EhP1 (SP19)

Security Guide

Target Audience
- System administrators
- Technology consultants
- Application consultants

PUBLIC
Document version: 1.1 ‒ 03/30/2009
Document History

Caution
Before you start the implementation and configuration of SAP Solution Manager, make sure you
have the latest version of this document. You can find the latest version at the following location:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.

The following table provides an overview of the most important document changes.

Support Package (Version): SP15
Date: 06.02.2008
Description:
- New roles for solution authorization. Authorization object D_SOL_VSBL is now included in the
  roles for solutions SAP_SM_SOLUTION_*. The authorization object is inactive in all other roles.
  See section: Roles in Solution Manager. It needs to be granted in addition to the role for the
  functionality, for instance Maintenance Optimizer.
- New roles for:
  - Job Scheduling
  - Issue Management
  - Maintenance Optimizer (additional)
  See section: Roles and Authorizations
- New roles for work center navigation. See section Work Center Navigation Roles and the example
  it contains
- Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See section: Communication
  Destinations.

Support Package (Version): SP16
Description:
- New roles for Solution Documentation Assistant. See sections: Roles and Authorization and
  section Work Center Navigation Roles
- New roles for Third Party Product: BMC AppSight for SAP Client Diagnostics. See section: Roles
  and Authorizations

Support Package (Version): SP17
Description:
- Values for authorization object S_RFC in role SAP_SOLMANDIAG_E2E extended

2/172 PUBLIC 03/30/2009


Support Package (Version): EhP1 (1.0)
Date: 15.12.2008
Description:
Changes in sections
- navigation in all work centers, see according sections on work center navigation roles.
- menu entries for composite role SAP_SMWORK_ADMINISTRATOR_COMP deleted due to restrictions in
  SAP NetWeaver Business Client (NWBC), see section How to Create Composite Roles
- role extensions for Job Scheduling Management, see section Roles for Job Scheduling Management
- role extension for SAP_SERVICE_CONNECT for SAProuter Update, see section Roles for
  Infrastructure
- role extensions for Business Process Operation, authorization objects: SM_BPM_AUT and
  SM_CNT_UPD, see section Roles for Business Process Operation and Roles for SAP Engagement and
  Service Delivery
- new profile S_SD_CREATE for RFC connection BACK for message creation, see section RFC
  Connections
- new profile S_SM_EXECUTE for RFC connection TMW for Solution Documentation Assistant, see
  section RFC Connections

  Note
  The authorization profile S_SM_EXECUTE allows batch processing in the managing system for
  managed systems. You can use this profile also solely for this purpose. In this case, you have
  to assign the profile to the according technical user, manually.

- new RFC user naming convention, see sections on technical users
- new roles in Quality Gate Management SAP_SM_QGM_*, see section Roles for Change Request
  Management
- new roles for Business Process Change Analysis (BPCA) in Work Center: Test Management, see
  sections Roles for Test Management and Work Center Test Management
- new role for BI Reporting in Test Management SAP_BI_TWB
- new role SAP_QC_WSDL_ACCESS for technical user QCALIAS, see sections Roles for Third Party
  Integration, and in technical users
- new role SAP_SUPPCF_DISP for Service Provider display authorization, see section Roles for
  Service Desk for Service Provider
New general How to sections on
- how to find documentation on individual authorization objects
- how to create work center composite roles
New sections due to new developments
- new roles for configuration, see section Roles for Configuration
- new roles for Master Data Management (MDM) Administration Cockpit in the System Administration
  work center, see section Roles for Master Data Management
- new roles in Downtime Management SAP_SM_DTM_*, see section Roles in Downtime Management
- new roles for Root Cause Analysis, see sections SAPSUPPORT User, Roles for Root Cause Analysis,
  Roles for Configuration
- SAP Support user SAPSUPPORT, see section SAPSUPPORT User
- for automatically created business partners for SAP Engagement and Service Delivery, see
  section Business Partners Created During Configuration
- new work center navigation roles for Service Provider SAP_SMWORK_SYS_MON_SPC,
  SAP_SMWORK_CHANGE_MAN_SPC, SAP_SMWORK_INCIDENT_MAN_SPC, see Work Center for Service Provider
  Customers
- new authorization role for Service Provider SAP_SM_SPC, see section Service Provider-Specific
  Authorization
- new work center navigation role MYHOME, see section MYHOME
- special users and authorizations for CTC configuration tasks, see sections on technical users
  and Roles for Business Connectivity Configuration
- new work center composite role SAP_SMWORK_JOB_MAN_COMP, see section How to Create Work Center
  Composite Roles
- new roles for Custom Development Management Cockpit (CDMC) roles, see section Roles for Custom
  Development Management Cockpit (CDMC)
- new role for technical framework BI extractor SAP_SM_BI_EXTRACTOR, see section Roles for
  BI-related Reporting
- SAP NetWeaver Business Client (NWBC) where appropriate

Support Package (Version): SP19
Description:
Extensions in sections
- Roles for Implementation and Upgrade
  Due to Help Center functionality: SAP_SOL_KW_ALL extended for administration
- RFC Connections
  New profile S_KWHELP for BACK destination
- Authorization object S_RFC
  Function groups for profile S_KWHELP
- Technical Users in SAP Solution Manager System
  New profile S_KWHELP for back destination
- Business Process Operations
  Authorization object SM_BPM_AUT: per default Data Volume Management (DVM) is deselected
- S-User Authorization for Data Download from SAP
  Additional authorization LICKEY for request of license key required
- How to Create Work Center Composite Roles
  The concept of composite roles does not work, if existing single roles of the composite roles
  are extended by customers.
- User Management Tools, How to Assign Roles to Users, and Work Center Roles Concept
  see SAP Note 1272331 for more information on User Comparison.
Changes regarding authorization objects in roles delivered before SP19
For changes in authorization objects in roles that are already delivered, see SAP Note 834534 and
SAP Note 831535.
- SAP_SOLMANDIAG_E2E and according profile S_SMDIAG_E2E, see section Technical Users in Solution
  Manager
- SAP_SM_BASIC_SETTINGS, see section Roles for Configuration
- SAP_SUPPDESK_ADMIN, see section Roles for Service Desk
- SAP_SM_BATCH, see section Roles for Configuration
- profiles S_CSMREG and S_AI_SMD_E2E, see section Authorization object S_RFC and SAP Note 1296428.
- SAP_SOL_KW_ALL, see section Roles for Implementation and Upgrade
New chapters
- Secure Storage


Table of Contents

Chapter 1 Security Guide

Chapter 2 Getting Started
2.1 Target Group of This Guide
2.2 SAP Solution Manager Scenarios and Functions
2.3 Integration of Functions
2.4 Links for Additional Components on Service Marketplace
2.5 Using SAP Solution Manager as Service Provider
2.6 How to Use This Guide

Chapter 3 System Landscape
3.1 Technical System Landscape

Chapter 4 Network and Communication Security
4.1 Network Topology
4.2 Communication Channels
4.3 Communication Destinations
4.4 Internet Communication Framework
4.5 Secure Socket Layer (SSL) for HTTP Connections
4.6 HTTP Connect Service for SAP Support
4.7 File Transfer Protocol (FTP)
4.8 Required TCP/IP Ports

Chapter 5 User Administration and Authentication
5.1 User Management Tools
5.2 Secure Storage
5.3 Technical/Dialog Users Created/Used in Solution Manager System Configuration
5.4 Technical/Dialog Users Created/Used During Configuration in the Managed Systems
5.5 User SAPSUPPORT
5.6 Business Partners Created During Configuration
5.7 How to Create Users and Business Partners for End Users
5.8 Integration into Single Sign-On Environments (SSO)

Chapter 6 Authorizations
6.1 Authorization Concept
6.2 RFC Connections to/from Managed Systems and Critical Authorization Objects
6.2.1 Trusted RFC Connections
6.2.2 Authorization Object S_RFCACL
6.2.3 RFC Connections TRUSTED, READ, TMW, BACK
6.2.4 Authorization Object S_RFC
6.3 Roles for Solution Manager Configuration
6.3.1 Roles for Basic Configuration of Solution Manager
6.3.2 Roles for Basic Configuration in Managed Systems
6.3.3 How to Create Roles for Scenario-Specific Configuration in Solution Manager
6.4 Authorization Roles and Profiles for End Users
6.4.1 Roles for Infrastructure
6.4.2 Roles for Implementation and Upgrade
6.4.3 Roles for Custom Development Management Cockpit
6.4.4 Roles for Test Management
6.4.5 Roles for System Monitoring and System Administration
6.4.6 Roles for Downtime Management
6.4.7 Roles for Master Data Management
6.4.8 Roles for Database Administration Cockpit
6.4.9 Roles for Job Scheduling Management
6.4.10 Roles for Business Process Operations
6.4.11 Roles for SAP Engagement and Service Delivery
6.4.12 Roles for Issue Management
6.4.13 Roles for Service Desk
6.4.14 Roles for Change Control (Maintenance Optimizer)
6.4.15 Roles for Change Request Management
6.4.16 Roles for Root Cause Analysis
6.4.17 Roles for BI-Related Reporting
6.4.18 Role for TREX Administration
6.4.19 Roles for Third Party Integration
6.5 Roles for Configuration of Business System Connections
6.6 “How To” Guides
6.6.1 How to Update Authorizations after Support Package Upgrade
6.6.2 How to Create End User Roles
6.6.3 How to Assign Roles to Users

Chapter 7 Work Center Navigation Roles
7.1 Work Center Roles Concept
7.2 Basic Authorizations for Work Centers
7.3 My Home
7.4 Implementation and Upgrade Work Center
7.5 Test Management Work Center
7.6 Job Management Work Center
7.7 Incident Management Work Center
7.8 Change Management Work Center
7.9 Business Process Operations Work Center
7.10 SAP Engagement and Service Delivery Work Center
7.11 System Administration Work Center
7.12 System Monitoring Work Center
7.13 System Landscape Management Work Center
7.14 Root Cause Analysis Work Center
7.15 Solution Documentation Assistant Work Center
7.16 Solution Manager Administration Work Center
7.17 How to Create Work Center Composite Roles

Chapter 8 S-User Authorizations
8.1 S-User Concept
8.2 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)
8.3 S-User Authorization for Service Desk and Expert on Demand
8.4 S-User Authorization for Service Connection
8.5 S-User Authorization for Maintenance Optimizer
8.6 S-User Authorization for Data Download from SAP

Chapter 9 Service Provider and Service Provider Customer Specification
9.1 Service Provider Customer RFC Connections
9.2 Roles for Service Desk for Service Provider
9.3 Service Provider-Specific Authorization
9.4 Work Center for Service Provider Customers
9.5 S-User Authorization for Service Provider Customers
9.6 Work Center Access for Customers

Chapter 10 Background Processes
10.1 Background Jobs for Infrastructure
10.2 Background Jobs for Implementation
10.3 Background Jobs for Test Management
10.4 Background Jobs for Monitoring
10.5 Background Jobs for BI Reporting
10.6 Background Jobs for Service Desk
10.7 Background Jobs for Change Request Management
10.8 Background Jobs for SAP Engagement and Service Delivery and Issue Management
10.9 Background Jobs for Root Cause Analysis
10.10 Background Jobs for Third Party Products
10.11 Background Jobs for Service Provider

Chapter 11 Traces and Logs
11.1 Traces and Logs

Chapter 12 Appendix
12.1 Glossary
12.1.1 Terminology: System Landscape and Related Terms
12.1.2 Terminology: Solution and Related Terms

Chapter A Reference
A.1 The Main SAP Documentation Types

1 Security Guide

Caution
The following note applies ONLY to SAP customers in Germany and Austria.
The extent of the usage of the software package "SAP Enhancement Package 1 for SAP Solution
Manager 7.0" depends upon the type of maintenance contract you have signed. If you have a signed
contract for:
- SAP Enterprise Support
- Product Support for Large Enterprises
- SAP Premium Support
- SAP MaxAttention
you are authorized to use all functions in the software package, without any restrictions.
If you have signed exclusively standard support contracts, you are allowed to install this software
package, but you are only allowed to use restricted functionality. You are not allowed to use the
following Enterprise Edition functions:
- Business Process Change Analyzer
- Quality Gate Management
- Custom Development Management Cockpit

This Security Guide is updated in the SAP Service Marketplace at
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release> for
each new support package and SAP Enhancement Package (EhP). For information due to corrections
between support packages, see SAP Note 129482.

Integration
Security topics are relevant for the following phases:
- Installation and Upgrade
- Configuration
- Operation

Recommendation
Use this guide during all phases. For a detailed overview of which documentation is relevant for each
phase, see also SAP Note 1088980. Refer to the documents described in this note.

Constraints
This document is not part of the installation guide, sizing guide or upgrade guide for Solution Manager.
These guides are only relevant for a certain phase of the software life cycle, whereas the security
guide provides information that is relevant for all life cycle phases. All support packages based on
SAP Enhancement Package 1 (EhP1) for SAP Solution Manager are based on CRM 5.0 and SAP
Enhancement Package 1 for SAP NetWeaver 7.0, so the security guides for these products also apply
to SAP Solution Manager.

Caution
Up to SAP Solution Manager Support Package 17, SAP Solution Manager is based on CRM 5.0 and
SAP NetWeaver 7.0. Use the security guides for these products if you use SAP Solution Manager SP17.

More Information
For a complete list of the available SAP Security Guides, see the SAP Service Marketplace:
http://service.sap.com/securityguides

2 Getting Started

This guide does not replace the daily operations handbook that we recommend customers
create for their productive operations. With the increasing use of distributed systems and the
Internet for managing business data, the demands on security are also on the rise. When using a
distributed system, you need to be sure that your data and processes support your business needs
without allowing unauthorized access to critical information. User errors, negligence, or attempted
manipulation of your system should not result in loss of information or processing time. These
security requirements also apply to SAP Solution Manager. This guide helps you to secure your
system landscape. It covers the following SAP Solution Manager functions:
- Getting Started with information on the integrated functions/modularity concept, and a step
  by step procedure to use this guide.
- Network and Communication Security with overviews of communication channels and
  destinations in your system landscape, and information on the ICF Framework.
- User Administration and Authentication with overviews of users and business partners, and
  information on Single Sign-On.
- Authorizations with a detailed description of critical authorizations for the most relevant RFC
  connections in your system landscape, and overviews of roles for functions and scenarios.
- Work Center Navigation with mappings of the work center views onto authorization roles.
- S-User Authorizations with information on S-users, and their authorization.
- Service Provider and Service Provider Customer Specification with information on Service
  Provider-specific authorizations and security topics.
- Background Processes with overviews of background jobs per function.
- Traces and Logs with information on traces and log possibilities.

2.1 Target Group of This Guide

The target groups of this guide are readers who are already familiar with SAP Solution Manager and
configuration procedures in an implementation and/or upgrade project, that is technical consultants,
system administrators and/or application consultants.
- technology consultants: working with technical processes supported by SAP software during
  implementation, when deciding which settings to make
- system administrators: optimizing the system during and after implementation
- application consultants: mapping a company’s actual business processes to the processes and
  functions supported by SAP software during implementation, and when deciding which settings
  to make

2.2 SAP Solution Manager Scenarios and Functions

SAP Solution Manager is a tool which supports the entire product life-cycle of your business processes
and systems, within a system/platform. The product life-cycle can be regarded as a set of scenarios. A
scenario is a group of business process-related functions which support the sequential and logical
relationships of processes within the life-cycle of the product. We differentiate between scenarios
(for instance: Implementation/Upgrade of SAP Solutions or Service Desk), processes relating to these scenarios
(for instance: Roadmap) and functions that can be used in one or more scenarios (for example,
the function Document Management can be used in the scenario Implementation and/or the scenario Test
Management). The configuration of SAP Solution Manager uses this scenario-related approach.

Note
Usage data about the functions and scenarios used by the customer is sent to SAP. See: SAP Note
939897 (How to prevent this transfer).

More Information
If you have insifcient understanding of SAP Solution Manager and its applica-
tions, see the master guide for SAP Solution Manager in the Service Marketplace
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>
and the according application help on the Help Portal http://help.sap.com/solutionmanager .

2.3 Integration of Functions

The life cycle of a product comprises various phases, such as implementation, operation, upgrade,
and so on. Tools can be used to realize a process within these phases. The tools integrate strongly
with each other to support seamless document and information flow over the whole life cycle. The
work center approach demonstrates this integration. To realize this integrated approach and at
the same time allow you the freedom to build and configure according to your company’s needs,
configuration and SAP template roles are function-related. Configuration and authorizations for
integrated functions are based on a modular approach.

Example
All delivered template roles for end users contain only authorizations that are relevant for the
function they describe. Therefore, roles of different functions can be assigned to one user. You
must know which functions you want to use.

Before you can work with a scenario/function in the Solution Manager systems, you need to make all
relevant systems, databases, and servers known, and maintain primary units such as solutions and
logical components, and your business processes. This guide refers to all these as infrastructure. The
appendix of this guide contains a detailed definition of these terms. Infrastructure comprises all
entities that are the basis for scenarios.

Example
Roles are structured according to functions in scenarios and infrastructure. Roles for infrastructure
include roles for systems, roles for solutions, roles for Service Data Control Center, and so on.

Prerequisites
For a detailed description of scenarios and functions, see the master guide for SAP Solution Manager at
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.

2.4 Links for Additional Components on Service Marketplace

Your Solution Manager system is the platform for administrative tasks in implementing, operating
and upgrading systems in your system landscape. It relies heavily on mandatory and optional
components implemented in addition to SAP Solution Manager. The following table gives you
an overview of these additional components.

Recommendation
To ensure a smooth integration of these components, familiarize yourself with their installation,
configuration, and operation.

Features
Additional Components

Component: System Landscape Directory (SLD)
Where in the Service Marketplace?: http://service.sap.com/sld or http://sdn.sap.com SAP NetWeaver
Capabilities Lifecycle Management Application Management System Landscape Directory
IMG Activities and Other Information Sources: Information and Configuration Prerequisites SLD
(technical name: SOLMAN_SLD_INFORMATI)

Component: Software Life-Cycle Manager (SLM)
Where in the Service Marketplace?: http://service.sap.com/slm and http://help.sap.com/nw70
Functional View Solution Life Cycle Management Software Life Cycle Management
IMG Activities and Other Information Sources: Information and Configuration Prerequisites Change
Control scenario (technical name: SOLMAN_MOPZ_SLM_INFO)

Component: Adobe Document Services (ADS)
Where in the Service Marketplace?: http://service.sap.com/adobe
IMG Activities and Other Information Sources: Information and Configuration Prerequisites ADS
setup (technical name: SOLMAN_ADS_INFO)

Component: Business Intelligence (BI)
Where in the Service Marketplace?: http://service.sap.com/bi
IMG Activities and Other Information Sources: Information and Configuration Prerequisites BI
(technical name: SOLMAN_BI_CLIENT_INF)

Component: SAP Quality Center by HP
Where in the Service Marketplace?: http://service.sap.com/solutionmanager SAP Quality Center by HP
IMG Activities and Other Information Sources: Information and Configuration Prerequisites Third
Party (technical name: SOLMAN_THIRDPARTY_IN)

Component: SAP Redwood Job Scheduling
Where in the Service Marketplace?: service.sap.com/job-scheduling
IMG Activities and Other Information Sources: Information and Configuration Prerequisites Third
Party (technical name: SOLMAN_THIRDPARTY_IN)

Component: One Transport Order
Where in the Service Marketplace?: service.sap.com/solutionmanager Media Library Technical Papers

Component: TREX
Where in the Service Marketplace?: http://help.sap.com/nw2004s
IMG Activities and Other Information Sources: Information and Configuration Prerequisites TREX
(technical name: SOLMAN_TREX_INFO)

Component: SAP TAO
Where in the Service Marketplace?: http://service.sap.com/saptao

Component: Master Data Management (MDM) - MDM Administration Cockpit
Where in the Service Marketplace?: http://service.sap.com/mdm and http://service.sap.com/installmdm
IMG Activities and Other Information Sources: Used in System Administration Work Center

Component: SAP NetWeaver Administrator
Where in the Service Marketplace?: http://service.sap.com/nwa
IMG Activities and Other Information Sources: Used in System Administration Work Center

Component: Adaptive Controlling (ACC)
Where in the Service Marketplace?:
- for general information: http://sdn.sap.com/irj/sdn/adaptive
- for application help, such as starting and stopping an application service: http://help.sap.com
- for installation information: http://service.sap.com/instguides
IMG Activities and Other Information Sources: Used in System Administration and System Landscape
Management Work Centers

Component: Wily Introscope
Where in the Service Marketplace?: http://bis.wdf.sap.corp:1080/twiki/bin/view/Main/IntroScope
IMG Activities and Other Information Sources: Used in Root Cause Analysis and System Monitoring
Work Center

More Information
For a comprehensive overview and to find out which additional components are relevant
for the configuration of your scenarios, see the master guide for SAP Solution Manager at
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.

2.5 Using SAP Solution Manager as Service Provider

As a Service Provider, you provide services to your customers using Solution Manager. See the
section Service Provider and Service Provider Customer Specification. For more information on Service Provider
scenarios and definition, see the master guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.

2.6 How to Use This Guide

This section tells you how to use this guide most efficiently.
For completeness, the guide includes overviews of topics, such as technical users, or RFC
connections. These overviews are bundled according to functions and modularity, as described in
section Integration of Functions. For example, the RFC connections overview allows you to either see all
RFC connections relevant for Solution Manager and its managed systems, or check certain types of
connections, such as all connections from SAP Solution Manager to SAP, or local connections. Or if
you are, for instance, interested in all users for Root Cause Analysis, you can see just the Root Cause
Analysis subsection in the technical users overview.

Each section contains, if possible, How to sections for critical procedures. For instance, if you read
the users for Service Desk section, you are referred to the document about how to create users and
business partners. Or, if you are informing yourself about roles for Service Desk, you are referred to
the section on how to create roles, assign them to users and maintain them.
As security topics are closely connected to configuration tasks, we refer to related sections of the
SAP Implementation Reference Guide (IMG) in transaction SPRO, if appropriate.
How you use this guide depends largely on your individual needs. If you are interested in one
function and all related security topics, you would look into each section and especially for your
topic. For instance, if you are interested in System Monitoring using a work center in SAP NetWeaver
Business Client, see the sections on technical users for System Monitoring, roles for System
Monitoring and System Monitoring work center, where you find the overviews of what you need
for System Monitoring. To integrate this information into your configuration procedure, use the
SAP Reference IMG.
The following step by step procedure gives you an outline of how to secure your network,
according to your system landscape settings, and create roles according to your company’s security
requirements.

Procedure

| Step | Description | Remarks |
|---|---|---|
| 1 | Define your system landscape | see master guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> |
| 2 | Define the scenarios and functions you use | see master guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> |
| 3 | Define which additional components are needed | see master guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> |
| 4 | Get to know the concept of integration of functions | see this guide section Integration of Function |
| 5 | Create configuration user in Solution Manager system and managed systems | see this section How to Create/Delete Users Created/Used During Configuration in the Managed Systems: in automatic basic settings configuration, the configuration user must only be created in the managed system (for instance SOLMAN_ADMIN) |
| 6 | Assign authorizations to the configuration user in the managed system | see the section Roles for Basic Configuration in Managed Systems |
| 7 | Configure basic settings using roles for basic settings configuration | see configuration guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> (section Basic Settings) and section Roles for Basic Configuration in Solution Manager. Note: Involves creation of technical users and so on. |
| 8 | Check your network and communication security | see section Network and Communication Security |
| 9 | Recommendation: Create an IMG project for the functions and scenarios you want to configure | see configuration guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> section Scenario-Specific and/or Service Provider-Specific Settings |
| 10 | Recommendation: Create roles for scenario-specific functions | see configuration guide for Solution Manager. http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> section Scenario-Specific and/or Service Provider-Specific Settings and section How to Create Roles for Scenario-Specific Configuration in Solution Manager |
| 11 | Configure scenario-specific functions for your scenarios | use IMG project. Note: Without an IMG project, use transaction SPRO. |
| 12 | Assign work center navigation roles (including work center authorization role SAP_SMWORK_BASIC) to your end users | see section Work Center Navigation |
| 13 | Develop your own authorization concept | see section Authorization Concept |
| 14 | Develop your own authorization roles per function on basis of SAP-delivered template roles | see section Authorization Roles and Profiles for End Users |
| 15 | Assign authorization roles to your users using the mapping tables for work center navigation roles, and authorization roles to your end users | see section Work Center Navigation |


Example
System Monitoring (including KPI Reporting and IT Performance Reporting) using the work center
approach on SAP NetWeaver Business Client.

Caution
This example is a suggestion of how to configure this scenario from a security-relevant perspective.
The same example, from a configuration-relevant perspective, is used in the configuration guide.

| Step | Description | Remarks |
|---|---|---|
| 1 | Define your system landscape | two productive managed systems, SLD, BI client is Solution Manager client |
| 2 | Define which scenarios and functions you use | System Monitoring and Reporting; Service Desk for message creation |
| 3 | Define which additional components are needed | System Landscape Directory, see section Links to Additional Components in the Service Marketplace |
| 4 | Get to know the concept of integration of functions | System Monitoring (sessions); KPI Reporting and IT Performance Reporting (BI); work center for System Monitoring; Service Desk message creation; SAP NetWeaver Business Client |
| 5 | Create configuration user in Solution Manager system and managed systems | Create configuration user (for instance: SOLMAN_ADMIN) in managed systems |
| 6 | Assign authorizations to the configuration user in the managed system | Assign roles to configuration user: for authorization object S_RFCACL; SAP_SDCCN_ALL |
| 7 | Configure basic settings using roles for basic settings configuration | Use of automatic basic settings configuration via SOLMAN_SETUP (role for configuration user SOLMAN_ADMIN is generated automatically). Includes the setup of Solution Manager and of both managed systems |
| 8 | Check your network and communication security | check RFC connections from Solution Manager to managed systems, RFC connection from managed system to Solution Manager, RFC connections from Solution Manager to SAP, and so on; check SSL settings |
| 9 | Create an IMG project for the functions and scenarios you want to configure | Create an IMG project for IMG node System Monitoring and Service Desk in transaction SPRO_ADMIN |
| 10 | Create roles for scenario-specific functions | Create role for IMG project (or use profile SAP_ALL), and assign it to your configuration user. Note: For cross-scenario configuration, see the IMG activity for additional roles such as: SAP_SM_BI_EXTRACTOR, SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP |
| 11 | Configure scenario-specific functions for your scenarios | see created IMG project |
| 12 | Assign work center navigation roles, including work center authorization role (SAP_SMWORK_BASIC), to your end users | Assign roles as described: SAP_SMWORK_SYS_MON; SAP_SMWORK_BASIC |
| 13 | Develop your own authorization concept | customer-specific |
| 14 | Develop your own authorization roles per function on basis of SAP-delivered template roles | assign copies of roles (for System Monitoring and Service Desk) to your end users, according to your customer concept: SAP_SMSY_*; SAP_SM_SOLUTION_*; SAP_OP_DSWP_SM; SAP_SETUP_DSWP_SM; SAP_SM_BI_EXTRACTOR; SAP_BW_CCMS_REPORTING; SAP_SUPPDESK_CREATE |
| 15 | Assign authorization roles to your users using the mapping tables for work center navigation roles and authorization roles, to your end users | |


3 System Landscape

3.1 Technical System Landscape

SAP Solution Manager is based on AS ABAP and AS Java. To use SAP Solution Manager you need
SAP GUI, Web Browser or SAP NetWeaver Business Client (NWBC) (for work center functionality).
Communication with other systems is via RFC technology and Web Services.

More Information
For a detailed view of the overall system architecture of SAP Solution Manager, see master guide for
SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP
Components SAP Solution Manager <current release>.


4 Network and Communication Security

This section gives an overview of the communications concept for SAP Solution Manager, including
sections on topics related to HTTP connections and RFC connections.

4.1 Network Topology

Your network infrastructure must protect your system. It needs to support the communication
necessary for your business and your needs, without allowing unauthorized access. A well-defined
network topology can eliminate many security threats based on software flaws (at both the operating
system and application level) or network attacks such as eavesdropping. If users cannot log on to
your application or database servers at the operating system or database layer, then there is no way
for intruders to compromise the machines and gain access to the backend system’s database or files.
Additionally, if users are able to connect to the server LAN (local area network), they can exploit
well-known bugs and security holes in network services on the server machines. The network
topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform.

Recommendation
The security guidelines and recommendations described in the SAP NetWeaver Security Guide
also apply to the Solution Manager.

4.2 Communication Channels

The table below shows the communication channels used by SAP Solution Manager, the protocol
used for the connection, and the type of data transferred.

Features
Communication Channels

| Communication Channel | Protocol | Type of Data Transferred / Function |
|---|---|---|
| Solution Manager to OSS | RFC | Exchange of problem messages, retrieval of services |
| Solution Manager to managed systems and back | RFC | for more information, see section RFC Connections |
| Solution Manager to managed systems within customer network | FTP | Update route permission table, content: IP addresses, see section File Transfer Protocol (FTP) |
| Solution Manager to SAP Service Marketplace | HTTP(S) | Search for notes |
| Solution Manager Service Desk to/from Third Party Service Desks | SOAP over HTTP(S) | Problem messages |
| Solution Manager to/from Quality Center by HP | SOAP over HTTP(S) | Test requirements (send and receive data); Defect Management |
| SAP CPS | SOAP over HTTP(S) | Job Scheduling Management |
| SAP Productivity Pak by RWD | SOAP over HTTP(S) | Document Management |
| BMC AppSight for SAP Client Diagnostics | SOAP over HTTP(S) | |

4.3 Communication Destinations

The table below shows an overview of the main communication destinations used by SAP Solution
Manager (including its managed systems and SAP Support Portal).

Features
RFC Connections from SAP Solution Manager to Managed Systems
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_LOGIN (ABAP connection) | Managed System | Customer-specific | Customer-specific | | System Monitoring, and Implementation and Distribution | Transactions SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_READ (ABAP connection) | Managed System | System-specific | System-specific | Default user: SM_<SID of Solution Manager system> (automatically generated, can be defined by customer via transaction SMSY) | For read access for functions such as: System Monitoring, Business Process Operations, Implementation and Distribution, Service Desk (Business Partners: see IMG activity: Create Key Users SOLMAN_SUP_BUSPART) | Transaction SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_TRUSTED (ABAP connection) | Managed System | System-specific | System-specific | | System Monitoring and Implementation and Distribution | Log on through a trusted connection; transaction SMSY or SOLMAN_SETUP |
| SM_<SID>CLNT<Client>_TMW (ABAP connection) | Managed System | System-specific | System-specific | Default user: SMTW<SID of Solution Manager system> (automatically generated, can be defined by customer via transaction SMSY) | Creating, releasing transport requests | Transaction SMSY or SOLMAN_SETUP |
| BI, if BI is Managed system <SID>CLNT<Client> | Managed System | System-specific | System-specific | For instance ALEREMOTE (customer-specific) | BI-relevant scenarios: Root Cause Analysis; System Monitoring (IT Performance Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY) |
| BI, if BI is Managed system <SID>CLNT<Client>DIALOG | Managed System | System-specific | System-specific | Administrator of managed system (customer-specific) | BI-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY) |
| <SID>_RZ20_<ANALYZE | Managed System | System-specific | System-specific | | Central Monitoring (CEN): System Monitoring; Business Process Operations | Automatically created in transaction RZ21 for Remote System Connection |
| <SID>_RZ20_COLLECT | Managed System | System-specific | System-specific | CSMREG, see section on technical users | Central Monitoring (CEN): System Monitoring; Business Process Operations | Automatically created in transaction RZ21 for Remote System Connection |

RFC Connection from Managed System to SAP Solution Manager


| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | How Created |
|---|---|---|---|---|---|---|
| SM_<SID>CLNT<Client>_BACK (ABAP connection) | Solution Manager System | Customer-specific | Customer-specific | Default user: SMB_<SID of managed system> (automatically generated, can be defined by customer via transaction SMSY) | Send Service Desk messages, send session data, check locked customizing objects; Service Desk, System Monitoring (EarlyWatch Alert), and Implementation and Distribution | Transaction SMSY or SOLMAN_SETUP |

Note
The System Monitoring scenario provides support for functions such as Service Level Reporting,
EarlyWatch Alert, and System Monitoring. For instance, EarlyWatch Alert contains data on system
health. The data is collected automatically in the managed system, sent via RFC to the Solution
Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a
service (EarlyWatch Alert and so on) from a managed system into a Solution Manager system, but
your managed system has no RFC connection to the Solution Manager system, see SAP Note 657306.

RFC Connections from SAP Solution Manager to SAP


| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| SAPOSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Notes Assistant | Maintain technical settings in transaction OSS1 |
| SAP-OSS (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Exchange problem messages with SAP (function: Service Desk), synchronize system data with Support Portal and send data about managed systems; transfer of solution, issue data; transfer feedback to SAP (function: Delivery of SAP Services), Service Connection, product data download | Transaction SOLUTION_MANAGER; menu path: Edit Global Settings |
| SAP-OSS-LIST-O01 (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Retrieve information about which messages have been changed at SAP (function: Service Desk) | Created in transaction SM59 |
| SDCC_OSS (ABAP connection) | See SAP Note 763561 | | | | Used by the Service Data Control Center to communicate with the SAP Support Portal frontend system; update Service Definitions (functions: System Monitoring for EWA and Service Plan) | User is a copy of the SAPOSS connection to SDCC_OSS; user SDCC_NEW with default password: download. Note: If SDCCN is used locally, that is Solution Manager is not Master System, SDCC_OSS is created automatically in the managed system; |
| SAPNET_RFC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | | Send EarlyWatch Alerts (functions: System Monitoring for EWA and Service Plan) | A copy of the SAPOSS connection to SAPNET_RFC |
| SAPNET_RTCC (ABAP connection) | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | OSS_RFC (CPIC) | Service Preparation Check (RTCCTOOL), (function in SAP Engagement and Service Delivery) | Created automatically by RTCCTOOL, copy of SAPOSS |
| SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific) | Service Provider functionality | Automatically created, see IMG activity Set Up SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO) |

Local Connections
| Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use | Remarks |
|---|---|---|---|---|---|---|
| BI, if BI client is the productive Solution Manager client <SID>CLNT<Client> | | | | For instance ALEREMOTE (customer-specific) | BI-relevant functions: Root Cause Analysis; System Monitoring (IT Performance Reporting, KPI Reporting), (Integration) Test Management | See IMG activity Connect Source System (technical name: SOLMAN_SET_SOURCE_SY) |
| WEBADMIN Jco | | | | SMD_RFC | Root Cause Analysis | Role SAP_SOLMANDIAG_E2E (profile: S_SMDIAG_E2E) automatically assigned to user during configuration |
| BPM_LOCAL_<Client> | | | | SM_BPMO (customer-specific) | Business Process Operations | RFC is created during Business Process Operations setup session, see IMG activity Create Local RFC Destination and User (technical name: SOLMAN_BPM_RFC_LOCAL) |


CCMSPing RFC Connection


| RFC Destination Name | Activation Type | Logon User (Password) | Use (Scenario) | Remarks |
|---|---|---|---|---|
| CCMSPING.<server><SystemNr.> | Registered Server Program (program ccmsping.00) | CSMREG (customer-specific) | Service Level Reporting with CCMSPING; system availability overview in System Monitoring work center; IT Performance Reporting | User created during configuration of Central Monitoring (CCMS), see IMG activity Information and Configuration Prerequisites for setting up a central monitoring system CEN (technical name: SOLMAN_INPERF_CCMS) |

System Landscape Directory (SLD) RFC Connections


| RFC Destination Name | Activation Type | Use (Scenario) | How Created |
|---|---|---|---|
| SLD_UC (Unicode) -> analogue SLD_NUC (Non-Unicode) | Registered Server program (program: SLD_UC) analogous to SLD_NUC | General infrastructure using SLD | Automatically created |
| SAPSLDAPI | Registered Server program (program: SAPSLDAPI_<systemID>) | General infrastructure using SLD | Copy of SLD_UC or SLD_NUC |

TREX RFC Connections


| RFC Destination Name | Activation Type | Use (Scenario) | How Created |
|---|---|---|---|
| TREX_<server> (ABAP connection) | Registered Server Program (program TREXRfcServer_<instance number>) | Service Desk (Solution Database), SAP Engagement and Service Delivery (Issue Management) | Transaction SM59; TREX can be administered using the TREX admin tool, see IMG activity Information and Configuration Prerequisites for TREX Setup (technical name: SOLMAN_TREX_INFO) |
| IMSDEFAULT | Start on explicit host (program: ims_server_admin.exe) | Document Management (projects) | |
| IMSDEFAULT_REG | Registered Server Program (program: rfc_sapretrieval) | | |

Internet Graphics Server (IGS) RFC Connection

| RFC Destination Name | Activation Type | Use (Scenario) | How Created |
|---|---|---|---|
| GFW_ITS_RFC_DEST | Registered Server program (program: IGS.<SID>) | All functions that use a graphical display, for instance: Root Cause Analysis, EarlyWatch Alert Reports, Service Level Reports, BI Reporting | Transaction SM59 |

More Information
- about configuring RFC connections from Solution Manager to managed systems, see IMG activity
  Generate RFC Connections to/from Managed Systems (technical name: SOLMAN_GENERATE_RFCS)
- about configuring RFC connections from Solution Manager to SAP, see IMG activities under node
  Connection to SAP
- about connections from Solution Manager to SAP, see IMG activity Information and Configuration
  Prerequisites for Connections to SAP (technical name: SOLMAN_VAR_INFORM)

4.4 Internet Communication Framework

Most functions in SAP Solution Manager use either BSP or Web Dynpro technology. They are based
on HTTP protocol. The Internet Communication Framework (ICF) provides the infrastructure for
handling HTTP requests in work processes in an SAP system (server and client). It enables you to
use standard protocols (HTTP, HTTPS, and SMTP) for communication between systems through
the Internet. You do not need any additional SAP program libraries. The only condition is that
your system platform is Internet-compliant. This gives you a maximum amount of flexibility
in responding to varying communication requirements. Communication through the ICF has
the following benefits:
- Increased security: The HTTPS protocol guarantees secure data transmission at the same level as
  modern security standards for RFC/SNC communication and other interfaces.
- Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the
  Internet from any location.

Caution
SAP delivers all ICF services inactive, for security reasons.

- Reduced technological barriers: The open HTTP standard is used worldwide, which makes it
  efficient to install and configure.


4.5 Secure Socket Layer (SSL) for HTTP Connections

Secure Socket Layer (SSL) allows you to create secure connections for HTTP.

Caution
You must set up SSL for SAP NetWeaver ABAP and Java (for instance: Maintenance Optimizer and
SLM). See SAP Note 1138061.

Features
To set up SSL in your system, follow the procedure described in SAP Note 510007.
See also the installation guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>.

Note
To check if SAP Cryptolib has been successfully implemented, run program SSF02. Set the flag get
version and choose execute. The system displays the current version of SAP Cryptolib.

Constraints
SSL only provides a secure channel between partners communicating directly in a network. SSL
protects the messages only while in transit, but offers no security for (XML) data in storage.

More Information
on: Maintenance Optimizer (SLM), see IMG activity Information and Configuration Prerequisites for Maintenance
Optimizer and SLM (technical name: SOLMAN_MOPZ_SLM_INFO).
Further Information on SSL
| Information Source | Remarks |
|---|---|
| SAP Note 510007 | Setting Up SSL on the Web Application Server (Procedure to set up SSL) |
| SAP Note 1000000 | Web Dynpro ABAP FAQ (General authorization checks for services and application are available over the ICF) |
| SAP Note 1153116 | |
| SAP Note 938809 | Web Dynpro ABAP checklist for creating problem messages (If you create an error message for Web Dynpro ABAP under component BC-WD-ABA, see the checklist in SAP Note) |
| SAP Note 810159 | Subsequent installation of SAP JAVA CRYPTO TOOLKIT |
| Application help for security topics connected to ICF services | help.sap.com/nw07 |
| Installation guides | service.sap.com//instguides SAP Components SAP Solution Manager <current release> |
| System security for SAP NetWeaver ABAP and Java (Help setting up system security for ABAP and Java) | service.sap.com/security Media Library Literature |

4.6 HTTP Connect Service for SAP Support

Due to the firewall between customer and SAP systems, it is not possible to display pages of BSPs or
Web Dynpro applications in SAP Solution Manager using standard service or support connections.
To receive support from SAP for these technology types, you need to set up an HTTP Connect
Service. To do so, follow the descriptions in SAP Note 1072324. You need to maintain this connection
for on-site and remote support. For remote support, secure this HTTP connection with HTTPS.

4.7 File Transfer Protocol (FTP)

FTP is a network protocol used to send data from one computer to another through a network such
as the Internet. You use FTP for the SAProuter permission table.

Recommendation
We recommend protecting FTP communication with SAPFTP, using Secure Socket Shell (SSH). For
more information, see SAP Note 795131.

More Information
on the configuration task involved, see IMG activity Maintain Router Permission Table (technical name:
SOLMAN_SAPROUTER).

4.8 Required TCP/IP Ports

The following ports have to be opened up in your firewall, prior to installation.

Recommendation
Put the SAP Solution Manager system in the same subnet or DMZ as your managed landscape. If you
manage systems in different subnets, adapt your security settings and firewall accordingly.


Features
Ports for Communication to SAP Solution Manager
| From Hosts/Source Host | To Host/Destination Host | Service on Destination Host (Protocol) | Established Connection Format (example) |
|---|---|---|---|
| Outside (or DMZ) | Diagnostics Server | J2EE engine (HTTP) | 5<instance no.>00 (50100) |
| Outside (or DMZ) | Diagnostics Server | ITS (HTTP) | 80<instance no.> (8000) |
| Outside (or DMZ) | Diagnostics Server | Introscope Manager (HTTP) | Default: 8081 |
| Diagnostics Server | Diagnostics Server | IGS (HTTP) | 4<instance no.>80 (40180) |
| All managed systems (Diagnostics Agent) | Diagnostics Server | J2EE engine (P4) | 5<instance no.>04 (50104) |
| All managed systems (Diagnostics Agent) | Diagnostics Server | Message Server (HTTP) (Note: not 36XX) | 81<instance no.> (8101) |
| All managed systems (Introscope Agent) | Diagnostics Server | Introscope Enterprise Manager (TCP/IP) | Default: 6001 |

Ports for Communication with Managed Systems


| From Host/Source Host | To Hosts/Destination Hosts | Service on Destination Hosts (Protocol) | Established Connection Format (example) |
|---|---|---|---|
| Outside (or DMZ) | All managed systems | J2EE engine (HTTP) | 5<instance no.>00 (50200) |
| Outside (or DMZ) | All managed systems | ITS (HTTP) | 80<instance no.> (8000) |
| All managed systems (Diagnostics Agent) | Associated managed systems | J2EE engine (P4) | 5<instance no.>04 (50204) |

More Information
on the current list of ports used by SAP, in the SAP Service Marketplace:
service.sap.com/security Infrastructure Security TCP/IP Ports Used by SAP Applications.
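
The port formats in the two tables of this section become concrete firewall openings once the instance numbers are known. The following Python code is an added example, not part of the SAP guide: it fills in the formats and compares the result with a firewall allow-list. Host names, zone labels, instance numbers and the allow-list are constructed sample data.

```python
from dataclasses import dataclass

# Port formats from the two tables in section 4.8; "{nn}" stands for the
# two-digit instance number of the service on the destination host.
TO_SOLMAN = [  # (source zone, service, port format or fixed default)
    ("outside", "J2EE engine (HTTP)", "5{nn}00"),
    ("outside", "ITS (HTTP)", "80{nn}"),
    ("outside", "Introscope Manager (HTTP)", "8081"),
    ("diagnostics-server", "IGS (HTTP)", "4{nn}80"),
    ("managed", "J2EE engine (P4)", "5{nn}04"),
    ("managed", "Message Server (HTTP)", "81{nn}"),
    ("managed", "Introscope Enterprise Manager (TCP/IP)", "6001"),
]
TO_MANAGED = [
    ("outside", "J2EE engine (HTTP)", "5{nn}00"),
    ("outside", "ITS (HTTP)", "80{nn}"),
    ("managed", "J2EE engine (P4)", "5{nn}04"),
]


@dataclass(frozen=True)
class Opening:
    source: str
    dest: str
    port: int
    service: str


def port_for(fmt: str, instance_no: int) -> int:
    """Fill a port format such as '5{nn}00' with a two-digit instance number."""
    if not 0 <= instance_no <= 99:
        raise ValueError(f"instance number out of range: {instance_no}")
    return int(fmt.format(nn=f"{instance_no:02d}"))


def required_openings(dest, table, instances, default_instance):
    """List the openings one destination host needs.

    `instances` maps a service name to its instance number; services not
    listed there use `default_instance`.
    """
    return [
        Opening(src, dest, port_for(fmt, instances.get(svc, default_instance)), svc)
        for src, svc, fmt in table
    ]


def audit(required, allowed):
    """Return (missing, unexpected) as sorted (source, dest, port) tuples."""
    need = {(o.source, o.dest, o.port) for o in required}
    have = set(allowed)
    return sorted(need - have), sorted(have - need)


def demo():
    # Constructed landscape: host names and instance numbers are assumptions.
    required = required_openings("solman", TO_SOLMAN, {"ITS (HTTP)": 0}, 1)
    required += required_openings("erp1", TO_MANAGED, {"ITS (HTTP)": 0}, 2)
    # Constructed firewall allow-list: (source zone, destination host, port).
    allowed = [
        ("outside", "solman", 50100),
        ("outside", "solman", 8000),
        ("outside", "solman", 8081),
        ("diagnostics-server", "solman", 40180),
        ("managed", "solman", 8101),
        ("managed", "solman", 6001),
        ("outside", "solman", 50000),  # stale rule left from an old instance number
        ("outside", "erp1", 50200),
        ("outside", "erp1", 8000),
        ("managed", "erp1", 50204),
    ]
    return audit(required, allowed)


if __name__ == "__main__":
    missing, unexpected = demo()
    for src, dest, port in missing:
        print(f"MISSING    {src} -> {dest}:{port}")
    for src, dest, port in unexpected:
        print(f"UNEXPECTED {src} -> {dest}:{port}")
```

In the sample data the P4 port 50104 from the managed systems to the Diagnostics Server is reported as missing, and the rule for port 50000 is reported as unexpected because no listed service maps to it.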


5 User Administration and Authentication

The SAP Solution Manager uses the user management and authentication mechanisms provided by
the SAP NetWeaver platform, in particular the SAP NetWeaver ABAP. If you use Root Cause Analysis,
the user management and authentication mechanisms provided by SAP NetWeaver Java are also used,
so the security recommendations and guidelines for user administration and authentication, as
described in the SAP NetWeaver ABAP Security Guide and the SAP NetWeaver Java Security Guide,
also apply to SAP Solution Manager. We also provide a list of the standard users required to operate
the Solution Manager. As the mechanisms provided by the SAP NetWeaver AS Java only apply for
Diagnostics, see its guide in the Service Marketplace: http://service.sap.com/diagnostics .
Technical users are usually created automatically. Third-party users are always created manually.
User overviews are classified according to whether they are created in the Solution Manager system
or in the managed system.

5.1 User Management Tools

User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver
ABAP, and Java tools (ABAP: SU01 and Java: UME), user types, and password policies. As SAP Solution
Manager is based on SAP NetWeaver ABAP and Java, the User Management Engine (UME) of the Java
stack is to be configured against the ABAP stack.

Features
Tools Overview
| Object | Recommended Tool | Remarks |
|---|---|---|
| Users | transaction SU01 | User Management in the ABAP system(s). Caution: For password security information, see SAP Note 862989 (NW ABAP 7.0) |
| PFCG roles | transaction PFCG | Note: User Comparison feature was corrected, see SAP Note 1272331 |
| J2EE security roles and UME roles (only applies to Java application, for instance Root Cause Analysis) | UME and the Visual Administrator tool | Administration console to manage UME roles, and administration of the Java Application Server, to manage J2EE security roles. Both of these tools are part of SAP NetWeaver Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in SAP NetWeaver Java. |

Integration

Recommendation
You should use transaction SU01 to create users, and transaction PFCG to assign users to roles.

More Information
on UME conversion, see IMG activity: Convert UME (technical name: SOLMAN_CHANGE_UME)

5.2 Secure Storage

The secure storage stores encoded data, for instance access data of systems, SLD, SAP Portal
connection, and so on. The system uses the installation number of the system and the system ID
when creating the key for the secure storage.

Caution
If one or more of these values change, the system can no longer read the data in the secure storage.

More Information
SAP Note 816861 and SAP Note 1027439.

5.3 Technical/Dialog Users Created/Used in Solution Manager System Configuration

The users in the following tables are created automatically or manually during configuration. The
overviews are structured by main functions/scenarios. Some users are relevant for more than one
scenario and are therefore mentioned more than once. Some users have already been created during
the installation process, such as:

- SAPJSF
- J2EE_ADMIN
- J2EE_GUEST
- DDIC
- ADSUSER
- ADS_AGENT
- SLDDSUSER
- SLDAPIUSER

Note
If your security policy does not permit the automatic creation of generic users, you need to create
them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use
the Central User Administration (CUA), you need to create them manually.

Features
User for RFC Connection BACK (Infrastructure)
| User (Password) | Type | Remarks |
|---|---|---|
| SMB_<managed system ID> | System User | Technical user “Back User”; assigned roles/profiles: S_CUS_CMP for data read access; S_CSMREG for central system repository data; S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages; S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems; S_KWHELP for Help Center, document display. See section: RFC Connections READ, TMW, BACK. Note: The role ZSOLMAN_BACK is created from a template during automatic basic settings configuration. |

Users for General Infrastructure Set-up


| User (Password) | Type | Remarks |
|---|---|---|
| SOLMAN_ADMIN (customer-specific) | Dialog User | User created for basic settings configuration by automatic basic configuration, via transaction SOLMAN_SETUP; see section Roles for Basic Configuration in Solution Manager |
| SOLMAN_BTC (customer-specific) | System User | User created for background processing by automatic basic configuration, via transaction SOLMAN_SETUP; see section Roles for Basic Configuration in Solution Manager |
| S-User (customer-specific) | User in SAP Support Portal | User to exchange problem messages with SAP; retrieve information about which messages have been changed at SAP; The S-user for the SAP Support Portal must be requested via http://service.sap.com; see section S-User Authorizations |
| OSS_RFC (CPIC) | | Notes Assistant; Update Service Definitions; Service Preparation Check (RTCCTOOL) |
| CTC2SM_<CTC runtime system ID> (automatically created) | System User | Technical user for CTC runtime, automatically created when CTC runtime is activated; responsible for communication from CTC to Solution Manager; automatically assigned profile for role SAP_SMSY_CTC_RT |
| SM2CTC<Solution Manager ID><client> (automatically created) | System User | Technical user for CTC templates, automatically created when CTC runtime is activated. User is responsible for communication from Solution Manager to CTC, if the CTC runtime of the Solution Manager J2EE stack is called for the initial automatic basic configuration of Solution Manager; automatically assigned role in the related ABAP stack: SAP_J2EE_ADMIN |
| DDIC | | User for execution of CTC templates |
| SLDDSUSER (customer-specific) | Dialog User | Data Supplier user |
| SLDAPIUSER (customer-specific) | Dialog User | User for SLD connectivity, assigned role SAP_SLD_CONFIGURATOR corresponds to J2EE security role LcrInstanceWriterLD; allows you to create, modify and delete CIM instances of the Landscape Description and Name Reservation subset (includes the LcrUser role). |

Users for J2EE Integration (ABAP — UME)


| User (Password) | Type | Remarks |
|---|---|---|
| SAPJSF (customer-specific) | Communication User | Technical user for SAP Java Security Framework (display); assigned role: SAP_BC_JSF_COMMUNICATION_RO |
| J2EE_ADMIN (customer-specific) | Dialog User | User for J2EE administration, assigned roles: SAP_J2EE_ADMIN; SAP_BC_AI_LANDSCAPE_DB_RFC |
| J2EE_GUEST (customer-specific) | Dialog User | User for J2EE display rights, assigned role: SAP_J2EE_GUEST |

User for Graphical Display


User (Password): SOLARSERVICE (customer-specific)
Type: Service User
Remarks: Technical user for accessing HTTP services in the Solution Manager without login, assigned role: SAP_SOL_LEARNING_MAP_DIS; for instance for displaying HTML Learning Maps

Users for Business Process Operations and Job Scheduling Management Scenarios/Functions
User (Password): SM_BPMO (customer-specific)
Type: Service User
Remarks: Technical user, authorized to call managed system, assigned role: SAP_SM_BPMO_COMP

User (Password): CSMREG (customer-specific)
Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts) for Business Process Operations; created in transaction RZ10; assigned role SAP_BC_CSMREG; automatically assigned during creation

User (Password): ADSUSER (customer-specific)
Type: Service User
Remarks: Technical user for basic authentication ADS

User (Password): ADS_AGENT (customer-specific)
Type: Service User
Remarks: Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles:
- SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS))
- SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems)

Users for Root Cause Analysis Scenario/Function


User (Password): SMD_RFC
Type: Communication User
Remarks: Technical user, set in WEBADMIN JCo RFC destination, for communication between ABAP stack and Java stack; role SAP_SOLMANDIAG_E2E (profile S_SMDIAG_E2E) automatically assigned during configuration of Root Cause Analysis

User (Password): SMD_BI_RFC
Type: Communication User
Remarks: Technical user for BI communication, in case BI is implemented in another Solution Manager client

User (Password): SMD_ADMIN
Type: Communication User
Remarks: Technical user, needed by agent to connect to Root Cause Analysis; automatically assigned role: SAP_J2EE_ADMIN

User (Password): SAPSUPPORT
Type: Dialog User
Remarks: User created for SAP Engagement and Service Delivery by automatic basic settings configuration, via transaction SOLMAN_SETUP; see section User SAPSUPPORT

Users for Service Desk Scenario/Function


User (Password): SMB_<managed system ID>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK
Type: System User
Remarks: Technical user “Back User”; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages
- S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems
- S_KWHELP for Help Center, document display
see section: RFC Connections READ, TMW, BACK

User (Password): S-User (customer-specific)
Type: User in SAP Support Portal
Remarks: Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section: S-User Authorizations


Users for Change Control (Maintenance Optimizer) Scenario/Function


User (Password): S-User (customer-specific)
Type: User in SAP Support Portal
Remarks: Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section S-User Authorizations

Users for SAP Engagement and Service Delivery Scenario


User (Password): S-User (customer-specific)
Type: User in SAP Support Portal
Remarks: Technical user to exchange problem messages with SAP; get information about which messages have been changed at SAP; the S-user for the SAP Support Portal must be requested via http://service.sap.com; see section: S-User Authorizations

User (Password): ADSUSER
Type: Service User
Remarks: Technical user for basic authentication in ADS

User (Password): ADS_AGENT
Type: Service User
Remarks: Technical user for communication between ABAP stack and J2EE stack on which the ADS runs, assigned roles:
- SAP_BC_FP_ICF (if double stack: AS ABAP and AS Java (with ADS))
- SAP_BC_FPADS_ICF (if AS ABAP and AS Java on separate systems)

User (Password): SAPSUPPORT
Type: Dialog User
Remarks: User created for Service Delivery by automatic basic configuration, via transaction SOLMAN_SETUP; see section User SAPSUPPORT

Users for System Administration and System Monitoring Scenario/Function


User (Password): ALEREMOTE
Type: Service User
Remarks: SAP_SM_ALEREMOTE with profile S_BI-WX_RFC, for configuration of general settings for BI reporting (see SAP Note 150315), in case BI is implemented in another logical system

User (Password): SMB_<managed system ID>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK
Type: System User
Remarks: Technical user “Back User”; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages
- S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems
- S_KWHELP for Help Center, document display
see section: RFC Connections READ, TMW, BACK

User (Password): CSMREG (customer-specific)
Type: Communication User
Remarks: Technical user for System Monitoring and BI IT Performance Reporting (Central CCMS) data collection (to get CCMS alerts); created in transaction RZ21 -> Technical Infrastructure -> Configure Central System -> Create User CSMREG. Role SAP_BC_CSMREG automatically assigned during creation

User (Password): OS-Level Administrator
Type: OS-Level User
Remarks: User to set up CCMS agents

Users for Third-Party Integration

User (Password): Quality Center integration user (Test Management)
Type: Communication User
Remarks: User for Web Service; assigned role SAP_QC_INTERFACE

User (Password): Quality Center integration user (Test Management): for instance QCALIAS
Type: System User
Remarks: User for WSDL access; assigned role SAP_QC_WSDL_ACCESS

User (Password): Quality Center integration user (Defect Management): for instance DEFECTMAN
Type: System User
Remarks: User for data exchange; assigned role SAP_SUPPDESK_INTERFACE

User (Password): CPS integration user: for instance CPSCOMM
Type: Communication User
Remarks: Technical user for communication between SAP CPS and SAP Solution Manager for Job Scheduling Management; assigned roles SAP_SM_REDWOOD_COMMUNICATION and SAP_BC_REDWOOD_COMM_EXT_SDL

User (Password): BMC integration user
Type: Communication User
Remarks: User for Web Service; assigned role SAP_APPSIGHT_INTERFACE

User (Password): External Service Desk integration user
Type: Communication User
Remarks: User for data exchange; assigned roles SAP_SUPPDESK_ADMIN and SAP_SUPPDESK_INTERFACE

Users for Implementation and Upgrade (Help Center Function)


User (Password): SMB_<managed system ID>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in its RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user, before generating the RFC connection. See section RFC Connections READ, TMW, BACK
Type: System User
Remarks: Technical user “Back User”; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages
- S_BDLSM_READ SDCCN data (customer-specific) for SDCCN Service Desk message from managed systems
- S_KWHELP for Help Center, document display
see section: RFC Connections READ, TMW, BACK

More Information
- on automated basic settings configuration of SAP Solution Manager, see configuration guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>
- users created during installation, see installation guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>

5.4 Technical/Dialog Users Created/Used During Configuration in the Managed Systems

The users in the following tables are created, automatically or manually, during configuration. The
overviews are structured according to main functions/scenarios. Some users are relevant for more
than one scenario and are therefore mentioned more than once.

Note
If your security policy does not permit the automatic creation of generic users, you need to create
them manually. Automatic creation of users is only possible if you use Java UME with ABAP. If you use
the Central User Administration (CUA), you need to create them manually.

Features
Users for RFC connections READ and TMW (Infrastructure)
role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in managed systems

User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW), and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis
Note: During automatic basic settings configuration role ZSOLMAN_READ is created from template.

User: SMTM<SID of Solution Manager system>
Recommendation: Requests that are created, released, or imported locally cannot be identified with a change request by Change Request Management, and are therefore not part of the Change Request Management transport control and distribution process, so we recommend that no users (apart from administrators) are authorized to create transport requests or tasks in Change Request Management-controlled clients.
User Type: System User
Remarks: Technical User “TMW User”, automatically generated; see section RFC Connections READ, TMW, BACK. The most important task of this technical user is to create and release transport requests and tasks, remotely, from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control their distribution within the landscape. Assigned roles/profiles:
- S_TMW_CREATE for creating and releasing transport requests in development systems and setting the project status switch for creating transport requests
- S_TMW_IMPORT for importing transport requests into test systems (empty)
- S_SM_EXECUTE for critical execution authorizations in managed systems, for instance starting batch jobs for Solution Documentation Assistant.
Note: This authorization allows batch processing in the managing system for managed systems. You can also use this profile solely for this purpose. In this case, you have to assign the profile to the technical user, manually.

User for CTC Configuration

User (Password): SM2CTC<SID of Solution Manager><Client> (Automatically Created)
Type: System User
Remarks: Technical user for CTC templates; automatically created when CTC runtime is activated; responsible for communication from Solution Manager to CTC, if the CTC runtime is called for setting up business system connectivity (see section Roles for Business Connectivity Configuration); automatically assigned role in related ABAP stack: SAP_J2EE_ADMIN

User for CTC Runtime Activation


User (Password): SM2CTC<SID of Solution Manager><Client> (Automatically Created)
Type: System User
Remarks: Technical user for CTC templates; automatically created when CTC runtime is activated; responsible for communication from Solution Manager to CTC, if the CTC runtime is called for setting up business system connectivity (see section Roles for Business Connectivity Configuration); automatically assigned role in related ABAP stack: SAP_J2EE_ADMIN

Users for Configuration of Business System Connections


During the configuration of business system connections, two technical users for the systems are
created. They are referred to in the following table as system A (for instance ERP) and system B (for
instance CRM).
User: <product name of system A>2<product name of system B>, example: ERP2CRM
User Type: System User
Remarks: Technical user to connect system A (ERP) with system B (CRM); assigned default profile SAP_ALL

User: <product name of system B>2<product name of system A>, example: CRM2ERP
User Type: System User
Remarks: Technical user to connect system B (for instance CRM) with system A (for instance ERP); assigned default profile SAP_ALL

Note
For more information on the configuration of business system connections, see the configuration guide in the Service Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>.

Users for System Administration and System Monitoring Scenario/Function


role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in
managed systems

User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW), and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis

User: CSMREG (Customer-Specific)
User Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts); created in transaction RZ21 -> Technical Infrastructure -> Configure Central System -> Create User CSMREG; role SAP_BC_CSMREG automatically assigned during creation

User: ALEREMOTE (Customer-Specific)
User Type: System User
Remarks: BI communication user, automatically assigned profile S_BI-WX_RFC during connection of source system

User: OS-Level Administrator
User Type: OS-Level User
Remarks: User to set up CCMS agents

Users for Change Request Management Scenario/Function


role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in managed systems

User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis

User: SMTM<SID of Solution Manager system>
Recommendation: Requests that are created, released, or imported locally cannot be identified with a change request by Change Request Management, and are therefore not part of the Change Request Management transport control and distribution process, so we recommend that no users (apart from administrators) are authorized to create transport requests or tasks in Change Request Management-controlled clients.
User Type: System User
Remarks: Technical User “TMW User”, automatically generated; see section RFC Connections READ, TMW, BACK. The most important task of this technical user is to create and release transport requests and tasks, remotely, from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape. Assigned roles/profiles:
- S_TMW_CREATE for creating and releasing transport requests in development systems, and setting the project status switch for creating transport requests
- S_TMW_IMPORT for importing transport requests into test systems (empty)
- S_SM_EXECUTE for critical execution authorizations in managed systems, for instance starting batch jobs for Solution Documentation Assistant.
Note: This authorization allows batch processing in the managing system for managed systems. You can also use this profile solely for this purpose. In this case, you have to assign the profile to the technical user, manually.

Users for Service Desk Scenario/Function


role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in
managed systems
User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis

Users for Root Cause Analysis Scenario/Function


role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in
managed systems

User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis

User: SMDAGENT_<SID>
User Type: Communication User
Remarks: ABAP communication user for Wily Host, assigned role SAP_IS_MONITORING and/or profile S_IS_MONITOR

Users for Business Process Operations and Job Scheduling Management Scenarios/Functions
role (release >= SAP NW ABAP and Java 6.10) and profile (release < SAP NW ABAP and Java 6.10) in
managed systems
User: SM_<SID of Solution Manager system>
Caution: During automatic basic configuration, the system automatically generates a user password. If you change the password of this user in User Management (transaction SU01), you need to change the password for this user in the RFC destination in the Solution Manager system as well.
Note: When you generate RFC connections using transaction SMSY, you can alter user and password settings for this user before generating the RFC connection. See section RFC Connections READ, TMW, BACK
User Type: System User
Remarks: Technical user, “READ User”, for read access to Business Process Monitoring; automatically generated; see section RFC Connections READ, TMW, BACK; assigned roles/profiles:
- S_CUS_CMP for data read access
- S_CSMREG for central system repository data
- S_BDLSM_READ for SDCCN data
- S_USER_GRP for user group display of all users for Licence Administration Workbench (LAW) and automatic business partner generation
- S_AI_SMD_E2E for Root Cause Analysis

User: CSMREG (Customer-Specific)
User Type: Communication User
Remarks: Technical user for data collection (to get CCMS alerts); created in transaction RZ10; role SAP_BC_CSMREG automatically assigned during creation.

User: CPS user (for instance CPSCOMM)
User Type: Communication User
Remarks: Technical user for communication between SAP CPS and managed system; see IMG activity Create Communication User (technical name: SOLMAN_REDWOOD_COMM)

More Information
about users created during installation, see installation guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>
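
An added example, not part of the SAP guide: a Python check that compares a user export from a managed system with the user types and roles/profiles that the section 5.4 tables list for the generated technical users, and lists every holder of SAP_ALL for review. The CSV layout, the sample rows, the role ZBASIS_ADMIN and the name patterns (three-character SID, three-digit client) are assumptions made for illustration.

```python
import csv
import io
import re
from typing import NamedTuple

# SAP_ALL carries every authorization, so each holder is listed for review,
# including the business system connection users that get it by default.
BROAD_PROFILES = {"SAP_ALL"}

# Assumption: a SID is a letter followed by two letters or digits.
SID = r"[A-Z][A-Z0-9]{2}"


class Rule(NamedTuple):
    pattern: re.Pattern
    user_type: str
    allowed: frozenset


def rule(regex, user_type, *allowed):
    return Rule(re.compile(regex), user_type, frozenset(allowed))


# Name pattern, documented user type and documented roles/profiles,
# transcribed from the section 5.4 tables. The first matching rule wins.
BASELINE = [
    rule(rf"SM_{SID}", "System", "S_CUS_CMP", "S_CSMREG", "S_BDLSM_READ",
         "S_USER_GRP", "S_AI_SMD_E2E", "ZSOLMAN_READ"),
    rule(rf"SMTM{SID}", "System",
         "S_TMW_CREATE", "S_TMW_IMPORT", "S_SM_EXECUTE"),
    rule(rf"SM2CTC{SID}\d{{3}}", "System", "SAP_J2EE_ADMIN"),
    rule(rf"SMDAGENT_{SID}", "Communication",
         "SAP_IS_MONITORING", "S_IS_MONITOR"),
    rule(r"CSMREG", "Communication", "SAP_BC_CSMREG"),
    rule(r"ALEREMOTE", "System", "S_BI-WX_RFC"),
    # <product A>2<product B>, for example ERP2CRM: default profile SAP_ALL.
    rule(r"[A-Z]{2,}2[A-Z]{2,}", "System", "SAP_ALL"),
]


class Finding(NamedTuple):
    user: str
    kind: str    # TYPE_MISMATCH, BROAD_PROFILE or EXTRA
    detail: str


def audit(export_text):
    """Return findings for the generic technical users in a CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().upper()
        matched = next(
            (r for r in BASELINE if r.pattern.fullmatch(user)), None)
        if matched is None:
            continue  # not one of the generated users covered by the tables
        actual_type = row["type"].strip()
        if actual_type != matched.user_type:
            # For instance a READ or TMW user that was set up as a dialog
            # user and can therefore be used for interactive logon.
            findings.append(Finding(
                user, "TYPE_MISMATCH",
                f"{actual_type} (documented: {matched.user_type})"))
        for item in (a.strip() for a in row["assignments"].split(";")):
            if not item:
                continue
            if item in BROAD_PROFILES:
                findings.append(Finding(user, "BROAD_PROFILE", item))
            elif item not in matched.allowed:
                findings.append(Finding(user, "EXTRA", item))
    return findings


# Constructed sample export, not real data. ZBASIS_ADMIN is a made-up role.
SAMPLE_EXPORT = """\
user,type,assignments
SM_SM1,System,S_CUS_CMP;S_CSMREG;S_BDLSM_READ;S_USER_GRP;S_AI_SMD_E2E
SMTMSM1,Dialog,S_TMW_CREATE;S_TMW_IMPORT;ZBASIS_ADMIN
SMDAGENT_ER1,Communication,SAP_IS_MONITORING;SAP_ALL
ERP2CRM,System,SAP_ALL
JSMITH,Dialog,ZSALES_CLERK
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.user:14} {f.kind:14} {f.detail}")
```

Users whose names match none of the patterns, such as JSMITH in the sample, are outside the scope of this check and are skipped.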

5.5 User SAPSUPPORT

SAP delivers roles for users that are needed in customer Solution Manager systems for efficient
support. This user is required for:
n Root Cause Analysis
n SAP Engagement and Service Delivery


This section gives an overview of the user.

Features
You create the dialog user SAPSUPPORT in your Solution Manager and managed systems, during basic
settings configuration. It is used by SAP Support for display access to Root Cause Analysis-related
transactions, and to check and perform services in your system. You can log on to the managed
systems with Single Sign-On (SSO), using the SAPSUPPORT user, reducing administrative effort. The
system creates the SAPSUPPORT user automatically, and assigns the relevant roles, during automatic
configuration of basic settings. If your security policies do not allow the use of generic users, you must
create the user SAPSUPPORT manually. You assign the following roles to this user during configuration:
- in the SAP Solution Manager system
  - SAP_SOLMAN_ONSITE_ALL_COMP (containing all individual roles needed to check and perform services):

    Note
    To provide authorizations which meet your company’s requirements for restricted or full access, SAP delivers two composite roles, see section Roles for SAP Engagement and Service Delivery.

    - including SAP_RCA_DISP (containing minimal authorization for Root Cause Analysis)

      Recommendation
      Do not copy roles for Root Cause Analysis into your own name space, or change profiles. See section Roles for Root Cause Analysis.

    - including SAP_RCA_EXE (containing execution authorization for Root Cause Analysis)
    - including SAP_DBA_DISP (containing display authorization for DBA Cockpit)
    - including SAP_SMWORK_BASIC (containing basic authorization for work centers, see Work Center Navigation Roles)
    - including SAP_SMWORK_DIAG (work center navigation role)
- in the managed systems
  - SAP_RCA_SAT_DISP (containing execution authorization for Root Cause Analysis)
- in the BI client
  - SAP_BI_E2E (containing execution authorization for Root Cause Analysis)

5.6 Business Partners Created During Configuration

When you configure the SAP Solution Manager using the automatic basic settings configuration,
additional business partners for SAP Engagement and Service Delivery are created.


Note
The creation of these users is not part of the SAP Reference IMG (transaction SPRO) for SAP Solution
Manager. If you are on a lower Support Package Level than SAP Solution Manager 7.0 EhP1, you
need to create these business partners manually.

Features
The business partners are created as follows:
First Name  Last Name                    Remarks
SAP         Technical Quality Manager    Automatically assigned ID TQM or SAPTQM
SAP         Support Advisor              Automatically assigned ID SAPSUPAD
SAP         Engagement Architect         Automatically assigned ID SAPENAR
SAP         Back Office                  Automatically assigned ID SAPBACKO
SAP         Consulting                   Automatically assigned ID SAPCON
Customer    Program Management           Automatically assigned ID CUSTPM
Customer    Business Process Operations  Automatically assigned ID CUSTBPM
Customer    Custom Development           Automatically assigned ID CUSTCD
Customer    Technical Operations         Automatically assigned ID CUSTTO
Customer    Partner                      Automatically assigned ID CUSTPAR

Note
An additional business partner (name: SAP Support) is automatically created for user SAPSUPPORT
as soon as this user is created during the automatic basic settings configuration (see section: User
SAPSUPPORT).

More Information
on how to configure the basic settings, see Configuration Guide SAP Solution Manager in the Service
Marketplace: http://service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>.

5.7 How to Create Users and Business Partners for End Users

The following lists give an overview of functions that require users in Solution Manager system and
managed systems, and functions that require business partner users in the Solution Manager system:
Functions Requiring End Users for SAP Solution Manager and Managed Systems


- Implementation: if you use Implementation and subsequently Customizing Distribution to centrally configure your managed systems. Implementation and Customizing Distribution use Trusted RFC connections, which always require users in both systems.
- Test Management: if testers have to test in managed systems. Test Management uses Trusted RFC connections, which always require users in both systems.
- Service Desk: for Key User (end user), see example below
- System Administration and System Monitoring (and Business Process Operations): if the system administrator needs to check transactions in managed systems via SAP Solution Manager trusted RFC connection.
- Change Request Management: if the users in the Change Request Management process log on to the managed systems via Solution Manager.
- Root Cause Analysis: user SAPSUPPORT is automatically created in the Solution Manager system as well as the managed systems during Root Cause Analysis configuration.
Functions Requiring Business Partners Based on Users in SAP Solution Manager
- Delivery of SAP Services: if you use Issue Management.
- Service Desk: for Key User (end users) and processors of service desk messages, see example underneath.
- Change Request Management
- Job Scheduling Management
- Change Control: functionality Maintenance Optimizer

Procedure
Create Users Using Transaction SU01
This paragraph tells you which area in User Management (transaction SU01) needs attention, and why.
1. Enter your user and choose change.
2. Enter the required data and save.
Address Data
- First Name and Last Name
  - Function: Digital Signature
- E-Mail
  - Function: Business Process Operations
  - Function: Issue Management
  - Function: Service Desk
  - Function: E-Learning Management
  The user can receive and send e-mails. This e-mail address can be any address, as long as it is known to the mail server.

Note
Business Process Operations: for use of auto-reaction methods.


Create Business Partner Using Transaction BP_GEN


1. Choose User list -> Add system.
2. Select a system from which you want to create business partners.
3. Select users.
4. Choose Edit -> Create Business Partner.
5. Confirm your entries.

Example
You want to create end users for Service Desk functionality. The system landscape consists of SAP
Solution Manager and two managed systems, three systems in total.
You have to create all end users known to Solution Manager as Business Partners, in the Solution
Manager system and the managed systems.
1. Create users for all end users in all three systems, as described above.
2. Create business partners for end users, in the Solution Manager system, as described above.

Note
If you change e-mail addresses for users, you need to update your business partners in transaction
BP_GEN.

More Information
on how to create business partners, see IMG activity Create Key User (technical name:
SOLMAN_SUP_BUSPART)

5.8 Integration into Single Sign-On Environments (SSO)

The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP
NetWeaver. It uses various front ends (SAP GUI and Web browser, in this case an HTML Control). The
system opens several sessions on the server, that require, for example, a second logon. The user uses
SAP GUI to log on to a system, the application uses the SAP GUI for HTML Control to call another BSP
application, and the system then prompts the user to re-enter the logon data.
The security recommendations and guidelines for user administration and authentication, as
described in the SAP NetWeaver Security Guide (SAP Library), also apply to the SAP Solution Manager.
The supported mechanisms are:
- Secure Network Communications (SNC): SNC authenticates users and provides an SSO environment when
  using the SAP GUI for Windows or Remote Function Calls.
- SAP logon tickets: The Solution Manager supports the use of logon tickets for SSO when using a Web
  browser to access Solution Manager documents via URLs from outside. Users can be issued a
  logon ticket after they have authenticated themselves with the Solution Manager system. The
  ticket can then be submitted to the system as an authentication token each time the users access
  documents via URLs from within the same browser session. The user does not need to enter
  a user ID or password for authentication, and can access the system directly after the system has
  checked the logon ticket.

More Information
- on SNC, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application
  Server ABAP Security Guide.
- on how to use Single Sign-On, see Service Marketplace: http://service.sap.com/sso-smp.

6 Authorizations

This section contains:


- Authorization concept
  This section explains the SAP authorization concept, and its main terms, such as role, profile
  and so on.
- RFC connections and critical authorizations
  RFC connections, like TRUSTED, READ, TMW and BACK, are basic to the concept of SAP Solution
  Manager as managing platform and its managed systems. These connections are created
  automatically, with users and profiles. This section explains related critical authorizations in
  more detail.
- Roles for configuration
  Configuration is performed by a technical consultant or system administrator who is familiar with
  system administration. It includes such critical transactions as SU01 and PFCG. This section gives an
  overview of pre-defined template roles for the basic settings configuration and how to create your
  own roles for scenario-specific configuration.
- Roles and profiles for end users
  Users who perform tasks in an application are referred to as end users. SAP delivers template roles
  for end users to be able to perform tasks in an application. This section gives you an overview
  of roles for these functions.
- Roles for configuration of business system connections
  Using SAP Solution Manager as managing platform, you can configure most important business
  system connections. This section gives you an overview of roles needed for CTC runtime activation
  and configuration tracks.
- “How To”
  This section contains procedures for authorization and user management.

6.1 Authorization Concept

Authorizations are defined by authorization objects. For instance, the authorization to execute
function modules remotely is in authorization object S_RFC. Authorization objects are contained in
authorization roles; a role is a container for authorization objects. When you maintain
authorizations, you maintain the fields of an authorization object. For instance, you define which
function groups in authorization object S_RFC (for instance function group SCCA) the user can
execute. When you have maintained the authorizations in the authorization objects, you generate the
authorization profile. This profile is then assigned to the user. You can generate different
profiles from one role, depending on how you maintain the authorization objects in the role.
Authorizations only take effect if they are maintained, and the profile is generated and assigned
to the user.

How you maintain and bundle authorization objects depends on your company’s security concept. You
customize/maintain your roles according to your company’s concept. Each company has different
priorities, departments and so on. As each business requires a different authorization concept, the
template roles delivered by SAP are only templates. Before you grant authorizations to your end
users, you must have a clear concept of who is to receive which authorizations, because you need to
adjust your authorizations over time due to company changes or extended use of Solution Manager
functions. Here is what you should consider when designing your authorization concept.

Procedure
1. Identify which functions of Solution Manager scenarios you use.
2. Create a menu matrix according to these functions.
3. Identify your roles.
4. Populate your menu matrix.
5. Create your roles from SAP template roles. Use a unique naming convention.
6. Maintain your roles.
7. Test your roles.

6.2 RFC Connections to/from Managed Systems and Critical Authorization Objects

6.2.1 Trusted RFC Connections

In a heterogeneous system landscape with SAP Solution Manager as the managing platform, you
need RFC connections between SAP Solution Manager and the managed systems. The managed
system needs to be a Trusted System in the SAP Solution Manager, and vice versa. The SAP Solution
Manager server (Trusting System) trusts the user administration of the client, the managed system
(Trusted System). Trusted systems can log on to the Trusting System without a password. The trusting
system controls user-specific data. This is a trusting-trusted RFC connection. You generate this
RFC connection in the SAP Solution Manager in transaction SMSY. Trusted RFCs need to be
maintained from both sides: Solution Manager to managed system, and managed system to Solution
Manager system. To communicate with each other, the SAP Solution Manager and the managed
system need the same user name in their user administration (transaction SU01).

Note
Using SAP router between Solution Manager and managed systems may cause problems in some
functions, for instance BSP applications. To solve these, see SAP Note 555162.

6.2.2 Authorization Object S_RFCACL

The trusting RFC destination has the Current User setting in transaction SM59. Authorization errors
in the use of an RFC destination flagged as a Trusted System cause the following message to be sent: No
Authorization to logon as Trusted System (Trusted RC = #).

Prerequisites
To apply the authorization object, you need full access to transaction PFCG, in the SAP Solution
Manager system and the managed systems.

Features
To create the trusted RFC connection, this user needs the authorization object S_RFCACL in the
Solution Manager and in the managed system. The role SAP_S_RFCACL contains the
authorization object S_RFCACL, which consists of a number of authorization fields that allow a
trusting-trusted relationship between SAP Solution Manager and any managed system.
Due to the high potential risk of such an RFC connection, the authorization object S_RFCACL is not in
authorization profile SAP_ALL.

Caution
The authorization object is in role SAP_SM_BASIC_SETTINGS for initial basic configuration of Solution
Manager (supported by automatic configuration). If your security rules do not allow the use of this
authorization object, deactivate the authorization object in this role after basic settings configuration.

Constraints
Every authorization error when using an RFC destination flagged as a Trusted System is a RABAX (ABAP
exception). The RABAX contains detailed error information. To analyze the error:
1. Choose transaction ST22 and the selection period.
2. Choose the entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY.
The paragraph Troubleshooting contains the information necessary to correct the error.
Return Code

Return Code | Explanation | To Do
0 | Invalid logon data (user and client) for the trusting system | Create a corresponding user in the client system for the user in the server system (trusting system)
1 | The calling system is not a trusted system, or the system security ID is invalid. | Create the trusted RFC connection again.
2 | The user has no authorization containing the authorization object S_RFCACL, or is logged on as the protected user DDIC or SAP*. | Give the user the authorization, or do not use the protected users DDIC or SAP* (see: profile parameter and value: login/no_automatic_user_sapstar = 0)
3 | The timestamp of the logon data is invalid. Check the system time in the client and in the server, and the validity date of the logon data. | Synchronize the system times

More Information
- on authorization object S_RFCACL see: http://help.sap.com/nw70
- on role SAP_SM_BASIC_SETTINGS, see Roles for Basic Configuration

6.2.3 RFC Connections TRUSTED, READ, TMW, BACK

Before you can use these scenarios/functions, you must set up your system landscape in the
Solution Manager. This includes:
- define all (managed) systems
- create logical components
- assign managed systems to logical components
- set up your solution design

Note
For a detailed explanation of system landscape and solution design, see the SAP Solution Manager
master guide in the Service Marketplace: http://service.sap.com/instguides SAP
Components SAP Solution Manager <current release> .

Features
Data is transferred between SAP Solution Manager and its managed systems by RFC connections:

- READ (SM_<SID>CLNT<Client>_READ): transfers data, for instance in Customizing Distribution,
  Change Request Management, Service Desk, Root Cause Analysis, or Monitoring. SID and client
  refer to the connected managed system.
  Assigned profiles:
  - S_CUS_CMP for data read access
  - S_CSMREG for central system repository data
  - S_BDLSM_READ for SDCCN data
  - S_USER_GRP for user group display of all users, for Licence Administration Workbench (LAW)
    and automated business partner generation
  - S_AI_SMD_E2E for Root Cause Analysis
- TMW (SM_<SID>CLNT<Client>_TMW): remote creation of transport requests with tasks for the
  designated developers in the development systems, in Change Request Management. SID and
  client refer to the connected managed system.
  Assigned profiles:
  - S_TMW_CREATE create and release transport requests in development systems, and set the project
    status switch to create transport requests
  - S_TMW_IMPORT import transport requests into test systems (empty)
  - S_SM_EXECUTE critical execution authorizations in managed systems
- TRUSTED (SM_<SID>CLNT<Client>_TRUSTED): use of TBOMs in Test Management, customize data
  transfer from the source system to the target system, and enter analysis transactions for System
  Monitoring and Business Process Monitoring. SID and client refer to the connected managed
  system. See section RFC Connection: TRUSTED
- BACK (SM_<SID>CLNT<Client>_BACK): send SDCCN data or messages from a managed system to
  the SAP Solution Manager system; lock customizing objects against changes in Customizing
  Distribution; integrate Change Request Management into the Service Desk. SID and client refer to
  the SAP Solution Manager system.
  Assigned profiles:
  - S_CUS_CMP for data read access
  - S_CSMREG for central system repository data
  - S_SD_CREATE and D_SOLMAN_RFC for Service Desk messages
  - S_BDLSM_READ for SDCCN data (customer-specific) collection
  - S_KWHELP for Help Center functionality
To create these RFC connections, the system generates technical users for the RFC connection needed,
when you generate the RFC in transaction SMSY, or via automatic basic settings configuration, in
transaction SOLMAN_SETUP. These users are assigned to the profiles for data transfer.

Note
These profiles are more or less static. In case of RFC problems after generation, see SAP Note 176277:
Generating RFC trace information.

Example
The following screen shows you the dialog box for RFC generation in transaction SMSY, with three
partitions:
- RFCs from the Solution Manager to the managed system
- RFCs from the managed system to the Solution Manager
- RFCs to be generated

Figure 1: RFC Generation in Transaction SMSY

When you generate the READ, TMW and BACK RFC connections, the system provides users for them, which
are automatically created in the managed and managing system. These users are also
automatically assigned profiles. If you want to use an existing user of your managed system, enter
it, with or without password. In this example, S8T is the Solution Manager system and DHZ is the
managed system; users and password are generated automatically by the system.

Note
For more information on the creation of RFC connections in automatic basic settings
configuration, see the configuration guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .

6.2.4 Authorization Object S_RFC

Authorization object S_RFC controls RFC access to function groups. For instance, if you want a user to
be able to call function groups remotely, the user needs authorization object S_RFC in the target
system. SAP Solution Manager interacts with its managed systems mainly via RFC, so this authorization
object must be assigned to certain technical users as well as end users.

This section lists all profiles/roles with authorization object S_RFC that must be assigned to
technical users (for information on technical users, see sections on technical users), and end users
(for more information, see sections on roles for end users). The following table gives an overview of
the values of field RFC_NAME for authorization object S_RFC in profiles/roles that are assigned to
technical users during RFC generation in transaction SMSY, and during automatic technical
configuration of Solution Manager and managed systems in transaction SOLMAN_SETUP.

Features
Profiles with Function Groups for S_RFC

Role/Profile | Function Group Values in Field RFC_NAME | Remarks
S_CUS_CMP | See SAP Note attachment: 831535 (RFC Read) | Used for comparing customizing between systems, display only, technical user READ RFC user, see section on Technical Users in managed system
S_CSMREG | See SAP Note attachment: 831535 (RFC Read) | Used for CCMS Monitoring, technical user READ RFC user, see section on Technical Users in managed system
D_SOLMAN_RFC | See SAP Note attachment: 831535 (RFC for SDCCN BACK User) | Compositional profile for general Solution Manager RFC user, technical user BACK RFC user, see section on Technical Users in managing system
S_AI_SMD_E2E | See SAP Note attachment: 831535 (RFC Read) | Used for Root Cause Analysis E2E in the managed system; technical user READ RFC user, see section on Technical Users in managed system
SAP_SOLMANDIAG_E2E / S_SMDIAG_E2E | See SAP Note attachment: 831535 (Diagnostics SolMan RFC) | Used for Root Cause Analysis, technical user SMD_RFC, see section on Technical Users in managing system
S_SM_EXECUTE | See SAP Note attachment: 831535 (RFC on Change Manager TMW User) | Used for Solution Documentation Assistant and background processing of TMW user, see section on Technical Users in managed system
S_KWHELP | See SAP Note attachment: 831535 (RFC on Help CenterTMW User) | Used for Help Center; display of Knowledge Warehouse documents, technical user BACK RFC user, see section on Technical Users in managing system

Note
Authorization object S_RFC can be traced with audit log trace in transaction SM19 and SM20. To
protect the deletion of traces, maintain field ACTVT with value 36 of authorization object S_RFC_ADM.

Example
The SYST function group is needed to call a system. If it is missing, the remote login in transaction SM59
causes the RFC_NO_AUTHORITY ABAP runtime error in the target system.

6.3 Roles for Solution Manager Configuration

6.3.1 Roles for Basic Configuration of Solution Manager

The basic settings configuration for Solution Manager is mandatory. You have to configure all basic
settings before you start configuring scenario-specific settings and/or Service Provider-specific settings.
You can configure basic settings by using either:
- SAP Reference IMG via transaction SPRO, or
- the automatic procedure via transaction SOLMAN_SETUP
The following paragraph gives you an overview of the roles used for the two procedures.

Caution
Roles for basic settings configuration are delivered by SAP as template roles, fully maintained for
automatic configuration, so all authorization fields without specific values contain authorization
value “*”.

Features
SAP Reference IMG
You must assign the following roles to the user who configures basic settings:
- SAP_SM_BASIC_SETTINGS
  This role contains all authorization objects necessary for ABAP stack.

  Caution
  Value “*” allows full authorization for the authorization field. This is especially critical for
  authorization objects S_RFC (function groups) and S_TABU_DIS (cross-table maintenance for
  customizing). Because of differences in configuration tasks, values for these authorizations
  cannot be delivered via a template role.

  Other security-relevant authorization objects in this role:
  - S_RFCACL
    See section Authorization Object S_RFCACL.

    Note
    After the initial configuration, you can deactivate this authorization object, if you do not
    want to assign it to your user.

  - S_USER_GRP
    If you use this role for manual configuration of the basic settings in transaction SPRO, you
    need to either remove the authorization restriction in this authorization object, or copy the
    authorization object and maintain it according to your needs.

    Note
    The authorization field CLASS is initially restricted to user group SAP_SM*. This user group
    with default naming convention <SAP_SM*> is created automatically during automatic basic
    settings configuration. All users created during the automatic basic settings configuration, in
    Solution Manager, by user SOLMAN_ADMIN, are assigned this user group.

  - S_USER_AGR
    If you use this role for manual configuration of the basic settings in transaction SPRO, you
    need to either remove the authorization restriction in this authorization object, or copy the
    authorization object and maintain it according to your needs.

    Note
    The authorization field ACT_GROUP is initially restricted to roles with names SAP* and ZSAP*.

  - S_DEVELOP
    If you use this role for implementing SAP Notes via SAP Notes Assistant, you need to activate
    activity 16 in authorization object S_DEVELOP.

- SAP_SM_BATCH
  This role contains authorizations for a defined user for background job processing (user
  SOLMAN_BTC during automatic basic settings configuration). See also SAP Note 1314587.

  Note
  This role contains CRM-related authorization objects in authorization class CRM. When you
  modify SAP standard customizing (for instance transaction types and/or status profiles), you must
  maintain these authorization objects accordingly.

- SAP_SMWORK_BASICCONF_COMP
  This composite role contains all work center navigation roles.

  Note
  Individual role SAP_SMWORK_BASIC contains all necessary OBN targets. Authorization objects of this
  role are included in role SAP_SM_BASIC_SETTINGS.

- SAP_J2EE_ADMIN
- SAP_BI_E2E
  To configure BI-related functions, you must assign these roles to your administration user. See
  section Roles for BI-Related Functions.
- SAP_BW_CCMS_SETUP
  To configure BI-related functions, you must assign these roles to your administration user. See
  section Roles for BI-Related Functions.

Recommendation
You should also create an additional role for transactions SE03 and SE09.

Automatic Basic Settings Configuration
When you use the automatic basic settings configuration procedure, you create/use a user for
administration purposes: SOLMAN_ADMIN. The system assigns a template role, ZSOLMAN_ADMIN,
containing all necessary authorizations, to this user. This role is based on templates from the above
roles for manual configuration via SAP Reference IMG.

Note
The system assigns role SAP_SM_CONF_SEC because of its critical authorization object. You can select
it during automatic basic setting configuration, to implement SAP Notes via transaction SNOTE.

During automatic basic settings configuration, the configuration user SOLMAN_ADMIN creates the
following users:

- SOLMAN_BTC
  Role SAP_SM_BATCH is automatically assigned, and contains all necessary authorization for batch
  processing.
- SAPSUPPORT
  See section SAPSUPPORT User

More Information
- about users SOLMAN_ADMIN and SOLMAN_BTC, see section on technical users in SAP Solution Manager
- about work center navigation roles included in composite role SAP_SMWORK_BASICCONF_COMP,
  see section Work Center Navigation Roles

6.3.2 Roles for Basic Configuration in Managed Systems

The following functions require users with configuration authorization in the managed systems:
- Trusted RFC Connection
- Service Data Control Center
- Root Cause Analysis

Features
Trusted RFC Connection

Profile | Type | Remarks
Authorization object S_RFCACL | ABAP | See sections: Authorization Object S_RFCACL; How to Create Roles for End Users

Service Data Control Center

Role/Profile | Type | Remarks
SAP_SDCCN_ALL / S_SDCCN_ALL | ABAP | See section Roles for Infrastructure

Root Cause Analysis

Role | Type | Remarks
SAP_RCA_CONF_ADMIN | ABAP | Authorization to configure Root Cause Analysis. Caution: To configure Root Cause Analysis in the managed system using the automatic initial basic configuration procedure, you require authorization to create users (transaction SU01) and assign roles (transaction PFCG) in the managed system. For security reasons, we do not deliver roles for these critical transactions. You need to create these roles and assign them to the configuration user for Root Cause Analysis explicitly.
Administration role(s) for transaction SU01 and transaction PFCG | ABAP | For security reasons, roles for these transactions are not delivered. You have to create them yourself. See section How to Create Roles for End-Users

6.3.3 How to Create Roles for Scenario-Specific Configuration in Solution Manager

As of SAP Solution Manager EhP1 there are no dedicated authorization roles for scenario-specific
configuration. This section tells you how to create your own roles for the configuration of scenarios.

Note
Configuration of scenario-specific functions can involve configuration of cross-scenario settings.
For these functions, additional configuration roles may be needed (if you do not use profile SAP_ALL).
They are specified in the IMG activity for cross-scenario functions.

Caution
Exception: BI-relevant functions require additional roles for setup, see section Roles for BI-Relevant
Functions.

Prerequisites
To be able to create authorization roles for scenario-specific configuration, you have created an IMG
project in transaction SPRO_ADMIN. For more information, see the configuration guide for SAP Solution
Manager.

Procedure

Note
This procedure is based on the example customizing project in How to Create Customizing Projects
and Project IMGs.

1. Create an IMG Project (See section More Information)
   Before you can create a role for scenario-specific configuration, you need to create an IMG project.
   This project is the basis for role configuration as it contains all transactions you run later on.
2. Create a Role in Transaction PFCG
   a) Choose transaction PFCG.
   b) Enter a role name in your name space, for instance: ZROLE_IMG_MYPROJECT and choose button
      Single Role.
   c) Enter a description for your role, for instance: IMG project: Implementation/Upgrade as of
      ST SP15.
   d) Save your role.

   Note
   You are asked for a transport request.
3. Define Configuration Transactions for Your IMG Project
   In role creation, transactions form the basis to easily maintain all necessary authorization objects.
   When you enter a transaction in the menu tab in your role, the system traces all authorization
   objects required for this transaction.
   a) To receive all transactions which are contained in the customizing project, choose in the
      menu: Utilities -> Customizing auth.
   b) In the dialog box that appears, choose button Add to attach your customizing project or
      customizing project view. In our case, we choose the customizing view that was created.
   c) In the various dialog boxes, choose your customizing project or customizing project view, in
      our case myproject.
      The system automatically assigns all relevant transactions and authorization objects for your
      customizing project or customizing project view.
   d) Confirm your project assignment.
4. Maintain Authorization Objects
   Authorization object defaults delivered by SAP contain minimal authorizations. To grant full
   authorization for the corresponding authorization objects, you need to maintain these objects.
   a) In the Role Maintenance, choose tab Authorizations.
   b) Choose button Change.
   c) Maintain all activity values per authorization object according to your needs, for instance if you
      want to grant full authorization, always choose all activities.

   Caution
   All authorization objects need to receive a green traffic light. Be aware that the authorization
   trace does not trace values for critical authorization objects S_RFC and S_TABU_DIS.

   d) Generate the profile.
   e) To assign this profile to a user, choose tab User, add your user in the table and execute the
      user comparison.
   f) Save.

Result
You have now created a role for your specific IMG configuration project.

Caution
If a project or a project view was assigned to a role, you cannot manually assign any transactions to
this role and vice versa. You should therefore only use the role to generate and assign Customizing
authorizations.
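
The Cautions on authorization value “*” for S_RFC and S_TABU_DIS (in Roles for Basic Configuration of Solution Manager, and in step 4 of this procedure, where the trace does not record values for these objects) can be checked on an export of the role's authorization values. The Python script below is an added example, not SAP code and not part of the original guide; the CSV layout, the INACTIVE column, the authorization names (T001 and so on) and the role names other than ZROLE_IMG_MYPROJECT are assumptions constructed for illustration. DICBERCLS is the authorization-group field of S_TABU_DIS.

```python
import csv
import io

# Constructed sample export: one row per maintained field value.
# Column names and the INACTIVE marker ("X" = deactivated in the role)
# are assumptions for this example, not a documented SAP file format.
SAMPLE_EXPORT = """\
ROLE,OBJECT,AUTH,FIELD,LOW,INACTIVE
ZSM_BASIC_SETTINGS,S_RFC,T001,RFC_NAME,*,
ZSM_BASIC_SETTINGS,S_RFC,T001,ACTVT,16,
ZSM_BASIC_SETTINGS,S_TABU_DIS,T002,DICBERCLS,*,
ZSM_BASIC_SETTINGS,S_TABU_DIS,T002,ACTVT,02,
ZSM_BASIC_SETTINGS,S_RFCACL,T003,RFC_SYSID,*,
ZROLE_IMG_MYPROJECT,S_RFC,T010,RFC_NAME,SYST,
ZROLE_IMG_MYPROJECT,S_RFC,T010,RFC_NAME,SCCA,
ZROLE_IMG_MYPROJECT,S_RFC,T010,ACTVT,16,
ZROLE_IMG_MYPROJECT,S_TABU_DIS,T011,DICBERCLS,SS,
ZROLE_IMG_MYPROJECT,S_TABU_DIS,T011,ACTVT,03,
ZROLE_IMG_MYPROJECT,S_RFCACL,T012,RFC_SYSID,*,X
ZSM_RFC_READ,S_RFC,T020,RFC_NAME,SD*,
"""

# Objects whose named field must not be left at "*" after configuration.
WATCHED_FIELDS = {"S_RFC": "RFC_NAME", "S_TABU_DIS": "DICBERCLS"}
# Objects that are reported whenever they are still active in a role.
PRESENCE_ONLY = {"S_RFCACL"}


def audit(export_text):
    """Return sorted (role, object, detail) findings for critical authorizations."""
    findings = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row["INACTIVE"] or "").strip().upper() == "X":
            continue  # deactivated authorizations grant nothing
        role, obj = row["ROLE"].strip(), row["OBJECT"].strip()
        field, low = row["FIELD"].strip(), row["LOW"].strip()
        if obj in PRESENCE_ONLY:
            findings.add((role, obj, "active in role"))
        elif WATCHED_FIELDS.get(obj) == field:
            if low == "*":
                findings.add((role, obj, f"{field}=* (full authorization)"))
            elif low.endswith("*"):
                findings.add((role, obj, f"{field}={low} (generic value)"))
    return sorted(findings)


if __name__ == "__main__":
    for role, obj, detail in audit(SAMPLE_EXPORT):
        print(f"{role:22} {obj:12} {detail}")
```

The role restricted to function groups SYST and SCCA, with S_RFCACL deactivated, produces no findings; the copy of the basic settings template is reported for all three objects.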

More Information
- on configuration and on how to create an IMG project, see:
  - Document: How to Create Customizing Projects and Project IMGs on the Service Marketplace:
    http://service.sap.com/solutionmanager Media Library Technical Papers.
  - Configuration Guide for SAP Solution Manager on the Service Marketplace:
    http://service.sap.com/instguides SAP Components Solution Manager
    <current release>.

6.4 Authorization Roles and Profiles for End Users

6.4.1 Roles for Infrastructure

The following paragraph gives you an overview of the roles relevant for infrastructure.

Caution
Roles for System Landscape Directory (SLD) and so on, are not mentioned here.
See the SAP Solution Manager installation guide in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>
or, for SLD, also http://sdn.sap.com SAP NetWeaver Capabilities Lifecycle Management
Application Management System Landscape Directory .

Features
Data Model

Name | Type | Remark
SAP_DMDDEF_DIS | ABAP | Display authorization for data model

System Landscape Maintenance (Transaction SMSY)
In transaction SMSY you maintain databases, servers, systems, logical components and solutions.

Name | Type | Remark
SAP_SMSY_ALL | ABAP | Full authorization for transaction SMSY, maintenance of systems, servers, databases and logical components
SAP_SMSY_DISP | ABAP | Display authorization for transaction SMSY

Solution
A solution can be regarded as a container for systems, according to either the business process
running via various systems, or the system type.

Note
You can display the Solution ID in Work Center Solution Manager Administration Solutions or via
transaction SOLUTION_MANAGER Solution Overview Goto Technical Information .

Name | Type | Remark
SAP_SM_SOLUTION_ALL | ABAP | Full authorization for solutions
SAP_SM_SOLUTION_DIS | ABAP | Display authorization for solutions

Example

- Problem: Maintain One Solution and Display All Other Solutions
  User A needs to use Maintenance Optimizer for a number of systems, which are in solution
  XXX. The user should not be able to change or maintain any data in other existing solutions,
  but should be able to display them.
  Solution: Role SAP_SM_SOLUTION_DIS needs to be maintained in authorization object
  D_SOL_VSBL. D_SOL_VSBL needs to be copied and maintained with act. 02 and solution ID for
  solution XXX. The role for Maintenance Optimizer SAP_MAINT_OPT_ADMIN is assigned as well.
  Explanation: D_SOL_VSBL with 03 + * and 02 + XXX gives authorization to display all solutions
  but only editing rights for one. The user is only able to work with Maintenance Optimizer for the
  solution with editing rights.
- Problem: Create Solution and Display Others
  User A should be able to create solutions and display XXX and YYY.
  Solution: In role SAP_SM_SOLUTION_ALL authorization object D_SOL_VSBL can be maintained as
  follows: remove activities 02 + 06 (leaving 01 + 03) for solution IDs for XXX and YYY.
  Explanation: Activity 01 is independent of solution IDs. Activity 03 grants display only for
  the specified solutions.
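
The two D_SOL_VSBL cases above can be worked through with a small model of the authorization check. The Python code below is an added example, not SAP code and not part of the original guide; the class and attribute names are assumptions, solution ID ZZZ is constructed, and the model only covers the activity and solution ID values the example mentions. It also shows why the object has to be copied rather than extended: values maintained in one copy are combined with each other, while separate copies are evaluated independently.

```python
from dataclasses import dataclass

# Activity codes as the example uses them: 01 create, 02 change, 03 display.
CREATE, CHANGE, DISPLAY = "01", "02", "03"


@dataclass(frozen=True)
class SolutionAuth:
    """One maintained copy of D_SOL_VSBL inside a role (names are assumptions)."""
    activities: frozenset  # activity codes, or {"*"}
    solutions: frozenset   # solution IDs, or {"*"}


def _covers(granted, value):
    """True if the maintained values cover `value`; '*' and 'ABC*' are generic."""
    for g in granted:
        if g == "*" or g == value:
            return True
        if g.endswith("*") and value.startswith(g[:-1]):
            return True
    return False


def is_allowed(auths, activity, solution_id=None):
    """Copies of the object are ORed; the fields inside one copy are ANDed."""
    for auth in auths:
        if not _covers(auth.activities, activity):
            continue
        if activity == CREATE:
            return True  # per the example: activity 01 is independent of solution IDs
        if solution_id is not None and _covers(auth.solutions, solution_id):
            return True
    return False


def rights(auths, solution_ids):
    """Change/display rights per solution ID, as a dict of activity lists."""
    return {
        sid: [a for a in (CHANGE, DISPLAY) if is_allowed(auths, a, sid)]
        for sid in solution_ids
    }


# Problem 1: display everything (03 + *), change only XXX (02 + XXX), two copies.
PROBLEM_1 = [
    SolutionAuth(frozenset({DISPLAY}), frozenset({"*"})),
    SolutionAuth(frozenset({CHANGE}), frozenset({"XXX"})),
]

# The same values maintained in ONE copy: 02 now pairs with "*" as well.
MERGED_INTO_ONE_COPY = [
    SolutionAuth(frozenset({CHANGE, DISPLAY}), frozenset({"*", "XXX"})),
]

# Problem 2: activities 01 + 03 for solution IDs XXX and YYY.
PROBLEM_2 = [
    SolutionAuth(frozenset({CREATE, DISPLAY}), frozenset({"XXX", "YYY"})),
]

if __name__ == "__main__":
    print("two copies :", rights(PROBLEM_1, ["XXX", "YYY"]))
    print("one copy   :", rights(MERGED_INTO_ONE_COPY, ["XXX", "YYY"]))
    print("problem 2  :", rights(PROBLEM_2, ["XXX", "YYY", "ZZZ"]),
          "create:", is_allowed(PROBLEM_2, CREATE))
```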

Solution Directory
The Solution Directory can be regarded as a repository for solutions. You can specify business
processes for your solution, and/or transfer business processes from a project to your solution.
Name | Type | Remark
SAP_SOLMAN_DIRECTORY_ADMIN | ABAP | Administer data in Solution Directory
SAP_SOLMAN_DIRECTORY_EDIT | ABAP | Maintain data in Solution Directory
SAP_SOLMAN_DIRECTORY_DISPLAY | ABAP | Display data in Solution Directory

Solution Transfer

Name | Type | Remark
SAP_SOLUTION_TRANSFER | ABAP | Authorization to transfer solutions

Note
Solution Transfer: When you transfer solutions, all productive data of your chosen solutions is
transferred by default. When you make your solution known to SAP, its data is regularly updated by
a background job. For each solution, you can decide whether you want to transfer only productive
data, all data or no data. To disable it, see SAP Note 920153. During transfer, data is downloaded to
SAP via transaction DMD_OPEN. This data package is only partially read and used by SAP. The system
bundles information about logical components and business processes at SAP, per customer. To view
the data of a solution, use report RDSMOP_VIEW_SOLUTION_XML to save the information sent to SAP as
an XML file on your local PC. You can then use the Internet Explorer to view this XML file.

Service Connection

Name | Type | Remark
SAP_SERVICE_CONNECT | ABAP | Authorizations for Service Connection and SAProuter
SAP_SERVICE_CONNECT_DISP | ABAP | Display authorizations for Service Connection

More Information
for a detailed explanation of roles for infrastructure, see the link in IMG activity: Information and
Configuration Prerequisites for System Landscape (technical name: SOLMAN_SYST_INFORMAT)

6.4.2 Roles for Implementation and Upgrade

The Implementation and Upgrade scenario contains a number of functions in combination. Other features
can complement the possible functions.

Features
Implementation and Upgrade Functions in the Solution Manager System
Roles for Implementation and Upgrade are predefined Composite Roles (technical abbreviation: *_COMP)
for business-related roles such as Project Manager (technical abbreviation: *_PM_*) or Technical
Consultant (technical abbreviation: *_TC_*). Composite roles are a set of individual roles that are
relevant for the business role.

Caution
Individual roles for Testing are only relevant for the standard testing functionality. There are
additional roles for Test Management in: Roles for Test Management.

Name Type Remarks
SAP_SOL_PM_COMP ABAP composite role Organize and plan a project
SAP_SOL_AC_COMP ABAP composite role Create business content and document operational activities
SAP_SOL_TC_COMP ABAP composite role Perform technical configuration
SAP_SOL_BC_COMP ABAP composite role Develop customer-specific programs and authorizations
SAP_SOL_RO_COMP ABAP composite role Read-only authorization for SAP Solution Manager
SAP_SOL_RE_COMP ABAP composite role Read user by status (document management)


Example

n Problem: Restrict System Landscape
The system administrator creates the system landscape for your project. The project manager
maintains all other data for the project, in the project administration. Your system administrator
should not have access to other project data than the system landscape information.
Solution: In role SAP_SOL_PROJ_ADMIN_* (in composite role SAP_SOL_*_COMP), the user should
have the value 03 (display) for authorization object S_PROJECT, and the value SYST (access to
system landscape maintenance in a project) for authorization object S_PROJ_GEN.
n Problem: Change Request Management Activation
The technical consultant for the implementation of Change Request Management in the project
is responsible for activating the functionality in a template project. This can be done in the
project administration (transaction: SOLAR_PROJECT_ADMIN), but the user should not be able to
maintain any other data for the project, in the project administration.
Solution: In role SAP_SOL_PROJ_ADMIN_* (in composite role SAP_SOL_*_COMP), the user should
have the value 03 (display) for authorization object S_PROJECT, and the value PROJ (project) for
authorization object S_CTS_ADMI.

E-Learning Management
Name Type Remarks
SAP_SOL_TRAINING_ALL ABAP Individual role (in SAP_SOL* composite roles), to use E-Learning management tool
SAP_SOL_TRAINING_EDIT ABAP Individual role (in SAP_SOL* composite roles), to use E-Learning management tool

Document Management
Roles in SAP Solution Manager System
You can control the access rights to documents in the project by assigning authorizations for
groups of documents, for instance you can specify that only the project management can change
documentation templates. The system saves Solution Manager documents in folders.
Name Type Remarks
SAP_SOL_KW_ALL ABAP Individual role (in SAP_SOL* composite roles), to:
n administer, create, edit, and delete documents during implementation and upgrade
n administer, create, edit, and delete documents in test management
n use Help Center functionality
(authorization object S_IWB with full authorization)
SAP_SOL_KW_READ ABAP Individual role (in SAP_SOL* composite roles), to read documents
(authorization object S_IWB with activity 33). You can display versions of a document with specified status values,
see also IMG activity Assign Status Values for Read Authorization (technical name: SOLMAN_DOC_READAUTHO)
Example
You can specify that a user can only display documents with the status Released, but not with status Review.
SAP_SOL_KW_DIS ABAP Individual role (in SAP_SOL* composite roles), to:
n display documents during implementation and upgrade
n display Help Center functionality
n display documents in test management
(authorization object S_IWB with activity 03)

Corresponding Roles in Managed Systems


Name Type Remarks
SAP_BC_WDHC_ADMINISTRATOR ABAP Authorization to administer Help Center in managed system
SAP_BC_WDHC_POWERUSER ABAP Authorization to use Help Center in managed system

Access to Knowledge Warehouse folders is controlled by the authorization object S_IWB. This
authorization object is contained in all Document Management single roles, see above table column
Remarks. If you want to restrict this authorization to a specific project, assign the project (ID) to field
IWB_FLDGRP (Folder Group).

Caution
You should keep the default values in the field IWB_AREA (area).

Example

n Problem: Digital Signature: Restrict by Authorization Group
User A can sign for the authorization group PROD (production), but not for the authorization
group QUAL (quality assurance).
Solution: In role SAP_SOL_KW_*, the user has the authorization value PROD for field SIGNAUTH,
in authorization object C_SIGN_BGR.
n Problem: Document Management: Unlock Documents
You want to allow a user to unlock documents which are locked by a status schema.
Solution: This can be controlled with the authorization object S_IWB and the activity 95.
Documents remain locked during signature procedure.
n Problem: Document Management: Restrict Project
You want users who are assigned to a project to only be able to search for, edit or display the
documents for this project.
Solution: This can be done with the combination of folder group and project authorizations.
When documents are created for a project, the system puts them in a folder group which is
assigned to the project, and its name, for instance the folder group with the name XYZ, is assigned
to the project. You restrict the following authorization objects:
l S_PROJECT with field PROJECT_ID
l S_IWB and S_IWB_ATTR with field IWB_FLDGRP
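The combination of project and folder-group authorizations in the last example can be modelled as follows. This is an added example, not SAP code: the evaluator is a simplified model of an authorization check, and the activity field name ACTVT, the project IDs PROJ_XYZ and PROJ_ABC, the folder group ABC and the sample users are assumptions.

```python
import re


def _matches(pattern, value):
    # '*' is the only wildcard modelled here; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


class Authorization:
    """One authorization: an object name plus the values maintained per field."""

    def __init__(self, obj, **fields):
        self.obj = obj
        self.fields = {name: tuple(values) for name, values in fields.items()}

    def covers(self, obj, wanted):
        """True if this single authorization allows every requested field value."""
        if obj != self.obj:
            return False
        return all(
            any(_matches(pattern, value) for pattern in self.fields.get(field, ()))
            for field, value in wanted.items()
        )


def authority_check(auths, obj, **wanted):
    """Pass only if ONE authorization covers all requested fields.

    Values are never combined across two authorizations of the same object.
    """
    return any(a.covers(obj, wanted) for a in auths)


def can_access_document(auths, project_id, folder_group, activity):
    """Assumed check sequence: project authorization AND folder-group authorization."""
    return (authority_check(auths, "S_PROJECT", PROJECT_ID=project_id)
            and authority_check(auths, "S_IWB", ACTVT=activity,
                                IWB_FLDGRP=folder_group))


# Objects and fields the page says to restrict for project-scoped access.
PROJECT_SCOPE_FIELDS = {
    "S_PROJECT": "PROJECT_ID",
    "S_IWB": "IWB_FLDGRP",
    "S_IWB_ATTR": "IWB_FLDGRP",
}


def restriction_gaps(auths):
    """Return (object, field) pairs that are still maintained as a bare '*'."""
    gaps = []
    for a in auths:
        field = PROJECT_SCOPE_FIELDS.get(a.obj)
        if field and "*" in a.fields.get(field, ()):
            gaps.append((a.obj, field))
    return gaps


# Constructed sample users. Folder group XYZ is the page's example name;
# PROJ_XYZ, PROJ_ABC and folder group ABC are placeholders.
PROJECT_MEMBER = [
    Authorization("S_PROJECT", PROJECT_ID=["PROJ_XYZ"]),
    Authorization("S_IWB", ACTVT=["03", "33"], IWB_FLDGRP=["XYZ"]),
]
# Two separate S_IWB authorizations: unlock (95) in ABC, display (03) in XYZ.
MIXED = [
    Authorization("S_PROJECT", PROJECT_ID=["PROJ_XYZ", "PROJ_ABC"]),
    Authorization("S_IWB", ACTVT=["95"], IWB_FLDGRP=["ABC"]),
    Authorization("S_IWB", ACTVT=["03"], IWB_FLDGRP=["XYZ"]),
]
# Project is restricted, but the folder group was left at '*'.
LEAKY = [
    Authorization("S_PROJECT", PROJECT_ID=["PROJ_XYZ"]),
    Authorization("S_IWB", ACTVT=["03"], IWB_FLDGRP=["*"]),
]

if __name__ == "__main__":
    print(can_access_document(PROJECT_MEMBER, "PROJ_XYZ", "XYZ", "03"))
    print(can_access_document(MIXED, "PROJ_XYZ", "XYZ", "95"))
    print(restriction_gaps(LEAKY))
```

The MIXED user shows why activity 95 must be maintained in the same authorization as the folder group it is meant for: holding 95 for ABC and 03 for XYZ does not allow unlocking in XYZ.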
Changing of Roadmaps
Name Type Remarks
SAP_RMDEF_RMAUTH_EXE ABAP For administration: change roadmaps (in addition to SAP_SOL_*_COMP)
SAP_RMDEF_RMAUTH_DIS ABAP For display: display roadmaps (in addition to SAP_SOL_*_COMP)

Solution Documentation Assistant


Name Type Remarks
SAP_SDA_ALL ABAP Full authorization: needs to be added to the corresponding composite role for Implementation and Upgrade (SAP_SOL_*_COMP) and to the work center navigation role
SAP_SDA_DIS ABAP Display authorization: needs to be added to the corresponding composite role for Implementation and Upgrade (SAP_SOL_*_COMP) and to the work center navigation role

Implementation and Upgrade Functions in Managed Systems


Some functions require roles or profiles in the managed systems.

Note
SAP-delivered roles start with SAP namespace SAP. Profiles start with S_*. Roles and profiles for
managed systems are delivered with Software Component SAP_BASIS.


Functionality Role/Profile Remarks
Customizing Distribution and Comparison SAP_BC_CUS_ADMIN Administration of customizing projects; authorization object S_RFC is missing and needs to be maintained (transaction PFCG). Values:
n ACTI: 16
n RFC_NAME: S_SOLAR_RFC_00
n RFC_TYPE: FUGR
SAP_BC_CUS_CUSTOMIZER To change customizing settings, use SAP_BC_CUS_ADMIN
S_CUS_CMP
Customizing Scout and System Landscape SAP_SOLAR_SATELITE_SCOUT Customizing Scout
SAP_SOLAR_SATELITE_SMSY System Landscape
BC Sets SAP_BCS_ACTIV Activate BC Sets; see SAP note 505603 Activate BC Sets
SAP_BCS_CREAT Create BC Sets
SAP_BCS_ADMIN Administration of BC Sets

More Information
n see IMG activity: Information and Configuration Prerequisites for Implementation (technical name:
SOLMAN_RECOMMEND)
n see IMG activity: Information and Configuration Prerequisites for Solution Documentation Assistant (technical
name: SOLMAN_SDA_INFO)

6.4.3 Roles for Custom Development Management Cockpit

Custom Development Management Cockpit can be accessed from the Implementation and Upgrade
work centers. It contains two use cases:
n Clearing Analysis
n Upgrade/Change Impact Analysis

Note
See use case description in the Application Help for SAP Solution Manager in the Help Portal:
http://help.sap.com → SAP Solution Manager.

Both use cases involve several systems. The systems are connected by RFC.


Features
Custom Development Management Cockpit
Name Type Remarks
SAP_CDMC_USER ABAP Execution authorization for CDMC
SAP_CDMC_MASTER ABAP Administration authorization for CDMC including maintaining global settings and deleting CDMC projects
SAP_CDMC_STAT_SYSTEM ABAP This role can be used for the technical user for the RFC connection to the statistics system in Clearing Analysis. It contains only the authorizations necessary for the tasks carried out on the statistics system (activation of statistics collection, import of the collected statistics to the control center, determination of empty tables, syntax check for source code objects)

6.4.4 Roles for Test Management

Test Management includes all functions relevant for testing. For detailed information about
the scenario, see the master guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides → SAP Components → SAP Solution Manager → <current release>.

Features
Test Management in the Solution Manager System
Name Type Remarks
SAP_SOL_TESTER_COMP ABAP composite role Perform tests

Caution
Basic roles for other target groups, such as product manager or application consultant, which
contain the function Testing, are included in the composite roles for implementation and upgrade.
See Roles for Implementation and Upgrade in this document. Composite roles for implementation and
upgrade contain individual roles for individual functions.

Test Workbench (Workflow) in the Solution Manager System


Name Type Remarks
SAP_STWB_WORKFLOW_CREATE ABAP Use workflow
SAP_STWB_WORKFLOW_ADMIN ABAP Administration workflow, authorization to create business partners
SAP_STWB_WORKFLOW_DIS ABAP Display workflow

Note
You must use the roles for Test Workbench Workflow in combination with the composite roles for the
scenarios Upgrade and Implementation and Test Management.

Business Process Change Analysis (BPCA) in the Solution Manager System


This function is called via the Test Management work center. See Test Management Work Center.
Name Type Remarks
SAP_SM_BPCA_RES_ALL ABAP BPCA result execution authorization
SAP_SM_BPCA_RES_DIS ABAP BPCA result display authorization
SAP_SM_BPCA_TBOM_ALL ABAP BPCA TBOM execution authorization
SAP_SM_BPCA_TBOM_DIS ABAP BPCA TBOM display authorization

Note
You must use the roles for Business Process Change Analysis in combination with:
n the composite roles for the scenario Upgrade and Implementation and/or Test Management, see Roles
for Implementation and Upgrade.
n SAP_SM_SOLUTION_*, if you work with solutions, see Roles for Infrastructure.

Test Management Roles in Managed Systems


Some functions in Test Management require corresponding roles or profiles in the managed systems.

Note
Roles delivered by SAP start with SAP namespace SAP. Profiles start with S_*. Roles and profiles for
managed systems are delivered with Software Component SAP_BASIS.

Function Role/Profile Remarks
CATT SAP_BC_CAT_TESTER Testing with CATT
SAP_BC_CAT_TESTORGANIZER Test Organization with CATT
eCatt See SAP note 519858
Test Workbench SAP_TWB_TESTER Testing with Test Workbench
SAP_TWB_COORDINATOR Coordination with Test Workbench
SAP_TWB_ADMINISTRATOR Administration with Test Workbench

Reporting Test Management in BI Client


Name Type Remarks
SAP_BI_TWB ABAP If you use an external BI system for Solution Manager reporting, you need to download this role to your PC, and upload it to your dedicated BI system, see section Roles for BI-Related Functions
SAP_SM_BI_EXTRACTOR ABAP This role is generally needed for BI-related functions, see section Roles for BI-Related Functions

More Information
n see IMG activity: Information and Configuration Prerequisites for Test Management (technical name:
SOLMAN_INFO_TEST)

n see IMG activity: Information and Configuration Prerequisites for Test Workbench (technical name:
SOLMAN_TEST_WF_INFO)

6.4.5 Roles for System Monitoring and System Administration

Roles for System Monitoring and System Administration include setup and/or operations of
EarlyWatch Alert, Service Level Reporting, System Monitoring, and Central System Administration.
The roles SAP_SV_SOLUTION_MANAGER (full authorization) and SAP_SV_SOLUTION_MANAGER_DISP
(display authorization) have authorization for all functions/sessions. To grant authorization for all
sessions in setup use SAP_SETUP_DSWP, and for operations, SAP_OP_DSWP.

Note
Each session type is identified by a bundle ID. To get the bundle ID for a session type:
1. Open the session in the Solution Manager.
2. Choose Goto → Technical Information.
The bundle ID is in the field Session Package/Version.


Features
Roles and Profiles for Service Data Control Center (Transaction SDCCN) in the Solution
Manager System and Managed System
Roles/profiles for Service Data Control Center (SDCCN) are relevant for EarlyWatch Alert. SDCCN must
be active in the Solution Manager system and in the managed systems.

Note
Roles and profiles for managed systems are delivered with Software Component ST-PI. For systems
with SAP NW >=6.10, use SDCCN roles (for instance SAP_SDCCN_ALL), for systems with SAP NW < 6.10,
use profiles (for instance profile S_SDCCN_ALL).

Role Name Profile Name Type Remarks
SAP_SDCCN_ALL S_SDCCN_ALL ABAP Service Data Control Center Administration, change setup
SAP_SDCCN_DIS S_SDCCN_DIS ABAP Service Data Control Center display only
SAP_SDCCN_EXE S_SDCCN_EXE ABAP Maintain Service Data Control Center

EarlyWatch Alert in Solution Manager


Name Type Remarks
SAP_SETUP_DSWP_EWA ABAP Full authorization for EarlyWatch Alert session in operations setup (according to bundle ID)
SAP_OP_DSWP_EWA ABAP Full authorization for EarlyWatch Alert session in operations (according to bundle ID)

Central System Administration in Solution Manager


Name Type Remarks
SAP_SETUP_DSWP_CSA ABAP Full authorization for Central Service Administration session in operations setup (according to bundle ID)
SAP_OP_DSWP_CSA ABAP Full authorization for Central Service Administration session in area operations (according to bundle ID)


Example

n Problem: Restrict Session
The authorization object D_SOLMANBU controls the activities allowed for each session (bundle ID).
You want to restrict access to the self-service SAP EarlyWatch Health Check. SAP delivers no default
role for this session.
Solution: Copy role SAP_OP_DSWP, and maintain authorization object D_SOLMANBU. Enter bundle
ID EW_SELF.
n Problem: Restrict Monitoring Graphic
You want the user to be able to display the monitoring graphic, but you want to grant no further
access to alerts or CSA sessions.
Solution: Remove activities 80 and 81 from role SAP_OP_DSWP in authorization object
D_SOLM_ACT.

System Monitoring in Solution Manager


Name Type Remarks
SAP_SETUP_DSWP_SM ABAP Full authorization for System Monitoring session in operations setup (according to bundle ID)
SAP_OP_DSWP_SM ABAP Full authorization for System Monitoring session in area operations setup (according to bundle ID)

System Monitoring and/or Central System Administration in Managed Systems


Name Type Remarks
SAP_BC_BASIS_ADMIN ABAP Contains main transactions for basis administration

Service Level Reporting in Solution Manager


Name Type Remarks
SAP_SETUP_DSWP_SLR ABAP Full authorization for Service Level Reporting session in operations setup (according to bundle ID)
SAP_OP_DSWP_SLR ABAP Full authorization for Service Level Reporting session in operations (according to bundle ID)

Solution Reporting in Solution Manager


Name Type Remarks
SAP_SOL_REP_ADMIN ABAP Authorization for reporting and maintaining system availability data
SAP_SOL_REP_DISP ABAP Authorization for report execution and display only

More Information
see IMG activity: Information and Configuration Prerequisites for System Monitoring and Administration (technical
name: SOLMAN_SYSADM_INFO)

6.4.6 Roles for Downtime Management

This paragraph gives you an overview of the roles for Downtime Management.

Features
Downtime Management
Name Type Remarks
SAP_SM_DTM_ALL ABAP Full authorization for Downtime Management
SAP_SM_DTM_DIS ABAP Display authorization for Downtime Management

6.4.7 Roles for Master Data Management

You can use the Master Data Management (MDM) Administration Cockpit in Solution Manager via the
System Administration work center, see section System Administration Work Center.

Features
The following roles are relevant for the Master Data Management (MDM) Administration Cockpit:
Issue Management


Name Type Remarks
SAP_SM_ADMIN_COMPONENT_ALL ABAP Full authorization for all activities for authorization object MDM_ADMIN. Allows the user to see the list of MDM servers and repositories for an MDM system and their status in the MDM Administration Cockpit:
n Display status of MDM servers
n Start and stop MDM server
n Display status of MDM repositories
n Load / unload MDM repository
n Archive, verify, repair repository
SAP_SM_ADMIN_COMPONENT_EXE ABAP Execution authorization for authorization object MDM_ADMIN
SAP_SM_ADMIN_COMPONENT_DIS ABAP Display authorization for authorization object MDM_ADMIN

Main authorization object is MDM_ADMIN.

Note
The roles do not substitute the MDM repository security concept but extend it to the ABAP
environment. The MDM repository role assigned to the user should allow at least the same activities
that are allowed by the SAP_SM_ADMIN_COMPONENT_* role. Otherwise, a user cannot perform the
activity with the MDM Administration Cockpit.

Caution
Roles SAP_SM_ADMIN_COMPONENT_ALL and SAP_SM_ADMIN_COMPONENT_EXE contain authorization
object S_RFC_ADM with activity 06 delete. This authorization allows you to delete all RFC destinations
of type G (HTTP to external server), except the RFC destination with naming convention MDM*. See
also SAP Note 1270045.

Integration
MDM is tightly integrated with the Database Administration (DBA) Cockpit and Downtime Management
(DTM). If you use DBA with MDM, you need to assign the DBA roles, see section Roles for Database Administration
Cockpit.


6.4.8 Roles for Database Administration Cockpit

You can access the Database Administration (DBA) Cockpit via the Master Data Management
Administration Cockpit and the System Administration and Root Cause Analysis work centers in
Solution Manager.

Features
Database Administration
Name Type Remarks
Role SAP_DBA_DISP, profile S_DBA_DISP ABAP Display authorization for DBA Cockpit

6.4.9 Roles for Job Scheduling Management

Roles for Job Scheduling Management are listed below.

Note
For roles required for integration with Service Desk and/or Change Request Management, see
sections: Roles for Service Desk and Roles for Change Request Management.

Features
Job Scheduling Management
Name Type Remarks
SAP_SM_SCHEDULER_ADMIN ABAP Full authorization including communication to external tool
SAP_SM_SCHEDULER_EXE ABAP Execution authorization including communication to external tool
SAP_SM_SCHEDULER_DIS ABAP Display authorization

Integration
Job Scheduling Management can be integrated with SAP CPS, see section Roles for Third Party Integration.

More Information
see IMG activity: Information and Configuration Prerequisites for Job Scheduling Management (technical name:
SOLMAN_JSCHED_INFORM)


6.4.10 Roles for Business Process Operations

Business Process Operations roles are listed below.

Features
Business Process Operations
Name Type Remarks
SAP_SETUP_DSWP_BPM ABAP Full authorization for Business Process Operations session in operations setup (according to bundle ID)
SAP_OP_DSWP_BPM ABAP Full authorization for Business Process Operations session in operations (according to bundle ID)
SAP_SV_SOLUTION_MANAGER ABAP Full authorization for all sessions in operations and operations setup
SAP_SV_SOLUTION_MANAGER_DISP ABAP Display authorization for all sessions in operations and operations setup

You can restrict access to Data Consistency Management and Data Volume Management (see section Work Center
Business Process Operations), using authorization object SM_BPM_AUT. By default, Data Volume Management
(DVM) is deselected. If you want to use Data Volume Management, you need to select DVM in the
authorization object.

Note
Each session type is identified by a bundle ID which must be entered in field DSWPBUNDLE in
authorization object D_SOLMANBU. You can get the bundle ID for a session type as follows:
1. Open the session in the Solution Manager.
2. Choose Goto → Technical Information.
The bundle ID is in the field Session Package/Version.

More Information
see IMG activity: Information and Configuration Prerequisites for Business Process Monitoring (technical name:
SOLMAN_BPM_INFO).


6.4.11 Roles for SAP Engagement and Service Delivery

You can assign roles for SAP Engagement and Service Delivery to your end-users and SAP Support
employees. Roles for SAP Engagement and Service Delivery are composite roles, which contain a
number of individual roles. The following paragraphs give you an overview of the two composite
roles and their individual roles. You should assign these roles to the user in your system which you
created for SAP Support employees. See User SAPSUPPORT in this document.

Note
See also SAP Note 872800.

Features
SAP Engagement and Service Delivery
For SAP Engagement and Service Delivery, SAP provides two main composite roles which
contain a number of individual roles. SAP_SOLMAN_ONSITE_ALL_COMP grants more authorization
than SAP_SOLMAN_ONSITE_COMP. You can assign either SAP_SOLMAN_ONSITE_ALL_COMP or
SAP_SOLMAN_ONSITE_COMP. Role SAP_SOLMAN_ONSITE_ALL_COMP is automatically assigned to user
SAPSUPPORT during automatic configuration of Solution Manager basic settings.

Name Type Remarks
SAP_SOLMAN_ONSITE_COMP ABAP composite role Authorizations include:
n assign to a solution logical components and systems, but not create or edit
n full authorization for Issue Management
n create projects
n create scenarios, business processes and steps
n open Business Process maintenance, contact maintenance and services
n full authorization for reporting (transaction SOLAR_EVAL)
n full authorization for Test Management
n display Root Cause Analysis, run transactions
n transaction for System Landscape Optimization (SLO) Analytic Service
Note
Extra authorization object is not required, as execution requires GUID, which is protected. The system does not store data of previous runs
see section User SAPSUPPORT
SAP_SOLMAN_ONSITE_ALL_COMP ABAP composite role Additional and extended authorizations include:
n create solutions, logical component, and systems
n change authorization for Data Transfer Configuration
n authorization for transactions SE16 and SU01D
n transaction for System Landscape Optimization (SLO) Analytic Service
see section User SAPSUPPORT

Example
You want SAP employees to support you, but they should not be able to create systems,
logical components or solutions in your system. In this case, you grant composite role
SAP_SOLMAN_ONSITE_COMP.

More Information
n for up-to-date information on SAP Engagement and Service Delivery roles for SAP Support
employees, see: SAP Note 872800

Note
If one of the single roles mentioned is not contained in the composite role, include the
corresponding single role in the composite role according to your requirements.

n on basic configuration of SAP Solution Manager, see configuration guide for Solution Manager in
the Service Marketplace: http://service.sap.com/instguides → SAP Components → SAP Solution
Manager → <current release>
n on roles for SAP Change and Transport Analysis Sessions, see SAP Note 1074808


6.4.12 Roles for Issue Management

The following paragraph gives you an overview of roles for Issue Management.

Features
Issue Management
Name Type Remarks
SAP_ISSUE_MANAGEMENT_ALL ABAP Full authorization for Issue Management
SAP_ISSUE_MANAGEMENT_EXE ABAP Operations authorization for Issue Management
SAP_ISSUE_MANAGEMENT_DIS ABAP Display authorization for Issue Management

More Information
about Issue Management, see IMG activity: Information and Configuration Prerequisites for Issue Management
(technical name: SOLMAN_ISSUE_INFORMA)

6.4.13 Roles for Service Desk

These roles allow your end users to use the Service Desk.

Features
Service Desk
Name Type Remarks
SAP_SUPPDESK_ADMIN ABAP Authorization to configure the Service Desk, and authorizations for the roles: SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE
Note
To maintain actions, you also need the role SAP_PPF_CONFIGURATOR
SAP_SUPPDESK_PROCESS ABAP Authorization for message (notification) processing, including the use of the solution database
SAP_SUPPDESK_CREATE ABAP Create support messages from the satellite systems or in the central SAP Solution Manager system. If a generic RFC user creates notifications in the SAP Solution Manager system (the user is specified in the RFC destination in transaction SM59 in the managed satellite systems), you only have to assign the role to this generic RFC user.
SAP_SUPPDESK_DISPLAY ABAP Display user

More Information
for Service Desk, see IMG activity Information and Configuration Prerequisites for Service Desk (technical name:
SOLMAN_SD_INFORMATIO).
for Service Provider, see IMG activity Information and Configuration Prerequisites for Service Provider (technical
name: SOLMAN_SERVICEDESKINFO).

6.4.14 Roles for Change Control (Maintenance Optimizer)

The Maintenance Optimizer guides you through the planning, downloading, and implementation
of SAP support packages and patches for your managed systems.

Features
Maintenance Optimizer
Name Type Remarks
SAP_MAINT_OPT_ADMIN ABAP Full authorization for Maintenance Optimizer
SAP_MAINT_OPT_DISP ABAP Display authorization for Maintenance Optimizer
SAP_MAINT_OPT_ADD ABAP Authorization to write Stack Delta XML folder into the EPS Outbox of the operating system of Solution Manager (Stack Delta XML folders are relevant for JSPM (Java Support Package Manager) and SAP Jup (SAP Java Upgrade) in Java systems).


Integration
In the planning phase of Maintenance Optimizer, you can start a guided procedure to install your
downloaded packages. This procedure is in the function Change Request Management, see section
Roles for Change Request Management.

More Information
see IMG activity: Maintenance Optimizer (technical name: SOLMAN_MAINT_OPTIMIZ).

6.4.15 Roles for Change Request Management

Change Request Management manages your entire SAP Solution Manager projects (maintenance,
implementation, template, and upgrade), from change management and project planning, through
resource management and cost control, to physical transport of changes from the development
environment into the productive environment. Roles for Change Request Management are
business-oriented.

Features
Change Request Management
Name Type Remarks
SAP_CM_CHANGE_MANAGER_COMP ABAP composite role Approve or reject change requests
SAP_CM_DEVELOPER_COMP ABAP composite role Corrections in the development system; corrections in the maintenance and development systems
SAP_CM_TESTER_COMP ABAP composite role Test corrections in the test system; test and validate corrections
SAP_CM_OPERATOR_COMP ABAP composite role Import corrections into the production system; task lists
SAP_CM_PRODUCTIONMANAGER_COMP ABAP composite role Import corrections into the production system; Approve imports into the production systems
SAP_SOCM_REQUESTER ABAP Create change requests
SAP_CM_ADMINISTRATOR_COMP ABAP composite role Customize and check Change Request Management functions; administrative and technical maintenance; the task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections; in particular, the Schedule Manager task lists

Schedule Manager
Developer Tester Prod. Manager Operator Administrator
Display X X X X X
Create X X
Change X
Delete X
Run X X X X X
Change status X X X X X

Quality Gate Management (only relevant for Change Request Management Work Center)
Name Type Remarks
SAP_SM_QGM_ALL ABAP Quality Gate Manager
SAP_SM_QGM_TRANSPORT ABAP User for Transport Activities
SAP_SM_QGM_STATUS_QM ABAP User to Set Q-Gate Status (QM)
SAP_SM_QGM_STATUS_QAB ABAP User to Set Q-Gate Status (QAB)

Roles and Profiles in Managed System


Role (Release >= 610) Profile (Release < 610) Remarks
SAP_CHANGEMAN_DEVELOPER S_TMW_DEVELO Authorizations for developers; role and profile contain CTS authorizations for developers: no authorization to create transport requests, and no authorization to release transport requests, but to create and release tasks.
SAP_CHANGEMAN_OPERATOR S_TMW_OPERA Authorizations for operators; role and profile contain CTS authorizations for operators: all transport authorizations; no configuration authorizations
SAP_CHANGEMAN_ADMIN S_TMW_ADMIN Authorizations for administrators; role and profile contain CTS authorizations for administrators: all authorizations in the CTS (including configuration)

The following table shows which transport methods are assigned to the background users in the
target client and in client 000, in Change Request Management. It also indicates which roles are
required for real users when using trusted RFC destinations:
Transport Methods
Create Request Create Task Release Task Release Request Import Request
Target Client User in SOLTMW<SID><CLNT> X X X X
Target Client User Operator; Administrator Operator; Administrator Developer, Operator; Administrator Operator; Administrator
Client 000 User in TMSADM X
Client 000 User Operator; Administrator

Note
(*) If you want developers in the Change Request Management scenario to start imports into a test
system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of
the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which
are in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical
systems. The system where you want to start the import automatically must have the same transport
directory as its preceding system.


Integration
- Import Authorization Checks
  Change Request Management uses the import functions of the Transport Management System
  (TMS). The TMS remote infrastructure is based on RFC connections that point only to the client 000
  of a target system, so operators and administrators must have users in both the client into which
  changes are imported, and in the client 000 of these systems.
- Automatic Imports
  Imports must sometimes be performed automatically in test systems. If you want developers in
  the Change Request Management scenario to start imports into a test system automatically, you
  must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since
  S_TMW_IMPORT does not contain any authorization objects, you have to assign it the authorizations
  S_CTS_IMPALL and S_CTS_IMPSGL, which are also in the authorization object S_CTS_ADMI.

Caution

- It is now possible to start an import into this system from any satellite system in your domain
  with the CPIC user TMSADM, so do not use this method in production or other security-critical
  systems.
- The system where you want to start the import automatically must have the same transport
  directory as its preceding system. If the transport directories were different, the user who starts
  the import would need addtobuffer authorization for buffer adjustment, which would present a
  security risk not only for the system concerned, but also for the whole landscape (including the
  production system).
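
The two conditions in this Caution can be checked against an export of profile assignments. The following Python check is an added example, not part of the SAP guide; the input layout, the system IDs, the paths and the `security_critical` flag are assumptions constructed for illustration, and only the configured transport directory values are compared.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class System:
    sid: str
    security_critical: bool       # True for production and comparable systems
    transport_dir: str            # transport directory (profile parameter DIR_TRANS)
    predecessor: Optional[str]    # SID of the preceding system, None for the first one


# Constructed sample landscape (all SIDs and paths are illustrative).
LANDSCAPE = {s.sid: s for s in (
    System("DEV", False, "/usr/sap/trans", None),
    System("QAS", False, "/usr/sap/trans/", "DEV"),
    System("QA2", False, "/usr/sap/trans_qa2", "DEV"),
    System("PRD", True, "/usr/sap/trans", "QAS"),
)}

# Constructed export of profile assignments: (SID, client, user, profile).
ASSIGNMENTS = [
    ("QAS", "000", "TMSADM", "S_TMW_IMPORT"),
    ("QA2", "000", "TMSADM", "S_TMW_IMPORT"),
    ("PRD", "000", "TMSADM", "S_TMW_IMPORT"),
    ("PRD", "100", "OPERATOR1", "S_TMW_OPERA"),
]


def audit_auto_import(landscape, assignments):
    """Return (SID, finding) pairs for systems where TMSADM in client 000
    holds S_TMW_IMPORT although one of the guide's two conditions is violated."""
    findings = []
    for sid, client, user, profile in assignments:
        if (client, user.upper(), profile.upper()) != ("000", "TMSADM", "S_TMW_IMPORT"):
            continue
        system = landscape.get(sid)
        if system is None:
            findings.append((sid, "SYSTEM_NOT_IN_LANDSCAPE"))
            continue
        # Condition 1: not in production or other security-critical systems.
        if system.security_critical:
            findings.append((sid, "SECURITY_CRITICAL_SYSTEM"))
        # Condition 2: same transport directory as the preceding system.
        if system.predecessor is None:
            continue
        predecessor = landscape.get(system.predecessor)
        if predecessor is None:
            findings.append((sid, "PREDECESSOR_NOT_IN_LANDSCAPE"))
        elif (posixpath.normpath(system.transport_dir)
              != posixpath.normpath(predecessor.transport_dir)):
            findings.append((sid, "TRANSPORT_DIR_MISMATCH"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_auto_import(LANDSCAPE, ASSIGNMENTS):
        print(f"{sid}: {finding}")
```
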

6.4.16 Roles for Root Cause Analysis

The following tables display all roles that end users need for Root Cause Analysis (for roles for
technical users such as user SMD_RFC, see the sections on technical users). Roles need to be assigned
in the following systems:
- Solution Manager system
- Managed systems
- BI client

Features
Roles/Profiles in Solution Manager System

| Name | Type | Remarks |
| --- | --- | --- |
| Profile S_RCA_DISP corresponds to role SAP_RCA_DISP | ABAP | Contains the required authorizations for user SAPSUPPORT for E2E RCA tool Exceptions, see SAP Note 828533. Profile is automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager. Role is in SAP_SOLMAN_ONSITE_ALL_COMP for user SAPSUPPORT. Caution: You must not alter this role, as it contains all mandatory authorizations for the SAPSUPPORT user. You can use this role in SAP namespace. |
| Profile S_RCA_EXE corresponds to role SAP_RCA_EXE | ABAP | Contains application-relevant authorizations for Root Cause Analysis. This role contains delta authorizations to SAP_RCA_DISP. Copy it into your own namespace and maintain it. Profile is automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager. Role is in SAP_SOLMAN_ONSITE_ALL_COMP. Example: A special user group for a certain application of RCA should be granted: SAP_RCA_DISP, ZSAP_RCA_EXE |
| Profile S_DBA_DISP corresponds to role SAP_DBA_DISP | ABAP | Authorization to display DBA Cockpit |
| SAP_SMDIAG_WIZARD | ABAP | Authorization to transfer data from Solution Manager to Root Cause Analysis tool |
| SAP_SMDIAG_TEMPLATE | ABAP | Authorization to edit templates in the Solution Manager system |
| SAP_JAVA_SUPPORT | UME | Assigned to user SAPSUPPORT for all E2E RCA tools |
| SAP_JAVA_NWADMIN_CENTRAL_READONLY | UME | Assigned to user SAPSUPPORT for E2E RCA tools Configuration and Availability |

Roles in Managed Systems

| Name | Type | Remark |
| --- | --- | --- |
| <Roles for system information and SQL Trace> | J2EE | Assigned to user SAPSUPPORT; only for managed systems with Java stack < 6.40 SP15, see SAP Note 1042450 |
| <Roles for XI application> | UME / J2EE | Assigned to user SAPSUPPORT; only for managed system with XI, see SAP Note 1042450, SAP_XI_DISPLAY_USER; SAP_XI_MONITOR |
| Role SAP_RCA_SAT_DISP | ABAP | Assigned to user SAPSUPPORT, to display RCA transactions for E2E RCA tools Exceptions and Traces. Profiles are automatically assigned during Guided Procedure of Automatic Basic Configuration of Solution Manager |
| SAP_JAVA_SUPPORT | UME | Assigned to user SAPSUPPORT for E2E RCA tools Exception, Configuration, Traces, and Availability |
| SAP_JAVA_NWADMIN_CENTRAL_READONLY | UME | Assigned to user SAPSUPPORT for E2E RCA tools Configuration and Availability |

Role in BI Client
| Name | Type | Remark |
| --- | --- | --- |
| SAP_BI_E2E | ABAP | For BI Reporting via Root Cause Analysis; assigned to user SAPSUPPORT, corresponds to profile S_SMDIAG_BI |

More Information
- For general information about Root Cause Analysis, see the master guide for SAP Solution Manager in the
  Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution
  Manager <current release>.
- For the SAPSUPPORT user, see section User SAPSUPPORT.
- For Solution Manager configuration, see the SAP Solution Manager configuration guide in the Service
  Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager
  <current release>.


6.4.17 Roles for BI-Related Reporting

BI reporting is relevant for several scenarios. For instance, it is used for Test Workbench, IT
Performance reporting and Service Sessions.

Prerequisites
You have defined your BI client. For more information about planning aspects regarding the setup
of your BI client, see the Master Guide for SAP Solution Manager on the SAP Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>.

Features
BI reporting uses the Extractor Framework (EFWK). The extractor is relevant for collecting data for BI
reporting. It can be executed remotely in the managed system, or locally in the managing system. It is
restricted by authorization object AI_DIAGE2E. The following roles must be assigned for BI reporting.
BI-relevant roles
| Name | Type | Remarks |
| --- | --- | --- |
| E2E Diagnostics | | |
| SAP_BI_E2E / SAP_SM_BI_EXTRACTOR. Caution: SAP_BI_E2E: as of EhP1, download this role from SAP Note 1260676 | ABAP | BI authorization to run E2E Diagnostics reporting (RCA). See section Roles for Root Cause Analysis |
| Test Workbench | | |
| SAP_BI_TWB / SAP_SM_BI_EXTRACTOR | ABAP | BI authorization for Test Workbench reporting, see section Roles for Test Management |
| IT Performance Reporting and KPI Reporting | | |
| Execution: SAP_BW_CCMS_REPORTING / SAP_SM_BI_EXTRACTOR | ABAP | Authorization for reporting. Note: If your BI client is the Solution Manager client, you can assign the following roles instead: SAP_OP_DSWP_SM / SAP_SM_SOLUTION_* / SAP_SM_BI_EXTRACTOR. See also section Work Center System Monitoring. |
| Setup: SAP_BW_CCMS_SETUP / SAP_PI_CCMS_SETUP / SAP_SM_BI_EXTRACTOR | ABAP | Authorization to setup reporting. Note: If your BI client is the Solution Manager client, you can assign the following roles instead: SAP_SETUP_DSWP_SM / SAP_SM_SOLUTION_* / SAP_SM_BI_EXTRACTOR. See also section Work Center System Monitoring. |
| EarlyWatch Alert Session | | |
| SAP_SM_BI_EXTRACTOR | ABAP | Authorization for user of job: SM:EXEC SERVICES. Note: Job is scheduled during setup of Solution Manager. |

Note
Role SAP_SM_BI_EXTRACTOR allows use of the extractor during setup of all BI-relevant reporting. This
role contains the following authorization objects:
- AI_DIAGE2E
- AI_CCMSBI
  Authorization object AI_CCMSBI is delivered with full authorization for KPI reporting and Test
  Workbench reporting. If you want to restrict authorization to one of these functions, you need to
  maintain the values for field CCMSBI_SCE.
If you use an external BI system, you must download role SAP_SM_BI_EXTRACTOR from the Solution
Manager system to your PC, and upload it to your BI system. In transaction PFCG, choose
menu Roles Upload/Download.

More Information
see IMG activity Information and Configuration Prerequisites for BI (technical name: SOLMAN_BI_CLIENT_INF)

6.4.18 Role for TREX Administration

TREX can be administered using the TREX Admin Tool.


Features
TREX
| Name | Type | Remarks |
| --- | --- | --- |
| SAP_BC_TREX_ADMIN | ABAP | For TREX configuration using the TREX Admin tool |

More Information
see IMG activity Information and Configuration Prerequisites (technical name: SOLMAN_TREX_INFO)

6.4.19 Roles for Third Party Integration

The following functions have interfaces to third party systems:
- Service Desk of any third party system Service Desk
- Test Management to Test Management by SAP Quality Center by HP
- Service Desk to Defect Management by SAP Quality Center by HP
- Job Scheduling Management with SAP Central Process Scheduling by Redwood
- SAP Productivity Pak by RWD
- BMC AppSight for SAP Client Diagnostics

Prerequisites
To use a third party system, such as SAP Quality Center by HP or SAP Central Process Scheduling by
Redwood, you need the corresponding adapter.

Note
See SAP Solution Manager Configuration Guide http://service.sap.com/instguides SAP
Components SAP Solution Manager <current release> .

Features
Service Desk Interface
| Name | Type | Remarks |
| --- | --- | --- |
| SAP_SUPPDESK_INTERFACE | ABAP | Authorization for bi-directional interface and configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN |

SAP Quality Center by HP (Test Management)

| Name | Type | Remarks |
| --- | --- | --- |
| SAP_QC_BY_HP_ADMIN | ABAP | Full authorization to configure, send and receive data to/from Quality Center; needs to be assigned additionally to the role for Implementation and Upgrade scenario, for instance SAP_SOL_PM_COMP |
| SAP_QC_BY_HP_EXE | ABAP | Authorization to use the Requirements tab in transaction SOLAR01, needs to be assigned additionally to the role for Implementation and Upgrade scenario, for instance SAP_SOL_AC_COMP |
| SAP_QC_BY_HP_DISP | ABAP | Display authorization; needs to be assigned additionally to the role for Implementation and Upgrade scenario, for instance SAP_SOL_RO_COMP |
| SAP_QC_INTERFACE | ABAP | Authorization for technical user |
| SAP_QC_WSDL_ACCESS | ABAP | Authorization for technical user QCALIAS for WSDL access |

SAP Quality Center by HP (Defect Management)


| Name | Type | Remarks |
| --- | --- | --- |
| SAP_SUPPDESK_INTERFACE | ABAP | Authorization for bi-directional interface and configuration; needs to be assigned in addition to the roles for the Service Desk scenario, for instance SAP_SUPPDESK_ADMIN. Recommendation: To restrict the services that can be accessed, maintain authorization field SRV_NAME in authorization object S_SERVICE. Enter the following services: ICT_SERVICE_DESK_API*, ICT_SERVICE_DESK_API_MQC* |

SAP Central Process Scheduling by Redwood

| Name | Type | Remarks |
| --- | --- | --- |
| SAP_SM_REDWOOD_COMMUNICATION | ABAP | General authorization for the technical communication user (for instance CPSCOMM) between Solution Manager and SAP Central Process Scheduler, applied to technical user in SAP Solution Manager system |
| SAP_BC_REDWOOD_COMM_EXT_SDL | ABAP | Authorization for the technical user between SAP Solution Manager and SAP Central Process Scheduler for configuration of parameter SAP_EnableRfcServer on the process server; applied to technical communication user in Solution Manager system |
| SAP_BC_REDWOOD_COMMUNICATION | ABAP | Authorization for the technical user between managed (target) system and SAP Central Process Scheduler |

Caution
If you have SAP Central Process Scheduler installed on your SAP Solution Manager Java stack, you
must also assign role SAP_J2EE_ADMIN to your technical communication user in the SAP Solution
Manager system. This authorization allows you to create the user in the UME of the Java stack.

BMC AppSight for SAP Client Diagnostics


| Name | Type | Remarks |
| --- | --- | --- |
| SAP_APPSIGHT_INTERFACE | ABAP | Authorization for technical user in SAP Solution Manager system |

Integration
For information on security issues for the individual third party products, see the product guides.

More Information
- On technical users in the Solution Manager system and managed systems, see sections on technical
  users in this guide
- On SAP Quality Center by HP Integration Test Management, see IMG activity: Information
  and Configuration Prerequisites for SAP Quality Center by HP (Test Management) (technical name:
  SOLMAN_QC_INFORMATIO)
- On SAP Quality Center by HP Integration Defect Management, see IMG activity: Information
  and Configuration Prerequisites for SAP Quality Center by HP (Defect Management) (technical name:
  SOLMAN_QC_SUPPDESK_I)
- On SAP Central Process Scheduling by Redwood, see IMG activity: Information and Configuration
  Prerequisites for SAP Central Process Scheduling (technical name: SOLMAN_REDWOOD_INFOR)
- On BMC AppSight for SAP Client Diagnostics, see IMG activity: Information and Configuration Prerequisites
  for BMC AppSight for SAP Client Diagnostics (technical name: SOLMAN_BMC_INFO)

6.5 Roles for Configuration of Business System Connections

In SAP Solution Manager, you can connect the business systems in your system landscape. This
function can be performed in the System Landscape Management work center application Automatic
Technical Configuration.

Features
To access and use the Automatic Technical Configuration application, you need the following roles for
your end user:
Automatic Technical Configuration in System Landscape Management work center
| Name | Type | Remarks |
| --- | --- | --- |
| SAP_SMSY_ALL | ABAP | To run the configuration between your business systems |
| SAP_BC_CTC | ABAP | To call CTC |
| Work center navigation roles for System Landscape Management | | See section Work Center Navigation |

To perform the configuration, you need the following users and profile:
Configuration of Business System Connection
| User | Profile | Remarks |
| --- | --- | --- |
| Administration users (for instance DDIC) | profile SAP_ALL | For more information, see configuration guide for SAP Solution Manager in the Service Marketplace: http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> |
| Technical users | profile SAP_ALL | See section about technical users in managed systems |


More Information
about CTC and CTC configuration in SAP Solution Manager, see SAP Solution Manager Configuration Guide:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release>.

6.6 “How To” Guides

6.6.1 How to Update Authorizations after Support Package Upgrade

After the new installation and an update of your SAP Solution Manager system, you need to update
your tables with new default field values for authorization objects, in transaction SU25. This is
especially relevant for all new authorization objects delivered with an update.

Caution
When you update your system, you must import new roles and profiles from client 000 into your
productive client.

Procedure
1. Call transaction SU25.
2. Choose Information.
The dialog explains in detail what you need to do.

Recommendation
Perform at least the first step.

6.6.2 How to Create End User Roles

You need to grant authorizations for which SAP does not ship template roles, in the Solution Manager
and managed systems. To be able to assign the correct authorization you can create a dedicated
role for them. This section describes how to create your own roles, using the example of critical
authorizations of transactions SU01 (User Management) and PFCG (Role Management).

Features
1. Create a Role in Transaction PFCG
a) Choose transaction PFCG.
b) Enter a role name in your namespace, for instance: ZSU01_PFCG, and choose Single Role.


c) Enter a description for your role, for instance: Full authorization for SU01 and PFCG.
d) Go to tab menu and enter transactions SU01 and PFCG.

Note
The authorization objects required in role creation are maintained using transactions. When
you enter a transaction in the menu tab in your role, the system traces all authorization
objects required for this transaction.
e) Save your role.

Note
You are asked for a transport request.
2. Maintain Authorization Objects
Default authorization objects delivered by SAP contain only minimal authorizations. To grant
full authorization to authorization objects, you must edit them.
a) Choose the Authorizations tab in the Role Maintenance.
b) Choose Change.
c) Maintain all activity values per authorization object, according to your needs, for instance if
you want to grant full authorization, always choose all activities.

Caution
All authorization objects need to have a green traffic light. If you are not sure about the
function of the authorization object, double-click the green line. The system opens the
documentation for this object in a separate window.

d) Generate the profile.


e) To assign this profile to a user, choose tab User, add your user in the table and perform the
user comparison.
f) Save.

6.6.3 How to Assign Roles to Users

After you have generated profiles from roles, assign the role to your users in one of the two ways
explained below.

Procedure
- Transaction SU01
  1. Choose transaction SU01.
  2. Enter the user and choose edit.
  3. Go to Roles tab.
  4. Enter your role.
  5. Save.
- Transaction PFCG
  1. Choose transaction PFCG.
  2. Enter your role and choose edit.
  3. Go to Users tab.
  4. Enter the user name.
  5. Choose the button User Comparison.
  6. Save.

Note
For more information on User Comparison, see SAP Note 1272331.

7 Work Center Navigation Roles

The following sections give you an overview of all work centers and work center related roles. Each
section contains a table with a mapping of work center views, links and authorization roles that
should be assigned to users who perform the tasks.

7.1 Work Center Roles Concept

Work center navigation roles (naming convention: SAP_SMWORK_<work center>) are based on the
concept of authorization roles (transaction PFCG). In contrast to authorization roles, which contain
a number of authorization objects for authorization purposes, work center navigation roles are
only relevant for the navigation in the work center via menu entries. These menu entries are
a two-folder hierarchy. They display the menu hierarchy/entries in the SAP NetWeaver Business
Client (NWBC). The first level is the home page Web Dynpro application (WDA) of the work center
(for instance Incident Management). The second level consists of several related links, such as Service
Marketplace or Help Portal.

Constraints
Work center navigation roles are always individual roles. They only need to be assigned to the user.

Note
If you implement SAP Note 1272331, you should activate automatic user comparison when saving
a role. To be able to select the check box for automatic user comparison when saving a role, edit the
respective role and go to menu Utilities Settings.

In addition, you must assign the corresponding authorization roles for the scenarios/functions (for
instance SAP_SUPPDESK_* and SAP_SUPPCF_*). Besides the work center navigation roles and these
authorization roles, you must also assign the authorization role SAP_SMWORK_BASIC, which contains
all relevant work center-related authorizations, to users.

7.2 Basic Authorizations for Work Centers

Individual role SAP_SMWORK_BASIC contains all authorization objects for work centers, such as
authorization for POWL (table control) and navigation. Each end user who works with work centers
needs the role SAP_SMWORK_BASIC. This role must be fully maintained, including profile generation
and user comparison.

Note
Due to technical restrictions, the profile S_SMWC_BA is delivered for the SAPSUPPORT user when
basic authorizations are assigned automatically. See SAPSUPPORT user.

Features
The following authorization objects are relevant:
- CA_POWL
  Authorizations for Personal Object Work List (POWL)
- S_ICF (inactive)
  Authorization check for ICF services access.

Note
Authorization object S_ICF is delivered inactive, as it may only be relevant for service provider
functionality. For more information, see section Secure Service Logon.

Constraints
SAP_SMWORK_BASIC currently contains authorization objects that are relevant for all work centers. It
does not contain authorization objects that are required for individual work centers.

Example
If you use function PDF Print you need authorization object S_DEVELOP (activity: 03, object type
OBJTYPE: SMIM) to be able to display icons in the document.
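
The assignment rules of sections 7.1 and 7.2 (navigation role plus SAP_SMWORK_BASIC plus a scenario authorization role) can be checked over an export of user-to-role assignments. The following Python check is an added example, not part of the SAP guide; the role patterns are taken from the mapping tables in sections 7.4 to 7.8 and reduced to the scenario roles, while the CSV layout (columns UNAME, AGR_NAME), the user names, the role ZSAP_SM_SCHEDULER_OPS and the convention that customer copies prefix the SAP name with Z or Y are assumptions.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

BASIC_ROLE = "SAP_SMWORK_BASIC"

# Navigation role -> authorization role patterns, at least one of which must be held.
REQUIRED_AUTH_ROLES = {
    "SAP_SMWORK_IMPL": ["SAP_SOL_*_COMP"],
    "SAP_SMWORK_ITEST": ["SAP_SOL_*_COMP"],
    "SAP_SMWORK_JOB_MAN": ["SAP_SM_SCHEDULER_*"],
    "SAP_SMWORK_INCIDENT_MAN": ["SAP_SUPPDESK_*"],
    "SAP_SMWORK_CHANGE_MAN": ["SAP_CM_*_COMP", "SAP_SM_QGM_*", "SAP_MAINT_OPT_*"],
}

# Constructed sample export (user names and the Z role are illustrative).
SAMPLE_EXPORT = """UNAME,AGR_NAME
ALICE,SAP_SMWORK_BASIC
ALICE,SAP_SMWORK_INCIDENT_MAN
ALICE,SAP_SUPPDESK_ADMIN
BOB,SAP_SMWORK_JOB_MAN
BOB,ZSAP_SM_SCHEDULER_OPS
CAROL,SAP_SMWORK_BASIC
CAROL,SAP_SMWORK_CHANGE_MAN
DAVE,SAP_SMWORK_BASIC
DAVE,SAP_SMWORK_IMPL
DAVE,ZSAP_SOL_PM_COMP
ERIN,SAP_SM_QGM_ALL
"""


def sap_name(role):
    """Map a customer copy (assumed naming: Z/Y + SAP name) back to the SAP role name."""
    return role[1:] if role.startswith(("ZSAP_", "YSAP_")) else role


def load_assignments(export_text):
    """Parse the CSV export into {user: set of normalized role names}."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = (row.get("UNAME") or "").strip().upper()
        role = (row.get("AGR_NAME") or "").strip().upper()
        if user and role:
            users[user].add(sap_name(role))
    return users


def audit(users):
    """Return sorted (user, issue, role) findings for incomplete work center setups."""
    findings = []
    for user in sorted(users):
        roles = users[user]
        nav_roles = sorted(
            r for r in roles
            if r.startswith("SAP_SMWORK_") and r != BASIC_ROLE and not r.endswith("_COMP")
        )
        if not nav_roles:
            continue  # no work center navigation role, nothing to check
        if BASIC_ROLE not in roles:
            findings.append((user, "MISSING_BASIC", BASIC_ROLE))
        for nav_role in nav_roles:
            patterns = REQUIRED_AUTH_ROLES.get(nav_role)
            if patterns is None:
                continue  # work center not covered by the mapping above
            if not any(fnmatchcase(r, p) for r in roles for p in patterns):
                findings.append((user, "MISSING_AUTH_ROLE", nav_role))
    return findings


if __name__ == "__main__":
    for finding in audit(load_assignments(SAMPLE_EXPORT)):
        print(finding)
```
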

7.3 My Home

This work center allows you to display overview data of all work centers you are assigned to.

Features
Mapping Root Cause Analysis work center to authorization roles

| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
| --- | --- | --- |
| Overview | according to work center assigned to the end user | see work center view Overview, section Work Center Roles <work center>. |
| Work | according to work center assigned to the end user | see work center view Overview, section Work Center Roles <work center>. |
| Reports | according to work center assigned to the end user | see work center view Reports, section Work Center Roles <work center>. |
| Related Links | SAP Solution Manager Certification | URL link, no authorization required |

Integration
This work center displays overviews, work-related topics and reports of all work centers that are
assigned to the user. It therefore integrates with these work centers.

7.4 Implementation and Upgrade Work Center

Implementation and Upgrade work center (work center navigation role: SAP_SMWORK_IMPL)

Features
Mapping of Implementation and Upgrade work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
| --- | --- | --- |
| Overview | Project | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) |
| Projects | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual roles for: Project Administration, Business Blueprint, Configuration) |
| Evaluate | Access Business Map; Download Solution Composer; Access SAP Best Practices | URL - Service Marketplace: no authorization check |
| | Access Business Process Repository | Web Dynpro BPR - no authorization |
| | Access Projects | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) |
| | Access Solution Directory | SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_* |
| Plan | Create or Maintain Projects | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) |
| | Define Business Blueprint | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Business Blueprint) |
| | Show Roadmaps | SAP_RMMAIN_DIS |
| | Define New Roadmaps | SAP_RMDEF_RMAUTH_* |
| | Add or Change Structure Elements | SAP_RMDEF_RMAUTH_* |
| Build | Go to Technical Configuration | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for configuration) |
| | Go to Business Process Configuration | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Business Blueprint SAP_SOLAR01_*) |
| | Create Role-Specific Learning Map | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for E-Learning) |
| | Customizing Distribution (all links) | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Customizing Distribution) |
| | BC-Sets (all links) | No authorization check |
| Test | Create Test Cases | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP |
| | Access Test Work List | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_TESTER_COMP |
| | Create Test Plan and Test Packages | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP |
| | Maintain Central Test Workbench Settings | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP |
| Going Live Preparation | Go to Solution Directory | SAP_SOLMAN_DIRECTORY_* |
| | Going Live Check | URL - no authorization check |
| | SAP EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA |
| Reports | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP |
| Common Tasks | Define Roadmap; Maintain Roadmap | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP, changing (define and maintain) of roadmaps SAP_RMDEF_RMAUTH_* |
| | Issue Management | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* |
| Related Links | System Landscape | SAP_SMSY_* |
| | System Data Transfer | transaction SMSY_SETUP (no dedicated role, see section Roles for Configuration) |
| | Project Administration | Implementation and Upgrade (by business role, for instance Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for Project Administration) |
| | Copy Projects and Solutions | SAP_SOL_PROJ_ADMIN_*, SAP_SM_SOLUTION_* |
| | Learning Maps | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (especially individual role for E-Learning) |
| | Custom Development Management Cockpit (CDMC) | SAP_CDMC_USER authorization to execute; SAP_CDMC_MASTER authorization to create CDMC specific projects; SAP_CDMC_STAT_SYSTEM |

Integration
For the integrated use of roles, see section Integration of Functions.

More Information
see IMG activity: Setup Work Center for Implementation (technical name: SOLMAN_WC_IMPL)

7.5 Test Management Work Center

Test Management work center (navigation role: SAP_SMWORK_ITEST)

Features
Mapping of Test Management work center onto authorization roles

| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
| --- | --- | --- |
| Overview | All Links | See row in this table |
| Test Preparation | Projects: Evaluate Transactions and TBOM | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Project Evaluation SAP_SOL_PROJ_ADMIN_*) and SAP_SM_BPCA_TBOM_* |
| | Solutions: Evaluate Transactions | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP (Project Evaluation SAP_SOL_PROJ_ADMIN_*) and SAP_SM_SOLUTION_* |
| | Solution Directory | SAP_SOLMAN_DIRECTORY_* |
| BP Change Analyzer | | Implementation and Upgrade (according to business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP and SAP_SM_BPCA_RES_* |
| Test Plan Management | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP, especially Test Plan Management SAP_STWB_2_* |
| Tester Worklist | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP, especially Test Plan Management SAP_STWB_WORK_* |
| Test Evaluation | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP, especially Test Plan Management SAP_STWB_INFO_* |
| Settings (Setup) | | See section Roles for Configuration |
| Reports | | Implementation and Upgrade (by business role, for example Project Manager or Technical Consultant) SAP_SOL_*_COMP and SAP_SM_BI_EXTRACTOR, SAP_BI_TWB |

More Information
see IMG activity: Setup Test Management Work Center (technical name: SOLMAN_WC_TEST)

7.6 Job Management Work Center

Job Management work center (work center navigation role: SAP_SMWORK_JOB_MAN)

Features
Mapping of Job Management work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
| --- | --- | --- |
| Overview | | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| Job Request | | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| Job Monitoring | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Job Documentation | | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| Task Inbox | | see section Work Center System Administration, view Overview |
| Reporting | | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| Common Tasks | Create Job Request | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| | Create Job Documentation | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| | Access Template | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| | Analyze Job | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| | Schedule Jobs | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| | Import Jobs | SAP_SM_SCHEDULER_*, SAP_SM_SOLUTION_* |
| Related Links | Job Scheduling | Template roles for all additional transactions are not delivered with software component ST, roles must be created individually. |
| | Process Scheduling Adapter: Call CPS Scheduler | Template roles for transaction CALL_CPS are not delivered with software component ST, roles must be created individually. |
| | Process Scheduling Adapter: Transaction EXTSLD | Template roles for transaction EXTSLD are not delivered with software component ST, roles must be created individually. |
| | Process Scheduling Adapter: SAP Central Process Scheduling by Redwood | URL - no authorization check |

Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Business Process Operations: SAP_SMWORK_BPM

Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.


More Information
see IMG activity: Setup Work Center for Job Management (technical name: SOLMAN_WC_JSCHED)

7.7 Incident Management Work Center

Incident Management work center (work center navigation role: SAP_SMWORK_INCIDENT_MAN)


Mapping Incident Management work center onto authorization roles
| View in Work Center | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | | SAP_SUPPDESK_*; (and SAP_SUPPCF_* for Service Provider) |
| Messages | | SAP_SUPPDESK_*; (and SAP_SUPPCF_* for Service Provider) |
| Queries | | |
| Reports | | SAP_SUPPDESK_*; (and SAP_SUPPCF_* for Service Provider) |
| Common Tasks | New messages | SAP_SUPPDESK_*; (and SAP_SUPPCF_* for Service Provider) |
| | Search for SAP Note | URL - no authorization check |

Integration
This work center integrates with the following work centers:
- Job Management: SAP_SMWORK_JOB_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Business Process Operations: SAP_SMWORK_BPM

Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.

More Information
- on work center for Service Desk (standard), see IMG activity: Create Work Center for Incident Management
  (Service Desk) (technical name: SOLMAN_SUPPDESK_WCS)
- on work center for Service Desk for Service Provider, see IMG activity: Create Work Center for Incident
  Management (Service Provider) (technical name: SOLMAN_VAR_WC)

7.8 Change Management Work Center

Change Management work center (work center navigation role: SAP_SMWORK_CHANGE_MAN)

Features
Mapping of Change Management work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP / SAP_SM_QGM_* |
| Projects | | SAP_SM_QGM_* |
| Change Requests | | SAP_CM_*_COMP |
| Change Documents | | SAP_CM_*_COMP |
| Hot News | | SAP_SM_SOLUTION_* |
| Maintenance Optimizer | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* |
| License Management | | Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC |
| Queries | | |
| Reports | | SAP_SOL_REP_* / SAP_SM_SOLUTION_* |
| Common Tasks | New Change Request | SAP_CM_*_COMP |
| | New Maintenance Transaction | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* |
| Related Links | Schedule Manager | SAP_CM_*_COMP |
| | Configuration Validation: Maintenance | SAP_SM_BI_EXTRACTOR. Recommendation: For more information see section Roles for BI-Related Reporting. |
| | Configuration Validation: Reporting | SAP_SM_BI_EXTRACTOR. Recommendation: For more information see section Roles for BI-Related Reporting. |

Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Job Management: SAP_SMWORK_JOB_MAN
- Business Process Operations: SAP_SMWORK_BPM

Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.

More Information
see IMG activity: Setup Work Center for Change Management (technical name: SOLMAN_WC_CHARM)

7.9 Business Process Operations Work Center

Business Process Operations work center (work center navigation role: SAP_SMWORK_BPM)

Features
Mapping of Business Process Operations work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | all | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Solution | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*. Note: Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: Business Process Monitoring (BPM), Data Consistency Management (DCM), Data Volume Management (DVM). If you want to restrict authorization, you need to maintain this authorization object. |
| Business Processes | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Alert Inbox | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Data Consistency Management | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*. Note: Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: Business Process Monitoring (BPM), Data Consistency Management (DCM), Data Volume Management (DVM). If you want to restrict authorization, you need to maintain this authorization object. |
| Data Volume Management | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*. Note: Role SAP_OP_DSWP_BPM contains authorization object SM_BPM_AUT with full authorization for operations categories: Business Process Monitoring (BPM), Data Consistency Management (DCM), Data Volume Management (DVM). If you want to restrict authorization, you need to maintain this authorization object. |
| Reports | | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Common Tasks | Solution Directory | SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_* |
| | Setup Business Process Monitoring | SAP_SETUP_DSWP_BPM / SAP_SM_SOLUTION_* |
| Related Links | Solution Manager Operation - transaction SOLUTION_MANAGER | SAP_SV_SOLUTION_MANAGER (full authorization for Operations and Operations Setup) |

Note
If you want to create Service Desk messages, you need to assign role SAP_SUPPDESK_CREATE (and
SAP_SUPPCF_CREATE for service provider) to your user, see section Roles for Service Desk.

Integration
This work center integrates with the following work centers:
- Incident Management: SAP_SMWORK_INCIDENT_MAN
- Change Management: SAP_SMWORK_CHANGE_MAN
- Job Management: SAP_SMWORK_JOB_MAN

Recommendation
We recommend the template composite role for Job Management (SAP_SMWORK_JOBMAN_COMP), see
section: How to Create Work Center Composite Roles.

More Information
see IMG activity: Setup Work Center for Business Process Operations (technical name: SOLMAN_WC_BPM)

7.10 SAP Engagement and Service Delivery Work Center

SAP Engagement and Service Delivery work center (work center navigation role:
SAP_SMWORK_SERVICE_DEV)

Features
Mapping of SAP Engagement and Service Delivery work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | | SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* / SAP_ISSUE_MANAGEMENT_* |
| Solutions | | SAP_SM_SOLUTION_* / SAP_OP_DSWP_BPM / SAP_ISSUE_MANAGEMENT_* |
| Business Processes | | SAP_SM_SOLUTION_* / SAP_OP_DSWP_BPM / SAP_ISSUE_MANAGEMENT_* |
| SAP Delivered Services | | SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* |
| Self Services | | |
| Top Issues | | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* |
| Issues | | |
| Tasks | | |
| EarlyWatch Alert | | SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA |
| Reports | | SAP_SOL_REP_* / SAP_SM_SOLUTION_* |
| Common Tasks | Maintain System Data | SAP_SMSY_* |
| | Maintain Solution Data | SAP_SM_SOLUTION_* / SAP_SOLMAN_DIRECTORY_* |
| | Maintain Project Blueprint | SAP_SOL_*_COMP (especially SAP_SOLAR01_*) |
| | Maintain Project Configuration | SAP_SOL_*_COMP (especially SAP_SOLAR02_*) |
| | Display Roadmap | SAP_RMMAIN_DIS |
| | Schedule Content Update | SAP_SV_SOLUTION_MANAGER / SAP_SM_SOLUTION_* |
| Related Links | Solution Manager Operations | SAP_SV_SOLUTION_MANAGER (full authorization for Operations and Operations Setup) |
| | Issue Management | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* |

Note
When you update an SAP Service, table entries or coding could be added or activated in your
system. You can grant or restrict authorization for updating SAP Services, with authorization object
SM_CNT_UPD.

More Information
see IMG activity: Setup Work Center for SAP Engagement and Service Delivery (technical name: SOLMAN_WC_ISSUE)

7.11 System Administration Work Center

System Administration work center (navigation role: SAP_SMWORK_SYS_ADMIN)

Features
Mapping of System Administration work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | Task Management | Recurring Pre-configured Tasks (CSA): SAP_OP_DSWP_CSA |
| | Ad-hoc, Not Pre-configured Tasks | Roles depend on the nature of the tasks |
| | My Downtime Management Tasks | SAP_SMSY_*. Note: Start/stop of instances is managed by either: Adaptive Computing (ACC): uses UME of attached SAP NetWeaver Administrator; SAPControl: uses logon dialog for identification |
| | Job Scheduling Management Tasks | SAP_SM_SCHEDULER_* / SAP_SM_SOLUTION_* |
| | Issue and Top Issue Management Tasks | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_* |
| Systems | | SAP_SMSY_* |
| Task Management | | See roles for relevant tasks, above, in table row Task Management |
| Setup CSA | | SAP_SETUP_DSWP_CSA |
| User Management | | Template roles for authorizations for transactions SU01, PFCG, SU10 or SUIM are not delivered with software component ST. Roles must be created individually, see section How to Create Roles. Alternatively, role SAP_BC_USER_ADMIN can be used. Caution: Role contains full user administration authorization. |
| Administration Tools | | Template roles for non-specific Solution Manager transactions (functions) can be found in the documentation for these functions. Example: You operate a Master Data Management (MDM) system in your system landscape. The MDM Admin Cockpit automatically appears in your tool list, see section Roles for Master Data Management. |
| Related Links | DBA Cockpit | SAP_BC_DB_ADMIN |
| | Landscape Printing Assistant | Template role for authorizations for transaction PAL is not delivered with software component ST. Role must be created individually. |
| | License Management | Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC. |
| | Adaptive Computing | Refer to the documentation for Adaptive Computing. |
| | Manage System Favorites | SAP_SMSY_* / SAP_SM_SOLUTION_* |

Integration
This work center integrates with Work Center System Landscape Management. For the integrated
use of roles, see section Integration of Functions.

Recommendation
Use the template composite role for system administrators (SAP_SMWORK_ADMINISTRATOR_COMP),
see section: How to Create Work Center Composite Roles.

More Information
See IMG activity: Setup Work Center for System Administration (technical name: SOLMAN_WCS_CSA)

7.12 System Monitoring Work Center

System Monitoring work center (navigation role: SAP_SMWORK_SYS_MON)

Features
Mapping of System Monitoring work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | Systems / Solutions | SAP_SMSY_* / SAP_SM_SOLUTION_* |
| System Status | Systems / Solution | SAP_SMSY_* / SAP_SM_SOLUTION_* |
| | IT Performance Reporting | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*, SAP_SM_BI_EXTRACTOR. Note: If your BI client is not the Solution Manager client, you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR. If you use an external BI system, you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC, and upload it to your BI system in transaction PFCG Roles Upload/Download. |
| Alert Inbox | System Alerts | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_* |
| | Create Messages | SAP_SUPP*, for more information see section Roles for Service Desk. |
| Proactive Monitoring | System / Solutions | SAP_SMSY_* / SAP_SM_SOLUTION_* |
| | Nonspecific Solution Manager Transactions | Template roles for non-specific Solution Manager transactions (functions) are in the documentation of these functions. |
| | IT Performance Reporting | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*, SAP_SM_BI_EXTRACTOR. Note: If your BI client is not the Solution Manager client, you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR. If you use an external BI system, you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC, and upload it to your BI system in transaction PFCG Roles Upload/Download. |
| Connectivity Monitoring | RFC Destinations | SAP_SMSY_*. Template role for authorization for transaction SM59 is not delivered with software component ST. The role must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used. Caution: Role contains full user administration authorization. |
| Job Monitoring | Job Scheduling | SAP_SM_SCHEDULER_* |
| Self Diagnosis | | SAP_SM_SOLUTION_* |
| Reports | Report Views: SAP EarlyWatch Alert Reporting | SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_* |
| | Report View: Service Level Reporting | SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_* |
| | Report View: Availability Reporting | SAP_SOL_REP_* / SAP_SM_SOLUTION_* |
| Setup | System Monitoring | SAP_SETUP_DSWP_* / SAP_SM_SOLUTION_* |
| | Service Level Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR |
| | EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA |
| | Connectivity Monitoring | Transaction: SOLUTION_MANAGER (no authorization check) |
| | IT Performance Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM / SAP_SM_BI_EXTRACTOR. Note: If your BI client is not the Solution Manager client you need the following roles: SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP, SAP_SM_BI_EXTRACTOR. If you use an external BI system, you must download role SAP_SM_BI_EXTRACTOR from the Solution Manager system to your PC, and upload it to your BI system in transaction PFCG Roles Upload/Download. Recommendation: For more information, see section Roles for BI-Related Reporting. |
| | Solutions | SAP_SM_SOLUTION_* |
| Related Links | Adaptive Computing | SAP_SMSY_* |
| | Managed System Favorites | URL - no authorization check |
| | Wily Introscope | URL - no authorization check |

Note
You can set connection parameters for Adaptive Computing and Wily Introscope, see IMG activities:
- Connect Wily Introscope (technical name: SOLMAN_WILY_SERVER)
- Connect Adaptive Computing (technical name: SOLMAN_ACC_INTEG)

Integration
This work center integrates with System Landscape Management work center.

Recommendation
Use the template composite role for System Administrators (SAP_SMWORK_ADMINISTRATOR_COMP). See
section: How to Create Work Center Composite Roles.

More Information
see IMG activity: Setup for System Monitoring Work Center (technical name: SOLMAN_WC_SYS)

7.13 System Landscape Management Work Center

System Landscape Management work center (navigation role: SAP_SMWORK_LANDSCAPE_MAN)

Features
Mapping of System Landscape Management work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | System Management | SAP_SMSY_* |
| | Downtime Management | SAP_SM_DTM_*, SAP_SM_SOLUTION_DIS |
| | Transport Management | |
| System Management | | See under view Overview |
| Downtime Management | | See under view Overview |
| Transport Management | | See under view Overview |
| Related Links | System Landscape | SAP_SMSY_* |
| | System Data Transfer | SAP_SMSY_* |
| | Service Connection | SAP_SERVICE_CONNECT |
| | Switch Framework Cockpit | Authorization objects: S_SWITCH; S_RFC with function group SFW_API_REMOTE. Note: You have to assign these authorization objects with the values, separately. |
| | SAP Reference Landscape | No authorization check |
| | Project Generation | SAP_SOL_PROJ_ADMIN_*, SAP_SMSY_* |
| | Automated Technical Configuration | SAP_SMSY_ALL, SAP_BC_CTC |
| | Adaptive Computing | Refer to the documentation for Adaptive Computing |
| | Manage System Favorites | SAP_SMSY_*, SAP_SM_SOLUTION_* |

More Information
see IMG activity: Setup Work Center for Landscape Maintenance (technical name: SOLMAN_SMSY_WC)

7.14 Root Cause Analysis Work Center

Root Cause Analysis work center (work center navigation role: SAP_SMWORK_DIAG)

Features
Mapping Root Cause Analysis work center onto authorization roles

| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| All | | SAP_RCA_*, see section Roles for Root Cause Analysis |

More Information
see IMG activity: Setup Work Center for Root Cause Analysis (technical name: SOLMAN_WC_RCA)

7.15 Solution Documentation Assistant Work Center

Solution Documentation Assistant work center (work center navigation role: SAP_SMWORK_SDA)

Features
Mapping of Solution Documentation Assistant work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | all | SAP_SDA_*; SAP_SOL_*_COMP (esp.: SAP_SOL_PROJ_ADMIN_ALL) |
| Analysis Projects | | |
| Analyses | | |
| Rule Database | | |
| Content Interface | | SAP_SDA_ALL |
| Common Tasks | all | SAP_SDA_*; SAP_SOL_*_COMP (esp.: SAP_SOL_PROJ_ADMIN_ALL) |
| Related Links | Business Process Repository | no authorization check |
| | Project Administration | SAP_SOL_PROJ_ADMIN_* |
| | Business Blueprint | SAP_SOLAR01_* |
| | Solutions | SAP_SOLMAN_DIRECTORY_* |
| | Solution Manager System Landscape | SAP_SMSY_* |

Integration
Solution Documentation Assistant integrates with function Business Blueprint (transaction SOLAR01).

More Information
see IMG activity: Setup Work Center for Solution Documentation Assistant (technical name: SOLMAN_WC_SDA)

7.16 Solution Manager Administration Work Center

Solution Manager Administration work center (navigation role: SAP_SMWORK_SETUP)

Features
Mapping of Solution Manager Administration work center onto authorization roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | Solutions | SAP_SM_SOLUTION_* |
| | Projects | SAP_SOL_PROJ_ADMIN_* |
| Solutions | Solutions (Create) | SAP_SM_SOLUTION_* |
| | Service Connection | SAP_SERVICE_CONNECT |
| | Solution Transfer | SAP_SOLUTION_TRANSFER |
| | Global Solution Settings | SAP_SOLMAN_DIRECTORY_* |
| | Operations Setup (EarlyWatch Alert) | SAP_SETUP_DSWP_EWA / SAP_SM_SOLUTION_* |
| Projects | Projects | SAP_SOL_PROJ_ADMIN_* |
| | Associated systems and solutions | SAP_SMSY_* / SAP_SM_SOLUTION_* |
| | Compare and Adjust | SAP_SOL_PM_COMP (especially SAP_SOL_PROJ_ADMIN_ALL) |
| | Start Template Collector | SAP_SOL_PM_COMP |
| | Reset User Settings | Template role for authorizations for SU01 is not delivered with software component ST, role must be created individually. |
| | Refresh Search Index | |
| | Maintain Project Templates | SAP_SOL_*_COMP (especially SAP_SOL_PROJ_ADMIN_*) |
| | Export and Import | SAP_SOLAR_MIGRATION |
| Systems | System Landscape Setup | SAP_SMSY_* |
| | System Landscape Maintenance | SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_* |
| | RFC Destinations | Template role for authorization for transaction SM59 is not delivered with software component ST, role must be created individually. |
| Users | | Template roles for authorization for transactions SU01, PFCG, BP or AISUSER are not delivered with Software Component ST, roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used. Caution: This role contains full administration authorization. |
| Specific Administration | Setup System Administration | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_CSA |
| | Service Level Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR |
| | System Monitoring | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM |
| | EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA |
| | Connectivity Monitoring | Transaction: SOLUTION_MANAGER (no authorization check) |
| | IT Performance Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM |
| | Landscape Maintenance | SAP_SMSY_* |
| Common Tasks | RFC Connection Error | |
| Related Links | Reference Implementation Guide (SPRO) | See section Roles for Configuration |
| | Automated Basic Configuration | See section Roles for Configuration |
| | Self Diagnosis | SAP_SM_SOLUTION_* |

7.17 How to Create Work Center Composite Roles

SAP delivers two composite roles for this work center:
- SAP_SMWORK_ADMINISTRATOR_COMP
- SAP_SMWORK_JOBMAN_COMP

This section describes how you can create a composite role for work centers, using the example of the
composite role for administrators. You want your system administrator to use Solution Manager
work centers. Your system administrator maintains your system landscape and ensures the smooth
running of all its systems. You need to grant work center navigation roles and authorization roles
with full authorization, according to the mapping tables.

Note
If you use the existing roles, copy them, maintain all single authorization roles, and compare users.

Caution
If you want to adapt Work Center single roles of the SAP template composite roles, you need to
maintain them as single roles NOT included in the composite role. For instance, if you want to adapt
links in Work Center System Landscape Management of composite role SAP_SMWORK_ADMINISTRATOR_COMP,
you need to delete the SAP template single role SAP_SMWORK_LANDSCAPE_MAN included in the
composite role and assign your adapted ZSAP_SMWORK_LANDSCAPE role individually to the user.

Procedure
1. Create a composite role in transaction PFCG.
   The procedure is similar to creating single roles, see section How to Create Roles for End Users.
2. Assign the following work centers in Roles tab:
   - System Landscape Management (work center navigation role: SAP_SMWORK_LANDSCAPE_MAN)
   - System Monitoring (work center navigation role: SAP_SMWORK_SYS_MON)
   - System Administration (work center navigation role: SAP_SMWORK_SYS_ADMIN)
   - Home (work center navigation role: SAP_SMWORK_MYHOME)
3. Assign the following authorization role for work centers: SAP_SMWORK_BASIC.
4. Assign the following authorization roles:
   - System Landscape Maintenance: SAP_SMSY_ALL
   - Solutions: SAP_SM_SOLUTION_ALL
   - System Monitoring Setup: SAP_SETUP_DSWP_SM
   - System Administration Setup: SAP_SETUP_DSWP_CSA
   - System Monitoring Operations: SAP_OP_DSWP_SM
   - System Administration Operations: SAP_OP_DSWP_CSA
   - Service Connection: SAP_SERVICE_CONNECT
5. Maintain the authorization roles and generate the profiles.
6. Assign the composite role to your system administrator and compare users.

Caution
If you use SAP NetWeaver Business Client, do not populate or merge the menu, as the work
centers cannot be displayed accurately in the SAP NWBC, see section How to Configure SAP NetWeaver
Business Client in the configuration guide for SAP Solution Manager in the Service Marketplace:
http://service.sap.com/instguides SAP Components SAP Solution Manager <current release> .

Result
You have created a composite role for your system administrator.

Figure 2: Individual Roles for Composite Role SAP_SMWORK_ADMINISTRATOR_COMP

Note
All necessary roles are included, authorization objects maintained, profiles generated, and
users compared. Only roles for transactions that are delivered with Solution Manager (Software
Component: ST) are included.

More Information
on work centers in general, see IMG activity: Information and Configuration Prerequisites for Work Center
(technical name: SOLMAN_WCS_INFORMATI)
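
Example (added here, not part of the SAP guide or SAP-delivered code): a Python check that compares a customer copy of the administrator composite role with the role list from the procedure above, reports roles that carry the guide's full user administration Caution, and detects the situation from the Caution in this section where an adapted Z/Y copy of a work center role is assigned while the template role is still in the composite. The CSV layout, the role name ZSMWORK_ADMIN_COMP, the user names and the name-prefix matching of adapted roles are assumptions; the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Composition of the administrator composite role, from steps 2-4 of the procedure.
NAVIGATION_ROLES = {
    "SAP_SMWORK_LANDSCAPE_MAN", "SAP_SMWORK_SYS_MON",
    "SAP_SMWORK_SYS_ADMIN", "SAP_SMWORK_MYHOME",
}
AUTHORIZATION_ROLES = {
    "SAP_SMWORK_BASIC", "SAP_SMSY_ALL", "SAP_SM_SOLUTION_ALL",
    "SAP_SETUP_DSWP_SM", "SAP_SETUP_DSWP_CSA", "SAP_OP_DSWP_SM",
    "SAP_OP_DSWP_CSA", "SAP_SERVICE_CONNECT",
}
EXPECTED = NAVIGATION_ROLES | AUTHORIZATION_ROLES
# Role the guide marks with "Caution: contains full user administration authorization".
CAUTION_ROLES = {"SAP_BC_USER_ADMIN"}

# Constructed sample export: members of a customer copy of the composite role.
COMPOSITE_CSV = """composite,single
ZSMWORK_ADMIN_COMP,SAP_SMWORK_LANDSCAPE_MAN
ZSMWORK_ADMIN_COMP,SAP_SMWORK_SYS_MON
ZSMWORK_ADMIN_COMP,SAP_SMWORK_SYS_ADMIN
ZSMWORK_ADMIN_COMP,SAP_SMWORK_MYHOME
ZSMWORK_ADMIN_COMP,SAP_SMWORK_BASIC
ZSMWORK_ADMIN_COMP,SAP_SMSY_ALL
ZSMWORK_ADMIN_COMP,SAP_SM_SOLUTION_ALL
ZSMWORK_ADMIN_COMP,SAP_SETUP_DSWP_SM
ZSMWORK_ADMIN_COMP,SAP_OP_DSWP_SM
ZSMWORK_ADMIN_COMP,SAP_OP_DSWP_CSA
ZSMWORK_ADMIN_COMP,SAP_SERVICE_CONNECT
ZSMWORK_ADMIN_COMP,SAP_BC_USER_ADMIN
"""

# Constructed sample export: roles assigned to users.
USER_CSV = """user,role
ADMIN01,ZSMWORK_ADMIN_COMP
ADMIN01,ZSAP_SMWORK_LANDSCAPE
ADMIN02,ZSMWORK_ADMIN_COMP
"""


def load_pairs(text, key, value):
    """Read a two-column CSV into {key: set(values)}."""
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        result[row[key].strip()].add(row[value].strip())
    return dict(result)


def audit_composite(singles):
    """Compare the single roles of a composite with the procedure's list."""
    singles = set(singles)
    return {
        "missing": sorted(EXPECTED - singles),
        "unexpected": sorted(singles - EXPECTED),
        "caution": sorted(singles & CAUTION_ROLES),
    }


def shadowed_templates(direct_roles, composite_singles):
    """Adapted Z/Y work center roles assigned directly while the SAP template
    navigation role is still part of the composite (heuristic: name prefix)."""
    hits = []
    for role in sorted(direct_roles):
        if role[:1] in ("Z", "Y") and role[1:].startswith("SAP_SMWORK_"):
            stem = role[1:]
            for template in sorted(set(composite_singles) & NAVIGATION_ROLES):
                if template.startswith(stem):
                    hits.append((role, template))
    return hits


def audit_users(assignments, composites):
    """Per user: caution roles held (directly or via composite) and shadowed templates."""
    report = {}
    for user, roles in sorted(assignments.items()):
        direct = {r for r in roles if r not in composites}
        via_composite = set()
        for role in roles:
            via_composite |= composites.get(role, set())
        report[user] = {
            "caution": sorted((direct | via_composite) & CAUTION_ROLES),
            "shadowed": shadowed_templates(direct, via_composite),
        }
    return report


if __name__ == "__main__":
    composites = load_pairs(COMPOSITE_CSV, "composite", "single")
    for name, singles in composites.items():
        print(name, audit_composite(singles))
    for user, finding in audit_users(load_pairs(USER_CSV, "user", "role"), composites).items():
        print(user, finding)
```
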

8 S-User Authorizations

8.1 S-User Concept

The S-user is needed to access SAP-internal systems via RFC destinations such as SAP-OSS and
SAP-OSS-LIST-O01 (see section Communication Destinations), and background jobs (see section Background
Jobs). (Authorized) S-users are needed to open the gate and trigger dedicated functions at SAP.
We distinguish between two uses of S-users:
- for RFC destinations: This S-user requires a password and has to be assigned to your customer
  number. For security reasons it should have no authorizations since it could be misused for
  direct logon.
- for dedicated functions (requires authorizations): See the following sections.

8.2 SAP Support Portal Contact in SAP Solution Manager (Table: AISUSER)

End users who communicate with SAP Support Portal via RFC destination SAP-OSS need an SAP
Support Portal contact to SAP Solution Manager. You maintain the contact in table AISUSER
(transaction AISUSER). This contact corresponds to the S-user in the SAP Support Portal, without
the initial S.

More Information
see IMG activity: Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM)

8.3 S-User Authorization for Service Desk and Expert on Demand

Your S-user needs the following authorizations for SAP Support Portal functions.

Features
S-User Authorization for Service Desk and Expert on Demand

| Activity | Authorization |
|---|---|
| Create message | ANLEG: Create SAP message |
| Send messages | GOSAP: Send to SAP; WAUFN: Reopen SAP message |
| Confirm messages | QUITT: Confirm SAP message |
| Display/change secure area | PWDISP: Display secure area; PWCHGE: Change secure area |

8.4 S-User Authorization for Service Connection

Your S-user needs the following authorizations in the SAP Support Portal, for the Service Connection
function.

Features
S-User Authorization for Service Connection
| Activity | Authorization |
|---|---|
| Open service connections | SVER: Open Service Connection |
| Set-up/migrate a service connection | SVER: Open Service Connection; INSTPROD: Maintain System Data |
| SAP notes search | NOTES: Search for notes |

8.5 S-User Authorization for Maintenance Optimizer

Your S-user needs the following authorization in the SAP Support Portal, for the Maintenance Optimizer
function.

Features
S-user Authorization for Maintenance Optimizer
| Activity | Authorization |
|---|---|
| Execute Maintenance Optimizer | SWCATALOG: Order Software in Software Catalog |

8.6 S-User Authorization for Data Download from SAP

Your S-user needs the following authorizations for the SAP Support Portal functions.
S-user Authorization Download Data from SAP
| Activity | Authorization |
|---|---|
| Administration | ADMIN |
| Maintain all logon data | GLOBAL |
| Maintain user data | USER |
| Maintain system data | INSTPROD |
| Request license key | LICKEY |
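
Example (added here, not part of the SAP guide): a Python check of S-user authorizations against the tables in sections 8.3 to 8.6 and the rule from section 8.1 that the RFC S-user should have no authorizations. It resolves each AISUSER contact to its S-user (the ID without the initial S, as described in section 8.2) and reports missing authorizations, plus authorizations beyond what the tables list for the user's functions. The S-user IDs, user names, function keys and the input structures are constructed assumptions.

```python
from dataclasses import dataclass

# SAP Support Portal authorizations per function, from the tables in sections 8.3 to 8.6.
REQUIRED = {
    "service_desk": {"ANLEG", "GOSAP", "WAUFN", "QUITT", "PWDISP", "PWCHGE"},
    "service_connection": {"SVER", "INSTPROD", "NOTES"},
    "maintenance_optimizer": {"SWCATALOG"},
    "data_download": {"ADMIN", "GLOBAL", "USER", "INSTPROD", "LICKEY"},
}


@dataclass(frozen=True)
class SUser:
    user_id: str                      # constructed S-user ID
    rfc_only: bool = False            # used only in RFC destinations (section 8.1)
    granted: frozenset = frozenset()  # authorizations held in the SAP Support Portal


def contact_for(s_user_id):
    """AISUSER contact: the S-user ID without the initial S (section 8.2)."""
    if not s_user_id.upper().startswith("S"):
        raise ValueError(f"not an S-user ID: {s_user_id!r}")
    return s_user_id[1:]


def check_rfc_users(s_users):
    """RFC S-users should hold no authorizations; return the ones that do."""
    return {u.user_id: sorted(u.granted) for u in s_users if u.rfc_only and u.granted}


def check_contacts(aisuser, s_users, needs):
    """For every AISUSER entry, compare the mapped S-user with the functions
    the Solution Manager user is meant to use."""
    by_contact = {contact_for(u.user_id): u for u in s_users}
    findings = {}
    for sm_user, contact in sorted(aisuser.items()):
        s_user = by_contact.get(contact)
        if s_user is None:
            findings[sm_user] = {"error": "contact has no matching S-user"}
            continue
        required = set()
        for function in needs.get(sm_user, ()):
            required |= REQUIRED[function]
        missing = sorted(required - s_user.granted)
        excess = sorted(s_user.granted - required)
        if missing or excess:
            findings[sm_user] = {
                "s_user": s_user.user_id,
                "missing": missing,
                "excess": excess,
            }
    return findings


# Constructed sample data.
S_USERS = [
    SUser("S0000000001", rfc_only=True, granted=frozenset({"ADMIN"})),
    SUser("S0000000002", granted=frozenset({"ANLEG", "GOSAP", "QUITT"})),
    SUser("S0000000003", granted=frozenset({"SVER", "INSTPROD", "NOTES", "SWCATALOG", "LICKEY"})),
]
AISUSER = {
    "SDESK_KEYUSER": "0000000002",
    "BASIS_ADMIN": "0000000003",
    "OLD_USER": "0000000009",
}
NEEDS = {
    "SDESK_KEYUSER": ["service_desk"],
    "BASIS_ADMIN": ["service_connection", "maintenance_optimizer"],
}

if __name__ == "__main__":
    print("RFC S-users with authorizations:", check_rfc_users(S_USERS))
    for user, finding in check_contacts(AISUSER, S_USERS, NEEDS).items():
        print(user, finding)
```
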

9 Service Provider and Service Provider Customer Specification

This section gives an overview of topics for service providers, including service provider-specific
authorizations, and work centers for service provider customers.

9.1 Service Provider Customer RFC Connections

As a service provider, you need to create specific RFC connections to SAP for your customers.

Prerequisites
You need an S user without specific authorizations.

Features
Service Provider Customer RFC Connections from Solution Manager to SAP
| RFC Destination Name | Target Host Name | System Number | Logon Client | Logon User (Password) | Use (Scenario) | Remarks |
|---|---|---|---|---|---|---|
| SM_SP_<customer number> | /H/SAPROUTER/S//sapserv/H/oss001 | 01 | 001 | S-User (Customer-specific, no authorization needed), see section S-User Authorizations | Service Provider | You automatically create customer RFCs based on RFC SAP-OSS via report |

More Information
see IMG activity Setup SAP Connection for Customers (technical name: SOLMAN_VAR_RFC_CUSTO)

9.2 Roles for Service Desk for Service Provider

The function Service Desk for Service Provider extends the Service Desk functionality. Roles for
Service Desk and Service Provider are additive, that is, if your Solution Manager system is configured
for the Service Provider, you must grant your end users roles for Service Desk and Service Desk for
Service Provider. See section Roles for Service Desk.

Features
Additional Service Desk Roles for Service Provider and Software Partner

Caution
For Service Provider, you must maintain the Service Desk roles as described in SAP Note 834534, and
add Service Desk roles for Service Provider. Authorization object CRM_TXT_ID needs to be granted,
as well as Service Desk authorization objects.

| Name | Type | Remarks |
|---|---|---|
| SAP_SUPPCF_ADMIN | ABAP | Administrator authorization for creating and processing |
| SAP_SUPPCF_CREATE | ABAP | Key user (IT operator) authorization to create messages |
| SAP_SUPPCF_PROCESS | ABAP | Support employee authorization to process messages |
| SAP_SUPPCF_DISP | ABAP | Display authorization |

More Information
- for Service Desk, see IMG activity Information and Configuration Prerequisites for Service Desk (technical
  name: SOLMAN_SD_INFORMATIO).
- for Service Provider, see IMG activity Information and Configuration Prerequisites for Service Provider (technical
  name: SOLMAN_SERVICEDESKINFO).

9.3 Service Provider-Specific Authorization

As a service provider, you need a complete view of all data for the specified scenarios, while your
customers should be able to display all data that is necessary for their specific business.

Features
You need the role SAP_SM_SPC.

More Information
see IMG activity Assign Service Provider Authorization (technical name: SOLMAN_SPC_AUTH).

9.4 Work Center for Service Provider Customers

The following work centers are available especially for customers of Service Providers. Functions that
can be executed with these work centers by customers of Service Providers are:
- Service Desk (Incident Management) (technical role name: SAP_SMWORK_INCIDENT_MAN_SPC):
  create and change own messages; open service connections
- Change Management (technical role name: SAP_SMWORK_CHANGE_MAN_SPC):
  process maintenance optimizer transactions
- System Monitoring (technical role name: SAP_SMWORK_SYS_MON_SPC):
  display SAP EarlyWatch Alert reports and Service Level reports

Features
Mapping of Work Center Change Management to Authorization Roles
| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* |
| Hot News | | SAP_SM_SOLUTION_* |
| Maintenance Optimizer | | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* |
| License Management | | Authorization field S_ADMI_FCD in authorization object S_ADMI_FCD must contain value SLIC |
| Common Task | New Maintenance Transaction | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* |

Mapping Work Center Incident Management to Authorization Roles


| View in Work Center | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Overview | | SAP_SUPPDESK_* / SAP_SUPPCF_* |
| Messages | | SAP_SUPPDESK_* / SAP_SUPPCF_* |
| Common Tasks | Search for SAP Note | URL - no authorization check |
| | New messages | SAP_SUPPDESK_* / SAP_SUPPCF_* |

Mapping of Work Center System Monitoring to Authorization Roles

| View | Link | Mapping of Authorization Roles (see Roles for <scenario/function>) |
|---|---|---|
| Reporting | Report View: SAP Early Watch Alert | SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_* |
| | Report View: SAP EarlyWatch Alert for Solutions | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*, SAP_SM_BI_EXTRACTOR. Note: If your BI client is not the Solution Manager client, you need roles SAP_BW_CCMS_REPORTING and SAP_SM_BI_EXTRACTOR. |
| | Report View: Service Level Reporting | SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_* |

9.5 S-User Authorization for Service Provider Customers

The S-user of service provider customers needs the following authorizations in the SAP Support Portal.

Features
S-User Authorization for Service Provider Customer

| Activity | Authorization |
|---|---|
| Maintain System Data | INSTPROD |

Note
The assigned S-user needs no authorization for the customer-specific RFC connections (RFC default
name: SM_SP_<Customer Number>).

9.6 Work Center Access for Customers

To grant access to Solution Manager work centers via HTTP, an HTTP request from a customer server
must be accepted by the Solution Manager server. Your customer should install a proxy server that is
enabled for cascading. This proxy should cascade requests from the customer to a proxy server on
your side. You route the request directly from your proxy server to the Solution Manager server.

Integration
If you want to restrict customer access to certain services, see SAP Note 1281504 and SAP —
Partner-Specific Configuration in the IMG (transaction SPRO).

10 Background Processes

This section gives an overview of background processes for each function.

10.1 Background Jobs for Infrastructure

Background jobs for Infrastructure.

Features
Background Jobs for Infrastructure

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| REFRESH_ADMIN_DATA_FROM_SUPPORT/ AI_SC_REFRESH_READ_ONLY_DATA | Periodically reads administrative data from SAP Support Portal (System data synchronization in SMSY) | SAP-OSS |
| SEND_SYSTEM_RELATIONSHIP_TO_SUPP/ AI_SC_SEND_SYSTEM_RELATIONSHIP | Periodically sends information about which systems are managed by Solution Manager | SAP-OSS |
| SERVICE_CONNECTION_LISTENER/ AI_SC_LISTENER | Periodically checks in Solution Manager, whether a service connection is planned to be opened | SAP-OSS |
| LANDSCAPE FETCH/ RSGET_SMSY | The job gets system data for the Solution Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD) | Default: TMS/RFC |
| SM:SYNC CONTENT FROM SAP/ RDSWPBACKGROUNDSERVICES_1 | (DSWPJOB -> inactive) | |
| SM:MIGRATE_LANG_DEP_SAPSCRIPT/ MIGRATE_LANG_DEP_SAPSCRIPT; RMIGRATE_LANG_DEP_SAPSCRIPT | (DSWPJOB -> MIGRATE_LANG_DEP_SAPSCRIPT inactive) | |
| SM:CLEAR ARCHIVED DATA/ RDARCH_CLEAN_DATABASE | (DSWPJOB -> inactive) | |
| SM:DYNAMIC TABU UPDATE/ RDMD_DYNAMIC_TABU_UPDATE | Updates the table contents required to operate the Solution Manager (DSWPJOB) | |
| SM:DMD CONSISTENCY/ RDMD_INCONSISTENCIES | Checks the consistency of a solution data model (DSWPJOB) | |
| RDMD_INCONSISTENCIES/ RDMD_MIGRATE_OBJS_2_LANG_INDEP | (DSWPJOB) | |
| SM:REMOVE INCONSISTENCIES/ RDMD_REMOVE_INCON | Remove inconsistencies in the data model (DSWPJOB) | |
| SM:REORG APPLICATION LOG/ RDMD_REORG_APPLICATION_LOG | Reorganize Application Log (DSWPJOB) | |
| SM:REFRESH ENTRYSCREEN/ RDSMOPSOLUTIONLISTUPDATE | Update solution list: the status of every solution is determined for the overview list of all solutions (the access screen in transaction SOLUTION_MANAGER) (DSWPJOB) | |
| SM:SERVICE ASSISTANT EVENTS/ RDSVAS_EXECUTE_EVENTS | (DSWPJOB -> inactive) | |
| SM:HOURLY SERVICES/ RDSWPBACKGROUNDSERVICES_3 | (DSWPJOB -> inactive) | |
| SM:UPDATE RULES/ RDSWPRULESUPDATE | A set of rules which controls the services and documents that can be offered for information about system infrastructure and processes maintained in the Solution Manager (DSWPJOB) | |
| SM:SELFDIAGNOSIS/ RDSWP_SELF_DIAGNOSIS | Update Self-diagnosis (DSWPJOB) | |
| SM:MIGRATE SESS DL./ RDSWP_SSA_MIGRATE_SESS_DL | (DSWPJOB) | |
| SM:MOVE TO ARCHIVE QUEUE/ RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE | Move services and sessions to archive queue (DSWPJOB) | |
| EMAIL_NOTIFICATION (customer-specific)/ RSCONN01 (variant SAP) | Periodic background job to send queued e-mails (manually scheduled via transaction SCOT; see also IMG -> Cross-scenario settings) | |
| SM:RFC MONITORING/ RWBA_RFC_WATCHER | Check RFC connections. To be run hourly or daily (between 10 pm and 4 am). The job executes RFCPING or RFC_PING. | |
| SMSY_PPMS_DOWNLOAD_FROM_OSS | Update of product data download from SAP Support Portal | SAP-OSS |

10.2 Background Jobs for Implementation

Background jobs for Implementation.

Features
Background Jobs for Implementation

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| Job name (customer-specific)/ RSTIRIDX | Asynchronous indexing and de-indexing for Document Management (manually, see also IMG Cross-scenario Settings Document Management Servers Connect Index Server for Full Text Search) | |
| SM:ACCELERATE DOC USAGE/ RDMD_ACCELERATE_DOC_USAGE | Accelerates the where-used list for documents in the Solution (DSWPJOB) | |

10.3 Background Jobs for Test Management

Background jobs for Test Management

Features
Background Jobs for Test Management

| Background Job/Program, Report | Use | RFC Connection Used |
|---|---|---|
| AGS_BPCA_TBOM_OUTDATE_CHECKER | Check TBOM status | |
| AGS_BPCA_TBOM_REFERENCE_CHECK | Check Business Process Hierarchy (BPH) | |

10.4 Background Jobs for Monitoring

There are two kinds of background jobs for Monitoring:
- background jobs for EWA, SLR, and CSA
- background jobs for Monitoring, with Solution Manager as a Central Monitoring System (CEN)

Features
Background Jobs for EarlyWatch Alert, Service Level Reporting, Central System Administration

| Background Job/Program, Report | Use | RFC Connection Used |
|---|---|---|
| /BDL/TASK_PROCESSOR | Starts all tasks (maintenance) in satellite systems for service sessions (for instance EarlyWatch Alert) (automatically scheduled when SDCCN is activated in satellite system) | TRUSTED or LOGIN, see RFC Connections |
| SM:EXEC SERVICES/ RDSMOPBACK_AUTOSESSIONS | Executes service sessions in Solution Manager, carries out services daily (or weekly) and schedules new services (DSWPJOB) | |
| SM:CSA SESSION REFRESH/ DSVAS_APPL_CSA_REORG_TASKTABLE; RDSMOPSOL_MONIREFRESH | CSA Session Refresh (DSWPJOB). The CSA session opens in the background and runs every hour. This updates the task status icons in the SAP Solution Manager graphic. | |
| SM:CSA UPDATE TASKSTATUS/ DSVAS_APPL_CSA_UPD_TASKSTATUS | CSA Task Status Update (DSWPJOB) updates status symbols of CSA tasks in the graphical overview of systems | |
| SM:CSDCC HANDLE TASKS/ RCSDCCHANDLETASKS | (DSWPJOB) | |
| SM:SESSIONS RESET/ RDSMOP_SESSSION_RESET | Initialize session. The set-up sessions are automatically reset after a new ST-SER release is implemented or a new Support Package imported, so that these sessions always run on the newest check source code (DSWPJOB) | |
| SM:MIGRATE EWACUSTOMIZING/ RDSWPMIGRATEEWACUSTOMIZING | Migrate EWA Customizing (DSWPJOB) | |
| SM:SET DEFAULT RATING/ RDSWPSETDEFAULTRATINGHIERARCHY | Set default rating (DSWPJOB -> inactive) | |
| SM:SOLMAN MONITORING/ RDSWP_FILL_CCMS_ALERTS | Supplies the monitoring object of the CCMS for every solution with data from the Solution Manager, for example EWA, SL Reporting and transaction SDCCN. (DSWPJOB) | TRUSTED or READ |
| SM:DOWNLOAD DELETION/ RDSWPDOWNLOADDELETION | Download data which is more than 30 days old is deleted (DSWPJOB) | |
| Program name: RDSWP_DTM_UPDATE_DT_STATUS | Update downtime status. To run daily, between 00:00 and 00:10; period: 1. | |

Background Jobs for CCMS Monitoring

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| SAP_CCMS_MONI_BATCH_DP | Local dispatch background job for local method execution. Must be activated in Client 000 of the CEN system (SAP Solution Manager) and the managed system. | |
| SAP_CCMS_CENSYS_DISPATCHER | Central dispatch background job, must only be activated in Client 000 of the CEN system (Solution Manager) | |

10.5 Background Jobs for BI Reporting

Reporting BI
Background Jobs for Reporting

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| BI_TCO_ACTIVATION | Activate technical BI content, see IMG activity Create BI User in BI System (technical name: SOLMAN_CR_BI_USER) | |
| RDSWP_BI_BPM_EXTRACT | Extract data from solution to transfer table for Business Process Data. See IMG activity Maintain BI Reporting (technical name: SOLMAN_BPM_BI) | |

10.6 Background Jobs for Service Desk

Background Jobs for Service Desk

Features
Background Jobs for Service Desk

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| SM:RNOTIFUPDATE01/ RNOTIFUPDATE01 | Refreshes the contents of Support Desk or Expert-on-Demand messages that have been processed by SAP. Recommendation: Deactivate this job and schedule a customer-specific variant (DSWPJOB). | SAP-OSS-LIST-O01 |
| SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS | Transfer CSN Components to Solution Manager (DSWPJOB) | SAPOSS |
| AI_SDK_FILL_FILE_TYPE_TABLE/ AI_SDK_FILL_FILE_TYPE_TABLE | Only specified file types can be sent to SAP, for security reasons. All other attachments sent are refused by SAP. The program updates the file type tables AISDK_FILETX and AISDK_FILETY, for SAP to be able to read all the attachments which you send with your message. | SAP-OSS |

10.7 Background Jobs for Change Request Management

Background jobs for Change Request Management

Features
Background Jobs for Change Request Management

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| SM:TMWFLOW_CMSSYSCLO/ /TMWFLOW/CMSSYSCOL2 | gets tracking data from systems, asynchronously (DSWPJOB) | READ; TMWFLOW |

10.8 Background Jobs for SAP Engagement and Service Delivery and Issue Management

Background jobs for SAP Engagement and Service Delivery and Issue Management.

Features
Background Jobs for SAP Engagement and Service Delivery

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| SM:GET CSN COMPONENTS/ DSWP_GET_CSN_COMPONENTS | Transfer CSN components to Solution Manager (DSWPJOB) | SAPOSS |
| SM:SYNC SOLMAN INFO/ RDSMOPSERVICEINFOS | Self-Service: Components used by customers (DSWPJOB) | SAPOSS |
| SM:TOP ISSUE TRANSFER/ RDSWPCI_TOPISSUE_TRANSFER | Transfers the top issues that you have exchanged with SAP, once a week (DSWPJOB). | SAP-OSS |
| SM:SURVEY TRANSFER/ RDSWPCI_SURVEY_TRANSFER | Transfers the questionnaires for customer satisfaction with the service session and issue processing, to SAP (DSWPJOB). | SAP-OSS |
| SM:SEND_SOLUTIONS_TO_SAP/ RDSMOPCOLLECTSOLUTIONDATA | Sends the data of the configured solutions to SAP (DSWPJOB). | SAP-OSS |
| SM_SYNC_SAP SESSIONS/ RDSWPCISERVICEPLAN; RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4; RDSWPBACKGROUNDSERVICES_3 | The session scheduling in the service plan is updated daily by SAP. This report gets service plans from SAP. Get Service plan from SAP (DSWPJOB -> RDSMOPSERVICESESSIONS; RDSWPBACKGROUNDSERVICES_4 and RDSWPBACKGROUNDSERVICES_3 inactive) | SAP-OSS |
| SM:FILL ISSUE BUFFER TABLE/ DSWP_CI_ISSUE_BUFFER_TABLE | Fill Issue Buffer table (previously in DSWPJOB) | |
| SM:MIGRATE_ISSUE_PROJECT_CONTEXT/ RDSWPCI_ISSUE_PROJECT_CONTEXT1 | (DSWPJOB) | |
| SM:SYNC ISSUES FROM CRM/ RDSWP_ISSUE_REFRESH | Table DSWPISSUE contains information from the CRM document and the support message (context). This table is updated (DSWPJOB). | |
| SOLMAN_ISSUE_STATUS_REFRESH/ RBM_REFOBJ_BUFFER_UPDATE | The SAP Solution Manager buffers message attributes such as the current user and the processing status. This periodic job collects these message attributes from the message system and makes them available for analysis. | |

Note
Issue Management distinguishes between Top Issues and Issues. Top Issues bundle Issues which
contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues
are addressed to management. Issue data is sent via periodic background jobs (job: SM:TOP ISSUE
TRANSFER) once a week after the initial transfer. Initial transfer is done by dialog. You can avoid
sending data by deleting this job. If no data is sent to SAP, SAP Support cannot provide proactive
support. For information on Top Issue data which is sent, see SAP Note 971138. To see the data of a
Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to save the information that is sent to SAP
as an XML file on your desktop. You can then use Internet Explorer to view this XML file. Issue
Management makes use of WebDynpro Applications.

10.9 Background Jobs for Root Cause Analysis

Background Jobs for Root Cause Analysis

Features
Background Jobs for Root Cause Analysis

| Background Job/Program/Report | Use | RFC Connection Used |
|---|---|---|
| SM:SOLMAN_DIAG_UPDATE/ RSOLDIAG_CHECK_FOR_UPDATE | Checks your Solution Manager and notifies it about the changes made to relevant data and parameters (DSWPJOB). | |
| E2E_EFWK_WIZARD_BTC | Called during Diagnostics setup. The report schedules the Resource Manager via report E2E_EFWK_CREATE_RESOURCE_MGR. The program name of the Resource Manager is E2E_EFWK_RESOURCE_MGR. Scheduled once per minute | |

10.10 Background Jobs for Third Party Products

Background Jobs for Third Party Products

Features
Background Jobs for Third Party Products

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| Job name (customer-specific) / RS_SM_QC_REQUIREMENT_SYNC and RS_SM_QC_TESTRESULT_SYNC | SAP Quality Center by HP, to send Test Requirements and receive Test Results | |

10.11 Background Jobs for Service Provider

Background jobs for Service Provider

Features
Background Jobs for Service Provider

| Background Job/Program, Report | Use | RFC Connection |
|---|---|---|
| RPSMSY_MIGRATE_SYSTEM_USAGES | see IMG activity Schedule Background Job for service provider (technical name: SOLMAN_SPC_REPORT) | |

11 Traces and Logs

This section provides an overview of the trace and log files that contain, for example, security-relevant
information, so that you can reproduce activities if a security breach does occur.

11.1 Traces and Logs

System Landscape:
- Update logs
- RFC logs
- Data save logs

Solution Manager Implementation:
- All tabs can be traced. Each change on a tab is recorded.
- No changes of the assigned object are logged (except documents).
- You can specify which project and tab can be traced.
- Documentation can get different versions when changed.

Solution Manager Operations:
- Traces are available in “Solution Directory”.
- All tabs can be traced. Each change on a tab can be recorded.
- No changes of the assigned object are logged (except documents).
- You can specify which solution is traced.
- Documentation can get different versions when changed.

Customizing Distribution:
- Each distribution is logged.
- Each distributed object is logged.

12 Appendix

12.1 Glossary

12.1.1 Terminology: System Landscape and Related Terms

The Solution Manager is based on a system in a system landscape. Different terms are used to refer to this,
depending on how the system landscape is viewed. There are two semantic levels:
- overall view of systems and their role in the system landscape, and
- the technical level, referring to the technical attributes of a system, not its purpose in the system
  landscape.
It depends on whether the focus is on a system’s purpose or on its technical properties. There are
several possible perspectives:
- general perspective
  Term: System
- Solution Manager perspective (Solution Manager as the central management platform)
  Terms: Managing System, Managed System

Figure 3:

- business process-oriented perspective (business process as main focus)
  Term: Business System

Figure 4:

- technical perspective (technical attributes as main focus)
  Term: System Type, System Component, System Component Type, Technical System

Figure 5:

Features
The following table contains definitions of how these terms are used in documentation.

Definitions Infrastructure: System

| Term | Definition | Additional Remarks |
|---|---|---|
| System | Neutral definition from a general perspective. The name of the system is based on the SAP product definition. It can be defined more closely (see above), for example, managed system, business system and/or technical system. | Used in general documentation, in overviews and so on. Example: In your system landscape you maintain several systems. |
| Managing System | The central managing system, usually the Solution Manager system, from the Solution Manager perspective. A managing system usually manages other systems, which are called managed systems. | Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Central System (CCMS-related). Example: Your managing system is SAP Solution Manager. |
| Managed System | Any system that is managed by another system, usually the central Solution Manager system platform, from the Solution Manager perspective. In this sense, the Solution Manager system can also be a managed system. | Used in general Solution Manager scenario and function documentation in the system landscape. Synonym: Remote System (CCMS-related). Example: You monitor your managed systems regularly, using SAP Solution Manager. |
| Business System | Any system used in a business scenario, from a business perspective. | Used in general Business Suite and Solution Manager documentation, for Business Suite-related topics. Example: You monitor all business systems on which the business process steps run, regularly. |
| System Type | The type which the system can be, from a technical perspective: ABAP; Java; ABAP and Java | Used in general Solution Manager system landscape documentation, with reference to the general system architecture. Example: The SAP Solution Manager system is based on system types AS ABAP and AS Java. |
| System Component | A technical unit of a system which is itself defined by a main instance, depending on the application view (the business purpose), from a technical perspective. | The main instance can be defined in more detail by server, client, software component and so on. It can be installed independently. Example: Please change the data of the main instance for system component Solution Manager Diagnostics. |
| System Component Type | The underlying technology of the system component, from a technical perspective. | Example: System component Solution Manager Diagnostics is of system component type Java. |
| Technical System | A technical unit based on one or more instances, from a technical perspective. Main instances can be installed in one system, but also as independent (technical) systems with independent system IDs. It is defined by technical attributes, depending on the system component type, such as: System ID; Client; Installation Number; ... | Example: SAP Solution Manager is running on (technical) system: SMP Client 200. Solution Manager Diagnostics is running on (technical) system: SMD |

12.1.2 Terminology: Solution and Related Terms

The life cycle of a product comprises different phases, such as implementation, operation, and
optimization, which are all supported by SAP Solution Manager. In the operational phase, SAP
Solution Manager uses the technical unit Solution to bundle systems according to various criteria:
- related business process steps
- related systems by administration purpose
The term is related to another primary concept, the Logical Component. Technical systems are stored in
logical components, which are then referenced in the solution. The solution is uniquely defined by
its Leading System Role.

Features
The following table contains definitions of how these terms are used in documentation.

Definitions Infrastructure: Solution

| Term | Definition | Additional Remarks |
|---|---|---|
| Solution | A group of systems administered in SAP Solution Manager, which are managed together. Solutions are independent of one another, e.g. all systems of one subsidiary. | Used in general documentation, in overviews and so on. The solution is defined in the Solution Directory (transaction SOLMAN_DIRECTORY). Here, all information about included systems and business processes running on these systems is stored. It forms the basis for subsequent applications, such as Monitoring, Job Scheduling Management or Issue Management. Example: See document Solution Concept and Design on SAP Service Marketplace at: http://service.sap.com/solutionmanager Media Library Technical Papers. |
| Logical Component | A set of technical systems with the same SAP product release and main instance, to be able to use these systems in a system landscape uniformly in various SAP Solution Manager use scenarios, i.e. in implementation, operational processing, and permanent optimization. It separates the abstract component level from the physical system level, allowing system-independent business process definition. | Used in general documentation. Example: See document Logical Components on SAP Service Marketplace at: http://service.sap.com/solutionmanager Media Library Technical Papers. |
| Leading system role | The system role of the business processes documented in a solution, for instance production system or development system. The default system role is production, so all business processes defined for this solution run in systems with the system role: productive system. | Used primarily in documentation for Solution Directory. |
| Navigation role | Used only for business process operations: specifies the system role used for navigation (checks, display) to objects in managed systems. | Used in relation to business process operations documentation. Note: Change of navigation role is user-specific and valid for all solutions in the Solution Directory. Example: User <XY> wants to check objects in the development systems. The leading role of the solution is production system. The user specifies development system as navigation role. |

A Reference

A.1 The Main SAP Documentation Types


The following is an overview of the most important documentation types that you need in the
various phases in the life cycle of SAP software.

Figure 6: Documentation Types in the Software Life Cycle

Cross-Phase Documentation
SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, as
well as many glossary entries in English and German.
- Target group:
  - Relevant for all target groups
- Current version:
  - On SAP Help Portal at http://help.sap.com Additional Information Glossary (direct
    access) or Terminology (as terminology CD)
  - In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.
- Target group:
  - Consultants
  - System administrators
  - Project teams for implementations or upgrades
- Current version:
  - On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for
raising security levels. A collective security guide is available for SAP NetWeaver. This document
contains general guidelines and suggestions. SAP applications have a security guide of their own.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation
The master guide is the starting point for implementing an SAP solution. It lists the required
installable units for each business or IT scenario. It provides scenario-specific descriptions of
preparation, execution, and follow-up of an implementation. It also provides references to other
documents, such as installation guides, the technical infrastructure guide and SAP Notes.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking
into account the combinations of operating systems and databases. It does not describe any
business-related configuration.
- Target group:
  - Technology consultants
  - Project teams for implementations
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides
Configuration Documentation in SAP Solution Manager ‒ SAP Solution Manager is a life-cycle
platform. One of its main functions is the configuration of business and IT scenarios. It contains
Customizing activities, transactions, and so on, as well as documentation.

- Target group:
  - Technology consultants
  - Solution consultants
  - Project teams for implementations
- Current version:
  - In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system.
The Customizing activities and their documentation are structured from a functional perspective.
(In order to configure a whole system landscape from a process-oriented perspective, SAP Solution
Manager, which refers to the relevant Customizing activities in the individual SAP systems, is used.)
- Target group:
  - Solution consultants
  - Project teams for implementations or upgrades
- Current version:
  - In the SAP menu of the SAP system under Tools Customizing IMG

Production Operation
The technical operations manual is the starting point for operating a system that runs on SAP
NetWeaver, and precedes the solution operations guide. The manual refers users to the tools and
documentation that are needed to carry out various tasks, such as monitoring, backup/restore,
master data maintenance, transports, and tests.
- Target group:
  - System administrators
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The solution operations guide is used for operating an SAP application once all tasks in the
technical operations manual have been completed. It refers users to the tools and documentation
that are needed to carry out the various operations-related tasks.
- Target group:
  - System administrators
  - Technology consultants
  - Solution consultants
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade
The upgrade master guide is the starting point for upgrading the business and IT scenarios of an
SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an
upgrade. It also refers to other documents, such as the upgrade guides and SAP Notes.

- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account
the combinations of operating systems and databases. It does not describe any business-related
configuration.
- Target group:
  - Technology consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release
or changes to existing features since the previous release. Release notes about ABAP developments
are the technical prerequisite for generating delta and upgrade Customizing in the Implementation
Guide (IMG).
- Target group:
  - Consultants
  - Project teams for upgrades
- Current version:
  - On SAP Service Marketplace at http://service.sap.com/releasenotes
  - In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)

Typographic Conventions

| Example | Description |
|---|---|
| <Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”. |
| Example Example | Arrows separating the parts of a navigation path, for example, menu options |
| Example | Emphasized words or expressions |
| Example | Words or characters that you enter in the system exactly as they appear in the documentation |
| http://www.sap.com | Textual cross-references to an internet address |
| /example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web |
| 123456 | Hyperlink to an SAP Note, for example, SAP Note 123456 |
| Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works |
| Example | Output on the screen following a user action, for example, messages. Source code or syntax quoted directly from a program. File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE |
| EXAMPLE | Keys on the keyboard |

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2009 SAP AG. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10,
z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented
by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products
and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world. All other product and service names mentioned are the
trademarks of their respective companies. Data contained in this document serves informational purposes only. National
product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
(“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not
be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are
those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
This document was created using stylesheet 2007-12-10 (V7.2) / XSL-FO: V5.1 Gamma and XSLT processor SAXON 6.5.2
from Michael Kay (http://saxon.sf.net/), XSLT version 1.


Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or
altered in any way.

Documentation in the SAP Service Marketplace


You can find this document at the following address: https://service.sap.com/instguides


SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2009 SAP AG. All rights reserved.


