Security Guide for SAP SRM 7.02

Security Guide
SAP Supplier Relationship Management powered by SAP NetWeaver®
Using SAP SRM Server 7.02

Target Audience
- System administrators
- Technology consultants

PUBLIC
Document version: 1.4 ‒ 10/24/2011


Document History

Caution

Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: http://service.sap.com/securityguide.

The following table provides an overview of the most important document changes:

Version | Date | Description
1.3 | 11/8/2011 | Updated and enhanced for SAP enhancement package 2 for SAP SRM 7.0.

2/80 PUBLIC 10/24/2011

Table of Contents

Chapter 1 Introduction ... 5
1.1 Target Audience ... 5
1.2 Why Is Security Necessary? ... 5
1.3 About This Document ... 5

Chapter 2 Before You Start ... 9
2.1 Fundamental Security Guides ... 9
2.2 Important SAP Notes ... 11
2.3 Additional Information ... 11

Chapter 3 Technical System Landscape Information ... 13
3.1 Technical System Landscape ... 13
3.2 Architecture ... 14

Chapter 4 Security Aspects of Data, Data Flow, and Processes ... 21
4.1 Overview of the Business Scenarios ... 21
4.2 Software Component Matrix ... 21
4.3 SAP Supplier Relationship Management (SAP SRM) Business Scenarios and Relevant Components ... 21

Chapter 5 User Administration and Authentication Information ... 31
5.1 User Administration and Authentication ... 31
5.2 User Management ... 32
5.3 Integration into Single Sign-On Landscapes ... 33

Chapter 6 Authorization Information ... 35
6.1 Authorizations ... 35
6.2 Business Add-In to Restrict Visibility of Product Categories ... 36
6.3 RFC Authorization Checks ... 37

Chapter 7 Session Security Protection ... 39

Chapter 8 Network and Communication Security ... 41
8.1 Communication Channel Security ... 41
8.2 Network Security ... 44
8.3 Communication Destinations ... 45

Chapter 9 Internet Communication Framework Security ... 47

Chapter 10 Data Storage Security ... 49

Chapter 11 Enterprise Services Security ... 51

Chapter 12 Auditing and Logging ... 53

Chapter 13 Services for Security Lifecycle Management ... 61

Chapter 14 Other Security Relevant Information ... 63
14.1 Payment Card Security ... 63
14.2 Credit Card Usage Overview ... 64
14.3 Customizing ... 64
14.4 Masked/Unmasked Display ... 65
14.5 Deleting Stored Credit Card Information ... 66

Chapter 15 Appendix ... 67
15.1 Data Privacy Statement ... 67
15.2 Virus Checking of Document Attachments ... 68
15.3 Additional Related Guides ... 68
15.4 Additional Information ... 69

Chapter A Reference ... 73
A.1 The Main SAP Documentation Types ... 73

1 Introduction

SAP SRM runs on multiple NetWeaver releases, but in this document we only refer to the latest release.

Caution

This guide does not replace the administration or operation guides that are available for productive operations.

1.1 Target Audience

- Technology consultants
- System administrators

This document is not included as part of the installation guides, technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

1.2 Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or processing time. These demands on security apply likewise to the SAP Supplier Relationship Management (SAP SRM) solution. To assist you in securing SAP SRM, we provide this Security Guide.

1.3 About This Document

This security guide provides an overview of the security-relevant information that applies to SAP Supplier Relationship Management (SAP SRM).


In many cases, the required information has already been provided in other security guides and in the configuration information or installation guides. In these cases, we have provided a reference to the appropriate guides.

Security in the context of an SAP SRM solution comprises the following aspects:

- User authentication
- Support of Single Sign-On
- Administration and checking of user authorizations to prevent unauthorized access to saved data
- Secure data transfer between users and the SAP SRM application components, especially in the case of browser-based access using the Internet
- General access control, including protection of the system against unauthorized external access
- Safeguarding of data against unauthorized access when business data is being exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems using the Internet

The individual components of the SAP SRM solution are based on the standard technology of SAP NetWeaver, such as SAP NetWeaver Web Application Server, ABAP Web Dynpro, and SAProuter. This means that only the official precepts of the SAP security strategy are used, together with the standard tools and mechanisms of the SAP NetWeaver platform.

This security guide focuses on specific SAP SRM implementations ‒ the standard case is covered by the security guides of the respective basis technologies.

For a more detailed overview of business scenarios, including graphical representations, see the master guide at http://service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.02.

Overview of the Main Sections

The security guide comprises the following main sections:

- Before You Start
  This section contains information about why security is necessary, how to use this document, and references to other security guides that build the foundation for this security guide.
- Technical System Landscape Information
  This section provides an overview of the technical components and communication paths that are used by SAP SRM.
- Security Aspects of Data, Data Flow, and Processes
  This section provides an overview of security aspects involved throughout the most widely used processes within SAP SRM.
- User Administration and Authentication
  This section provides an overview of the following user administration and authentication aspects:
  - Recommended tools to use for user management
  - User types that are required by SAP SRM
  - Standard users that are delivered with SAP SRM
  - Overview of the user synchronization strategy, if several components or products are involved
  - Overview of how integration into Single Sign-On environments is possible
- Authorizations
  This section provides an overview of the authorization concept that applies to SAP SRM.
- Session Security Protection
  This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
- Network and Communication Security
  This section provides an overview of the communication paths used by SAP SRM and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at network level.
- Internet Communication Framework Security
  This section provides an overview of the Internet Communication Framework (ICF) services that are used by SAP SRM.
- Data Storage Security
  This section provides an overview of any critical data that is used by SAP SRM and the security mechanisms that apply.
- Security for Third-Party or Additional Applications
  This section provides security information that applies to third-party or additional applications that are used with SAP SRM.
- Dispensable Functions with Impacts on Security
  This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.
- Enterprise Services Security
  This section provides an overview of the security aspects that apply to the enterprise services delivered with SAP SRM.
- Security-Relevant Logging and Tracing
  This section provides an overview of the trace and log files that contain security-relevant information so that you can, for example, reproduce activities if a security breach occurs.
- Services for Security Lifecycle Management
  This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.
- Appendix
  This section provides references to further information.


2 Before You Start

2.1 Fundamental Security Guides

SAP Supplier Relationship Management (SAP SRM) is built on the technology of SAP NetWeaver. Therefore, the corresponding security guides also apply to the SAP SRM solution. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.

Fundamental Security Guides

Scenario, Application or Component | Security Guide | Most-Relevant Sections
SAP NetWeaver Security Guide | See http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide | Introduction to Security with the SAP NetWeaver Platform

Topic | See
Technical System Landscape | http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Technical System Landscape
User Administration and Authentication | http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → User Administration and Authentication
Network and Transport Layer Security | http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security
Secure Programming | Secure Programming - ABAP


Security Guides for SAP NetWeaver According to Usage Types

Usage Type | See

SAP NetWeaver Application Server:
- SAP NetWeaver Application Server ABAP Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide
- SAP NetWeaver Application Server Java Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide
- Virus Protection and SAP GUI Integrity Checks at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → Virus Protection and SAP GUI Integrity Checks

SAP NetWeaver Portal:
- Portal Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Usage Types EPC and EP

SAP NetWeaver Business Intelligence (SAP NetWeaver BI):
- Security Guide for SAP NetWeaver Business Intelligence (SAP NetWeaver BI) at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type BI

SAP NetWeaver Process Integration (SAP NetWeaver PI):
- SAP NetWeaver Process Integration (SAP NetWeaver PI) at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI


Security Guides for Standalone Engines

Engine | See
Search and Classification TREX | Search and Classification (TREX) Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Standalone Engines, Clients and Tools → Search and Classification (TREX) Security Guide

For a complete list of available SAP security guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

2.2 Important SAP Notes

The most important SAP Notes that apply to the security of SAP SRM are shown in the table below.

Title | SAP Note Number
Availability of the SAP Security Guide | 39267
Data protection text for supplier maintenance | 843740
Unauthorized usage of application functionality — SRM Catalog | 1507294
Unauthorized usage of application functionality — SUP Portal | 1507296
SAP NetWeaver Process Integration: Release Recommendation | 1515223
Table CRMATAB is empty | 1501685

Note

For more SAP Notes on security, see SAP Service Marketplace at http://service.sap.com/securitynotes.

2.3 Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.


Content | Quick Links on the SAP Service Marketplace or SAP Developer Network (SDN)
Security | http://service.sap.com/security
Security Guides | http://service.sap.com/securityguide
Related SAP Notes | http://service.sap.com/notes
Released platforms | http://service.sap.com/platforms
Network security | http://service.sap.com/securityguide
SAP Solution Manager | http://service.sap.com/solutionmanager
SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver

3 Technical System Landscape Information

3.1 Technical System Landscape

SAP Supplier Relationship Management (SAP SRM) supports various presentation technologies on which the individual SAP SRM components run. They are used for user access and data transfer. The architecture, determined by the respective presentation technology, is crucial for the security of an SAP SRM system. The architecture determines the security concept.

The figure below shows an overview of the technical system landscape for SAP SRM.

Figure 1: Technical System Landscape for SAP SRM

For more information about the technical system landscape, see the resources listed in the table below.

Topic | Guide/Tool | Quick Link to the SAP Service Marketplace or SDN
Technical description for SAP SRM and the underlying components such as SAP NetWeaver | Master Guide | http://service.sap.com/instguides
High availability | High Availability for SAP Solutions | http://sdn.sap.com/irj/sdn/ha
Technical landscape design | See applicable documents | http://sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | http://sdn.sap.com/irj/sdn/security

3.2 Architecture

The architecture of an SAP Supplier Relationship Management (SAP SRM) system landscape is dependent on the security measures taken. These, in turn, are determined by the data to be transferred and the data channels.

In an SAP SRM system landscape, there are two types of channels for data exchanges. The following require careful attention in terms of provision of security during data exchange using external interfaces:

- Exchange of data using external user interfaces
- Exchange of data and documents using external system interfaces

In both cases, the SAP SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway.

Recommendation

We recommend that you use SAP Web Dispatcher. URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall. In this way, the SAP SRM security concept follows the general SAP security standards that are used on a worldwide basis.

For more information about SAP Web Dispatcher, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.3 → Security Information → Security → Security Guides for Standalone Engines, Clients and Tools → Security Information → SAP Web Dispatcher.

Exchange of Data Using External User Interfaces

Data exchange using external user interfaces occurs in SAP SRM in the following ways:

- Data exchange using the application gateway, using either ABAP Web Dynpro applications or Business Server Pages (BSP) technology. BSP is used for Supplier Self-Services (SUS) and Registration of Suppliers (ROS).
- Data exchange using the Java applet Live Auction Cockpit Web Presentation Server (LACWPS), which is also available using the application gateway.

Data Exchange Using the Application Gateway for Applications with Web Front Ends

The following SAP SRM scenarios, where the Web front end is based on ABAP Web Dynpro or BSP technology, work on this principle:

- Self-Service Procurement
- Plan-Driven Procurement
- Service Procurement
- Catalog Content Management
- Analytics
- Strategic Sourcing (with RFx, but without LACWPS)
- Operational Contract Management

The following figure shows the basic representation of the communication paths of the SAP SRM components to the outside, using the application gateway:

Figure 2: Basic Representation of the Communication Paths of the SAP SRM Components to the Outside Using the Application Gateway

The SAP Web Dispatcher functions as an application gateway and is used as a switch between the Internet and your SAP SRM Server system, which consists of one or more SAP NetWeaver Application Servers. This is why you have only one point of access for HTTP(S) requests in your system. SAP Web Dispatcher also balances the load so that the request is always sent to the server with the greatest capacity.

For more information about using Web Dynpro ABAP technology, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Type → Security Aspects for Usage Type DI and Other Development Technologies → Security Issues for Web Dynpro ABAP.

For more information about SAP Web Dispatcher, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver 7.3 → Security Information → Security → Security Guides for Standalone Engines, Clients and Tools → Security Information → SAP Web Dispatcher.

SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) through the internal firewall of the DMZ. In this way, the SAP SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.

The following figure shows the underlying architecture of the system landscape:

System Landscape Architecture

Figure 3: Underlying Architecture of the System Landscape

For external access, a landscape as illustrated in figure 2 is recommended. The landscape enables access constraints to the external-facing portal and Web Dynpro applications using a Web Dispatcher configuration. For more information, see:

n SAP Note 517484

- http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Types EPC and EP → Portal Security Guide
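The following SAP Web Dispatcher profile fragment is an added illustration of the gateway role described above; it is not taken from this guide or from SAP. It opens an HTTPS-only listener toward the Internet, keeps the internal SRM hosts and ports hidden behind the dispatcher, re-encrypts the hop to the ICM, and restricts the externally reachable URLs with a permission file. Host names, ports, the permission-file path and the listed URL prefixes are assumptions chosen for the example; verify the parameter names against the Web Dispatcher documentation of your release.

```ini
# Added example (not from the SAP guide): SAP Web Dispatcher instance profile
# fragment for the application gateway in the DMZ. Host names, ports and file
# paths are placeholders; adapt them to your landscape.

# Listener toward the Internet: HTTPS only. No PROT=HTTP port is defined, so
# plain-text requests arriving from outside the external firewall are refused.
icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=60, PROCTIMEOUT=600

# Back-end SAP SRM Server system, located via its message server through the
# internal firewall. Clients only ever see the dispatcher's own host and port;
# the application servers' URLs and ports stay unknown outside the DMZ.
wdisp/system_0 = SID=SRM, MSHOST=srm-ms.internal.example, MSPORT=8101

# Re-encrypt toward the ICM of the application servers so the hop behind the
# internal firewall is also HTTPS (0 = HTTP to the back end, 1 = HTTPS only if
# the client used HTTPS, 2 = always HTTPS).
wdisp/ssl_encrypt = 2

# Tell the back end which protocol the client used so generated links keep https://.
wdisp/add_client_protocol_header = true

# URL filter for everything under "/": only prefixes permitted in the
# permission file are forwarded; every other path is rejected at the gateway.
icm/HTTP/auth_0 = PREFIX=/, PERMFILE=$(DIR_INSTANCE)/sec/wdisp_perm.txt

# ---- contents of $(DIR_INSTANCE)/sec/wdisp_perm.txt (constructed example) ----
# P = permit, D = deny. The application prefixes are placeholders standing for
# the Web Dynpro ABAP and public resources the external-facing portal needs;
# the final "D /*" denies everything not explicitly permitted above it.
P /sap/bc/webdynpro/sapsrm/*
P /sap/public/bc/*
D /*
```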


Data Exchange Using the Java Applet Live Auction Cockpit Web Presentation Server (LACWPS) 6.0

In the SAP SRM business scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for live auctions. This is not the case for auctions using the sourcing application in SAP Bidding Engine. The Java applet communicates with the server part of LACWPS on the J2EE Engine 7.3 using the application gateway.

The following figure shows the basic representation of the communication paths of the SAP SRM components including the LACWPS 6.0 to the outside:

Figure 4: Basic Representation of the Communication Paths of the SAP SRM Components Including LACWPS 6.0 to the Outside

The ABAP Web Dynpro technology allows external suppliers in the Strategic Sourcing business scenario to participate in RFxs that are created and evaluated using SAP Bidding Engine. Auctions can be converted into live auctions and are then processed in the LACWPS.

LACWPS is a Java component on presentation level whose runtime environment is the J2EE Engine of SAP Web AS 7.3. LACWPS consists of a server part that runs on the J2EE Engine and a Java applet that is loaded into the browser of the user, where it is executed locally. The applet communicates with the server part using HTTP(S). The server communicates with SAP SRM Server using RFC. The Java applet for the Live Auction is digitally signed.

Communication between the Java applet and LACWPS occurs using the application gateway that exists in the DMZ, just like any HTTP(S)-based communication with the Internet. Communication with the Internet that occurs using HTTP(S) always makes use of the application gateway.

All security aspects are dealt with by SAP NetWeaver Application Server (SAP NetWeaver AS).


Exchange of Data Using External System Interfaces

The following figure shows how data in the form of documents is exchanged using external system interfaces:

Figure 5: Exchange of Data Using External System Interfaces

In an SAP SRM system landscape, SAP NetWeaver Process Integration (SAP NetWeaver PI) is used to transfer data in the form of documents using external system interfaces. SAP NetWeaver PI is in turn connected to the Internet using the SAP Web Dispatcher that is located in the DMZ. All security aspects are dealt with by SAP Web Dispatcher and SAP NetWeaver PI.

For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security → Security → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Type PI.

More Information

For more information about the technical system landscape, see the resources listed in the table below.

Topic | Guide/Tool | Quick Link to SAP Service Marketplace or SDN
Technical description for SAP SRM and the underlying components such as SAP NetWeaver | Master Guide | http://service.sap.com/instguides
High availability (general) | High Availability for SAP Solutions | http://www.sdn.sap.com/irj/sdn/ha
Technical landscape design | See applicable documents | http://www.sdn.sap.com/irj/sdn/landscapedesign
Security | See applicable documents | http://www.sdn.sap.com/irj/sdn/security

4 Security Aspects of Data, Data Flow, and Processes

4.1 Overview of the Business Scenarios

Before you start the security setup, you need to decide which SAP Supplier Relationship Management (SAP SRM) components need to be installed. You should also have carried out a rough sizing exercise to answer questions on the technical setup.

You can use this Security Guide to define the network structure, for example, firewalls, routers, load balancing, protocols used, and the required configuration of the components, as well as a concept for user administration.

In this section you can find the Software Component Matrix, and details of the components used for each business scenario.

Note

For more information about the individual business scenarios, see the SAP SRM Master Guide on SAP Service Marketplace at http://service.sap.com/instguides → Installation and Upgrade Guides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.02.

4.2 Software Component Matrix

For information about the software components of SAP Supplier Relationship Management (SAP SRM), see the SAP SRM Master Guide on SAP Service Marketplace at http://service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.02.

4.3 SAP Supplier Relationship Management (SAP SRM) Business Scenarios and Relevant Components

The following section provides an overview of the business scenarios and variants available in SAP enhancement package 2 for SAP Supplier Relationship Management 7.0 (SAP SRM 7.02) and a textual description of the relevant components:

- Operational Contract Management
- Service Procurement
  - Service Procurement (Classic)
  - Service Procurement External Staffing
- Strategic Sourcing
  - Strategic Sourcing with RFx
  - Strategic Sourcing with Live Auction
- Plan-Driven Procurement
  - Plan-Driven Procurement with Plant Maintenance
  - Plan-Driven Procurement with Supplier Integration
- Catalog Content Management
- Self-Service Procurement
  - Self-Service Procurement (Classic)
  - Self-Service Procurement (Extended Classic)
- Analytics
  - Spend Analysis
  - Supplier Evaluation
- SAP SRM, Procurement for Public Sector (PPS)
- Supplier Self-Services as Part of Service Procurement and Plan-Driven Procurement

For detailed information about the business scenarios and business processes in SAP SRM, see the SAP SRM master guide on SAP Service Marketplace at http://service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → SAP SRM Server 7.02.

Recommendation

Because you cannot mix HTTP and HTTPS, we recommend that you use HTTPS to ensure secure connectivity between all of your SAP systems.

Operational Contract Management

Operational Contract Management enables your purchasers to create, change, and monitor central contracts. They can use the catalogs provided by SAP Enhancement Package 2 for SRM-MDM Catalog 7.0 to add items to contracts. SAP NetWeaver 7.0 Business Intelligence Content Add-On 5 (SAP NetWeaver 7.0 BI Content Add-On 5) is used to carry out evaluations. The highest available release of SAP NetWeaver Process Integration (SAP NetWeaver PI) is also necessary in this business scenario to upload external flat files for product category hierarchies and supplier hierarchies. You can distribute central contracts to SAP enhancement package 6 for SAP ERP using Process Integration to use them as a source of supply, or as schedule agreements using IDocs.

The SAP enhancement package 2 for SAP SRM 7.0 Server front end uses ABAP Web Dynpro technology. The front end of SAP enhancement package 2 for SRM-MDM Catalog 7.0 uses Java Web Dynpro technology. SAP enhancement package 3 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 3 for SAP NetWeaver BI 7.0) is realized using Business Server Pages (BSP) technology.


Depending on the requirements of the SAP Enhancement Package 2 for SAP SRM 7.0 installation, that is, whether SAP SRM Server 7.02 should be available using the Internet, and depending on the internal security policy, the following has to be carried out:

Mandatory steps

- SAP SRM Server 7.02:
  Enable SAP NetWeaver Application Server (SAP NetWeaver AS) 7.3 ABAP SSL (configure HyperText Transfer Protocol with SSL (HTTPS) protocol).
  Enable secure RFC connections to the SAP enhancement package 6 for SAP ERP Central Component system to distribute central contracts as schedule agreements.
- SRM-MDM Catalog 7.02:
  Enable SAP NetWeaver AS 7.3 Java Secure Sockets Layer (SSL).
  See the documentation on Transport Layer Security in the SAP NetWeaver Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide.
- SAP NetWeaver 7.3:
  Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol).
- Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.02
- Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
- Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
- Configure Single Sign-On (SSO) between SAP SRM Server 7.02, SRM-MDM Catalog 7.02, and SAP NetWeaver 7.3
- If necessary, configure Secure Network Communication (SNC) connections between SAP SRM Server 7.02 and the back-end system
- If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3
- If necessary, connect SAP SRM Server 7.02, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 using HTTPS and file transfer protocol with SSL (FTPS) and SNC to SAP NetWeaver PI.
  For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security.

Service Procurement

The Service Procurement business scenario covers the entire service procurement process. The SAP SRM Server for Supplier Self-Services (SUS) Web front end uses Business Server Pages (BSP) technology.


Mandatory steps

• SAP SRM Server for supplier self-services (SUS): Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.02

Depending on whether SAP SRM Server 7.02 is also to be made available using the Internet, or depending on the internal security policy, the following might also be necessary:

Further steps

• SAP SRM Server 7.02: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• SAP SRM-MDM Catalog 7.02: Enable SAP NetWeaver AS 7.3 Java SSL (configure HTTPS protocol)
• SAP NetWeaver 7.3: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
• Configure SSO between SAP SRM Server 7.02, SRM-MDM Catalog 7.02, and SAP NetWeaver 7.3
• If necessary, configure SNC connections between SAP SRM Server 7.02 and the back-end system
• If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3
• If necessary, connect SAP SRM Server 7.02, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 to the highest available release of SAP NetWeaver PI using HTTPS, file transfer protocol with SSL (FTPS), and SNC
  For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security

Note

The SAP SRM@ERP2005 business scenario Supplier Self-Registration is identical to the Service Procurement business scenario described above in the SAP SRM standard.

Strategic Sourcing

Within Strategic Sourcing, RFxs are created in SAP SRM Server 7.02 and suppliers are invited to participate in these RFxs by submitting bids. RFxs can also be converted into live auctions. Live auctions run either in Live Auction Cockpit Web Presentation Server 6.0 (LACWPS 6.0) or on the ABAP server. In the Java variant, Live Auction Cockpit runs partly on a J2EE Engine and partly in a Java applet that communicates with the server; the applet is loaded into the user's browser and executed locally. In the ABAP variant, Live Auction Cockpit runs partly on the ABAP server and partly in a Java applet that communicates with the server; the applet is delivered to the client using Business Server Pages (BSP) technology, loaded into the user's browser, and executed locally.

Mandatory steps

• SAP Bidding Engine: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Live Auction Cockpit Web Presentation Server 6.0: Enable SAP NetWeaver AS 7.3 Java SSL
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP Bidding Engine
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP LACWPS 6.0 on SAP NetWeaver AS 7.3 Java

Depending on whether the components are also to be made available using the Internet, or depending on the internal security policy, the following might also be necessary:

Further steps

• SRM-MDM Catalog 7.02: Enable SAP NetWeaver AS 7.3 Java SSL (configure HTTPS protocol)
• SAP NetWeaver 7.3: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
• If necessary, configure SNC connections between SAP SRM Server and the back-end system
• If necessary, configure SNC connections between SAP SRM Server or your back-end system and SAP NetWeaver 7.3
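The cFolders note that follows describes placing an SAProuter between the DMZ and the intranet, with the connection used exclusively for RFC. What enforces that restriction is the SAProuter route permission table (saprouttab). The following Python is an added example, not code from SAP or from this guide: it parses a saprouttab and decides, for a given source host, target host, port and protocol, whether SAProuter would let the connection through, using first-match semantics and the entry types P (permit), S (permit only SAP protocols such as RFC, refuse native TCP) and D (deny). The host addresses, the gateway port 3300 and the table contents are assumptions constructed for the example.

```python
"""Evaluate a SAProuter route permission table (saprouttab).

Added example: not SAP code and not part of the SRM security guide.
Entry types handled: P (permit), S (permit only SAP protocols such as
RFC/DIAG, refuse native TCP), D (deny). SNC entries (KP/KD/KS) are
rejected as unsupported here. All hosts, ports and the table below are
constructed for this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    action: str   # "P", "S" or "D"
    source: str   # source host or IP; "*" wildcards allowed (for example 192.0.2.*)
    target: str   # target host or IP
    port: str     # target port number, or "*"


def parse_saprouttab(text: str) -> List[Route]:
    """Parse lines of the form '<action> <source> <target> <port> [password]'.

    Blank lines and '#' comments are skipped; the optional password field is ignored.
    """
    routes: List[Route] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() not in ("P", "S", "D"):
            raise ValueError(f"unsupported saprouttab entry: {raw!r}")
        routes.append(Route(fields[0].upper(), fields[1], fields[2], fields[3]))
    return routes


def _matches(route: Route, source: str, target: str, port: int) -> bool:
    return (fnmatchcase(source, route.source)
            and fnmatchcase(target, route.target)
            and (route.port == "*" or route.port == str(port)))


def route_decision(routes: List[Route], source: str, target: str, port: int,
                   sap_protocol: bool = True) -> Tuple[bool, str]:
    """Decide a connection the way SAProuter does: the first matching entry wins,
    and a connection that matches no entry at all is refused."""
    for index, route in enumerate(routes, start=1):
        if not _matches(route, source, target, port):
            continue
        if route.action == "P":
            return True, f"permitted by entry {index}"
        if route.action == "S":
            if sap_protocol:
                return True, f"permitted by entry {index} (SAP protocol only)"
            return False, f"refused by entry {index}: native TCP is not allowed on an S entry"
        return False, f"denied by entry {index}"
    return False, "no matching entry (implicit deny)"


# Constructed table for the cFolders case: the cFolders host in the DMZ (192.0.2.10)
# may reach the SRM gateway (10.0.0.20, instance 00, port 3300) with RFC only;
# everything else from the DMZ is denied; an intranet admin host keeps full access.
# Addresses and ports are assumptions for this example.
SAMPLE_SAPROUTTAB = """
S 192.0.2.10  10.0.0.20  3300   # cFolders -> SRM gateway, SAP protocol (RFC) only
D 192.0.2.*   *          *      # nothing else from the DMZ
P 10.0.0.5    10.0.0.20  *      # intranet admin host, any port, native allowed
"""

ROUTES = parse_saprouttab(SAMPLE_SAPROUTTAB)


if __name__ == "__main__":
    checks = [
        ("192.0.2.10", "10.0.0.20", 3300, True),    # cFolders RFC: permitted
        ("192.0.2.10", "10.0.0.20", 3300, False),   # cFolders native TCP on the same port: refused
        ("192.0.2.10", "10.0.0.20", 8000, False),   # cFolders HTTP to the ICM port: denied
        ("10.0.0.5", "10.0.0.20", 8000, False),     # intranet admin HTTP: permitted
        ("203.0.113.7", "10.0.0.20", 3300, True),   # unknown host: implicit deny
    ]
    for src, dst, prt, sap in checks:
        allowed, why = route_decision(ROUTES, src, dst, prt, sap_protocol=sap)
        kind = "SAP" if sap else "native"
        print(f"{src} -> {dst}:{prt} {kind}: {'ALLOW' if allowed else 'DENY'} ({why})")
```

Entry order matters: the specific S entry for the cFolders host must precede the D entry for the whole DMZ range, otherwise the deny matches first. The trailing deny is not strictly needed (unmatched connections are refused anyway), but it makes the intent reviewable in the file.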

Note

Integration into cFolders

For collaborative bidding processes, the Strategic Sourcing business scenario supports integration into cFolders. In the productive environment, the SAP SRM system is located in the intranet zone, while the cFolders system is in the demilitarized zone (DMZ). Setting up a Remote Function Call (RFC) connection between SAP SRM and the cFolders system is a potential security risk because it opens a system connection from outside the intranet, that is, from the DMZ. However, this connection can be additionally protected by placing an SAProuter between the systems. SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. The system connection is used exclusively for the RFC protocol; HTTP is not necessary, so the SAProuter route table should permit only that RFC connection between the two hosts and nothing else. For more information, see the cProjects Suite Security Guides at http://service.sap.com/securityguide.

Plan-Driven Procurement

Plan-Driven Procurement automates and streamlines ordering processes for core materials that are required regularly. Suppliers can process purchase orders directly in SAP SRM Server for supplier self-services (SUS). The purchase orders are transferred to SAP SRM Server for supplier self-services (SUS) from the back-end system using SAP NetWeaver PI. The Web front end of SAP SRM Server for supplier self-services (SUS) is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server for supplier self-services (SUS) using the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server for supplier self-services (SUS).

Mandatory steps

• SAP SRM Server for supplier self-services (SUS): Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server for supplier self-services (SUS)

Depending on whether SAP SRM Server for supplier self-services (SUS) is also to be made available using the Internet, or depending on the internal security policy, the following might also be necessary:

Further steps

• SAP SRM Server 7.02: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• SAP NetWeaver 7.3: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
• If necessary, configure SNC connections between SAP SRM Server 7.02 and the back-end system
• If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3
• If necessary, connect SAP SRM Server 7.02, SAP SRM Server for supplier self-services (SUS), and SAP SRM-MDM Catalog 7.02 to the highest available release of SAP NetWeaver PI using HTTPS, file transfer protocol with SSL (FTPS), and SNC
  For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security.

Catalog Content Management

The user interface of the Catalog Content Management business scenario is realized using Java Web Dynpro technology. Catalogs can be uploaded using the file system and the MDM Import Manager in XML or Excel formats. Contract data can be loaded from the SAP SRM Server 7.02 system using SAP NetWeaver PI and the MDM Import Manager. In the scope of a procurement process, product data is transferred from SRM-MDM Catalog 7.02 to SAP SRM Server 7.02 through the user's browser using HTTP(S), in accordance with the Open Catalog Interface (OCI) specification. Because this transfer passes through the browser, both the catalog (Java) side and the SAP SRM Server (ABAP) side must be served over HTTPS; otherwise one leg of the OCI transfer runs in cleartext.

Mandatory steps

• Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Enable SAP NetWeaver AS 7.3 Java SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• If necessary, connect the MDM Import Server port file system of SRM-MDM Catalog 7.02 to SAP NetWeaver PI using FTPS
  For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI.

For more information about SAP NetWeaver Master Data Management (MDM), see SAP Service Marketplace at http://service.sap.com/installmdm.

Self-Service Procurement

The Self-Service Procurement business scenario enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP enhancement package 2 for SRM-MDM Catalog 7.0. SAP NetWeaver 7.0 Business Intelligence Content Add-On 5 (SAP NetWeaver 7.0 BI Content Add-On 5) is used to carry out evaluations.

Mandatory Steps

• SAP SRM Server 7.02: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• SRM-MDM Catalog 7.02: Enable SAP NetWeaver AS 7.3 Java SSL (configure HTTPS protocol)
• SAP NetWeaver 7.3: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
• Configure SSO between SAP SRM Server 7.02, SRM-MDM Catalog 7.02, and SAP NetWeaver 7.3
• If necessary, configure SNC connections between SAP SRM Server 7.02 and the back-end system
• If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3


Note

The Self-Service Procurement (Extended Classic) business scenario is almost the same as the Self-Service Procurement (Classic) business scenario, except that it is extended by a SUS system that is connected to the ECC (ERP Central Component) system.

Analytics

Within the Spend Analysis and Supplier Evaluation business scenarios in SAP enhancement package 2 for SAP SRM 7.0, you can consolidate data in SAP enhancement package 3 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 3 for SAP NetWeaver BI 7.0) and carry out evaluations. The data for this comes from SRM Server 7.02 or its back-end system using Remote Function Call (RFC), protected with Secure Network Communication (SNC) where the security policy requires it. Users access the reports using a Web front end that is realized using Business Server Pages (BSP) technology.

Note

If SAP enhancement package 3 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 3 for SAP NetWeaver BI 7.0) reports are also made available to suppliers, SAP enhancement package 3 for SAP NetWeaver BI 7.0 has to be accessible using the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario, that is:

• Should the SAP SRM system landscape be available to the purchasers over the Internet or only over the intranet?
• Does the internal security policy require HTTPS to be used for all Web-based applications?

Mandatory steps:

• Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3

SAP SRM, Procurement for Public Sector (PPS)

For SAP SRM, Procurement for Public Sector (PPS), SAP Supplier Relationship Management (SAP SRM) must be deployed as an extended classic scenario. Multi back-end deployment is not supported for PPS. The security guidelines are relevant for the following PPS scenarios:

• Public Sourcing and Tendering
• Contract Management and Administration
• Operational Procurement
• Procurement Services

There are other components, such as SAP Document Builder 7.31, that can be used to create documents. SRM-MDM Catalog 7.02 can be used to add items from public catalogs into documents, and SAP enhancement package 3 for SAP NetWeaver Business Intelligence 7.0 (SAP enhancement package 3 for SAP NetWeaver BI 7.0) can be used to carry out evaluations. The Web front end of SRM-MDM Catalog 7.02 uses Java Web Dynpro technology. SAP enhancement package 3 for SAP NetWeaver BI 7.0 is realized using Business Server Pages (BSP) technology and Java Web Dynpro technology. Depending on the internal security policy, the following steps are mandatory:

Mandatory Steps

• Role-based access can be provided to the users for accessing specific PPS functions using the Procurement role that is part of a predefined business package of SAP enhancement package 3 for SAP NetWeaver 7.0
• SAP Document Builder 7.31 can be integrated into the SAP SRM Server using Web services technology or using SAP NetWeaver PI (configure the HTTPS protocol for the URL)
• SAP SRM Server 7.02: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• SRM-MDM Catalog 7.02: Enable SAP NetWeaver AS 7.3 Java SSL (configure HTTPS protocol)
• SAP NetWeaver 7.3: Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SRM-MDM Catalog 7.02
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP NetWeaver 7.3
• Configure SSO between SAP SRM Server 7.02, SRM-MDM Catalog 7.02, and SAP NetWeaver 7.3
• If necessary, configure SNC connections between SAP SRM Server 7.02 and the back-end system
• If necessary, configure SNC connections between SAP SRM Server 7.02 and the SAP Document Builder 7.31 system
• If necessary, configure SNC connections between SAP SRM Server 7.02 or your back-end system and SAP NetWeaver 7.3

Supplier Self-Services as Part of Service Procurement and Plan-Driven Procurement

The Supplier Self-Services (SUS) solution can be used with the Service Procurement, Plan-Driven Procurement, and Supplier Qualification business scenarios. Depending on the landscape deployment, the solution can be positioned in the intranet or in the DMZ. Based on security considerations, the following deployment options are available:

Behind the Firewall Scenario

SUS can be deployed either on a separate server or on SAP SRM Server 7.02. If it is deployed on SAP SRM Server 7.02, SUS can be activated in the same client or in a different one. For security reasons, we do not recommend using SUS in the same client as SAP SRM Server 7.02 in your productive environment. In all cases it is mandatory to install the highest available release of SAP NetWeaver PI to enable integration between SAP SRM Server 7.02 and SAP SRM Server for SUS. For more information, see SAP Note 573383.

Similarly, to deploy the Plan-Driven Procurement business scenario behind the firewall, SUS can be positioned either on a separate server or as an add-on on the same server as the SAP ERP Server. For more information, see SAP Note 963000.

The Web front end of SAP SRM Server for SUS is realized using Business Server Pages (BSP) technology. Since suppliers log on to SAP SRM Server for SUS using the Internet, we strongly recommend the use of the HTTPS protocol for SAP SRM Server for SUS.

Outside the Firewall Scenario

In this case it is only possible to implement SUS on a separate server, since the connection to the procurement systems is achieved using SAP NetWeaver PI.

Mandatory Steps

• SAP SRM Server for supplier self-services (SUS): Enable SAP NetWeaver AS 7.3 ABAP SSL (configure HTTPS protocol)
• Configure SAP NetWeaver Portal for secure access and connection to and from SAP SRM Server for SUS
• If necessary, connect SAP SRM Server 7.02 and SAP SRM Server for SUS to the highest available release of SAP NetWeaver PI using HTTPS and SNC
• If necessary, configure SNC connections between SAP NetWeaver PI and the back-end system
  For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI, and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security.

5 User Administration and Authentication Information

SAP Supplier Relationship Management (SAP SRM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and SAP NetWeaver Application Server Java Security Guide also apply to SAP SRM. In addition to these guidelines, the following topics supply information about user administration and authentication that specifically applies to SAP SRM:

• User Administration and Authentication [page 31]
  This topic describes how user data is protected from unauthorized access and the aspects of authorization.
• User Management [page 32]
  This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP SRM.
• Integration into Single Sign-On Landscapes [page 33]
  This topic describes how SAP SRM supports Single Sign-On mechanisms.

5.1 User Administration and Authentication

SAP Supplier Relationship Management (SAP SRM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP and Java. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide on SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide and in the SAP NetWeaver Application Server Java Security Guide on SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide also apply to SAP SRM. In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP SRM in the following topics:


• User Management
  This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP SRM.
• Integration into Single Sign-On Environments
  This topic describes how SAP SRM supports Single Sign-On mechanisms.

5.2 User Management

User management for SAP SRM uses the mechanisms provided with the SAP NetWeaver Application Server ABAP and Java, for example, tools, user types, and password policies. For an overview of how these mechanisms apply for SAP SRM, see the sections below.

User Administration Tools

The table below shows the tools to use for user management and user administration with SAP SRM.

User Management Tools

Tool: User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
  Detailed description: For more information, see SAP Help Portal for SAP NetWeaver at http://help.sap.com → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security → User Administration and Authentication → User Management → Identity Management → User and Role Administration of AS ABAP.

Tool: User Management Engine with SAP NetWeaver AS Java
  Detailed description: For more information, see SAP Help Portal for SAP NetWeaver at http://help.sap.com → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security → User Administration and Authentication → User Management → Identity Management → User Management of the Application Server Java → User Management Engine.

Tool: Transaction USERS_GEN
  Detailed description: For a detailed description of the transaction, including prerequisites that must be fulfilled, see Customizing for SAP Supplier Relationship Management under SRM Server → Master Data → Create Users → Import Users from File or from Other System.

Tool: Create Supplier
  Detailed description: For more information, see SAP Help Portal for SAP Supplier Relationship Management under http://help.sap.com → Master Data → User and Employee Data.

Tool: Maintain Employee Data
  Detailed description: For more information, see SAP Help Portal for SAP Supplier Relationship Management under http://help.sap.com → Master Data → User and Employee Data.


User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run. The user types that are required for SAP SRM include the following:

• Dialog users are used for accessing SAP SRM Web Dynpro applications.
• Technical users:
  - Communication users are used in creating SPML connections.
  - Background users include the WF_BATCH, CLEAN_REQREQ_UP, and BBP_STATUS2 users.

For more information on these user types, see the SAP NetWeaver AS ABAP Security Guide on SAP Help Portal for SAP NetWeaver at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → User Types.

SAP Supplier Relationship Management (SAP SRM) supports user authentication with user accounts and passwords. It also supports user authentication using X.509 certificates, which enables integration with a public key infrastructure. SAP SRM supports PFCG roles and SAP NetWeaver Portal roles.

New users can only be created by the user administrator or by a manager. A user administrator or manager must also approve the actual release of a new account if a new user created it by self-registration.

Standard Users

We do not deliver standard users with SAP SRM.

Recommendation

We recommend changing the user IDs and passwords for users that are automatically created duringinstallation. In SAP SRM, users are automatically created if you create an organizational structure intransaction PPOMA by extracting a structure from the back-end system.

5.3 Integration into Single Sign-On Landscapes

SAP Supplier Relationship Management (SAP SRM) supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guide also apply to SAP SRM. You can find the SAP NetWeaver Security Guide on SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide.


For more information about the available authentication mechanisms, see SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Authentication and Single Sign-On.

6 Authorization Information

SAP Supplier Relationship Management (SAP SRM) uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to SAP SRM. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine's user administration console on the AS Java.

Note

For more information about how to create roles, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Library → Business Services → SAP Records Management → Role Maintenance.

6.1 Authorizations

In SAP Supplier Relationship Management (SAP SRM), one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict access.

In the standard SAP SRM delivery, customers receive predefined role templates which they can adapt to their specific requirements. The roles must be copied to the customer namespace and maintained there. The standard roles include roles for managers, employees, and so on.

Individual users access SAP SRM transactions and data using their browsers and in doing so transfer sensitive, confidential data. This information must be protected against unauthorized access. As standard, this is achieved by encrypting all data in transit between the Web server and the browser: SAP SRM follows the platform standard here and supports HTTPS (HTTP over SSL).

Roles for System Configuration

Users who want to set up or configure an SAP SRM Server system are assigned the SAP SRM Administrator role, which provides them with the required authorizations. The required Customizing authorizations ensure that these setup users are able to carry out Customizing projects.


For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → User Administration and Authentication → User Management.

Caution

SAP SRM does not supply separate Customizing or setup roles. Instead, you should use the functionsprovided in Role Maintenance using transaction PFCG. Here, you can define a role correspondingto your individual Customizing project, with all the authorizations you need to access thecorresponding Customizing activities.

For a complete overview of all relevant SAP roles, see SAP Note 1261825.

New Roles for SAP SRM 7.02

New Portal Roles

• Operational Purchaser (EhP2)
• Operational Purchaser (ERP/SRM-EhP2)
• Operational Purchaser (ERP-EhP2)
• Strategic Purchaser (EhP2)
• Procurement (EhP2)

New PFCG Roles

• /SAPSRM/OP_PURCHASER_EHP2
• /SAPSRM/ST_PURCHASER_EHP2
• /SAPPSSRM/EMPLOYEE_EHP1

Changes to Standard Roles for SAP Supplier Relationship Management 7.02

1. Profiles are not shipped along with roles.
2. '*' or full authorization is no longer available for all authorization objects in the roles.
3. Authorization proposals must be maintained for all the SRM Web Dynpro applications and configurations, reports, transaction codes, and BSP applications in transaction SU22. These proposals are read during maintenance of authorization data when the roles are created. (Customer-specific changes to the proposals belong in transaction SU24, which is what PFCG reads when it builds a role.)

6.2 Business Add-In to Restrict Visibility of Product Categories

By default, the input help for product categories, which users with the bidder role can open during bid processing or RFx response processing, displays all available product category values. If you want to restrict the visibility of product category values for users with the bidder role, you can do this by implementing the method GET_CATEGORY in the Business Add-In (BAdI) BBP_F4_READ_ONEXIT. Once the BAdI has been implemented, only those product category values that were defined using GET_CATEGORY can be selected by the user. Note that this restricts what the input help offers; it does not replace an authorization check on the values a user may actually use.

6.3 RFC Authorization Checks

It is important to create an authorization concept that limits the number of RFC authorizations that you need. The RFC authority check (authorization object S_RFC) is performed automatically by the RFC framework. You can configure authorizations for RFC-enabled function modules. For more information, see SAP Help Portal for SAP NetWeaver at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Connectivity and Interoperability Technologies → RFC/ICF Security Guide → RFC Scenarios → RFC Communication Between SAP Systems → Authorizations → Creating an Authorization Concept for RFC.

7 Session Security Protection

To prevent JavaScript or plug-ins from accessing the SAP logon ticket and the security session cookie(s), we recommend activating secure session management. We also strongly recommend using SSL to protect the network communications over which these security-relevant cookies are transferred.

Session Security Protection on the AS ABAP

To prevent JavaScript or plug-ins from accessing the SAP logon ticket and the security session cookie(s) (SAP_SESSIONID_<sid>_<client>), activate secure session management. With an existing security session, users can then start applications that require a user logon without logging on again. When a security session is ended, the system also ends all applications that are linked to this security session. Use transaction SICF_SESSIONS to activate HTTP security session management for each client, and set the profile parameter values shown in the table below in your AS ABAP system:

Session Security Protection Profile Parameters

Profile Parameter                   Recommended Value   Comment
icf/set_HTTPonly_flag_on_cookies    0                   Client-Dependent
login/ticket_only_by_https          1                   Not Client-Dependent

For more information and detailed instructions, see SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server ABAP Security Guide → User Authentication → Additional Information on User Authentication → Authentication on the AS ABAP Using SAML 2.0 → Activating HTTP Security Session Management on AS ABAP in the AS ABAP security documentation.

Session Security Protection on the AS Java

In the Config Tool, edit the following properties for the Web Container service, which control security-related aspects of HTTP sessions:

Property                        Recommended Value
SessionIdRegenerationEnabled    true
SystemCookiesDataProtection     true
SystemCookiesHTTPSProtection    true


For more information and detailed instructions, see SAP Help Portal at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → Other Security Relevant Information → Protecting Sessions Security.
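To verify that the AS ABAP parameters and AS Java properties above are in effect, the following added example (not from the SAP guide) parses the Set-Cookie headers of a captured logon response and reports which security-relevant cookies lack the HttpOnly or Secure attribute. The sample headers are constructed; MYSAPSSO2 and JSESSIONID are the conventional logon-ticket and AS Java session cookie names and are assumed here, as is the mapping of each attribute to the setting that controls it.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes on SAP session cookies.

Added example, not part of the SAP SRM guide. Runs offline: the "captured" headers
are constructed inline to resemble an AS ABAP logon response before and after hardening.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Cookies that carry a security session or a logon ticket. SAP_SESSIONID_<sid>_<client>
# is named in the guide; MYSAPSSO2 (logon ticket) and JSESSIONID (AS Java session)
# are the conventional names and are assumed here.
SESSION_COOKIE_PATTERNS = [
    re.compile(r"^SAP_SESSIONID_[A-Z0-9]{3}_\d{3}$"),
    re.compile(r"^MYSAPSSO2$"),
    re.compile(r"^JSESSIONID$"),
]

# Attribute -> the setting from the guide's tables that makes the server emit it (assumed mapping).
ATTRIBUTE_SOURCE = {
    "HttpOnly": "icf/set_HTTPonly_flag_on_cookies = 0 (ABAP) / SystemCookiesDataProtection = true (Java)",
    "Secure": "login/ticket_only_by_https = 1 (ABAP) / SystemCookiesHTTPSProtection = true (Java)",
}


@dataclass
class Cookie:
    name: str
    attributes: Dict[str, str]  # lower-cased attribute name -> value ("" for bare flags)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its cookie name and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attributes: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip()
    return Cookie(name, attributes)


def is_session_cookie(name: str) -> bool:
    return any(p.match(name) for p in SESSION_COOKIE_PATTERNS)


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every security-relevant cookie.

    Cookies that are neither session nor ticket cookies are ignored; an empty list
    means the cookie carries both HttpOnly and Secure.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie.name):
            continue
        findings[cookie.name] = [
            attr for attr in ("HttpOnly", "Secure") if not cookie.has_flag(attr)
        ]
    return findings


def report(set_cookie_headers: List[str]) -> List[str]:
    """One line per missing attribute, naming the setting to check."""
    lines = []
    for name, missing in audit_cookies(set_cookie_headers).items():
        for attr in missing:
            lines.append(f"{name}: missing {attr}; check {ATTRIBUTE_SOURCE[attr]}")
    return lines


# Constructed sample: headers from a system without the recommended settings ...
BEFORE_HARDENING = [
    "SAP_SESSIONID_SRM_100=Ab12Cd34; path=/",
    "MYSAPSSO2=AjExMDAgABB; path=/; domain=.example.corp",
    "sap-usercontext=sap-client=100; path=/",
]
# ... and from the same system after applying the values from the tables above.
AFTER_HARDENING = [
    "SAP_SESSIONID_SRM_100=Ab12Cd34; path=/; HttpOnly; secure",
    "MYSAPSSO2=AjExMDAgABB; path=/; domain=.example.corp; HttpOnly; secure",
    "sap-usercontext=sap-client=100; path=/",
]

if __name__ == "__main__":
    for line in report(BEFORE_HARDENING) or ["no findings"]:
        print(line)
```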


8 Network and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users cannot connect to the LAN (local area network) server, then they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP Supplier Relationship Management (SAP SRM) solution is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP SRM.

Details that specifically apply to SAP SRM are described in the following topics:

- Communication Channel Security [page 41]: This topic describes the communication paths and protocols used by SAP SRM.

- Network Security [page 44]: This topic describes the recommended network topology for SAP SRM. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate SAP SRM.

- Communication Destinations [page 45]: This topic describes the information needed for the various communication paths, for example, which users are used for which communications.

For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security and http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Connectivity and Interoperability Technologies.

8.1 Communication Channel Security

This section deals with measures to protect data transfer from unauthorized access. Data is transferred by means of HTTPS (SSL encryption), which is also used in SAP system landscapes. HTTPS refers to HTTP (HyperText Transfer Protocol) connections that are protected with the Secure Sockets Layer (SSL) protocol.


Recommendation

We strongly recommend using secure protocols (SSL, SNC) whenever possible.

Caution

We recommend that you use the same protocol ‒ either HTTP or HTTPS ‒ consistently in all system objects. All the deployed objects must be configured in exactly the same way regarding HTTP(S). This is necessary to avoid problems caused by JavaScript-based communication between the individual layers.

The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the SSL protocol to provide the protection. For SAP protocols such as dialog and Remote Function Call (RFC), you can use Secure Network Communication (SNC) connections.

For more information, see the SAP NetWeaver Process Integration Security Guide at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type PI → SAP NetWeaver Process Integration Security Guide and Network and Communication Security at http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security.

The following sections under Network and Communication Security are particularly relevant:

- Basic Network Topology for SAP Systems

- Network Services

- Using Firewall Systems for Access Control
  - Application-Level Gateways Provided by SAP
    - Example Network Topology Using a SAProuter
    - Example Network Topology When Using SAP Remote Services

- Using Multiple Network Zones

- Transport Layer Security
  - Secure Network Communications (SNC)
  - SNC-Protected Communication Paths in SAP Systems

- Additional Information on Network Security

Enabling SSL (HTTPS) for SAP NetWeaver Application Server (SAP NetWeaver AS)

This section is relevant for all Web applications that are based on ABAP Web Dynpro or on BSP. This safeguards data against unauthorized access when business data is exchanged between SAP SRM and external systems, especially in the case of data exchange with supplier systems using the Internet. The electronic exchange of business data between SAP SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SAP SRM customer wants to protect from unauthorized access. Here, SAP SRM again makes use of the standard Internet features. With the HTTP adapter, SAP NetWeaver Exchange Infrastructure supports the Secure HTTP protocol. By means of this protocol, all data is protected during the entire transfer from the sending system to the receiving system. Regarding the automatic authentication of the participating systems, SAP SRM relies on the exchange of certificates, which guarantees state-of-the-art security.

The communication channels within the SAP SRM system landscape can be made secure using HTTPS (SSL). However, this encryption technology only makes sense if it is used to achieve overall security for the channels.

For more information and before making the SSL settings for the SAP Web AS 7.3, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security → Transport Layer Security.

SAP NetWeaver Portal and Web Dynpro SSL Configuration

Enter SSL in SAP NetWeaver Portal system maintenance for the SAP SRM system entry. Enable SSL for the SAP NetWeaver Portal server as well. For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security → Transport Layer Security and SAP Note 510007.

Enabling SSL for J2EE 7.3

This section is relevant if you want to implement the SAP SRM scenario Strategic Sourcing with LACWPS 6.0. LACWPS runs on the J2EE of SAP Web AS 7.3. This section is not relevant for you if you are planning to use Live Auction on ABAP. For more information about configuring SSL for LACWPS 6.0, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security.

Secure Connection of Application Systems to SAP NetWeaver Process Integration (SAP NetWeaver PI)

All SAP NetWeaver PI runtime components using the HTTP protocol support the encryption of the HTTP data stream using the SSL protocol, also known as HTTPS. Depending on the protocol used, all data is transmitted through the network (intranet or Internet) in plain text. This also applies to the transmission of passwords. To maintain the confidentiality of your data, you can apply transport layer encryption to the connection between the business systems, the integration server, the adapters, and the Web browser.

Recommendation

We recommend that you use encryption when you transmit passwords, orders, company-specific information, or any other data that you consider sensitive.

You can use SSL or Secure Network Communication (SNC) to increase the security of the following connections:

- Between adapters and integration server

- Between business systems and integration server

- Between Partner Connectivity Kit (PCK) and integration server

- Between business systems and adapters

Adapters, business systems, and integration servers communicate with each other using the RFC or HTTP protocol. To secure the protocol, use either SNC or SSL. For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type PI → SAP NetWeaver Process Integration Security Guide.

Integration of SAP enhancement package 2 for SAP SRM 7.0 into SAP NetWeaver Portal

Ensure that you have downloaded all relevant portal roles for SAP SRM Server 7.01 from SAP Service Marketplace at http://service.sap.com/swdc. For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guides for Usage Types EPC and EP → Portal Security Guide.

Caution

- The SAP NetWeaver Portal and the connected back-end systems must use the same protocol. This means they must both use either HTTP or HTTPS; no other combination is possible.

- The SAP NetWeaver Portal and the connected back-end system must be in the same domain.

- If you wish to implement your own SAP SRM Server ABAP 7.01 Web Dynpro based applications, you must ensure that the iViews have Enterprise Portal Client Framework (EPCF) level "2".

Secure E-Mail Use in SAP SRM

Both offline approval and offline bidding require e-mail transfer. For information about secure e-mail use in the SAP system, see SAP Note 149926. For information about offline approval and offline bidding, see http://help.sap.com → SAP Business Suite → SAP Supplier Relationship Management → Functions → Business Workflow → Process-Controlled Workflows → Approval Workflow → Offline Approval and http://help.sap.com → SAP Business Suite → SAP Supplier Relationship Management → Functions → Sourcing → SAP Bidding Engine → Bidding → Offline Bidding. This is relevant for secure e-mail transfer by encryption and signature.

8.2 Network Security

SAP Supplier Relationship Management (SAP SRM) is a solution with many external interfaces, including interfaces to the Internet. This makes SAP SRM vulnerable to attempts from outsiders to access confidential data. Studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, SAP SRM can offer protection in this regard based on the authorization concept within SAP NetWeaver Application Server (SAP NetWeaver AS). For more information, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → User Administration and Authentication → User Management.

SAP SRM is embedded in a comprehensive protection concept that offers protection on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure. We recommend that you protect the different SAP SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access using the Internet. We also recommend that you install protection against access to the entire data store of the various SAP SRM application components.

- For more information about firewalls and the relevant settings, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Network and Communication Security → Using Firewall Systems for Access Control.

- For more information on the settings for Secure Network Communications (SNC), see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type AS.

8.3 Communication Destinations

SAP Supplier Relationship Management (SAP SRM) does not deliver any Remote Function Call (RFC) destinations. The following table shows an overview of the systems and components relevant for SAP SRM. For detailed information about all relevant communication destinations for SAP SRM such as RFC, IDoc, and so on, as well as information about the authorizations required by the communication users in SAP SRM, see SAP Solution Manager under Solutions/Applications → SAP SRM → Configuration → SAP SRM 7.0 EHP 2 → Basic Settings for SAP SRM → System Connections.

Destination                                     Delivered   Type
SAP ERP (Classic Scenario)                      No          RFCs and SOA Services
SAP ERP (Extended Classic Scenario)             No          RFCs and IDocs
SAP Customer Relationship Management (SAP CRM)  No          RFCs and SOA Services
Collaboration Projects (cPro)                   No          XML communication using SAP NetWeaver Process Integration (SAP NetWeaver PI) (Web services)
cFolders                                        No          RFCs
Global Trade Services (GTS)                     No          RFCs and SOA Services
SAP Sourcing OnDemand                           No          SOA Services
Supplier Self-Services (SUS)                    No          RFCs, Web Services using XML communication, and SOA Services
MM, Self-Service Procurement in SAP ERP         No          RFCs and Web Services using XML communication
SAP NetWeaver PI                                No          RFCs
SRM-MDM Server                                  No          XML communication using SAP NetWeaver PI and File Transfer Protocol (FTP)

More Information

For information about the recommended profile for the RFC user, see SAP Note 642202.


9 Internet Communication Framework Security

You should only activate those services that are needed for the applications running in your system. You should activate the following services for SAP Supplier Relationship Management (SAP SRM):

- For SAP SRM, the services under the following namespaces are needed:
  - /sap/bc/webdynpro/sapsrm
  - /sap/bc/srm
  - /sap/bc/bsp/sapsrm
  - /sap/sapsrm/
  - /default_host/sap/bc/srm
  - /default_host/sap/bc/webdynpro/sapsrm
  - /default_host/sap/bc/bsp/sapsrm

- If you are using NetWeaver Business Client, activate the services under /default_host/sap/bc/nwbc/srm.

- If you are using Procurement for Public Sector (PPS), activate the services under /default_host/sap/bc/webdynpro/sappssrm.

- If you are using Live Auction Cockpit, activate the service /sap/lacmessaging.

Use transaction SICF to activate these services. If your firewall(s) use URL filtering, also note the URLs used for the services and adjust your firewall settings accordingly.

For more information, see SAP Help Portal for SAP NetWeaver under SAP NetWeaver Library → SAP NetWeaver by Key Capability → Application Platform by Key Capability → Platform-Wide Services → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Development → Server-Side Development → Creating and Configuring an ICF Service → Activating and Deactivating ICF Services.

For more information about ICF security, see the RFC/ICF Security Guide on SAP Help Portal for SAP NetWeaver under http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Connectivity and Interoperability Technologies → RFC/ICF Security Guide.
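Because only needed services should be active, the following added example (not from the SAP guide) compares a list of active ICF services, such as one exported from SICF, against the namespaces listed above and reports both active services that none of the SRM namespaces explains and needed namespaces that are not yet active. The sample list and the service names below the namespaces are constructed placeholders.

```python
"""Compare active ICF services with the namespaces SAP SRM needs.

Added example, not part of the SAP SRM guide. Runs offline: the "exported" list of
active services is constructed inline; the namespaces are the ones the guide lists.
"""
from typing import Dict, Iterable, List, Set

# Namespaces the guide lists as always needed for SAP SRM.
SRM_REQUIRED_NAMESPACES = [
    "/sap/bc/webdynpro/sapsrm",
    "/sap/bc/srm",
    "/sap/bc/bsp/sapsrm",
    "/sap/sapsrm",
]

# Namespaces needed only when the corresponding feature is in use.
SRM_OPTIONAL_NAMESPACES = {
    "nwbc": ["/sap/bc/nwbc/srm"],            # NetWeaver Business Client
    "pps": ["/sap/bc/webdynpro/sappssrm"],  # Procurement for Public Sector
    "live_auction": ["/sap/lacmessaging"],  # Live Auction Cockpit
}

HOST_ALIAS = "/default_host"


def normalize(path: str) -> str:
    """Drop the virtual-host alias and trailing slash so both spellings in the guide compare equal."""
    p = path.strip().rstrip("/").lower()
    if p.startswith(HOST_ALIAS):
        p = p[len(HOST_ALIAS):]
    return p or "/"


def is_under(path: str, namespace: str) -> bool:
    """True if path is the namespace node itself or any service below it."""
    return path == namespace or path.startswith(namespace + "/")


def allowed_namespaces(features: Iterable[str]) -> List[str]:
    """Required namespaces plus those of the named optional features."""
    allowed = list(SRM_REQUIRED_NAMESPACES)
    for feature in sorted(set(features)):
        if feature not in SRM_OPTIONAL_NAMESPACES:
            raise ValueError(f"unknown feature: {feature}")
        allowed.extend(SRM_OPTIONAL_NAMESPACES[feature])
    return allowed


def classify_active_services(active: List[str], features: Set[str]) -> Dict[str, List[str]]:
    """Split active services into those inside an allowed SRM namespace and the rest.

    "unexpected" is the review list: each active service that no SRM namespace
    explains should be justified by another application or deactivated in SICF.
    """
    allowed = allowed_namespaces(features)
    result: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for service in active:
        p = normalize(service)
        bucket = "expected" if any(is_under(p, ns) for ns in allowed) else "unexpected"
        result[bucket].append(p)
    return result


def missing_namespaces(active: List[str], features: Set[str]) -> List[str]:
    """Allowed namespaces with no active service underneath: needed but not yet activated."""
    normalized = [normalize(s) for s in active]
    return [
        ns for ns in allowed_namespaces(features)
        if not any(is_under(p, ns) for p in normalized)
    ]


# Constructed sample of an active-services export (names below the namespaces are
# placeholders, not real SRM service names).
SAMPLE_ACTIVE_SERVICES = [
    "/default_host/sap/bc/webdynpro/sapsrm/example_app",
    "/default_host/sap/bc/srm/",
    "/default_host/sap/bc/bsp/sapsrm/",
    "/default_host/sap/sapsrm/",
    "/default_host/sap/lacmessaging",
    "/default_host/sap/bc/example_unrelated",
]

if __name__ == "__main__":
    result = classify_active_services(SAMPLE_ACTIVE_SERVICES, {"live_auction"})
    for p in result["unexpected"]:
        print("review:", p)
    for ns in missing_namespaces(SAMPLE_ACTIVE_SERVICES, {"live_auction", "nwbc"}):
        print("not activated:", ns)
```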


10 Data Storage Security

SAP Supplier Relationship Management (SAP SRM) runs using SAP standard technologies only and does not use any external tools. The UI is realized using ABAP Web Dynpro. This means that there are no persistent cookies and no authentication data beyond the usual amount. For more information about the use of ABAP Web Dynpro, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Aspects for Usage Type DI and Other Development Technologies.

Data Storage

Security-relevant and personal data (for users and business partners) is stored in the standard SAP database tables. Access to these tables is protected by the SAP authorization checks.


11 Enterprise Services Security

The following chapters in the NetWeaver Security Guide and documentation are relevant for all enterprise services delivered with SAP Supplier Relationship Management (SAP SRM):

- http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for Connectivity and Interoperability Technologies → Web Services Security

- http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guide for Usage Type AS → SAP NetWeaver Application Server Java Security Guide → Communication Security for Web Services → Recommended WS Security Scenarios

- http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Guides for SAP NetWeaver According to Usage Types → Security Guide for Usage Type PI → SAP NetWeaver Process Integration Security Guide

For SAP SRM-specific security issues, note that enterprise services have been created to enable the following:

- Secure communication between the SAP SRM system and the supplier’s system outside the firewall.

- Back-end system integration

Recommendation

We recommend using user propagation to set up SOA services. For more information, see SAP Library on SAP Help Portal at http://help.sap.com → Technology Consultant’s Guide → Enabling Business-to-Business Processes → Small Business Partner and Subsidiary Integration → Configuration of Usage Type Process Integration (PI) → Communication and Security → Configuration of Principal Propagation → Configuring the Sender.


12 Auditing and Logging

This function allows users to log changes on various SAP objects to appraise and retrace them. To fulfill the legal auditing and logging requirements, SAP NetWeaver provides standard tools and functions. For more information about auditing and logging, see http://help.sap.com → SAP NetWeaver → SAP NetWeaver Platform → SAP NetWeaver 7.3 → Security Information → Security Guide → Security Aspects for System Management → Auditing and Logging.

This section specifies the most relevant items regarding auditing and logging in SAP SRM.

Details

Version History of SU01-User and Business Partner

SU01-User

The user information system provides you with information about users, roles, profiles, authorizations, and related objects. The following figure shows the navigation within the user information system:


Figure 6: Navigation in the User Information System

You can use the standard transaction SU01 under Information → Change Documents for Users to display a log table. You can also use transaction SUIM to enter the User Information System that provides you with a wide range of functions relating to user history. The following figure shows a table that lists all the actions that have changed user data so far:


Figure 7: Changed Documents

Business Partner

You can use the standard transaction BP under Extras → Change History → For This Partner to display a log table that depends on a selected field. The following figure shows all the changes that were ever carried out:


Figure 8: Changes Made

The following figure shows that the change log can be detailed on field level:


Figure 9: Change Log on Field Level

Change Documents of Business Documents

Change documents are another logging tool available to you. A change document logs changes to a business object. You access the change documents by selecting Tracking → Change Documents from within the corresponding business document. The following figure shows every change made to the business document down to the field level:


Figure 10: Business Document Changes

Change Documents Specific to SAP SRM Infotypes

You can use the standard transaction PPOMA_BBP to monitor changes to the following set of tab cards:

Tab Card              Infotypes
Function              5500 EBP Function
Responsibility        5501 EBP Product Responsibility
Extended Attributes   5502 EBP Location
                      5503 EBP Order Value Limits

You activate change documents in the Customizing table T77CDOC_CUST. The report RHCDOC_DISPLAY enables you to display the change documents created for changes made to personnel planning infotypes. The following figure shows the change documents created for personnel planning infotypes:


Figure 11: Infotype Document Changes

Note that the system performance deteriorates if you activate the creation of change documents for all personnel planning infotypes. Therefore, you should only activate the creation of change documents for the combination of plan version, object type, and infotype or subtype for which you require this function.

Application Monitoring

In addition to the previous document changes, SAP SRM provides an application monitor to evaluate various critical system and document statuses and changes. The main purpose of the monitor is to monitor the errors of the business documents. The monitoring results are only available in the portal to the administrator and are presented in graphical form in an iView in the Administration Work Center. Authorization to view and process alerts is handled by portal role and iView assignment, as well as in authorization object BBP_FUNCT (MON_ALERTS). The monitoring information is read from the SAP SRM backend, and is recorded in the Statistic Records in CCMS (monitors under: SAP Enterprise Buyer Monitors). The following figure shows the SAP Enterprise Buyer Monitor:


Figure 12: SAP Enterprise Buyer Monitor


13 Services for Security Lifecycle Management

The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.

Security Chapter in the EarlyWatch Alert (EWA) Report

This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you the following:

- Whether SAP Security Notes have been identified as missing on your system. In this case, analyze and implement the identified notes, if possible. If you cannot implement the notes, the report should be able to help you decide on how to handle the individual cases.

- Whether an accumulation of critical basis authorizations has been identified. In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.

- Whether standard users with default passwords have been identified on your system. In this case, change the corresponding passwords to non-default values.

Security Optimization Service (SOS)

The Security Optimization Service can be used for a more thorough security analysis of your system, including:

- Critical authorizations in detail

- Security-relevant configuration parameters

- Critical users

- Missing security patches

This service is available as a self-service within the SAP Solution Manager or as a remote or on-site service. We recommend you use it regularly (for example, once a year) and in particular after significant system changes or in preparation of a system audit.

Security Configuration Validation

The Security Configuration Validation can be used to continuously monitor a system landscape for compliance to predefined settings, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway configuration or making sure standard users do not have default passwords.

Security in the RunSAP Methodology / Secure Operations Standard

With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP’s knowledge base wherever appropriate.

More Information

For more details on these services, see the following:

- EarlyWatch Alert: http://service.sap.com/ewa

- Security Optimization Service / Security Notes Report: http://service.sap.com/sos

- Comprehensive list of Security Notes: http://service.sap.com/securitynotes

- Configuration Validation: http://service.sap.com/changecontrol

- RunSAP Roadmap, including the Security and the Secure Operations Standard: http://service.sap.com/runsap (see the RunSAP chapters 2.6.3, 3.6.3 and 5.6.3)


14 Other Security Relevant Information

14.1 Payment Card Security

You specify procurement card as payment method when creating a requirement coverage request. The settlement data is transferred to the Enterprise Buyer system. At the same time, the system generates an invoice for all purchases that were made using a procurement card. The invoice is updated in accounts payable accounting in the backend and blocked for payment. The system can then pay the invoice during the payment run.

The card information is displayed in the item details of Shopping Cart and Purchase Order. It is masked.

The Enterprise Buyer system creates an invoice for the bank or card company from the settlement data and updates this in Accounting in the backend using message type ACLPAY. The invoice is blocked and can be paid at a specific point in time. The offsetting entry is made to the clearing account specified in Customizing. The system generates G/L account postings from the individual purchases. These postings clear the clearing account and debit the expense account defined for the procurement card. At the same time, the system debits the cost object (for example, the cost center or project).


14.2 Credit Card Usage Overview

Figure 13:

Question                                                                      Answer
Which technical components are involved in the credit card/payment process?   SRM
What components are necessary (ABAP, ABA)?                                    ABAP
What is the information flow (for example, CRM -> PI -> FI -> SD)?            SRM -> PI -> FI
What technical methods are used to encrypt/decrypt credit card information?   MASK and UNMASK
What tracing and logging is used?                                             SRM LOGGING MECHANISM
Can the customer upgrade from previous releases?                              Yes, upgrade is possible. Customization required for upgrade.
Are alternatives, like tokens, supported?                                     NO

14.3 Customizing

The following customizing activities are required as a prerequisite to enable PCI-relevant settings within this component:

- You must configure the IDOC settings for PCARD.

- You must define number ranges. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Number Ranges.

- You must define the card company. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Card Company.

- You must allocate the company code. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Allocate Company Code.

- You must define blocking reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Blocking Reasons.

- You must process procurement card reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Process Procurement Card.

- You must manage commitments. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Manage Commitments.

- You must define product categories for procurement card. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Product Categories for Procurement Card.

The following credit card/payment card-specific customizing activities are relevant for this component:

- You must define the card company. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Card Company.

- You must allocate company code. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Allocate Company Code.

- You must define blocking reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Define Blocking Reasons.

- You must process procurement card reasons. To do this, run transaction SPRO and go to SAP Reference IMG → SAP Supplier Relationship Management → SRM Server → Procurement Card → Process Procurement Card.

Note

The P-Card number range must be maintained correctly and must not overlap with any other SAP SRM number range.

Upgrade

During an upgrade, the credit card details must be maintained again. If the entries in the Allocate Company Code customizing activity are deleted, the card details are deleted with them; therefore the information held in this customizing activity must be kept safe across the upgrade.

14.4 Masked/Unmasked Display

The display of credit card information is masked by default. The character used for the masked display cannot be customized.


14.5 Deleting Stored Credit Card Information

To delete stored credit card information, go to Customizing for SAP SRM under SRM Server Procurement Card Define Card Company . This is where the credit card information is stored, and it can be deleted completely there.

15 Appendix

15.1 Data Privacy Statement

In the SAP Supplier Relationship Management (SAP SRM) system, personal user data, such as the name and address, is saved in the user master record. To comply with legal requirements, this user data can only be saved and used if the affected user actively consents to this. To do so, the user must select a checkbox at the end of the text that is displayed on the corresponding interfaces. Note that the checkbox is not initially set.

Caution

In some countries, explicit written consent from external partners, for example suppliers, may be necessary.

You can activate the data privacy function for the following services:

n Supplier Registration (in SAP SRM) and Supplier Registration (in SAP SRM Server for SUS)

In these cases the supplier, as an external user, selects the checkbox to allow the supplier data to be saved.

n Business Partner Maintenance (in SAP SRM) and User Maintenance (in SAP SRM Server for SUS)

The internal processor selects the checkbox and confirms that the external user, whose data is being processed, is aware of and consents to the data being saved.

Customizing

You define the Customizing settings for the data privacy statement in Customizing for SAP Supplier Relationship Management under SRM Server Master Data Business Partner Specify Data Privacy Settings for Suppliers .

You define the Customizing settings for the data privacy statement in Customizing for SAP SRM Server for SUS under Supplier Self-Services Settings for User Interface Specify Data Privacy Settings for Suppliers .

In the Customizing tables you can activate or deactivate the data privacy function and define the technical names of the texts to be displayed.


Note

The texts that are displayed to the external user on self-registration and to the internal user when maintaining business partners are predefined in the system as General Texts. You can use transaction SE61 to copy and modify them to suit your requirements.

15.2 Virus Checking of Document Attachments

SAP Supplier Relationship Management (SAP SRM) provides you with the opportunity to check documents that you attach to SAP SRM documents with a virus scanner before they are stored in the database.

You must have a virus scanner installed and must have configured it correctly. You define the Customizing settings for virus checking in Customizing for SAP SRM under SAP Web Application Server Base System Administration Virus Scan Interface .

The virus scanning functions in SAP SRM are activated when you implement the Business Add-In (BAdI) BBP_ATT_CHECK. SAP supplies BBP_ATT_VIRSCAN as an example implementation of this BAdI. The interface contains the structure that SAP SRM uses for the storage of attachments. The field PHIO_FNAME contains the file name, and the tabular field PHIO_CONTENT contains the file part of the attachment, that is, the rows in which the actual file content is stored. Viruses are dealt with in the implementation; in the example implementation, the data part of an infected attachment is deleted.

The function module BBP_PD_MSG_ADD should also be used in the implementation, as it passes messages such as warnings, additional information, and errors to a central log. These messages are then transferred to the user interface.
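The following is an added illustration of the hook described above, written in Python rather than ABAP. It is not SAP code and not the BBP_ATT_VIRSCAN example implementation; it models the contract the text describes: an attachment with the two fields PHIO_FNAME and PHIO_CONTENT (the latter a table of raw rows), a scanner call that here recognises only the EICAR test signature in place of a real Virus Scan Interface engine, deletion of the data part when something is found, and a message appended to a log standing in for BBP_PD_MSG_ADD. The row size, the message type letters, the function names and the two sample attachments are assumptions constructed for the example. It also shows the one mistake an implementer can make with a tabular content field: scanning each row on its own misses a signature that straddles a row boundary.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for the attachment structure handed to the BAdI:
# PHIO_FNAME holds the file name, PHIO_CONTENT the file body as a table
# of fixed-size raw rows. The row size is an assumption for this example;
# the page does not state SAP's actual row layout.
ROW_SIZE = 1024


@dataclass
class Attachment:
    phio_fname: str
    phio_content: List[bytes] = field(default_factory=list)

    @classmethod
    def from_bytes(cls, fname: str, body: bytes) -> "Attachment":
        rows = [body[i:i + ROW_SIZE] for i in range(0, len(body), ROW_SIZE)]
        return cls(fname, rows)

    def joined(self) -> bytes:
        # Reassemble the body before scanning: a signature that crosses a
        # row boundary is invisible to a row-by-row scan.
        return b"".join(self.phio_content)


# Central message log, standing in for BBP_PD_MSG_ADD. Entries are
# (message type, text); the letters E/W/I are an assumption here.
MessageLog = List[Tuple[str, str]]

# EICAR test signature: the standard way to verify that scanner wiring
# works without handling live malware. Any real engine reports it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_scanner(data: bytes) -> Optional[str]:
    """Stand-in for the Virus Scan Interface call: name of the finding,
    or None if clean. A real implementation hands `data` to the engine
    configured under Virus Scan Interface."""
    return "EICAR-Test-File" if EICAR in data else None


def check_attachment(att: Attachment, log: MessageLog,
                     scanner: Callable[[bytes], Optional[str]] = eicar_scanner) -> bool:
    """Model of the BBP_ATT_CHECK hook. Returns True if the attachment may
    be stored. On a finding the data part is deleted, as in the page's
    description, so nothing infected reaches the database."""
    body = att.joined()
    if not body:
        log.append(("W", f"{att.phio_fname}: empty attachment, nothing to scan"))
        return True
    finding = scanner(body)
    if finding is None:
        log.append(("I", f"{att.phio_fname}: scanned, no finding"))
        return True
    att.phio_content.clear()  # delete the data part, keep the name for the log
    log.append(("E", f"{att.phio_fname}: rejected, scanner reported {finding}"))
    return False


def naive_row_scan(att: Attachment,
                   scanner: Callable[[bytes], Optional[str]] = eicar_scanner) -> Optional[str]:
    """The pitfall: scanning each raw row separately. Returns None for a
    body whose signature straddles two rows, although the file is infected."""
    for row in att.phio_content:
        finding = scanner(row)
        if finding is not None:
            return finding
    return None


def scan_all(atts: List[Attachment]) -> Tuple[List[str], MessageLog]:
    """Scan a list of attachments; return the names accepted for storage and
    the message log that would be handed to the user interface."""
    log: MessageLog = []
    accepted = [a.phio_fname for a in atts if check_attachment(a, log)]
    return accepted, log


def sample_attachments() -> List[Attachment]:
    # Constructed inputs: a harmless file, and an EICAR file padded so that
    # the 68-byte signature starts 20 bytes before the first row boundary.
    clean = Attachment.from_bytes("quote.pdf", b"%PDF-1.4 harmless sample content")
    padding = b"A" * (ROW_SIZE - 20)
    infected = Attachment.from_bytes("invoice.exe", padding + EICAR)
    return [clean, infected]


if __name__ == "__main__":
    atts = sample_attachments()
    print("row-by-row scan of invoice.exe:", naive_row_scan(atts[1]))
    accepted, log = scan_all(atts)
    print("accepted for storage:", accepted)
    for mtype, text in log:
        print(mtype, text)
```

The joined-body scan is the point to carry over into a real implementation: PHIO_CONTENT is a table, and whatever engine sits behind the Virus Scan Interface must see the attachment as one byte stream. Rejecting and logging in the same step keeps the user-visible message and the stored state consistent.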

15.3 Additional Related Guides

Area/Topic: SAP SRM
Guide/Documentation: SAP SRM Master Guide
Link: http://service.sap.com/instguides SAP Business Suite Applications SAP SRM SAP SRM Server 7.02 Master Guide

Area/Topic: SAP NetWeaver
Guide/Documentation: SAP NetWeaver Security Guide
Link: http://help.sap.com SAP NetWeaver SAP NetWeaver Platform SAP NetWeaver 7.3 Security Information Security Guide


15.4 Additional Information

Special Information for Live Auction Cockpit Web Presentation Server (LACWPS) 6.0

Note that this only relates to the SAP SRM business scenario Strategic Sourcing with LACWPS 6.0. It does not apply to Live Auction on ABAP.

Which Part of LACWPS 6.0 should Be Set Up in which Network Segment?

The client portion of LACWPS (a Java applet) is deployed on the Internet. The applet communicates with LACWPS on a J2EE server, which is why the external user has to allow the applet to be downloaded. The server portion, that is, SAP Web AS, should be located on the Local Area Network (LAN). The SAP Enterprise Resource Planning (ERP) system should also be located on the LAN.

Where Exactly Is Data Stored?

System configuration data is stored in the properties files on the SAP Web AS; it is shipped with the system. Runtime transactional data is stored in the database of the SAP system during the runtime of the application. No temporary data is stored anywhere else.

Which Type of Data Access Is Required at what Point in Time?

Read access to system configuration data is required during server startup. Read and write access to transactional data is required during runtime.

What Level of Protection Is Recommended for which Data?

System administration permissions should be used to restrict access to the LACWPS properties configuration in the Web AS Visual Administrator. Customers must ensure that only system administrators have access to the Web AS Visual Administrator. Configuration data in the Web AS Visual Administrator is protected by a password.

Note

Password Encryption

Access to the SAP Web AS Visual Administrator requires a password. This password is set during the installation of Web AS. For the LACWPS scenario, the user name is J2EE_ADMIN and the password is the one set by the first user.

Before deployment of the application, a dummy password is stored as a file inside the deployment Enterprise Archive (EAR) file. Once the application is deployed, the value is encrypted internally in the J2EE database and can only be accessed through the J2EE Visual Administrator. After the deployment, you must change the password using Visual Administrator. The Visual Administrator tool can be configured for Secure Sockets Layer (SSL) to secure communication between Visual Administrator and the J2EE server.

In the User Management Engine (UME) of the J2EE Engine, the property values are stored in the same way. It is not considered necessary to encrypt the password content separately when it is stored as a real value in the database, since the communication between Visual Administrator and the J2EE server can be secured as well. Bear in mind that SSL protects only the transport, not the value at rest in the database, so access to the database and to Visual Administrator must be restricted accordingly.

Remote Function Call (RFC) users should be created for RFC and Java Remote Function Call (JCo) connections to the SAP systems.

JCo RFC password for Live Auction Cockpit to SAP SRM Server: the dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction Cockpit application and the SAP SRM Server. Once Web AS has been installed and the LAC application has been deployed, you must use the Web AS Visual Administrator to configure this JCo RFC password and user name so that the Live Auction Cockpit application can run. At present, this JCo RFC password is masked on screen as "*****" when it is entered (this is display masking, not encryption), as in the SAP back-end system transaction SU01. Only a user with administrator authorization on the J2EE engine can reset the password, as in the SAP back-end system transaction SU01.

Does the application require an Internet browser as the user interface?

The Live Auction Cockpit client (Java applet) requires an Internet browser. Cookies are used only by the User Management Engine (UME) for Single Sign-On (SSO) tickets.

Which RFC/JCo destinations are delivered/required?

The Live Auction Cockpit application establishes RFC connections via JCo. There is no need to maintain RFC destinations in transaction SM59 for Live Auction Cockpit, since the JCo server is not used.

What is the minimum authorization required by the communication user for RFC/JCo connections?

The communication user can be defined as a system user in a production system, where there is no need for the JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both the purchaser and the supplier profiles for Live Auction Cockpit. In a productive system, a dialog (RFC) user always represents an additional, if limited, security risk.

SSO and SAP Logon Tickets

The Live Auction Cockpit application uses the UME API to verify Single Sign-On tickets. No user data is replicated, since all user data is held in the SAP Bidding Engine in SAP SRM Server (user data synchronization is not required). By default, the Live Auction Cockpit application accepts SAP Logon Tickets.

n Details of the logon scenario for Live Auction: the purchaser and the bidder log on to SAP SRM through the standard logon page.

n Inside the Bidding Engine auction user interface (Sourcing), the Live Auction Cockpit applet is launched.

n For Single Sign-On and user validation, the Java user management client is used.


n If the applet's URL is typed directly into the browser window, the user is validated through the UME Logon Applet and redirected to a UME logon page. After successful logon, the user is directed back to the applet.

Figure 14: [figure not reproduced in this transcript]

Digitally-signed Java applet

As of SAP SRM 5.0/LAC WPS 5.0, the Java applet is digitally signed. The user must confirm that he or she agrees to this usage.

Authorization and roles

No roles are delivered with Live Auction Cockpit. All roles are delivered with SAP SRM Server. See SAP Note 1593439 for information related to Live Auction authorizations.

Are authorization technologies other than roles used?

Yes, bidders must be added to an auction's invitation list to view and bid on that auction using Live Auction Cockpit. Bidders are added to this invitation list (in the SAP SRM Server system) when the auction is created, since this is a private auction (SAP Bidding Engine) in which there is no self-registration or subscription.

User interface settings

Live Auction Cockpit can preserve and restore various user interface (UI) settings so that users do not need to adjust the UI each time they log on. This functionality works in Live Auction ABAP in the same way as in Live Auction based on the J2EE engine. These settings include:

n Divider location

n Dropdown box selection


n Tab selection

n Table column order

n Table column width

All UI settings are stored in a browser cookie. The user's Web browser must therefore be configured to accept cookies to take advantage of this feature. If the user's Web browser is configured to block cookies, the UI settings are not preserved, but all other Live Auction Cockpit features remain functional.

Note

No personal information is stored in the browser cookie.

Special Information for SRM-MDM Catalog

For information about MDM, see http://service.sap.com/installmdm.

Special Consideration for Offline Bidding

In SAP SRM, offline bidding using e-mail is possible. However, offline bidding does not provide a secure application configuration by default. This approach can cause a security issue because it is not protected by strong encryption or by certificates. For this reason, SAP SRM does not support any scenario except in-house e-mail.

Note

Even with in-house e-mail, secure execution of offline bidding cannot be guaranteed.

A Reference

A.1 The Main SAP Documentation Types

The following is an overview of the most important documentation types that you need in the various phases of the life cycle of SAP software.

Cross-Phase Documentation

SAPterm is SAP’s terminology database. It contains SAP-specific vocabulary in over 30 languages, aswell as many glossary entries in English and German.

n Target group:
l Relevant for all target groups

n Current version:
l On SAP Help Portal at http://help.sap.com Glossary
l In the SAP system in transaction STERM

SAP Library is a collection of documentation for SAP software covering functions and processes.

n Target group:
l Consultants
l System administrators
l Project teams for implementations or upgrades

n Current version:
l On SAP Help Portal at http://help.sap.com (also available as documentation DVD)

The security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver; this document contains general guidelines and suggestions. SAP applications have a security guide of their own.

n Target group:
l System administrators
l Technology consultants
l Solution consultants

n Current version:
l On SAP Service Marketplace at http://service.sap.com/securityguide

Implementation

The master guide is the starting point for implementing an SAP solution. It lists the required installable units for each business or IT scenario. It provides scenario-specific descriptions of the preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide, and SAP Notes.

n Target group:
l Technology consultants
l Project teams for implementations

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

n Target group:
l Technology consultants
l Project teams for implementations

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

Configuration Documentation in SAP Solution Manager: SAP Solution Manager is a life-cycle platform. One of its main functions is the configuration of business scenarios, business processes, and implementable steps. It contains Customizing activities, transactions, and so on, as well as documentation.

n Target group:
l Technology consultants
l Solution consultants
l Project teams for implementations

n Current version:
l In SAP Solution Manager

The Implementation Guide (IMG) is a tool for configuring (Customizing) a single SAP system. The Customizing activities and their documentation are structured from a functional perspective. (To configure a whole system landscape from a process-oriented perspective, SAP Solution Manager is used; it refers to the relevant Customizing activities in the individual SAP systems.)

n Target group:
l Solution consultants
l Project teams for implementations or upgrades

n Current version:
l In the SAP menu of the SAP system under Tools Customizing IMG

Production Operation

The technical operations manual is the starting point for operating a system that runs on SAP NetWeaver, and precedes the application operations guides of SAP Business Suite. The manual refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/restore, master data maintenance, transports, and tests.

n Target group:
l System administrators

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

The application operations guide is used for operating an SAP application once all tasks in the technical operations manual have been completed. It refers users to the tools and documentation that are needed to carry out the various operations-related tasks.

n Target group:
l System administrators
l Technology consultants
l Solution consultants

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

Upgrade

The upgrade master guide is the starting point for upgrading the business scenarios and processes of an SAP solution. It provides scenario-specific descriptions of the preparation, execution, and follow-up of an upgrade. It also refers to other documents, such as upgrade guides and SAP Notes.

n Target group:
l Technology consultants
l Project teams for upgrades

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

The upgrade guide describes the technical upgrade of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

n Target group:
l Technology consultants
l Project teams for upgrades

n Current version:
l On SAP Service Marketplace at http://service.sap.com/instguides

Release notes are documents that contain short descriptions of new features in a particular release or of changes to existing features since the previous release. Release notes about ABAP developments are the technical prerequisite for generating delta and upgrade Customizing in the Implementation Guide (IMG).

n Target group:
l Consultants
l Project teams for upgrades

n Current version:
l On SAP Service Marketplace at http://service.sap.com/releasenotes
l In the SAP menu of the SAP system under Help Release Notes (only ABAP developments)


Typographic Conventions

Example: Description

<Example>: Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".

Example Example: Arrows separating the parts of a navigation path, for example, menu options

Example: Emphasized words or expressions

Example: Words or characters that you enter in the system exactly as they appear in the documentation

http://www.sap.com: Textual cross-references to an internet address

/example: Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web

123456: Hyperlink to an SAP Note, for example, SAP Note 123456

Example:
n Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
n Cross-references to other documentation or published works

Example:
n Output on the screen following a user action, for example, messages
n Source code or syntax quoted directly from a program
n File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools

EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE: Keys on the keyboard


SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20

www.sap.com

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

This document was created using stylesheet 2007-12-10 (V7.2) / XSL-FO: V5.1 Gamma and XSLT processor SAXON 6.5.2from Michael Kay (http://saxon.sf.net/), XSLT version 1.


Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this document at the following address: http://service.sap.com/instguides


© Copyright 2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express written permission of SAP AG. The information contained in this publication may be changed without prior notice.