7/22/2019 Web Channel Security 3.0
1/118
Security Guide
SAP Web Channel Experience Management 3.0
Target Audience
System administrators
Technology consultants
Security consultants
CUSTOMER
Document version: 1.4, 2013-02-07
Document History
CAUTION
Before you start the implementation, make sure you have the latest version of this document.
You can find the latest version on SAP Service Marketplace at http://service.sap.com/securityguide or at http://service.sap.com/wec-inst.
The following table provides an overview of the most important document changes:
Version  Date        Description
1.0      2012-11-29  Initial version.
1.1      2012-12-05  Restructuring done to make what was previously section 15.9 into chapter 16 Security Checklist.
1.2      2013-01-10  Addition of reference to SAP Note 1029819 to chapter 2.2 Important SAP Notes.
1.3      2013-01-16  Correction in section 12.4.1 Restricting Access to the Administration Area of Web Channel Applications.
1.4      2013-02-07  Addition of caution in section 8.1.1.1 HTTPS Switch.
Table of Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1 Why Is Security Necessary? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2 Overview of the Guide's Main Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1 Fundamental Security Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Important SAP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 3 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 4 Security Aspects of Data, Data Flow, and Processes . . . . . . . . . . . . . . . . . 17
4.1 General Data Flow of Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . 17
4.2 Data and Data Flow of Specific Web Channel Functionality . . . . . . . . . . . . . . . 18
4.2.1 Web Channel Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2.2 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.2.3 Product Catalog and Product Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2.3.1 Product Catalog: Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2.3.2 Product Catalog: Adding to the Shopping Cart . . . . . . . . . . . . . . . . . . . . . . . . 20
4.2.3.3 Product Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 5 User Administration and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1.1 User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.1.2 Internet User Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.1.2.1 Web Shop Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.1.2.2 Web Channel Builder Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2.1 Service User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2.2 Administration User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2.3 Internet User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2.3.1 UME Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2.3.2 Web Channel Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.3.3 Follow-On Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.3.4 User Identification Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.2.3.5 Early Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.3 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.3.1 User Administration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.3.1.1 Service Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.3.1.2 Web Channel Builder Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.3.1.3 Web Shop Customers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.3.1.4 Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.3.2 User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.3.3 Users Relevant for Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.4 User Data Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.5 Integration into Single Sign-On (SSO) Environments . . . . . . . . . . . . . . . . . . . 37
5.5.1 Secure Network Communications (SNC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.6 User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 6 Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.1 Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.1.1 Roles and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.1.1.1 Predefined User Roles on SAP NetWeaver AS ABAP . . . . . . . . . . . . . . . . . . . . . 39
6.1.1.2 Predefined User Roles on SAP NetWeaver MDM . . . . . . . . . . . . . . . . . . . . . . . 43
6.1.1.3 Predefined User Role on SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . . . . . . 44
6.1.1.4 Additional Aspects of Web Channel User Roles . . . . . . . . . . . . . . . . . . . . . . . . 45
6.1.1.5 Authorization Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
6.1.2 SU24 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
6.1.2.1 Service Name Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2.2 Web Channel Module ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2.3 Service Name Suffix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2.4 Authorization Trace Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2 Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2.1 Standard Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2.2 Critical Authorizations and Combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.2.3 Special Web Channel Authorization Objects . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.2.3.1 Document Authorization Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.3.2 Web Channel Builder Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.2.3.3 Authorization Values of Different Web Channel Builder User Roles . . . . . . . . . 55
6.2.3.4 Authorizations Required for Setting Certain Request URL Parameters . . . . . . . 56
6.2.3.5 Authorizations for Development, Testing, and Support . . . . . . . . . . . . . . . . . 57
6.2.4 Business Object Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.2.4.1 Authorizations Based on the Access Control Engine in SAP CRM . . . . . . . . . . 57
6.2.4.2 Business Object Access Control in SAP ERP . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Chapter 7 Session Security Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.1 Session Security Protection on SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . 59
7.1.1 Recommended Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.1.1.1 Switch to HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7.1.1.2 HTTPS for Whole Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
7.1.2 Session Security Aspects of the Product Catalog . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 8 Network and Communication Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
8.1 Communication Channel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
8.1.1 HTTPS for Web Channel Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.1.1.1 HTTPS Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
8.1.1.2 HTTPS Servlet Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
8.1.1.3 Grace Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
8.1.1.4 HTTPS in the Administration Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
8.2 Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
8.2.1 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
8.2.2 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
8.3 Communication Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
8.3.1 RFC Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
8.3.1.1 Automatic Creation of Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
8.3.2 SAP NetWeaver MDM Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Chapter 9 Data Storage Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
9.1 Storage Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
9.1.1 SAP Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
9.1.2 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
9.1.2.1 HTTPSRequired Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
9.1.2.2 COMSAPWECUM01 Cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
9.1.2.3 Java Cart Cookie (recoverCart) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
9.1.2.4 Additional Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
9.1.3 Database of SAP NetWeaver AS Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.1.4 Secure Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.1.5 File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9.1.6 Encryption of Payment Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
9.1.7 Encryption of Gift Card Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
9.1.8 Customer-Specific List Price . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 10 Web Application Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
10.1 HTTP Request Serialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
10.2 Cross Site Scripting (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
10.3 Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
10.4 Session Riding: Cross Site Request Forgery (XSRF) . . . . . . . . . . . . . . . . . . . . . 83
10.5 File Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
10.5.1 Virus Scanning for Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
10.5.2 Upload of Attachments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
10.6 Cookie Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
10.6.1 Secure Cookie Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
10.6.2 HttpOnly Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
10.6.3 Application Cookie Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
10.7 Session Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
10.8 Fast Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
10.9 Distributed Denial-of-Service Attacks (DDOS) . . . . . . . . . . . . . . . . . . . . . . . . . 88
10.10 URL Session Rewriting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
10.11 ZIP Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
10.12 Autocompletion Attribute of UI Components . . . . . . . . . . . . . . . . . . . . . . . . . 89
10.13 Clickjacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 11 Security for Additional Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
11.1 Integrating Payment Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
11.2 Securing the Communication Between the Back-End System and SAP NetWeaver MDM . . . 91
Chapter 12 Other Security-Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
12.1 Security-Relevant Module Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
12.2 Web Channel Builder (WECB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
12.2.1 Web Channel Builder Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
12.2.2 Application Preview in Web Channel Builder . . . . . . . . . . . . . . . . . . . . . . . . . . 94
12.2.3 Web Channel Builder Password Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.2.4 Web Channel Builder Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.2.5 Web Channel Builder Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.3 Web Channel User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.3.1 User Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
12.3.2 Self-Registration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
12.3.3 Forgotten Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
12.3.4 Guest User Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
12.3.5 User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
12.3.6 Digitally-Signed E-Mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
12.4 Web Channel Administration Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
12.4.1 Restricting Access to the Administration Area of Web Channel Applications . . . . 97
12.5 Security-Relevant Information for Other Web Channel Modules . . . . . . . . . . 98
12.5.1 Java Cart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
12.6 Additional Security Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
12.6.1 JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
12.6.2 AJAX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
12.6.3 Theme Server Location and HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
12.6.4 Search Engine Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
12.6.5 Web Application ID (WEC-APPID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
12.6.6 Error Page and Runtime Error Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
12.6.7 URL Parameter wec-debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
12.6.8 Exception Hierarchy and Mapping to Error Pages . . . . . . . . . . . . . . . . . . . . . . 101
12.6.9 Dynamic UI Help Texts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Chapter 13 Payment Card Security According to PCI-DSS . . . . . . . . . . . . . . . . . . . . . 103
Chapter 14 Security Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
14.1 Web Channel Log and Trace Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
14.2 Session Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
14.3 Excluding Sensitive Data from Session Tracing . . . . . . . . . . . . . . . . . . . . . . . 106
Chapter 15 Web Service Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
15.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
15.1.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
15.1.2 Authentication Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
15.2 Communication Channel Security: Force HTTPS . . . . . . . . . . . . . . . . . . . . . 109
15.3 Error Handling: Project Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
15.4 Logging and Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
15.5 Session Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
15.6 Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
15.7 Authorization Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
15.8 Cross-Site Request Forgery Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Chapter 16 Security Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
1 Introduction
CAUTION
This guide does not replace the administration or operation guides that are available for productive
operations.
This document is not included as part of the installation guides, configuration guides, technical
operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software
lifecycle, whereas security guides provide information that is relevant for all lifecycle phases.
1.1 Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, security
demands are also on the rise. When using a distributed system, you need to be sure that your data and
processes support your business needs without allowing unauthorized access to critical information.
User errors, negligence, or attempted manipulation of your system should not result in loss of
information or processing time.
These security demands also apply to SAP Web Channel Experience Management (Web Channel).
Web Channel allows you to do your business over the Internet. Security is therefore important, because
any business-related information can be accessed and your application can be the target of many
different attack scenarios.
The following table provides an overview of some attack scenarios and references to subsections that
contain details on how to protect your application:
Attack Scenarios

Attack type: Broken access control
Description: Restrictions on the activities that authenticated users are permitted to perform are not enforced.
Relevant subsections: User Administration and Authentication; Data Storage Security; Other Security-Relevant Information

Attack type: Broken authentication and session management
Description: The account credentials and session tokens may not be properly protected. As a result, attackers can overcome authentication restrictions to access passwords, keys, session cookies, or other tokens and assume other users' identities.
Relevant subsections: Network and Communication Security

Attack type: Storage that is not secure
Description: Data stored in files is not protected accordingly.
Relevant subsections: Data Storage Security

Attack type: Distributed denial-of-service (DDOS)
Description: DDOS attacks
Relevant subsections: Other Security-Relevant Information

Attack type: Cross-site request forgery attack
Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF, is a type of malicious exploit of a Web site whereby unauthorized commands are transmitted from a user that the Web site trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. For more information, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
Relevant subsections: Web Application Security

Attack type: Cross-site scripting
Description: Cross-site scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted Web sites. Cross-site scripting attacks occur when an attacker uses a Web application to send malicious code, generally in the form of a browser-side script, to a different end user. For more information, see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
Relevant subsections: Web Application Security

Attack type: Session fixation
Description: Session fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the Web application manages the session ID: when authenticating a user, the vulnerable Web application doesn't assign a new session ID, making it possible to keep using an existing session ID. The attack consists of inducing a user to authenticate with a known session ID and then hijacking the user-validated session through knowledge of that session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it. Session fixation is a class of session hijacking; classic session hijacking steals the established session between the client and the Web server after the user logs in, whereas session fixation fixes a session on the victim's browser in advance, so the attack starts before the user logs in. For more information, see https://www.owasp.org/index.php/Session_fixation.
Relevant subsections: Session Security Protection; Web Application Security
To assist you in securing Web Channel scenarios and applications, we provide this security guide.
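The session fixation and cross-site request forgery rows above describe the two server-side behaviours that close these attacks: the application must issue a fresh session ID at the moment a user authenticates (so an ID planted before logon is worthless afterwards), and state-changing requests must carry a token that only the authenticated session knows. The following is an added example written for this guide's readers, not Web Channel or SAP NetWeaver code; it models a generic in-memory session store (the names SessionStore, login and check_csrf are assumptions) so that both countermeasures can be exercised and checked offline.

```python
"""Session-ID rotation at logon and per-session CSRF tokens.

Added illustrative example; it is not Web Channel code and the
SessionStore API below is invented for this demonstration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until authentication succeeds
    csrf_token: str = ""                # issued only for authenticated sessions
    cart: List[str] = field(default_factory=list)  # pre-logon state worth keeping


class SessionStore:
    """Minimal server-side session store (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        """Create an anonymous (guest) session and return its ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate the user and rotate the session ID.

        Session fixation countermeasure: the ID the browser presented
        before logon is retired, the guest state (cart) is carried over
        to a newly generated ID, and the old ID no longer resolves.
        """
        state = self._sessions.pop(sid, None)
        if state is None:
            state = Session()          # unknown/expired ID: start clean
        state.user = user
        state.csrf_token = secrets.token_urlsafe(32)   # CSRF token bound to this session
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def check_csrf(self, sid: str, submitted: str) -> bool:
        """Accept a state-changing request only with the session's own token.

        A cross-site request can make the browser send the session cookie,
        but it cannot read the token, so a forged request fails this check.
        """
        s = self._sessions.get(sid)
        if s is None or s.user is None or not s.csrf_token:
            return False
        return hmac.compare_digest(s.csrf_token, submitted)


def rotation_defeats_fixation() -> bool:
    """Constructed scenario: a pre-logon ID known to a third party is
    presented by the victim at logon. After logon that ID must be dead
    while the victim's state survives under the new ID."""
    store = SessionStore()
    planted_sid = store.new()                  # ID known before logon
    store.get(planted_sid).cart.append("item-1")
    victim_sid = store.login(planted_sid, "alice")
    old_id_dead = store.get(planted_sid) is None
    state_kept = store.get(victim_sid).cart == ["item-1"]
    return old_id_dead and state_kept and victim_sid != planted_sid


def token_blocks_forged_request() -> bool:
    """Constructed scenario: a request carrying the session cookie but a
    guessed token is rejected; the genuine token is accepted."""
    store = SessionStore()
    sid = store.login(store.new(), "alice")
    genuine = store.get(sid).csrf_token
    return store.check_csrf(sid, genuine) and not store.check_csrf(sid, "guessed-token")


if __name__ == "__main__":
    print("fixation defeated:", rotation_defeats_fixation())
    print("forged request blocked:", token_blocks_forged_request())
```

Two design points matter in practice: the rotation happens inside the authentication step itself, not afterwards on a separate request, and the token check refuses unauthenticated or unknown sessions outright rather than treating an empty token as a match. A real servlet container does the rotation for you when the session is invalidated and re-created at logon; the example only makes the required behaviour visible.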
1.2 Overview of the Guide's Main Sections
The security guide contains the following main sections:
Before You Start
This section contains information about why security is necessary, how to use this document, and
references to other security guides that build the foundation for this security guide.
Technical System Landscape
This section provides an overview of the technical components and communication paths that
are used by Web Channel applications.
Security Aspects of Data, Data Flow, and Processes
This section provides information on data and data flows for Web Channel applications.
User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
  - Recommended tools to use for user management
  - User types that are required by Web Channel applications
  - Standard users that are delivered with Web Channel applications
  - Overview of the user synchronization strategy, if several components or products are involved
  - Overview of how integration into single sign-on environments is possible
Authorization
This section provides an overview of the authorization concept that applies to Web Channel
applications.
Session Security Protection
This section provides session security protection information including recommended settings,
details on in-session switching from HTTP to HTTPS, and security information pertaining to the
product catalog.
Network and Communication Security
This section provides an overview of the communication paths used by Web Channel and the
security mechanisms that apply. It also includes our recommendations for the network topology
to restrict access at the network level.
Data Storage Security
This section provides an overview of any critical data that is used by Web Channel applications and
the security mechanisms that apply.
Web Application Security
This section provides security information that applies to Web applications. The section includes
countermeasures for specific attack scenarios.
Security for Additional Applications
This section provides security information that applies to applications that are used with Web
Channel applications.
Other Security-Relevant Information
This section contains information about Web Channel application security that was not covered
in the previous sections.
Payment Card Security According to PCI-DSS
This section provides information about payment card security.
Security Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant
information, for example, so you can reproduce activities if a security breach occurs.
Web Service Security
This section provides security information relevant for Web Channel Web services.
Security Checklist
This section provides an overview of the tasks required to ensure Web Channel application security.
2 Before You Start
2.1 Fundamental Security Guides
SAP Web Channel Experience Management uses a framework that provides logic composition
capabilities to expose functionality from a SAP CRM or SAP ERP back end in Web Channel applications.
Web Channel applications based on SAP CRM can include e-commerce, e-service, and e-marketing
functionality. With SAP ERP, the functionality is restricted to e-commerce. To enable Web Channel
scenarios, Web Channel applications leverage different components such as the Internet Pricing and
Configuration Engine (IPC), or product catalogs on SAP NetWeaver Master Data Management (SAP
NetWeaver MDM) servers. Furthermore, third-party products for knowledge management and other
functionality can be included.
Web Channel application scenarios are built using ABAP functionality (RFC function modules) on the
SAP CRM or SAP ERP server and Java-based functionality on the SAP NetWeaver Application Server
Java (SAP NetWeaver AS Java). The Java-based applications on the SAP NetWeaver AS Java provide the
user interface that is based on Java Server Faces (JSF).
The corresponding security guides also apply to the Web Channel applications. The most relevant
sections or specific restrictions are listed in the following table:
Fundamental Security Guides

Scenario, application, or component: SAP NetWeaver AS Java/ABAP
Security guide: http://service.sap.com/securityguide, under SAP NetWeaver

Scenario, application, or component: SAP CRM
Security guide: http://service.sap.com/securityguide, under SAP Business Suite Applications, SAP CRM

Scenario, application, or component: SAP ERP
Security guide: http://service.sap.com/securityguide, under SAP Business Suite Applications, SAP ERP

Scenario, application, or component: SAP NetWeaver MDM Product Catalog
Security guide: http://service.sap.com/securityguide, under SAP NetWeaver, SAP NetWeaver MDM
For a complete list of the available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.
2.2 Important SAP Notes
The SAP Notes that are relevant to the security of Web Channel are listed in the following table:
SAP Note Title
891659 Composite Security Note: AS Java
77503 Audit Information System
1029819 Encryption of payment cards in SD and customer master
You can also find a list of security-relevant SAP Hot News and SAP Notes on SAP Service Marketplace
at http://service.sap.com/securitynotes.
2.3 Additional Information
For more information about specific topics, see the relevant documents on SAP Service Marketplace,
as listed in the following table:
Content SAP Service Marketplace Address
Security http://service.sap.com/security
Security Guides http://service.sap.com/securityguide
Related SAP Notes http://service.sap.com/notes
Released Platforms http://service.sap.com/platforms
Network Security http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
3 Technical System Landscape
The figure below shows an overview of the technical system landscape for Web Channel.
Figure 1: Technical System Landscape
Web Channel applications are deployed to SAP NetWeaver AS Java and run in the Web Container of
SAP NetWeaver AS Java. Different back-end systems can be used to run the business logic. Standard
Web Channel supports the SAP CRM or SAP ERP back ends. The SAP NetWeaver MDM server provides
the product catalog functionality.
Figure 2: Web Channel UI Based on Java Server Faces
The Web Channel UI is based on JavaServer Faces 2.0; Apache MyFaces 2.1.7 and Velocity templates
are used for UI rendering. AJAX capabilities are provided by the jQuery library. Web Channel
applications can run in different Web browsers and are called via HTTP or HTTPS. Connections to
the back-end system are established via RFC using the SAP Java Connector (JCo); the destination
information, including the credentials of the service user, is maintained in the destination service
of SAP NetWeaver AS Java. Web Channel Builder (WECB) is used to configure Web Channel applications.
To allow application support and monitoring, each Web Channel application provides an
Administration area.
For more information about the technical system landscape, see the resources listed in the following
table:
Topic: Technical description for Web Channel and the underlying components such as SAP NetWeaver
Guide/Tool: Master Guide
Quick Link to the SAP Service Marketplace: http://service.sap.com/wec-inst

Topic: Installation Guide for Web Channel
Guide/Tool: Installation Guide
Quick Link to the SAP Service Marketplace: http://service.sap.com/wec-inst

Topic: High availability
Guide/Tool: High Availability for SAP Solutions
Quick Link to the SAP Service Marketplace: http://sdn.sap.com/irj/sdn/ha

Topic: Technical landscape design
Guide/Tool: -
Quick Link to the SAP Service Marketplace: http://sdn.sap.com/irj/sdn/landscapedesign

Topic: Security
Guide/Tool: See applicable documents
Quick Link to the SAP Service Marketplace: http://sdn.sap.com/irj/sdn/security
4 Security Aspects of Data, Data Flow, and Processes
4.1 General Data Flow of Web Channel Applications
The figure below shows an overview of the data flow for Web Channel applications using a SAP CRM
back-end system:
Figure 3: Data Flow for Web Channel Applications with SAP CRM Back End
The table below shows the security aspect to be considered for each process step and the mechanism
that applies:
Step  Description            Security Measure
1     User Submits Form      Communication protocol HTTPS
2     Process Business Data  RFC based on destination using the current SAP NetWeaver AS Java User
                             Management Engine (UME) user; user type: Dialog user; SNC
3     Return Data            Not applicable
4     Return 302 Response    Not applicable
5     Perform Redirect       Communication protocol HTTPS
6     Display Result         Communication protocol HTTPS
4.2 Data and Data Flow of Specific Web Channel Functionality
This section describes the security aspects of data and data flow of the specific Web Channel processes.
4.2.1 Web Channel Builder
Web Channel Builder is used to create and maintain Web Channel application configurations. It also
provides an approval process to allow distributed responsibilities for the release of application
configurations.
Initially, the Web Channel configuration data is stored in XML files below the CDM folder in the
application's WEB-INF folder. When the application starts, the configurations are imported into the
Java DB of SAP NetWeaver AS Java; from then on, the Java DB is always used to store configuration data.
4.2.2 User Management
Figure 4: Logon Data Flow
Step  Description                   Security Measure
1     User Submits Logon Form       Communication protocol HTTPS; user type: Dialog (UME) user
2     Check for Business Partner    RFC based on destination; SNC; user type: Service user
3     BP Available                  Not applicable
4     UME Authentication            Programmatic UME authentication (UME API call)
5     User Authenticated            Not applicable
6     UME User Details              Programmatic UME API call
7     Return User Details           Not applicable
8     Get Business Partner Details  RFC based on destination; SNC; user type: Dialog user
9     Return BP Details             Not applicable
10    Welcome User                  Not applicable
4.2.3 Product Catalog and Product Registration
The figure below provides an overview of the systems involved in the data flow for the product catalog
and product registration.
Figure 5: Product Catalog
4.2.3.1 Product Catalog: Browsing
The product catalog operates in the following modes:
Anonymous
This allows non-registered users to browse the catalog.
Registered user
This allows Internet users in the consumer and contact scenarios to browse the catalog.
4.2.3.2 Product Catalog: Adding to the Shopping Cart
Web Channel provides the following options for shopping carts:
Back-end cart
With this option, the Web shop is configured with back-end functionality from either SAP CRM
or SAP ERP. To add a product to the cart, the user must log on, either by registering or by
providing a user name and password. For more information, see User Administration Tools in the
section User Management of this guide.
Java cart
With this option, the Web shop is configured with a Java cart, which reduces the load on the
back end. In this scenario, logon is not required to add products or to view or modify the cart
contents, although it is still possible. At checkout, user logon is mandatory.
Figure 6: Back-End Cart
Figure 7: Java Cart
4.2.3.3 Product Registration
Figure 8: Product Registration
Product registration requires a user to be logged on.
5 User Administration and Authentication
Web Channel applications leverage the user management and authentication mechanisms provided
with the SAP NetWeaver platform, in particular SAP NetWeaver AS ABAP and AS Java. Therefore, the
security recommendations and guidelines for user administration and authentication described in
the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security
Guide also apply to Web Channel applications.
In addition to these guidelines, information about user administration and authentication that
specifically applies to Web Channel applications is available in the following topics:
User Management
This topic lists the tools to use for user management, the types of users required, and the standard
users that are delivered with Web Channel applications.
User Data Synchronization
Integration into Single Sign-On Environments
This topic describes how Web Channel applications support single sign-on mechanisms.
5.1 Users
5.1.1 User Types
To use Web Channel applications, different users are needed, such as the following:
Service users
Service or technical users are used to access business functionality on the SAP CRM or SAP ERP
back-end servers that can be used anonymously. These service users are maintained in the
corresponding SAP NetWeaver AS Java destinations and are used to establish anonymous stateless
or stateful connections to the back-end systems.
Administrators
Administrators are internal users who have the task to administer SAP NetWeaver AS Java and SAP
NetWeaver AS ABAP. These users can use the Admin area of Web Channel applications.
Reference users
A reference user provides default authorizations to Internet users in the self-registration process.
The user is not used for any dialog.
Internet users
Internet users are external or internal users who access the business functionality provided by Web
Channel applications. For Web Channel applications, the following kinds of Internet users can be
differentiated:
Web shop customers
To enable the usage of Web Channel business functions, Internet users of Web Channel
applications are linked to business partners. Different Internet user models, dependent on the
back-end system in use, exist for the Web Channel scenarios.
Delegated user administrator
Internet user with special authorizations to create and administer other Internet users for
their company.
Web Channel Builder users
For the internally used Web Channel Builder application, internal users are needed. For this
application no linkage to a business partner is needed.
5.1.2 Internet User Models
This section describes how the Internet users are modeled in the specific ABAP back-end system.
NOTE
If the User Management Engine (UME) used for authentication uses a different user persistency
than the back-end system (for example LDAP or database), an additional UME user must exist in the
UME data persistency. If Web Channel user management functionality is used to create and
maintain users, this is handled automatically. Additional UME users must be created manually if
other (non-Web Channel) functionality is used to create users.
5.1.2.1 Web Shop Customers
Consumer Scenario
In the consumer scenario, the Internet user is linked to a business partner that represents a consumer.
The realization of the business partner depends on the back-end system.
Figure 9: SAP CRM Consumer Scenario
On the SAP CRM back end, the business partner is realized as a business partner with partner role
Consumer. The linkage between the business partner and the SU01 user is built using the Central Person
(table HRP1001).
Figure 10: SAP ERP Consumer Scenario
On the SAP ERP back end, the business partner is realized as a KNA1 customer. The linkage between the
business partner and the SU01 user is built using the user object references (table USAPREF).
Contact Scenario
In the contact scenario, the Internet user is linked to a business partner that represents a contact person
for one or more customers. How the business partner is realized depends on the back-end system.
Figure 11: SAP CRM Contact Scenario
On the SAP CRM back end, partners with the partner roles Contact Person and Sold-to Party are used.
Figure 12: SAP ERP Contact Scenario
On the SAP ERP back end, the contact person is equivalent to an entry in table KNVK that is linked
to a KNA1 customer.
5.1.2.2 Web Channel Builder Users
Web Channel Builder (WECB) users do not need a business partner. In this case, only an SU01 user must
exist on the back-end system used for the WECB application.
5.2 User Authentication
5.2.1 Service User Authentication
Service users are specified in the destinations used by Web Channel applications. The authentication
of service users happens implicitly on SAP NetWeaver AS ABAP if a connection is established to the SAP
CRM or SAP ERP back-end system based on the destination containing the service user.
5.2.2 Administration User Authentication
For the Web Channel Administration area of Web Channel applications, container-based
authentication is used: in the Web descriptor (web.xml), a security constraint is declared that secures
the Web resources of the Web Channel Administration area. The default SAP NetWeaver AS Java
authentication stack (ticket) is used.
5.2.3 Internet User Authentication
Web Channel Internet user authentication consists of several authentication steps induced by the
Internet user model that is used for a Web Channel application. The step sequence below does not
reflect the sequence of processing at runtime.
Web Channel provides two different user authentication approaches, depending on the User Storage
System settings:
UME authentication
Web Channel logon (ABAP logon)
NOTE
Only UME authentication provides single sign-on (SSO) support, as well as sufficient protection
against session fixation attacks. For more information, see the following:
Integration into Single Sign-On Environments in this chapter
Session Security Protection chapter
Session Fixation in the Session Security chapter
5.2.3.1 UME Authentication
Web Channel applications use their own logon views for authentication. The logon views are embedded
into other Web Channel application pages. Consequently, the programmatic authentication of the
User Management Engine (UME), located on SAP NetWeaver AS Java, is used to authenticate users.
The programmatic authentication relies on the configured security policy of the Web Channel
application. A policy configuration determines the logon views that are in the authentication stack,
and any configurations that apply to that stack. For more information, see Authorization Concept of the AS
Java: http://help.sap.com/saphelp_nw73/helpdata/en/48/c943f3825c581ce10000000a42189c/
frameset.htm.
NOTE
The policy configuration property can be specified for the application configuration in the User
module of Web Channel Builder. The default value is Form, which defines a UME logon with a
username and password, but without SSO support.
With the User module, container-based authentication is avoided. For this reason, do not add any
security constraints for common Web Channel Web resources to the Web descriptor of Web Channel
applications. The programmatic authentication of the Web Channel applications relies on the
security policy form or the corresponding logon module stack.
For more information, see Policy Configurations and Authentication Stacks: http://help.sap.com/
saphelp_nw73/helpdata/en/99/f66e424925c253e10000000a1550b0/frameset.htm.
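The rule in the two preceding sections (one container security constraint for the Administration area, none for common Web resources, and HTTPS for the administration logon) can be checked mechanically against a deployed Web descriptor. The following Python script is an added example written for this guide; it is not part of the guide or of SAP's software. It assumes a hypothetical URL pattern /admin/* for the Administration area and runs over a constructed sample web.xml that is embedded inline.

```python
"""Lint a Web Channel web.xml for the security-constraint rule described above.

Added example, not SAP code. The URL pattern /admin/* for the Administration
area and the sample descriptor are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: one correct constraint on the Administration
# area and one constraint on common shop pages that the guide says must not exist.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Shop pages</web-resource-name>
      <url-pattern>/shop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customers</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""

ADMIN_PATTERNS = frozenset({"/admin/*"})  # assumed mapping of the Administration area


def _local(tag):
    """Return the tag name without its namespace, so namespaced and plain descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def lint_web_xml(xml_text, admin_patterns=ADMIN_PATTERNS):
    """Return a list of findings; an empty list means the descriptor follows the rule."""
    root = ET.fromstring(xml_text)
    findings = []
    admin_covered = False
    for sc in _children(root, "security-constraint"):
        has_auth = bool(_children(sc, "auth-constraint"))   # absent means open to everyone
        guarantees = _texts(sc, "transport-guarantee")
        for pattern in _texts(sc, "url-pattern"):
            if pattern in admin_patterns:
                admin_covered = True
                if not has_auth:
                    findings.append(f"{pattern}: no auth-constraint; the Administration area "
                                    "would be open to everyone")
                if "CONFIDENTIAL" not in guarantees:
                    findings.append(f"{pattern}: transport-guarantee is not CONFIDENTIAL; the "
                                    "administration logon could travel over plain HTTP")
            else:
                findings.append(f"{pattern}: container security constraint on a common Web "
                                "resource; Web Channel authenticates these programmatically via the UME")
    if not admin_covered:
        findings.append("no security constraint covers the Administration area")
    return findings


if __name__ == "__main__":
    for finding in lint_web_xml(SAMPLE_WEB_XML) or ["OK: descriptor follows the rule"]:
        print(finding)
```

Run against the sample, the script reports only the constraint on /shop/*; removing that constraint yields an empty list. The namespace handling matters in practice because Java EE descriptors declare a default namespace, which makes plain tag comparisons fail silently.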
5.2.3.2 Web Channel Logon
With Web Channel logon, no UME logon takes place. Internet users are authenticated via RFC modules
that call the ABAP Identity Management for authentication.
RECOMMENDATION
We recommend using UME authentication for Web Channel applications. Unlike Web Channel
logon, UME authentication enables the use of the session security protection of SAP
NetWeaver AS Java. For more information, see the sections Session Security Protection and Communication
Channel Security in this guide.
5.2.3.3 Follow-On Steps
Authorization check (only valid for Web Channel Builder users)
For Web Channel Builder, access is controlled by the authorization object COM_WEC_AP. The logon
process is only successful if the Internet users have been granted the required authorization.
Business partner determination (only valid for Web shop customers)
For Web shop customers of Web Channel applications, a business partner must be linked to the
user. During the logon of a Web shop customer, the existence of a business partner is checked on
the back-end system. The Web application is only usable if the required business partner exists.
5.2.3.4 User Identification Types
Web Channel supports the following user identification types:
User Name (based on the UME and SU01 user ID)
User Alias (based on the SU01 user alias)
E-Mail Address
Technical ID (for example, the Web shop customer ID)
The user ID and user alias identification types are based on UME and SU01 user data, whereas the e-mail
address and technical ID are based on business partner data. If the user alias, e-mail address, or technical
ID is used initially, the system retrieves the user ID related to the given identification. The user ID is
then used for the authentication with the given password. For example, when a user enters their e-
mail address, the system retrieves the business partner, and determines the related user object. The
user ID of the user object is then used for authentication.
RECOMMENDATION
For optimal security, use the user ID or user alias instead of the e-mail address or technical ID. The
user ID and alias are taken directly from the user object, whereas the e-mail address and technical ID
are business partner data that must first be mapped to a user ID before the password can be checked.
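The identification types above, the follow-on checks in 5.2.3.3, and the session fixation note in 5.2.3 can be seen together in one small model of the logon flow shown in Figure 4. The following Python code is an added example written for this guide and is not SAP code: the in-memory user and business partner records, the PBKDF2 password storage, the session dictionary, and the authorization set on the user record are stand-ins chosen for the illustration. The shared e-mail address of two business partners is constructed on purpose to show why the user ID or alias is the safer identification.

```python
"""Model of the Web Channel logon flow: resolve the identification, authenticate,
run the follow-on checks, then replace the pre-authentication session.

Added example, not SAP code. User records, business partners, password storage
and the session store are in-memory stand-ins constructed for this illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, stored):
    """Constant-time comparison of the recomputed digest with the stored one."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample data (not taken from any SAP system).
# User ID -> user record; alias and password hash are user data, "bp" links to a business partner.
USERS = {
    "JDOE":   {"alias": "jdoe",   "pw": hash_password("correct horse"),  "bp": "BP1001", "auth": set()},
    "ASMITH": {"alias": "asmith", "pw": hash_password("battery staple"), "bp": "BP1002", "auth": set()},
    "WECB1":  {"alias": "wecb",   "pw": hash_password("builder!"),       "bp": None,     "auth": {"COM_WEC_AP"}},
}
# Business partner ID -> business partner data. Two partners share one e-mail address on purpose.
BUSINESS_PARTNERS = {
    "BP1001": {"email": "shared@example.com", "technical_id": "C-1001"},
    "BP1002": {"email": "shared@example.com", "technical_id": "C-1002"},
}
DUMMY_HASH = hash_password("dummy")  # checked for unknown users so timing does not reveal them
SESSIONS = {}                        # session ID -> session data


class LogonError(Exception):
    pass


def resolve_user_id(identifier, id_type):
    """Map the entered identification to exactly one user ID.
    'id' and 'alias' come from the user object; 'email' and 'technical_id' are
    business partner data and need an extra lookup before any password is checked."""
    if id_type == "id":
        return identifier.upper() if identifier.upper() in USERS else None
    if id_type == "alias":
        matches = [u for u, r in USERS.items() if r["alias"] == identifier]
    elif id_type in ("email", "technical_id"):
        bps = {b for b, r in BUSINESS_PARTNERS.items() if r[id_type] == identifier}
        matches = [u for u, r in USERS.items() if r["bp"] in bps]
    else:
        raise ValueError(f"unknown identification type {id_type!r}")
    return matches[0] if len(matches) == 1 else None  # unknown or ambiguous: fail closed


def logon(identifier, id_type, password, pre_auth_sid, scenario="shop"):
    """Authenticate and return a fresh session ID; raise LogonError on any failure.
    Scenario 'shop' needs a linked business partner, 'wecb' needs authorization COM_WEC_AP."""
    uid = resolve_user_id(identifier, id_type)
    if uid is None:
        verify_password(password, DUMMY_HASH)   # spend the same time as a real check
        raise LogonError("logon failed")
    user = USERS[uid]
    if not verify_password(password, user["pw"]):
        raise LogonError("logon failed")        # same message as for an unknown user
    if scenario == "wecb" and "COM_WEC_AP" not in user["auth"]:
        raise LogonError("authorization COM_WEC_AP missing")
    if scenario == "shop" and user["bp"] not in BUSINESS_PARTNERS:
        raise LogonError("no business partner linked to the user")
    # Session fixation protection: drop the anonymous session and issue a new ID
    # only after authentication succeeded, so an ID planted before logon is worthless.
    SESSIONS.pop(pre_auth_sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": uid, "bp": user["bp"]}
    return new_sid


if __name__ == "__main__":
    print(resolve_user_id("shared@example.com", "email"))  # None: ambiguous e-mail, fail closed
    sid = logon("jdoe", "alias", "correct horse", pre_auth_sid="anon-123")
    print(sid != "anon-123", SESSIONS[sid])
```

Two design points carry over to a real deployment: an identification that maps to zero or several users is rejected before the password is examined, and the session identifier is renewed only after the authentication and the follow-on checks have all passed.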
5.2.3.5 Early Logon
You can configure early logon for Web Channel applications in the Usermodule of Web Channel
Builder. When you enable this setting, Web shop customers must log on before they can enter the Web
shop.
5.3 User Management
User management for Web Channel uses the mechanisms provided with SAP NetWeaver AS ABAP and
SAP NetWeaver AS Java, for example, tools, user types, and password policies. For an overview of how
these mechanisms apply to Web Channel applications, see the sections below. In addition, we provide
a list of the standard users required for operating Web Channel applications.
5.3.1 User Administration Tools
5.3.1.1 Service Users
The table below shows the tools to use for the user management and user administration of service
users.
Tool: Service user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: For more information, see User and Role Administration of Application Server
ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm.
Select the user type Service.

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
Prerequisites: UME user persistency equals the back-end system, for example SAP CRM or SAP ERP.
5.3.1.2 Web Channel Builder Users
The table below shows the tools to use for user management and user administration of Internet (dialog)
users of Web Channel Builder (WECB).
The configuration of the user storage system determines whether a WECB user must be created using
the Identity Management of SAP NetWeaver AS ABAP, SAP NetWeaver AS Java, or both.
Tool: User and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: For more information, see User and Role Administration of Application Server
ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm.
Select the user type Dialog.
Prerequisites: -

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
If the user storage system is set to UME Only, it is sufficient to create the Internet user using
SAP NetWeaver AS Java Identity Management. If the user storage system is set to ABAP and UME, the
Internet user must be created using both SAP NetWeaver AS Java and SAP NetWeaver AS ABAP Identity
Management.
Prerequisites: User storage system includes UME
5.3.1.3 Web Shop Customers
This section explains how to create and maintain Web shop customers.
Creating Web Shop Customers
You can create Web shop customers using either tool-based or manual methods.
Tool-Based Creation
The following options are available for tool-based creation of Web shop customers:
User Self-registration
This consists of Web shop customers using the registration guided activity to create their own
Internet users in the configured user storage system. In the consumer scenario, registration is
always available. In the contact scenario, you must enable registration in the User module in Web
Channel Builder. As part of the procedure to enable registration, you must activate one of the
following registration types:
With New Sold-To Party
This allows the customer to register both their company and their user.
With Existing Sold-To Party and Contact
This requires the customer to enter a valid company ID, and allows them to enter only their
own data as the contact person.
You can control registration in the contact scenario by means of a workflow. This allows customers
to register themselves and their company in the Web shop, but requires the approval of the Web
shop administrator.
Delegated user administration
This option is available for the contact scenario and is enabled in the User module of Web Channel
Builder. It allows delegated user administrators to create and maintain users for all of the sold-to
parties to which they are assigned. You can also configure this setting so that the first contact for
a new sold-to party is given superuser privileges that allow them to create and maintain users for
their company. As the creation and maintenance of users are security-critical operations, we
recommend that you grant these authorizations selectively, and that you do not assign them to the
reference users that are used for registration (otherwise every self-registered user would inherit
them). For more information, see SAP Library for SAP Web Channel Experience Management on SAP
Help Portal at http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library,
choose User Management > Delegated User Administration.
Manual Creation
Since an Internet user consists of an SU01 user and a business partner, user creation cannot be achieved
using SAP NetWeaver user maintenance alone. For Web shop customers, business partner maintenance
functionality is needed as well. Web shop customers can be created in both the consumer scenario and
the contact scenario using manual methods. Manual creation may be necessary if users are needed for
development and testing.
The following table lists approaches for manually creating Internet users in the consumer scenario.
Tool: SAP CRM business partner maintenance in SAP GUI (transaction BP)
Detailed description: 1. Create a business partner with partner role Consumer (CRM006). 2. Maintain
the Internet user partner role.
Prerequisites: Only available in SAP GUI

Tool: SAP CRM business partner maintenance in WebClient UI
Detailed description: -
Prerequisites: Only available in WebClient UI
NOTE: The application does not support central user administration.

Tool: SAP ERP customer maintenance (transactions VD0*); SAP ERP user and role maintenance with SAP
NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: 1. Create a customer. 2. Create an SU01 user. 3. Create user references to the
related customer (object type KNA1).
Prerequisites: -

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
Prerequisites: The Internet user is already created using the tools mentioned above. If the user storage
system is set to UME Only, the Internet user must be created in the UME as well.
The following table lists approaches for manually creating Internet users in the contact scenario.
Tool: SAP CRM business partner maintenance in SAP GUI (transaction BP)
Detailed description: 1. Create a business partner with business partner role Contact Person (BUP001).
2. Maintain the Internet user partner role. For more information, see Business Partners:
http://help.sap.com/saphelp_crm700_ehp02/helpdata/en/52/cff837a9aae651e10000009b38f8cf/frameset.htm
Prerequisites: Only available in SAP GUI

Tool: WebClient UI business partner maintenance
Detailed description: -
Prerequisites: Only available in WebClient UI
NOTE: The application does not support central user administration.

Tool: SAP ERP customer and contact person maintenance (transactions VD0* and VAP*); SAP ERP user and
role maintenance with SAP NetWeaver AS ABAP (transactions SU01 and PFCG)
Detailed description: 1. Create a customer and a contact person. 2. Create an SU01 user. 3. Create user
references to the related contact person (object type BUS1006001) and the related customer (object
type KNA1).
Prerequisites: -

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
Prerequisites: The Internet user is already created using the tools mentioned above. If the user storage
system is set to UME Only, the Internet user must be created in the UME as well.
Delegated user administrators can use the tools described above to create Internet users. For more
information, see SAP Library for SAP Web Channel Experience Management on SAP Help Portal at
http://help.sap.com/wec. Choose a release and then Application Help. In SAP Library, choose User
Management > Creation of and Search for Delegated User Administrators.
Maintaining Web Shop Customers
The table below shows the tools that can be used to maintain the user part of an Internet user.
Tool: Administrator user and role maintenance with SAP NetWeaver AS ABAP (transactions SU01, PFCG)
Detailed description: For more information, see User and Role Administration of Application Server
ABAP: http://help.sap.com/saphelp_nw70ehp2/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm.
Internet users are dialog users; select the user type Dialog.
Prerequisites: You have created an Internet user.

Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm.
Prerequisites: You have created an Internet user. UME user persistency equals the back-end system,
for example SAP CRM or SAP ERP.
The table below shows the tools that can be used to maintain the business partner part of an Internet
user.
Tool: SAP CRM business partner maintenance in SAP GUI (transaction BP)
Detailed description: -
Prerequisites: Only available in SAP GUI

Tool: SAP CRM business partner maintenance in WebClient UI
Detailed description: -
Prerequisites: Only available in WebClient UI
NOTE: The application does not support central user administration.

Tool: SAP ERP customer maintenance (transactions VD0*)
Detailed description: -
Prerequisites: -
Web shop customers can maintain their own Internet user with Web Channel self-service. This allows
them to change their password and address data.
Depending on the settings made in Web Channel Builder, Web shop customers in the contact scenario
can also be maintained by company superusers using delegated user administration.
5.3.1.4 Administrators
The table below shows the tools to use for the user management and user administration of
administrators.
Tool: User Management Engine with SAP NetWeaver AS Java
Detailed description: For more information, see User Management Engine:
http://help.sap.com/saphelp_nw73/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm
Prerequisites: -
The tables below show the users required for operating SAP Web Channel Experience Management.

Delivered Users on SAP NetWeaver MDM Repository
System | User | Password | Role
SAP NetWeaver MDM | Admin | initial | Admin

SAP Web Channel Experience Management Users (Consumer Scenario and Contact Scenario)
System | User | Type | Description
Configured back-end system: SAP CRM or SAP ERP | Technical user for anonymous functionality | Service user | User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java, if UME persistency equals the ABAP back end. The user ID and password must be stored in the RFC destination for the connection.
Configured back-end system: SAP CRM or SAP ERP (and UME if user persistency does not equal the ABAP back-end system) | Internet user | Dialog user | The user that logs on to Web Channel applications. The full-state connection is established with this user. Created using one of the user management tools mentioned above.
Configured back-end system: SAP CRM or SAP ERP | Reference user | Reference user | This user is needed if self-registration is configured for consumer scenario applications. The user is automatically assigned to Internet users for authorization purposes.
SAP NetWeaver MDM | Technical user | - | This user is needed for product catalog functionality. The user is used to establish connections to the SAP NetWeaver MDM server that provides the product catalogs. This user must have the role WEBCHANNEL_CATALOGDISPLAY_ROLE.

Web Channel Builder Users
System | User | Type | Description
Configured back-end system: SAP CRM or SAP ERP | Technical user for anonymous functionality | Service user | User for establishing the stateless connection between Web Channel applications and the configured back-end system. Created using the User Maintenance (SU01) transaction on SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java. The user ID and password must be stored in the RFC destination for the connection.
Configured back-end system: SAP CRM or SAP ERP | Web Channel Builder User | Dialog user | The user that logs on to Web Channel Builder applications. The full-state connection is established with this user. Created using the User Maintenance (SU01) transaction in SAP NetWeaver AS ABAP or user management in SAP NetWeaver AS Java.
SAP NetWeaver AS Java Users Required for Administration
System | User | Delivered | Type | Default Password | Description
SAP NetWeaver AS Java | Administrator | Yes (part of SAP NetWeaver AS Java installation) | User administered on SAP NetWeaver AS Java | As defined during the installation of SAP NetWeaver AS Java | We recommend that you create a new user with fewer rights for the administration of Web Channel applications on SAP NetWeaver AS Java instead of using the SAP NetWeaver AS Java Administrator.

Users Required for the Web Channel Administration Area
System | User | Delivered | Type | Default Password | Description
SAP NetWeaver AS Java | Administrator | - | User administered on SAP NetWeaver AS Java | - | User who uses the Web Channel admin area. The user has the role Web Channel admin. The role is mapped to the server role Administrators.
5.4 User Data Synchronization
Web Channel can use the SAP NetWeaver AS Java User Management Engine (UME) for authentication.
The UME can use the following types of data sources:
Database of SAP NetWeaver AS Java
Directory service (LDAP)
User Management of SAP NetWeaver AS ABAP
Based on the configured UME data source, the Web Channel user storage configuration must be set
up accordingly. For more information, see the section Installing SAP NetWeaver 730 SP02 AS Java in the
SAP Web Channel Experience Management Installation Guide.
The configured UME data source influences the Internet users of Web Channel applications.
For Web Channel applications, users must be defined on the specific Web Channel ABAP back-end
system (SAP CRM or SAP ERP). If the UME data source is different from the Web Channel ABAP back-
end system, this means that two user entities with the same user ID are defined: one user in the UME
and one user on the back-end system. The only exception is that the back-end system is used as UME
user persistency.
There is no automatic user data synchronization between the ABAP back-end system and the UME
user persistency. However, the Web Channel user management enables user creation and maintenance
on the UME and the back-end system if Web Channel user management functions, such as self-
registration or the user administration, are used.
NOTE
If other applications are used to maintain users, for example the UME or transaction SU01 on the back-
end system, data synchronization must be carried out manually.
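Because nothing synchronizes the two user entities automatically, a periodic reconciliation of the Internet user IDs on both sides is a useful operational check. The following script is an added example for this guide, not SAP code: it compares a UME user ID export with an export of the Web Channel Internet users on the ABAP back end and reports the IDs that exist on only one side. The user IDs are constructed sample data; comparing IDs in upper case, and scoping the back-end export to Internet users only, are assumptions of the example.

```python
"""Reconcile Web Channel Internet user IDs between the UME data source and
the Web Channel ABAP back-end system (SAP CRM or SAP ERP).

Added example for this guide, not SAP code.  The guide states that, unless
the back-end system itself is the UME user persistency, every Internet user
exists twice (once in UME, once in the back end) and that nothing keeps the
two in sync.  This script compares two exported ID lists and reports the IDs
present on only one side, so they can be synchronized manually.
"""

# UME data source types named in the guide.
UME_DATASOURCES = {"DATABASE", "LDAP", "ABAP"}


def _normalize(ids):
    """ABAP user IDs are stored in upper case while UME IDs may not be, so
    IDs are compared upper-cased (an assumption of this example).  Blank
    entries, as found in hand-edited exports, are dropped."""
    return {uid.strip().upper() for uid in ids if uid.strip()}


def reconcile(ume_user_ids, backend_user_ids, ume_datasource):
    """Return a dict describing which IDs need manual synchronization.

    ume_user_ids:     IDs exported from the UME data source.
    backend_user_ids: IDs of the Web Channel Internet users on the back end
                      (assumed to be scoped to Internet users, not all users).
    ume_datasource:   "DATABASE", "LDAP" or "ABAP".  With "ABAP" the back end
                      is the UME persistency, so only one user entity exists
                      and there is nothing to reconcile (the guide's only
                      exception).
    """
    if ume_datasource not in UME_DATASOURCES:
        raise ValueError(f"unknown UME data source: {ume_datasource!r}")
    if ume_datasource == "ABAP":
        return {"sync_required": False, "missing_in_backend": [], "missing_in_ume": []}
    ume = _normalize(ume_user_ids)
    backend = _normalize(backend_user_ids)
    missing_in_backend = sorted(ume - backend)   # can authenticate, cannot work
    missing_in_ume = sorted(backend - ume)       # exists on back end, cannot log on
    return {
        "sync_required": bool(missing_in_backend or missing_in_ume),
        "missing_in_backend": missing_in_backend,
        "missing_in_ume": missing_in_ume,
    }


# Constructed sample exports (not real user IDs).
UME_EXPORT = ["shop.user1", "SHOP.USER2", "wcb_admin", " "]
BACKEND_EXPORT = ["SHOP.USER1", "SHOP.USER3", "WCB_ADMIN"]

if __name__ == "__main__":
    report = reconcile(UME_EXPORT, BACKEND_EXPORT, "LDAP")
    for key, value in report.items():
        print(f"{key}: {value}")
```

An ID reported under missing_in_backend can pass UME authentication but has no back-end user to work with, and one under missing_in_ume can never log on; both cases are resolved by creating the missing counterpart with the user management tools listed above.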
5.5 Integration into Single Sign-On (SSO) Environments
Single sign-on (SSO) is a specialized form of software authentication that enables users to authenticate
once to gain access to resources for multiple software systems. Web Channel makes use of various SSO options provided by SAP NetWeaver, such as client certificates, logon tickets, and SAML 2.0.
For information about the different options and how to configure your SAP NetWeaver AS, see Single
Sign-On for Web-Based Access: http://help.sap.com/saphelp_nw73/helpdata/en/4a/
672251117a0c89e10000000a42189b/frameset.htm.
When you configure a Web Channel application, you specify the type of SSO authentication to use by
selecting the corresponding policy configuration. For more information, see UME Authentication in the
User Authentication section of this guide.
5.5.1 Secure Network Communications (SNC)
SNC is available for user authentication and can be used in an SSO environment when using SAP GUI
for Windows or remote function calls (RFC).
SNC can be used for the connections from SAP NetWeaver AS Java to SAP CRM or SAP ERP. To use
SNC, maintain the Web Channel RFC destinations to the SAP CRM or SAP ERP system accordingly.
For more information about the required destinations for Web Channel applications, see the section
Communication Destinations in this guide.
For more information about SNC as part of network and transport layer security in SAP NetWeaver,
see Secure Network Communications (SNC): http://help.sap.com/saphelp_nw73/helpdata/en/
e6/56f466e99a11d1a5b00000e835363f/frameset.htm.
NOTE
The certificate used by SAP NetWeaver AS Java must be accepted by the back-end system.
5.6 User Management Configuration
In addition to settings specific to user management in UME and in the ABAP back-end systems, you
make settings in the User module of Web Channel Builder to define authentication and user
identification types. You can also specify early logon, user registration settings, e-mail templates,
methods for handling forgotten passwords (for example, security questions), and enable the guest user
scenario and delegated user administration.
6 Authorization
6.1 Authorization Concept
Web Channel applications use the authorization concept provided by SAP NetWeaver. Therefore, the
recommendations and guidelines for authorizations apply as described in the SAP NetWeaver Security
Guide: http://help.sap.com/saphelp_nw73/helpdata/en/4a/af6fd65e233893e10000000a42189c/
frameset.htm.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles.
When using ABAP technology, use the profile generator (transaction PFCG) for role maintenance. When
using Java, use the UME user administration.
NOTE
Since most of the business functionality of Web Channel applications runs on the SAP CRM or
SAP ERP system, the ABAP authorization concept is used more often. SAP NetWeaver AS Java
user groups are used if Web Channel applications need to be secured by Web container security
constraints.
6.1.1 Roles and Profiles
User roles are the container for authorization objects needed for specific tasks and functionality. The
authorizations are provided by authorization profiles. User roles and profiles are assigned to service
users and Internet users to enable the usage of Web Channel functionality.
Several Web Channel user roles are predefined and included in the standard delivery. Some roles are
delivered on SAP NetWeaver AS ABAP, and others are delivered on SAP NetWeaver AS Java.
The following subsections provide overviews of available predefined roles for each platform. We
recommend that you create your own copies of the roles, or run authorization traces to enable the
creation of user roles that suit your Web Channel applications.
6.1.1.1 Predefined User Roles on SAP NetWeaver AS ABAP
This section explains the user roles for various Web Channel applications in each back-end system.
NOTE
Create your own user roles as described in Authorization Proposals in this chapter, and specify the
authorization values according to your needs.
User Roles for Web Channel Builder
You use Web Channel Builder to configure Web Channel applications, send new or changed application
configurations through an approval process, set the go-live date for an application configuration, and
create product views. Web Channel Builder supports various different user roles, and Web Channel Builder users must be
assigned to one of these roles before they can launch the application. The back-end system (SAP CRM
or SAP ERP) used for the Web Channel applications determines which roles must be assigned to the
user.
To create and assign Web Channel Builder users, you must first configure user management
functionality in both the relevant back-end system (transaction SU01 in either SAP CRM or SAP ERP),
and in SAP NetWeaver AS Java User Management Engine (UME). If the user persistence in UME differs
from that used in the back-end system, you must create an additional UME user that has the same user
ID as the Web Channel Builder user in the back-end system. This additional user is only required for
authentication purposes, and should not be assigned any roles in UME.
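The two conditions above (every Web Channel Builder user carries a WECB role of the configured back-end system, and, when UME persistency differs, a role-less UME user with the same ID exists) can be verified against role assignment exports. The following check is an added example for this guide, not SAP code. It builds the expected role names from the SAP_CRM_WEC_WCB_* and SAP_ERP_WEC_WCB_* roles listed in the table that follows; the user IDs and role assignments are constructed sample data, and the finding codes are the example's own.

```python
"""Consistency check for Web Channel Builder (WECB) user setup.

Added example, not part of the SAP guide or delivery.  It checks the two
conditions the guide states for WECB users: each user needs one of the WECB
roles of the configured back-end system, and, when UME user persistency
differs from the back end, a UME user with the same ID must exist and must
carry no UME roles.  Inputs are dictionaries standing in for a back-end role
assignment export and a UME user/role export.
"""

# WECB role name suffixes from the guide's role table; the system prefix
# selects the SAP CRM (SAP_CRM_) or SAP ERP (SAP_ERP_) variant.
WCB_ROLE_SUFFIXES = (
    "WEC_WCB_ADMIN",
    "WEC_WCB_USER",
    "WEC_WCB_MANAGER",
    "WEC_WCB_USER_DISPLAY",
    "WEC_WCB_TU",
    "WEC_WCB_PROD_VIEWS",
    "WEC_WCB_TU_PROD_VIEWS",
)
SYSTEM_PREFIX = {"CRM": "SAP_CRM_", "ERP": "SAP_ERP_"}


def wcb_roles_for(system):
    """All WECB role names delivered for the given back-end system."""
    prefix = SYSTEM_PREFIX[system]
    return {prefix + suffix for suffix in WCB_ROLE_SUFFIXES}


def check_wcb_users(backend_roles, ume_roles, backend_system, ume_persistency_differs):
    """Return sorted (user_id, finding_code) pairs; an empty list means clean.

    backend_roles: {user_id: [roles assigned in SAP CRM/ERP]} for the
                   intended Web Channel Builder users.
    ume_roles:     {user_id: [roles assigned in UME]}; consulted only when
                   ume_persistency_differs is True.
    Finding codes (this example's own, not SAP terms):
      NO_WCB_ROLE         no WECB role of the configured back end assigned
      WRONG_SYSTEM_ROLE   a WECB role of the other back-end system assigned
      NO_UME_USER         no UME user with the same ID (persistency differs)
      UME_USER_HAS_ROLES  the UME counterpart carries roles; it should not
    """
    expected = wcb_roles_for(backend_system)
    other_systems = [s for s in SYSTEM_PREFIX if s != backend_system]
    foreign = set().union(*(wcb_roles_for(s) for s in other_systems))
    # User IDs are compared upper-cased (assumption: ABAP stores them that way).
    ume = {uid.upper(): list(roles) for uid, roles in ume_roles.items()}
    findings = []
    for user, roles in backend_roles.items():
        roles = set(roles)
        if roles & foreign:
            findings.append((user, "WRONG_SYSTEM_ROLE"))
        if not roles & expected:
            findings.append((user, "NO_WCB_ROLE"))
        if ume_persistency_differs:
            counterpart = ume.get(user.upper())
            if counterpart is None:
                findings.append((user, "NO_UME_USER"))
            elif counterpart:
                findings.append((user, "UME_USER_HAS_ROLES"))
    return sorted(findings)


# Constructed sample exports for an SAP CRM back end with separate UME persistency.
BACKEND_ROLES = {
    "WCB_ADMIN": ["SAP_CRM_WEC_WCB_ADMIN"],
    "WCB_EDITOR": ["SAP_CRM_WEC_WCB_USER"],
    "WCB_NOROLE": [],
    "WCB_WRONGSYS": ["SAP_ERP_WEC_WCB_USER"],
}
UME_ROLES = {
    "wcb_admin": [],
    "WCB_EDITOR": ["Administrators"],
    "WCB_WRONGSYS": [],
}

if __name__ == "__main__":
    for user, code in check_wcb_users(BACKEND_ROLES, UME_ROLES, "CRM", True):
        print(f"{user}: {code}")
```

With a single persistency (ume_persistency_differs=False) only the back-end role findings are produced, which matches the guide: the additional UME user is needed for authentication only when the two persistencies differ.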
The following table lists the common user roles for SAP CRM and SAP ERP that are contained in the
standard delivery of Web Channel Builder (WECB).
User Roles on SAP CRM or SAP ERP
System | Role | User | Description
SAP CRM | SAP_CRM_WEC_WCB_ADMIN | WECB Administrator | Web Channel Builder administrator with full application configuration authorization
SAP ERP | SAP_ERP_WEC_WCB_ADMIN | WECB Administrator | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_USER | WECB User | Web Channel Builder user with limited application configuration authorization. This is the main user for creating and editing Web Channel applications and configurations. This user can also submit configurations for approval.
SAP ERP | SAP_ERP_WEC_WCB_USER | WECB User | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_MANAGER | WECB Manager | Web Channel Builder manager with application configuration authorization on manager level. This user can view all applications and configurations and approve or reject configurations that have been submitted for approval.
SAP ERP | SAP_ERP_WEC_WCB_MANAGER | WECB Manager | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_USER_DISPLAY | WECB User | Web Channel Builder user with display authorization
SAP ERP | SAP_ERP_WEC_WCB_USER_DISPLAY | WECB User | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_TU | WECB Service User | Web Channel Builder service user. This user is for technical users of WECB. The user is maintained in destinations used by WECB.
SAP ERP | SAP_ERP_WEC_WCB_TU | WECB Service User | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_PROD_VIEWS | WECB User for Product Views | Web Channel Builder user with authorization to create product views. This user can access and use all functionality on the Product Views tab page. If you would like certain users to be able to display product views without being able to modify them, you need to create a copy of this user and restrict its activity level.
SAP ERP | SAP_ERP_WEC_WCB_PROD_VIEWS | WECB User for Product Views | As above, for SAP ERP
SAP CRM | SAP_CRM_WEC_WCB_TU_PROD_VIEWS | WECB Service User for Product Views | Web Channel Builder service user for product views. These roles are assigned to the technical users that are used for the destinations in Web Channel Builder.
SAP ERP | SAP_ERP_WEC_WCB_TU_PROD_VIEWS | WECB Service User for Product Views | As above, for SAP ERP
Additional Information Regarding User Roles for Product Views
When you create a product view, you specify the back-end destination that it uses. This allows you to
create product views for back ends other than the back-end system used by the Web Channel
application. In mixed scenarios like this, you create the WECB Service User for Product Views on the back-end system that is used by the product view. If the product view is created for SAP CRM, you
assign the role SAP_CRM_WEC_WCB_TU_PROD_VIEWS to the user, and if the product view is created for SAP
ERP, you assign the role SAP_ERP_WEC_TU_PROD_VIEWS to the user. If the Web Channel application and
the product view use the same back end, you can assign the service user roles for both the WECB Service
User and the WECB Service User for Product Views to the same service user.
Figure 13: Product Views
For more information about product views, see SAP Library for SAP Web Channel Experience
Management on SAP Help Portal at http://help.sap.com/wec. Choose a release and then Application
Help. In SAP Library, choose Configuration → Configuring Web Channel Applications (Web Channel Builder)
→ Product Views.
Example User Roles for Web Channel Applications
As of Web Channel 3.0, example user roles are available that are based on external services and their
authorization proposals. There is one technical role and one Internet user role for each back-end system.
Example Internet User Roles
System | Role
SAP CRM | SAP_CRM_WEC_WU_ALL
SAP ERP | SAP_ERP_WEC_WU_ALL

Example Service User Roles
System | Role
SAP CRM | SAP_CRM_WEC_TU_ALL
SAP ERP | SAP_ERP_WEC_TU_ALL
These user roles are examples that support Web Channel applications based on delivered templates. If
you plan to create Web Channel applications without using templates, we recommend that you
perform authorization traces and that you create and maintain your own user roles.
The example user roles contain the WEC_MODULE or ERP_WEC_MODULE external services in their menus.
You u