Security Guide
Target Audience
- System administrators
- Technology consultants
- Application consultants
PUBLIC
Document version: 1.1 ‒ 03/30/2009
Document History
Caution
Before you start the implementation and configuration of SAP Solution Manager, make sure you
have the latest version of this document. You can find the latest version at the following location:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.
The following table provides an overview of the most important document changes.
| Support Package (Version) | Date | Description |
|---|---|---|
| SP15 | 06.02.2008 | New roles for solution authorization. Authorization object D_SOL_VSBL is now included in the roles for solutions SAP_SM_SOLUTION_*. The authorization object is inactive in all other roles. See section: Roles in Solution Manager. It needs to be granted in addition to the role for the functionality, for instance Maintenance Optimizer. New roles for: Job Scheduling; Issue Management; Maintenance Optimizer (additional). See section: Roles and Authorizations. New roles for work center navigation. See section Work Center Navigation Roles and the example it contains. Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See section: Communication Destinations. |
| SP16 | | New roles for Solution Documentation Assistant. See sections: Roles and Authorization and section Work Center Navigation Roles. New roles for Third Party Product: BMC AppSight for SAP Client Diagnostics. See section: Roles and Authorizations. |
| SP17 | | Values for authorization object S_RFC in role SAP_SOLMANDIAG_E2E extended. Note: The authorization profile S_SM_EXECUTE allows batch processing in the managing system for managed systems. You can use this profile also solely for this purpose. In this case, you have to assign the profile to the according technical user, manually. New chapters: Secure Storage. |
1 Security Guide
Caution
The following note ONLY applies to SAP customers in Germany and Austria
The extent of the usage of the software package "SAP Enhancement Package 1 for SAP Solution
Manager 7.0" depends upon the type of maintenance contract you have signed. If you have a signed
contract for:
- SAP Enterprise Support
- Product Support for Large Enterprises
- SAP Premium Support
- SAP MaxAttention
you are authorized to use all functions in the software package, without any restrictions.
If you have signed exclusively standard support contracts, you are allowed to install this software
package, but you are only allowed to use a restricted functionality. You are not allowed to use the
following Enterprise Edition functions:
- Business Process Change Analyzer
- Quality Gate Management
- Custom Development Management Cockpit
The following note applies ONLY to SAP customers in Germany and Austria
The ways in which you may use the software package "SAP Enhancement Package 1 for SAP Solution
Manager 7.0" depend on your maintenance contract.
If you have a contract for:
- SAP Enterprise Support
- SAP Product Support for Large Enterprises
- SAP Premium Support
- SAP MaxAttention
you are entitled to use all functions of the software package without restriction.
If you have signed exclusively standard support contracts, you may install this software
package and use it with a restricted range of functions. The functions listed below, which are
part of the Enterprise Edition, must not be used:
- Business Process Change Analyzer
- Quality Gate Management
Integration
Security topics are relevant for the following phases:
- Installation and Upgrade
- Configuration
- Operation
Recommendation
Use this guide during all phases. For a detailed overview of which documentation is relevant for each
phase, see also SAP Note 1088980. Refer to the documents described in this note.
Constraints
This document is not part of the installation guide, sizing guide or upgrade guide for Solution Manager.
These guides are only relevant for a certain phase of the software life cycle, whereas the security
guide provides information that is relevant for all life cycle phases. All support packages based on
SAP Enhancement Package 1 (EhP1) for SAP Solution Manager are based on CRM 5.0 and SAP
Enhancement Package 1 for SAP NetWeaver 7.0, so the security guides for these products also apply
to SAP Solution Manager.
Caution
Up to SAP Solution Manager Support Package 17, SAP Solution Manager is based on CRM 5.0 and
SAP NetWeaver 7.0. Use the security guides for these products if you use SAP Solution Manager SP17.
More Information
For a complete list of the available SAP Security Guides, see the SAP Service Marketplace:
http://service.sap.com/securityguides
2 Getting Started
This guide does not replace the daily operations handbook that we recommend customers
create for their productive operations. With the increasing use of distributed systems and the
Internet for managing business data, the demands on security are also on the rise. When using a
distributed system, you need to be sure that your data and processes support your business needs
without allowing unauthorized access to critical information. User errors, negligence, or attempted
manipulation of your system should not result in loss of information or processing time. These
security requirements also apply to SAP Solution Manager. This guide helps you to secure your
system landscape. It covers the following SAP Solution Manager functions:
- Getting Started with information on the integrated functions/modularity concept, and a step
  by step procedure to use this guide.
- Network and Communication Security with overviews of communication channels and
  destinations in your system landscape, and information on ICF Framework.
- User Administration and Authentication with overviews of users and business partners, and
  information on Single Sign-On.
- Authorizations with a detailed description of critical authorizations for the most relevant RFC
  connections in your system landscape, and overviews of roles for functions and scenarios.
- Work Center Navigation with mappings of the work center views onto authorization roles.
- S-User Authorizations with information on S-users, and their authorization.
- Service Provider and Service Provider Customer Specification with information on Service
  Provider-specific authorizations and security topics.
- Background Processes with overviews of background jobs per function.
- Traces and Logs with information on traces and log possibilities.
The target groups of this guide are readers who are already familiar with SAP Solution Manager and
configuration procedures in an implementation and/or upgrade project, that is technical consultants,
system administrators and/or application consultants.
- technology consultants: working with technical processes supported by SAP software during
  implementation, when deciding which settings to make
- system administrators: optimizing the system during and after implementation
- application consultants: mapping a company’s actual business processes to the processes and
  functions supported by SAP software during implementation, and when deciding which settings
  to make
SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes
and systems, within a system/platform. The product life-cycle can be regarded as a set of scenarios. A
scenario is a group of business process-related functions which support the sequential and logical
relationships of processes within the life-cycle of the product. We differentiate between scenarios
(for instance: Implementation/Upgrade of SAP Solutions or Service Desk), processes relating to these scenarios
(for instance: Roadmap) and functions that can be used in one or more scenarios (for example,
the function Document Management can be used in the scenario Implementation and/or the scenario Test
Management). The configuration of SAP Solution Manager uses this scenario-related approach.
Note
Usage data about the functions and scenarios used by the customer is sent to SAP. See: SAP Note
939897 (How to prevent this transfer).
More Information
If you have insufficient understanding of SAP Solution Manager and its applications,
see the master guide for SAP Solution Manager in the Service Marketplace
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>
and the corresponding application help on the Help Portal http://help.sap.com/solutionmanager.
The life cycle of a product comprises various phases, such as implementation, operation, upgrade,
and so on. Tools can be used to realize a process within these phases. The tools integrate strongly
with each other to support seamless document and information flow over the whole life cycle. The
work center approach demonstrates this integration. To realize this integrated approach and at
the same time allow you the freedom to build and configure according to your company’s needs,
configuration and SAP template roles are function-related. Configuration and authorizations for
integrated functions are based on a modular approach.
Example
All delivered template roles for end users contain only authorizations that are relevant for the
function they describe. Therefore, roles of different functions can be assigned to one user. You
must know which functions you want to use.
Before you can work with a scenario/function in the Solution Manager systems, you need to make all
relevant systems, databases, and servers known, and maintain primary units such as solutions and
logical components, and your business processes. This guide refers to all these as infrastructure. The
appendix of this guide contains a detailed definition of these terms. Infrastructure comprises all
entities that are the basis for scenarios.
Example
Roles are structured according to functions in scenarios and infrastructure. Roles for infrastructure
include roles for systems, roles for solutions, roles for Service Data Control Center, and so on.
Prerequisites
For a detailed description of scenarios and functions, see the master guide for SAP Solution Manager
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.
Your Solution Manager system is the platform for administrative tasks in implementing, operating
and upgrading systems in your system landscape. It relies heavily on mandatory and optional
components implemented in addition to SAP Solution Manager. The following table gives you
an overview of these additional components.
Recommendation
To ensure a smooth integration of these components, familiarize yourself with their installation,
configuration, and operation.
Features
Additional Components
More Information
For a comprehensive overview and to find out which additional components are relevant
for the configuration of your scenarios, see master guide for SAP Solution Manager
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>
As a Service Provider, you provide services to your customers using Solution Manager. See the
section Service Provider and Service Provider Customer Specification. For more information on Service Provider
scenarios and definition, see the master guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.
This section tells you how to use this guide most efficiently.
For completeness, the guide includes overviews of topics, such as technical users, or RFC
connections. These overviews are bundled according to functions and modularity, as described in
section Integration of Functions. For example, the RFC connections overview allows you to either see all
RFC connections relevant for Solution Manager and its managed systems, or check certain types of
connections, such as all connections from SAP Solution Manager to SAP, or local connections. Or if
you are, for instance, interested in all users for Root Cause Analysis, you can see just the Root Cause
Analysis subsection in the technical users overview.
Each section contains, if possible, How to sections for critical procedures. For instance, if you read
the users for Service Desk section, you are referred to the document about how to create users and
business partners. Or, if you are informing yourself about roles for Service Desk, you are referred to
the section on how to create roles, assign them to users and maintain them.
As security topics are closely connected to configuration tasks, we refer to related sections of the
SAP Implementation Reference Guide (IMG) in transaction SPRO, if appropriate.
How you use this guide depends largely on your individual needs. If you are interested in one
function and all related security topics, you would look into each section and especially for your
topic. For instance, if you are interested in System Monitoring using a work center in SAP NetWeaver
Business Client, see the sections on technical users for System Monitoring, roles for System
Monitoring and System Monitoring work center, where you find the overviews of what you need
for System Monitoring. To integrate this information into your configuration procedure, use the
SAP Reference IMG.
The following step by step procedure gives you an outline of how to secure your network,
according to your system landscape settings, and create roles according to your company’s security
requirements.
Procedure
Note
Involves creation of technical users and so on.
| Step | Action | See |
|---|---|---|
| 8 | Check your network and communication security | see section Network and Communication Security |
| 9 | Recommendation: Create an IMG project for the functions and scenarios you want to configure | see configuration guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>, section Scenario-Specific and/or Service Provider-Specific Settings |
| 10 | Recommendation: Create roles for scenario-specific functions | see configuration guide for Solution Manager: http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>, section Scenario-Specific and/or Service Provider-Specific Settings and section How to Create Roles for Scenario-Specific Configuration in Solution Manager |
| 11 | Configure scenario-specific functions for your scenarios | use IMG project. Note: Without an IMG project, use transaction SPRO. |
| 12 | Assign work center navigation roles (including work center authorization role SAP_SMWORK_BASIC) to your end users | see section Work Center Navigation |
| 13 | Develop your own authorization concept | see section Authorization Concept |
| 14 | Develop your own authorization roles per function on basis of SAP-delivered template roles | see section Authorization Roles and Profiles for End Users |
| 15 | Assign authorization roles to your users using the mapping tables for work center navigation roles, and authorization roles to your end users | see section Work Center Navigation |
Example
System Monitoring (including KPI Reporting and IT Performance Reporting) using the work center
approach on SAP NetWeaver Business Client.
Caution
This example is a suggestion of how to configure this scenario from a security-relevant perspective.
The same example, from a configuration-relevant perspective, is used in the configuration guide.
Note
For cross-scenario configuration, see the IMG activity
for additional roles such as: SAP_SM_BI_EXTRACTOR,
SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP
3 System Landscape
SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager you need
SAP GUI, Web Browser or SAP NetWeaver Business Client (NWBC) (for work center functionality).
Communication with other systems is via RFC technology and Web Services.
More Information
For a detailed view of the overall system architecture of SAP Solution Manager, see master guide for
SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides → SAP
Components → SAP Solution Manager → <current release>.
This section gives an overview of the communications concept for SAP Solution Manager, including
sections on topics related to HTTP connections and RFC connections.
Your network infrastructure must protect your system. It needs to support the communication
necessary for your business and your needs, without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating
system and application level) or network attacks such as eavesdropping. If users cannot log on to
your application or database servers at the operating system or database layer, then there is no way
for intruders to compromise the machines and gain access to the backend system’s database or files.
Additionally, if users are able to connect to the server LAN (local area network), they can exploit
well-known bugs and security holes in network services on the server machines. The network
topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.
Recommendation
The security guidelines and recommendations described in the SAP NetWeaver Security Guide
also apply to the Solution Manager.
The table below shows the communication channels used by SAP Solution Manager, the protocol
used for the connection, and the type of data transferred.
Features
Communication Channels
The table below shows an overview of the main communication destinations used by SAP Solution
Manager (including its managed systems and SAP Support Portal).
Features
RFC Connections from SAP Solution Manager to Managed Systems
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | Customer-specific | Customer-specific | | System Monitoring, and Implementation and Distribution | Transactions SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> (automatically generated, can be defined by customer via transaction SMSY) | For read access for functions such as: System Monitoring, Business Process Operations, Implementation and Distribution, Service Desk (Business Partners: see IMG activity: Create Key Users SOLMAN_SUP_BUSPART) | Transaction SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | | System Monitoring and Implementation and Distribution | Log on through a trusted connection; transaction SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system> (automatically generated, can be defined by customer via transaction SMSY) | Creating, releasing transport requests | Transaction SMSY or SOLMAN_SETUP |
| BI, if BI is managed system: <SID>CLNT<Client>DIALOG | Managed System | System-specific | System-specific | Administrator of managed system (customer-specific) | BI-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY) |
| <SID>_RZ20_ANALYZE | Managed System | System-specific | System-specific | | Central Monitoring (CEN): System Monitoring; Business Process Operations | Automatically created in transaction RZ21 for Remote System Connection |
| <SID>_RZ20_COLLECT | Managed System | System-specific | System-specific | CSMREG, see section on technical users | Central Monitoring (CEN): System Monitoring; Business Process Operations | Automatically created in transaction RZ21 for Remote System Connection |
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created |
and Distribution
Note
The System Monitoring scenario provides support for functions such as Service Level Reporting,
EarlyWatch Alert, and System Monitoring. For instance, Early Watch Alert contains data on system
health. The data is collected automatically in the managed system, sent via RFC to the Solution
Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a
service (EarlyWatch Alert and so on) from a managed system into a Solution Manager system, but
your managed system has no RFC connection to the Solution Manager system, see SAP Note 657306.
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP (function: Service Desk), synchronize system data with Support Portal and send data about managed systems; transfer of solution, issue data; transfer feedback to SAP (function: Delivery of SAP Services), Service Connection, product data download | Transaction SOLUTION_MANAGER; menu path: Edit → Global Settings |
| SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Retrieve information about which messages have been changed at SAP (function: Service Desk) | Created in transaction SM59 |
| SDCC_OSS (ABAP connection) | See SAP Note 763561 | | | | Used by the Service Data Control Center to communicate with the SAP Support Portal frontend system; update Service Definitions (functions: System Monitoring for EWA and Service Plan) | User is a copy of the SAPOSS connection to SDCC_OSS; user SDCC_NEW with default password: download. Note: If SDCCN is used locally, that is Solution Manager is not Master System, SDCC_OSS is created automatically in the managed system |
| SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | | Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan) | A copy of the SAPOSS connection to SAPNET_RFC |
| SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL), (function in SAP Engagement and Service Delivery) | Created automatically by RTCCTOOL, copy of SAPOSS |
| SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Service Provider functionality | Automatically created, see IMG activity Set Up SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO) |
Local Connections
| Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| BI, if BI client is the productive Solution Manager client: <SID>CLNT<Client> | | | | For instance ALEREMOTE (customer-specific) | BI-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting, KPI Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY) |
| WEBADMIN | Jco | | | SMD_RFC | Root Cause Analysis | Role SAP_SOLMANDIAG_E2E (profile: S_SMDIAG_E2E) automatically assigned to user during configuration |
| BPM_LOCAL_<Client> | | | | SM_BPMO (customer-specific) | Business Process Operations | RFC is created during Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name: SOLMAN_BPM_RFC_LOCAL) |
More Information
- about configuring RFC connections from Solution Manager to managed systems, see IMG activity
  Generate RFC Connections to/from Managed Systems (technical name: SOLMAN_GENERATE_RFCS)
- about configuring RFC connections from Solution Manager to SAP, see IMG activities under node
  Connection to SAP
- about connections from Solution Manager to SAP, see IMG activity Information and Configuration
  Prerequisites for Connections to SAP (technical name: SOLMAN_VAR_INFORM)
Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. They are based
on HTTP protocol. The Internet Communication Framework (ICF) provides the infrastructure for
handling HTTP requests in work processes in an SAP system (server and client). It enables you to
use standard protocols (HTTP, HTTPS, and SMTP) for communication between systems through
the Internet. You do not need any additional SAP program libraries. The only condition is that
your system platform is Internet-compliant. This gives you a maximum amount of flexibility
in responding to varying communication requirements. Communication through the ICF has
the following benefits:
- Increased security: The HTTPS protocol guarantees secure data transmission at the same level as
  modern security standards for RFC/SNC communication and other interfaces.
- Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the
  Internet from any location.
Caution
SAP delivers all ICF services inactive, for security reasons.
- Reduced technological barriers: The open HTTP standard is used worldwide, which makes it
  efficient to install and configure.
Secure Socket Layer (SSL) allows you to create secure connections for HTTP.
Caution
You must set up SSL for SAP NetWeaver ABAP and Java (for instance: Maintenance Optimizer and
SLM). See SAP Note 1138061.
Features
To set up SSL in your system, follow the procedure described in SAP Note 510007.
See also the installation guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.
Note
To check if SAP Cryptolib has been successfully implemented, run program SSF02. Set the flag get
version and choose execute. The system displays the current version of SAP Cryptolib.
Constraints
SSL only provides a secure channel between partners communicating directly in a network. SSL
protects the messages only while in transit, but offers no security for (XML) data in storage.
More Information
on: Maintenance Optimizer (SLM), see IMG activity Information and Configuration Prerequisites for Maintenance
Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO).
Further Information on SSL
| Information Source | Remarks |
|---|---|
| SAP Note 510007 | Setting Up SSL on the Web Application Server (Procedure to set up SSL) |
| SAP Note 1000000 | Web Dynpro ABAP FAQ (General authorization checks for services and application are available over the ICF) |
| SAP Note 1153116 | |
| SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (If you create an error message for Web Dynpro ABAP under component BC-WD-ABA, see the checklist in SAP Note) |
| SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT |
Due to the firewall between customer and SAP systems, it is not possible to display pages of BSPs or
Web Dynpro applications in SAP Solution Manager using standard service or support connections.
To receive support from SAP for these technology types, you need to set up an HTTP Connect
Service. To do so, follow the descriptions in SAP Note 1072324. You need to maintain this connection
for on-site and remote support. Secure this HTTP connection for remote support with HTTPS.
FTP is a network protocol used to send data from one computer to another through a network such
as the Internet. You use FTP for the SAProuter permission table.
Recommendation
We recommend protecting FTP communication with SAPFTP, using Secure Socket Shell (SSH). For
more information, see SAP Note 795131.
More Information
on the configuration task involved, see IMG activity Maintain Router Permission Table (technical name:
SOLMAN_SAPROUTER).
Recommendation
Put the SAP Solution Manager system in the same subnet or DMZ as your managed landscape. If you
manage systems in different subnets, adapt your security settings and firewall accordingly.
Features
Ports for Communication to SAP Solution Manager
Established Connection

| From Hosts/Source Host | To Host/Destination Host | Service on Destination Host (Protocol) | Format (example) |
|---|---|---|---|
| Outside (or DMZ) | Diagnostics Server | J2EE engine (HTTP) | 5<instance no.>00 (50100) |
| Outside (or DMZ) | Diagnostics Server | ITS (HTTP) | 80<instance no.> (8000) |
| Outside (or DMZ) | Diagnostics Server | Introscope Manager (HTTP) | Default: 8081 |
| Diagnostics Server | Diagnostics Server | IGS (HTTP) | 4<instance no.>80 (40180) |
| Outside (or DMZ) | All managed systems | ITS (HTTP) | 80<instance no.> (8000) |
| All managed systems (Diagnostics Agent) | Associated managed systems | J2EE engine (P4) | 5<instance no.>04 (50204) |
More Information
on the current list of ports used by SAP, in the SAP Service Marketplace:
service.sap.com/security → Infrastructure Security → TCP/IP Ports Used by SAP Applications.
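The port formats in the table above can be used to review a firewall rule set for the Solution Manager landscape. The following Python code is an added example, not part of the SAP guide: it derives the ports from the instance numbers and reports allow rules the table does not list as well as listed flows that no rule covers. The zone labels (`outside`, `diagnostics`, `managed`), the rule dictionary layout and the sample rules are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Port formats as given in the table; {nn} is the two-digit SAP instance number.
PORT_FORMATS = {
    "J2EE engine (HTTP)": "5{nn}00",
    "ITS (HTTP)": "80{nn}",
    "IGS (HTTP)": "4{nn}80",
    "J2EE engine (P4)": "5{nn}04",
}
INTROSCOPE_DEFAULT_PORT = 8081  # "Default: 8081" in the table


class Flow(NamedTuple):
    source: str       # assumed zone label
    destination: str  # assumed zone label
    port: int


def port_for(service, instance_no):
    """Return the TCP port of a service for an instance number (0-99)."""
    if not isinstance(instance_no, int) or not 0 <= instance_no <= 99:
        raise ValueError("instance number must be an integer from 0 to 99")
    return int(PORT_FORMATS[service].format(nn="%02d" % instance_no))


def expected_flows(diag_instance, managed_instances):
    """Flows listed in the table for one Diagnostics Server instance and
    any number of managed system instances."""
    flows = {
        Flow("outside", "diagnostics", port_for("J2EE engine (HTTP)", diag_instance)),
        Flow("outside", "diagnostics", port_for("ITS (HTTP)", diag_instance)),
        Flow("outside", "diagnostics", INTROSCOPE_DEFAULT_PORT),
        Flow("diagnostics", "diagnostics", port_for("IGS (HTTP)", diag_instance)),
    }
    for nn in managed_instances:
        flows.add(Flow("outside", "managed", port_for("ITS (HTTP)", nn)))
        # Diagnostics Agent on the managed system to its associated J2EE engine
        flows.add(Flow("managed", "managed", port_for("J2EE engine (P4)", nn)))
    return flows


def review_rules(rules, diag_instance, managed_instances):
    """Compare allow rules with the table.

    Returns (unexpected, missing): allow rules the table does not list, and
    listed flows that no allow rule covers. Deny rules are ignored.
    """
    expected = expected_flows(diag_instance, managed_instances)
    allowed = {
        Flow(r["src"], r["dst"], r["port"]) for r in rules if r["action"] == "allow"
    }
    return sorted(allowed - expected), sorted(expected - allowed)


# Constructed sample rule set (not taken from a real firewall).
SAMPLE_RULES = [
    {"src": "outside", "dst": "diagnostics", "port": 50100, "action": "allow"},
    {"src": "outside", "dst": "diagnostics", "port": 8001, "action": "allow"},
    {"src": "outside", "dst": "diagnostics", "port": 8081, "action": "allow"},
    {"src": "diagnostics", "dst": "diagnostics", "port": 40180, "action": "allow"},
    {"src": "outside", "dst": "managed", "port": 8002, "action": "allow"},
    # P4 opened from outside: the table lists P4 only between managed systems.
    {"src": "outside", "dst": "managed", "port": 50204, "action": "allow"},
    {"src": "outside", "dst": "diagnostics", "port": 3200, "action": "deny"},
]

if __name__ == "__main__":
    unexpected, missing = review_rules(SAMPLE_RULES, 1, [2])
    for flow in unexpected:
        print("allow rule not in table:", flow)
    for flow in missing:
        print("table flow without rule:", flow)
```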
The SAP Solution Manager uses the user management and authentication mechanisms provided by
the SAP NetWeaver platform, in particular the SAP NetWeaver ABAP. If you use Root Cause Analysis,
the user management and authentication mechanisms provided by SAP NetWeaver Java are also used,
so the security recommendations and guidelines for user administration and authentication, as
described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide,
also apply to SAP Solution Manager. We also provide a list of the standard users required to operate
the Solution Manager. As the mechanisms provided by the SAP NetWeaver AS Java only apply for
Diagnostics, see its guide in the Service Marketplace: http://service.sap.com/diagnostics .
Technical users are usually created automatically. Third-party users are always created manually.
User overviews are classified according to whether they are created in the Solution Manager system
or in the managed system.
User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver
ABAP, and Java tools (ABAP: SU01 and Java: UME), user types, and password policies. As SAP Solution
Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of the Java
stack is to be configured against the ABAP stack.
Features
Tools Overview
| Object | Recommended Tool | Remarks |
|---|---|---|
| Users | transaction SU01 | User Management in the ABAP system(s). Caution: For password security information, see SAP Note 862989 (NW ABAP 7.0) |
Integration
Recommendation
You should use transaction SU01 to create users, and transaction PFCG to assign users to roles.
More Information
on UME conversion, see IMG activity: Convert UME (technical name: SOLMAN_CHANGE_UME)
The secure storage stores encoded data, for instance access data of systems, SLD, SAP Portal
connection, and so on. The system uses the installation number of the system and the system ID
when creating the key for the secure storage.
Caution
If one or more of these values change, the system can no longer read the data in the secure storage.
More Information
SAP Note 816861 and SAP Note 1027439.
The users in the following tables are created automatically or manually during configuration. The
overviews are structured by main functions/scenarios. Some users are relevant for more than one
scenario and are therefore mentioned more than once. Some users have already been created during
the installation process, such as:
- SAPJSF
- J2EE_ADMIN
- J2EE_GUEST
- DDIC
- ADSUSER
- ADS_AGENT
- SLDDSUSER
- SLDAPIUSER
Note
If your security policy does not permit the automatic creation of generic users, you need to create
them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use
the Central User Administration (CUA), you need to create them manually.
Features
User for RFC Connection BACK (Infrastructure)
| User (Password) | Type | Remarks |
|---|---|---|
| SMB_<managed system ID> | System User | Technical user "Back User"; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display. See section: RFC Connections READ, TMW, BACK. Note: The role ZSOLMAN_BACK is created from a template during automatic basic settings configuration. |
| J2EE_GUEST (customer-specific) | Dialog User | User for J2EE display rights, assigned role: SAP_J2EE_GUEST |
Users for Business Process Operations and Job Scheduling Management Scenarios/Functions

User (Password): SM_BPMO (customer-specific)
Type: Service User
Remarks: Technical user, authorized to call managed system, assigned role: SAP_SM_BPMO_COMP

User (Password): CSMREG (customer-specific)
Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts) for Business Process Operations; created in transaction RZ10; assigned role SAP_BC_CSMREG; automatically assigned during creation

User (Password): ADSUSER (customer-specific)
Type: Service User
Remarks: Technical user for basic authentication ADS

User (Password): ADS_AGENT (customer-specific)
Type: Service User
Remarks: Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles:
n SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS))
n SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems)

Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User (Password): S-User (customer-specific)
Type: User in SAP Support Portal
Remarks: Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section: S-User Authorizations

Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User (Password): CSMREG (customer-specific)
Type: Communication User
Remarks: Technical user for System Monitoring and BI IT Performance Reporting (Central CCMS) data collection (to get CCMS alerts); created in transaction RZ21 > Technical Infrastructure > Configure Central System > Create User CSMREG. Role SAP_BC_CSMREG automatically assigned during creation

User (Password): OS-Level Administrator
Type: OS-Level User
Remarks: User to set up CCMS agents

User (Password): Quality Center integration user (Test Management): for instance QCALIAS
Type: System User
Remarks: User for WSDL access; assigned role SAP_QC_WSDL_ACCESS

User (Password): Quality Center integration user (Defect Management): for instance DEFECTMAN
Type: System User
Remarks: User for data exchange; assigned role SAP_SUPPDESK_INTERFACE

User (Password): BMC integration user
Type: Communication User
Remarks: User for Web Service; assigned role SAP_APPSIGHT_INTERFACE

User (Password): External Service Desk integration user
Type: Communication User
Remarks: User for data exchange; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE

Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection.
See section RFC Connections READ, TMW, BACK
More Information
n on automated basic settings configuration of SAP Solution Manager, see configuration guide for
SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides
SAP Components SAP Solution Manager <current release>
n users created during installation, see installation guide for SAP Solution Manager in the Service
Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager
<current release>
The users in the following tables are created, automatically or manually, during configuration. The
overviews are structured according to main functions/scenarios. Some users are relevant for more
than one scenario and are therefore mentioned more than once.
Note
If your security policy does not permit the automatic creation of generic users, you need to create
them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use
the Central User Administration (CUA), you need to create them manually.
Features
Users for RFC connections READ and TMW (Infrastructure)
Role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in managed systems

User: SM_<SID of Solution Manager system>
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW), and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Note
During automatic basic settings configuration role ZSOLMAN_READ is created from template.
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user
Note
For more information on the configuration of business system connections, see the configuration
guide in the Service Marketplace: http://service.sap.com/instguides SAP Components
SAP Solution Manager <current release> .
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW), and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User: CSMREG (Customer-Specific)
User Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts); created in transaction RZ21 > Technical Infrastructure > Configure Central System > Create User CSMREG; role SAP_BC_CSMREG automatically assigned during creation

User: ALEREMOTE (Customer-Specific)
User Type: System User
Remarks: BI communication user, automatically assigned profile S_BI-WX_RFC during connection of source system

User: OS-Level Administrator
User Type: OS-Level User
Remarks: User to set up CCMS agents
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User: SMTM<SID of Solution Manager system>
User Type: System User
Remarks: Technical User “TMW User”, automatically generated; see section RFC Connections READ, TMW, BACK
The most important task of this technical user is to create and release transport requests and tasks, remotely, from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape.
Assigned roles/profiles:
n S_TMW_CREATE for creating and releasing transport requests in development systems, and setting the project status switch for creating transport requests
n S_TMW_IMPORT for importing transport requests into test systems (empty)
n S_SM_EXECUTE for critical execution authorizations in managed systems, for instance starting batch jobs for Solution Documentation Assistant.
Note
This authorization allows batch processing in the managing system for managed systems. You can also use this profile solely for this purpose. In this case, you have to assign the profile to the technical user, manually.
Recommendation
Requests that are created, released, or imported locally cannot be identified with a change request by Change Request Management, and are therefore not part of the Change Request Management transport control and distribution process, so we recommend that no users (apart from administrators) are authorized to create transport requests or tasks in Change Request Management-controlled clients.
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User: SMDAGENT_<SID>
User Type: Communication User
Remarks: ABAP communication user for Wily Host, assigned role SAP_IS_MONITORING and/or profile S_IS_MONITOR
Users for Business Process Operations and Job Scheduling Management Scenarios/Functions
Role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in managed systems

User: SM_<SID of Solution Manager system>
User Type: System User
Remarks: Technical user, “READ User”, for read access to Business Process Monitoring; automatically generated; see section RFC Connections READ, TMW, BACK
Assigned roles/profiles:
n S_CUS_CMP for data read access
n S_CSMREG for central system repository data
n S_BDLSM_READ for SDCCN data
n S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
n S_AI_SMD_E2E for Root Cause Analysis
Caution
During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination
Note
When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection.
See section RFC Connections READ, TMW, BACK

User: CSMREG (Customer-Specific)
User Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts); created in transaction RZ10; role SAP_BC_CSMREG automatically assigned during creation.

User: CPS user (for instance CPSCOMM)
User Type: Communication User
Remarks: Technical user for communication between SAP CPS and managed system; see IMG activity Create Communication User (technical name: SOLMAN_REDWOOD_COMM)
More Information
about users created during installation, see installation guide for SAP Solution Manager in the Service
Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager
<current release>
SAP delivers roles for users that are needed in customer Solution Manager systems for efficient
support. This user is required for:
n Root Cause Analysis
n SAP Engagement and Service Delivery
Features
You create the dialog user SAPSUPPORT in your Solution Manager and managed systems, during basic
settings configuration. It is used by SAP Support for display access to Root Cause Analysis-related
transactions, and to check and perform services in your system. You can log on to the managed
systems with Single Sign-On (SSO), using the SAPSUPPORT user, reducing administrative effort. The
system creates the SAPSUPPORT user automatically, and assigns the relevant roles, during automatic
configuration of basic settings. If your security policies do not allow the use of generic users, you must
create the user SAPSUPPORT manually. You assign the following roles to this user during configuration:
n in the SAP Solution Manager system
l SAP_SOLMAN_ONSITE_ALL_COMP (containing all individual roles needed to check and perform
services) :
Note
To provide authorizations which meet your company’s requirements for restricted or full
access, SAP delivers two composite roles, see section Roles for SAP Engagement and Service Delivery.
u including SAP_RCA_DISP (containing minimal authorization for Root Cause Analysis)
Recommendation
Do not copy roles for Root Cause Analysis into your own name space, or change profiles.
See section Roles for Root Cause Analysis.
When you configure the SAP Solution Manager using the automatic basic settings configuration,
additional business partners for SAP Engagement and Service Delivery are created.
Note
The creation of these users is not part of the SAP Reference IMG (transaction SPRO) for SAP Solution
Manager. If you are on a lower Support Package Level than SAP Solution Manager 7.0 EhP1, you
need to create these business partners manually.
Features
The business partners are created as follows:
First Name Last Name Remarks
SAP Technical Quality Manager Automatically assigned ID TQM or
SAPTQM
Note
An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT
as soon as this user is created during the automatic basic settings configuration (see section: User
SAPSUPPORT).
More Information
on how to configure the basic settings, see Configuration Guide SAP Solution Manager in the Service
Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager
<current release> .
5.7 How to Create Users and Business Partners for End Users
The following lists give an overview of functions that require users in Solution Manager system and
managed systems, and functions that require business partner users in the Solution Manager system:
Functions Requiring End Users for SAP Solution Manager and Managed Systems
Procedure
Create Users Using Transaction SU01
This paragraph tells you which area in User Management (transaction SU01) needs attention, and why.
1. Enter your user and choose change.
2. Enter the required data and save.
Address Data
n First Name and Last Name
l Function: Digital Signature
n E-Mail
l Function: Business Process Operations
l Function: Issue Management
l Function: Service Desk
l Function: E-Learning Management
The user can receive and send e-mails. This e-mail address can be any address, as long as it is
known to the mail server.
Note
Business Process Operations: for use of auto-reaction methods.
Example
You want to create end users for Service Desk functionality. The system landscape consists of SAP
Solution Manager and two managed systems, three systems in total.
You have to create all end users known to Solution Manager as Business Partners, in the Solution
Manager system and the managed systems.
1. Create users for all end users in all three systems, as described above.
2. Create business partners for end users, in the Solution Manager system, as described above.
Note
If you change e-mail addresses for users, you need to update your business partners in transaction
BP_GEN.
More Information
on how to create business partners, see IMG activity Create Key User (technical name:
SOLMAN_SUP_BUSPART)
The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver.
It uses various front ends (SAP GUI and Web browser, in this case an HTML Control). The
system opens several sessions on the server, which can require, for example, a second logon: the user
logs on to a system with SAP GUI, the application uses the SAP GUI for HTML Control to call another BSP
application, and the system then prompts the user to re-enter the logon data.
The security recommendations and guidelines for user administration and authentication, as
described in the SAP NetWeaver Security Guide (SAP Library), also apply to the SAP Solution Manager.
The supported mechanisms are:
n Secure Network Communications (SNC): SNC authenticates users and provides an SSO environment when
using the SAP GUI for Windows or Remote Function Calls.
n SAP logon tickets: The Solution Manager supports the use of logon tickets for SSO when using a Web
browser to access Solution Manager documents via URLs from outside. Users can be issued a
logon ticket after they have authenticated themselves with the Solution Manager system. The
ticket can then be submitted to the system as an authentication token each time the users access
documents via URLs from within the same browser session. The user does not need to enter
a user ID or password for authentication, and can access the system directly after the system has
checked the logon ticket.
More Information
n on SNC, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application
Server ABAP Security Guide.
n on how to use Single Sign-On, see Service Marketplace: http://service.sap.com/sso-smp.
6 Authorizations
Authorizations are defined by authorization objects; for instance, the authorization to remotely execute
function modules is in authorization object S_RFC. Authorization objects are contained in authorization
roles: a role is an authorization object container. When you maintain authorizations, you maintain the fields
of an authorization object. For instance, you define which function groups in authorization object
S_RFC (for instance function group SCCA) are to be executable by the user. When you have maintained
authorizations in authorization objects, you generate the authorization profile. This profile is then
assigned to the user. You can generate different profiles from one role, depending upon how you
maintain the authorization objects in the role. Authorizations only take effect if they are
maintained, and the profile is generated and assigned to the user.
How you maintain authorization objects and bundle them depends on your company’s security concept.
You customize and maintain your roles according to your company’s concept. Each company has different
priorities, departments and so on. As each business requires a different authorization concept, the roles
delivered by SAP are only templates. Before you grant authorizations to your end users, you must have a clear
concept of who is to receive which authorizations, because you need to adjust your authorizations
over time due to company changes or extended use of Solution Manager functions. Here is what
you should consider when designing your authorization concept.
Procedure
1. Identify which functions of Solution Manager scenarios you use.
2. Create a menu matrix according to these functions.
3. Identify your roles.
4. Populate your menu matrix.
5. Create your roles from SAP template roles. Use a unique naming convention.
6. Maintain your roles.
7. Test your roles.
In a heterogeneous system landscape with SAP Solution Manager as the managing platform, you
need RFC connections between SAP Solution Manager and the managed systems. The managed
system needs to be a trusted system in the SAP Solution Manager, and vice versa. The SAP Solution
Manager server (the trusting system) trusts the user administration of the client, that is, the managed
system (the trusted system). Trusted systems can log on to the trusting system without a password. The
trusting system controls user-specific data. This is a trusting-trusted RFC connection. You generate this
RFC connection in the SAP Solution Manager in the transaction SMSY. Trusted RFCs need to be
maintained from both sides, Solution Manager to managed system, and managed system to Solution
Manager system. To communicate with each other, the SAP Solution Manager and the managed
system need the same user name in their user administration (transaction SU01).
Note
Using SAP router between Solution Manager and managed systems may cause problems in some
functions, for instance BSP applications. To solve these, see SAP Note 555162.
The trusting RFC destination has the Current User setting in transaction SM59. Authorization errors
in the use of an RFC destination flagged as a Trusted System cause the following message to be sent: No
Authorization to logon as Trusted System (Trusted RC = #).
Prerequisites
To apply the authorization object, you need full access to transaction PFCG, in the SAP Solution
Manager system and the managed systems.
Features
To create the trusted RFC connection you need to have the authorization object S_RFCACL in the
Solution Manager and in the managed system for this user. The role SAP_S_RFCACL contains the
authorization object S_RFCACL, which consists of a number of authorization fields, which allow a
trusting trusted relationship between SAP Solution Manager and any managed system.
Due to the high potential risk of such an RFC connection, the authorization object S_RFCACL is not in
authorization profile SAP_ALL.
Caution
The authorization object is in role SAP_SM_BASIC_SETTINGS for initial basic configuration of Solution
Manager (supported by automatic configuration). If your security rules do not allow the use of this
authorization object, deactivate the authorization object in this role after basic settings configuration.
Constraints
Every authorization error when using an RFC destination flagged as a Trusted System is a RABAX (ABAP
exception). The RABAX contains detailed error information. To analyze the error:
1. Choose transaction ST22 and the selection period.
2. Choose the entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY.
The paragraph Troubleshooting contains the information necessary to correct the error.
Return Code
More Information
n on authorization object S_RFCACL see: http://help.sap.com/nw70
n on role SAP_SM_BASIC_SETTINGS, see Roles for Basic Configuration
Before you can use these scenarios/functions, you must set up your system landscape in the
Solution Manager. This includes:
n define all (managed) systems
n create logical components
n assign managed systems to logical components
n set up your solution design
Note
For a detailed explanation of system landscape and solution design, see the SAP Solution Manager
master guide in the Service Marketplace: http://service.sap.com/instguides SAP
Components SAP Solution Manager <current release> .
Features
Data is transferred between SAP Solution Manager and its managed systems by RFC connections:
Note
These profiles are more or less static. In case of RFC problems after generation, see SAP Note 176277:
Generating RFC trace information.
Example
The following screen shows you the dialog box for RFC generation in transaction SMSY, with three
partitions:
n RFCs from the Solution Manager to the managed system
n RFCs to be generated
The system provides users, which are automatically created in the managed and managing system,
for the READ, TMW and BACK RFC connections, when you generate them. These users are also
automatically assigned profiles. If you want to use an existing user of your managed system, enter
it, with or without password. In this example, S8T is the Solution Manager system and DHZ is the
managed system, users and password are generated automatically by the system.
Note
For more information on the creation of RFC connections in automatic basic settings
configuration, see the configuration guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .
Authorization object S_RFC controls RFC access to function groups. For instance, if you want a user to
be able to call function groups remotely, that user needs authorization object S_RFC in the target system. SAP
Solution Manager interacts with its managed systems mainly via RFC, so this authorization object
must be assigned to certain technical users as well as end users. This section lists all profiles/roles with
authorization object S_RFC that must be assigned to technical users (for information on technical
users, see sections on technical users), and end users (for more information, see sections on roles
for end users). The following table gives an overview of the field values for the field RFC_NAME for
authorization object S_RFC in profiles/roles that are assigned to technical users during RFC generation
in transaction SMSY, and during automatic technical configuration of Solution Manager and managed
systems in transaction SOLMAN_SETUP.
Features
Profiles with Function Groups for S_RFC

Role/Profile: S_CUS_CMP
Function Group Values in Field RFC_NAME: See SAP Note attachment: 831535 (RFC Read)
Remarks: Used for comparing customizing between systems, display only, technical user READ RFC user, see section on Technical Users in managed system

Role/Profile: S_CSMREG
Function Group Values in Field RFC_NAME: See SAP Note attachment: 831535 (RFC Read)
Remarks: Used for CCMS Monitoring, technical user READ RFC user, see section on Technical Users in managed system

Role/Profile: D_SOLMAN_RFC
Function Group Values in Field RFC_NAME: See SAP Note attachment: 831535 (RFC for SDCCN BACK User)
Remarks: Compositional profile for general Solution Manager RFC user, technical user BACK RFC user, see section on Technical Users in managing system

Role/Profile: S_AI_SMD_E2E
Function Group Values in Field RFC_NAME: See SAP Note attachment: 831535 (RFC Read)
Remarks: Used for Root Cause Analysis E2E in the managed system; technical user READ RFC user, see section on Technical Users in managed system

Role/Profile: SAP_SOLMANDIAG_E2E/S_SMDIAG_E2E
Function Group Values in Field RFC_NAME: See SAP Note attachment: 831535 (Diagnostics SolMan RFC)
Remarks: Used for Root Cause Analysis, technical user SMD_RFC, see section on Technical Users in managing system
Note
Authorization object S_RFC can be traced with audit log trace in transaction SM19 and SM20. To
protect the deletion of traces, maintain field ACTVT with value 36 of authorization object S_RFC_ADM.
Example
The SYST function group is needed to call a system. If it is missing, the remote login in transaction SM59
causes the RFC_NO_AUTHORITY ABAP runtime error in the target system.
The basic settings configuration for Solution Manager is mandatory. You have to configure all basic
settings before you start configuring scenario-specific settings and/or Service Provider-specific settings.
You can configure basic settings by using either:
n SAP Reference IMG via transaction SPRO or
n the automatic procedure via transaction SOLMAN_SETUP
The following paragraph gives you an overview of the roles used for the two procedures.
Caution
Roles for basic settings configuration are delivered by SAP as template roles, fully maintained for
automatic configuration, so all authorization fields without specific values contain authorization
value “*”.
Features
SAP Reference IMG
You must assign the following roles to the user who configures basic settings:
n SAP_SM_BASIC_SETTINGS
This role contains all authorization objects necessary for ABAP stack.
Caution
Value “*” allows full authorization for the authorization field. This is especially critical for
authorization objects S_RFC (function groups) and S_TABU_DIS (cross-table maintenance for
customizing). Because of differences in configuration tasks, values for these authorizations
cannot be delivered via a template role.
Other security-relevant authorization objects in this role:
l S_RFCACL
See section Authorization Object S_RFCACL.
Note
After the initial configuration, you can deactivate this authorization object, if you do not
want to assign it to your user.
l S_USER_GRP
If you use this role for manual configuration of the basic settings in transaction SPRO, you
need to either remove the authorization restriction in this authorization object, or copy the
authorization object and maintain it according to your needs.
Note
The authorization field CLASS is initially restricted to user group SAP_SM*. This user group
with default naming convention <SAP_SM*> is created automatically during automatic basic
settings configuration. All users created during the automatic basic settings configuration, in
Solution Manager, by user SOLMAN_ADMIN, are assigned this user group.
l S_USER_AGR
If you use this role for manual configuration of the basic settings in transaction SPRO, you
need to either remove the authorization restriction in this authorization object, or copy the
authorization object and maintain it according to your needs.
Note
The authorization field ACT_GROUP is initially restricted to roles with names SAP* and ZSAP*.
l S_DEVELOP
If you use this role for implementing SAP Notes via SAP Notes Assistant, you need to activate in
Note
This role contains CRM - related authorization objects in authorization class CRM. When you
modify SAP standard customizing (for instance transaction types and/or status profiles), you must
maintain these authorization objects accordingly.
n SAP_SMWORK_BASICCONF_COMP
This composite role contains all work center navigation roles.
Note
Individual role SAP_SMWORK_BASIC contains all necessary OBN targets. Authorization objects of this
role are included in role SAP_SM_BASIC_SETTINGS.
n SAP_J2EE_ADMIN
n SAP_BI_E2E
To configure BI-related functions, you must assign these roles to your administration user. See
section Roles for BI-Related Functions.
n SAP_BW_CCMS_SETUP
To configure BI-related functions, you must assign these roles to your administration user, see
section Roles for BI-Related Functions.
Recommendation
You should also create an additional role for transactions SE03 and SE09.
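The cautions above on value “*” in S_RFC and S_TABU_DIS, on the delivered restrictions in S_USER_GRP and S_USER_AGR, and on deactivating S_RFCACL (see also the sections on S_RFC and S_RFCACL) can be checked against an export of role authorization values. The following Python code is an added example, not SAP code or part of the original guide; the row layout (role, object, field, value), the role names ZSM_BASIC_COPY and ZSM_READ_COPY and all sample values are constructed, and value matching is simplified to exact values and generic values ending in “*”.

```python
"""Audit role authorization values against the cautions in this guide.

Added example, not SAP code. The row layout (role, object, field, value), the
role names and the sample values are constructed for illustration.
"""
from dataclasses import dataclass

# Objects the guide calls especially critical when a field holds "*".
CRITICAL_WILDCARD_OBJECTS = {"S_RFC", "S_TABU_DIS"}

# Restrictions the guide describes as delivered in SAP_SM_BASIC_SETTINGS.
DELIVERED_RESTRICTIONS = {
    ("S_USER_GRP", "CLASS"): ("SAP_SM*",),
    ("S_USER_AGR", "ACT_GROUP"): ("SAP*", "ZSAP*"),
}


@dataclass(frozen=True)
class Finding:
    role: str
    obj: str
    field: str
    value: str
    reason: str


def value_covers(pattern, name):
    """Simplified value match: exact value, or generic value ending in '*'.

    From-to ranges are not modelled in this example.
    """
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def audit(rows):
    """Return findings for one or more roles, in input order."""
    findings = []
    rfcacl_roles = set()
    for role, obj, field, value in rows:
        if obj == "S_RFCACL":
            # Report the trusted-RFC object once per role, not once per field.
            if role not in rfcacl_roles:
                rfcacl_roles.add(role)
                findings.append(Finding(
                    role, obj, "", "",
                    "trusted RFC object is active; deactivate it after basic "
                    "settings configuration if your security rules forbid it"))
        elif obj in CRITICAL_WILDCARD_OBJECTS and value == "*":
            findings.append(Finding(
                role, obj, field, value,
                "full authorization on a critical object"))
        elif (obj, field) in DELIVERED_RESTRICTIONS:
            allowed = DELIVERED_RESTRICTIONS[(obj, field)]
            prefix = value.rstrip("*")
            if not any(value_covers(p, prefix) for p in allowed):
                findings.append(Finding(
                    role, obj, field, value,
                    "not within the delivered restriction " + "/".join(allowed)))
    return findings


def missing_function_groups(rows, role, required):
    """Function groups in `required` not covered by the role's S_RFC values."""
    patterns = [v for r, o, f, v in rows
                if r == role and o == "S_RFC" and f == "RFC_NAME"]
    return sorted(g for g in required
                  if not any(value_covers(p, g) for p in patterns))


# Constructed sample: a copy of the basic-settings template and a narrow role.
SAMPLE_ROWS = [
    ("ZSM_BASIC_COPY", "S_RFC", "RFC_NAME", "*"),
    ("ZSM_BASIC_COPY", "S_TABU_DIS", "DICBERCLS", "*"),
    ("ZSM_BASIC_COPY", "S_TABU_DIS", "ACTVT", "03"),
    ("ZSM_BASIC_COPY", "S_RFCACL", "RFC_SYSID", "S8T"),
    ("ZSM_BASIC_COPY", "S_RFCACL", "RFC_CLIENT", "001"),
    ("ZSM_BASIC_COPY", "S_USER_GRP", "CLASS", "*"),
    ("ZSM_BASIC_COPY", "S_USER_AGR", "ACT_GROUP", "SAP*"),
    ("ZSM_READ_COPY", "S_RFC", "RFC_NAME", "SCCA"),
    ("ZSM_READ_COPY", "S_RFC", "RFC_NAME", "ZDEMO*"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        print(f"{f.role}: {f.obj} {f.field}={f.value!r} -> {f.reason}")
    # SYST is the function group the guide names as needed for remote login.
    print("ZSM_READ_COPY lacks:",
          missing_function_groups(SAMPLE_ROWS, "ZSM_READ_COPY", {"SYST", "SCCA"}))
```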
Automatic Basic Settings Configuration
When you use the automatic basic settings configuration procedure, you create/use a user for
administration purposes: SOLMAN_ADMIN. The system assigns a template role, ZSOLMAN_ADMIN,
containing all necessary authorizations, to this user. This role is based on templates from the above
roles for manual configuration via SAP Reference IMG.
Note
The system assigns role SAP_SM_CONF_SEC because of its critical authorization object. You can select
it during automatic basic setting configuration, to implement SAP Notes via transaction SNOTE.
During automatic basic settings configuration, the configuration user SOLMAN_ADMIN creates the
following users:
n SOLMAN_BTC
Role SAP_SM_BATCH is automatically assigned, and contains all necessary authorization for batch
processing.
n SAPSUPPORT
See section SAPSUPPORT User
More Information
n about users SOLMAN_ADMIN and SOLMAN_BTC, see section on technical users in SAP Solution Manager
n about work center navigation roles included in composite role SAP_SMWORK_BASICCONF_COMP,
see section Work Center Navigation Roles
The following functions require users with configuration authorization in the managed systems:
- Trusted RFC Connection
- Service Data Control Center
- Root Cause Analysis
Features
Trusted RFC Connection
Profile | Type | Remarks
Authorization object S_RFCACL | ABAP | See sections: Authorization Object S_RFCACL; How to Create Roles for End Users
SAP_RCA_CONF_ADMIN | ABAP | Caution: To configure Root Cause Analysis in the managed system using the automatic initial basic configuration procedure, you require authorization to create users (transaction SU01) and assign roles (transaction PFCG) in the managed system. For security reasons, we do not deliver roles for these critical transactions. You need to create these roles and assign them to the configuration user for Root Cause Analysis explicitly.
Administration role(s) for transaction SU01 and transaction PFCG | ABAP | For security reasons, roles for these transactions are not delivered. You have to create them yourself. See section How to Create Roles for End-Users
As of SAP Solution Manager EhP1 there are no dedicated authorization roles for scenario-specific
configuration. This section tells you how to create your own roles for the configuration of scenarios.
Note
Configuration of scenario-specific functions can involve configuration of cross-scenario settings.
For these functions, additional configuration roles may be needed (if you do not use profile SAP_ALL).
They are specified in the IMG activity for cross-scenario functions.
Caution
Exception: BI-relevant functions require additional roles for setup, see section Roles for BI-Relevant
Functions.
Prerequisites
To be able to create authorization roles for scenario-specific configuration, you have created an IMG
project in transaction SPRO_ADMIN. For more information, see configuration guide for SAP Solution
Manager.
Procedure
Note
This procedure is based on the example customizing project in How to Create Customizing Projects
and Project IMGs.
Note
You are asked for a transport request.
3. Define Configuration Transactions for Your IMG Project
In role creation, transactions form the basis to easily maintain all necessary authorization objects.
When you enter a transaction in the menu tab in your role, the system traces all authorization
objects required for this transaction.
a) To receive all transactions which are contained in the customizing project, choose in the
menu: Utilities Customizing auth.
b) In the appearing dialog box, choose button Add to attach your customizing project or
customizing project view. In our case, we choose the customizing view that was created.
c) In the various dialog boxes, choose your customizing project or customizing project view, in
our case myproject.
The system automatically assigns all relevant transactions and authorization objects for your
customizing project or customizing project view.
d) Confirm your project assignment.
4. Maintain Authorization Objects
Authorization object defaults delivered by SAP contain minimal authorizations. To grant full
authorization for the corresponding authorization objects, you need to maintain these objects.
a) In the Role Maintenance, choose tab Authorizations.
b) Choose button Change.
c) Maintain all activity values per authorization object according to your needs, for instance if you
want to grant full authorization, always choose all activities.
Caution
All authorization objects need to receive a green traffic light. Be aware that the authorization
trace does not trace values for the critical authorization objects S_RFC and S_TABU_DIS.
Result
You have now created a role for your specific IMG configuration project.
Caution
If a project or a project view was assigned to a role, you cannot manually assign any transactions to
this role and vice versa. You should therefore only use the role to generate and assign Customizing
authorizations.
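The cautions above (untraced values for S_RFC and S_TABU_DIS, full authorization when all activities are chosen) lend themselves to an automated review of the generated role. The following is an added example, not SAP-delivered code: it assumes a CSV export with the columns role, object, field, value, and the sample rows and the role names other than ZSU01_PFCG are constructed. It also reports S_RFC_ADM with activity 06 and the transactions SU01 and PFCG, which this guide names as critical elsewhere.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column layout (role, object, field, value) is an
# assumption for this example; adapt it to the export you actually work with.
SAMPLE_EXPORT = """role,object,field,value
ZSOLMAN_IMG_MYPROJECT,S_TCODE,TCD,SPRO
ZSOLMAN_IMG_MYPROJECT,S_RFC,RFC_TYPE,
ZSOLMAN_IMG_MYPROJECT,S_RFC,RFC_NAME,
ZSOLMAN_IMG_MYPROJECT,S_RFC,ACTVT,
ZSOLMAN_IMG_MYPROJECT,S_TABU_DIS,DICBERCLS,*
ZSOLMAN_IMG_MYPROJECT,S_TABU_DIS,ACTVT,02
ZSOLMAN_IMG_MYPROJECT,S_TABU_DIS,ACTVT,03
ZMDM_COCKPIT,S_RFC_ADM,ACTVT,03
ZMDM_COCKPIT,S_RFC_ADM,ACTVT,06
ZMDM_COCKPIT,S_RFC_ADM,RFCTYPE,G
ZSU01_PFCG,S_TCODE,TCD,SU01
ZSU01_PFCG,S_TCODE,TCD,PFCG
ZDISPLAY,S_TCODE,TCD,SU01
"""

# Objects whose values the authorization trace does not fill in.
UNTRACED_OBJECTS = {"S_RFC", "S_TABU_DIS"}
# Transactions for which no roles are delivered for security reasons.
CRITICAL_TCODES = {"SU01", "PFCG"}


def review_roles(export_text):
    """Return a sorted list of (role, finding, detail) tuples."""
    values = defaultdict(set)  # (role, object, field) -> set of values
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["role"].strip(), row["object"].strip(), row["field"].strip())
        values[key].add((row["value"] or "").strip())

    findings = set()
    for (role, obj, fld), vals in values.items():
        maintained = {v for v in vals if v}
        if obj in UNTRACED_OBJECTS:
            if not maintained:
                # Field was never maintained: the role is incomplete.
                findings.add((role, "UNMAINTAINED", f"{obj}.{fld}"))
            elif "*" in maintained:
                # Wildcard on a critical object: confirm this is intended.
                findings.add((role, "FULL_AUTHORIZATION", f"{obj}.{fld}"))
        if obj == "S_RFC_ADM" and fld == "ACTVT" and maintained & {"06", "*"}:
            # Activity 06 allows deleting RFC destinations.
            findings.add((role, "RFC_DESTINATION_DELETE", "S_RFC_ADM.ACTVT includes 06"))
        if obj == "S_TCODE" and fld == "TCD":
            for tcode in sorted(maintained & CRITICAL_TCODES):
                findings.add((role, "CRITICAL_TRANSACTION", tcode))
    return sorted(findings)


if __name__ == "__main__":
    for role, finding, detail in review_roles(SAMPLE_EXPORT):
        print(f"{role:24} {finding:24} {detail}")
```

Every CRITICAL_TRANSACTION finding outside the dedicated administration role is a candidate for removal.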
More Information
- on configuration and on how to create an IMG project, see:
  - Document: How to Create Customizing Projects and Project IMGs on the Service Marketplace:
    http://service.sap.com/solutionmanager Media Library Technical Papers.
  - Configuration Guide for SAP Solution Manager on the Service Marketplace:
    http://service.sap.com/instguides SAP Components Solution Manager
    <current release>.
The following paragraph gives you an overview of the roles relevant for infrastructure.
Caution
Roles for System Landscape Directory (SLD) and so on, are not mentioned here.
See the SAP Solution Manager installation guide in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>
or, for SLD, also http://sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management
Application Management System Landscape Directory .
Features
Data Model
Name Type Remark
SAP_DMDDEF_DIS ABAP Display authorization for data
model
Solution
A solution can be regarded as a container for systems, according to either the business process
running via various systems, or the system type.
Note
You can display the Solution ID in Work Center Solution Manager Administration Solutions or via
transaction SOLUTION_MANAGER Solution Overview Goto Technical Information .
Example
Solution Directory
The Solution Directory can be regarded as a repository for solutions. You can specify business
processes for your solution, and/or transfer business processes from a project to your solution.
Name Type Remark
SAP_SOLMAN_DIRECTORY_ADMIN ABAP Administer data in Solution
Directory
SAP_SOLMAN_DIRECTORY_EDIT ABAP Maintain data in Solution
Directory
SAP_SOLMAN_DIRECTORY_DISPLAY ABAP Display data in Solution Directory
Solution Transfer
Name Type Remark
SAP_SOLUTION_TRANSFER ABAP Authorization to transfer solutions
Note
Solution Transfer: When you transfer solutions, all productive data of your chosen solutions is
transferred by default. When you make your solution known to SAP, its data is regularly updated by
a background job. For each solution, you can decide whether you want to transfer only productive
data, all data or no data. To disable it, see SAP Note 920153. During transfer, data is downloaded to SAP
via transaction DMD_OPEN. This data package is only partially read and used by SAP. The system
bundles information about logical components and business processes at SAP, per customer. To view
the data of a solution, use report RDSMOP_VIEW_SOLUTION_XML to save the information sent to SAP as
an XML file on your local PC. You can then use the Internet Explorer to view this XML file.
Service Connection
More Information
for a detailed explanation of roles for infrastructure, see the link in IMG activity: Information and
Configuration Prerequisites for System Landscape (technical name: SOLMAN_SYST_INFORMAT)
The Implementation and Upgrade scenario contains a number of functions in combination. Other features
can complement the possible functions.
Features
Implementation and Upgrade Functions in the Solution Manager System
Roles for Implementation and Upgrade are predefined Composite Roles (technical abbreviation: *_COMP)
for business-related roles such as Project Manager (technical abbreviation: *_PM_*) or Technical
Consultant (technical abbreviation: *_TC_*). Composite roles are a set of individual roles that are
relevant for the business role.
Caution
Individual roles for Testing are only relevant for the standard testing functionality. There are
additional roles for Test Management in: Roles for Test Management.
Example
E-Learning Management
Name | Type | Remarks
SAP_SOL_TRAINING_ALL | ABAP | Individual role (in SAP_SOL* composite roles), to use E-Learning management tool
SAP_SOL_TRAINING_EDIT | ABAP | Individual role (in SAP_SOL* composite roles), to use E-Learning management tool
Document Management
Roles in SAP Solution Manager System
You can control the access rights to documents in the project by assigning authorizations for
groups of documents, for instance you can specify that only the project management can change
documentation templates. The system saves Solution Manager documents in folders.
Name | Type | Remarks
SAP_SOL_KW_ALL | ABAP | Individual role (in SAP_SOL* composite roles), to: administer, create, edit, and delete documents during implementation and upgrade; administer, create, edit, and delete documents in test management; use Help Center functionality (authorization object S_IWB with full authorization)
SAP_SOL_KW_READ | ABAP | Example: You can specify that a user can only display documents with the status Released, but not with status Review.
SAP_SOL_KW_DIS | ABAP | Individual role (in SAP_SOL* composite roles), to: display documents during implementation and upgrade; display Help Center functionality; display documents in test management (authorization object S_IWB with activity 03)
Access to Knowledge Warehouse folders is controlled by the authorization object S_IWB. This
authorization object is contained in all Document Management single roles, see the Remarks column
of the table above. If you want to restrict this authorization for a special project, assign the project (ID) to field
IWB_FLDGRP (Folder Group).
Caution
You should keep the default values in the field IWB_AREA (area).
Example
Note
SAP-delivered roles start with SAP namespace SAP. Profiles start with S_*. Roles and profiles for
managed systems are delivered with Software Component SAP_BASIS.
More Information
- see IMG activity: Information and Configuration Prerequisites for Implementation (technical name:
SOLMAN_RECOMMEND)
- see IMG activity: Information and Configuration Prerequisites for Solution Documentation Assistant (technical
name: SOLMAN_SDA_INFO)
Custom Development Management Cockpit can be accessed from the Implementation and Upgrade
work centers. It contains two use cases:
- Clearing Analysis
- Upgrade/Change Impact Analysis
Note
See use case description in the Application Help for SAP Solution Manager in the Help Portal:
http://help.sap.com SAP Solution Manager .
Both use cases involve several systems. The systems are connected by RFC.
Features
Custom Development Management Cockpit
Name | Type | Remarks
SAP_CDMC_USER | ABAP | Execution authorization for CDMC
SAP_CDMC_MASTER | ABAP | Administration authorization for CDMC including maintaining global settings and deleting CDMC projects
SAP_CDMC_STAT_SYSTEM | ABAP | This role can be used for the technical user for the RFC connection to the statistics system in Clearing Analysis. It contains only the authorizations necessary for the tasks carried out on the statistics system (activation of statistics collection, import of the collected statistics to the control center, determination of empty tables, syntax check for source code objects)
Test Management includes all functions relevant for testing. For detailed information about
the scenario, see the master guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .
Features
Test Management in the Solution Manager System
Name Type Remarks
SAP_SOL_TESTER_COMP ABAP composite role Perform tests
Caution
Basic roles for other target groups, such as product manager or application consultant, which
contain the function Testing, are included in the composite roles for implementation and upgrade.
See Roles for Implementation and Upgrade in this document. Composite roles for implementation and
upgrade contain individual roles for individual functions.
Note
You must use the roles for Test Workbench Workflow in combination with the composite roles for the
scenarios Upgrade and Implementation and Test Management.
Note
You must use the roles for Business Process Change Analysis in combination with:
- the composite roles for the scenario Upgrade and Implementation and/or Test Management, see Roles
for Implementation and Upgrade.
- SAP_SM_SOLUTION_*, if you work with solutions, see Roles for Infrastructure.
Note
Roles delivered by SAP start with SAP namespace SAP. Profiles start with S_*. Roles and profiles for
managed systems are delivered with Software Component SAP_BASIS.
More Information
- see IMG activity: Information and Configuration Prerequisites for Test Management (technical name:
SOLMAN_INFO_TEST)
- see IMG activity: Information and Configuration Prerequisites for Test Workbench (technical name:
SOLMAN_TEST_WF_INFO)
Roles for System Monitoring and System Administration include setup and/or operations of
EarlyWatch Alert, Service Level Reporting, System Monitoring, and Central System Administration.
The roles SAP_SV_SOLUTION_MANAGER (full authorization) and SAP_SV_SOLUTION_MANAGER_DISP
(display authorization) have authorization for all functions/sessions. To grant authorization for all
sessions in setup use SAP_SETUP_DSWP, and for operations, SAP_OP_DSWP.
Note
Each session type is identified by a bundle ID. To get the bundle ID for a session type:
1. Open the session in the Solution Manager.
2. Choose Goto Technical Information .
The bundle ID is in the field Session Package/Version.
Features
Roles and Profiles for Service Data Control Center (Transaction SDCCN) in the Solution
Manager System and Managed System
Roles/profiles for Service Data Control Center (SDCCN) are relevant for EarlyWatch Alert. SDCCN must
be active in the Solution Manager system and in the managed systems.
Note
Roles and profiles for managed systems are delivered with Software Component ST-PI. For systems
with SAP NW >=6.10, use SDCCN roles (for instance SAP_SDCCN_ALL), for systems with SAP NW < 6.10,
use profiles (for instance profile S_SDCCN_ALL).
Example
More Information
see IMG activity: Information and Configuration Prerequisites for System Monitoring and Administration (technical
name: SOLMAN_SYSADM_INFO)
This paragraph gives you an overview of the roles for Downtime Management.
Features
Downtime Management
Name | Type | Remarks
SAP_SM_DTM_ALL | ABAP | Full authorization for Downtime Management
SAP_SM_DTM_DIS | ABAP | Display authorization for Downtime Management
You can use the Master Data Management (MDM) Administration Cockpit in Solution Manager via the
System Administration work center, see section System Administration Work Center.
Features
The following roles are relevant for the Master Data Management (MDM) Administration Cockpit:
Issue Management
Note
The roles do not substitute the MDM repository security concept but extend it to the ABAP
environment. The MDM repository role assigned to the user should allow at least the same activities
that are allowed by the SAP_SM_ADMIN_COMPONENT_* role. Otherwise, a user cannot perform the
activity with the MDM Administration Cockpit.
Caution
Roles SAP_SM_ADMIN_COMPONENT_ALL and SAP_SM_ADMIN_COMPONENT_EXE contain authorization
object S_RFC_ADM with activity 06 delete. This authorization allows you to delete all RFC destinations
of type G (HTTP to external server), except the RFC destination with naming convention MDM*. See
also SAP Note 1270045.
Integration
MDM is tightly integrated with the Database Administration (DBA) Cockpit and Downtime Management
(DTM). If you use DBA with MDM, you need to assign the DBA roles, see section Roles for Database Administration
Cockpit.
You can access the Database Administration (DBA) Cockpit via the Master Data Management
Administration Cockpit and the System Administration and Root Cause Analysis work centers in
Solution Manager.
Features
Database Administration
Name | Type | Remarks
Role SAP_DBA_DISP, profile S_DBA_DISP | ABAP | Display authorization for DBA Cockpit
Note
For roles required for integration with Service Desk and/or Change Request Management, see
sections: Roles for Service Desk and Roles for Change Request Management.
Features
Job Scheduling Management
Name | Type | Remarks
SAP_SM_SCHEDULER_ADMIN | ABAP | Full authorization including communication to external tool
SAP_SM_SCHEDULER_EXE | ABAP | Execution authorization including communication to external tool
SAP_SM_SCHEDULER_DIS | ABAP | Display authorization
Integration
Job Scheduling Management can be integrated with SAP CPS, see section Roles for Third Party Integration.
More Information
see IMG activity: Information and Configuration Prerequisites for Job Scheduling Management (technical name:
SOLMAN_JSCHED_INFORM)
Features
Business Process Operations
Name | Type | Remarks
SAP_SETUP_DSWP_BPM | ABAP | Full authorization for Business Process Operations session in operations setup (according to bundle ID)
SAP_OP_DSWP_BPM | ABAP | Full authorization for Business Process Operations session in operations (according to bundle ID)
SAP_SV_SOLUTION_MANAGER | ABAP | Full authorization for all sessions in operations and operations setup
SAP_SV_SOLUTION_MANAGER_DISP | ABAP | Display authorization for all sessions in operations and operations setup
You can restrict access to Data Consistency Management and Data Volume Management (see section Work Center
Business Process Operations), using authorization object SM_BPM_AUT. Per default Data Volume Management
(DVM) is deselected. If you want to use Data Volume Management, you need to select DVM in the
authorization object.
Note
Each session type is identified by a bundle ID, which must be entered in field DSWPBUNDLE in
authorization object D_SOLMANBU. You can get the bundle ID for a session type as follows:
1. Open the session in the Solution Manager.
2. Choose Goto Technical Information .
The bundle ID is in the field Session Package/Version.
More Information
see IMG activity: Information and Configuration Prerequisites for Business Process Monitoring (technical name:
SOLMAN_BPM_INFO).
You can assign roles for SAP Engagement and Service Delivery to your end-users and SAP Support
employees. Roles for SAP Engagement and Service Delivery are composite roles, which contain a
number of individual roles. The following paragraphs give you an overview of the two composite
roles and their individual roles. You should assign these roles to the user in your system which you
created for SAP Support employees. See User SAPSUPPORT in this document.
Note
See also SAP Note 872800.
Features
SAP Engagement and Service Delivery
For SAP Engagement and Service Delivery, SAP provides two main composite roles which
contain a number of individual roles. SAP_SOLMAN_ONSITE_ALL_COMP grants more authorization
than SAP_SOLMAN_ONSITE_COMP. You can assign either SAP_SOLMAN_ONSITE_ALL_COMP or
SAP_SOLMAN_ONSITE_COMP. Role SAP_SOLMAN_ONSITE_ALL_COMP is automatically assigned to user
SAPSUPPORT during automatic configuration of Solution Manager basic settings.
SAP_SOLMAN_ONSITE_COMP | ABAP composite role | Note: Extra authorization object is not required, as execution
Example
You want SAP employees to support you, but they should not be able to create systems,
logical components or solutions in your system. In this case, you grant composite role
SAP_SOLMAN_ONSITE_COMP.
More Information
- for up-to-date information on SAP Engagement and Service Delivery roles for SAP Support
employees, see: SAP Note 872800
Note
If one of the single roles mentioned is not contained in the composite role, please include the
corresponding single role in the composite role according to your requirements.
- on basic configuration of SAP Solution Manager, see configuration guide for Solution Manager in
the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution
Manager <current release>
- on roles for SAP Change and Transport Analysis Sessions, see SAP Note 1074808
The following paragraph gives you an overview of roles for Issue Management.
Features
Issue Management
Name | Type | Remarks
SAP_ISSUE_MANAGEMENT_ALL | ABAP | Full authorization for Issue Management
SAP_ISSUE_MANAGEMENT_EXE | ABAP | Operations authorization for Issue Management
SAP_ISSUE_MANAGEMENT_DIS | ABAP | Display authorization for Issue Management
More Information
about Issue Management, see IMG activity: Information and Configuration Prerequisites for Issue Management
(technical name: SOLMAN_ISSUE_INFORMA)
These roles allow your end users to use the Service Desk.
Features
Service Desk
Name | Type | Remarks
SAP_SUPPDESK_ADMIN | ABAP | Authorization to configure the Service Desk, and authorizations for the roles: SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE. Note: To maintain actions, you also need the role SAP_PPF_CONFIGURATOR
SAP_SUPPDESK_PROCESS | ABAP | Authorization for message (notification) processing, including the use of the solution database
More Information
for Service Desk, see IMG activity Information and Configuration Prerequisites for Service Desk (technical name:
SOLMAN_SD_INFORMATIO).
for Service Provider, see IMG activity Information and Configuration Prerequisites for Service Provider (technical
name: SOLMAN_SERVICEDESKINFO).
The Maintenance Optimizer guides you through the planning, downloading, and implementation
of SAP support packages and patches for your managed systems.
Features
Maintenance Optimizer
Name | Type | Remarks
SAP_MAINT_OPT_ADMIN | ABAP | Full authorization for Maintenance Optimizer
SAP_MAINT_OPT_DISP | ABAP | Display authorization for Maintenance Optimizer
SAP_MAINT_OPT_ADD | ABAP | Authorization to write Stack Delta XML folder into the EPS Outbox of the operating system of Solution Manager (Stack Delta XML folders are relevant for JSPM (Java Support Package Manager) and SAP Jup (SAP Java Upgrade) in Java systems).
Integration
In the planning phase of Maintenance Optimizer, you can start a guided procedure to install your
downloaded packages. This procedure is in the function Change Request Management, see section
Roles for Change Request Management.
More Information
see IMG activity: Maintenance Optimizer (technical name: SOLMAN_MAINT_OPTIMIZ).
Change Request Management manages your entire SAP Solution Manager projects (maintenance,
implementation, template, and upgrade), from change management and project planning, through
resource management and cost control, to physical transport of changes from the development
environment into the productive environment. Roles for Change Request Management are
business-oriented.
Features
Change Request Management
Name | Type | Remarks
SAP_CM_CHANGE_MANAGER_COMP | ABAP composite role | Approve or reject change requests
SAP_CM_DEVELOPER_COMP | ABAP composite role | Corrections in the development system; corrections in the maintenance and development systems
SAP_CM_TESTER_COMP | ABAP composite role | Test corrections in the test system; test and validate corrections
SAP_CM_OPERATOR_COMP | ABAP composite role | Import corrections into the production system; task lists
SAP_CM_PRODUCTIONMANAGER_COMP | ABAP composite role | Import corrections into the production system; Approve imports into the production systems
Schedule Manager
Developer Tester Prod. Manager Operator Administrator
Display X X X X X
Create X X
Change X
Delete X
Run X X X X X
Change status X X X X X
Quality Gate Management (only relevant for Change Request Management Work Center)
Name Type Remarks
SAP_SM_QGM_ALL ABAP Quality Gate Manager
SAP_SM_QGM_TRANSPORT ABAP User for Transport Activities
SAP_SM_QGM_STATUS_QM ABAP User to Set Q-Gate Status (QM)
SAP_SM_QGM_STATUS_QAB ABAP User to Set Q-Gate Status (QAB)
The following table shows which transport methods are assigned to the background users in the
target client and in client 000, in Change Request Management. It also indicates which roles are
required for real users when using trusted RFC destinations:
Transport Methods
Create Create Task Release Task Release Import
Request Request Request
User in X
SOLTMW<SID><CLNT> X X X
Target
User Operator; Ad- Operator; Ad- Developer, Operator; Ad-
Client
ministrator ministrator Operator; Ad- ministrator
ministrator
User in TMSADM X
Client 000
User Operator; Ad-
ministrator
Note
(*) If you want developers in the Change Request Management scenario to start imports into a test
system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of
the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which
are in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical
systems. The system where you want to start the import automatically must have the same transport
directory as its preceding system.
Integration
- Import Authorization Checks
Change Request Management uses the import functions of the Transport Management System
(TMS). The TMS remote infrastructure is based on RFC connections that point only to the client 000
of a target system, so operators and administrators must have users in both the client into which
changes are imported, and in the client 000 of these systems.
- Automatic Imports
Imports must sometimes be performed automatically in test systems. If you want developers in
the Change Request Management scenario to start imports into a test system automatically, you
must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since
S_TMW_IMPORT does not contain any authorization objects, you have to assign it the authorizations
S_CTS_IMPALL and S_CTS_IMPSGL, which are also in the authorization object S_CTS_ADMI.
Caution
- It is now possible to start an import into this system from any satellite system in your domain
with the CPIC user TMSADM, so do not use this method in production or other security-critical
systems.
- The system where you want to start the import automatically must have the same transport
directory as its preceding system. If the transport directories were different, the user who starts
the import would need addtobuffer authorization for buffer adjustment, which would present a
security risk not only for the system concerned, but also for the whole landscape (including the
production system).
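The two cautions above and the profile requirement under Automatic Imports can be checked across a landscape inventory. The following is an added example, not SAP-delivered code: the inventory structure, the system IDs, and the directory paths are constructed assumptions, and the data would in practice be collected from client 000 of each system.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AUTO_IMPORT_PROFILE = "S_TMW_IMPORT"
# Authorizations the guide says must be added to the (empty) profile.
REQUIRED_AUTHS = {"S_CTS_IMPALL", "S_CTS_IMPSGL"}


@dataclass
class System:
    """One system of the transport landscape (hypothetical inventory record)."""
    sid: str
    security_critical: bool              # production or other critical system
    transport_dir: str
    preceding_sid: Optional[str] = None  # previous system in the transport route
    # Profiles of user TMSADM in client 000: profile name -> authorizations
    tmsadm_profiles: Dict[str, Set[str]] = field(default_factory=dict)


# Constructed sample landscape.
LANDSCAPE = [
    System("DEV", False, "/usr/sap/trans"),
    System("QAS", False, "/usr/sap/trans", "DEV",
           {"S_TMW_IMPORT": {"S_CTS_IMPALL", "S_CTS_IMPSGL"}}),
    System("QA2", False, "/usr/sap/trans_qa2", "DEV",
           {"S_TMW_IMPORT": {"S_CTS_IMPALL"}}),
    System("PRD", True, "/usr/sap/trans", "QAS",
           {"S_TMW_IMPORT": {"S_CTS_IMPALL", "S_CTS_IMPSGL"}}),
]


def check_auto_import(systems: List[System]) -> List[Tuple[str, str]]:
    """Return (sid, finding) for every system where TMSADM can auto-import."""
    by_sid = {s.sid: s for s in systems}
    findings = []
    for s in systems:
        if AUTO_IMPORT_PROFILE not in s.tmsadm_profiles:
            continue  # automatic import not enabled on this system
        if s.security_critical:
            # Imports could be started from any satellite system via TMSADM.
            findings.append((s.sid, "AUTO_IMPORT_ON_CRITICAL_SYSTEM"))
        missing = REQUIRED_AUTHS - s.tmsadm_profiles[AUTO_IMPORT_PROFILE]
        if missing:
            findings.append((s.sid, "PROFILE_INCOMPLETE:" + ",".join(sorted(missing))))
        prev = by_sid.get(s.preceding_sid)
        if prev is not None and prev.transport_dir != s.transport_dir:
            # Different directories would require addtobuffer authorization.
            findings.append((s.sid, "TRANSPORT_DIR_MISMATCH"))
    return findings


if __name__ == "__main__":
    for sid, finding in check_auto_import(LANDSCAPE):
        print(sid, finding)
```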
The following tables display all roles needed for end users for Root Cause Analysis (roles for technical
users such as user SMD_RFC, see sections on technical users). Roles need to be assigned in the following
systems:
- Solution Manager system
- managed systems
- BI client
Features
Roles/Profiles in Solution Manager System
Profile S_RCA_DISP corresponds to role SAP_RCA_DISP | ABAP | Caution: You must not alter this role, as it contains all mandatory authorizations for the SAPSUPPORT user. You can use this role in SAP namespace.
Profile S_RCA_EXE corresponds to role SAP_RCA_EXE | ABAP | Contains application-relevant authorizations for Root Cause Analysis. This role contains delta authorizations to SAP_RCA_DISP. Copy it into your own namespace and maintain it. Profile is automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager. Role is in SAP_SOLMAN_ONSITE_ALL_COMP. Example: A special user group for a certain application of RCA should be granted: SAP_RCA_DISP, ZSAP_RCA_EXE
Role in BI Client
Name Type Remark
SAP_BI_E2E ABAP For BI Reporting via Root
Cause Analysis; assigned to user
SAPSUPPORT, corresponds to profile
S_SMDIAG_BI
More Information
- for general information about Root Cause Analysis, see master guide for SAP Solution Manager in the
Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution
Manager <current release>.
- for SAPSUPPORT user, see section User SAPSUPPORT.
- for Solution Manager configuration, see SAP Solution Manager configuration guide in the Service
Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager
<current release>.
BI reporting is relevant for several scenarios. For instance, it is used for Test Workbench, IT
Performance reporting and Service Sessions.
Prerequisites
You have defined your BI client. For more information about planning aspects regarding the setup
of your BI client, see the Master Guide for SAP Solution Manager on the SAP Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .
Features
BI reporting uses the Extractor Framework (EFWK). The extractor is relevant for collecting data for BI
reporting. It can be executed remotely in the managed system, or locally in the managing system. It is
restricted by authorization object AI_DIAGE2E. The following roles must be assigned for BI reporting.
BI-relevant roles
Name Type Remarks
E2E Diagnostics
SAP_BI_E2E / SAP_SM_BI_EXTRACTOR
Note
Job is scheduled during setup of
Solution Manager.
Note
Role SAP_SM_BI_EXTRACTOR allows use of extractor during setup of all BI-relevant reporting. This
role contains the following authorization objects:
- AI_DIAGE2E
- AI_CCMSBI
Authorization object AI_CCMSBI is delivered with full authorization for KPI reporting and Test
Workbench reporting. If you want to restrict authorization to one of these functions, you need to
maintain the values for field CCMSBI_SCE.
If you use an external BI system, you must download role SAP_SM_BI_EXTRACTOR from the Solution
Manager system to your PC, and upload it to your BI system. Choose in the transaction PFCG
menu Roles Upload/Download .
More Information
see IMG activity Information and Configuration Prerequisites for BI (technical name: SOLMAN_BI_CLIENT_INF)
Features
TREX
Name Type Remarks
SAP_BC_TREX_ADMIN ABAP For TREX configuration using the
TREX Admin tool
More Information
see IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_TREX_INFO)
Prerequisites
To use a third party system, such as SAP Quality Center by HP or SAP Central Process Scheduling by
Redwood, you need the corresponding adapter.
Note
See SAP Solution Manager Configuration Guide http://service.sap.com/instguides SAP
Components SAP Solution Manager <current release> .
Features
Service Desk Interface
Name | Type | Remarks
SAP_SUPPDESK_INTERFACE | ABAP | Authorization for bi-directional interface and configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN
SAP_SUPPDESK_INTERFACE | ABAP | Recommendation: To restrict the services that can be accessed, maintain authorization field SRV_NAME in authorization object S_SERVICE. Enter the following services: ICT_SERVICE_DESK_API*, ICT_SERVICE_DESK_API_MQC*
Caution
If you have SAP Central Process Scheduler installed on your SAP Solution Manager Java stack, you
must also assign role SAP_J2EE_ADMIN to your technical communication user in the SAP Solution
Manager system. This authorization allows you to create the user in the UME of the Java stack.
Integration
For information on security issues for the individual third party products, see the product guides.
More Information
- on technical users in the Solution Manager system and managed systems, see sections on technical
users in this guide
- on SAP Quality Center by HP Integration Test Management, see IMG activity: Information
and Configuration Prerequisites for SAP Quality Center by HP (Test Management) (technical name:
SOLMAN_QC_INFORMATIO)
- on SAP Quality Center by HP Integration Defect Management, see IMG activity: Information
and Configuration Prerequisites for SAP Quality Center by HP (Defect Management) (technical name:
SOLMAN_QC_SUPPDESK_I)
- on SAP Central Process Scheduling by Redwood, see IMG activity: Information and Configuration
Prerequisites for SAP Central Process Scheduling (technical name: SOLMAN_REDWOOD_INFOR)
- on BMC AppSight for SAP Client Diagnostics, see IMG activity: Information and Configuration Prerequisites
for BMC AppSight for SAP Client Diagnostics (technical name: SOLMAN_BMC_INFO)
In SAP Solution Manager, you can connect the business systems in your system landscape. This
function can be performed in the System Landscape Management work center application Automatic
Technical Configuration.
Features
To access and use the Automatic Technical Configuration application, you need the following roles for
your end user:
Automatic Technical Configuration in System Landscape Management work center
Name | Type | Remarks
SAP_SMSY_ALL | ABAP | To run the configuration between your business systems
SAP_BC_CTC | ABAP | To call CTC
work center navigation roles for System Landscape Management | | See section Work Center Navigation
To perform the configuration, you need the following users and profile:
Configuration of Business System Connection
User | Profile | Remarks
Administration users (for instance DDIC) | profile SAP_ALL | For more information, see configuration guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>
Technical users | profile SAP_ALL | See section about technical users in managed systems
More Information
about CTC and CTC configuration in SAP Solution Manager, see SAP Solution Manager Configuration Guide:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>.
After the new installation and an update of your SAP Solution Manager system, you need to update
your tables with new default field values for authorization objects, in transaction SU25. This is
especially relevant for all new authorization objects delivered with an update.
Caution
When you update your system, you must import new roles and profiles from client 000 into your
productive client.
Procedure
1. Call transaction SU25.
2. Choose Information.
The dialog explains in detail what you need to do.
Recommendation
Perform at least the first step.
You need to grant authorizations for which SAP does not ship template roles, in the Solution Manager
and managed systems. To be able to assign the correct authorization you can create a dedicated
role for them. This section describes how to create your own roles, using the example of critical
authorizations of transactions SU01 (User Management) and PFCG (Role Management).
Features
1. Create a Role in Transaction PFCG
a) Choose transaction PFCG.
b) Enter a role name in your namespace, for instance: ZSU01_PFCG, and choose Single Role.
c) Enter a description for your role, for instance: Full authorization for SU01 and PFCG.
d) Go to tab menu and enter transactions SU01 and PFCG.
Note
The authorization objects required in role creation are maintained using transactions. When
you enter a transaction in the menu tab in your role, the system traces all authorization
objects required for this transaction.
e) Save your role.
Note
You are asked for a transport request.
2. Maintain Authorization Objects
Default authorization objects delivered by SAP contain only minimal authorizations. To grant
full authorization to authorization objects, you must edit them.
a) Choose the Authorizations tab in the Role Maintenance.
b) Choose Change.
c) Maintain all activity values per authorization object, according to your needs, for instance if
you want to grant full authorization, always choose all activities.
Caution
All authorization objects need to have a green traffic light. If you are not sure about the
function of the authorization object, double-click the green line. The system opens the
documentation for this object in a separate window.
After you have generated profiles from roles, assign the role to your users in one of the two ways
explained below.
Procedure
- Transaction SU01
1. Choose transaction SU01.
2. Enter the user and choose edit.
3. Go to Roles tab.
4. Enter your role.
5. Save.
- Transaction PFCG
1. Choose transaction PFCG.
2. Enter your role and choose edit.
3. Go to Users tab.
4. Enter the user name.
5. Choose the button User Comparison.
6. Save.
Note
For more information on User Comparison, see SAP Note 1272331.
The following sections give you an overview of all work centers and work center related roles. Each
section contains a table with a mapping of work center views, links and authorization roles that
should be assigned to users who perform the tasks.
Work center navigation roles (naming convention: SAP_SMWORK_<work center>) are based on the
concept of authorization roles (transaction PFCG). In contrast to authorization roles, which contain
a number of authorization objects for authorization purposes, work center navigation roles are
only relevant for the navigation in the work center via menu entries. These menu entries are
a two-folder hierarchy. They display the menu hierarchy/entries in the SAP NetWeaver Business
Client (NWBC). The first level is the home page Web Dynpro application (WDA) of the work center
(for instance Incident Management). The second level consists of several related links, such as Service
Marketplace or Help Portal.
Constraints
Work center navigation roles are always individual roles. They only need to be assigned to the user.
Note
If you implement SAP Note 1272331, you should activate automatic user comparison when saving
a role. To be able to select the check for automatic user comparison when saving a role, edit the
respective role and go to menu Utilities Settings.
In addition, you must assign the corresponding authorization roles for the scenarios/functions (for
instance SAP_SUPPDESK_* and SAP_SUPPCF_*). As well as the work center navigation roles and
these authorization roles, you must assign users the authorization role SAP_SMWORK_BASIC, which
contains all relevant work center-related authorizations.
Individual role SAP_SMWORK_BASIC contains all authorization objects for work centers, such as
authorization for POWL (table control) and navigation. Each end-user who works with work centers
needs the role SAP_SMWORK_BASIC. This role must be fully maintained, including profile generation
and user comparison.
Note
Because of technical restrictions, the profile S_SMWC_BA is delivered for the SAPSUPPORT user when
basic authorizations are assigned automatically. See SAPSUPPORT user.
Features
The following authorization objects are relevant:
- CA_POWL
  Authorizations for Personal Object Work List (POWL)
- S_ICF (inactive)
  Authorization check for ICF services access.
Note
Authorization object S_ICF is delivered inactive, as it may only be relevant for service provider
functionality. For more information, see section Secure Service Logon.
Constraints
SAP_SMWORK_BASIC currently contains authorization objects that are relevant for all work centers. It
does not contain authorization objects that are required for individual work centers.
Example
If you use function PDF Print you need authorization object S_DEVELOP (activity: 03, object type
OBJTYPE: SMIM) to be able to display icons in the document.
7.3 My Home
This work center allows you to display overview data of all work centers you are assigned to.
Features
Mapping Root Cause Analysis work center to authorization roles
Integration
This work center displays overviews, work-related topics and reports of all work centers that are
assigned to the user. It therefore integrates with these work centers.
Implementation and Upgrade work center (work center navigation role: SAP_SMWORK_IMPL)
Features
Mapping of Implementation and Upgrade work center onto authorization roles
View Link Mapping of Authorization
Roles (see Roles for
<scenario/function>)
Overview Project Implementation and Upgrade
(by business role, for example
Project Manager or Technical
Consultant) SAP_SOL_*_COMP
(especially individual role for
Project Administration)
Projects Implementation and Upgrade
(by business role, for example
Project Manager or Technical
Consultant) SAP_SOL_*_COMP
(especially individual roles for:
n Project Administration
n Business Blueprint
n Configuration
Create Test Plan and Test Packages Implementation and Upgrade (by
business role, for example Project
Manager or Technical Consultant)
SAP_SOL_*_COMP
Integration
For the integrated use of roles, see section Integration of Functions.
More Information
see IMG activity: Setup Work Center for Implementation (technical name: SOLMAN_WC_IMPL)
Features
Mapping of Test Management work center onto authorization roles
More Information
see IMG activity: Setup Test Management Work Center (technical name: SOLMAN_WC_TEST)
Features
Mapping of Job Management work center onto authorization roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_*
Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Business Process Operations: SAP_SMWORK_BPM
Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.
More Information
see IMG activity: Setup Work Center for Job Management (technical name: SOLMAN_WC_JSCHED)
Integration
This work center integrates with the following work centers:
- Job Management: SAP_SMWORK_JOB_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Business Process Operations: SAP_SMWORK_BPM
Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.
More Information
- on work center for Service Desk (standard), see IMG activity: Create Work Center for Incident Management (Service Desk) (technical name: SOLMAN_SUPPDESK_WCS)
- on work center for Service Desk for Service Provider, see IMG activity: Create Work Center for Incident Management (Service Provider) (technical name: SOLMAN_VAR_WC)
Features
Mapping of Change Management work center onto authorization roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP / SAP_SM_QGM_*
Projects | | SAP_SM_QGM_*
Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Job Management: SAP_SMWORK_JOB_MAN
- Business Process Operations: SAP_SMWORK_BPM
Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.
More Information
see IMG activity: Setup Work Center for Change Management (technical name: SOLMAN_WC_CHARM)
Business Process Operations work center (work center navigation role: SAP_SMWORK_BPM)
Features
Mapping of Business Process Operations work center onto authorization roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | all | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*
Note
Role SAP_OP_DSWP_BPM contains authorization object
SM_BPM_AUT with full authorization for operations categories:
Note
If you want to create Service Desk messages, you need to assign role SAP_SUPPDESK_CREATE (and
SAP_SUPPCF_CREATE for service provider) to your user, see section Roles for Service Desk.
Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Job Management: SAP_SMWORK_JOB_MAN
Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.
More Information
see IMG activity: Setup Work Center for Business Process Operations (technical name: SOLMAN_WC_BPM)
SAP Engagement and Service Delivery work center (work center navigation role:
SAP_SMWORK_SERVICE_DEV)
Features
Mapping of SAP Engagement and Service Delivery work center onto authorization roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | | SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* / SAP_ISSUE_MANAGEMENT_*
Solutions | | SAP_SM_SOLUTION_* / SAP_OP_DSWP_BPM / SAP_ISSUE_MANAGEMENT_*
Reports | | SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Note
When you update an SAP Service, table entries or coding could be added or activated in your
system. You can grant or restrict authorization for updating SAP Services, with authorization object
SM_CNT_UPD.
More Information
see IMG activity: Setup Work Center for SAP Engagement and Service Delivery (technical name: SOLMAN_WC_ISSUE)
Features
Mapping of System Administration work center onto authorization roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | Task Management | Recurring Pre-configured Tasks (CSA): SAP_OP_DSWP_CSA
Task Management | | See roles for relevant tasks, above, in table row Task Management
Setup | CSA | SAP_SETUP_DSWP_CSA. Caution: Role contains full user administration authorization.
Administration Tools | | Template roles for non-specific Solution Manager transactions (functions) can be found in the documentation for these functions. Example: You operate a Master Data Management (MDM) system in your system landscape. The MDM Admin Cockpit automatically appears in your tool list, see section Roles for Master Data Management.
Integration
This work center integrates with Work Center System Landscape Management. For the integrated
use of roles, see section Integration of Functions.
Recommendation
Use the template composite role for system administrators (SAP_SMWORK_ADMINISTRATOR_COMP),
see section: How to Create Work Center Composite Roles.
More Information
See IMG activity: Setup Work Center for System Administration (technical name: SOLMAN_WCS_CSA)
Features
Mapping of System Monitoring work center onto authorization roles
View Link Mapping of Authorization Roles (see Roles for
<scenario/function>)
Overview Systems / Solutions SAP_SMSY_* / SAP_SM_SOLUTION_*
Note
If your BI client is not the Solution Manager
client, you need roles SAP_BW_CCMS_REPORTING and
SAP_SM_BI_EXTRACTOR. If you use an external BI system,
you must download role SAP_SM_BI_EXTRACTOR from
the Solution Manager system to your PC, and upload
it to your BI system in transaction PFCG Roles
Upload/Download .
Alert Inbox System Alerts SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
Create Messages SAP_SUPP*, for more information see section Roles for
Service Desk.
Proactive Monitoring System / Solutions SAP_SMSY_* / SAP_SM_SOLUTION_*
Note
If your BI client is not the Solution Manager
client, you need roles SAP_BW_CCMS_REPORTING and
SAP_SM_BI_EXTRACTOR. If you use an external BI system,
you must download role SAP_SM_BI_EXTRACTOR from
the Solution Manager system to your PC, and upload
it to your BI system in transaction PFCG Roles
Upload/Download .
Connectivity RFC Destinations SAP_SMSY_* Template role for authorization for
Monitoring transaction SM59 is not delivered with software
component ST. The role must be created individually.
Alternatively, role SAP_BC_USER_ADMIN can be used
Caution
Role contains full user administration authorization.
Job Monitoring Job Scheduling SAP_SM_SCHEDULER_*
Note
If your BI client is not the Solution Manager client
you need the following roles:
- SAP_BW_CCMS_SETUP
- SAP_PI_CCMS_SETUP
- SAP_SM_BI_EXTRACTOR
If you use an external BI system, you must download
role SAP_SM_BI_EXTRACTOR from the Solution
Manager system to your PC, and upload it to
your BI system in transaction PFCG Roles
Upload/Download.
Recommendation
For more information, see section Roles for BI-Related
Reporting
Solutions SAP_SM_SOLUTION_*
Note
You can set connection parameters for Adaptive Computing and Wily Introscope, see IMG activities:
- Connect Wily Introscope (technical name: SOLMAN_WILY_SERVER)
- Connect Adaptive Computing (technical name: SOLMAN_ACC_INTEG)
Integration
This work center integrates with System Landscape Management work center.
Recommendation
Use the template composite role for System Administrators (SAP_SMWORK_ADMINISTRATOR_COMP). See
section: How to Create Work Center Composite Roles.
More Information
see IMG activity: Setup for System Monitoring Work Center (technical name: SOLMAN_WC_SYS)
Features
Mapping of System Landscape Management work center onto authorization roles
View Link Mapping of Authorization Roles (see Roles for
<scenario/function>)
Overview System Management SAP_SMSY_*
Note
You have to assign these authorization objects with the
values separately.
SAP Reference Landscape No authorization check
Project Generation SAP_SOL_PROJ_ADMIN_*, SAP_SMSY_*
More Information
see IMG activity: Setup Work Center for Landscape Maintenance (technical name: SOLMAN_SMSY_WC)
Root Cause Analysis work center (work center navigation role: SAP_SMWORK_DIAG)
Features
Mapping Root Cause Analysis work center onto authorization roles
More Information
see IMG activity: Setup Work Center for Root Cause Analysis (technical name: SOLMAN_WC_RCA)
Solution Documentation Assistant work center (work center navigation role: SAP_SMWORK_SDA)
Features
Mapping of Solution Documentation Assistant work center onto authorization roles
View Link Mapping of Authorization
Roles (see Roles for
<scenario/function>)
Overview all SAP_SDA_*;
SAP_SOL_*_COMP (esp.:
Analysis Projects
SAP_SOL_PROJ_ADMIN_ALL)
Analyses
Rule Database
Solutions SAP_SOLMAN_DIRECTORY_*
Integration
Solution Documentation Assistant integrates with function Business Blueprint (transaction SOLAR01).
More Information
see IMG activity: Setup Work Center for Solution Documentation Assistant (technical name: SOLMAN_WC_SDA)
Features
Mapping of Solution Manager Administration work center onto authorization roles
View Link Mapping of Authorization
Roles (see Roles for
<scenario/function>)
Overview Solutions SAP_SM_SOLUTION_*
Projects SAP_SOL_PROJ_ADMIN_*
Caution
This role contains full
administration authorization.
Specific Administration Setup System Administration SAP_SM_SOLUTION_* /
SAP_SETUP_DSWP_CSA
n SAP_SMWORK_JOBMAN_COMP
This section describes how you can create a composite role for work centers, using the example of the
composite role for administrators. You want your system administrator to use Solution Manager
work centers. Your system administrator maintains your system landscape and ensures the smooth
running of all its systems. You need to grant work center navigation roles and authorizations roles
with full authorization, according to the mapping tables.
Note
If you use the existing roles, copy them, maintain all single authorization roles, and compare users.
Caution
If you want to adapt Work Center single roles of the SAP template composite roles, you need to
maintain them as single roles NOT included in the composite role. For instance, if you want to adapt
links in Work Center System Landscape Management of composite role SAP_SMWORK_ADMINISTRATOR_COMP,
you need to delete the SAP template single role SAP_SMWORK_LANDSCAPE_MAN included in the
composite role and assign your adapted ZSAP_SMWORK_LANDSCAPE role individually to the user.
Procedure
1. Create a composite role in transaction PFCG.
The procedure is similar to creating single roles, see section How to Create Roles for End Users.
2. Assign the following work centers in Roles tab:
   - System Landscape Management (work center navigation role: SAP_SMWORK_LANDSCAPE_MAN)
   - System Monitoring (work center navigation role: SAP_SMWORK_SYS_MON)
   - System Administration (work center navigation role: SAP_SMWORK_SYS_ADMIN)
   - Home (work center navigation role: SAP_SMWORK_MYHOME)
3. Assign the following authorization role for work centers: SAP_SMWORK_BASIC.
4. Assign the following authorization roles:
   - System Landscape Maintenance: SAP_SMSY_ALL
   - Solutions: SAP_SM_SOLUTION_ALL
   - System Monitoring Setup: SAP_SETUP_DSWP_SM
   - System Administration Setup: SAP_SETUP_DSWP_CSA
   - System Monitoring Operations: SAP_OP_DSWP_SM
   - System Administration Operations: SAP_OP_DSWP_CSA
   - Service Connection: SAP_SERVICE_CONNECT
5. Maintain the authorization roles and generate the profiles.
6. Assign the composite role to your system administrator and compare users.
Caution
If you use SAP NetWeaver Business Client, do not populate or merge the menu, as the work
centers cannot be displayed accurately in the SAP NWBC, see section How to Configure SAP NetWeaver
Business Client in the configuration guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .
Result
You have created a composite role for your system administrator.
Note
All necessary roles are included, authorization objects maintained, profiles generated, and
users compared. Only roles for transactions that are delivered with Solution Manager (Software
Component: ST) are included.
More Information
on work centers in general, see IMG activity: Information and Configuration Prerequisites for Work Center
(technical name: SOLMAN_WCS_INFORMATI)
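The assignment rules stated in this chapter (every work center user needs SAP_SMWORK_BASIC, a navigation role grants no authorizations by itself, and some roles carry full user administration) can be checked over an export of role assignments. The following is an added example, not SAP code or part of the original guide: the semicolon-separated layout (modelled on the fields of table AGR_USERS), the user names and the sample rows are constructed, the mapping covers only work centers whose tables appear in this section, and treating one matching authorization role per navigation role as sufficient is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime
from fnmatch import fnmatchcase

BASIC_ROLE = "SAP_SMWORK_BASIC"

# Navigation role -> authorization role patterns, taken from the mapping
# tables in this section. Customer copies (Z* roles) must be added by hand.
NAV_TO_AUTH = {
    "SAP_SMWORK_JOB_MAN": ("SAP_SM_SCHEDULER_*", "SAP_SM_SOLUTION_*"),
    "SAP_SMWORK_CHANGE_MAN": ("SAP_MAINT_OPT_*", "SAP_SM_SOLUTION_*",
                              "SAP_CM_*_COMP", "SAP_SM_QGM_*"),
    "SAP_SMWORK_BPM": ("SAP_OP_DSWP_BPM", "SAP_SM_SOLUTION_*"),
    "SAP_SMWORK_LANDSCAPE_MAN": ("SAP_SMSY_*", "SAP_SOL_PROJ_ADMIN_*"),
    "SAP_SMWORK_SYS_MON": ("SAP_SMSY_*", "SAP_SM_SOLUTION_*",
                           "SAP_OP_DSWP_SM", "SAP_SM_SCHEDULER_*"),
    "SAP_SMWORK_SYS_ADMIN": ("SAP_OP_DSWP_CSA", "SAP_SETUP_DSWP_CSA"),
}

# Roles the guide marks "contains full user administration authorization".
FULL_USER_ADMIN = {"SAP_SETUP_DSWP_CSA", "SAP_BC_USER_ADMIN"}

# Constructed sample export: user, role, validity start and end (YYYYMMDD).
SAMPLE_EXPORT = """\
UNAME;AGR_NAME;FROM_DAT;TO_DAT
ADMIN01;SAP_SMWORK_SYS_ADMIN;20090101;99991231
ADMIN01;SAP_SMWORK_BASIC;20090101;99991231
ADMIN01;SAP_SETUP_DSWP_CSA;20090101;99991231
OPER02;SAP_SMWORK_JOB_MAN;20090101;99991231
OPER02;SAP_SM_SOLUTION_ALL;20090101;99991231
OPER03;SAP_SMWORK_SYS_MON;20080101;99991231
OPER03;SAP_SMWORK_BASIC;20080101;99991231
OPER03;SAP_OP_DSWP_SM;20080101;20081231
OPER04;SAP_SMWORK_DIAG;20090101;99991231
OPER04;SAP_SMWORK_BASIC;20090101;99991231
"""


def _ymd(text, open_ended):
    """Parse YYYYMMDD; an empty or all-zero date means 'no limit'."""
    text = text.strip()
    if text in ("", "00000000"):
        return open_ended
    return datetime.strptime(text, "%Y%m%d").date()


def load_active_roles(export_text, on_date):
    """Return {user: set(roles)} for assignments valid on on_date."""
    roles = defaultdict(set)
    reader = csv.DictReader(io.StringIO(export_text.strip()), delimiter=";")
    for row in reader:
        start = _ymd(row["FROM_DAT"], date.min)
        end = _ymd(row["TO_DAT"], date.max)
        if start <= on_date <= end:
            roles[row["UNAME"].strip()].add(row["AGR_NAME"].strip())
    return roles


def is_navigation_role(role):
    """Single work center navigation roles follow SAP_SMWORK_<work center>."""
    return (role.startswith("SAP_SMWORK_") and role != BASIC_ROLE
            and not role.endswith("_COMP"))


def audit(export_text, on_date):
    """Return a sorted list of (user, finding, role) tuples."""
    findings = []
    active = load_active_roles(export_text, on_date)
    for user, roles in sorted(active.items()):
        nav_roles = sorted(r for r in roles if is_navigation_role(r))
        if nav_roles and BASIC_ROLE not in roles:
            findings.append((user, "MISSING_BASIC", BASIC_ROLE))
        for nav in nav_roles:
            patterns = NAV_TO_AUTH.get(nav)
            if patterns is None:
                # Mapping table not available: needs manual review.
                findings.append((user, "UNMAPPED_NAV_ROLE", nav))
            elif not any(fnmatchcase(r, p) for r in roles for p in patterns):
                # Menu entries without any authorization role behind them.
                findings.append((user, "NAV_WITHOUT_AUTH", nav))
        for role in sorted(roles & FULL_USER_ADMIN):
            findings.append((user, "FULL_USER_ADMIN", role))
    return findings


if __name__ == "__main__":
    for user, finding, role in audit(SAMPLE_EXPORT, date(2009, 3, 30)):
        print(f"{user:8} {finding:18} {role}")
```

Expired assignments are ignored, so a user whose only authorization role has lapsed is reported the same way as one who never had it.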
8 S-User Authorizations
The S-user is needed to access SAP-internal systems via RFC destinations such as SAP-OSS and
SAP-OSS-LIST-O01 (see section Communication Destinations), and background jobs (see section Background
Jobs). (Authorized) S-users are needed to open the gate and trigger dedicated functions at SAP.
We distinguish between two uses of S-users:
- for RFC destinations: This S-user requires a password and has to be assigned to your customer
  number. For security reasons it should have no authorizations since it could be misused for
  direct logon.
- for dedicated functions (requires authorizations): See the following sections.
End users who communicate with SAP Support Portal via RFC destination SAP-OSS need an SAP
Support Portal contact to SAP Solution Manager. You maintain the contact in table AISUSER
(transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without
the initial S.
More Information
see IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)
Your S-user needs the following authorizations for SAP Support Portal functions.
Features
S-User Authorization for Service Desk and Expert on Demand
Activity | Authorization
Create message | ANLEG: Create SAP message
Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message
Confirm messages | QUITT: Confirm SAP message
Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area
Your S-user needs the following authorizations in the SAP Support Portal, for the Service Connection
function.
Features
S-User Authorization for Service Connection
Activity | Authorization
Open service connections | SVER: Open Service Connection
Set-up/migrate a service connection | SVER: Open Service Connection; INSTPROD: Maintain System Data
SAP notes search | NOTES: Search for notes
Your S-user needs the following authorization in the SAP Support Portal, for the Maintenance Optimizer
function.
Features
S-user Authorization for Maintenance Optimizer
Activity | Authorization
Execute Maintenance Optimizer | SWCATALOG: Order Software in Software Catalog
Your S-user needs the following authorizations for the SAP Support Portal functions.
S-user Authorization Download Data from SAP
Activity | Authorization
Administration | ADMIN
This section gives an overview of topics for service providers, including service provider-specific
authorizations, and work centers for service provider customers.
As a service provider, you need to create specific RFC connections to SAP for your customers.
Prerequisites
You need an S user without specific authorizations.
Features
Service Provider Customer RFC Connections from Solution Manager to SAP
RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use (Scenario) | Remarks
SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific, no authorization needed), see section S-User Authorizations | Service Provider | You automatically create customer RFCs based on RFC SAP-OSS via report
More Information
see IMG activity Setup SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO)
The function Service Desk for Service Provider extends the Service Desk functionality. Roles for
Service Desk and Service Provider are additive, that is, if your Solution Manager system is configured
for the Service Provider, you must grant your end users roles for Service Desk and Service Desk for
Service Provider. See section Roles for Service Desk.
Features
Additional Service Desk Roles for Service Provider and Software Partner
Caution
For Service Provider, you must maintain the Service Desk roles as described in SAP Note 834534, and
add Service Desk roles for Service Provider. Authorization object CRM_TXT_ID needs to be granted,
as well as Service Desk authorization objects.
More Information
- for Service Desk, see IMG activity Information and Configuration Prerequisites for Service Desk (technical name: SOLMAN_SD_INFORMATIO).
- for Service Provider, see IMG activity Information and Configuration Prerequisites for Service Provider (technical name: SOLMAN_SERVICEDESKINFO).
As a service provider, you need a complete view of all data for the specified scenarios, while your
customers should be able to display all data that is necessary for their specific business.
Features
You need the role SAP_SM_SPC.
More Information
see IMG activity Assign Service Provider Authorization (technical name: SOLMAN_SPC_AUTH).
The following work centers are available especially for customers of Service Providers. Functions that
can be executed with these work centers by customers of Service Providers are:
- Service Desk (Incident Management) (technical role name: SAP_SMWORK_INCIDENT_MAN_SPC)
  create and change own messages; open service connections
- Change Management (technical role name: SAP_SMWORK_CHANGE_MAN_SPC)
  process maintenance optimizer transactions
- System Monitoring (technical role name: SAP_SMWORK_SYS_MON_SPC)
  display SAP EarlyWatch Alert reports and Service Level reports
Features
Mapping of Work Center Change Management to Authorization Roles
View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>)
Overview | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*
Note
If your BI client is not the
Solution Manager client, you need
roles SAP_BW_CCMS_REPORTING and
SAP_SM_BI_EXTRACTOR.
The S user of service provider customers needs the following authorizations in the SAP Support Portal.
Features
S-User Authorization for Service Provider Customer
Activity | Authorization
Maintain System Data | INSTPROD
Note
The assigned S-user needs no authorization for the customer-specific RFC connections (RFC default
name: SM_SP_<Customer Number>).
To grant access to Solution Manager work centers via HTTP, an HTTP request from a customer server
must be accepted by the Solution Manager server. Your customer should install a proxy server that is
enabled for cascading. This proxy should cascade requests from the customer to a proxy server on
your side. You route the request directly from your proxy server to the Solution Manager server.
Integration
If you want to restrict customer access to certain services, see SAP Note 1281504 and SAP —
Partner—Specific Configuration in the IMG (transaction SPRO) .
10 Background Processes
Features
Background Jobs for Infrastructure
Background Job/Program, Report | Use | RFC Connection
REFRESH_ADMIN_DATA_FROM_SUPPORT/AI_SC_REFRESH_READ_ONLY_DATA | Periodically reads administrative data from SAP Support Portal (System data synchronization in SMSY) | SAP-OSS
Features
Background Jobs for Implementation
Background Job/Program, Report | Use | RFC Connection
Job name (customer-specific)/RSTIRIDX | Asynchronous indexing and de-indexing for Document Management (manually, see also IMG Cross-scenario Settings Document Management Servers Connect Index Server for Full Text Search |
SM:ACCELERATE DOC USAGE/RDMD_ACCELERATE_DOC_USAGE | Accelerates the where-used list for documents in the Solution (DSWPJOB) |
Features
Background Jobs for Test Management
Background Job/Program, Report | Use | RFC Connection Used
AGS_BPCA_TBOM_OUTDATE_CHECKER | Check TBOM status |
AGS_BPCA_TBOM_REFERENCE_CHECK | Check Business Process Hierarchy (BPH) |
Features
Background Jobs for EarlyWatch Alert, Service Level Reporting, Central System
Administration
Reporting BI
Background Jobs for Reporting
Background Job/Program, Report | Use | RFC Connection
BI_TCO_ACTIVATION | Activate technical BI content, see IMG activity Create BI User in BI System (technical name: SOLMAN_CR_BI_USER) |
Features
Background jobs for Service Desk
Recommendation
Deactivate this job and schedule a
customer-specific variant
( DSWPJOB).
SM:GET CSN COMPONENTS/DSWP_GET_CSN_COMPONENTS | Transfer CSN Components to Solution Manager (DSWPJOB) | SAPOSS
AI_SDK_FILL_FILE_TYPE_TABLE/AI_SDK_FILL_FILE_TYPE_TABLE | Only specified file types can be sent to SAP, for security reasons. All other attachments sent are refused by SAP. The program updates the file type tables AISDK_FILETX and AISDK_FILETY, for SAP to be able to read all the attachments which you send with your message. | SAP-OSS
Features
Background Jobs for Change Request Management
Background Job/Program, Report | Use | RFC Connection
SM:TMWFLOW_CMSSYSCLO/ /TMWFLOW/CMSSYSCOL2 | gets tracking data from systems, asynchronously (DSWPJOB) | READ; TMWFLOW
Background jobs for SAP Engagement and Service Delivery and Issue Management.
Features
Background Jobs for SAP Engagement and Service Delivery
SM:MIGRATE_ISSUE_PROJECT_CONTEXT/RDSWPCI_ISSUE_PROJECT_CONTEXT1 | (DSWPJOB)
Note
Issue Management distinguishes between Top Issues and Issues. Top Issues bundle Issues which
contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues
are addressed to management. Issue data is sent via periodic background jobs (job: SM:TOP ISSUE
TRANSFER) once a week after the initial transfer. Initial transfer is done by dialog. You can avoid
sending data by deleting this job. If no data is sent to SAP, SAP Support cannot provide proactive
support. For information on Top Issue data which is sent, see SAP Note 971138. To see the data of a
Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to save (as an XML file on your desktop) the
information that is sent to SAP. You can then use Internet Explorer to view this XML file. Issue
Management makes use of Web Dynpro applications.
Features
Background Jobs for Root Cause Analysis
Background Job/Program/Report | Use | RFC Connection Used
SM:SOLMAN_DIAG_UPDATE/RSOLDIAG_CHECK_FOR_UPDATE | Checks your Solution Manager and notifies it about the changes made to relevant data and parameters (DSWPJOB). |
E2E_EFWK_WIZARD_BTC | Called during Diagnostics setup. The report schedules the Resource Manager via report E2E_EFWK_CREATE_RESOURCE_MGR. The program name of the Resource Manager is E2E_EFWK_RESOURCE_MGR. Scheduled once per minute |
Features
Background Jobs for Third Party Products
Features
Background Jobs for Service Provider
Background Job/Program, Report | Use | RFC Connection
RPSMSY_MIGRATE_SYSTEM_USAGES | see IMG activity Schedule Background Job for service provider (technical name: SOLMAN_SPC_REPORT) |
This section provides an overview of the trace and log files that contain, for example, security-relevant
information, so that you can reproduce activities if a security breach does occur.
System Landscape:
- Update logs
- RFC logs
- Data save logs
Solution Manager Implementation:
- All tabs can be traced. Each change on a tab is recorded.
- No changes of the assigned object are logged (except documents).
- You can specify which project and tab can be traced.
- Documentation can get different versions when changed.
Solution Manager Operations:
- Traces are available in “Solution Directory”.
- All tabs can be traced. Each change on a tab can be recorded.
- No changes of the assigned object are logged (except documents).
- You can specify which solution is traced.
- Documentation can get different versions when changed.
Customizing Distribution:
- Each distribution is logged.
- Each distributed object is logged.
12 Appendix
12.1 Glossary
The Solution Manager is based on a system in a system landscape. Different terms are used to refer to this,
depending on how the system landscape is viewed. There are two semantic levels:
- overall view of systems and their role in the system landscape, and
- the technical level, referring to the technical attributes of a system, not its purpose in the system
  landscape.
It depends on whether the focus is on a system’s purpose or on its technical properties. There are
several possible perspectives:
- general perspective
  Term: System
- Solution Manager perspective (Solution Manager as the central management platform)
  Terms: Managing System, Managed System
Features
The following table contains definitions of how these terms are used in documentation.
Definitions Infrastructure: System
Term | Definition | Additional Remarks
System | Neutral definition from a general perspective. The name of the system is based on the SAP product definition. It can be defined more closely (see above), for example, managed system, business system and/or technical system. | Used in general documentation, in overviews and so on. Example: In your system landscape you maintain several systems.
Managing System | The central managing system, usually the Solution Manager system, from the Solution Manager perspective. A managing system usually manages other systems, which are called managed systems. | Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Central System (CCMS-related). Example: Your managing system is SAP Solution Manager.
 | | Example: You monitor all business systems on which the business process steps run, regularly.
System Type | The type which the system can be, from a technical perspective: ABAP; Java; ABAP and Java | Used in general Solution Manager system landscape documentation, with reference to the general system architecture. Example: The SAP Solution Manager system is based on system types AS ABAP and AS Java.
System Component | A technical unit of a system which is itself defined by a main instance, depending on the application view (the business purpose), from a technical perspective. | The main instance can be defined in more detail by server, client, software component and so on. It can be installed independently. Example: Please change the data of the main instance for system component Solution Manager Diagnostics.
The life cycle of a product comprises different phases, such as implementation, operation, and
optimization, which are all supported by SAP Solution Manager. In the operational phase, SAP
Solution Manager uses the technical unit Solution to bundle systems according to various criteria:
- related business process steps
- related systems by administration purpose
The term is related to another primary concept, the Logical Component. Technical systems are stored in
logical components, which are then referenced in the solution. The solution is uniquely defined by
its Leading System Role.
Features
The following table contains definitions of how these terms are used in documentation.
Definitions Infrastructure: Solution

Example: See document Solution Concept and Design on SAP Service Marketplace at: http://service.sap.com/solutionmanager → Media Library → Technical Papers.

Term: Logical Component
Definition: A set of technical systems with the same SAP product release and main instance, to be able to use these systems in a system landscape uniformly in various SAP Solution Manager use scenarios, i.e. in implementation, operational processing, and permanent
Additional Remarks: Used in general documentation.
Example: See document Logical Components on SAP Service Marketplace at: http://service.sap.com/solutionmanager

Example: User <XY> wants to check objects in the development systems. The leading
A Reference
Cross-Phase Documentation
SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German.
- Target group:
  - Relevant for all target groups
- Current version:
  - On SAP Help Portal at http://help.sap.com → Additional Information → Glossary (direct access) or Terminology (as terminology CD)
  - In the SAP system in transaction STERM
SAP Library is a collection of documentation for SAP software covering functions and processes.
- Target group:
  - Consultants
  - System administrators
  - Project teams for implementations or upgrades
- Current version:
  - On SAP Help Portal at http://help.sap.com (also available as documentation DVD)
The security guide describes the settings for a medium security level and offers suggestions for
raising security levels. A collective security guide is available for SAP NetWeaver. This document
contains general guidelines and suggestions. SAP applications have a security guide of their own.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/securityguide
Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required
installable units for each business or IT scenario. It provides scenario-specific descriptions of
preparation, execution, and follow-up of an implementation. It also provides references to other
documents, such as installation guides, the technical infrastructure guide and SAP Notes.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
The installation guide describes the technical implementation of an installable unit, taking
into account the combinations of operating systems and databases. It does not describe any
business-related configuration.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business and IT scenarios. It contains
Customizing activities, transactions, and so on, as well as documentation.
- Target group:
  - Technology consultants
  - Solution consultants
  - Project teams for implementations
- Current version:
  - In SAP Solution Manager
The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system.
The Customizing activities and their documentation are structured from a functional perspective.
(In order to configure a whole system landscape from a process-oriented perspective, SAP Solution
Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
- Target group:
  - Solution consultants
  - Project teams for implementations or upgrades
- Current version:
  - In the SAP menu of the SAP system under Tools → Customizing → IMG
Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and
documentation that are needed to carry out various tasks, such as monitoring, backup/restore,
master data maintenance, transports, and tests.
- Target group:
  - System administrators
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
The solution operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation
that are needed to carry out the various operations-related tasks.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of an
SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an
upgrade. It also refers to other documents, such as the upgrade guides and SAP Notes.
- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
The upgrade guide describes the technical upgrade of an installable unit, taking into account
the combinations of operating systems and databases. It does not describe any business-related
configuration.
- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
Release notes are documents that contain short descriptions of new features in a particular release
or changes to existing features since the previous release. Release notes about ABAP developments
are the technical prerequisite for generating delta and upgrade Customizing in the Implementation
Guide (IMG).
- Target group:
  - Consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/releasenotes
  - In the SAP menu of the SAP system under Help → Release Notes (only ABAP developments)
Example             Description
<Example>           Angle brackets indicate that you replace these words or characters with appropriate
                    entries to make entries in the system, for example, “Enter your <User Name>”.
Example → Example   Arrows separating the parts of a navigation path, for example, menu options
Example             Emphasized words or expressions
Example             Words or characters that you enter in the system exactly as they appear in the
                    documentation
http://www.sap.com  Textual cross-references to an internet address
/example            Quicklinks added to the internet address of a homepage to enable quick access to
                    specific content on the Web
123456              Hyperlink to an SAP Note, for example, SAP Note 123456
Example             - Words or characters quoted from the screen. These include field labels, screen titles,
                      pushbutton labels, menu names, and menu options.
                    - Cross-references to other documentation or published works
Example             - Output on the screen following a user action, for example, messages
                    - Source code or syntax quoted directly from a program
                    - File and directory names and their paths, names of variables and parameters, and
                      names of installation, upgrade, and database tools
EXAMPLE             Technical names of system objects. These include report names, program names,
                    transaction codes, database table names, and key concepts of a programming language
                    when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE             Keys on the keyboard