mySAP SRM 4.0
Using SAP Enterprise Buyer 5.0, SAP Supplier Self-Services 2.0, SAP Catalog Content Management 1.0, SAP Enterprise Portal 6.0
Document Version 2.1 - February 11, 2005
SAP AG, Neurottstraße 16, 69190 Walldorf, Germany. T +49/18 05/34 34 24, F +49/18 05/34 34 20, www.sap.com
Copyright 2003 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, WINDOWS, NT, EXCEL, Word, PowerPoint and SQL Server are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix and Informix Dynamic Server are trademarks of IBM Corporation in the USA and/or other countries. ORACLE is a registered trademark of ORACLE Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, the Citrix logo, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc. HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA is a registered trademark of Sun Microsystems, Inc. JAVASCRIPT is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One. SAP, SAP Logo, R/2, R/3, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Disclaimer: Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java source code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Typographic Conventions

Type Style - Represents
- Example text (words on the screen): Words or characters that appear on the screen. These include field names, screen titles, and pushbuttons, as well as menu names, paths, and options. Also cross-references to other documentation.
- Example text (emphasis): Emphasized words or phrases in body text, titles of graphics, and tables.
- EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
- Example text (screen output): Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code, as well as names of installation, upgrade, and database tools.
- Example text (user entry): Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
- <Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
- EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the Ctrl key.

Icons

Icon - Meaning: Caution, Example, Note, Recommendation, Syntax
Contents

Introduction ... 5
  Important SAP Notes ... 6
  Other Security Guides ... 6
  Overview of the Scenarios ... 8
Authorizations ... 29
  1) ABAP Roles for SRM 4.0/Enterprise Buyer 5.0 ... 30
  2) ABAP Roles for SRM 4.0 (SUS Deployment) ... 44
  3) Catalog Content Management Roles ... 48
  4) Portal Roles (for Enterprise Portal 6.0) ... 49
  Changes to the Authorization Check ... 54
Appendix ... 60
  Virus Checking of Document Attachments ... 60
February 2005
Introduction
This guide does not replace the daily operations handbooks that we recommend customers create for their specific productive operations.
About this Guide

The solution mySAP Supplier Relationship Management (mySAP SRM) consists of different components, such as SAP Enterprise Buyer (EBP), SAP Bidding Engine (both residing on the SRM Server) and Live Auction. This cross-component security guide provides security-relevant information for the individual SRM components. In many cases, the required information has already been provided in other security guides and in configuration and installation guides; in these cases, we refer to the relevant sections of those guides.

Security in the context of an SRM solution comprises the following aspects:
- User authentication
- Support of Single Sign-On
- Administration and checking of user authorizations in order to prevent unauthorized access to saved data
- Secure data transfer between users and the SRM application components, especially in the case of browser-based access via the Internet
- General access control, including protection of the system against unauthorized external access
- Safeguarding of data against unauthorized access when business data is exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet

The individual components of the mySAP SRM solution are based on SAP standard technology, such as SAP Web Application Server (including the Internet Transaction Server) and SAProuter. This means that only the official precepts of the SAP security strategy are used, together with the standard tools and mechanisms of the SAP NetWeaver platform. In eighty percent of cases, an SRM system landscape comprises Enterprise Buyer and Live Auction. The User Management Engine (UME) is only required in conjunction with Enterprise Portal, which is why UME is not covered by this guide. This security guide focuses on the specifics of mySAP SRM implementations; the standard case is covered by the security guides of the respective basis technologies.
This document is not part of the installation, configuration, operation, or upgrade guides, as these are often written for a certain phase of the software lifecycle. The information contained in this guide pertains to all phases of the software lifecycle.
For more SAP Notes on security, see the SAP Service Marketplace at http://service.sap.com/security -> SAP Security Notes -> SAP Notes on mySAP Security, or the notes for the application areas BC-JAS-SEC and BC-SEC.
Related Security Guides for SAP NetWeaver Components

- Operating System and Database Platforms: Operating System and Database Platform Security Guides
- Application Platform, SAP Web Application Server: SAP Web Application Server Security Guide; SAP Web AS Security Guide for ABAP Technology; SAP Web AS Security Guide for Java Technology; Internet Transaction Server Security; Security Aspects in Development; Security Aspects with SAP Web AS System Management
- SAP Content Server: SAP Content Server Security Guide
- SAP Knowledge Warehouse: SAP Knowledge Warehouse Security Guide
- People Integration, Portal: Portal Platform Security Guide
- SAP Mobile Infrastructure: Security Guide for SAP Mobile Infrastructure
- Information Integration, SAP Business Information Warehouse: SAP Business Information Warehouse Security Guide
- SAP Knowledge Management: Knowledge Management Security Guide (Content Management Security); Search and Classification (TREX) Security Guide
- Process Integration, SAP Exchange Infrastructure: SAP Exchange Infrastructure Security Guide
Under Appendix -> Related Guides, you can find a composition of all useful SRM and SAP documents mentioned in this guide.
Components used in the mySAP SRM 4.0 business scenarios:
- SAP Supplier Relationship Management Server 5.0 (SAP SRM Server), based on SAP Web Application Server 6.40; comprises SAP Enterprise Buyer, SAP Bidding Engine and Supplier Self-Service
- SAP Internet Transaction Server (SAP ITS) 6.20/6.40
- SAP Internet Pricing and Configurator 4.0 (SAP IPC)
- SAP Business Warehouse 3.5 (SAP BW) plus SAP BI Content 3.5.2 Add-On
- SAP Catalog Content Management 1.0 Add-On
- Search & Classification (TREX) 6.1
- SAP Enterprise Portal 6.0 (Portal Server)
- Live Auction Cockpit Web Presentation Server 2.0 (LACWPS)
- SAP Exchange Infrastructure 3.0 (SAP XI)

[Table: usage of these components (M / O / -) per business scenario: Self-Service Procurement, Plan-Driven Procurement, Service Procurement, Strategic Sourcing, Spend Analysis. The individual cell values are not recoverable from the extracted text.]
Self-Service Procurement

[Figure: Self-Service Procurement system landscape. Labels: Application Gateway, HTTPS/OCI, HTTP(S), Firewall, ITS, IPC 4.0, R/3 Plug-In (IDoc, RFC), TREX 6.1 (RFC), XI 3.0 with XI Integration Engine, XI Content CCM 1.0 and XI Content RosettaNet 1.0 (HTTP(S), XML).]
Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP CCM. SAP BI 3.5 is used to carry out evaluations. The SRM Server (EBP) Web front end uses Internet Transaction Server (ITS) technology. With NetWeaver 04, ITS 6.40 is part of SAP Kernel 6.40; ITS 6.20, a separately installed application, can also be used. The Web front end of SAP CCM 1.0 and SAP Business Intelligence is realized using Business Server Pages (BSP) technology.

Depending on the requirements of the SRM 4.0 installation (should SRM Server (EBP) be available via the Internet?) and on the internal security policy, the following has to be carried out:
- SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
Plan-Driven Procurement

[Figure: Plan-Driven Procurement system landscape. Labels: Application Gateway, HTTP(S), Firewall, ITS, BSP, IPC 4.0, R/3 3.1i, SAP ECC 5.0 (MM, FI/CO), SAP SRM Server 5.0 (SUS) with XI Proxy Framework and XI Integration Engine, SAP BW 3.5 with BI Content 3.5.2 and R/3 Plug-In, R/3 Plug-In (RFC, IDoc), TREX 6.1 (Contracts), IDoc Adapter, XI Content SRM Server 5.0, XI 3.0, XML, HTTP(S). Note in figure: a separate IPC for SUS is not needed if SUS and EBP are implemented in the same SAP system.]
Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly needed core materials. Suppliers can process purchase orders directly in the SAP SRM Server (SUS). The purchase orders are transferred to the SAP SRM Server (SUS) from the backend system via SAP Exchange Infrastructure (XI). The Web front end of the SAP SRM Server (SUS) is realized using BSP technology. Since suppliers log on to the SAP SRM Server (SUS) via the Internet, the HTTPS protocol should definitely be configured for the SAP SRM Server (SUS).

Necessary steps:
- SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (SUS)

If SAP SRM Server (EBP) is also to be accessed via the Internet, or depending on the internal security policy, it might be necessary to do the following:
- SAP SRM Server 5.0 (EBP): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (EBP)
- Configure Application Gateway for SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
- If necessary, connect SAP SRM Server 5.0 (EBP) and SAP SRM Server 5.0 (SUS) via HTTPS and SNC to the SAP Exchange Infrastructure (see XI Security Guide: sections HTTP and SSL, and RFC and SNC)
Service Procurement

[Figure: Service Procurement system landscape. Labels: Application Gateway, HTTPS/OCI, HTTPS, Firewall, ITS, IPC 4.0 (RFC), TREX 6.1, IPC 4.0, HTTP(S), XML, XI 3.0 with XI Integration Engine. Note in figure: a separate IPC for SUS is not needed if SUS and EBP are implemented in the same SAP system.]
This business scenario is used to cover the entire service procurement process.

Necessary steps:
- SAP SRM Server 5.0 (SUS): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0 (SUS)

Depending on whether the SAP SRM Server (EBP) is also to be made available via the Internet, or depending on the internal security policy, the following might also be necessary:
- SAP SRM Server 5.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP SRM Server 5.0
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- Configure SSO between SAP SRM Server 5.0, SAP CCM 1.0 and SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 3.5
- If necessary, connect SAP SRM Server 5.0 (EBP), SAP SRM Server 5.0 (SUS), and SAP CCM 1.0 via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (see XI Security Guide: sections HTTP and SSL, and RFC and SNC)
[Figure: Catalog Content Management system landscape. Labels: Application Gateway, HTTP(S), Firewall, BSP, ITS, RFC, TREX 6.1 (Contracts), HTTP(S), XML, XI 3.0 with XI Integration Engine and XI Content CCM 1.0, master data and contract data.]
In SAP CCM 1.0, suppliers can upload their catalogs. The necessary function is provided in the Web front end, which is realized using Business Server Pages (BSP) technology. The upload occurs via the HTTPS protocol. The catalog is in XML or CSV format and is mapped in the SAP Exchange Infrastructure (XI) to convert it into SAP CCM XML format. Contract data can be loaded via the SAP Exchange Infrastructure (XI) from the SRM Server system. TREX (Search and Classification) helps you search for products in the catalog. In the scope of a procurement process, transfer of product data from SAP CCM to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user's browser.

Necessary steps:
- Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM 1.0 (see CCM Configuration Guide: section Setting Parameters for Internet Communication Manager)
- Configure SSO between SAP CCM and SAP SRM Server (see CCM Configuration Guide: section Using SAP Catalog Content Management with SAP Enterprise Buyer)
- Configure TREX HTTP(S) protocol (see TREX Installation Guide: section Configuration of the HTTP Connection)
- If necessary, connect SAP CCM via HTTPS and SNC to the SAP Exchange Infrastructure (XI) (see CCM Configuration Guide: section SAP Exchange Infrastructure, and XI Security Guide: sections HTTP and SSL, and RFC and SNC)
Strategic Sourcing

[Figure: Strategic Sourcing system landscape. Labels: Application Gateway, HTTPS/OCI, HTTPS, ITS, IPC 4.0, IDoc, RFC, TREX 6.1, XML, XI 3.0 with XI Integration Engine and XI Content CCM 1.0.]
Within Strategic Sourcing, bid invitations are created in SAP SRM Server and suppliers are invited to participate in these bid invitations by submitting bids. Bid invitations can also be converted into Live Auctions. Live Auctions take place in the SAP LACWPS (Live Auction Cockpit). SAP LACWPS consists of a server part running on SAP J2EE 6.40 and a Java applet that communicates with the server. The Java applet is loaded into the browser of the user and executed locally.

Necessary steps:
- SAP SRM Server 5.0 (EBP/Bidding Engine): Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Enable SAP J2EE 6.40 (SAP LACWPS) SSL (see Transport Layer Security on the SAP J2EE Engine: section Configuring the Use of SSL on the SAP J2EE Engine)
- Configure Application Gateway for SAP SRM Server 5.0 (EBP/Bidding Engine)
- Configure Application Gateway for SAP LACWPS 2.0

Optional (if components are accessed via the Internet):
- SAP CCM 1.0: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- SAP BI 3.5: Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM 1.0
- Configure Application Gateway for SAP BI 3.5
- If necessary, configure SNC connections between SAP SRM Server and backend system
- If necessary, configure SNC connections between SRM Server/backend system and SAP BI 3.5
Spend Analysis

[Figure: Spend Analysis system landscape. Labels: Application Gateway, HTTP(S), Firewall, SAP BW 3.5 with BI Content 3.5.2 and R/3 Plug-In, ITS, R/3 Plug-In, TREX 6.1 (Contracts), RFC.]
SRM 4.0 enables you to consolidate data in mySAP Business Intelligence (SAP BI) and to carry out evaluations. The data for this comes from the SAP SRM Server or its backend system via RFC/SNC. Users access the reports via a Web front end that is realized using BSP technology.

If BW reports are also made available to suppliers, SAP BI has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario:
- Should the SRM system landscape be available to the purchasers via the Internet or only via the Intranet?
- Does the internal security policy require that HTTPS be used for all Web-based applications?

Necessary steps:
- Enable WebAS 6.40 SSL (configure HTTPS protocol)
- Configure Application Gateway for SAP CCM
- If necessary, configure SNC between SAP SRM Server/backend system and SAP Business Intelligence
Architecture
The architecture of an SRM system landscape is heavily dependent on the security measures, which are in turn determined by the data to be transferred and the data channels. In an SRM system landscape, there are two types of channel via which data is exchanged and which require careful attention in terms of securing data exchange via external interfaces:
- Exchange of data via external user interfaces
- Exchange of data/documents via external system interfaces
In both cases, the SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway. (SAP recommends that you use the SAP Web Dispatcher.) URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall. In this way, the SRM security concept follows the usual SAP security standards (that are used on a world-wide basis).
1. Data Exchange via the Application Gateway for Applications with Web Front Ends on ITS and BSP Technology

The following SRM scenarios, where the Web front end is based on ITS or BSP technology, work on this principle:
- Self-Service Procurement
- Plan-Driven Procurement
- Service Procurement
- Catalog Content Management
- Spend Analysis
- Strategic Sourcing (with Bidding Engine but without LAC WPS)
[Figure labels: Firewall, DMZ, Application Gateway (SAP Web Dispatcher), HTTP(S)/OCI, HTTP(S), SAP BW 3.5 with BI Content 3.5.2 and R/3 Plug-In, ITS, BSP, R/3 Plug-In, RFC.]
Basic representation of the communication paths of the SRM components to the outside via the application gateway.
The SAP Web Dispatcher functions as an Application Gateway and is used as a "software Web switch" between the Internet and your SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, the SAP Web dispatcher balances the load, so that the request is always sent to the server with the greatest capacity. More information: SAP Web Dispatcher
The SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) via the internal firewall of the DMZ. All security aspects are dealt with via the ITS and the SAP WAS. In this way, the SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.
2. Data Exchange via Java Applet (Live Auction Cockpit WPS)

In the SRM scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for Live Auctions (not for auctions via the Sourcing Cockpit of the SRM Bidding Engine). This applet communicates with the server part of the LAC on the J2EE 6.40 via the application gateway.
[Figure labels: Firewall, DMZ, Application Gateway (SAP Web Dispatcher), HTTP(S)/OCI, HTTP(S), BSP, SAP BW 3.5 with BI Content 3.5.2 and R/3 Plug-In, ITS, R/3 Plug-In, JCo, RFC.]
Basic representation of the communication paths of the SRM components incl. LAC WPS 2.0 to the outside.

The ABAP application Sourcing Cockpit allows external suppliers to participate in bid invitations that are created and evaluated using the SAP Bidding Engine. Auctions can be converted into Live Auctions and are then processed in the LAC. LAC is a Java component (LAC WPS) on the presentation level whose runtime environment is the J2EE of SAP WAS 6.40.
LAC WPS consists of a server part that runs on J2EE 6.40 and a Java Applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with the SRM Server via RFC. Communication between the JAVA applet and the LAC WPS server occurs just like any HTTP(S) based communication with the Internet via Application Gateway that exists in the DMZ. (Each type of communication with the Internet that occurs via HTTP(S) makes use of the Application Gateway.) All security aspects are dealt with by SAP WAS.
[Figure: data exchange via external system interfaces. Labels: Internal Zone with R/3 (FI/CO, R/3 Plug-In), RFC, HTTP(S); XI 3.0 with XI Integration Engine; XML, HTTP(S) & TCP/IP; DMZ Firewall; HTTP(S); Internet Firewall.]
In an SRM system landscape, the Exchange Infrastructure (XI) is used to transfer data in the form of documents via external system interfaces. Here, too, the SAP Web Dispatcher acts as the HTTP(S) Web server in the DMZ in front of the Exchange Infrastructure. All security aspects are dealt with by the SAP Web Dispatcher and the Exchange Infrastructure. (For more information, see SAP Web Dispatcher and the SAP Exchange Infrastructure Security Guide.)
See the following for more information about the technical system landscape:
- Topic: Technical System Landscape
- Guide/Tool: SRM Master Guide
- Quick Link to the SAP Service Marketplace (service.sap.com): http://service.sap.com/instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM
Consult the Network and Transport Layer Security guide before carrying out the SSL settings for the SAP WAS 6.40:
- Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP
  - Configuring the SAP Web AS for Supporting SSL

To carry out the SSL settings for the ITS 6.40 (internal ITS on WAS 6.40), proceed in accordance with the following sections of the Web AS Security Guide:
- Internet Transaction Server Security
  - A Secure Network Infrastructure for the ITS
  - Protecting the Server and Network Components
  - TCP Ports Used by the ITS

For security issues regarding the SRM applications with a BSP-based Web front end, note the following documentation: Security Aspects for BSP

See also:
- Security Guide for Connectivity with the SAP J2EE Engine
- Transport Layer Security on the SAP J2EE Engine
Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively. Detailed information: SAP Exchange Infrastructure Security Guide -> Chapter Network and Communication Security -> HTTP and SSL, and Security Configuration. For sending and receiving messages with the Adapter Engine using HTTPS/SSL, see: Configuration Guide - SAP XI 3.0, Chapter 10 Communication and Security, and 10.1 HTTPS Configuration for the Adapter Engine.
Integration of EBP Services into Enterprise Portal

Ensure that you have downloaded all relevant portal roles for SRM 4.0 from the iView studio at http://www.iviewstudio.com/. There you can also find the current Business Package for SRM 5.0.

Security information: Portal Platform Security Guide -> Secure Communications -> Communication Between Internal Components -> Communication with Backend Systems

Note:
- The portal and the ITS of the EBP system must run under the same protocol (both under HTTP or both under HTTPS; no other combination is possible).
- The portal and the ITS of the EBP system must be in the same domain.
- If you wish to implement your own EBP services, you must ensure that the iViews of the EBP services have EPCF level "2".
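As an added illustration (not code from this guide or from SAP), the following Python script turns two of the landscape rules stated on this page into checks that can be run against a planned set of URLs: an Internet-facing Web front end must be served over HTTPS (as this guide requires for SUS), and the portal and the EBP ITS must share a protocol and a domain. All component names, hosts and URLs in the sample are constructed placeholders, and the "same domain" test assumes the domain is the last two DNS labels.

```python
"""Pre-checks for an SRM 4.0 landscape plan (added example with constructed data).

Rule 1: a Web front end reached from the Internet must be served over HTTPS
        (this guide requires that for the SUS front end).
Rule 2: the portal and the ITS of the EBP system must run under the same
        protocol and lie in the same domain.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebFrontEnd:
    name: str              # component, e.g. "SAP SRM Server 5.0 (SUS)"
    url: str               # URL users reach through the application gateway
    internet_facing: bool  # reachable from outside the external firewall


def scheme_of(url: str) -> str:
    """Protocol part of the URL, lower-cased ('http' or 'https')."""
    return urlsplit(url).scheme.lower()


def domain_of(url: str) -> str:
    """Domain the host belongs to. Assumption for this example: the last two
    DNS labels ('srm.example.com' -> 'example.com'); adapt this for
    country-code second-level domains such as 'co.uk'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_https_for_internet_facing(front_ends: List[WebFrontEnd]) -> List[str]:
    """Rule 1: report every Internet-facing front end that is not on HTTPS."""
    return [
        f"{fe.name}: reachable from the Internet over {scheme_of(fe.url)}, HTTPS required"
        for fe in front_ends
        if fe.internet_facing and scheme_of(fe.url) != "https"
    ]


def check_portal_its_pair(portal_url: str, its_url: str) -> List[str]:
    """Rule 2: report protocol or domain mismatches between portal and EBP ITS."""
    findings = []
    if scheme_of(portal_url) != scheme_of(its_url):
        findings.append(
            f"protocol mismatch: portal uses {scheme_of(portal_url)}, ITS uses {scheme_of(its_url)}"
        )
    if domain_of(portal_url) != domain_of(its_url):
        findings.append(
            f"domain mismatch: portal in {domain_of(portal_url)}, ITS in {domain_of(its_url)}"
        )
    return findings


# Constructed sample landscape: hosts are placeholders, not values from the guide.
SAMPLE_FRONT_ENDS = [
    WebFrontEnd("SAP SRM Server 5.0 (SUS)", "http://sus.example.com/", True),
    WebFrontEnd("SAP SRM Server 5.0 (EBP)", "http://ebp.example.com/", False),
    WebFrontEnd("SAP CCM 1.0", "https://ccm.example.com/", True),
]
SAMPLE_PORTAL_URL = "https://portal.example.com/"
SAMPLE_ITS_URL = "http://ebp.example.com/"  # ITS of the EBP system listed above


def run_checks(front_ends=SAMPLE_FRONT_ENDS,
               portal_url=SAMPLE_PORTAL_URL,
               its_url=SAMPLE_ITS_URL) -> List[str]:
    """Apply both rules; an empty list means the plan passes these checks."""
    return check_https_for_internet_facing(front_ends) + check_portal_its_pair(portal_url, its_url)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

Against the constructed sample, the script flags the SUS front end for being Internet-facing over plain HTTP and the portal/ITS pair for mixing HTTPS and HTTP.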
Network Security
General Access Control, Including Protection of the System and Stored Data Against Unauthorized External Access

General standards: Firewalls, DMZ, SNC
SAP standards: ITS, SAProuter

mySAP SRM is a solution with many external interfaces, including interfaces to the Internet. This makes mySAP SRM vulnerable to attempts by outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, mySAP SRM can offer protection in this regard based on the authorization concept within SAP WAS (SAP Authorization Concept). It is important to understand that SRM is embedded in a comprehensive protection concept that offers protection both on a physical level and, through additional firewalls, protected access to all levels of an IT infrastructure. As the SRM architecture graphics show, SAP recommends protecting the different SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet. Furthermore, SAP recommends installing protection against access to the entire data store of the various SRM application components.

For more information on firewalls and the relevant settings, see the section Network and Communication Security -> Using Firewall Systems for Access Control in the SAP NetWeaver Security Guide (for firewall settings) and SAProuter in the SRM documentation (for SAProuter settings). For more information on the settings for Secure Network Communications (SNC), see the section SNC-protected Communication in the SAP WebAS Security Guide.

See also: Additional Information on Network Security
Communication Destinations

All relevant communication destinations (such as RFC, IDoc, and so on) for mySAP SRM are described in the Business Scenario Configuration Guides. The following overview lists the relevant sections; all guides are found on the SAP Service Marketplace under http://service.sap.com/ibc -> for mySAP SRM -> <business scenario>:
- Self-Service Procurement: Configuration Guide SRM 4.0 Self-Service Procurement, section System Connections (-> Self-Service Procurement)
- Plan-Driven Procurement: section System Connections (-> Plan-Driven Procurement)
- Strategic Sourcing: section System Connections (-> Strategic Sourcing)
- Catalog Content Management: section System Connections (-> Catalog Content Management)
- Service Procurement: Configuration Guide SRM 4.0 Service Procurement (SAP Service Procurement with Loose Supplier Integration/with Close Supplier Integration), section System Connections (-> Service Procurement)
- Spend Analysis: section System Connections (-> Spend Analysis)
See Using X.509 Client Certificates to get a procedure for configuring the system for the use of X.509 client certificates.
User Management
In general, SRM supports user authentication using user accounts and passwords. It also supports user authentication using X.509 certificates and in this way integrates seamlessly with a public key infrastructure. The following types of roles are supported: SRM Server roles and portal roles. New users can only be created by the user administrator or by a manager. In the case of self-registration by new users, the actual release of the new account has to be approved by the user administrator or manager.
To use the user approval workflow, the workflow WS10000192 has to be activated and the indicator Approval Indicator has to be set in the IMG under SRM Server -> Master Data -> Create Users -> Set Approval Indicator. As standard, creation of users is always approval-relevant.
Authorizations
In SRM, one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. Through this assignment, the user inherits additional attributes that further restrict access; for example, employees may only assign purchase orders to their own cost centers. In the standard SRM delivery, customers receive predefined role templates that they can extend or adapt to their specific requirements. The standard roles include roles for managers, employees, and so on.

Individual users access SRM transactions and data via their browsers and in doing so transfer sensitive, confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data during transfer between the Web server and the browser. SRM follows the standard in this case and supports secure HTTP (HTTPS).
SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance (transaction PFCG).
Authorization Group
AAAB
Authorization Objects
B_BUPA_RLT (02,03) B_BUPR_BZT (ACTVT 02; RELTYP BUR010) S_ME_SYNC (38) S_PRO_AUTH (03) S_RFC S_TCODE
S_RFC
S_TCODE
ARFC
BBP_BGRD_APPROVAL
SAP_BBP_STAL_EM Shop (one PLOYEE screen) SAP_BBP_MULTI_E MPLOYEE Check Status Confirm Goods/Services Enter Invoice/Credit Memo Inbox OLD Approval
BBP
BBP_FUNCT BBP_PD_CNF BBP_PD_INV BBP_PD_PO (ACTVT: 03) BBP_PD_QUO (ACTVT: 03, 75) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_PC
BBP_OCI_AGENT
BBP_CROO BBP_POC_WF_APP M_CTR BBP_CROO BBP_POC_WF_REV M_INV BBP_CROO BBP_QUOT_EXTST M_SC BBP_FRAM EWORK BBP_SC_DARKAPP_IAC
BC_A
C_DML (ACTVT: 03) S_DATASET (ACTV: 33, 34; PROGRAM: SAPLSWT01) S_TABU_DIS (03) S_USER_GRP (02, 03)
BC_C
S_DEVELOP (ACTVT: 16; Package: dummy; object name: BUS*; object type: SOBJ; authorization group = dummy)
BC_Z
S_OC_DOC S_OC_FOLCR S_OC_ROLE S_OC_SEND S_OC_TCD ( SO01, SO02, SO03, SO04)
S_RFC
S_TCODE
S_BDS_DS (01, SSCV 02, 03, 04, 06) S_WF_LVIEW S_WF_WI HR PLOG P_TCODE (PF*, PP*) SU_USER SURL SUSO SUSW SWEL SWLWFIN SWOR SWWA SYST SYSU
BBPPU02 BBPPU03 BBPPU05 BBPPU08 BBPPU11 BBPPU12 BBPPU16 BBPPU17 BBPSC08 BBPSC10 BBPST01
Manager
SAP_EC_BBP_MANAGER SAP_BBP_STAL_MANAGER SAP_BBP_MULTI_MANAGER
S_RFC S_TCODE
BBPMAINAPP
BBP_POC_DISPLY BBP_QUOT_EXTWF
S_RFC
S_TCODE
BBPSC07 BWSP T*
Purchasing Assistant
SAP_EC_BBP_SECRETARY
Shop
BBPSC01
AAAB
S_TCODE
BBP_BW_SC3
BBP
SAP_BBP_STAL_SECRETARY SAP_BBP_MULTI_SECRETARY
Enter Purchase Order Response Confirm Goods / Services Centrally Enter Invoice / Credit Memo Centrally Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening
BBPIV03
BBPPU02
BBPPU04 BBPPU05
BBPPU06
Professional Purchaser
SAP_EC_BBP_PURCHASER
Shop
BBPSC01
AAAB
BBP_AUC_SRM_EX
BBPSC05 BBPCF03
BBP_BID_EVAL BBP_BID_EXTSO
SAP_BBP_STAL_PURCHASER SAP_BBP_MULTI_PURCHASER
Confirm Goods / Services Centrally Enter Invoice / Credit Memo Centrally Process Purchase Order Issue Purchase Order
BBPIV03
B_USERST_T
BBP_CFOLDER
S_TCODE BBP_BUDGET
BBP_CTR_EXT_CR BBP_CTR_EXT_PO
BBP_FUNCT
S_RFC
S_TCODE
BBP_CTR_EXT_WF
BBP_CTR_MAINCC
BBP_PD_AUC
BBP_POC_DISPLY
Process Contract (BBP_CTR_MAIN), Issue Contract (BBP_PPF_CONT), Process Bid Invitation (BBP_BID_INV), Process Auction (BBP_AUCTION), Carry Out Sourcing (BBPSOCO01), Analysis SC per Cost Center (BBP_BW_SC4), Analysis SC per Product (BBP_BW_SC3)
Manage Business Partner Data (BBPMAININT), Manage Business Partner Data (Hosted) (BBPMAINPURCH), Edit Addresses (BBPADDRINTV), BBPAVLMAINT, BBPWLRA01
BC_A
BBP_PD_VL
BBPPU04
M_BBP_PC (PCMAS_ACT: 03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: PLAN, RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT: 03, 16; SXMBACTION: RUNTIME) BC_C S_DEVELOP
BBPPU05
BBPPU06 BBPPU07
BBPSC04
BBPSC06
BBPSC14
BBPSC15
BC_Z
S_APPL_LOG (03) S_IDOCCTRL
S_RFC
S_TCODE
Purchase Manager
SAP_BBP_STAL_PURCHASE_MANAGER SAP_BBP_MULTI_PURCHASE_MANAGER
Operational Purchaser
Shop
BBPSC01
AAAB
BBP_AUC_SRM_EX
SAP_EC_BBP_OP_PURCHASER SAP_BBP_STAL_OPERAT_PURCHASER
Create Public Templates Confirm Goods/Services Centrally Enter Invoice/Credit Memo Centrally
BBPSC05 BBPCF03
BBP_BID_EVAL BBP_BID_EXTSO
BBPIV03
B_USERST_T
BBP_CTR_EXT_CR
Process Purchase Orders (BBP_POC), Issue Purchase Orders (BBP_PPF), Enter Purchase Order Response (BBPPCO02), Process Purchase Order Response (BBPPCO01), Assign Global Outline Agreement, Process Contracts
BBP
BBP_PD_BID
BBP_PPF_CONT
BBP_PD_CNF
BBP_TRIGG_MEN
BBP_PD_CTR BBP_PD_INV BBP_PD_PO BBP_PD_QUO BBP_PD_SC M_BBP_PC (03, 04) S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)
S_RFC
S_TCODE
Display Changes (BBP_SUPP_MONI), Vendor Prescreening (/sap/ros_prescreen/main.do)
BC_A
BBPSC03
BBPSC04
BBPSC06
BC_Z
BBPSC14 BBPSC15 BBPSC16 BBPSC17 BBPSC18 BBPSC19 BBPSHOWVD BBPVE01 BWSP BWWF_WI_DECI CRMD_ORDER
S_RFC
S_TCODE
Strategic Purchaser
AAAB
BBP_AUC_SRM_EX
SAP_EC_BBP_ST_PURCHASER SAP_BBP_STAL_STRAT_PURCHASER
Process Auction Process Global Outline Agreement Process Purchase Order Response
BBP_BID_EVAL BBP_BID_EXTSO
B_USERST_T
BBP_CFOLDER
Process Contract (BBP_CTR_MAIN), Issue Contract (BBP_PPF_CONT), Process Vendor List (BBPAVLMAINT)
BBP
Manage Business Partner Data (BBPMAININT), Edit Addresses (BBPADDRINTV), Reassign Workload (BBPWLRA01), Vendor Prescreening (/sap/ros_prescreen/main.do)
BBP_PD_INV (ACTVT: 03) BBP_PD_PCO (ACTVT: 03) BBP_PD_PO BBP_PD_QUO BBP_PD_SC (ACTVT: 02, 03) BBP_PD_VL M_BBP_PC BC_A S_ADMI_FCD (NADM) S_BTCH_JOB (job action: RELE) S_CTS_ADMI (TABL) S_SPO_DEV
BBPRP01 BBPSC14
S_USER_AGR (01, 02, 03, 22, 36, 64, 78) S_USER_GRP (01, 02, 03, 06, 22, 78) S_USER_PRO (01, 02, 03, 07, 22) S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_DEVELOP
S_RFC
S_TCODE
BBPSC15
BBPSC16
BBPSC17
BBPSHOWVD
BC_Z
Content Manager
SAP_EC_BBP_CONTENT_MANAGER
AAAB
/SAPCND/CM (application: BBP; use: PR) COMM_ATTRSET COM_ASET (01, 02, 03, 06) COM_CAT (01, 02, 03) COM_HIER (01, 02, 03) COM_IL (ACTVT: 01, 02, 03, 06; RELTYPE: PRDCTI, PRDCTN, PRDMPI, PRDMPN, PRDVND, PRDVNI) COM_PRD (01, 02, 03, 06) COM_PRD_CT (01, 02, 03, 06) S_IFC S_RFC S_TCODE COMM_ATTRSET COMM_PCAT_LOC CRM_PRD BBP_CT COMM_HIERARCHY COMM_PCAT_LOC COMM_PCAT_PROFILE
SAP_BBP_STAL_CONTENT_MANAGER
Process Products Activate Products Data Transfer from Product Master to Catalog
CONTENT
BC_A
S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME)
S_RFC
S_TCODE
BC_Z
Component Planner
BBPOR01
AAAB
S_TCODE
Only standard
SAP_EC_BBP_PLANNER SAP_BBP_STAL_PLANNER
Component Planning for Projects Change Settings
BBPPS01
BBPAT05
Internal Dispatcher
SAP_EC_BBP_RECIPIENT SAP_BBP_STAL_RECIPIENT SAP_BBP_MULTI_RECIPIENT
BBPCF03
AAAB
S_TCODE
Only standard
BBP_PM01
BBP
BBPIV03
AAAB
S_TCODE
Only standard
BBP_TRIGG_MEN
BBP
BBP_FUNCT BBP_PD_INV (ACTVT: 01, 02, 03, 06) BBP_PD_PO (ACTVT: 03)
Bidder
SAP_EC_BBP_BIDDER SAP_BBP_STAL_BIDDER SAP_BBP_MULTI_BIDDER
Process Bid
BBP_QUOT AAAB
/SAPCND/CM (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03) BBP_CFOLDER BBP_FRAMEWORK
BBP_CFOLDER
BBPMAINEXT
BBPGLOBAL
S_RFC S_TCODE
S_RFC
S_TCODE
BBPVENDOR BBPWI
BBP
BBP_PD_AUC (03) BBP_PD_BID (03) BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2200, BUS2202, BUS2208)
BC_A
BC_Z
S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG
HR
Vendor
SAP_EC_BBP_VENDOR
BBPCF01
AAAB
/SAPCND/CM (application: BBP; use: PR) B_BUPA_RLT B_BUPR_BZT S_PRO_AUTH (03) S_RFC S_TCODE BBP_CFOLDER BBP_FRAMEWORK
BBP_BGRD_APPROVAL
BBP_CFOLDER
SAP_BBP_STAL_VENDOR SAP_BBP_MULTI_VENDOR
Process User Data Edit Addresses Inbox OLD Approval
BBPADDREXT BBP_QUOT BBPFAKEWP BBPGLOBAL RFC1 RSAN SDIF SDIFRUNTIME BBPMAINNEW BBPST01 BBPVENDOR BBPWI
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2203, BUS2205)
S_RFC
S_TCODE
SI17_V
SWK1
BC_A BC_Z
S_TABU_DIS (03) S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT) PLOG
SKBW SSCV
HR
SU_USER SURL SUSO SUSW SWLWFIN SWOR SYST SYSU WP_USER_MENU
S_TCODE
BBPPU09
Customizable Messages (BBP_MS_MSG1_C), Messages in XML (BBP_MS_MSG2_C), Define Impersonal Account (BBP_MS_ACC_DET_C), Process FI Backend (BBP_MS_BE_C), Process Vendor Number in Backend (BBP_BE_LIST), Process Tax Code (BBP_MS_MAP_TAX_C), Monitor Shopping Cart (BBP_MON_SC)
BBP BC_A BC_C
BBPSHOWVD SYST
Administrator
Application Monitors
BBPADM_COCKPIT
AAAB
B_BUPA_ATT
B_BUPA_FDG B_BUPA_GRP B_BUPA_RLT B_BUPR_BZT B_BUPR_FDG B_CCARD S_RFC
S_RFC
S_TCODE
SAP_EC_BBP_ADMINISTRATOR SAP_BBP_STAL_ADMINISTRATOR SAP_BBP_MULTI_ADMINISTRATOR
Monitor Shopping Carts Monitor Contract Distribution
Monitor Business Partner (BBP_SUPP_MONI), Synchronization with Backend (BBP_CLEANER), Manage User Data (BBPUSERMAINT), Edit Internal Addresses (BBPADDRINTC), Manage Business Partners (BBPMAININT), Edit External Addresses (BBPADDRINTV), Edit Attributes (BBPATTRMAINT)
BBP
S_TCODE BBP_BUYER BBP_FUNCT BBP_PD_AUC (03) BBP_PD_BID (03) BBP_PD_CNF (03) BBP_PD_CTR (03) BBP_PD_INV (03) BBP_PD_PCO (03) BBP_PD_PO (03) BBP_PD_QUO (03) BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06) M_BBP_IM_1 M_BBP_PC BC_A S_ADMI_FCD S_ARCHIVE S_BTCH_ADM S_BTCH_JOB S_BTCH_NAM
S_CTS_ADMI S_DATASET S_ENQUE S_GUI S_RZL_ADM S_TABU_CLI S_TABU_DIS S_USER_AGR S_USER_AUT S_USER_GRP S_USER_PRO S_USER_SYS S_USER_TCD S_USER_VAL S_XMB_AUTH (ACTVT:16; SXMBACTION: RUNTIME) S_XMI_PROD
S_RFC
S_TCODE
BC_C
BC_Z
S_APPL_LOG S_IDOCCTRL S_IDOCDEFT S_IDOCMONI S_IDOCPART S_IDOCPORT S_IDOCREPA S_NUMBER S_SCD0 S_WF_WI S_WFAR_OBJ S_WFAR_PRI
HR
PLOG P_TCODE
S_RFC
S_TCODE
BBPMAINNEW
AAAB
B_BUPR_BZT
BBPMAINNEW
S_TCODE
Create User
BBPAT03
AAAB
B_BUPA_RLT
BBPAT03
BBPAT04
S_TCODE
BBPAT04
BC_A
SU01
HR
PLOG
Subscribe Marketplace
SAP_EC_BBP_SUBSCRIBE_MARKETPLC
B_BUPA_RLT
ARFC
BBPSUBSCRIBE
S_RFC
BBP_ATTR_ORG BBP_ATTR_PD BBP_FRAMEWORK BBPFAKEWP RFC1 RSAN SDIFRUNTIME SSCV SU_USER SWOR SYST SYSU
Folder
Purchase Orders
Menu Entry
All New Changed In Process Confirmed Partially Confirmed
Administration Messages
HR
SAR Processor
SAP_EC_SUS_SAR_PROCESSOR
AAAB
Administration Messages
BBP
BBP_FUNCT BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235)
BC_A
BC_Z
HR
Purchase Orders Confirmations ASN Invoices
All Approved Sent All In Process Invoiced Approved
BC_A
Messages
Read Messages
HR
Dispatcher
SAP_EC_SUS_DISPATCHER
AAAB
Administration Messages
BBP_SUS_PD (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2235) S_ADMI_FCD (NADM) S_USER_GRP (ACTVT: 02, 03, 05)
BC_A
BC_Z
HR
Service Agent
SAP_EC_SUS_SERVICE_AGENT
AAAB
Rejected
Administration
Own Data
Messages
Read Messages
BC_A
Service Manager
SAP_EC_SUS_MANAGER
AAAB
Administration Messages
BBP BC_A
HR
PLOG
The Service Manager is allowed to search for and display his own confirmations and those of ALL Service Agents.
Vendor Administrator
SAP_EC_SUS_ADMIN_VENDOR
Administration
Create User Search User Own Data Company Data Customer Overview
AAAB
Messages
BBP_SUS_PD (ACTVT: 03; BBP_OBJTYP: BUS2235) S_ADMI_FCD (NADM) S_USER_AGR S_USER_GRP S_USER_PRO
HR
PLOG
Administration
Create User Search User Own Data
Messages
Bidder
SAP_EC_SUS_BIDDER
Bid Invitations
AAAB BC_A
Component
EBP
Shop Order Status Confirm Goods Receipt Enter Invoice / Credit Memo Inbox OLD Approval Change my Settings Change Attributes User Management
User Settings
Change my Settings
ebp.bbpat05
EBP
ebp.bbpattrmaint um.usermanagement
EBP UM
Approval
ebp.bbpapproval ebp.bbpbwsp_simple BBPMAINMANAGER bw.costcenterinfo 0TPL_0BBP_C02_Q1003_V002001 bw.shopcostinfo 0TPL_0BBP_SC_Q014_V01 0TPL_SR_VE_SERVICEPROVIDER ebp.bbpat05 ebp.bbpattrmaint um.usermanagement
EBP
Process Company Data Cost Center Information Shopping Cart Information Service Provider Information Change my Settings Change Attributes User Management
Shop
ebp.BBPSC01
EBP
ebp.bbpPCO02 ebp.bbpsc04
EBP EBP
iView
Process Public Templates Confirm Goods/Services Centrally Enter Invoice/Credit Memo Centrally Shopping Cart Information Shopping Carts per Cost Center Shopping Carts per Product Vendor Prescreening
Component
EBP EBP EBP BW EBP EBP SUS
Process Purchase Orders Issue Purchase Orders Enter Purchase Order Response Process Purchase Order Response Schedule Monitoring Held Purchase Orders Pending Shopping Carts Analysis SC per Cost Center Analysis SC per Product Sourcing Process Global Outline Agreement Process Contracts Contract Usage Process Auctions Process Bid Invitation Shop Order Status Process Public Templates Confirm Goods/Services Centrally
EBP.BBP_POC
EBP
ebp.bbp_ppf BBPPCO02 BBPPCO01 bw.schedulemonitor 0TPL_0BBP_DS1_Q013_V002 bw.heldoders 0TPL_0BBP_PO_Q007_V02 bw.pendingcarts 0TPL_0BBP_SC_Q004_V02 BBP_BW_SC4 BBP_BW_SC3 ebp.bbpsoco01 BBP_CTR_SEARCC ebp.bbp_ctr_main bw.contractusage 0TPL_0BBP_CT_Q004 BBP_AUCTION com.sapmarkets.pct.srm.ebp.bbp_bid_inv BBPSC01 BBPSC04 BBPSC05 BBPCF03
EBP EBP EBP BW BW BW EBP EBP EBP EBP EBP BW EBP EBP EBP EBP EBP EBP
Enter Invoice/Credit Memo Centrally Edit Addresses Display Changes
EBP EBP EBP
Spend Analysis
bw.spendanalysis 0TPL_0BBP_C01_Q036034 bw.supplierallocation 0TPL_SR_GLS_SUPPL_ALLOC bw.vendorportfolioanalysis 0TPL_SR_VE_PORTFOLIO bw.topvendors 0TPL_SR_VE_TOPVENDORS com.sapmarkets.pct.srm.ebp.bbp_bid_inv BBP_AUCTION bw.contractanalysis 0TPL_0BBP_CT_Q003 BBP_CTR_MAINCC BBP_CTR_MAIN ebp.bbp_ppf_cont BBPPCO01 ebp.bbpavlmaint bw.relationshipanalysis 0TPL_0BBP_C01_Q03032 bw.vendorprofile 0TPL_SR_VE_PROFILE ebp.bbpmainint ebp.bbpaddrintv 0TPL_BBP_C01_Q039 0TPL_BBP_C01_Q027 0TPL_BBP_PO_Q005_V02 BBPWLRA01
BW
Supplier Allocation Vendor Portfolio Analysis Top and Bottom Vendors Process Bid Invitation Process Auction Contract Analysis Process Global Outline Agreement Process Contracts Issue Contracts Process Purchase Order Response Process Vendor List Relationship Analysis Vendor Profile Manage Business Partners Edit External Addresses Measure EBP-Project Success Workload per Purchasing Group Workload Workload Reassignment
BW BW BW EBP EBP BW EBP EBP EBP EBP EBP BW BW EBP EBP BW BW BW EBP
BBP_CT_SCM_STAGING
EBP
BBP_CT_STAGING ebp.commpr01
EBP EBP
Activate Products
EBP
Orders
ebp.bbpor01
EBP
ebp.bbpps01 BBPAT05
EBP EBP
Confirm Goods / Services Centrally Find Goods Recipient Open Item Analysis
ebp.bbpcf03
EBP
EBP BW
SRM_Accountant/ Accounting
Enter Invoice / Credit Memo Centrally Issue Document Backend Posting (Hosted) Invoice Analysis
ebp.bbpiv03
EBP
EBP EBP BW
User Management
um.usermanagement
UM
Application Monitors Monitor Shopping Carts Monitor Contract Distribution Monitor Business Partner Manage Business Partners Manage User Data Edit External Addresses Edit Internal Addresses
/CCM/CAT_CDC/CDC_MAIN.do
CCM
Application Monitors
ebp.bbpadm_cockpit
EBP
Catalog Manager/
Edit Catalogs
BSP_APPLICATION: /CCM/CAT_CDC/CDC_MAIN.do
CCM
BSP_APPLICATION: /CCM/CAT_sup_catalog/create_sup_cat.htm BSP_APPLICATION: /CCM/CAT_pub_catalog/create_pub_cat.htm BSP_APPLICATION: /CCM/cat_supplier/start.htm BSP_APPLICATION: /CCM/CAT_PROTOCOL/display_protocols.htm
CCM
CCM
CCM CCM
1. Document check
Checks whether a user can access a document (shopping cart, purchase order, and so on) with a particular function (change, delete, and so on). Check fields:
o PORG (purchasing organization)
o PGR (purchasing group)
o Transaction type
o Activity (prior to SRM 4.0 the only check field)
New object    SRM document
BBP_PD_AUC    Live auction
BBP_PD_BID    Bid invitation
BBP_PD_CNF    Confirmation
BBP_PD_CTR    Contract
BBP_PD_INV    Invoice
BBP_PD_PCO    Purchase order response
BBP_PD_PO     Purchase order
BBP_PD_QUO    Bid
BBP_PD_VL     Vendor list
BBP_PD_SC     Shopping cart
Old objects: M_BBP_PO, M_BBP_Q_IN
Live auction (authorization object BBP_PD_AUC): You can define that purchasers are only able to enter or display auctions for certain purchasing organizations and purchasing groups.
Bid invitation (authorization object BBP_PD_BID): You can define that purchasers are only able to enter, display, or publish bid invitations for certain purchasing organizations and purchasing groups.
Enter confirmation (authorization object BBP_PD_CNF): The purchasing organization and purchasing group fields are not checked.
Contracts (authorization object BBP_PD_CTR): You can define that purchasers are only able to enter and display contracts for certain purchasing organizations and purchasing groups.
Enter invoice (authorization object BBP_PD_INV): The purchasing organization and purchasing group fields are not checked.
Purchase orders (authorization object BBP_PD_PO): You can define that purchasers are only able to enter and display purchase orders for certain purchasing organizations and purchasing groups.
Bids (authorization object BBP_PD_QUO): You can define that purchasers are only able to display, accept, or reject bids for certain purchasing organizations and purchasing groups.
Vendor list (authorization object BBP_PD_VL): You can define that purchasers are only able to enter, display, or change vendor lists for certain purchasing organizations and purchasing groups.
Shopping cart (authorization object BBP_PD_SC): When you create and change shopping carts, no checks occur. In the Shopping Cart Status service, the system checks whether the current user is authorized to change, print, or delete shopping carts. If not, the relevant icons are not displayed. Since the status only displays shopping carts belonging to the user, a check of organizational units is unnecessary.
Sourcing Cockpit
When an item is transferred to the work area, the system checks against activity SO.
2. Check of special functions
When a transaction is called, the system checks the authorization object S_TCODE. If a transaction is included in a role, the appropriate authorization is automatically assigned during profile generation. SRM also contains several services/functions that are not checked using S_TCODE but that should not be available to all users. For these, the authorization object BBP_FUNCT provides a simple access authorization:
Checked value in field BBP_FUNCT    Service/function
CR_COMPANY                          Create purchasing company
MON_ALERTS                          Access to monitors and alerts
CR_ASSETS                           Create assets
BE_F4_HELP                          Call input help in R/3
EVAL_VEND                           Vendor evaluation
4. Checks in SUS
In SUS, checks are mainly performed in conjunction with the authorization object BBP_SUS_PD. The object contains two parameters:
BBP_OBJTYP (object type), with the possible values:
  BUS2230 SUS Purchase Order
  BUS2231 Shipping Notification
  BUS2232 SUS Purchase Order Response
  BUS2233 SUS Confirmation
  BUS2234 SUS Invoice
  BUS2235 SUS Notification
ACTVT (activity):
  02 Create, change
SUS users are employees working for a supplier and are therefore not assigned to a purchasing organization or a purchasing group. Generally, you can only control whether a user can display certain object types (with or without price) or change them. In the case of confirmations, the system also uses the authorization object BBP_FUNCT with the value GLOB_ACCSS to check whether a user is allowed to confirm all confirmations sent to the supplier.
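The three kinds of check described in sections 1, 2 and 4 (the multi-field BBP_PD_* document check, the single-field BBP_FUNCT gate, and the object-type/activity check of BBP_SUS_PD) share one evaluation rule: a single authorization in the user's profile must satisfy every requested field at once. The following model, an added example that is not SAP code, makes that rule explicit and shows why display rights in one purchasing organization plus change rights in another do not combine. The field name TRANS_TYPE and all users, organizations and transaction types are invented; the object names, field names PORG/PGR/ACTVT/BBP_FUNCT/BBP_OBJTYP and the BUS22xx values come from the guide.

```python
"""Constructed model of the SRM 4.0 authorization checks in sections 1, 2 and 4.

Added example, not SAP code. It shows how an authorization object with several
fields (PORG, PGR, transaction type, ACTVT) is evaluated against a user's
authorizations, and the single-field BBP_FUNCT and two-field BBP_SUS_PD checks.
The field name TRANS_TYPE and every user, organization and document value below
are invented for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Standard ACTVT values used by the guide for BBP_PD_* objects.
CREATE, CHANGE, DISPLAY, PRINT, DELETE = "01", "02", "03", "04", "06"


@dataclass(frozen=True)
class Authorization:
    """One authorization: object name plus the allowed values per field.

    A value may end in '*' ('*' alone matches anything), mirroring how field
    values are maintained for a role in PFCG.
    """
    obj: str
    fields: dict


def _field_ok(allowed, value):
    return any(fnmatchcase(value, pattern) for pattern in allowed)


def authority_check(user_auths, obj, **requested):
    """True if ONE authorization for obj satisfies ALL requested fields.

    Fields are never combined across authorizations: PORG=PORG1 from one
    authorization and ACTVT=02 from another do not add up to change access in
    PORG1. A requested field the authorization does not list at all fails.
    """
    for auth in user_auths:
        if auth.obj != obj:
            continue
        if all(_field_ok(auth.fields.get(name, ()), value)
               for name, value in requested.items()):
            return True
    return False


# Objects for which the guide states that PORG and PGR are not checked.
NO_ORG_CHECK = {"BBP_PD_CNF", "BBP_PD_INV"}


def document_check(user_auths, obj, actvt, trans_type, porg=None, pgr=None):
    """Section 1: document check for a BBP_PD_* object."""
    requested = {"ACTVT": actvt, "TRANS_TYPE": trans_type}
    if obj not in NO_ORG_CHECK:
        requested["PORG"] = porg or ""
        requested["PGR"] = pgr or ""
    return authority_check(user_auths, obj, **requested)


def allowed_actions(user_auths, obj, candidates, trans_type, porg=None, pgr=None):
    """Which of the candidate activities the user may perform on a document.

    The Shopping Cart Status service uses such an answer to decide which icons
    (change, print, delete) are shown at all.
    """
    return {a for a in candidates
            if document_check(user_auths, obj, a, trans_type, porg, pgr)}


def function_check(user_auths, function):
    """Section 2: BBP_FUNCT, a single-field gate for services not covered by S_TCODE."""
    return authority_check(user_auths, "BBP_FUNCT", BBP_FUNCT=function)


def sus_check(user_auths, objtyp, actvt):
    """Section 4: BBP_SUS_PD, checked on object type and activity only."""
    return authority_check(user_auths, "BBP_SUS_PD", BBP_OBJTYP=objtyp, ACTVT=actvt)


ANY = ("*",)

# Constructed purchaser: full purchase-order access in one purchasing
# organization/group, display-only elsewhere, confirmations, shopping-cart
# status functions limited to change/display, and one BBP_FUNCT value.
PURCHASER = [
    Authorization("BBP_PD_PO", {"PORG": ("PORG1",), "PGR": ("PGRP1",),
                                "TRANS_TYPE": ANY, "ACTVT": (CREATE, CHANGE, DISPLAY)}),
    Authorization("BBP_PD_PO", {"PORG": ANY, "PGR": ANY,
                                "TRANS_TYPE": ANY, "ACTVT": (DISPLAY,)}),
    Authorization("BBP_PD_CNF", {"TRANS_TYPE": ANY, "ACTVT": (CREATE, DISPLAY)}),
    Authorization("BBP_PD_SC", {"PORG": ANY, "PGR": ANY,
                                "TRANS_TYPE": ANY, "ACTVT": (CHANGE, DISPLAY)}),
    Authorization("BBP_FUNCT", {"BBP_FUNCT": ("BE_F4_HELP",)}),
]

# Constructed supplier-side SUS user: may change purchase-order responses
# (BUS2232) but only display purchase orders (BUS2230).
SUS_USER = [
    Authorization("BBP_SUS_PD", {"BBP_OBJTYP": ("BUS2232",), "ACTVT": (CHANGE, DISPLAY)}),
    Authorization("BBP_SUS_PD", {"BBP_OBJTYP": ("BUS2230",), "ACTVT": (DISPLAY,)}),
]

if __name__ == "__main__":
    print(document_check(PURCHASER, "BBP_PD_PO", CREATE, "ECPO", "PORG1", "PGRP1"))  # True
    print(document_check(PURCHASER, "BBP_PD_PO", CREATE, "ECPO", "PORG2", "PGRP9"))  # False
    print(sorted(allowed_actions(PURCHASER, "BBP_PD_SC", {CHANGE, PRINT, DELETE}, "SHC")))
```

The second PURCHASER authorization is the point of the model: it grants display everywhere, yet a create request in PORG2 still fails because no single authorization carries both PORG2 and ACTVT 01. This is also why the BAdI BBP_PD_AUTH_CHECK mentioned later in this guide is the right place for an additional restriction rather than a looser one: the standard check already fails closed.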
5. Other Checks
Some authorization objects were already checked prior to SRM 4.0 and have not been changed in the scope of the new authorization concept:
BBP_BUDGET (Authorization for budget check): The object controls whether a user can use the budget display (activity 03) or whether the user can also branch to the evaluation in BW (activity 28).
M_BBP_PC (Procurement card master data): This object checks in transaction BBM1 whether the user is allowed to display and change procurement card master data. The checked parameters are:
o PCINS: Procurement card company
o PCNUM: Procurement card number
o PCBEGRU: Authorization group
o PCMAS_ACT: Authorization activity for procurement card master
Note: The following value assignment is valid for the authorization field PCMAS_ACT and differs from the standard activity ACTVT: 01 = Create, 02 = Change, 03 = Display, 04 = Display list, 05 = Delete.
/SAPCND/CM (Maintenance of conditions for product master and contract): You can use this to control to what extent a user can create and change master data for conditions.
General checks for product masters
When you start transaction COMMPR01, several authorization checks are carried out simultaneously with one of the activities listed above:
COM_ASET, field ACTVT, value 03: Reading attributes
/SAPCND/CM
Partner Maintenance
The following authorization objects are checked in partner maintenance (supplier view):
BBP_FUNCT, field BBP_FUNCT, value CR_COMPANY: General check to establish whether the user can create business partners.
PLOG, fields PPFCODE = DISP; PLVAR = 01; OTYPE = US, O; INFOTYP = 1000, 1222, 1001, 5500, 5501, 5502, 5503; SUBTYP = 0020, A490, 0200, A002: Authorization checks during maintenance of personnel planning data and organizational structures.
B_BUPA_RLT, field ACTVT, value 03: Checks which business partner roles can be processed.
8. Other Checks
In User Maintenance (transaction SU01) on the Personalization tab, there are several Personalization Objects available for workflows (BBP_WFL_SECURITY, BBP_APPROVAL_LIMIT, BBP_SPENDING_LIMIT) and shopping carts (BBP_USER_BUDGET). You can use these to restrict the authorizations of users or to define value limits for control of approval workflows.
BAdIs have been integrated into the selection screens. These allow customers to further restrict the selected quantities.
In the Business Information Warehouse (BW), authorization tables are read before the results list is tailored to the calling user. (Authorization checks are not carried out, but access to the database is controlled appropriately.)
It is only possible to define several Companies in the hosted scenario. Consideration of Companies is hard-coded.
Note:
o The authorization profiles have to be regenerated after a system update because of the new authorization objects (transaction PFCG - Role Maintenance).
o The new authorization check is used as standard. If you do not want to use it, you can revert to the previous authorization check: IMG: Supplier Relationship Management -> SRM Server -> Master Data -> Create User -> Switch Back to Old Authorization Checks (SRM 3.0). (If the indicator is set, the old authorization objects are used. If not, only the new ones are used for checking.)
If required, you can enhance the standard checks. You can use the BAdI BBP_PD_AUTH_CHECK (Further Authorization Check for SRM Documents) to do this.
Appendix
Virus Checking of Document Attachments
SRM provides you with the opportunity to check office documents that you attach to SRM documents with a virus scanner before they are stored in the database. You must have a virus scanner installed and configured correctly. For more information, see SAP Implementation Guide -> SAP Web Application Server -> System Administration -> Virus Scanner Interface.
The virus scanning functions in SRM are activated when you implement BAdI BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains the structure that SRM uses for storing attachments: the field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the data part of the attachment (where the actual file is stored). Viruses are dealt with in the implementation; for example, the data part is deleted. An implementation of the function BBP_PD_MSG_ADD is also important, since the messages from this function are transferred to the user interface.
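The flow just described (scan the attachment before storage, delete the data part on a hit, and queue a message for the user interface) is modelled below as an added example. It is not SAP code and not the BBP_ATT_VIRSCAN implementation; it only mirrors the two fields the guide names, PHIO_FNAME and PHIO_CONTENT, and uses a constructed signature matcher in place of the Virus Scan Interface. The row width, the signature bytes and the file names are invented. It also covers one failure mode worth knowing about: because PHIO_CONTENT is a table of rows, a scanner fed row by row can miss a signature that straddles two rows, so the rows are joined before scanning.

```python
"""Constructed model of the attachment virus-check hook described above.

Added example, not SAP code and not the BBP_ATT_VIRSCAN implementation. It
follows the flow the guide describes: an attachment record carrying PHIO_FNAME
(file name) and the tabular field PHIO_CONTENT (file data, stored in rows) is
passed to the hook before the attachment is stored; on a hit the data part is
deleted and a message is queued for the user interface (the role the guide
gives to BBP_PD_MSG_ADD). The scanner is a constructed signature matcher
standing in for the Virus Scan Interface, and the signature bytes are invented.
"""
from dataclasses import dataclass, field

CHUNK_SIZE = 16   # constructed row width of the PHIO_CONTENT table


@dataclass
class Attachment:
    phio_fname: str
    phio_content: list   # list of bytes rows, like the tabular field


@dataclass
class CheckResult:
    stored: bool                                    # may the attachment be written?
    messages: list = field(default_factory=list)    # (type, text) pairs for the UI


# Constructed signature database standing in for the virus scanner.
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE": "Test.Signature.Constructed"}


def scan_bytes(data):
    """Return the name of the first matching signature, or None."""
    for signature, name in SIGNATURES.items():
        if signature in data:
            return name
    return None


def add_message(result, msg_type, text):
    """Stand-in for BBP_PD_MSG_ADD: queue a message for the user interface."""
    result.messages.append((msg_type, text))


def check_attachment(att):
    """The hook: scan the whole file before storage, drop the data on a hit.

    The rows are joined before scanning because a signature may straddle two
    rows of PHIO_CONTENT; scanning row by row would miss it.
    """
    result = CheckResult(stored=True)
    data = b"".join(att.phio_content)
    if not data:
        add_message(result, "W", f"{att.phio_fname}: attachment is empty, nothing scanned")
        return result
    hit = scan_bytes(data)
    if hit is not None:
        att.phio_content.clear()          # "the data part is deleted"
        result.stored = False
        add_message(result, "E", f"{att.phio_fname}: virus found ({hit}), attachment removed")
    return result


def to_rows(data, size=CHUNK_SIZE):
    """Split file bytes into table rows the way the attachment structure holds them."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    clean = Attachment("offer.doc", to_rows(b"plain office document content"))
    print(check_attachment(clean))
    bad = Attachment("macro.doc", to_rows(b"xx CONSTRUCTED-TEST-SIGNATURE xx"))
    print(check_attachment(bad), bad.phio_content)
```

In the second sample the 26-byte signature begins in the first 16-byte row and ends in the second, which is exactly the case a per-row scan would pass as clean.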
Related Guides
For more information about the security of SAP applications, see: http://service.sap.com/security and http://service.sap.com/securityguide.
Documentation mentioned and pointed to in this Guide (links are relative to http://service.sap.com):
Area/Topic: SRM
  Guide/Documentation: SRM Master Guide
  Link: /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Master Guide - mySAP SRM
Area/Topic: CCM
  Guide/Documentation: CCM Configuration Guide
  Link: /ibc-srm -> Catalog Content Management -> Business Scenario Configuration Guide
Area/Topic: TREX
  Guide/Documentation: TREX 6.1 Installation Guide
  Link: /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide Search and Classification (TREX)
Area/Topic: LAC
  Guide/Documentation: LAC 2.0 Installation Guide
  Link: /instguides -> mySAP Business Suite Solutions -> mySAP SRM -> Using SAP EBP 5.0 -> Installation Guide: Live Auction Cockpit 2.0
Area/Topic: NetWeaver
  Guide/Documentation: SAP NetWeaver '04 Security Guide
  Link: /security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide
  Guide/Documentation: NetWeaver Technical Operations Manuals
  Link: Administration of SAP WAS and SAP NetWeaver Components: SAP NetWeaver Technical Operations Manual
Area/Topic: Network Integration
  Guide/Documentation: Network and Communication Security
  Guide/Documentation: SAP Web AS Security Guide for ABAP Technology; SAP Web AS Security Guide for Java Technology
  Link: /security -> Security in Detail -> SAP Security Guides -> SAP NetWeaver '04 Security Guide -> Security Guides for the SAP NetWeaver Components -> SAP Web Application Server Security Guide
  Guide/Documentation: User Authentication: Internet Transaction Server Security; Authentication and Single Sign-On
Area/Topic: SSL
Area/Topic: J2EE
  Guide/Documentation: Security Guide for Connectivity with the SAP J2EE Engine; Transport Layer Security on the SAP J2EE Engine
Area/Topic: J2EE (SSL)
  Guide/Documentation: Configuring the Use of SSL on the SAP J2EE Engine
Further guides (Guide/Documentation: Link):
  SAProuter Documentation: SAProuter
  ITS Administration Guide: ITS Administration Guide
  RFC Security Guide: RFC/ICF Security Guide
  SAP Web Dispatcher Documentation: SAP Web Dispatcher, Configuring the SAP Web Dispatcher to Support SSL
  Ports Settings: TCP/IP Ports used by SAP Applications
  Security Aspects for BSP: Security Aspects for BSP
  XI Security Guide: /security -> Security in Detail -> SAP Security Guides -> SAP Exchange Infrastructure (XI) Security Guides -> SAP Exchange Infrastructure Security Guide
  XI Installation Guide: /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Installation Guide - SAP Exchange Infrastructure 3.0
  XI Configuration Guide: /instguides -> SAP NetWeaver -> Release 04 -> Installation -> Configuration Guide - SAP XI 3.0
Area/Topic: SAP BW (BI)
  Guide/Documentation: SAP Business Information Warehouse Security Guide
Area/Topic: Enterprise Portal
  Guide/Documentation: EP Security Guide
You can find more guides related to the NetWeaver platform on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> SAP NetWeaver -> Installation
You can find SRM-related guides on the SAP Service Marketplace: http://service.sap.com -> SAP NetWeaver in Detail -> Solution Life-Cycle Management -> Installation -> Installation and Upgrade Guides -> mySAP Business Suite Solutions -> mySAP SRM
Additional Information
Special Information for the Live Auction Cockpit 2.0
(Only relates to the SRM scenario Strategic Sourcing with LAC WPS 2.0.)
Which part of Live Auction should be set up in which network segment?
The client portion of Live Auction (Java applet) is deployed on the Internet. The applet communicates with the LAC on the J2EE (6.40) server. Therefore the external user has to allow the applet to be downloaded. The server portion (Web AS) should be located on the LAN. The SAP system (R/3) should be located on the LAN.
Where exactly is data stored?
System configuration data is stored in properties files on the WAS. (System configuration data is shipped with the system.) Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored during run-time of the application.) No temporary data is stored anywhere else.
Which type of data access is required at what point in time?
Read access to system configuration data is required during server start-up. Read and write access to transactional data is required during run-time.
What level of protection is recommended for which data?
Administration system permissions should be used to restrict access to the Live Auction properties configuration in the WAS Visual Administrator. Customers must ensure that only system administrators have access to the WAS Visual Administrator. Configuration data in the WAS Visual Administrator is protected by a password.
Password Encryption
Access to the WAS Visual Administrator needs a password. This password is set during the installation of WAS. For the LAC scenario, the username is J2EE_ADMIN and the password is whatever was set by the first accessing user (normally a consultant). Only a dummy password is stored as a file in the deployment EAR file before deployment of the application. Once the application is deployed, the value is encrypted internally in the J2EE database and can only be accessed through the J2EE Visual Administrator. After the deployment, it is necessary to change the password via the Visual Administrator. (The Visual Administrator tool can be configured to use SSL, so the communication between the Visual Administrator and the J2EE server can be secured.) (In UME [part of J2EE 6.40], the property values are stored in the same way. It is not necessary to encrypt the content of the password stored as real values in the DB, since communication between the Visual Administrator and the J2EE server can be secured as well.)
RFC users should be created for RFC/JCo connections to the SAP systems.
JCO-RFC-Password for Live Auction to SRM server:
The dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction application and the SRM Server. Once WAS has been installed and the LAC application has been deployed, it is necessary to use the WAS Visual Administrator to configure this JCO-RFC password/username so that the Live Auction application can run. (At present, this JCo RFC password is masked as ***** when it is entered, just as in R/3 transaction SU01. A consultant with administrator authorization on the J2EE engine can only reset the password, just as in the R/3 transaction SU01.)
Does the application require an Internet browser as the user interface?
The SRM Live Auction client (Java applet) requires an Internet browser. Cookies are only used by the User Management Engine (UME) for Single Sign-On (SSO) tickets.
Which RFC/JCo destinations are delivered/required?
The Live Auction application establishes RFC connections via JCo. (There is no need to maintain RFC destinations in SM59 for Live Auction, since the JCo server is not used.)
What is the minimum authorization required by the communication user for RFC/JCo connections?
The communication user can be defined as a system user in a production system where there is no need for the JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction. (In a productive system, a dialog (RFC) user always represents a limited security risk.)
SSO and SAP Logon Tickets
The SRM Live Auction application uses the UME API to verify Single Sign-On tickets. No user data is replicated, since all user data is in the EBP Bidding Engine on the SRM Server. (User data synchronization is not required.) By default, the SRM Live Auction application accepts SAP Logon Tickets.
Details of the logon scenario for SRM Live Auction: Purchaser and bidder log on to SRM through the standard logon page. Inside the Bidding Engine auction user interface (Sourcing Cockpit) the Live Auction applet is launched. For Single Sign-On and user validation the Java user management client is used. If the applet's URL is typed directly into the browser window, the user is validated through UME 4.0 and redirected to a UME 4.0 logon page. After successful logon he is redirected back to the applet.
Authorization and Roles
No roles are delivered with Live Auction. All roles are delivered with SRM Server. Customers do not need to create any additional roles.
Are authorization technologies other than roles used?
Yes, bidders must be added to an auction's invitation list in order to view and bid on that auction using Live Auction. Bidders are added to this invitation list (in the SRM Server system) when the auction is created. Since this is a private auction (Bidding Engine), there is no self-registration or subscription.
Logon/Users/Password
There are two ways to create users for SAP Catalog Search Engine:
For security reasons, we recommend that you create named users in SAP Catalog Search Engine and that users use Single Sign-On to log on.
For more information on both options, see SAP Service Marketplace at http://service.sap.com/ibc-srm -> Catalog Content Management -> CCM Business Scenario Configuration Guide, chapter: Configuring SAP Catalog Search Engine.