SAP Security Guide SRM2007 SP03
7/27/2019 SAP Security Guide SRM2007 SP03
http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 1/90
Application Security Guide
SAP SRM 2007 Using SAP® SRM Server 6.0, SAP SRM-MDM Catalog, SAP NetWeaver Portal 7.0
Document Version 2.0 - October 2007
©Copyright 2006 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of SQL AB, Sweden.
SAP, R/3, SAP, SAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Typographic Conventions
Type Style    Represents
Example Text    Words or characters that appear on the screen. These include field names, screen titles, and pushbuttons, as well as menu names, paths, and options. Cross-references to other documentation.
Example text    Emphasized words or phrases in body text, titles of graphics, and tables.
EXAMPLE TEXT    Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text    Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code, as well as names of installation, upgrade, and database tools.
Example text    Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT    Keys on the keyboard, for example, function keys (such as F2) or the Ctrl key.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Contents
March 2007 4
1 Introduction ............................................................ 5
1.1 Target Audience ....................................................... 5
1.2 About this Document ................................................... 5
2 Before You Start ........................................................ 6
2.1 Fundamental Security Guides ........................................... 6
2.2 Important SAP Notes ................................................... 7
2.3 Additional Information ................................................ 7
2.4 Overview of the Business Scenarios .................................... 7
2.5 Software Component Matrix ............................................. 9
2.6 The SAP SRM Business Scenarios and Relevant Components ............... 12
3 Technical System Landscape ............................................. 28
3.1 Architecture ......................................................... 28
4 Network Security and Communication Security ............................ 33
4.1 Communication Channel Security ....................................... 33
4.2 Network Security ..................................................... 37
4.3 Communication Destinations ........................................... 37
5 Data Storage Security .................................................. 39
6 Auditing and Logging ................................................... 40
7 User Administration and Authentication ................................. 46
7.1 User Management ...................................................... 46
7.2 Integration into Single Sign-On Landscapes ........................... 46
8 Authorizations ......................................................... 47
8.1 ABAP Roles for SAP SRM Server 6.0 (Enterprise Buyer) ................. 48
8.2 ABAP Roles for SAP SRM Server 6.0 (SUS) .............................. 68
8.3 ABAP Authorization Objects for SAP SRM Server 6.0 (Category Management) 74
8.4 Portal Roles (for NetWeaver Portal 7.0) .............................. 76
8.5 Changes to the Authorization Check ................................... 84
9 Appendix ............................................................... 86
9.1 Data Privacy Statement ............................................... 86
9.2 Virus Checking of Document Attachments ............................... 86
9.3 Additional Related Guides ............................................ 87
9.4 Additional Information ............................................... 88
1 Introduction
This guide does not replace the administration or operations guides that are available for productive operations.
1.1 Target Audience
Technology consultants
System administrators
This document is not included as part of the installation guides, SAP Solution Manager content (configuration information), technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.
1.2 About this Document
The solution SAP Supplier Relationship Management (SAP SRM) consists of different components, such as SAP Enterprise Buyer (EBP), SAP Bidding Engine (both reside on SRM Server), and Live Auction Cockpit.
This cross-component security guide provides security-relevant information for the individual SRMcomponents.
In many cases, the required information has already been provided in other security guides and in the configuration information or installation guides. In these cases, we have provided a reference to the relevant sections within these guides.
Security in the context of an SRM solution comprises the following aspects:
User authentication
Support of Single Sign-On
Administration and checking of user authorizations to prevent unauthorized access to saved data
Secure data transfer between users and the SRM application components, especially in the case of browser-based access via the Internet
General access control, including protection of the system against unauthorized external access
Safeguarding of data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet
The individual components of the SAP SRM solution are based on the standard technology of SAP NetWeaver, such as SAP Web Application Server (including Internet Transaction Server) and SAProuter. This means that only the official precepts of the SAP security strategy are used, together with the standard tools and mechanisms of the SAP NetWeaver platform. In 80 percent of cases, an SAP SRM system landscape comprises Enterprise Buyer and Live Auction Cockpit. The User Management Engine (UME) is only required with SAP NetWeaver Portal, which is why UME is not covered by this guide.
This Security Guide focuses on specific SAP SRM implementations – the standard case is covered by the security guides of the respective basis technologies.
2 Before You Start
SAP has recently changed some of the naming of SAP products. Note that the old names are still in use and therefore the following product names are synonymous:
New Name Old Name
SAP SRM 2007 mySAP SRM 6.0
SAP NetWeaver 7.0 SAP NetWeaver 2004s
2.1 Fundamental Security Guides
SAP SRM is built on the technology of SAP NetWeaver. Therefore, the corresponding security guides also apply to the SAP SRM solution. Pay particular attention to the most relevant sections as indicated in the table below.
Fundamental Security Guides
Scenario, Application or Component Security Guide    Most-Relevant Sections
SAP NetWeaver Security Guide    See tables below.
Introduction to Security with the SAP NetWeaver Platform
Topic See
Technical System Landscape Technical System Landscape
User Administration and Authentication User Administration and Authentication
Network and Transport Layer Security Network and Communication Security
Secure Programming Secure Programming
Security Guides for SAP NetWeaver According to Usage Types
Usage Type See
Application Server (AS) SAP NetWeaver Application Server ABAP Security Guide
SAP NetWeaver Application Server Java Security Guide
Internet Transaction Server Security
Virus Protection and SAP GUI Integrity Checks
NetWeaver Portal (EP) Portal Security Guide
Business Information (BI) Security Guide for SAP NetWeaver BI
Process Integration (PI) SAP NetWeaver Process Integration Security Guide
Security Guides for Standalone Engines
Engine See
Search and Classification (TREX) Search and Classification (TREX) Security Guide
For a complete list of the available SAP Security Guides, see SAP Service Marketplace at service.sap.com/securityguide.
2.2 Important SAP Notes
The most important SAP Notes that apply to SAP SRM are shown in the table below:
SAP Note Number Title
39267 Availability of the SAP Security Guide
595519 Include EBP in a portal
843740 Data protection text for vendor maintenance
420085 Logon Ticket Cache
For more SAP Notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes → SAP Notes on SAP Security, or the notes for the application areas BC-JAS-SEC and BC-SEC.
2.3 Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Content Quick Link on the SAP Service Marketplace
Security http://service.sap.com/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes http://service.sap.com/notes
Released platforms http://service.sap.com/platforms
Network security http://service.sap.com/network
http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
2.4 Overview of the Business Scenarios
Before you start the security setup, you need to decide which SRM components need to be installed. You should also have carried out a rough sizing exercise to answer questions on the technical setup.
You can use this Security Guide to define the network structure, for example firewalls, routers, load balancing, protocols used, and the necessary configuration of the components, as well as a concept for user administration.
In this section, you can find the Software Component Matrix, and details of the components used for each business scenario.
For more information about the business scenarios, see the SAP SRM Master Guide on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SRM Server 6.0.
2.5 Software Component Matrix
This section provides an overview of which business scenarios use which components in this SAP Business Suite solution. The exact locations of the required software components on the corresponding DVD(s) and CD(s) that are shipped with the SAP SRM 6.0 package can be found under service.sap.com/instguides → SAP Business Suite Applications → SAP SRM.
Software Components and SRM Business Scenarios
Scenario columns: SSP = Self-Service Procurement, PDP = Plan-Driven Procurement, SP = Service Procurement, CCM = Catalog Content Management, ANA = Analytics, CAT = Category Management, CON = Contract Management, SS = Strategic Sourcing. Indented rows are SAP delivered content belonging to the component above them.
Software Component | SSP | PDP | SP | CCM | ANA | CAT | CON | SS
SAP® Supplier Relationship Management Server 6.0 (SAP SRM Server 6.0, based on SAP® Web Application Server 7.00, comprises SAP® Enterprise Buyer, SAP® Bidding Engine and Supplier Self-Services) | M | M | M | M | M | M | M | M
Live Auction Cockpit web presentation server (LACWPS) 6.0 | - | - | - | - | - | - | - | M (i)
SRM-MDM Catalog 1.0 | O | O | O | M | - | - | O | O
SAP WebAS ABAP 7.00 | M | M | M | M | M | M | M | M
SAP WebAS Java 7.00 | M | M | M | M | M | M | M | M
SAP NetWeaver® 2004s Search and Classification (TREX) | O | M | - | - | - | O | O | O
SAP NetWeaver® BI 7.0 | O | O | O | - | M | M | O | O
  SAP NetWeaver® BI_CONT 7.03 | O | O | O | - | M | M | O | O
SAP NetWeaver® Enterprise Portal 7.0 | M | M | M | M | M | M | M | M
  Business Package for SRM Server 6.0 | M | M | M | M | M | M | M | M
  Business Package for Category Management | O | O | O | O | O | M | O | O
SAP NetWeaver® Process Integration 7.0 | O | M | M | O | M (iii) | - | O | O
  XI Content for SAP SRM Server 6.0 | O | M | M | O | - | - | O | O
  XI Content for SAP NetWeaver BI Content 7.03 | O | O | O | O | - | - | - | -
  XI Content for SRM-MDM Catalog | O | O | O | O | - | - | O | O
SAP NetWeaver® MDM 5.5 | M | O | - | M | M (iii) | - | O | O
SAP NetWeaver® Adobe Document Server 7.0 | O | O | M | - | - | - | O | O
Duet 1.0 | O | - | - | - | - | - | M (ii) | -
cProject 4.0 | - | O | - | O | - | O | - | O
SAP Document Builder | - | - | - | - | - | - | M (ii) | -
SAP® R/3 OLTP as of 3.1i up to SAP® R/3 Enterprise 4.70, ERP 1.0, ERP 2.0 (SAP R/3 4.6C or higher recommended) | M | M | O | - | O | O | O | O
SAP R/3 Plug-In 2004.1 or higher if one is available | M | M | O | - | O | O | O | O
SAP GUI 7.0 or Higher | M | M | M | M | M | M | M | M
Legend:
O = Optional business or technology enhancement for this scenario
M = Mandatory minimum requirement for the deployment variants of this scenario
(i) With Live Auction
(ii) Legal & Operational Contract Collaboration
(iii) For Master Data Harmonization / Consolidation
You require SAP® NetWeaver 2004s TREX in the following cases:
o When you use the contract management application to search for information such as vendor texts, internal notes, and attachments.
o When you want to use the metadata search functionality or use BI accelerator within Analytics.
2.6 The SAP SRM Business Scenarios and Relevant Components
The following section provides an overview of the business scenarios of SAP SRM, each with a diagram of the component landscape and a textual description of the relevant components:
Contract Management
Service Procurement
Strategic Sourcing
Plan-Driven Procurement
Catalog Content Management (SRM-MDM Catalog)
Self-Service Procurement
Spend Analysis
Legend of the component landscape diagrams: XML (the diagrams themselves are not reproduced here)
Contract Management
Contract Management enables your purchasers to create, change, and monitor purchasing contracts. They can use the catalogs provided by SAP SRM-MDM Catalog to add items to contracts. SAP BI 7.0 is used to carry out evaluations. SAP Exchange Infrastructure (XI) is also necessary in this business scenario to upload external flat files for product category hierarchies and supplier hierarchies.
The SRM Server (EBP) Web front-end uses ABAP Web Dynpro technology. The Web front-end of SAP SRM-MDM Catalog 1.0 uses Java Web Dynpro technology. SAP Business Intelligence is realized using Business Server Pages (BSP) technology.
Depending on the requirements of the SRM 6.0 installation (should SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
SAP SRM-MDM Catalog 1.0: Enable SAP Web AS Java 7.0 SSL (see Transport Layer Security on the SAP J2EE Engine, section Configuring the Use of SSL on the SAP J2EE Engine)
SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0
If necessary, configure SNC connections between SAP SRM Server and the back-end system
If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.0
If necessary, connect SAP SRM Server 6.0 (EBP), SAP SRM Server 6.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)
Service Procurement
This business scenario is used to cover the entire service procurement process.
The SRM Server (SUS) web front-end uses Business Server Pages (BSP) technology.
Necessary steps:
SAP SRM Server 6.0 (SUS): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure Enterprise Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (SUS)
Depending on whether SAP SRM Server (EBP) is also to be made available via the Internet, or depending on the internal Security Policy, the following might also be necessary:
SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)
SAP BI 7.0: Enable SAP Web AS 7.0 SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0
If necessary, configure SNC connections between SAP SRM Server and the back-end system
If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.0
If necessary, connect SAP SRM Server 6.0 (EBP), SAP SRM Server 6.0 (SUS), and SAP SRM-MDM Catalog via HTTPS, FTPS and SNC to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)
The SRM@ERP2005 business scenario Supplier Self-Registration is identical to the above business scenario Service Procurement in the SAP SRM standard.
Strategic Sourcing
Within Strategic Sourcing, bid invitations are created in SAP SRM Server and suppliers are invited to participate in these bid invitations by submitting bids. Bid invitations can also be converted into live auctions. Live auctions occur in SAP Live Auction Cockpit (LAC) WPS. SAP LAC WPS consists of a server part running on an SAP J2EE 7.0 and a Java applet that communicates with the server.
The Java applet is loaded into the browser of the user and is executed locally.
Necessary steps:
SAP SRM Server 6.0 (EBP/Bidding Engine): Enable SAP Web AS ABAP 7.0 SSL (configure HTTPS protocol)
SAP LAC WPS 6.0: Enable SAP Web AS Java 7.0 SSL
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (EBP/Bidding Engine)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP LAC WPS 6.0
Optional (if components are accessed via the Internet or if the Intranet Security Policy requires usage of HTTPS):
SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)
SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
If necessary, configure SNC connections between SAP SRM Server and the back-end system
If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.0
Plan-Driven Procurement
Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly needed core materials. Suppliers can process purchase orders directly in SAP SRM Server (SUS). The purchase orders are transferred to SAP SRM Server (SUS) from the back-end system via SAP Exchange Infrastructure (XI).
The Web front-end of SAP SRM Server (SUS) is realized using Business Server Pages (BSP) technology.
Since suppliers log on to SAP SRM Server (SUS) via the Internet, the HTTPS protocol should definitely be configured for SAP SRM Server (SUS).
Necessary steps:
SAP SRM Server 6.0 (SUS): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (SUS)
If SAP SRM Server (EBP) is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following:
SAP SRM Server 6.0 (EBP): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (EBP)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
If necessary, configure SNC connections between SAP SRM Server and the back-end system
If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.0
If necessary, connect SAP SRM Server 6.0 (EBP) and SAP SRM Server 6.0 (SUS) via HTTPS and SNC to SAP Exchange Infrastructure (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)
Catalog Content Management (SRM-MDM Catalog)
The SRM-MDM Catalog search UI is realized using Java Web Dynpro technology. Catalogs can be uploaded via the file system using the MDM Import Manager in XML or Excel format. Contract data can be loaded via SAP Exchange Infrastructure (XI) and the MDM Import Manager from the SAP SRM Server system.
In the scope of a procurement process, transfer of product data from SAP SRM-MDM Catalog to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user's browser.
Necessary steps:
Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0
If necessary, connect SAP SRM-MDM Catalog via FTPS to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security).
For MDM security-related information, refer to the SAP NetWeaver MDM 5.5 Security Guide on SAP Service Marketplace at service.sap.com/mdm → Installation & Upgrade Guides.
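The OCI transfer in this scenario carries the selected catalog items to SAP SRM Server through the user's browser, so the receiving side cannot assume that the posted fields are what the catalog sent. The following Python example, added here and not code from the SAP guide or from SAP, shows a server-side validator for such a transfer: it groups the NEW_ITEM-<FIELD>[n] form fields by item, rejects unknown fields, over-long values, control characters and non-numeric or negative amounts, and, on the catalog side, accepts a HOOK_URL only when it is HTTPS to an allow-listed SRM host. The field names follow the OCI specification; the accepted field set, the length limits, the host name srm.example.internal and the sample form body are constructed assumptions for this example.

```python
"""Server-side validation of an OCI (Open Catalog Interface) item transfer.

Added example, not code from the SAP guide or from SAP. The catalog posts the
chosen items to the SRM hook URL through the user's browser, so the receiving
side must treat every field as untrusted. Field names follow the OCI
specification; the accepted field set, the length limits, the SRM host name
and the sample body below are constructed assumptions for this example.
"""
from __future__ import annotations

import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Accepted inbound fields: OCI name -> (max length, required). Assumed limits.
FIELD_SPEC = {
    "DESCRIPTION": (40, True), "QUANTITY": (15, True), "UNIT": (3, True),
    "PRICE": (15, True), "CURRENCY": (5, True), "VENDOR": (10, False),
    "VENDORMAT": (40, False), "MATGROUP": (10, False), "EXT_PRODUCT_ID": (40, False),
}
FIELD_RE = re.compile(r"^NEW_ITEM-([A-Z_]+)\[(\d+)\]$")


class OciValidationError(ValueError):
    """Raised when the posted form must be rejected."""


def parse_oci_items(body: str) -> dict[int, dict[str, str]]:
    """Group NEW_ITEM-<FIELD>[n] parameters by item index n; reject anything else."""
    items: dict[int, dict[str, str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        match = FIELD_RE.match(name)
        if not match or match.group(1) not in FIELD_SPEC:
            raise OciValidationError(f"unexpected form field: {name}")
        if len(values) != 1:
            raise OciValidationError(f"duplicated form field: {name}")
        items.setdefault(int(match.group(2)), {})[match.group(1)] = values[0]
    return items


def validate_item(idx: int, fields: dict[str, str]) -> dict:
    """Check presence, length, characters and numeric ranges; return the typed item."""
    for name, (max_len, required) in FIELD_SPEC.items():
        value = fields.get(name)
        if value is None:
            if required:
                raise OciValidationError(f"item {idx}: NEW_ITEM-{name} is missing")
            continue
        if len(value) > max_len:
            raise OciValidationError(f"item {idx}: NEW_ITEM-{name} longer than {max_len}")
        if any(ord(ch) < 32 for ch in value):   # no control characters in any field
            raise OciValidationError(f"item {idx}: NEW_ITEM-{name} has control characters")
    try:
        quantity, price = Decimal(fields["QUANTITY"]), Decimal(fields["PRICE"])
    except InvalidOperation as exc:
        raise OciValidationError(f"item {idx}: quantity/price not numeric") from exc
    if not quantity.is_finite() or quantity <= 0:
        raise OciValidationError(f"item {idx}: quantity must be positive")
    if not price.is_finite() or price < 0:
        raise OciValidationError(f"item {idx}: price must not be negative")
    if not re.fullmatch(r"[A-Z]{3}", fields["CURRENCY"]):
        raise OciValidationError(f"item {idx}: currency must be a 3-letter ISO code")
    rest = {k.lower(): v for k, v in fields.items() if k not in ("QUANTITY", "PRICE")}
    return {"index": idx, "quantity": quantity, "price": price, **rest}


def validate_transfer(body: str) -> list[dict]:
    """Validate a whole posted form; items come back in index order."""
    items = parse_oci_items(body)
    if not items:
        raise OciValidationError("no items in transfer")
    return [validate_item(idx, items[idx]) for idx in sorted(items)]


def transfer_error(body: str) -> str | None:
    """The rejection reason for a body, or None if it validates."""
    try:
        validate_transfer(body)
    except OciValidationError as exc:
        return str(exc)
    return None


def hook_url_is_acceptable(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Catalog-side check of the HOOK_URL received from SRM before cart data is
    posted back to it: HTTPS only, a known SRM host, no embedded credentials."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and parts.hostname in allowed_hosts
            and parts.username is None and parts.password is None)


# Constructed sample: two items as a catalog would post them to the hook URL.
SAMPLE_BODY = (
    "NEW_ITEM-DESCRIPTION[1]=Laptop+docking+station&NEW_ITEM-QUANTITY[1]=2"
    "&NEW_ITEM-UNIT[1]=EA&NEW_ITEM-PRICE[1]=129.90&NEW_ITEM-CURRENCY[1]=EUR"
    "&NEW_ITEM-VENDOR[1]=0000100123&NEW_ITEM-MATGROUP[1]=IT-ACC"
    "&NEW_ITEM-DESCRIPTION[2]=USB-C+cable+2m&NEW_ITEM-QUANTITY[2]=10"
    "&NEW_ITEM-UNIT[2]=EA&NEW_ITEM-PRICE[2]=7.50&NEW_ITEM-CURRENCY[2]=EUR"
)
ALLOWED_SRM_HOSTS = frozenset({"srm.example.internal"})   # placeholder host name

if __name__ == "__main__":
    for item in validate_transfer(SAMPLE_BODY):
        print(item["index"], item["description"], item["quantity"], item["price"], item["currency"])
    print(hook_url_is_acceptable("https://srm.example.internal/oci/inbound", ALLOWED_SRM_HOSTS))
```

Rejecting unknown fields outright, rather than ignoring them, is the deliberate choice here: the whole post comes from the browser, so anything the receiving system does not explicitly expect should not reach the shopping cart. The hook URL check matters on the catalog side for the same reason: the catalog only ever receives that URL as a parameter and must not be talked into posting cart data to a host outside the SRM landscape or over plain HTTP.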
Self-Service Procurement
Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP SRM-MDM Catalog. SAP BI 7.0 is used to carry out evaluations.
Depending on the requirements of the SRM 6.0 installation (should SAP SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:
SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)
SAP BI 7.0:
Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0
If necessary, configure SNC connections between SAP SRM Server and the back-end system
If necessary, configure SNC connections between SAP SRM Server/back-end system and SAP BI 7.0
The Extended Self-Service Procurement business scenario is almost the same as the standard Self-Service Procurement business scenario, except that it is extended by a SUS system that is connected to the SAP ECC system.
Category Management
Category Management enables your employees to create sourcing, contracting and operationsstrategies, to transform these strategies into initiatives, and to manage these initiatives.
Necessary steps:
SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0
For security-relevant information on Collaborative Project Management (cProjects) 4.0, refer to the SAP Project and Portfolio Management 4.00 Security Guide on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP PLM → using cProject Suite 4.00.
Spend Analysis
SRM 6.0 enables you to consolidate data in SAP Business Intelligence (SAP BI) and to carry out evaluations. The data for this comes from SAP SRM Server or its back-end system via RFC/SNC. Users access the reports via a Web front-end that is realized using BSP technology.
If BI reports are also made available to suppliers, SAP BI has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario:
Should the SRM system landscape be available to the purchasers via the Internet or only via the Intranet?
Does the internal security policy require that HTTPS be used for all Web-based applications?
Necessary steps:
Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)
Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog
If necessary, configure SNC between SAP SRM Server/back-end system and SAP Business Intelligence
3 Technical System Landscape
SRM supports various presentation technologies on which the individual SRM components run and via which user access and data transfer occur. The architecture, which is determined by the respective presentation technology, is crucial for the security of an SRM system: the architecture determines the security concept.
3.1 Architecture
The architecture of an SRM system landscape is heavily dependent on the security measures, which are in turn determined by the data to be transferred and the data channels.
In an SRM system landscape, there are two types of channel via which data is exchanged and which require careful attention in terms of securing data exchange via external interfaces:
Exchange of data via external user interfaces
Exchange of data/documents via external system interfaces
In both cases, the SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway.
We recommend that you use SAP Web Dispatcher. URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall.
In this way, the SRM security concept follows the usual SAP security standards that are used on a world-wide basis.
Exchange of Data via External User Interfaces
Data exchange via external user interfaces occurs in SRM in the following ways:
Data exchange via the application gateway using an internal Internet Transaction Server (ITS) or, for components with a Web front-end, Business Server Pages (BSP) technology. BSP is used for Supplier Self-Services (SUS) and Supplier Registration (ROS).
ITS is only relevant in certain use cases, depending on which SRM 6.0 SP is installed.
Data exchange via the Java applet Live Auction Cockpit WPS (also via the application gateway)
Data exchange via Duet
Data Exchange via the Application Gateway for Applications with Web Frontends
The following SRM scenarios, where the Web front-end is based on ITS or BSP technology, work on this principle:
Self-Service Procurement
Plan-Driven Procurement
Service Procurement
Catalog Content Management
Spend Analysis
(Strategic Sourcing with Bidding Engine but without LAC WPS)
Contract Management
Basic Representation of the Communication Paths of the SRM Components to the Outside via the Application Gateway.
The SAP Web Dispatcher functions as an application gateway and is used as a "software Web switch" between the Internet and your SAP SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, SAP Web Dispatcher balances the load, so that the request is always sent to the server with the greatest capacity.
For more information, see the documentation about SAP Web Dispatcher.
SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) via the internal firewall of the DMZ.
All security aspects are dealt with via the ITS and SAP Web AS.
In this way, the SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.
System Landscape Architecture
For external access, a landscape as illustrated in the above figure is recommended. The landscape makes it possible to restrict access to the external-facing portal and Web Dynpro applications through a Web Dispatcher configuration.
See also:
http://service.sap.com/notes SAP Note 517484 (Inactive Services in the Internet Communication Framework)
Portal Security Guide
Security Issues in Web Dynpro for ABAP
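The access restriction described above can be illustrated with a small model of a gateway permission table. The following Python code is an added example for this guide and is not part of SAP Web Dispatcher or of any SAP delivery; the rule format (P permit, D deny, S permit only over HTTPS), the URL patterns and the sample requests are constructed for illustration. It shows the two properties a reviewer should verify in any gateway filter that sits in the DMZ: a default-deny, first-match evaluation, and canonicalization of the request path before it is compared with the patterns, so that a permitted prefix such as the portal path cannot be used to reach a denied one.

```python
"""Added example: first-match URL permission table for an application gateway
in the DMZ, with path canonicalization before matching. Rules, paths and
sample requests are constructed for illustration, not taken from SAP."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from posixpath import normpath
from typing import List, Tuple
from urllib.parse import unquote

# Rules are consulted top to bottom; the first match decides.
# "P" = permit, "D" = deny, "S" = permit only when the request arrived over HTTPS.
# Constructed rule set: expose the portal and Web Dynpro entry points only and
# keep SAP GUI for HTML and administration services unreachable from outside.
PERMISSION_TABLE: List[Tuple[str, str]] = [
    ("S", "/irj/portal*"),
    ("S", "/sap/bc/webdynpro/sap/*"),
    ("D", "/sap/bc/gui/*"),
    ("D", "/sap/admin/*"),
]


@dataclass(frozen=True)
class Request:
    scheme: str  # "http" or "https" as seen by the gateway
    path: str    # raw request target, possibly percent-encoded


def canonical_path(raw: str) -> str:
    """Drop query and fragment, decode once, then collapse '.', '..' and
    repeated slashes, so '/irj/portal/../../sap/admin/x' is matched as
    '/sap/admin/x' and cannot slip past the permit rule for the portal."""
    path = unquote(raw.split("?", 1)[0].split("#", 1)[0])
    return normpath("/" + path.lstrip("/"))


def decide(table: List[Tuple[str, str]], req: Request) -> Tuple[str, str]:
    """Return (decision, reason). Anything that matches no rule is denied."""
    path = canonical_path(req.path)
    for action, pattern in table:
        if not fnmatchcase(path, pattern):
            continue
        if action == "P":
            return "permit", f"P {pattern}"
        if action == "D":
            return "deny", f"D {pattern}"
        if action == "S":
            if req.scheme == "https":
                return "permit", f"S {pattern} (https)"
            return "deny", f"S {pattern} requires https, got {req.scheme}"
        return "deny", f"unknown action {action!r} in rule for {pattern}"
    return "deny", "no matching rule (default deny)"


def audit(table: List[Tuple[str, str]], requests: List[Request]) -> List[Tuple[str, str, str]]:
    """Run a list of requests through the table: a regression test for a
    permission table before it is deployed."""
    return [(r.path, *decide(table, r)) for r in requests]


# Constructed sample traffic, including two traversal attempts that a
# non-canonicalizing matcher would let through via the portal rule.
SAMPLE_REQUESTS = [
    Request("https", "/irj/portal"),
    Request("http", "/irj/portal"),
    Request("https", "/sap/bc/webdynpro/sap/ZSRM_SHOPPING_CART?sap-client=100"),
    Request("https", "/sap/bc/gui/sap/its/webgui"),
    Request("https", "/irj/portal/../../sap/admin/config"),
    Request("https", "/irj/%2e%2e/sap/bc/gui/sap/its/webgui"),
    Request("https", "/sap/public/ping"),
]

if __name__ == "__main__":
    for path, decision, reason in audit(PERMISSION_TABLE, SAMPLE_REQUESTS):
        print(f"{decision:6} {path:55} {reason}")
```

The decisive detail is the order of operations in canonical_path: decoding once and normalizing before matching means the patterns are compared against the path the back-end would actually resolve. A table that is only ever tested with well-formed paths gives no assurance; the two traversal requests in the sample set belong in any pre-deployment test of a gateway configuration.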
Data Exchange via Java Applet Live Auction Cockpit WPS
In the SRM business scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for live auctions (not for auctions via the Sourcing application in SRM Bidding Engine). This applet communicates with the server part of LAC on the SAP J2EE Engine 7.0 via the application gateway.
Basic Representation of the Communication Paths of the SRM Components Including LAC WPS 6.0 to the Outside.
The ABAP Sourcing application allows external suppliers to participate in bid invitations that are created and evaluated using SAP Bidding Engine. Auctions can be converted into live auctions and are then processed in LAC.
LAC is a Java component (LAC WPS) on the presentation level whose runtime environment is the J2EE Engine of SAP Web AS 7.0.
LAC WPS consists of a server part that runs on J2EE 7.0 and a Java applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with SAP SRM Server via RFC. A digitally signed version of the Java applet for the functions Approval Preview and Follow-On Documents (document history) is available in addition to the unsigned applet currently in use.
Communication between the Java applet and the LAC WPS server occurs just like any other HTTP(S)-based communication with the Internet, via the application gateway in the DMZ. (Every type of communication with the Internet that occurs via HTTP(S) makes use of the application gateway.)
All security aspects are dealt with by SAP Web AS.
Data Exchange via Duet User Interface
The specifics of the Duet user interface are covered in the Duet 1.0: SAP Administration Guide. You can find this guide on SAP Service Marketplace at service.sap.com/instguides -> SAP xApps -> Duet -> Duet 1.0 -> Duet 1.0: SAP Administration Guide.
Exchange of Data/Documents via External System Interfaces
In an SRM system landscape, the Exchange Infrastructure (XI) is used to transfer data in the form of documents via external system interfaces. Here, too, XI is connected to the Internet via the SAP Web Dispatcher located in the DMZ.
All security aspects are dealt with by SAP Web Dispatcher and XI.
For more information, see SAP Web Dispatcher and SAP NetWeaver Process Integration Security Guide.
4 Network Security and Communication Security
Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users cannot connect to the LAN (local area network) server, they also cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the SAP SRM solution is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP SRM.
4.1 Communication Channel Security
This section deals with measures to protect data that is being transferred from unauthorized access.
Data transfer is by means of HTTPS (SSL encryption), which is also used in SAP system landscapes.
We recommend using the same protocol – either HTTP or HTTPS – consistently in all system objects. This means all the deployed objects have to be configured in exactly the same way regarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the single layers.
The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the Secure Sockets Layer (SSL) protocol to provide the protection. For SAP protocols such as dialog and RFC, you can use Secure Network Communications (SNC). See Network Security for SAP Web AS ABAP and Network Security for the SAP J2EE Engine for an overview of the corresponding SAP Web AS connections and the security mechanism to use.
We recommend that you consult the following documentation in the SAP NetWeaver Security Guide -> Network and Communication Security.
See the following topics:
Basic Network Topology for SAP Systems
Network Services
Using Firewall Systems for Access Control
Application-Level Gateways Provided by SAP
Example Network Topology Using an SAProuter
Example Network Topology When Using SAP Remote Services
Using Multiple Network Zones
Transport Layer Security
Secure Network Communications (SNC)
SNC-Protected Communication Paths in SAP Systems
Additional Information on Network Security
Enabling SSL (HTTPS) for SAP Web Application Server 7.0
This section is relevant for all Web applications that are based on either ITS 7.0 or BSP, that is, all scenarios with the exception of Strategic Sourcing with LAC WPS 6.0.
This safeguards data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet.
The electronic exchange of business data between SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SAP SRM customer wants to protect from unauthorized access. Here also, SRM makes use of the standard Internet features. With the HTTP adapter, SAP Exchange Infrastructure supports the Secure HTTP protocol. By means of this protocol, all data is protected during the entire transfer from the sending system to the receiving system. As far as the automatic authentication of the participating systems is concerned, SAP SRM relies on the exchange of certificates, which guarantees state-of-the-art security.
The communication channels within the SAP SRM system landscape can be made secure using HTTPS (SSL). However, this encryption technology only makes sense if it is used to achieve overall security for the channels.
Consult the Network and Transport Layer Security guide before carrying out the SSL settings for the SAP Web AS 7.0:
Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP
o Configuring the SAP Web AS for Supporting SSL
To carry out the SSL settings for the ITS 7.0 (internal ITS on SAP Web AS 7.0), proceed in accordance with the following sections of the SAP NetWeaver Application Server Security Guide:
Internet Transaction Server Security
o A Secure Network Infrastructure for the ITS
o Protecting the Server and Network Components
o TCP Ports Used by the ITS
For security issues regarding SRM applications with a BSP-based Web front-end, see Security Aspects for BSP.
Portal and Web Dynpro SSL Configuration
Enter SSL in Portal system maintenance for the SRM system entry and enable SSL for the Portal server as well. For more information, see the topics Configuring the SAP Web AS for Supporting SSL and Configuration Settings, and SAP Note 510007: Setting up SSL on the Web Application Server.
Enabling SSL for J2EE 7.0
This section is relevant if you want to implement the SRM scenario Strategic Sourcing with LAC WPS 6.0 (LAC WPS runs on the J2EE Engine of SAP Web AS 7.0).
To configure SSL for LAC on J2EE 7.0, proceed in accordance with the following documentation: Configuring the Use of SSL on the SAP J2EE Engine
See also:
Security Guide for Connectivity with the SAP J2EE Engine
Transport Layer Security on the SAP J2EE Engine
Secure Connection of Application Systems to SAP XI
All XI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to the Exchange Infrastructure.
Depending on the protocol used, all data (including passwords) is transmitted through the network (Intranet or Internet) in plain text. To maintain the confidentiality of this data, you can apply transport layer encryption to the connection between the business systems, the Integration Server, the adapters, and the Web browser.
We especially recommend that you use encryption when you transmit passwords, orders, company-specific information or any other data that you consider sensitive.
You can use Secure Sockets Layer (SSL) or Secure Network Communication (SNC) to increase the security of the following connections:
Between adapters and Integration Server
Between business systems and Integration Server
Between PCK and Integration Server
Between business systems and adapters
Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively.
Find detailed information here:
SAP NetWeaver Process Integration Security Guide -> Network and Communication Security -> HTTP and SSL and Adapter-Specific Security Configuration
Here you find information on sending and receiving messages with the Adapter Engine using HTTPS/SSL: Configuration Guide - SAP XI 7.0: Chapter 10 Communication and Security and 10.1 HTTPS Configuration for the Adapter Engine.
Integration of SAP SRM Server (EBP) Services into SAP NetWeaver Portal
Ensure that you have downloaded all of the relevant portal roles for SRM 6.0 from SAP Service Marketplace at service.sap.com/swdc. Here you can also find the current Business Package for SAP SRM 6.0.
Security Information:
Portal Security Guide -> Network and Communication Security -> Communication Channel Security -> Communication between Internal Components / Communication with Backend Systems.
Important Note: The portal and the connected back-end systems must use the same protocol (both use HTTP or both use HTTPS; no other combination is possible).
The portal and the connected back-end system must be in the same domain.
If you wish to implement your own SAP SRM Server (EBP) services, you must ensure that the iViews of the EBP services have EPCF level "2".
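The two rules stated above (same protocol everywhere, portal and back-end systems in the same domain) and the consistency recommendation in section 4.1 can be checked mechanically before go-live. The following Python code is an added example, not part of the SAP documentation or of any SAP tool; the system list, the host names, and the assumption that the cookie domain is formed by the last two labels of the portal host are constructed for illustration. The domain check implements the cookie domain-matching rule of RFC 6265, which is the mechanism behind the same-domain requirement: a single sign-on cookie issued for the portal's domain is simply never sent to a host outside that domain.

```python
"""Added example: consistency check for the protocol and domain rules stated for
the portal and its connected back-end systems. The landscape below is
constructed for illustration and is not an SAP-delivered system list."""
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample landscape: logical name -> entry URL of the system object.
LANDSCAPE: Dict[str, str] = {
    "portal":      "https://portal.example.corp:50001/irj/portal",
    "srm_server":  "https://srm.example.corp:8443/sap/bc/webdynpro/sap/",
    "mdm_catalog": "http://catalog.example.corp:50000/SRM-MDM/SRM_MDM",
    "bi":          "https://bi.other-domain.test:8443/sap/bw/BEx",
}


def cookie_domain_for(host: str, labels: int = 2) -> str:
    """Domain attribute an SSO cookie would have to carry so that every host of
    the landscape receives it. Assumption: the registrable domain is the last
    two labels (adjust `labels` for domains such as example.co.uk)."""
    return ".".join(host.lower().split(".")[-labels:])


def cookie_reaches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: a cookie set for 'example.corp' is sent to
    example.corp and to any host ending in '.example.corp', nothing else."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def check_landscape(landscape: Dict[str, str], reference: str = "portal") -> List[str]:
    """Report every system object whose scheme differs from the reference
    system (HTTP and HTTPS must not be mixed) and every host outside the
    reference system's cookie domain (the SSO cookie will never reach it)."""
    findings: List[str] = []
    ref = urlsplit(landscape[reference])
    ref_domain = cookie_domain_for(ref.hostname)
    for name, url in landscape.items():
        parts = urlsplit(url)
        if parts.scheme != ref.scheme:
            findings.append(
                f"{name}: uses {parts.scheme} but {reference} uses {ref.scheme}; "
                f"mixed protocols break script-based calls between the layers")
        if not cookie_reaches(ref_domain, parts.hostname):
            findings.append(
                f"{name}: host {parts.hostname} is outside cookie domain "
                f"{ref_domain}; single sign-on from {reference} cannot work")
    return findings


if __name__ == "__main__":
    for line in check_landscape(LANDSCAPE):
        print("FINDING:", line)
```

Run against the constructed landscape, the check reports the catalog system (plain HTTP behind an HTTPS portal) and the BI system (a host the portal's cookie cannot reach). The same function can be fed the real system entries from portal system maintenance; an empty result is the condition the two rules above require.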
4.2 Network Security
General Access Control, Including Protection of the System and Stored Data Against Unauthorized External Access
General Standards: Firewalls, DMZ, SNC
SAP Standards: ITS, SAProuter
SAP SRM is a solution with many external interfaces, including interfaces to the Internet. This makes SAP SRM vulnerable to attempts from outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, SAP SRM can offer protection in this regard based on the Authorization Concept within SAP Web AS (SAP Authorization Concept). It is important to understand that SAP SRM is embedded in a comprehensive protection concept that offers protection both on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure. As the SAP SRM architecture graphic shows, we recommend protecting the different SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet.
Furthermore, we recommend installing protection against access to the entire data store of the various SRM application components.
For more information on firewalls and the relevant settings, see the section Network and Communication Security -> Using Firewall Systems for Access Control (for firewall settings) in the SAP NetWeaver Security Guide and SAProuter in the SRM documentation (for SAProuter settings).
For more information on the settings for Secure Network Communications (SNC), see the section SNC-protected Communication in the SAP NetWeaver Application Server Security Guide.
See also: Additional Information on Network Security
4.3 Communication Destinations
All relevant communication destinations (such as RFC, IDoc, and so on) for SAP SRM aredescribed in SAP Solution Manager.
The following table provides an overview of where to find the relevant information in SAP Solution Manager:
Configuration Settings for Solution / Business Scenario | Path in SAP Solution Manager | Section
SAP SRM 2007 | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections
Self-Service Procurement | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for Self-Service Procurement | System Connections
Plan-Driven Procurement | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for Plan-Driven Procurement | System Connections
Service Procurement | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for Service Procurement | System Connections
Spend Analysis | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for Spend Analysis | System Connections
Strategic Sourcing | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections
Contract Management | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections
SRM-MDM Catalog (Catalog Content Management) | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for SRM-MDM Catalog (Catalog Content Management) | System Connections
Category Management | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for Category Management -> Backend Configuration | Integrate Projects and Integrate the SAP BI System
Duet | SAP Solution Manager -> Configuration -> Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM -> Duet | Configuration Content for Duet
5 Data Storage Security
SRM runs using SAP standard technologies only (SAP NetWeaver Application Server ABAP Security Guide, SAP NetWeaver Application Server Java Security Guide) and does not use any external tools. The UI is realized using the Internet Transaction Server, Business Server Pages, and Web Dynpro. This means that there are no persistent cookies and no authentication data beyond the usual amount.
For more information about the use of the Internet Transaction Server, Business Server Pages and Web Dynpro, see:
Security Aspects for BSP
Internet Transaction Server
Security Aspects of Web Dynpro for Java and Security Issues in Web Dynpro for ABAP
Data Storage
Security-relevant and personal data (for users and business partners) is stored in the standard SAP database tables. Access to these tables is protected by the SAP authorization checks.
6 Auditing and Logging
To log changes on various SAP objects, to appraise and retrace them afterwards, and to fulfill the legal auditing and logging requirements, SAP NetWeaver provides standard tools and functions.
These are described in the SAP NetWeaver Security Guide under Auditing and Logging and are relevant if you use SAP SRM.
The most relevant items regarding auditing and logging in SAP SRM are specified below:
Version History of SU01-User and Business Partner
SU01-User
Using the standard transaction SU01, menu path Information -> Change Documents for Users, a log table is displayed. This table lists all the actions that have changed user data so far.
You can also use transaction SUIM to enter the User Information System, which provides you with a wide range of functions relating to user history.
Business Partner
Using the standard transaction BP, menu path Extras -> Change History -> For This Partner, a log table is displayed depending on the changed field selected. The table contains all the changes ever carried out.
Change Documents of Business Documents
Change documents are another logging tool available to you. A change document logs changes to a business object. You access the change documents by selecting Tracking Change Documents from within the corresponding business document. This view shows every change made to the business document down to the field level.
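The change-document views named in this chapter (the SU01 change documents for users, the change history of a business partner, and Tracking Change Documents for a business document) are most useful when a reviewer works through them systematically. The following Python code is an added example, not part of SAP SRM or of the SAP NetWeaver tools; it shows how exported change-document records can be turned into a per-object history and how the findings a security reviewer looks for in user change documents (privilege changes by non-administrators, accounts changing their own authorizations) can be flagged. The record layout, field names, user names and document numbers are constructed for illustration and do not reproduce the SAP tables.

```python
"""Added example: reviewing change-document records. The records and field
names are constructed for illustration; they do not reproduce the layout of
the SU01 or business-partner change-document tables."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set


@dataclass(frozen=True)
class ChangeDocument:
    object_type: str   # "USER" or "PURCHASE_ORDER" (constructed labels)
    object_id: str     # the user name or document number that was changed
    field: str         # changed field, e.g. "ROLE_ASSIGNMENT"
    old_value: str
    new_value: str
    changed_by: str    # account that performed the change
    changed_at: datetime


# Constructed sample log: a normal administrator action, an account granting
# itself a role, a non-administrator assigning a profile, and field-level
# changes to a purchase order (one of them a save with an unchanged value).
SAMPLE_LOG: List[ChangeDocument] = [
    ChangeDocument("USER", "JDOE", "ROLE_ASSIGNMENT", "", "SAP_EC_BBP_EMPLOYEE",
                   "ADMIN01", datetime(2007, 3, 1, 9, 15)),
    ChangeDocument("USER", "JDOE", "ROLE_ASSIGNMENT", "SAP_EC_BBP_EMPLOYEE",
                   "SAP_EC_BBP_MANAGER", "JDOE", datetime(2007, 3, 2, 22, 40)),
    ChangeDocument("USER", "MSMITH", "PASSWORD_LOCK", "0", "1",
                   "ADMIN01", datetime(2007, 3, 3, 8, 0)),
    ChangeDocument("PURCHASE_ORDER", "4500000012", "TOTAL_VALUE", "1200.00",
                   "12000.00", "JDOE", datetime(2007, 3, 3, 23, 5)),
    ChangeDocument("PURCHASE_ORDER", "4500000012", "SUPPLIER", "100034",
                   "100034", "JDOE", datetime(2007, 3, 3, 23, 5)),
    ChangeDocument("USER", "TLEE", "PROFILE", "", "SAP_ALL",
                   "MSMITH", datetime(2007, 3, 4, 10, 0)),
]

# Fields whose change widens what an account may do (constructed names).
PRIVILEGE_FIELDS: Set[str] = {"ROLE_ASSIGNMENT", "PROFILE", "USER_TYPE"}


def history(log: List[ChangeDocument], object_type: str, object_id: str) -> List[ChangeDocument]:
    """All changes to one object, oldest first: the per-document view that
    Tracking Change Documents gives for a business document."""
    return sorted((d for d in log if d.object_type == object_type and d.object_id == object_id),
                  key=lambda d: d.changed_at)


def review(log: List[ChangeDocument], administrators: Set[str]) -> List[str]:
    """Flag privilege changes made by an account that is not a user
    administrator, and accounts that changed their own authorizations."""
    findings: List[str] = []
    for d in log:
        if d.object_type != "USER" or d.field not in PRIVILEGE_FIELDS:
            continue
        stamp = f"{d.changed_at:%Y-%m-%d %H:%M}"
        if d.changed_by == d.object_id:
            findings.append(f"{stamp} {d.object_id} changed own {d.field} to {d.new_value}")
        elif d.changed_by not in administrators:
            findings.append(f"{stamp} {d.changed_by} (not an administrator) changed {d.field} of {d.object_id}")
    return findings


def effective_changes(log: List[ChangeDocument]) -> List[ChangeDocument]:
    """Drop records whose old and new value are identical; they carry no
    information for the reviewer and only lengthen the history."""
    return [d for d in log if d.old_value != d.new_value]


if __name__ == "__main__":
    for line in review(SAMPLE_LOG, administrators={"ADMIN01"}):
        print("FINDING:", line)
    for d in history(SAMPLE_LOG, "PURCHASE_ORDER", "4500000012"):
        print(f"{d.changed_at:%Y-%m-%d %H:%M} {d.field}: {d.old_value!r} -> {d.new_value!r} by {d.changed_by}")
```

The set of administrator accounts is the one input the reviewer must maintain deliberately: the self-change rule needs no configuration, but the non-administrator rule is only as good as that list, so it should be taken from the role assignment of the user administrator role rather than typed in by hand.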
Application Monitoring
SRM provides a number of application monitors to evaluate various critical system and document statuses, changes, and errors. The monitoring results are only available in the portal to the administrator and are presented in graphical form in an iView in the Administration Work Center.
Authorization to view and process alerts is handled by portal role and iView assignment as well as by authorization object BBP_FUNCT (MON_ALERTS). The monitoring information is read from the SRM back-end and is recorded in the Statistic Records in CCMS (monitors under: SAP Enterprise Buyer Monitors).
7 User Administration and Authentication
This section describes how user data is protected from unauthorized access and the aspects of authorization.
User Administration and Authentication is based on standard SAP NetWeaver Application Server functionality. At a minimum, users need to be authenticated on the SAP NetWeaver Portal, based on SAP NetWeaver Application Server Java, and on the SAP SRM Server, based on SAP NetWeaver Application Server ABAP.
For more information about User Administration and Authentication on the SAP NetWeaver Application Server, refer to:
SAP NetWeaver Security Guide User Administration and Authentication
SAP NetWeaver Application Server ABAP Security Guide User Authentication
SAP NetWeaver Application Server Java Security Guide User Administration and Authentication
Portal Security Guide User Administration and Authentication
Internet Transaction Server Security Authenticating Users
7.1 User Management
SAP SRM supports user authentication using user accounts and passwords. It also supports user authentication using X.509 certificates and, in this way, integrates seamlessly with a public key infrastructure.
The following types of roles are supported:
SAP SRM Server roles and portal roles.
New users can only be created by the user administrator or by a manager. In the case of self-registration by new users, the actual release of the new account has to be approved by the user administrator or manager.
7.2 Integration into Single Sign-On Landscapes
Support of Single Sign-On on SRM
SAP SRM consists of a range of different application components, and certain SAP SRM users must access several of these applications. Therefore, the support of Single Sign-On (SSO) is a significant benefit. In SAP SRM the standard SSO mechanism is used (the initial application generates the SSO cookie, which is stored in the user’s web browser, and the other applications accept it). (For security reasons, the cookie is placed in main memory and is automatically deleted as soon as the user actively logs off or closes the browser.) Using this cookie, users can access all SRM applications for which they are authorized without having to authenticate themselves again, that is, without going through the authentication process again. When the user accesses applications based on SAP R/3, such as SAP EBP, the cookie is converted to an SAP Logon ticket on the fly.
Single Sign-On in SRM is supported with the SAP NetWeaver Portal.
For more information on SSO and Authentication Methods on SAP Web AS, see:
SAP NetWeaver Application Server Security Guide Authentication and Single Sign-On
User Authentication and Single Sign-On Using Logon Tickets
8 Authorizations
In SAP SRM one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict access; for example, employees may only assign purchase orders to their own cost centers.
In the standard SAP SRM delivery, customers receive predefined role templates that they can extend or adapt to their specific requirements. The standard roles include roles for managers, employees, and so on.
Individual users access SRM transactions and data via their browsers and in doing so transfer sensitive, confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data during the transfer from the Web server to the browser. SRM follows the standard in this case and supports secure HTTP.
Roles for System Configuration
Users wanting to set up or configure an SAP SRM Server system are assigned to the SRM Administrator role, which provides them with the required authorizations. The necessary Customizing authorizations ensure that these setup users are able to carry out IMG projects.
For more information, see Identity Management -> Users and Roles (BC-SEC-USR).
SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance (transaction PFCG). Here you can define a role corresponding to your individual IMG project with all the authorizations you need to access the corresponding IMG activities. For more information about building a role for a Customizing project, see the documentation for the transaction PFCG.
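The role and authorization concept described in this chapter can be illustrated with a simplified model of authorization objects and field values. The Python code below is an added example for this guide, not SAP code, and its behaviour is a teaching model rather than that of the SAP kernel: the roles, users and BBP_PROCTYP values are constructed, while the authorization objects BBP_PD_PO and BBP_PD_CTR and the ACTVT values 01, 02, 03, 06 and the "ACTVT<>G7" form follow the role table in section 8.1 (the ACTVT codes are assumed to carry the standard SAP meaning 01 create, 02 change, 03 display, 06 delete). The model makes visible why a display-only row (ACTVT: 03) cannot be used to change a document, and treats a checked field that is not maintained in the authorization as not permitted, which is the safe reading of an unmaintained field.

```python
"""Added example: simplified model of role-based authorization checks against
authorization objects with field values. Roles, users and BBP_PROCTYP values
are constructed; the semantics are a teaching model, not SAP's."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class FieldValues:
    allowed: FrozenSet[str] = frozenset()   # explicit values; "*" means any value
    excluded: FrozenSet[str] = frozenset()  # expresses table rows such as "ACTVT<>G7"

    def permits(self, value: str) -> bool:
        if value in self.excluded:
            return False
        return "*" in self.allowed or value in self.allowed


@dataclass(frozen=True)
class Authorization:
    obj: str                      # authorization object, e.g. BBP_PD_PO
    fields: Dict[str, FieldValues]


def fv(*values: str, excluded: Sequence[str] = ()) -> FieldValues:
    return FieldValues(frozenset(values), frozenset(excluded))


# Constructed roles modelled on the rows of the role table in section 8.1.
# Assumed standard ACTVT meanings: 01 create, 02 change, 03 display, 06 delete.
ROLES: Dict[str, List[Authorization]] = {
    "Z_PO_DISPLAY": [Authorization("BBP_PD_PO",
                                   {"ACTVT": fv("03"), "BBP_PROCTYP": fv("*")})],
    "Z_PO_PROCESS": [Authorization("BBP_PD_PO",
                                   {"ACTVT": fv("01", "02", "03", "06"),
                                    "BBP_PROCTYP": fv("ZPO", "ZPO_LIMIT")})],
    "Z_CTR_ALL_BUT_G7": [Authorization("BBP_PD_CTR",
                                       {"ACTVT": fv("*", excluded=("G7",)),
                                        "BBP_PROCTYP": fv("*")})],
}

# Constructed user-to-role assignment.
USERS: Dict[str, List[str]] = {
    "manager": ["Z_PO_DISPLAY"],
    "purchaser": ["Z_PO_PROCESS", "Z_CTR_ALL_BUT_G7"],
}


def authority_check(user: str, obj: str, **checked: str) -> bool:
    """True if any authorization for `obj` in any of the user's roles permits
    every checked field. A field that is checked but not maintained in the
    authorization counts as not permitted (safe default of this model)."""
    for role in USERS.get(user, []):
        for auth in ROLES.get(role, []):
            if auth.obj != obj:
                continue
            if all(auth.fields.get(name, FieldValues()).permits(value)
                   for name, value in checked.items()):
                return True
    return False


def effective_activities(user: str, obj: str,
                         candidates: Sequence[str] = ("01", "02", "03", "04", "06", "G7")) -> List[str]:
    """Which of the candidate ACTVT values a user can exercise on `obj` when
    only ACTVT is checked: a quick least-privilege review of a role set."""
    return [a for a in candidates if authority_check(user, obj, ACTVT=a)]


if __name__ == "__main__":
    for user in USERS:
        for obj in ("BBP_PD_PO", "BBP_PD_CTR"):
            print(f"{user:10} {obj:12} ACTVT {effective_activities(user, obj)}")
```

Two outcomes of the model are worth carrying over to a real role review: an authorization that names an object but leaves a checked field empty grants nothing for that check, and a purely negative row such as "ACTVT<>G7" grants every other activity, including ones the reviewer may not have had in mind, so it deserves the same scrutiny as an explicit "*".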
8.1 ABAP Roles for SAP SRM Server 6.0 (Enterprise Buyer)
The following roles are delivered:
Roles / Technical Names | Services (menu option) | Auth. Group | Auth. Objects | S_RFC | S_TCODE
Manager
Edit Attributes
AAAB S_RFC BBPMAINAPP
BBP_BID_WF_APP
SAP_EC_BBP_MANAGER
Process Company Data (hosted)
S_TCODE BBP_BID_WF_REV
SAP_BBP_STAL_MANAGER
BBP BBP_FUNCT (BBP_FUNCT=BE_F4_HELP)
BBP_CTR_WF_RVW
SAP_BBP_MULTI_MANAGER
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
BBP_POC_DISPLY
BBP_QUO_WF_REV
BBP_QUOT_EXTWF
BBPBWSC1
BBPMAINAPP
BBPPU05
BBPPU07
BBPRP01
BBPSC07
BWSP
T*
Purchasing Assistant
SAP_EC_BBP_SECRETARY
Create Public Templates
BBP BBP_FUNCT (BBP_FUNCT=BE_F4_HELP)
BBPPU04
SAP_BBP_STAL_SECRETARY
Enter Purchase Order Response
BBP_PD_PO (ACTVT: 03; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
SAP_BBP_MULTI_SECRETARY
Confirm Goods / Services Centrally
BBP_PD_CNF (ACTVT: 01, 02, 03; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_CNF
Enter Invoice / Credit Memo Centrally
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
BBPPU10
Shopping Carts per Cost Center
BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06, 33; BBP_PROCTY=empty)
BBPSC03
Shopping Carts per Product
BBPSC04
Preselect Suppliers
BBPSC06
Purchasing Assistant
Professional Purchaser
SAP_EC_BBP_PURCHASER
Create Public Templates
B_BUPA_RLT (RLTYP=BBP000, BBP005, BBPUP001, BBPUP002, BBPUP003, CRM007)
BBP_LA_BIZAPI
BBP_BID_DISP
SAP_BBP_STAL_PURCHASER
Confirm Goods / Services Centrally
BBP_PD_CNF (ACTVT: 01, 02, 03, 06, 33; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_CNF
SAP_BBP_MULTI_PURCHASER
Enter Invoice / Credit Memo
B_USERST_T BBP_BID_EXTSO
Invoice Monitor
CRM_BUHI BBP_BID_WF_APP
Settings for Invoice Monitor
S_ICF BBP_BID_WF_CRE
Process Purchase Order
BBP_PD_PO (ACTVT: 01, 02, 03, 06, 33, C4, C5; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Issue Purchase Order
BBP BBP_PD_PO (ACTVT: 04; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Process Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Process Global Outline Agreement
BBP_FUNCT (BBP_FUNCT=BE_F4_HELP, CR_COMPANY, EVAL_VEND, CTR_NOV)
BBP_CTR_DISP
Process Contract
BBP_PD_AUC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_CR
Issue Contract
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_PO
Perform Mass Changes
BBP_PD_CNF (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_WF
Change Suppliers in Contracts
BBP_PD_CTR (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Purchase Order Evaluation per Contract
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Upload Contracts
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
Download Contracts
BBP_PD_PO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_EDIT
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL
Process Bid Invitation
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_QUO_WF_REV
Process Bid as Substitute
BBP_PD_VL (ACTVT<>G7; BBP_PROCTY=empty)
BBP_QUOT_DISP
Process Auction
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_QUOT_EXTWF
Shopping Cart Evaluation per Cost Center
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBPAVLDISP
Shopping Cart Evaluation per Product
S_ADMI_FCD (NADM)
BBPCF07
Manage Business Partner Data
S_BTCH_JOB (job action: PLAN, RELE)
BBPDIFF
Manage Business Partner (Hosted)
S_CTS_ADMI (TABL)
BBPIV07
Edit Addresses
S_SPO_DEV BBPIV09
Process Supplier List
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL
Reassign Workload
BBP_PD_PO
BBP_PD_SC
BBP_PD_BID
BBP_PD_CTR
ACTVT=02
BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty
BBPPCO_WF
Display Changes
S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPPO01
Preselect Suppliers
S_XMB_AUTH (ACTVT: 03, 16; SXMBACTION: RUNTIME)
BBPPU02
BC_Z S_APPL_LOG (03)
BBPPU04
S_IDOCCTRL BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPVE01
BWSP
BWWF_WI_DECI
CRMD_ORDER
Purchasing Manager
SAP_BBP_STAL_PURCHASE_MANAGER
SAP_BBP_MULTI_PURCHASE_MANAGER
Operational Purchaser
SAP_EC_BBP_OP_PURCHASER
Create Public Templates
/SAPCND/CM (application: BBP; use: PR)
BBP_BID_DISP
SAP_BBP_STAL_OPERAT_PURCHASER
Confirm Goods / Services Centrally
BBP_PD_CNF (ACTVT: 01, 02, 03, 06, 33; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_CNF
Enter Invoice / Credit Memo
B_BUPR_BZT BBP_BID_EXTSO
Invoice Monitor
B_USERST_T BBP_BID_WF_CRE
Settings for Invoice Monitor
CRM_BUHI BBP_BID_WF_REV
Process Purchase Orders
BBP_PD_PO (ACTVT: 01, 02, 03, 06, 33, C4, C5; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Issue Purchase Orders
BBP BBP_PD_PO (ACTVT: 04; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Enter Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Process Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Assign Global Outline Agreement
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_WF
Process Bid Invitations
BBP_PD_CNF (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_MAIN
Process Bid as Substitute
BBP_PD_CTR (ACTVT=01, 02, 03; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Process Auctions
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Carry Out Sourcing
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTY=empty; BBP_PURGRP=empty; BBP_PURORG=empty)
BBP_PD_VL
Analysis SC per Cost Center
BBP_PD_QUO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_WF_REQ
Analysis SC per Product
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_PPF_CONT
Edit Addresses
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_QUO_WF_REV
Display Changes
M_BBP_PC (PCMAS_ACT=03, 04)
BBP_QUOT_DISP
Preselect Suppliers
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBP_TRIGG_MEN
S_ADMI_FCD (NADM)
BBPAVLDISP
S_BTCH_JOB (job action: RELE)
BBPCF07
S_CTS_ADMI (TABL)
BBPDIFF
S_SPO_DEV BBPIV07
S_USER_AGR (01, 02, 03, 22, 36, 64, 78; ACT_GROUP=empty)
BBPIV09
S_USER_GRP (01, 02, 03, 06, 22, 78; CLASS=empty)
BBPMAINAPP
S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPPCO_WF
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
BBPPO01
BC_Z S_APPL_LOG (03)
BBPPU02
S_IDOCCTRL BBPPU04
BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPVE01
BWSP
BWWF_WI_DECI
CRMD_ORDER
Strategic Purchaser: Process Bid Invitation
AAAB /SAPCND/CM (application: BBP; use: PR)
BACV BBP_AUC_SRM_EX
SAP_EC_BBP_ST_PURCHASER
Process Bid as Substitute
B_BUPA_RLT (RLTYP=000000, BBP000, BBP001, BBP003, BBP004, BBP005, BUP001, BUP002, BUP003, BUP004, BUP005, CRM007, CRM008)
BBP_LA_BIZAPI
BBP_BID_DISP
SAP_BBP_STAL_STRAT_PURCHASER
Process Auction
B_BUPR_BZT BBP_LA_MAINTENANCE
BBP_BID_EVAL
Process Global Outline Agreement
B_USERST_T BBPMAINAPP
BBP_BID_EXTSO
Process Contract
CRM_BUHI BBP_BID_WF_APP
Issue Contract
S_TCODE BBP_BID_WF_CRE
Perform Mass Changes
BBP BBP_BUDGET BBP_BID_WF_REV
Upload Contracts
BBP_CTR_2 (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTY: empty; BBP_SECTN: empty; BBP_SENSTV: empty)
BBP_CFOLDER
Download Contracts
BBP_FUNCT (BBP_FUNCT=BE_F4_HELP, CR_COMPANY, EVAL_VEND, CTR_NOV)
BBP_CTR_DISP
Change Suppliers in Contracts
BBP_PD_AUC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_DC
Purchase Order Evaluation per Contract
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_CR
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTY=empty; BBP_PURGRP=empty; BBP_PURORG=empty)
BBP_PD_VL
Process Supplier List
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTY=empty; BBP_PURGRP=empty; BBP_PURORG=empty)
BBP_PD_VL
Manage Business Partner Data
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Edit Addresses
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Reassign Workload
BBP_PD_PO, BBP_PD_SC, BBP_PD_BID, BBP_PD_CTR (ACTVT=02; BBP_PROCTY=empty; BBP_PURGRP=empty; BBP_PURORG=empty)
BBPPCO_WF
Preselect Suppliers
BBP_PD_QUO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_EDIT
BBP_PD_VL (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_WF_REQ
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_PPF
M_BBP_PC BBP_QUO_WF_REV
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBP_QUOT_DISP
S_ADMI_FCD (NADM)
BBP_QUOT_EXTWF
S_BTCH_JOB (job action: RELE)
BBPAVLDISP
S_CTS_ADMI (TABL)
BBPBWSC1
S_SPO_DEV BBPCF07
S_USER_AGR (01, 02, 03, 22, 36, 64, 78; ACT_GROUP=empty)
BBPCF09
S_USER_GRP (01, 02, 03, 06, 22, 78; CLASS=empty)
BBPDIFF
S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPIV07
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
BBPMAINAPP
S_DEVELOP BBPPCO_WF
BC_Z S_APPL_LOG (03)
BBPPO01
S_IDOCCTRL BBPPU02
BBPPU04
BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC07
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPSOCO01
BBPVE01
BWSP
BWWF_WI_DECI
CRMD_ORDER
T*
Content Manager: Import Product Master Hierarchies
AAAB /SAPCND/CM (application: BBP; use: PR)
COMM_ATTRSET
SAP_EC_BBP_CONTENT_MANAGER
Import Products
COM_ASET (ACTVT=01, 02, 03, 06)
COMM_PCAT_LOC
COMM_HIERARCHY
SAP_BBP_STAL_CONTENT_MANAGER
Process Products
COM_CAT (ACTVT=01, 02, 03)
CRM_PRD
COMM_PCAT_LOC
Activate Products
COM_HIER (ACTVT=01, 02, 03)
BBP_CT COMM_PCAT_PROFILE
Data Transfer from Product Master to Catalog
COM_IL (ACTVT=F370 01, 02, 03, 06; RELTYPE: PRDCTI, PRDCTN, PRDMPI, PRDMPN, PRDVND, PRDVNI)
Maintain Products in SUS
COM_PRD (01, 02, 03, 06)
Content Manager
COM_PRD_CT (01, 02, 03, 06)
S_ICF
S_RFC
S_TCODE
BC_A S_BTCH_JOB (job action: PLAN, RELE)
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
S_DATASET (ACTVT=33)
BC_Z S_APPL_LOG (ACTVT 03; ALG_OBJECT: COM_PRODUCT_CATALOG; ALG_SUBOBJ: EXPORT_XML)
Component Planner: Component Planning for Orders
AAAB S_TCODE / Standard only
SAP_EC_BBP_PLANNER
Component Planning for Projects
SAP_BBP_STAL_PLANNER
Change Settings
Components Planner
Internal Dispatcher: Confirm Goods / Services Centrally
AAAB S_TCODE / Standard only
SAP_BBP_STAL_RECIPIENT
Internal Dispatcher
BBP_PD_CNF (BBP_PROCTY=empty)
BBP_PD_CNF
SAP_BBP_MULTI_RECIPIENT
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
Accounts Payable Clerk
Enter Invoice / Credit Memo
AAAB S_TCODE / Standard only
SAP_EC_BBP_ACCOUNTANT
Invoice Monitor
S_ICF
SAP_BBP_STAL_ACCOUNTANT
Settings for Invoice Monitor
BBP BBP_FUNCT (BBP_FUNCT=BE_F4_HELP)
SAP_BBP_MULTI_ACCOUNTANT
Issue Document
BBP_PD_CNF (ACTVT: 03; BBP_PROCTY=empty)
Backend Posting (Hosted)
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
Bidder: Process Bid AAAB /SAPCND/CM (application: BBP; use: PR)
BACV BBP_CFOLDER
SAP_EC_BBP_BIDDER
Process User Data
B_BUPA_RLT BBP_CFOLDER
BBPGLOBAL
SAP_BBP_STAL_BIDDER
Alert Inbox B_BUPR_BZT BBP_FRAMEWORK
BBPMAINNEW
SAP_BBP_MULTI_BIDDER
S_PRO_AUTH (03)
BBP_LA_BIZAPI
BBPST01
S_RFC BBP_LA_MAINTENANCE
BBPVENDOR
S_TCODE BBPFAKEWP
BBPWI
BBP BBP_PD_AUC (ACTVT: 03; BBP_PROCTY=empty)
RFC1
BBP_PD_BID (ACTVT: 03; BBP_PROCTY=empty)
RSAN
BBP_PD_QUO (ACTVT=01, 02, 03, 33; BBP_PROCTY=empty)
SDIF
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2200, BUS2202, BUS2208)
SDIFRUNTIME
BC_A S_BTCH_ADM (BTCADMIN: empty)
SI17_V
S_TABU_DIS (03)
SKBW
BC_Z S_BDS_DS (ACTVT: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT)
SSCV
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
SU_USER
SURL
SUSO
SUSW
SWLWFIN
SWOR
SYST
SYSU
WP_USER_MENU
Supplier: Enter Delivery / Service
AAAB BBP_PD_CNF (ACTVT: 01, 03)
BBP_PD_CNF
SAP_EC_BBP_VENDOR
Enter Invoice / Credit Memo
B_BUPA_RLT BBP_FRAMEWORK
BBP_CFOLDER
SAP_BBP_STAL_VENDOR
Process User Data
B_BUPR_BZT BBPADDREXT
BBP_QUOT
SAP_BBP_MULTI_VENDOR
Edit Addresses
S_PRO_AUTH (03)
BBPFAKEWP
BBPGLOBAL
BBP_PD_INV (ACTVT: 01, 03; BBP_PROCTY=empty)
SDIFRUNTIME
BBPWI
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
SI17_V SWK1
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2203, BUS2205)
SKBW
BC_A S_TABU_DIS (03)
SSCV
BC_Z S_BDS_DS (ACTVT: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT)
SU_USER
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
SURL
SUSO
SUSW
SWLWFIN
SWOR
SYST
SYSU
WP_USER_MENU
Company Administrator (MarketSet): Process Local Accounting Data
AAAB S_TCODE BBPPU09
SAP_EC_BBP_COMPANY_ADMIN
Customizable Messages
BBP BBP_FUNCT (MON_ALERTS)
BBPSHOWVD
SAP_BBP_MULTI_COMPANY_ADMIN
Messages in XML
BBP_PD_SC (ACTVT: 01, 02, 03, 06; BBP_PROCTY=empty)
SYST
Define Impersonal Account
BC_A S_TABU_CLI
Process FI Backend
S_TABU_DIS (ACTVT: 02, 03)
Process Supplier Number in Backend
BC_C S_TRANSLAT (ACTVT: 02)
Process Tax Code
Monitor Shopping Cart
Administrator: Application Monitors
AAAB B_BUPA_ATT * *
SAP_BC_BMT_WFM_ADMIN Migration
SAP_EC_BBP_ADMINISTRATOR
Monitor Shopping Carts
B_BUPA_FDG
SAP_BBP_STAL_ADMINISTRATOR
Monitor Contract Distribution
B_BUPA_GRP
SAP_BBP_MULTI_ADMINISTRATOR
Monitor Business Partner
B_BUPA_RLT
Synchronization with Backend
B_BUPR_BZT
Manage User Data
B_BUPR_FDG
Edit Internal Addresses
B_CCARD
Manage Business Partners
COM_ASET
Edit External Addresses
CRM_BUHI
Edit Attributes
S_RFC
Administrator
S_TCODE
BBP BBP_BUYER
BBP_FUNCT
BBP_PD_AUC(03)
BBP_PD_BID(03)
BBP_PD_CNF(03)
BBP_PD_CTR(03)
BBP_PD_INV(03)
BBP_PD_PCO(03)
BBP_PD_PO (03)
BBP_PD_QUO(03)
BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06)
M_BBP_IM_1
M_BBP_PC
BC_A S_ADMI_FCD
S_ARCHIVE
S_BTCH_ADM
S_BTCH_JOB
S_BTCH_NAM
S_CTS_ADMI
S_DATASET
S_ENQUE
S_GUI
S_RZL_ADM
S_TABU_CLI
P_TCODE
Create Supplier (Dummy)
AAAB B_BUPR_BZT (ACTVT 01, 02, 03; RELTYP BUR010)
/ BBPMAINNEW
SAP_EC_BBP_CREATEVENDOR
S_TCODE
Create User (Dummy)
SAP_EC_BBP_CREATEUSER
AAAB B_BUPA_RLT / BBPAT03
S_TCODE BBPAT04
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
Subscribe Marketplace
Subscribe to EBP on Marketplace
AAAB B_BUPA_RLT ARFC BBPSUBSCRIBE
SAP_EC_BBP_SUBSCRIBE_MARKETPLC
S_RFC BBP_ATTR_ORG
S_TCODE BBP_ATTR_PD
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
BBP_FRAMEWORK
BBPFAKEWP
RFC1
RSAN
SDIFRUNTIME
SSCV
SUSW
SWOR
SYST
SYSU
SAP_BBP_CMS_CONTRACT_CREATOR
BBP_CMS; S_SERVICE
SAP_EC_BBP_EMPLOYEE
BBP_CMS; S_SERVICE
8.2 ABAP Roles for SAP SRM Server 6.0 (SUS)
Columns: Roles / Technical Names; Folder; Menu Option; Auth. Group; Authorization Objects
Order Processor Search
SAP_EC_SUS_ORDER_PROCESSOR
Purchase Orders All AAAB B_BUPA_ATT
New B_BUPA_FDG
Changed B_BUPA_GRP
In Process B_BUPA_RLT
Confirmed B_BUPR_BZT
Partially Confirmed S_TCODE (SICF)
Rejected S_RFC
Canceled by Customer
Administration Own Data BBP BBP_FUNCT
Messages Read Messages BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235; BBP_SUBTY: ' ')
BBP BBP_SUS_AC
BC_A S_ADMI_FCD (NADM)
S_ARCHIVE
S_USER_GRP (ACTVT: 02, 03, 05)
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
HR PLOG
SAR Processor Search
SAP_EC_SUS_SAR_PROCESSOR
Scheduling Agreement Releases
All AAAB B_BUPA_ATT
New B_BUPA_FDG
Delivery Block B_BUPA_GRP
In Process B_BUPA_RLT
B_BUPR_BZT
S_TCODE (SICF)
S_RFC
Administration Own Data BBP BBP_FUNCT
Messages Read Messages BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235; BBP_SUBTY: SR)
BBP BBP_SUS_AC
BC_A S_ADMI_FCD (NADM)
S_ARCHIVE
S_USER_GRP (ACTVT: 02, 03, 05)
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
HR PLOG
Invoicer Search
SAP_EC_SUS_INVOICER
Purchase Orders All AAAB B_BUPA_ATT
Changed B_BUPA_FDG
In Process B_BUPA_GRP
Confirmed B_BUPA_RLT
Partly Confirmed B_BUPR_BZT
S_TCODE (SICF)
Confirmations Canceled S_RFC
In Process
Completion Reported
Rejected
All
In Process
Approved
Notifications from Purchaser
Goods Receipt - All
Goods Receipt - New
Cancellation of Goods Receipt - All
Cancellation of Goods Receipt - New
Return Delivery - All
Return Delivery - New
Shipping Notifications
All
Sent
Invoices and Credit Memos
All
In Process BBP BBP_FUNCT
Document Sent BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2234, BUS2235; BBP_SUBTY: ' ', 'CA', 'CF', 'RT', 'SR')
Approved BC_A S_ADMI_FCD (NADM)
Rejected S_USER_GRP (ACTVT: 02, 03, 05)
Create Invoice S_ARCHIVE
Administration Own Data BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
Messages Read Messages HR PLOG
BBP BBP_SUS_AC
Supplier Preselect Search
SAP_EC_SUS_ROS_PROCESSOR
Manage Business Partners
Transfer Supplier AAAB B_BUPA_ATT
Preselect Suppliers B_BUPA_FDG
Supplier Monitor B_BUPA_GRP
B_BUPA_RLT
B_BUPR_BZT
S_RFC
S_TCODE
BBP BBP_SUS_AC
BC_A S_ADMI_FCD
S_USER_AGR
S_USER_GRP
S_USER_PRO
HR PLOG
Dispatcher Search
SAP_EC_SUS_DISPATCHER
Purchase Orders All AAAB B_BUPA_ATT
New
Changed
In Process
Confirmed
Partly Confirmed
Shipping Notifications
All B_BUPA_FDG
In Process B_BUPA_GRP
Sent B_BUPA_RLT
Notifications from Purchaser
Goods Receipt - All S_RFC
Goods Receipt - New
Cancellation of Goods Receipt - All
Cancellation of Goods Receipt - New
Return Delivery - All
Return Delivery - New
Administration Own Data B_BUPR_BZT
Messages Read Messages S_TCODE (SICF)
BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2235; BBP_SUBTY: ' ', CA, CF, RT)
BBP BBP_SUS_AC
BC_A S_ADMI_FCD (NADM)
S_USER_GRP (ACTVT: 02, 03, 05)
S_ARCHIVE
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
HR PLOG
Service Agent Search
SAP_EC_SUS_SERVICE_AGENT
Purchase Orders Confirmed AAAB B_BUPA_ATT
In Process
Partly Confirmed
Confirmations All B_BUPA_FDG
In Process B_BUPA_GRP
Completion Reported
S_RFC
Cancelled B_BUPA_RLT
Approved B_BUPR_BZT
Rejected S_TCODE (SICF)
Administration Own Data BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2233, BUS2235; BBP_SUBTY: ' ')
Messages Read Messages BC_A S_ADMI_FCD (NADM)
S_USER_GRP (ACTVT: 02, 03, 05)
S_ARCHIVE
BBP BBP_SUS_AC
HR PLOG
Service Manager
SAP_EC_SUS_MANAGER
Evaluations AAAB
S_TCODE (SICF)
S_RFC
BC_A S_ADMI_FCD (NADM)
BBP BBP_SUS_AC
BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
Supplier Administrator
Search
SAP_EC_SUS_ADMIN_VENDOR
Administration Create User AAAB B_BUPA_ATT
Find User B_BUPA_FDG
Own Data B_BUPA_GRP
Company Data B_BUPA_RLT
Customer List B_BUPR_BZT
Messages Read Messages S_TCODE (SICF, SU01)
BBP BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
BC_A S_ADMI_FCD (NADM)
S_USER_AGR
S_USER_GRP
S_USER_PRO
BBP BBP_SUS_AC
HR PLOG
Purchaser Administrator
Search
SAP_EC_SUS_ADMIN_PURCHASER
Administration Create User AAAB B_BUPA_ATT
Find User B_BUPA_FDG
Own Data B_BUPA_GRP
Find Supplier B_BUPA_RLT (ACTVT: 01, 02, 03)
Notifications from Purchaser
Goods Receipt - All B_BUPR_BZT
Goods Receipt - New
S_TCODE (BBP_SUS_BP_ADM, SICF, SU01)
S_RFC
Cancellation of Goods Receipt - All
BBP BBP_SUS_P2 (ACTVT: 02, 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: *)
Cancellation of Goods Receipt - New
BC_A S_ADMI_FCD (NADM)
Return Delivery - All S_USER_AGR
Return Delivery - New
S_USER_GRP
S_ARCHIVE
Purchase Orders All S_USER_PRO
New BBP BBP_SUS_AC
Changed HR PLOG
In Process
Confirmed
Partly Confirmed
Rejected
Canceled by Customer
Shipping Notifications
All
In Process
Sent
Confirmations All
In Process
Completion Reported
Approved
Rejected
Canceled
Invoices and Credit Memos
All
In Process
Document Sent
Approved
Rejected
Messages Process Messages
Read Messages
Bidder Search
SAP_EC_SUS_BIDDER Bid Invitations AAAB S_TCODE (SICF)
S_RFC
BC_A S_ADMI_FCD (NADM)
BBP BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
BBP BBP_SUS_AC
8.3 ABAP Authorization Objects for SAP SRM Server 6.0 (Category Management)
No roles are delivered for Category Management. Authorization is controlled through the delivered authorization object BBP_CM_OBJ, which must be configured and assigned to existing roles (or users).
Assign the authorization object BBP_CM_OBJ to the relevant roles. The object has two parameters:
Object Type: the Program (PROG), Methodology (METH) or Initiative (INIT) the authorization applies to.
Activity: the authorizations Create or Generate, Change, and Display for those object types.
For details, refer to the Solution Manager section under SAP Solution Manager -> Solutions/Applications -> SAP SRM -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for Category Management -> Backend Configuration -> Assigning Backend Authorizations.
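BBP_CM_OBJ is evaluated like every other ABAP authorization object: the check passes only if a single authorization instance of the object, from any of the user's roles, permits every requested field value at once; field values are never combined across two instances. The Python model below is an added example, not code from the SAP guide, and makes that rule concrete. The field names CM_OBJTYP and ACTVT, the Z_* role names and their value assignments are assumptions; the page only says that the object has an object-type parameter (PROG, METH, INIT) and an activity parameter, and the standard ACTVT codes 01 (create), 02 (change) and 03 (display) stand in for the latter. Value ranges (LOW/HIGH) and deactivated authorizations are left out.

```python
"""Model of the ABAP AUTHORITY-CHECK evaluation, applied to BBP_CM_OBJ.

Added example, not SAP code. Field names CM_OBJTYP and ACTVT, the Z_* role
names and their value assignments are assumptions; value ranges (LOW/HIGH)
and deactivated authorizations are not modelled.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization instance of an object: all of its fields must match."""
    obj: str
    values: dict  # field name -> tuple of permitted single values ('*' = all)


def value_permits(permitted: str, requested: str) -> bool:
    """Single-value match as maintained in PFCG: exact, full '*', or trailing '*'."""
    if permitted == "*":
        return True
    if permitted.endswith("*"):
        return requested.startswith(permitted[:-1])
    return permitted == requested


def instance_permits(auth: Authorization, obj: str, request: dict) -> bool:
    """AND across fields: this one instance must permit every requested field."""
    if auth.obj != obj:
        return False
    return all(
        any(value_permits(p, req) for p in auth.values.get(fld, ()))
        for fld, req in request.items()
    )


def authority_check(auths, obj: str, **request) -> bool:
    """OR across instances: the check passes if any single instance covers all fields.

    Values are never combined across instances, which is why a role granting
    (INIT, 01..03) plus a role granting (*, 03) does not yield (PROG, 01).
    """
    return any(instance_permits(a, obj, request) for a in auths)


# Constructed sample roles (assumed names and values, not SAP-delivered roles).
ROLES = {
    "Z_CM_DISPLAY": [
        Authorization("BBP_CM_OBJ", {"CM_OBJTYP": ("*",), "ACTVT": ("03",)}),
    ],
    "Z_CM_INITIATIVE_OWNER": [
        Authorization("BBP_CM_OBJ", {"CM_OBJTYP": ("INIT",), "ACTVT": ("01", "02", "03")}),
    ],
}


def user_authorizations(role_names):
    """A user's authorizations are the union of the instances of all assigned roles."""
    return [auth for name in role_names for auth in ROLES[name]]


def main():
    auths = user_authorizations(["Z_CM_DISPLAY", "Z_CM_INITIATIVE_OWNER"])
    for objtyp, actvt in [("PROG", "03"), ("INIT", "02"), ("PROG", "02"), ("METH", "01")]:
        ok = authority_check(auths, "BBP_CM_OBJ", CM_OBJTYP=objtyp, ACTVT=actvt)
        print(f"BBP_CM_OBJ CM_OBJTYP={objtyp} ACTVT={actvt}: {'granted' if ok else 'denied'}")


if __name__ == "__main__":
    main()
```

Run it directly to see the four sample checks. The third case (PROG with ACTVT 02) is denied even though one role grants ACTVT 02 and the other grants object type PROG, which is the behaviour to keep in mind when the Category Management authorization is split across several existing roles as this section suggests.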
8.4 Portal Roles (for NetWeaver Portal 7.0)
Columns: Portal Role; Top Level Entry; iView; iView Transaction Code; Component
Employee Self-Service
Employee Self-Services
Shop: Appl. wda_l_fp_gaf; Appl. Parameter sapsrm_mode=CREATE&sapsrm_botype=BUS2121&sapsrm_portalbaseurl=<Portal.BaseURL>&sapsrm_pcdlocation=<IView.ID>; Config. /SAPSRM/WDAC_GAF_SC EBP
Check Status: Appl. Powl; Appl. Parameter APPLID=SAPSRM_E_CHECKSTATUS; Config. /SAPSRM/WDA_POWL_SC EBP
Manager Home Cost Center Overview CMD=LDOC&INFOCUBE=0SR_C02&QUERY=0SR_C02_Q0002&VARIABLE_SCREEN=X BI
PO Val per Requester CMD=LDOC&INFOCUBE=0SR_C02&QUERY=0SR_C02_Q0001&VARIABLE_SCREEN=X BI
Purchase Values per Order CMD=LDOC&INFOCUBE=0BBP_C02&QUERY=0BBP_C02_Q009&VARIABLE_SCREEN=X BI
Info CMD=LDOC&INFOCUBE=0BBP_SC&QUERY=0BBP_SC_Q014&VARIABLE_SCREEN=X BI
Approved CMD=LDOC&INFOCUBE=0BBP_SCA&QUERY=0BBP_SCA_Q002&VARIABLE_SCREEN=X BI
Purchasing Assistant
Purchasing My Purchasing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_PA_PURCHASING; Config. /SAPSRM/WDA_POWL EBP
Process Public Templates BBPSC05 EBP
Confirm Goods / Services Centrally BBPCF03 EBP
Enter Invoice / Credit Memo Centrally BBPIV03 EBP
Preselect Supplier /sap/ros_prescreen/main.do SUS
Operational Purchaser
Home Open Approvals: Confirmations CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q010&VARIABLE_SCREEN=X BI
Overview of Return Deliveries CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q013&VARIABLE_SCREEN=X BI
Contract Usage cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_CT_Q004 BI
Status of Documents CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q007&VARIABLE_SCREEN=X BI
Status CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q007&VARIABLE_SCREEN=X BI
per Order No with Items CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q008&VARIABLE_SCREEN=X BI
Accepted Quantities per Order and Item CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q010&VARIABLE_SCREEN=X BI
Status CMD=LDOC&INFOCUBE=0BBP_SC&QUERY=0BBP_SC_Q007&VARIABLE_SCREEN=X BI
Pending Shopping Carts cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_SC_Q004_V02 BI
Shopping Cart per Cost Center bbp_bw_sc4 EBP
Shopping Cart per Product bbp_bw_sc3 EBP
Purchasing My Purchasing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_OP_PURCHASING; Config. /SAPSRM/WDA_POWL EBP
Carry Out Sourcing: Appl. wda_l_fp_gaf; Appl. Parameter sapsrm_mode=CREATE&sapsrm_botype=AOBSOCO&sapsrm_portalbaseurl=<Portal.BaseURL>&sapsrm_pcdlocation=<IView.ID>; Config. /SAPSRM/WDAC_L_FP_GAF_SOCO EBP
Issue Purchase Order BBP_PPF EBP
Process Public Templates BBPSC05 EBP
Confirm Goods / Services Centrally BBPCF03 EBP
Enter Invoice / Credit Memo Centrally BBPIV03 EBP
My Sourcing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_OP_Sourcing; Config. /SAPSRM/WDA_POWL EBP
Preselect Supplier sap/ros_prescreen/main.do SUS
Edit Addresses BBPADDRINTV EBP
Display Changes BBP_SUPP_MONI EBP
My Invoicing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_OP_INVOICING; Config. /SAPSRM/WDA_POWL EBP
Invoice Monitor Appl. bbp_inv_main EBP
Settings for Invoice Monitor Appl. bbp_iv_ims_cust EBP
Strategic Purchaser
Home ABC Analysis for Suppliers (Lorenz Curve) CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0007&VARIABLE_SCREEN=X BI
Top 15 Suppliers CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0004&VARIABLE_SCREEN=X BI
Invoice Value per Supplier and G/L Account in Period CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0001&VARIABLE_SCREEN=X BI
Net Invoice Volume w/wo PO Ref CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0002&VARIABLE_SCREEN=X BI
Pareto Analysis According to PO Vol CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0004&VARIABLE_SCREEN=X BI
Procurement Value Analysis CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0001&VARIABLE_SCREEN=X BI
Procurement Values According to UNSPSC Code CMD=LDOC&INFOCUBE=0BBP_C01&QUERY=0SR_MC01_Q0008&VARIABLE_SCREEN=X BI
Spend Analysis CMD=LDOC&INFOCUBE=0BBP_C01&QUERY=0SR_FIC01_Q0001&VARIABLE_SCREEN=X BI
Analysis Report: Supplier Evaluation CMD=LDOC&INFOCUBE=0SR_VE_C1&QUERY=0SR_VE_C1_Q013&VARIABLE_SCREEN=X BI
Cobweb Diagram Supplier Scores CMD=LDOC&INFOCUBE=0SR_VE_C1&QUERY=0SR_VE_C1_Q010&VARIABLE_SCREEN=X BI
Supplier Portfolio with PO Value and Overall Score CMD=LDOC&INFOCUBE=0SR_VE_M1&QUERY=0SR_VE_M1_Q001&VARIABLE_SCREEN=X BI
Supplier Portfolio Analysis cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_PORTFOLIO BI
Top and Bottom Supplier cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_TOPVENDORS BI
Contract Details CMD=LDOC&INFOCUBE=0SRCT_DS1&QUERY=0SRCT_DS1_Q003&VARIABLE_SCREEN=X BI
Expiring Contracts CMD=LDOC&INFOCUBE=0SRCT_DS1&QUERY=0SRCT_DS1_Q004&VARIABLE_SCREEN=X BI
Maverick Buying Analysis CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0002&VARIABLE_SCREEN=X BI
Contract Analysis cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_CT_Q003 BI
Price Trend Analysis per Product CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0005&VARIABLE_SCREEN=X BI
Workload per Purchasing Group CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0003&VARIABLE_SCREEN=X BI
Relationship Analysis cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_C01_Q03032 BI
Supplier Profile cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_PROFILE BI
Strategic Purchasing
My Sourcing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_SP_Sourcing; Config. /SAPSRM/WDA_POWL EBP
My Contract Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_SP_CONTRACTMANAGEMENT; Config. /SAPSRM/WDA_POWL EBP
Issue Contract BBP_PPF_CONT EBP
My Business Partner Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_SP_BUSINESSPARTNER; Config. /SAPSRM/WDA_POWL EBP
Process Supplier List BBPAVLMAINT EBP
Manage Business Partners BBPMAININT EBP
Edit Addresses BBPADDRINTV EBP
Preselect Supplier sap/ros_prescreen/main.do SUS
Display Changes BBP_SUPP_MONI EBP
SRM Component Planner
Component Planning
Component Planning for Orders BBPOR01 EBP
Component Planning for Projects BBPPS01 EBP
Goods Recipient Home Open Item Analysis CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1_Q002&VARIABLE_SCREEN=X BI
Delayed Delivery CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1_Q009&VARIABLE_SCREEN=X BI
Deadline Monitoring - Current Values for Req. Delivery Date CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1_Q013&VARIABLE_SCREEN=X BI
Confirmation Document Overview CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q2001&VARIABLE_SCREEN=X BI
Central Confirmation
My Central Confirmation Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_R_CENTRALCONFIRMATION; Config. /SAPSRM/WDA_POWL EBP
Confirm Goods / Services Centrally BBPCF03 EBP
Find Goods Recipient BBP_PM01 EBP
Invoicer Home Excessive Invoices CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q3002&VARIABLE_SCREEN=X BI
Invoice Document Overview CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q3001&VARIABLE_SCREEN=X BI
Invoice Status CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_Q007&VARIABLE_SCREEN=X BI
Invoice Analysis cmd=ldoc&TEMPLATE_ID=0TPL_BBP_DS1_Q002 BI
Open Items (Invoices) CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1_Q004&VARIABLE_SCREEN=X BI
Variance Invoice Val/Order Val CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1_Q006&VARIABLE_SCREEN=X BI
Contract CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_Q012&VARIABLE_SCREEN=X BI
Invoice Number with Items CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_Q008&VARIABLE_SCREEN=X BI
Product/Product Cat CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_Q006&VARIABLE_SCREEN=X BI
Supplier CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_Q002&VARIABLE_SCREEN=X BI
Invoicing My Invoicing Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_I_INVOICING; Config. /SAPSRM/WDA_POWL EBP
Invoice Monitor Appl. bbp_inv_main EBP
Settings for Invoice Monitor Appl. bbp_iv_ims_cust EBP
Enter Invoice / Credit Memo Centrally BBPIV03 EBP
Issue Document BBP_TRIGG EBP
Backend Posting (Hosted) BBPBC1 EBP
SRM Administrator SRM Administration
Application Monitor BBPADM_Cockpit EBP
Monitor Shopping Carts BBP_MON_SC EBP
Monitor Contract Distribution BBP_CTR_MON EBP
Monitor Business Partner BBP_SUPP_MONI EBP
Manage Business Partners BBPMAININT EBP
Manage Employee Data BBPUM01 EBP
Edit External Addresses BBPADDRINTV EBP
Edit Internal Addresses BBPADDRINTC EBP
Edit Attributes BBPATTRMAINT EBP
Synchronization with Backends BBP_CLEANER EBP
General Attributes PPOMA_BBP EBP
Invoicer Invoicing
Invoice BBPIV09/!?subtype=IV EBP
Credit Memo BBPIV09/!?subtype=CM EBP
Subsequent Credit BBPIV09/!?subtype=SC EBP
Subsequent Debit BBPIV09/!?subtype=SD EBP
Invoice/Credit Memo BBPIV03 EBP
Invoice Management ABAP Web Dynpro: bbp_inv_main EBP
Invoice Post Processing MIR4 ECC
Document Overview BSP_APPLICATION:SRM_DOC_LIST/doc_overview.htm EBP
Document Quick Access BSP_APPLICATION:SRM_DOC_QUICKAC/quickaccess.htm EBP
Excessive Invoice Document 0TPLI_0SR_MC02_Q3002 BI
Report Overview Java Web Dynpro: mss~lpa/ReportLaunchpadApp?role=IVC&instance=REP ECC
Supplier Order Collaboration
My Order Collaboration Documents: Appl. Powl; Appl. Parameter APPLID=SAPSRM_S_ORDERCOLLABORATION; Config. /SAPSRM/WDA_SRM_S_COLLAB EBP
Process User Data BBPMAINEXT EBP
Edit Addresses BBPADDREXT EBP
Confirmation Information TEMPLATE_ID=0BBP_CONF_SP_Q001 BI
PO History TEMPLATE_ID=0BBP_DS1_SP_Q001 BI
Open Deliveries TEMPLATE_ID=0BBP_DS1_SP_Q002 BI
Open Invoices TEMPLATE_ID=0BBP_DS1_SP_Q003 BI
PO Information TEMPLATE_ID=0BBP_PO_SP_Q001 BI
Contract History TEMPLATE_ID=0BBP_PO_SP_Q003 BI
Bidder Bid Invitations and Auctions
Bid Overview: Appl. Powl; Appl. Parameter APPLID=SAPSRM_B_RFXANDAUCTIONS; Config. /SAPSRM/WDA_POWL EBP
Category Management
Administrator (com.sap.pct.srm.cm.administrator)
Category Management (com.sap.pct.srm.cm.category_management)
Administrator Work Center com.sap.pct.srm.cm.administrator_work_center SRM-CM
Application Configuration Check com.sap.pct.srm.cm.application_config_check SRM-CM
Category Manager (com.sap.pct.srm.cm_category_manager)
CategoryManagement(com.sap.pct.srm.cm.category_man
agement)
CM Work Center com.sap.pct.srm.cm.cm_work _center
SRM-CM
Chief ProcurementOffice(com.sap.pct.srm.cm.chief_procurement_officer)
CategoryManagement(com.sap.pct.srm.cm.category_management)
CPO Work Center com.sap.pct.srm.cm.cpo_work _center
SRM-CM
All other roles are "supported roles" (showcase roles, with the suffix "_showcase", that the customer can use for a normal implementation).
8.5 Changes to the Authorization Check
The following authorization objects have been extended or newly created for SAP SRM 6.0:

| Authorization Object | Technical Name | New or Extended (Description) |
|---|---|---|
| Purchasing contract | BBP_PD_CTR | Extended with: 33 (Read attachments), C4 (Clear documents), C5 (Change cleared documents), G7 (Cancel attachments) |
| Purchasing contract | BBP_CTR_2 | New: authorization object for use of the extended contract authorization (in addition to, not as an alternative to, BBP_PD_CTR). Activate the extended contract authorization in Customizing. For more information, see the Implementation Guide (IMG) for Supplier Relationship Management: SRM Server → Cross-Application Basic Settings → Activate Extended Authorizations for Contracts. |
| Auction | BBP_PD_AUC | Extended with: 33 (Read attachments), 45 (Allow substitute for a bidder), 69 (Reset), 74 (Allow/block bidder), A3 (Start/Pause/Continue), C5 (Change public auctions), G7 (Cancel attachments), PA (Extend validity), PU (Publish) |
| Bid invitation | BBP_PD_BID | Extended with: 33 (Read attachments), C5 (Change public bid invitations), G7 (Cancel attachments), PU (Publish) |
| SUS Action | BBP_SUS_AC | New: User authorization per SUS action |
| Functions | BBP_FUNCT | Extended with: CTR_NOV (Mass transfer of a supplier into all relevant contracts), PO_NOV (Mass transfer of a supplier into all relevant purchase orders), GLOB_ACCSS (SUS: Confirm purchase orders of other users) |
| Bid | BBP_PD_QUO | Extended with: 33 (Read attachments), 75 (Accept), G7 (Cancel attachments) |
| Purchase order response | BBP_PD_PCO | Extended with: G7 (Cancel attachments) |
| Purchase order | BBP_PD_PO | Extended with: 33 (Read attachments), C4 (Clear documents), C5 (Change cleared documents), G7 (Cancel attachments) |
| Confirmation | BBP_PD_CNF | Extended with: 33 (Read attachments), G7 (Cancel attachments) |
| Shopping cart | BBP_PD_SC | Extended with: 33 (Read attachments), G7 (Cancel attachments), SO (Process in Sourcing) |
| Supplier list | BBP_PD_VL | Extended with: G7 (Cancel attachments) |
| Invoice | BBP_PD_INV | Extended with: 33 (Read attachments), 36 (Process exceptions), G7 (Cancel attachments) |
| SUS documents [new] | BBP_SUS_P2 | New: Replaces BBP_SUS_PD and allows more detailed assignment of authorizations through a combination of document type and subtype. |
| Object Authorization for Category | BBP_CM_OBJ | New: Authorization object for Category Management. For more information, refer to the Solution Manager under: SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for Category Management → Backend Configuration → Assigning Backend Authorizations. |
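When an upgrade adds activities to existing authorization objects, roles that already carry a full authorization (`*`) on those objects silently gain the new activities, and roles that were built around a replaced object keep working until the old object is retired. The script below is an added example, not SAP code and not a PFCG or transport format: it reads a constructed flat export with one `ROLE;OBJECT;VALUE` line per granted value, encodes the object names and activity values from the table above, and reports, per role, new activities granted explicitly or via wildcard, new objects present, the replaced object BBP_SUS_PD, and roles that carry BBP_CTR_2 without BBP_PD_CTR (the table states the former is used in addition to the latter). Role names and values in SAMPLE_EXPORT are invented for the demonstration.

```python
"""Review role authorizations against the SAP SRM 6.0 authorization-object changes.

Added example, not SAP code. The input is a constructed flat export with
one 'ROLE;OBJECT;VALUE' line per granted value; it is not a real PFCG or
transport format. The object names and activity values come from the
guide's table above.
"""
from collections import defaultdict

# Activities or function values added to existing objects in SAP SRM 6.0.
NEW_VALUES = {
    "BBP_PD_CTR": {"33", "C4", "C5", "G7"},
    "BBP_PD_AUC": {"33", "45", "69", "74", "A3", "C5", "G7", "PA", "PU"},
    "BBP_PD_BID": {"33", "C5", "G7", "PU"},
    "BBP_FUNCT": {"CTR_NOV", "PO_NOV", "GLOB_ACCSS"},
    "BBP_PD_QUO": {"33", "75", "G7"},
    "BBP_PD_PCO": {"G7"},
    "BBP_PD_PO": {"33", "C4", "C5", "G7"},
    "BBP_PD_CNF": {"33", "G7"},
    "BBP_PD_SC": {"33", "G7", "SO"},
    "BBP_PD_VL": {"G7"},
    "BBP_PD_INV": {"33", "36", "G7"},
}
# Objects that did not exist before SAP SRM 6.0.
NEW_OBJECTS = {"BBP_CTR_2", "BBP_SUS_AC", "BBP_SUS_P2", "BBP_CM_OBJ"}
# Objects the guide says are replaced.
REPLACED = {"BBP_SUS_PD": "BBP_SUS_P2"}


def parse_export(text):
    """Parse 'ROLE;OBJECT;VALUE' lines into {(role, object): set(values)}."""
    grants = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, obj, value = (part.strip() for part in line.split(";"))
        grants[(role, obj)].add(value)
    return grants


def review_role(role, grants):
    """Return (kind, object, detail) findings for one role, in object order."""
    findings = []
    objects = sorted(obj for (r, obj) in grants if r == role)
    for obj in objects:
        values = grants[(role, obj)]
        if obj in NEW_VALUES:
            if "*" in values:
                # A full authorization silently grows to cover the new activities.
                findings.append(("wildcard", obj, sorted(NEW_VALUES[obj])))
            else:
                granted_new = sorted(values & NEW_VALUES[obj])
                if granted_new:
                    findings.append(("new-activity", obj, granted_new))
        if obj in NEW_OBJECTS:
            findings.append(("new-object", obj, sorted(values)))
        if obj in REPLACED:
            findings.append(("legacy", obj, REPLACED[obj]))
    if "BBP_CTR_2" in objects and "BBP_PD_CTR" not in objects:
        # BBP_CTR_2 is used in addition to BBP_PD_CTR, not instead of it.
        findings.append(("inconsistent", "BBP_CTR_2", "BBP_PD_CTR missing"))
    return findings


def review(text):
    """Map each role in the export to its findings (empty list = nothing to review)."""
    grants = parse_export(text)
    return {role: review_role(role, grants) for role in sorted({r for (r, _) in grants})}


# Constructed sample export; role names and values are invented for the demo.
SAMPLE_EXPORT = """\
# ROLE;OBJECT;VALUE
Z_SRM_BUYER;BBP_PD_PO;01
Z_SRM_BUYER;BBP_PD_PO;02
Z_SRM_BUYER;BBP_PD_PO;G7
Z_SRM_BUYER;BBP_PD_SC;*
Z_SRM_CONTRACT;BBP_CTR_2;01
Z_SRM_SUS_ADMIN;BBP_SUS_PD;*
Z_SRM_SUS_ADMIN;BBP_SUS_P2;01
Z_SRM_VIEWER;BBP_PD_INV;03
"""

if __name__ == "__main__":
    for role, findings in review(SAMPLE_EXPORT).items():
        print(role, "OK" if not findings else "")
        for kind, obj, detail in findings:
            print(f"  [{kind}] {obj}: {detail}")
```

The checks flag roles for review rather than deciding for you: a wildcard on BBP_PD_SC may be intended, but after the upgrade it also covers SO (Process in Sourcing), which is exactly the kind of grant that should be a conscious decision.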
9 Appendix
9.1 Data Privacy Statement
In the SRM system, personal user data, such as the name and address, is saved in the user master record. To comply with legal requirements, functionality is available that only allows this user data to be saved and used if the affected user actively consents. This occurs via the display of a text on the relevant interfaces: the user must select a checkbox at the end of the text before the data can be saved. The checkbox is not initially set.
In some countries, depending on the applicable legal regulations, explicit written consent from external partners, such as suppliers, may be necessary.
You can activate the data privacy function for the following services:
Supplier Registration (SRM) and Supplier Registration (SUS)
In these cases the supplier, as an external user, must check the box to allow the supplier data to be saved.
Business Partner Maintenance (SRM) and User Maintenance (SUS)
The internal processor checks the box and thus confirms that the external user, whose data is being processed, is aware of and consents to the data being saved.
Customizing
To make the Customizing settings for the data privacy statement for SRM, see the Implementation Guide (IMG) for Supplier Relationship Management: SRM Server → Master Data → Business Partner → Specify Data Privacy Settings for Vendors.
To make the Customizing settings for SUS, see the IMG for Supplier Relationship Management: Supplier Self-Services → Settings for the User Interface → Data Privacy Settings for Suppliers.
In these Customizing tables you can activate or deactivate the data privacy function and define the technical names of the texts to be displayed.
The texts that are displayed to the external user on self-registration and to the internal user when maintaining business partners are predefined in the system as General Texts. You can use transaction SE61 to copy them and modify them to suit your requirements.
9.2 Virus Checking of Document Attachments
SRM lets you run documents that you attach to SRM documents through a virus scanner before they are stored in the database.
You must have a virus scanner installed and configured correctly. For more information, see SAP Implementation Guide → SAP Web Application Server → System Administration → Virus Scanner Interface.
The virus scanning functions in SRM are activated when you implement BAdI BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains a structure that is used in SRM for storage of attachments. The field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part of the attachment (where the actual file is stored). Viruses are dealt with in the implementation. For example, the data part is deleted.
An implementation of the function BBP_PD_MSG_ADD is also important. The messages from this function are transferred to the user interface.
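The flow above, as an added Python model rather than ABAP or SAP's own BBP_ATT_VIRSCAN implementation: the field names PHIO_FNAME and PHIO_CONTENT and the message function BBP_PD_MSG_ADD are from the text; the scanner (a constructed marker in place of a call to the Virus Scan Interface), the row size, the message log and the sample attachments are constructed for the example. It also shows the one implementation detail that matters when the content field is tabular: the rows must be reassembled before scanning, because a signature that straddles a row boundary is invisible to a row-by-row scan.

```python
"""Model of the attachment virus check described for BAdI BBP_ATT_CHECK.

Added example in Python; it is neither ABAP nor SAP's BBP_ATT_VIRSCAN
implementation. The field names PHIO_FNAME and PHIO_CONTENT and the
message function BBP_PD_MSG_ADD are from the guide; the scanner, the
row size, the message log and the sample data are constructed stand-ins.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Attachment:
    """The part of the BAdI structure the check works on."""
    PHIO_FNAME: str            # file name
    PHIO_CONTENT: List[bytes]  # tabular field: the file body split into rows

    def data(self) -> bytes:
        """Reassemble the file from its rows before scanning."""
        return b"".join(self.PHIO_CONTENT)


@dataclass
class MessageLog:
    """Stand-in for the messages BBP_PD_MSG_ADD hands to the user interface."""
    messages: List[str] = field(default_factory=list)

    def add(self, msg_type: str, text: str) -> None:
        self.messages.append(f"{msg_type}: {text}")


# Constructed marker that the constructed scanner treats as "infected".
# A real implementation calls the NetWeaver Virus Scan Interface instead.
TEST_MARKER = b"SRM-GUIDE-EXAMPLE-INFECTED-MARKER"


def constructed_scanner(data: bytes) -> bool:
    """Return True when the data is to be treated as infected."""
    return TEST_MARKER in data


def split_rows(data: bytes, row_size: int) -> List[bytes]:
    """Split a file body into fixed-size rows, as a tabular content field would hold it."""
    return [data[i:i + row_size] for i in range(0, len(data), row_size)]


def check_attachment(att: Attachment, scanner: Callable[[bytes], bool], log: MessageLog) -> bool:
    """Scan the reassembled file; on a hit, delete the data part and report it.

    Returns True when the attachment may be stored in the database.
    """
    if scanner(att.data()):
        att.PHIO_CONTENT.clear()  # the guide's example: the data part is deleted
        log.add("E", f"{att.PHIO_FNAME}: virus found, attachment content removed")
        return False
    log.add("S", f"{att.PHIO_FNAME}: virus scan passed")
    return True


def naive_row_scan(att: Attachment, scanner: Callable[[bytes], bool]) -> bool:
    """Pitfall for comparison: scanning rows one by one misses a signature that
    straddles a row boundary. Returns True if any single row triggers the scanner."""
    return any(scanner(row) for row in att.PHIO_CONTENT)


# Constructed sample attachments.
CLEAN = Attachment("quotation.pdf", split_rows(b"%PDF-1.4 constructed clean content\n" * 20, 64))
# The marker starts at byte 60, so with 64-byte rows it spans rows 0 and 1.
INFECTED = Attachment("offer.doc", split_rows(b"A" * 60 + TEST_MARKER + b"B" * 60, 64))

if __name__ == "__main__":
    log = MessageLog()
    for att in (CLEAN, INFECTED):
        print(att.PHIO_FNAME, "stored" if check_attachment(att, constructed_scanner, log) else "rejected")
    print("\n".join(log.messages))
```

Run stand-alone, the script stores quotation.pdf, rejects offer.doc with its content cleared, and prints the two messages a BBP_PD_MSG_ADD implementation would pass on to the user.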
9.3 Additional Related Guides

| Area/Topic | Guide/Documentation | Link |
|---|---|---|
| SRM | SRM Master Guide | service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0 → Master Guide - SAP SRM |
| SRM-MDM Catalog | SRM-MDM Catalog configuration information | SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for SRM-MDM Catalog (Catalog Content Management) |
| LAC | SRM 6.0 - Installation Documentation | service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0 → Installation Documentation - SRM 6.0 |
| Category Management | Configuration Guide for SAP SRM Category Management | SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for Category Management |
| Duet | Duet for Microsoft Office and SAP Guides | service.sap.com/instguides → SAP xApps → Duet → Duet 1.0 → Duet 1.0: SAP Administration Guide / SAP Installation Guide / SAP Master Guide / SAP Operations Guide |

You can find more guides related to the SAP NetWeaver platform on SAP Service Marketplace at service.sap.com/instguides → SAP NetWeaver → Release 2004s.
You can find SRM-related guides on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0.
9.4 Additional Information
Special Information for Live Auction Cockpit 6.0
(Only relates to the SRM scenario Strategic Sourcing with LAC WPS 6.0.)
Which part of Live Auction Cockpit should be set up in which network segment?
The client portion of Live Auction Cockpit (Java applet) is deployed on the Internet. The applet communicates with LAC on the J2EE (7.0) server. Therefore the external user has to allow the applet to be downloaded.
The server portion (Web AS) should be located on the LAN. The SAP system (ERP) should be located on the LAN.
Where exactly is data stored?
System configuration data is stored in properties files on the Web AS. (System configuration data is shipped with the system.)
Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored during runtime of the application.) No temporary data is stored anywhere else.
Which type of data access is required at what point in time?
Read access to system configuration data is required during server start-up. Read and write access to transactional data is required during runtime.
What level of protection is recommended for which data?
Administration system permissions should be used to restrict access to the Live Auction Cockpit properties configuration in the Web AS Visual Administrator. Customers must ensure that only system administrators have access to Web AS Visual Administrator. Configuration data in Web AS Visual Administrator is protected by a password.
Password Encryption
Access to SAP Web AS Visual Administrator needs a password:
This password is set during the installation of Web AS. For the LAC scenario, the username is J2EE_ADMIN and the password is the one set by the first accessing user.
Only a dummy password is stored as a file in the deployment EAR file before deployment of the application. Once the application is deployed, the value is internally encrypted in the J2EE database and can only be accessed through the J2EE Visual Administrator.
After the deployment, you must change the password via the Visual Administrator. (The Visual Administrator tool can be configured to use SSL, so the communication between Visual Administrator and the J2EE server can be secured.)
(In UME [part of J2EE 7.0], the property values are stored in the same way. It is not necessary to encrypt the password before storing it as a real value in the DB, since communication between Visual Administrator and the J2EE server can be secured as well.)
RFC users should be created for RFC/JCo connections to the SAP systems.
JCo RFC password for Live Auction Cockpit to SAP SRM Server:
The dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction Cockpit application and SAP SRM Server. Once Web AS has been installed and the LAC application has been deployed, you must use the Web AS Visual Administrator to configure this JCo RFC password/username so that the Live Auction Cockpit application can run. (At present, this JCo RFC password is displayed masked as "*****" when it is entered, just like in R/3 transaction SU01. A user with administrator authorization on the J2EE engine can only reset the password, just like in R/3 transaction SU01.)
Does the application require an Internet browser as the user interface?
The Live Auction Cockpit client (Java applet) requires an Internet browser. Cookies are only used by User Management Engine (UME) for Single Sign-On (SSO) tickets.
Which RFC/JCo destinations are delivered/required?
The Live Auction Cockpit application establishes RFC connections via JCo. (There is no need to maintain RFC destinations in SM59 for Live Auction Cockpit, since the JCo server is not used.)
What is the minimum authorization required by the communication user for RFC/JCo connections?
The communication user can be defined as a system user in a production system where there is no need for the JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction Cockpit. (In a productive system, a dialog (RFC) user always represents a limited security risk.)
SSO and SAP Logon Tickets
The Live Auction Cockpit application uses the UME API to verify Single Sign-On tickets. No user data is replicated, since all user data is in SAP Bidding Engine in SAP SRM Server. (User data synchronization is not required.)
By default, the Live Auction Cockpit application accepts SAP Logon Tickets.
Details for Login Scenario for Live Auction: Purchaser and Bidder log into SRM through the standard login page.
Inside the Bidding Engine auction user interface (Sourcing) the Live Auction Cockpit applet is launched.
For Single Sign-On and user validation the Java user management client is used.
If the applet's URL is typed directly into the browser window, the user is validated through the UME Logon Applet and redirected to a UME login page. After successful login, the user is redirected back to the applet.
[Figure: Live Auction login flow. User → SRM Server (Web Dynpro) → launch applet through SSO → SRM Live Auction 6.0 on SAP J2EE Server 7.0, with UME and UME Logon App]
Digitally-signed Java applet
As of SAP SRM 5.0/LAC WPS 5.0 the Java applet is digitally signed. The user must confirm that he or she agrees to this usage.
Authorization and roles
No roles are delivered with Live Auction Cockpit. All roles are delivered with SAP SRM Server. Customers do not need to create any additional roles.
Are authorization technologies other than roles used?
Yes, bidders must be added to an auction's invitation list to view and bid on that auction using Live Auction Cockpit. Bidders are added to this invitation list (in the SAP SRM Server system) when the auction is created. Since this is a private auction (SAP Bidding Engine) there is no self-registration or subscription.
User interface settings
Live Auction Cockpit can preserve and restore various user interface (UI) settings so that end users do not need to adjust the UI each time they log in. These settings include:
Divider location
Dropdown box selection
Tab selection
Table column order
Table column width
All UI settings are stored as a browser cookie. Therefore, the end user's web browser must be configured to accept cookies to take advantage of this feature. If the end user's web browser is configured to block cookies, then UI settings are not preserved. However, all other Live Auction Cockpit features remain functional.
No personal information is stored in the browser cookie.
Special Information for SRM-MDM Catalog
For information about SRM-MDM Catalog, see the SAP MDM 5.5 SP04 Security Guide at service.sap.com/installmdm.
Special Consideration for Offline Approvals
In SAP SRM, offline approval using e-mail is possible. However, offline approval does not provide a secure application configuration by default. This approach can cause a security issue because it is