
Authorization management for mortgage loans is based on the existing authorization concept in Loans Management (FS-CML).
The authorization check is performed according to the principle of inclusion, that is to say, if a user has authorization to activate a business transaction, he or she also has authorization to delete it. The authorization for making a posting includes the authorization for making a cancellation.
If other functions are called from a business transaction, the relevant authorization check is performed in this business transaction before the other function is accessed. This avoids any termination of the functions that are being called.
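The two rules just described, as an added plain-Python illustration that is not FS-CML code: the principle of inclusion (authorization to activate includes authorization to delete, authorization to post includes authorization to cancel) is modelled as a closure over an implication table, and a business transaction checks every authorization that it and the functions it calls will need before anything runs, so a missing authorization can never terminate a called function halfway through. Activity names, function names and the sample transaction chain are constructed for the example.

```python
# Principle of inclusion: activity -> activities it includes (constructed names).
INCLUDES = {
    "ACTIVATE": {"DELETE"},  # may activate a business transaction -> may delete it
    "POST": {"CANCEL"},      # may post -> may cancel the posting
}


def effective_activities(granted):
    """Transitive closure of the granted activities under INCLUDES."""
    result = set(granted)
    frontier = list(granted)
    while frontier:
        activity = frontier.pop()
        for implied in INCLUDES.get(activity, ()):
            if implied not in result:
                result.add(implied)
                frontier.append(implied)
    return result


class BusinessFunction:
    """A transaction or a function it calls, with the activities it requires."""

    def __init__(self, name, requires, calls=()):
        self.name = name
        self.requires = set(requires)
        self.calls = list(calls)


def missing_authorizations(granted, transaction):
    """Walk the transaction and everything it calls (breadth first) and return
    the (function, activity) pairs the user lacks; empty means the chain may run."""
    have = effective_activities(granted)
    missing, queue, seen = [], [transaction], set()
    while queue:
        fn = queue.pop(0)
        if fn.name in seen:
            continue
        seen.add(fn.name)
        missing.extend((fn.name, act) for act in sorted(fn.requires - have))
        queue.extend(fn.calls)
    return missing


def _execute(fn, log):
    log.append(fn.name)
    for called in fn.calls:
        _execute(called, log)


def run_transaction(granted, transaction):
    """Check the whole chain first, then execute it; returns the execution log.
    Raises PermissionError before any step has run if anything is missing."""
    problems = missing_authorizations(granted, transaction)
    if problems:
        raise PermissionError(problems)
    log = []
    _execute(transaction, log)
    return log


def sample_transaction():
    """Constructed chain: a payoff posts, cancels an earlier posting, and releases."""
    cancel_posting = BusinessFunction("cancel_posting", {"CANCEL"})
    release = BusinessFunction("release", {"RELEASE"})
    return BusinessFunction("payoff", {"POST"}, calls=[cancel_posting, release])
```

A user granted only POST passes the check for `payoff` and for `cancel_posting` (CANCEL is included in POST) but fails for `release`, and `run_transaction` refuses before executing anything; with POST and RELEASE the whole chain runs. Because the closure is computed once up front, the check reports every gap at the same time rather than stopping at the first one.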
To set up your authorization management for mortgage loans, you can use the following roles included in the delivery scope:
Role (Name): Scope
Loans Officer (SAP_CML_LOANS_OFFICER)
● Create, change, display, delete business partner
● Collateral value calculation, credit standing calculation and decision-making
● Maintain objects and securities
● Create contracts, or transfer from application or offer
● Enter disbursements
● Process correspondence
● Release loan (colleague or superior)
● Process business operations (such as charges, individual posting, payoff)
Credit Analyst (SAP_CML_CREDIT_ANALYST)
● Create, change, display, delete business partner
● Maintain loan enquiries, applications and offers
● Calculate credit standing
● Decision-making
● Maintain limits
● Calculate the collateral value
● Maintain objects and securities
Rollover Officer (SAP_CML_ROLLOVER_OFFICER)
● Loan rollover (individual and mass)
● Process correspondence
● Management of rollover file
● Maintain condition tables
Staff Accountant for Loans (SAP_CML_STAFF_ACCOUNTANT)
● Post transactions
● Clearing
● Create payments
● Post and monitor incoming payments
● Process waivers and write-offs
● Cancellation
● Accrual/deferral
● Valuation
● Generating accounting reports
Manager of Loans Department (SAP_CML_DEPARTM_MANAGER)
● Release
● Maintain condition tables
● Change limits
● Risk analysis
● Monitor file (rollover or process management)
● Monitor portfolio and portfolio trend using reports; reports and queries
Product Administrator (SAP_CML_PRODUCT_ADMIN)
● Update reference interest rates
● Maintain condition tables
● Maintain new business tables
Technical Administrator (SAP_CML_TECHNICAL_ADMIN)
● Perform mass runs (such as mass print run), set status of plan to completed, post planned records
● Currency conversion
● Update reference interest rates and currency rates
● Reorganization and data archiving
● Define queries, drilldown reporting forms and reports
● Maintain performance parameters
● Analyze change pointers
● Define export interfaces
You can assign these roles to the users in your company. Do not make any changes to the original roles, as these changes would be overwritten by the standard settings when the system is upgraded.
If you want to make adjustments, copy these roles. To do so, in the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Role Administration → Roles. Here you can group together authorizations for consumer loans into your own defined roles, and assign these to users in your departments, for example. In the first step you maintain the role menu. You can structure this yourself by adding and, if necessary, renaming files, transactions, and reports. In addition to manually grouping together the relevant transactions, you can also transfer these from the SAP menu or another role. You then maintain the authorizations for your role. The system proposes certain authorizations and their characteristics. You can also add more objects. Then you need to generate the authorization profile. Finally, you maintain the users who are to have the authorizations contained in the role. You can also use elements from organizational management, such as position in the organization. The advantage here is that you do not have to maintain the user assignment individually in each role if a person changes jobs. You can also use this function in release.
Network and Communication Security
Loans Management (FS-CML) does not communicate with other systems. The only exception is mySAP Customer Relationship Management (CRM), during the loan origination process. In this process CRM serves as the entry system and FS-CML as the backend system. Communication is by means of XI.
Data Storage Security
The security of sensitive data in Loans Management (such as loan contracts, consumer loans, collateral values, credit standing calculations, collateral) is guaranteed by the general authorization concept of Loans Management (FS-CML).
It is possible to display business partner data from Loans Management. You can use the authorization concept of central SAP Business Partner to protect this data.
For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.
Collateral Management (CM)
Purpose
The purpose of this guide is to explain the security-specific features built into SAP Collateral Management (CM).
To understand the security features provided in CM, you must read the SAP NetWeaver Application Server Security Guide (service.sap.com), which describes the basic security aspects and measures for SAP systems.
Authorizations
A multitude of standard roles are shipped with SAP Collateral Management (CM) in SAP ECC 6.0. These roles are examples only and must be adapted by customers to their own requirements.
Customers must not use the standard roles in their production systems without modification. Use the Profile Generator (transaction PFCG) to review the standard roles and to create additional roles.
The following roles are available in CM for banks:
Role   Purpose
SAP_FS_CMS_DISPLAY_ALL Displaying all the entity objects in CM.
SAP_FS_CMS_MAINTAIN_ALL Maintaining (Create, change and display only) all entity objects.
SAP_FS_CMS_MAINTAIN_ALL_PRC Executing all the process related activities in addition to maintenance of objects
SAP_FS_CMS_CUST_ALL Customizing
SAP_FS_CMS_ADMIN CM administrator role
SAP_FS_CMS_COL_AUDITOR Maintaining all the entity objects and the access to run all the reports in CM.
SAP_FS_CMS_CREDIT_MANAGER Displaying collateral objects and collateral agreements.
SAP_FS_CMS_CREDIT_RISK_MANAGER Maintaining collateral objects and collateral agreements and displaying receivables.
SAP_FS_CMS_LIQUIDATION_OFFICER Maintaining liquidation measures.
Authorization Objects in CM
Technical name   Name
CMS_PCN_02 Authorization for activities (change request mode)
CMS_PCN_01 Authorization for activities (normal mode)
CMS_OMS1 Authorization for all collateral objects other than real estate (replaces CMS_OMS from ECC 6.0 onwards)
CMS_OMS Authorization for all collateral objects other than real estate (obsolete from ECC 6.0 onwards)
CMS_CAG Authorization object for collateral agreements
CMS_RE Authorization object for real estate objects in CM.
CMS_RBL Authorization object for receivable in CM.
Characteristic-Based Authorizations
In Collateral Management, all objects must belong to an administration organizational unit. The authorization objects for collateral objects (real estate and other collateral objects) and collateral agreements are based on a combination of the administration organizational unit and the entity type (assigned using a process control key). For receivables, the authorizations are based on the receivable organizational unit, the receivable status, and the product. Authorizations for receivables apply only to receivables created in CM, including local copies of receivables from external credit systems.
For example, you can use the attribute administration organizational unit to differentiate between the objects of employees, VIP customers, and normal customers. You can also create objects in these organizational units as characteristics, which can then also be used to protect application data.
Network Communication and Security
The table below shows the communication paths used by SAP Collateral Management (CM), the protocol used for the connections, and the type of data transferred.
Communication Path   Protocol Used   Type of Data Transferred   Data Requiring Special Protection
Financial Customer Information System (FS-Business Partner)   RFC   Business partner master data
SAP Document Management System (DMS)   RFC   Document data
Loans Management (CML)   RFC   Loan data
SAP Business Information Warehouse (BIW)   IDoc and RFC   Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data
SAP Bank Analyzer (Basel II)   IDoc and RFC   Collateral agreements, collateral objects, charges, collateral agreement – receivable assignment and calculations data
The following RFC connections have to be set up to operate CM. Do not create the users for these connections as dialog users.
● RFC communication with the BW tool
● RFC communication within the BW tool
● RFC communication in the context of import methods for the client copy
The relevant authorization objects are: S_TABU_DIS, S_RS_ICUBE, S_RS_ADMWB, S_RS_ISOUR, S_BTCH_ADM, S_ADMI_FCD, S_BTCH_JOB, S_RS_ODSO, S_RS_ISET.
CM provides the following business application programming interfaces (BAPIs) for allowing external systems to connect to it:
● BAPI_CM_AST_GET_MULTI
● BAPI_CM_CAG_CREATE
● BAPI_CM_CAG_GETDETAIL_MULTI
● BAPI_CM_CAG_GET_BY_RBL
● BAPI_CM_GENLNK_RBL_ON_RBL_01
● BAPI_CM_GENLNK_RBL_ON_RBL_02
● BAPI_CM_SEC_GETDETAIL_MULTI
● BAPI_CM_RE_GETDETAIL_MULTI
● BAPI_CM_RIG_GETDETAIL_MULTI
● BAPI_CM_MOV_GETDETAIL_MULTI
BAPIs are standard SAP interfaces and are important for the technical integration and the exchange of business data between SAP components, and between SAP and non-SAP components. BAPIs enable you to integrate these components. They are therefore an important part of developing integration scenarios in which multiple components are connected to each other, either on a local network or over the internet.
BAPIs allow integration at the business level and not at the technical level. This provides for greater stability of the linkage and independence from the underlying communication technology.
The current requirement for BAPIs in CM caters mainly to the migration scenarios. Hence these BAPIs are not protected by special authorizations. Authorization checks for BAPIs can be provided (in the future releases), if there are requirements for them.
CM also provides an extensive enhancement concept that offers user exits in the form of Business Add-Ins (BADIs).
Network Security and Communication Channels
Collateral Management (CM) uses the same communication channels that are described in the SAP NetWeaver AS Security Guide. No further customer-specific communication channels are provided. Hence the aspects and actions described in the SAP NetWeaver AS Security Guide (such as the use of SAProuter in combination with a firewall, the use of Secure Network Communication (SNC), communication between front end and application server, and the connection to the database) also apply to CM.
Strategic Enterprise Management (SEM) for Banks
Authorizations
The following standard roles are available in Strategic Enterprise Management (SEM) for Banks:
Roles   Description
SEM-PA
SAP_ISB_PA_CONTROLLER_AG SAP Banking Profitability Analysis: Profitability Controller
SEM-MRA
SAP Treasury and Risk Management
SAP_CFM_RISK_CONTROLLER Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER Trade Controller
SAP_CFM_TREASURY_MANAGER Treasury Manager
Bank Applications
SAP_ISB_STRATEGIC_PLANNER_AG SAP Banking Asset Liability Management: Strategic Balance Sheet Planner
SAP_ISB_MAR_RISK_CONTROLLER_AG SAP Banking Risk Analysis: Market Risk Controller
SEM-KL
SAP Treasury and Risk Management
SAP_CFM_RISK_CONTROLLER Risk Controller
SAP_CFM_TM_TRADE_CONTROLLER Trade Controller
SAP_CFM_TREASURY_MANAGER Treasury Manager
SAP_CFM_ADMINISTRATOR Administrator
SAP_CFM_DEALER Treasury: Trader
SAP_CFM_LIMIT_MANAGER Limit Manager
For more information about the individual roles in SAP Treasury and Risk Management (TRM), see the SAP Library, under SAP ERP Central Component → Financials → SAP Treasury and Risk Management → Basic Functions → Roles in Treasury and Risk Management (TRM).
Bank Applications
SAP_ISB_CRE_RISK_CONTROLLER_AG SAP Banking Default Risk and Limit System: Default Risk Controller
SAP_ISB_CRE_RISK_MANAGER_AG SAP Banking Default Risk and Limit System: Default Risk Manager
SAP_ISB_CRE_RISK_TRADER_AG SAP Banking Default Risk and Limit System: Trader
In addition, take account of the following activities in the SAP Customizing Implementation Guide (IMG):
● for SEM-PA:
Under SAP Banking → SEM Banking → Profitability Analysis → Tools → Authorization Management
● for SEM-MRA:
Under SAP Banking → SEM Banking → Common Settings for Market Risk and Asset/Liability Management → Maintain Authorizations/Profiles/Users
Network and Communication Security
● Transfer of external data
You can use external data transfer to transfer bank transactions not performed via SAP transactions to the SAP system.
Transfer takes place via Remote Function Call (RFC).
● Transfer of market data
Market data for a risk analysis is transferred to the SAP system via a datafeed.
mySAP ERP2005 contains SEM extractors. These extractors are business application programming interfaces (BAPIs) for selected business data, market data, and SEM's own data (financial objects, limit definitions, cash flows). They can also be used as utilities for integration with systems for Basel II/IAS.
These BAPIs are delivered to customers, but they have not been released officially. There is no documentation available for the SEM extractors, only SAP Notes; the collective note on this subject is note 608292.
The SEM extractors contain no authorization checks at all. Therefore, until the interface has been released officially, a customer-specific authorization concept must be created if these extractors are used. In this case, customers must use the Modification Assistant to implement suitable authorization checks themselves. As the interface has not been released officially, SAP bears no responsibility for missing authorization checks.
Communication Destinations
Some evaluations in SEM Banking will normally be started by customers as batch processing. This applies particularly to drilldown reports and the calculation of key figures of the results databases. If this batch processing is started by a technical user, only the authorizations for the relevant transaction are required. You can use transaction SU22 to determine these authorizations.
If the workflow is activated when limits are exceeded, the sender of the workflow must have the authorization S_OC_SEND. To make this assignment, execute the IMG activity Assign Senders of Workflows to Recipients in the SAP Customizing Implementation Guide (IMG) under Financial Supply Chain Management → Treasury and Risk Management → Credit Risk Analyzer → Basic Settings → Assignments → Assignment of Senders to Recipients.
Data Storage Security
The data in Strategic Enterprise Management (SEM) for Banks can be regarded as being not particularly sensitive.
However, from Strategic Enterprise Management (SEM) for Banks you can access business information of other components, including:
● Bank Customer Accounts (BCA)
● Loans Management (CML)
This access is protected in that the authorization for the relevant transaction is checked.
Display of risk key figures is always performed on the basis of a summarization of multiple financial transactions. Users can access a detailed view to see the transactions in question. In doing so, the display transactions of the corresponding components are called. A user can only display business transactions if he or she has the corresponding authorization for this business.
You can also use the authorization objects of Strategic Enterprise Management (SEM) for Banks to ensure that users cannot draw conclusions on financial transactions indirectly (by selecting specific parameters of risk evaluation). For example, you can use authorization object T_RMCHAR_V to restrict the financial transactions for which users can perform certain risk evaluations. This authorization is then used in the display of stored key figure values.
However, these authorization objects are not applied to the SEM extractors. If you use SEM extractors, you must use the modification assistant to implement suitable authorization checks yourself.
Reserve for Bad Debt (FS-RBD)
Authorizations
The procedure of the authorization concept used by Reserve for Bad Debt (FS-RBD) is the same as that of the SAP authorization concept.
The authorization checks in FS-RBD differentiate between the following dimensions:
● Activities:
You use the activity to control what a user is permitted to do. For example:
○ Create an RBD account
○ Post value adjustment proposals
○ Display evaluations
● Organization
The organization at RBD area level determines which data the user is permitted to display or process.
Standard Profile
In FS-RBD you do not use RBD-specific profiles, but the standard profiles delivered with every SAP system.
The standard profiles are as follows:
Profile   Description
S_A.SYSTEM Authorizations for the basis system only
S_A.ADMIN Authorizations for the administration of the operational SAP system, but without authorization for:
● ABAP/4 Development Workbench
● maintaining superusers
● maintaining the standard profiles beginning with “S_A”
S_A.DEVELOP Authorizations for developers working with ABAP/4 Development Workbench
S_A.CUSTOMIZ Authorizations for basis settings in the Customizing system.
S_A.USER Authorizations for end users (without authorization for SAP work areas)
Authorization Objects
Reserve for Bad Debt (FS-RBD) has the following authorization objects:
Critical combination: Creating and posting value adjustment proposals (planned records) within a role.
Authorization Object   Description   Authorization Field   Values Permitted for the Authorization Field
RBD_CUST   RBD: Customizing   Activity   16 (Execute)
RBD_EDIT   RBD Dialog & Batch   Activity   01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse), 91 (Reactivate)
RBD_EDIT   RBD Dialog & Batch   RBD area   According to RBD Customizing
RBD_REPO   RBD: Reporting   RBD area   According to RBD Customizing
Description of these authorization objects:
● The assignment of authorization object RBD_CUST with activity 16 gives the user authorization to use an RBD Customizing tool.
● The assignment of authorization object RBD_EDIT with activity 02 and RBD area 0005 enables the user to change data for an RBD account in the RBD area 0005.
● The assignment of authorization object RBD_EDIT with activities 02 and 10 and the RBD area 0004 enables the user to post planned records for an RBD account in the RBD area 0004.
● The assignment of the authorization object RBD_EDIT with the activities 02, 85, 91 and the RBD area 0003 enables a user to reverse actual records for an RBD account in RBD area 0003, and to reactivate a deactivated account in the RBD area 0003.
● The assignment of the authorization object RBD_REPO in RBD area 0006 enables a user to display the RBD standard evaluations for the data in the RBD area 0006.
Note that the activities Create Value Adjustment Proposals (Planned Records) and Post Value Adjustment Proposals (Planned Records) are possible within one role.
Use of RBD Authorization Objects
RBD_CUST
Program   Description   Permitted Activities
/IBS/MRB_CUST_KTOFI   RBD Tool Customizing: Duplicate Account Determination   16 (Execute)
RBD_EDIT
Program   Description   Permitted Activities
/IBS/MRB_SAPMKTO   RBD: Dialog account master data   01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse)
/IBS/MRB_EWB_UPDATE   CML Position monitoring update run   02 (Change), 10 (Post)
/IBS/MRB_KONTO_REACTIVATE   Reactivate RBD account   91 (Reactivate)
/IBS/MRB_LOG_POST   RBD Posting log   03 (Display)
/IBS/MRB_PEWB_REFRESH   RBD: CML Monitoring of arrears: Planned record generation (FIVA) and posting   10 (Post)
/IBS/MRB_PEWB_RESET   RBD: CML monitoring of arrears: Clearing actual records (reversal FIVA)   85 (Reverse)
RBD_REPO
Program   Description   Permitted Activities
/IBS/DRB_ENTWICKLUNG   RBD development list, development of reserve for bad debt position   According to RBD Customizing
/IBS/DRB_HINT_LIST   Position monitoring: List of notes   According to RBD Customizing
/IBS/DRB_REFERENZ   RBD Drilldown reporting with references   According to RBD Customizing
Definition of Customer-Specific Roles
The following information is required for the definition of customer-specific roles for functions in FS-RBD:
● SAP logon names of all employees that are to work in FS-RBD
● RBD areas affected
● Decisions as to which employee is permitted to execute which functions in the RBD Tool
To avoid having to assign a separate role for each employee, we recommend that you form groups of employees that are permitted to execute the same functions. You can then assign a defined role to all of the employees in the group.
Example of generation of user-specific roles:
Activities:
RBD area   Activity   Employee   Role in SAP
All   All   Adams   RBD_ALLES
All   Customizing: Duplicate Account Determination   Armstrong   RBD_CUST
1   Create, change, and display RBD account   Miller   RBD_SACH_01
1   Create, change, and display RBD account   Martin   RBD_SACH_01
1   Create, change, and display RBD account   Smith   RBD_SACH_01
1   Change RBD account, post planned records   Glenn   RBD_BUCH_01
1   Change RBD account, post planned records   O’Hara   RBD_BUCH_01
1   Change RBD account, reverse actual records   Glenn   RBD_STOR_01
1   Change RBD account, reverse actual records   Bertolini   RBD_STOR_01
1   Display evaluations   Santos   RBD_AUSWERT_01
1   Display evaluations   Hunter   RBD_AUSWERT_01
1   Display evaluations   Miller   RBD_AUSWERT_01
1   Display evaluations   Martin   RBD_AUSWERT_01
1   Display evaluations   Smith   RBD_AUSWERT_01
2   Create, change, and display RBD account   Nielsen   RBD_SACH_02
2   Create, change, and display RBD account   Moore   RBD_SACH_02
2   Create, change, and display RBD account   Smith   RBD_SACH_02
2   Change RBD account, post planned records   Glenn   RBD_BUCH_02
2   Change RBD account, post planned records   O’Hara   RBD_BUCH_02
2   Change RBD account, reverse actual records   Glenn   RBD_STOR_02
2   Change RBD account, reverse actual records   Nielsen   RBD_STOR_02
2   Display evaluations   Santos   RBD_AUSWERT_02
2   Display evaluations   Hunter   RBD_AUSWERT_02
2   Display evaluations   Nielsen   RBD_AUSWERT_02
2   Display evaluations   Moore   RBD_AUSWERT_02
2   Display evaluations   Smith   RBD_AUSWERT_02
Roles:
Role in SAP   RBD Authorization Object Required   Authorization Field   Field Value
RBD_ALLES RBD_CUST ACTVT *
RBD_ALLES RBD_EDIT ACTVT *
RBD_ALLES RBD_EDIT RBDID *
RBD_ALLES RBD_REPO ACTVT *
RBD_CUST RBD_CUST ACTVT 16
RBD_SACH_01 RBD_EDIT ACTVT 1,2,3
RBD_SACH_01 RBD_EDIT RBDID 1
RBD_BUCH_01 RBD_EDIT ACTVT 2,10
RBD_BUCH_01 RBD_EDIT RBDID 1
RBD_STOR_01 RBD_EDIT ACTVT 2,85
RBD_STOR_01 RBD_EDIT RBDID 1
RBD_AUSWERT_01 RBD_REPO RBDID 1
RBD_SACH_02 RBD_EDIT ACTVT 1,2,3
RBD_SACH_02 RBD_EDIT RBDID 2
RBD_BUCH_02 RBD_EDIT ACTVT 2,10
RBD_BUCH_02 RBD_EDIT RBDID 2
RBD_STOR_02 RBD_EDIT ACTVT 2,85
RBD_STOR_02 RBD_EDIT RBDID 2
RBD_AUSWERT_02 RBD_REPO RBDID 2
As a result, roles are assigned to the user master records as follows:
Employee Role in SAP
Armstrong RBD_CUST
Bertolini RBD_STOR_01
Adams RBD_ALLES
Glenn RBD_BUCH_01
Glenn RBD_STOR_01
Glenn RBD_BUCH_02
Glenn RBD_STOR_02
O’Hara RBD_BUCH_01
O’Hara RBD_BUCH_02
Hunter RBD_AUSWERT_01
Hunter RBD_AUSWERT_02
Martin RBD_SACH_01
Martin RBD_AUSWERT_01
Moore RBD_SACH_02
Moore RBD_AUSWERT_02
Miller RBD_SACH_01
Miller RBD_AUSWERT_01
Nielsen RBD_SACH_02
Nielsen RBD_STOR_02
Nielsen RBD_AUSWERT_02
Smith RBD_SACH_01
Smith RBD_AUSWERT_01
Smith RBD_SACH_02
Smith RBD_AUSWERT_02
Santos RBD_AUSWERT_01
Santos RBD_AUSWERT_02
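The two tables above (the roles with their authorization values, and the user master record assignments) can be turned into an automated check. The following Python script is an added example and is not part of the SAP guide: it loads the guide's roles and assignments, evaluates an authorization check for a user (a single authorization must satisfy every requested field; activity and RBD area values are normalized so that 01 and 1 denote the same value; * is the full authorization), and then searches for the critical combination the guide names, creating (01) and posting (10) value adjustment proposals in the same RBD area. It goes one step further than the guide, which mentions the combination within one role, by checking it across all roles assigned to a user. The rule that fields are matched within one authorization and never combined across roles, and the treatment of a missing field as not granted, are this example's assumptions about SAP authorization semantics, not statements taken from the guide.

```python
from collections import defaultdict

# Roles table from the guide: (role, authorization object, field, values);
# values are comma-separated as in the guide, "*" is the full authorization.
ROLE_AUTHORIZATIONS = [
    ("RBD_ALLES", "RBD_CUST", "ACTVT", "*"), ("RBD_ALLES", "RBD_EDIT", "ACTVT", "*"),
    ("RBD_ALLES", "RBD_EDIT", "RBDID", "*"), ("RBD_ALLES", "RBD_REPO", "ACTVT", "*"),
    ("RBD_CUST", "RBD_CUST", "ACTVT", "16"),
    ("RBD_SACH_01", "RBD_EDIT", "ACTVT", "1,2,3"), ("RBD_SACH_01", "RBD_EDIT", "RBDID", "1"),
    ("RBD_BUCH_01", "RBD_EDIT", "ACTVT", "2,10"), ("RBD_BUCH_01", "RBD_EDIT", "RBDID", "1"),
    ("RBD_STOR_01", "RBD_EDIT", "ACTVT", "2,85"), ("RBD_STOR_01", "RBD_EDIT", "RBDID", "1"),
    ("RBD_AUSWERT_01", "RBD_REPO", "RBDID", "1"),
    ("RBD_SACH_02", "RBD_EDIT", "ACTVT", "1,2,3"), ("RBD_SACH_02", "RBD_EDIT", "RBDID", "2"),
    ("RBD_BUCH_02", "RBD_EDIT", "ACTVT", "2,10"), ("RBD_BUCH_02", "RBD_EDIT", "RBDID", "2"),
    ("RBD_STOR_02", "RBD_EDIT", "ACTVT", "2,85"), ("RBD_STOR_02", "RBD_EDIT", "RBDID", "2"),
    ("RBD_AUSWERT_02", "RBD_REPO", "RBDID", "2"),
]

# User master record assignments from the guide's "Employee / Role in SAP" table.
USER_ROLES = [
    ("Armstrong", "RBD_CUST"), ("Bertolini", "RBD_STOR_01"), ("Adams", "RBD_ALLES"),
    ("Glenn", "RBD_BUCH_01"), ("Glenn", "RBD_STOR_01"), ("Glenn", "RBD_BUCH_02"),
    ("Glenn", "RBD_STOR_02"), ("O'Hara", "RBD_BUCH_01"), ("O'Hara", "RBD_BUCH_02"),
    ("Hunter", "RBD_AUSWERT_01"), ("Hunter", "RBD_AUSWERT_02"),
    ("Martin", "RBD_SACH_01"), ("Martin", "RBD_AUSWERT_01"),
    ("Moore", "RBD_SACH_02"), ("Moore", "RBD_AUSWERT_02"),
    ("Miller", "RBD_SACH_01"), ("Miller", "RBD_AUSWERT_01"),
    ("Nielsen", "RBD_SACH_02"), ("Nielsen", "RBD_STOR_02"), ("Nielsen", "RBD_AUSWERT_02"),
    ("Smith", "RBD_SACH_01"), ("Smith", "RBD_AUSWERT_01"),
    ("Smith", "RBD_SACH_02"), ("Smith", "RBD_AUSWERT_02"),
    ("Santos", "RBD_AUSWERT_01"), ("Santos", "RBD_AUSWERT_02"),
]

KNOWN_AREAS = ("1", "2")  # RBD areas used in the guide's example


def normalize(value):
    """'01' and '1' (or '0005' and '5') denote the same activity/area; '*' matches all."""
    return value if value == "*" else (value.lstrip("0") or "0")


def build_roles(rows=ROLE_AUTHORIZATIONS):
    """role -> authorization object -> field -> set of permitted (normalized) values."""
    roles = defaultdict(lambda: defaultdict(dict))
    for role, obj, field, values in rows:
        roles[role][obj][field] = {normalize(v.strip()) for v in values.split(",")}
    return roles


ROLES = build_roles()


def check(role_names, obj, **fields):
    """Simplified authority check (assumption modelled on SAP behaviour, not the
    guide's text): succeeds if ONE role's authorization for obj satisfies every
    requested field. Fields are never combined across roles, and a field missing
    from the authorization counts as not granted."""
    for role in role_names:
        auth = ROLES.get(role, {}).get(obj)
        if auth is None:
            continue
        if all(field in auth and ("*" in auth[field] or normalize(value) in auth[field])
               for field, value in fields.items()):
            return True
    return False


def user_roles(user, assignments=USER_ROLES):
    return [role for u, role in assignments if u == user]


def has_authorization(user, obj, **fields):
    return check(user_roles(user), obj, **fields)


def critical_areas(role_names, areas=KNOWN_AREAS):
    """RBD areas in which the given roles allow both creating (01) and posting (10)
    value adjustment proposals: the critical combination named in the guide."""
    return [area for area in areas
            if check(role_names, "RBD_EDIT", ACTVT="01", RBDID=area)
            and check(role_names, "RBD_EDIT", ACTVT="10", RBDID=area)]


def audit_critical_combinations(assignments=USER_ROLES):
    """user -> areas with the critical combination, evaluated over ALL of the user's roles."""
    findings = {}
    for user in sorted({u for u, _ in assignments}):
        areas = critical_areas(user_roles(user, assignments))
        if areas:
            findings[user] = areas
    return findings


if __name__ == "__main__":
    print(has_authorization("Glenn", "RBD_EDIT", ACTVT="10", RBDID="1"))  # True
    print(audit_critical_combinations())  # {'Adams': ['1', '2']}
```

Run against the guide's data, the audit reports only Adams, whose RBD_ALLES role carries * in both ACTVT and RBDID. Every other employee is clean, because the creating roles (RBD_SACH_*) and the posting roles (RBD_BUCH_*) are never assigned together for the same area. Because the area field is part of the check, a combination such as RBD_SACH_01 with RBD_BUCH_02 is not flagged: that user can create in area 1 and post in area 2, but cannot do both in one area.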
Network and Communication Security
In Reserve for Bad Debt (FS-RBD) the following systems communicate with each other:
● Enterprise Resource Planning (ERP) with Loans Management (FS-CML)
● ERP with Deposits Management (FS-AM)
● ERP with Collateral Management System (FS-CMS)
● ERP with Flexible General Ledger/Financials (FLEXGL/FI)
Communication takes place via Remote Function Call (RFC).
Communication Destinations
Technical users are required for Remote Function Call (RFC) connections to Deposits Management (FS-AM).
These technical users require read authorization (for reading balances and account master data, for example).
Trace and Log Files
The change documents (master data from the source system) can be used as trace or log files that contain security-relevant information.
Incentive and Commission Management (ICM)
For detailed information about security in Incentive and Commission Management (ICM), see the security guide for Incentive and Commission Management in the SAP Library under Security → mySAP ERP Security Guides.
Statutory Reporting for Insurance (FS-SR)
Authorizations
Authorizations are assigned using the authorization objects from the authorization object class ISSR.
Data Storage Security
Sensitive data, such as financial transactions, is protected from unauthorized access using the authorization objects in the authorization object class ISSR.
Real Estate Management
Authorizations
Standard Roles of Real Estate Management
Roles Description
SAP_RE_APPL Real Estate Specialist
SAP_RE_CONTROLLER_AND_PLANER RE Controller
SAP_RE_CONTROLLING_ANALYST RE Controlling Analyst
SAP_RE_LESSEE_CONTRACT_SUPPORT Lessee Contract Support
SAP_RE_LESSOR_CONTRACT_SUPPORT Lessor Contract Support
SAP_RE_MASTER_DATA_ANALYST Master Data Analyst
SAP_RE_MASTER_DATA_SUPPORT Master Data Support
SAP_RE_RENT_LEVEL_EXPERT Rent Level Expert
SAP_RE_RENTAL_ACC_SUPPORT Rental Account Support
SAP_RE_SC_SUPPORT Service Charge Support
Network and Communication Security
External heating expenses settlement is available in Real Estate Management. To make this settlement possible, the necessary files must be generated in the SAP system in an internal SAP format. You then need to send the data medium to the settlement company.
Trace and Log Files
The change documents provide information on changes to the authorization group and to the person responsible for the object.
Public Sector Management
Authorizations
Standard Roles for Public Sector Management (PSM)
Role Name
SAP_IS_PS_CENTRAL_FUNCTION Funds Management Central Function
SAP_IS_PS_PO_CONSUMPTION Postings: Consume Funds
SAP_IS_PS_MD_STRUCTURE Master Data Funds Management: Maintain Structure
SAP_IS_PS_DECK_CREA Cover Eligibility: Rule Maintenance
SAP_IS_PS_BCS_AVC_TOOLS Availability Control - Tools
SAP_IS_PS_BU_RULES Maintain Budget Rules
SAP_IS_PS_BCS_BUD_TOOLS Budgeting - Tools
SAP_IS_PS_PO_RECONCILE Reconciling Data with Feeder Applications
SAP_IS_PS_BCS_BUD_MAINTENANCE Maintain Budget Data
SAP_IS_PS_BCS_BUD_PLANNING Plan Budget Data
SAP_IS_PS_BCS_DISPLAY Display Budget Values (BCS)
SAP_IS_PS_BCS_STATUS_MAINTAIN Budgeting – Assign Status
SAP_IS_PS_BCS_STRUCT_DEF Maintain Budget Structure
SAP_IS_PS_BCS_STRUCT_TOOLS Budget Structure - Tools
SAP_IS_PS_BU_CONTROL Controlling Budget Execution
SAP_IS_PS_BU_DISPLAY Budget Values Display
SAP_IS_PS_BU_PLANNING Budget Planning
SAP_IS_PS_BU_UPDATE Update Budget: Transactions
SAP_IS_PS_BU_UPDATE_TOOLS Update Budget: Tools
SAP_IS_PS_BU_UPDATE_VERSION Update Budget: Edit Versions
SAP_IS_PS_CASH_DESK Payment at Cash Desk
SAP_IS_PS_CF_BU_EXECUTE Execute Budget Carryforward
SAP_IS_PS_CF_BU_PREPARE Prepare Budget Carryforward
SAP_IS_PS_CF_CHECK Check Budget Closing
SAP_IS_PS_CF_OI_EXECUTE Carry Forward Consumable Budget
SAP_IS_PS_CF_OI_PREPARE Prepare Carryforward of Consumable Budget
SAP_IS_PS_DECK_DISP Display Data for Reporting and Master Data Cover Eligibility
SAP_IS_PS_MD_DISPLAY Funds Management Master Data: Display Functions
SAP_IS_PS_MD_ZUOB Funds Management Master Data: Assignment to CO Structures
SAP_IS_PS_PO_COMMITMENTS Postings: Commit Funds
SAP_IS_PS_PO_CONSUMPTION_DISP Postings: Consumed Funds Display
SAP_IS_PS_PO_FOR Postings: Forecast of Revenue
SAP_IS_PS_PO_TRANSFERS Postings: Transfer Consumable Budget
Public Sector Management uses the naming conventions SAP_FI_GM_* and SAP_IS_PS_* for its roles.
Standard Roles for Grants Management (PSM-GM)
Role   Name   Function
SAP_FI_GM_GRANT_ANALYST   Grants Management: Grant Analyst   Master data maintenance, execution of reports
SAP_FI_GM_GRANT_MANAGER   Grants Management: Grant Manager   New entry, check, and approval of master data, execution of billing program
SAP_FI_GM_PROGRAM_ANALYST   Grants Management: Program Analyst   Creation of master data, processing of proposals and budget
SAP_FI_GM_PROGRAM_MANAGER   Grants Management: Program Manager   Check and approval of proposals and budget
SAP_FI_GM_PROJECT_MANAGER   Grants Management: Project Manager   Management of grants and budget, execution of reports
Standard Roles for Grantor Management (PSM-GM)
Role   Name   Function
SAP_PSM_GTR_PROGRAM_MANAGER   Instructor for Grantor Program Management   The main task of the instructor for Grantor Program Management is to look after the scenarios of Grantor Management. The instructor not only works with CRM transactions but is also responsible for creating budget for the grantor programs in PSM and for processing accounting transactions in Public Sector Contract Accounting. Additional tasks in this area are master data maintenance, reporting, and archiving.
SAP_PSM_GTR_PROGRAM_CLERK   Clerk for Grantor Program Management   The main task of the clerk for Grantor Program Management is the processing of scenarios in Grantor Management. The clerk not only works with CRM transactions for Grantor Management but also accesses budget, PSM master data, and business partner data in Public Sector Contract Accounting. A user in this role is also authorized to execute PSM reports.
Standard Roles for Expenditure Certification (PSM-EC)
Expenditure Certification (PSM-EC) is available on the portal and contains the following portal roles:
Role Name Function
com.sap.pct.erp.expcert.certif_manager   Certification manager   The certification manager manages the data for the project (such as budget, deadlines, links to financing sources, and the progress of the project), checks the budget consumption of the projects and financing sources, monitors all certificates, and issues approval for a certification run.
com.sap.pct.erp.expcert.cert_admin   Certification accountant   The certification accountant executes the certification run for financing sources and forwards the provisional certification results to the people responsible for further checks; the accountant also makes manual changes in certifications and saves the closing version of a certification.
Authorization Objects for Grants Management (PSM-GM)
Authorization object Name
F_FIGM_BUD Grants Management: Authority for Budget
F_FIGM_CLS Grants Management: Authority for Class
F_FIGM_GNG GM: Grant Groups
F_FIGM_GNT Grants Management: Authority for Grant
F_FIGM_PRG Grants Management: Authority for Programs
F_FIGM_SCG GM: Sponsored Class Groups
F_FIGM_SPG GM: Sponsored Program Groups
The master data objects and business processes of Grants Management are protected by standard authorization objects.
US Federal Government uses the authorization concept of the components that it uses, such as Funds Management and Materials Management. See also the documentation for Funds Management on the SAP Help Portal at help.sap.com → SAP ERP Central Component → Accounting → Public Sector Management → Funds Management → Authorizations.
Authorization Objects for Grantor Management (PSM-GM)
Authorization object Name
F_PSM_DRUL Rules of Account Assignment Derivation
F_PSM_DSTR Strategy of Account Assignment Derivation
Authorization Objects for Expenditure Certification (PSM-EC)
Authorization object Name
F_PSMEC_CR Expenditure certification: Certification Run
F_PSMEC_FS Expenditure Certification: Financing Source
F_PSMEC_OP Expenditure Certification: Operation
F_PSM_DSTR Strategy of Account Assignment Derivation
F_PSM_DRUL Rules of Account Assignment Derivation
Network and Communication Security
Public Sector Management communicates with the following components:
● Human Capital Management (HCM) as part of the scenario Position Budgeting and Control
● SAP Enterprise Buyer (EBP)
● Customer Relationship Management (CRM) as part of the Scenario Grantor Management
The communication with these internal SAP components takes place via Remote Function Call (RFC). See the corresponding sections in the RFC/ICF Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Aspects for Connectivity and Interoperability.
The US Federal Government has both payment and collection outbound interfaces at its disposal for Treasury Confirmation and Intragovernment Payment and Collections (IPAC). These outbound interfaces use payment methods and flat files.
The inbound interface of the Central Contractor Registration (CCR) uses IDocs.
Expenditure certification (PSM-EC) communicates with the:
● Portal which displays the Workcenter
● Backend system in which the FI invoice documents were certified
● System in which the launchpad is configured (logical system SAP_R3_SelfServiceGenerics). This system can be the same as the backend system.
For registering portal users in the backend system, we recommend that the user is assigned in both the portal and the backend system. In other words, the user ID of a user in the portal and the backend system should match.
Data Storage Security
Public Sector Management supports payments by payment card. As this process does not have a key role in Public Sector Management and customers have not yet required the encryption of card numbers, Public Sector Management does not provide encryption for payment card numbers at the moment.
More Security Information
Authorization checks only take place in Public Sector Management and Funds Management when the authorization group of a master data object is entered. To ensure that an adequate check is carried out, SAP recommends that you define the affected fields as required entry fields in the field status control. You define this setting in the implementation guide of Public Sector Management:
● Funds Management-Specific Postings → Earmarked Funds and Funds Transfers → Field Control for Earmarked Funds and Funds Transfers → Define Field Status Variant/Assign Field Status Variant to Company Code/Define Field Status Groups
● Actual and Commitment Update/Integration → Integration → Maintain Field Status for Assigning FM Account Assignments
For more information, see the documentation on Funds Management on the SAP Help Portal at help.sap.com → ERP Central Component → Accounting → Public Sector Management.
For Grants Management, note the following system settings in the implementation guide of Public Sector Management, under Funds Management Government → Master Data → Grant:
● GM Grant Control: Field Group for Authorizations
● Maintain Grant Authorization Types
● Maintain Grant Authorization Groups
You can enhance the authorization concept using the following BAdI:
BAdI Name
GM_AUTHORITY_CHECK Grants Management: Authorization Check
GM_BILL_AUTHORITY GM: User authorization for billing for DP90 in GM
GM_POST_AUTHORITY Grants Management coding block authorization check
Logistics
Materials Management (MM)
Purchasing and Service Industries (MM-PUR, MM SRV)
Authorizations
Standard Roles
You can implement the following standard roles for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) in the SAP Enterprise Portal:
● Description: Purchasing Agent
● Technical name: pcd:portal_content/com.sap.pct/specialist/com.sap.pct.purch.purchasingagent/com.sap.pct.purch.roles/com.sap.pct.purch.purchasingAgent
Note that this is a role that can only be used in the SAP Enterprise Portal. There are no corresponding roles in the SAP ECC backend.
Profile
The following table shows security-relevant profiles used by the components Purchasing and Service Industries.
Profiles: Purchasing, Service Industries
Profile Description
July 2007
SAP ERP Central Component Security Guide 112
M_ANFR_ALL MM Purchasing – RFQs: Maintenance Authorization
M_ANFR_ANZ MM Purchasing – RFQs: Display Authorization
M_ANGE_ALL MM Purchasing: Quotations: Maintenance Authorization
M_ANGE_ANZ MM Purchasing: Quotations: Display Authorization
M_BANF_ALL MM Purchasing – Requisitions: Maintenance Authorization
M_BANF_ANZ MM Purchasing: Requisitions: Display Authorization
M_BEST_ALL MM Purchasing – Purchase Orders: Maintenance Authorization
M_BEST_ANZ MM Purchasing: Purchase Orders: Display Authorization
M_EBEL_ANZ MM Purchasing – Display Order Documents
M_EINF_ALL MM Purchasing: Info Records: Maintenance Authorization
M_EINF_ANZ MM Purchasing: Info Records: Display Authorization
M_EINK_ALL MM Purchasing – Complete: Maintenance Authorizations
M_EINK_ANZ MM Purchasing – Complete: Display Authorizations
M_LPET_ALL MM Purchasing: Sched. Agmt. Delivery Schedules: Maint. Auth.
M_LPET_ANZ MM Purchasing: Sched. Agmt. Delivery Schedules: Displ. Auth.
M_RAHM_ALL MM Purchasing: Outline Agreements: Maintenance Authorization
M_RAHM_ANZ MM Purchasing: Outline Agreement: Display Authorization
M_SRV_ALL Service Master Data: All Authorizations
Standard Authorization Objects
The following table shows the security-relevant authorization objects used by the components Purchasing and Service Industries.
Standard Authorization Objects: Purchasing, Service Industries
Authorization Object Description
M_AMPL_ALL Approved Manufacturer Parts List
M_AMPL_WRK Approved Manufacturer Parts List - Plant
M_ANFR_BSA Document Type in RFQ
M_ANFR_EKG Purchasing Group in RFQ
M_ANFR_EKO Purchasing Organization in RFQ
M_ANFR_WRK Plant in RFQ
M_ANGB_BSA Document Type in Quotation
M_ANGB_EKG Purchasing Group in Quotation
M_ANGB_EKO Purchasing Organization in Quotation
M_ANGB_WRK Plant in Quotation
M_BANF_BSA Document Type in Purchase Requisition
M_BANF_EKG Purchasing Group in Purchase Requisition
M_BANF_EKO Purchasing Organization in Purchase Requisition
M_BANF_FRG Release Code in Purchase Requisition
M_BANF_WRK Plant in Purchase Requisition
M_BEST_BSA Document Type in Order
M_BEST_EKG Purchasing Group in Purchase Order
M_BEST_EKO Purchasing Organization in Purchase Order
M_BEST_WRK Plant in Purchase Order
M_EINF_EKG Purchasing Group in Purchasing Info Record
M_EINF_EKO Purchasing Organization in Purchasing Info Record
M_EINF_WRK Plant in Purchasing Info Record
M_EINK_FRG Release Code and Group (Purchasing)
M_LFM1_EKO Purchasing Organization in Vendor Master Record
M_LIBE_EKO Vendor Evaluation
M_LPET_BSA Document Type in Scheduling Agreement Delivery Schedule
M_LPET_EKG Purchasing Group in Scheduling Agreement Delivery Schedule
M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
M_LPET_WRK Plant in Scheduling Agreement Delivery Schedule
M_ORDR_EKO Purchasing Organization in Source List
M_ORDR_WRK Plant in Source List
M_QUOT_EKO Purchasing Organization (Quotas)
M_QUOT_WRK Plant (Quotas)
M_RAHM_BSA Document Type in Outline Agreement
M_RAHM_EKG Purchasing Group in Outline Agreement
M_RAHM_EKO Purchasing Organization in Outline Agreement
M_RAHM_WRK Plant in Outline Agreement
M_SRV_LS Authorization for Maintenance of Service Master
M_SRV_LV Authorization for Maintenance of Model Serv. Specifications
M_SRV_ST Authorization for Maintenance of Standard Service Catalog
S_ME_SYNC Mobile Engine: Synchronization of Offline Applications
V_KONH_EKO Purchasing Organization in Master Condition
Network and Communication Security
General
Your network infrastructure is extremely important in protecting your system. All special aspects that are relevant for the network and communication security of the components Purchasing (MM-PUR) and Service Industries (MM-SRV) are described below. See also the information about SAP ECC under Network and Communication Security [Page 17].
Communication Channel Security
The table below shows the communication paths used by the Purchasing and Service Industries components, the protocol used for each connection, the type of data transferred, and the data that requires special protection.
Communication Paths
● SAP ECC system – Non-SAP system
Protocol used: RFC, HTTP
Type of data transferred: Application data/IDocs (messages for store order, store goods receipt, outgoing purchase order)
Data requiring special protection: -
● SAP ECC system – Adobe Document Services (ADS)
Protocol used: HTTP
Type of data transferred: Application data (printer output from ERP purchasing, for example, purchase order printout)
Data requiring special protection: Prices, delivery and payment conditions, and contract numbers, for example; it must be possible to transfer these encrypted. The necessary security measures depend on whether you have installed ADS behind or in front of the firewall.
● Supplier Portal (mySAP Supplier Relationship Management) → SAP ECC system
Protocol used: RFC, HTTP
Type of data transferred: Application data (purchase order confirmations) for Supplier Self-Service (SUS)
Data requiring special protection: Quantities, dates, prices
● SAP ECC system – SAP APO system
Protocol used: RFC
Type of data transferred: Application data (conditions/purchase orders)
Data requiring special protection: Depends on whether you have placed SAP SCM and SAP ECC in front of, or behind, the firewall.
● SAP ECC system – SAP SCM system (Event Manager)
Protocol used: RFC
Type of data transferred: Application data
Data requiring special protection: Quantities, dates
You can protect RFC connections using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information about encryption, see:
● General information about encryption
SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security
● Encryption of ALE data
SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)
● Encryption via SUS output
mySAP SRM Application security guide on SAP Service Marketplace at service.sap.com/securityguide → mySAP Supplier Relationship Management (SRM) Security Guide → Network and Communication Security
For more information about communication channel security between SAP ECC systems and SAP Supply Chain Management systems (SAP SCM systems), see the SAP SCM security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide → Network and Communication Security.
Data Storage Security
Check whether pricing conditions are classified as sensitive data in your organization. You can restrict access to conditions with the following authorization objects:
Authorization Objects for Conditions
Authorization Object Description
V_KONH_EKO Purchasing Organization in Master Condition
V_KONH_VKS Condition: Authorization for Condition Types
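The tables above list the purchasing and condition authorization objects but not how to find roles that grant them too broadly. The following Python script is an added example, not SAP code and not part of this guide: it reads role authorization data in the column layout of table AGR_1251 (role, object, authorization name, field, low value, high value) and flags every authorization that combines a maintenance activity (ACTVT 01, 02 or 06) on one of these objects with an unrestricted organizational value (*). It also answers the question an AUTHORITY-CHECK would answer for a given role, plant or purchasing organization, and activity. The field name carried by each object is assumed from the standard delivery of these objects and should be confirmed in SU21; the role names, authorization names and rows are constructed for illustration.

```python
"""Offline audit of role authorization data for the purchasing and condition
objects listed above. Added example, not SAP code. Input rows mimic the
columns of table AGR_1251; the rows below are constructed for illustration."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Organizational field carried by each object (assumed from the standard
# delivery of these objects; confirm in SU21 before relying on this table).
ORG_FIELD = {
    "M_BEST_WRK": "WERKS",  # plant in purchase order
    "M_BEST_EKO": "EKORG",  # purchasing organization in purchase order
    "M_BEST_EKG": "EKGRP",  # purchasing group in purchase order
    "M_BEST_BSA": "BSART",  # document type in purchase order
    "M_BANF_WRK": "WERKS",  # plant in purchase requisition
    "V_KONH_EKO": "EKORG",  # purchasing organization in master condition
    "V_KONH_VKS": "KSCHL",  # condition type in master condition
}
MAINTAIN = {"01", "02", "06"}  # create, change, delete
DISPLAY = {"03", "08", "09"}   # display, display change documents, display prices

# Constructed AGR_1251-style rows: (role, object, auth, field, low, high).
ROWS = [
    ("Z_MM_PO_DISPLAY", "M_BEST_WRK", "T-0001", "ACTVT", "03", ""),
    ("Z_MM_PO_DISPLAY", "M_BEST_WRK", "T-0001", "WERKS", "*", ""),
    ("Z_MM_PO_BUYER_1000", "M_BEST_WRK", "T-0002", "ACTVT", "01", ""),
    ("Z_MM_PO_BUYER_1000", "M_BEST_WRK", "T-0002", "ACTVT", "02", ""),
    ("Z_MM_PO_BUYER_1000", "M_BEST_WRK", "T-0002", "WERKS", "1000", "1099"),
    ("Z_MM_PO_BUYER_1000", "M_BEST_EKO", "T-0003", "ACTVT", "01", ""),
    ("Z_MM_PO_BUYER_1000", "M_BEST_EKO", "T-0003", "EKORG", "1000", ""),
    ("Z_MM_PO_BUYER_ALL", "M_BEST_WRK", "T-0004", "ACTVT", "*", ""),
    ("Z_MM_PO_BUYER_ALL", "M_BEST_WRK", "T-0004", "WERKS", "*", ""),
    ("Z_SD_PRICING", "V_KONH_VKS", "T-0005", "ACTVT", "02", ""),
    ("Z_SD_PRICING", "V_KONH_VKS", "T-0005", "KSCHL", "P*", ""),
    ("Z_SD_PRICING", "V_KONH_EKO", "T-0006", "ACTVT", "02", ""),
    ("Z_SD_PRICING", "V_KONH_EKO", "T-0006", "EKORG", "*", ""),
]


def value_matches(low, high, value):
    """Does a (low, high) entry cover `value`? '*' alone covers everything,
    a trailing '*' is a prefix pattern, a filled high value makes a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return fnmatchcase(value, low)
    return low == value


def collect(rows):
    """Group the (low, high) entries of each field per (role, object, auth)."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def activities(entries):
    """Expand ACTVT entries into the set of activity codes they grant."""
    acts = set()
    for low, high in entries:
        if low == "*":
            acts |= MAINTAIN | DISPLAY
        elif high:
            acts |= {a for a in MAINTAIN | DISPLAY if low <= a <= high}
        else:
            acts.add(low)
    return acts


def find_wildcard_maintenance(rows):
    """(role, object, field) triples where a maintenance activity is combined
    with an unrestricted organizational value. Prefix patterns such as 'P*'
    are not flagged here; review those by hand."""
    findings = []
    for (role, obj, _auth), fields in sorted(collect(rows).items()):
        org = ORG_FIELD.get(obj)
        if org is None or not (activities(fields.get("ACTVT", [])) & MAINTAIN):
            continue
        if any(low == "*" for low, _ in fields.get(org, [])):
            findings.append((role, obj, org))
    return findings


def can(rows, role, obj, actvt, org_value):
    """Would an AUTHORITY-CHECK on `obj` with this activity and organizational
    value pass for `role`? Fields are ANDed within one authorization, and the
    authorizations of the role are ORed."""
    org = ORG_FIELD[obj]
    for (r, o, _auth), fields in collect(rows).items():
        if (r, o) != (role, obj):
            continue
        if actvt in activities(fields.get("ACTVT", [])) and any(
            value_matches(lo, hi, org_value) for lo, hi in fields.get(org, [])
        ):
            return True
    return False


if __name__ == "__main__":
    for role, obj, org in find_wildcard_maintenance(ROWS):
        print(f"{role}: maintenance on {obj} with {org} = *")
```

On the constructed rows the audit reports Z_MM_PO_BUYER_ALL (full access to M_BEST_WRK for every plant) and Z_SD_PRICING (change access to master conditions for every purchasing organization), while the buyer restricted to plants 1000 to 1099 and the display-only role pass. Feed it a real AGR_1251 download to get the same list for your system.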
Inventory Management (MM-IM): Authorizations
Standard Roles
The following table shows the standard roles that you can use for the Inventory Management (MM-IM) component.
Standard Roles
Role Description
SAP_MM_IM_ARCHIVING Archive Material Documents
SAP_MM_IM_BALANCE_LIST GR/IR Balance List
SAP_MM_IM_CYCLE_COUNTING Cycle Counting
SAP_MM_IM_DISPLAY List Display
SAP_MM_IM_GM_FOR_RETAIL Goods Movement (Retail)
SAP_MM_IM_GOODS_MOVEMENTS Goods Movement
SAP_MM_IM_GOODS_MOVEMENT_EMPTY Goods Movement
SAP_MM_IM_INVENTORY_ARCHIVE Physical Inventory Archiving
SAP_MM_IM_INVENTORY_CONTROL Physical Inventory
SAP_MM_IM_INVENTORY_EXECUTION Physical Inventory Execution
SAP_MM_IM_INVENTORY_REPORTING Physical Inventory - Reporting
SAP_MM_IM_INVENTORY_SAMPLING Physical Inventory Sampling
SAP_MM_IM_PERIODIC_PROCESSING Periodic Processing
SAP_MM_IM_REPORTS Reports
SAP_MM_IM_RESERVATION_MAINTAIN Reservations
SAP_MM_IM_VENDOR_CONSIGNMENT Vendor Consignment
Standard Authorization Objects
The following table shows the standard authorization objects that you can use for the Inventory Management (MM-IM) component.
Standard Authorization Objects: Inventory Management
Authorization Object Description
M_ISEG_WDB Phys. Inv: Difference Posting in Plant
M_ISEG_WIB Phys. Inv: Phys. Inv Document in Plant
M_ISEG_WZL Phys. Inv: Count in Plant
M_ISEG_WZB Phys. Inv: Count and Difference Posting in Plant
M_MSEG_BMB Material Documents: Movement Type
M_MBNK_ALL Material Documents: Number Range Maintenance
M_MSEG_WMB Material Documents: Plant
M_MRES_BWA Reservations: Movement Type
M_MRES_WWA Reservations: Plant
M_MWOF_ACT Control for Split Valuation of Value (MBWO)
M_SKPF_VGA Inventory Sampling: Transaction
M_SKPF_WRK Inventory Sampling: Plant
M_MSEG_BWA Goods Movement: Movement Type
M_MSEG_LGO Goods Movement: Storage Location
M_MSEG_WWA Goods Movements: Plant
M_MSEG_BWF Goods Receipt for Production Order: Movement Type
M_MSEG_WWF Goods Receipt for Production Order: Plant
M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
M_MSEG_WWE Goods Receipt for Purchase Order: Plant
Logistics Invoice Verification (MM-IV): Authorizations
Standard Roles
The following table shows the standard roles that you can use for the Logistics Invoice Verification (MM-IV) component.
Standard Roles: Logistics Invoice Verification
Role Description
SAP_MM_IV_CLERK_AUTO Automatic Settlements
SAP_MM_IV_CLERK_BATCH1 Enter Invoices for Verification in the Background
SAP_MM_IV_CLERK_BATCH2 Manual Processing of Invoices Verified in the Background
SAP_MM_IV_CLERK_GRIR_MAINTAIN GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_GRIR_MAITAIN GR/IR Clearing Account Maintenance
SAP_MM_IV_CLERK_ONLINE Online Invoice Verification
SAP_MM_IV_CLERK_PARK Park Invoices
SAP_MM_IV_CLERK_RELEASE Invoice Release
SAP_MM_IV_SUPPLIER_FINANCE Settlement Information for Vendor (External Supplier) on the Internet
Standard Authorization Objects
The following table shows the standard authorization objects that you can use for the Logistics Invoice Verification (MM-IV) component.
Standard Authorization Objects: Logistics Invoice Verification
Authorization Object Description
M_RECH_WRK Invoices: Plant
M_RECH_AKZ Invoices: Accept Invoice Verification Differences Manually
M_RECH_EKG Invoice Release: Purchasing Group
M_RECH_SPG Invoices: Blocking Reasons
Product Lifecycle Management (PLM)
Authorizations
The applications in Product Lifecycle Management (PLM) use the following objects for the authorization checks:
● Composite roles
● Standard roles
● Profiles
● Authorization objects
Composite Roles
The following table shows the composite roles used by applications in PLM.
Composite Role Description
SAP_EHS_IHS_SPECIALIST Industrial Hygiene and Safety Professional
SAP_WP_BD_ADMIN EH&S Administrator
Standard Roles
The following tables show the standard roles used by applications in PLM.
Roles: Cross-Application (CA)
Role Description
SAP_CA_CL_DISPLAY Product Data Management – Display Classification Information
SAP_CA_CL_MAINTAIN Product Data Management: Classification
SAP_CA_DMS_ADMIN Administration Tasks in DMS
SAP_CA_DMS_DISPLAY Product Data Management: Displaying Documents
SAP_CA_DMS_MAINTAIN Product Data Management: Classification
SAP_CA_NO_NOTIF_GENERAL General Notification Processing
SAP_CA_NO_NOTIF_ISR Creation of Internal Service Request
SAP_CA_NO_NOTIFVIAWEB_EXT General Notification Creation on Web
SAP_CA_NO_NOTIFVIAWEB_INT General Notification Creation on the Web - Link
Roles: Customer Service (CS)
Role Description
SAP_CS_AG_CUST_ORDER_COMPLETE Processing of Sales Order Settlement and Billing Document
SAP_CS_AG_CUST_ORDER_DISPLAY Display of Service Agreements, Sales Orders and Billing Documents
SAP_CS_AG_CUST_ORDER_PROCESS Processing of Sales Order and Customer Repair Order
SAP_CS_AG_PROCESS Processing of Service Agreements
SAP_CS_AG_WARRANTIES_DISPLAY Display Warranties
SAP_CS_AG_WARRANTIES_PROCESS Processing of Warranties
SAP_CS_CI_ADMIN Customer Interaction Center Administration
SAP_CS_CI_AGENT Customer Interaction Center (Front Office)
SAP_CS_CI_INFOSYSTEM Contact History for Groups and Agents
SAP_CS_CM_SOL_DATA_BASE_PROC Processing of Solution Database
SAP_CS_IB_INSTALLED_BASE_DISPL Display of Installed Base
SAP_CS_IB_INSTALLED_BASE_PROC Processing of Installed Base
SAP_CS_SE_DISPLAY_NOTIF_ORDERS Display of Service Notifications and Orders
SAP_CS_SE_PROCESS_NOTIF_ORDERS Processing of Service Notifications and Orders
Roles: Environment, Health & Safety (EH&S)
Role Description
SAP_EHS_BD_UTIL Tools
SAP_EHS_DGP_DATABASEFILLING Dangerous Goods Master Filling
SAP_EHS_DGP_DATASENDING Data Distribution – Dangerous Goods
SAP_EHS_DGP_DATATRANSFER Data Transfer, External – Dangerous Goods
SAP_EHS_DGP_DISPLAYLIST Dangerous Goods Master Lists
SAP_EHS_DGP_MASTERDATA Dangerous Goods Master Management
SAP_EHS_DGP_MASTERDATASHOW Dangerous Goods Master Information
SAP_EHS_DGP_PHRASES Dangerous Goods Text Module Management
SAP_EHS_DGP_REPORTINFO Report Information System – Dangerous Goods
SAP_EHS_DGP_SUBSTANCEDATA Dangerous Goods Basic Data Management
SAP_EHS_HSM_AGENT Agent
SAP_EHS_HSM_INFO Reporting
SAP_EHS_HSM_LABEL Global Label Management
SAP_EHS_HSM_MATERIA Material
SAP_EHS_HSM_REPORT Report
SAP_EHS_HSM_SUBSTANCE Substance
SAP_EHS_HSM_WORKAREA Work Area
SAP_EHS_IHS_AGENT Agent Management
SAP_EHS_IHS_AMOUNTDETERMIATION Amount Determination
SAP_EHS_IHS_BUSINESSPARTNER Business Partners – Industrial Hygiene and Safety
SAP_EHS_IHS_EXPOSURELOG Exposure Log
SAP_EHS_IHS_INCIDENTLOG Incident/Accident Management
SAP_EHS_IHS_INFOSYSTEM Industrial Hygiene and Safety Reporting
SAP_EHS_IHS_INJURYLOG Injury/Illness Log
SAP_EHS_IHS_PHRASES Phrase Management – Industrial Hygiene and Safety
SAP_EHS_IHS_REPORTINFO Report Information System – Industrial Hygiene and Safety
SAP_EHS_IHS_RISKASSESSMENT Risk Assessment
SAP_EHS_IHS_SERVICE Service
SAP_EHS_IHS_WORKAREA Industrial Hygiene and Safety Professional
SAP_EHS_OH_AMBSERV Work Area Management
SAP_EHS_OH_ASSIGN Person Assignment
SAP_EHS_OH_BUPT Business Partners – Occupational Health
SAP_EHS_OH_EVAL Reporting
SAP_EHS_OH_EVAL_NEW Reporting
SAP_EHS_OH_EXAM Examinations and Tests
SAP_EHS_OH_IMPORT Medical Data Import
SAP_EHS_OH_INJURYLOG Incident/Accident Log and Injury/Illness Log
SAP_EHS_OH_MEDSERV Medical Services
SAP_EHS_OH_PERSSEL Person Selection and Scheduling
SAP_EHS_OH_QUEST Question Catalogs and Questionnaires
SAP_EHS_OH_SERVICE Industrial Hygiene and Safety Link
SAP_EHS_OH_SET Current Settings
SAP_EHS_SAF_UTIL Tools
SAP_EHS_SAF_SUBSTANCESHOW Specification Display
SAP_EHS_SAF_SUBSTANCEINFO Specification Information System
SAP_EHS_SAF_SUBSTANCEDATA Substance
SAP_EHS_SAF_REPORTSHOW EH&S Report Information System
SAP_EHS_SAF_REPORTSHIPPING Report Shipping
SAP_EHS_SAF_REPORTINFO Report Information System – Product Safety
SAP_EHS_SAF_REPORTGENERATION Report Definition
SAP_EHS_SAF_REPORTEDIT Report
SAP_EHS_SAF_PHRASES Phrase Management – Product Safety
SAP_EHS_SAF_LABEL Global Label Management
SAP_EHS_SAF_DATATRANSFER Data Transfer, External – Product Safety
SAP_EHS_SAF_DATASENDING Data Distribution
SAP_EHS_SAF_BOMBOS Bill of Materials Composition
SAP_EHS_WA_BUSINESSPARTNER Waste Management Business Partner
SAP_EHS_WA_DATATRANSFER Data Transfer, External – Waste Management
SAP_EHS_WA_DISPOSAL_DOCUMENTS Disposal Documents
SAP_EHS_WA_DISPOSAL_PROCESSING Disposal Processing
SAP_EHS_WA_EHSW_1 Report Tree – Waste Management
SAP_EHS_WA_INFOSYSTEM Waste Information System
SAP_EHS_WA_REPORTEDIT Report Management - Waste Management
SAP_EHS_WA_REPORTGENERATION Report Creation – Waste Management
SAP_EHS_WA_REPORTSHIPPING Report Shipping - Waste Management
SAP_EHS_WA_WASTE_SPEZIFICATION Master Data - Specification
SAP_EHS_WA_WASTECODE Waste Codes
SAP_EHS_WA_WASTEINFO Waste Information
SAP_WP_BD_ADMIN EH&S Administrator
SAP_WP_DG_SPECIALIST Dangerous Goods Specialist
SAP_WP_HSM_SPECIALIST Hazardous Substance Manager
SAP_WP_IHS_SPECIALIST Industrial Hygiene and Safety Professional
SAP_WP_OH_PHYSICIAN Occupational Physician
SAP_WP_PS_SPECIALIST Product Safety Specialist
Roles: Logistics (LO)
Role Description
SAP_LO_ECH_MAINTAIN Engineering Change Management
SAP_LO_EMPLOYEE Employee Self-Service (LO)
SAP_LO_MD_BOM_DISPLAY Complete BOM Display
SAP_LO_MD_BOM_MAINTAIN Complete BOM Processing
SAP_LO_MD_CUSTOMER_DISPLAY Display Customer Master
SAP_LO_MD_CUSTOMER_MAINTAIN Customer Master Maintenance
SAP_LO_MD_MBOM_MAINTAIN Material BOM Processing
SAP_LO_MD_MM_MATERIAL_DISPLAY Display Material Master Data
SAP_LO_MD_MM_MATERIAL_DISPLAY Maintain Material Master
SAP_LO_MD_OBOM_MAINTAIN Order BOM Processing
SAP_LO_MD_PBOM_MAINTAIN WBS BOM Processing
SAP_LO_MD_SERIAL_NO_DISPLAY Display of Serial Numbers
SAP_LO_MD_SERIAL_NO_PROCESS Processing of Serial Numbers
SAP_LO_MD_VENDOR_DISPLAY Display Vendor Master
SAP_LO_MD_VENDOR_MAINTAIN Vendor Master Maintenance
SAP_LO_PP_RTG_DISPLAY Routing Display
SAP_LO_PP_RTG_MAINTAIN Routing Maintenance
SAP_LO_VC_DEP_MAINTAIN Variant Configuration Modeling
SAP_LO_VC_ESALES Connection to CRM
SAP_LO_VC_MAINTAIN Complete Variant Configuration
SAP_LO_VC_ORDER_PROC Order Processing – Variant Configuration
SAP_LO_VC_SIMULATION Variant Configuration Simulation
Roles: Plant Maintenance (PM)
Role Description
SAP_PM_ALM_ME_ADMINISTRATOR Asset Life-Cycle Management - Administrator (Mobile Engine)
SAP_PM_ALM_ME_ENGINEER Asset Life-Cycle Management - Administrator (Mobile Engine)
SAP_PM_DATATRANSFER Data Transfer and Download Structure for Plant Maintenance
SAP_PM_EQM_BILL_OF_MAT_DISPL Display of Bill of Material
SAP_PM_EQM_BILL_OF_MAT_PROC Processing of Bill of Material
SAP_PM_EQM_EQUIPMENT_DISPLAY Display of Equipment
SAP_PM_EQM_EQUIPMENT_PROCESS Processing of Equipment
SAP_PM_EQM_FUNC_LOC_DISPLAY Display of Functional Location
SAP_PM_EQM_FUNC_LOC_PROCESS Processing of Functional Location
SAP_PM_EQM_ME_READ_LIST_DISPL Display of Measurement Reading Entry List
SAP_PM_EQM_ME_READ_LIST_PROC Processing of Measurement Reading Entry List
SAP_PM_EQM_MEAS_POINTS_DISPLAY Display of Measuring Points
SAP_PM_EQM_MEAS_POINTS_PROCESS Processing of Measuring Points
SAP_PM_EQM_PERMITS_ISSUE_DISPL Issue and Display of Permits
SAP_PM_EQM_PERMITS_PROCESS Processing of Permits
SAP_PM_EQM_PROCESS_OBJECT_LINK Processing of Object Link
SAP_PM_EQM_PROD_RESOURC_DISPL Display of Production Resources and Tools
SAP_PM_EQM_PROD_RESOURC_PROC Processing of Production Resources and Tools
SAP_PM_EQM_REF_FUNC_LOC_PROC Processing of Reference Location
SAP_PM_EQM_WORK_CENT_EVALUATE Evaluation of Work Centers
SAP_PM_EQM_WORK_CENTERS_DISPL Display of Work Centers
SAP_PM_EQM_WORK_CENTERS_PROC Processing of Work Centers
SAP_PM_IS_INFO-SYSTEM_CONFIG Configuration of Information System
SAP_PM_IS_TASKS_ANALYSIS_PERF Execution of Analyses
SAP_PM_PRM_MAIN_PLANS_DISPLAY Display of Maintenance Plans
SAP_PM_PRM_MAIN_PLANS_REV_PROC Processing of Maintenance Plans and Revisions
SAP_PM_PRM_MAIN_PLANS_SCHEDULE Scheduling of Maintenance Plans
SAP_PM_PRM_TASKS_LISTS_DISPLAY Display of Task Lists
SAP_PM_PRM_TASKS_LISTS_PROCESS Processing of Task Lists
SAP_PM_WOC_COMP_CONF_DIS Display of Completion Confirmation
SAP_PM_WOC_COMP_CONF_PROC_CANC Processing and Cancellation of Completion Confirmation
SAP_PM_WOC_CONF_POSTPROC Postprocessing of Completion Confirmation
SAP_PM_WOC_HISTORICAL_ORD_DISP Display of Historical Orders
SAP_PM_WOC_HISTORICAL_ORD_PROC Processing of Historical Orders
SAP_PM_WOC_MEAS_DOC_DISPLAY Display of Measurement Documents
SAP_PM_WOC_MEAS_DOC_MAINTAIN Processing of Measurement Documents
SAP_PM_WOC_NOTIFICATION_DISPL Display of Notification
SAP_PM_WOC_NOTIFICATION_PP Creation of Notification
SAP_PM_WOC_NOTIFICATION_PROC Processing of Notification
SAP_PM_WOC_ORDER_DISPLAY Display of Order
SAP_PM_WOC_ORDER_PROCESS Processing of Order
SAP_PM_WOC_ORDER_SCHEDULE Scheduling of Order
SAP_PM_WOC_PROCESS_PLANNING Resource Planning
SAP_PM_WOC_REFURBISHM_ORD_PROC Processing of Refurbishment Order
SAP_PM_WOC_WCM_ENGINEER Safety Engineer
SAP_PM_WOC_WCM_INFO Information Functions for Work Clearance Management
SAP_PM_WOC_WCM_PLANNER Work Clearance Planner
SAP_PM_WOC_WCM_REQUESTER Work Clearance Requester
SAP_PM_WOC_WORK_MANAGEMENT Work Management in Plant Maintenance and Customer Service
Roles: Project System
Role Description
SAP_PS_ARCHIVING Archive Project Data
SAP_PS_BASIC_WRKPL Work Center Master Data
SAP_PS_BASIC_WRKPL_DISPL Display Work Center Master Data
SAP_PS_BUDGET_PROJ Project Budgeting
SAP_PS_CLAIM Claim Management
SAP_PS_CEP Collaboration
SAP_PS_CO_MODEL_PROJ Allocation Templates
SAP_PS_CONFIRM Confirm
SAP_PS_DATES Project Dates
SAP_PS_DATES_DISPLAY Display Project Dates
SAP_PS_DOCUMENTS Documents
SAP_PS_DOCUMENTS_DISPLAY Display Documents
SAP_PS_EXECUTE_CO_REPORTS Execute Controlling Reports
SAP_PS_FUNDS_COMMITMENT Display Project Dates
SAP_PS_GROUPING Requirements Grouping
SAP_PS_LINE_MANAGER PS Input for the Line Manager Generic Role
SAP_PS_MASS_CHANGE Mass Change
SAP_PS_MATERIAL Material in Projects
SAP_PS_MATERIAL_DISPL Display Material in Projects
SAP_PS_MONITOR_MAT_DATES Monitoring Dates for Material
SAP_PS_OVERALL_CO_PLAN_PROJ Overall CO Planning for Projects
SAP_PS_PAYMENTS_ACTUAL Actual Project Payments
SAP_PS_PAYMENTS_PLAN Planned Project Payments
SAP_PS_PER_CO_PLAN_PROJ Periodic CO Planning for Projects
SAP_PS_PEREND_PROJ_COLL Period-End Closing – Collective Project Processing
SAP_PS_PEREND_PROJ_IND Period-End Closing – Individual Project Processing
SAP_PS_PEREND_PROJ_PAYMENT Payment Transfer to Period
SAP_PS_PEREND_PROJ_WLM Worklist for Period
SAP_PS_PERS_RES_EVAL Evaluate Personnel Resources
SAP_PS_PERS_RES_PLAN Plan Personnel Resources
SAP_PS_PROGRESS Progress Determination
SAP_PS_PROJ_YEAREND Year-End Closing for Projects
SAP_PS_REP_CLAIM Claim Reports
SAP_PS_REP_COST_SUMMARIZ Summarized Cost Reports
SAP_PS_REP_COSTS Cost Reports
SAP_PS_REP_LINE_ITEM Line Item Reports
SAP_PS_REP_MATERIAL Material Reports
SAP_PS_REP_PAYMENTS Payment Reports
SAP_PS_REP_PROGRESS Progress Reports
SAP_PS_REP_REVENUES Revenue and Profitability Reports
SAP_PS_REP_STRUCT Structure Reports
SAP_PS_REP_TOOLS Information System - Tools
SAP_PS_RM_ADMINISTRATOR Administrator for Public Sector Records Management
SAP_PS_RM_HEAD Manager Public Sector Records Management
SAP_PS_RM_REGISTRAR Recorder for Public Sector Records Management
SAP_PS_RM_USER Processor Public Sector Records Management
SAP_PS_SALES_PRICING Calculate Sales Price
SAP_PS_STD_STRUCT Standard Structures
SAP_PS_STD_STRUCT_DISPL Display Standard Structures
SAP_PS_STRUCT Project Structures
SAP_PS_STRUCT_DISPL Display Project Structures
SAP_PS_TRANSFER_PRICE_ACTUAL Actual Transfer Prices
SAP_PS_TRANSFER_PRICE_PLAN Plan Transfer Prices
Roles: Quality Management (QM)
Role Description
SAP_QM_ADMIN Administrator
SAP_QM_BATCH_INFO Display of Batch Data
SAP_QM_CA_CERTVIAWEB_EXT Processing Certificates on the Web
SAP_QM_CA_CERTVIAWEB_INT Link: Certificates on the Web
SAP_QM_CA_INCOMING_CERT Monitoring of Certificate Receipt
SAP_QM_CA_OUTCERT_MAINT Administration of Certificate Master Data
SAP_QM_CA_OUTGOING_CERT Creation of Certificates in Sales and Distribution
SAP_QM_IM_COSTS Administration of QM Orders
SAP_QM_IM_COSTS_DISPLAY Display of Quality-Related Costs
SAP_QM_IM_DEFECTS_REC Defects Recording
SAP_QM_IM_LOT_COMPLETION Inspection Lot Completion
SAP_QM_IM_LOT_MAINTAIN Processing of Inspection Lots
SAP_QM_IM_QMANAG_WORKLIST Worklist for Quality Managers
SAP_QM_IM_QPLANNER_INSP Inspection Processing by Quality Planner
SAP_QM_IM_RES_REC Results Recording
SAP_QM_IM_RESULTSVIAWEB_EXT Results Recording on the Web
SAP_QM_IM_RESULTSVIAWEB_INT Link: Results Recording on the Web
SAP_QM_IM_SAMPLE Sample Management
SAP_QM_IT_CALIB_INFO Calibration Information
SAP_QM_IT_CALIB_INSP Calibration Inspection
SAP_QM_IT_CALIB_PLANNING Calibration Planning
SAP_QM_IT_CALIB_PROCUREMENT Procurement of Test Equipment
SAP_QM_IT_EQUI_MAINTAIN Maintenance of Test Equipment
SAP_QM_IT_PM_NOTIF Processing of Maintenance Notifications
SAP_QM_PP_OPERATOR Production Worker
SAP_QM_PP_SUPERVISOR Production Supervisor
SAP_QM_PT_BASIC_DATA Maintenance of Basic Data
SAP_QM_PT_CHANGE_MANAG_DISPLAY Change Management - Display
SAP_QM_PT_IPLANNING Inspection Planning
SAP_QM_PT_LOG_MASTER_DISPLAY Logistics Master Data - Display
SAP_QM_PT_LOG_MASTER_MAINT Logistics Master Data - Edit
SAP_QM_PT_MAT_MANAG_DISPLAY Display of Materials Management Information
SAP_QM_PT_QMANAG_MASTER_DISP Display of Logistics Master Data for Quality Managers
SAP_QM_QC_CONTROL_ALL General Quality Control
SAP_QM_QC_QMIS Quality Evaluations (QMIS)
SAP_QM_QC_QMIS_ALL General Quality Evaluations (QMIS)
SAP_QM_QMANAG_GR Quality Manager – Goods Receipt
SAP_QM_QMANAG_PP Quality Manager - Production
SAP_QM_QN_NOTIF_BASIC Extended Processing of Notifications
SAP_QM_QN_NOTIF_DISPLAY Display of Quality Notifications
SAP_QM_QN_NOTIF_MAINT Processing of Notifications
SAP_QM_QN_NOTIFVIAWEB_EXT Notifications on the Web – Processing
SAP_QM_QN_NOTIFVIAWEB_INT Link: Notifications on the Web
SAP_QM_QN_TASK_MAINT Processing of Tasks
SAP_QM_QN_TASK_PROCESSOR Task Processor
Roles: General
Role Description
SAP_MM_SE_CLERK Service Entry Clerk
SAP_PLMIFO_MAT_MAINTAIN Material Master Maintenance plus RFC Authorization
SAP_PP_BD_RTG_DISPLAY Routing Display
SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance
SAP_PP_PS_PRT Project System – Production Resources/Tools
SAP_PP_SFC_OCM Production Order - Order Change Management
Profiles
The following table shows the profiles used by applications in PLM. For some applications there are several profiles that begin with the same character string; in that case the table gives the starting character string followed by the wildcard character *. You can display all the profiles in the profile list (transaction SU02).
Profile Description
B_MASSMAIN Mass maintenance tool
C_A.AV Composite profile for person in charge of work scheduling
C_A.KONSTRUK Composite profile for person in charge of engineering/design
C_AENR_* List of profiles for change management
C_ALL PP: All authorizations for master data/classif. system
C_CAP_ALL All authorizations for standard value calculation with CAPP
C_CV_ALL All authorizations for Document Management
C_EHSH_* List of profiles for occupational health
C_EHSH_* List of profiles for EH&S
C_FHMI_* List of profiles for production resources/tools
C_MSTL_* List of profiles for material BOMs
C_PS_* List of profiles for Project Systems
C_ROUT_* List of profiles for task lists
C_SHE_* List of profiles for EH&S
E_CS_* List of profiles for EC-CS
I_PM_* List of profiles for Plant Maintenance
M_* List of profiles for Materials Management
Q_* List of profiles for Quality Management
Z_CUSMM01 Maintain Customizing for MM
Z_CUSMM02 Display Customizing for MM
Z_CUSPM01 Maintain Customizing for PM
Z_CUSPM02 Display Customizing for PM
Z_CUSPP01 Maintain Customizing for PP
Z_CUSPP02 Display Customizing for PP
Z_CUSPS01 Maintain Customizing for PS
Z_CUSPS02 Display Customizing for PS
Z_CUSQM01 Maintain Customizing for QM
Z_CUSQM02 Display Customizing for QM
Authorization Objects
All the authorization objects of an application are grouped into one object class. You can display the authorization objects in Role Maintenance (transaction PFCG) by choosing Environment → Authorization Objects → Display.
The following table shows the object classes for the authorization objects used by applications in PLM.
Object Classes for Authorization Objects
Object Class Description
CLAS Classification
CV Document Management
EHS EH&S
LO Logistics - General (only the authorization objects for variant configuration, character string C_LOVC_*)
MM_G Materials Management – Master Data
MM_S Materials Management – External Services
PM Plant Maintenance
PP Production Planning
Authorization objects for the following applications:
● Change management (character string C_AENR_*)
● Task lists (character string C_ROUT*)
● BOMs (character string C_STUE_*)
PS Project System
QA Quality Management
Communication Destinations
The SAP standard system does not supply any communication destinations for Product Lifecycle Management (PLM). In CAD integration, an external CAD system initiates the communication with the SAP system, and the SAP system is then called back by means of an RFC callback. This communication takes place via Remote Function Call (RFC).
Important SAP Notes
Note the following SAP Notes with security-related information.
SAP Note Short Text
13128 General info on authorizations in Project System
24441 CR134 No authorization to reflect change in HR
35100 Changing BOMs with hist. requirement w/o change no.
40586 No authorization for maintaining view V_QDEB
61886 SAP enhancement CNEX0002: No authorization
67713 Authorization check in routing with C_ROUT
192748 Creating PM order for notif. w/o IW34 authorization
198079 No check of authorization S_TCODE for CALL
327801 IW22: Authorization K_ORDER
332997 PS-IS: Authorization check for BEBD
368574 PM/CS Authorization Check
371269 ECH: Authorizations for Customizing parameter
379041 Authorization check for multi-level equipment list
385510 Authorization for EDI translator/middleware
407758 Authorization for evaluations of notifications
414858 Authorization check for mass change
420878 BOM change without change number possible
424731 Component assignment without BOM history
426494 Differentiation of history requirement
457086 OINI: No authorization for changing
522426 Consulting: Authorizations in the Project System
532231 Data transfer and authorization concept
554415 FAQ 2: Authorization check
555812 CDESK: CAD desktop: Required authorizations
558586 Authorization check for mass change II
568313 CJ20N, CN22: General layout
568522 Undoing changes in BOM
569048 Undoing changes in BOM
638781 Project authorization via partner functions
671580 PS Cash Management: Customizing for commitment items
755020 Authorization check for EHS report & report template
Manufacturing
Authorizations
The applications in Manufacturing use the following objects for the authorization checks:
● Standard roles
● Profiles
● Authorization objects
Standard Roles
The following tables show the standard roles used by applications in Manufacturing.
Roles: Basic Data
Role Description
SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance
SAP_PP_BD_WKC_DISPLAY Work Center Display
SAP_PP_BD_WKC_MAINTAIN Work Center Maintenance
SAP_PP_MATERIAL_MANAGEMENT Materials Management Production
SAP_PP_PS_PRT Project System – Production Resources/Tools
SAP_LO_PP_RTG_DISPLAY Routing Display
SAP_LO_PP_RTG_MAINTAIN Routing Maintenance
SAP_LO_PP_WRKC_DISPLAY Work Center Display
SAP_LO_PP_WRKC_MAINTAIN Work Center Maintenance
Roles: Capacity Planning (PP-CRP)
Role Description
SAP_PP_CAPA_PLAN Plan Capacities
SAP_PP_CAPA_PLAN Evaluate Capacity Planning
Roles: Kanban (PP-KAB)
Role Description
SAP_PP_KAB_CONTROL KANBAN Control
SAP_PP_KAB_REPORTING KANBAN Evaluation
Roles: Production Planning (PP-MP)
Role Description
SAP_PP_MP_FORECAST Material Forecast
SAP_PP_MP_LONG_TERM_PLANNING Long-Term Planning
SAP_PP_MP_MPS_PLANNING Master Production Scheduling
Roles: Requirements Planning (PP-MRP)
Role Description
SAP_PP_MRP_COORDINATION MRP PP - Coordination
SAP_PP_MRP_EVALUATIONS MRP PP - Evaluation
SAP_PP_MRP_MASTER_DATA MRP PP – Master Data
SAP_PP_MRP_PLANNED_ORDER MRP PP – Planned Order
SAP_PP_MRP_PLANNING MRP PP – Planning Execution
Roles: Production Orders (PP-SFC)
Role Description
SAP_PP_SFC_CONFIRMATIONS Production Order - Confirmations
SAP_PP_SFC_GM Production Order – Goods Movements
SAP_PP_SFC_MAT_MANAGEMENT Production Order – Materials Management
SAP_PP_SFC_OCM Production Order - Order Change Management
SAP_PP_SFC_ORDER_EXCEPTIONS Production Order – Reprocessing
SAP_PP_SFC_ORDERS Production Order – Processing
SAP_PP_SFC_PERFORMANCE Production Order – Production Information System
SAP_PP_SFC_PRODUCTION_OPERATOR Production Operator in Production
SAP_PP_SFC_PRT Production Order – Production Resource/Tool
SAP_PP_SFC_WM Production Order - Warehouse Management
Roles: Repetitive Manufacturing (PP-REM)
Role Description
SAP_PP_REM_CONFIRMATION Repetitive Manufacturing - Backflushing
SAP_PP_REM_MASTERDATACHANGE Repetitive Manufacturing – Change Master Data
SAP_PP_REM_MASTERDATADISPL Repetitive Manufacturing – Display Master Data
SAP_PP_REM_PLANNING Repetitive Manufacturing - Planning
SAP_PP_REM_PRODUCTION Repetitive Manufacturing - Production
SAP_PP_REM_REPORTING Repetitive Manufacturing - Evaluations
Roles: Process Industries (PI)
Role Description
SAP_PP_PI_BATCH_RECORD_EXP Edit Batch Record
SAP_PP_PI_BATCH_RECORD_SUPER Approve Batch Record
SAP_PP_PI_CAPA_EVAL_STD Perform Capacity Evaluations
SAP_PP_PI_CAPACITY_EXP Edit Capacity
SAP_PP_PI_CTRL_RECIPE_EXP Monitor Control Recipe
SAP_PP_PI_CUST_PROCMGMT Customizing for Process Management
SAP_PP_PI_DOWNTIME_EXP Record Downtime
SAP_PP_PI_DOWNTIME_SUPER Settings for Downtimes
SAP_PP_PI_GOODS_MOVE_EXP Enter Goods Movement for Order
SAP_PP_PI_GOODS_MOVE_HU_EXP Enter Goods Movements with Handling Units
SAP_PP_PI_GOODS_MOVE_HU_SUPER Cancel Goods Movements with Handling Units
SAP_PP_PI_MA_BATCH_REC_WL_CUM MiniApp: Worklist for Batch Records - Accumulated
SAP_PP_PI_MA_PI_SHEET_WL_CUM MiniApp: Worklist for PI Sheets - Accumulated
SAP_PP_PI_MA_PROC_ORDER_WL_CUM MiniApp: Worklist for Process Orders - Accumulated
SAP_PP_PI_MASTER_RECIPE_EXP Edit Master Recipe
SAP_PP_PI_MASTER_RECIPE_STD Display Master Recipe
SAP_PP_PI_MAT_STAGING_EXP Execute Material Staging for Order
SAP_PP_PI_MAT_STAGING_STD Display Material Staging for Order
SAP_PP_PI_MFG_COCKPIT_1_EXP Edit Manufacturing Cockpit for Manager/Engineer
SAP_PP_PI_MFG_COCKPIT_2_EXP Edit Manufacturing Cockpit for Plant Manager
SAP_PP_PI_MPARTS_INFO_STD Evaluate Missing Parts Info System
SAP_PP_PI_ORDER_CONF_EXP Enter Order Confirmation
SAP_PP_PI_ORDER_CONF_STD Display Order Confirmation
SAP_PP_PI_ORDER_CONF_SUPER Correct Order Confirmations
SAP_PP_PI_ORDER_INFO_STD Evaluate Order Info System
SAP_PP_PI_ORDER_RECORD_EXP Store Order Record
SAP_PP_PI_ORDER_RECORD_STD Display Order Record
SAP_PP_PI_PI_SHEET_EXP Maintain PI Sheet
SAP_PP_PI_PI_SHEET_SUPER Check PI Sheet and Set to “Technically Complete”
SAP_PP_PI_PROC_MESSAGE_EXP Edit Process Message
SAP_PP_PI_PROC_ORDER_EXP_CHNG Change Process Order
SAP_PP_PI_PROC_ORDER_EXP_CREA Create Process Order
SAP_PP_PI_PROC_ORDER_STD Display Process Order
SAP_PP_PI_PROD_CAMPAIGN_EXP Edit Production Campaign
SAP_PP_PI_PROD_CAMPAIGN_STD Display Production Campaign
SAP_PP_PI_PROD_VERSION_EXP Edit Production Version
SAP_PP_PI_PROD_VERSION_STD Display Production Version
SAP_PP_PI_RESOURCE_EXP Edit Resource
SAP_PP_PI_RESOURCE_STD Display Resource
SAP_PP_PI_RESOURCE_SUPER Resource Settings
SAP_PP_PI_SF_INFO_STD Evaluate Shop Floor Information System
SAP_PP_PI_STD_TEXT_EXP Edit Standard Text
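The process-industry roles above come in specialist (_EXP) and supervisor (_SUPER) variants that separate performing an action from approving, correcting or cancelling it. The following is an added example, not part of this guide: a Python script that reads a constructed two-column extract of user-to-role assignments (modelled on the UNAME and AGR_NAME fields of table AGR_USERS) and flags users who hold both halves of a segregation-of-duties pair. The conflict pairs and the sample users are assumptions chosen for illustration; the role names are the standard roles listed above.

```python
"""Segregation-of-duties check over SAP role assignments.

Added example, not part of the SAP ECC Security Guide. The role names are
the standard PP-PI roles the guide lists; the conflict pairs and the sample
assignment extract are assumptions chosen for illustration.
"""
from collections import defaultdict

# A user holding both roles of a pair can both perform an action and
# approve, correct or cancel it (assumed pairs; extend to your own policy).
SOD_CONFLICTS = {
    ("SAP_PP_PI_BATCH_RECORD_EXP", "SAP_PP_PI_BATCH_RECORD_SUPER"):
        "edit and approve batch record",
    ("SAP_PP_PI_ORDER_CONF_EXP", "SAP_PP_PI_ORDER_CONF_SUPER"):
        "enter and correct order confirmations",
    ("SAP_PP_PI_GOODS_MOVE_HU_EXP", "SAP_PP_PI_GOODS_MOVE_HU_SUPER"):
        "enter and cancel goods movements with handling units",
}

# Constructed sample extract (user name, role name), modelled on the
# UNAME / AGR_NAME fields of table AGR_USERS. First line is the header.
SAMPLE_ASSIGNMENTS = """\
UNAME      AGR_NAME
MILLERJ    SAP_PP_PI_BATCH_RECORD_EXP
MILLERJ    SAP_PP_PI_BATCH_RECORD_SUPER
SCHMIDTA   SAP_PP_PI_ORDER_CONF_EXP
SCHMIDTA   SAP_PP_PI_ORDER_CONF_STD
KOWALSKIP  SAP_PP_PI_GOODS_MOVE_HU_EXP
KOWALSKIP  SAP_PP_PI_GOODS_MOVE_HU_SUPER
KOWALSKIP  SAP_PP_PI_ORDER_CONF_SUPER
"""


def parse_assignments(text):
    """Return {user: set(roles)} from a whitespace-separated two-column dump."""
    roles_by_user = defaultdict(set)
    for line in text.splitlines()[1:]:   # skip the header row
        if not line.strip():
            continue
        user, role = line.split()
        roles_by_user[user].add(role)
    return dict(roles_by_user)


def find_conflicts(roles_by_user, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b, reason) for every violated pair."""
    hits = []
    for user, roles in roles_by_user.items():
        for (role_a, role_b), reason in conflicts.items():
            if role_a in roles and role_b in roles:
                hits.append((user, role_a, role_b, reason))
    return sorted(hits)


if __name__ == "__main__":
    for user, role_a, role_b, reason in find_conflicts(
            parse_assignments(SAMPLE_ASSIGNMENTS)):
        print(f"{user}: {role_a} + {role_b} ({reason})")
```

Run it after each role-assignment change or as part of a periodic review. A display role (_STD) next to an _EXP role is not flagged, because display rights do not complete the action/approval loop; only the pairs in SOD_CONFLICTS are.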
Profiles The following table shows the profiles used by applications in Manufacturing.
Profile Description
C_KANBAN_ALL Profile with All Authorizations for KANBAN Production Control
C_KAPA_ALL PP: Capacity Planning
C_KAPA_ANZ PP Capacity Planning Display Authorizations
C_KAPA_CUST PP: Set & Variables Maintenance for Capacity Planning
C_LFPL_ALL Long-Term Planning: All Authorizations
C_MESS_ALL PP-PI Process Messages: All Authorizations
C_MREC_ALL PP-PI Master Recipe: Authorizations for All Transactions
C_MREC_CHA PP-PI Master Recipe: Change Authorization
C_MREC_CRE PP-PI Master Recipe: Create Authorization
C_MREC_MAT PP-PI Master Recipe: Material Master Update
C_MREC_RPL PP-PI Master Recipe: Authorization for Mass Replacement
C_MREC_SHO PP-PI Master Recipe: Display Authorization
C_MREC_USE PP-PI Master Recipe: Authorization for Where-Used Lists
C_MSTL_ALL PP Material BOMs: Maintenance and Display Authorizations
C_MSTL_ANZ PP Material BOMs: Display Authorizations
C_PBED_ANZ Display Profile for Demand Management
C_PB_ALL Maintenance and Display Authorizations for Demand Mgmt
C_PB_REO Authorization for Reorganization in Demand Management
C_POI_ALL All Authorizations for POI Interface
C_PPPI_ALL PP-PI: All Authorizations for Processing Manufacturing
C_PRCHAR_ALL PP-PI: All Authorizations for Ext. Access to Proc. Charact.
Authorization Objects All the authorization objects of an application are grouped into one object class. You can display the authorization objects by choosing Role Maintenance (transaction PFCG) Environment → Authorization Objects → Display.
The following table shows the object classes for the authorization objects used by applications in Manufacturing.
Object Classes for Authorization Objects
Authorization Object Description
PP Production Planning
PPE Integrated Product and Process Engineering
LO Logistics - General
Authorization objects
• C_CF_QUEUE Authorization object for displaying/maintaining contents of CIF queue
• C_PPE_PS iPPE: PS -iPPE interface (Component assignment)
• C_PPE_PS iPPE: PS -iPPE interface (Interface)
Communication Destinations In Manufacturing, the following programming elements are used for communicating with external systems:
● Remote Function Call (RFC)
● Business Application Programming Interface (BAPI)
SAP does not require this data to be encrypted. If the RFC path crosses an untrusted network, the RFC connections can still be protected using Secure Network Communications (SNC); see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Logistics Execution (LE)
Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)
Authorizations Standard Roles The following table shows the standard roles used by the components Decentralized Warehouse Management (LE-IDW), Transportation (LE-TRA), and Shipping (LE-SHP).
Standard Roles
Role Description
SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data
SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint
SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)
SAP_LE_GOODS_ISSUE_DELIVERY Post Goods Issue for Outbound Deliveries
SAP_LE_GOODS_RECEIPT_DELIVERY Post Goods Receipt for Inbound Deliveries
SAP_LE_INB_DELIVERY_DISPLAY Display Inbound Deliveries
SAP_LE_INB_DEL_PROCESSING Process Inbound Deliveries
SAP_LE_INB_MONITORING Monitor Inbound Delivery Process
SAP_LE_INB_STATISTICS Standard Analyses for the Inbound Delivery
SAP_LE_LOAD_DELIVERY Load Outbound Deliveries
SAP_LE_MASTER_DATA_MAINTENANCE Master Data Maintenance
SAP_LE_OUTBOUND_POD Proof of Delivery for Outbound Deliveries (POD)
SAP_LE_OUTB_DELIVERY_DISPLAY Display Outbound Deliveries
SAP_LE_OUTB_DEL_PROCESSING Process Outbound Deliveries
SAP_LE_OUTB_MONITORING Monitor Outbound Delivery Process
SAP_LE_OUTB_STATISTICS Standard Analyses for the Outbound Delivery
SAP_LE_PACKING_DELIVERY Pack Deliveries
SAP_LE_PACKING_STATION Packing Station (WEB)
SAP_LE_PICKING_WAVES Process Wave Picks
SAP_LE_POD_HANDHELD Proof of Delivery in Handheld Terminal from Customer’s View
SAP_LE_POD_WEB Proof of Delivery in Internet from Customer’s View
SAP_LE_R2R3_DECENTRAL_SHIPPING R/2-R/3 Link: Decentralized Shipping
SAP_LE_R2R3_MONITORING R/2-R/3 Link: Monitoring
SAP_LE_SHIPPING_NOTIFICATION Process Inbound Deliveries from Supplier’s View in Internet
SAP_LE_TMS_ARCHIVING Archiving of Transportation and Shipment Cost Documents
SAP_LE_TMS_BACKGROUND Background Transactions in Shipment
SAP_LE_TMS_CAPACITY_ANALYSIS Perform Analyses for Utilization and Free Capacity
SAP_LE_TMS_CARRIER_WEB Internet Transactions for the Forwarding Agent
SAP_LE_TMS_CURRENT_ANALYSIS Perform Current Evaluations for Shipments
SAP_LE_TMS_DISPLAY Display Documents in Shipment
SAP_LE_TMS_EXECUTION Execute Planned Shipments
SAP_LE_TMS_EXTERNAL_TPS Interface to External Transportation Planning System
SAP_LE_TMS_MAINTAIN_SCD Create, Process, and Display Shipment Costs
SAP_LE_TMS_MAINTAIN_SCD_COND Maintain Conditions in Shipment Costs Environment
SAP_LE_TMS_MAINT_SHP_MASTER Maintain Master Data in the Transportation Environment
SAP_LE_TMS_MONITOR_PLANNING Monitor Shipment Planning
SAP_LE_TMS_MONITOR_SHPCOSTS Monitor Shipment Costs Calculation and Settlement
SAP_LE_TMS_OTHERS Other Transportation Transactions (Without Composite Role)
SAP_LE_TMS_PLANNING Create, Change, and Display Shipments
SAP_LE_TMS_RULES Define Rules for Multiple Shipment Creation
SAP_LE_TMS_STATISTIC_ANALYSIS Perform Statistical Analyses for Shipments
SAP_LE_TMS_TP_SERVICE_AGENT Interface for Shipment Planning in Cooperation with Forwarding Agents
SAP_LE_WMS_APPOINTMENTS Door Appointments
SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM
SAP_LE_WMS_INFORMATION Warehouse Information
SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data
SAP_LE_WMS_LOAD Workload in Warehouse
SAP_LE_WMS_MONITORING Warehouse Monitoring
SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM
SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM
SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM
SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM
SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM
SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management
SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM
SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP
SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment
SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM
SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM
SAP_LE_WMS_STATISTICS Analysis in WM
SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM
SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM
SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM
SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM
SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM
SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance
Standard Authorization Objects The following tables show security-relevant authorization objects used by the components Decentralized Warehouse Management, Transportation, and Shipment.
Standard Authorization Objects: Decentralized Warehouse Management
Authorization Object Description
L_BWLVS Movement Type in the Warehouse Management System
L_LGNUM Warehouse Number/Storage Type
L_SFUNC Special Functions in Warehouse Management
L_TCODE Transaction Codes in the Warehouse Management System
Standard Authorization Objects: Transportation
Authorization Object Description
V_VFKK_FKA Shipment Cost Processing: Auth. for Shipment Cost Type
V_VTTK_SHT Shipment Processing: Authorization for Shipment Type
V_VTTK_TDL Shipment Processing: Authorization for Forwarding Agents
V_VTTK_TDS Shipment Processing: Auth. for Transport Planning Points
V_VTTK_TSA Transportation Proc.: Authorization for Shipment Type Status
Standard Authorization Objects: Shipping
Authorization Object Description
V_LECI_CKP Checkpoint: Authorization for Checkpoint
V_LIKP_VST Delivery: Authorization for Shipping Points
V_VBSK_GRA Deliveries: Authorization for Delivery Group Type
Network and Communication Security General Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 17].
Communication Channel Security The following table shows the communication paths that the components Decentralized Warehouse Management, Transportation (LE-TRA), and Shipping (LE-SHP) use, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection | Note
SAP ECC system – another SAP ECC system or external system | RFC | Application data (inbound and outbound deliveries) | - | Decentralized Warehouse Management, communication via BAPI/IDoc interface
You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.
Technical Users: You can use the workflow user WF-BATCH to generate inbound and outbound deliveries. The user must have authorization to create an inbound delivery.
Warehouse Management System (LE-WMS)
Authorizations Standard Roles The following table shows the standard roles you can use for Warehouse Management.
Standard Roles: Warehouse Management
Role Description
SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data
SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint
SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)
SAP_LE_PACKING_DELIVERY Pack Deliveries
SAP_LE_PACKING_STATION Packing Station (WEB)
SAP_LE_PICKING_WAVES Process Wave Picks
SAP_LE_WMS_APPOINTMENTS Door Appointments
SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM
SAP_LE_WMS_INFORMATION Warehouse Information
SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data
SAP_LE_WMS_LOAD Workload in Warehouse
SAP_LE_WMS_MONITORING Warehouse Monitoring
SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM
SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM
SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM
SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM
SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM
SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management
SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM
SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment
SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP
SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM
SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM
SAP_LE_WMS_STATISTICS Analysis in WM
SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM
SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM
SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM
SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM
SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM
SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance
SAP_LO_HU_GOODS_MOVEMENTS Goods Movements with Handling Units
SAP_LO_HU_MASTER_DATA Master Data for Handling Units
SAP_LO_HU_PACKING Pack Handling Units
Network and Communication Security General Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 17].
Communication Channel Security The table below shows the communication paths used by the Warehouse Management System (LE-WMS) component, the protocol used for the link, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC System – Non-SAP System (external Warehouse Management System) | RFC | Application data (ALE distribution) | -
RFC connections can be protected using Secure Network Communications (SNC). For more information, see:
● General information about encryption
SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security
● Security of Application Link Enabling (ALE)
SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)
Technical Users: To use ALE, create one or several users with authorization for the standard ALE transactions.
Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services
Authorizations Standard Roles You can use the standard roles of the Warehouse Management System. For more information about these standard roles, see Authorizations [page 137].
Standard Authorization Objects The following table shows the security-relevant authorization objects that the component Logistics Execution (EA-APPL) uses:
Application Authorization Object Description
Task and Resource Management
L_EXECUTE Execution activities in TRM
L_MONITOR Monitoring activities in TRM
Value-Added Services: L_MON_VAS L_MON_VAS
Cross-docking L_MON_XDCK L_MON_XDCK
Yard Management L_MON_YARD L_MON_YARD
L_VEHICLE L_VEHICLE
L_YARD L_YARD
L_YRD_MTHD L_YRD_MTHD
For more information, see the SAP ECC documentation in the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component:
● Task and Resource Management:
SAP ERP Central Component → Logistics→ Logistics Execution (LE) → Task and Resource Management (LE-TRM) → Other Functions → Authorization Checks
● Value-Added Services:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Value-Added Services (LE-WM-VAS) → Other Functions → Authorization Objects
● Cross-docking
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse-Management-System (WMS) → Cross-Docking (LE-WM-DCK) → Other Functions → Authorization Checks
● Yard Management:
SAP ERP Central Component → Logistics → Logistics Execution (LE) → Yard Management → Other Functions → Authorization Checks
Network and Communication Security General Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 17].
Communication Channel Security The following table shows the communication paths that the component Task and Resource Management (as part of Logistics Execution, EA_APPL 500) uses, the protocol used for the connection, and the type of data transferred:
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC system – external system (SAP or non-SAP system) | RFC | Application data | -
You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.
Retail
Network and Communication Security General Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 17].
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Communication Channel Security Link to Mobile Data Entry in SAP Retail Store The following table shows the communication paths that you use when you implement SAP Retail Store by linking to a mobile device (non-SAP product). You can find more information about the link to SAP Retail Store in the SAP Help Portal at help.sap.com → Documentation → SAP ERP Central Component → ECC → Logistics → SAP Retail → Distributed Data Processing → SAP Retail Store → PDC link in SAP Retail Store.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC System – SAP Exchange Infrastructure (SAP XI) | RFC | Application data | -
SAP Exchange Infrastructure – Server for Mobile Data Entry | RFC | Application data | -
You need a technical user in SAP Exchange Infrastructure for the RFC inbound interface when you implement mobile data entry. Assign this user only the authorizations for the relevant application.
Communication Paths for Forecasting and Replenishment For more information about the security of communication paths for the Business Scenario Forecasting & Replenishment, see the Forecasting and Replenishment Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → Industry Scenario Security Guides → SAP Forecasting and Replenishment: Security Guide.
Other Communication Paths for SAP for Retail The following table shows the communication paths for all remaining system connections for SAP for Retail.
Communication Paths
Application | Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
PRICAT | SAP ECC System – Manufacturer’s system | RFC (or another protocol that supports IDocs) | Application data | -
Store physical inventory | SAP ECC System – Store’s system | RFC (or another protocol that supports IDocs) | Application data | -
POS interface | SAP ECC System – POS System | RFC (or another protocol that supports IDocs) | Application data | Credit card information
AFS/SAP Retail interface | SAP ECC System – AFS System | RFC | ALE messages | -
Interface for space management systems | SAP ECC System – Space Optimization System | RFC | Application data | -
Interface to SAP Business Information Warehouse (SAP BW) | SAP ECC System – SAP BW System | RFC | Application data | -
For more information about communication paths, see the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → ECC → Logistics → SAP for Retail as follows:
● PRICAT
SAP Retail → Distributed Data Processing → Transfer of PRICAT Messages
● Store Physical Inventory
SAP Retail → Merchandise Logistics → Physical Inventory → Physical Inventory: Support for Carrying Out a Store Physical Inventory
● POS Interface
SAP Retail → Distributed Data Processing → POS Interface
● AFS/SAP Retail interface
SAP Retail → Distributed Data Processing → AFS to SAP Retail Interface
● Interface for space management systems
SAP Retail → Distributed Data Processing → Application Link Enabling (ALE) → Interface for Space Management Systems
For more information about communication security with SAP BW Systems, see the NetWeaver Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 04 Security Guide (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Type BI → SAP Business Information Warehouse Security Guide → Communication Security.
Authorizations Standard Authorization Objects The following tables show the authorization objects used by the Retail component. The Retail component also uses other SAP ECC authorization objects, which are described in other sections of the SAP ECC Security Guide.
Standard Authorization Objects: Retail (Software Component SAP-APPL)
Authorization Object Description
W_APPT IS-R Authorization Appointment
W_ASORT Authorization for Assortment Maintenance
W_ASORT_ST Authorization for the Assignment of Assortments to Plants
W_AUFT_BAA IS-R Authorization Document Type Allocation Table
W_AUFT_BAR IS-R Authorization Document Type Allocation Rule
W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant
W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies
W_FRM IS-R Authorization for Merchandise Distribution
W_GROUPTYP Authorization to Manage Site Grouping
W_LISTVERF IS-R Authorization to Use Listing Procedure
W_LIST_EAC Authorization Acceptance for Listing Errors
W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl
W_ONLSTORE Authorization for Starting Online Store
W_PCAT_LAY Authorization: Product Catalog - Layout Area
W_PCAT_MTN Authorization: Product Catalog - Maintenance
W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group
W_REF_SITE Authorization to Clean MMSITEREF Table
W_SRS_POS Authorizations for Open Store Physical Inventory
W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance
W_STRU_CHG IS-R Authorization: Allow Changes to Structured Material
W_STWB_WRK SAP Retail Store: Stores
W_TRAN_CCR IS-R Authorization: SAP Transaction
W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List
W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain
W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain
W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant
W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group
W_WAKH_MAT IS-R Authorization Action: Material Number
W_WAKH_THE IS-R Authorization Promotion: Theme
W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel
W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant
W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type
W_WTAD_AM IS-R Authorization for Additionals Monitor
W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List
W_WTAD_IR Request Additionals-IDoc via BAPI Call Function
W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc
W_WTRA_LOG Runtime Measurement - Authorization to Delete Data Records
W_WXP_DESI MAP: Design Planning Scenario
W_WXP_HIER Merchandise and Assortment Planning: Planning Hierarchy
W_WXP_INT Merchandise and Assortment Planning: Planning Interfaces
W_WXP_LAY MAP: Planning Layouts and Variants
W_WXP_PLAN MAP: Planning Scenario Planning
Standard Authorization Objects: Retail (Software Component EA-RETAIL)
Authorization Object Description
WLM Assignment of Articles for Layout Modules
WLMLOCLIST Creation of Assortments per Layout Module and Store
WLMVREL Release of Layout Module Version
WLMVV Layout Module Version Variant Maintenance
WLWBENT Access to Layout Workbench
WPLGACT Call External Space Management
WRF_CDT_H Article Hierarchy: Horizontal Hierarchy Maintenance
WRF_CDT_V Article Hierarchy: Vertical Hierarchy and Attribute Maintenance
WRF_FOLUP Authorization Follow-Up/Replacement Material Relationships
WRF_GH_AUT Generic Hierarchy: Authorization Check
WRF_OTBSPR Authorization Check OTB Special Release
W_BUDG_TY Budget Type
W_COCO Authorization for Condition Contract
W_RFAPC_GN Authorization for Operative SPS: General
W_RFAPC_RL Authorization for Operative SPS: Release
W_RF_MPA Authorization Object for Markdown Profile Assignment
W_RF_WLAY Authorization Object Layout
C_WRFCHVAL Authorization: Characteristic Value Maintenance
Global Trade
Network and Communication Security General Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [page 17].
Communication Channel Security Connection to an SAP FSCM System For Global Trade Management (EA-GLTRADE), you can also use an external SAP FSCM system to create forward exchange transactions. If you install SAP FSCM on a separate system, you need an RFC connection. If you install SAP FSCM on the same system as Global Trade Management, no RFC connection is needed.
Communication Path
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP System – SAP FSCM System (Financial Supply Chain Management) | RFC | Application data | -
RFC connections can be protected using Secure Network Communications (SNC). For more information about setting up RFC connections and the prerequisites (authorizations), see the ERP Implementation Guide (IMG) under Logistics General → SAP Global Trade Management → Currency Hedges → Maintain RFC Destination of the CFM System. For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Connection to an External Global Trade Services System (GTS System) For Global Trade Management (EA-GLTRADE), you can optionally connect an external GTS system. You use it to check whether the contract data in Global Trade Management complies with the applicable legal requirements (import/export controls, global trade data).
Communication Path
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ERP System – GTS System | RFC | Application data | -
All users in the SAP ECC system can call the functions on the GTS server through an RFC destination. In this RFC destination you specify a user that is used solely for communication with GTS. Because every call from SAP ECC reaches GTS under this stored user, regardless of which ECC user triggered it, give the communication user only the following roles for SAP Compliance Management:
Role Description
/SAPSLL/LEG_ARCH GTS Archiving
/SAPSLL/LEG_LCE_APP GTS Legal Control Export: Specialist
/SAPSLL/LEG_LCI_APP GTS Legal Control Import: Specialist
/SAPSLL/LEG_SPL_APP GTS Sanctioned Party List: Specialist
/SAPSLL/LEG_SYS_COMM GTS (Technical) System Communication
The RFC connection can be protected using Secure Network Communications (SNC). For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
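Because every GTS call from SAP ECC runs under the user stored in the RFC destination, that user should be a non-dialog user carrying exactly the five roles above and nothing else. The following is an added example, not from this guide: a Python check over constructed user records (user type as in field USTYP of table USR02, where B is a system user and C a communication user, plus the assigned roles) that flags a user type that permits interactive logon, roles beyond the listed set, and missing roles. The sample users and the extra role name Z_BASIS_ADMIN are constructed for illustration.

```python
"""Least-privilege check for the GTS communication user in the RFC destination.

Added example, not from the SAP ECC Security Guide. The expected roles are
the /SAPSLL/ roles the guide lists for the GTS communication user. User
types follow field USTYP of table USR02 (A dialog, B system, C communication,
S service, L reference). The sample records and the role Z_BASIS_ADMIN are
constructed for illustration.
"""

EXPECTED_GTS_ROLES = frozenset({
    "/SAPSLL/LEG_ARCH",
    "/SAPSLL/LEG_LCE_APP",
    "/SAPSLL/LEG_LCI_APP",
    "/SAPSLL/LEG_SPL_APP",
    "/SAPSLL/LEG_SYS_COMM",
})

# B (system) and C (communication) are the non-dialog types meant for RFC;
# A (dialog) and S (service) users can log on interactively.
NON_DIALOG_TYPES = frozenset({"B", "C"})

# Constructed sample records: user name -> (USTYP, assigned roles)
SAMPLE_USERS = {
    "GTS_RFC":     ("C", set(EXPECTED_GTS_ROLES)),
    "GTS_RFC_OLD": ("A", set(EXPECTED_GTS_ROLES) | {"Z_BASIS_ADMIN"}),
    "GTS_RFC_MIN": ("B", set(EXPECTED_GTS_ROLES) - {"/SAPSLL/LEG_ARCH"}),
}


def audit_comm_user(name, ustyp, roles, expected=EXPECTED_GTS_ROLES):
    """Return a list of findings for one user; empty means it matches the guide."""
    findings = []
    if ustyp not in NON_DIALOG_TYPES:
        findings.append(
            f"{name}: user type {ustyp!r} permits interactive logon; use type B or C")
    extra = sorted(set(roles) - expected)
    if extra:
        findings.append(f"{name}: roles beyond the GTS set: {', '.join(extra)}")
    missing = sorted(expected - set(roles))
    if missing:
        findings.append(f"{name}: missing GTS roles: {', '.join(missing)}")
    return findings


def audit_all(users=SAMPLE_USERS):
    """Return {user: findings} for every record."""
    return {name: audit_comm_user(name, ustyp, roles)
            for name, (ustyp, roles) in users.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A missing role is reported as well as an extra one: a communication user that lacks a listed role produces authorization failures on the GTS side rather than a security exposure, but the failures tend to be "fixed" in a hurry by adding far broader authorizations, which is the exposure this check is meant to catch early.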
Sales and Distribution (SD) Before You Start Important SAP Notes The most important SAP Notes that apply to component security are shown in the table below.
Important SAP Notes
SAP Note Number Title Comment
766703 FAQ: Credit card encryption in R/3 system
633462 Encrypting credit card data
791178 Credit card encryption in AR back end
727839 Authorization role for the SAP SCM - SAP R/3 integration
128447 Trusted/Trusting Systems Necessary for Customizing of the RFC relationship for trusted/trusting systems
Authorizations Standard Roles The following table shows the standard roles that are used by the SD component.
Standard Roles
Role Name
SAP_AUDITOR_BA_SD Audit Information System - Sales Revenue
SAP_AUDITOR_BA_SD_A Audit Information System - Sales Revenue
SAP_AUDITOR_TAX_SD AIS - Tax Audit Sales and Distribution
SAP_AUDITOR_TAX_SD_A AIS - Tax Audit Sales and Distribution (Authorization)
SAP_LO_SD_BACKORDERS Backorder Processing
SAP_LO_SD_BILLING_BATCH Process Billing by Batch
SAP_LO_SD_BILLING_DISPLAY Display Billing Documents
SAP_LO_SD_BILLING_PROCESSING Billing Processing Online
SAP_LO_SD_BLOCKED_BILLING_DOC Release Blocked Billing Documents
SAP_LO_SD_CONTRACT_PROCESSING Contract Processing
SAP_LO_SD_CREDIT_MANAGEMENT Credit Management in Sales Documents
SAP_LO_SD_DEALS_PROMOTI_PROCES Sales Deals & Promotions
SAP_LO_SD_INFORMATION_DISPLAY Display Customer & Material Information
SAP_LO_SD_INFORMATION_PROCESSI Maintaining Customer & Material Information
SAP_LO_SD_INQUIRY_PROCESSING Inquiry Processing
SAP_LO_SD_INVOICELIST_PROCESSI Invoice List Processing
SAP_LO_SD_OUTPUT_PROCESS Output Process
SAP_LO_SD_PRICING_DISPLAY Display Pricing
SAP_LO_SD_PRICING_MAINTAIN Maintain Pricing
SAP_LO_SD_QUOTATION_PROCESSING Quotation Processing
SAP_LO_SD_REBATE_PROCESSING Rebate Processing
SAP_LO_SD_RELEASE_FOR_DELIVERY Release Orders for Delivery
SAP_LO_SD_RETURN_PROCESSING Return Order Processing
SAP_LO_SD_SALES_DISPLAY Display Sales Information
SAP_LO_SD_SALES_ORD_PROCESSING Sales Order Processing
SAP_LO_SD_SALES_PERFORMANCE Sales Performance
SAP_LO_SD_SALES_SUPPORT Sales Support
SAP_LO_SD_SCHED_AGR_PROCESSING Scheduling Agreement Processing
Network and Communication Security SD calls the ERP availability check (component SD-BF-AC), which communicates with SAP APO. First, master and planning data are exchanged between APO and ERP; then planning transactions in APO are called from ERP. Technically this proceeds as follows: the APO ATP dialog is called from the sales order in dialog mode, and the APO view of the ATP check (transaction /SAPAPO/AC03) is displayed from the Availability Overview (transaction CO09).
For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide SCM 4.1 → Authorization → Integration with SAP Components → Integration of SAP APO and SAP R/3 → Authorization Roles for SAP APO – SAP R/3 Integration → Available to Promise (ATP).
Communication Destinations Create a batch input user as required. This is not included in the standard delivery.
For more information, see Batch Input Authorizations [Extern].
Data Storage Security Credit card numbers are stored in the SAP component SD. As this data is particularly sensitive, it requires additional protection and encryption.
For more information on credit card number encryption, see SAP Note 766703.
Human Capital Management
Personnel Management (PA)
Before You Start Important SAP Notes The following table presents the most important SAP Notes regarding security for Personnel Management.
Important SAP Notes
SAP Note Number | Title | Component
138526 | Authorization check in reports incorrect | PA-PA-XX
138533 | Authorization check for SUBTY does not function | PA-PA-XX
138706 | Authorization problems, analysis preparations | PA-PA-XX
142865 | SAPDBPNP authorization check is too strict | PA-PA-XX
142896 | No access on personnel number despite authorization | PA-PA-XX
148525 | Search help selects too little data | PA-PA-XX
151207 | Authorization check symmetric double-check | PA-XX
362675 | Deactivating P_ORGIN; activating P_PERNR | PA-PA-XX
383290 | External object types and structural authorizations | PA-BC
385319 | Change of master data in a productive Payroll | PA-PA-IT
385635 | Authorization check with employee subgroup change | PA-BC
390373 | External relationships: Creation of classes | PA-BC
495971 | Workflow 01000015 is not triggered when changing address | PA-PA-XX
514893 | Ad hoc query: Hit list differs from the output | PA-IS
552184 | Information on the object type of the central person | PA
693156 | Authorization check for reentry | PA-PA-XX
724149 | HRALX: Masking sensitive data | BC-BMT-OM-CRM
23611 | Collective Note: Security in SAP Products | BC-SEC
30724 | Data protection and security in SAP Systems | BC-SEC
Additional Information ● For extensive documentation on authorization objects in Personnel Management, see
SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].
● For some country versions, additional information is also available:
Country version Germany
○ Leitfaden Datenschutz für SAP R/3 (data protection guide for SAP R/3) in SAP Service Marketplace at service.sap.com for the country version Germany
Country version Great Britain (PA-PA-GB)
○ For an Implementation and User Guide for E-Filing Incoming, see SAP Service Marketplace at service.sap.com under the customer page for the country version Payroll Great Britain in the Media Center.
Country version Switzerland (PA-PF-CH)
○ For documentation on the settings and functions for the authorization object P_CH_PK for Pension Fund Switzerland, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Payroll → Payroll Switzerland → Pension Fund → Reference Guide for the Pension Fund → Authorizations → Authorization Object P_CH_PK [Extern].
User Management User management for Personnel Management uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Personnel Management, see the sections below. In addition, there is a list of the standard users that are necessary for operating Personnel Management.
User Management Tools The table below shows the tools for user management in Personnel Management.
User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Personnel Management users. |
User Types It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for Personnel Management include:
● Individual users
○ Administration users for
■ Personnel Administration
■ Benefits Administration
○ Managers for
■ Personnel Administration
■ Benefits Administration
■ Compensation Administration
■ Training and Event Management
○ Specialists for
■ Personnel Administration
■ Benefits Administration
■ Compensation Administration
■ Training and Event Management
● Technical users
Technical users are required for the following business processes:
○ WF-BATCH user
If you want to use the workflow functions for the different Personnel Management functions, you must create a WF-BATCH system user in the standard system.
○ Distribution of master data through ALE technology. For more information, see the documentation for the report RHALEINI (HR: ALE Distribution of HR Master Data).
○ Compensation Management (PA-CM): For the integration with the Award function, the technical user requires authorization for the following functions:
■ Call RFC function module HRCM_RFC_LTI_ACCRUALDATA_GET (Determine awards data for accumulating accruals)
■ Read the Award infotype (0382), authorization object P_ORGIN
○ Budget Management (PA-PM)
■ You use background processing to create commitments in accounting with a RFC connection. Depending on the process and the system landscape used, it may be necessary to set up a user for the background processing. You can use your own user (an additional logon is required) or set up a special commitment engine user.
For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
Authorizations Personnel Management uses the authorization provided by SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Personnel Management.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user management console for SAP Web AS Java.
Standard Roles The following table shows the standard roles that are used by Personnel Management.
Standard Roles
Role | Description
SAP_HR_BN* | Roles assigned to component PA-BN (Benefits)
SAP_HR_CM* | Roles assigned to component PA-CM (Compensation Management)
SAP_HR_CP* | Roles assigned to component PA-CM-CP (Personnel Cost Planning)
SAP_ESSUSER_ERP05 | Role with all non country-specific functions for Employee Self-Service. For more information, see the Security Guide for Self-Services [Seite 23].
SAP_EMPLOYEE_ERP05_xx | Roles related to the Employee Self-Service country versions
SAP_HR_OS* | Roles assigned to component PA-OS (Organizational Management)
SAP_HR_PA_xx_* | Roles related to international and country versions of the component PA-PA (Personnel Administration)
SAP_HR_PA_XF* | Roles assigned to the component CA-GTF-XF (SAP Expert Finder)
SAP_HR_PA_PF_xx_* | Roles assigned to component PA-PF (Pension Fund)
SAP_HR_PD* | Roles assigned to component PA-PD (Personnel Development)
SAP_HR_RC* | Roles assigned to component PA-RC (Recruitment)
SAP_HR_REPORTING | Role for Human Resources Analyst
SAP_AUDITOR_TAX_HR | Role HR-DE Steuerprüfung § 147 AO (Muster) (tax audit under § 147 AO, sample role) assigned to the component PA-PA-DE (Personnel Administration Germany). This role is relevant for Germany only.
SAP_ASR_EMPLOYEE | Enhancement of the role SAP_ESSUSER_ERP05 for employees that use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_MANAGER | Enhancement of the role SAP_ESSUSER_ERP05 with functions for persons with personnel responsibility that use the functions of the component PA-AS (HR Administrative Services)
SAP_ASR_ADMINISTRATOR | Enhancement of the role SAP_HR_PA_xx_* for HR administrators that use the functions of the component PA-AS (HR Administrative Services)
For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with “xx”, where “xx” represents the SAP country key, various roles exist for each of the country versions.
Standard Authorization Objects The following table shows the most important central security-relevant authorization objects used by Personnel Management.
For more information about Personnel Management authorizations, see SAP Library under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].
Most Important Standard Authorization Objects
Authorization Object | Name | Description
P_ORGIN | HR Master Data | Used when checking authorizations for HR infotypes. The check takes place when HR infotypes are edited or read.
P_ORGINCON | HR Master Data with Context | Has the same fields as P_ORGIN plus the field PROFL (structural profile). With this object, the HR master data check takes a user-specific context (structural profile) into account.
P_ORGXX | HR Master Data – Extended Check | Lets you check additional fields. You determine in Customizing whether this check is performed in addition to or instead of the HR master data check (P_ORGIN).
P_ORGXXCON | HR Master Data – Extended Check with Context | Has the same fields as P_ORGXX plus the field PROFL (structural profile). With this object, the extended check takes a user-specific context into account.
P_TCODE | HR: Transaction Code | Checks certain transactions in SAP Human Resources Management.
PLOG | Personnel Planning | Indicates which types of information processing a user is authorized to perform on personnel planning data.
PLOG_CON | Personnel Planning with Context | Has the same fields as PLOG plus the field PROFL (structural profile). With this object, the personnel planning check takes a user-specific context into account.
P_ASRCONT | Authorization for Process Content | Used by the authorization check for HR Administrative Services. It checks the authorization for access to the various process contents and also runs through the authorization objects that you have specified in Customizing in T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms [Extern].
In Customizing, you can determine whether specific authorization objects are to be checked. All central switches and settings for the Human Resources authorization check are summarized in table T77S0 in the Group for semantic short text for PD Plan AUTSW. Note that changes to the settings severely affect your authorization concept.
For more information about changing the main authorization switch, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management.
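Because a single changed switch in T77S0 can silently turn off the P_ORGIN/P_ORGINCON check for every infotype, it is worth comparing the AUTSW group before and after any such change. The following Python script is an added example (not part of this guide and not SAP code) of such an audit run over a constructed export of T77S0 rows. The export layout ("GRPID SEMID GSVAL" per line), the switch names and the meaning of their values are assumptions stated in the code; the check that matters most is that at least one HR master data authorization object is still active.

```python
"""Audit the central HR authorization switches (table T77S0, group AUTSW).

Added example for this guide, not SAP code. It reads a constructed export of
T77S0 rows ("GRPID SEMID GSVAL" per line) and flags switch combinations that
weaken the HR master data check. Switch semantics are assumed to be the
standard ones: ORGIN = P_ORGIN, ORGXX = P_ORGXX, INCON = P_ORGINCON,
XXCON = P_ORGXXCON, NNNNN/NNCON = customer-specific objects, PERNR = P_PERNR,
ORGPD = structural authorization check (0 = off).
"""
from __future__ import annotations

from dataclasses import dataclass

# Switches that decide whether an infotype access is checked against an
# HR master data authorization object at all.
MASTER_DATA_SWITCHES = ("ORGIN", "ORGXX", "INCON", "XXCON", "NNNNN", "NNCON")

# Constructed exports: the first is what a careless "make it work" change to
# T77S0 tends to leave behind, the second a conventional context setup.
WEAK_EXPORT = """
# GRPID SEMID GSVAL
AUTSW ORGIN 0
AUTSW ORGXX 0
AUTSW INCON 0
AUTSW XXCON 0
AUTSW PERNR 0
AUTSW ORGPD 0
"""

HARDENED_EXPORT = """
AUTSW ORGIN 0
AUTSW ORGXX 0
AUTSW INCON 1
AUTSW XXCON 0
AUTSW PERNR 1
AUTSW ORGPD 1
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" or "warning"
    switch: str
    message: str


def parse_t77s0(export: str) -> dict[str, str]:
    """Return {SEMID: GSVAL} for the AUTSW rows of a whitespace-separated export."""
    switches: dict[str, str] = {}
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        grpid, semid, *rest = line.split()
        if grpid != "AUTSW":
            continue
        switches[semid] = rest[0] if rest else ""  # blank GSVAL counts as off
    return switches


def is_on(switches: dict[str, str], semid: str) -> bool:
    return switches.get(semid, "").strip() not in ("", "0")


def audit_autsw(switches: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    active = [s for s in MASTER_DATA_SWITCHES if is_on(switches, s)]

    if not active:
        findings.append(Finding(
            "critical", "/".join(MASTER_DATA_SWITCHES),
            "no HR master data authorization object is active; "
            "infotype reads and writes are not checked"))

    # Plain and context variants of the same check are alternatives, not
    # additive (assumed): both active usually means a half-finished migration.
    for plain, context in (("ORGIN", "INCON"), ("ORGXX", "XXCON")):
        if plain in active and context in active:
            findings.append(Finding(
                "warning", f"{plain}+{context}",
                "both the plain and the context variant are active; confirm this is intended"))

    # The PROFL field of the context objects only means something when
    # structural profiles are evaluated, i.e. when ORGPD is on (assumed).
    if ("INCON" in active or "XXCON" in active) and not is_on(switches, "ORGPD"):
        findings.append(Finding(
            "warning", "ORGPD",
            "context objects are active but the structural authorization check is off"))

    if not is_on(switches, "PERNR"):
        findings.append(Finding(
            "warning", "PERNR",
            "P_PERNR is off; users cannot be restricted on their own personnel number (self-service scenarios)"))

    return findings


def worst_severity(findings: list[Finding]) -> str:
    if any(f.severity == "critical" for f in findings):
        return "critical"
    return "warning" if findings else "ok"


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        result = audit_autsw(parse_t77s0(export))
        print(f"{name}: {worst_severity(result)}")
        for f in result:
            print(f"  [{f.severity}] {f.switch}: {f.message}")
```

Run the script as is to see the two constructed exports rated; in practice you would feed it a download of the AUTSW rows (for example from transaction SE16) taken before a change and again after it, and treat any "critical" result as a stop condition before transporting the change.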
Communication Channel Security Use The table below shows the communication paths used by Personnel Management, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (transaction PU12) | ALE | Master data, Benefits data, Organizational data, as defined by the user |
SAP BW | Extractor program | Master data, Organizational data, Personnel Development data |
SAP CO (for distributed systems) | RFC | Cost centers, orders, and so on | Authorizations for CO objects are required here
External files | ASCII | Personnel Administration data | Applicable only for country versions Australia and New Zealand
Microsoft Word | Report interface with SAP NetWeaver Office Integration | |
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations Use Specific communication destinations are available for some Personnel Management components and Personnel Administration country-specific components.
Benefits (PA-BN)
When evaluating retirement benefits for employees, service-related data is sent to an external system using IDocs. The Benefits system places the IDocs in a special port. External systems can collect the IDocs from this port. The external systems evaluate the retirement benefits based on the transferred data and then send them with an inbound IDoc back to the SAP system.
There are no special functions from the Benefits system side to protect this data.
Enterprise Compensation Management (PA-EC)
Using IDocs, you communicate with banks and brokers through the SAP Business Connector. The transferred data must be encrypted.
For more information, see the documentation for the following reports:
● RHECM_GRANT_IDOC_OUT (Export LTI Grant Data)
● RHECM_PARTICIPANT_IDOC_OUT (Export LTI Participant Data)
● RHECM_EXERCISE_IDOC_IN (Import LTI Exercise Data)
Compensation Management (PA-CM)
The self-service scenario Salary Benchmarking (HRCMP0053) exchanges data with external benchmarking providers. You communicate synchronously and online using HTTPS.
SAP Expert Finder (CA-GTF-XF)
The component SAP Expert Finder can exchange data with external systems using RFC.
Personnel Administration
● HR Administrative Services
HR Administrative Services can transfer personal data from SAP E-Recruiting and return data to SAP E-Recruiting. For more information, see the Security Guide for SAP E-Recruiting under Technical System Landscape [Seite 184] and Communication Destinations [Seite 195].
● B2A Manager – Authorities Communication
Some country versions use the B2A Manager to exchange data with the authorities. For example, in the German country version (PA-PA-DE) you can exchange data with social insurance bodies and health insurance funds.
The B2A Manager supports the following communication channels and encryption procedures, depending on the recipient:
○ Communication channels
■ E-mail with file attachments
■ HTTPS (HTTP over SSL)
○ Encryption procedures
■ PEM (Privacy Enhanced Mail)
■ PKCS#7 (Public Key Cryptography Standard No.7)
● Pension Fund (PA-PF)
○ You can create files with SAP List Viewer (ALV) and TemSe (Temporary Sequential Objects).
○ There is no encryption of data in the standard system.
○ Country version Netherlands (PA-PF-NL): You can upload the inbound data using the GBA interface (Gemeentelijke Basis Administratie).
● Country version Germany (PA-PA-DE)
Employees can submit their tax returns in electronic form (ELSTER). Data is communicated using HTTP. The data is encrypted with PKCS#7. The tax authorities specify the procedure.
● Country version USA
For the VET and EEO reports for the country version USA, you can exchange data with local servers or terminals. With this function you can download files from the application server to a presentation server. This results in text files with the output format .txt, as required by the authorities. This output format is legally compliant.
The data is not encrypted in the standard system. You decide to what extent you want to encrypt data if you want to send data to the Federal Commission or the Department of Labor.
● Country version Great Britain
You can communicate with the GB Inland Revenue Gateway. The communication channel is encrypted with 128-bit SSL. Employee tax data is transferred over RFC connections and HTTPS.
Data Storage Security The infotypes in Personnel Management contain particularly sensitive data. This data is protected by central authorization objects.
For more information about authorization objects, see Authorizations [Seite 152].
Examples of infotypes containing particularly sensitive data:
● International infotypes for Personnel Administration (PA-PA)
○ Personal Data (0002)
○ Basic Pay (0008)
○ Bank Details (0009)
○ Family Member/Dependents (0021)
● Personnel Development (PA-PD)
○ Qualifications
○ Appraisals
● Personnel Cost Planning and Simulation (PA-CP)
○ Planning of Personnel Costs (0666), contains salary-based information
● Enterprise Compensation Management (PA-EC)
○ LTI Grant (0761)
○ LTI Exercise (0762)
● Management of Global Employees (PA-GE)
○ Compensation Package Offer (0706)
Other sensitive Personnel Management data
● Budget Management
The Budget Management component accesses the salary data of employees and displays data from the Controlling (CO) and Funds Management (FI-FM) components. The standard authorization concept for Human Resources, Controlling, and Funds Management is used for these processes. The following authorization objects are also available to protect the data:
○ P_ENCTYPE (HR: PBC - Financing): Determines which funds reservation types a user can access and which activities the user is allowed to perform.
○ P_ENGINE (HR: Authorization for Automatic Commitment Creation): Determines which activities a user is allowed to perform when creating commitments.
● Pension Fund (PA-PF)
Access to salary data, pensions and benefits entitlements is protected by the following authorization objects:
○ P_ORGIN (HR: Master Data)
○ P_CH_PK (HR-CH: Pension Fund: Account Access)
○ P_NL_PKEV (HR-NL: Authorization object for Pension Fund events)
● SAP Expert Finder (CA-GTF-XF)
For the connection with the external LDAP system, the user should only have read access to the data. The role SAP_HR_PA_XF_SERVICE_USER_DOC (HR Expert Finder: Service User for Access Search Engine) is available for this.
● Personnel Cost Planning (PA-CM-CP and PA-CP)
The old Personnel Cost Planning (PA-CM-CP) and the new Personnel Cost Planning and Simulation (PA-CP) components both save salary-relevant information to the clusters of the database PCL5. You can control access rights using the authorization object P_TCODE (HR: Transaction Code).
● Employee Interaction Center (PA-EIC)
The EIC Authentication infotype (0816) stores question-and-response pairs that an Employee Interaction Center agent uses to identify a calling employee. The infotype can only be maintained through the Authentication for EIC Employee Self-Service.
● HR Administrative Services (PA-AS)
The personnel file and all process instances are saved with intermediate statuses and history to the Case Management databases.
● Particularly sensitive data in the country versions
○ The transfer of salary and tax data using the B2A Manager is protected by the authorization object P_B2A (HR-B2A: B2A Manager).
○ Country version USA (PA-PA-US)
The social security number (SSN) in the Personal Data infotype (0002)
○ Country version Canada (PA-PA-CA)
The social insurance number (SIN) in the Personal Data infotype (0002)
○ Country version Australia (PA-PA-AU)
The Tax File Number (TFN) in the TFN Australia infotype (0227)
○ Country version New Zealand (PA-PA-NZ)
The Employee IRD Number in the IRD Nbr New Zealand infotype (0309). There are several ways to access this number:
■ Directly, using the IRD Nbr New Zealand infotype (0309) with the transaction Maintain HR Master Data (PA30)
■ Using the IRD Number pushbutton in the Tax New Zealand infotype (0313)
The necessary authorizations to read or change the IRD number depend on the authorizations in the user profile.
Security for Additional Applications Personnel Administration country-specific components use several reports that store security-relevant and sensitive data. This data includes employee data relating to salary, tax, social insurance, pension contributions, and garnishments.
The data is stored in temporary sequential (TemSe) files and used when printing legal forms, statistics, and business reports. Access to TemSe is controlled by the authorization object S_TMS_ACT. Data encryption is not necessary here. For a list of all reports and programs using TemSe, see the Personnel Administration documentation for your country version.
You can also download data directly from the front-end server (for example, PC/terminal) or application server without first storing the data records in the TemSe. To do so, you copy the data to a data carrier that you can then send to the authorities.
Other Security-Relevant Information Use Other security-relevant Customizing for infotype records
With the field Access Auth. (Access Authorization) in Table V_T582A (Infotype attributes (Customizing)), you can control access to an infotype record depending on whether the record belongs to the area of responsibility of a person responsible on the current date. For more information, see the Implementation Guide for Personnel Management under Personnel Administration → Customizing Procedures → Infotypes → Infotypes. Note in particular the help for the Access Authorization field.
Technical utilities without integrated authorization check
The following technical utilities read data without the user’s authorizations being checked. You should therefore only assign relevant report authorizations to roles containing system administrator functions.
● Reports with the prefix RHDBST*: Database statistics
● Reports with the prefix RHCHECK*: Consistency checks for Organizational Management and Personnel Development data.
If required, you can use the following reports (developed for SAP internal use) for testing purposes. However, SAP does not accept any responsibility for these reports:
● Report RPCHKCONSISTENCY: (Consistency check for HR master data)
● Report RPUSCNTC (Find Inconsistencies in Time Constraints)
Authorizations for the Implementation Guide for HR Administrative Services
The views in the Implementation Guide for HR Administrative Services are protected separately by a table authorization group so that users without authorization cannot maintain person-related data. In the authorization object S_TABU_DIS, field DICBERCLS (Authorization Group), the following groups are used:
● PASC: authorization group for all views of HR Administrative Services whose Customizing settings do not affect the authorization checks for users of HR Administrative Services.
● PASA: additional authorization group for the views whose settings may affect the authorization check for users of HR Administrative Services.
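Two of the checks a role reviewer would apply to the points above (over-wide P_ORGIN authorizations on the infotypes listed under Data Storage Security, and change access to the PASA table group) can be automated over an export of role authorization data. The script below is an added example, not code from this guide or from SAP. The row layout (role, object, authorization, field, low, high, modelled on the role authorization table AGR_1251) and the sample roles are constructed for the example and are assumptions, as is the wildcard and range matching it applies to LOW/HIGH values.

```python
"""Flag over-wide HR authorizations in role data.

Added example for this guide, not SAP code. Rows are constructed in the shape
of the role authorization table (assumed: AGR_1251 with role, object,
authorization name, field, low, high). Two checks run: P_ORGIN authorizations
that allow writing the sensitive infotypes named in this guide across all
personnel areas, and S_TABU_DIS authorizations that allow changing tables in
the PASA authorization group.
"""
from __future__ import annotations

from collections import defaultdict

# Infotypes the guide lists as particularly sensitive (PA-PA).
SENSITIVE_INFOTYPES = ("0002", "0008", "0009", "0021")

# Constructed role data: (role, object, authorization, field, low, high).
ROLE_ROWS = [
    # Wide-open HR administrator: every infotype, every activity, every personnel area.
    ("Z_HR_ADMIN_WIDE", "P_ORGIN", "T-0001", "INFTY", "*", ""),
    ("Z_HR_ADMIN_WIDE", "P_ORGIN", "T-0001", "SUBTY", "*", ""),
    ("Z_HR_ADMIN_WIDE", "P_ORGIN", "T-0001", "AUTHC", "*", ""),
    ("Z_HR_ADMIN_WIDE", "P_ORGIN", "T-0001", "PERSA", "*", ""),
    # Display-only analyst: infotype range, read access only.
    ("Z_HR_DISPLAY", "P_ORGIN", "T-0002", "INFTY", "0000", "0999"),
    ("Z_HR_DISPLAY", "P_ORGIN", "T-0002", "SUBTY", "*", ""),
    ("Z_HR_DISPLAY", "P_ORGIN", "T-0002", "AUTHC", "R", ""),
    ("Z_HR_DISPLAY", "P_ORGIN", "T-0002", "PERSA", "*", ""),
    # Administrator who may write, but only in one personnel area.
    ("Z_HR_ADMIN_1000", "P_ORGIN", "T-0003", "INFTY", "0002", ""),
    ("Z_HR_ADMIN_1000", "P_ORGIN", "T-0003", "AUTHC", "W", ""),
    ("Z_HR_ADMIN_1000", "P_ORGIN", "T-0003", "PERSA", "1000", ""),
    # Customizing roles for HR Administrative Services views.
    ("Z_ASR_CUST", "S_TABU_DIS", "T-0004", "DICBERCLS", "PASA", ""),
    ("Z_ASR_CUST", "S_TABU_DIS", "T-0004", "ACTVT", "02", ""),
    ("Z_ASR_VIEW", "S_TABU_DIS", "T-0005", "DICBERCLS", "PASC", ""),
    ("Z_ASR_VIEW", "S_TABU_DIS", "T-0005", "ACTVT", "03", ""),
]


def covers(low: str, high: str, value: str) -> bool:
    """Does one LOW/HIGH entry cover VALUE? ('*' = all, 'AB*' = prefix, HIGH set = range)."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def field_covers(entries: list[tuple[str, str]], value: str) -> bool:
    return any(covers(low, high, value) for low, high in entries)


def group_authorizations(rows):
    """Return {(role, object, auth): {field: [(low, high), ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        grouped[(role, obj, auth)][field].append((low, high))
    return grouped


def audit_roles(rows) -> list[tuple[str, str]]:
    """Return (role, reason) pairs for authorizations that deserve review."""
    findings: list[tuple[str, str]] = []
    for (role, obj, auth), fields in group_authorizations(rows).items():
        if obj == "P_ORGIN":
            can_write = field_covers(fields.get("AUTHC", []), "W")
            hit = [it for it in SENSITIVE_INFOTYPES if field_covers(fields.get("INFTY", []), it)]
            all_areas = any(low == "*" for low, _ in fields.get("PERSA", []))
            if can_write and hit and all_areas:
                findings.append((role, f"{auth}: write access to infotypes {','.join(hit)} in all personnel areas"))
        elif obj == "S_TABU_DIS":
            if field_covers(fields.get("DICBERCLS", []), "PASA") and field_covers(fields.get("ACTVT", []), "02"):
                findings.append((role, f"{auth}: change access to authorization-relevant HR Administrative Services views (PASA)"))
    return findings


if __name__ == "__main__":
    for role, reason in audit_roles(ROLE_ROWS):
        print(f"{role}: {reason}")
```

Of the constructed roles only Z_HR_ADMIN_WIDE and Z_ASR_CUST are reported: the display role has no write activity, and the personnel-area-bound administrator is limited by PERSA even though it may write infotype 0002. Extending the check to P_ORGINCON is a matter of adding the object name and treating PROFL like PERSA.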
Personnel Time Management (PT)
User Management It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
You require technical users for the following tasks in Personnel Time Management:
● To upload time events from the external time recording system you use the RPTCC106 report (HR-PDC: Download Upload Request for Time Events). You will normally schedule the report as a background processing job. For this you require a technical user. The authorizations of the technical user should be based on the authorizations for the PT80 transaction (Subsystem Connection).
Time events are uploaded from the subsystem by IDoc, which stores the time events in the CC1TEV interface table. For the upload, you require a technical user with authorizations for communication with an SAP system via Application Link Enabling (ALE) and the required table authorizations. The technical user does not require authorizations specific to the SAP HR solution.
You require a technical user with authorizations for the PT45 transaction (HR-PDC: Post Person Time Events) for the background processing job that transfers the time events from the interface table to the relevant Time Management tables.
● You require two types of technical users for BAPIs that store data in one of the PTEXDIR, PTEX2000, PTEX2003, or PTEX2010 interface tables.
○ To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.
○ For the subsequent background processing job to transfer data from the interface tables to the infotype database tables, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).
○ For technical users for the BAPIs that have read access to the infotypes, you can use the same authorizations as contained in the SAP_HR_PT_TIME-ADMINISTRATOR role.
● You also require technical users for all other ALE scenarios and BAPIs in Personnel Time Management.
For more information, see Communication Destinations [Seite 161].
Authorizations
The Personnel Time Management component uses the authorization provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to the Time Management component.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles The following table shows examples of standard roles that are used by the Time Management component.
Standard Roles
Role | Description
SAP_HR_PT_SHIFT-PLANNER | Shift Planner [Extern]
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator [Extern]
SAP_HR_PT_TIME-LABOR-ANALYST | Time and Labor Analyst [Extern]
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist [Extern]
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor [Extern]
SAP_ESSUSER_ERP05 | Employee Self-Service [Extern]
SAP_HR_PT_US_PS_TIME-ADM | Time Recording Administrator. This role is used only in the Public Sector in the country version for the USA.
Authorization Objects The Time Management component uses the Personnel Management authorization objects; it does not have any of its own.
For more information about the authorizations, see:
● The SAP Library. Choose Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].
● The Implementation Guide for Personnel Time Management: Choose Management of Roles and Authorizations.
Communication Destinations Use Special communication destinations are available for some Time Management components.
Connection to External Time Recording Terminals
Time Management supports a connection to external time recording systems (using the HR-PDC interface). Data is communicated using asynchronous BAPIs via IDocs.
For more information, see the SAP Library and choose Personnel Time Management → Integration with Other Components → Connection to External Time Management Systems [Extern].
External Interfaces to Personnel Time Management
You can use the Time Management BAPIs to exchange data with other time management software. The BAPIs enable you to read, create, change, or delete the time management data.
See also, for more detailed information:
● The SAP Library in the description of the ALE scenarios for Personnel Time Management under Scenarios in Applications → ALE/EDI Business Processes [Extern].
● SAP Note 44103: Setting Up the PDC Interface
Payroll (PY)
Before You Start Important SAP Notes The following table presents the most important SAP Notes regarding security for Payroll.
Important SAP Notes
SAP Note Number | Title | Comment
430595 | Tax Reporter Transaction and Spool Security | Only valid for the USA country version
Additional Information For more information about Payroll security, see the Personnel Management [Seite 149] Security Guide.
User Management User management for Payroll uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Payroll, see the sections below. In addition, there is a list of the standard users that are necessary for operating Payroll.
User Management Tools The table below shows the tools to use for user management with Payroll.
User Management Tools
Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your Payroll users. |
User Types It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
The user types required for Payroll include:
● Individual users
○ Administration user
○ Payroll manager
○ Payroll specialist
● Technical users
○ Payroll procedure administrator
○ ALE user for posting payroll results to Accounting
For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.
Authorizations The Payroll component uses the authorization provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to Payroll.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles The following table shows examples of standard roles that are used by the Payroll component.
Standard Roles
Role | Description
SAP_HR_PY_xx_PAYROLL-ADM | Payroll administrator <xx>
SAP_HR_PY_xx_PAYROLL-MANAGER | Payroll manager <xx>
SAP_HR_PY_xx_PAYROLL-PROC-ADM | Payroll procedure administrator <xx>
SAP_HR_PY_xx_PAYROLL-SPEC | Payroll specialist <xx>
SAP_HR_PY_xx_* | Roles for mapping country-specific tasks within payroll
SAP_HR_PY_PAYROLL-LOAN-ADM | Loan accounting administrator
xx stands for the country key. For the roles marked with an asterisk (*), additional roles exist for each of the countries.
You can find additional roles in the description of Personnel Management standard roles.
Standard Authorization Objects The following table displays the security-relevant authorization objects used by payroll.
Standard Authorization Objects
Authorization Object | Name | Description
P_PBSPWE | Process Workbench Engine (PWE) authorization | Authorizations for the Process Workbench Engine (PWE)
P_PCLX | HR: Cluster | Checked when accessing HR files in the PCLx cluster databases (x = 1, 2, 3, 4)
P_PCR | HR: Payroll control record | Authorization check for the payroll control record (transaction PA03)
P_PE01 | HR: Authorization for personnel calculation schemas | Authorization check for personnel calculation schemas (transaction PE01)
P_PE02 | HR: Authorization for personnel calculation rules | Authorization check for personnel calculation rules (transaction PE02)
P_PYEVDOC | HR: Posting document | Protection of actions on payroll posting documents
P_PYEVRUN | HR: Posting run | Control of the actions that are possible for posting runs
P_OCWBENCH | HR: Activities in the Off-Cycle Workbench | Used for the authorization check in the Off-Cycle Workbench
P_B2A | HR-B2A: B2A Manager | Authorization check for the B2A Manager; only relevant once the B2A Manager is in use
P_USTR | Tax reporter authorization (USA country version only) | Authorizations for the tax reporter (USA country version only)
S_TMS_ACT | Actions to/on TemSe objects | Determines who may execute which operations on which TemSe objects
Communication Channel Security
Use
The table below shows the communication paths used by Payroll, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (transaction PU12) | ALE | Determined by the user |
Display posting runs (transaction PCP0) | ALE | Data for cost accounting |
BSI Tax Factory for tax calculation | RFC | Tax data for the USA country version |

RFC connections can be protected using Secure Network Communication (SNC). For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
The following table provides an overview of the communication destinations that Payroll uses.

Communication Destinations

Destination | Delivered | Type | Description
BSI | | RFC with the function modules PAYROLL_TAX_CALC_US, PAYROLL_TAX_CALC_US_50, PAYROLL_TAX_CALC_US_60, PAYROLL_TAX_CALC_US_70 | For USA country version
Data Storage Security
Use
Payroll results are condensed and stored in an INDX-type table. Access is protected by the read and write authorizations for the infotypes in the standard system and by the authorizations for the required clusters.
Security for Additional Applications
Use
The country versions for payroll use reports in which sensitive data is displayed. For example, this data can be from the following sensitive areas:
● Salary
● Tax
● Social insurance
● Pension contributions
● Court orders
This data is stored in temporary sequential (TemSe) files to create and output legal forms, statistics, and analyses. Likewise, this technology is used to download data for the front end or application server directly, without storing the data as TemSe objects beforehand. The data can then be transferred from the front end or the application server to a data medium that can be transferred to the authorities.
You can control access to the TemSe objects within the ECC system using the authorization object S_TMS_ACT (TemSe: Actions at/to TemSe objects). Data encryption is not necessary here.
You can find information about the TemSe objects for your country version in the Payroll documentation for your country version.
Other Security-Relevant Information
Use
There is the following security-relevant information for the USA country version:
● You can update the Taxability model using the Interface Toolbox (transaction PU12). There are currently no special authorizations for this.
● You have the option of preventing unauthorized or accidental updates to the PCL4 database.
○ You can activate or deactivate the authorization checks for the tax return using the feature UTXSS.
○ You can determine the codes for spool authorizations depending on the tax company and the tax class using the feature UTXSP.
For more information, see the documentation for these features.
SAP Learning Solution
Technical System Landscape
The SAP Learning Solution provides very versatile installation and integration options. The distributed system architecture enables a scalable solution. Knowledge of the communication channels and of the relationships between the individual components is important to enable you to select the optimum security strategy.
The following graphic provides an overview of the technical system landscape of the SAP Learning Solution.

[Graphic: Technical System Landscape. Components shown: Offline Player (LSOOP) for offline learning; Content Player (LSOCP) on the SAP J2EE Engine; Learning Portal (Web AS + LSO FE Add-On) and BP for Learning Collaboration in EP; CMS and TREX in EP; Authoring Environment (LSOAE); SAP ECC Core / SAP ECC HCM Extension, which includes LSOTM Training Management (no add-on); mySAP HR Performance Management, Personnel Development, Master Data; SAP BW for analytical reporting; SAP Process Integration (PI / XI); external LMS; learning content and search. User interfaces: learner's, author's and manager's user interface on top of the business logic.]

Communication between the individual components is handled using RFC and HTTP. This enables you to distribute the components on multiple servers and thus to safeguard individual communication channels and servers specifically. If there are no specifically critical security requirements, you can combine all components on one server. The advantage of using a distributed system landscape is that it enables you to maximize security for individual components. The advantage of using a single server is that it enables you to reduce costs and improve system performance.
Persistence
Use
The following table contains a classification of the data that is saved in the SAP Learning Solution and specifies the tables in which it is saved. The SAP Learning Solution stores all data centrally in the ERP system.

Persistence of the Training Catalog
Table:
● Objects and their attributes: HRPnnnn
● Relationships: HRP1001 or additional data in HRPADnnn
Remarks: PD infotype framework. Courses, course types, and course groups are object types for which data is stored in infotypes. Links between the objects are realized using relationships. Relationship data is stored in transparent tables.
Components Used:
● LSOFE (read/write)
● ERP system (read/write)
● LSOCP (read/write)
Most Important Authorization Objects:
● P_ORGIN
● P_APPL
● PLOG

Persistence of Completion Information, Progress Data, SCORM Data
Table: LSOLEARN* tables of package LSO_LEARNERACCOUNT
Remarks: LSOLEARNING_C contains data for results feedback from the Content Player to the ERP system. All other data is used by the Content Player only.
Components Used:
● LSOCP (read/write)
● ERP system (read)

Persistence of Test Results
Table: LSOTACLRN* tables of package LSO_TAC_DD
Components Used:
● LSOCP (write)
● ERP system (read)

Persistence of Publishing Information
Table:
● LSOTACAS* tables of package LSO_TAC_DD for tests
● LSOLU* tables of package LSO_LEARNERACCOUNT
Components Used:
● LSOAE (read/write)
● LSOCP (read)
● ERP system (read/write)

Persistence of Digital Signatures
Table: LSOLEARNESIGN* tables of package LSO_LEARNERACCOUNT
Components Used:
● LSOFE (read)
● ERP system (read/write)
Learning Portal (LSOFE)
The Learning Portal (LSOFE) is the entry point for learners in SAP Learning Solution. The Learning Portal can be called directly by the SAP WAS or it can be integrated as an iView in SAP Enterprise Portal.
The following graphic provides an overview of the technical system landscape for the Learning Portal.

[Graphic: Learning Portal. Browser, SAP Enterprise Portal (optional), LSOFE, mySAP ERP, external LMS. Connections: HTTP/HTTPS from the browser to the portal and to LSOFE, HTTP/HTTPS + SSO2 from the portal to LSOFE, trusted RFC and RFC from LSOFE to mySAP ERP, SOAP to the external LMS. Learner 1 to Learner 7 mark the user types listed under User Management.]

The learner requires a user in SAP Web AS. No special authorizations are required for the user since the front end does not contain a persistence layer. All data is stored in the ERP system.

Configuration Settings
Browser:
● JavaScript must be active.
● SAP Web AS requires cookies for session handling.
● HTTP 1.1 is strongly recommended.
SAP Enterprise Portal:
● It may be necessary to map users between the user in the SAP Enterprise Portal and the Web AS user.
● You must maintain the RFC connection with the ERP system.
SAP ERP:
● A trusted relationship is required between SAP Web AS and the ERP system.
● If you want to implement the Objective Setting and Appraisals component, an HTTP/HTTPS channel is also required.
Content Player (LSOCP)
The Content Player (LSOCP) is called using a URL from the Learning Portal to play Web-based training courses (WBTs). The Content Player does not have a persistence layer. It reads and writes all data to the ERP system.
The following graphic provides an overview of the technical system landscape for the Content Player.

[Graphic: Content Player. Browser, Content Management System, LSOCP, mySAP ERP. Connections: HTTP/HTTPS from the browser to LSOCP, HTTP/HTTPS from LSOCP to the Content Management System, RFC from LSOCP to mySAP ERP. Content Player 1 to Content Player 4 mark the user types listed under User Management.]

Configuration Settings
Browser:
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.
Offline Player (LSOOP)
The Offline Player enables you to play instructional content offline without network access. It reads the instructional content and synchronizes the learner’s progress using the Content Player. Instructional content and learning progress are stored in the local file system. In the standard system, this is the learner’s home directory.
The following graphic provides an overview of the technical system landscape for the Offline Player.

[Graphic (captioned "Content Player" on the page): Browser, LSOOP, LSOCP. Connections: HTTP from the browser to LSOOP, HTTP/HTTPS from LSOOP to LSOCP. Offline Player 1 and Offline Player 2 mark the user types listed under User Management.]

Configuration Settings
Browser:
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.
LSOOP:
● Java 2 SDK 1.4.2 must be installed.
Authoring Environment (LSOAE)
The Authoring Environment (LSOAE) must be installed locally on the author’s PC. The Authoring Environment can be used online or offline. In online mode, you require a connection to the ERP system and the Content Management System. If you use it in offline mode, all data is stored in the local file system. You can choose the directory in which to store data. The data comprises course content and configuration data. You can protect this data at operating system level.
The following graphic provides an overview of the technical system landscape for the Authoring Environment.

[Graphic: Authoring Environment. Browser, LSOAE, Content Management System, mySAP ERP, TREX. Connections: HTTP from the browser to LSOAE, WebDAV from LSOAE to the Content Management System, RFC from LSOAE to mySAP ERP, HTTP from LSOAE to TREX. Author 1 to Author 4 mark the user types listed under User Management.]

The Authoring Environment contains a special version of the Content Player that plays course content locally while you are working with it in the Authoring Environment. As with the Offline Player, you cannot use this local Content Player remotely. You can only call it from the PC on which it is installed.
Configuration Settings
Browser:
● JavaScript must be active.
● Java VM must be active.
● SUN Java Plug-In 1.4.2 must be installed (but only if you want to use tests created with LSO Test Author).
● HTTP 1.1 is strongly recommended.
● Cookies are required for session handling.
LSOAE300:
● Java 2 SDK 1.4.2 must be installed.
Environment for the Training Administrator
The SAP GUI transactions required for the training administrator role are available in the ERP system.
The following graphic provides an overview of the technical system landscape for the back end.

[Graphic: Environment for the Training Administrator. SAP GUI, SAP Enterprise Portal (optional), mySAP ERP, Process Integration (PI/XI). Connections: DIAG from SAP GUI to mySAP ERP, RFC from mySAP ERP to Process Integration. User 1 to User 5 mark the user types listed under User Management.]
User Management
User management for SAP Learning Solution uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example, tools, user types, and password policies. See the sections below for an overview of how these mechanisms apply to SAP Learning Solution. In addition, there is a list of the standard users that are necessary for operating SAP Learning Solution.
User Management Tools
The table below shows the tools implemented for user management in SAP Learning Solution.

User Management Tools

Tool | Detailed Description | Prerequisites
User and role maintenance in SAP Web AS ABAP (transactions SU01, PFCG) | For more information, see Users and Roles (BC-SEC-USR) [Extern]. |
User Management Engine of SAP Web AS Java | For more information, see User Management Engine [Extern]. |
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for SAP Learning Solution include:
● Individual users
○ Access to Training Management (LSOTM) is done by means of dialog users. Access is either directly through SAP GUI or indirectly through the Authoring Environment (LSOAE).
○ Access to the Learning Portal (LPO) is handled by means of Internet users. The required users must exist in the front-end system (LSOFE) and in the Training Management system (LSOTM) if the components are installed on separate systems.
○ Access to SAP Enterprise Portal (EP) is handled by means of Internet users. Authors access the Content Management System (CMS) in SAP Enterprise Portal indirectly from the Authoring Environment (LSOAE). Learners access it via the browser if the LPO is embedded in EP or if you use Collaboration in EP.
● Technical users:
○ A communication user is used to access Training Management (LSOTM) when playing courses on the Content Player (LSOCP).
○ A communication user is used to access the Content Management System in SAP Enterprise Portal when playing courses on the Content Player (LSOCP).
○ A communication user is used for communication with external learning management systems (LMS) from the Training Management system (LSOTM) to access the Exchange Infrastructure (XI).
For more information on these user types, see User Types [Extern] in the SAP Web AS ABAP Security Guide.
This table contains details of user management for the various user types in the different tools of SAP Learning Solution.
User Types in the Learning Portal

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [Seite 169]
Depends on the operating system used | Learner in local operating system | Browser authorization | Learner 1
Portal user | Learner in SAP Enterprise Portal | No special authorization for the SAP Learning Solution | Learner 2
Dialog user | Learner in SAP Web AS | No special authorization for the SAP Learning Solution | Learner 3
Communication user | Learner in ERP system | SAP_HR_LSO_LEARNER | Learner 4
Service user | Collaboration in the ERP system | No special authorization for the SAP Learning Solution | Learner 5
Portal user | Collaboration in the SAP Enterprise Portal | No special authorization for the SAP Learning Solution | Learner 6
Anonymous | External LMS | Depends on LMS used | Learner 7
User Types in the Content Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [Seite 171]
Depends on the operating system used | Learner in local operating system | Browser authorization | Content Player 1
Anonymous | Content Player in SAP J2EE | | Content Player 2
Communication user | Content Player in the ERP system | SAP_HR_LSO_COURSEPLAYER | Content Player 3
Depends on the CMS used | Content Player in the Content Management System (CMS) | Read access via HTTP/HTTPS | Content Player 4

User Types in the Offline Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [Seite 171]
Depends on the operating system used | Learner in local operating system | Browser authorization | Offline Player 1
Anonymous | Content Player in SAP J2EE | | Offline Player 2
User Types in the Authoring Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [Seite 172]
Depends on the operating system used | Learner in local operating system | Browser authorization; authorization for Java 2 SDK 1.4.2 | Author 1
Depends on the CMS used | Author in the CMS | Authorization to lock, unlock, read, create, delete, and write data via WebDAV | Author 2
Communication user | Author in the ERP system | SAP_HR_LSO_AUTHOR | Author 3
Anonymous | Author | | Author 4
User Types in the Training Coordinator’s Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [Seite 174]
Depends on the operating system used | Learner in local operating system | SAP GUI authorization | User 1
Dialog user | Administrator in ERP system | SAP_HR_LSO_DEVELOPMANAGER, SAP_HR_LSO_HRMANAGER, SAP_HR_LSO_SPECIALIST, SAP_HR_LSO_TRAININGADMIN, SAP_HR_LSO_TRAININGMANAGER, SAP_HR_LSO_ACCOUNTINGADMIN, SAP_HR_LSO_FOLLOWUPADMIN, SAP_HR_LSO_PARTICIPADMIN, SAP_HR_LSO_RESOURCEADMIN | User 2
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | User 3
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | User 4
XI user | | XI access authorization | User 5
Authorizations
The SAP Learning Solution component uses the authorization concept provided by the SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP Learning Solution.
The SAP Web Application Server authorization concept is based on assigning authorizations to users on the basis of roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user administration console for SAP Web AS Java.
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by the SAP Learning Solution.

Standard Authorization Objects

Authorization Object | Field | Value | Description
P_ORGIN | HRPnnn | PD Infotype Framework: course, course types, and course groups | Used to determine and check a user’s authorizations at the level of HR master data
P_APPL | | | Used to control read and write authorizations for Applicant Management infotypes.
PLOG | | | Used at the level of Personnel Planning data to specify the types of information a user may receive.
Standard Roles
The following table shows the standard roles that are used by SAP Learning Solution. For more information, see User Management [Seite 174].

Standard Roles

Role | Description
SAP_HR_LSO_ACCOUNTINGADMIN | Training accounting
SAP_HR_LSO_AUTHOR | Course author or instructional designer
SAP_HR_LSO_COURSEPLAYER | User of the Content Player
SAP_HR_LSO_DEVELOPMANAGER | Personnel Development Manager Training
SAP_HR_LSO_FOLLOWUPADMIN | Course follow-up
SAP_HR_LSO_HR-MANAGER | HR Manager Training
SAP_HR_LSO_LEARNER | Learner
SAP_HR_LSO_MANAGER | Manager
SAP_HR_LSO_PARTICIPADMIN | Participation administration
SAP_HR_LSO_RESOURCEADMIN | Manage resources
SAP_HR_LSO_SPECIALIST | System Specialist Training
SAP_HR_LSO_TRAININGADMIN | Training Administrator
SAP_HR_LSO_TRAININGMANAGER | Training Manager
Communication Channel Security
The following graphic displays an overview of the communication channels listed in the tables below.

[Graphic: Technical System Landscape and Communication Channels. SAP Web AS ABAP: LSOFE, ECC. SAP Web AS Java: LSOCP, EP 6.0. Java 2 SDK: LSOAE, LSOOP. Channels shown: RFC, RFC / JCo, trusted RFC, HTTP/HTTPS, WebDAV over HTTP/HTTPS, HTTP.]
The tables below show the communication paths used by SAP Learning Solution, the protocol used for the connection, and the type of data transferred.
For a better understanding of the table, you should also display the graphics, which provide an overview of the technology landscape.
Learning Portal
See also: Learning Portal (LSOFE) [Seite 169]

Communication Paths for the Learning Portal: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentications supported by the SAP Web AS, typically form-based logon or standard authentication. Anonymous is supported. However, you should not use it since unique learner assignment is not possible in the back end. | With standard authentication, passwords are transferred in plain text. Consequently, you should protect the transports using SSL.
SAP Enterprise Portal, iView Server | HTTP, HTTPS | All authentications supported by the SAP Web AS. Typically, you can use the Single Sign-On ticket (SSO) here since logon has already been done in the Enterprise Portal. | For SSO, you must import the Enterprise Portal certificate into the SAP Web AS.

Communication Paths for the Learning Portal: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
ERP system | RFC | Trusted RFC |
SAP Enterprise Portal / Collaboration | RFC | Ticket | User4 for authentication, User3 for RFC authorization
Content Player
See also: Content Player (LSOCP) [Seite 171]

Communication Paths for the Content Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentications supported by the SAP Web AS/J2EE. The standard system uses anonymous. You do not require advanced authentication in the standard system since access is protected by a ticket. | Access to the Content Player is protected by a ticket. The ticket ensures that content can only be called one time using the URL. Only one ticket is valid at any one time.

Communication Paths for the Content Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | HTTP, HTTPS | Anonymous, Basic | You store the user for authentication when you configure the Content Player. If you use HTTPS, you must set up HTTPS support of the J2EE Engine. X.509 certificate management is realized using the J2EE Engine.
ERP system | RFC (JCo) | User/password | You store the user for authentication when you configure the Content Player. You must create a service user for the Content Player in the ERP system.
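The two properties the inbound table states for the Content Player ticket (a content URL can be called only once, and only one ticket is valid at any one time) are easy to get wrong when building or reviewing a comparable gateway, so the following added example models them. It is written for this guide's readers and is not SAP's Content Player code; it assumes a server-side store keyed by learner in which issuing a ticket replaces the previous one and redeeming a ticket consumes it. The class and function names (SingleUseTicketStore, walkthrough) and the sample learner id are the example's own.

```python
import hmac
import secrets
from typing import Dict


class SingleUseTicketStore:
    """Server-side store for one-time content tickets (added example, not SAP code).

    Properties modelled from the guide's Content Player table:
    - a learner holds at most one valid ticket at any time,
    - issuing a new ticket invalidates the previous one,
    - a ticket can be redeemed exactly once (a replayed URL is refused).
    """

    def __init__(self) -> None:
        self._current: Dict[str, str] = {}  # learner -> currently valid ticket

    def issue(self, learner: str) -> str:
        """Create a fresh, unguessable ticket; any earlier ticket becomes invalid."""
        ticket = secrets.token_urlsafe(32)
        self._current[learner] = ticket  # overwrites the previous ticket, if any
        return ticket

    def redeem(self, learner: str, ticket: str) -> bool:
        """Consume the ticket if it is the learner's current one, else refuse."""
        current = self._current.get(learner)
        if current is None:
            return False
        # constant-time comparison: a wrong ticket is rejected without leaking
        # how many leading characters matched
        if not hmac.compare_digest(current.encode(), ticket.encode()):
            return False
        del self._current[learner]  # consumed: calling the same URL again fails
        return True

    def outstanding(self) -> int:
        """Number of learners that currently hold an unredeemed ticket."""
        return len(self._current)


def walkthrough() -> Dict[str, bool]:
    """Exercise the properties above and return each outcome for checking."""
    store = SingleUseTicketStore()
    learner = "learner-4"  # constructed sample id (cf. "Learner 4" in the graphic)
    first = store.issue(learner)
    second = store.issue(learner)  # replaces `first`: only one ticket valid at a time
    return {
        "stale_ticket_rejected": not store.redeem(learner, first),
        "current_ticket_accepted": store.redeem(learner, second),
        "replay_rejected": not store.redeem(learner, second),
        "forged_ticket_rejected": not store.redeem(learner, "A" * 43),
        "unknown_learner_rejected": not store.redeem("nobody", second),
        "store_empty_after_use": store.outstanding() == 0,
    }


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The store deliberately keys on the learner rather than on the ticket alone, so that a ticket copied from one learner's URL cannot be redeemed under another learner's session; a production implementation would additionally bind the ticket to the content being played and give it an expiry, neither of which the guide specifies.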
Offline Player
See also: Offline Player (LSOOP) [Seite 171]

Communication Paths for the Offline Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from a local PC only.

Communication Paths for the Offline Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
LSOCP | HTTP, HTTPS | All authentications of the SAP Web AS/J2EE. |
Authoring Environment
See also: Authoring Environment (LSOAE) [Seite 172]

Communication Paths for the Authoring Environment: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from a local PC only.

Communication Paths for the Authoring Environment: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | WebDAV, via HTTP, HTTPS | Anonymous, Basic | WebDAV is an enhancement of the HTTP protocol. The Authoring Environment does not contain a separate truststore for X.509 certificates. The Security Provider and the truststore of the Java 2 SDK installation are used. X.509 certificates may have to be imported from the Content Management System if you want to use encrypted communication with SSL.
ERP system | RFC (JCo) | User/password | Credentials must be entered in a dialog box when switching to online mode.
Environment of the Training Administrator in the Back End
See also: Environment for the Training Administrator [Seite 174]

Communication Paths for the Back End: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP GUI | DIAG | Standard SAP GUI |

Communication Paths for the Back End: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP Enterprise Portal | RFC | With an SSO2 ticket. You store the user and password for generating the ticket in Customizing. | Only necessary if integration with Collaboration for SAP NetWeaver is active.
External Learning Management System (via XI) | SOAP | Anonymous |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Other Security-Relevant Information
Profile Parameters
To ensure communication between the systems, you must set the following profile parameters using the Profile Parameter Maintenance transaction (RZ11):
mySAP ERP
● For communication with Single Sign-On tickets (SSO) via RFC connections, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.
● For communication with cookies using connections via the HTTP protocol, you must set the parameter login/create_sso2_ticket in the ERP system.
SAP Web AS ABAP
● For authentication with SSO2, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.
● If you want to implement the Objective Setting and Appraisals component, you must also set the parameter login/create_sso2_ticket.
For more information, see the documentation for the parameters in transaction RZ11.
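Because a missing or switched-off SSO2 parameter only shows up as a failed logon later, it is worth checking the instance profiles of every system in the landscape before go-live. The following checker is an added example for this guide's readers, not an SAP tool: it assumes the plain "name = value" line format of SAP instance profiles with "#" comment lines and a last-occurrence-wins rule for repeated parameters, and it reads "must set" as present with a non-zero value (login/create_sso2_ticket has several non-zero modes; the RZ11 documentation says which one a scenario needs). The two sample profiles are constructed for the demonstration.

```python
import re
from typing import Dict

# Parameters this section of the guide says must be set for SSO2 ticket logon.
# Assumption for the check: "set" means present with a non-zero value.
REQUIRED_SSO2_PARAMS = ("login/accept_sso2_ticket", "login/create_sso2_ticket")

# "name = value"; parameter names may contain "/", ".", "_" and "-"
_PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse the 'name = value' lines of an SAP instance profile.

    Lines whose first non-blank character is '#' are comments and blank lines
    are skipped; if a parameter appears more than once the last occurrence
    wins, as it does in the profile itself.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _PARAM_LINE.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_sso2_params(params: Dict[str, str]) -> Dict[str, str]:
    """Return a status per required parameter: 'ok', 'off' (value 0/empty) or 'missing'."""
    status: Dict[str, str] = {}
    for name in REQUIRED_SSO2_PARAMS:
        value = params.get(name)
        if value is None:
            status[name] = "missing"
        elif value.strip() in ("", "0"):
            status[name] = "off"
        else:
            status[name] = "ok"
    return status


def profile_is_sso2_ready(text: str) -> bool:
    """True only if every required parameter is present and non-zero."""
    return all(s == "ok" for s in check_sso2_params(parse_profile(text)).values())


# Constructed sample profiles (not taken from any real system).
GOOD_PROFILE = """\
# instance profile, constructed sample
SAPSYSTEMNAME = ERP
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 2
"""

BAD_PROFILE = """\
# constructed sample: acceptance switched off by a later line,
# ticket creation never set at all
SAPSYSTEMNAME = ERP
login/accept_sso2_ticket = 1
login/accept_sso2_ticket = 0
"""

if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_sso2_params(parse_profile(profile)))
```

Run it against the profile files themselves rather than against values shown in RZ11 on one application server: a parameter set dynamically in RZ11 is lost at the next restart, and the profile is what every instance of the system actually starts with.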
SAP E-Recruiting
Before You Start
Important SAP Notes
The following table presents the most important SAP Notes regarding security for SAP E-Recruiting.

Important SAP Notes

SAP Note Number | Title | Comment
711701 | Composite SAP note: Security in E-Recruiting |
957038 | Security gap in cross-site scripting |
960728 | Security gap in Cross-Site Scripting |
1017866 | Consulting note: Candidate scenarios using ABAP Web Dynpro | Includes information about the possible system constellations, changing from BSP to Web Dynpro, securing the backend system

For more relevant SAP Notes, see the Security Guide for Personnel Management under Before You Start [Seite 149].
Technical System Landscape
The following graphics provide an overview of the technical system landscape for SAP E-Recruiting.

[Graphic: Functional Architecture. Non-SAP side: recruitment service providers, job boards, other tools, non-ERP system, external career page. SAP side: backend ERP, internal career page, back office, E-Recruiting.]

[Graphic: The “E-Recruiting Box”. SAP Web AS hosting SAP E-Recruiting, business partner, index and database; KPRO; TREX as the system for text retrieval.]
Technologies used:
● Presentation layer: Business Server Pages (BSP), Web Dynpro ABAP, HTML, HTMLB, JavaScript
● Business Logic: ABAP/OO

[Graphic: Basic Architecture. Zones: Internet, DMZ with application gateway / proxy gateway, Intranet. Internal user (browser, SSO optional) and external user (Web browser) reach E-Recruiting via HTTP(S); the system administrator uses SAP GUI; SMTP (Mail) in and out; TREX and the database beside E-Recruiting; RFC and RFC (ALE) to mySAP ERP and PA-AS (HR Administrative Services); SAP XI to a non-SAP system.]

Basic Architecture when Using Web Dynpro ABAP
Using Web Dynpro ABAP as the interface technology means that it is possible to run front-end and backend together on one system or separated on different systems for the candidate scenarios.

[Graphic: Front-End and Backend on One System. Same zones and connections as the basic architecture; the candidate (Web browser) reaches the candidate front-end, which runs on the same system as SAP E-Recruiting.]

[Graphic: Front-End and Backend on Different Systems. Same zones and connections as the basic architecture; the candidate front-end runs on a separate system from SAP E-Recruiting.]

[Graphic: Front-End and Backend on Different Systems (SAP E-Recruiting Integrated with ERP). The backend SAP E-Recruiting and the front-end for internal candidates run on ERP / SAP NetWeaver; the front-end for external candidates runs on a separate SAP NetWeaver system whose database holds no relevant data; the two systems are connected via RFC.]
User Management
User management for SAP E-Recruiting uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java) such as tools, user types, and password policies. For an overview of how these mechanisms apply for SAP E-Recruiting, see the sections below. In addition, there is a list of the standard users that are necessary for operating SAP E-Recruiting.
User Management Tools
The following table shows the user management tools for SAP E-Recruiting.

User Management Tools

Tool | Detailed Description | Prerequisites
User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your SAP E-Recruiting users. |
Technical Settings for User Management in SAP E-Recruiting | For more information on user profiles and the roles, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration. |
Workflow Settings | For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting. | You use the SAP Workflow.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for SAP E-Recruiting are:
For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration → Create Special Users.
● Reference user
You can create reference users to simplify authorization maintenance. You assign different roles to each reference user. If you then assign a reference user to a user, the user inherits all of the reference user’s role attributes and authorization profile.
...
● Communication user
To enable access to documents in the document area, you create a user that is assigned to the contentserver service (IMG activity: Set Up Access to Documents). This user is a purely technical user, only required for communication with the Web Application Server.
● Service user
Some scenarios are accessible for registered users only; other scenarios are also accessible for unregistered users (registration, job postings, direct application). You must assign a service user to these services so that an unregistered user can use them.
● Background user for workflow
To be able to use the workflow functions, you must create a system user (such as WF-BATCH) in the standard system.
For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.
In SAP E-Recruiting you must also assign this user (in addition to the other users) to a candidate. You can do this by using the RCF_CREATE_USER report.
● Standard user
For information about the following topics, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration:
○ User profile
○ Roles (transaction PFCG)
○ Special users
Authorizations
SAP E-Recruiting uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP E-Recruiting.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user management console for SAP Web AS Java.
Standard Roles
The following table shows the standard roles that are used by SAP E-Recruiting.
Standard Roles for User Interfaces with BSP Technology
Role Description
SAP_RCF_BUSINESS_ADMINISTRATOR (Administrator)
Administrator for SAP E-Recruiting
SAP_RCF_CONTENT_SERVER (Search Engine Access)
Access to the Search and Classification (TREX) search engine
SAP_RCF_DATA_TYPIST (Data Entry Clerk)
The role contains the authorization for minimum data entry for incoming paper applications.
SAP_RCF_DECISION_MAKER (Decision Maker)
The decision maker answers questionnaires about candidates who are assigned to requisitions. In the questionnaires, the decision maker is asked for his or her opinion.
SAP_RCF_EXTERNAL_CANDIDATE (External Candidate)
This role may only display its own data. The role can only see job postings that you published via publications using the external posting channels.
SAP_RCF_INTERNAL_CANDIDATE (Internal Candidate)
This role may only display its own data. The role can only see job postings that you published via publications using the internal posting channels.
The role does not have access to the following data:
● Requisition data
● Posting data
● Application data
● Data for the selection process
SAP_RCF_MANAGER (Manager)
This role is required so that managers can access SAP E-Recruiting from the Portal (Manager Self-Service).
The manager wants to fill the vacant jobs in his or her area. To do this, the manager creates requisitions with the status In Process that are then processed further by recruiters.
The role has access to the following data:
● Candidate data: The manager can see only the candidate data that is assigned to requisitions for which the manager is responsible.
● Requisition data and data for selection processes: The manager can only see data for which he or she is responsible.
The role also contains the authorization to respond to questionnaires about candidates that are assigned to the relevant requisitions.
SAP_RCF_MANAGER_ASSISTANT (Manager’s Assistant)
This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.
SAP_RCF_RECRUITER (Recruiter)
The role has access to the following data:
● Candidate data: The data is displayed for all candidates who stored their data in the Talent Pool.
● All publications
● All requisition data
● All application data
● All data for the selection processes
The role also contains the authorization for minimum data entry for incoming paper applications.
SAP_RCF_SUCCESSION_PLANNER (Succession Planner)
This role contains the following aspects:
● Display of all candidates that are part of the Talent Pool
● Requisition data (succession plan data): Shows all requisitions of the Succession Planning subarea in the system
● Candidacy data: Shows all candidacies that were created in the system within Succession Planning
Applications, job postings, and publications are not required for this role.
SAP_RCF_REST_SUCCESSIONPLANNER (Restricted Succession Planner)
Succession planner without the authorization to release succession plans. An approval process is required for this.
SAP_RCF_REQUISITION_REQUESTER (Requester)
The requester creates requisitions and sends them with the status In Process to a recruiter who then completes the requisition, phrases the job posting, and releases both.
SAP_RCF_RESTRICTED_RECRUITER (Restricted Recruiter)
Recruiter without the authorization to release requisitions. An approval process is required for this.
SAP_RCF_TALENT_CONSULTANT (Talent Consultant)
This role is only used for the Career Portal and is no longer in use in the standard SAP E-Recruiting system.
SAP_RCF_UNREGISTERED_CANDIDATE (Unregistered Candidate, Service User)
Standard Roles for User Interfaces with Web Dynpro ABAP
Role Description
SAP_RCF_UNREG_CANDIDATE_CLIENT (Unregistered Candidate, Client)
This role contains the necessary authorizations for unregistered candidates/service users that are required on the front-end system when using a separated system (front-end and backend on different systems).
SAP_RCF_UNREG_CANDIDATE_SERVER (Unregistered Candidate, Server)
This role provides the necessary authorizations for an unregistered candidate/service user in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).
SAP_RCF_EXT_CANDIDATE_CLIENT (External Candidate, Client)
This role contains the necessary authorizations for external candidates that are required on the front-end system when using a separated system (front-end and backend on different systems).
SAP_RCF_EXT_CANDIDATE_SERVER (External Candidate, Server)
This role provides the necessary authorizations for an external candidate in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).
SAP_RCF_INT_CANDIDATE_CLIENT (Internal Candidate, Client)
This role contains the necessary authorizations for internal candidates that are required on the front-end system when using a separated system (front-end and backend on different systems).
SAP_RCF_INT_CANDIDATE_SERVER (Internal Candidate, Server)
This role provides the necessary authorizations for an internal candidate in SAP E-Recruiting that are required on the backend system when using a separated system (front-end and backend on different systems).
Standard Authorization Objects
The following table shows the security-relevant authorization objects that are used by SAP E-Recruiting.
For more information, see the documentation for SAP E-Recruiting under Authorizations (Recruitment) and Authorizations (Succession Planning).
Standard Authorization Objects
Authorization Object Field Value Description
P_RCF_APPL RCF_APPL Authorization object that specifies within SAP E-Recruiting which SAP E-Recruiting applications a user can call.
SAP E-Recruiting is divided into several applications. You can assign authorizations for each application and then assign them to the corresponding roles. For a list of applications with their values and descriptions, see table T77RCF_LOG_APPL.
R_RCF_VIEW RCF_VIEW Authorization object that specifies within SAP E-Recruiting which data overviews a user can access.
P_RCF_POOL RCF_POOL Authorization object that specifies within SAP E-Recruiting which type of direct access a user can have to the candidates in the Talent Pool.
The following ways to access the candidate pool directly are available:
● Status-Independent Access to Candidates (DIRECT_ACC)
● Recognition of Multiple Applicants (DUPL_CHECK)
● Maintenance of Candidate Data (CAND_MAINT)
P_RCF_STAT RCF_STAT Authorization object that specifies within SAP E-Recruiting the authorization for status changes to SAP E-Recruiting objects (for example, candidate, application, candidacy).
P_RCF_ACT ACTVT
● Add or Create
● Change
● Delete
Authorization object that specifies within SAP E-Recruiting which type of access a user can have to activities. An activity in SAP E-Recruiting is identified by its assigned process and by its activity type.
P_RCF_WL RCF_WL_ID Authorization object that specifies within SAP E-Recruiting which worklists a user can access in the Dashboard.
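As an added illustration (not SAP-delivered code), the following ABAP shows how an application would enforce the P_RCF_POOL object described above before touching the Talent Pool directly; the report name, the local class, and the calling logic are assumptions for the example.

```abap
*&---------------------------------------------------------------------*
*& Added example, not part of SAP E-Recruiting: guard direct Talent Pool
*& access with authorization object P_RCF_POOL (field RCF_POOL).
*& Report name, class name and the call at the end are assumed.
*&---------------------------------------------------------------------*
REPORT z_rcf_pool_guard_example.
TYPE-POOLS abap.

CLASS lcl_pool_guard DEFINITION.
  PUBLIC SECTION.
    TYPES ty_access TYPE c LENGTH 10.
    " The three values of field RCF_POOL listed in the guide
    CONSTANTS:
      c_direct_acc TYPE ty_access VALUE 'DIRECT_ACC',  " status-independent access
      c_dupl_check TYPE ty_access VALUE 'DUPL_CHECK',  " recognition of multiple applicants
      c_cand_maint TYPE ty_access VALUE 'CAND_MAINT'.  " maintenance of candidate data
    CLASS-METHODS is_allowed
      IMPORTING iv_access         TYPE ty_access
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_pool_guard IMPLEMENTATION.
  METHOD is_allowed.
    rv_allowed = abap_false.
    " Reject anything that is not one of the defined access types, so a
    " typo in the caller cannot silently turn into an unintended check.
    IF iv_access <> c_direct_acc AND
       iv_access <> c_dupl_check AND
       iv_access <> c_cand_maint.
      RETURN.
    ENDIF.
    AUTHORITY-CHECK OBJECT 'P_RCF_POOL'
      ID 'RCF_POOL' FIELD iv_access.
    " sy-subrc 0 = authorized, 4 = not authorized, 12 = object not in the
    " user master record. Everything other than 0 fails closed.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Assumed caller: a recruiter report about to maintain pool candidate data
  IF lcl_pool_guard=>is_allowed( lcl_pool_guard=>c_cand_maint ) = abap_false.
    MESSAGE 'No authorization to maintain candidate data in the Talent Pool' TYPE 'E'.
  ENDIF.
  " ... the actual candidate maintenance would follow here (assumed)
```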
Additional Standard Authorization Objects when Using Web Dynpro ABAP
Authorization Object Field Value Description
S_RFC ACTVT, RFC_NAME, RFC_TYPE
Authorization object for RFC access
(For more information, see the documentation for Authorization Object S_RFC.)
S_RFCACL ACTVT, RFC_CLIENT, RFC_EQUSER, RFC_INFO, RFC_SYSID, RFC_TCODE, RFC_USER
Authorization check for RFC users (for example, Trusted System)
(For more information, see the documentation for Authorization Object S_RFCACL.)
S_ICF ICF_FIELD SERVICE Authorization checks for using services in Internet Communication Framework (SICF), for calling remote function modules using an RFC destination (SM59), and for configuring proxy settings (SICF). (For more information, see the documentation for Authorization Object S_ICF.)
Communication Channel Security
Use
The table below shows the communication paths used by SAP E-Recruiting, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front-end client that uses SAP GUI for Windows for the application server | DIAG | All Customizing data | Passwords
Front-end client that uses a Web browser for the application server | HTTP, HTTPS | All application data | Passwords
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
Communication Destinations
The following table provides an overview of the communication destinations that SAP E-Recruiting uses.
You use the following communication destinations depending on which application you use to manage your HR master data:
● If you use the SAP GUI transactions to maintain HR master data (for example, transactions PA*), communication with SAP E-Recruiting runs via RFC connections.
● If you use the HR Administrative Services application, communication with SAP E-Recruiting runs via SAP NetWeaver PI (Process Integration).
Communication Destinations
Destination | Delivered | Type | User, Authorizations | Description
SAP E-Recruiting to SAP Human Resources Management | No | RFC | See Implementation Guide (IMG) | IMG: SAP E-Recruiting → Recruitment → Applicant Tracking → Activities → Set Up Data Transfer for New Employees
From SAP Human Resources Management to SAP E-Recruiting | No | RFC | See IMG: SAP E-Recruiting → Technical Settings → SAP ERP Central Component (ECC) Integration → Software Runs on Different Instances → Set Up Data Transfer from SAP ECC |
From SAP E-Recruiting to TREX | No | RFC | See IMG: SAP E-Recruiting → Technical Settings → User Administration → Create Special Users | SAP E-Recruiting → Technical Settings → Search Engine → Set Up Search Engine for E-Recruiting
From SAP E-Recruiting to HR Administrative Services | No | XI messages | | Transfer external candidate's data when hiring
From HR Administrative Services to SAP E-Recruiting | No | XI messages | | Return personnel number of former external candidate to SAP E-Recruiting
Changes to the HR master data are transferred to SAP E-Recruiting using the master data distribution in the ALE scenario.
The following table provides an overview of the communication destinations that SAP E-Recruiting uses if you want to use Web Dynpro ABAP to separate the front-end from the backend for the candidate scenarios (front-end and backend on different systems).
Communication Destinations for Separated Systems
Destination | Delivered | Type | User, Authorizations | Description
SAP E-Recruiting (front-end) to SAP E-Recruiting (backend) | No | RFC | See IMG: SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Front-End Candidate → Enter RFC Destination of Receiving Backend System | You enter the RFC destination as the value of the RECFA UI2BL parameter.
SAP E-Recruiting (backend) to SAP E-Recruiting (front-end) | No | RFC | See IMG: SAP E-Recruiting → Technical Settings → User Interfaces → Settings for User Interfaces with Web Dynpro ABAP → Backend Candidate → Specify System Parameters for Web Dynpro | You enter the RFC destination as the value of the RECFA BL2UI parameter.
Data Storage Security
The SAP E-Recruiting data is saved as follows:
● If you use SAP E-Recruiting integrated with other SAP applications, the data is saved in the SAP Web AS or SAP ECC databases.
● If you use SAP E-Recruiting as a standalone application, the data is saved directly in the SAP E-Recruiting databases. No databases other than this standard database are required.
The application is accessed through a Web browser. The SAP Web AS must be able both to issue cookies and to accept them.
When you use Web Dynpro ABAP as the interface technology and the front-end and backend are separated on different systems, the system generates the URLs based on the backend system, as the data is stored there. When generating the URL, you can use the database table HTTPURLLOC (HTTP URL Location Exception Table) to replace the actual server name with another one. In this way, it is possible to use a proxy server or similar to access documents.
Defense Forces & Public Security
Before You Start
Basic Recommendations
The Defense Forces & Public Security component is based on the SAP ERP Central Component. For this reason, the relevant Security Guide also applies. The Security Guide for the Defense Forces & Public Security component contains only information about component-specific features.
Technical System Landscape
Use
For a presentation of the multilevel system landscape, see the documentation for mySAP ERP in SAP Library under Defense Forces & Public Security → Support for the Domestic Base and Operations and Exercises → System Architecture and Offline Capabilities.
User Administration and Authentication
The Defense Forces & Public Security component uses the user administration and authentication mechanisms of the SAP NetWeaver platform, in particular of the SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the Defense Forces & Public Security component.
The following component-specific tools are also used for user administration. For more information, see the documentation for mySAP ERP in SAP Library under Defense Forces & Public Security → System Architecture.
In addition to these guidelines, we also provide you with information about user administration and authentication, specific to the Defense Forces & Public Security component, in the following section:
● User Management [page 198]
User Management
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.
The user types required for the Defense Forces & Public Security applications are:
● Individual users:
○ Dialog users are used for the following functions for the SAP GUI for Windows or RFC connections:
- Personnel assignment
- Human Resources infotypes
- Qualification management
- Management of flying hours
The other users are usually the same as the users listed for Human Resources. Note in particular the users for Personnel Management. For more information, see User Management [page 150].
You may want to differentiate users according to target and actual planning. This cannot be defined in the standard system, however, since it depends on your particular organization.
Standard Users
No particular standard users are provided for the Defense Forces & Public Security component. You are advised to divide up your users according to business-related processes. This means that you could define the following business-related user groups, for example:
● The process of material assignment for a soldier or individual
You could further divide the user group by the following users:
○ Users that are only responsible for the target planning (materials requirements in the organization on a job/position level)
○ Users that are responsible for the actual planning and goods issue
● The process of managing flying hours
User group for defining the annual flying hours program and recording the actual flying hours
● The personnel development process
User group for defining the qualification block hierarchy, that is, the grouping of qualifications according to business criteria
For master data maintenance, the guidelines in the Security Guide for Personnel Management (PA) [page 149] apply.
Authorizations
The Defense Forces & Public Security component uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Defense Forces & Public Security.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user administration console for SAP Web AS Java.
Standard Roles
Roles and authorization profiles are not defined for Defense Forces & Public Security.
Standard Authorization Objects
The following table presents the security-relevant authorization objects that are used by the Defense Forces & Public Security applications.
Standard Authorization Objects
Authorization Object Class Value Description
C_DRAW_TCD CV Authorization for Document Activities
C_KLAH_BKP CLAS Authorization for Class Maintenance
C_TCLA_BKA CLAS Authorization for Class Types
EXTBAT_CRE LO Create External Batch Structure for Purchase Orders
EXTBAT_MNT LO Change External Batch Structures
I_ROUT PM PM: Task Lists
I_TCODE PM PM: Transaction Code
PLOG HR Personnel Planning
C_PVS_PNID PPE iPPE Node: External Key
C_PVS_PNTY PPE iPPE Node: Type
C_PVS_PVID PPE iPPE Variant: External Key
C_PPE_PAID PPE iPPE Alternative: External Key
C_PVS_PATY PPE iPPE Alternative: Type
C_PVS_PVTY PPE iPPE Variant: Type
S_SCD0 BC_Z Change Documents
S_TCODE AAAB Transaction Code Check at Transaction Start
DF_FOR_REL DFPS Force Element: Relationships
M_MATE_STA MM_G Material Master: Maintenance Statuses
M_MATE_WRK MM_G Material Master: Plants
M_MSEG_BMB MM_B Material Documents: Movement Type
M_MSEG_MWB MM_B Material Documents: Plant
M_MSEG_BWA MM_B Goods Movements: Movement Type
M_MSEG_LGO MM_B Goods Movements: Storage Location
M_MSEG_WWA MM_B Goods Movements: Plant
In addition, Defense Forces & Public Security uses the Human Resources authorization objects. For more information, see the description of the Human Resources authorization objects, in particular those for Personnel Management.
Network and Communication Security
Subareas of Defense Forces & Public Security use the standard functions in the infotype framework for Personnel Administration and Personnel Development. For more information, see the Security Guide for Personnel Management.
In the case of the material assignment function, the existing interfaces (BAPIs) are used to communicate with applications outside of Human Resources, such as Materials Management.
Data Storage Security
Data is stored in databases in the SAP system. For general information about the security of the data storage, see the Security Guide for Personnel Management, for example.
Note that the following infotypes may contain sensitive data:
● Personal Features (0804)
● Sanctions (0802)
Appendix
For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.
You can also access additional security guides via SAP Service Marketplace at service.sap.com/securityguide.
For more information about security issues, see SAP Service Marketplace at service.sap.com followed by:
Topic | SAP Service Marketplace
Master guides, installation guides, upgrade guides, and Solution Management guides | /instguides, /ibc
Related notes | /notes
Platforms | /platforms
Network security | /network, /securityguide
Technical infrastructure | /ti
SAP Solution Manager | /solutionmanager