SAP ERP Central Component Security Guide Release 6.0

Upload: lethien

Post on 16-Mar-2018


Page 1: SAP ERP Central Component Security Guide · PDF fileSAP ERP Central Component Security Guide January 2006 SAP ERP Central Component Security Guide 3 Icons in Body Text Icon Meaning

SAP ERP Central Component Security Guide

Release 6.0


SAP ERP Central Component Security Guide January 2006

SAP ERP Central Component Security Guide 2

Copyright © Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. 
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Icons in Body Text

The icons themselves are graphics in the original PDF and are not reproduced here; the body text uses them with the following meanings:

Icon: Meaning

Caution icon: Caution

Example icon: Example

Note icon: Note

Recommendation icon: Recommendation

Syntax icon: Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.

Typographic Conventions

Type Style: Description

Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also used for cross-references to other documentation.

Example text: Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.


SAP ERP Central Component Security Guide ........................................................................ 10

Introduction .......................................................................................................................... 10

Before You Start .................................................................................................................. 11

Technical System Landscape.............................................................................................. 12

User Management and Authentication ................................................................................ 13

User Management............................................................................................................ 13

User Data Synchronization............................................................................................... 15

Integration with Single Sign-On Environments................................................................. 16

Authorizations ...................................................................................................................... 16

Network and Communication Security................................................................................. 17

Communication Channel Security .................................................................................... 18

Network Security .............................................................................................................. 19

Communication Destinations............................................................................................ 19

Data Storage Security.......................................................................................................... 19

Security for Other Applications ............................................................................................ 20

Trace and Log Files ............................................................................................................. 20

Cross-Application Components ........................................................................................... 21

Cross-Application Time Sheet (CA-TS) ........................................................................... 21

Authorizations ............................................................................................................... 21

Communication Destinations........................................................................................ 22

Self-Services .................................................................................................................... 23

Before You Start ........................................................................................................... 23

User Management ........................................................................................................ 24

Authorizations ............................................................................................................... 25

Editing Roles and Authorizations for Web Dynpro Services..................................... 27

Authorizations for Controlling Services (MSS, BUA) ................................................ 28

Authorizations for BW iViews (MSS)......................................................................... 28

Communication Destinations........................................................................................ 29

Accounting ........................................................................................................................... 30

Financial Accounting ........................................................................................................ 30

Authorizations in Financial Accounting......................................................................... 31

General Ledger Accounting (FI-GL) ............................................................................. 33

Consolidation ............................................................................................................ 34

Accounts Payable Accounting (FI-AP) ......................................................................... 35

Accounts Receivable Accounting (FI-AR) .................................................................... 36

Bank Accounting (FI-BL)............................................................................................... 37

Asset Accounting (FI-AA) ............................................................................................. 38

Travel Management (FI-TV) ......................................................................................... 39

Authorizations in the Special Purpose Ledger (FI-SL) ................................................. 40


Treasury........................................................................................................................ 41

Authorizations ........................................................................................................... 42

Accounting Engine ........................................................................................................... 44

Introduction ................................................................................................................... 44

Before You Start ........................................................................................................... 45

Technical System Landscape....................................................................................... 46

User Administration and Authentication ....................................................................... 47

User Management..................................................................................................... 47

Integration into Single Sign-On Environments.......................................................... 47

Authorizations ............................................................................................................... 48

Network and Communication Security ......................................................................... 48

Communication Channel Security............................................................................. 49

Communication Destinations .................................................................................... 49

Data Storage Security................................................................................................... 49

Financial Supply Chain Management .............................................................................. 50

Management of Internal Controls: Security Guide ........................................................... 50

Technical System Landscape....................................................................................... 51

User Management and Authorizations ......................................................................... 51

User Management..................................................................................................... 52

Roles and Authorizations Concept............................................................................ 53

Standard Roles and Authorization Objects ........................................................... 54

Editing MIC-Specific Roles.................................................................................... 55

Tasks: Central Structure Setup.......................................................................... 57

Tasks: Structure Setup Specific to Organizational Units ................................... 59

Tasks: Control Assessments and Tests ............................................................ 65

Tasks: Management Control Assessment and Test.......................................... 67

Tasks: Reporting and Sign-Off .......................................................................... 70

Assigning Roles to Persons .................................................................................. 71

Integration with Single Sign-On Environments ......................................................... 72

Communication Channel Security ................................................................................ 73

Data Storage Security................................................................................................... 73

Master Data Framework................................................................................................... 74

Introduction ................................................................................................................... 74

Before You Start ........................................................................................................... 75

Technical System Landscape....................................................................................... 76

User Administration and Authentication ....................................................................... 77

User Management..................................................................................................... 77

Integration into Single Sign-On Environments.......................................................... 77

Authorizations ............................................................................................................... 78

Network and Communication Security ......................................................................... 78


Communication Channel Security............................................................................. 79

Controlling ........................................................................................................................ 79

Authorizations in Controlling......................................................................................... 81

Authorizations in Profit Center Accounting ................................................................... 85

Network and Communication Security ......................................................................... 86

Communication Destinations .................................................................................... 86

SAP Banking .................................................................................................................... 87

SAP Financial Customer Information Management (FS-BP) ....................................... 87

Authorizations ........................................................................................................... 87

Network and Communication Security...................................................................... 88

Communication Destinations................................................................................. 88

Data Storage Security ............................................................................................... 88

Bank Customer Accounts (BCA) .................................................................................. 89

Authorizations ........................................................................................................... 89

Network and Communication Security...................................................................... 89

Data Storage Security ............................................................................................... 90

Important SAP Notes ................................................................................................ 90

Loans Management (FS-CML) ..................................................................................... 91

Authorizations ........................................................................................................... 91

Network and Communication Security...................................................................... 93

Data Storage Security ............................................................................................... 93

Collateral Management (CM)........................................................................................ 94

Authorizations ........................................................................................................... 94

Network Communication and Security...................................................................... 95

Strategic Enterprise Management (SEM) for Banks .................................................... 97

Authorizations ........................................................................................................... 97

Network and Communication Security...................................................................... 98

Communication Destinations................................................................................. 98

Data Storage Security ............................................................................................... 99

Reserve for Bad Debt (FS-RBD) ................................................................................ 100

Authorizations ......................................................................................................... 100

Network and Communication Security.................................................................... 105

Communication Destinations............................................................................... 105

Trace and Log Files ................................................................................................ 106

Incentive and Commission Management (ICM) ............................................................. 106

Statutory Reporting for Insurance (FS-SR) .................................................................... 107

Authorizations ............................................................................................................. 107

Data Storage Security................................................................................................. 107

Real Estate Management............................................................................................... 108

Public Sector Management ............................................................................................ 109


Authorizations ............................................................................................................. 109

Network and Communication Security ....................................................................... 112

Data Storage Security................................................................................................. 112

More Security Information........................................................................................... 112

Logistics ............................................................................................................................. 114

Materials Management (MM) ......................................................................................... 114

Purchasing and Service Industries (MM-PUR, MM SRV) .......................................... 114

Authorizations ......................................................................................................... 114

Network and Communication Security.................................................................... 116

Data Storage Security ............................................................................................. 118

Inventory Management (MM-IM): Authorizations ....................................................... 119

Logistics Invoice Verification (MM-IV): Authorizations ............................................... 120

Product Lifecycle Management (PLM) ........................................................................... 121

Authorizations ............................................................................................................. 121

Communication Destinations...................................................................................... 131

Important SAP Notes .................................................................................................. 131

Manufacturing................................................................................................................. 133

Authorizations ............................................................................................................. 133

Communication Destinations...................................................................................... 137

Logistics Execution (LE)................................................................................................. 138

Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)..................................................................................................................... 138

Authorizations ......................................................................................................... 138

Network and Communication Security.................................................................... 141

Warehouse Management System (LE-WMS) ............................................................ 142

Authorizations ......................................................................................................... 142

Network and Communication Security.................................................................... 143

Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services.............................................. 144

Authorizations ......................................................................................................... 144

Network and Communication Security.................................................................... 145

Retail .............................................................................................................................. 146

Network and Communication Security ....................................................................... 146

Authorizations ............................................................................................................. 148

Global Trade................................................................................................................... 150

Network and Communication Security ....................................................................... 150

Sales and Distribution (SD) ............................................................................................ 152

Human Capital Management ............................................................................................. 154

Personnel Management (PA) ......................................................................................... 154

Before You Start ......................................................................................................... 154


User Management ...................................................................................................... 155

Authorizations ............................................................................................................. 157

Communication Channel Security .............................................................................. 160

Communication Destinations...................................................................................... 160

Data Storage Security................................................................................................. 162

Security for Additional Applications ............................................................................ 164

Other Security-Relevant Information .......................................................................... 164

Personnel Time Management (PT) ................................................................................ 165

User Management ...................................................................................................... 165

Authorizations ............................................................................................................. 166

Communication Destinations...................................................................................... 167

Payroll (PY) .................................................................................................................... 168

Before You Start ......................................................................................................... 168

User Management ...................................................................................................... 168

Authorizations ............................................................................................................. 169

Communication Channel Security .............................................................................. 171

Communication Destinations...................................................................................... 171

Data Storage Security................................................................................................. 171

Security for Additional Applications ............................................................................ 172

Other Security-Relevant Information .......................................................................... 172

SAP Learning Solution ................................................................................................... 173

Technical System Landscape..................................................................................... 173

Persistence ............................................................................................................. 174

Learning Portal (LSOFE)......................................................................................... 175

Content Player (LSOCP)......................................................................................... 176

Offline Player (LSOOP)........................................................................................... 177

Authoring Environment (LSOAE) ............................................................................ 178

Environment for the Training Administrator ............................................................ 179

User Management ...................................................................................................... 180

Authorizations ............................................................................................................. 183

Communication Channel Security .............................................................................. 184

Other Security-Relevant Information .......................................................................... 188

SAP E-Recruiting ........................................................................................................... 190

Before You Start ......................................................................................................... 190

Technical System Landscape..................................................................................... 190

User Management ...................................................................................................... 192

Authorizations ............................................................................................................. 194

Communication Channel Security .............................................................................. 197

Communication Destinations...................................................................................... 197

Data Storage Security................................................................................................. 198


Defense Forces & Public Security ..................................................................................... 199

Before You Start ............................................................................................................. 199

Technical System Landscape ........................................................................................ 199

User Administration and Authentication ......................................................................... 199

User Management ...................................................................................................... 200

Authorizations................................................................................................................. 201

Network and Communication Security ........................................................................... 202

Data Storage Security .................................................................................................... 202

Appendix ............................................................................................................................ 202


SAP ERP Central Component Security Guide

The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.

Introduction

This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.

Target Group

● Technology consultants

● System administrators

The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.

About this Document

The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.

As SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential you consult the SAP NetWeaver security guide: see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → SAP NetWeaver → Security → SAP NetWeaver Security Guide.

To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.

Overview of the Main Sections

The security guide comprises the following main sections:

● Before You Start This section contains information about why security is necessary, how to use this document, and references to other security guides that are a basis for this security guide.


● Technical System Landscape This section is an overview of the technical components and communication paths used by SAP ERP Central Component.

● User Management and Authentication This section provides an overview of the following user management and authentication aspects:

○ Recommended tools for user management.

○ Required user types for SAP ERP Central Component

○ Standard users delivered with SAP ERP Central Component

○ Overview of the user synchronization strategy, if several components or products are integrated

○ Overview of integration options in single sign-on environments

● Authorizations This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.

● Network and Communication Security This section provides an overview of the communication paths used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.

● Data Storage Security This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.

● Security for Third-Party or Additional Applications This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.

● Trace and Log Files This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.

● Appendix This section provides references to secondary sources of information.

Before You Start

Fundamental Security Guides

SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes

SAP Note 783758 provides updates to this guide and adds important information.


SAP Note 853497 contains information about saving temporary files when using Adobe® Acrobat® Reader in SAP applications.

SAP Note 138498 contains information on single sign-on solutions.

SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.

For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes.

Additional Information

For more information about specific topics, see the sources in the table below.

Contents                                         SAP Service Marketplace
Security                                         service.sap.com/security
Security Guides, SAP NetWeaver Security Guide    service.sap.com/securityguide
SAP NetWeaver documentation                      help.sap.com → Documentation → SAP NetWeaver
SAP NetWeaver installation guide                 service.sap.com → SAP Support Portal → Tools & Methods → Installation Guides → SAP NetWeaver
Related SAP Notes                                service.sap.com/notes
Platforms permitted                              service.sap.com/platforms
Network security                                 service.sap.com/network
Technical infrastructure                         service.sap.com/ti
SAP Solution Manager                             service.sap.com/solutionmanager

Technical System Landscape

For information about the technical system landscape, see the sources listed in the table below.

More Information About the Technical System Landscape

Subject: Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver
Guide/Tool: Master guide
SAP Service Marketplace: service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP

Subject: Technical configuration and high availability
Guide/Tool: Technical infrastructure guide
SAP Service Marketplace: service.sap.com/ti

Subject: Security
SAP Service Marketplace: service.sap.com/security


User Management and Authentication SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.

In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:

● User Management [page 13] This section details the user management tools, the required user types, and the standard users supplied by SAP.

● Synchronization of User Data [page 15] The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.

● Integration in Single Sign-On Environments [page 15] This section describes how SAP ERP Central Component supports single sign-on mechanisms.

User Management

Use

SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and the password concept. For an overview of how these mechanisms apply for SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.

User Management Tools

The following table shows the user management tools for SAP ERP Central Component.

Tool: User maintenance for ABAP-based systems (transaction SU01)
Description: For more information about the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Role maintenance with the profile generator for ABAP-based systems (transaction PFCG)
Description: For more information about the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.

Tool: Central User Administration (CUA)
Description: Maintenance of users in multiple ABAP-based systems from one central system.

Tool: User Management Engine (UME)
Description: Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal. The UME also provides persistence options, such as the ABAP engine.

For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

User types required for SAP ERP Central Component include, for example,

● Individual users:

○ Dialog users Dialog users are used for SAP GUI for Windows.

○ Internet users for Web applications Same policies apply as for dialog users, but used for Internet connections.

● Technical users:

○ Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).

○ Communication users are used for dialog-free communication between systems.

○ Background users can be used for processing in the background.

For additional information on user types, see User Types in the SAP NetWeaver security guide.

Standard Users

The following table shows the standard users that are required to operate SAP ERP Central Component.

Standard Users

System: SAP Web AS
User ID: <sapsid>adm
Type: SAP system administrator (operating system user)
Password: Mandatory
Description: See the SAP NetWeaver installation guide.

System: SAP Web AS
User ID: SAPService<sapsid>
Type: SAP system service administrator (operating system user)
Password: Mandatory
Description: See the SAP NetWeaver installation guide.

System: SAP Web AS
User ID: SAP standard ABAP users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Protecting Standard Users

System: SAP Web AS
User ID: SAP standard SAP Web AS Java users
Type: See SAP NetWeaver security guide
Password: See SAP NetWeaver security guide
Description: service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for Java Technology → Users and User Management → Standard Users and Groups. These users are used in applications that use Web Dynpro.

System: SAP ECC
User ID: SAP users
Type: Dialog users
Password: Mandatory
Description: The number of users depends on the area of operation and the business data to be processed.

For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release xx/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → User Maintenance → Logon and Password Security in the SAP System → Password Rules.

For information on user types, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → User Management and the section headed User Types.

The users specified are delivered with SAP ERP Central Component.

User Data Synchronization

Use

By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → User Administration and Authentication → Integration of User Management in Your System Landscape.

You can use user data distributed across systems by replicating the data in a central directory, for example.


Integration with Single Sign-On Environments

Use

SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP Technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.

The supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when using SAP GUI for Windows or Remote Function Calls.

For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → User Authentication → Authentication and Single Sign-On → Secure Network Communications (SNC).

SAP Logon Tickets

SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP NetWeaver Application Server security guide.

Client Certificates

As an alternative to user authentication using a user ID and password, users using a Web browser as a front-end client can also provide X.509 client certificates for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer protocol (SSL). User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information see Client Certificates in the SAP NetWeaver Application Server security guide.

Authorizations

Use

SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver Application Server for Java, the user management console of the User Management Engine (UME). You can define user-specific menus using roles.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.

For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.

For information on roles and authorizations in Travel Management (FI-TV) see the section Accounting under Financial Accounting.

Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements. For more information about the authorization concept at SAP, see:

■ SAP Service Marketplace at service.sap.com/securityguide in SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP Web Application Server Security Guide → SAP Web AS Security Guide for ABAP Technology → SAP Authorization Concept

■ SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance

Authorizations for Customizing Settings

You can use customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information on creating roles, see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → or Organization without the Profile Generator

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders have far fewer ways to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:


● Communication Channel Security [page 18] This section contains a description of the communication paths and protocols that are used by subcomponents of SAP ERP Central Component.

● Network Security [page 19] This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.

● Communication Destinations [page 19] This section describes the data needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver security guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability

Communication Channel Security

Use

Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.

The table below shows the communication paths used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication path: Application server to application server
Protocol used: RFC, HTTP(S)
Type of data transferred: Integration data
Data requiring special protection: Business data

Communication path: Application server to third-party application
Protocol used: HTTP(S)
Type of data transferred: Application data
Data requiring special protection: Passwords, business data, for example

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see the SAP NetWeaver security guide: SAP Service Marketplace at service.sap.com/securityguide in the section Transport Layer Security.
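Whether DIAG and RFC are actually forced onto SNC, and whether the ICM serves HTTPS at all, is decided by a handful of instance profile parameters. The script below is an added example, not SAP code and not a tool described in this guide: it parses an instance profile and flags the settings that leave a channel unprotected. It assumes the standard NetWeaver parameters snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc, snc/data_protection/min and icm/server_port_<n> with their 0/1 and PROT= values; the two profiles embedded in it are constructed samples, not taken from any system.

```python
"""Audit an SAP NetWeaver ABAP instance profile for transport-layer protection.

Added example, not SAP code.  Assumptions: the instance uses the standard
profile parameters snc/enable, snc/accept_insecure_gui, snc/accept_insecure_rfc,
snc/data_protection/min and icm/server_port_<n>; the two profiles below are
constructed samples.
"""
from typing import Dict, List

# Constructed sample: SNC is switched on but not enforced, and the ICM serves plain HTTP.
WEAK_PROFILE = """\
# constructed instance profile (weak)
SAPSYSTEMNAME = ECC
snc/enable = 1
snc/accept_insecure_gui = 1      # SAP GUI may still connect without SNC
snc/accept_insecure_rfc = 1      # RFC may still connect without SNC
snc/data_protection/min = 1      # 1 = authentication only, 3 = privacy
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed sample: SNC required with privacy for DIAG and RFC, HTTPS only.
HARDENED_PROFILE = """\
# constructed instance profile (hardened)
SAPSYSTEMNAME = ECC
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3
snc/data_protection/use = 3
icm/server_port_0 = PROT=HTTPS,PORT=8443
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, later lines override earlier ones."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def icm_protocols(params: Dict[str, str]) -> List[str]:
    """Collect the PROT= value of every icm/server_port_<n> entry (HTTP, HTTPS, SMTP, ...)."""
    protocols: List[str] = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            fields = dict(f.split("=", 1) for f in value.split(",") if "=" in f)
            protocols.append(fields.get("PROT", "").strip().upper())
    return protocols


def check_transport_security(params: Dict[str, str]) -> List[str]:
    """Return one finding per setting that leaves DIAG, RFC or HTTP unprotected."""
    findings: List[str] = []

    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: DIAG and RFC cannot use SNC at all")
    else:
        # With SNC on, these default to 0 (reject); any other value lets
        # unprotected SAP GUI / RFC connections in alongside the SNC-protected ones.
        for param in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
            if params.get(param, "0") != "0":
                findings.append(f"{param} = {params[param]}: connections without SNC are still accepted")
        # 1 = authentication only, 2 = integrity, 3 = privacy (encryption); default 2 assumed.
        if int(params.get("snc/data_protection/min", "2")) < 3:
            findings.append("snc/data_protection/min < 3: SNC connections need not be encrypted")

    protocols = icm_protocols(params)
    if "HTTPS" not in protocols:
        findings.append("no icm/server_port_<n> with PROT=HTTPS: HTTP traffic cannot be protected with SSL")
    if "HTTP" in protocols:
        findings.append("icm/server_port_<n> with PROT=HTTP: a plain-text HTTP port is open")
    return findings


def audit_profile(text: str) -> List[str]:
    """Convenience wrapper: parse a profile and run the checks."""
    return check_transport_security(parse_profile(text))


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = audit_profile(profile)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real instance profile by passing the file contents to audit_profile; the weak sample yields five findings and the hardened sample none. A plain HTTP port is reported even when HTTPS is also configured, because the guide's statement that HTTP is protected by SSL only holds if clients cannot fall back to the unprotected port.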

For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:

● SAP Supply Chain Management → Authorizations/Communication Channel Security/Communication Destinations

● SAP Business Information Warehouse Security Guides → Communication Security → Communication Destinations


Network Security Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Network and Communication Security:

● Network Services This section contains information about the services and ports used by SAP NetWeaver.

● Using Firewall Systems for Access Control Here you can see information about firewall settings.

● Using Multiple Network Zones Here you can get information about which parts of your application should be set up in which network segments.

If you provide services on the Internet, you should protect your network infrastructure with at least one firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. Bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.

Communication Destinations

Use

Careless use of users and authorizations poses security risks. You should therefore follow the security rules below when communicating between ERP systems:

● Employ the user types system and communication.

● Grant a user only the minimum authorizations.

● Choose a secure password and do not divulge it to anyone else.

● Only store user-specific logon data for users of type system and communication.

● Wherever possible, use trusted system functions instead of user-specific logon data.

For more information, see the application-specific part of this guide.
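The user-type distinction from the User Management section (interactive users must rotate passwords, technical users are exempt) and the rules above for stored logon data can be checked mechanically against exports of the user master and the RFC destinations. The Python below is an added example, not SAP code or a tool described in this guide: it works on two small constructed record sets with assumed field names (user type, password age, stored user per destination, trusted-system flag) rather than on a real table export, and the 90-day password age is an assumed policy value.

```python
"""Audit user types, password age and RFC destination logon data against the
rules in the Communication Destinations section.

Added example, not SAP code.  The records below are constructed samples with
assumed field names; a real check would read them from the system's user
master and destination table.  The 90-day limit is an assumed policy value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TECHNICAL_TYPES = {"system", "communication"}   # may own stored logon data
INTERACTIVE_TYPES = {"dialog", "internet"}      # must rotate passwords
DIALOG_PASSWORD_MAX_AGE_DAYS = 90               # assumed policy value


@dataclass(frozen=True)
class User:
    name: str
    utype: str                # dialog, internet, service, system or communication
    password_age_days: int    # days since the password was last changed


@dataclass(frozen=True)
class Destination:
    name: str
    target: str
    stored_user: Optional[str]   # user whose logon data is stored; None if nothing stored
    trusted: bool                # trusted-system RFC: caller identity is propagated


# Constructed user master
USERS = [
    User("JSMITH",    "dialog",        12),
    User("MMUELLER",  "dialog",       140),   # interactive user, stale password
    User("BATCHUSER", "dialog",       300),   # runs jobs but was created as a dialog user
    User("ALEREMOTE", "system",       400),   # technical user, exempt from rotation
    User("RFC_BW",    "communication", 30),
]

# Constructed RFC destinations
DESTINATIONS = [
    Destination("BWCLNT100",  "BW",  "RFC_BW",    False),
    Destination("SCMCLNT200", "SCM", "MMUELLER",  False),   # dialog user's password at rest
    Destination("HRCLNT300",  "HR",  None,        True),    # trusted, no logon data stored
    Destination("CRMCLNT100", "CRM", "ALEREMOTE", False),
]


def check_password_policy(users, max_age: int = DIALOG_PASSWORD_MAX_AGE_DAYS) -> List[str]:
    """Interactive users must rotate passwords; technical users are exempt."""
    return [
        f"{u.name}: {u.utype} user with a {u.password_age_days}-day-old password (limit {max_age})"
        for u in users
        if u.utype in INTERACTIVE_TYPES and u.password_age_days > max_age
    ]


def check_destinations(destinations, users) -> List[str]:
    """Stored logon data is acceptable only for system or communication users."""
    by_name: Dict[str, User] = {u.name: u for u in users}
    findings: List[str] = []
    for d in destinations:
        if d.stored_user is None:
            continue        # trusted connection or runtime logon: no password at rest
        user = by_name.get(d.stored_user)
        if user is None:
            findings.append(f"{d.name}: stored user {d.stored_user} does not exist in the user master")
        elif user.utype not in TECHNICAL_TYPES:
            findings.append(
                f"{d.name}: logon data stored for {user.utype} user {d.stored_user}; "
                "use a system or communication user, or a trusted-system connection"
            )
    return findings


def stored_credentials_to_review(destinations) -> List[str]:
    """Destinations that keep a password at rest, for the 'prefer trusted systems' rule."""
    return [d.name for d in destinations if d.stored_user is not None and not d.trusted]


if __name__ == "__main__":
    for finding in check_password_policy(USERS) + check_destinations(DESTINATIONS, USERS):
        print("FINDING:", finding)
    print("destinations with stored logon data:", stored_credentials_to_review(DESTINATIONS))
```

On the sample data the password check reports MMUELLER and BATCHUSER (the second is the classic case of a job user created as a dialog user, which should be a system user instead), and the destination check reports SCMCLNT200, whose stored credentials belong to a dialog user. HRCLNT300 passes because a trusted-system connection stores no logon data, which is what the last rule above recommends.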

Data Storage Security

Use

For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.


Security for Other Applications See the corresponding sections in the application-specific part of this guide.

Trace and Log Files

Use

The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide.

If the section for an individual component of SAP ERP Central Component contains no information about trace and log files, you can assume that no sensitive data is written to these files.


Cross-Application Components

Cross-Application Time Sheet (CA-TS)

Authorizations

The Cross-Application Time Sheet uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.

Role                               Description
SAP_EMPLOYEE                       Employee Self-Service
SAP_HR_PT_TIME-ADMINISTRATOR       Time Administrator
SAP_ISR_RETAIL_STORE               SAP Retail Store User
SAP_PS_CONFIRM                     Confirmations
SAP_HR_PT_TIME-SUPERVISOR          Time Supervisor
SAP_ISR_STORE_PERSONNEL            Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST     Time Management Specialist

Standard Authorization Objects In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.

See also:

Note the special points listed in the following section of the SAP Library: Cross-Application Components → Cross-Application Time Sheet → Assigning Authorizations.


Communication Destinations

Use

Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.

Communication with Personnel Time Management

To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:

● If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.

● If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.

The BAPIs enable you to create, change, or delete Personnel Time Management data.

These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.

Technical Users

You require the following technical users for the communication:

● To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.

These technical users do not require authorizations specific to the SAP HR solution.

● For the subsequent background processing job to transfer data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).

To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees’ authorizations on the authorizations for the CAT2 transaction.

Posting Data to Other Target Applications

There are no special communication destinations for posting data to the other target applications.

See also:

For more information, see the SAP Library:

● For information about transferring time sheet data to the target applications, see: Cross-Application Components → Cross-Application Time Sheet → Transfer of Time Sheet Data to the Target Components.

● For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications → ALE / EDI Business Processes.


Self-Services

Before You Start This section of the Security Guide provides you with information about the following self-service components:

● Employee Self-Service (ESS)

● Manager Self-Service (MSS)

● Business Unit Analyst (BUA)

● Project Self-Services (PSS)

● E-Recruiting (ECR)

● HR Administrative Services (ASR)

● Higher Education and Research (IS-HER-CSS)

● General Parts (PCUI_GP)

If not stated otherwise, the security settings for user management and authorizations apply to all components.

If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [page 1] also apply to the self-service components.

For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides → mySAP Business Suite Solutions → mySAP ERP.

Fundamental Security Guides

Scenario, Application or Component: Security Guide / Important Sections

SAP NetWeaver Application Server ABAP: SAP Authorization Concept [external]

SAP NetWeaver Application Server Java: User Administration and Authentication [external]; Authorizations [external]

SAP ECC Industry Extension HE&R: SAP ECC Industry Extension HE&R: Security Guide [external]

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at securityguide.


Important SAP Notes

The following table presents the most important SAP Notes regarding security for the Self-Service applications:

Important SAP Notes

SAP Note Number: Title / Comment

857431: ESS: Authorizations and Roles for WD Services in ERP 2005. This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).

844639: MSS: Authorizations and Roles for ERP 2005. This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).

846439: PSS: Authorizations and Roles for Web Dynpro. This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).

User Management

Use

User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply to Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.

User Management Tools

The following table presents the tools used for managing users in Self-Service applications:

User Management Tools

Tool: Detailed Description / Prerequisites

User and Role Maintenance (transaction PFCG): You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users. For more information, see the Users and Roles [external] section in SAP Library for SAP NetWeaver (see also help.sap.com → Documentation → SAP NetWeaver).


User Types

For more information about user types [external], see the SAP NetWeaver Application Server Security Guide ABAP.

SAP recommends that you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access.

Standard Users

Different standard users exist for the individual Self-Service components.

Components: Standard Users

● Employee Self-Service

● Manager Self-Service

● Project Self-Service

● Business Unit Analyst

No standard users exist in the standard SAP system for these components.

● E-Recruiting

● HR Administrative Services

For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.

● Higher Education and Research

For information about the standard users for this component, see the security guide for this component.

Authorizations

Use

The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.

The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [page 27].

The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.


Standard Roles

Employee Self-Service

The following table presents the standard roles used in Employee Self-Service applications:

Standard Roles for Employee Self-Service (ESS):

Role Description

SAP_ESSUSER_ERP05 Single role that comprises all non-country-specific functions.

SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.

In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.

The composite role is assigned to the individual employee.

Manager Self-Service, Business Unit Analyst, and Project Self-Services

There are no standard roles for these components.

E-Recruiting and HR Administrative Services

For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard roles for this component, see the Security Guide for this component.

Standard Authorization Objects

The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.

Standard Authorization Objects for Self-Service Applications:

Authorization Object: Field / Value / Description

S_RFC: RFC_NAME / depends on service / Secures the RFC access from the Web Dynpro frontend to the backend system.

S_SERVICE: SRV_NAME / * / Additional object for Web Dynpro applications; the check is run when external services are started. This authorization object is needed when an employee, project lead, or manager wants to start self-service applications.


When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE-SRV_NAME = <vendor>/<dc>/<Application>, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
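The S_SERVICE check described above, as an added example that is not SAP's code: a Python model of how a role's SRV_NAME values decide whether a user can start a Web Dynpro service, contrasting the full wildcard * with an explicit <vendor>/<dc>/<Application> name. The role names and the prefix value sap.com/ess~* are constructed for illustration; the trailing-asterisk prefix matching follows the standard SAP authorization value semantics.

```python
"""Model of the S_SERVICE / SRV_NAME check for Web Dynpro self-services.

Added example for this guide, not SAP code. It models the standard
authorization value semantics: a lone '*' matches every service, a value
ending in '*' matches by prefix, and any other value must match exactly.
Service names use the <vendor>/<dc>/<Application> form from the text; the
role names and the 'sap.com/ess~*' value are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, NamedTuple


class ServiceName(NamedTuple):
    vendor: str
    dc: str
    application: str


def parse_service_name(srv_name: str) -> ServiceName:
    """Split '<vendor>/<dc>/<Application>' into its three segments.

    Raises ValueError when the name does not have exactly three non-empty
    segments, so a mistyped SRV_NAME value is caught when the role is built
    rather than silently never matching.
    """
    parts = srv_name.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"invalid S_SERVICE name: {srv_name!r}")
    return ServiceName(*parts)


def value_matches(auth_value: str, srv_name: str) -> bool:
    """Compare one maintained SRV_NAME value against a requested service."""
    if auth_value == "*":
        return True                      # full wildcard: every application
    if auth_value.endswith("*"):
        return srv_name.startswith(auth_value[:-1])   # prefix wildcard
    return auth_value == srv_name        # explicit single application


@dataclass
class Role:
    """A PFCG role reduced to its S_SERVICE / SRV_NAME values."""
    name: str
    srv_names: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Validate explicit (non-wildcard) values at definition time.
        for value in self.srv_names:
            if not value.endswith("*"):
                parse_service_name(value)


def can_start(roles: List[Role], srv_name: str) -> bool:
    """True if any of the user's roles authorizes starting srv_name."""
    parse_service_name(srv_name)         # reject malformed requests outright
    return any(value_matches(v, srv_name) for r in roles for v in r.srv_names)


def roles_granting_all_services(roles: List[Role]) -> List[str]:
    """Audit helper: names of roles that kept the default '*' value."""
    return [r.name for r in roles if "*" in r.srv_names]


# Constructed sample roles (not SAP-delivered). The first keeps the guide's
# default value '*'; the others restrict SRV_NAME to individual applications.
ALL_SERVICES = Role("Z_XSS_ALL", ["*"])
ATTENDANCE_ONLY = Role(
    "Z_XSS_ATTENDANCE", ["sap.com/pcui_gp~xssexamples/AttendanceExample"]
)
ESS_DC_ONLY = Role("Z_XSS_ESS_DC", ["sap.com/ess~*"])


if __name__ == "__main__":
    request = "sap.com/pcui_gp~xssexamples/AttendanceExample"
    for role in (ALL_SERVICES, ATTENDANCE_ONLY, ESS_DC_ONLY):
        print(f"{role.name}: {can_start([role], request)}")
    print("roles with full wildcard:",
          roles_granting_all_services([ALL_SERVICES, ATTENDANCE_ONLY]))
```

roles_granting_all_services is the review step: any role it returns lets its users start every Web Dynpro application in the system, which is what the text's individual-application syntax is meant to avoid.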

E-Recruiting and HR Administrative Services

For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.

Higher Education and Research

For information about the standard authorization objects for this component, see the Security Guide for this component.

Internal Service Request and Personnel Change Requests

For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.

Editing Roles and Authorizations for Web Dynpro Services

Use

Use this procedure to edit roles and the related Web Dynpro services and authorizations.

Procedure

1. Create a role in transaction PFCG or select the standard role that exists for the component. Choose Create Role or copy the existing standard role.

2. Assign the required services to the role.

a. Choose the Menu tab page and then Default Authorization.

The Service dialog box appears.

b. Set the External Service indicator.

c. Select WEBDYNPRO as the type of external service.

d. In the Service field, select the Web Dynpro service you require.

e. Choose Save.

The authorization objects and default values maintained for the service are displayed in the menu tree.

In the same way, select all Web Dynpro services you want to use.

3. Assign the required authorizations.

Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.

For more information about how to maintain roles, see Role Maintenance [external] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).


Authorizations for Controlling Services (MSS, BUA)

The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).

Standard Authorization Objects for Controlling Services:

Authorization Object: Description

K_CCA: General authorization object for Cost Center Accounting. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_ORDER: General authorization object for internal orders. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_PCA: Responsibility area, profit center. Checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.

K_CSKS_PLA: Cost element planning. Checked in the relevant Express Planning services.

K_FPB_EXP: Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.

For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.

Authorizations for BW iViews (MSS)

In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [external] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).

In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [external] (0PA_DS02) and Structural Authorizations - Hierarchy [external] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management → ODS Objects.

You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).


Communication Destinations

To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [external].


Accounting

Financial Accounting

Network and Communication Security

Communication with external systems takes place using the standard channels provided by SAP Basis technology:

● Application Link Enabling (ALE)

● Standard interfaces to BW, CRM, and SRM systems

● Batch Input [external]

● Remote Function Call [external] (RFC)

● Business Application Programming Interface (BAPI)

● IDoc [external]

● SAP Exchange Infrastructure (XI)

● E-mail, fax

Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations. In addition, there is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.

Payments and payment advice notes are dispatched as IDocs, and dunning notices are sent by e-mail or fax.

Communication Destinations

All the technical users generally available can be used.

For payment requests from other components, see SAP Note 303205.

Data Storage Security

Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.

Important SAP Notes

See SAP Notes 303205 and 497712.


Authorizations in Financial Accounting

Authorization Objects in Financial Accounting

Object Name

FAGL_INST Customer Enhancements for General Ledger

F_ACE_DST Accrual Engine: Accrual Objects

F_ACE_PST Accrual Engine: Accrual/Deferral Postings

F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts

F_BKPF_BLA Accounting Document: Authorization for Document Types

F_BKPF_BUK Accounting Document: Authorization for Company Codes

F_BKPF_BUP Accounting Document: Authorization for Posting Periods

F_BKPF_GSB Accounting Document: Authorization for Business Areas

F_BKPF_KOA Accounting Document: Authorization for Account Types

F_BKPF_VW Accounting Document: Display/Change Default Values Document Type/Posting Key

F_FAGL_LDR General Ledger: Authorization for Ledger

F_FAGL_SEG General Ledger: Authorization for Segment

K_TP_VALU General Ledger: Authorization for Transfer Price Valuation

F_FAGL_SKF General Ledger: Authorization for Transaction with Statistical Key Figures

F_IT_ALV Line Item Display: Change and Save Layouts

F_KMT_MGMT Account Assignment Model: Authorization for Maintenance and Use

F_SKA1_AEN G/L Account: Change Authorization for Certain Fields

F_SKA1_BES G/L Account: Account Authorization

F_SKA1_BUK G/L Account: Authorization for Company Codes

F_SKA1_KTP G/L Account: Authorization for Charts of Accounts

F_T011 Balance Sheet: General Maintenance Authorization

F_T011E Authorization for Financial Calendar

F_T011_BUK Planning: Authorization for Company Codes

F_T060_ACT Information System: Account Type/Activity for Evaluation View

F_AVIK_AVA Payment Advice Note: Authorization for Payment Advice Note Types

F_AVIK_BUK Payment Advice Note: Authorization for Company Codes

F_BKPF_BED Accounting Document: Account Authorization for Customers

F_BKPF_BEK Accounting Document: Account Authorization for Vendors

F_BL_BANK Authorization for House Banks and Payment Methods

F_BNKA_BUK Banks: Authorization for Company Codes

F_FBCJ Cash Journal: General Authorization

F_FEBB_BUK Bank Account Statement Company Code


F_FEBC_BUK Check Deposit/Lockbox Company Code

F_KNA1_AEN Customer: Change Authorization for Certain Fields

F_KNA1_APP Customer: Application Authorization

F_KNA1_BED Customer: Accounts Authorization

F_KNA1_BUK Customer: Authorization for Company Codes

F_KNA1_GEN Customer: Central Data

F_KNA1_GRP Customer: Accounts Group Authorization

F_KNA1_KGD Customer: Change Authorization for Accounts Groups

F_KNB1_ANA Customer: Authorization for Account Analysis

F_KNKA_AEN Credit Management: Change Authorization for Certain Fields

F_KNKA_KKB Credit Management: Authorization for Credit Control Area

F_BNKA_MAN Banks: General Maintenance Authorization

F_KNKK_BED Credit Management: Accounts Authorization

F_LFA1_AEN Vendor: Change Authorization for Certain Fields

F_LFA1_APP Vendor: Application Authorization

F_LFA1_BEK Vendor: Accounts Authorization

F_LFA1_BUK Vendor: Authorization for Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Accounts Group Authorization

F_MAHN_BUK Automatic Dunning: Authorization for Company Codes. The documentation for this object refers to transaction F150.

F_MAHN_KOA Automatic Dunning: Authorization for Account Types

F_PAYRQ Authorization Object for Payment Requests

F_PAYR_BUK Check Management: Action Authorization for Company Codes

F_REGU_BUK Automatic Payment: Action Authorization for Company Codes. Refers to transaction F110.

F_REGU_KOA Automatic Payment: Action Authorization for Account Types

F_RPCODE Repetitive Code

F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages

F_T042_BUK Customizing Payment Program: Authorization for Company Codes

S_BTCH_JOB Background Processing: Operations on Background Jobs. Users who are to be authorized to start background processing must have authorization for activity RELE.

P_ABAP HR Reporting. Protects payments from payroll. See also SAP Note 303205, which describes an enhancement of the checks made using a function module.

F_WEB_EBPP Participation in EBPP Process via a Web Interface


General Ledger Accounting (FI-GL)

Standard Roles in General Ledger Accounting

Role Name

SAP_AUDITOR_BA_FI_GL AIS - General Ledger (GLT0)

SAP_FI_GL_ACCOUNT_CHANGE_REQUE General Ledger Account/Change Request

SAP_FI_GL_ACCT_MASTER_DATA General Ledger Master Data Maintenance

SAP_FI_GL_BALANCE_CARRYFORWARD Balance Carryforward

SAP_FI_GL_CHANGE_PARKED_DOCUM Change Parked General Ledger Documents

SAP_FI_GL_CLEAR_OPEN_ITEMS Clear Open General Ledger Items

SAP_FI_GL_CONS_PREPARATIONS Preparation for Consolidation

SAP_FI_GL_CURRENCY_VALUATION General Ledger Account Foreign Currency Valuation

SAP_FI_GL_DISPLAY_ACCT_BALANCE Display General Ledger Account Balances and Items

SAP_FI_GL_DISPLAY_DOCUMENTS Display General Ledger Documents

SAP_FI_GL_DISPLAY_MASTER_DATA Display General Ledger Master Data

SAP_FI_GL_DISPLAY_PARKED_DOCUM Display Parked Documents

SAP_FI_GL_EXCHANGE_RATE_TABLE Maintain Currency Exchange Rates

SAP_FI_GL_FIN_STATEMENT_REPORT Financial Statement Reports

SAP_FI_GL_INTEREST_CALCULATION Interest Calculation for G/L Accounts

SAP_FI_GL_INTEREST_RATE_TABLES Maintain Interest Rates

SAP_FI_GL_KEY_REPORTS Key Reports: General Ledger Accounting

SAP_FI_GL_PARK_DOCUMENT Park General Ledger Documents

SAP_FI_GL_PERIOD_END_CLOSING Closing Procedures in General Ledger Accounting

SAP_FI_GL_PERIODIC_ENTRIES Enter Recurring General Ledger Postings

SAP_FI_GL_POST_ENTRY Make General Ledger Postings

SAP_FI_GL_POST_PARKED_DOCUMENT Post Parked Document

SAP_FI_GL_RECURRING_DOCUMENTS Process Recurring Documents

SAP_FI_GL_REVERSE-CHANGE Reverse/Change General Ledger Documents

SAP_FI_GL_SAMPLE_ACCT_MASTER_D Sample Accounts

SAP_FI_GL_SAMPLE_DOCUMENTS Edit Sample Documents


Consolidation Authorizations

Authorization Objects in Consolidation

Authorization Object Description

E_CS_BUNIT Consolidation unit

E_CS_CACTT Consolidation tasks

E_CS_CONGR Consolidation group

E_CS_DEFRM SAP Consolidation: Data entry layout

E_CS_DIMEN Dimension

E_CS_ITCLG Consolidation chart of accounts

E_CS_JEFRM SAP Consolidation: Journal entry layout

E_CS_PERMO Monitor, opening/closing of periods

E_CS_RPTNG Reporting with Report Writer/Report Painter and Drilldown Reports

E_CS_RVERS Version

For more information, see the Implementation Guide for Enterprise Controlling at Consolidation → Preparing for Production → Authorization Management.

Authorization Profiles in Consolidation

Authorization Profile Description

E_CS_ALL Full Authorization for EC-CS

E_CS_DISPLAY Display Authorization for EC-CS

Standard Roles in Consolidation

Role Name

SAP_AUDITOR_BA_EC_CS AIS – Consolidation

SAP_AUDITOR_BA_EC_CS_A AIS – Consolidation (Authorizations)

SAP_EC_CS_FUNCTIONS_DETAIL Consolidation – Detail Functions

SAP_EC_CS_FUNCTIONS_GENERAL Consolidation – General Functions

SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation – Offline Data Entry with Microsoft Access

SAP_EC_CS_RECONCILIATION Consolidation – Reconciliation of Integrated Data

SAP_EC_CS_REPORT_ALL Consolidation – All Reports

SAP_EC_CS_REPORT_CONSDATA Consolidation – Reports with Consolidated Data


Network and Communication Security

Consolidation allows for offline entry of data using Microsoft Access. Communication takes place via Remote Function Call (RFC).

Data Storage Security

The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.

Accounts Payable Accounting (FI-AP)

Standard Roles in Accounts Payable Accounting

Role Name

SAP_FI_AP_BALANCE_CARRYFORWARD Vendor Balance Carryforward

SAP_FI_AP_CHANGE-REVERSE_INV Change/Reverse Vendor Invoices

SAP_FI_AP_CHANGE_LINE_ITEMS Change Vendor Line Items

SAP_FI_AP_CHANGE_PARKED_DOCUM Change Parked Vendor Documents

SAP_FI_AP_CHECK_MAINTENANCE Check Processing

SAP_FI_AP_CLEAR_OPEN_ITEMS Clear Vendor Line Items

SAP_FI_AP_CORRESPONDENCE Correspondence – Vendors

SAP_FI_AP_DISPLAY_BALANCES Display Vendor Balances and Items

SAP_FI_AP_DISPLAY_CHECKS Display Checks

SAP_FI_AP_DISPLAY_DOCUMENTS Display Vendor Documents

SAP_FI_AP_DISPLAY_MASTER_DATA Display Vendor Master Data

SAP_FI_AP_DISPLAY_PARKED_DOCUM Display Parked Vendor Documents

SAP_FI_AP_INTEREST_CALCULATION Vendor Interest Calculation

SAP_FI_AP_INTERNET_FUNCTIONS Internet Functions in Accounts Payable Accounting

SAP_FI_AP_INVOICE_PROCESSING Entry of Vendor Invoices

SAP_FI_AP_KEY_REPORTS Important Reports from Accounts Payable Accounting

SAP_FI_AP_MANUAL_PAYMENT Manual Payment

SAP_FI_AP_PARK_DOCUMENT Park Vendor Documents

SAP_FI_AP_PAYMENT_BILL_OF_EXCH Payment Transaction with Bill of Exchange

SAP_FI_AP_PAYMENT_CHECKS Payment Program with Check Processing

SAP_FI_AP_PAYMENT_PARAMETERS Display of Payment Run Parameters

SAP_FI_AP_PAYMENT_PROPOSAL Create and Process Proposal for a Payment Run

SAP_FI_AP_PAYMENT_RUN Payment Run Update Run without Printing Payment Medium

SAP_FI_AP_PCARD Payment Card (Procurement Card)


SAP_FI_AP_PERIOD_END_ACTIVITY Accounts Payable Accounting Period Closing

SAP_FI_AP_POST_PARKED_DOCUM Post Parked Vendor Document

SAP_FI_AP_RECURRING_DOCUMENTS Vendor Recurring Entry Documents

SAP_FI_AP_SAMPLE_DOCUMENTS Edit Sample Documents: Accounts Payable Accounting

SAP_FI_AP_VENDOR_MASTER_DATA Vendor Master Data Maintenance

SAP_FI_AP_WITHHOLDING_TAX Withholding Tax Processing

Accounts Receivable Accounting (FI-AR)

Authorizations

Standard Roles in Accounts Receivable Accounting

Role Name

SAP_FI_AR_BALANCE_CARRYFORWARD Customer Balance Carryforward

SAP_FI_AR_BILL_OF_EXCHANGE Process Bill of Exchange

SAP_FI_AR_CHANGE-REVERSE Change/Reverse Customer Postings

SAP_FI_AR_CHANGE_LINE_ITEMS Change Customer Items

SAP_FI_AR_CHANGE_PARKED_DOCUM Change Parked Document

SAP_FI_AR_CLEAR_OPEN_ITEMS Clear Customer Items

SAP_FI_AR_CREDIT_MASTER_DATA Credit Management Master Data

SAP_FI_AR_CUST_DOWN_PAYMENTS Processing of Customer Payments

SAP_FI_AR_DISPLAY_CREDIT_INFO Display Credit Data

SAP_FI_AR_DISPLAY_CUST_INFO Display Customer Information

SAP_FI_AR_DISPLAY_DOCUMENTS Display Customer Documents

SAP_FI_AR_DISPLAY_MASTER_DATA Display Customer Master Data

SAP_FI_AR_DISPLAY_PARKED_DOCUM Display Parked Customer Document

SAP_FI_AR_DUNNING_PROGRAM Dunning Program

SAP_FI_AR_INTEREST_CALCULATION Customer Interest Calculation

SAP_FI_AR_INTERNET_FUNCTIONS Internet Functions for Accounts Receivable Accounting

SAP_FI_AR_KEY_REPORTS Important Reports for Accounts Receivable Accounting

SAP_FI_AR_MASTER_DATA Customer Master Data Maintenance

SAP_FI_AR_PARK_DOCUMENT Park Customer Documents

SAP_FI_AR_PAYMENT_CARD_PROCESS Payment Card Processing

SAP_FI_AR_PERIOD_END_PROCESS Closing Operations: Accounts Receivable Accounting

SAP_FI_AR_POST_ENTRIES Post Customer Invoices and Credit Memos


SAP_FI_AR_POST_MANUAL_PAYMENTS Post Incoming Payments Manually

SAP_FI_AR_POST_PARKED_DOCUMENT Post Parked Customer Document

SAP_FI_AR_PRINT_CORRESPONDENCE Correspondence with Customers

SAP_FI_AR_RECURRING_DOCUMENTS Customer Recurring Entry Documents

SAP_FI_AR_SAMPLE_DOCUMENTS Customer Sample Documents

SAP_FI_AR_VALUATION Valuation of Customer Items

Data Storage Security

You can store payment card numbers encrypted in the database. For information about encrypting credit card data, see SAP Note 633462.

Bank Accounting (FI-BL)

Authorizations

Standard Roles in Bank Accounting

Role Name

SAP_FI_BL_ACCOUNT_REPORTS Financial Status Information

SAP_FI_BL_BANK_MASTERDAT_DISPL Display of Bank Master Data

SAP_FI_BL_BANK_MASTER_DATA Maintenance of Bank Master Data

SAP_FI_BL_BANK_STATEMENT Process Account Statement

SAP_FI_BL_BILL_OF_EX_PRESENT Bill of Exchange Presentation

SAP_FI_BL_BILL_OF_EX_REPORTS Reports on Bill of Exchange Holdings

SAP_FI_BL_CASHED_CHECKS Cashed Checks

SAP_FI_BL_CASH_JOURNAL Cash Journal

SAP_FI_BL_CHECK_DELETE Deletion of Checks

SAP_FI_BL_CHECK_DEPOSIT Check Deposit

SAP_FI_BL_CHECK_MANAGEMENT Check Management

SAP_FI_BL_CHECK_MGMENT_DISPLAY Display of Managed Checks

SAP_FI_BL_INTRADAY_STATEMENT Import Intraday Account Statement Information (USA)

SAP_FI_BL_LOCKBOX Processing Lockbox Data

SAP_FI_BL_ONLINE_PAYMENT Make Online Payments

SAP_FI_BL_PAYMENT_TRANSACTIONS Payment Processing

SAP_FI_BL_PAYME_ADVICE_REPORTS Payment Advice Note Reports

SAP_FI_BL_POR_PROCEDURE Incoming Payments via ISR Procedure (Switzerland)

SAP_FI_BL_RETURNED_BILL_OF_EX Returned Bills of Exchange


Data Storage Security

You can store payment card numbers encrypted in the database. For information about encrypting credit card data, see SAP Note 633462.

Asset Accounting (FI-AA)

Authorizations

Standard Roles in Asset Accounting

Role Name

SAP_AUDITOR_BA_FI_AA AIS Fixed Assets

SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)

SAP_FI_AA_ASSET_ARCHIVING Archiving Activities

SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction

SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting

SAP_FI_AA_ASSET_EXPLORER Asset Explorer

SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System

SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance

SAP_FI_AA_ASSET_REVALUATION Revaluation Activities

SAP_FI_AA_ASSET_TRANSACTIONS Asset Transactions

SAP_FI_AA_CURRENT_SETTINGS Current Settings

SAP_FI_AA_EVERY_MANAGER Activities for Cost Center Manager

SAP_FI_AA_GROUP_ASSET Maintain Group Asset

SAP_FI_AA_KEY_REPORTS Important Reports in Asset Accounting

SAP_FI_AA_PERIODIC_PROCESSING Periodic Processing

SAP_FI_AA_PROBLEM_ANALYSIS Tools for Analyzing Problems

SAP_FI_AA_YEAR_END_CLOSING Year-End Closing

Network and Communication Security

Asset Accounting provides BAPIs for communicating with third-party systems.

Communication Destinations

For workflow tasks, you sometimes need either the WF-BATCH user or a user that you can use for background steps of this kind. To execute the decision steps required before reaching these background steps, you need a user that is explicitly assigned (rather than a user like WF-BATCH).


Important SAP Notes

Number Short Text

38957 Fields are not displayed/ready for input

335170 Authorization check AW01/AW01N

372724 Maintenance of report variants

460548 AW01N: Depreciation areas are not displayed

540785 FAQ note: Reporting of Asset Accounting

141876 Authorization checks in asset reporting

544703 FAQ Mass change/Mass retirement

Travel Management (FI-TV)

Authorizations

Standard Roles in Travel Management

Role Description

SAP_FI_TV_TRAVELER Traveler

SAP_FI_TV_TRAVEL_ASSISTANT Travel Assistant

SAP_FI_TV_ADMINISTRATOR Travel Management Administrator

SAP_FI_TV_MANAGER_GENERIC Approving Manager

SAP_FI_TV_ADVANCE_PAYER Trip Advance Payer

SAP_FI_TV_TRAVEL_MANAGER Travel Manager

Authorization Profiles

SAP supplies the travel profile FI-TV (infotype 0470 in Human Resources (HR)). You can also create the authorization profile based on the organizational affiliation using the feature TRVCP.

Authorization Objects

Travel Management uses authorization object P_TRAVL for all general functions. Transfer of travel expenses to Accounting is protected by authorization object F_TRAVL.

The status of the travel plan is protected by authorization object F_TRAVL_S.

Network and Communication Security

Travel Management uses the following external interfaces to reservation systems:

● Hotel Reservation Service (HRS): Communication with the Web service uses HTTPS. You can also use HTTP at your own risk.

● Deutsche Bahn: Communication with the Web service uses HTTPS and is encrypted with PGP.


● Amadeus: The gateway is the responsibility of the partner.

● Sabre: Communication with the Web service uses HTTPS or a gateway that is the responsibility of the partner.

● Galileo: The gateway is the responsibility of the partner.

Data Storage Security

Travel Management transmits credit card information to the partners named above. The card data itself cannot be accessed in the SAP system.

The system settings (IMG) of Travel Management contain passwords and credit card information that are currently stored in unencrypted form. This information is protected only by the standard authorization objects of the SAP Customizing Implementation Guide.

Authorizations in the Special Purpose Ledger (FI-SL)

Standard Roles in Special Purpose Ledger

Role Name

SAP_AUDITOR_BA_FI_SL AIS - Special Purpose Ledger

SAP_AUDITOR_BA_FI_SL_A AIS - Special Purpose Ledger (Authorizations)

SAP_FI_SL_ACTUAL_ASSESSMENT Special Purpose Ledger Actual Assessment

SAP_FI_SL_ACTUAL_DISTRIBUTION Special Purpose Ledger Actual Distribution

SAP_FI_SL_ACTUAL_POSTINGS Special Purpose Ledger Actual Postings

SAP_FI_SL_BATCH_JOBS Run Special Purpose Ledger Jobs in Background

SAP_FI_SL_CURRENCY_TRANSLATION Special Purpose Ledger Currency Translation

SAP_FI_SL_DISPLAY_DOCUMENTS Display Special Purpose Ledger Balances and Documents

SAP_FI_SL_DISPLAY_PLAN Display Special Purpose Ledger Plan

SAP_FI_SL_MODIFY_PLAN Modify Special Purpose Ledger Planning

SAP_FI_SL_PLAN_ASSESSMENT Edit Plan Assessment

SAP_FI_SL_PLAN_DISTRIBUTION Plan Distribution

SAP_FI_SL_ROLLUP Special Purpose Ledger Rollup

Authorization Objects in Special Purpose Ledger

Object Name

G_022_GACT FI-SL Customizing: Transactions

G_800S_GSE Special Purpose Ledger Sets: Set


G_802G_GSV Special Purpose Ledger Sets: Variable

G_806H_GRJ FI-SL Rollup

G_820_GPL FI-SL Planning: Planning Parameters

G_821S_GSP FI-SL Planning: Distribution Keys

G_880_GRMP FI-SL Customizing: Global Companies

G_881_GRLD FI-SL Customizing: Ledger

G_888_GFGC FI-SL Customizing: Field Movements

G_ADMI_CUS Central Administrative FI-SL Tools

G_ALLOCTN Special Purpose Ledger - Assessment/Distribution

G_GLTP Special Purpose Ledger - Database (Ledger, Record Type, Version)

G_REPO_GLO FI-SL: Global Reporting (Global Company)

G_REPO_LOC FI-SL: Local Reporting (Company Code)

Treasury

Network and Communication Security

Communication with external systems is possible using standard interfaces via BAPI, IDoc, and XI.

Communication Destinations

In certain cases a technical user may be required for calling BAPIs.

Data Storage Security

Treasury accesses financial transaction data that can be particularly sensitive. Access is protected by the roles described in the Authorizations section.

More Security Information

All authorizations are controlled by means of roles and profiles. You can further increase system security with a number of Customizing settings, such as trader authorization and posting release. These settings complement the authorization check; the check itself must always be based on roles and profiles.

Important SAP Notes

See SAP Notes 445148 (Access of the tax authorities to stored data) and 683810 (CFM-TM Tax reduction law: Separate authorization) for information about the German principles of data access and verifiability of digital documentation (GDPdU).


Authorizations

Standard Roles in Corporate Finance Management

Role Name

SAP_CFM_ADMINISTRATOR Administrator

SAP_CFM_DEALER Dealer

SAP_CFM_IHC_SUPERVISOR In-House Cash Supervisor

SAP_CFM_LIMIT_MANAGER Limit Manager

SAP_CFM_RISK_CONTROLLER Risk Controller

SAP_CFM_TM_BACKOFFICE_PROCES Settler

SAP_CFM_TM_FUND_MANAGER Fund Manager

SAP_CFM_TM_STAFF_ACCOUNTANT Accountant

SAP_CFM_TM_TRADE_CONTROLLER Trade Controller

SAP_CFM_TREASURY_MANAGER Treasury Manager

Standard Roles in Treasury

Role Name

SAP_TR_ADMINISTRATOR Administrator

SAP_TR_LO_CREDIT_ANALYST Credit Analyst

SAP_TR_LO_DEPARTM_MANAGER Manager of Loans Department

SAP_TR_LO_LOANS_OFFICER Loans Officer

SAP_TR_LO_ROLLOVER_OFFICER Rollover Officer

SAP_TR_LO_STAFF_ACCOUNTANT Staff Accountant for Loans

SAP_TR_TM_BACKOFFICE_PROCES Settler

SAP_TR_TM_CASH_MANAGER Cash Manager

SAP_TR_TM_FUND_MANAGER Fund Manager

SAP_TR_TM_RISK_CONTROLLER Risk Controller

SAP_TR_TM_STAFF_ACCOUNTANT Accountant

SAP_TR_TM_TRADER Dealer

SAP_TR_TM_TRADE_CONTROLLER Trade Controller

SAP_TR_TREASURY_MANAGER Treasury Manager


Transaction Roles

Role: SAP_AUDITOR_BA_CFM (AIS - Audit Information System)

Function: Makes possible a structured, preconfigured collection of evaluations in Treasury. The menu required for this is an integral part of this role. The appropriate authorization role is SAP_AUDITOR_BA_CFM_A (AIS authorizations for SAP applications except HR).

Role: SAP_AUDITOR_TAX_TR (AIS - Audit Information System transaction role)

Function: Offers a structured, preconfigured collection of evaluations for the tax audit in Treasury. The menu required for this is an integral part of this role. The appropriate authorization roles are SAP_AUDITOR_TAX_TR_A (AIS tax auditor, authorizations) and SAP_AUDITOR_TAX_A (AIS tax auditor central functions, authorizations). For more information, see SAP Note 503678.

Authorization Roles

Role: SAP_AUDITOR_BA_CFM_A (AIS - Audit Information System)

Function: Enables read access for the business audit in Treasury. The appropriate transaction role is SAP_AUDITOR_BA_CFM (AIS transactions for SAP applications except HR).

Role: SAP_AUDITOR_TAX_TR_A (AIS - Audit Information System)

Function: Enables read access for the tax auditor. The appropriate transaction role is SAP_AUDITOR_TAX_TR (AIS - tax audit, Treasury). For more information, see SAP Note 503678.

There is an enhanced authorization check for the roles SAP_AUDITOR_TAX_TR and SAP_AUDITOR_TAX_TR_A. For information, see SAP Notes 445148 and 683810.


Accounting Engine

Introduction

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

Target Group

● Technology consultants

● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

The Need for Security

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to the Accounting Engine. To assist you in securing the Accounting Engine, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to the Accounting Engine.

Overview of the Main Sections

The Security Guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the Accounting Engine.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ User types that are required by the Accounting Engine

○ Standard users that are delivered with the Accounting Engine


○ Overview of the user synchronization strategy, if several components or products are integrated

○ Overview of integration options in Single Sign-On environments

● Authorizations

This section provides an overview of the authorization concept that applies to the Accounting Engine.

● Network and Communication Security

This section provides an overview of the communication paths used by the Accounting Engine and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

● Data Storage Security

This section provides an overview of any critical data that is used by the Accounting Engine and the security mechanisms that apply.

Before You Start

Security Guides Referenced

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the sources in the table below.

Content / SAP Service Marketplace address

Security: service.sap.com/security

Security Guides: service.sap.com/securityguide

Related SAP Notes: service.sap.com/notes

Platforms permitted: service.sap.com/platforms

Network security: service.sap.com/network and service.sap.com/securityguide

Technical infrastructure: service.sap.com/ti

SAP Solution Manager: service.sap.com/solutionmanager


Technical System Landscape

Use

The figure below shows an overview of the technical system landscape for the Accounting Engine.

(Figure not reproduced. It shows the Accounting Engine with its Accounting Views (Contribution Margin, Balance, Overhead Costs, Journal), Document Creation, Services (AP/AR Protocol, C&R Protocol, GJ Protocol, Document, View Knowledge), and the Business Transactions that feed it (Security Transaction, Production Order, Confirmation, Incoming Payment, Outgoing Invoice).)

For more information about the technical system landscape, see the sources listed in the table below.

More Information About the Technical System Landscape

Topic: Technical description for Accounting Engine and the underlying technical components, such as SAP NetWeaver
Guide/Tool: Master Guide
SAP Service Marketplace: service.sap.com/instguides

Topic: Technical configuration; high availability
Guide/Tool: Technical Infrastructure Guide
SAP Service Marketplace: service.sap.com/ti

Topic: Security
SAP Service Marketplace: service.sap.com/security


User Administration and Authentication The Accounting Engine uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in SAP Web AS Security Guide for ABAP Technology also apply to the Accounting Engine.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the Accounting Engine in the following topics:

● User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the Accounting Engine.

● Integration into Single Sign-On Environments

This topic describes how the Accounting Engine supports Single Sign-On mechanisms.

User Management

Use

User management for the Accounting Engine uses the mechanisms provided by SAP Web Application Server ABAP, for example, tools, user types, and password policies.

Integration into Single Sign-On Environments

Use

The Accounting Engine supports the Single Sign-On (SSO) mechanisms provided by SAP Web Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the Security Guide for SAP Web Application Server also apply to the Accounting Engine.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) in the SAP Web Application Server Security Guide.

SAP Logon Tickets

The Accounting Engine supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP Web Application Server Security Guide.


Client Certificates

As an alternative to user authentication using a user ID and password, users working with a Web browser as the front-end client can also present X.509 client certificates for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer (SSL) protocol, and no passwords are transferred. User authorizations apply in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP Web Application Server Security Guide.

Authorizations

Use

The Accounting Engine uses the authorization concept provided by SAP Web Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP Web AS ABAP also apply to the Accounting Engine.

Authorization Objects

The Business Accounting of the Bank Analyzer [external] uses the following authorization groups for IMG activities and adjustment programs:

● A1* = authorization for technical issues (configuration)

● A2* = authorizations for business issues

● *EN = authorization for the accounting entities

● *G1 = authorization for General Ledger Accounting (GL)

● *PM = authorization for Profitability Management

Other individual authorization objects are documented in the system.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot use those layers to compromise the machines and gain access to the backend system's database or files. Additionally, if users cannot connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Accounting Engine is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Accounting Engine. Details that specifically apply to the Accounting Engine are described in the following topics:

● Communication Channel Security

This topic describes the communication paths and protocols used by the Accounting Engine.

● Communication Destinations


This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability

Communication Channel Security

Communication Paths

Communication Path: ERP to BW; Protocol Used: RFC

Communication Path: ERP to Bank Analyzer; Protocol Used: RFC

DIAG and RFC connections can be protected using Secure Network Communications (SNC).

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Communication Destinations

Use

The Accounting Engine communicates with its destinations using RFC.

RFC destinations are configured in transaction SM59.

If no technical user is defined in the destination, the RFC connection is established without stored logon data for a technical user.

Data Storage Security

Use

The Accounting Engine accesses sensitive data within the Bank Analyzer [external]. The Bank Analyzer checks the authorizations for this sensitive data using user exits.

For more information, see the Bank Analyzer Security Guide.


Financial Supply Chain Management

Management of Internal Controls: Security Guide

Use

This Security Guide describes the aspects of the Management of Internal Controls (MIC) component that relate to security. MIC forms part of the software component FINBASIS and uses the application server (AS), Process Integration (XI), and Business Intelligence (BI) from SAP NetWeaver.

Consequently, the following security guides also apply to MIC:

● SAP NetWeaver Security Guide

● SAP Web AS Security Guide ABAP

● SAP Exchange Infrastructure Security Guide

● SAP Business Information Warehouse Security Guide

You find these guides on SAP Service Marketplace at service.sap.com/securityguide.

For more information relevant to security, see SAP Service Marketplace at service.sap.com/security.

Target Audience of the Guide

● Technical consultants

● System administrators

The security guides provide information on all phases of the software life cycle.

Features

The security guide provides information on the following topics:

● Technical System Landscape

This section lists the other systems with which MIC can communicate.

● User Management and Authorizations

This section provides an overview of the following aspects:

○ User Management

○ Roles and Authorizations Concept Specific to MIC

○ Integration into Single Sign-On Environments

● Communication Channel Security

This section provides an overview of the communication paths used by MIC and the security mechanisms that apply.

● Data Storage Security

This section provides an overview of the various data storage options for MIC data.


Technical System Landscape

The following figure provides an overview of the technical system landscape of the component Management of Internal Controls (MIC):

(Figure not reproduced. It shows MIC connected to XI, BI, the Audit Information System (AIS), and third-party systems.)

MIC can exchange data with the following systems:

● MIC users can display reports from the Audit Information System (AIS), which can be run on the same system as MIC or on a different system.

● MIC data can be extracted into an SAP NetWeaver Business Intelligence system (BI system).

● Via the SAP NetWeaver Process Integration (XI), data can be exchanged with third-party systems. You can transfer test logs from (semi-)automated tests and structure data (from the central process catalog, for example) into the MIC system.

For information about the communication paths, see Communication Channel Security [page 72].

User Management and Authorizations

MIC uses the user management and the authorization concept delivered with the SAP NetWeaver platform, in particular SAP Web Application Server ABAP. For this reason, the security recommendations and guidelines described in the SAP Web AS Security Guide for ABAP Technology also apply for MIC.

In addition to these guidelines, the following sections include information about user management and the authorizations applying specifically to MIC:

● User Management [page 52]

This section lists the user management tools and the necessary user types.

● Roles and Authorizations Concept [page 53]

This section describes the MIC-specific roles and authorizations concept that is based in part on the functions of the SAP Web Application Server ABAP (see Standard Roles and Authorization Objects [page 54]) and in part on the functions unique to MIC (see Editing MIC-Specific Roles [page 55]).

● Integration with Single Sign-On Environment [page 72]

This topic describes how MIC supports Single Sign-On mechanisms.

This topic describes how MIC supports Single Sign-On mechanisms.

User Management

Use

MIC user management uses the mechanisms provided by SAP NetWeaver, such as tools, user types, and the password concept. For an overview of how these mechanisms affect MIC, see the sections below, which also list the users required for operation.

User Management Tool

MIC uses user and role maintenance from SAP Web AS ABAP (transactions SU01, PFCG). For more information, see Users and Roles (BC-SEC-USR) [external]. To find out which roles are delivered for MIC, see Standard Roles and Authorization Objects [page 54].

User Types

It is often necessary to create different security policies for different types of users. For example, your policy may specify that users who perform their tasks interactively have to change their passwords on a regular basis, but not those users who perform their tasks using background processing.

Examples of user types required for MIC:

● Individual users (dialog users)

○ Required for logging on to the SAP GUI for Windows for configuring MIC and for MIC administration

○ Required for logging on to the People-Centric User Interface for the operational use of MIC

○ Required for the RFC connection to the BI system

● Technical users

○ A system user is required, for example, for the workflow within MIC (user WF-BATCH must be assigned authorization profile SAP_ALL)

○ A communications user can be required in order to set up the integration with the Audit Information System (AIS) for the RFC connection to the AIS system. Alternatively, you can define the RFC connection as a trusted system connection.

○ A service user is required for the connection of external applications using the Exchange Infrastructure (XI). The user must have the corresponding XI authorization as well as the authorization for the standard role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER). For more information, see the SAP Exchange Infrastructure Security Guide under Service Users for Message Exchange.

Roles and Authorizations Concept

Use

For Management of Internal Controls (MIC), a large number of frequently changing people need to perform tasks in a variety of functions. Consequently, a special roles and authorizations concept has been created for this purpose. Besides the general SAP standard roles that are edited by the system administrator in transaction PFCG, there are also MIC-specific roles comprising a variety of delivered tasks. These MIC-specific roles and their respective tasks allow you to manage the detailed authorizations and the workflow between those involved.

Features

For information about the general standard roles delivered with MIC, see Standard Roles and Authorization Objects [page 54].

The MIC-specific roles refine the authorizations delivered in the standard role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER). An MIC-specific role consists of different tasks with authorizations attached. You can specify which tasks belong to which role. For more information, see Editing MIC-Specific Roles [page 55].

The assignment of an MIC-specific role to one or more persons depends on an object (for example, an organizational unit). The assignment is performed in a Web application by different persons throughout the organization hierarchy. The power user triggers this process for the highest level of the organization hierarchy. For more information, see Assigning Roles to Persons [page 71].

To ensure the segregation of duties, so that, for example, the same person is not authorized to perform an assessment as well as the validation of that assessment, you can define conflict groups. You include in a conflict group any tasks that must not be performed by the same person. You can use these conflict groups to run a check to establish whether the defined segregation of duties is actually reflected in the system. For more information, see Segregation of Duties [external].

Activities

1. The system administrator copies the delivered standard role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL), makes any necessary adjustments, and assigns the adjusted copy of the standard role to the MIC power user.

2. The power user edits the MIC-specific roles.

3. The power user defines conflict groups.

4. The power user starts the role assignment procedure in the navigational area on the start page.

5. The power user checks whether the segregation of duties defined in the conflict groups is enforced by the system.


Standard Roles and Authorization Objects

Use

The authorization concept of the SAP NetWeaver Application Server uses the assignment of authorizations to users on the basis of roles. Some general SAP standard roles are delivered with MIC. You can copy and adjust them in Customizing under SAP NetWeaver → Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Maintain Roles (transaction PFCG).

Integration

The standard roles are refined using the MIC-specific Roles and Authorizations Concept [page 53].

Features

Standard Roles

MIC uses the following standard roles:

● Management of Internal Controls - Customizing (SAP_CGV_MIC_CUSTOMIZING)

This role contains all necessary authorizations to make the Customizing settings for MIC. This role does not contain any authorizations for the Web applications.

● Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER)

A user with this role is only authorized to perform those specific tasks prescribed by the detailed role concept for MIC. All users that have this role assigned to them must also have at least one MIC-specific role assigned to them. A user may use the Web applications that are specified by the tasks in the MIC-specific role.

● Management of Internal Controls - Power User (SAP_CGV_MIC_ALL)

When this role is assigned to a user, that user is made a power user. In addition to the authorizations that the business user has, a power user also has authorization for administration functions in the MIC Implementation Guide, such as the expert mode for structure setup [external]. Moreover, the user has special authorizations in the People-Centric UI, such as those for editing roles and for starting role assignment to persons (see Assigning Roles to Persons [page 71]).

● Management of Internal Controls - Display (SAP_CGV_MIC_DISPLAY)

A user with this role can display Customizing for MIC in the SAP GUI. This role is useful for external auditors, for example. We recommend using this role in addition to the business user role.

For more information, see the documentation on the individual roles in transaction PFCG.

Standard Authorization Objects Relevant to Security

Authorizations for objects of applications belonging to the Application Server and used in MIC are relevant to security in MIC. If you run MIC in a system in which the applications used by MIC are also used productively in other projects, then you need to ensure that you manage the authorizations for the MIC-specific objects separately from the other objects.

● Authorization object Personnel Planning (PLOG) from Organizational Management

The general object types Organizational Unit and Person are used in MIC together with other MIC-specific object types.

Note, therefore, that the organizational units and persons created in other projects are also available in MIC (and vice versa).


● Various authorization objects in Case Management and Records Management

Assessments, tests, issues, and remediation plans are stored in Case or Records Management. The RMS ID FOPC_SOA is relevant for MIC.

Activities

1. Copy the general SAP roles delivered with MIC, and adjust the authorizations in these roles to suit the circumstances in your system.

2. Assign the roles you have adjusted to the appropriate users. While doing so, ensure that no user has been assigned role Management of Internal Controls – All Authorizations (SAP_CGV_MIC_ALL) as well as role Management of Internal Controls - Business User (SAP_CGV_MIC_BUSINESS_USER).

Editing MIC-Specific Roles

Use

An MIC power user can adjust the MIC-specific roles that are delivered in BC Sets and in this way specify the authorizations of a role by assigning the individual tasks.

Features

The power user has the following options for editing MIC-specific roles:

● In Customizing for MIC under Edit Roles

● Using a Web application that can be called up from the MIC start page

SAP delivers sample roles in a BC Set. To be able to use these sample roles, you need to activate the BC Set in Customizing. All other activities for editing roles are possible both in Customizing and in the Web application, although the user interface in the Web application is easier to use.

When editing a role, you assign all the tasks to it that anybody assigned to that role should be allowed to perform. You also specify the role level.

The role level defines whether the tasks can be performed for the entire corporate group, for a single organizational unit, for a process group, for a process, or for a process step.

The tasks are delivered by SAP and cannot be changed. Each task has the following attributes:

● Minimum Role Level: The only tasks you can assign to a role are those with a minimum role level corresponding to the level entered for the role. For example, you can only assign the task Perform Sign-Off at Corporate Level (for which the minimum role level = group) to a role with Corporate level.

● Restricted to One Role: Tasks for which this indicator is selected can only be assigned to one role. Furthermore, the following restriction applies to role assignment: When a role contains a task flagged with this indicator, that role may only be assigned to just one person for an object.

● Processing by One Work Item Recipient Suffices: Tasks flagged with this indicator can be performed by more than one user. However, it is sufficient if only one user performs the task. As soon as one user has completed the task, it is then completed for all other users to whom the task is assigned.

● Web application that the task calls up: Different tasks can call up the same Web application. For example, the task Assign Process to Organizational Unit and the task Edit Attributes of Process Groups Specific to Org Units both call up the Web application Process Assignment for Org Unit. If a person only has authorization for one of the tasks, then that person may only perform that task in the corresponding Web application. If, however, a person has authorization for both tasks, then he/she may perform both, regardless of the task from which the Web application was called up. In this latter case, it is sufficient for just one of the tasks to be scheduled. In this way, you can restrict the number of tasks that need to be sent.
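The task attribute rules above (Minimum Role Level, Restricted to One Role, Processing by One Work Item Recipient Suffices), together with the rule from the Activities that no user holds both SAP_CGV_MIC_ALL and SAP_CGV_MIC_BUSINESS_USER, written out as checks in Python. This is an added example, not SAP code: the task codes and role levels come from the task tables in this guide, while the role names, persons, objects and indicator flags are constructed, and reading "minimum role level" as "the role sits at or above the task's level" is an assumption.

```python
"""Rule checks for the MIC role/task attributes (added example, not SAP code).

Task codes and role levels are taken from the guide's task tables; indicator
flags, role names, persons, users and objects below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Role levels in the order the guide lists them: whole corporate group first,
# single process step last.
ROLE_LEVELS = ("Corporate", "Org Unit", "Process Group", "Process", "Process Step")
RANK = {level: i for i, level in enumerate(ROLE_LEVELS)}
# Roles that must not be combined on one user (Activities, step 2).
MUTUALLY_EXCLUSIVE = frozenset({"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"})


@dataclass(frozen=True)
class Task:
    code: str
    min_role_level: str
    restricted_to_one_role: bool = False
    one_recipient_suffices: bool = False


@dataclass(frozen=True)
class Role:
    name: str
    level: str
    tasks: tuple


def task_assignable(task: Task, role: Role) -> bool:
    """Assumption: a task may go into a role at or above its minimum level."""
    return RANK[role.level] <= RANK[task.min_role_level]


def check_role_definitions(roles):
    """Minimum Role Level and Restricted to One Role, checked per role."""
    problems, holders = [], defaultdict(list)
    for role in roles:
        for task in role.tasks:
            if not task_assignable(task, role):
                problems.append(f"{role.name} ({role.level}) may not contain "
                                f"{task.code} (minimum level {task.min_role_level})")
            if task.restricted_to_one_role:
                holders[task.code].append(role.name)
    for code, names in holders.items():
        if len(names) > 1:
            problems.append(f"{code} is restricted to one role but appears in {names}")
    return problems


def check_person_assignments(roles, assignments):
    """A role holding a Restricted-to-One-Role task: one person per object."""
    restricted = {r.name for r in roles if any(t.restricted_to_one_role for t in r.tasks)}
    persons = defaultdict(set)
    for person, role_name, obj in assignments:
        if role_name in restricted:
            persons[(role_name, obj)].add(person)
    return [f"{role} on {obj} is assigned to {sorted(p)}; only one person allowed"
            for (role, obj), p in sorted(persons.items()) if len(p) > 1]


def check_user_roles(user_roles):
    """Users holding both SAP_CGV_MIC_ALL and SAP_CGV_MIC_BUSINESS_USER."""
    return sorted(u for u, roles in user_roles.items() if MUTUALLY_EXCLUSIVE <= set(roles))


class WorkItem:
    """A task sent to several recipients; models the 'one recipient suffices' flag."""
    def __init__(self, task: Task, recipients):
        self.task = task
        self.pending = set(recipients)

    def complete(self, user: str) -> bool:
        """Record completion by `user`; True once no recipient is still pending."""
        if user not in self.pending:
            raise ValueError(f"{user} is not a pending recipient of {self.task.code}")
        if self.task.one_recipient_suffices:
            self.pending.clear()        # completed for every recipient at once
        else:
            self.pending.discard(user)  # each recipient must act individually
        return not self.pending


# Constructed sample data (indicator flags are illustrative, not from the tables).
DISP_ROLE = Task("DISP-ROLE", "Process Step")
EDIT_HIER = Task("EDIT-HIER", "Corporate", restricted_to_one_role=True)
PERF_SOFOU = Task("PERF-SOFOU", "Org Unit", one_recipient_suffices=True)
ROLES = (
    Role("Corporate Admin", "Corporate", (EDIT_HIER, DISP_ROLE)),
    Role("Unit Lead", "Org Unit", (PERF_SOFOU, DISP_ROLE)),
    Role("Misconfigured", "Process", (EDIT_HIER,)),  # Corporate task in a Process-level role
)
ASSIGNMENTS = (  # (person, role, object)
    ("alice", "Corporate Admin", "GROUP"),
    ("bob", "Corporate Admin", "GROUP"),    # second holder on the same object
    ("carol", "Unit Lead", "OU-1000"),
    ("dave", "Unit Lead", "OU-1000"),       # allowed: Unit Lead has no restricted task
)
USER_ROLES = {"u_power": {"SAP_CGV_MIC_ALL"},
              "u_biz": {"SAP_CGV_MIC_BUSINESS_USER", "SAP_CGV_MIC_DISPLAY"},
              "u_both": {"SAP_CGV_MIC_ALL", "SAP_CGV_MIC_BUSINESS_USER"}}

if __name__ == "__main__":
    for line in check_role_definitions(ROLES) + check_person_assignments(ROLES, ASSIGNMENTS):
        print(line)
    print("users with both exclusive roles:", check_user_roles(USER_ROLES))
```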

For an overview of the delivered tasks and their attributes, see the following sections:

● Tasks: Central Structure Setup [Seite 56]

● Tasks: Structure Setup Specific to Organizational Units [Seite 59]

● Tasks: Control Assessments and Tests [Seite 64]

● Tasks: Management Control Assessment and Test [Seite 67]

● Tasks: Reporting and Sign-Off [Seite 69]

The task Create User is handled differently because a special authorization is required for this task. For more information, see Creating Users and Connecting Users to Persons [Extern].

Analyses

To find out which roles contain a task, you can search for a task in the Web application for processing roles. In this way, you can display all roles that the task is assigned to. Moreover, you can use Authorization Analysis [Extern].

Activities

1. If you want to use the delivered sample roles, activate the relevant BC Set in Customizing. For information about the procedure for this, see the documentation on the IMG activity Edit Roles.

2. Change the delivered sample roles or create your own roles.

3. Activate the roles that you would like to use and then save your entries.


Tasks: Central Structure Setup

Task Group: Central Structure Setup

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Display Role (DISP-ROLE) | Display all roles created and all tasks assigned by power user (see Roles and Authorizations Concept [Seite 53]) | Process Step | | Edit Roles |
| Edit Organizational Hierarchy (EDIT-HIER) | Create/change organizational hierarchy [Extern], insert new nodes, and so forth | Corporate | X | Organizational Hierarchy |
| Display Organizational Hierarchy (DISP-HIER) | Display entire organizational hierarchy and detailed information on organizational units | Process Step | | Organizational Hierarchy |
| Document Organizational Units in Scope (PERF-SCOPO) | Define reasoning for decision to include organizational units in project scope [Extern] (or to exclude them from project scope) | Corporate | X | Organizational Units in Scope |
| Display Organizational Units in Scope (DISP-SCOPO) | Display reasoning behind decisions relating to the project scope | Process Step | | Organizational Units in Scope |
| Edit Central Process Catalog (EDIT-CPCAT) | Create/change hierarchy and attributes for process groups and processes, create/change central process steps, define P-CO-R assignment, assign account groups (see Central Process Catalog [Extern]) | Corporate | X | Central Process Catalog |
| Display Central Process Catalog (DISP-CPCAT) | Display entire central process catalog | Process Step | | Central Process Catalog |
| Edit General Control Attributes in Central Process Catalog (EDIT-CCATR) | When central process step has been defined as a control, define all attributes and assignments for the control centrally (see Documenting Controls Centrally [Extern]) | Corporate | | Documentation of Controls |
| Edit Account Group Hierarchy (EDIT-ACCH) | Create/change hierarchy and attributes of account groups (see Account Group Hierarchy [Extern]) | Corporate | X | Account Group Hierarchy |
| Display Account Group Hierarchy (DISP-ACCH) | Display entire account group hierarchy | Process Step | | Account Group Hierarchy |
| Edit Management Control Catalog (EDIT-MCCAT) | Create/change hierarchy of management control groups and management controls, define central descriptions (see Management Control Catalog [Extern]) | Corporate | X | Management Control Catalog |
| Edit Description of Assessment of a Management Control (EDIT-MCASD) | Create central description in catalog of how a management control should be assessed | Corporate | X | Management Control Catalog |
| Edit Description of a Test of a Management Control (EDIT-MCTED) | Create central description in catalog of how a management control should be tested | Corporate | X | Management Control Catalog |
| Display Management Control Catalog (DISP-MCCAT) | Display entire management control catalog | Process Step | | Management Control Catalog |
| Edit Central Settings for Scheduling (EDIT-CSCH) | Specify centrally how often and when specific tasks are to be performed (see Task Scheduling [Extern]) | Corporate | | Central Scheduling of Tasks |
| Display Central Settings for Scheduling (DISP-CSCH) | Display central settings for task scheduling | Process Step | | Central Scheduling of Tasks |
| Assign Delegates Centrally (ASGN-DELC) | Enter delegates [Extern] for oneself and other persons | Corporate | X | Central Assignment of Delegates |
| Assign Own Delegates (ASGN-DELO) | Only enter delegates for oneself | Process Step | | Assignment of Own Delegates |

Tasks: Structure Setup Specific to Organizational Units

Task Group: Structure Setup Dependent on Org Unit

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Assign Roles for Corporate and Next Level Down (ASGN-RLCOR) | Assign roles to persons at the corporate level and for the subordinate organizational units directly beneath it (see Assigning Roles to Persons [Seite 71]) | Corporate | X | Role Assignment |
| Assign Replacement at Corporate Level (ASGN-REPLC) | Assign replacements at corporate level (see Replacement [Extern]) | Corporate | | Assignment of Replacements |
| Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG) | Assign roles to persons for an organizational unit and for the subordinate organizational units directly beneath it | Org Unit | X | Role Assignment |
| Assign Replacement at Org Unit Level (ASGN-REPLO) | Assign replacements for the organizational unit and subordinate objects | Org Unit | | Assignment of Replacements |
| Assign Roles for Top Process Group in Given Organizational Unit (ASGN-RLOPG) | Assign roles to persons for the top process groups of an organizational unit | Org Unit | X | Role Assignment |
| Assign Roles for Given Process Group and Next Level Down (ASGN-RLPGR) | Assign roles to persons for a process group and for the subordinate process groups and processes directly beneath it | Process Group | X | Role Assignment |
| Assign Roles for Process and Subordinate Controls (ASGN-RLPRC) | Assign roles to persons for a process and for the process steps defined as a control in the process | Process | X | Role Assignment |
| Assign Roles for Control (ASGN-RLCNT) | Assign roles to persons for a process step defined as a control | Process Step | | Documentation of Controls |
| Create User (CREA-USRID) | Have a user ID created by the system administrator and connect this user ID to the person (see Creating Users and Connecting Users to Persons [Extern]) | Org Unit | X | Only possible in SAP GUI |
| Specify Significance of Accounts for Organizational Unit (EDIT-ACCSO) | Specify for an organizational unit which account groups are significant (see Significance of Account Groups for Organizational Unit [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit |
| Display Significance of Accounts for Organizational Unit (DISP-ACCSO) | Display significance of account groups for an organizational unit | Process Step | | Processes and Account Groups for the Organizational Unit |
| Perform Scoping of Processes (PERF-SCOPP) | Specify for an organizational unit which processes fall within the project scope and document why (see Processes in Scope [Extern]) | Org Unit | X | Processes in Scope |
| Display Processes in Scope (DISP-SCOPP) | Display processes that fall within the project scope for an organizational unit | Process Step | | Processes in Scope |
| Assign Process to Organizational Unit (ASGN-PRORG) | Accept for organizational unit processes falling in project scope; edit process attributes specific to organizational unit (see Accepting Processes [Extern]) | Org Unit | X | Processes and Account Groups for the Organizational Unit |
| Display Process Group Attributes Specific to Org Units (DISP-OUPGA) | Display process group attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit |
| Edit Process Group Attributes Specific to Org Units (EDIT-OUPGA) | Edit process group attributes specific to org units | Process Group | | Processes and Account Groups for the Organizational Unit |
| Display Process Attributes Specific to Org Units (DISP-OUPRA) | Display process attributes specific to organizational units (such as necessity of validation) | Process Step | | Processes and Account Groups for the Organizational Unit |
| Edit Process Attributes Specific to Org Units (EDIT-OUPRA) | Edit process attributes specific to org units | Process | | Processes and Account Groups for the Organizational Unit |
| Edit Documentation on Process Change (EDIT-OUPRC) | Documenting Process Changes [Extern] | Process | | Processes and Account Groups for the Organizational Unit |
| Edit Process Steps Specific to Org Units (EDIT-OUPRS) | Edit copied process steps, create/change local process steps, edit process step attributes | Process | | Processes and Account Groups for the Organizational Unit |
| Edit General Control Attributes (EDIT-GENCA) | Edit the general control attributes for local or copied process steps defined as controls (excluding assessment and test attributes) (see Documenting Controls [Extern]) | Process Step | X | Documentation of Controls |
| Assign Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CPCOR) | Assign control to the P-CO-R structure defined in the process catalog and select control type | Process Step | | Documentation of Controls |
| Assign Referenced Control to Process - Control Objective - Risk (P-CO-R) (ASGN-CRCOR) | Assign control of a different process to the P-CO-R structure defined in the process catalog and select control type | Process | X | Processes and Account Groups for the Organizational Unit |
| Assign Controls to Financial Statement Assertions (ASGN-ASS2C) | Assign control to control groups and their FS assertions | Process Step | X | Documentation of Controls |
| General Control Attributes: Edit Assessment Attributes (EDIT-GCAMT) | Of the general control attributes, only edit the control assessment attributes (such as control maturity target) | Process Step | X | Documentation of Controls |
| General Control Attributes: Edit Test Attributes (EDIT-GCATA) | Of the general control attributes, only edit the control test attributes (such as testing technique) | Process Step | X | Documentation of Controls |
| General Control Attributes: Edit AIS Reports (EDIT-COAIS) | Assign reports of the Audit Information System to a control (see Assignment of AIS Reports [Extern]) | Process Step | | Documentation of Controls |
| Display Process Hierarchies of all Organizational Units (DISP-PRHIE) | Display process groups, processes, and process steps for all organizational units | Process Step | | Central Process Catalog |
| Display General Control Attributes (DISP-GENCA) | Display all general attributes and assignments for the control | Process Step | | Documentation of Controls |
| Assign Management Controls to Organizational Units (ASGN-MC2OU) | Accept centrally-defined management controls for organizational unit, create local description (see Accepting Management Controls [Extern]) | Org Unit | X | Assignment of Management Controls |
| Assign Management Controls to Process Group (ASGN-MC2PG) | Accept centrally-defined management controls for process group, create local description of the control | Process Group | X | Assignment of Management Controls |
| Edit Local Description of Assessment of a Mgmt Control for Organizational Unit (EDIT-MADOU) | Create description of how the management control should be assessed specific to organizational unit | Org Unit | X | Assignment of Management Controls |
| Edit Local Description of Test of a Mgmt Control for Organizational Unit (EDIT-MTDOU) | Create description of how the management control should be tested specific to organizational unit | Org Unit | X | Assignment of Management Controls |
| Edit Local Description of Assessment of a Mgmt Control for Process Group (EDIT-MADPG) | Create description of how the management control should be assessed specific to process group | Process Group | X | Assignment of Management Controls |
| Edit Local Description of Test of a Mgmt Control for Process Group (EDIT-MTDPG) | Create description of how the management control should be tested specific to process group | Process Group | X | Assignment of Management Controls |
| Edit "To Be Tested" Attribute of a Management Control for Organizational Unit (EDIT-MTAOU) | Specify for organizational unit whether a management control should be tested | Org Unit | X | Assignment of Management Controls |
| Edit "To Be Tested" Attribute of a Management Control for Process Group (EDIT-MTAPG) | Specify for process group whether a management control should be tested | Process Group | X | Assignment of Management Controls |
| Edit Scheduling Settings for Organizational Unit (EDIT-OUSCH) | Change central settings governing Task Scheduling [Extern] for organizational unit | Org Unit | X | Scheduling Task for Organizational Unit |
| Display Scheduling Settings for Organizational Unit (DISP-OUSCH) | Display task scheduling settings changed for an organizational unit | Process Step | | Scheduling Task for Organizational Unit |

Page 65: SAP ERP Central Component Security Guide · PDF fileSAP ERP Central Component Security Guide January 2006 SAP ERP Central Component Security Guide 3 Icons in Body Text Icon Meaning

SAP ERP Central Component Security Guide January 2006

SAP ERP Central Component Security Guide 65

Tasks: Control Assessments and Tests

Task Group: Assessment of Control Design and Efficiency

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Perform Control Design Assessment (PERF-CDASS) | Enter result of control design assessment in system, reporting issues where necessary (see Assessment of Control Design and Efficiency [Extern]) | Process Step | X | Control Design Assessment |
| Display Control Design Assessment (DISP-CDASS) | Display result of control design assessment | Process Step | | Control Design Assessment |
| Validate Control Design Assessment (VALI-CDASS) | When validation activated, check result of control design assessment and confirm or send back | Process | X | Control Design Assessment |
| Perform Control Efficiency Assessment (PERF-CEASS) | Enter result of control efficiency assessment, reporting issues where necessary | Process Step | X | Control Efficiency Assessment |
| Display Control Efficiency Assessment (DISP-CEASS) | Display result of control efficiency assessment | Process Step | | Control Efficiency Assessment |
| Validate Control Efficiency Assessment (VALI-CEASS) | When validation activated, check result of control efficiency assessment and confirm or send back | Process | X | Control Efficiency Assessment |

Task Group: Process Design Assessment

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Perform Process Design Assessment (PERF-PDASS) | Enter result of process design assessment in system, reporting issues where necessary (see Process Design Assessment [Extern]) | Process | X | Process Design Assessment |
| Display Process Design Assessment (DISP-PDASS) | Display result of process design assessment | Process | | Process Design Assessment |
| Validate Process Design Assessment (VALI-PDASS) | When validation activated, check result of process design assessment and confirm or send back | Process Group | X | Process Design Assessment |

Task Group: Test Effectiveness of a Control

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Mass Assignment of Testers to Controls (ASGN-MT2CN) | Assign testers centrally for all controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/Management Controls |
| Assign Tester (ASGN-TSTER) | Assign persons for testing control effectiveness (see Test of Control Effectiveness [Extern]) | Process | X | Tester Assignment |
| Display Notification (DISP-NOTE) | Notifications from an external system (using XI interface) in which (semi-)automated tests are performed | No role level because task cannot be assigned to any role | | Notifications |
| Test Control Effectiveness (PERF-TEST) | Test control effectiveness; may be performed by all persons who were assigned as testers | No role level because task cannot be assigned to any role | | Testing Control Effectiveness |
| Display Test Results (DISP-TSTRE) | Display test logs for effectiveness test of a control | Process Step | | Testing Control Effectiveness |
| Receive Issues from Effectiveness Test (RECE-EFISO) | Predefined processor of issues reported during control effectiveness test; can be overwritten by person who reported issue | Process | X | |

Tasks: Management Control Assessment and Test

Task Group: Assessment and Test of Management Controls

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Mass Assignment of Testers to Management Controls (ASGN-MT2MC) | Assign testers centrally for all management controls of an org unit or process group | Process Group | | Mass Tester Assignment Controls/Management Controls |
| Assign Testers for Management Controls (Org Unit) (ASGN-MCTOU) | Assign persons for testing management controls for organizational unit | Org Unit | X | Tester Assignment |
| Assign Testers for Management Controls (Process Group) (ASGN-MCTPG) | Assign persons for testing management controls for process group | Process Group | X | Tester Assignment |
| Perform Management Control Assessment at Org Unit Level (PERF-MCAOU) | Enter result of management control assessment for org unit in system, reporting issues where necessary (see Management Control Assessment and Test [Extern]) | Org Unit | X | Management Control Assessment |
| Display Management Control Assessment at Org Unit Level (DISP-MCAOU) | Display result of management control assessment for organizational unit | Org Unit | | Management Control Assessment |
| Perform Management Control Assessment at Process Group Level (PERF-MCAPG) | Enter result of management control assessment for process group in system, report issues where necessary | Process Group | X | Management Control Assessment |
| Display Management Control Assessment at Process Group Level (DISP-MCAPG) | Display result of management control assessment for process group | Process Group | | Management Control Assessment |
| Validate Management Control Assessment for Top Organizational Unit (VALI-MCACP) | When validation activated, check result of management control assessment for top node of organizational hierarchy and confirm or send back | Corporate | X | Management Control Assessment |
| Validate Management Control Assessment for Subordinate Organizational Unit (VALI-MCAOU) | When validation activated, check result of management control assessment for subordinate organizational units and confirm or send back | Org Unit | X | Management Control Assessment |
| Validate Management Control Assessment for Top Process Group (VALI-MCTPG) | When validation activated, check result of management control assessment for top process group of organizational unit and confirm or send back | Org Unit | X | Management Control Assessment |
| Validate Management Control Assessment for Subordinate Process Group (VALI-MCAPG) | When validation activated, check result of management control assessment for subordinate process groups and confirm or send back | Process Group | X | Management Control Assessment |
| Perform Management Controls Test at Org Unit Level (PERF-MCTOU) | Create test log after management controls test for organizational unit; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management Controls Test |
| Display Management Controls Test at Org Unit Level (DISP-MCTOU) | Display result of management controls test for organizational unit | Org Unit | | Management Controls Test |
| Perform Management Controls Test at Process Group Level (PERF-MCTPG) | Create test log after management controls test for process group; may be performed by persons who were assigned as testers | No role level because task cannot be assigned to any role | | Management Controls Test |
| Display Management Controls Test at Process Group Level (DISP-MCTPG) | Display result of management controls test for process group | Process Group | | Management Controls Test |
| Receive Issues from Management Controls Test at Org Unit Level (RECE-MCISO) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Org Unit | X | |
| Receive Issues from Management Controls Test at Process Group Level (RECE-MCISP) | Predefined processor of issues reported during management controls test; can be overwritten by person who reported issue | Process Group | X | |


Tasks: Reporting and Sign-Off

Task Group: Reporting

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Display Hierarchical Reports (DISP-ANALY) | Display data for the area of responsibility in hierarchical reports in Reporting [Extern] | Process | | Reporting |
| Display Tabular Reports (DISP-FLATR) | Display data for the area of responsibility in tabular reports | Process | | Reporting |
| Display Management Reports (DISP-MNGRE) | Display aggregated data for the area of responsibility in management reports | Process | | Reporting |
| Print Report (PERF-PRINT) | Create and print Print Reports [Extern] | Process Step | | Print Reports |
| Display Change Analysis (DISP-CHGAN) | Display changes to data over different timeframes (see Change Analysis [Extern]) | Org Unit | | Change Analysis |
| Display Authorization Analysis (DISP-SCREP) | Display assignments in the roles and authorizations concept (see Authorization Analysis [Extern]) | Process | | Authorization Analysis |

Task Group: Sign-Off

| Task | Description | Role Level | Restricted to One Role / One Recipient Suffices | Web Application Called |
|---|---|---|---|---|
| Perform Sign-Off (PERF-SOFOU) | Perform sign-off [Extern] for an organizational unit and, once sign-off has been performed for all organizational units, perform corporate sign-off | Org Unit | X | Sign-Off |
| Display Sign-Off (DISP-SIGNO) | Display sign-off for organizational units in area of responsibility | Org Unit | | Sign-Off |


Assigning Roles to Persons

Purpose

When you assign a person to a role in combination with an object (such as an organizational unit), that person receives the authorization to perform the tasks belonging to that role for that object.

You assign roles to persons in one of the Web applications that can be accessed from the start page [Extern]. Role assignment takes place using the domino principle throughout the organizational hierarchy and the assigned processes.

Prerequisites

● The roles have been created and activated (see Roles and Authorizations Concept [Seite 53]).

● The organizational hierarchy [Extern] has been defined.

Process Flow

1. The power user automatically has authorization for the task Start Role Assignment Procedure. He or she starts the assignment procedure by choosing Role Assignment in the navigation area of the start page [Extern]. The power user then assigns a person (or a user, if already available) to the role containing the task Assign Roles for Corporate and Next Level Down (ASGN-RLCOR).

○ If the person entered does not yet exist in the system, the system issues a message, and an additional area appears in the middle of the screen. To create the person, choose Create Person.

You can deactivate the option of creating a person using the IMG activity Restrict Authorization to Create Persons in Customizing for MIC.

○ If a person does not yet exist for the user entered in the system, a person is created automatically.

2. The power user assigns a role with the task Create User (CREA-USRID) to a user that has already been created.

3. If the power user has created a person in the first step as opposed to assigning a user, a user must be created for that person. For more information, see Creating Users and Connecting Users to Persons [Extern].

4. The person who now has authorization for the task Assign Roles for Corporate and Next Level Down receives this task in their task list on the start page.

5. This person assigns persons or users to the role containing the task Assign Roles for Given Organizational Unit and Next Level Down (ASGN-RLORG). This step is performed for all organizational units occurring directly beneath the corporate group level in the organizational hierarchy.

6. If persons instead of users are assigned, users then have to be created for these persons (see step 3).

7. The persons who now have authorization for the task Assign Roles for Given Organizational Unit and Next Level Down receive this task in their task list on the start page. Subordinate organizational units or process groups can be on the next level down. For the process groups to be available, the processes need to have been accepted [Extern] for the organizational unit in the meantime.

8. Subsequent role assignments follow the same principle all the way down the organizational hierarchy and across the assigned process groups, processes, process steps, and controls. However, you do not perform role assignment for a control in the Web application Assignment of Roles to Persons but instead in the Web application Documenting Controls [Extern].
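The delegation rule behind steps 1 to 8 (a task holder may assign roles only for the given unit and the next level down), modelled as an added example that is not SAP's code. The task codes ASGN-RLCOR and ASGN-RLORG are from the guide; the organizational hierarchy, the person names and the check itself are constructed assumptions.

```python
from dataclasses import dataclass, field

# Task codes from the guide; the scoping check below is a model, not SAP's implementation.
ASGN_RLCOR = "ASGN-RLCOR"  # Assign Roles for Corporate and Next Level Down
ASGN_RLORG = "ASGN-RLORG"  # Assign Roles for Given Organizational Unit and Next Level Down
CORPORATE = "CORP"         # constructed name for the corporate group level


class AssignmentError(Exception):
    """Raised when the assigner holds no task that covers the target unit."""


@dataclass
class Person:
    name: str
    is_power_user: bool = False
    # Each entry is (task, organizational unit the task is scoped to).
    tasks: set = field(default_factory=set)


class OrgHierarchy:
    """Constructed hierarchy: maps each unit to its parent (None for the root)."""

    def __init__(self, parent_of: dict):
        self.parent_of = parent_of

    def is_next_level_down(self, unit: str, candidate: str) -> bool:
        return self.parent_of.get(candidate) == unit


def can_assign(h: OrgHierarchy, assigner: Person, target_unit: str) -> bool:
    """True only if the assigner holds an assignment task scoped to the target
    unit itself or to its direct parent ("given unit and next level down")."""
    if assigner.is_power_user:
        return True  # step 1: the power user starts the procedure
    for task, unit in assigner.tasks:
        if task not in (ASGN_RLCOR, ASGN_RLORG):
            continue
        if target_unit == unit or h.is_next_level_down(unit, target_unit):
            return True
    return False


def assign_role(h: OrgHierarchy, assigner: Person, assignee: Person,
                task: str, target_unit: str) -> None:
    """Records the assignment, or raises if the assigner's scope does not reach the unit."""
    if not can_assign(h, assigner, target_unit):
        raise AssignmentError(f"{assigner.name} may not assign roles for {target_unit}")
    assignee.tasks.add((task, target_unit))


def run_delegation_chain() -> dict:
    """Walks the procedure top-down on a constructed hierarchy and records
    which assignments the scoping rule accepts."""
    h = OrgHierarchy({CORPORATE: None, "EU": CORPORATE, "US": CORPORATE,
                      "DE": "EU", "FR": "EU", "DE-SALES": "DE"})
    power = Person("power user", is_power_user=True)
    alice, bob, carol = Person("alice"), Person("bob"), Person("carol")
    outcome = {}

    def attempt(label, assigner, assignee, task, unit):
        try:
            assign_role(h, assigner, assignee, task, unit)
            outcome[label] = "accepted"
        except AssignmentError:
            outcome[label] = "rejected"

    attempt("power->alice@CORP", power, alice, ASGN_RLCOR, CORPORATE)    # step 1
    attempt("alice->bob@EU", alice, bob, ASGN_RLORG, "EU")               # step 5
    attempt("alice->carol@DE", alice, carol, ASGN_RLORG, "DE")           # two levels down
    attempt("bob->carol@DE", bob, carol, ASGN_RLORG, "DE")               # step 7/8
    attempt("bob->carol@DE-SALES", bob, carol, ASGN_RLORG, "DE-SALES")   # two levels down
    attempt("bob->carol@US", bob, carol, ASGN_RLORG, "US")               # other branch
    return outcome


if __name__ == "__main__":
    for label, result in run_delegation_chain().items():
        print(f"{label}: {result}")
```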

Integration with Single Sign-On Environments

Use

MIC supports the Single Sign-On (SSO) mechanisms provided by the SAP Web Application Server ABAP. Consequently, the security recommendations and guidelines for user management and authentication described in the SAP Web Application Server Security Guide also apply to MIC.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides an SSO environment when the SAP GUI for Windows or Remote Function Calls (RFC) are used.

For more information, see Secure Network Communications (SNC) in the security guide of the SAP Web Application Server.

SAP Logon Tickets

MIC supports the use of logon tickets for SSO when the Web browser is used as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves in the original SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly once the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP Web Application Server security guide.

Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer protocol (SSL protocol), and no passwords need to be transferred. User authorizations apply in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the security guide of the SAP Web Application Server.


Communication Channel Security

Use

The following table contains the communication paths used by MIC, the protocol used for the connection, and the type of data transferred.

Communication paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Front end client using SAP GUI for Windows to application server | DIAG | All application data | Passwords
Front end client using a Web browser to application server | HTTP/HTTPS | All application data | Passwords
Audit Information System (AIS) to application server | RFC for setting up AIS integration; HTTP for displaying the AIS reports | AIS reports |
External application via XI interface to application server | External application – XI: various protocols possible (SAP standard); XI – application server: RFC | Structure data (such as central process catalog); test logs |
Application server to BI system | RFC | All application data |

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

For logon to the front end client (Web browser), Single Sign-On (SSO2) must be activated on the server side. For more information, see SAP Note 517860.

Navigation information is communicated between the start page and the Web applications via the URL.

Data Storage Security

Use

Master data and transaction data is stored in the database of the SAP system on which MIC has been installed. Data storage occurs for the most part in Organizational Management, in Case Management, and in separate tables for this purpose. Due to the use of Organizational Management in particular, we recommend running MIC on a separate client.


For more information and recommendations on the use of clients, see the application documentation under Management of Internal Controls (FIN-CGV-MIC) [Extern].

MIC requires a Web browser as the user interface. For data storage in the front end, non-persistent session cookies are used.

In some Web applications, MIC users can upload documents into the system. Knowledge Provider (KPro) is used for storing the data. Once uploaded, the documents can be accessed using a URL. The MIC-specific Roles and Authorizations Concept [Seite 53] governs authorization for accessing the URL directly in the Web application. To prevent unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time (two hours).

Master Data Framework

Introduction

This guide does not replace the administration or operation guides that are available for productive operations.

Target Group

● Technology consultants

● System administrators

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

The Need for Security

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to Master Data Framework. To assist you in securing Master Data Framework, we provide this Security Guide.

About this Document

The Security Guide provides an overview of the security-relevant information that applies to Master Data Framework.

Overview of the Main Sections

The security guide comprises the following main sections:

● Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.


● Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by Master Data Framework.

● User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.

○ User types that are required by Master Data Framework

○ Standard users that are delivered with Master Data Framework

○ Overview of the user synchronization strategy, if several components or products are integrated

○ Overview of integration options in Single Sign-On environments

● Authorizations

This section provides an overview of the authorization concept that applies to the Master Data Framework.

● Network and Communication Security

This section provides an overview of the communication paths used by Master Data Framework and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Before You Start

Security Guides Referenced

Master Data Framework is built on SAP NetWeaver Application Server ABAP. Therefore, the corresponding Security Guides also apply to Master Data Framework.

For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.

Additional Information

For more information about specific topics, see the sources in the table below.

Additional Information

Content | SAP Service Marketplace
Security | service.sap.com/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network and service.sap.com/securityguide
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager


Technical System Landscape

Use

The figure below shows an overview of the technical system landscape for Master Data Framework.

[Figure: technical system landscape for Master Data Framework. Labels recovered from the figure: framework for master data and hierarchies; time-dependent and version-dependent attributes for edges of hierarchies; Generic Services; access to BW; synchronization tools; Change Management; Local Tables ... R/3; User Interface; workbench; master data; hierarchies; combination characteristics (such as company and profit center); extensibility of InfoObjects by local fields (role concept); metadata repository; transport; authority checks; buffering; where-used list; generic checks; read/write access; locking; time dependency; validity (incl. version and time dependency); transaction control (commit, rollback, save); input/output conversion.]

For more information about the technical system landscape, see the sources listed in the table below.

More Information About the Technical System Landscape

Topic | Guide/Tool | SAP Service Marketplace
Technical description for Master Data Framework and underlying technical components such as SAP NetWeaver | Master Guide | service.sap.com/instguides
Technical configuration; high availability | Technical Infrastructure Guide | service.sap.com/ti
Security | | service.sap.com/security


User Administration and Authentication

Master Data Framework uses the user administration and authentication mechanisms provided with the SAP NetWeaver platform, in particular SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Application Server ABAP Security Guide also apply to Master Data Framework.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to Master Data Framework in the following topics:

● User Management

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with Master Data Framework.

● Integration into Single Sign-On Environments

This topic describes how Master Data Framework supports Single Sign-On mechanisms.

User Management

Use

User management for Master Data Framework uses the mechanisms provided by SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies.

Integration into Single Sign-On Environments

Use

Master Data Framework uses the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user management and authentication that are described in the SAP NetWeaver Security Guide also apply to Master Data Framework.

The mechanisms supported are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see Secure Network Communications (SNC) in the SAP NetWeaver AS ABAP Security Guide.

SAP Logon Tickets

Master Data Framework supports the use of logon tickets for SSO when using a Web browser as the front end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see SAP Logon Tickets in the SAP NetWeaver AS ABAP Security Guide.


Client Certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see Client Certificates in the SAP NetWeaver AS ABAP Security Guide.

Authorizations

Use

Master Data Framework uses the authorization concept provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for authorizations that are described in the SAP NetWeaver AS ABAP Security Guide also apply to Master Data Framework.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) when using ABAP technology and the User Management Engine’s user administration console when using Java.

Standard Authorization Objects

The table below shows the security-relevant authorization objects that are used by Master Data Framework.

Standard Authorization Objects

Authorization Object Description

R_UGMD_CHA Master data access for all types of characteristics.

R_UGMD_SNG Master data access on the level of single values of combination characteristics

S_TABU_LIN Master data access on the level of individual characteristics

FB_SRV_DMS Authorization for data model synchronization (change monitor)

FB_SRV_GC Authorization for MDF Garbage Collector

The authorization objects listed above are also described in the system documentation.

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.


The network topology for Master Data Framework is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to Master Data Framework. Details that specifically apply to Master Data Framework are described in the topic Communication Channel Security.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability

Communication Channel Security

Use

ERP and Business Information Warehouse (SAP BW) communicate with each other using RFC within Master Data Framework.

RFC connections can be protected using Secure Network Communications (SNC).

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Controlling

Important SAP Notes

See the following SAP Notes on authorizations in Controlling that do not refer to program corrections:

Number Short Text

15211 CO form reports: authorization concept

16371 Authorization for dist. key and plan. parameter

39140 Message KB015 unjustified

49640 More detailed authorization f. summariz.objects

51731 Missing Authorizations for Internal Orders

60522 Author.check B_USERSTAT during business transaction

74676 CO Reports: Extract Authorizations

75970 Missing Authorizations for Internal Orders: Reports

80065 Drill-down reporting: no line items for report line

93695 Authorization for orders with 'release immediately'

98580 Drill-down reporting: Error message KH702

123022 Adv.corr.:authrztn f.reportng in act.-based costing

136325 Report Writer: Authorizatn group for standard repts

155752 Drill-down report: Authorization check mass print

159408 CJ41/CJ43:author. for detailed planning is missing

164166 CO-PA: Planning:Long runtime dur.authorizatn check


165087 Drilldown report: authorization check for intervals

175063 Msg 5A252 whn displying/changing standard hierarchy

211991 Authorizatn objcts, enterprise organizatn generatn

313077 Incorrect long text for error message KC040

317824 Drilldown report: authorizatn check and hierarchies

319858 Grp maintce: profile generator with S_PROGRAM = '*'

337885 ALLOCATION: cycle maintnce authrztn frm Easy Access

359664 Problems with old personalization profiles (KEPM)

370082 Authorizations: information about responsibility area

378687 Authorizations: CO_ACTION field entry

386065 Report shows different data for each user

390214 KEPM: Splitting of "changing" authorizations

402757 Drilldown reporting: Authorization object K_CKBOB

412570 Line item display despite missing authorization

425703 KP06ff.: Authorization object K_KA09_KVS

435072 Authorizations: Enhancement of responsibility area

438079 K_COSTCTR_BAPI_GETLIST must check authoriztn more precisely

438492 Change characteristics possible even though display only

448765 KPR6 - Dump SAPSQL_INVALID_FIELDNAME

451621 Authorization concept in KEPM

459864 Group maintenance: Authorization G_800S_GSE

487762 KE21N: Authoriztn check for entered characteristic values

500012 New authorization check for tax reduction law in CO

506164 ALLOCATION:Information message GA185 during list output

515483 Group maintenance: Authorizations

520193 Transporting CO-PA reports without authorization object

545223 Retractor: Error message RD403

554340 Report Writer: enhancement GRWTAUTH without example code

556090 Drilldown rprtng: incorrect header (graphical output)

560803 Closing billing elements with warning message

564757 Tax reduction law in CO: goto line item report via RRI

578105 Group maintenance: Authorization G_800S_GSE, part II

594899 Authorization check with internal orders K_ORDER RESPAREA

602445 Group maintenance: Authorization G_800S_GSE for 4.5

604107 MPO_PERS_FILL_CC: Explode cost center hierarchy

611798 ALLOCATION: Information message GA185 with list output

616112 KKA2, KKAJ: Enhancement for authorizations

616338 RESPAREA: Maintain group authorizations as intervals


616580 ALLOCATION: Authorizations for the cancellation of cycles

623650 ISR form terminates: Missing authorizations

625873 KSA3/KSA8: Validation on authorization object K_CCA

638364 KJH3: Display mode and authorizations

667123 ALLOCATIONS: Error message GA 776 incomprehensible

673260 KBxxN: Authorization object K_PVARIANT missing in profile

Authorizations in Controlling

Standard Roles in Controlling

Role Description

SAP_CO_DAILY Cross-Application Day-to-Day Activities

SAP_CO_DAILY_CATS Cross-Application Day-to-Day Activities - CATS

SAP_CO_DOCUMENT_LIST Display Accounting Documents

SAP_CO_EASY_COST_PLANNING Easy Cost Planning and Execution Services

SAP_CO_ENTERPRISE_ORGANISATION Maintain Enterprise Organization

SAP_CO_MODEL Maintain CO Version

SAP_CO_OBJECT_STAT_KEYFIGURE Maintain Statistical Key Figures

SAP_CO_OM_DAILY_ABM Day-to-Day Activities: Activity Allocation

SAP_CO_OM_ISR_PROCESSING Process Internal Service Requests

SAP_CO_OM_JOB_INTORDER_BUDGET Internal Order - Budgeting

SAP_CO_OM_JOB_INTORDER_DISPLAY Display Internal Orders

SAP_CO_OM_JOB_INTORDER_INTERES Internal Order - Planned Interest Calculation

SAP_CO_OM_JOB_INTORDER_MAINT Maintain Internal Orders

SAP_CO_OM_JOB_INTORDER_PLAN Internal Orders - Overall Planning

SAP_CO_OM_JOB_INTORDER_YEAREND Internal Orders - Year-End Closing

SAP_CO_OM_MANAGER_GENERIC Generic Role Manager

SAP_CO_OM_MODEL_ABM Maintain Indirect Activity Allocation Cycles and Templates

SAP_CO_OM_MODEL_OM Maintain Cycles for Assessment, Distribution, and Reposting

SAP_CO_OM_OBJECT_ABM Maintain Business Processes and Activity Types

SAP_CO_OM_OBJECT_DISPLAY Display Overhead Master Data

SAP_CO_OM_OBJECT_OM_COSTCENTER Maintain Cost Centers

SAP_CO_OM_OBJECT_OM_COSTEL_PRI Maintain Primary Cost Elements

SAP_CO_OM_OBJECT_OM_COSTEL_SEC Maintain Secondary Cost Elements


SAP_CO_OM_PEREND_ABM_COLL Period-End Closing for Cost Center Accounting/Activity-Based Costing

SAP_CO_OM_PEREND_INTORDER_COLL Period-End Closing for Internal Orders - Collective Processing

SAP_CO_OM_PEREND_INTORDER_IND Period-End Closing for Internal Orders - Individual Processing

SAP_CO_OM_PEREND_OM_COLL Period-End Closing - Cost Center Accounting (Without Activity)

SAP_CO_OM_PLAN_ABM Planning Cost Center/Activity Type and Business Process

SAP_CO_OM_PLAN_INTORDER Periodic Planning Internal Order

SAP_CO_OM_PLAN_OM Periodic Planning Cost Center

SAP_CO_OM_PLAN_OM_BUDGET Maintain Cost Center Budgets

SAP_CO_OM_REPORT_COSTCTR_ABM_C Reports for Cost Centers/Activity Types (as with BW)

SAP_CO_OM_REPORT_COSTCTR_ABM_L Reports for Cost Centers/Activity Types (only OLTP)

SAP_CO_OM_REPORT_COSTCTR_OM_C Reports for Cost Centers (as with BW)

SAP_CO_OM_REPORT_COSTCTR_OM_L Reports for Cost Centers (only OLTP)

SAP_CO_OM_REPORT_COST_ELEMENT Reports for Cost Elements

SAP_CO_OM_REPORT_INTORDER_C Reports for Internal Orders (as with BW)

SAP_CO_OM_REPORT_INTORDER_L Reports for Internal Orders (only OLTP)

SAP_CO_OM_REPORT_PROCESS_C Reports for Business Processes (as with BW)

SAP_CO_OM_REPORT_PROCESS_L Reports for Business Processes (only OLTP)

SAP_CO_OM_REPORT_TOOLS Report Tools for Overhead Cost Controlling

SAP_CO_PA_ADJUSTMENTS Profitability Analysis Adjustments

SAP_CO_PA_BASICDATA_CHARACTER Maintain Characteristic Values/Derivation in Profitability Analysis

SAP_CO_PA_BASICDATA_DISPLAY Display CO-PA Master Data

SAP_CO_PA_BASICDATA_VALUATION Maintain Valuation in Profitability Analysis

SAP_CO_PA_PEREND Profitability Analysis: Period-End Closing

SAP_CO_PA_PLANNING_AIDS Maintain Planning Aids for Sales and Profit Planning

SAP_CO_PA_PLANNING_EXEC_PROF Execute Sales and Profit Planning

SAP_CO_PA_PLANNING_EXEC_WEB Enter Sales and Profit Planning Data Via the WWW

SAP_CO_PA_PLANNING_INTEGRATION Integrated Data Transfers in Sales and Profit Planning

SAP_CO_PA_PLANNING_SETUP Set Up Sales and Profit Planning

SAP_CO_PA_REPORT_DEMO Execute Demo Reports for Profitability Analysis

SAP_CO_PA_REPORT_DESIGN_L_ITEM Define Line-Item-Based Reports for Profitability Analysis


SAP_CO_PA_REPORT_DESIGN_STD Define Profitability Reports

SAP_CO_PA_REPORT_EXECUTE Execute Profitability Reports

SAP_CO_PA_SET_OPERATINGCONCERN Set Operating Concern

SAP_CO_PA_VALUE_FLOW_ANALYSIS Analyze Value Flows in Profitability Analysis

SAP_CO_PC_ACT_MATERIAL_CONTROL Change Material Price Determination (Actual Costing)

SAP_CO_PC_ACT_MATERIAL_DISPLAY Material Price Analysis (Actual Costing)

SAP_CO_PC_ACT_ORG_MEASURES_SL Organizational Measures (Actual Costing)

SAP_CO_PC_ACT_SETTINGS Set Material Ledger

SAP_CO_PC_DAILY_MAT_DEBIT_CRED Debit/Credit Materials

SAP_CO_PC_DAILY_MAT_PRICEMAINT Maintain and Release Material Prices

SAP_CO_PC_JOB_MANUFORDER Display Manufacturing Orders

SAP_CO_PC_JOB_MANUFORDER_CO Maintain CO Production Orders

SAP_CO_PC_JOB_SALESORDER Display Sales Orders

SAP_CO_PC_MODEL Modeling: Product Cost Controlling

SAP_CO_PC_MODEL_COSTING Costing Models

SAP_CO_PC_MODEL_MATERIAL_CONTR Maintain Material Ledger Update

SAP_CO_PC_OBJECT_COCOLLECTOR Maintain Product Cost Collector

SAP_CO_PC_OBJECT_COOBJHIER Maintain Cost Object Hierarchy

SAP_CO_PC_OBJECT_COOBJID Maintain Cost Object

SAP_CO_PC_PEREND_ACT_MLEVEL Maintain Multilevel Actual Costing

SAP_CO_PC_PEREND_ACT_MLEVEL_DP Display Multilevel Actual Costing

SAP_CO_PC_PEREND_ACT_SLEVEL_PC Closing Entry of Individual Materials

SAP_CO_PC_PEREND_ACT_SLEVEL_PD Single-Level Material Price Determination of Individual Materials

SAP_CO_PC_PEREND_COCOLLECT_COL Period-End Closing for Product Cost Collectors - Collective Processing

SAP_CO_PC_PEREND_COCOLLECT_IND Period-End Closing for Product Cost Collectors - Individual Processing

SAP_CO_PC_PEREND_COCOLLECT_WLM Period-End Closing for Product Cost Collectors - Worklist

SAP_CO_PC_PEREND_COOBJHIER_COL Period-End Closing for Cost Object Hierarchy - Collective Processing

SAP_CO_PC_PEREND_COOBJHIER_IND Period-End Closing for Cost Object Hierarchy - Individual Processing

SAP_CO_PC_PEREND_COOBJHIER_WLM Period-End Closing for Cost Object Hierarchy - Worklist

SAP_CO_PC_PEREND_COOBJID_COLL Period-End Closing for Cost Objects - Collective Processing

SAP_CO_PC_PEREND_COOBJID_IND Period-End Closing for Cost Objects - Individual Processing


SAP_CO_PC_PEREND_MANUFORD_COL Period-End Closing for Manufacturing Orders - Collective Processing

SAP_CO_PC_PEREND_MANUFORD_IND Period-End Closing for Manufacturing Orders - Individual Processing

SAP_CO_PC_PEREND_MANUFORD_WLM Period-End Closing for Manufacturing Orders - Worklist

SAP_CO_PC_PEREND_SALESORD Period-End Closing for Sales Orders

SAP_CO_PC_PEREND_SALESORD_WLM Period-End Closing for Sales Orders - Worklist

SAP_CO_PC_PLAN_AUTH_EXPL_FACI Transaction Authorizations for Explanation Facility

SAP_CO_PC_PLAN_COCOLLECTOR Preliminary Costing for Product Cost Collectors

SAP_CO_PC_PLAN_COOBJID Periodic Planning for Cost Objects (General)

SAP_CO_PC_PLAN_MAT_PRICEDETERM Material Costing / Costing Run

SAP_CO_PC_PLAN_MAT_PRICERELEAS Mark and Release Standard Cost Estimate

SAP_CO_PC_PLAN_REFERENCE_SIMUL Multilevel Unit Costing

SAP_CO_PC_PLAN_SALESORDER_BOM Sales Orders - Order BOM Cost Estimate

SAP_CO_PC_REPORT_COCOLLECTOR Reports for Product Cost Collector

SAP_CO_PC_REPORT_COOBJHIER Reports for Cost Object Hierarchy

SAP_CO_PC_REPORT_COOBJID Reports for Cost Objects

SAP_CO_PC_REPORT_MANUFORDER Reports for Manufacturing Orders

SAP_CO_PC_REPORT_MATERIAL_ESTI Reports for Material Costing

SAP_CO_PC_REPORT_MATERIAL_LEDG Reports for Material Ledger and Actual Costing

SAP_CO_PC_REPORT_PROD_CAMPAIGN Reports for Production Campaigns

SAP_CO_PC_REPORT_PRODUCTDRILL Reports for Product and Plant

SAP_CO_PC_REPORT_REFERENCE_SIM Reports for Base Planning Objects

SAP_CO_PC_REPORT_SALESORDER Reports for Sales Orders

SAP_CO_PC_REPORT_SUMMARIZATION Reports with Object Summarization

SAP_CO_PC_REPORT_TOOLS Product Drilldown Reporting - Create Own Reports

SAP_CO_PEREND_CLOSING_PERIOD Maintain Period Lock

SAP_CO_PEREND_DISPLAY Schedule Manager - Display Functions

SAP_CO_PEREND_MAINTAIN Schedule Manager - Maintenance Functions

SAP_CO_RECONCILIATION_LEDGER Controlling: Maintain Reconciliation Ledger

SAP_CO_SET_CONTROLLING_AREA Set Controlling Area

SAP_CO_CRM_REP Reports/Master Data for CO Integration of CRM Services

SAP_CO_CRM_REP_PEC CO Integration CRM Service

SAP_CO_CRM_REP_PEC_IMG CO Integration CRM Service with Modeling


For general information on the authorizations in Controlling, see SAP Help Portal at help.sap.com on the tab Documentation → SAP ERP Central Component → Release xx → SAP ERP Central Component → Accounting → Controlling (CO) → Controlling (CO) → Methods in Controlling → Authorizations and under Accounting → Controlling (CO) → Profitability Analysis (CO-PA) → Information System → Authorization Objects in the Information System.

Information on the authorizations for the Controlling functions in Manager Self-Service (MSS) and for the role of the Business Unit Analyst (BUA) can be found in this Security Guide under Cross-Application Components → Self-Services [Seite 23].

Authorizations in Profit Center Accounting

Standard Roles in Profit Center Accounting

Role Name

SAP_AUDITOR_BA_EC_PCA AIS - Profit Center Accounting

SAP_AUDITOR_BA_EC_PCA_A AIS - Profit Center Accounting (Authorizations)

SAP_EC_PCA_ARCHIVING Profit Center Accounting Archiving

SAP_EC_PCA_MODEL Maintain Cycles for Assessment, Distribution, and Reposting (EC-PCA)

SAP_EC_PCA_MODEL_TP_DISPLAY Display Transfer Prices

SAP_EC_PCA_MODEL_TP_MAINTAIN Maintain Transfer Prices

SAP_EC_PCA_OBJECT_DISPLAY Display Profit Center Master Data

SAP_EC_PCA_OBJECT_MAINTAIN Maintain Profit Center Master Data

SAP_EC_PCA_PEREND Period-End Closing in Profit Center Accounting

SAP_EC_PCA_PEREND_POSTINGS Data Entry for Profit Center Accounting

SAP_EC_PCA_PLAN_CLOSING Plan Closing in Profit Center Accounting

SAP_EC_PCA_PLANNING Planning in Profit Center Accounting

SAP_EC_PCA_REPORT Profit Center Accounting - Line Items and Totals Records

SAP_EC_PCA_REPORT1 Profit Center Accounting - Drilldown Reports

SAP_EC_PCA_REPORT2 Profit Center Accounting - Report Painter Reports

SAP_EC_PCA_REPORT3 Profit Center Accounting - Reports from Other Components

Authorization Objects in Profit Center Accounting

Object Name

K_PCA EC-PCA: Responsibility Area, Profit Center

K_PCAB_DEL EC-PCA: Delete Transaction Data

K_PCAD_UM EC-PCA: Assessment/Distribution

K_PCAF_UEB EC-PCA: FI Data Transfer


K_PCAI_UEB EC-PCA: Actual Data Transfer

K_PCAL_GEN EC-PCA: Generate and Activate Ledger

K_PCAM_UEB EC-PCA: MM Data Transfer

K_PCAP_SET EC-PCA: Planning Hierarchy

K_PCAP_UEB EC-PCA: Plan Data Transfer

K_PCAR_REP EC-PCA: Summary and Line Item Reports

K_PCAR_SRP EC-PCA: Standard Reports and Datasets

K_PCAS_PRC EC-PCA: Profit Center

K_PCAS_UEB EC-PCA: SD Data Transfer

K_PCA_REAL EC-PCA: Realignment for PrCtr Assignments to CO Master Data

Network and Communication Security

Controlling is integrated with Microsoft Office®. For information on security aspects of Microsoft Office® applications, refer to the documentation of those products.

Communication in Manager Self-Service (MSS) and in the Web Application for the Business Unit Analyst (BUA) is based on Remote Function Calls (RFCs).

Communication Destinations

Technical users are required for communication over ALE, for batch reporting, and for third-party providers that access Controlling data.


SAP Banking

This security guide includes the following components from SAP Banking:

● SAP Financial Customer Information Management (FS-BP)

● Deposits (FS-BCA)

● Loans Management (FS-CML)

● Collateral Management (FS-CMS)

This security guide only contains Collateral Management-specific information about Authorizations and Network and Communication Security.

For general information about security in FS-CMS, see SAP Service Marketplace at service.sap.com/securityguide → mySAP ERP Security Guides → Security Guide for Collateral Management System (CMS).

● Strategic Enterprise Management (SEM)

● Reserve for Bad Debt (FS-RBD)

SAP Financial Customer Information Management (FS-BP)

The security policy of SAP Financial Customer Information Management (FS-BP) is very similar to the security policy of the central SAP Business Partner (SAP BP).

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.

Authorizations

You can create roles in the SAP Customizing Implementation Guide (IMG) for SAP Banking under SAP Business Partner for Financial Services → General Settings → Business Partner → Basic Settings → Authorization Management.

The authorization objects are the responsibility of the SAP Business Partner. SAP Financial Customer Information Management (FS-BP) is only responsible for the following two authorization objects:

● T_BP_DEAL (Standing Instructions / Transactions)

You can use this authorization object to control the company code-dependent authorizations for displaying/creating/changing standing instructions.

There are standing instructions for:

○ Payment details

○ Derived flows


○ Correspondence

○ Transaction authorizations

● B_BUPA_SLV (Selection variant for total commitment)

A selection variant includes various settings for the total commitment (such as which business partner roles and relationships can be used for the selection, or whether detailed information can be displayed).

Network and Communication Security

When processing the total commitment, mySAP ERP communicates with other SAP systems (such as Deposits Management (FS-AM)). In principle, mySAP ERP could also communicate with non-SAP systems here.

Communication takes place via Remote Function Call (RFC).

Communication Destinations

Depending on the scenario, an RFC user is required for communication via Remote Function Call (RFC). This user requires the appropriate authorizations in the target system (such as FS-CML or FS-AM).

Data Storage Security

Authorization object B_CCARD can be used to control access to credit card information that is stored in the business partner. This control falls within the area of responsibility of the central SAP Business Partner.

You can protect employee data by using authorization groups (authorization object B_BUPA_GRP).


Bank Customer Accounts (BCA)

Authorizations

The following standard roles are available in Bank Customer Accounts (BCA):

Role Name

SAP_ISB_ACCOUNTS_ADMIN_AG SAP Banking BCA: Account Management Administrator

SAP_ISB_ACCOUNTS_ASSISTANT_AG SAP Banking BCA: Assistant in Account Management

SAP_ISB_ACCOUNTS_STAFF_AG SAP Banking BCA: Clerical Staff in Account Management

For more information on authorization management and the authorization objects in Bank Customer Accounts, see SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component → Release 5.0 → SAP ERP Central Component → Financials → SAP Banking → Bank Customer Accounts (BCA) → General Subjects → Authorization Administration, or Authorization Administration → Authorization Objects.

Bank Customer Accounts (BCA) also contains the following business transaction events on the subject of authorizations:

Business Transaction Event Name

SAMPLE_INTERFACE_00011040 AUTH1- Account

SAMPLE_INTERFACE_00011700 Authorization checks/authorization type

SAMPLE_INTERFACE_00010950 Check Management

SAMPLE_INTERFACE_00010210 Payment item dialog

SAMPLE_INTERFACE_00010410 Payment order dialog

SAMPLE_INTERFACE_00010411 Standing order dialog

Network and Communication Security

Bank Customer Accounts (BCA) communicates with the following external systems:

● Payment transaction systems

● Interest income tax

● Financial Accounting (FI), if Financial Accounting (FI) runs on another system

Encrypt communication with external systems in accordance with the SAP standards (for RFC connections, this means Secure Network Communication (SNC)).

Communication with all external systems is performed via Remote Function Call (RFC).


Data Storage Security

The security of sensitive objects such as savings accounts and checking accounts is guaranteed by the general authorization concept of Bank Customer Accounts (BCA).

For employee accounts, the following security mechanisms are available in addition to the general authorization concept:

● The following special authorization objects

○ F_EMAC_MTH

○ F_EMAC_TRN

● The following special field modification criterion of the Business Data Toolset (BDT)

○ FMOD1

This criterion is applied to employee accounts.

Important SAP Notes

Consider the following SAP Notes on authorizations in Bank Customer Accounts (BCA):

Note Number Short Text

126494 Authorization f. RFC calls of reconciliation GL/BCA

441020 Value table for authorization group objects

315545 Standing orders: release, dual authoriztn principle

731832 Conditions: Authorization object F_COND_BDC

127591 Authorization group in reports


Loans Management (FS-CML)

Authorizations

Authorization management for mortgage loans is based on the existing authorization concept in Loans Management (FS-CML).

The authorization check follows the principle of inclusion: a user who is authorized to activate a business transaction is thereby also authorized to delete it, and the authorization to make a posting includes the authorization to cancel it. Bear this in mind when designing roles, because there is no separate authorization that withholds deletion or cancellation from a user who may activate or post.

If other functions are called from a business transaction, the relevant authorization check is performed in the calling business transaction before the other function is accessed, so that the called functions do not terminate with an authorization error.

To set up your authorization management for mortgage loans, you can use the following roles included in the delivery scope:

Role / Name / Scope

Loans Officer (SAP_CML_LOANS_OFFICER)

● Create, change, display, delete business partner

● Collateral value calculation, credit standing calculation and decision-making

● Maintain objects and securities

● Create contracts, or transfer from application or offer

● Enter disbursements

● Process correspondence

● Release loan (colleague or superior)

● Process business operations (such as charges, individual posting, payoff)

Credit Analyst (SAP_CML_CREDIT_ANALYST)

● Create, change, display, delete business partner

● Maintain loan enquiries, applications and offers

● Calculate credit standing

● Decision-making

● Maintain limits

● Calculate the collateral value

● Maintain objects and securities


Rollover Officer (SAP_CML_ROLLOVER_OFFICER)

● Loan rollover (individual and mass)

● Process correspondence

● Management of rollover file

● Maintain condition tables

Staff Accountant for Loans (SAP_CML_STAFF_ACCOUNTANT)

● Post transactions

● Clearing

● Create payments

● Post and monitor incoming payments

● Process waivers and write-offs

● Cancellation

● Accrual/deferral

● Valuation

● Generating accounting reports

Manager of Loans Department (SAP_CML_DEPARTM_MANAGER)

● Release

● Maintain condition tables

● Change limits

● Risk analysis

● Monitor file (rollover or process management)

● Monitor portfolio and portfolio trend using reports; reports and queries

Product Administrator (SAP_CML_PRODUCT_ADMIN)

● Update reference interest rates

● Maintain condition tables

● Maintain new business tables

Technical Administrator (SAP_CML_TECHNICAL_ADMIN)

● Perform mass runs (such as mass print run), set status of plan to completed, post planned records

● Currency conversion

● Update reference interest rates and currency rates

● Reorganization and data archiving

● Define queries, drilldown reporting forms and reports

● Maintain performance parameters

● Analyze change pointers

● Define export interfaces


You can assign these roles to the users in your company. Do not change the original roles: the changes would be overwritten by the standard settings when the system is upgraded.

If you need adjustments, copy the roles first. In the SAP Easy Access menu, choose Tools → Administration → User Maintenance → Role Administration → Roles. There you can group the authorizations for loans into roles of your own and assign them, for example, to the users in your departments. The procedure is as follows:

● Maintain the role menu. You can structure it yourself by adding and, if necessary, renaming folders, transactions, and reports. Besides grouping the relevant transactions manually, you can also copy them from the SAP menu or from another role.

● Maintain the authorizations of the role. The system proposes certain authorizations and their field values; you can add further objects.

● Generate the authorization profile.

● Maintain the users who are to receive the authorizations contained in the role. You can also assign the role to elements of organizational management, such as a position in the organization. The advantage is that you do not have to maintain the user assignment in each role individually when a person changes jobs. This mechanism can also be used for the release function.

Network and Communication Security

Loans Management (FS-CML) does not communicate with other systems. The only exception is mySAP Customer Relationship Management (CRM) during the loan origination process. In this process CRM serves as the entry system and FS-CML as the back-end system. Communication takes place by means of SAP Exchange Infrastructure (XI).

Data Storage Security

The security of sensitive data in Loans Management (such as loan contracts, consumer loans, collateral values, credit standing calculations, and collateral) is guaranteed by the general authorization concept of Loans Management (FS-CML).

It is possible to display business partner data from Loans Management. You can use the authorization concept of central SAP Business Partner to protect this data.

For more information about authorizations and data storage security in the SAP Business Partner, see the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Guides for the SAP NetWeaver Products → SAP NetWeaver Application Server Security Guide → SAP NetWeaver AS Security Guide for ABAP Technology → Security Aspects When Using Business Objects → SAP Business Partner Security.


Collateral Management (CM)

Purpose

This guide explains the security-specific features built into SAP Collateral Management (CM).

To understand the security features provided in CM, you must read the SAP NetWeaver Application Server Security Guide (service.sap.com), which describes the basic security aspects and measures for SAP systems.

Authorizations

A number of standard roles are shipped with SAP Collateral Management (CM) in SAP ECC 6.0. These roles are examples only and must be adapted by customers to their own requirements.

Customers must not use the standard roles in their production systems without modification. Use the Profile Generator (transaction PFCG) to identify the standard roles and to create your own roles from them.

The following roles are available in CM for banks:

Role / Purpose

SAP_FS_CMS_DISPLAY_ALL Displaying all the entity objects in CM.

SAP_FS_CMS_MAINTAIN_ALL Maintaining (Create, change and display only) all entity objects.

SAP_FS_CMS_MAINTAIN_ALL_PRC Executing all the process related activities in addition to maintenance of objects

SAP_FS_CMS_CUST_ALL Customizing

SAP_FS_CMS_ADMIN CM administrator role

SAP_FS_CMS_COL_AUDITOR Maintaining all the entity objects and the access to run all the reports in CM.

SAP_FS_CMS_CREDIT_MANAGER Displaying collateral objects and collateral agreements.

SAP_FS_CMS_CREDIT_RISK_MANAGER Maintaining collateral objects and collateral agreements and displaying receivables.

SAP_FS_CMS_LIQUIDATION_OFFICER Maintaining liquidation measures.


Authorization Objects in CM

Technical Name / Name

CMS_PCN_02 Authorization for activities (change request mode)

CMS_PCN_01 Authorization for activities (normal mode)

CMS_OMS1 Authorization for all collateral objects other than real estate (replaces CMS_OMS from ECC 6.0 onwards)

CMS_OMS Authorization for all collateral objects other than real estate (obsolete from ECC 6.0 onwards)

CMS_CAG Authorization object for collateral agreements

CMS_RE Authorization object for real estate objects in CM.

CMS_RBL Authorization object for receivable in CM.

Characteristic-Based Authorizations

In Collateral Management, every object must belong to an administration organizational unit. The authorization objects for collateral objects (real estate and other collateral objects) and for collateral agreements are based on the combination of the administration organizational unit and the entity type (assigned using a process control key). For receivables, the authorizations are based on the receivable organizational unit, the receivable status, and the product. The receivable authorizations apply both to receivables created in CM and to local copies of receivables from external credit systems.

For example, you can use the administration organizational unit to separate the objects of employees, VIP customers, and normal customers. Because objects are created in these organizational units, the unit acts as a characteristic that can also be used to protect application data.

Network and Communication Security

The table below shows the communication paths used by SAP Collateral Management (CM), the protocol used for each connection, and the type of data transferred.

Communication Path / Protocol Used / Type of Data Transferred / Data Requiring Special Protection

Financial Customer Information Management (FS-BP): RFC; business partner master data

SAP Document Management System (DMS): RFC; document data

Loans Management (CML): RFC; loan data

SAP Business Information Warehouse (BIW): IDoc and RFC; collateral agreements, collateral objects, charges, collateral agreement to receivable assignments, and calculation data


SAP Bank Analyzer (Basel II): IDoc and RFC; collateral agreements, collateral objects, charges, collateral agreement to receivable assignments, and calculation data

The following RFC connections have to be set up to operate CM. Do not create the users behind these destinations as dialog users; use system or communication users that carry only the authorizations listed below.

● RFC communication with the BW tool

● RFC communication within the BW tool

● RFC communication in the context of import methods for the client copy

The relevant authorization objects are S_TABU_DIS, S_RS_ICUBE, S_RS_ADMWB, S_RS_ISOUR, S_BTCH_ADM, S_ADMI_FCD, S_BTCH_JOB, S_RS_ODSO, and S_RS_ISET.

CM provides the following business application programming interfaces (BAPIs) for allowing external systems to connect to it:

● BAPI_CM_AST_GET_MULTI

● BAPI_CM_CAG_CREATE

● BAPI_CM_CAG_GETDETAIL_MULTI

● BAPI_CM_CAG_GET_BY_RBL

● BAPI_CM_GENLNK_RBL_ON_RBL_01

● BAPI_CM_GENLNK_RBL_ON_RBL_02

● BAPI_CM_SEC_GETDETAIL_MULTI

● BAPI_CM_RE_GETDETAIL_MULTI

● BAPI_CM_RIG_GETDETAIL_MULTI

● BAPI_CM_MOV_GETDETAIL_MULTI

BAPIs are standard SAP interfaces and are important in the technical integration and in exchange of business data between SAP components and between the SAP and non-SAP components. BAPIs enable you to integrate these components. They are therefore an important part of developing integration scenarios where multiple components are connected to each other, either on a local network or on the internet.

BAPIs allow integration at the business level and not at the technical level. This provides for greater stability of the linkage and independence from the underlying communication technology.

The BAPIs in CM currently serve mainly migration scenarios, so they are not protected by authorization checks of their own. Authorization checks for the BAPIs may be added in future releases if there is a requirement for them. Until then, restrict who can call them at the RFC layer: grant the calling RFC user only the function groups it needs by way of authorization object S_RFC, and do not set that user up as a dialog user.


CM also provides an extensive enhancement concept that offers user exits in the form of Business Add-Ins (BAdIs).

Network Security and Communication Channels

Collateral Management (CM) uses the same communication channels that are described in the SAP NetWeaver AS Security Guide. No further customer-specific communication channels are provided. Hence the aspects and actions described in the SAP NetWeaver AS Security Guide (such as the use of SAProuter in combination with a firewall, the use of Secure Network Communication (SNC), communication between front end and application server, and the connection to the database) also apply to CM.

Strategic Enterprise Management (SEM) for Banks

Authorizations

The following standard roles are available in Strategic Enterprise Management (SEM) for Banks:

Roles Description

SEM-PA

SAP_ISB_PA_CONTROLLER_AG SAP Banking Profitability Analysis: Profitability Controller

SEM-MRA

SAP Treasury and Risk Management

SAP_CFM_RISK_CONTROLLER Risk Controller

SAP_CFM_TM_TRADE_CONTROLLER Trade Controller

SAP_CFM_TREASURY_MANAGER Treasury Manager

Bank Applications

SAP_ISB_STRATEGIC_PLANNER_AG SAP Banking Asset Liability Management: Strategic Balance Sheet Planner

SAP_ISB_MAR_RISK_CONTROLLER_AG SAP Banking Risk Analysis: Market Risk Controller

SEM-KL

SAP Treasury and Risk Management

SAP_CFM_RISK_CONTROLLER Risk Controller

SAP_CFM_TM_TRADE_CONTROLLER Trade Controller

SAP_CFM_TREASURY_MANAGER Treasury Manager

SAP_CFM_ADMINISTRATOR Administrator

SAP_CFM_DEALER Treasury: Trader

SAP_CFM_LIMIT_MANAGER Limit Manager

For more information about the individual roles in SAP Treasury and Risk Management (TRM), see the SAP Library, under SAP ERP Central Component → Financials → SAP Treasury and Risk Management → Basic Functions → Roles in Treasury and Risk Management (TRM).


Bank Applications

SAP_ISB_CRE_RISK_CONTROLLER_AG SAP Banking Default Risk and Limit System: Default Risk Controller

SAP_ISB_CRE_RISK_MANAGER_AG SAP Banking Default Risk and Limit System: Default Risk Manager

SAP_ISB_CRE_RISK_TRADER_AG SAP Banking Default Risk and Limit System: Trader

In addition, take account of the following activities in the SAP Customizing Implementation Guide (IMG):

● for SEM-PA:

Under SAP Banking → SEM Banking → Profitability Analysis → Tools → Authorization Management

● for SEM-MRA

Under SAP Banking → SEM Banking → Common Settings for Market Risk and Asset/Liability Management → Maintain Authorizations/Profiles/Users

Network and Communication Security

● Transfer of external data

You can use external data transfer to transfer bank transactions not performed via SAP transactions to the SAP system.

Transfer takes place via Remote Function Call (RFC).

● Transfer of market data

Market data for a risk analysis is transferred to the SAP system via a datafeed.

mySAP ERP 2005 contains SEM extractors. These extractors are business application programming interfaces (BAPIs) for selected business data, market data, and SEM's own data (financial objects, limit definitions, cash flows). They can also be used as utilities for integration with systems for Basel II/IAS.

These BAPIs are delivered to customers, but they have not been released officially. There is no documentation available for the SEM extractors, just notes. The collective note on this subject is note 608292.

The development of SEM extractors does not contain any authorization checks at all. Therefore, until the interface has been released officially, a customer-specific authorization concept must be created if these extractors are used. In this event, customers must use the modification assistant to implement suitable authorization checks themselves. As the interface has not been released officially, SAP bears no responsibility for missing authorization checks.

Communication Destinations

Some evaluations in SEM Banking are normally started by customers as batch processing. This applies particularly to drilldown reports and the calculation of key figures in the results databases. If this batch processing is started by a technical user, only the authorizations for the relevant transaction are required. You can use transaction SU22 to determine these authorizations.

If the workflow is activated when limits are exceeded, the sender of the workflow must have the authorization S_OC_SEND. To make this assignment, execute the IMG activity Assign Senders of Workflows to Recipients in the SAP Customizing Implementation Guide (IMG) under Financial Supply Chain Management → Treasury and Risk Management → Credit Risk Analyzer → Basic Settings → Assignments → Assignment of Senders to Recipients.

Data Storage Security

The data in Strategic Enterprise Management (SEM) for Banks can be regarded as not particularly sensitive.

However, from Strategic Enterprise Management (SEM) for Banks you can access business information of other components, including:

● Bank Customer Accounts (BCA)

● Loans Management (CML)

This access is protected in that the authorization for the relevant transaction is checked.

Display of risk key figures is always performed on the basis of a summarization of multiple financial transactions. Users can access a detailed view to see the transactions in question. In doing so, the display transactions of the corresponding components are called. A user can only display business transactions if he or she has the corresponding authorization for this business.

You can also use the authorization objects of Strategic Enterprise Management (SEM) for Banks to ensure that users cannot draw conclusions on financial transactions indirectly (by selecting specific parameters of risk evaluation). For example, you can use authorization object T_RMCHAR_V to restrict the financial transactions for which users can perform certain risk evaluations. This authorization is then used in the display of stored key figure values.

However, these authorization objects are not applied to the SEM extractors. If you use SEM extractors, you must use the modification assistant to implement suitable authorization checks yourself.


Reserve for Bad Debt (FS-RBD)

Authorizations

Reserve for Bad Debt (FS-RBD) uses the standard SAP authorization concept.

The authorization checks in FS-RBD differentiate between the following dimensions:

● Activities:

You use the activity to control what a user is permitted to do. For example:

○ Create an RBD account

○ Post value adjustment proposals

○ Display evaluations

● Organization

The organization at RBD area level determines which data the user is permitted to display or process.

Standard Profile

In FS-RBD you do not use RBD-specific profiles, but the standard profiles delivered with every SAP system.

The standard profiles are as follows:

Profile Description

S_A.SYSTEM Authorizations for the basis system only

S_A.ADMIN Authorizations for the administration of the operational SAP system, but without authorization for:

● ABAP/4 Development Workbench

● maintaining superusers

● maintaining the standard profiles beginning with “S_A”

S_A.DEVELOP Authorizations for developers working with ABAP/4 Development Workbench

S_A.CUSTOMIZ Authorizations for basis settings in the Customizing system.

S_A.USER Authorizations for end users (without authorization for SAP work areas)

Authorization Objects

Reserve for Bad Debt (FS-RBD) has the following authorization objects:

Critical combination: Creating and posting value adjustment proposals (planned records) within a role.


Authorization Object / Description / Authorization Field / Values Permitted for the Authorization Field

RBD_CUST (RBD: Customizing)

Activity: 16 (Execute)

RBD_EDIT (RBD Dialog & Batch)

Activity: 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse), 91 (Reactivate)

RBD area: according to RBD Customizing

RBD_REPO (RBD: Reporting)

RBD area: according to RBD Customizing

Description of these authorization objects:

● The assignment of authorization object RBD_CUST with activity 16 gives the user authorization to use an RBD Customizing tool.

● The assignment of authorization object RBD_EDIT with activity 02 and RBD area 0005, enables the user to change data for an RBD account in the RBD area 0005.

● The assignment of authorization object RBD_EDIT with activities 02 and 10 and the RBD area 0004 enables the user to post planned records for an RBD account in the RBD area 0004.

● The assignment of the authorization object RBD_EDIT with the activities 02, 85, 91 and the RBD area 0003 enables a user to reverse actual records for an RBD account in RBD area 0003, and to reactivate a deactivated account in the RBD area 0003.

● The assignment of the authorization object RBD_REPO in RBD area 0006 enables a user to display the RBD standard evaluations for the data in the RBD area 0006.

Note that the activities Create Value Adjustment Proposals (Planned Records) and Post Value Adjustment Proposals (Planned Records) are possible within one role.

Use of RBD Authorization Objects

RBD_CUST

Program | Description | Permitted Activities
/IBS/MRB_CUST_KTOFI | RBD Tool Customizing: Duplicate Account Determination | 16 (Execute)

RBD_EDIT

Program | Description | Permitted Activities
/IBS/MRB_SAPMKTO | RBD: Dialog account master data | 01 (Create), 02 (Change), 03 (Display), 10 (Post), 85 (Reverse)
/IBS/MRB_EWB_UPDATE | CML Position monitoring update run | 02 (Change), 10 (Post)
/IBS/MRB_KONTO_REACTIVATE | Reactivate RBD account | 91 (Reactivate)
/IBS/MRB_LOG_POST | RBD Posting log | 03 (Display)
/IBS/MRB_PEWB_REFRESH | RBD: CML Monitoring of arrears: Planned record generation (FIVA) and posting | 10 (Post)
/IBS/MRB_PEWB_RESET | RBD: CML monitoring of arrears: Clearing actual records (reversal FIVA) | 85 (Reverse)

RBD_REPO

Program | Description | Permitted Activities
/IBS/DRB_ENTWICKLUNG | RBD development list, development reserve for bad debt position | According to RBD Customizing
/IBS/DRB_HINT_LIST | Position monitoring: List of notes | According to RBD Customizing
/IBS/DRB_REFERENZ | RBD Drilldown reporting with references | According to RBD Customizing

Definition of Customer-Specific Roles

The following information is required for the definition of customer-specific roles for functions in FS-RBD:

● SAP logon names of all employees that are to work in FS-RBD

● RBD areas affected

● Decisions as to which employee is permitted to execute which functions in the RBD Tool

To avoid having to assign a separate role for each employee, we recommend that you form groups of employees that are permitted to execute the same functions. You can then assign a defined role to all of the employees in the group.

Example of generation of user-specific roles:

Activities:

RBD area | Activity | Employee | Role in SAP
All | All | Adams | RBD_ALLES
All | Customizing: Duplicate Account Determination | Armstrong | RBD_CUST
1 | Create, change, and display RBD account | Miller | RBD_SACH_01
1 | Create, change, and display RBD account | Martin | RBD_SACH_01
1 | Create, change, and display RBD account | Smith | RBD_SACH_01
1 | Change RBD account, post planned records | Glenn | RBD_BUCH_01
1 | Change RBD account, post planned records | O’Hara | RBD_BUCH_01
1 | Change RBD account, reverse actual records | Glenn | RBD_STOR_01
1 | Change RBD account, reverse actual records | Bertolini | RBD_STOR_01
1 | Display evaluations | Santos | RBD_AUSWERT_01
1 | Display evaluations | Hunter | RBD_AUSWERT_01
1 | Display evaluations | Miller | RBD_AUSWERT_01
1 | Display evaluations | Martin | RBD_AUSWERT_01
1 | Display evaluations | Smith | RBD_AUSWERT_01
2 | Create, change, and display RBD account | Nielsen | RBD_SACH_02
2 | Create, change, and display RBD account | Moore | RBD_SACH_02
2 | Create, change, and display RBD account | Smith | RBD_SACH_02
2 | Change RBD account, post planned records | Glenn | RBD_BUCH_02
2 | Change RBD account, post planned records | O’Hara | RBD_BUCH_02
2 | Change RBD account, reverse actual records | Glenn | RBD_STOR_02
2 | Change RBD account, reverse actual records | Nielsen | RBD_STOR_02
2 | Display evaluations | Santos | RBD_AUSWERT_02
2 | Display evaluations | Hunter | RBD_AUSWERT_02
2 | Display evaluations | Nielsen | RBD_AUSWERT_02
2 | Display evaluations | Moore | RBD_AUSWERT_02
2 | Display evaluations | Smith | RBD_AUSWERT_02

Roles:

Role in SAP | RBD Authorization Object Required | Authorization Field | Field Value
RBD_ALLES | RBD_CUST | ACTVT | *
RBD_ALLES | RBD_EDIT | ACTVT | *
RBD_ALLES | RBD_EDIT | RBDID | *
RBD_ALLES | RBD_REPO | ACTVT | *
RBD_CUST | RBD_CUST | ACTVT | 16
RBD_SACH_01 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_01 | RBD_EDIT | RBDID | 1
RBD_BUCH_01 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_01 | RBD_EDIT | RBDID | 1
RBD_STOR_01 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_01 | RBD_EDIT | RBDID | 1
RBD_AUSWERT_01 | RBD_REPO | RBDID | 1
RBD_SACH_02 | RBD_EDIT | ACTVT | 1,2,3
RBD_SACH_02 | RBD_EDIT | RBDID | 2
RBD_BUCH_02 | RBD_EDIT | ACTVT | 2,10
RBD_BUCH_02 | RBD_EDIT | RBDID | 2
RBD_STOR_02 | RBD_EDIT | ACTVT | 2,85
RBD_STOR_02 | RBD_EDIT | RBDID | 2
RBD_AUSWERT_02 | RBD_REPO | RBDID | 2

As a result, roles are assigned to the user master records as follows:

Employee Role in SAP

Armstrong RBD_CUST

Bertolini RBD_STOR_01

Adams RBD_ALLES

Glenn RBD_BUCH_01

Glenn RBD_STOR_01

Glenn RBD_BUCH_02

Glenn RBD_STOR_02

O’Hara RBD_BUCH_01


O’Hara RBD_BUCH_02

Hunter RBD_AUSWERT_01

Hunter RBD_AUSWERT_02

Martin RBD_SACH_01

Martin RBD_AUSWERT_01

Moore RBD_SACH_02

Moore RBD_AUSWERT_02

Miller RBD_SACH_01

Miller RBD_AUSWERT_01

Nielsen RBD_SACH_02

Nielsen RBD_STOR_02

Nielsen RBD_AUSWERT_02

Smith RBD_SACH_01

Smith RBD_AUSWERT_01

Smith RBD_SACH_02

Smith RBD_AUSWERT_02

Santos RBD_AUSWERT_01

Santos RBD_AUSWERT_02
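As an added example that is not part of the SAP guide, the following Python script models the role example above: it reads the Roles and role-assignment tables as written, evaluates whether an employee may perform an activity in an RBD area the way a check on RBD_EDIT or RBD_REPO would, and flags the critical combination the guide points out (create and post planned records granted within one role). It goes one step beyond the guide by also reporting employees who accumulate that combination across several roles; the parsing, the normalisation of field values and the wildcard handling are assumptions of this example, not SAP's authorization check implementation.

```python
# Added example, not from the SAP guide: models the FS-RBD role example above
# to answer "may this user do this activity in this RBD area?" and to flag the
# critical combination the guide points out (create + post in one role).
from collections import defaultdict

# Roles table from the guide: role, authorization object, field, values.
ROLE_TABLE = """
RBD_ALLES RBD_CUST ACTVT *
RBD_ALLES RBD_EDIT ACTVT *
RBD_ALLES RBD_EDIT RBDID *
RBD_ALLES RBD_REPO ACTVT *
RBD_CUST RBD_CUST ACTVT 16
RBD_SACH_01 RBD_EDIT ACTVT 1,2,3
RBD_SACH_01 RBD_EDIT RBDID 1
RBD_BUCH_01 RBD_EDIT ACTVT 2,10
RBD_BUCH_01 RBD_EDIT RBDID 1
RBD_STOR_01 RBD_EDIT ACTVT 2,85
RBD_STOR_01 RBD_EDIT RBDID 1
RBD_AUSWERT_01 RBD_REPO RBDID 1
RBD_SACH_02 RBD_EDIT ACTVT 1,2,3
RBD_SACH_02 RBD_EDIT RBDID 2
RBD_BUCH_02 RBD_EDIT ACTVT 2,10
RBD_BUCH_02 RBD_EDIT RBDID 2
RBD_STOR_02 RBD_EDIT ACTVT 2,85
RBD_STOR_02 RBD_EDIT RBDID 2
RBD_AUSWERT_02 RBD_REPO RBDID 2
"""

# Role assignment from the guide's user master record table: employee, roles.
USER_TABLE = """
Adams RBD_ALLES
Armstrong RBD_CUST
Bertolini RBD_STOR_01
Glenn RBD_BUCH_01 RBD_STOR_01 RBD_BUCH_02 RBD_STOR_02
Hunter RBD_AUSWERT_01 RBD_AUSWERT_02
Martin RBD_SACH_01 RBD_AUSWERT_01
Miller RBD_SACH_01 RBD_AUSWERT_01
Moore RBD_SACH_02 RBD_AUSWERT_02
Nielsen RBD_SACH_02 RBD_STOR_02 RBD_AUSWERT_02
O'Hara RBD_BUCH_01 RBD_BUCH_02
Santos RBD_AUSWERT_01 RBD_AUSWERT_02
Smith RBD_SACH_01 RBD_AUSWERT_01 RBD_SACH_02 RBD_AUSWERT_02
"""

WILDCARD = "*"
CRITICAL = ("01", "10")  # create and post value adjustment proposals


def norm(value):
    """Make '01', '1' and '0001' compare equal; '*' stays a wildcard."""
    value = value.strip()
    return value if value == WILDCARD else (value.lstrip("0") or "0")


def parse_roles(text):
    """role -> authorization object -> field -> set of normalised values."""
    roles = defaultdict(lambda: defaultdict(dict))
    for line in text.strip().splitlines():
        role, obj, field, values = line.split()
        roles[role][obj][field] = {norm(v) for v in values.split(",")}
    return roles


def parse_users(text):
    """user -> set of assigned roles."""
    return {user: set(assigned) for user, *assigned in
            (line.split() for line in text.strip().splitlines())}


def field_allows(values, wanted):
    return WILDCARD in values or norm(wanted) in values


def role_authorizes(role_auth, obj, **fields):
    """A role passes if it holds the object and covers every requested field;
    a field the role does not maintain for the object grants nothing."""
    obj_auth = role_auth.get(obj, {})
    return bool(obj_auth) and all(
        field in obj_auth and field_allows(obj_auth[field], wanted)
        for field, wanted in fields.items())


def is_authorized(roles, users, user, obj, **fields):
    """The check succeeds if any one of the user's roles passes it."""
    return any(role_authorizes(roles.get(r, {}), obj, **fields)
               for r in users.get(user, ()))


def roles_with_critical_combination(roles, critical=CRITICAL):
    """Roles whose RBD_EDIT ACTVT values cover all activities in `critical`,
    the 'critical combination within a role' the guide warns about."""
    return sorted(role for role, objs in roles.items() if all(
        field_allows(objs.get("RBD_EDIT", {}).get("ACTVT", set()), a)
        for a in critical))


def users_with_critical_combination(roles, users, critical=CRITICAL):
    """Beyond the guide: users who, across all their roles, can perform every
    critical activity in the same RBD area (areas taken from the roles table)."""
    areas = {v for objs in roles.values()
             for v in objs.get("RBD_EDIT", {}).get("RBDID", ()) if v != WILDCARD}
    return sorted(user for user in users if any(
        all(is_authorized(roles, users, user, "RBD_EDIT", ACTVT=a, RBDID=area)
            for a in critical) for area in areas))
```

With the guide's tables only RBD_ALLES (and therefore Adams) carries the critical combination; assigning RBD_BUCH_01 to an employee who already holds RBD_SACH_01 would be flagged by the user-level check even though each role on its own is clean.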

Network and Communication Security

In Reserve for Bad Debt (FS-RBD) the following systems communicate with each other:

● Enterprise Resource Planning (ERP) with Loans Management (FS-CML)

● ERP with Deposits Management (FS-AM)

● ERP with Collateral Management System (FS-CMS)

● ERP with Flexible General Ledger/ Financials (FLEXGL/FI)

Communication takes place via Remote Function Call (RFC).

Communication Destinations

Technical users are required for Remote Function Call (RFC) connections to Deposits Management (FS-AM).

These technical users require read authorization (for reading balances and account master data, for example).

Trace and Log Files

The change documents (master data from the source system) can be used as trace or log files that contain security-relevant information.

Incentive and Commission Management (ICM)

For detailed information about security in Incentive and Commission Management (ICM), see the security guide for Incentive and Commission Management in the SAP Library under Security → mySAP ERP Security Guides.

Statutory Reporting for Insurance (FS-SR)

Authorizations

Authorizations are assigned using the authorization objects from the authorization object class ISSR.

Data Storage Security

Sensitive data, such as financial transactions, is protected from unauthorized access using the authorization objects in the authorization object class ISSR.

Real Estate Management

Authorizations

Standard Roles of Real Estate Management

Roles Description

SAP_RE_APPL Real Estate Specialist

SAP_RE_CONTROLLER_AND_PLANER RE Controller

SAP_RE_CONTROLLING_ANALYST RE Controlling Analyst

SAP_RE_LESSEE_CONTRACT_SUPPORT Lessee Contract Support

SAP_RE_LESSOR_CONTRACT_SUPPORT Lessor Contract Support

SAP_RE_MASTER_DATA_ANALYST Master Data Analyst

SAP_RE_MASTER_DATA_SUPPORT Master Data Support

SAP_RE_RENT_LEVEL_EXPERT Rent Level Expert

SAP_RE_RENTAL_ACC_SUPPORT Rental Account Support

SAP_RE_SC_SUPPORT Service Charge Support

Network and Communication Security

External heating expenses settlement is available in Real Estate Management. To make this settlement possible, the necessary files must be generated in the SAP system in an internal SAP format. You then send the data medium to the settlement company.

Trace and Log Files

The change documents provide information on changes to the authorization group and to the person responsible for the object.

Public Sector Management

Authorizations

Standard roles for Public Sector Management (PSM)

Role Name

SAP_IS_PS_CENTRAL_FUNCTION Funds Management Central Function

SAP_IS_PS_PO_CONSUMPTION Postings: Consuming Funds

SAP_IS_PS_MD_STRUCTURE Master Data Funds Management: Maintain Structure

SAP_IS_PS_DECK_CREA Cover Eligibility: Rule Maintenance

SAP_IS_PS_BCS_AVC_TOOLS Availability Control - Tools

SAP_IS_PS_BU_RULES Maintain Budget Rules

SAP_IS_PS_BCS_BUD_TOOLS Budgeting - Tools

SAP_IS_PS_PO_RECONCILE Reconciling Data with Feeder Applications

SAP_IS_PS_BCS_BUD_MAINTENANCE Maintain Budget Data

SAP_IS_PS_BCS_BUD_PLANNING Plan Budget Data

SAP_IS_PS_BCS_DISPLAY Display Budget Values (BCS)

SAP_IS_PS_BCS_STATUS_MAINTAIN Budgeting – Assign Status

SAP_IS_PS_BCS_STRUCT_DEF Maintaining the Budget Structure

SAP_IS_PS_BCS_STRUCT_TOOLS Budget Structure - Tools

SAP_IS_PS_BU_CONTROL Controlling Budget Execution

SAP_IS_PS_BU_DISPLAY Budget Values Display

SAP_IS_PS_BU_PLANNING Budget Planning

SAP_IS_PS_BU_UPDATE Updating Budget: Transactions

SAP_IS_PS_BU_UPDATE_TOOLS Updating Budget: Tools

SAP_IS_PS_BU_UPDATE_VERSION Updating Budget: Editing Versions

SAP_IS_PS_CASH_DESK Payment at Cash Desk

SAP_IS_PS_CF_BU_EXECUTE Execute Budget Carryforward

SAP_IS_PS_CF_BU_PREPARE Preparing the Budget Carryforward

SAP_IS_PS_CF_CHECK Check Budget Closing

SAP_IS_PS_CF_OI_EXECUTE Execute Carryforward of Assigned Funds

SAP_IS_PS_CF_OI_PREPARE Preparing Assigned Funds Carryforward

SAP_IS_PS_DECK_DISP Displaying Data for Reporting and Master Data Cover Eligibility


SAP_IS_PS_MD_DISPLAY Funds Management Master Data: Display Functions

SAP_IS_PS_MD_ZUOB Funds Management Master Data: Assignment to CO Structures

SAP_IS_PS_PO_COMMITMENTS Postings: Committing Funds

SAP_IS_PS_PO_CONSUMPTION_DISP Postings: Assigned Funds Display

SAP_IS_PS_PO_FOR Postings: Forecast of Revenue

SAP_IS_PS_PO_TRANSFERS Postings: Repost Assigned Funds

Public Sector Management uses the naming conventions SAP_FI_GM_* and SAP_IS_PS_* for its roles.

Standard roles for Grants Management (PSM-GM)

Role | Name | Function
SAP_FI_GM_GRANT_ANALYST | Grants Management: Grant Analyst | Master data maintenance, execution of reports
SAP_FI_GM_GRANT_MANAGER | Grants Management: Grant Manager | New entry, check and approval of master data, execution of billing program
SAP_FI_GM_PROGRAM_ANALYST | Grants Management: Program Analyst | Creation of master data, processing of proposals and budget
SAP_FI_GM_PROGRAM_MANAGER | Grants Management: Program Manager | Check and approval of proposals and budget
SAP_FI_GM_PROJECT_MANAGER | Grants Management: Project Manager | Management of grants and budget, execution of reports

Standard roles for Grantor Management (PSM-GM)

Role Name Function

SAP_PSM_GTR_PROGRAM_MANAGER Instructor for Grantor Program Management

The main task of the instructors for the Grantor Program Management is to look after the scenarios of Grantor Management. The instructor for the Grantor Program Management not only works with CRM transactions but is also responsible for creating budget for the Grantor programs in PSM and the processing of accounting transactions in Public Sector Contract Accounting. Additional tasks in the area are master data maintenance, reporting and archiving.


SAP_PSM_GTR_PROGRAM_CLERK Clerk for Grantor Program Management

The main task of the clerk for Grantor Program Management is the processing of scenarios of Grantor Management. The clerk works not only with CRM transactions for the Grantor Management but also accesses budget, PSM master data and business partner data in Public Sector Contract Accounting. A user in this role is also authorized to execute PSM reports.

Authorization Objects for Grants Management (PSM-GM)

Authorization Object Name

F_FIGM_BUD Grants Management: Authority for Budget

F_FIGM_CLS Grants Management: Authority for Class

F_FIGM_GNG GM: Grant Groups

F_FIGM_GNT Grants Management: Authority for Grant

F_FIGM_PRG Grants Management: Authority for Programs

F_FIGM_SCG GM: Sponsored Class Groups

F_FIGM_SPG GM: Sponsored Program Groups

The master data objects and business processes of Grants Management are protected by standard authorization objects.

US Federal Government uses the authorization concept of the components it uses, such as Funds Management and Materials Management. See also the documentation of Funds Management on the SAP Help Portal at help.sap.com → SAP ERP Central Component → Accounting → Public Sector Management → Funds Management → Authorizations.

Authorization objects for Grantor Management (PSM-GM)

Authorization Object Name

F_PSM_DRUL Rules of Account Assignment Derivation

F_PSM_DSTR Strategy of Account Assignment Derivation

Network and Communication Security

Public Sector Management communicates with the following components:

● Human Capital Management (HCM) as part of the scenario Position Budgeting and Control

● SAP Enterprise Buyer (EBP)

● Customer Relationship Management (CRM) as part of the Scenario Grantor Management

The communication with these internal SAP components takes place via Remote Function Call (RFC). See the corresponding sections in the RFC/ICF Security Guide on the SAP Service Marketplace, under the Internet address service.sap.com/securityguide → SAP NetWeaver Security Guide → Security Aspects for Connectivity and Interoperability.

The US Federal Government has both payment and collection outbound interfaces at its disposal for Treasury Confirmation and Intragovernment Payment and Collections (IPAC). This outbound interface uses payment methods and flat files.

The inbound interface of the Central Contractor Registration (CCR) uses IDocs.

Data Storage Security

Public Sector Management supports payments by payment card. As this process does not have a key role in Public Sector Management and customers have not yet required the encryption of card numbers, Public Sector Management does not provide encryption for payment card numbers at the moment.

More Security Information

Authorization checks only take place in Public Sector Management and Funds Management when the authorization group of a master data object is entered. To ensure that an adequate check is carried out, SAP recommends that you define the affected fields as required entry fields in the field status control. You define this setting in the implementation guide of Public Sector Management:

● Funds Management-Specific Postings → Earmarked Funds and Funds Transfers → Field Control for Earmarked Funds and Funds Transfers → Define Field Status Variant/Assign Field Status Variant to Company Code/Define Field Status Groups

● Actual and Commitment Update/Integration → Integration → Maintain Field Status for Assigning FM Account Assignments

For more information, see the documentation on Funds Management on the SAP Help Portal at help.sap.com → ERP Central Component → Accounting → Public Sector Management.

For Grants Management, note the following system settings in the implementation guide of Public Sector Management, under Funds Management Government → Master Data → Grant:

● GM Grant Control: Field Group for Authorizations

● Maintain Grant Authorization Types

● Maintain Grant Authorization Groups


You can enhance the authorization concept using the following BAdI:

BAdI Name

GM_AUTHORITY_CHECK Grants Management: Authorization Check

GM_BILL_AUTHORITY GM: User authorization for billing for DP90 in GM

GM_POST_AUTHORITY Grants Management coding block authorization check

Logistics

Materials Management (MM)

Purchasing and Service Industries (MM-PUR, MM-SRV)

Authorizations

Standard Roles

You can implement the following standard roles for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) in the SAP Enterprise Portal:

● Description: Purchasing Agent

● Technical name: pcd:portal_content/com.sap.pct/specialist/com.sap.pct.purch.purchasingagent/com.sap.pct.purch.roles/com.sap.pct.purch.purchasingAgent

Note that this is a role that can only be used in the SAP Enterprise Portal. There are no corresponding roles in the SAP ECC backend.

Profile

The following table shows the security-relevant profiles used by the components Purchasing and Service Industries.

Profiles: Purchasing, Service Industries

Profile Description

M_ANFR_ALL MM Purchasing – RFQs: Maintenance Authorization

M_ANFR_ANZ MM Purchasing – RFQs: Display Authorization

M_ANGE_ALL MM Purchasing: Quotations: Maintenance Authorization

M_ANGE_ANZ MM Purchasing: Quotations: Display Authorization

M_BANF_ALL MM Purchasing – Requisitions: Maintenance Authorization

M_BANF_ANZ MM Purchasing: Requisitions: Display Authorization

M_BEST_ALL MM Purchasing – Purchase Orders: Maintenance Authorization


M_BEST_ANZ MM Purchasing: Purchase Orders: Display Authorization

M_EBEL_ANZ MM Purchasing – Display Order Documents

M_EINF_ALL MM Purchasing: Info Records: Maintenance Authorization

M_EINF_ANZ MM Purchasing: Info Records: Display Authorization

M_EINK_ALL MM Purchasing – Complete: Maintenance Authorizations

M_EINK_ANZ MM Purchasing – Complete: Display Authorizations

M_LPET_ALL MM Purchasing: Sched. Agmt. Delivery Schedules: Maint. Auth.

M_LPET_ANZ MM Purchasing: Sched. Agmt. Delivery Schedules: Displ. Auth.

M_RAHM_ALL MM Purchasing: Outline Agreements: Maintenance Authorization

M_RAHM_ANZ MM Purchasing: Outline Agreement: Display Authorization

M_SRV_ALL Service Master Data: All Authorizations

Standard Authorization Objects

The following table shows the security-relevant authorization objects used by the components Purchasing and Service Industries.

Standard Authorization Objects: Purchasing, Service Industries

Authorization Object Description

M_AMPL_ALL Approved Manufacturer Parts List

M_AMPL_WRK Approved Manufacturer Parts List - Plant

M_ANFR_BSA Document Type in RFQ

M_ANFR_EKG Purchasing Group in RFQ

M_ANFR_EKO Purchasing Organization in RFQ

M_ANFR_WRK Plant in RFQ

M_ANGB_BSA Document Type in Quotation

M_ANGB_EKG Purchasing Group in Quotation

M_ANGB_EKO Purchasing Organization in Quotation

M_ANGB_WRK Plant in Quotation

M_BANF_BSA Document Type in Purchase Requisition

M_BANF_EKG Purchasing Group in Purchase Requisition

M_BANF_EKO Purchasing Organization in Purchase Requisition

M_BANF_FRG Release Code in Purchase Requisition

M_BANF_WRK Plant in Purchase Requisition

M_BEST_BSA Document Type in Order

M_BEST_EKG Purchasing Group in Purchase Order

M_BEST_EKO Purchasing Organization in Purchase Order

M_BEST_WRK Plant in Purchase Order

M_EINF_EKG Purchasing Group in Purchasing Info Record


M_EINF_EKO Purchasing Organization in Purchasing Info Record

M_EINF_WRK Plant in Purchasing Info Record

M_EINK_FRG Release Code and Group (Purchasing)

M_LFM1_EKO Purchasing Organization in Vendor Master Record

M_LIBE_EKO Vendor Evaluation

M_LPET_BSA Document Type in Scheduling Agreement Delivery Schedule

M_LPET_EKG Purchasing Group in Scheduling Agreement Delivery Schedule

M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule

M_LPET_WRK Plant in Scheduling Agreement Delivery Schedule

M_ORDR_EKO Purchasing Organization in Source List

M_ORDR_WRK Plant in Source List

M_QUOT_EKO Purchasing Organization (Quotas)

M_QUOT_WRK Plant (Quotas)

M_RAHM_BSA Document Type in Outline Agreement

M_RAHM_EKG Purchasing Group in Outline Agreement

M_RAHM_EKO Purchasing Organization in Outline Agreement

M_RAHM_WRK Plant in Outline Agreement

M_SRV_LS Authorization for Maintenance of Service Master

M_SRV_LV Authorization for Maintenance of Model Serv. Specifications

M_SRV_ST Authorization for Maintenance of Standard Service Catalog

S_ME_SYNC Mobile Engine: Synchronization of Offline Applications

V_KONH_EKO Purchasing Organization in Master Condition

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. All special aspects relevant to network and communication security for the components Purchasing (MM-PUR) and Service Industries (MM-SRV) are described below. See also the information about SAP ECC under Network and Communication Security [page 17].

Communication Channel Security

The table below shows the communication paths used by the Purchasing and Service Industries components, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
SAP ECC system – Non-SAP system | RFC, HTTP | Application data/IDocs (messages for store order, store goods receipt, outgoing purchase order) | -
SAP ECC system – Adobe Document Services (ADS) | HTTP | Application data (printer output from ERP purchasing, for example, purchase order printout) | Price, delivery and payment conditions, and contract numbers, for example, should be able to be transferred encrypted. The necessary security measures depend on whether you have installed ADS behind or in front of the firewall.
Supplier Portal (mySAP Supplier Relationship Management) → SAP ECC system | RFC, HTTP | Application data (purchase order confirmations) for Supplier Self-Service (SUS) | Quantities, dates, prices
SAP ECC system – SAP APO system | RFC | Application data (conditions/purchase orders) | Depends on whether you have placed SAP SCM and SAP ECC in front of, or behind, the firewall.
SAP ECC system – SAP SCM system (Event Manager) | RFC | Application data | Quantities, dates

You can protect RFC connections using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information about encryption, see:

● General information about encryption

SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security

● Encryption of ALE data

SAP NetWeaver security guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)

● Encryption via SUS output

mySAP SRM Application security guide on SAP Service Marketplace at service.sap.com/securityguide → mySAP Supplier Relationship Management (SRM) Security Guide → Network and Communication Security

For more information about communication channel security between SAP ECC systems and SAP Supply Chain Management systems (SAP SCM systems), see the SAP SCM security guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide → Network and Communication Security.

Data Storage Security

Check whether the conditions are classified as sensitive data. You can protect conditions with the following authorization objects:

Authorization Objects for Conditions

Authorization Object Description

V_KONH_EKO Purchasing Organization in Master Condition

V_KONH_VKS Condition: Authorization for Condition Types

Inventory Management (MM-IM)

Authorizations

Standard Roles

The following table shows the standard roles that you can use for the Inventory Management (MM-IM) component.

Standard Roles

Role Description

SAP_MM_IM_ARCHIVING Archive Material Documents

SAP_MM_IM_BALANCE_LIST GR/IR Balance List

SAP_MM_IM_CYCLE_COUNTING Cycle Counting

SAP_MM_IM_DISPLAY List Display

SAP_MM_IM_GM_FOR_RETAIL Goods Movement (Retail)

SAP_MM_IM_GOODS_MOVEMENTS Goods Movement

SAP_MM_IM_GOODS_MOVEMENT_EMPTY Goods Movement

SAP_MM_IM_INVENTORY_ARCHIVE Physical Inventory Archiving

SAP_MM_IM_INVENTORY_CONTROL Physical Inventory

SAP_MM_IM_INVENTORY_EXECUTION Physical Inventory Execution

SAP_MM_IM_INVENTORY_REPORTING Physical Inventory - Reporting

SAP_MM_IM_INVENTORY_SAMPLING Physical Inventory Sampling

SAP_MM_IM_PERIODIC_PROCESSING Periodic Processing

SAP_MM_IM_REPORTS Reports

SAP_MM_IM_RESERVATION_MAINTAIN Reservations

SAP_MM_IM_VENDOR_CONSIGNMENT Vendor Consignment

Standard Authorization Objects

The following table shows the standard authorization objects that you can use for the Inventory Management (MM-IM) component.

Standard Authorization Objects: Inventory Management

Authorization Object Description

M_ISEG_WDB Phys. Inv: Difference Posting in Plant

M_ISEG_WIB Phys. Inv: Phys. Inv Document in Plant

M_ISEG_WZL Phys. Inv: Count in Plant

M_ISEG_WZB Phys. Inv: Count and Difference Posting in Plant

M_MSEG_BMB Material Documents: Movement Type

M_MBNK_ALL Material Documents: Number Range Maintenance

M_MSEG_WMB Material Documents: Plant


M_MRES_BWA Reservations: Movement Type

M_MRES_WWA Reservations: Plant

M_MWOF_ACT Control for Split Valuation of Value (MBWO)

M_SKPF_VGA Inventory Sampling: Transaction

M_SKPF_WRK Inventory Sampling: Plant

M_MSEG_BWA Goods Movement: Movement Type

M_MSEG_LGO Goods Movement: Storage Location

M_MSEG_WWA Goods Movements: Plant

M_MSEG_BWF Goods Receipt for Production Order: Movement Type

M_MSEG_WWF Goods Receipt for Production Order: Plant

M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type

M_MSEG_WWE Goods Receipt for Purchase Order: Plant

Logistics Invoice Verification (MM-IV)

Authorizations

Standard Roles

The following table shows the standard roles that you can use for the Logistics Invoice Verification (MM-IV) component.

Standard Roles: Logistics Invoice Verification

Role Description

SAP_MM_IV_CLERK_AUTO Automatic Settlements

SAP_MM_IV_CLERK_BATCH1 Enter Invoices for Verification in the Background

SAP_MM_IV_CLERK_BATCH2 Manual Processing of Invoices Verified in the Background

SAP_MM_IV_CLERK_GRIR_MAINTAIN GR/IR Clearing Account Maintenance

SAP_MM_IV_CLERK_GRIR_MAITAIN GR/IR Clearing Account Maintenance

SAP_MM_IV_CLERK_ONLINE Online Invoice Verification

SAP_MM_IV_CLERK_PARK Park Invoices

SAP_MM_IV_CLERK_RELEASE Invoice Release

SAP_MM_IV_SUPPLIER_FINANCE Settlement Information for Vendor (External Supplier) on the Internet

SAP_MM_IV_CLERK_AUTO Automatic Settlements

Standard Authorization Objects

The following table shows the standard authorization objects that you can use for the Logistics Invoice Verification (MM-IV) component.

Standard Authorization Objects: Logistics Invoice Verification

Authorization Object Description

M_RECH_WRK Invoices: Plant

M_RECH_AKZ Invoices: Accept Invoice Verification Differences Manually

M_RECH_EKG Invoice Release: Purchasing Group

M_RECH_SPG Invoices: Blocking Reasons

Product Lifecycle Management (PLM)

Authorizations

The applications in Product Lifecycle Management (PLM) use the following objects for the authorization checks:

● Composite roles

● Standard roles

● Profile

● Authorization objects

Composite roles

The following table shows the composite roles used by applications in PLM.

Composite Role Description

SAP_EHS_IHS_SPECIALIST Industrial Hygiene and Safety Professional

SAP_WP_BD_ADMIN EH&S Administrator

Standard roles

The following tables show the standard roles used by applications in PLM.

Roles: Cross-Application (CA)

Role Description

SAP_CA_CL_DISPLAY Product Data Management – Display Classification Information

SAP_CA_CL_MAINTAIN Product Data Management: Classification

SAP_CA_DMS_ADMIN Administration Tasks in DMS

SAP_CA_DMS_DISPLAY Product Data Management: Displaying Documents


SAP_CA_DMS_MAINTAIN Product Data Management: Classification

SAP_CA_NO_NOTIF_GENERAL General Notification Processing

SAP_CA_NO_NOTIF_ISR Creation of Internal Service Request

SAP_CA_NO_NOTIFVIAWEB_EXT General Notification Creation on Web

SAP_CA_NO_NOTIFVIAWEB_INT General Notification Creation on the Web - Link

Roles: Customer Service (CS)

Role Description

SAP_CS_AG_CUST_ORDER_COMPLETE Processing of Sales Order Settlement and Billing Document

SAP_CS_AG_CUST_ORDER_DISPLAY Display of Service Agreements, Sales Orders and Billing Documents

SAP_CS_AG_CUST_ORDER_PROCESS Processing of Sales Order and Customer Repair Order

SAP_CS_AG_PROCESS Processing of Service Agreements

SAP_CS_AG_WARRANTIES_DISPLAY Display Warranties

SAP_CS_AG_WARRANTIES_PROCESS Processing of Warranties

SAP_CS_CI_ADMIN Customer Interaction Center Administration

SAP_CS_CI_AGENT Customer Interaction Center (Front Office)

SAP_CS_CI_INFOSYSTEM Contact History for Groups and Agents

SAP_CS_CM_SOL_DATA_BASE_PROC Processing of Solution Database

SAP_CS_IB_INSTALLED_BASE_DISPL Display of Installed Base

SAP_CS_IB_INSTALLED_BASE_PROC Processing of Installed Base

SAP_CS_SE_DISPLAY_NOTIF_ORDERS Display of Service Notifications and Orders

SAP_CS_SE_PROCESS_NOTIF_ORDERS Processing of Service Notifications and Orders

Roles: Environment, Health & Safety (EH&S)

Role Description

SAP_EHS_BD_UTIL Tools

SAP_EHS_DGP_DATABASEFILLING Dangerous Goods Master Filling

SAP_EHS_DGP_DATASENDING Data Distribution – Dangerous Goods

SAP_EHS_DGP_DATATRANSFER Data Transfer, External – Dangerous Goods

SAP_EHS_DGP_DISPLAYLIST Dangerous Goods Master Lists

SAP_EHS_DGP_MASTERDATA Dangerous Goods Master Management

SAP_EHS_DGP_MASTERDATASHOW Dangerous Goods Master Information

SAP_EHS_DGP_PHRASES Dangerous Goods Text Module Management

SAP_EHS_DGP_REPORTINFO Report Information System – Dangerous Goods

SAP_EHS_DGP_SUBSTANCEDATA Dangerous Goods Basic Data Management

SAP_EHS_HSM_AGENT Agent

SAP_EHS_HSM_INFO Reporting


SAP_EHS_HSM_LABEL Global Label Management

SAP_EHS_HSM_MATERIA Material

SAP_EHS_HSM_REPORT Report

SAP_EHS_HSM_SUBSTANCE Substance

SAP_EHS_HSM_WORKAREA Work Area

SAP_EHS_IHS_AGENT Agent Management

SAP_EHS_IHS_AMOUNTDETERMIATION Amount Determination

SAP_EHS_IHS_BUSINESSPARTNER Business Partners – Industrial Hygiene and Safety

SAP_EHS_IHS_EXPOSURELOG Exposure Log

SAP_EHS_IHS_INCIDENTLOG Incident/Accident Management

SAP_EHS_IHS_INFOSYSTEM Industrial Hygiene and Safety Reporting

SAP_EHS_IHS_INJURYLOG Injury/Illness Log

SAP_EHS_IHS_PHRASES Phrase Management – Industrial Hygiene and Safety

SAP_EHS_IHS_REPORTINFO Report Information System – Industrial Hygiene and Safety

SAP_EHS_IHS_RISKASSESSMENT Risk Assessment

SAP_EHS_IHS_SERVICE Service

SAP_EHS_IHS_WORKAREA Industrial Hygiene and Safety Professional

SAP_EHS_OH_AMBSERV Work Area Management

SAP_EHS_OH_ASSIGN Person Assignment

SAP_EHS_OH_BUPT Business Partners – Occupational Health

SAP_EHS_OH_EVAL Reporting

SAP_EHS_OH_EVAL_NEW Reporting

SAP_EHS_OH_EXAM Examinations and Tests

SAP_EHS_OH_IMPORT Medical Data Import

SAP_EHS_OH_INJURYLOG Incident/Accident Log and Injury/Illness Log

SAP_EHS_OH_MEDSERV Medical Services

SAP_EHS_OH_PERSSEL Person Selection and Scheduling

SAP_EHS_OH_QUEST Question Catalogs and Questionnaires

SAP_EHS_OH_SERVICE Industrial Hygiene and Safety Link

SAP_EHS_OH_SET Current Settings

SAP_EHS_SAF_UTIL Tools

SAP_EHS_SAF_SUBSTANCESHOW Specification Display

SAP_EHS_SAF_SUBSTANCEINFO Specification Information System

SAP_EHS_SAF_SUBSTANCEDATA Substance

SAP_EHS_SAF_REPORTSHOW EH&S Report Information System

SAP_EHS_SAF_REPORTSHIPPING Report Shipping


SAP_EHS_SAF_REPORTINFO Report Information System – Product Safety

SAP_EHS_SAF_REPORTGENERATION Report Definition

SAP_EHS_SAF_REPORTEDIT Report

SAP_EHS_SAF_PHRASES Phrase Management – Product Safety

SAP_EHS_SAF_LABEL Global Label Management

SAP_EHS_SAF_DATATRANSFER Data Transfer, External – Product Safety

SAP_EHS_SAF_DATASENDING Data Distribution

SAP_EHS_SAF_BOMBOS Bill of Materials Composition

SAP_EHS_WA_BUSINESSPARTNER Waste Management Business Partner

SAP_EHS_WA_DATATRANSFER Data Transfer, External – Waste Management

SAP_EHS_WA_DISPOSAL_DOCUMENTS Disposal Documents

SAP_EHS_WA_DISPOSAL_PROCESSING Disposal Processing

SAP_EHS_WA_EHSW_1 Report Tree – Waste Management

SAP_EHS_WA_INFOSYSTEM Waste Information System

SAP_EHS_WA_REPORTEDIT Report Management - Waste Management

SAP_EHS_WA_REPORTGENERATION Report Creation – Waste Management

SAP_EHS_WA_REPORTSHIPPING Report Shipping - Waste Management

SAP_EHS_WA_WASTE_SPEZIFICATION Master Data - Specification

SAP_EHS_WA_WASTECODE Waste Codes

SAP_EHS_WA_WASTEINFO Waste Information

SAP_WP_BD_ADMIN EH&S Administrator

SAP_WP_DG_SPECIALIST Dangerous Goods Specialist

SAP_WP_HSM_SPECIALIST Hazardous Substance Manager

SAP_WP_IHS_SPECIALIST Industrial Hygiene and Safety Professional

SAP_WP_OH_PHYSICIAN Occupational Physician

SAP_WP_PS_SPECIALIST Product Safety Specialist

Roles: Logistics (LO)

Role Description

SAP_LO_ECH_MAINTAIN Engineering Change Management

SAP_LO_EMPLOYEE Employee Self-Service (LO)

SAP_LO_MD_BOM_DISPLAY Complete BOM Display

SAP_LO_MD_BOM_MAINTAIN Complete BOM Processing

SAP_LO_MD_CUSTOMER_DISPLAY Display Customer Master

SAP_LO_MD_CUSTOMER_MAINTAIN Customer Master Maintenance

SAP_LO_MD_MBOM_MAINTAIN Material BOM Processing

SAP_LO_MD_MM_MATERIAL_DISPLAY Display Material Master Data

SAP_LO_MD_MM_MATERIAL_DISPLAY Maintain Material Master


SAP_LO_MD_OBOM_MAINTAIN Order BOM Processing

SAP_LO_MD_PBOM_MAINTAIN WBS BOM Processing

SAP_LO_MD_SERIAL_NO_DISPLAY Display of Serial Numbers

SAP_LO_MD_SERIAL_NO_PROCESS Processing of Serial Numbers

SAP_LO_MD_VENDOR_DISPLAY Display Vendor Master

SAP_LO_MD_VENDOR_MAINTAIN Vendor Master Maintenance

SAP_LO_PP_RTG_DISPLAY Routing Display

SAP_LO_PP_RTG_MAINTAIN Routing Maintenance

SAP_LO_VC_DEP_MAINTAIN Variant Configuration Modeling

SAP_LO_VC_ESALES Connection to CRM

SAP_LO_VC_MAINTAIN Complete Variant Configuration

SAP_LO_VC_ORDER_PROC Order Processing – Variant Configuration

SAP_LO_VC_SIMULATION Variant Configuration Simulation

Roles: Plant Maintenance (PM)

Role Description

SAP_PM_ALM_ME_ADMINISTRATOR Asset Life-Cycle Management - Administrator (Mobile Engine)

SAP_PM_ALM_ME_ENGINEER Asset Life-Cycle Management - Administrator (Mobile Engine)

SAP_PM_DATATRANSFER Data Transfer and Download Structure for Plant Maintenance

SAP_PM_EQM_BILL_OF_MAT_DISPL Display of Bill of Material

SAP_PM_EQM_BILL_OF_MAT_PROC Processing of Bill of Material

SAP_PM_EQM_EQUIPMENT_DISPLAY Display of Equipment

SAP_PM_EQM_EQUIPMENT_PROCESS Processing of Equipment

SAP_PM_EQM_FUNC_LOC_DISPLAY Display of Functional Location

SAP_PM_EQM_FUNC_LOC_PROCESS Processing of Functional Location

SAP_PM_EQM_ME_READ_LIST_DISPL Display of Measurement Reading Entry List

SAP_PM_EQM_ME_READ_LIST_PROC Processing of Measurement Reading Entry List

SAP_PM_EQM_MEAS_POINTS_DISPLAY Display of Measuring Points

SAP_PM_EQM_MEAS_POINTS_PROCESS Processing of Measuring Points

SAP_PM_EQM_PERMITS_ISSUE_DISPL Issue and Display of Permits

SAP_PM_EQM_PERMITS_PROCESS Processing of Permits

SAP_PM_EQM_PROCESS_OBJECT_LINK Processing of Object Link

SAP_PM_EQM_PROD_RESOURC_DISPL Display of Production Resources and Tools

SAP_PM_EQM_PROD_RESOURC_PROC Processing of Production Resources and Tools

SAP_PM_EQM_REF_FUNC_LOC_PROC Processing of Reference Location

SAP_PM_EQM_WORK_CENT_EVALUATE Evaluation of Work Centers


SAP_PM_EQM_WORK_CENTERS_DISPL Display of Work Centers

SAP_PM_EQM_WORK_CENTERS_PROC Processing of Work Centers

SAP_PM_IS_INFO-SYSTEM_CONFIG Configuration of Information System

SAP_PM_IS_TASKS_ANALYSIS_PERF Execution of Analyses

SAP_PM_PRM_MAIN_PLANS_DISPLAY Display of Maintenance Plans

SAP_PM_PRM_MAIN_PLANS_REV_PROC Processing of Maintenance Plans and Revisions

SAP_PM_PRM_MAIN_PLANS_SCHEDULE Scheduling of Maintenance Plans

SAP_PM_PRM_TASKS_LISTS_DISPLAY Display of Task Lists

SAP_PM_PRM_TASKS_LISTS_PROCESS Processing of Task Lists

SAP_PM_WOC_COMP_CONF_DIS Display of Completion Confirmation

SAP_PM_WOC_COMP_CONF_PROC_CANC Processing and Cancellation of Completion Confirmation

SAP_PM_WOC_CONF_POSTPROC Postprocessing of Completion Confirmation

SAP_PM_WOC_HISTORICAL_ORD_DISP Display of Historical Orders

SAP_PM_WOC_HISTORICAL_ORD_PROC Processing of Historical Orders

SAP_PM_WOC_MEAS_DOC_DISPLAY Display of Measurement Documents

SAP_PM_WOC_MEAS_DOC_MAINTAIN Processing of Measurement Documents

SAP_PM_WOC_NOTIFICATION_DISPL Display of Notification

SAP_PM_WOC_NOTIFICATION_PP Creation of Notification

SAP_PM_WOC_NOTIFICATION_PROC Processing of Notification

SAP_PM_WOC_ORDER_DISPLAY Display of Order

SAP_PM_WOC_ORDER_PROCESS Processing of Order

SAP_PM_WOC_ORDER_SCHEDULE Scheduling of Order

SAP_PM_WOC_PROCESS_PLANNING Resource Planning

SAP_PM_WOC_REFURBISHM_ORD_PROC Processing of Refurbishment Order

SAP_PM_WOC_WCM_ENGINEER Safety Engineer

SAP_PM_WOC_WCM_INFO Information Functions for Work Clearance Management

SAP_PM_WOC_WCM_PLANNER Work Clearance Planner

SAP_PM_WOC_WCM_REQUESTER Work Clearance Requester

SAP_PM_WOC_WORK_MANAGEMENT Work Management in Plant Maintenance and Customer Service

Roles: Project System

Role Description

SAP_PS_ARCHIVING Archive Project Data

SAP_PS_BASIC_WRKPL Work Center Master Data

SAP_PS_BASIC_WRKPL_DISPL Display Work Center Master Data

SAP_PS_BUDGET_PROJ Project Budgeting


SAP_PS_CLAIM Collaboration

SAP_PS_CEP Claim Management

SAP_PS_CO_MODEL_PROJ Allocation Templates

SAP_PS_CONFIRM Confirm

SAP_PS_DATES Project Dates

SAP_PS_DATES_DISPLAY Display Project Dates

SAP_PS_DOCUMENTS Documents

SAP_PS_DOCUMENTS_DISPLAY Display Documents

SAP_PS_EXECUTE_CO_REPORTS Execute Controlling Reports

SAP_PS_FUNDS_COMMITMENT Display Project Dates

SAP_PS_GROUPING Requirements Grouping

SAP_PS_LINE_MANAGER PS Input for the Line Manager Generic Role

SAP_PS_MASS_CHANGE Mass Change

SAP_PS_MATERIAL Material in Projects

SAP_PS_MATERIAL_DISPL Display Material in Projects

SAP_PS_MONITOR_MAT_DATES Monitoring Dates for Material

SAP_PS_OVERALL_CO_PLAN_PROJ Overall CO Planning for Projects

SAP_PS_PAYMENTS_ACTUAL Actual Project Payments

SAP_PS_PAYMENTS_PLAN Planned Project Payments

SAP_PS_PER_CO_PLAN_PROJ Periodic CO Planning for Projects

SAP_PS_PEREND_PROJ_COLL Period-End Closing – Collective Project Processing

SAP_PS_PEREND_PROJ_IND Period-End Closing – Individual Project Processing

SAP_PS_PEREND_PROJ_PAYMENT Payment Transfer to Period

SAP_PS_PEREND_PROJ_WLM Worklist for Period

SAP_PS_PERS_RES_EVAL Evaluate Personnel Resources

SAP_PS_PERS_RES_PLAN Plan Personnel Resources

SAP_PS_PROGRESS Progress Determination

SAP_PS_PROJ_YEAREND Year-End Closing for Projects

SAP_PS_REP_CLAIM Claim Reports

SAP_PS_REP_COST_SUMMARIZ Summarized Cost Reports

SAP_PS_REP_COSTS Cost Reports

SAP_PS_REP_LINE_ITEM Line Item Reports

SAP_PS_REP_MATERIAL Material Reports

SAP_PS_REP_PAYMENTS Payment Reports

SAP_PS_REP_PROGRESS Progress Reports

SAP_PS_REP_REVENUES Revenue and Profitability Reports

SAP_PS_REP_STRUCT Structure Reports

SAP_PS_REP_TOOLS Information System - Tools


SAP_PS_RM_ADMINISTRATOR Administrator for Public Sector Records Management

SAP_PS_RM_HEAD Manager Public Sector Records Management

SAP_PS_RM_REGISTRAR Recorder for Public Sector Records Management

SAP_PS_RM_USER Processor Public Sector Records Management

SAP_PS_SALES_PRICING Calculate Sales Price

SAP_PS_STD_STRUCT Standard Structures

SAP_PS_STD_STRUCT_DISPL Display Standard Structures

SAP_PS_STRUCT Project Structures

SAP_PS_STRUCT_DISPL Display Project Structures

SAP_PS_TRANSFER_PRICE_ACTUAL Actual Transfer Prices

SAP_PS_TRANSFER_PRICE_PLAN Plan Transfer Prices

Roles: Quality Management (QM)

Role Description

SAP_QM_ADMIN Administrator

SAP_QM_BATCH_INFO Display of Batch Data

SAP_QM_CA_CERTVIAWEB_EXT Processing Certificates on the Web

SAP_QM_CA_CERTVIAWEB_INT Link: Certificates on the Web

SAP_QM_CA_INCOMING_CERT Monitoring of Certificate Receipt

SAP_QM_CA_OUTCERT_MAINT Administration of Certificate Master Data

SAP_QM_CA_OUTGOING_CERT Creation of Certificates in Sales and Distribution

SAP_QM_IM_COSTS Administration of QM Orders

SAP_QM_IM_COSTS_DISPLAY Display of Quality-Related Costs

SAP_QM_IM_DEFECTS_REC Defects Recording

SAP_QM_IM_LOT_COMPLETION Inspection Lot Completion

SAP_QM_IM_LOT_MAINTAIN Processing of Inspection Lots

SAP_QM_IM_QMANAG_WORKLIST Worklist for Quality Managers

SAP_QM_IM_QPLANNER_INSP Inspection Processing by Quality Planner

SAP_QM_IM_RES_REC Results Recording

SAP_QM_IM_RESULTSVIAWEB_EXT Results Recording on the Web

SAP_QM_IM_RESULTSVIAWEB_INT Link: Results Recording on the Web

SAP_QM_IM_SAMPLE Sample Management

SAP_QM_IT_CALIB_INFO Calibration Information

SAP_QM_IT_CALIB_INSP Calibration Inspection

SAP_QM_IT_CALIB_PLANNING Calibration Planning

SAP_QM_IT_CALIB_PROCUREMENT Procurement of Test Equipment

SAP_QM_IT_EQUI_MAINTAIN Maintenance of Test Equipment

SAP_QM_IT_PM_NOTIF Processing of Maintenance Notifications


SAP_QM_PP_OPERATOR Production Worker

SAP_QM_PP_SUPERVISOR Production Supervisor

SAP_QM_PT_BASIC_DATA Maintenance of Basic Data

SAP_QM_PT_CHANGE_MANAG_DISPLAY Change Management - Display

SAP_QM_PT_IPLANNING Inspection Planning

SAP_QM_PT_LOG_MASTER_DISPLAY Logistics Master Data - Display

SAP_QM_PT_LOG_MASTER_MAINT Logistics Master Data - Edit

SAP_QM_PT_MAT_MANAG_DISPLAY Display of Materials Management Information

SAP_QM_PT_QMANAG_MASTER_DISP Display of Logistics Master Data for Quality Managers

SAP_QM_QC_CONTROL_ALL General Quality Control

SAP_QM_QC_QMIS Quality Evaluations (QMIS)

SAP_QM_QC_QMIS_ALL General Quality Evaluations (QMIS)

SAP_QM_QMANAG_GR Quality Manager – Goods Receipt

SAP_QM_QMANAG_PP Quality Manager - Production

SAP_QM_QN_NOTIF_BASIC Extended Processing of Notifications

SAP_QM_QN_NOTIF_DISPLAY Display of Quality Notifications

SAP_QM_QN_NOTIF_MAINT Processing of Notifications

SAP_QM_QN_NOTIFVIAWEB_EXT Notifications on the Web – Processing

SAP_QM_QN_NOTIFVIAWEB_INT Link: Notifications on the Web

SAP_QM_QN_TASK_MAINT Processing of Tasks

SAP_QM_QN_TASK_PROCESSOR Task Processor

Roles: General

Role Description

SAP_MM_SE_CLERK Service Entry Clerk

SAP_PLMIFO_MAT_MAINTAIN Material Master Maintenance plus RFC Authorization

SAP_PP_BD_RTG_DISPLAY Routing Display

SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance

SAP_PP_PS_PRT Project System – Production Resources/Tools

SAP_PP_SFC_OCM Production Order - Order Change Management

Profiles The following table shows the profiles used by applications in PLM. For some applications there are several profiles that begin with the same character string; in that case the table lists the common starting string followed by the wildcard character * in place of the individual profiles. You can display all the profiles in the profile list (transaction SU02).


Profile Description

B_MASSMAIN Mass maintenance tool

C_A.AV Composite profile for person in charge of work scheduling

C_A.KONSTRUK Composite profile for person in charge of engineering/design

C_AENR_* List of profiles for change management

C_ALL PP: All authorizations for master data/classif. system

C_CAP_ALL All authorizations for standard value calculation with CAPP

C_CV_ALL All authorizations for Document Management

C_EHSH_* List of profiles for occupational health

C_EHSH_* List of profiles for EH&S

C_FHMI_* List of profiles for production resources/tools

C_MSTL_* List of profiles for material BOMs

C_PS_* List of profiles for Project Systems

C_ROUT_* List of profiles for task lists

C_SHE_* List of profiles for EH&S

E_CS_* List of profiles for EC-CS

I_PM_* List of profiles for Plant Maintenance

M_* List of profiles for Materials Management

Q_* List of profiles for Quality Management

Z_CUSMM01 Maintain Customizing for MM

Z_CUSMM02 Display Customizing for MM

Z_CUSPM01 Maintain Customizing for PM

Z_CUSPM02 Display Customizing for PM

Z_CUSPP01 Maintain Customizing for PP

Z_CUSPP02 Display Customizing for PP

Z_CUSPS01 Maintain Customizing for PS

Z_CUSPS02 Display Customizing for PS

Z_CUSQM01 Maintain Customizing for QM

Z_CUSQM02 Display Customizing for QM

Authorization objects All the authorization objects of an application are grouped into one object class. You can display the authorization objects in Role Maintenance (transaction PFCG) by choosing Environment → Authorization Objects → Display.

The following table shows the object classes for the authorization objects used by applications in PLM.


Object Classes for Authorization Objects

Object Class Description

CLAS Classification

CV Document Management

EHS EH&S

LO Logistics - General (only the authorization objects for variant configuration, character string C_LOVC_*)

MM_G Materials Management – Master Data

MM_S Materials Management – External Services

PM Plant Maintenance

PP Production Planning

Authorization objects for the following applications:

• Change management (character string C_AENR_*)

• Task lists (character string C_ROUT*)

• BOMs (character string C_STUE_*)

PS Project System

QA Quality Management

Communication Destinations The SAP standard system does not supply any communication destinations for Product Lifecycle Management (PLM). In the area of CAD integration, an external CAD system initiates communication with the SAP system, and the SAP system is then called back via a callback. This communication takes place via Remote Function Call (RFC).

Important SAP Notes Note the following SAP Notes with security-related information.

SAP Note Short Text

13128 General info on authorizations in Project System

24441 CR134 No authorization to reflect change in HR

35100 Changing BOMs with hist. requirement w/o change no.

40586 No authorization for maintaining view V_QDEB

61886 SAP enhancement CNEX0002: No authorization

67713 Authorization check in routing with C_ROUT

192748 Creating PM order for notif. w/o IW34 authorization

198079 No check of authorization S_TCODE for CALL

327801 IW22: Authorization K_ORDER


332997 PS-IS: Authorization check for BEBD

368574 PM/CS Authorization Check

371269 ECH: Authorizations for Customizing parameter

379041 Authorization check for multi-level equipment list

385510 Authorization for EDI translator/middleware

407758 Authorization for evaluations of notifications

414858 Authorization check for mass change

420878 BOM change without change number possible

424731 Component assignment without BOM history

426494 Differentiation of history requirement

457086 OINI: No authorization for changing

522426 Consulting: Authorizations in the Project System

532231 Data transfer and authorization concept

554415 FAQ 2: Authorization check

555812 CDESK: CAD desktop: Required authorizations

558586 Authorization check for mass change II

568313 CJ20N, CN22: General layout

568522 Undoing changes in BOM

569048 Undoing changes in BOM

638781 Project authorization via partner functions

671580 PS Cash Management: Customizing for commitment items

755020 Authorization check for EHS report & report template


Manufacturing

Authorizations The applications in Manufacturing use the following objects for the authorization checks:

● Standard Roles

● Profile

● Authorization Objects

Standard Roles The following table shows the standard roles used by applications in Manufacturing.

Roles: Basic Data

Role Description

SAP_PP_BD_RTG_MAINTAIN Work Scheduling - Maintenance

SAP_PP_BD_WKC_DISPLAY Work Center Display

SAP_PP_BD_WKC_MAINTAIN Work Center Maintenance

SAP_PP_MATERIAL_MANAGEMENT Materials Management Production

SAP_PP_PS_PRT Project System – Production Resources/Tools

SAP_LO_PP_RTG_DISPLAY Routing Display

SAP_LO_PP_RTG_MAINTAIN Routing Maintenance

SAP_LO_PP_WRKC_DISPLAY Work Center Display

SAP_LO_PP_WRKC_MAINTAIN Work Center Maintenance

Roles: Capacity Planning (PP-CRP)

Role Description

SAP_PP_CAPA_PLAN Plan Capacities

SAP_PP_CAPA_PLAN Evaluate Capacity Planning

Roles: Kanban (PP-KAB)

Role Description

SAP_PP_KAB_CONTROL KANBAN Control

SAP_PP_KAB_REPORTING KANBAN Evaluation

Roles: Production Planning (PP-MP)

Role Description

SAP_PP_MP_FORECAST Material Forecast

SAP_PP_MP_LONG_TERM_PLANNING Long-Term Planning

SAP_PP_MP_MPS_PLANNING Master Production Scheduling


Roles: Requirements Planning (PP-MRP)

Role Description

SAP_PP_MRP_COORDINATION MRP PP - Coordination

SAP_PP_MRP_EVALUATIONS MRP PP - Evaluation

SAP_PP_MRP_MASTER_DATA MRP PP – Master Data

SAP_PP_MRP_PLANNED_ORDER MRP PP – Planned Order

SAP_PP_MRP_PLANNING MRP PP – Planning Execution

Roles: Production Orders (PP-SFC)

Role Description

SAP_PP_SFC_CONFIRMATIONS Production Order - Confirmations

SAP_PP_SFC_GM Production Order – Goods Movements

SAP_PP_SFC_MAT_MANAGEMENT Production Order – Materials Management

SAP_PP_SFC_OCM Production Order - Order Change Management

SAP_PP_SFC_ORDER_EXCEPTIONS Production Order – Reprocessing

SAP_PP_SFC_ORDERS Production Order – Processing

SAP_PP_SFC_PERFORMANCE Production Order – Production Information System

SAP_PP_SFC_PRODUCTION_OPERATOR Production Operator in Production

SAP_PP_SFC_PRT Production Order – Production Resource/Tool

SAP_PP_SFC_WM Production Order - Warehouse Management

Roles: Repetitive Manufacturing (PP-REM)

Role Description

SAP_PP_REM_CONFIRMATION Repetitive Manufacturing - Backflushing

SAP_PP_REM_MASTERDATACHANGE Repetitive Manufacturing – Change Master Data

SAP_PP_REM_MASTERDATADISPL Repetitive Manufacturing – Display Master Data

SAP_PP_REM_PLANNING Repetitive Manufacturing - Planning

SAP_PP_REM_PRODUCTION Repetitive Manufacturing - Production

SAP_PP_REM_REPORTING Repetitive Manufacturing - Evaluations

Roles: Process Industries (PI)

Role Description

SAP_PP_PI_BATCH_RECORD_EXP Edit Batch Record

SAP_PP_PI_BATCH_RECORD_SUPER Approve Batch Record

SAP_PP_PI_CAPA_EVAL_STD Perform Capacity Evaluations

SAP_PP_PI_CAPACITY_EXP Edit Capacity

SAP_PP_PI_CTRL_RECIPE_EXP Monitor Control Recipe

SAP_PP_PI_CUST_PROCMGMT Customizing for Process Management

SAP_PP_PI_DOWNTIME_EXP Record Downtime


SAP_PP_PI_DOWNTIME_SUPER Settings for Downtimes

SAP_PP_PI_GOODS_MOVE_EXP Enter Goods Movement for Order

SAP_PP_PI_GOODS_MOVE_HU_EXP Enter Goods Movements with Handling Units

SAP_PP_PI_GOODS_MOVE_HU_SUPER Cancel Goods Movements with Handling Units

SAP_PP_PI_MA_BATCH_REC_WL_CUM MiniApp: Worklist for Batch Records - Accumulated

SAP_PP_PI_MA_PI_SHEET_WL_CUM MiniApp: Worklist for PI Sheets - Accumulated

SAP_PP_PI_MA_PROC_ORDER_WL_CUM MiniApp: Worklist for Process Orders - Accumulated

SAP_PP_PI_MASTER_RECIPE_EXP Edit Master Recipe

SAP_PP_PI_MASTER_RECIPE_STD Display Master Recipe

SAP_PP_PI_MAT_STAGING_EXP Execute Material Staging for Order

SAP_PP_PI_MAT_STAGING_STD Display Material Staging for Order

SAP_PP_PI_MFG_COCKPIT_1_EXP Edit Manufacturing Cockpit for Manager/Engineer

SAP_PP_PI_MFG_COCKPIT_2_EXP Edit Manufacturing Cockpit for Plant Manager

SAP_PP_PI_MPARTS_INFO_STD Evaluate Missing Parts Info System

SAP_PP_PI_ORDER_CONF_EXP Enter Order Confirmation

SAP_PP_PI_ORDER_CONF_STD Display Order Confirmation

SAP_PP_PI_ORDER_CONF_SUPER Correct Order Confirmations

SAP_PP_PI_ORDER_INFO_STD Evaluate Order Info System

SAP_PP_PI_ORDER_RECORD_EXP Store Order Record

SAP_PP_PI_ORDER_RECORD_STD Display Order Record

SAP_PP_PI_PI_SHEET_EXP Maintain PI Sheet

SAP_PP_PI_PI_SHEET_SUPER Check PI Sheet and Set to “Technically Complete”

SAP_PP_PI_PROC_MESSAGE_EXP Edit Process Message

SAP_PP_PI_PROC_ORDER_EXP_CHNG Change Process Order

SAP_PP_PI_PROC_ORDER_EXP_CREA Create Process Order

SAP_PP_PI_PROC_ORDER_STD Display Process Order

SAP_PP_PI_PROD_CAMPAIGN_EXP Edit Production Campaign

SAP_PP_PI_PROD_CAMPAIGN_STD Display Production Campaign

SAP_PP_PI_PROD_VERSION_EXP Edit Production Version

SAP_PP_PI_PROD_VERSION_STD Display Production Version

SAP_PP_PI_RESOURCE_EXP Edit Resource

SAP_PP_PI_RESOURCE_STD Display Resource

SAP_PP_PI_RESOURCE_SUPER Resource Settings

SAP_PP_PI_SF_INFO_STD Evaluate Shop Floor Information System

SAP_PP_PI_STD_TEXT_EXP Edit Standard Text

Profiles The following table shows the profiles used by applications in Manufacturing.


Profile Description

C_KANBAN_ALL Profile with All Authorizations for KANBAN Production Control

C_KAPA_ALL PP: Capacity Planning

C_KAPA_ANZ PP Capacity Planning Display Authorizations

C_KAPA_CUST PP: Set & Variables Maintenance for Capacity Planning

C_LFPL_ALL Long-Term Planning: All Authorizations

C_MESS_ALL PP-PI Process Messages: All Authorizations

C_MREC_ALL PP-PI Master Recipe: Authorizations for All Transactions

C_MREC_CHA PP-PI Master Recipe: Change Authorization

C_MREC_CRE PP-PI Master Recipe: Create Authorization

C_MREC_MAT PP-PI Master Recipe: Material Master Update

C_MREC_RPL PP-PI Master Recipe: Authorization for Mass Replacement

C_MREC_SHO PP-PI Master Recipe: Display Authorization

C_MREC_USE PP-PI Master Recipe: Authorization for Where-Used Lists

C_MSTL_ALL PP Material BOMs: Maintenance and Display Authorizations

C_MSTL_ANZ PP Material BOMs: Display Authorizations

C_PBED_ANZ Display Profile for Demand Management

C_PB_ALL Maintenance and Display Authorizations for Demand Mgmt

C_PB_REO Authorization for Reorganization in Demand Management

C_POI_ALL All Authorizations for POI Interface

C_PPPI_ALL PP-PI: All Authorizations for Processing Manufacturing

C_PRCHAR_ALL PP-PI: All Authorizations for Ext. Access to Proc. Charact.

Authorization Objects All the authorization objects of an application are grouped into one object class. You can display the authorization objects in Role Maintenance (transaction PFCG) by choosing Environment → Authorization Objects → Display.

The following table shows the object classes for the authorization objects used by applications in Manufacturing.

Object Classes for Authorization Objects

Object Class Description

PP Production Planning

PPE Integrated Product and Process Engineering


LO Logistics - General

Authorization objects

• C_CF_QUEUE Authorization object for displaying/maintaining contents of CIF queue

• C_PPE_PS iPPE: PS -iPPE interface (Component assignment)

• C_PPE_PS iPPE: PS -iPPE interface (Interface)

Communication Destinations In Manufacturing, the following programming elements are used for communicating with external systems:

● Remote Function Call (RFC)

● Business Integration Programming Interface (BAPI)

It is not necessary to encrypt the data.


Logistics Execution (LE)

Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)

Authorizations Standard Roles The following table shows the standard roles used by the components Decentralized Warehouse Management (LE-IDW), Transportation (LE-TRA), and Shipping (LE-SHP).

Standard Roles

Role Description

SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data

SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint

SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)

SAP_LE_GOODS_ISSUE_DELIVERY Post Goods Issue for Outbound Deliveries

SAP_LE_GOODS_RECEIPT_DELIVERY Post Goods Receipt for Inbound Deliveries

SAP_LE_INB_DELIVERY_DISPLAY Display Inbound Deliveries

SAP_LE_INB_DEL_PROCESSING Process Inbound Deliveries

SAP_LE_INB_MONITORING Monitor Inbound Delivery Process

SAP_LE_INB_STATISTICS Standard Analyses for the Inbound Delivery

SAP_LE_LOAD_DELIVERY Load Outbound Deliveries

SAP_LE_MASTER_DATA_MAINTENANCE Master Data Maintenance

SAP_LE_OUTBOUND_POD Proof of Delivery for Outbound Deliveries (POD)

SAP_LE_OUTB_DELIVERY_DISPLAY Display Outbound Deliveries

SAP_LE_OUTB_DEL_PROCESSING Process Outbound Deliveries

SAP_LE_OUTB_MONITORING Monitor Outbound Delivery Process

SAP_LE_OUTB_STATISTICS Standard Analyses for the Outbound Delivery

SAP_LE_PACKING_DELIVERY Pack Deliveries

SAP_LE_PACKING_STATION Packing Station (WEB)

SAP_LE_PICKING_WAVES Process Wave Picks


SAP_LE_POD_HANDHELD Proof of Delivery in Handheld Terminal from Customer’s View

SAP_LE_POD_WEB Proof of Delivery in Internet from Customer’s View

SAP_LE_R2R3_DECENTRAL_SHIPPING R/2-R/3 Link: Decentralized Shipping

SAP_LE_R2R3_MONITORING R/2-R/3 Link: Monitoring

SAP_LE_SHIPPING_NOTIFICATION Process Inbound Deliveries from Supplier’s View in Internet

SAP_LE_TMS_ARCHIVING Archiving of Transportation and Shipment Cost Documents

SAP_LE_TMS_BACKGROUND Background Transactions in Shipment

SAP_LE_TMS_CAPACITY_ANALYSIS Perform Analyses for Utilization and Free Capacity

SAP_LE_TMS_CARRIER_WEB Internet Transactions for the Forwarding Agent

SAP_LE_TMS_CURRENT_ANALYSIS Perform Current Evaluations for Shipments

SAP_LE_TMS_DISPLAY Display Documents in Shipment

SAP_LE_TMS_EXECUTION Execute Planned Shipments

SAP_LE_TMS_EXTERNAL_TPS Interface to External Transportation Planning System

SAP_LE_TMS_MAINTAIN_SCD Create, Process, and Display Shipment Costs

SAP_LE_TMS_MAINTAIN_SCD_COND Maintain Conditions in Shipment Costs Environment

SAP_LE_TMS_MAINT_SHP_MASTER Maintain Master Data in the Transportation Environment

SAP_LE_TMS_MONITOR_PLANNING Monitor Shipment Planning

SAP_LE_TMS_MONITOR_SHPCOSTS Monitor Shipment Costs Calculation and Settlement

SAP_LE_TMS_OTHERS Other Transportation Transactions (Without Composite Role)

SAP_LE_TMS_PLANNING Create, Change, and Display Shipments

SAP_LE_TMS_RULES Define Rules for Multiple Shipment Creation

SAP_LE_TMS_STATISTIC_ANALYSIS Perform Statistical Analyses for Shipments

SAP_LE_TMS_TP_SERVICE_AGENT Interface for Shipment Planning in Cooperation with Forwarding Agents

SAP_LE_WMS_APPOINTMENTS Door Appointments

SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM

SAP_LE_WMS_INFORMATION Warehouse Information

SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data

SAP_LE_WMS_LOAD Workload in Warehouse

SAP_LE_WMS_MONITORING Warehouse Monitoring

SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM

SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM


SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM

SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM

SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM

SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management

SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM

SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP

SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment

SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM

SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM

SAP_LE_WMS_STATISTICS Analysis in WM

SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM

SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM

SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM

SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM

SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM

SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance

Standard Authorization Objects

The following tables show the security-relevant authorization objects used by the components Decentralized Warehouse Management, Transportation, and Shipping.

Standard Authorization Objects: Decentralized Warehouse Management

Authorization Object Description

L_BWLVS Movement Type in the Warehouse Management System

L_LGNUM Warehouse Number/Storage Type

L_SFUNC Special Functions in Warehouse Management

L_TCODE Transaction Codes in the Warehouse Management System

Standard Authorization Objects: Transportation

Authorization Object Description

V_VFKK_FKA Shipment Cost Processing: Auth. for Shipment Cost Type

V_VTTK_SHT Shipment Processing: Authorization for Shipment Type

V_VTTK_TDL Shipment Processing: Authorization for Forwarding Agents

V_VTTK_TDS Shipment Processing: Auth. for Transport Planning Points

V_VTTK_TSA Transportation Proc.: Authorization for Shipment Type Status


Standard Authorization Objects: Shipping

Authorization Object Description

V_LECI_CKP Checkpoint: Authorization for Checkpoint

V_LIKP_VST Delivery: Authorization for Shipping Points

V_VBSK_GRA Deliveries: Authorization for Delivery Group Type

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 17].

Communication Channel Security

The following table shows the communication paths that the components Decentralized Warehouse Management, Transportation (LE-TRA), and Shipping (LE-SHP) use, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path: SAP ECC system – another SAP ECC system or external system
Protocol Used: RFC
Type of Data Transferred: Application data (inbound and outbound deliveries)
Data Requiring Special Protection: -
Note: Decentralized Warehouse Management, communication via BAPI IDoc interface

You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.

Technical Users: You can use the workflow user WF-BATCH to generate inbound and outbound deliveries. The user must have authorization to create an inbound delivery.


Warehouse Management System (LE-WMS)

Authorizations

Standard Roles

The following table shows the standard roles you can use for Warehouse Management.

Standard Roles: Warehouse Management

Role Description

SAP_LE_BASIC_DATA_DISPLAY Logistics Execution: Display Master Data

SAP_LE_GATE_KEEPER Register Persons and Means of Transport at Checkpoint

SAP_LE_GATE_KEEPER_WEB Register Persons and Means of Transport at Checkpoint (WEB)

SAP_LE_PACKING_DELIVERY Pack Deliveries

SAP_LE_PACKING_STATION Packing Station (WEB)

SAP_LE_PICKING_WAVES Process Wave Picks

SAP_LE_WMS_APPOINTMENTS Door Appointments

SAP_LE_WMS_CYCLE_COUNTING Perform Cycle Counting in WM

SAP_LE_WMS_INFORMATION Warehouse Information

SAP_LE_WMS_LIS_STATISTICS LIS WM Statistics Data

SAP_LE_WMS_LOAD Workload in Warehouse

SAP_LE_WMS_MONITORING Warehouse Monitoring

SAP_LE_WMS_ONE_TIME_TASK One-Time Tasks in WM

SAP_LE_WMS_PC_PROCESSING Edit Posting Change Notice in WM

SAP_LE_WMS_PHYS_INVENTORY Physical Inventory in WM

SAP_LE_WMS_PHYS_INVENTORY_CNT Physical Inventory Count in WM

SAP_LE_WMS_PHYS_INVENTORY_MON Physical Inventory Analysis and Monitoring in WM

SAP_LE_WMS_QUALITY_MANAGEMENT WM Quality Management

SAP_LE_WMS_R2R3_COUPLING R/2-R/3 Coupling in WM

SAP_LE_WMS_REPLENISH_INTERNAL Internal WM Replenishment

SAP_LE_WMS_REPLENISHMENT_WMPP Replenishment WM-PP

SAP_LE_WMS_RF_ADMIN Administration of Radio Frequency Link in WM

SAP_LE_WMS_RF_PROCESSING Radio Frequency (RF) in WM

SAP_LE_WMS_STATISTICS Analysis in WM

SAP_LE_WMS_STOCK_ADJUSTMENTS Stock Adjustment WM-IM


SAP_LE_WMS_TO_CONFIRM Confirm Transfer Order in WM

SAP_LE_WMS_TO_EXCEPTION_HANDL Exception Handling of Transfer Orders in WM

SAP_LE_WMS_TO_PREPARATION Transfer Order Processing in WM

SAP_LE_WMS_TR_PROCESSING Transfer Requirement Processing in WM

SAP_LE_WMS_WHSE_MAINTENANCE Warehouse Maintenance

SAP_LO_HU_GOODS_MOVEMENTS Goods Movements with Handling Units

SAP_LO_HU_MASTER_DATA Master Data for Handling Units

SAP_LO_HU_PACKING Pack Handling Units

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 17].

Communication Channel Security

The table below shows the communication paths used by the Warehouse Management System (LE-WMS) component, the protocol used for the link, and the type of data transferred.

Communication Paths

Communication Path: SAP ECC System – Non-SAP System (external Warehouse Management System)
Protocol Used: RFC
Type of Data Transferred: Application data (ALE distribution)
Data Requiring Special Protection: -

RFC connections can be protected using Secure Network Communications (SNC). For more information, see:

● General information about encryption

SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security

● Security of Application Link Enabling (ALE)

SAP NetWeaver Security Guide under Security Aspects for Connectivity and Interoperability → Security Guide ALE (ALE Applications)

Technical Users: To use ALE, create one or several users with authorization for the standard ALE transactions.


Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services

Authorizations

Standard Roles

You can use the standard roles for the Warehouse Management System. For more information about these standard roles, see Authorizations [Page 142].

Standard Authorization Objects

The following table shows the security-relevant authorization objects that the component Logistics Execution (EA-APPL) uses:

Application Authorization Object Description

Task and Resource Management

L_EXECUTE Execution activities in TRM

L_MONITOR Monitoring activities in TRM

Value-Added Services: L_MON_VAS L_MON_VAS

Cross-docking L_MON_XDCK L_MON_XDCK

Yard Management L_MON_YARD L_MON_YARD

L_VEHICLE L_VEHICLE

L_YARD L_YARD

L_YRD_MTHD L_YRD_MTHD

For more information, see the SAP ECC documentation in the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → SAP ERP Central Component:

● Task and Resource Management:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Task and Resource Management (LE-TRM) → Other Functions → Authorization Checks

● Value-Added Services:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Value-Added Services (LE-WM-VAS) → Other Functions → Authorization Objects

● Cross-docking

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Warehouse Management System (WMS) → Cross-Docking (LE-WM-DCK) → Other Functions → Authorization Checks

● Yard Management:

SAP ERP Central Component → Logistics → Logistics Execution (LE) → Yard Management → Other Functions → Authorization Checks


Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 17].

Communication Channel Security

The following table shows the communication paths that the component Task and Resource Management (as part of Logistics Execution, EA_APPL 500) uses, the protocol used for the connection, and the type of data transferred:

Communication Paths

Communication Path: SAP ECC system – external system (SAP or non-SAP system)
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

You can protect RFC connections using Secure Network Communications (SNC). For more information, see the SAP NetWeaver security guide under Network and Communication Security → Transport Layer Security.


Retail

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 17].

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.

Communication Channel Security

Link to Mobile Data Entry in SAP Retail Store

The following table shows the communication paths that you use when you implement SAP Retail Store by linking to a mobile device (non-SAP product). You can find more information about the link to SAP Retail Store in the SAP Help Portal at help.sap.com → Documentation → SAP ERP Central Component → ECC → Logistics → SAP Retail → Distributed Data Processing → SAP Retail Store → PDC link in SAP Retail Store.

Communication Paths

Communication Path: SAP ECC System – SAP Exchange Infrastructure (SAP XI)
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

Communication Path: SAP Exchange Infrastructure – Server for Mobile Data Entry
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

You need a technical user for SAP Exchange Infrastructure for the RFC inbound interface when implementing mobile data. Assign the authorizations for the relevant application to the user.

Communication Paths for Forecasting and Replenishment

For more information about the security of communication paths for the Business Scenario Forecasting & Replenishment, see the Forecasting and Replenishment Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → Industry Scenario Security Guides → SAP Forecasting and Replenishment: Security Guide.

Other Communication Paths for SAP for Retail

The following table shows the communication paths for all remaining system connections for SAP for Retail.


Communication Paths

Application: PRICAT
Communication Path: SAP ECC System – Manufacturer’s system
Protocol Used: RFC (or other protocol that supports IDocs)
Type of Data Transferred: Application data
Data Requiring Special Protection: -

Application: Store physical inventory
Communication Path: SAP ECC System – Store’s system
Protocol Used: RFC (or other protocol that supports IDocs)
Type of Data Transferred: Application data
Data Requiring Special Protection: -

Application: POS interface
Communication Path: SAP ECC System – POS System
Protocol Used: RFC (or other protocol that supports IDocs)
Type of Data Transferred: Application data
Data Requiring Special Protection: Credit card information

Application: AFS/SAP Retail interface
Communication Path: SAP ECC System – AFS System
Protocol Used: RFC
Type of Data Transferred: ALE messages
Data Requiring Special Protection: -

Application: Interface for space management systems
Communication Path: SAP ECC System – Space Optimization System
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

Application: Interface to SAP Business Information Warehouse (SAP BW)
Communication Path: SAP ECC System – SAP BW System
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

For more information about communication paths, see the SAP Help Portal at help.sap.com → Documentation → mySAP ERP → ECC → Logistics → SAP for Retail as follows:

● PRICAT

SAP Retail → Distributed Data Processing → Transfer of PRICAT Messages

● Store Physical Inventory

SAP Retail → Merchandise Logistics → Physical Inventory → Physical Inventory: Support for Carrying Out a Store Physical Inventory

● POS Interface

SAP Retail → Distributed Data Processing → POS Interface

● AFS/SAP Retail interface

SAP Retail → Distributed Data Processing → AFS to SAP Retail Interface

● Interface for space management systems

SAP Retail → Distributed Data Processing → Application Link Enabling (ALE) → Interface for Space Management Systems

For more information about communication security with SAP BW Systems, see the NetWeaver Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 04 Security Guide (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Type BI → SAP Business Information Warehouse Security Guide → Communication Security.

Authorizations

Standard Authorization Objects

The following tables show the authorization objects used by the Retail component. The Retail component also uses other SAP ECC authorization objects; you can find more information about these in other sections of the SAP ECC Security Guide.

Standard Authorization Objects: Retail (Software Component SAP-APPL)

Authorization Object Description

W_APPT IS-R Authorization Appointment

W_ASORT Authorization for Assortment Maintenance

W_ASORT_ST Authorization for the Assignment of Assortments to Plants

W_AUFT_BAA IS-R Authorization Document Type Allocation Table

W_AUFT_BAR IS-R Authorization Document Type Allocation Rule

W_AUFT_RMB IS-R Authorization Allocation Table: Display/Confirmation per Plant

W_CM_CDT IS-R Authorization for Maintenance of Article Hierarchies

W_FRM IS-R Authorization for Merchandise Distribution

W_GROUPTYP Authorization to Manage Site Grouping

W_LISTVERF IS-R Authorization to Use Listing Procedure

W_LIST_EAC Authorization Acceptance for Listing Errors

W_MARKDOWN IS-R Markdown Planning Authorization: MTYP, MATCL, SOrg, DChl

W_ONLSTORE Authorization for Starting Online Store

W_PCAT_LAY Authorization: Product Catalog - Layout Area

W_PCAT_MTN Authorization: Product Catalog - Maintenance

W_PRICATIN Retail Authorization: Create and Maintenance PRICAT per Purchasing Group

W_REF_SITE Authorization to Clean MMSITEREF Table

W_SRS_POS Authorizations for Open Store Physical Inventory

W_SRS_VKPF Retail Store – Authorization for Daily Price Maintenance

W_STRU_CHG IS-R Authorization: Allow Changes to Structured Material

W_STWB_WRK SAP Retail Store: Stores

W_TRAN_CCR IS-R Authorization: SAP Transaction

W_VKPR_PLT IS-R Authorization Sales Price Calculation: Distribution Chain/Price List

W_VKPR_VKO IS-R Authorization Sales Price Calculation Distribution Chain

W_VKPR_VTL IS-R Authorization Sales Price Calculation: Distribution Chain

W_VKPR_WRK IS-R Authorization Sales Price Calculation: Distribution Chain/Plant


W_WAKH_EKO IS-R Authorization Action: Purchasing Organization/Purchasing Group

W_WAKH_MAT IS-R Authorization Action: Material Number

W_WAKH_THE IS-R Authorization Promotion: Theme

W_WAKH_VKO IS-R Authorization Action: Sales Organization/Distribution Channel

W_WBEF_WRK IS-R Authorization Sales Price Revaluation: Distribution Chain/Plant

W_WIND_TYP IS-R Automatic Document Adjustment: Authorization for Document Type

W_WTAD_AM IS-R Authorization for Additionals Monitor

W_WTAD_ASL IS-R Authorization Additionals: Vendor/Purchase Order List

W_WTAD_IR Request Additionals-IDoc via BAPI Call Function

W_WTAD_ISU IS-R Authorization: Status Update for Additionals IDoc

W_WTRA_LOG Runtime Measurement - Authorization to Delete Data Records

W_WXP_DESI MAP: Design Planning Scenario

W_WXP_HIER Merchandise and Assortment Planning: Planning Hierarchy

W_WXP_INT Merchandise and Assortment Planning: Planning Interfaces

W_WXP_LAY MAP: Planning Layouts and Variants

W_WXP_PLAN MAP: Planning Scenario Planning

Standard Authorization Objects: Retail (Software Component EA-RETAIL)

Authorization Object Description

WLM Assignment of Articles for Layout Modules

WLMLOCLIST Creation of Assortments per Layout Module and Store

WLMVREL Release of Layout Module Version

WLMVV Layout Module Version Variant Maintenance

WLWBENT Access to Layout Workbench

WPLGACT Call External Space Management

WRF_CDT_H Article Hierarchy: Horizontal Hierarchy Maintenance

WRF_CDT_V Article Hierarchy: Vertical Hierarchy and Attribute Maintenance

WRF_FOLUP Authorization Follow-Up/Replacement Material Relationships

WRF_GH_AUT Generic Hierarchy: Authorization Check

WRF_OTBSPR Authorization Check OTB Special Release

W_BUDG_TY Budget Type

W_COCO Authorization for Condition Contract

W_RFAPC_GN Authorization for Operative SPS: General

W_RFAPC_RL Authorization for Operative SPS: Release

W_RF_MPA Authorization Object for Markdown Profile Assignment

W_RF_WLAY Authorization Object Layout

C_WRFCHVAL Authorization: Characteristic Value Maintenance


Global Trade

Network and Communication Security

General

Your network infrastructure is extremely important in protecting your system. Therefore refer to the general notes for SAP ECC under Network and Communication Security [Page 17].

Communication Channel Security

Connection to an SAP FSCM System

For Global Trade Management (EA-GLTRADE), you can also use an external SAP FSCM System to create forward exchange transactions. If you install SAP FSCM on a separate system, you need an RFC connection. If you install SAP FSCM together with Global Trade Management on one system, you do not need an RFC connection.

Communication Path

Communication Path: SAP ERP System – SAP FSCM System (Financial Supply Chain Management)
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -

RFC connections can be protected using Secure Network Communications (SNC). For more information about setting up RFC connections and the prerequisites (authorizations), see the ERP Implementation Guide (IMG) under Logistics General → SAP Global Trade Management → Currency Hedges → Maintain RFC Destination of the CFM System. For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.

Connection to an External Global Trade Services System (GTS System)

For Global Trade Management (EA-GLTRADE), you can opt to connect an external GTS system. You can use this to check whether the contract data for Global Trade Management adheres to the existing legal requirements (import/export controls, global trade data).

Communication Path

Communication Path: SAP ERP System – GTS System
Protocol Used: RFC
Type of Data Transferred: Application data
Data Requiring Special Protection: -


All users in the SAP ECC system can call the functions on the GTS server using an RFC entry. In this RFC entry, you specify a user that is used solely for communication with GTS. Assign this communication user to the following roles for SAP Compliance Management:

Role Description

/SAPSLL/LEG_ARCH GTS Archiving

/SAPSLL/LEG_LCE_APP GTS Legal Control Export: Specialist

/SAPSLL/LEG_LCI_APP GTS Legal Control Import: Specialist

/SAPSLL/LEG_SPL_APP GTS Sanctioned Party List: Specialist

/SAPSLL/LEG_SYS_COMM GTS (Technical) System Communication

The RFC connection can be protected using Secure Network Communications (SNC). For more information about encryption, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
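The two technical-user notes above (WF-BATCH, which needs only the authorization to create inbound deliveries, and the GTS communication user, which should carry only the five roles listed) are least-privilege statements that are easy to verify once and then drift. The following script is an added example, not SAP code and not part of this guide: it audits a user-to-role export against an expected role set per technical user and also checks that each technical user is a system or communication user rather than a dialog user. The export format (user;role rows, modelled on the AGR_USERS table), the user-type codes (modelled on USR02-USTYP: 'A' dialog, 'B' system, 'C' communication), the user name GTS_RFC, the extra roles Z_CONSTRUCTED_WIDE_ROLE and SAP_LE_OUTB_DEL_PROCESSING in the sample, and the choice of SAP_LE_INB_DEL_PROCESSING as the one role WF-BATCH needs are all assumptions made for the example.

```python
"""Least-privilege audit for SAP technical users (added example, not SAP code).

Input is a constructed export in the shape of AGR_USERS rows (user;role) plus a
constructed map of user types in the style of USR02-USTYP ('A' dialog,
'B' system, 'C' communication). The expected role sets follow this guide:
the GTS communication user carries only the five /SAPSLL/LEG_* roles, and
WF-BATCH needs only the authorization to create inbound deliveries, modelled
here by the SAP_LE_INB_DEL_PROCESSING standard role (an assumption).
"""
from dataclasses import dataclass

# Roles this guide assigns to the GTS communication user.
GTS_COMM_ROLES = frozenset({
    "/SAPSLL/LEG_ARCH",
    "/SAPSLL/LEG_LCE_APP",
    "/SAPSLL/LEG_LCI_APP",
    "/SAPSLL/LEG_SPL_APP",
    "/SAPSLL/LEG_SYS_COMM",
})

# Expected role set per technical user. "GTS_RFC" is a constructed user name;
# the guide only says the RFC destination names a dedicated communication user.
EXPECTED_ROLES = {
    "GTS_RFC": GTS_COMM_ROLES,
    "WF-BATCH": frozenset({"SAP_LE_INB_DEL_PROCESSING"}),  # assumption, see above
}

# Technical users should be system ('B') or communication ('C') users, not dialog ('A').
ALLOWED_USER_TYPES = frozenset({"B", "C"})

# Constructed export: one "user;role" row per assignment, like AGR_USERS.
SAMPLE_ASSIGNMENTS = """\
GTS_RFC;/SAPSLL/LEG_ARCH
GTS_RFC;/SAPSLL/LEG_LCE_APP
GTS_RFC;/SAPSLL/LEG_LCI_APP
GTS_RFC;/SAPSLL/LEG_SPL_APP
GTS_RFC;/SAPSLL/LEG_SYS_COMM
GTS_RFC;Z_CONSTRUCTED_WIDE_ROLE
WF-BATCH;SAP_LE_INB_DEL_PROCESSING
WF-BATCH;SAP_LE_OUTB_DEL_PROCESSING
"""

# Constructed user types: here the GTS user was wrongly created as a dialog user.
SAMPLE_USER_TYPES = {"GTS_RFC": "A", "WF-BATCH": "B"}


@dataclass(frozen=True)
class Finding:
    user: str
    missing: frozenset   # expected roles the user does not have
    extra: frozenset     # assigned roles beyond the expected set
    wrong_type: bool     # True if the user is not a system/communication user

    @property
    def clean(self) -> bool:
        return not (self.missing or self.extra or self.wrong_type)


def parse_assignments(text: str) -> dict:
    """Turn 'user;role' rows into {user: set(roles)}; blank and '#' lines are skipped."""
    assigned: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, role = (part.strip() for part in line.split(";", 1))
        assigned.setdefault(user, set()).add(role)
    return assigned


def audit(assignments_text: str, user_types: dict,
          expected: dict = EXPECTED_ROLES,
          allowed_types: frozenset = ALLOWED_USER_TYPES) -> dict:
    """Compare each technical user's roles and user type against the expected set."""
    assigned = parse_assignments(assignments_text)
    findings = {}
    for user, want in expected.items():
        have = assigned.get(user, set())
        findings[user] = Finding(
            user=user,
            missing=frozenset(want - have),
            extra=frozenset(have - want),
            wrong_type=user_types.get(user) not in allowed_types,
        )
    return findings


def report(findings: dict) -> list:
    """Render one line per user; every drift is named so it can be ticketed."""
    lines = []
    for user, f in sorted(findings.items()):
        if f.clean:
            lines.append(f"{user}: OK")
            continue
        parts = []
        if f.extra:
            parts.append("extra roles " + ", ".join(sorted(f.extra)))
        if f.missing:
            parts.append("missing roles " + ", ".join(sorted(f.missing)))
        if f.wrong_type:
            parts.append("not a system/communication user")
        lines.append(f"{user}: " + "; ".join(parts))
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_ASSIGNMENTS, SAMPLE_USER_TYPES)):
        print(line)
```

Run against the constructed sample, the audit flags the GTS user for the extra wide role and for being a dialog user, and flags WF-BATCH for the outbound-delivery role it does not need. In practice the expected sets are the part worth keeping under change control: the role lists in this guide are the starting point, and any role added to a technical user beyond them should show up here rather than go unnoticed.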


Sales and Distribution (SD)

Before You Start

Important SAP Notes

The most important SAP Notes that apply to component security are shown in the table below.

Important SAP Notes

SAP Note Number Title Comment

766703 FAQ: Credit card encryption in R/3 system

633462 Encrypting credit card data

791178 Credit card encryption in AR back end

727839 Authorization role for the SAP SCM - SAP R/3 integration

128447 Trusted/Trusting Systems (Comment: Necessary for Customizing of the RFC relationship for trusted/trusting systems)

Authorizations

Standard Roles

The following table shows the standard roles that are used by the SD component.

Standard Roles

Role Name

SAP_AUDITOR_BA_SD Audit Information System - Sales Revenue

SAP_AUDITOR_BA_SD_A Audit Information System - Sales Revenue

SAP_AUDITOR_TAX_SD AIS - Tax Audit Sales and Distribution

SAP_AUDITOR_TAX_SD_A AIS - Tax Audit Sales and Distribution (Authorization)

SAP_LO_SD_BACKORDERS Backorder Processing

SAP_LO_SD_BILLING_BATCH Process Billing by Batch

SAP_LO_SD_BILLING_DISPLAY Display Billing Documents

SAP_LO_SD_BILLING_PROCESSING Billing Processing Online

SAP_LO_SD_BLOCKED_BILLING_DOC Release Blocked Billing Documents

SAP_LO_SD_CONTRACT_PROCESSING Contract Processing

SAP_LO_SD_CREDIT_MANAGEMENT Credit Management in Sales Documents

SAP_LO_SD_DEALS_PROMOTI_PROCES Sales Deals & Promotions

SAP_LO_SD_INFORMATION_DISPLAY Display Customer & Material Information


SAP_LO_SD_INFORMATION_PROCESSI Maintaining Customer & Material Information

SAP_LO_SD_INQUIRY_PROCESSING Inquiry Processing

SAP_LO_SD_INVOICELIST_PROCESSI Invoice List Processing

SAP_LO_SD_OUTPUT_PROCESS Output Process

SAP_LO_SD_PRICING_DISPLAY Display Pricing

SAP_LO_SD_PRICING_MAINTAIN Maintain Pricing

SAP_LO_SD_QUOTATION_PROCESSING Quotation Processing

SAP_LO_SD_REBATE_PROCESSING Rebate Processing

SAP_LO_SD_RELEASE_FOR_DELIVERY Release Orders for Delivery

SAP_LO_SD_RETURN_PROCESSING Return Order Processing

SAP_LO_SD_SALES_DISPLAY Display Sales Information

SAP_LO_SD_SALES_ORD_PROCESSING Sales Order Processing

SAP_LO_SD_SALES_PERFORMANCE Sales Performance

SAP_LO_SD_SALES_SUPPORT Sales Support

SAP_LO_SD_SCHED_AGR_PROCESSING Scheduling Agreement Processing

Network and Communication Security

SD calls the ERP availability check, and this communicates with APO. The relevant component is SD-BF-AC. First, master and planning data are exchanged between APO and ERP, and then planning transactions in APO are called up from ERP. Technically, this proceeds as follows: The APO – ATP dialog is called up from the sales order in dialog mode. The APO view of the ATP (transaction /SAPAPO/AC03) is displayed using the view Availability Overview (transaction CO09).

For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP Supply Chain Management → SAP Supply Chain Management Security Guide SCM 4.1 → Authorization → Integration with SAP Components → Integration of SAP APO and SAP R/3 → Authorization Roles for SAP APO – SAP R/3 Integration → Available to Promise (ATP).

Communication Destinations

Create a batch input user as required. This is not included in the standard delivery.

For more information, see Batch Input Authorizations [External].

Data Storage Security

Credit card numbers are stored in the SAP component SD. As this data is particularly sensitive, it requires additional protection and encryption.

For more information on credit card number encryption, see SAP Note 766703.


Human Capital Management

Personnel Management (PA)

Before You Start

Important SAP Notes

The following table presents the most important SAP Notes regarding security for Personnel Management.

Important SAP Notes

SAP Note Number Title Comment

138526 Authorization check in reports incorrect PA-PA-XX

138533 Authorization check for SUBTY does not function PA-PA-XX

138706 Authorization problems, analysis preparations PA-PA-XX

142865 SAPDBPNP authorization check is too strict PA-PA-XX

142896 No access on personnel number despite authorization PA-PA-XX

148525 Search help selects too little data PA-PA-XX

151207 Authorization check symmetric double-check PA-XX

362675 Deactivating P_ORIGIN; activating P_PERNR PA-PA-XX

383290 External object types and structural authorizations PA-BC

385319 Change of master data in a productive Payroll PA-PA-IT

385635 Authorization check with employee subgroup change PA-BC

390373 External relationships: Creation of classes PA-BC

495971 Workflow 01000015 is not triggered when changing address PA-PA-XX

514893 Ad hoc query: Hit list differs from the output PA-IS

552184 Information on the object type of the central person PA

693156 Authorization check for reentry PA-PA-XX

724149 HRALX: Masking sensitive data BC-BMT-OM-CRM

23611 Collective Note: Security in SAP Products BC-SEC

30724 Data protection and security in SAP Systems BC-SEC


Additional Information

● For extensive documentation on authorization objects in Personnel Management, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].

● For some country versions, additional information is also available:

Country version Germany

○ Leitfaden Datenschutz für SAP R/3 in SAP Service Marketplace at service.sap.com for the country version Germany

Country version Great Britain (PA-PA-GB)

○ For an Implementation and User Guide for E-Filing Incoming, see SAP Service Marketplace at service.sap.com under the customer page for the country version Payroll Great Britain in the Media Center.

Country version Switzerland (PA-PF-CH)

○ For documentation on the settings and functions for the authorization object P_CH_PK for Pension Fund Switzerland, see SAP Library or SAP Help Portal under ERP Central Component → Human Resources → Payroll → Payroll Switzerland → Pension Fund → Reference Guide for the Pension Fund → Authorizations → Authorization Object P_CH_PK [Extern].

User Management

User management for Personnel Management uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Personnel Management, see the sections below. In addition, there is a list of the standard users that are necessary for operating Personnel Management.

User Management Tools

The table below shows the tools for user management in Personnel Management.

User Management Tools

Tool: Detailed Description (Prerequisites)

User and Role Maintenance (transaction PFCG): You can use the Role Maintenance transaction PFCG to generate profiles for your Personnel Management users.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.


The user types required for Personnel Management include:

● Individual users

○ Administration users for

■ Personnel Administration

■ Benefits Administration

○ Managers for

■ Personnel Administration

■ Benefits Administration

■ Compensation Administration

■ Training and Event Management

○ Specialists for

■ Personnel Administration

■ Benefits Administration

■ Compensation Administration

■ Training and Event Management

● Technical users

Technical users are required for the following business processes:

○ WF-BATCH user

If you want to use the workflow functions for the different Personnel Management functions, you must create a WF-BATCH system user in the standard system.

○ Distribution of master data through ALE technology. For more information, see the documentation for the report RHALEINI (HR: ALE Distribution of HR Master Data).

○ Compensation Management (PA-CM): For the integration with the Award function, the technical user requires authorization for the following functions:

■ Call RFC function module HRCM_RFC_LTI_ACCRUALDATA_GET (Determine awards data for accumulating accruals)

■ Read the Award infotype (0382), authorization object P_ORGIN

○ Budget Management (PA-PM)

■ You use background processing to create commitments in accounting with a RFC connection. Depending on the process and the system landscape used, it may be necessary to set up a user for the background processing. You can use your own user (an additional logon is required) or set up a special commitment engine user.

For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.


Authorizations

Personnel Management uses the authorization concept provided by SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Personnel Management.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user management console for SAP Web AS Java.

Standard Roles

The following table shows the standard roles that are used by Personnel Management.

Standard Roles

Role Description

SAP_HR_BN* Roles assigned to component PA-BN (Benefits)

SAP_HR_CM* Roles assigned to component PA-CM (Compensation Management)

SAP_HR_CP* Roles assigned to component PA-CM-CP (Personnel Cost Planning)

SAP_ESSUSER_ERP05 Role with all non-country-specific functions for Employee Self-Service. For more information, see the Security Guide for Self-Services [Seite 23].

SAP_EMPLOYEE_ERP05_xx Roles related to the Employee Self-Service country versions

SAP_HR_OS* Roles assigned to component PA-OS (Organizational Management)

SAP_HR_PA_xx_* Roles related to international and country versions of the component PA-PA (Personnel Administration)

SAP_HR_PA_XF* Roles assigned to the component CA-GTF-XF (SAP Expert Finder)

SAP_HR_PA_PF_xx_* Roles assigned to component PA-PF (Pension Fund)

SAP_HR_PD* Roles assigned to component PA-PD (Personnel Development)

SAP_HR_RC* Roles assigned to component PA-RC (Recruitment)

SAP_HR_REPORTING Role for Human Resources Analyst

SAP_AUDITOR_TAX_HR Role HR-DE Steuerprüfung § 147 AO (Muster) (HR-DE tax audit according to § 147 AO, sample), assigned to the component PA-PA-DE (Personnel Administration Germany). This role is relevant for Germany only.


SAP_ASR_EMPLOYEE Enhancement of the role SAP_ESSUSER_ERP05 for the employees that use the functions of the component PA-AS (HR Administrative Services)

SAP_ASR_MANAGER Enhancement of the role SAP_ESSUSER_ERP05 with functions for the persons with personnel responsibility that use the functions of the component PA-AS (HR Administrative Services)

SAP_ASR_ADMINISTRATOR Enhancement of the role SAP_HR_PA_xx_* for the HR administrators that use the functions of the component PA-AS (HR Administrative Services)

For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with “xx”, where “xx” represents the SAP country key, various roles exist for each of the country versions.

Standard Authorization Objects

The following table shows the most important central security-relevant authorization objects used by Personnel Management.

For more information about Personnel Management authorizations, see SAP Library under ERP Central Component → Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].

Most Important Standard Authorization Objects

Authorization Object (Short Text): Description

P_ORGIN (HR Master Data): Used when checking authorizations for HR infotypes. The check takes place when HR infotypes are edited or read.

P_ORGINCON (HR Master Data with Context): This authorization object consists of the same fields as the authorization object P_ORGIN, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data.

P_ORGXX (HR Master Data – Extended Check): With this object you can determine whether other fields are also to be checked. You can determine whether this check is to be performed in addition to or instead of the HR Master Data authorization check.

P_ORGXXCON (HR Master Data – Extended Check with Context): This authorization object consists of the same fields as the authorization object P_ORGXX, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the HR master data.

P_TCODE (HR: Transaction Code): This authorization object checks certain specific transactions in SAP Human Resources Management.

PLOG (Personnel Planning): Used to indicate the types of information processing a user is authorized to perform.

PLOG_CON (Personnel Planning with Context): This authorization object consists of the same fields as the object PLOG, and also includes the field PROFL (structural profile). The check for this object means that user-specific contexts can be included in the personnel planning data.

P_ASRCONT (Authorization for Process Content): The Authorization for Process Content object is used by the authorization check for HR Administrative Services. It checks the authorization for access to various process contents and also runs through the authorization objects that you have specified in Customizing in T77S0 (see note below). For more information, see Authorization Concept of HCM Processes and Forms [Extern].

In Customizing, you can determine whether specific authorization objects are to be checked. All central switches and settings for the Human Resources authorization check are summarized in table T77S0 in the group AUTSW (maintained with transaction OOAC). Note that changes to these settings severely affect your authorization concept: switching off the master data objects without activating a replacement removes the infotype-level check entirely.

For more information about changing the main authorization switch, see the Implementation Guide (IMG) for Personnel Administration under Tools → Authorization Management.
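The following script is an added example and is not part of the SAP guide. It models how the AUTSW switches in T77S0 decide which HR authorization objects are actually evaluated, so that an exported T77S0 can be checked for a configuration in which infotype access is no longer restricted. Switch names follow transaction OOAC; the sample rows are constructed, and the rule that a context object and its non-context counterpart should not both be active is this example's assumption rather than a statement from the guide.

```python
"""Evaluate the HR main authorization switches (table T77S0, group AUTSW)."""

# AUTSW switch -> what a value of "1" activates.
SWITCH_TO_OBJECT = {
    "ORGIN": "P_ORGIN",      # HR master data
    "ORGXX": "P_ORGXX",      # HR master data, extended check
    "INCON": "P_ORGINCON",   # HR master data with context (adds field PROFL)
    "XXCON": "P_ORGXXCON",   # extended check with context
    "PERNR": "P_PERNR",      # restrictions on the user's own personnel number
    "NNNNN": "P_NNNNN",      # customer-specific authorization object
    "ORGPD": "structural authorization (PLOG, profiles from T77PR)",
}

# Switches that restrict access to infotype records of other persons; if none
# of them is active, P_PERNR alone only governs the user's own record.
MASTER_DATA_SWITCHES = ("ORGIN", "ORGXX", "INCON", "XXCON", "NNNNN")


def parse_t77s0(rows):
    """rows: iterable of (GRPID, SEMID, GSVAL) as exported from table T77S0.
    Returns {SEMID: GSVAL} for group AUTSW; other groups (e.g. PPVAR) are ignored."""
    return {semid.strip(): gsval.strip()
            for grpid, semid, gsval in rows if grpid.strip() == "AUTSW"}


def evaluate_autsw(switches):
    """Return (active_objects, findings) for a {SEMID: GSVAL} dict."""
    active = [obj for sw, obj in SWITCH_TO_OBJECT.items() if switches.get(sw) == "1"]
    findings = []
    if not any(switches.get(sw) == "1" for sw in MASTER_DATA_SWITCHES):
        findings.append("no HR master data authorization object is active; "
                        "infotype access is not restricted by P_ORGIN, P_ORGXX, "
                        "P_ORGINCON, P_ORGXXCON or a customer object")
    # The context objects carry the same fields as their non-context counterparts
    # plus PROFL, so the context solution replaces rather than supplements them.
    # Treating both-active as a finding is this example's assumption (an
    # unfinished migration is the usual cause), not a statement from the guide.
    if switches.get("ORGIN") == "1" and switches.get("INCON") == "1":
        findings.append("ORGIN and INCON both active: P_ORGIN and P_ORGINCON are alternatives")
    if switches.get("ORGXX") == "1" and switches.get("XXCON") == "1":
        findings.append("ORGXX and XXCON both active: P_ORGXX and P_ORGXXCON are alternatives")
    # ADAYS: days after leaving during which the old organizational assignment
    # still grants access; the SAP default is 15.
    tolerance = switches.get("ADAYS")
    if tolerance and tolerance.isdigit() and int(tolerance) > 15:
        findings.append(f"ADAYS = {tolerance}: tolerance for leaving employees exceeds the SAP default of 15 days")
    return active, findings


# Constructed T77S0 extract: a typical productive setting.
SAMPLE_T77S0 = [
    ("AUTSW", "ORGIN", "1"),
    ("AUTSW", "ORGXX", "0"),
    ("AUTSW", "INCON", "0"),
    ("AUTSW", "XXCON", "0"),
    ("AUTSW", "PERNR", "1"),
    ("AUTSW", "NNNNN", "0"),
    ("AUTSW", "ORGPD", "1"),
    ("AUTSW", "ADAYS", "15"),
    ("PPVAR", "PEUPD", "1"),   # different group, must be ignored
]

# Constructed extract in which every master data check was switched off.
UNPROTECTED_T77S0 = [("AUTSW", sw, "0") for sw in MASTER_DATA_SWITCHES] + [
    ("AUTSW", "PERNR", "1"),
    ("AUTSW", "ADAYS", "90"),
]

if __name__ == "__main__":
    for name, rows in (("sample", SAMPLE_T77S0), ("unprotected", UNPROTECTED_T77S0)):
        active, findings = evaluate_autsw(parse_t77s0(rows))
        print(name, "active:", active)
        for finding in findings:
            print("  FINDING:", finding)
```

Feed the script the three columns GRPID, SEMID and GSVAL of T77S0 (for example from SE16 or a table download); the function returns the objects that are checked and a list of findings rather than printing them, so it can be wired into a periodic compliance job.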


Communication Channel Security

The table below shows the communication paths used by Personnel Management, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path: Protocol Used; Type of Data Transferred; Data Requiring Special Protection

Interface Toolbox (transaction PU12): ALE; master data, benefits data, organizational data as defined by the user

SAP BW: extractor program; master data, organizational data, Personnel Development data

SAP CO (for distributed systems): RFC; cost centers, orders, and so on; authorizations for CO objects are required here

External files: ASCII; Personnel Administration data; applicable only for country versions Australia and New Zealand

Microsoft Word: report interface with SAP NetWeaver Office Integration

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.
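Because SNC is what protects the DIAG and RFC paths listed above, the instance profile is the place to verify that it is not merely installed but enforced. The following checker is an added example and not part of the SAP guide: it parses an ABAP instance profile (`name = value` lines, `#` comments, later lines override earlier ones) and reports SNC parameters that still let unprotected logons through. The parameter names are the SNC parameters of the ABAP application server of this release; the two profile texts are constructed, and the "acceptable" values are the conservative settings an auditor would expect, not values prescribed by the guide.

```python
"""Flag SNC profile parameters that leave DIAG/RFC connections unprotected."""

import re

# name = value ; parameter names contain letters, digits, '_' and '/'
LINE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; later occurrences override earlier ones,
    as in a real SAP profile."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


# (parameter, acceptable values, finding text for other values)
# Data protection levels: 1 = authentication only, 2 = integrity, 3 = privacy.
SNC_RULES = [
    ("snc/enable", {"1"}, "SNC is disabled; DIAG and RFC run in cleartext"),
    ("snc/accept_insecure_gui", {"0"}, "SAP GUI logons without SNC are still accepted"),
    ("snc/accept_insecure_rfc", {"0"}, "RFC logons without SNC are still accepted"),
    ("snc/accept_insecure_cpic", {"0"}, "CPIC logons without SNC are still accepted"),
    ("snc/data_protection/min", {"3"}, "minimum protection level below privacy (3); traffic may be unencrypted"),
]


def check_snc(params):
    """Return [(parameter, current_value, finding)] for weak or unset settings.
    An absent parameter is reported as such instead of assuming a default,
    because kernel defaults differ between releases."""
    findings = []
    for name, ok_values, text in SNC_RULES:
        value = params.get(name)
        if value is None:
            findings.append((name, None, "not set explicitly; kernel default applies, verify in RZ11"))
        elif value not in ok_values:
            findings.append((name, value, text))
    return findings


# Constructed profile: SNC switched on, but legacy clients are still let in.
WEAK_PROFILE = """\
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
# SNC library and server identity (values are placeholders)
snc/enable = 1
snc/gssapi_lib = /usr/sap/ERP/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=ERP, OU=SAP, O=Example
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
"""

# Same profile with the hardening appended; later lines override earlier ones.
HARDENED_PROFILE = WEAK_PROFILE + """\
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
snc/data_protection/min = 3
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label)
        for name, value, finding in check_snc(parse_profile(text)):
            print(f"  {name} = {value!r}: {finding}")
```

Setting `snc/accept_insecure_gui` or `snc/accept_insecure_rfc` to 1 keeps every non-SNC client working, which is why an SNC rollout is often left in that state; the check makes the gap visible. Switch the parameters to 0 only after all SAP GUI installations and RFC destinations have been migrated, or the affected users and interfaces lose access.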

Communication Destinations

Specific communication destinations are available for some Personnel Management components and Personnel Administration country-specific components.

Benefits (PA-BN)

When evaluating retirement benefits for employees, service-related data is sent to an external system using IDocs. The Benefits system places the IDocs in a special port. External systems can collect the IDocs from this port. The external systems evaluate the retirement benefits based on the transferred data and then send them with an inbound IDoc back to the SAP system.

There are no special functions from the Benefits system side to protect this data.


Enterprise Compensation Management (PA-EC)

Using IDocs, you communicate with banks and brokers through the SAP Business Connector. The transferred data must be encrypted.

For more information, see the documentation for the following reports:

● RHECM_GRANT_IDOC_OUT (Export LTI Grant Data)

● RHECM_PARTICIPANT_IDOC_OUT (Export LTI Participant Data)

● RHECM_EXERCISE_IDOC_IN (Import LTI Exercise Data)

Compensation Management (PA-CM)

The self-service scenario Salary Benchmarking (HRCMP0053) exchanges data with external benchmarking providers. You communicate synchronously and online using HTTPS.

SAP Expert Finder (CA-GTF-XF)

The component SAP Expert Finder can exchange data with external systems using RFC.

Personnel Administration

● HR Administrative Services

HR Administrative Services can transfer personal data from SAP E-Recruiting and return data to SAP E-Recruiting. For more information, see the Security Guide for SAP E-Recruiting under Technical System Landscape [Seite 190] and Communication Destinations [Seite 197].

● B2A Manager – Authorities Communication

Some country versions use the B2A Manager to exchange data with the authorities. For example, in the German country version (PA-PA-DE) you can exchange data with social insurance bodies and health insurance funds.

The B2A Manager supports the following communication channels and encryption procedures, depending on the recipient:

○ Communication channels

■ E-mail with file attachments

■ HTTPS (HTTP over SSL)

○ Encryption procedures

■ PEM (Privacy Enhanced Mail)

■ PKCS#7 (Public Key Cryptography Standard No.7)

● Pension Fund (PA-PF)

○ You can create files with SAP List Viewer (ALV) and TemSe (Temporary Sequential Objects).

○ There is no encryption of data in the standard system.

○ Country version Netherlands (PA-PF-NL): You can upload the inbound data using the GBA interface (Gemeentelijke Basis Administratie).

● Country version Germany (PA-PA-DE)

Employees can submit their tax returns in electronic form (ELSTER). Data is communicated using HTTP. The data is encrypted with PKCS#7. The tax authorities specify the procedure.


● Country version USA

For the VET and EEO reports for the country version USA, you can exchange data with local servers or terminals. With this function you can download files from the application server to a presentation server. This results in text files with the output format .txt, as required by the authorities. This output format is legally compliant.

The data is not encrypted in the standard system. You decide to what extent you want to encrypt data if you want to send data to the Federal Commission or the Department of Labor.

● Country version Great Britain

You can communicate with the GB Inland Revenue Gateway. The communication channel is encrypted with 128-bit SSL. Employee tax data is transferred with RFC connections and HTTPS.

Data Storage Security

The infotypes in Personnel Management contain particularly sensitive data. This data is protected by central authorization objects.

For more information about authorization objects, see Authorizations [Seite 157].

Examples of infotypes containing particularly sensitive data:

● International infotypes for Personnel Administration (PA-PA)

○ Personal Data (0002)

○ Basic Pay (0008)

○ Bank Details (0009)

○ Family Member/Dependents (0021)

● Personnel Development (PA-PD)

○ Qualifications

○ Appraisals

● Personnel Cost Planning and Simulation (PA-CP)

○ Planning of Personnel Costs (0666), contains salary-based information

● Enterprise Compensation Management (PA-EC)

○ LTI Grant (0761)

○ LTI Exercise (0762)

● Management of Global Employees (PA-GE)

○ Compensation Package Offer (0706)

Other sensitive Personnel Management data

● Budget Management


The Budget Management component accesses the salary data of employees and displays data from the Controlling (CO) and Funds Management (FI-FM) components. The standard authorization concept for Human Resources, Controlling, and Funds Management is used for these processes. The following authorization objects are also available to protect the data:

○ P_ENCTYPE (HR: PBC - Financing): Determines which funds reservation types a user can access and which activities the user is allowed to perform.

○ P_ENGINE (HR: Authorization for Automatic Commitment Creation): Determines which activities a user is allowed to perform when creating commitments.

● Pension Fund (PA-PF)

Access to salary data, pensions and benefits entitlements is protected by the following authorization objects:

○ P_ORGIN (HR: Master Data)

○ P_CH_PK (HR-CH: Pension Fund: Account Access)

○ P_NL_PKEV (Bevoegdheidsobject voor PF-gebeurtenissen)

● SAP Expert Finder (CA-GTF-XF)

For the connection with the external LDAP system, the user should only have read access to the data. The role SAP_HR_PA_XF_SERVICE_USER_DOC (HR Expert Finder: Service User for Access Search Engine) is available for this.

● Personnel Cost Planning (PA-CM-CP and PA-CP)

The old Personnel Cost Planning (PA-CM-CP) and the new Personnel Cost Planning and Simulation (PA-CP) components both save salary-relevant information to the clusters of the database PCL5. You can control access rights using the authorization object P_TCODE (HR: Transaction Code).

● Employee Interaction Center (PA-EIC)

The EIC Authentication infotype (0816) enables question and response pairs to be saved that an agent of Employee Interaction Center then uses to identify a calling employee. You can only maintain the infotype with the Authentication for EIC Employee Self-Service.

● HR Administrative Services (PA-AS)

The personnel file and all process instances are saved with intermediate statuses and history to the Case Management databases.

● Particularly sensitive data in the country versions

○ The transfer of salary and tax data using the B2A Manager is protected by the authorization object P_B2A (HR-B2A: B2A Manager).

○ Country version USA (PA-PA-US)

The social security number (SSN) in the Personal Data infotype (0002)

○ Country version Canada (PA-PA-CA)

The social insurance number (SIN) in the Personal Data infotype (0002)

○ Country version Australia (PA-PA-AU)

The Tax File Number (TFN) in the TFN Australia infotype (0227)

○ Country version New Zealand (PA-PA-NZ)


The Employee IRD Number in the IRD Nbr New Zealand infotype (0309). There are several ways to access this number:

■ Directly, using the IRD Nbr New Zealand infotype (0309) with the transaction Maintain HR Master Data (PA30)

■ Using the IRD Number pushbutton in the Tax New Zealand infotype (0313)

The necessary authorizations to read or change the IRD number depend on the authorizations in the user profile.

Security for Additional Applications

Personnel Administration country-specific components use several reports that store security-relevant and sensitive data. This data includes employee data relating to salary, tax, social insurance, pension contributions, and garnishments.

The data is stored in temporary sequential (TemSe) files and used when printing legal forms, statistics, and business reports. Access to TemSe from within the SAP system is controlled by the authorization object S_TMS_ACT; the guide does not require encryption of this data. Note that S_TMS_ACT does not apply to the database and operating system level on which the TemSe objects are physically stored, so access at that level should be restricted by the usual Basis controls. For a list of all reports and programs using TemSe, see the Personnel Administration documentation for your country version.

You can also download data directly from the front-end server (for example, PC/terminal) or application server without first storing the data records in the TemSe. To do so, you copy the data to a data carrier that you can then send to the authorities.

Other Security-Relevant Information

Other security-relevant Customizing for infotype records

With the field Access Auth. (Access Authorization) in Table V_T582A (Infotype attributes (Customizing)), you can control access to an infotype record depending on whether the record belongs to the area of responsibility of a person responsible on the current date. For more information, see the Implementation Guide for Personnel Management under Personnel Administration → Customizing Procedures → Infotypes → Infotypes. Note in particular the help for the Access Authorization field.

Technical utilities without integrated authorization check

The following technical utilities read data without the user’s authorizations being checked. You should therefore only assign relevant report authorizations to roles containing system administrator functions.

● Reports with the prefix RHDBST*: Database statistics

● Reports with the prefix RHCHECK*: Consistency checks for Organizational Management and Personnel Development data.

If required, you can use the following reports (developed for SAP internal use) for testing purposes. However, SAP does not accept any responsibility for these reports:

● Report RPCHKCONSISTENCY: (Consistency check for HR master data)

● Report RPUSCNTC (Find Inconsistencies in Time Constraints)


Authorizations for the Implementation Guide for HR Administrative Services

The views in the Implementation Guide for HR Administrative Services are protected separately by authorization groups, so that users without authorization cannot maintain person-related Customizing. In the authorization object S_TABU_DIS, field DICBERCLS (Authorization Group), you can assign the following groups:

● Authorization group PASC: Authorization check for all views of HR Administrative Services in which no Customizing settings are made that affect the authorization checks for users of HR Administrative Services.

● Authorization group PASA: Additional authorization check for the views that can affect the authorization check for users of HR Administrative Services. Grant change access (ACTVT 02) to this group only to the administrators responsible for the HR Administrative Services authorization concept.
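The following script is an added example and not part of the SAP guide. It answers the question the two authorization groups raise in practice: which roles can change (ACTVT 02) views in PASA or PASC. Its input rows mimic the columns of the role authorization table AGR_1251 (role, object, authorization name, field, LOW, HIGH) and are constructed here; the value matching (exact value, trailing `*` wildcard, LOW..HIGH range, `*` alone) follows the ABAP authorization check, and field values are only combined within the same authorization, which is the detail a naive per-role grep gets wrong.

```python
"""Find roles whose S_TABU_DIS authorizations allow changes to HR Administrative
Services Customizing (authorization groups PASC and PASA)."""

from collections import defaultdict

HR_ASR_GROUPS = ("PASC", "PASA")
CHANGE = "02"   # ACTVT 02 = change


def value_matches(low, high, wanted):
    """Does an authorization field value (LOW[, HIGH]) cover `wanted`?"""
    low, high = low.strip(), (high or "").strip()
    if high:                               # range LOW..HIGH, string comparison as in ABAP
        return low <= wanted <= high
    if low == "*":                         # full authorization
        return True
    if low.endswith("*"):                  # generic value, e.g. PAS*
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_with_change_access(rows, groups=HR_ASR_GROUPS):
    """Return {role: [covered groups]} for roles that can change tables in `groups`.
    Field values are combined only within the same authorization (AUTH column):
    ACTVT 02 in one authorization and DICBERCLS PASA in another do not add up."""
    auths = defaultdict(lambda: defaultdict(list))   # (role, auth) -> field -> [(low, high)]
    for role, obj, auth, field, low, high in rows:
        if obj == "S_TABU_DIS":
            auths[(role, auth)][field].append((low, high))
    hits = {}
    for (role, _auth), fields in auths.items():
        if not any(value_matches(l, h, CHANGE) for l, h in fields.get("ACTVT", [])):
            continue
        covered = [g for g in groups
                   if any(value_matches(l, h, g) for l, h in fields.get("DICBERCLS", []))]
        if covered:
            hits.setdefault(role, set()).update(covered)
    return {role: sorted(g) for role, g in sorted(hits.items())}


# Constructed AGR_1251-style rows: (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
SAMPLE_AGR_1251 = [
    # HR administrator: display on PASA, change on PASC
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-HR000100", "ACTVT", "03", ""),
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-HR000100", "DICBERCLS", "PASA", ""),
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-HR000200", "ACTVT", "02", ""),
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-HR000200", "DICBERCLS", "PASC", ""),
    # Basis role with full table maintenance via wildcards
    ("Z_BASIS_ALL", "S_TABU_DIS", "T-BC000100", "ACTVT", "*", ""),
    ("Z_BASIS_ALL", "S_TABU_DIS", "T-BC000100", "DICBERCLS", "*", ""),
    # Change activity and PASA sit in different authorizations: no change access to PASA
    ("Z_SPLIT", "S_TABU_DIS", "T-SP000100", "ACTVT", "02", ""),
    ("Z_SPLIT", "S_TABU_DIS", "T-SP000100", "DICBERCLS", "SS", ""),
    ("Z_SPLIT", "S_TABU_DIS", "T-SP000200", "ACTVT", "03", ""),
    ("Z_SPLIT", "S_TABU_DIS", "T-SP000200", "DICBERCLS", "PASA", ""),
    # A range that silently includes both HR groups
    ("Z_RANGE", "S_TABU_DIS", "T-RG000100", "ACTVT", "01", "03"),
    ("Z_RANGE", "S_TABU_DIS", "T-RG000100", "DICBERCLS", "PAAA", "PAZZ"),
]

if __name__ == "__main__":
    for role, groups in roles_with_change_access(SAMPLE_AGR_1251).items():
        print(f"{role}: change access to {', '.join(groups)}")
```

Export AGR_1251 for the roles in scope (SE16 or a table download) and pass the six columns to `roles_with_change_access`; the range and wildcard cases are the ones that usually slip past a manual review of PFCG.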

Personnel Time Management (PT)

User Management

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

You require technical users for the following tasks in Personnel Time Management:

● To upload time events from the external time recording system you use the RPTCC106 report (HR-PDC: Download Upload Request for Time Events). You will normally schedule the report as a background processing job. For this you require a technical user. The authorizations of the technical user should be based on the authorizations for the PT80 transaction (Subsystem Connection).

Time events are uploaded from the subsystem by an IDoc, which stores the time events in the interface table CC1TEV. For the upload, you require a technical user with authorizations for communication with an SAP system via Application Link Enabling (ALE) and the required table authorizations. The technical user does not require authorizations specific to the SAP HR solution.

You require a technical user with authorizations for the PT45 transaction (HR-PDC: Post Person Time Events) for the background processing job that transfers the time events from the interface table to the relevant Time Management tables.

● You require two types of technical users for BAPIs that store data in one of the PTEXDIR, PTEX2000, PTEX2003, or PTEX2010 interface tables.

○ To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.

○ For the subsequent background processing job to transfer data from the interface tables to the infotype database tables, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).

○ For technical users for the BAPIs that have read access to the infotypes, you can use the same authorizations as contained in the SAP_HR_PT_TIME-ADMINISTRATOR role.


● You also require technical users for all other ALE scenarios and BAPIs in Personnel Time Management.

For more information, see Communication Destinations [Seite 167].

Authorizations

The Personnel Time Management component uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to the Time Management component.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Time Management component.

Standard Roles

Role Description

SAP_HR_PT_SHIFT-PLANNER Shift Planner [Extern]

SAP_HR_PT_TIME-ADMINISTRATOR Time Administrator [Extern]

SAP_HR_PT_TIME-LABOR-ANALYST Time and Labor Analyst [Extern]

SAP_HR_PT_TIME-MGMT-SPECIALIST Time Management Specialist [Extern]

SAP_HR_PT_TIME-SUPERVISOR Time Supervisor [Extern]

SAP_ESSUSER_ERP05 Employee Self-Service [Extern]

SAP_HR_PT_US_PS_TIME-ADM Time Recording Administrator

This role is used only in the Public Sector in the country version for the USA.

Authorization Objects

The Time Management component uses the Personnel Management authorization objects; it does not have any of its own.

For more information about the authorizations, see:

● The SAP Library. Choose Human Resources → Personnel Management → Personnel Administration → Technical Processes in Personnel Administration → Authorizations for Human Resources [Extern].

● The Implementation Guide for Personnel Time Management: Choose Management of Roles and Authorizations.


Communication Destinations

Special communication destinations are available for some Time Management components.

Connection to External Time Recording Terminals

Time Management supports a connection to external time recording systems (using the HR-PDC interface). Data is communicated using asynchronous BAPIs via IDocs.

For more information, see the SAP Library and choose Personnel Time Management → Integration with Other Components → Connection to External Time Management Systems [Extern].

External Interfaces to Personnel Time Management

You can use the Time Management BAPIs to exchange data with other time management software. The BAPIs enable you to read, create, change, or delete the time management data.

See also:

For more detailed information, see

● The SAP Library in the description of the ALE scenarios for Personnel Time Management under Scenarios in Applications → ALE/EDI Business Processes [Extern].

● SAP Note 44103: Setting Up the PDC Interface


Payroll (PY)

Before You Start

Important SAP Notes

The following table presents the most important SAP Notes regarding security for Payroll.

Important SAP Notes

SAP Note Number Title Comment

430595 Tax Reporter Transaction and Spool Security

Only valid for the USA country version

Additional Information

For more information about Payroll security, see the Personnel Management [Seite 154] Security Guide.

User Management

User management for Payroll uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for Payroll, see the sections below. In addition, there is a list of the standard users that are necessary for operating Payroll.

User Management Tools

The table below shows the tools to use for user management with Payroll.

User Management Tools

Tool: Detailed Description (Prerequisites)

User and Role Maintenance (transaction PFCG): You can use the Role Maintenance transaction PFCG to generate profiles for your Payroll users.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.


The user types required for Payroll include:

● Individual users

○ Administration user

○ Payroll manager

○ Payroll specialist

● Technical users

○ Payroll procedure administrator

○ ALE user for posting payroll results to Accounting

For more information about these user types, see the SAP Web AS ABAP Security Guide under User Types.

Authorizations

The Payroll component uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations in the SAP Web AS ABAP Security Guide therefore also apply to Payroll.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).

Standard Roles

The following table shows examples of standard roles that are used by the Payroll component.

Role | Description
SAP_HR_PY_xx_PAYROLL-ADM | Payroll administrator <xx>
SAP_HR_PY_xx_PAYROLL-MANAGER | Payroll manager <xx>
SAP_HR_PY_xx_PAYROLL-PROC-ADM | Payroll procedure administrator <xx>
SAP_HR_PY_xx_PAYROLL-SPEC | Payroll specialist <xx>
SAP_HR_PY_xx_* | Roles for mapping country-specific tasks within payroll
SAP_HR_PY_PAYROLL-LOAN-ADM | Loan accounting administrator

xx stands for the country key. For the roles marked with an asterisk (*), additional roles exist for each of the countries.

You can find additional roles in the description of the Personnel Management standard roles.


Standard Authorization Objects

The following table displays the security-relevant authorization objects used by Payroll.

Authorization Object | Short Description | Use
P_PBSPWE | Process Workbench Engine (PWE) authorization | Authorizations for the Process Workbench Engine (PWE)
P_PCLX | HR: Cluster | Check when accessing HR files in the PCLx (x = 1, 2, 3, 4) cluster databases
P_PCR | HR: Personnel control record | Authorization check for the personnel control record (transaction PA03)
P_PE01 | HR: Authorization for personnel calculation schemas | Authorization check for personnel calculation schemas
P_PE02 | HR: Authorization for personnel calculation rules | Authorization check for personnel calculation rules
P_PYEVDOC | HR: Posting document | Protection of actions on payroll posting documents
P_PYEVRUN | HR: Posting run | Control of the actions that are possible for posting runs
P_OCWBENCH | HR: Activities in the Off-Cycle Workbench | Used for the authorization check in the Off-Cycle Workbench
P_B2A | HR-B2A: B2A Manager | Determines the authorization check for the B2A Manager; only relevant once the B2A Manager is in use
P_USTR | Tax report authorization (USA country version only) | Authorizations for the tax report (USA country version only)
S_TMS_ACT | Actions on TemSe objects | Determines who may execute which operations on which TemSe objects

Note that P_PE01 and P_PE02 gate changes to the schemas and rules that drive every payroll run, so grant them as sparingly as development authorizations, and that P_PCLX with an unrestricted cluster ID and access level gives read and write access to the stored payroll results themselves.
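To turn the table above into something you can check, here is an added example, written for this edit and not SAP code, that reviews an exported list of role authorizations for wildcard grants on these objects and for roles that can write to the PCLx clusters. The input layout mimics the columns of a download of the role authorization data (role, object, field, low value, high value, for example from table AGR_1251 via SE16); the rows are constructed sample data, the S_TMS_ACT and P_PCR field names in them are placeholders, and only the RELID (cluster ID) and AUTHC (access level) fields of P_PCLX are taken as given.

```python
"""Review an exported list of role authorizations for over-broad Payroll grants.

Added example for this guide, not SAP code. The input mimics a tab-separated
download of the role authorization data (role, authorization object, field,
low value, high value). All rows below are constructed sample data; the
S_TMS_ACT and P_PCR field names in them are placeholders, only P_PCLX's RELID
(cluster ID) and AUTHC (access level) fields are taken as given.
"""
from collections import defaultdict

# Authorization objects the Payroll section of the guide lists as security-relevant.
SENSITIVE_OBJECTS = {
    "P_PBSPWE", "P_PCLX", "P_PCR", "P_PE01", "P_PE02", "P_PYEVDOC",
    "P_PYEVRUN", "P_OCWBENCH", "P_B2A", "P_USTR", "S_TMS_ACT",
}

# Constructed sample export (tab-separated): ROLE, OBJECT, FIELD, LOW, HIGH
SAMPLE_EXPORT = """\
Z_PY_SPECIALIST\tP_PCLX\tRELID\tRU\t
Z_PY_SPECIALIST\tP_PCLX\tAUTHC\tR\t
Z_PY_SPECIALIST\tP_PCR\tABRKS\tD1\tD9
Z_PY_ADMIN\tP_PCLX\tRELID\t*\t
Z_PY_ADMIN\tP_PCLX\tAUTHC\t*\t
Z_PY_ADMIN\tS_TMS_ACT\tSTMSACT\t*\t
Z_PY_ADMIN\tS_TABU_DIS\tACTVT\t*\t
Z_PY_REPORTER\tP_PCLX\tRELID\tRD\t
Z_PY_REPORTER\tP_PCLX\tAUTHC\tU\t
"""


def parse_export(text):
    """Return (role, object, field, low, high) tuples from the tab-separated dump."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (5 - len(parts))      # tolerate a missing HIGH column
        rows.append(tuple(p.strip() for p in parts[:5]))
    return rows


def group_grants(rows):
    """role -> object -> field -> set of (low, high) value pairs."""
    grants = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for role, obj, field, low, high in rows:
        grants[role][obj][field].add((low, high))
    return grants


def is_full_access(low, high):
    """A '*' in either bound grants every value of the field."""
    return low == "*" or high == "*"


def find_overbroad(rows):
    """Roles granting '*' on any field of a Payroll-relevant object.

    Returns a sorted list of (role, object, [fields with full access])."""
    findings = []
    for role, objs in group_grants(rows).items():
        for obj, fields in objs.items():
            if obj not in SENSITIVE_OBJECTS:
                continue
            wild = sorted(f for f, vals in fields.items()
                          if any(is_full_access(lo, hi) for lo, hi in vals))
            if wild:
                findings.append((role, obj, wild))
    return sorted(findings)


def cluster_writers(rows):
    """Roles whose P_PCLX AUTHC allows more than read access.

    Assumption: "R" is read-only; any other value (for example "U" or "*") is
    treated as write capability on the PCLx payroll clusters."""
    writers = {}
    for role, objs in group_grants(rows).items():
        levels = {lo for lo, _ in objs.get("P_PCLX", {}).get("AUTHC", set())}
        if levels - {"R"}:
            writers[role] = sorted(levels - {"R"})
    return writers


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for role, obj, fields in find_overbroad(rows):
        print(f"{role}: full access on {obj} field(s) {', '.join(fields)}")
    for role, levels in sorted(cluster_writers(rows).items()):
        print(f"{role}: can write PCLx clusters (AUTHC {', '.join(levels)})")
```

On the sample data the script flags Z_PY_ADMIN for unrestricted P_PCLX and S_TMS_ACT and lists Z_PY_ADMIN and Z_PY_REPORTER as cluster writers; the S_TABU_DIS wildcard is ignored because it is not one of the Payroll objects, which is a reminder that this check is scoped to the table above and is not a general role review.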


Communication Channel Security

Use

The table below shows the communication paths used by Payroll, the protocol used for the connection, and the type of data transferred.

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Interface Toolbox (transaction PU12) | ALE | Determined by the user | (not specified)
Display posting runs (transaction PCP0) | ALE | Data for cost accounting | (not specified)
BSI Tax Factory for tax calculation | RFC | Tax data for the USA country version | (not specified)

ALE distributes its IDocs over RFC, so both the ALE paths and the RFC connection to BSI can be protected using Secure Network Communication (SNC). For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Communication Destinations

The following table provides an overview of the communication destinations that Payroll uses.

Destination | Delivered | Type | Description
BSI | (not stated) | RFC, called through the function modules PAYROLL_TAX_CALC_US, PAYROLL_TAX_CALC_US_50, PAYROLL_TAX_CALC_US_60 and PAYROLL_TAX_CALC_US_70 | Tax calculation for the USA country version

Data Storage Security

Use

Payroll results are condensed and stored in an INDX-type cluster table. In the standard system, access is protected by the read and write authorizations for the infotypes and by the authorizations for the required clusters (authorization object P_PCLX).


Security for Additional Applications

Use

The country versions for payroll use reports that display sensitive data, for example from the following areas:

● Salary

● Tax

● Social insurance

● Pension contributions

● Court orders

This data is stored in temporary sequential (TemSe) files to create and output legal forms, statistics, and analyses. The same technology is also used to download data directly to the front end or the application server without storing it as TemSe objects first. The data can then be copied from the front end or the application server to a data medium for transfer to the authorities.

Within the ECC system you control access to TemSe objects using the authorization object S_TMS_ACT (TemSe: Actions on TemSe objects). The guide does not require encryption of the TemSe objects themselves. The copies that leave the system by download or on a data medium are outside this authorization control, however, and have to be protected by the handling of that medium.

You can find information about the TemSe objects for your country version in the Payroll documentation for your country version.

Other Security-Relevant Information

Use

The following security-relevant information applies to the USA country version:

● You can update the Taxability model using the Interface Toolbox (transaction PU12). There are currently no special authorizations for this.

● You have the option of preventing unauthorized or accidental updates to the PCL4 database.

○ You can activate or deactivate the authorization checks for the tax return using the feature UTXSS.

○ You can determine the codes for spool authorizations depending on the tax company and the tax class using the feature UTXSP.

For more information, see the documentation for these features.


SAP Learning Solution

Technical System Landscape

The SAP Learning Solution provides very versatile installation and integration options. The distributed system architecture enables a scalable solution. Knowledge of the communication channels and of the relationships between the individual components is important to enable you to select the optimum security strategy.

The following graphic provides an overview of the technical system landscape of the SAP Learning Solution.

Technical System Landscape

[Figure: Technical System Landscape. The learner's, author's and manager's user interfaces sit on top of the business logic. Components shown: Learning Portal (SAP Web AS with the LSOFE add-on), Content Player (LSOCP on the SAP J2EE Engine), Offline Player (LSOOP), Authoring Environment (LSOAE), learning content and search (TREX and the CMS in SAP Enterprise Portal), Collaboration (Business Package for Learning in EP), mySAP ERP with SAP ECC Core and the SAP ECC HCM Extension (includes LSOTM Training Management, no add-on), mySAP HR Performance Management and Personnel Development master data, analytical reporting in SAP BW, SAP Process Integration (PI/XI), and an external LMS.]

Communication between the individual components is handled using RFC and HTTP. This lets you distribute the components over multiple servers and safeguard individual communication channels and servers specifically. If you have no particularly critical security requirements, you can combine all components on one server. A distributed landscape lets you maximize security for individual components; a single server reduces costs and improves system performance.


Persistence

Use

The following tables classify the data that the SAP Learning Solution saves and name the tables in which it is stored. The SAP Learning Solution stores all data centrally in the ERP system.

Persistence of the Training Catalog
Tables: objects and their attributes in HRPnnnn; relationships in HRP1001, additional data in HRPADnnn
Remarks: PD infotype framework. Courses, course types, and course groups are object types whose data is stored in infotypes. Links between the objects are realized using relationships. Relationship data is stored in transparent tables.
Components used: LSOFE (read/write), ERP system (read/write), LSOCP (read/write)
Most important authorization objects: P_ORGIN, P_APPL, PLOG

Persistence of Completion Information, Progress Data, SCORM Data
Tables: LSOLEARN* tables of package LSO_LEARNERACCOUNT
Remarks: LSOLEARNING_C contains the results fed back from the Content Player to the ERP system. All other data is used by the Content Player only.
Components used: LSOCP (read/write), ERP system (read)

Persistence of Test Results
Tables: LSOTACLRN* tables of package LSO_TAC_DD
Components used: LSOCP (write), ERP system (read)


Persistence of Publishing Information
Tables: LSOTACAS* tables of package LSO_TAC_DD (tests); LSOLU* tables of package LSO_LEARNERACCOUNT
Components used: LSOAE (read/write), LSOCP (read), ERP system (read/write)

Persistence of Digital Signatures
Tables: LSOLEARNESIGN* tables of package LSO_LEARNERACCOUNT
Components used: LSOFE (read), ERP system (read/write)

Learning Portal (LSOFE)

The Learning Portal (LSOFE) is the entry point for learners in SAP Learning Solution. It can be called directly on the SAP Web AS or integrated as an iView in SAP Enterprise Portal.

The following graphic provides an overview of the technical system landscape for the Learning Portal.

Learning Portal

[Figure: Learning Portal. Browser to SAP Enterprise Portal (optional) and to LSOFE over HTTP/HTTPS, with an SSO2 ticket when the call comes through the portal; LSOFE to mySAP ERP over trusted RFC and to the portal over RFC; LSOFE to an external LMS over SOAP. Learner 1 to Learner 7 mark the user types listed under User Management.]


The learner requires a user in SAP Web AS. No special authorizations are required for the user since the front end does not contain a persistence layer. All data is stored in the ERP system.

Configuration Settings

Browser:

● JavaScript must be active.

● SAP Web AS requires cookies for session handling.

● HTTP 1.1 is strongly recommended.

SAP Enterprise Portal:

● It may be necessary to map the SAP Enterprise Portal user to the Web AS user.

● You must maintain the RFC connection to the ERP system.

SAP ERP:

● A trusted relationship is required between SAP Web AS and the ERP system.

● If you want to implement the Objective Setting and Appraisals component, an HTTP/HTTPS channel is also required.

Content Player (LSOCP)

The Content Player (LSOCP) is called from the Learning Portal using a URL to play web-based training courses (WBTs). The Content Player has no persistence layer of its own; it reads and writes all data in the ERP system.

The following graphic provides an overview of the technical system landscape for the Content Player.

Content Player

[Figure: Content Player. Browser to LSOCP over HTTP/HTTPS; LSOCP to the Content Management System over HTTP/HTTPS and to mySAP ERP over RFC. Content Player 1 to Content Player 4 mark the user types listed under User Management.]


Configuration Settings

Browser:

● JavaScript must be active.

● Java VM must be active.

● SUN Java Plug-In 1.4.2 must be installed (only if you want to use tests created with LSO Test Author).

● HTTP 1.1 is strongly recommended.

● Cookies are required for session handling.

Offline Player (LSOOP)

The Offline Player lets you play instructional content offline, without network access. It reads the content and synchronizes the learner's progress through the Content Player. Instructional content and learning progress are stored in the local file system, by default in the learner's home directory.

The following graphic provides an overview of the technical system landscape for the Offline Player.

Offline Player

[Figure: Offline Player. Browser to LSOOP over HTTP on the local PC; LSOOP to LSOCP over HTTP/HTTPS. Offline Player 1 and Offline Player 2 mark the user types listed under User Management.]


Configuration Settings

Browser:

● JavaScript must be active.

● Java VM must be active.

● SUN Java Plug-In 1.4.2 must be installed (only if you want to use tests created with LSO Test Author).

● HTTP 1.1 is strongly recommended.

● Cookies are required for session handling.

LSOOP:

● Java 2 SDK 1.4.2 must be installed.

Authoring Environment (LSOAE)

The Authoring Environment (LSOAE) must be installed locally on the author's PC. It can be used online or offline. In online mode, you require a connection to the ERP system and the Content Management System. In offline mode, all data is stored in the local file system, in a directory you choose. The data comprises course content and configuration data; you can protect it at operating system level.

The following graphic provides an overview of the technical system landscape for the Authoring Environment.

Authoring Environment

[Figure: Authoring Environment. Browser to LSOAE over HTTP; LSOAE to the Content Management System over WebDAV, to mySAP ERP over RFC and to TREX over HTTP. Author 1 to Author 4 mark the user types listed under User Management.]


The Authoring Environment contains a special version of the Content Player that plays, locally, the course content currently being edited in the Authoring Environment. Like the Offline Player, this local Content Player cannot be used remotely; it can only be called from the PC on which it is installed.

Configuration Settings

Browser:

● JavaScript must be active.

● Java VM must be active.

● SUN Java Plug-In 1.4.2 must be installed (only if you want to use tests created with LSO Test Author).

● HTTP 1.1 is strongly recommended.

● Cookies are required for session handling.

LSOAE300:

● Java 2 SDK 1.4.2 must be installed.

Environment for the Training Administrator

The SAP GUI transactions required for the training administrator role are available in the ERP system. The following graphic provides an overview of the technical system landscape for the back end.

Environment for the Training Administrator

[Figure: Environment for the Training Administrator. SAP GUI to mySAP ERP over DIAG, optionally through SAP Enterprise Portal; mySAP ERP to Process Integration (PI/XI) over RFC. User 1 to User 5 mark the user types listed under User Management.]


User Management

User management for SAP Learning Solution uses the mechanisms provided by the SAP Web Application Server (ABAP and Java), for example tools, user types, and password policies. The sections below give an overview of how these mechanisms apply to SAP Learning Solution and list the users that are necessary for operating it.

User Management Tools

The table below shows the tools used for user management in SAP Learning Solution.

Tool | Detailed Description | Prerequisites
User and role maintenance in SAP Web AS ABAP (transactions SU01, PFCG) | For more information, see Users and Roles (BC-SEC-USR). | (none listed)
User Management Engine of SAP Web AS Java | For more information, see User Management Engine. | (none listed)

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not the users under which background processing jobs run.

The user types required for SAP Learning Solution include:

● Individual users

○ Access to Training Management (LSOTM) uses dialog users, either directly through SAP GUI or indirectly through the Authoring Environment (LSOAE).

○ Access to the Learning Portal (LPO) uses Internet users. If the components are installed on separate systems, the required users must exist both in the front-end system (LSOFE) and in the Training Management system (LSOTM).

○ Access to SAP Enterprise Portal (EP) uses Internet users. Authors access the Content Management System (CMS) in SAP Enterprise Portal indirectly from the Authoring Environment (LSOAE). Learners access it through the browser if the LPO is embedded in EP or if you use Collaboration in EP.

● Technical users:

○ A communication user is used to access Training Management (LSOTM) when playing courses on the Content Player (LSOCP).

○ A communication user is used to access the Content Management System in SAP Enterprise Portal when playing courses on the Content Player (LSOCP).


○ A communication user is used for communication with external learning management systems (LMS) from the Training Management system (LSOTM) to access the Exchange Infrastructure (XI).

For more information on these user types, see User Types in the SAP Web AS ABAP Security Guide.

The following tables give details of user management for the various user types in the different tools of SAP Learning Solution.

User Types in the Learning Portal

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [page 175]
Depends on the operating system used | Learner in local operating system | Browser authorization | Learner 1
Portal user | Learner in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 2
Dialog user | Learner in SAP Web AS | No special authorization for SAP Learning Solution | Learner 3
Communication user | Learner in ERP system | SAP_HR_LSO_LEARNER | Learner 4
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | Learner 5
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | Learner 6
Anonymous | External LMS | Depends on LMS used | Learner 7

User Types in the Content Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [page 176]
Depends on the operating system used | Learner in local operating system | Browser authorization | Content Player 1
Anonymous | Content Player in SAP J2EE | (none) | Content Player 2
Communication user | Content Player in the ERP system | SAP_HR_LSO_COURSEPLAYER | Content Player 3
Depends on the CMS used | Content Player in the Content Management System (CMS) | Read access via HTTP/HTTPS | Content Player 4

User Types in the Offline Player

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [page 177]
Depends on the operating system used | Learner in local operating system | Browser authorization | Offline Player 1
Anonymous | Content Player in SAP J2EE | (none) | Offline Player 2

User Types in the Authoring Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [page 178]
Depends on the operating system used | Author in local operating system | Browser authorization; authorization for Java 2 SDK 1.4.2 | Author 1
Depends on the CMS used | Author in the CMS | Authorization to lock, unlock, read, create, delete, and write data via WebDAV | Author 2
Communication user | Author in the ERP system | SAP_HR_LSO_AUTHOR | Author 3
Anonymous | Author (search via TREX) | (none) | Author 4

User Types in the Training Coordinator's Environment

User Type | Description | Role / Authorization | Name in Graphic of Technology Landscape [page 179]
Depends on the operating system used | Training administrator in local operating system | SAP GUI authorization | User 1
Dialog user | Administrator in ERP system | SAP_HR_LSO_DEVELOPMANAGER, SAP_HR_LSO_HRMANAGER, SAP_HR_LSO_SPECIALIST, SAP_HR_LSO_TRAININGADMIN, SAP_HR_LSO_TRAININGMANAGER, SAP_HR_LSO_ACCOUNTINGADMIN, SAP_HR_LSO_FOLLOWUPADMIN, SAP_HR_LSO_PARTICIPADMIN, SAP_HR_LSO_RESOURCEADMIN | User 2
Service user | Collaboration in the ERP system | No special authorization for SAP Learning Solution | User 3
Portal user | Collaboration in SAP Enterprise Portal | No special authorization for SAP Learning Solution | User 4
XI user | Process Integration (PI/XI) | XI access authorization | User 5

Authorizations

The SAP Learning Solution uses the authorization concept provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations in the SAP Web AS ABAP Security Guide and the SAP Web AS Java Security Guide therefore also apply to SAP Learning Solution.

The SAP Web Application Server authorization concept is based on assigning authorizations to users on the basis of roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user administration console for SAP Web AS Java.

Standard Authorization Objects

The following table shows the security-relevant authorization objects that are used by the SAP Learning Solution. The data they protect lives in the PD infotype framework (tables HRPnnnn: courses, course types, and course groups).

Authorization Object | Description
P_ORGIN | Used to determine and check a user's authorizations at the level of HR master data
P_APPL | Used to control read and write authorizations for Applicant Management infotypes
PLOG | Used at the level of Personnel Planning data to specify the types of information a user may receive

Standard Roles

The following table shows the standard roles that are used by SAP Learning Solution. For more information, see User Management [page 180].


Role | Description
SAP_HR_LSO_ACCOUNTINGADMIN | Training accounting
SAP_HR_LSO_AUTHOR | Course author or instructional designer
SAP_HR_LSO_COURSEPLAYER | User of the Content Player
SAP_HR_LSO_DEVELOPMANAGER | Personnel Development Manager Training
SAP_HR_LSO_FOLLOWUPADMIN | Course follow-up
SAP_HR_LSO_HR-MANAGER | HR Manager Training
SAP_HR_LSO_LEARNER | Learner
SAP_HR_LSO_MANAGER | Manager
SAP_HR_LSO_PARTICIPADMIN | Participation administration
SAP_HR_LSO_RESOURCEADMIN | Manage resources
SAP_HR_LSO_SPECIALIST | System Specialist Training
SAP_HR_LSO_TRAININGADMIN | Training Administrator
SAP_HR_LSO_TRAININGMANAGER | Training Manager

Communication Channel Security

The following graphic gives an overview of the communication channels listed in the tables below.

Technical System Landscape and Communication Channels

[Figure: Technical System Landscape and Communication Channels. LSOFE and ECC run on SAP Web AS ABAP, LSOCP and EP 6.0 on SAP Web AS Java, LSOAE and LSOOP on the Java 2 SDK. Channels: RFC, RFC/JCo, trusted RFC, HTTP/HTTPS, and WebDAV over HTTP/HTTPS.]


The tables below show the communication paths used by SAP Learning Solution, the protocol used for the connection, and the type of data transferred. Read them together with the graphics above, which give an overview of the technology landscape.

Learning Portal

See also: Learning Portal (LSOFE) [page 175]

Communication Paths for the Learning Portal: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentication methods supported by the SAP Web AS, typically form-based logon or standard (basic) authentication | Anonymous access is supported but should not be used, because the back end can then not assign a unique learner. With standard authentication the password is transferred in plain text, so protect the transport with SSL.
SAP Enterprise Portal, iView server | HTTP, HTTPS | All authentication methods supported by the SAP Web AS; typically the single sign-on (SSO) logon ticket, since the user has already logged on to the Enterprise Portal | For SSO you must import the Enterprise Portal's certificate into the SAP Web AS so that it can verify the ticket signature.

Communication Paths for the Learning Portal: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
ERP system | RFC | Trusted RFC | (none)
SAP Enterprise Portal / Collaboration | RFC | Ticket | User 4 for authentication, User 3 for RFC authorization


Content Player

See also: Content Player (LSOCP) [page 176]

Communication Paths for the Content Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP, HTTPS | All authentication methods supported by the SAP Web AS/J2EE; the standard system uses anonymous access. No further authentication is needed in the standard system because access is protected by a ticket. | Access to the Content Player is protected by a ticket: the ticket allows the content to be called only once through the URL, and only one ticket is valid at any one time.
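The single-use ticket described above, as an added example of the technique rather than SAP's implementation: the host name, parameter names, HMAC token format and the rule that issuing a new ticket invalidates the learner's previous one are assumptions made for this illustration. The issuer signs learner, course, nonce and expiry with a server-side key; redemption verifies the signature first, then rejects expired, replayed and superseded tickets, and consumes the ticket on its first successful use.

```python
"""Single-use launch ticket for a Content Player URL.

Added illustration of the mechanism the guide describes (a ticket that lets
a content URL be called once, with only one ticket valid at a time). It is
not SAP's implementation: the host name, parameter names, HMAC token format
and the 'latest ticket supersedes the previous one' rule are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

PLAYER_URL = "https://lsocp.example.invalid/player"   # assumed, not a real host


class TicketIssuer:
    def __init__(self, key, ttl_seconds=60, now=time.time):
        self._key = key            # server-side secret shared by issuer and player
        self._ttl = ttl_seconds
        self._now = now            # injectable clock, used by the demo below
        self._current = {}         # learner -> nonce of the single valid ticket

    def _mac(self, learner, course, nonce, expires):
        msg = f"{learner}|{course}|{nonce}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, learner, course):
        """Create a fresh ticket; any earlier ticket of this learner is void."""
        nonce = secrets.token_hex(16)
        expires = int(self._now()) + self._ttl
        self._current[learner] = nonce
        params = {"learner": learner, "course": course, "nonce": nonce,
                  "exp": str(expires),
                  "mac": self._mac(learner, course, nonce, expires)}
        return PLAYER_URL + "?" + urlencode(params)

    def redeem(self, url):
        """Return (True, course) once per ticket, otherwise (False, reason).

        The signature is checked before anything else so that tampered or
        forged tickets never reach the replay bookkeeping."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        try:
            learner, course, nonce, exp, mac = (
                q[k] for k in ("learner", "course", "nonce", "exp", "mac"))
        except KeyError:
            return False, "malformed"
        if not hmac.compare_digest(mac, self._mac(learner, course, nonce, exp)):
            return False, "bad signature"
        if int(self._now()) > int(exp):
            return False, "expired"
        if self._current.get(learner) != nonce:
            return False, "not the current ticket"   # replayed or superseded
        del self._current[learner]                   # consumed: one call only
        return True, course


def demo():
    """Walk through the cases a player must reject; returns the outcomes."""
    clock = [1_000_000]                              # constructed fixed clock
    issuer = TicketIssuer(b"constructed-demo-key", ttl_seconds=60,
                          now=lambda: clock[0])
    out = {}
    url = issuer.issue("learner4", "WBT-1001")
    out["first_use"] = issuer.redeem(url)
    out["replay"] = issuer.redeem(url)
    out["tampered"] = issuer.redeem(url.replace("WBT-1001", "WBT-9999"))
    old = issuer.issue("learner4", "WBT-1001")
    new = issuer.issue("learner4", "WBT-2002")       # supersedes 'old'
    out["superseded"] = issuer.redeem(old)
    out["current"] = issuer.redeem(new)
    stale = issuer.issue("learner4", "WBT-3003")
    clock[0] += 61                                   # past the 60 s lifetime
    out["expired"] = issuer.redeem(stale)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

The per-learner "current nonce" map is what makes "only one ticket valid at any one time" hold: a second launch silently voids the first URL, so a ticket copied out of a browser history or proxy log is useless as soon as the learner starts anything else, and the short lifetime bounds the window even when no second launch happens.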

Communication Paths for the Content Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | HTTP, HTTPS | Anonymous, Basic | You store the user for authentication when you configure the Content Player. With Basic authentication these credentials cross the network in clear text unless HTTPS is used. If you use HTTPS, you must set up HTTPS support of the J2EE Engine; X.509 certificate management is done by the J2EE Engine.
ERP system | RFC (JCo) | User/password | You store the user for authentication when you configure the Content Player. You must create a service user for the Content Player in the ERP system.


Offline Player

See also: Offline Player (LSOOP) [page 177]

Communication Paths for the Offline Player: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Offline Player can be called from the local PC only.

Communication Paths for the Offline Player: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
LSOCP | HTTP, HTTPS | All authentication methods of the SAP Web AS/J2EE | (none)

Authoring Environment

See also: Authoring Environment (LSOAE) [page 178]

Communication Paths for the Authoring Environment: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Browser | HTTP | Anonymous | The Authoring Environment's local Content Player can be called from the local PC only.

Communication Paths for the Authoring Environment: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
Content Management System | WebDAV over HTTP or HTTPS | Anonymous, Basic | WebDAV is an extension of HTTP. The Authoring Environment has no truststore of its own for X.509 certificates; it uses the security provider and truststore of the Java 2 SDK installation. If you want encrypted communication with SSL, you may have to import the Content Management System's certificate into that truststore.
ERP system | RFC (JCo) | User/password | Credentials are entered in a dialog box when switching to online mode.

Environment of the Training Administrator in the Back End

See also: Environment for the Training Administrator [page 179]

Communication Paths for the Back End: Inbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP GUI | DIAG | Standard SAP GUI logon | (none)

Communication Paths for the Back End: Outbound Relationships

Communication Path | Protocol Used | Authentication | Remarks
SAP Enterprise Portal | RFC | SSO2 ticket; the user and password used to generate the ticket are stored in Customizing | Only necessary if integration with Collaboration for SAP NetWeaver is active.
External Learning Management System (via XI) | SOAP | Anonymous | (none)

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections can be protected using the Secure Sockets Layer (SSL) protocol. Since the SOAP path to the external LMS is anonymous at the application level, transport protection between the ERP system, XI and the LMS is the only safeguard for the data sent on it.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Other Security-Relevant Information Profile Parameters To ensure communication between the systems, you must set the following profile parameters using the Profile Parameter Maintenance transaction (RZ11):

mySAP ERP

● For communication with Single Sign-On (SSO) tickets via RFC connections, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.

● For communication with cookies over HTTP connections, you must set the parameter login/create_sso2_ticket in the ERP system.


SAP Web AS ABAP

● For authentication with SSO2, you must set the parameter login/accept_sso2_ticket (Accept SSO ticket logon for this (component) system) in the ERP system.

● If you want to implement the Objective Setting and Appraisals component, you must also set the parameter login/create_sso2_ticket.

For more information, see the documentation for the parameters in transaction RZ11.
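As an added example (not from the SAP guide), the following Python checker parses an SAP instance profile in its standard "name = value" layout and reports whether the two SSO2 parameters named above are present and enabled. The profile text is constructed, and the assumption that a value of 1 enables both parameters is mine, not the guide's.

```python
"""Check an SAP instance profile for the SSO2 ticket parameters this guide
requires: login/accept_sso2_ticket and login/create_sso2_ticket.

Added example, not SAP's own code. The profile contents below are
constructed; the 'name = value' line layout is the standard SAP profile
file format (lines starting with '#' are comments, a later definition of
the same parameter overrides an earlier one).
"""
from __future__ import annotations

# Parameters named in the guide and the value taken to mean "enabled".
# Assumption: 1 enables both; login/create_sso2_ticket has further non-zero
# values in some releases, so compare against the RZ11 documentation.
REQUIRED_SSO2_PARAMS: dict[str, str] = {
    "login/accept_sso2_ticket": "1",
    "login/create_sso2_ticket": "1",
}


def parse_profile(text: str) -> dict[str, str]:
    """Return parameter -> value for every 'name = value' line in a profile."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()   # last definition wins
    return params


def check_sso2_params(text: str) -> dict[str, str]:
    """Return parameter -> problem ('missing' or 'set to <value>') for every
    required SSO2 parameter that is absent or not set to its enabling value.
    An empty dict means the profile satisfies the guide's requirement."""
    params = parse_profile(text)
    problems: dict[str, str] = {}
    for name, wanted in REQUIRED_SSO2_PARAMS.items():
        actual = params.get(name)
        if actual is None:
            problems[name] = "missing"
        elif actual != wanted:
            problems[name] = f"set to {actual}"
    return problems


# Constructed sample profiles: the weak setting and the corrected one.
PROFILE_BEFORE = """\
# constructed instance profile, not a real system
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 0
"""

PROFILE_AFTER = """\
# constructed instance profile, not a real system
SAPSYSTEMNAME = ERP
INSTANCE_NAME = DVEBMGS00
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1
"""

if __name__ == "__main__":
    for label, profile in (("before", PROFILE_BEFORE), ("after", PROFILE_AFTER)):
        print(label, check_sso2_params(profile) or "OK")
```

A value switched dynamically in RZ11 is not written back to the profile file, so a clean result here describes what the instance will have after its next restart, not necessarily its current state.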


SAP E-Recruiting

Before You Start

Important SAP Notes

The following table presents the most important SAP Notes regarding security for E-Recruiting.

Important SAP Notes

SAP Note Number | Title | Comment

711701 | Composite SAP note: Security in E-Recruiting |

For more relevant SAP Notes, see the Security Guide for Personnel Management under Before You Start [Seite 154].

Technical System Landscape

The following graphics provide an overview of the technical system landscape of SAP E-Recruiting.

Functional Architecture

[Figure: functional architecture of SAP E-Recruiting. Labels recoverable from the diagram: Non SAP / SAP, Back-end ERP, Recruitment service providers, Job exchange, Internal career page, External career page, Firewall, Other tools, Back office, Non-ERP system, E-Recruiting.]

The “E-Recruiting Box”

[Figure: the “E-Recruiting Box”: SAP Web AS hosting SAP E-Recruiting together with KPro, a business partner database, the E-Recruiting index, and the TREX system for text retrieval.]

Technologies used:

● Presentation logic: Business Server Pages (BSP), HTML, HTMLB, JavaScript

● Business logic: ABAP/OO

Basic Architecture

[Figure: basic architecture. Zones: Internet, DMZ (application gateway/proxy gateway), Intranet, separated by a firewall. Actors: external user (Web browser, HTTP(S)), internal user (browser, SSO optional, HTTP(S)), system administrator (SAP GUI). Components: TREX, E-Recruiting, DB, mySAP ERP with PA-AS (HR administrative services), SAP XI, non-SAP system. Connections: HTTP(S), SMTP (mail), RFC, RFC (ALE).]

Scaling: Example with three application servers

[Figure: scaling example. Zones: Internet, DMZ, Extranet, Intranet, separated by firewalls and a router. An application gateway/load balancer in front of three e_Recruiting application servers (WAS 6.20); TREX; mySAP ERP with PA-ES; SAP XI; non-SAP system. Connections: HTTPS, HTTP(S), RFC, RFC (ALE), RFC, SQL, and so on.]

User Management

User management for SAP E-Recruiting uses the mechanisms provided by SAP Web Application Server (ABAP, Java, or ABAP and Java), for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP E-Recruiting, see the sections below. In addition, there is a list of the standard users that are necessary for operating SAP E-Recruiting.

User Management Tools

The table below shows the tools to use for user management with SAP E-Recruiting.

User Management Tools

Tool | Detailed Description | Prerequisites

User and Role Maintenance (transaction PFCG) | You can use the Role Maintenance transaction PFCG to generate profiles for your SAP E-Recruiting users. |

Technical Settings for User Management in SAP E-Recruiting | For more information on user profiles, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration. |

Workflow Settings | For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting. | You use the SAP Workflow.

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types required for SAP E-Recruiting are:

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration → Create Special Users.

● Reference user

You can create reference users to simplify authorization maintenance. You assign different roles to each reference user. If you then assign a reference user to a user, the user inherits all of the reference user’s role attributes and authorization profile.

...

● Communication user

To enable access to documents in the document area, you create a user that is assigned to the contentserver service (IMG activity: Set Up Access to Documents). This user is a purely technical user, only required for communication with the Web Application Server.

● Service user

Some scenarios are accessible for registered users only; other scenarios are also accessible for unregistered users (registration, job postings, direct application). You must assign a service user to these services so that an unregistered user can use these services.

● WF-BATCH user

To use the workflow functions, you must create a WF-BATCH system user in the standard system.

In SAP E-Recruiting you must also assign this user (in addition to the other users) to a candidate. You can do this by using the report RCF_CREATE_USER.

● Standard user

Information on the following themes is available in the Implementation Guide for SAP E-Recruiting under Technical Settings → User Administration:

○ User profile

○ Roles (transaction PFCG)

○ Special users

● SAP Workflow: WF-BATCH user

For more information, see the Implementation Guide for SAP E-Recruiting under Technical Settings → Workflow → Workflow in E-Recruiting.


Authorizations

SAP E-Recruiting uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to SAP E-Recruiting.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user administration console for SAP Web AS Java.

Standard Roles

The following table presents the standard roles that are used by SAP E-Recruiting.

Standard Roles

Role | Description

SAP_RCF_BUSINESS_ADMINISTRATOR | Administrator: Administrator for E-Recruiting

SAP_RCF_CONTENT_SERVER | Access for search engine: Access to the search engine TREX

SAP_RCF_DATA_TYPIST | Data entry clerk

SAP_RCF_DECISION_MAKER | Decision maker. The role contains the authorization for a minimum data entry for incoming paper applications.

SAP_RCF_EXTERNAL_CANDIDATE | External candidate. This role is allowed to display its own data only. It can see only those job postings that you have published via the external posting channels using the form for external job postings.

SAP_RCF_INTERNAL_CANDIDATE | Internal candidate. This role is allowed to display its own data only. It can see only those job postings that you have published via the internal posting channels using the form for internal job postings. It cannot access the following data:

● Requisition data

● Job posting data

● Data for the application

● Data for the selection process

SAP_RCF_MANAGER | Manager. This role can access the following data:

● Candidate data: All the candidates who are qualified employees are displayed.

● Publication: It sees those job postings that you have published via the relevant posting channels using the form for internal and external job postings.

● Requisition data and data for the selection process: It can see only the data for which it is also responsible.

SAP_RCF_MANAGER_ASSISTANT | Manager assistant

SAP_RCF_RECRUITER | Recruiter. This role also contains the authorization for minimum data entry. It can access the following data:

● Candidate data: All the candidates who are qualified employees are displayed.

● All job postings

● All requisition data

● All application data

● All data for the selection process

SAP_RCF_SUCCESSION_PLANNER | Succession planner. This role contains the following aspects:

● Display of all candidates who are part of the talent pool

● Requisition data: Shows all requisitions in the system that belong to the Succession Planning subarea

● Candidacy data: Shows all candidacies that have been created in the system as part of Succession Planning

Applications, job postings, and publications are not required for this role.

SAP_RCF_REST_SUCCESSIONPLANNER | Succession planner with restricted authorizations, who has to request approval of the requisitions and job postings. For this purpose, you require an approval procedure.

SAP_RCF_REQUISITION_REQUESTER | Requester: Requester of a requisition

SAP_RCF_RESTRICTED_RECRUITER | Restricted recruiter: Recruiter who is not authorized to release requisitions. For this purpose, an approval process is required.

SAP_RCF_TALENT_CONSULTANT | Talent consultant. This role is used only for the career portal and no longer in the E-Recruiting standard.

SAP_RCF_UNREGISTERED_CANDIDATE | Unregistered candidates (service users)

Standard Authorization Objects

The following table presents the authorization objects relevant for security that are used by SAP E-Recruiting.

Standard Authorization Objects

Authorization Object | Field | Value | Description

P_RCF_APPL | PCF_APPL | See all entries in table T77RCF_LOG_APPL | Authorization check when SAP E-Recruiting applications are called up

R_RCF_VIEW | RCF_VIEW | | Authorization object that, within the scope of SAP E-Recruiting, defines which data overviews a particular user can access.

P_RCF_POOL | RCF_POOL | DIRECT_ACC, DUPL_CHECK, CAND_MAINT | Authorization object that, within the scope of SAP E-Recruiting, defines what type of direct access to candidates in the talent pool is possible for a particular user. The following types of direct access to the candidate pool are available:

● Status-independent access to candidates (DIRECT_ACC)

● Identification of multiple applicants (DUPL_CHECK)

● Maintenance of candidate data (CAND_MAINT)

P_RCF_STAT | RCF_STAT | | Authorization object that, within the scope of SAP E-Recruiting, defines the authorization for status changes to SAP E-Recruiting objects (such as candidates, applications, and candidacies).

SAP E-Recruiting is divided into several applications. For each application, you can assign authorizations and allocate them to the relevant roles. These applications are checked in the authorization object P_RCF_APPL. For a list of applications and their values and descriptions, see table T77RCF_LOG_APPL.


Communication Channel Security

Use

The table below shows the communication paths used by SAP E-Recruiting, the protocol used for the connection, and the type of data transferred.

Communication Paths

Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection

Front-end client that uses SAP GUI for Windows to reach the application server | DIAG | All Customizing data | Passwords

Front-end client that uses a Web browser to reach the application server | HTTP, HTTPS | All application data | Passwords

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.

For more information, see Transport Layer Security in the SAP NetWeaver Security Guide.

Communication Destinations

The following table shows an overview of the communication destinations that SAP E-Recruiting implements.

Depending on which application you implement to manage your HR master data, you use the following communication destinations:

● If you use the SAP GUI transactions for maintaining HR master data (such as PA* transactions), communication with SAP E-Recruiting is via RFC connections.

● If you use the application HR Administrative Services, communication with SAP E-Recruiting is via an SAP NetWeaver PI.

Communication Destinations

Destination | Shipped | Type | Users, Authorizations | Description

From SAP E-Recruiting to SAP Human Resources | No | RFC | See Implementation Guide (IMG) | IMG: SAP E-Recruiting → Recruitment → Applicant Tracking → Activities → Set Up Data Transfer for New Employees

From SAP Human Resources to SAP E-Recruiting | No | RFC | See IMG SAP E-Recruiting → Basic Settings → SAP ERP Central Component (ECC) Integration → Software Runs on Different Instances → Set Up Data Transfer from SAP ECC (SAP ERP Central Component) |

From SAP E-Recruiting to TREX | No | RFC | See IMG SAP E-Recruiting → Basic Settings → User Administration → Create Special Users | SAP E-Recruiting → Basic Settings → Search Engine → Set Up Search Engine for E-Recruiting

From SAP E-Recruiting to HR Administrative Services | No | XI messages | | Transfer data for an external candidate when making the relevant settings

From HR Administrative Services to SAP E-Recruiting | No | XI messages | | Return personnel number of the former external candidate to SAP E-Recruiting

Changes to HR master data are transferred to SAP E-Recruiting by means of master data distribution in the ALE scenario.

Data Storage Security

The SAP E-Recruiting data is saved as follows:

● If you use SAP E-Recruiting integrated with other SAP applications, the data is saved in the SAP Web AS or SAP ECC databases.

● If you use SAP E-Recruiting as a standalone application, the data is saved directly in the SAP E-Recruiting databases. No other databases are required in addition to this standard database.

The application uses a Web browser. The BSP (Business Server Pages) environment must accept cookies.


Defense Forces & Public Security

Before You Start

Basic Recommendations

The Defense Forces & Public Security component is based on SAP ERP Central Component. For this reason, the relevant Security Guide also applies. The Security Guide for the Defense Forces & Public Security component contains only information about component-specific features.

Technical System Landscape

Use

For a presentation of the multilevel system landscape, see the documentation for mySAP ERP in SAP Library under Defense Forces & Public Security → Support for the Domestic Base and Operations and Exercises → System Architecture and Offline Capabilities.

User Administration and Authentication

The Defense Forces & Public Security component uses the user administration and authentication mechanisms of the SAP NetWeaver platform, in particular of the SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the Defense Forces & Public Security component.

The following component-specific tools are also used for user administration. For more information, see the documentation for mySAP ERP in SAP Library under Defense Forces & Public Security → System Architecture.

In addition to these guidelines, we also provide you with information about user administration and authentication, specific to the Defense Forces & Public Security component, in the following section:

● User Management [Seite 200]


User Management

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not users who run background processing jobs.

The user types required for the Defense Forces & Public Security applications are:

● Individual users:

○ Dialog users are used for the following functions for the SAP GUI for Windows or RFC connections:

- Personnel assignment

- Human Resources infotypes

- Qualification management

- Management of flying hours

The other users are usually the same as the users listed for Human Resources. Note in particular the users for Personnel Management. For more information, see User Management [Seite 155].

You may want to differentiate users according to target and actual planning. This cannot be defined in the standard system, however, since it depends on your particular organization.

Standard Users

No particular standard users are provided for the Defense Forces & Public Security component. You are advised to divide up your users according to business-related processes. This means that you could define the following business-related user groups, for example:

● The process of material assignment for a soldier or individual

You could further divide the user group by the following users:

○ Users that are only responsible for the target planning (materials requirements in the organization on a job/position level)

○ Users that are responsible for the actual planning and goods issue

● The process of managing flying hours

User group for defining the annual flying hours program and recording the actual flying hours

● The personnel development process

User group for defining the qualification block hierarchy, that is, the grouping of qualifications according to business criteria

For master data maintenance, the guidelines in the Security Guide for Personnel Management (PA) [Seite 154] apply.


Authorizations

The Defense Forces & Public Security component uses the authorization concept provided by the SAP Web Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide ABAP and SAP Web AS Security Guide Java also apply to Defense Forces & Public Security.

The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS ABAP and the User Management Engine’s user administration console for SAP Web AS Java.

Standard Roles

Roles and authorization profiles are not defined for Defense Forces & Public Security.

Standard Authorization Objects

The following table presents the authorization objects relevant for security that are used by the Defense Forces & Public Security applications.

Standard Authorization Objects

Authorization Object | Class | Value | Description

C_DRAW_TCD | CV | | Authorization for Document Activities

C_KLAH_BKP | CLAS | | Authorization for Class Maintenance

C_TCLA_BKA | CLAS | | Authorization for Class Types

EXTBAT_CRE | LO | | Create External Batch Structure for Purchase Orders

EXTBAT_MNT | LO | | Change External Batch Structures

I_ROUT | PM | | PM: Task Lists

I_TCODE | PM | | PM: Transaction Code

PLOG | HR | | Personnel Planning

C_PVS_PNID | PPE | | iPPE Node: External Key

C_PVS_PNTY | PPE | | iPPE Node: Type

C_PVS_PVID | PPE | | iPPE Variant: External Key

C_PPE_PAID | PPE | | iPPE Alternative: External Key

C_PVS_PATY | PPE | | iPPE Alternative: Type

C_PVS_PVTY | PPE | | iPPE Variant: Type

S_SCD0 | BC_Z | | Change Documents

S_TCODE | AAAB | | Transaction Code Check at Transaction Start

DF_FOR_REL | DFPS | | Force Element: Relationships

M_MATE_STA | MM_G | | Material Master: Maintenance Statuses

M_MATE_WRK | MM_G | | Material Master: Plants

M_MSEG_BMB | MM_B | | Material Documents: Movement Type

M_MSEG_MWB | MM_B | | Material Documents: Plant

M_MSEG_BWA | MM_B | | Goods Movements: Movement Type

M_MSEG_LGO | MM_B | | Goods Movements: Storage Location

M_MSEG_WWA | MM_B | | Goods Movements: Plant

In addition, Defense Forces & Public Security uses the Human Resources authorization objects. For more information, see the description of the Human Resources authorization objects, in particular those for Personnel Management.

Network and Communication Security

Subareas of Defense Forces & Public Security use the standard functions in the infotype framework for Personnel Administration and Personnel Development. For more information, see the Security Guide for Personnel Management.

In the case of the material assignment function, the existing interfaces (BAPIs) are used to communicate with applications outside of Human Resources, such as Materials Management.

Data Storage Security

Data is stored in databases in the SAP system. For general information about the security of the data storage, see the Security Guide for Personnel Management, for example.

Note that the following infotypes may contain sensitive data:

● Personal Features (0804)

● Sanctions (0802)

Appendix

For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.

You can also access additional security guides via SAP Service Marketplace at service.sap.com/securityguide.

For more information about security issues, see SAP Service Marketplace at service.sap.com followed by:

Topic | SAP Service Marketplace

Master guides, installation guides, upgrade guides, and Solution Management guides | /instguides, /ibc

Related notes | /notes

Platforms | /platforms

Network security | /network, /securityguide

Technical infrastructure | /ti

SAP Solution Manager | /solutionmanager