
Contract Accounts Receivable and Payable (FI-CA) Security Guide

Release 6.00

Contract Accounts Receivable and Payable (FI-CA) Security Guide October 2005

Contract Accounts Receivable and Payable (FI-CA) Security Guide 6.00 2

Copyright © Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

Icon meanings: Caution, Example, Note, Recommendation, Syntax.

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

• Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

• Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

• EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

• Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

• Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

• <Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

• EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.


Contract Accounts Receivable and Payable (FI-CA) Security Guide (page 5)
  Introduction (page 5)
  Before You Start (page 6)
  Technical System Landscape (page 7)
  User Management and Authentication (page 7)
    User Management (page 8)
    Synchronization of User Data (page 10)
    Integration with Single Sign-On Environments (page 11)
  Authorizations (page 11)
  Network and Communication Security (page 13)
    Communication Channel Security (page 13)
    Network Security (page 15)
    Communication Destinations (page 15)
  Data Storage Security (page 15)
  More Security Information (page 16)
  Trace and Log Files (page 16)


Contract Accounts Receivable and Payable (FI-CA) Security Guide

This guide covers the information that you require to operate Contract Accounts Receivable and Payable (FI-CA) securely.

Introduction

This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.

Target Group

• Technology consultants

• System administrators

The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements also apply to Contract Accounts Receivable and Payable (FI-CA). This document is intended to help you make Contract Accounts Receivable and Payable (FI-CA) more secure.

About this Document

The security guides give you an overview of the information for secure operation of Contract Accounts Receivable and Payable (FI-CA). This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.

As Contract Accounts Receivable and Payable (FI-CA) is based on and uses SAP NetWeaver technology, it is essential you consult the SAP NetWeaver security guide: see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → SAP NetWeaver → Security → SAP NetWeaver Security Guide.

To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.

Overview of the Main Sections

The security guide comprises the following main sections:

• Before You Start [page 6]: This section contains information about why security is necessary, how to use this document, and references to other security guides that are a basis for this security guide.


• Technical System Landscape [page 7]: This section is an overview of the technical components and communication paths used by Contract Accounts Receivable and Payable (FI-CA).

• User Management and Authentication [page 7]: This section provides an overview of the following user management and authentication aspects:

○ Recommended tools for user management

○ User types required for Contract Accounts Receivable and Payable (FI-CA)

○ Standard users delivered with Contract Accounts Receivable and Payable (FI-CA)

○ Overview of the user synchronization strategy, if several components or products are integrated

○ Overview of integration options in single sign-on environments

• Authorizations [page 11]: This section provides an overview of the authorization concept that applies for Contract Accounts Receivable and Payable (FI-CA).

• Network and Communication Security [page 13]: This section provides an overview of the communication paths used by Contract Accounts Receivable and Payable (FI-CA) and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.

• Data Storage Security [page 15]: This section provides an overview of all critical data used by Contract Accounts Receivable and Payable (FI-CA) and the security mechanisms to be used.

• Trace and Log Files [page 16]: This section provides an overview of the trace and log files that contain information relevant for security and that enable you to reproduce the activities in the case of security violations, for example.

Before You Start

Contract Accounts Receivable and Payable (FI-CA) is based on the technology of SAP NetWeaver. Therefore, the security guide for SAP NetWeaver also applies to Contract Accounts Receivable and Payable (FI-CA).

For a complete list of the SAP security guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes

SAP Note 138498 contains information on single sign-on solutions.

SAP Note 853497 contains information about saving temporary files when using Adobe® Acrobat® Reader in SAP applications.

For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.


Additional Information

For more information about specific topics, see the following sources on SAP Service Marketplace and SAP Help Portal:

• Security: service.sap.com/security

• Security guides (security guide for SAP NetWeaver, ERP Central Component): service.sap.com/securityguide

• SAP NetWeaver documentation: help.sap.com → Documentation → SAP NetWeaver

• SAP NetWeaver installation guide: service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver

• Related SAP notes: service.sap.com/notes

• Platforms permitted: service.sap.com/platforms

• Network security: service.sap.com/network

• SAP Solution Manager: service.sap.com/solutionmanager

Technical System Landscape

For more information about the technical system landscape, see the sources listed below.

More Information About the Technical System Landscape

• Technical description of Contract Accounts Receivable and Payable (FI-CA) and the underlying technological components, such as SAP NetWeaver: Master guide, service.sap.com/instguides

• Technical configuration, high availability: Technical infrastructure guide, service.sap.com/ti

• Security: service.sap.com/security

User Management and Authentication

Contract Accounts Receivable and Payable (FI-CA) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication as described in the security guide for SAP NetWeaver Application Server for ABAP also apply for Contract Accounts Receivable and Payable (FI-CA).


In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to Contract Accounts Receivable and Payable (FI-CA) in the following sections:

• User Management [page 8]: This section details the user management tools, the required user types, and the standard users supplied by SAP.

• Synchronization of User Data [page 10]: Contract Accounts Receivable and Payable (FI-CA) can use user data together with other components. This topic describes how the user data is synchronized with these other sources.

• Integration in Single Sign-On Environments [page 11]: This section describes how Contract Accounts Receivable and Payable (FI-CA) supports single sign-on mechanisms.

User Management

Contract Accounts Receivable and Payable (FI-CA) user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms affect Contract Accounts Receivable and Payable (FI-CA), see the sections below. In addition, we provide a list of the standard users required for operating Contract Accounts Receivable and Payable (FI-CA).

User Management Tools

The following are the user management tools in Contract Accounts Receivable and Payable (FI-CA).

• User maintenance for ABAP-based systems (transaction SU01): For more information about the authorization objects provided by Contract Accounts Receivable and Payable (FI-CA), see the section Authorizations in this document.

• Role maintenance with the profile generator for ABAP-based systems (transaction PFCG): For more information about the roles provided by Contract Accounts Receivable and Payable (FI-CA), see the section Authorizations in this document.

• Central User Administration (CUA): Used to maintain multiple ABAP-based systems.

• User Management Engine (UME): Administration console for maintenance of users, roles, and authorizations in Java-based systems and Enterprise Portal. The UME also provides persistence options, such as ABAP Engine.

For more information on the tools provided by SAP for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication.


User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

User types required for Contract Accounts Receivable and Payable (FI-CA) are, for example:

• Individual users:

○ Dialog users: Dialog users are used for SAP GUI for Windows.

○ Internet users for Web applications: The same policies apply as for dialog users, but these users are used for Internet connections.

• Technical users:

○ Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).

○ Communication users are used for dialog-free communication between systems.

○ Background users can be used for processing in the background.

For additional information on user types, see User Types in the SAP NetWeaver security guide.

Standard Users

The table below shows the standard users that are necessary for operating Contract Accounts Receivable and Payable (FI-CA). Each entry gives the system, user ID, type, password, and description.

• System: SAP NetWeaver Application Server; User ID: <sapsid>adm; Type: SAP system administrator; Password: Mandatory; Description: SAP NetWeaver installation guide

• System: SAP NetWeaver Application Server; User ID: SAPService<sapsid>; Type: SAP system service administrator; Password: Mandatory; Description: SAP NetWeaver installation guide

• System: SAP NetWeaver Application Server; User ID: SAP standard ABAP users (SAP*, DDIC, EARLYWATCH, SAPCPIC); Type: See SAP NetWeaver security guide; Password: See SAP NetWeaver security guide; Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users. This user is used in applications that use Web Dynpro under ABAP.

• System: SAP NetWeaver Application Server; User ID: SAP standard SAP NetWeaver Application Server Java user; Type: SAP NetWeaver Application Server Java user; Password: See SAP NetWeaver security guide; Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users. This user is used in applications that use Web Dynpro under Java.

• System: SAP ECC; User ID: SAP users; Type: Dialog users; Password: Mandatory; Description: The number of users depends on the area of operation and the business data to be processed.

For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release xx/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.

For information on user types, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management and see the section headed User Types.

The users specified are delivered with Contract Accounts Receivable and Payable (FI-CA).

Synchronization of User Data

By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since Contract Accounts Receivable and Payable (FI-CA) is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see the SAP NetWeaver security guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.

You can use user data distributed across systems by replicating the data in a central directory, for example.

Integration with Single Sign-On Environments

Contract Accounts Receivable and Payable (FI-CA) supports the single sign-on mechanisms (SSO mechanisms) provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server also apply to Contract Accounts Receivable and Payable (FI-CA).

The supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver Application Server Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On → Secure Network Communications (SNC).

SAP Logon Tickets

Contract Accounts Receivable and Payable (FI-CA) supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP NetWeaver Application Server security guide.

Client Certificates

As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP NetWeaver Application Server security guide.

Authorizations

Contract Accounts Receivable and Payable (FI-CA) uses the authorization concept provided by SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations as described in the security guide for SAP NetWeaver Application Server for ABAP also apply for Contract Accounts Receivable and Payable (FI-CA). You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG); in SAP NetWeaver Application Server for Java, use the user management console of the User Management Engine (UME). You can define user-specific menus using roles.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.

Contract Accounts Receivable and Payable (FI-CA) provides generic roles for all industry solutions that use FI-CA. To determine the roles:

1. In the SAP menu, choose Tools → Administration → User Maintenance → Role Management → Roles.

2. On the initial screen of the transaction, enter SAP_IF_CA* in the Role field, and choose the input help.

Contract Accounts Receivable and Payable (FI-CA) delivers only single roles. As FI-CA is a component of different industry solutions, each solution delivers industry-specific roles with the functions from Contract Accounts Receivable and Payable (FI-CA). Therefore, see the security guides for the industry solution(s) that you use.

Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements.

You can easily recognize the authorization objects currently used in Contract Accounts Receivable and Payable (FI-CA) from their technical name:

1. Choose Object Navigator in the SAP menu under Tools → ABAP Workbench → Overview → Application Hierarchy, and then the button Process Object in the application toolbar.

2. On the following selection screen, enter F_KK* and choose the input help.

In addition, authorization object S_CFC_AUTH exists for the area Clarification Processing, and for Correspondence, authorization object P_CORR.

For more information about the authorization concept at SAP, see:

• SAP Service Marketplace at service.sap.com/securityguide in SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → SAP Authorization Concept

• SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance

Authorizations for Customizing Settings

You can use Customizing roles to control access to the configuration of Contract Accounts Receivable and Payable (FI-CA) in the SAP Customizing Implementation Guide (IMG). For information on creating roles, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator or Organization without the Profile Generator.


Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for Contract Accounts Receivable and Payable (FI-CA) is based on the topology used by SAP NetWeaver. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to Contract Accounts Receivable and Payable (FI-CA). Details that specifically apply to Contract Accounts Receivable and Payable (FI-CA) are described in the following sections:

• Communication Channel Security [page 13]: This section contains a description of the communication paths and protocols that are used by Contract Accounts Receivable and Payable (FI-CA).

• Network Security [page 15]: This section contains information about the network topology recommended for Contract Accounts Receivable and Payable (FI-CA). It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating Contract Accounts Receivable and Payable (FI-CA).

• Communication Destinations [page 15]: This section describes the data needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver security guide:

• Network and Communication Security

• Security Aspects for Connectivity and Interoperability

Communication Channel Security

Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.

The table below shows the communication paths used by Contract Accounts Receivable and Payable (FI-CA), the protocol used for the connection, and the type of data transferred.

Communication Paths

• Communication path: Application server to application server; Protocol used: RFC, HTTP(S); Type of data transferred: Integration data; Data requiring special protection: Business data

• Communication path: Application server to third-party application; Protocol used: HTTP(S); Type of data transferred: Application data; Data requiring special protection: Passwords, business data, for example


DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the SAP NetWeaver security guide: SAP Service Marketplace at service.sap.com/securityguide in the section Transport Layer Security.
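Whether DIAG/RFC traffic actually runs under SNC and whether the ICM serves HTTPS rather than plain HTTP is decided by instance profile parameters. The following Python script is an added illustration and not SAP code: it parses a constructed instance profile and reports where the SNC and SSL expectations above are not met. The parameter names it inspects (snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/data_protection/min, icm/server_port_<n>) are standard SAP NetWeaver AS ABAP profile parameters and are not listed in this guide; both sample profiles are constructed for the example.

```python
"""Check an AS ABAP instance profile for the transport-layer settings this
guide calls for: SNC for DIAG/RFC, SSL (HTTPS) for HTTP.

Added example, not SAP code. Parameter names are standard AS ABAP profile
parameters; the two profiles below are constructed sample input.
"""
import re

# Constructed sample: weak settings (SNC off, ICM serves plain HTTP only).
WEAK_PROFILE = """\
SAPSYSTEMNAME = FCA
INSTANCE_NAME = D00
# SNC switched off: DIAG and RFC traffic travels unprotected
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed sample: hardened settings (SNC on, no insecure fallback, HTTPS).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = FCA
INSTANCE_NAME = D00
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3
icm/server_port_0 = PROT=HTTPS,PORT=8443
"""


def parse_profile(text):
    """Parse 'name = value' lines into a dict.  Blank lines and '#' comments
    are skipped; a later assignment overrides an earlier one, as in a real
    profile where the last occurrence of a parameter applies."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def icm_ports(params):
    """Return (protocol, port) pairs from every icm/server_port_<n> entry."""
    ports = []
    for name, value in params.items():
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        fields = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        ports.append((fields.get("PROT", "").upper(), fields.get("PORT", "")))
    return ports


def check_transport_security(text):
    """Return a sorted list of findings; an empty list means the profile meets
    the SNC/SSL expectations encoded here."""
    p = parse_profile(text)
    findings = []
    if p.get("snc/enable", "0") != "1":
        findings.append("snc/enable is not 1: DIAG and RFC are not protected by SNC")
    else:
        # With SNC on, logons that bypass SNC must also be closed off, and the
        # minimum protection level should be 3 (privacy, i.e. encryption).
        if p.get("snc/accept_insecure_gui", "0") != "0":
            findings.append("snc/accept_insecure_gui allows SAP GUI logons without SNC")
        if p.get("snc/accept_insecure_rfc", "0") != "0":
            findings.append("snc/accept_insecure_rfc allows RFC logons without SNC")
        if p.get("snc/data_protection/min", "1") != "3":
            findings.append("snc/data_protection/min is below 3: traffic may be signed but not encrypted")
    ports = icm_ports(p)
    for prot, port in ports:
        if prot == "HTTP":
            findings.append(f"ICM port {port} serves plain HTTP")
    if not any(prot == "HTTPS" for prot, _ in ports):
        findings.append("no HTTPS port configured in ICM")
    return sorted(findings)


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_transport_security(profile) or ["OK"])
```

Run against a copy of a real instance profile, the script gives a quick first pass before the settings are confirmed in the system itself; it deliberately treats an absent snc/enable as "off", since that is the effective default.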

In some application scenarios of Contract Accounts Receivable and Payable (FI-CA), several systems can communicate with one another. This applies to integration with the following components:

• SAP Dispute Management: Communication is with a CRM system or a system where SAP Financial Supply Chain Management runs, by means of RFC. SAP recommends that you use named users, that is, Contract Accounts Receivable and Payable (FI-CA) and CRM use the same user names.

• Customer Interaction Center (CIC): The communication is by means of RFC with a CRM system. SAP recommends that you use named users, that is, Contract Accounts Receivable and Payable (FI-CA) and CRM use the same user names.

• SAP Credit Management: The communication is with the system where SAP Financial Supply Chain Management runs, by means of XI interfaces. In the configuration, set up one technical user where XI runs and one technical user where Contract Accounts Receivable and Payable (FI-CA) runs. XI uses each user respectively for communication.

• External billing systems: If invoices are created by external systems, you can transfer the required data (such as payments and open items to be listed on the invoice) to this system using the outbound interfaces of Contract Accounts Receivable and Payable (FI-CA). The data is transferred by means of the XI interface. To post the invoice documents in Contract Accounts Receivable and Payable (FI-CA), the external billing system uses the XI interface. On the Contract Accounts Receivable and Payable (FI-CA) side, accounting documents are not created directly; initially, only IDocs are created. Therefore, the XI user used here needs the authorization to create IDocs, but not the authorization for posting in Contract Accounts Receivable and Payable (FI-CA). The IDocs are retrieved and the relevant documents created and posted by a mass activity of Contract Accounts Receivable and Payable (FI-CA) that a different user starts separately.

• External tax calculation systems: Taxes (such as sales taxes and purchase taxes) can be calculated by external tax calculation systems. The queries to this system take place by means of RFC. The external systems can also create the tax returns. Here the calls for storing the data to be reported also take place by means of RFC.

For information on security aspects if you integrate SAP Contract Accounts Receivable and Payable (FI-CA) with SAP Business Information Warehouse and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:

• SAP Supply Chain Management Authorizations → Communication Channel Security → Communication Destinations

• SAP Business Information Warehouse Security Guides → Communication Security → Communication Destinations


Network Security

Since Contract Accounts Receivable and Payable (FI-CA) is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Network and Communication Security:

• Network Services This section contains information about the services and ports that SAP NetWeaver uses.

• Using Firewall Systems for Access Control This section contains information about firewall settings.

• Using Multiple Network Zones Here you can get information about which parts of your application should be set up in which network segments.

If you provide services on the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. Bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.

Communication Destinations

The XI user used when querying SAP Credit Management in Contract Accounts Receivable and Payable (FI-CA) needs the authorizations required to read documents. The relevant authorization objects are F_KKKO_BUK (Authorization per Company Code), F_KKKO_GSB (Authorization per Business Area), and F_KKKO_BEG (Authorization per Authorization Group from Contract Account Master Records). In each case the authorization with activity 03 (Display) is to be granted.

Using users and authorizations irresponsibly poses security risks. You should therefore follow the security rules below when communicating between ERP systems:

• Employ the user types system and communication.

• Grant a user only the minimum authorizations.

• Choose a secure password and do not divulge it to anyone else.

• Only store user-specific logon data for users of type system and communication.

• Wherever possible, use trusted system functions instead of user-specific logon data.

Data Storage Security

Contract Accounts Receivable and Payable (FI-CA) processes the payment transactions with your business partners. Bank data and credit card data are stored for this purpose. This information can be stored in the following objects (technical table names in parentheses):

• Business partner master record (BUT0CC, CCARD)

• Payments in the payment lot or credit card lot (DFKKZP)

• Document supplement for documents posted as a result of a credit card payment (DFKKOPC, DFKKOPKC)

• Payment data for payment run (DPAYH)


• Payment data for a self-service payment (Electronic Bill Presentment and Payment) (EBPPPC)

The data is not stored in encrypted form. You have to restrict the display of the relevant objects by assigning authorizations and, at the same time, ensure that the authorization protection cannot be circumvented by database programs or customer-specific ABAP evaluations.
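As an added example (not part of the SAP guide), the report below shows how a customer-specific ABAP evaluation avoids bypassing the protection described here: before it shows a line, it checks the three authorization objects named under Communication Destinations, each with activity 03 (Display). The field names BUKRS, GSBER, BEGRU and ACTVT, the item structure and the sample data are assumptions; verify the fields of the objects in transaction SU21.

```abap
*& Added example, not from the SAP guide. A custom evaluation over FI-CA
*& data must enforce F_KKKO_BUK, F_KKKO_GSB and F_KKKO_BEG (activity 03)
*& itself; field names below are assumed, check them in SU21.
REPORT zfica_guarded_display.

TYPES: BEGIN OF ty_item,
         bukrs TYPE c LENGTH 4,            " company code
         gsber TYPE c LENGTH 4,            " business area
         begru TYPE c LENGTH 4,            " authorization group (contract account)
         betrw TYPE p LENGTH 8 DECIMALS 2, " amount
       END OF ty_item.

DATA: ls_item  TYPE ty_item,
      lt_items TYPE STANDARD TABLE OF ty_item.

CLASS lcl_auth DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only if display is allowed for all three objects.
    CLASS-METHODS may_display
      IMPORTING is_item      TYPE ty_item
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_auth IMPLEMENTATION.
  METHOD may_display.
    rv_ok = abap_false.
    AUTHORITY-CHECK OBJECT 'F_KKKO_BUK' ID 'BUKRS' FIELD is_item-bukrs ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0. RETURN. ENDIF.
    AUTHORITY-CHECK OBJECT 'F_KKKO_GSB' ID 'GSBER' FIELD is_item-gsber ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0. RETURN. ENDIF.
    AUTHORITY-CHECK OBJECT 'F_KKKO_BEG' ID 'BEGRU' FIELD is_item-begru ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0. RETURN. ENDIF.
    rv_ok = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample rows standing in for a SELECT on the FI-CA tables.
  ls_item-bukrs = '1000'. ls_item-gsber = '0001'. ls_item-begru = 'FICA'. ls_item-betrw = '120.50'.
  APPEND ls_item TO lt_items.
  ls_item-bukrs = '2000'. ls_item-gsber = '0002'. ls_item-begru = 'RSTR'. ls_item-betrw = '980.00'.
  APPEND ls_item TO lt_items.

  LOOP AT lt_items INTO ls_item.
    IF lcl_auth=>may_display( ls_item ) = abap_true.
      WRITE: / ls_item-bukrs, ls_item-gsber, ls_item-betrw.
    ELSE.
      " The line is withheld; the check, not the SELECT, protects the data.
      WRITE: / ls_item-bukrs, 'no display authorization'.
    ENDIF.
  ENDLOOP.
```

The same pattern applies to any custom read of the tables listed above: the SELECT alone grants no protection, only the AUTHORITY-CHECK before output does.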

For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.

More Security Information

In Contract Accounts Receivable and Payable (FI-CA) some objects and special activities are protected by special authorizations. The associated authorization object is F_KK_SOND. See table TFKAUTH (use transaction SM30 to display) for information on all activities that you can protect with this authorization object.

Trace and Log Files

The trace and log files of Contract Accounts Receivable and Payable (FI-CA) use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver security guide at service.sap.com/securityguide.