
Security Guide Document version: 1.2 – 2014-07-18

PUBLIC

SAP SCM 7.0 Component Security Guide

Release 700


© Copyright 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Please see www.sap.com/corporate-en/legal/copyright/index.epx for disclaimer information and notices.

Typographic Conventions

Table 1

| Example | Description |
| --- | --- |
| <Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, “Enter your <User Name>”. |
| Example → Example | Arrows separating the parts of a navigation path, for example, menu options |
| Example | Emphasized words or expressions |
| Example | Words or characters that you enter in the system exactly as they appear in the documentation |
|  | Textual cross-references to an internet address |
| /example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web |
|  | Hyperlink to an SAP Note, for example, SAP Note 123456 |
| Example | Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options. |
|  | Cross-references to other documentation or published works |
| Example | Output on the screen following a user action, for example, messages |
|  | Source code or syntax quoted directly from a program |
|  | File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE |
| EXAMPLE | Keys on the keyboard |

Document History

Caution

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com/securityguide.

The following table provides an overview of the most important document changes.

Table 2

| Version | Date | Description |
| --- | --- | --- |
| 1.0 | 2008-11-21 | New version |
| 1.1 | 2010-03-26 | Update of List of SAP Notes |
| 1.2 | 2014-07-18 | Addition of chapter Data Protection |

Content

1 Introduction
2 Before You Start
3 Technical System Landscape
4 User Administration and Authentication
4.1 User Management
4.2 User Data Synchronization
4.3 Integration Into Single Sign-On Environments
5 Authorizations
5.1 Standard Roles
5.2 Roles for SAP APO
5.3 Authorizations for SCM Basis
5.4 Maintaining Authorizations for SAP APO
5.5 Authorizations for Service Parts Planning
5.6 Maintaining Authorizations for SAP Forecasting and Replenishment
5.7 Maintaining Authorizations for Integration with SAP Components
5.8 Maintaining Authorizations for Enterprise Services
6 Network and Communication Security
6.1 Communication Channel Security
6.2 Network Security
6.3 Communication Destinations
7 Data Storage Security
8 Data Protection
8.1 Deletion of Personal Data
9 Security for Additional Applications
10 Enterprise Services Security
11 Other Security-Relevant Information
12 Trace and Log Files
A Appendix
A.1 Related Security Guides
A.2 Related Information
B Reference
B.1 The Main SAP Documentation Types

1 Introduction

Caution

This guide does not replace the daily operations handbook that we recommend customers create for their specific productive operations.

This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.

Why is Security Necessary

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security also apply to SAP Supply Chain Management (SAP SCM). To assist you in securing your SAP SCM component, we provide this Component Security Guide.

Recommendation

We strongly recommend that you also consult the SAP NetWeaver Security Guide.

About This Document

This Security Guide provides an overview of the security-relevant information that applies to SAP SCM. It covers the following parts of the component:

● SAP SCM 7.0 Server
● SAP Advanced Planning and Optimization (SAP APO)
● SAP SCM Optimizer (optional SAP APO component)
● Embedded SAP BI 7.0 (only used and required for the SAP APO 7.0 component within SAP SCM 7.0)
● Third party software: PTV eServer for SAP SCM 7.0

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.

Technical System Landscape

This section provides an overview of the technical components and communication paths that are used by the SAP SCM component.

User Administration and Authentication

This section provides an overview of the following user administration and authentication aspects:

○ Recommended tools to use for user management.
○ User types that are required by the SAP SCM component.
○ Standard users that are delivered with the SAP SCM component.
○ Overview of the user synchronization strategy, if several components or products are involved.
○ Overview of how integration into Single Sign-On environments is possible.

Authorizations

This section provides an overview of the authorization concept that applies to the SAP SCM component.

Network and Communication Security

This section provides an overview of the communication paths used by the SAP SCM component and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.

Data Storage Security

This section provides an overview of any critical data that is used by the SAP SCM component and the security mechanisms that apply.

Security for Third-Party or Additional Applications

This section provides security information that applies to third-party or additional applications that are used with the SAP SCM component.

Other Security-Relevant Information

This section contains information about:

User Frontend

Enterprise Services

Virus Check of Document Attachments

Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.

Appendix

This section provides references to further information.


2 Before You Start

Fundamental Security Guides

This Component Security Guide provides references to other documentation. You can find this security-relevant documentation for the SAP SCM component as follows:

Table 3: Fundamental Security Guides and Documentation

| Guide/Documentation | Full Path to the Guide |
| --- | --- |
| SAP NetWeaver Security Guide | service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) |
| SAP NetWeaver Documentation | help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → English → SAP NetWeaver Library → SAP NetWeaver by Key Capability |
| SAP SCM Master Guide | SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP SCM 7.0 Server → Master Guide SAP SCM 7.0 |
| SAP SCM Documentation | help.sap.com → SAP Business Suite → SAP Supply Chain Management → SAP SCM 7.0 → Application Help EN → SAP Supply Chain Management (SAP SCM) |
| SAP SCM Installation Guide | SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP SCM 7.0 Server → Installation Documentation SAP SCM 7.0 |

Related Security Guides

The following table provides an overview of all related Security Guides for this component.

Table 4: Related Security Guides

● SAP Extended Warehouse Management Security Guide: service.sap.com/securityguide → SAP Extended Warehouse Management
● SAP Supply Network Collaboration Security Guide: SAP Supply Network Collaboration
● SAP Event Management Security Guide: SAP Event Management
● SAP Forecasting and Replenishment Security Guide: Industry Scenario Security Guides → SAP Forecasting and Replenishment

Security Guides for SAP NetWeaver Products

For the Security Guides mentioned below, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete).

Table 5

| Topic | See |
| --- | --- |
| Security Guides for SAP NetWeaver According to Usage Types |  |
| Application Server (AS) | SAP NetWeaver Application Server ABAP Security Guide; SAP NetWeaver Application Server Java Security Guide; Internet Transaction Server Security; Interactive Forms Based on Adobe Software Security Guide |
| EP Core (EPC) | Portal Security Guide |
| Enterprise Portal (EP) | Knowledge Management Security Guide; Collaboration Security Guide |
| Business Information (BI) | SAP Business Information Warehouse Security Guide |
| Mobile Infrastructure (MI) | SAP Mobile Infrastructure Security Guide |
| Security Guides for Standalone Engines |  |
| SAP Content Server | SAP Content Server Security Guide |
| Operating System and Database Platforms |  |
| Operating System and Database Platforms | Security Guides for the Operating System and Database Platforms |
| SAP Max DB Security Guide | on SAP Service Marketplace at: SAP NetWeaver 7.0 Security Guides (Complete) → Security Guides for the Operating System and Database Platforms → Database Access Protection → Max DB Security Guide; on SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → SAP NetWeaver 7.0 Library EN → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Application Platform by Key Capability → Databases → MaxDB |

Note

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at service.sap.com/securityguide.

Important SAP Notes

The most important SAP Notes that apply to the security of the SAP SCM component are shown in the table below.

Table 6: Important SAP Notes

| SAP Note Number | Title | Comment |
| --- | --- | --- |
|  | Changing the DBM, SYSDBA and DBA user passwords | This note provides information on changing the passwords. |
| 30724 | Data protection and security in SAP Systems |  |
| 128447 | Trusted/Trusting Systems |  |
|  | RFC destination for working globally with the liveCache |  |
|  | Authorizations in APO Demand Planning | A brief explanation of the concept behind authorizations in SAP APO for Demand Planning |
|  | APO: Authorizations too comprehensive/not user-specific |  |
|  | Global ATP: No logoff of user RFC_USER from APO system |  |
|  | SAPHTTP and SSL | This note provides information on setting up a secure connection (SSL) to the Web server, with SAPHTTP. |
|  | Setting-up SSL on the Web Application Server ABAP |  |
|  | Browsers supported by BSP |  |
|  | liveCache >= 7.4: Password change |  |
|  | Missing authorization object for database views |  |
|  | SCM 4.1 upgrade: Additional authorization checks |  |
|  | @stake, iDefense, Heise: SAP DB/MaxDB security breaches | This note provides information about the secure operation of SAP DB/MaxDB and liveCache. |
|  | Authorization role for the SAP SCM – SAP R/3 integration |  |
|  | Subsequent implementation of a security level for documents |  |
|  | Standard user must be known to the DBM server |  |
|  | Role for managing the liveCache and LCA routines |  |
|  | Missing authority check in APO transaction |  |
|  | Missing authority check in APO transaction |  |

Note

For more SAP Notes about security, see SAP Service Marketplace at the following locations:

● service.sap.com/security
● service.sap.com/securitynotes SAP Security Notes

Additional Information

For more information about specific topics, see the addresses on SAP Service Marketplace as shown in the table below.

Table 7: Quick Links to Additional Information

| Content | Quick Link on the SAP Service Marketplace or SDN |
| --- | --- |
| Security |  |
| Security Guides |  |
| Related SAP Notes |  |
| Released Platforms |  |
| Network Security |  |
| SAP Solution Manager |  |
| SAP NetWeaver |  |

3 Technical System Landscape

The following table lists where you can find more information about the technical system landscape.

Table 8: More Information About the Technical System Landscape

| Topic | Guide/Tool | Quick Link to the SAP Service Marketplace |
| --- | --- | --- |
| Technical System Landscape | SAP SCM Master Guide | SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP SCM 7.0 Server → Master Guide SCM 7.0 |
| Technical System Landscape & Installation | SAP SCM Installation Guide(s) | SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP SCM 7.0 Server → Installation Guides → Installation Guide for SCM 7.0 |
| Technical Configuration, High Availability | Technical Infrastructure Guide |  |
| Security | Security Guide |  |

4 User Administration and Authentication

The SAP SCM component uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to the SAP SCM component.

In addition to these guidelines, we include information about user administration and authentication that specifically applies to the SAP SCM component in the following topics:

User Management [page 14]

This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the SAP SCM component.

User Data Synchronization [page 18]

The SAP SCM component shares user data with SAP NetWeaver. This topic describes how the user data is synchronized with these other sources.

Integration Into Single Sign-On Environments [page 18]

This topic describes how the SAP SCM component supports Single Sign-On mechanisms.

4.1 User Management

User management for the SAP SCM component uses the mechanisms provided by the SAP NetWeaver Application Server ABAP, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for the SAP SCM component, see the sections below. In addition, we provide a list of the standard users required for operating the SAP SCM component.

User Administration Tools

The table below shows the tools to use for user management and user administration with the SAP SCM component.

Table 9: User Management Tools

| Tool | Detailed Description | Prerequisites |
| --- | --- | --- |
| User Management for the ABAP Engine (transaction SU01) | Use the user management transaction SU01 to maintain users in ABAP-based systems. |  |
| Profile Generator (transaction PFCG) | Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems. |  |
| Central User Administration (CUA) | Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported. |  |
| User Management Engine (UME) administration console | Use the Web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP J2EE Engine and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server. |  |
| SAP J2EE Engine user management using the Visual Administrator | Use the Visual Administrator to maintain users and roles on the SAP J2EE Engine. The SAP J2EE Engine also supports a pluggable user store concept. The UME is the default user store. |  |
| SAP NetWeaver Identity Management 7.1 | For an overview of the information necessary for securing operations with SAP NetWeaver Identity Management, see the Security Guide available on the SAP Help Portal at help.sap.com/ → SAP NetWeaver Identity Management 7.1. |  |

Note

For a detailed description of the user management tools available in SAP NetWeaver, see the SAP NetWeaver Security Guide on SAP Service Marketplace at SAP NetWeaver 7.0 Security Guides (Complete) → User Administration and Authentication → User Management, in the section User Management Tools.

User Types

It can be necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.

The user types that are required for the SAP SCM component include:

● Individual users:
  ○ Dialog users are used for individual, interactive system access.
● Technical users comprise the following types:
  ○ Service users are dialog users that are available to a larger, anonymous group of users.
  ○ Communication users are used for dialog-free communication for external RFC calls.

Note

For more information about these user types, see the SAP NetWeaver Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → User Administration and Authentication → User Management, in the section User Management Tools.

Standard Users

The following table shows the standard users that are necessary to operate SAP SCM 7.0:

Table 10: Standard Users

| System | User ID | Delivered? | Type | Default Password | Detailed Description |
| --- | --- | --- | --- | --- | --- |
| SAP SCM 7.0 Server | <sapsid>adm | Yes | SAP System Administrator | To be entered | SAP SCM Installation Guide → Installation Document SCM Server 7.0 <Operating System / DB> → Installation Documentation |
| SAP SCM 7.0 Server | SAPService<sapsid> | Yes | SAP System Service Administrator | To be entered | SAP SCM Installation Guide → Installation Document SCM Server 7.0 <Operating System / DB> → Input for the Installation |
| SAP Web AS | SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC) | Yes | See SAP NetWeaver Security Guide | See SAP NetWeaver Security Guide | SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Protecting Standard Users |
| SAP Web AS | SAP Standard J2EE Users (Administrator, Guest, Emergency) | Yes | See SAP NetWeaver 7.0 Security Guide | See SAP NetWeaver 7.0 Security Guide | SAP NetWeaver Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → User Administration and Authentication → User Administration and Standard Users → Standard Users and Standard User Groups |
| SAP J2EE Engine | SAPJSF | Yes | Communication user | To be entered | SAP SCM Installation Guide → Installation Document SCM Server 7.0 <Operating System / DB> → Installation Process → Input for the Installation |
| SAP SCM 7.0 | RFC communication users (you need an RFC communication user for each RFC destination in the section Communication Destination) | No | Communication user | The authorizations of the user depend on the business case. For more information, see Authorizations [page 20] in this Security Guide. | Communication Destinations [page 28] and Authorizations [page 20] |
| SAP SCM 7.0 | Business processing users (you need a user in each component, for each employee working with the system) | No | Dialog user | To be entered | SAP SCM 7.0 documentation and Authorizations [page 20] |
| SAP liveCache | <lcid>adm | Yes | Operating system user | To be changed | SAP SCM Installation Guide: Installation Document – SCM Server 7.0 <relevant Operating System / DB> → Post Installation Activities → Changing Passwords of Created Users and SAP Notes 25591 and 616555. |
| SAP liveCache | SAP<sapsid>, liveCache database owner | Yes | MaxDB database user | To be changed | SAP SCM Installation Guide: Installation Document – SCM Server 7.0 <relevant Operating System / DB> → Post Installation Activities → Changing Passwords of Created Users and SAP Notes 25591 and 616555. |
| SAP liveCache | CONTROL, liveCache database manager operator | Yes | MaxDB database user | To be changed | SAP SCM Installation Guide: Installation Document – SCM Server 7.0 <relevant Operating System / DB> → Post Installation Activities → Changing Passwords of Created Users and SAP Notes 25591 and 616555. |
| SAP liveCache | SUPERDBA, liveCache administration user | Yes | MaxDB database user | To be changed | SAP SCM Installation Guide: Installation Document – SCM Server 7.0 <relevant Operating System / DB> → Post Installation Activities → Changing Passwords of Created Users and SAP Notes 25591 and 616555. |

Recommendation We recommend that you change the user IDs and passwords that are automatically created

Recommendation

We recommend that you change the user IDs and passwords that are automatically created during installation.

4.2 User Data Synchronization

To avoid administrative effort, you can use user data synchronization in your system landscape. Since the SAP SCM component is based on SAP NetWeaver, all the mechanisms for user data synchronization of SAP NetWeaver are available for SAP SCM.

Note

For information about user data synchronization, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace under SAP NetWeaver 7.0 Security Guides (Complete) → User Administration and Authentication → Integration of User Management in Your System Landscape.

4.3 Integration Into Single Sign-On Environments

The SAP SCM component supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to the SAP SCM component.

Note

For more information about integration into Single Sign-On environments based on SAP NetWeaver, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace under SAP NetWeaver 7.0 Security Guides (Complete) → User Administration and Authentication → User Authentication and Single Sign-On, in the section Integration into Single Sign-On Environments.

For more information about authentication on the SAP Web application server ABAP, see the SAP NetWeaver 7.0 Security Guide on SAP Services Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication.

The most widely-used supported mechanisms are listed below.

Secure Network Communications (SNC)

SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.

For more information, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace under SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 → Security Guides → Network and Communication Security → Transport Layer Security → Secure Network Communications (SNC).

SAP logon tickets

The SAP SCM component supports the use of logon tickets for SSO when using a Web browser as the frontend client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace under SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 → Security Guides → User Administration and Authentication → User Authentication and Single Sign-On.

Client certificates

As an alternative to user authentication using a user ID and passwords, users using a Web browser as a frontend client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.

For more information, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace under SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 → Security Guides → User Administration and Authentication → User Authentication and Single Sign-On.

5 Authorizations

The SAP SCM component uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP also apply to the SAP SCM component.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, you can use the Profile Generator (transaction PFCG) when using ABAP.

Note

For information about role maintenance and the Profile Generator, see SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → English → SAP Library → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance.

Note

For information about the authorization concept of SAP NetWeaver, see SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → English → SAP Library → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept.

5.1 Standard Roles

With the SAP SCM component, SAP delivers SAP standard roles to cover the common business cases. These roles can be used as examples, or as a copy master for your own roles.

Using input help, you can find the SAP standard roles in the Profile Generator (transaction code PFCG). You can use search terms to restrict the selection to the required standard roles. For example, the search term *APO* lists all APO-relevant SAP standard roles. The role short text helps you find the role for your business needs. The role documentation provides you with a detailed description of the role content.

Some of the components in SAP SCM have additional authorization methods. The relevant components and Customizing activities are shown in the following sections.

We strongly recommend that you conservatively assign the authorization profiles SAP_ALL and SAP_NEW to users in your production system! If you are not careful, these profiles can weaken the overall security concept in your production system.


5.2 Roles for SAP APO

For information about roles in SAP APO, see SAP Help Portal at help.sap.com → SAP Business Suite → SAP Supply Chain Management (SAP SCM) → SAP SCM 2007 → Application Help EN → SAP Supply Chain Management (SAP SCM) → SAP Advanced Planning and Optimization (SAP APO) → Roles for SAP APO.

5.3 Authorizations for SCM Basis

Authorization object /SCMB/PESL – Define PSM Selection

The system uses the authorization object /SCMB/PESL on the Define Selection screen of the Planning Service Manager. The authorization object enables users to save and delete their selections.

Defined fields

The fields ACTVT and USER are available to maintain the authorization object /SCMB/PESL.

You can choose the following activities for the ACTVT field:

06 (Delete): Delete a Selection

34 (Save): Save a Selection (Create and Change)

In the USER field, you can enter the user for whose selection you want to execute the activities in the ACTVT field.

5.4 Maintaining Authorizations for SAP APO

Procedure

This procedure allows you to maintain authorizations for SAP Advanced Planning & Optimization (SAP APO).

Maintaining Master Data

1. In Customizing for SAP SCM, to define iPPE user profiles, choose Advanced Planning and Optimization → Master Data → Integrated Product and Process Engineering (iPPE) → Settings for the iPPE Workbench Professional → Define User Profiles for the iPPE Workbench Professional.

2. Change the iPPE user profiles defined by SAP in this Customizing activity by changing, copying, renaming, or creating new user profiles.

The SAP system includes the following user profiles:

Table 11: Standard User Profiles

| User Profile | Explanation |
| --- | --- |
| S_PPEALL (Total Display) | This profile includes all the settings you need to work with the iPPE Workbench. |
| S_ASTACT (Process Structure) | Part of the S_PPEALL profile; calls up a process structure as a selection tree in the detail area of the iPPE Workbench. |
| S_ASTCMP (Product Structure) | Part of the S_PPEALL profile; calls up a product structure as a selection tree in the detail area of the iPPE Workbench. |
| S_ASTFLO (Factory Layout) | Part of the S_PPEALL profile; calls up a line structure as a selection tree in the detail area of the iPPE Workbench. |

3. Change, copy, and rename the profiles, or create new profiles with the following options:

Model Definitions:

You define how the model definitions between the objects are displayed in the navigation area.

Product Lifecycle Management (PLM) Environment:

Here you define how objects from the PLM environment are displayed in the navigation area of the iPPE Workbench.

Reports:

You define the reports to be available for this profile in the iPPE Workbench Professional. You can only choose reports that you have already defined in the activity Define Reports for the Reporting Tree.

4. Save your entries.

Maintaining Authorizations for Supply Chain Planning

1. In Customizing for SAP SCM, to specify the person (planner) responsible, choose Advanced Planning and Optimization → Supply Chain Planning → Specify the Person (Planner) Responsible.

2. To assign planning privileges to planners, you have to maintain the applications for which each planner is responsible as follows:

   1. Choose New Entries.

   2. Enter an identifier and description for each planner.

   3. Select each area for which you want the planner to have privileges.

3. Save your entries.

Maintaining Authorizations for Supply Network Planning and Demand Planning

As of SAP SCM 4.1, planning books within Supply Network Planning (SNP) and Demand Planning (DP) have a new authorization concept. The main advantage is that the creation or modification of planning books is controlled by authorizations and not by the system change option for the SAP APO component.

For more information about the authorization concept, see SAP Note 400434.

Note

Trace Reads / Gateway User

The optimizers of SAP APO write traces (or dumps) to the local hard disk of the optimization server. The log folder of the local RFC Gateway is used. To protect this data, read access to the traces should be restricted to the gateway user.

Passwords / RFC Interface

SAP APO does not use passwords; access is granted using RFC interfaces.
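
One way to check the restriction described under Trace Reads / Gateway User, as an added example that is not SAP code: the script reports every entry in a trace folder that is not owned by the gateway user or that group/others can read, and can optionally strip those permission bits. It assumes a Unix-like optimization server with POSIX file modes; the folder path and the gateway user's numeric UID are parameters you supply, and the file names in the demo are constructed.

```python
import os
import stat
import tempfile

# Permission bits that let someone other than the owner read a trace.
GROUP_OTHER_FILE = stat.S_IRGRP | stat.S_IROTH
# For directories, execute (search) permission also exposes the contents.
GROUP_OTHER_DIR = GROUP_OTHER_FILE | stat.S_IXGRP | stat.S_IXOTH


def _walk(trace_dir):
    """Yield trace_dir itself, then everything below it (symlinks not followed)."""
    yield trace_dir
    for dirpath, dirnames, filenames in os.walk(trace_dir):
        for name in sorted(dirnames + filenames):
            yield os.path.join(dirpath, name)


def audit_trace_permissions(trace_dir, gateway_uid, fix=False):
    """Return (relative_path, reason) findings for the trace folder.

    With fix=True, entries owned by gateway_uid have all group/other
    permission bits removed; entries owned by anyone else are only reported.
    """
    findings = []
    for path in _walk(trace_dir):
        st = os.lstat(path)
        rel = os.path.relpath(path, trace_dir)
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink, check its target separately"))
            continue
        if st.st_uid != gateway_uid:
            findings.append((rel, f"owned by uid {st.st_uid}, expected {gateway_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        mask = GROUP_OTHER_DIR if stat.S_ISDIR(st.st_mode) else GROUP_OTHER_FILE
        if mode & mask:
            findings.append((rel, f"mode {mode:04o} lets group/others read"))
            if fix and st.st_uid == gateway_uid:
                os.chmod(path, mode & ~0o077)
    return findings


if __name__ == "__main__":
    # Constructed demo folder standing in for the gateway log folder.
    demo = tempfile.mkdtemp()
    for name, mode in (("opt_trace_ok.log", 0o600), ("opt_trace_bad.log", 0o644)):
        target = os.path.join(demo, name)
        open(target, "w").close()
        os.chmod(target, mode)
    for rel, reason in audit_trace_permissions(demo, os.getuid()):
        print(f"{rel}: {reason}")
```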


5.5 Authorizations for Service Parts Planning

Assigning Planners in Service Parts Planning

In Service Parts Planning (SPP), you can assign users to various planners at the location product level. For more information, see the SPP documentation on SAP Help Portal at help.sap.com → SAP Business Suite → SAP Supply Chain Management (SAP SCM) → SAP SCM 7.0 → Application Help EN → SAP Supply Chain Management → SAP Advanced Planning and Optimization (SAP APO) → Service Parts Planning (SPP) → Master Data and General Functions for SPP → Assigning Planners in Service Parts Planning.

Roles in Service Parts Planning

For information about roles in SPP, see the SAP SCM documentation on SAP Help Portal at service.sap.com → SAP Business Suite → SAP Supply Chain Management (SAP SCM) → SAP SCM 7.0 → Application Help EN → SAP Supply Chain Management → SAP Advanced Planning and Optimization (SAP APO) → Roles for SAP APO → Roles for Service Parts Planning (SPP).

5.6 Maintaining Authorizations for SAP Forecasting and Replenishment

Procedure

For information about maintaining authorizations for SAP Forecasting and Replenishment, see the SAP Forecasting and Replenishment Security Guide on SAP Service Marketplace under Industry Scenario Security Guides.

5.7 Maintaining Authorizations for Integration with SAP Components

Procedure

Maintaining Authorizations for SAP APO – SAP ERP Integration

Using Standard Roles for SAP APO – SAP ERP Integration

To integrate SAP APO and SAP ERP / SAP DIMP, use the following authorization roles for the RFC destination users, which are provided in SAP Note 727839:

SAP_SCM_INTEGRATION_SCM.SAP Authorization role for the SAP SCM – SAP ERP / SAP DIMP integration for background users in SAP SCM.

SAP_SCM_INTEGRATION_R3.SAP Authorization role for the SAP SCM – SAP ERP integration for background users in SAP ERP.

SAP_SCM_INTEGRATION_DIMP.SAP Authorization role for the SAP SCM – SAP DIMP integration for background users in SAP DIMP.

Note

For more information about the authorization roles for SAP APO – SAP ERP integration, see SAP Note 727839.

Maintaining Authorizations for Available to Promise (ATP)

Available to Promise plays an important role in the integration of SAP APO and SAP ERP: The ATP check needs an RFC connection with a dialog user to perform the check. Since a dialog user within RFC connections is a safety flaw, you must minimize this flaw by performing the following steps:

1. Create a separate trusted system RFC connection for the ATP check.

Note

For more information about trusted system RFC connections, see the SAP NetWeaver Security Guide on SAP Service Marketplace at service.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → English → SAP Library → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → SAP NetWeaver Security Guide → Security Guides for Connectivity and Interoperability Technologies → RFC/ICF Security Guide → RFC Scenarios → RFC Communication Between SAP Systems → Network Security and Communication → Using RFC Trusted System Networks.

2. In Customizing for Integration with SAP Components, to assign the RFC connection to the ATP application, choose Integration via Core Interface (CIF) → Basic Settings for Creating the System Landscape → Assign RFC Destinations to Various Application Cases.

3. For each SAP ERP user, create a corresponding ATP user in SAP SCM.

4. Assign one or more of the following authorization roles to the user(s) in SAP SCM:

SAP_APO_ATP_CO (APO: ATP Controller)

SAP_APO_ATP_CU (APO: ATP Customizing User)

SAP_APO_ATP_EU (APO: ATP Expert User)

SAP_APO_ATP_SU (APO: ATP Standard User)

SAP_APO_ATP_RSP_ALL (APO: ALL ATP Authorizations)

5. Assign the authorization S_RFCACL_ALL to the users in SAP SCM.

This authorization is necessary to perform RFC calls.

Note

For more information about the role maintenance and the SAP Profile Generator, see the SAP NetWeaver 7.0 Security Guide on SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → SAP NetWeaver 7.0 Library → SAP NetWeaver Library → SAP NetWeaver by Key Capability → Security → Identity Management → Users and Roles (BC-SEC-USR) → SAP Authorization Concept → Organizing Authorization Administration → Organization if You Are Using the Profile Generator → Role Maintenance.
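
The ATP steps above (a corresponding SAP SCM user for each SAP ERP user, at least one ATP role, and S_RFCACL_ALL) can be verified against an export of user assignments, together with the SAP_ALL / SAP_NEW recommendation from section 5.1. The following is an added example, not SAP code: the CSV layout, the user names and the finding codes are constructed for illustration, while the role and profile names are the ones listed in this guide.

```python
import csv
import io
from collections import defaultdict

# Role and authorization names as listed in steps 4 and 5 of the ATP procedure.
ATP_ROLES = {
    "SAP_APO_ATP_CO", "SAP_APO_ATP_CU", "SAP_APO_ATP_EU",
    "SAP_APO_ATP_SU", "SAP_APO_ATP_RSP_ALL",
}
RFC_ACL = "S_RFCACL_ALL"
# Profiles the guide says to assign conservatively in production (section 5.1).
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample input: SAP ERP users that run the ATP check, and an
# export of SAP SCM user assignments in an assumed "user,assignment" layout.
ERP_ATP_USERS = ["JSMITH", "MMUELLER", "KTANAKA"]
SCM_ASSIGNMENTS_CSV = """\
user,assignment
JSMITH,SAP_APO_ATP_SU
JSMITH,S_RFCACL_ALL
MMUELLER,SAP_APO_ATP_EU
LCHEN,SAP_APO_ATP_CO
LCHEN,S_RFCACL_ALL
LCHEN,SAP_ALL
"""


def load_assignments(text):
    """Parse the export into {user: set of assigned role/profile names}."""
    by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_user[row["user"].strip().upper()].add(row["assignment"].strip().upper())
    return dict(by_user)


def audit_atp_users(erp_users, scm_assignments):
    """Return (user, finding_code) pairs for deviations from the procedure."""
    findings = []
    for user in sorted({u.strip().upper() for u in erp_users}):
        assigned = scm_assignments.get(user)
        if assigned is None:
            findings.append((user, "NO_SCM_USER"))       # step 3 not done
            continue
        if not assigned & ATP_ROLES:
            findings.append((user, "NO_ATP_ROLE"))       # step 4 not done
        if RFC_ACL not in assigned:
            findings.append((user, "NO_S_RFCACL_ALL"))   # step 5 not done
    # Independent of ATP: flag the broad profiles wherever they appear.
    for user in sorted(scm_assignments):
        for profile in sorted(scm_assignments[user] & BROAD_PROFILES):
            findings.append((user, "BROAD_PROFILE:" + profile))
    return findings


if __name__ == "__main__":
    assignments = load_assignments(SCM_ASSIGNMENTS_CSV)
    for user, code in audit_atp_users(ERP_ATP_USERS, assignments):
        print(f"{user:10} {code}")
```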

Maintaining Authorizations for Data Transfer to SAP NetWeaver BI

Limiting Authorizations for Extraction

Note

You can exclude DataSources from the extraction to SAP NetWeaver BI. Data that is stored in the extract structure of this DataSource cannot be transferred to SAP NetWeaver BI.

1. In Customizing for Integration with SAP Components choose Data Transfer to the SAP Business Information Warehouse → General Settings → Limit Authorizations for Extraction.
2. Choose New Entries.

3. Choose a DataSource that you want to exclude from the extraction.

4. Choose the SAP NetWeaver BI system for which you want no more data for this DataSource to be extracted.

5. In the field Excl. Extr., enter whether you want to exclude the DataSource from the extraction.

6. Save your entries.

7. Specify a transport request.

5.8 Maintaining Authorizations for Enterprise Services

Accessing SAP functions via Web services follows the standard SAP authorization concept, which is based on authorizations for specific authorization objects. During the execution of a Web service, the system checks for the required authorization for an authorization object. If a user does not have this authorization, the execution is terminated, and an error message is displayed.

Enterprise services use standard authorization objects, such as authorization default values for Web services, that are available for SAP SCM. In addition, you need the authorization S_SERVICE to start external services. To create and use Web services, you need the authorizations that belong to the role SAP_BC_WEBSERVICE_ADMIN and authorization for the Internet Communication Framework (S_ICF_ADMIN).

For more information about authorizations for Web services, see the SAP NetWeaver documentation on SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → Development → Developer’s Guide in SAP Library → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security → Authorization.

6 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP SCM component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP SCM component. Details that specifically apply to the SAP SCM component are described in the following topics:

Communication Channel Security

This topic describes the communication paths and protocols used by the SAP SCM component.

Network Security

This topic describes the recommended network topology for the SAP SCM component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the SAP SCM component.

Communication Destinations

This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see the following sections in the SAP NetWeaver Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Guides for Connectivity and Interoperability Technologies

6.1 Communication Channel Security

Since communication channels transfer your business data, they should be protected against unauthorized access. SAP offers general recommendations to protect your system landscape, which is based on SAP NetWeaver.

Caution

You should activate the Secure Network Communication (SNC) in all communication channels in SAP SCM to achieve a secure system landscape.

For more information, see SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 Security Guide → Network and Communication Security → Transport Layer Security → Secure Network Communications.

For a detailed description of all communication channels within the SAP SCM component, see SAP Service Marketplace at service.sap.com/scm → SAP SCM Technology → Architecture Overview.

Note

For more information about the communication security of SAP NetWeaver, see the SAP NetWeaver Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 Security Guide → Network and Communication Security.

For more information about security aspects for connectivity and interoperability of SAP NetWeaver 7.0, see the SAP NetWeaver Security Guide on the SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 Security Guide → Security Guides for Connectivity and Interoperability.

SAP SCM – SAP ERP

The integration of SAP SCM and SAP ERP is technically based on the Core Interface (CIF). Since CIF is technically based on the RFC provided by SAP NetWeaver, we strongly recommend that you consult the SAP NetWeaver Security Guide regarding communication channel security.

You should at least enable Secure Network Communication (SNC) while configuring the RFC destination for your SAP SCM – SAP ERP integration.

Note

For more information about the integration of SAP SCM and SAP ERP, see the SCM Basis Documentation at help.sap.com → SAP Business Suite → SAP Supply Chain Management → SAP SCM 7.0 → Application Help → EN → SCM Basis → Integration via Core Interface (CIF) → Technical Integration.

6.2 Network Security

Your network infrastructure plays a key role in protecting your system. A well-defined network topology can eliminate many security threats based on software flaws (at the operating system and application level) or network attacks such as eavesdropping.

We offer general recommendations to protect your system landscape, based on SAP NetWeaver.

Note

For information about network security for SAP NetWeaver 7.0, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace at service.sap.com/securityguide → SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 Security Guides → Network and Communication Security.

A minimum security requirement for your network infrastructure is the use of a firewall for all services that are provided over the Internet.

A more secure variant is to protect your systems (or groups of systems) by locating the system groups in different network segments. Each system group has a firewall that protects it from unauthorized access. Attacks by external parties can also come from the inside if the intruder has already taken control of one of your systems.

Note

For information about the technical components of your SAP SCM component, see SAP Service Marketplace at service.sap.com/scm → SAP Supply Chain Management → SAP SCM Technology.

Note

For information about access control using firewalls, see the SAP NetWeaver 7.0 Security Guide on SAP Service Marketplace, under SAP NetWeaver 7.0 Security Guides (Complete) → SAP NetWeaver 7.0 Security Guides → Network and Communication Security → Using Firewall Systems for Access Control.

Network Security for Enterprise Services

For more information about network security for Web services, see the SAP NetWeaver documentation on SAP Help Portal at help.sap.com → SAP NetWeaver → SAP NetWeaver 7.0 (2004s) → SAP NetWeaver 7.0 Library EN → SAP NetWeaver Library → SAP NetWeaver Developer’s Guide → Fundamentals → Using Java → Core Development Tasks → Providing and Consuming Web Services → Web Service Toolset → Web Services Security.

6.3 Communication Destinations

Caution

If communication destinations are not implemented and used with care, their users and authorizations can introduce serious security flaws.

The following is a list of the “Golden Rules” for connection users and authorizations:

● Choose user type: <system>.

● Assign only the minimum required authorizations to the user.

● Choose a secure and secret password for the user.

● Store connection user log-on data only for users of type <system>.

● Choose trusted system functionality whenever possible, rather than storing connection user log-on data.
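
The golden rules above, together with the SNC recommendation for the SAP SCM – SAP ERP RFC destination, can be checked against an inventory of communication destinations. The following Python code is an added example, not SAP code: the CSV layout, destination names and user names are constructed for illustration, and SAP_ALL and SAP_NEW are used as assumed examples of profiles that exceed the minimum required authorizations.

```python
import csv
import io

# Constructed sample inventory. The column names are hypothetical and do not
# correspond to any SAP export format.
SAMPLE_INVENTORY = """\
destination,user,user_type,profiles,stored_logon,trusted,snc
SCM_TO_ERP_CIF,CIF_RFC,system,Z_CIF_MIN,yes,no,yes
ERP_TO_SCM_CIF,JSMITH,dialog,SAP_ALL;Z_CIF_MIN,yes,no,no
SCM_TO_BW,,,,no,yes,yes
"""

# Profiles treated here as "more than the minimum required authorizations".
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def audit_destination(row):
    """Return (severity, message) findings for one destination record."""
    findings = []
    stored = row["stored_logon"] == "yes"
    is_system = row["user_type"] == "system"
    if row["user"] and not is_system:
        findings.append(("violation", "connection user is not of type system"))
    if stored and not is_system:
        findings.append(("violation", "log-on data stored for a non-system user"))
    broad = BROAD_PROFILES & set(filter(None, row["profiles"].split(";")))
    if broad:
        findings.append(("violation", "broad profile assigned: " + ", ".join(sorted(broad))))
    if row["snc"] != "yes":
        findings.append(("violation", "SNC is not enabled on this destination"))
    # Trusted system is preferred "whenever possible", so stored log-on data
    # is reported for review rather than as a violation.
    if stored and row["trusted"] != "yes":
        findings.append(("review", "stored log-on data; check whether trusted system is possible"))
    # Password quality cannot be judged from an inventory and is not checked.
    return findings


def audit_inventory(text):
    """Map each destination name to its list of findings."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["destination"]: audit_destination(row) for row in reader}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```
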

The table below shows an overview of the communication destinations used by the SAP SCM 7.0 component.

Table 12: Connection Destinations

Destination | Delivered | Type | User, Authorizations | Description
----------- | --------- | ---- | -------------------- | -----------
SAPOSCOL_<DB_hostname> | Yes | RFC – TCP/IP | | SAP SCM Customizing: SCM Installation Guide – SCM Server 7.0 → Operating System → Post-Installation Activities → Checking the RFC Destination. (SAP SCM central instance – DB instance)
SAP APO Supply Chain Cockpit (SCC) Business Warehouse (BW) | No | RFC – ERP | | SAP SCM Customizing: SAP Advanced Planning and Optimization → Supply Chain Cockpit (SCC) → Define

Destination Delivered Type User, Authorizations Description           Default BW