Академический Документы
Профессиональный Документы
Культура Документы
PUBLIC
%ETi^/ 8r1B'acc]Pf\1Wg
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com
Some components of this product are based on Java. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java Source Code delivered with this product is only to be used by SAPs Support Services and may not be modified or
altered in any way.
2/42
PUBLIC
2010-05-25
Document History
CAUTION
Before you start the implementation, make sure you have the latest version of this document.
You can find the latest version at the following location: http://service.sap.com/
securityguide.
The following table provides an overview of the most important document changes.
Version
Date
Description
1.0
2.0
2009-12-07
2010-06-15
First version
This is the update for SP03. For detailed information, refer to the appropriate SAP
central note.
2010-05-25
PUBLIC
3/42
Table of Contents
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 2
Chapter 3
Chapter 4
4.1
4.2
Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Enabling Activity Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Security Logging on Application Servers and Clients . . . . . . . . . . . . . . . . . . . . 15
Chapter 5
5.1
5.2
5.3
5.4
5.5
Chapter 6
6.1
6.2
Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Task Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Member Access Profile Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Chapter 7
7.1
7.2
4/42
PUBLIC
17
17
19
19
20
20
2010-05-25
Chapter 8
Chapter 9
Chapter 10
2010-05-25
PUBLIC
5/42
Introduction
1 Introduction
This document is not included as part of the Installation Guides, Configuration Guides, Technical
Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software
life cycle, whereby the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands
on security are also on the rise. When using a distributed system, you need to be sure that your data
and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation on your system should not result in
loss of information or processing time. These demands on security apply likewise to Planning and
Consolidation. To assist you in securing your system, we provide this Security Guide.
About This Document
The Security Guide provides an overview of the security-relevant information that applies to the system
Overview of the Main Sections
2010-05-25
PUBLIC
7/42
Introduction
RLU Authorizations
This section provides details on the authorization concept that applies to Planning and
Consolidation.
RLU Network and Communication Security
This section provides an overview of the network topology and communication protocols used
by the application.
RLU Data Storage Security
This section describes the security aspects involved with saving data used by the application.
RLU Dispensable Functions with Impact on Security
This section describes which functions are not absolutely necessary and how you can deactivate
them.
RLU Trace and Log Files
This section provides a link to where trace and log files are located.
8/42
PUBLIC
2010-05-25
For a complete list of the available SAP Security Guides, see http://service.sap.com/
securityguide on the SAP Service Marketplace.
Important SAP Notes
The most important SAP Notes that apply to the security of the system are shown in the table below.
Important SAP Notes
SAP Note Number
Title
Comments
1336043
1401702
1426263
1475726
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Quick Links to Additional Information
Content
Security
Security Guides
Related SAP Notes
Released Platforms
Network Security
SAP Solution Manager
http://sdn.sap.com/irj/sdn/security
2010-05-25
https://service.sap.com/securityguide
https://service.sap.com/notes
https://service.sap.com/pam
https://service.sap.com/securityguide
https://service.sap.com/solutionmanager
PUBLIC
9/42
For information about the technical system landscape, see the Master Guide at http://
service.sap.com/instguidesEPM-BPC
7.5, version for the Microsoft platform .
2010-05-25
PUBLIC
11/42
Security Overview
4 Security Overview
When you first install the system, the following items apply:
] The installation user can access Server Manager locally on the application server, and access the
Administration Console and Administration for the Web from any client machine. (After
additional users are defined, they can also access the administration features remotely.)
] The system administrator can perform all administrative tasks, but does not have any access to
members.
] There are no other users defined. See User Setup [page 20].
] There is one Admin team defined that can be used as a sample. See Team Setup [page 20].
] There is one sample task profile that has full Administration privileges (PrimaryAdmin), and
another sample task profile that has full Administration privileges and dimension access
(SysAdmin). See Team Setup [page 20].
] Administrators must specifically assign task profiles to users or teams of users before they can access
any tasks. Similarly, if they do not assign member access profiles to users or teams to define access
to members of a secured dimension, no one has access to that dimension. See Member Access Profile
Setup [external document].
] In the event of a system crash of the .NET server, you can log on using the SysAdmin user.
Steps to Define Security
When normal access to the system is no longer available, SAP customers can log on to the .NET server
as SysAdmin (or other operating system users with administrative rights) to repair the Planning and
Consolidation installation.
2010-05-25
PUBLIC
13/42
Security Overview
4.1
Security Reports
Data auditing is a different kind of auditing that allows you to capture an audit trail of the
changes made to the database. Once data auditing is enabled and a change to the data is recorded,
you can run data audit report based on specified criteria.
Planning and Consolidation does not support auditing for logon failure.
Procedure
14/42
PUBLIC
2010-05-25
Security Overview
4.2
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
If logging is not enabled, only unexpected errors are written to the table tblLogs in the AppServer
database.
If you enable logging, as described below, additional logging information is written to the table
tblLogs.
To enable logging on an application server:
1. On the application server, open Component Services
2. Expand COM+ applications.
3. Select OSoftLogging and expand it.
4. Select Components and expand it.
5. Select OSoft.Services.Platform.Logging.LogHandler and open Properties.
6. Select the Activation tab.
7. Select Enable object construction and type DEBUG.
Client Logs
If logging is not enabled, all unexpected errors are written to the file <YYYY-MM-DD>.Exception.log in
the folder <Client cache directory>\PC_MS\Logging.
2010-05-25
PUBLIC
15/42
Security Overview
4.2
If you enable logging, as described below, additional logging information is written to the file <YYYYMM-DD>.Message.log, in the same folder.
To enable logging on a client:
1. Open the Windows Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\SAP\BPC\COMMON. (If SAP\BPC\COMMON does not exist, you
must create it.)
3. From the Edit menu, select New String Value and create a string named Logging.
4. Select the string, and from the Edit menu, select Modify.
5. In Value data, enter 1 to switch on logging. (To switch off logging, enter 0 or clear the field.)
The SQE (Shared Query Engine) does not depend on this switch. To write an SQE log, you must create
a file, for example, EvDataServer_Debug.txt in <FileServer>\..\WebFolders\<Application set>
\<Application>\PrivatePublications\<UserID>.
16/42
PUBLIC
2010-05-25
5.1
If you are currently authenticating through Active Directory, there is a migration tool available
that allows you to convert your users over to authenticate through CMS. For more information,
see the Operations Guide.
This section contains information about user administration and authentication in the following topics:
>| User Authentication Process
>| Authenticating through CMS
>| Authenticating through Active Directory
>| Setting up Users
>| Setting up Teams
1.
2.
From the Logon window, credentials are either taken from the Windows operating system, or they
must be entered using an alternate ID. In the latter case, the user enters a domain, user ID, and
password.
The client creates a stub to call the Planning and Consolidation .NET Web server. This is configured
to use the credentials supplied by the user during logon.
2010-05-25
PUBLIC
17/42
5.1
3.
4.
5.
6.
7.
The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
The system validates that the user connecting to the Web server is the same user identified by the
credentials.
The Web server calls the Planning and Consolidation authentication service to validate the user
credentials. If CMS has been configured, the user credentials are validated against the
BusinessObjects Enterprise SDK. If CMS authentication is not used, the user credentials are
validated directly against Active Directory. For more details, see Authenticating through CMS [page
19] and Authenticating through Active Directory [page 19].
If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
If the user is authenticated successfully, the Web server sends the results to the Planning and
Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401 error.
1.
2.
3.
4.
5.
6.
7.
8.
The user navigates to the Planning and Consolidation home page. The Web server uses IIS Windows
(Integrated or Basic) authentication. If the user credentials are not valid, Windows prompts the
user to enter a user ID and password.
The client creates a stub to call the Planning and Consolidation application server.
The system builds a SOAP request, including the user credentials. The request is sent to the
application server.
The system validates that the user connecting to the Web server is same user identified by the
credentials.
The system calls the Planning and Consolidation authentication service to validate credentials.
If CMS has been configured, the user credentials are validated against the BusinessObjects
Enterprise SDK. If CMS authentication is not used, the user credentials are validated directly against
Active Directory. For more details, see Authenticating through CMS [page 19] and Authenticating through
Active Directory [page 19].
If the user credentials are not valid, the authentication service returns Access is denied. If the
credentials are valid, the service returns Auth Success.
If the user is authenticated successfully, the application server sends the results to the Planning
and Consolidation client. If the user is not authenticated, the Web server returns an HTTP 401
error.
18/42
PUBLIC
2010-05-25
5.2
In Server Manager, you can specify specific domains that are being used for Planning and
Consolidation users. In addition, filters can be applied to those domains to select specific users
from them. For more information, see the Operations Guide.
2010-05-25
PUBLIC
19/42
5.4
Setting Up Users
When you are adding new users from a domain to the system, you have the ability to select one
of the user-defined groups, and customize it further, if required.
When setting up users on the system, take the following considerations into account:
;2 We recommend that all users come from a single domain.
;2 We recommend that all users have access to the domain the server is on. If they do not have direct
access, the domain must be trusted between the server and user domain.
;2 The installation user must have rights to browse the users from all user domains.
Adding Users
You can add users in the Admin Console. To do so, choose Security Users , then expand the domain
name. In the Manage Users action pane, select Add New User, then enter the required data to specify the
domain, e-mail address, teams, task profiles, and member access profiles.
Modifying Users
You can modify a user definition in the Admin Console. To do so, choose Security Users . Select a
user. In the Manage Users Options task pane, choose Modify the selected user's definition. Follow the prompts in
the assistant.
NOTE
You can enable the server to be Sarbanes-Oxley compliant if you want all clients that access the
server to challenge users for a user name and password. See the Server Manager section of the
Application Help located at http://help.sap.com/epm.
20/42
PUBLIC
2010-05-25
5.5
Setting Up Teams
Features
Adding teams
To add a team, in the Admin Console by selecting Security Teams Add New Team . Enter data as
required.
Assigning team leaders
Assigning a team leader is useful when you want to give one person from the team special access rights,
for example, the rights to save templates to the team folder. A team leader that has ManageTemplate
privileges can save templates to their respective team folder. For more information, see the
ManageTemplate task in Task Profile Setup [external document].
In addition, a team leader is the only one who can save Data Manager conversion and transformation
files. See TeamLeadAdmin in Task Profile Setup [external document].
To assign a team leader, in the Admin Console select Security Teams , and select the desired user
from the team list.
Modifying teams
You can modify the definition of an existing team. When modifying a team, you can change everything
except the team name.
To modify a team definition, in the Admin Console select Security Teams . Select the team then
click Modify the selected team's definition. Follow the prompts in the assistant to revise the team definition,
revise selected team members, or assign different task and member access profiles.
2010-05-25
PUBLIC
21/42
Authorizations
6.1
6 Authorizations
A role is a predefined set of administration tasks. If you want to assign a user one or more administration
tasks, you must assign them one of the predefined administrator roles. Without one of these role
assignments, the user cannot perform any administrator tasks.
The three administrator roles are:
^" System Admin
^" Primary Admin
^" Secondary Admin
Default task rights
Task Profile
System Administrator (System Admin)
2010-05-25
Appset
DefineSecurity
OfflineAccess
Application
BusinessRules
DefineSecurity
Dimension
InsightAdmin
Lockings
ManageAudit
PUBLIC
23/42
Authorizations
6.1
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
|x
ManageBook
ManageBPF
ManageComments
ManageContentLib
ManageDistributor
ManageEvDREDefaultStyle
ManageLiveReport
MISC
RemoveBPFInstances
ResetBPFInstances
UploadtoCompanyFolder
WebAdmin
Dimension
ManageBPF
ResetBPFInstances
RemoveBPFInstances
The following table describes the available tasks in the Administration interface:
Task
Application
Can be assigned to
Only the primary administrator (default)
Appset
Business Rules
Dimension
Lockings
Misc
Description
Can create, modify, and delete applications
in this application set, make changes to
dimensions and add dimensions, and
optimize applications.
Can create new application sets, modify
application sets, and set application set
parameters (in Web Admin Tasks).
Can define business rules.
Create, modify, process, and delete
dimensions and members.
Set up and edit concurrent locks, and define
and edit work status codes.
Can manage and validate custom menus and
view application set status.
The following table describes the available tasks in the AnalysisCollection interface:
Task
eAnalyze
24/42
Can be assigned to
Anyone
Description
Can access, manage and edit ad hoc and audit reports,
and access and save to the report library.
PUBLIC
2010-05-25
Authorizations
6.1
ManageEvDREDefaultStyle
ManageTemplate
SubmitData
The following table describes the available tasks in the Audit interface:
Task
ManageAudit
Can be assigned to
Only primary administrators (default)
Description
Can manage activity and data auditing.
The following table describes the available tasks in the BusinessProcessFlow interface:
Task
BPFExecution
ManageBPF
RemoveBPFInstances
ReopenBPFStep
ResetBPFInstances
Can be assigned to
Anyone
Anyone
Primary and secondary
administrators (default)
Anyone
Anyone. Assigned to
primary and secondary
administrators, by default.
Description
Can run BPFs from Interface for Office or Interface for the
Web.
Can create and edit BPFs.
Can remove BPF instances from the system.
Can reopen a BPF step if it is closed or completed.
If the previous step is completed by a reviewer, a user cannot
reopen the step directly even though the user has this task.
They can send an e-mail request to the reviewer to reopen.
Can reset a BPF instance.
End users cannot reset a set of or all BPF instances.
The following table describes the available tasks in the Collaboration interface:
Task
ManageDistributor
PublishOffline
2010-05-25
Can be assigned to
Description
Only primary administrator (default) This user or team can use the Offline Distributor.
Anyone
This user or team collects changes to offline input
schedules and sends data to a database.
PUBLIC
25/42
Authorizations
6.1
The following table describes the available tasks in the Comments interface:
Task
AddComment
ManageComments
Can be assigned to
Anyone
Primary administrator (by default), but can be
assigned to system and secondary
administrators.
Description
This user or team can add comments.
This user or team can remove or modify
comments.
Can be assigned to
Anyone
PackageExecute
Anyone
GeneralAdmin
26/42
PUBLIC
Description
This user or team can manage Data Manager
packages:
mt, Data upload
mt, Data download
mt, Validate and Process conversion files for
company
mt, Validate and Process transformation files for
company
mt, Data Preview
mt, Clear saved prompts
mt, View status based on user ID
mt, View schedule status based on user ID
mt, Run Specific package
mt, Run user package
mt, Maintain status based on user ID
mt, View status
This user or team can manage Data Manager
packages:
mt, Data Preview
mt, Clear saved prompts
mt, View status based on user ID
mt, View schedule status based on user ID
mt, Run Specific package
mt, Run user package
mt, Maintain status based on user ID
mt, View status
This user or team can perform tasks such as:
mt, New Transformation
mt, Test transformation with data
mt, New Conversion
mt, New Conversion Sheet
mt, Save Conversion
2010-05-25
Authorizations
6.1
PrimaryAdmin
TeamLeadAdmin
The following table describes the available tasks in the FileAccess interface:
Task
UpdateToCompanyFolder
Can be assigned to
Description
Secondary administrator, by default, but can Can add files to the Company folder.
be assigned to primary administrators.
The following table describes the available tasks in the Insight interface:
Task
Analysis
2010-05-25
Can be assigned to
Anyone
Description
Has the following access rights to Insight:
4df View Dashboard
4df Define KPI
4df View KPI Variance
4df Analysis
4df Define KPI Alerts
4df Design KPI Charts
4df View KPI Radar
PUBLIC
27/42
Authorizations
6.1
O View KPI
O Predictions
O Create KPI report (flash)
O Perform KPI on-demand predictions
O Comment viewing based on variance context results
O Action Manager viewing
O Add new and update actions based on owner
O Edit actions regardless of owner
O Insert KPI into Word/PowerPoint/Excel
Primary administrator (by default), Can administer Insight.
but can be assigned to secondary
administrators.
InsightAdmin
The following table describes the available tasks in the Journal interface:
Task
Can be assigned to
Primary, system and secondary
administrators. (No default assignment)
AdminJournal
CreateJournal
PostJournals
ReviewJournals
UnpostJournals
Anyone
Anyone
Anyone
Anyone
Description
Can manage journals as follows:
O Create and maintain journal templates
O Clear journal tables
O Create Journal
Can create, modify, or delete journal entries.
Can post, repost, or reopen journals.
Can review journals
Can unpost journal entries.
The following table describes the available tasks in the Publish interface:
Task
ManageBook
PublishBook
PublishFile
Can be assigned to
Description
Primary administrator (No default assignment) This user or team can create, edit and save
definition books.
Primary administrator (No default assignment) This user or team can publish a book of reports.
Primary administrator (No default assignment) Can post files to the Content Library or in
Interface for the Web.
The following table describes the available tasks in the Security interface:
Task
DefineSecurity
28/42
Can be assigned to
Only system and
primary
Description
Can manage users, task, and member access profiles.
PUBLIC
2010-05-25
Authorizations
6.1
OfflineAccess
administrators (by
default).
System administrator Can log on to Planning and Consolidation for Office when
(by default), but can be application set status is Not available.
assigned to anyone
This task security does not control access to Interface for the Web.
This means that users can log on to the interface without having this
task security.
The following table describes the available tasks in the ViewSystemReport interface:
Task
BPFReport
Can be assigned to
Anyone
Anyone
CommentReport
Anyone
Security Report
AuditReport
Workstatus report
Description
This user or team can run audit reports.
This user or team can run Business Process
Flow reports.
This user or team can run a comment
report.
This user or team can run security reports.
This user or team can run a work status
report.
The following table describes the available tasks in the WorkStatus interface:
Task
SetWorkStatus
Can be assigned to
Anyone
Description
This user or team can manage work status on a data region.
The following table describes the available tasks in the Web interface:
Task
AccessContentLib
CreateWebPage
LiveReport
ManageContentLib
ManageLiveReport
2010-05-25
Can be assigned to
Anyone
Description
This user or team can access, filter, and sort, and add pages to the
Content Library in the Web interface.
Anyone
This user or team can create new web pages in the Web interface.
Anyone
This user or team can access live reports in the Web interface.
Primary administrator Can manage all items in the Content Library.
(by default), but can be
assigned to system and
secondary
administrators.
Primary administrator This user or team allows you to manage live reports using drag and
(by default), but can be drop in the Web interface.
PUBLIC
29/42
Authorizations
6.2
WebAdmin
assigned to secondary
administrators.
Primary administrator Can do the following in Admin Tasks:
(by default), but can be 't, Set application parameters
assigned to secondary 't, Manage dimensions (make changes to existing dimensions
administrators.
based on dimension)
't, Manage document types and subtypes
't, Publish Non-Planning and Consolidation reports
't, Edit drill through tables
't, Publish Reports
't, Use Bulk Collaboration
To create a new task profile in the Admin Console, choose Security Task Profiles . Enter data as
required.
Tips for Assigning Task Profiles
't, The number of task profiles administrators can assign to a user is not limited. However, we
recommend that you do not assign multiple task profiles to users because it may cause confusion
in determining their ultimate access rights.
Task access security is cumulative, and tasks cannot be explicitly denied. As a result, assigning
multiple task profiles can create a situation where users have access to tasks that you may not want
them to have. For example, an administrator wants UserA to only retrieve data. If UserA belongs
to a team that possesses data-send task rights, UserA can also send data.
't, Administrators can assign multiple task profiles to a team. However, we recommend that you do
not assign multiple task profiles to a team because it may cause confusion in determining the
ultimate access rights of that team.
30/42
PUBLIC
2010-05-25
Authorizations
6.2
J;> By default, no one other than the system administrator has access to members. Member access
must be explicitly granted.
J;> A user can be assigned member access individually and through team membership.
J;> Member access privileges flow down the hierarchy, from parent to child.
J;> When in conflict, the least restrictive member access profile is applied.
J;> In case of a conflict between individual and team member access, the least restrictive setting is
applied.
J;> Denial of member access can be set only at the user level.
Defining Access to Members with Children
When defining access to a secured dimension that has one or more defined hierarchies, security is
applied to the member and all of its children. For example, if you grant access to a member that has 10
children, users with access to the parent member also have access to the 10 children.
You can restrict a child member of a parent with Read or Read and Write access by creating a separate
member access profile and assigning the child Denied access. Alternatively, you can use the same
member access profile as the parent, but create a new line item for the child.
Creating Member Access Profiles
You can add member access profiles from the Admin Console by choosing Security Member Access
Profiles Add a New Member Access Profile and follow the prompts in the New Member Access Profile
assistant. Be sure to choose Apply to process the new member access profiles
Modifying Member Access Profiles
You can modify an existing member access profile by selecting Modify the selected profile definition in the
Manage Profile Options action pane. Follow the prompts in the Modify Profile assistant.
Resolving Member Access Profile Conflicts
Since you can define member access by individual users and by teams, there may be situations in which
conflicts occur. The following topics describe some potential member access conflict scenarios and the
rules the system applies to resolve those conflicts. These scenarios are based on the assumption that
the Entity dimension is a secured dimension and has the following hierarchical structure:
Hierarchy
H1
Members
WorldWide1
Sales
SalesAsia
SalesEurope
H2
2010-05-25
WorldWide2
Asia
Korea
Japan
PUBLIC
SalesKorea
SalesJapan
ESalesAsia
SalesItaly
SalesFrance
ESalesEurope
SalesKorea
SalesJapan
31/42
Authorizations
6.2
Europe
eAsia
Italy
France
eEurope
ESalesAsia
SalesItaly
SalesFrance
ESalesEurope
Scenario 1:
vCB User1 belongs to Team1 and Team2.
vCB There are two member access profiles: ProfileA and ProfileB.
vCB ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB
Access
Read & Write
Read Only
Dimension
Entity
Entity
Member
Sales
SalesAsia
In this case, the least restrictive profile between the two, ProfileA (Read & Write), is applied. As a
result, ProfileB is ignored by the system, and User1 is able to send data to both SalesKorea and
SalesItaly.
EXAMPLE
Scenario 2:
vCB User1 belongs to Team1 and Team2
vCB There are two member access profiles: ProfileA and ProfileB.
vCB ProfileA is assigned to Team1 and ProfileB is assigned to Team2.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB
Access
Read Only
Read & Write
Dimension
Entity
Entity
Member
Sales
SalesAsia
In this case, the least restrictive profile between the two, ProfileB (Read & Write), is applied for the
child members of SalesAsia. As a result, ProfileA is ignored by the system, and User1 is able to send
data to SalesKorea, but not to SalesItaly.
32/42
PUBLIC
2010-05-25
Authorizations
6.2
Scenario 3:
?|m User1 does not belong to any team.
?|m There are two member access profiles: ProfileA and ProfileB.
?|m Both the profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile
ProfileA
ProfileB
Access
Denied
Read Only
Dimension
Entity
Entity
Member
SalesAsia
Sales
In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a
result, ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea
and SalesItaly.
Conflict Between Parent and Child Members
Authority always flows down the hierarchy from parent to child. Child members always have the access
level of their parents, unless otherwise specified.
EXAMPLE
Scenario 1:
?|m User1 belongs to Team1 and ProfileA is assigned to Team1.
?|m Two levels of member access profiles are defined for ProfileA.
The member access profiles for the ProfileA are described in the following table:
Member access profile
ProfileA
ProfileA
Access
Read & Write
Read Only
Dimension
Entity
Entity
Member
Sales
SalesAsia
In this case, the Read & Write access of the Sales member flows down to its children. This flow is
interrupted by assigning Read Only access to SalesAsia (a descendant of Sales), and SalesAsias
access flows down to its descendants. As a result, User1 is able to send data to SalesItaly, but not
to SalesKorea.
EXAMPLE
Scenario 2:
?|m User1 belongs to Team1 and ProfileA is assigned to Team1.
?|m ProfileA has two levels of member access profiles.
The member access profiles for the ProfileA are described in the following table:
2010-05-25
PUBLIC
33/42
Authorizations
6.2
Access
Read Only
Read & Write
Dimension
Entity
Entity
Member
Sales
SalesAsia
In this case, the Read Only access of the Sales member flows down to its children. This flow is
interrupted by assigning Read & Write access to SalesAsia (a descendant of Sales), and SalesAsias
access flows down to its descendants. As a result, User1 is able to send data to SalesKorea but not
to SalesItaly.
Conflict When the Same Member Belongs to Different Hierarchies
When a member belongs to different hierarchies, and there is a conflict in member access, the most
restrictive access is applied.
EXAMPLE
Scenario: ProfileA and ProfileB are assigned to User1. The member access profiles are described in
the following table:
Member access profile
ProfileA
ProfileB
Access
Read Only
Read & Write
Dimension
Entity
Entity
Member
WorldWide1
WorldWide2
In this case, ProfileB determines User1s access. As a result, User1 is able to send data to SalesKorea,
even if ProfileA denies User1 Write access to SalesKorea (in WorldWide1 hierarchy).
34/42
PUBLIC
2010-05-25
7.1
Your network infrastructure is important in protecting your system. Your network needs to support
the communication necessary for your business and your needs without allowing unauthorized access.
A well-defined network topology can eliminate many security threats based on software flaws (at both
the operating system and application level) or network attacks such as eavesdropping.
If users cannot log on to your application or database servers at the operating system or database layer,
then there is no way for intruders to compromise the machines and gain access to the back-end systems
database or files. Additionally, if users are not able to connect to the server LAN (local area network),
they cannot exploit well-known bugs and security holes in network services on the server machines.
Details that specifically apply to Planning and Consolidation are described in the following topics:
)MJ Communication Channel Security
This topic describes the communication paths and protocols used by the application.
)MJ Network Security
This topic describes the recommended network topology for the application. It shows the
appropriate network segments for the various client and server components and where to use
firewalls for access protection. It also includes a list of the ports needed to operate the application.
Protocol Used
2010-05-25
PUBLIC
35/42
7.2
Network Security
Data Requiring Special
Protection
Communication Path
Protocol Used
TCP/IP
NOTE
Communication with the Windows Active Directory is done by the native Windows Operation
System.
We recommend HTTPS for enhanced security. HTTPS is required if the client uses basic
authentication to access the .NET web/application server.
36/42
PUBLIC
2010-05-25
In Planning and Consolidation, user data is stored in CMS or Active Directory, and authorization data
is stored on the SQL database.
Business data is loaded by users and administrators and stored in the SAP database.
Some configuration data is loaded upon system installation; the configuration file is located on the .NET
server tier in \PC\Websrvr\web\ServerConfiguration.config. The system is preconfigured to provide a substantial
level of data protection, but you should also make sure that no one has access to the service accounts
defined during the installation.
The system uses a client-side file system to store metadata and template data temporarily because read,
write, delete, change, and query access for existing data may be required. This data is stored in the local
file system of the client within the \MyDocuments\OutlookSoft directory. We recommend that only users
and administrators have access to this directory.
Since Interface for the Web uses a browser as its interface, it uses cookies to store front-end metadata
and configuration information during individual user sessions. This data requires no special protection,
and no special measures to protect the cookies are necessary.
2010-05-25
PUBLIC
37/42
For the server installation, all functional modules are necessary and are used at runtime.
An installation contains a default application set named ApShell. This is the only component you can
remove after you complete your own application set development.
Client Installation
A Planning and Consolidation installation includes a Microsoft Office client and an Administration
client for different kinds of users. Users can install one or both.
2010-05-25
PUBLIC
39/42
10
The system provides log files on both the client side and the .NET server side. The client side log is
located in My Documents\BPC\Logging. The server log is located in (PC install dir)\Logging. Both logs are named
logmm-dd-yyyy.txt, where mm-dd-yyyy is the date to which that log applies. The system creates a new
log each day.
For more information about log and trace files, see the Operations Guide.
2010-05-25
PUBLIC
41/42
SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com