SAP Ecc60 Security guide For basis people
muralikrishnakommineni
SAP ERP Central Component Security Guide
Release 6.0
January 2006
Copyright
Copyright 2004 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
Typographic Conventions
Type Style: Description
Example text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.
SAP ERP Central Component Security Guide
Introduction
Before You Start
Technical System Landscape
User Management and Authentication
  User Management
  User Data Synchronization
  Integration with Single Sign-On Environments
Authorizations
Network and Communication Security
  Communication Channel Security
  Network Security
  Communication Destinations
Data Storage Security
Security for Other Applications
Trace and Log Files
Cross-Application Components
  Cross-Application Time Sheet (CA-TS)
    Authorizations
    Communication Destinations
  Self-Services
    Before You Start
    User Management
    Authorizations
      Editing Roles and Authorizations for Web Dynpro Services
      Authorizations for Controlling Services (MSS, BUA)
      Authorizations for BW iViews (MSS)
    Communication Destinations
Accounting
  Financial Accounting
    Authorizations in Financial Accounting
    General Ledger Accounting (FI-GL)
      Consolidation
    Accounts Payable Accounting (FI-AP)
    Accounts Receivable Accounting (FI-AR)
    Bank Accounting (FI-BL)
    Asset Accounting (FI-AA)
    Travel Management (FI-TV)
    Authorizations in the Special Purpose Ledger (FI-SL)
    Treasury
      Authorizations
  Accounting Engine
    Introduction
    Before You Start
    Technical System Landscape
    User Administration and Authentication
      User Management
      Integration into Single Sign-On Environments
    Authorizations
    Network and Communication Security
      Communication Channel Security
      Communication Destinations
    Data Storage Security
  Financial Supply Chain Management
  Management of Internal Controls: Security Guide
    Technical System Landscape
    User Management and Authorizations
      User Management
      Roles and Authorizations Concept
        Standard Roles and Authorization Objects
        Editing MIC-Specific Roles
          Tasks: Central Structure Setup
          Tasks: Structure Setup Specific to Organizational Units
          Tasks: Control Assessments and Tests
          Tasks: Management Control Assessment and Test
          Tasks: Reporting and Sign-Off
        Assigning Roles to Persons
      Integration with Single Sign-On Environments
    Communication Channel Security
    Data Storage Security
  Master Data Framework
    Introduction
    Before You Start
    Technical System Landscape
    User Administration and Authentication
      User Management
      Integration into Single Sign-On Environments
    Authorizations
    Network and Communication Security
      Communication Channel Security
  Controlling
    Authorizations in Controlling
    Authorizations in Profit Center Accounting
    Network and Communication Security
      Communication Destinations
  SAP Banking
    SAP Financial Customer Information Management (FS-BP)
      Authorizations
      Network and Communication Security
        Communication Destinations
      Data Storage Security
    Bank Customer Accounts (BCA)
      Authorizations
      Network and Communication Security
      Data Storage Security
      Important SAP Notes
    Loans Management (FS-CML)
      Authorizations
      Network and Communication Security
      Data Storage Security
    Collateral Management (CM)
      Authorizations
      Network Communication and Security
    Strategic Enterprise Management (SEM) for Banks
      Authorizations
      Network and Communication Security
        Communication Destinations
      Data Storage Security
    Reserve for Bad Debt (FS-RBD)
      Authorizations
      Network and Communication Security
        Communication Destinations
      Trace and Log Files
  Incentive and Commission Management (ICM)
  Statutory Reporting for Insurance (FS-SR)
    Authorizations
    Data Storage Security
  Real Estate Management
  Public Sector Management
    Authorizations
    Network and Communication Security
    Data Storage Security
    More Security Information
Logistics
  Materials Management (MM)
    Purchasing and Service Industries (MM-PUR, MM SRV)
      Authorizations
      Network and Communication Security
      Data Storage Security
    Inventory Management (MM-IM): Authorizations
    Logistics Invoice Verification (MM-IV): Authorizations
  Product Lifecycle Management (PLM)
    Authorizations
    Communication Destinations
    Important SAP Notes
  Manufacturing
    Authorizations
    Communication Destinations
  Logistics Execution (LE)
    Decentralized Warehouse Management (LE-IDW), Shipping (LE-SHP), Transportation (LE-TRA)
      Authorizations
      Network and Communication Security
    Warehouse Management System (LE-WMS)
      Authorizations
      Network and Communication Security
    Task and Resource Management (LE-TRM), Yard Management (LE-YM), Cross Docking (LE-WM-CDK), Additional Logistical Services
      Authorizations
      Network and Communication Security
  Retail
    Network and Communication Security
    Authorizations
  Global Trade
    Network and Communication Security
  Sales and Distribution (SD)
Human Capital Management
  Personnel Management (PA)
    Before You Start
    User Management
    Authorizations
    Communication Channel Security
    Communication Destinations
    Data Storage Security
    Security for Additional Applications
    Other Security-Relevant Information
  Personnel Time Management (PT)
    User Management
    Authorizations
    Communication Destinations
  Payroll (PY)
    Before You Start
    User Management
    Authorizations
    Communication Channel Security
    Communication Destinations
    Data Storage Security
    Security for Additional Applications
    Other Security-Relevant Information
  SAP Learning Solution
    Technical System Landscape
      Persistence
      Learning Portal (LSOFE)
      Content Player (LSOCP)
      Offline Player (LSOOP)
      Authoring Environment (LSOAE)
      Environment for the Training Administrator
    User Management
    Authorizations
    Communication Channel Security
    Other Security-Relevant Information
  SAP E-Recruiting
    Before You Start
    Technical System Landscape
    User Management
    Authorizations
    Communication Channel Security
    Communication Destinations
    Data Storage Security
Defense Forces & Public Security
  Before You Start
  Technical System Landscape
  User Administration and Authentication
    User Management
  Authorizations
  Network and Communication Security
  Data Storage Security
Appendix
SAP ERP Central Component Security Guide
The following guide covers the information that you require to operate SAP ERP Central Component securely. To make the information more accessible, it has been divided into a general part, containing information relevant for all components, and a separate part for specific application areas and their components.
Introduction
This guide should not be regarded as a substitute for a daily operational manual as recommended by SAP.
Target Group
- Technology consultants
- System administrators
The information contained in this document is not contained in the installation and configuration guides or the technical manuals and upgrade guides of the components cited below. Such guides are only relevant for a certain phase of the software life cycle, whereas security guides provide information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, greater emphasis is being placed on the need for security. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system must not result in loss of information or processing time. These security requirements apply equally to SAP ERP Central Component. This document is designed to help you make SAP ERP Central Component secure.
About this Document
The security guides give you an overview of the information for secure operation of SAP ERP Central Component. SAP ERP Central Component covers the core components Accounting, Logistics, and Human Resources and other components used across these core components. This guide cross-references information in existing security guides where available, or other relevant documentation where security aspects are discussed.
As SAP ERP Central Component is based on and uses SAP NetWeaver technology, it is essential you consult the SAP NetWeaver security guide: see SAP Help Portal at help.sap.com → Documentation → SAP NetWeaver → Release/Language → SAP NetWeaver → Security → SAP NetWeaver Security Guide. To view all of the security guides published by SAP, see SAP Service Marketplace at service.sap.com/securityguide.
Overview of the Main Sections
The security guide comprises the following main sections:
- Before You Start: This section contains information about why security is necessary, how to use this document, and references to other security guides that are a basis for this security guide.
Technical System Landscape This section is an overview of the technical components and communication paths used by SAP ERP Central Component.
User Management and Authentication This section provides an overview of the following user management and authentication aspects:
- Recommended tools for user management
- Required user types for SAP ERP Central Component
- Standard users delivered with SAP ERP Central Component
- Overview of the user synchronization strategy, if several components or products are integrated
- Overview of integration options in single sign-on environments
Authorizations This section provides an overview of the authorization concept that is applicable to SAP ERP Central Component.
Network and Communication Security This section provides an overview of the communication paths used by SAP ERP Central Component and the security mechanisms to be used. It also includes our recommendations for the network topology to restrict access at the network level.
Data Storage Security This section provides an overview of the critical data used by SAP ERP Central Component, and also the security mechanisms to be used.
Security for Third-Party or Additional Applications This section provides security information that applies to third-party or additional applications that are used together with SAP ERP Central Component.
Trace and Log Files This section provides an overview of the trace and log files that contain security-relevant information and that enable you to reproduce activities where, for example, there has been a breach of security.
Appendix This section provides references to secondary sources of information.
Before You Start Fundamental Security Guides SAP ERP Central Component is based on SAP NetWeaver. This means that the security guide for SAP NetWeaver is also applicable to SAP ERP Central Component. Whenever other guides are relevant, an appropriate reference is included in the documentation for the individual components in this guide.
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at service.sap.com/securityguide.
Important SAP Notes
SAP Note 783758 provides any updates for this guide and adds important information.
SAP Note 853497 contains information about saving temporary files when using Adobe Acrobat Reader in SAP applications.
SAP Note 138498 contains information on single sign-on solutions.
SAP Notes relating to security for the subcomponents of SAP ERP Central Component are referenced in the documentation for the individual components in this guide.
For further SAP notes on security, see SAP Service Marketplace at service.sap.com/security SAP Security Notes. Additional information For more information about specific topics, see the sources in the table below.
Additional Information
Contents | SAP Service Marketplace
Security | service.sap.com/security
Security Guides, SAP NetWeaver Security Guide | service.sap.com/securityguide
SAP NetWeaver documentation | help.sap.com Documentation SAP NetWeaver
SAP NetWeaver installation guide | service.sap.com SAP Support Portal Tools & Methods Installation Guides SAP NetWeaver
Related SAP notes | service.sap.com/notes
Platforms permitted | service.sap.com/platforms
Network security | service.sap.com/network
Technical infrastructure | service.sap.com/ti
SAP Solution Manager | service.sap.com/solutionmanager
Technical System Landscape For information about the technical system landscape, see the sources listed in the table below.
More Information About the Technical System Landscape
Subject | Guide/Tool | SAP Service Marketplace
Technical description of SAP ERP Central Component and the underlying technical components, such as SAP NetWeaver | Master guide | service.sap.com/instguides mySAP Business Suite Solutions mySAP ERP
Technical configuration high availability | Technical infrastructure guide | service.sap.com/ti
Security | | service.sap.com/security
User Management and Authentication SAP ERP Central Component uses the user management and authentication mechanisms of the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component.
In addition to these guidelines, SAP also supplies information on user management and authentication that is especially applicable to the subcomponents of SAP ERP Central Component in the following sections:
User Management [Page 13] This section details the user management tools, the required user types, and the standard users supplied by SAP.
Synchronization of User Data [Page 15] The components of SAP ERP Central Component can use user data together with other components. This section describes how the user data is synchronized with these other sources.
Integration in Single Sign-On Environments [Page 15] This section describes how SAP ERP Central Component supports single sign-on mechanisms.
User Management Use SAP ERP Central Component user management uses the mechanisms provided by SAP NetWeaver Application Server for ABAP, such as tools, user types, and password concept. For an overview of how these mechanisms apply for SAP ERP Central Component, see the sections below. In addition, we provide a list of the standard users required for operating the subcomponents of SAP ERP Central Component.
User Management Tools
The following table shows the user management tools for SAP ERP Central Component.
User Management Tools
Tool Description User maintenance for ABAP-based systems (transaction SU01)
For more information about the authorization objects provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Role maintenance with the profile generator for ABAP-based systems (PFCG)
For more information about the roles provided by the subcomponents of SAP ERP Central Component, see the relevant component in the section Authorizations.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems
User Management Engine (UME) Administration console for maintenance of users, roles, and authorizations in Java-based systems and in the Enterprise Portal The UME also provides persistence options, such as ABAP Engine.
For more information on the tools that SAP provides for user management with SAP NetWeaver, see SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver Security Guide User Administration and Authentication.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
User types required for SAP ERP Central Component include, for example:
Individual users:
- Dialog users: Dialog users are used for SAP GUI for Windows.
- Internet users for Web applications: The same policies apply as for dialog users, but these users are used for Internet connections.
Technical users:
- Service users are dialog users who are available for a large set of anonymous users (for example, for anonymous system access via an ITS service).
- Communication users are used for dialog-free communication between systems.
- Background users can be used for processing in the background.
For additional information on user types, see User Types in the SAP NetWeaver security guide.
Standard Users
The following table shows the standard users that are required to operate SAP ERP Central Component.
Standard Users
System User ID Type Password Description SAP Web AS
adm SAP system administrator
Mandatory SAP NetWeaver installation guide
SAP Web AS
SAP Service
SAP system service administrator
Mandatory SAP NetWeaver installation guide
SAP Web AS
SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
See SAP NetWeaver security guide
See SAP NetWeaver security guide
service.sap.com/securityguide SAP NetWeaver Security Guide Security Guides for the SAP NetWeaver Products SAP Web Application Server Security Guide SAP Web AS Security Guide for ABAP
Technology User Authentication Protecting Standard Users
SAP Web AS
SAP Standard SAP Web AS Java Users
See SAP NetWeaver security guide
See SAP NetWeaver security guide
service.sap.com/securityguide SAP NetWeaver Security Guide Security Guides for the SAP NetWeaver Products SAP Web Application Server Security Guide SAP Web AS Security Guide for Java Technology Users and User Management Standard Users and Groups These users are used in applications that use Web Dynpro.
SAP ECC
SAP Users Dialog users Mandatory The number of users depends on the area of operation and the business data to be processed.
For more information on standard users in SAP NetWeaver, see SAP Help Portal at help.sap.com Documentation SAP NetWeaver Release xx/Language Security Identity Management Users and Roles (BC-SEC-USR) User Maintenance Logon and Password Security in the SAP System Password Rules. For information on user types, see SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver Security Guide User Administration and Authentication User Management and the section headed User Types.
The users specified are delivered with SAP ERP Central Component.
User Data Synchronization Use By synchronizing user data, you can reduce effort and expense in the user management of your system landscape. Since SAP ERP Central Component is based on SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP NetWeaver here. For more information, see SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver Security Guide User Administration and Authentication Integration of User Management in Your System Landscape.
You can use user data distributed across systems by replicating the data in a central directory, for example.
Integration with Single Sign-On Environments Use SAP ERP Central Component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver Application Server for ABAP Technology. Therefore, the security recommendations and guidelines for user management and authentication that are described in the security guide for SAP NetWeaver Application Server also apply to SAP ERP Central Component.
The supported mechanisms are listed below.
Secure Network Communications (SNC)
SNC is available for user authentication and provides an SSO environment when using SAP GUI for Windows or Remote Function Calls.
For more information, see SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver Security Guide Security Guides for the SAP NetWeaver Products SAP Web Application Server Security Guide SAP Web AS Security Guide for ABAP Technology User Authentication Authentication and Single Sign-On Secure Network Communications (SNC). SAP Logon Tickets
SAP ERP Central Component supports the use of logon tickets for SSO when using a Web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication, but can access the system directly once it has checked the logon ticket.
For more information, see SAP Logon Tickets in the SAP NetWeaver Application Server security guide.
Client Certificates
As an alternative to user authentication using a user ID and passwords, users using a Web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, the user is authenticated on the Web server using the Secure Sockets Layer Protocol (SSL protocol). User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see Client Certificates in the SAP NetWeaver Application Server security guide.
Authorizations Use SAP ERP Central Component uses the authorization concept of SAP NetWeaver Application Server. Therefore, the security recommendations and guidelines for authorizations that are described in the Security Guide for SAP NetWeaver Application Server for ABAP also apply to SAP ERP Central Component. You can use authorizations to restrict the access of users to the system, and thereby protect transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. For role maintenance in SAP NetWeaver Application Server for ABAP, use the profile generator (transaction PFCG), and in SAP NetWeaver
Application Server for Java, the user management console of User Management Engine (UME). You can define user-specific menus using roles.
Standard Roles and Standard Authorization Objects
SAP delivers standard roles covering the most frequent business transactions. You can use these roles as a template for your own roles.
For a list of the standard roles and authorization objects used by the subcomponents of SAP ERP Central Component, see the section of this document relevant to each component.
For information on roles and authorizations in Travel Management (FI-TV) see the section Accounting under Financial Accounting.
Before using the roles listed, you may want to check whether the standard roles delivered by SAP meet your requirements. For more information about the authorization concept at SAP, see:
SAP Service Marketplace at service.sap.com/securityguide in SAP NetWeaver Security Guide Security Guides for the SAP NetWeaver Products SAP Web Application Server Security Guide SAP Web AS Security Guide for ABAP Technology SAP Authorization Concept
SAP Help Portal at help.sap.com Documentation SAP NetWeaver Release/Language Security Identity Management Users and Roles (BC-SEC-USR) SAP Authorization Concept Organizing Authorization Administration Organization if You Are Using the Profile Generator Role Maintenance
Authorizations for Customizing Settings
You can use customizing roles to control access to the configuration of ERP Central Component in the SAP Customizing Implementation Guide (IMG). For information on creating roles, see SAP Help Portal at help.sap.com Documentation SAP NetWeaver Release/Language Security Identity Management Users and Roles (BC-SEC-USR) SAP Authorization Concept Organizing Authorization Administration Organization if You Are Using the Profile Generator or Organization without the Profile Generator
Network and Communication Security Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP ERP Central Component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver security guide also apply to SAP ERP Central Component. Details that relate directly to SAP ERP Central Component are described in the following sections:
Communication Channel Security [Page 18] This section contains a description of the communication paths and protocols that are used by subcomponents of SAP ERP Central Component.
Network Security [Page 19] This section contains information on the network topology recommended for the subcomponents of SAP ERP Central Component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also contains a list of the ports required for operating the subcomponents of SAP ERP Central Component.
Communication Destinations [Page 19] This section describes the data needed for the various communication paths, for example, which users are used for which communications.
For more information, see the following sections in the SAP NetWeaver security guide:
- Network and Communication Security
- Security Aspects for Connectivity and Interoperability
Communication Channel Security Use Communication channels transfer a wide variety of different business data that needs to be protected from unauthorized access. SAP makes general recommendations and provides technology for the protection of your system landscape based on SAP NetWeaver.
The table below shows the communication paths used by SAP ERP Central Component, the protocol used for the connection, and the type of data transferred.
Communication Paths
Communication Path | Protocol Used | Type of Data Transferred | Data Requiring Special Protection
Application server to application server | RFC, HTTP(S) | Integration data | Business data
Application server to third-party application | HTTP(S) | Application data | Passwords, business data, for example
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
For more information, see the SAP NetWeaver security guide: SAP Service Marketplace at service.sap.com/securityguide in the section Transport Layer Security. For information on security aspects if you integrate SAP ERP Central Component with SAP Business Intelligence and SAP Supply Chain Management, see SAP Service Marketplace at service.sap.com/securityguide:
SAP Supply Chain Management Authorizations/Communication Channel Security/Communication Destinations
SAP Business Information Warehouse Security Guides Communication Security Communication Destinations
Network Security Since SAP ERP Central Component is based on SAP NetWeaver technology, for information about network security, see the following sections of the SAP NetWeaver security guide on the SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver Security Guide Network and Communication Security:
Network Services This section contains information about services and ports that use SAP NetWeaver.
Using Firewall Systems for Access Control Here you can see information about firewall settings.
Using Multiple Network Zones Here you can get information about which parts of your application should be set up in which network segments.
If you provide services in the Internet, you should protect your network infrastructure with at least a firewall. You can further increase the security of your system or group of systems by placing the groups in different network segments, each of which you then protect from unauthorized access by a firewall. You should bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.
Communication Destinations Use The use of users and authorizations in an irresponsible manner can pose security risks. You should therefore follow the security rules below when communicating between ERP systems:
- Employ the user types system and communication.
- Grant a user only the minimum authorizations.
- Choose a secure password and do not divulge it to anyone else.
- Only store user-specific logon data for users of type system and communication.
- Wherever possible, use trusted system functions instead of user-specific logon data.
For more information, see the application-specific part of this guide.
Data Storage Security Use For information on data storage security, see the SAP NetWeaver security guide at service.sap.com/securityguide in the section Operating System and Database Platform Security Guides.
Security for Other Applications See the corresponding sections in the application-specific part of this guide.
Trace and Log Files Use The trace and log files of SAP ERP Central Component use the standard mechanisms of SAP NetWeaver. For more information, see the SAP NetWeaver Security Guide at service.sap.com/securityguide. If there is no information about trace and log files in the sections for the individual components of SAP ERP Central Component, you can assume that no sensitive data is updated in these files.
Cross-Application Components
Cross-Application Time Sheet (CA-TS)
Authorizations The Cross-Application Time Sheet uses the authorization provided by the SAP Web Application Server. The security recommendations and guidelines for authorizations as set out in the SAP Web AS ABAP security guide therefore also apply to the Cross-Application Time Sheet.
The SAP Web Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles on the SAP Web AS ABAP, use the profile generator (transaction PFCG).
Standard Roles The following table shows examples of standard roles that are used by the Cross-Application Time Sheet.
Standard Roles
Role | Description
SAP_EMPLOYEE | Employee [Extern] Self-Service
SAP_HR_PT_TIME-ADMINISTRATOR | Time Administrator [Extern]
SAP_ISR_RETAIL_STORE | SAP Retail Store User
SAP_PS_CONFIRM | Confirmations
SAP_HR_PT_TIME-SUPERVISOR | Time Supervisor [Extern]
SAP_ISR_STORE_PERSONNEL | Store Personnel Manager
SAP_HR_PT_TIME-MGMT-SPECIALIST | Time Management Specialist [Extern]
Standard Authorization Objects In the Cross-Application Time Sheet environment, you require only the general authorizations for the relevant target applications. When assigning authorizations, base them on the authorizations for the CAT* transactions.
See also:
Note the special points listed in the following section of the SAP Library: Cross-Application Components Cross-Application Time Sheet Assigning Authorizations [Extern].
Communication Destinations Use Communication destinations are available for the Cross-Application Time Sheet component to post recorded data to the target applications.
Communication with Personnel Time Management
To post recorded time data to Personnel Time Management, you use BAPIs that enter the data in the interface tables PTEXDIR, PTEX2000, and PTEX2010. Data is communicated using BAPIs via IDocs:
If you run your Human Resources system in the same system as the Cross-Application Time Sheet, the data is posted synchronously.
If you run your Human Resources system in a different system from the Cross-Application Time Sheet, the data is posted asynchronously.
The BAPIs enable you to create, change, or delete Personnel Time Management data.
These BAPIs do not enable you to read or change any Cross-Application Time Sheet data within Personnel Time Management.
Technical Users
You require the following technical users for the communication:
To fill the interface tables, you require a user with authorizations for ALE communication with an SAP system and the relevant table authorizations.
These technical users do not require authorizations specific to the SAP HR solution.
For the subsequent background processing job to transfer data from the interface tables to the infotype databases, you require a technical user with the same authorizations that are required for the CAT6 transaction (Transfer Time Data to Time Management).
To enter time sheet data, you can read information about the time data from Personnel Time Management. You do not require any special users for this. You should base your employees' authorizations on the authorizations for the CAT2 transaction.
Posting Data to Other Target Applications
There are no special communication destinations for posting data to the other target applications.
See also:
For more information, see the SAP Library:
For information about transferring time sheet data to the target applications, see: Cross-Application Components Cross-Application Time Sheet Transfer of Time Sheet Data to the Target Components [Extern].
For information about the Time Management ALE scenarios and working with distributed systems, see Scenarios in Applications ALE / EDI Business Processes [Extern].
Self-Services
Before You Start This section of the Security Guide provides you with information about the following self-service components:
- Employee Self-Service (ESS)
- Manager Self-Service (MSS)
- Business Unit Analyst (BUA)
- Project Self-Services (PSS)
- E-Recruiting (ECR)
- HR Administrative Services (ASR)
- Higher Education and Research (IS-HER-CSS)
- General Parts (PCUI_GP)
If not stated otherwise, the security settings for user management and authorizations apply to all components.
If there is no special information for particular topics in that section, the settings outlined in the general SAP ERP Central Component Security Guide [Page 1] also apply to the self-service components.
For information about the system landscape and secure running of the SAP ERP Central Component, see the mySAP ERP Master Guide at service.sap.com/instguides mySAP Business Suite Solutions mySAP ERP. Fundamental Security Guides Scenario, Application or Component Security Guide
Important Sections
SAP NetWeaver Application Server ABAP SAP Authorization Concept [Extern]
SAP NetWeaver Application Server JAVA User Administration and Authentication [Extern]
Authorizations [Extern]
SAP ECC Industry Extension HE&R SAP ECC Industry Extension HE&R: Security Guide [Extern]
For a complete list of the SAP Security Guides available, see SAP Service Marketplace at securityguide.
Important SAP Notes The following table presents the most important SAP Notes regarding security for the Self-Service applications:
Important SAP Notes
SAP Note Number | Title | Comment
857431 | ESS: Authorizations and Roles for WD Services in ERP 2005. | This note contains the authorization objects, the default values defined for these objects, and the roles for Employee Self-Service (component EP-PCT-ESS).
844639 | MSS: Authorizations and Roles for ERP 2005 | This note contains the authorization objects and the default values defined for the Human Resources applications in Manager Self-Service (component EP-PCT-MGR-HR).
846439 | PSS: Authorizations and Roles for Web Dynpro | This note contains the authorization objects and the default values defined for the Web Dynpro applications for Project Self-Services (component EP-PCT-PLM-PSS).
User Management Use User management for Self-Service applications uses the mechanisms (for example, tools, user types, and password concept) provided by SAP Web Application Server. For an overview of how these mechanisms apply for Self-Service applications, see the sections below. In addition, there is a list of the standard users that are necessary for operating the self-services.
User Management Tools The following table presents the tools used for managing users in Self-Service applications:
User Management Tools
Tool Detailed Description Prerequisites User and Role Maintenance (transaction PFCG)
You can use the Role Maintenance (PFCG) transaction to generate profiles for your self-service users.
For more information, see the Users and Roles [Extern] section in SAP Library for SAP NetWeaver (see also help.sap.com Documentation SAP NetWeaver).
User Types For more information about user types [Extern] , see the SAP NetWeaver Application Server Security Guide ABAP.
SAP recommends you set up the connection between the portal and the connected systems (ECC system, J2EE Engine, BI system) so that each individual user has access.
Standard Users Different standard users exist for the individual Self-Service components.
Components | Standard Users
Employee Self-Service, Manager Self-Service, Project Self-Service, Business Unit Analyst | No standard users exist in the standard SAP system for these components.
E-Recruiting, HR Administrative Services | For information about the standard users for these components, see the Human Capital Management section of the ERP Central Component security guide.
Higher Education and Research | For information about the standard users for this component, see the security guide for this component.
Authorizations Use The Self-Service applications use the authorization concept of SAP NetWeaver Application Server. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver Security Guide for ABAP and SAP NetWeaver Security Guide for Java also apply to the Self-Service applications.
The SAP NetWeaver Application Server authorization concept is based on assigning authorizations to users based on roles. To maintain roles, use the Profile Generator (transaction PFCG). For more information, see Editing Roles and Authorizations for Web Dynpro Services [Page 27].
The Self-Service applications for Human Resources also use the authorizations of the individual components. For more information, see the Human Capital Management section of the ERP Central Component Security Guide.
Standard Roles Employee Self-Service The following table presents the standard roles used in Employee Self-Service applications:
Standard Roles for Employee Self-Service (ESS):
Role Description
SAP_ESSUSER_ERP05 Single role that comprises all non country-specific functions.
SAP_EMPLOYEE_ERP05_xx Single role comprising country-specific functions. A separate role exists for each country version (xx = country ID). The corresponding composite role is SAP_EMPLOYEE_ERP05.
In each case, the profile has been copied from the predefined composite role. The data required for ERP and the relevant NetWeaver authorizations have been added to this role.
The composite role is assigned to the individual employee.
Manager Self-Service, Business Unit Analyst, and Project Self-Services There are no standard roles for these components.
E-Recruiting and HR Administrative Services For information about the standard roles for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research For information about the standard roles for this component, see the Security Guide for this component.
Standard Authorization Objects
The following table presents the general authorization objects relevant for security that are used by the Self-Service applications.
Standard Authorization Objects for Self-Service Applications:
Authorization Object Field Value Description
S_RFC RFC_NAME Depends on service Saves data from RFC access to Web Dynpro frontend to the backend system.
S_SERVICE SRV_NAME * Additional object for Web Dynpro applications. Check that is run when external services are started.
This authorization object is needed when an employee, project lead or manager wants to start self-service applications.
When you enter the value * for the authorization object S_SERVICE, you provide users with the authorization to start all applications. However, you can also assign authorizations for individual applications. In this case, use the syntax S_SERVICE-SRV_NAME = //, for example, sap.com/pcui_gp~xssexamples/AttendanceExample.
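An added example (not part of the SAP guide): a Python audit over a constructed export of role authorization values that flags roles holding * for S_SERVICE or S_RFC and checks whether a role covers a given service name. The CSV layout, the Z_ role names, the Z_HYPOTHETICAL_FUGR value, and the rule that a value ending in * matches as a prefix are assumptions of this example.

```python
import csv
import io

# Constructed sample export, one row per authorization value in a role.
# The column layout and the Z_* names are assumptions of this example.
SAMPLE_EXPORT = """role,object,field,value
Z_ESS_ALL_SERVICES,S_SERVICE,SRV_NAME,*
Z_ESS_ATTENDANCE,S_SERVICE,SRV_NAME,sap.com/pcui_gp~xssexamples/AttendanceExample
Z_ESS_XSS_PREFIX,S_SERVICE,SRV_NAME,sap.com/pcui_gp~xssexamples/*
Z_ESS_ATTENDANCE,S_RFC,RFC_NAME,*
Z_ESS_ALL_SERVICES,S_RFC,RFC_NAME,Z_HYPOTHETICAL_FUGR
"""

# Object/field pairs from the guide's table of standard authorization objects.
WATCHED = {("S_SERVICE", "SRV_NAME"), ("S_RFC", "RFC_NAME")}


def load_rows(export_text):
    """Parse the export into normalized (role, object, field, value) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        rows.append((rec["role"].strip(), rec["object"].strip().upper(),
                     rec["field"].strip().upper(), rec["value"].strip()))
    return rows


def classify(value):
    """'full' for a bare *, 'generic' for a value ending in *, else 'exact'."""
    if value == "*":
        return "full"
    return "generic" if value.endswith("*") else "exact"


def audit(export_text):
    """Return sorted findings for watched fields that hold a wildcard value."""
    findings = []
    for role, obj, field, value in load_rows(export_text):
        if (obj, field) in WATCHED and classify(value) != "exact":
            findings.append((role, obj, field, value, classify(value)))
    return sorted(findings)


def may_start(export_text, role, service):
    """True if the role's S_SERVICE/SRV_NAME values cover the service name."""
    for r, obj, field, value in load_rows(export_text):
        if r != role or (obj, field) != ("S_SERVICE", "SRV_NAME"):
            continue
        kind = classify(value)
        if kind == "full" or (kind == "exact" and value == service):
            return True
        # Assumption: a trailing * is treated as a prefix match.
        if kind == "generic" and service.startswith(value[:-1]):
            return True
    return False


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Roles reported as "full" on S_SERVICE can start every application; replacing the * with the individual service names narrows them to what the role actually needs.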
E-Recruiting and HR Administrative Services
For information about the standard authorization objects for these components, see the Human Capital Management section of the ERP Central Component Security Guide.
Higher Education and Research
For information about the standard authorization objects for this component, see the Security Guide for this component.
Internal Service Request and Personnel Change Requests
For information about standard authorization objects for the Internal Service Request (ISR) and Personnel Change Requests, see SAP Note 623650.
Editing Roles and Authorizations for Web Dynpro Services
Use
Use this procedure to edit roles and the related Web Dynpro services and authorizations.
Procedure
1. Create a role in transaction PFCG or select the standard role that exists for the component. Choose Create Role or copy the existing standard role.
2. Assign the required services to the role.
a. Choose the Menu tab page and then Default Authorization.
The Service dialog box appears.
b. Set the External Service indicator.
c. Select WEBDYNPRO as the type of external service.
d. In the Service field, select the Web Dynpro service you require.
e. Choose Save.
The authorization objects and default values maintained for the service are displayed in the menu tree.
In the same way, select all Web Dynpro services you want to use.
3. Assign the required authorizations.
Choose the Authorizations tab page to maintain the authorization objects and values according to your requirements.
For more information about how to maintain roles, see Role Maintenance [External] in the Users and Roles section in SAP Library for SAP NetWeaver (see help.sap.com → Documentation → SAP NetWeaver).
Authorizations for Controlling Services (MSS, BUA)
The following table presents the standard authorization objects that are used by the controlling services in Manager Self-Service (MSS) and Business Unit Analyst (BUA).
Standard Authorization Objects for Controlling Services:
Authorization Object Description
K_CCA General authorization object for Cost Center Accounting. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_ORDER General authorization object for internal orders. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_PCA Area responsible, Profit Center. Is checked in the relevant Monitor iViews, Master Data iViews, and Express Planning services.
K_CSKS_PLA Cost element planning. Is checked in the relevant Express Planning services.
K_FPB_EXP Authorization object for Express Planning. This authorization object checks the Express Planning Framework call and the planning round call. The actual plan data is protected by the authorization objects for the individual Express Planning services.
For more information about the fields for the authorization objects K_CCA, K_ORDER, and K_PCA, see SAP Note 15211.
Authorizations for BW iViews (MSS)
In the case of BW iViews for Manager Self-Service, users need the standard BW authorizations for executing queries. For more information, see SAP Library for SAP NetWeaver, under Authorization Check When Executing a Query [External] (in the Data Warehouse Management section of the documentation for SAP NetWeaver Business Intelligence).
In Human Capital Management, BW queries use a BW variable for personalization. Data is read from the ODS object for personalization 0Pers_VAR. If required, you can fill this ODS object from structural authorizations (see Structural Authorizations - Values [External] (0PA_DS02) and Structural Authorizations - Hierarchy [External] (0PA_DS03)). For more information, see SAP Library for BI Content for Human Resources under Organizational Management ODS Objects. You can also access SAP Library from the SAP Help Portal (see help.sap.com → Documentation → SAP NetWeaver).
Communication Destinations
To be able to run the individual self-service components, you have to set up the SAP Java Connector (JCo) connections on the Web Dynpro J2EE server. For more information about these connections, see the Business Package documentation for the relevant component (such as Employee Self-Service, Manager Self-Service, Business Unit Analyst) and choose Setting Up SAP Java Connector (JCo) Connections [External].
Accounting
Financial Accounting
Network and Communication Security
Communication with external systems takes place using the standard channels provided by SAP basis technology:
Application Link Enabling (ALE)
Standard interfaces to BW, CRM, and SRM systems
Batch Input [External]
Remote Function Call [External] (RFC)
Business Application Programming Interface (BAPI)
IDOC [External]
SAP Exchange Infrastructure (XI)
E-mail, fax
Financial Accounting has interfaces to Taxware and Vertex software used for performing tax calculations. In addition, there is an interface for the electronic advance return for tax on sales and purchases using Elster. Communication takes place by means of XI.
Payments and payment advice notes are dispatched by IDoc, and dunning notices are sent by e-mail or fax.
Communication Destinations
All the technical users generally available can be used.
For payment requests from other components, see SAP Note 303205.
Data Storage Security
Many of the Financial Accounting transactions access sensitive data. Access to this kind of data, such as financial statements, is protected by standard authorization objects.
Important SAP Notes
See SAP Notes 303205 and 497712.
Authorizations in Financial Accounting
Authorization Objects in Financial Accounting
Object Name
FAGL_INST Customer Enhancements for General Ledger
F_ACE_DST Accrual Engine: Accrual Objects
F_ACE_PST Accrual Engine: Accrual/Deferral Postings
F_BKPF_BES Accounting Document: Account Authorization for G/L Accounts
F_BKPF_BLA Accounting Document: Authorization for Document Types
F_BKPF_BUK Accounting Document: Authorization for Company Codes
F_BKPF_BUP Accounting Document: Authorization for Posting Periods
F_BKPF_GSB Accounting Document: Authorization for Business Areas
F_BKPF_KOA Accounting Document: Authorization for Account Types
F_BKPF_VW Accounting Document: Display/Change Default Values Document Type/Posting Key
F_FAGL_LDR General Ledger: Authorization for Ledger
F_FAGL_SEG General Ledger: Authorization for Segment
K_TP_VALU General Ledger: Authorization for Transfer Price Valuation
F_FAGL_SKF General Ledger: Authorization for Transaction with Statistical Key Figures
F_IT_ALV Line Item Display: Change and Save Layouts
F_KMT_MGMT Account Assignment Model: Authorization for Maintenance and Use
F_SKA1_AEN G/L Account: Change Authorization for Certain Fields
F_SKA1_BES G/L Account: Account Authorization
F_SKA1_BUK G/L Account: Authorization for Company Codes
F_SKA1_KTP G/L Account: Authorization for Charts of Accounts
F_T011 Balance Sheet: General Maintenance Authorization
F_T011E Authorization for Financial Calendar
F_T011_BUK Planning: Authorization for Company Codes
F_T060_ACT Information System: Account Type/Activity for Evaluation View
F_AVIK_AVA Payment Advice Note: Authorization for Payment Advice Note Types
F_AVIK_BUK Payment Advice Note: Authorization for Company Codes
F_BKPF_BED Accounting Document: Account Authorization for Customers
F_BKPF_BEK Accounting Document: Account Authorization for Vendors
F_BL_BANK Authorization for House Banks and Payment Methods
F_BNKA_BUK Banks: Authorization for Company Codes
F_FBCJ Cash Journal: General Authorization
F_FEBB_BUK Bank Account Statement Company Code
F_FEBC_BUK Check Deposit/Lockbox Company Code
F_KNA1_AEN Customer: Change Authorization for Certain Fields
F_KNA1_APP Customer: Application Authorization
F_KNA1_BED Customer: Accounts Authorization
F_KNA1_BUK Customer: Authorization for Company Codes
F_KNA1_GEN Customer: Central Data
F_KNA1_GRP Customer: Accounts Group Authorization
F_KNA1_KGD Customer: Change Authorization for Accounts Groups
F_KNB1_ANA Customer: Authorization for Account Analysis
F_KNKA_AEN Credit Management: Change Authorization for Certain Fields
F_KNKA_KKB Credit Management: Authorization for Credit Control Area
F_BNKA_MAN Banks: General Maintenance Authorization
F_KNKK_BED Credit Management: Accounts Authorization
F_LFA1_AEN Vendor: Change Authorization for Certain Fields
F_LFA1_APP Vendor: Application Authorization
F_LFA1_BEK Vendor: Accounts Authorization
F_LFA1_BUK Vendor: Authorization for Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Accounts Group Authorization
F_MAHN_BUK Automatic Dunning: Authorization for Company Codes. The documentation for this refers to transaction F150.
F_MAHN_KOA Automatic Dunning: Authorization for Account Types
F_PAYRQ Authorization Object for Payment Requests
F_PAYR_BUK Check Management: Action Authorization for Company Codes
F_REGU_BUK Automatic Payment: Action Authorization for Company Codes. Refers to transaction F110.
F_REGU_KOA Automatic Payment: Action Authorization for Account Types
F_RPCODE Repetitive Code
F_RQRSVIEW Bank Ledger: Viewer for Request Response Messages
F_T042_BUK Customizing Payment Program: Authorization for Company Codes
S_BTCH_JOB Background Processing: Operations on Background Jobs. Users you would like to authorize to start background processing must have authorization for activity RELE.
P_ABAP HR Reporting. Protects payments from the payroll. See also SAP Note 303205 that describes an enhancement of the checks made using a function module.
F_WEB_EBPP Participation in EBPP Process via a Web Interface
General Ledger Accounting (FI-GL)
Standard Roles in General Ledger Accounting
Role Name
SAP_AUDITOR_BA_FI_GL AIS - General Ledger (GLT0)
SAP_FI_GL_ACCOUNT_CHANGE_REQUE General Ledger Account/Change Request
SAP_FI_GL_ACCT_MASTER_DATA General Ledger Master Data Maintenance
SAP_FI_GL_BALANCE_CARRYFORWARD Balance Carryforward
SAP_FI_GL_CHANGE_PARKED_DOCUM Change Parked General Ledger Documents
SAP_FI_GL_CLEAR_OPEN_ITEMS Clear Open General Ledger Items
SAP_FI_GL_CONS_PREPARATIONS Preparation for Consolidation
SAP_FI_GL_CURRENCY_VALUATION General Ledger Account Foreign Currency Valuation
SAP_FI_GL_DISPLAY_ACCT_BALANCE Display General Ledger Account Balances and Items
SAP_FI_GL_DISPLAY_DOCUMENTS Display General Ledger Documents
SAP_FI_GL_DISPLAY_MASTER_DATA Display General Ledger Master Data
SAP_FI_GL_DISPLAY_PARKED_DOCUM Display Parked Documents
SAP_FI_GL_EXCHANGE_RATE_TABLE Maintain Currency Exchange Rates
SAP_FI_GL_FIN_STATEMENT_REPORT Financial Statement Reports
SAP_FI_GL_INTEREST_CALCULATION Interest Calculation for G/L Accounts
SAP_FI_GL_INTEREST_RATE_TABLES Maintain Interest Rates
SAP_FI_GL_KEY_REPORTS Key Reports: General Ledger Accounting
SAP_FI_GL_PARK_DOCUMENT Park General Ledger Documents
SAP_FI_GL_PERIOD_END_CLOSING Closing Procedures in General Ledger Accounting
SAP_FI_GL_PERIODIC_ENTRIES Enter Recurring General Ledger Postings
SAP_FI_GL_POST_ENTRY Make General Ledger Postings
SAP_FI_GL_POST_PARKED_DOCUMENT Post Parked Document
SAP_FI_GL_RECURRING_DOCUMENTS Process Recurring Documents
SAP_FI_GL_REVERSE-CHANGE Reverse/Change General Ledger Documents
SAP_FI_GL_SAMPLE_ACCT_MASTER_D Sample Accounts
SAP_FI_GL_SAMPLE_DOCUMENTS Edit Sample Documents
Consolidation Authorizations
Authorization Objects in Consolidation
Authorization Object Description
E_CS_BUNIT Consolidation unit
E_CS_CACTT Consolidation tasks
E_CS_CONGR Consolidation group
E_CS_DEFRM SAP Consolidation: Data entry layout
E_CS_DIMEN Dimension
E_CS_ITCLG Consolidation chart of accounts
E_CS_JEFRM SAP Consolidation: Journal entry layout
E_CS_PERMO Monitor, opening/closing of periods
E_CS_RPTNG Reporting with Report Writer/Report Painter and Drilldown Reports
E_CS_RVERS Version
For more information, see the Implementation Guide for Enterprise Controlling at Consolidation → Preparing for Production → Authorization Management.
Authorization Profiles in Consolidation
Authorization Profile Description
E_CS_ALL Full Authorization for EC-CS
E_CS_DISPLAY Display Authorization for EC-CS
Standard Roles in Consolidation
Role Name
SAP_AUDITOR_BA_EC_CS AIS Consolidation
SAP_AUDITOR_BA_EC_CS_A AIS Consolidation (Authorizations)
SAP_EC_CS_FUNCTIONS_DETAIL Consolidation Detail Functions
SAP_EC_CS_FUNCTIONS_GENERAL Consolidation General Functions
SAP_EC_CS_OFFLINE_DATA_ENTRY Consolidation Offline Data Entry with Microsoft Access
SAP_EC_CS_RECONCILIATION Consolidation Reconciliation of Integrated Data
SAP_EC_CS_REPORT_ALL Consolidation All Reports
SAP_EC_CS_REPORT_CONSDATA Consolidation Reports with Consolidated Data
Network and Communication Security
Consolidation allows for offline entry of data using Microsoft Access. Communication takes place via Remote Function Call (RFC).
Data Storage Security
The authorization objects listed earlier protect the data that is processed in Consolidation when consolidated statements are created.
Accounts Payable Accounting (FI-AP)
Standard Roles in Accounts Payable Accounting
Role Name
SAP_FI_AP_BALANCE_CARRYFORWARD Vendor Balance Carryforward
SAP_FI_AP_CHANGE-REVERSE_INV Change/Reverse Vendor Invoices
SAP_FI_AP_CHANGE_LINE_ITEMS Change Vendor Line Items
SAP_FI_AP_CHANGE_PARKED_DOCUM Change Parked Vendor Documents
SAP_FI_AP_CHECK_MAINTENANCE Check Processing
SAP_FI_AP_CLEAR_OPEN_ITEMS Clear Vendor Line Items
SAP_FI_AP_CORRESPONDENCE Correspondence Vendors
SAP_FI_AP_DISPLAY_BALANCES Display Vendor Balances and Items
SAP_FI_AP_DISPLAY_CHECKS Display Checks
SAP_FI_AP_DISPLAY_DOCUMENTS Display Vendor Documents
SAP_FI_AP_DISPLAY_MASTER_DATA Display Vendor Master Data
SAP_FI_AP_DISPLAY_PARKED_DOCUM Display Parked Vendor Documents
SAP_FI_AP_INTEREST_CALCULATION Vendor Interest Calculation
SAP_FI_AP_INTERNET_FUNCTIONS Internet Functions in Accounts Payable Accounting
SAP_FI_AP_INVOICE_PROCESSING Entry of Vendor Invoices
SAP_FI_AP_KEY_REPORTS Important Reports from Accounts Payable Accounting
SAP_FI_AP_MANUAL_PAYMENT Manual Payment
SAP_FI_AP_PARK_DOCUMENT Park Vendor Documents
SAP_FI_AP_PAYMENT_BILL_OF_EXCH Payment Transaction with Bill of Exchange
SAP_FI_AP_PAYMENT_CHECKS Payment Program with Check Processing
SAP_FI_AP_PAYMENT_PARAMETERS Display of Payment Run Parameters
SAP_FI_AP_PAYMENT_PROPOSAL Create and Process Proposal for a Payment Run
SAP_FI_AP_PAYMENT_RUN Payment Run Update Run without Printing Payment Medium
SAP_FI_AP_PCARD Payment Card (Procurement Card)
SAP_FI_AP_PERIOD_END_ACTIVITY Accounts Payable Accounting Period Closing
SAP_FI_AP_POST_PARKED_DOCUM Post Parked Vendor Document
SAP_FI_AP_RECURRING_DOCUMENTS Vendor Recurring Entry Documents
SAP_FI_AP_SAMPLE_DOCUMENTS Edit Sample Documents: Accounts Payable Accounting
SAP_FI_AP_VENDOR_MASTER_DATA Vendor Master Data Maintenance
SAP_FI_AP_WITHHOLDING_TAX Withholding Tax Processing
Accounts Receivable Accounting (FI-AR)
Authorizations
Standard Roles in Accounts Receivable Accounting
Role Name
SAP_FI_AR_BALANCE_CARRYFORWARD Customer Balance Carryforward
SAP_FI_AR_BILL_OF_EXCHANGE Process Bill of Exchange
SAP_FI_AR_CHANGE-REVERSE Change/Reverse Customer Postings
SAP_FI_AR_CHANGE_LINE_ITEMS Change Customer Items
SAP_FI_AR_CHANGE_PARKED_DOCUM Change Parked Document
SAP_FI_AR_CLEAR_OPEN_ITEMS Clear Customer Items
SAP_FI_AR_CREDIT_MASTER_DATA Credit Management Master Data
SAP_FI_AR_CUST_DOWN_PAYMENTS Processing of Customer Payments
SAP_FI_AR_DISPLAY_CREDIT_INFO Display Credit Data
SAP_FI_AR_DISPLAY_CUST_INFO Display Customer Information
SAP_FI_AR_DISPLAY_DOCUMENTS Display Customer Documents
SAP_FI_AR_DISPLAY_MASTER_DATA Display Customer Master Data
SAP_FI_AR_DISPLAY_PARKED_DOCUM Display Parked Customer Document
SAP_FI_AR_DUNNING_PROGRAM Dunning Program
SAP_FI_AR_INTEREST_CALCULATION Customer Interest Calculation
SAP_FI_AR_INTERNET_FUNCTIONS Internet Functions for Accounts Receivable Accounting
SAP_FI_AR_KEY_REPORTS Important Reports for Accounts Receivable Accounting
SAP_FI_AR_MASTER_DATA Customer Master Data Maintenance
SAP_FI_AR_PARK_DOCUMENT Park Customer Documents
SAP_FI_AR_PAYMENT_CARD_PROCESS Payment Card Processing
SAP_FI_AR_PERIOD_END_PROCESS Closing Operations: Accounts Receivable Accounting
SAP_FI_AR_POST_ENTRIES Post Customer Invoices and Credit Memos
SAP_FI_AR_POST_MANUAL_PAYMENTS Post Incoming Payments Manually
SAP_FI_AR_POST_PARKED_DOCUMENT Post Parked Customer Document
SAP_FI_AR_PRINT_CORRESPONDENCE Correspondence with Customers
SAP_FI_AR_RECURRING_DOCUMENTS Customer Recurring Entry Documents
SAP_FI_AR_SAMPLE_DOCUMENTS Customer Sample Documents
SAP_FI_AR_VALUATION Valuation of Customer Items
Data Storage Security
You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.
Bank Accounting (FI-BL)
Authorizations
Standard Roles in Bank Accounting
Role Name
SAP_FI_BL_ACCOUNT_REPORTS Financial Status Information
SAP_FI_BL_BANK_MASTERDAT_DISPL Display of Bank Master Data
SAP_FI_BL_BANK_MASTER_DATA Maintenance of Bank Master Data
SAP_FI_BL_BANK_STATEMENT Process Account Statement
SAP_FI_BL_BILL_OF_EX_PRESENT Bill of Exchange Presentation
SAP_FI_BL_BILL_OF_EX_REPORTS Reports on Bill of Exchange Holdings
SAP_FI_BL_CASHED_CHECKS Cashed Checks
SAP_FI_BL_CASH_JOURNAL Cash Journal
SAP_FI_BL_CHECK_DELETE Deletion of Checks
SAP_FI_BL_CHECK_DEPOSIT Check Deposit
SAP_FI_BL_CHECK_MANAGEMENT Check Management
SAP_FI_BL_CHECK_MGMENT_DISPLAY Display of Managed Checks
SAP_FI_BL_INTRADAY_STATEMENT Import Intraday Account Statement Information (USA)
SAP_FI_BL_LOCKBOX Processing the Lockbox - Data
SAP_FI_BL_ONLINE_PAYMENT Make Online Payments
SAP_FI_BL_PAYMENT_TRANSACTIONS Payment Processing
SAP_FI_BL_PAYME_ADVICE_REPORTS Payment Advice Note Reports
SAP_FI_BL_POR_PROCEDURE Incoming Payments via ISR Procedure (Switzerland)
SAP_FI_BL_RETURNED_BILL_OF_EX Returned Bills of Exchange
Data Storage Security
You can store payment card numbers encoded in the database. For information about encoding credit card data, see SAP Note 633462.
Asset Accounting (FI-AA)
Authorizations
Standard Roles in Asset Accounting
Role Name
SAP_AUDITOR_BA_FI_AA AIS Fixed Assets
SAP_AUDITOR_BA_FI_AA_A AIS Fixed Assets (Authorizations)
SAP_FI_AA_ASSET_ARCHIVING Archiving Activities
SAP_FI_AA_ASSET_CAPITALIZATION Capitalization of Asset under Construction
SAP_FI_AA_ASSET_ENVIRONMENT Worklist and Tools in Asset Accounting
SAP_FI_AA_ASSET_EXPLORER Asset Explorer
SAP_FI_AA_ASSET_INFOSYSTEM Asset Accounting Information System
SAP_FI_AA_ASSET_MASTER_DATA Asset Master Data Maintenance
SAP_FI_AA_ASSET_REVALUATION Revaluation Activiti