2 security guides p 12

Document version: 2014-07-31

Security Guide for SAP Solution Manager 7.1

CUSTOMER

Document History

CautionBefore you start the implementation and configuration of SAP Solution Manager, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/instguides

SAP Components SAP Solution Manager .

The following table provides an overview of the most important document changes.Table 1Support Package Stacks(Version)

Description

SP10 GeneralRole enhancements for Infrastructure Roles: SAP_SYSTEM_REPOSITORY_*, and SAP_SM_RFC_*, see section Authorization and Roles for Infrastructure.Guide structure enhancement to the following individual sections: Secure System Configuration (specifically relating to system configuration issues in regard to security) SAP Solution Manager Authorization Concept

User Interface (SAP NWBC 4.0 not supported) Landscape Setup Guide Scenario-specific Guides Overviews User Authentication and Administration Tools:

new section about Solution Manager User Administration (SMUA) mass tool enhanced section on Automatic User Creation in SOLMAN_SETUP (new fields User Group,

Namespace, Role Upload) new section on password policy for SAP Solution Manager default users

Roles and Authorizations for Infrastructure and LMDB usage, see section on Roles for Infrastructure and LMDBNew single roles SAP_SM_BP_* for Business Partner and Product assignment in LMDB and related queries.New single role for LMDB Dashboard SAP_SM_DASHBOARDS_DISP_LMDBNew authorization object check for LMDB Remote Access AI_LMDB_RE (included in roles SAP_SYSTEM_REPOSITORY_*)Adapted role SAP_SM_SOLUTION_ALLAdapted role SAP_SOLMAN_DIRECTORY_*Adapted role SAP_SM_RFC_ADMIN (added authorization object S_RFC_TT)Adapted roles SAP_SYSTEM_REPOSITORY_* (primarily for authorization object S_RFC)

2

CUSTOMER Copyright 2014 SAP AG or an SAP affiliate company.All rights reserved.

Security Guide for SAP Solution Manager 7.1Document History

Support Package Stacks(Version)

Description

Scenario-Specific GuidesCheck out changes in the Document History for the following scenarios: Custom-Code Life Cycle Management (CCA, CCML) Business Process Operations Business Process Change Analyser Change Request Management Incident Management

NoteAuthorizations for ST-ICC are described in the according ST-ICC Configuration Guide.

Solution Documentation Assistant Test Management Implementation (cProject ITPPM integration) Solution Manager Administration Technical Monitoring Technical Administration (IT Task Inbox and Guided Procedure) Quality Gate Management SAP Engagement and Service Delivery Job Management

Important SAP Notes 1812046 (Role Updates in case of CUA) 1830640 (Roles for READ, TMW, and Back RFC Users) 1908051 (Roles for ST-PI (managed systems))

SAP TAO Section on SAP TAO has been transferred to the SAP TAO Administrators Guide, see on the Service

Marketplace at: service.sap.com/saptao .

SP11 General Authorization object S_ICF for temporary RFC - connections during configuration using transaction

SOLMAN_SETUP implemented. Role enhancement for all configuration users and SOLMAN_ADMIN in SAP Solution Manager required. See update flag for roles in transaction SOLMAN_SETUP after update for the following roles:SAP_SM_BASIC_SETTINGS, SAP_BPCA_CONFIG, SAP_BPO_CONFIG, SAP_CHARM_CONFIG, SAP_DVM_CONFIG, SAP_SM_BIM_CONF, SAP_SM_CBTA_CONFIG, SAP_SM_CCM_CONFIG, SAP_SM_EEM_CONF, SAP_SM_IC_CONF, SAP_SM_ITMO_CONF, SAP_SM_JMON_CONF, SAP_SM_PIM_CONF, SAP_SM_SCHEDULER_CONFIG, SAP_SM_SYM_CONF, SAP_SUPPDESK_CONFIG, SAP_TAO_CONFIG, SAP_TSAM_CONF

Scenario-Specific Guides


CUSTOMER Copyright 2014 SAP AG or an SAP affiliate company.

All rights reserved. 3


Description

Check out changes in the Document History for the following scenarios: new scenario-specific guide: Effort and Scope Analyzer (SEA) Implementation and Upgrade (SEA integration) Change Request Management (Import Authorizations; CSOL RFC-connection; CTS) Job Management Quality Gate Management Landscape Setup Guide (Enhancement of SLD - related section) Technical Monitoring Test Management (CBTA) Custom Code Management Technical Administration (Guided Procedures) Business Process Operations IT Service Management (new section: Additional Security Measures) BPCA (new section: Additional Security Measures)

SP12 General Enhanced: Overview of Function Integration Enhanced: User Authentication and Administration Tools

Automatic user update using Automated Managed System Configuration Storage of multiple users in SMUA Expert mode for user creation and RFC creation Additional user types (Reference User for Template/Demo user, Service User)

Enhanced: Additional Security Measures (Documents: Virus Scan - automatic VSI check, use of Firefox Browser; Reject callback parameter settings)

Scenario-Specific GuidesCheck out changes in the Document History for the following scenarios: Landscape Setup Guide (Automatic User Update using Automated Managed System Configuration,

SOLMAN_SETUP Configuration Administration) Guided Procedure Framework (Chapter: Authorization Concept for SAP Solution Manager) Business Process Operations (integration Notification Management, Job Monitoring, and Interface Channel

Monitoring, Project-based Delivery) Technical Administration (integration of IT Task Management configuration in transaction

SOLMAN_SETUP) Incident Management Change Request Management Technical Monitoring (Job Monitoring, individual roles for Message Flow Monitoring; CSU) Data Volume Management (iCI Dashboard) Custom Code Management (ATC integration, iCI Dashboard)

4




Description

Business Process Change Analyzer (and TAO) Test Management (Redesign CBTA user and roles) Implementation (CDMC; Roadmap) SAP Solution Manager Administration (Enhancement due to Archive Log and Role Comparison Tool) Measurement Platform (iCI Dashboard) SAP Service Delivery and Engagement

Important SAP Notes 1830640 (Roles for READ, TMW, and Back RFC Users) 1968406 (ST-PI: Authorization changes in roles for SAP-BASIS < 700)




Content

1 Security Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.1 Target Group of This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.3 How to Use this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.4 Links for Additional Components on the Service Marketplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.5 Using SAP Solution Manager as a Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

3 Terminology as Used in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4 Quick Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

5 Overviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355.1 Overview: Capabilities/Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355.2 Overview: Solution Manager Functions Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365.3 Overview: Solution Manager Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385.4 Overview: Solution Manager Technical RFC - Users per Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . 395.5 Overview: Third Party Products to Be Used with Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 40

6 System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

7 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437.1 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437.2 Communication Channels and Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437.3 Internet Communication Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447.4 Secure Socket Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467.5 HTTP Connect Service for SAP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477.6 File Transfer Protocol (FTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477.7 Use of Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

8 User Administration and Authentication Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498.1 Basic SAP User Management Tools and User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498.2 Automatic User Creation using Transaction SOLMAN_SETUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528.3 Automatic Managed System Configuration Update using Transaction SOLMAN_SETUP . . . . . . . . . . 558.4 Automatic Mass User Creation/Update using Solution Manager User

Administration (SMUA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568.5 Passwords for Solution Manager Default Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578.6 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588.7 Integration into Single Sign-On Environments (SSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

9 Authorization Concept for SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609.1 User Definitions in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

6


Security Guide for SAP Solution Manager 7.1Content

9.2 End - User Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619.3 Configuration User Roles for SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699.4 Integration of Functions/Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719.5 Authorizations and Roles for Infrastructure (LMDB, BP, Projects, Solutions, Directory) . . . . . . . . . . . 739.6 Guided Procedure Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749.7 Work Center Navigation Role Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759.8 Using SAP Solution Manager with Customer Relationship Management (CRM) . . . . . . . . . . . . . . . . . 839.9 Using SAP Solution Manager with Business Warehouse (BW) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

General Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 BI - Reporting Data Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Configuration of BW and Activation of BW - Content (Step by Step) . . . . . . . . . . . . . . . . . . . . . . 86 Diagnostics Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 BI - Reporting Authorizations and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Using BI - Dashboards for BI - Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

9.10 Using the Help Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929.11 Authorizations for User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939.12 Critical RFC Connections and Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Generated RFC - Connection . . . . . . . . . . . . . . . . . . . . . . 98

Authorization Objects S_RFCACL and S_RFC_TT for Trusted RFCs . . . . . . . . . . . . . . . . . . . . . . . 99 Generated RFC - Connections READ, TMW and BACK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Authorization Object S_RFC and S_DEV_REMO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Authorization Object S_TABU_DIS and S_TABU_CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Authorization Object S_TABU_NAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Authorization Object S_DEVELOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

9.13 How to Build Your Own Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

10 Using Central User Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10710.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10710.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10910.3 Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11110.4 Configuration Integration in Transaction SOLMAN_SETUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

11 Additional Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

12 Data Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

13 Landscape Setup, Configuration, and Root Cause Analysis Guide . . . . . . . . . . . . . . . . . . . . . . 11813.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11813.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12313.3 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12413.4 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12713.5 Required TCP/IP Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13013.6 SAP Solution Manager Configuration Work Center / Transaction SOLMAN_SETUP . . . . . . . . . . . . . 13313.7 Root Cause Analysis Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13513.8 SOLMAN_SETUP Configuration Administration Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13713.9 Users Created During Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Database User SAPDB [MANAGED.DB.USER] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 OS Engine User [MANAGED.OS.SIDADM] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138




OS User Dedicated to the Diagnostics Agent ADMIN [MANAGED.OS.AGTSIDADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

13.10 Users and Authorizations for SAP Solution Manager Configuration/Operation . . . . . . . . . . . . . . . . . 139 Password Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Configuration and Administration User SOLMAN_ADMIN [SOLMAN.DUAL.ADMIN] . . . . . . . . . . 140 Technical User SM_AMSC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Technical User SMD_AGT [SOLMAN.DUAL.AGTCOM] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Technical User SOLMAN_BTC [SOLMAN.DUAL.BTC] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Technical User SM_EXTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Technical User SM_INTERN_WS [SOLMAN.DUAL.EXTERN] . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . . . . . . . 146 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Technical User SMD_RFC [SOLMAN_DOUBLE_SMDRFC] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Technical User SEP_WEBSRV [SOLMAN.ABAP.WEBSRV] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Technical User CONTENTSERV [SOLMAN.ABAP.CONTSERV] . . . . . . . . . . . . . . . . . . . . . . . . . 149 Technical User for RFC - connection BACK

[MANAGING.ABAP.RFC] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 User Wily Guest [SOLMAN.WILY.GUEST] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

13.11 Users and Authorizations for Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 NGAP - Based Managed Systems Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Administrator User in ABAP: SM_ADMIN [MANAGED.JAVA.ABAP.ADMIN] . . . . . . . . . . . . . . . . 150 Administrator User in Java: SM_ADMIN_ [MANAGED.JAVA.ADMIN] . . . . . . . . . . . 151 Technical User SMDAGENT_ for Wily Host Agent

[MANAGED.ABAP.WILYAGT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Technical Users for RFC - Connections READ and TMW [MANAGED.ABAP.RFC] . . . . . . . . . . . . . 152 SAPSUPPORT User [MANAGED.DUAL.SAPSUPPORT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Technical User SM_COLL_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 J2EE Administrator J2EE_ADMIN [MANAGED.J2EE.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Administrator OS User [MANAGED.OS.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Technical Users for CTC Configuration and Runtime Activation . . . . . . . . . . . . . . . . . . . . . . . . . 157

13.12 Users and Authorizations for BW Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 BW Administrator User SM_BW_ADMIN [SOLMAN.BI.ADMIN] . . . . . . . . . . . . . . . . . . . . . . . . . 157 Technical User SM_BW_ACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Technical User SM_EFWK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Technical User SMD_BI_RFC [SOLMAN.BI.RFC] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Technical User SM_BW_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Dialog User SAPSUPPORT [SOLMAN.DUAL.SAPSUPPORT][SOLMAN.BI.SUPPORT] . . . . . . . . . 146 Dialog User SAPSERVICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Technical User BI_CALLBACK [SOLMAN.BI.CALLBACK] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Diagnostics Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

13.13 Users and Authorizations for SLD and LMDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Technical User SLD_CS_USER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Technical User SLDAPIUSER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Technical User SLDDSUSER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Technical User for CTC Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

13.14 S-Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 S-User for SAP Backend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 S-User for Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

13.15 Landscape Modelling and Infrastructure Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

8



User Roles for System Landscape Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 User Roles for Solutions, Projects, Solution Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 User Roles for System Landscape Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

13.16 User Role for TREX Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17213.17 Configuration User Roles for SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6913.18 Business Partners Created During Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17413.19 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

14 Scenario-Specific Guide: Solution Manager Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . 17714.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17714.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17814.3 Users and Authoriaztions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

15 Scenario-Specific Guide: Technical Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18315.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18315.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18715.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Scenario Configuration Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

15.4 Work Center Technical Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19415.5 User Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19515.6 User Roles for System, Database, Host Monitoring, and Self - Monitoring . . . . . . . . . . . . . . . . . . . . 196

First Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Second Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

15.7 User Roles for Process Integration - Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 First Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Second Level Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

15.8 User Roles for Message Flow Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 First Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Second Level Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Function Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

15.9 User Roles for End-User Experience Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 First Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Second Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

15.10 User Roles for Business Intelligence Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 First Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Second Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

15.11 User Roles for Interface (Channel) Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 First Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Second Level Roles in SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

15.12 End-User Roles for Job Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 First Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Second Level User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

15.13 User Roles for Infrastructure Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 First Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Second Level User Description and User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215




15.14 Integration Visibility in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21615.15 Role for Technical Monitoring Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21715.16 Role for Technical Monitoring Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21715.17 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21715.18 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21915.19 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

16 Scenario-Specific Guide: Maintenance Optimizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22216.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22216.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22216.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . . . . . . . . . . . . . . . . 227 S-User Authorization for Maintenance Optimizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

16.4 CRM Standard Customizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22816.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 User Roles in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

16.6 System Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

17 Scenario-Specific Guide: Change Request Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23317.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23317.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23617.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

17.4 CRM Standard Customizing for Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24317.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Users and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 Best Practice: Manage Import Authorizations in Managed Systems . . . . . . . . . . . . . . . . . . . . 253 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

17.6 System Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23217.7 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

18 Scenario-Specific Guide: Quality Gate Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26118.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26118.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26318.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

18.4 CRM Standard Customizing for Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

10



18.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 User Descriptions and User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . 268 User Descriptions and User Roles in the Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Central CTS-Integration User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . 271 Critical Authorization Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

18.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

19 Scenario-Specific Guide: Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27419.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27419.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27519.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27519.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

User Descriptions and User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . 27619.5 Critical Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27919.6 System Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

20 Scenario-Specific Guide: Implementation and Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28120.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28120.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28220.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

20.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 User Descriptions and User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . 289 User Descriptions and User Roles in Managed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

20.5 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 User Roles for Roadmap Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 User Roles for Activation of Business Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306 User Roles for Custom Development Management Cockpit (CDMC) . . . . . . . . . . . . . . . . . . . . . 307 User Roles for Upgrade Dependency Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 User Roles for Customizing Comparison and Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 User Roles for BC-Set Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

20.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31020.7 External Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Business Process Management Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 Enterprise Service Repository within Process Integration (PI) . . . . . . . . . . . . . . . . . . . . . . . . . . 314 SAP Productivity Pak by RWD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Business Process Blueprinting Tool (BPB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

20.8 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

21 Scenario-Specific Guide: Solution Documentation Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 31721.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31721.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31821.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319




Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

21.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

21.5 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32721.6 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

22 Scenario-Specific Guide: Test Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32922.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32922.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28222.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332 Technical Users for RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

22.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

22.5 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 User Roles for Test Workbench Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 User Roles for Extended Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 User Roles for CBTA (Component-Based Test Automation) . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

22.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35922.7 External Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Tool with BC ECATT- Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 Quality Center by HP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 IBM Rational Test Management Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

23 Scenario-Specific Guide: Business Process Change Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . 36523.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36523.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36723.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367


23.4 CRM Standard Customizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37223.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37323.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37723.7 Additional Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

24 Scenario-Specific Guide: Custom - Code Life Cycle Management . . . . . . . . . . . . . . . . . . . . . . 37924.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37924.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38024.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381


12



24.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 User Descriptions and User Roles in the SAP Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . 384 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

24.5 Background Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

25 Scenario-Specific Guide: Scope and Effort Analyzer (SEA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 38825.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38825.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38825.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

25.4 User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39325.5 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39525.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

26 Scenario-Specific Guide: IT Service Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39726.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39726.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39926.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402 Technical Users for RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . . . . . . . . . . . . . . . . 227 S-User Authorization for Service Desk and Expert on Demand . . . . . . . . . . . . . . . . . . . . . . . . . 407

26.4 CRM Standard Customizing for Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40726.5 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

26.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41526.7 External Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

External Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41626.8 Additional Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

27 Scenario-Specific Guide: Job Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41927.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41927.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42027.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Technical User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

27.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 User Roles (Old) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 User Roles (New) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

27.5 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31027.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43627.7 External Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439




SAP CPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439

28 Scenario-Specific Guide: SAP Engagement and Service Delivery . . . . . . . . . . . . . . . . . . . . . . 44028.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44028.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44128.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER) . . . . . . . . . . . . . . . . . . 227 S-User Authorization for Service Desk and Expert on Demand . . . . . . . . . . . . . . . . . . . . . . . . . 407 S-User Authorization for Data Download from SAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450 Business Partners Created During Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

28.4 CRM Standard Customizing for Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45228.5 Recommended Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452

User Descriptions and User Roles to Use the Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 User Description and User Roles for Service Delivery (Premium Engagement) . . . . . . . . . . . . . . 458 Enterprise Service Reporting User - ES_REP_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Supportability Performance Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 User Descriptions and User Integration Roles for Issue Management . . . . . . . . . . . . . . . . . . . . 460 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

28.6 Security Optimization Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46228.7 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

29 Scenario-Specific Guide: Technical Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46329.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46329.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46529.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

29.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 User Descriptions and Roles for Technical Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 User Roles for IT Task Inbox and Guided Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471 Service Availability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 Main Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

29.5 Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47829.6 Traces and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

30 Scenario-Specific Guide: Business Process Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47930.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47930.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48230.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Scenario Configuration User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

30.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

14



User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48930.5 User Roles for Additional Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Dashboard User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495 Solution Maintenance via Work Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310 End-User Roles for CDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

30.6 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

31 Scenario-Specific Guide: Data Volume Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49731.1 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49731.2 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49931.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 Scenario Configuration User and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

31.4 Users and Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 User and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Critical Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

31.5 Scenario Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

32 Measurement Platform and Enterprise Support Reporting (iCI - Interactive Continuous Improvement) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508

32.1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50832.2 Document History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50932.3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Scenario Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Communication Channels and Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Technical Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

32.4 Interactive Continuous Improvement (iCI) Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

33 Service Provider Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51433.1 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51433.2 Service Provider Customer RFC-Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51433.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51533.4 Service ProviderSpecific Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51633.5 Incident Management User Descriptions and User Roles for Customers . . . . . . . . . . . . . . . . . . . . . 51633.6 Solution Documentation User Descriptions and User Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51933.7 Work Centers for Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51933.8 Granting Work Center Access to Service Provider Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521

34 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52234.1 HowTo Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

SDN Wiki for Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 How to Create Users and Business Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 How to Administer Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 How to Create a User Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 How to Maintain Authorizations in Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 How to Generate a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 How to Assign Roles to Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 How to Create Scenario Configuration Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533




How to Upgrade Authorizations after Release Upgrade or Support Package Upgrade . . . . . . . . . 536 How to Use an ST01 Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 How to User Transaction SU24 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 How to Translate Your Own Customizing Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

34.2 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Links for Additional Components on Service Marketplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 SAP Notes as Mentioned in the IMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542

34.3 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546 Terminology: System Landscape and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546 Terminology: Solution and Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549

A Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552A.1 The Main SAP Documentation Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

16



1 Security Guide

CautionUsage Rights for SAP Solution Manager Enterprise EditionThe extent of the usage of the software package SAP Solution Manager 7.1 depends upon the type of maintenance contract you have signed. If you have a signed contract for: SAP Enterprise Support Product Support for Large Enterprises SAP Premium Support SAP MaxAttention

you are authorized to use all functions in the software package, without any restrictions.If you have signed exclusively standard support contracts, you are allowed to install this software package, but you are only allowed to use a restricted functionality. You are not allowed to use the following Enterprise Edition functions: Business Process Change Analyzer Quality Gate Management Custom Development Management Cockpit

This Security Guide is updated in the SAP Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager ) with every Support Package.For any issues with security, authorizations, roles, and user management for SAP Solution Manager use SV-SMG-AUT.

IntegrationSecurity topics are relevant for the following phases: Installation and Upgrade Configuration Operation

RecommendationUse this guide during all phases. For a detailed overview of which documentation is relevant for each phase, see guides reference on the Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager 7.1 .

More InformationFor a complete list of the available SAP Security Guides, see the SAP Service Marketplace: service.sap.com/securityguides

Security Guide for SAP Solution Manager 7.1Security Guide



2 Introduction

2.1 Target Group of This GuideThe purpose of SAP Solution Manager is to provide an administration, and implementation environment, to allow for better managing your systems and business processes in a transparent way.The target groups of this guide are readers who are familiar with SAP Solution Manager and configuration procedures in an implementation and/or upgrade project, that is technical consultants, system administrators and/or application consultants. technology consultants: working with technical processes supported by SAP software during implementation,

when deciding which settings to make system administrators: optimizing the SAP Solution Manager system during and after implementation application consultants: mapping a companys actual business processes to the processes and functions

supported by SAP software during implementation, and when deciding which settings to make SAP Security Professionals: securing the system landscape settings

2.2 Getting StartedThis security guide provides you with an overview of the security-relevant information that applies to SAP Solution Manager 7.1 as of SP01 and higher. Since SAP Solution Manager covers several scenarios, this document first provides general security recommendations for SAP Solution Manager in a so called Core Guide followed by specific security guidelines for the individual capabilities.In other words, this guide consists of a main guide, the core guide, containing general information on how to execute on authorizations and roles within SAP Solution Manager, such as authorizations concept and integration as well as user management functions. The Specific Scenario Guides are descriptions of the delivered scenarios in analogy to the work centers and configuration view structure in transaction SOLMAN_SETUP.The SAP Solution Manager IMG comprises several nodes for configuration, see configuration guide for SAP Solution Manager for more information. Scenario configuration is done during Capabilities configuration. This graphic references the IMG as delivered with SAP Solution Manager 7.1 as of SP02. The structure can change when delivered with further SPs, due to changes or additions in capabilities. Therefore, this graphic only represents an example for IMG structure.Authorization assignments or specific user creation for scenarios are described in the according IMG activities, which are referenced as well in the scenario - specific security guides.The initial configuration, or Basic Configuration, references to the automated basic configuration using transaction SOLMAN_SETUP or Solution Manager Configuration work center.

RecommendationWe recommend to always use this security guide in combination with transaction SOLMAN_SETUP and the Implementation Reference Guide (IMG) for configuration.

18


Security Guide for SAP Solution Manager 7.1Introduction

Which topics are covered in the core guideThe following topics are covered in this core security guide: Target Group: Who should use this guide How to use this guide: How should different user groups use this guide effectively? Links to additional components: Where can you find further information for functions, tools, and third party

product which are not covered in this guide? Using Solution Manager as Service Provider: How to use this guide as a Service Provider? Terminology: How are specific terms to be understood in this guide? System Landscape Security Dependencies: Which additional dependencies have to be taken into account? Network and Communication Security: How should your network be built up? User Management Tools: Which tools are used within SAP Solution Manager to create users? Central User Administration: How to set up CUA in Solution Manager? Secure Storage Integration into Single Sign-On Environments Authorization Integration Concept: How is the authorization concept for SAP Solution Manager defined? User Definitions: How do we define users? User Roles: How do we define user roles? Data Storage

What should you know in advanceIf you have little or no knowledge concerning security and authorization concepts, start with reading the general documentation for authorizations at SAP. This topic is not covered in this guide and is regarded as a prerequisite. In addition, before using this guide you should familiarize yourself with the respective Master Guide for SAP Solution Manager, and general user and authorization information for SAP NetWeaver systems: Transaction SPRO SAP Customer Reference Guide SAP NetWeaver Application Server System Administration User and Authorization.

2.3 How to Use this GuideSetting up an authorization concept for your own company for SAP Solution Manager is not simple. It requires approaching the topic from a technical as well as content - oriented perspective.Authorizations are strongly tied to configuration topics for certain scenarios, as well as security relevant technical information. The knowledge for these sectors is seldom found within one department at the customer's side, as technical and application components must be aligned for a successful concept. Especially with SAP Solution Manager this is important, as the product is aimed at the support for the life - cycle of systems (maintained by technical staff), but also the life - cycle of solutions (maintained by application - oriented staff).Therefore, as described in the former section, this guide is directed to differing groups with different focus on SAP Solution Manager. These groups can be organizationally divided.This guide addresses the resulting differing ways of approaching authorizations and their maintenance from a content oriented view (for instance application consultant), and a technically oriented view (for instance system administrator).




RecommendationTo set up a stable authorization concept, both views are to be considered, and involved.

The following sections give you a short guidance to how to use this guide, depending on your main tasks when setting up an authorization concept or authorization roles for SAP Solution Manager.

How to use the guide from a technically - oriented perspectiveWhat do we mean by technical perspective? The technical perspective means, that you should know how to apply an authorization concept in an SAP system effectively. You know how to handle transactions PFCG, SU01, and roles and profile generation. This implies that you are familiar with the SAP role concept and its specifics, such as for instance profiles SAP_ALL and SAP_NEW.It also includes a basic technical background knowledge of the SAP Solution Manager system and its landscape structure, such as Business Warehouse (BW) integration or the handling of the System Landscape Directory (SLD) specifics. The maintenance of roles and authorizations depends on this knowledge.In addition, you should have a basic idea about the basic configuration of the SAP Solution Manager system, and its managed systems.From a Technical Perspective (Recommendation)Table 2Step Section Remark

1 Core Guide This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.

2 Setup Landscape Guide If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager

3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. For each scenario, or function a so called ALL or ADMIN (administration) role is delivered. This role contains full authorization for a specific scenario. In addition, SAP delivers a so called DISP (display) role, which contains only display authorizations for the respective scenario. If your company's business processes are different to the recommended SAP process, these roles need to be adapted. Your application consultant should define the applicable roles to be used. If the definition differs, according authorization objects must be maintained.

4 Glossary in this guide, Transaction SUIM in the system, WIKI for Authorizations

If you need to maintain authorization objects, you may check the mentioned information sources on individual authorization objects, and how they relate to functions.The glossary gives you an overview of all roles mentioned in this guide with the main authorization objects included in these roles.In transaction SUIM, you can search for individual authorization objects and read their documentation.The new WIKI page for authorizations in SAP Solution Manager covers many of the relevant authorization objects for Solution Manager with according use cases, such as how should the authorization object be maintained to restrict

20



Step Section Remarkcertain functions. The use cases are more or less taken from customer situations.

5 HowTo section This section covers how-to guides for technical as well as content - oriented tasks.

How to use the guide from a content - oriented perspectiveWhat do we mean by content - oriented perspective? The SAP Solution Manager is an SAP product that supports your business. Roles and authorization objects are delivered to allow your end - users to work within the limits of their tasks. In other words, they should only be allowed to execute and see what they need in their daily work. These tasks depend on your specific business processes. As a logical consequence, the authorizations and roles assigned to your users depend heavily on the business processes you deploy, and are depending on the configuration of your system accordingly. The concept of your configuration needs to be considered for the concept of your authorizations. Although we deliver template roles for your use, they can hardly ever be applied without modification to your business. Therefore, before tailoring authorizations or using SAP template roles, you need to consider your business processes, the content of your business.From a Content - Oriented Perspective (Recommendation)Table 3Step Section Remark

1 Core Guide This guide includes all relevant information to know about the SAP Solution Manager authorization concept, overall topics such as clients to be used, setup information, and so on.

2 Setup Landscape Guide If the system is initially installed or upgraded, most users and authorizations need to be adapted. This guide contains all information on basic system landscape setup, users, and authorizations needed to run SAP Solution Manager. It gives you an overview on which scenarios should be running out-of-the-box after the setup is done.

3 Scenario-specific Guides Each scenario-specific guide contains roles for users, which can be assigned to users. These roles are recommendations of SAP. If the definition differs, according authorization objects must be maintained. You need to discuss which authorizations must be maintained in these cases with the person responsible for the technical implementation of the authorization concept.All roles are delivered according to a specific user definition. This user definition gives you an overview of which tasks the user is authorized if the SAP delivered template roles are used.

4 HowTo section This section covers how-to guides for technical as well content - oriented tasks.

How to use this guide when upgrading from Release 7.0 to 7.11. Read the SAP Solution Manager Upgrade Guide first, for information see section Additional Links.2. Check out the Document History for the specific scenarios you are using.3. Check for updates in transaction SOLMAN_SETUP.4. Activate the Release Note info button in the IMG to display all information icons for new release features for the

configuration of the specific scenarios.




5. If required, read additional guides for additional functions and tools.

NoteIf you are already acquainted with the authorization concept in SAP Solution Manager, we strongly recommend to read the Document History for changes in roles and authorization objects, and in addition the Operations Guide for SAP Solution Manager on the Service Marketplace at: service.sap.com/instguides SAP Components SAP Solution Manager. .

2.4 Links for Additional Components on the Service Marketplace

Your Solution Manager system is the platform for administrative tasks in implementing, operating and upgrading systems in your system landscape. It relies heavily on mandatory and optional components implemented in addition to SAP Solution Manager. This guide cannot describe all relevant details for integrated components, like third party product or other SAP components. We refer therefore to the applicable guides, Service Marketplace links, or IMG - activities as relevant information sources.The following table gives you an overview of these additional components, where to find more details, and what they are used for in connection with SAP Solution Manager.

RecommendationTo ensure a smooth integration of these components, familiarize yourself with their installation, configuration, and operation if needed.

Additional Information on SAP Solution ManagerTable 4Component Where in the Service Marketplace? And Additional Sources

Master Guide for SAP Solution Manager

service.sap.com/instguides SAP Components SAP Solution Manager 7.1

Upgrade Guide for SAP Solution Manager


Operations Guide for SAP Solution Manager


Installation Guide for SAP Solution Manager


Implementation Reference Guide for SAP Solution Manager

no link, see transactions SOLMAN_SETUP and SPRO in the SAP Solution Manager system

Solution Manager Diagnostics service.sap.com/diagnostics

IMG projects and project IMGs

How to Create Customizing Projects and Project IMGs on the Service Marketplace: service.sap.com/solutionmanager Media Library Technical Papers.

22



Additional Information on InfrastructureTable 5Component Where in the Service Marketplace?

Guide Landscape Management Database

service.sap.com/instguides SAP Components SAP Solution Manager Release 7.1Additional Guides

System Landscape Directory (SLD)

service.sap.com/sldor sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management Application Management System Landscape Directory

NoteTransaction SOLMAN_SETUP in the SAP Solution Manager system

Software Life-Cycle Manager (SLM)

service.sap.com/slm and help.sap.com/nw70 Functional View Solution Life Cycle Management Software Life Cycle Management

NoteInformation and Configuration Prerequisites Change Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)

Adobe Document Services (ADS)

service.sap.com/adobe

NoteInformation and Configuration Prerequisites ADS setup (technical name: SOLMAN_ADS_INFO)

One Transport Order service.sap.com/solutionmanager Media Library Technical Papers

TREX help.sap.com/nw2004s

NoteInformation and Configuration Prerequisites TREX (technical name: SOLMAN_TREX_INFO)

Master Data Management (MDM) MDM Administration Cockpit

service.sap.com/mdm and service.sap.com/installmdm

SAP NetWeaver Administrator

service.sap.com/nwa

Adaptive Controlling (ACC) for general information sdn.sap.com/irj/sdn/adaptive for application help, such as starting and stopping an application service:

help.sap.com for installation information service.sap.com/instguides

Application help for security topics connected to ICF services

help.sap.com/nw07




Component Where in the Service Marketplace?

System security for SAP NetWeaver ABAP and Java (Help setting up system security for ABAP and Java)

service.sap.com/security Media Library Literature

Current list of ports used by SAP

service.sap.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications or wiki.scn.sap.com/wiki/display/TCPIP/Home+of+TCP-IP+Ports .

Diagnostics service.sap.com diagnostics .

Authorization object S_RFCACL

help.sap.com/nw70

Auditing and Logging help.sap.com Search Documentation , search for Auditing and Logging.

Web Dispatcher See according Help documentatio

2 security guides p 12

Documents

sap ag

ttadapted roles sap

alladapted role sap

lmdb dashboard sap

lmdbnew single roles

sap affiliate company

sap tao administrators

infrastructure roles