Security GuideDocument version: 1.1 – 2016-08-10
SAP® Extended Warehouse Management 9.4 Security GuideUsing SAP SCM 7.0 including SAP enhancement package 4, SAP ERP 6.0 including SAP enhancement package 8, or SAP NetWeaver® 7.5
CUSTOMER
© Copyright 2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express written permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
Typographic Conventions
Table 1: Typographic Conventions
Example | Description
<Example> | Angle brackets indicate that you replace these words or characters with appropriate entries to make entries in the system, for example, "Enter your <User Name>".
Example > Example | Arrows separating the parts of a navigation path, for example, menu options
Example | Emphasized words or expressions
Example | Words or characters that you enter in the system exactly as they appear in the documentation
www.sap.com | Textual cross-references to an internet address
/example | Quicklinks added to the internet address of a homepage to enable quick access to specific content on the Web
123456 | Hyperlink to an SAP Note, for example, SAP Note 123456
Example | ● Words or characters quoted from the screen. These include field labels, screen titles, pushbutton labels, menu names, and menu options.
● Cross-references to other documentation or published works
Example | ● Output on the screen following a user action, for example, messages
● Source code or syntax quoted directly from a program
● File and directory names and their paths, names of variables and parameters, and names of installation, upgrade, and database tools
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE
EXAMPLE | Keys on the keyboard
Document History
Caution: Before you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: service.sap.com under SAP Business Suite Applications > SAP SCM > SAP Extended Warehouse Management > SAP Extended Warehouse Management 9.4 > Security Guide.
The following table provides an overview of the most important document changes.
Table 2
Version Date Description
1.1 2016-08-10 Deletion of Personal Data chapter updated for SAP EWM 9.4 SP01
1.0 2016-05-12 Initial version of the Security Guide for SAP EWM 9.4
Content
1 Introduction [page 7]
2 Before You Start [page 10]
3 Technical System Landscape [page 16]
4 Security Aspects of Data Flow and Processes [page 17]
5 User Administration and Authentication [page 23]
5.1 User Management [page 23]
5.2 User Data Synchronization [page 28]
5.3 Integration Into Single Sign-On Environments [page 28]
6 Authorizations [page 30]
6.1 Authorization Objects [page 33]
6.2 Maintaining Authorizations [page 34]
6.3 Maintaining Authorizations for Integration with SAP Components [page 34]
6.4 Maintaining Authorizations for Enterprise Services [page 37]
7 Session Security Protection [page 38]
8 Network and Communication Security [page 39]
8.1 Communication Channel Security [page 40]
8.2 Unified Connectivity [page 43]
8.3 Network Security [page 43]
8.4 Communication Destinations [page 44]
9 Internet Communication Framework Security [page 48]
10 Application-Specific Virus Scan Profile (ABAP) [page 49]
11 Data Storage Security [page 50]
12 Data Protection [page 54]
12.1 Deletion of Personal Data [page 55]
12.2 Read Access Logging [page 60]
13 Security for Additional Applications [page 62]
14 Enterprise Services Security [page 63]
15 Other Security-Relevant Information [page 64]
15.1 User Frontend [page 64]
15.2 Data Protection and Privacy [page 65]
16 Security-Relevant Logging and Tracing [page 66]
17 Services for Security Lifecycle Management [page 69]
18 Appendix [page 71]
1 Introduction
Caution: This guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
● Technology consultants
● Security consultants
● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or reductions in processing time. These demands on security apply likewise to the SAP Extended Warehouse Management (SAP EWM) component. To assist you in securing your SAP EWM component, we provide this SAP EWM Component Security Guide.
Recommendation: We strongly recommend that you also consult the SAP NetWeaver Security Guide.
About This Document
This Security Guide provides an overview of the security-relevant information that applies to the SAP EWM 9.4 component.
Applications in SAP EWM 9.4
SAP EWM 9.4 contains multiple applications that can be used independently of each other. For example, SAP Dock Appointment Scheduling is technically part of the SAP EWM 9.4 installation, but it can be used independently of other SAP EWM applications as a standalone application. If you are using SAP Dock Appointment Scheduling only, without any integration to SAP EWM, some parts of the guide are not relevant.
The following list describes the levels of relevance of this guide:
● Several sections of this guide describe steps that are independent of the applications or business processes used, and you must always implement these steps. For example, securing an SAP NetWeaver system. This is true for most parts of this document. These sections are not marked.
● Other sections of this guide describe topics that are relevant for both SAP EWM in general and Dock Appointment Scheduling. These sections are not marked. Here if the term SAP EWM is used, it means the SAP EWM 9.4 system installation, including Dock Appointment Scheduling.
● Some sections of this guide are only necessary depending on which processes or applications of SAP EWM 9.4 you are using. These sections can be either specific to Dock Appointment Scheduling or for specific SAP EWM processes. These sections are marked as relevant for Dock Appointment Scheduling or SAP EWM applications. In these sections only, you can omit the steps that are specifically for SAP EWM applications or Dock Appointment Scheduling.
This guide uses the following keys to identify the applications:
○ Relevant only if you are using Dock Appointment Scheduling
○ Not relevant for Dock Appointment Scheduling
The guide also differentiates between standalone Dock Appointment Scheduling and Dock Appointment Scheduling integrated with SAP EWM.
○ SAP EWM: SAP EWM-only processes
○ All: Applies to both Dock Appointment Scheduling and SAP EWM
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You Start
This section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System Landscape
This section provides an overview of the technical components and communication paths that are used by the SAP EWM component.
● Security Aspects of Data Flow and Processes
This section provides an overview of the security aspects involved throughout the most widely-used processes within the SAP EWM component.
● User Administration and Authentication
This section provides an overview of the following user administration and authentication aspects:
○ Recommended tools to use for user management.
○ User types that are required by the SAP EWM component.
○ Standard users that are delivered with the SAP EWM component.
○ Overview of the user synchronization strategy, if several components or products are involved
○ Overview of how integration with Single Sign-On environments is possible.
● Authorizations
This section provides an overview of the authorization concept that applies to the SAP EWM component.
● Session Security Protection
This section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookies.
● Network and Communication Security
This section provides an overview of the communication paths used by the SAP EWM component, and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
● Internet Communication Framework Security
This section provides an overview of the Internet Communication Framework (ICF) services that are used by the SAP EWM component.
● Application-Specific Virus Scan Profile (ABAP)
This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.
● Data Storage Security
This section provides an overview of any critical data that is used by the SAP EWM component and the security mechanisms that apply.
● Data Protection
This section provides information about how the SAP EWM component protects personal or sensitive data.
● Security for Third-Party or Additional Applications
This section provides security information that applies to third-party or additional applications that are used with the SAP EWM component.
● Dispensable Functions with Impacts on Security
This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.
● Enterprise Services Security
This section provides an overview of the security aspects that apply to the enterprise services delivered with SAP EWM.
● Other Security-Relevant Information
This section contains information about:
○ Web browser as a user frontend
○ RF device as user frontend
○ Data protection and privacy
● Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain security-relevant information. If a security breach occurs, you can reproduce activities, for example.
● Services for Security Lifecycle Management
This section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.
● Appendix
This section provides references to further information.
2 Before You Start
Fundamental Security Guides and Documentation
SAP EWM 9.4 is based on SAP NetWeaver. With respect to SAP Fiori and SAPUI5 apps, SAP NetWeaver Gateway plays a fundamental role. This means that the corresponding Security Guides are also applicable for SAP EWM. For a complete list of the available SAP Security Guides, see SAP Service Marketplace at service.sap.com/securityguide.
This Component Security Guide often provides references to other documentation. You can find this security-relevant documentation for the SAP Extended Warehouse Management (SAP EWM) component as follows:
Table 3: Fundamental Security Guides and Documentation
Guide/Documentation | Path to the Guide/Documentation
SAP NetWeaver Security Guides | help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide
SAP NetWeaver Application Help | help.sap.com/nw > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Application Help > Function-Oriented View
SAP EWM Master Guide | service.sap.com/instguides > SAP Business Suite Applications > SAP EWM > Using SAP EWM 9.4 > Master Guide. The SAP EWM component is built on further components and uses further components. Therefore, the corresponding Security Guides also apply to SAP EWM. The Master Guide contains more information regarding the components necessary for business scenarios and processes.
SAP Library for SAP Extended Warehouse Management (SAP EWM) | help.sap.com/ewm > SAP Extended Warehouse Management 9.4 > Application Help > SAP Library. In SAP Library, choose SAP Extended Warehouse Management (SAP EWM).
Related Security Guides
The following table provides an overview of all related security guides for this component. For the Security Guides mentioned, see SAP Help Portal at help.sap.com/netweaver > SAP NetWeaver Platform > SAP NetWeaver 7.5 > Security Information > Security Guide.
Table 4: Related Security Guides for SAP NetWeaver Products
Product: Operating System and Database Platforms
See: Security Guides for the Operating System and Database Platforms
Application Relevance: All

Product: SAP NetWeaver Application Server
See:
● Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server:
○ Security Guides for AS ABAP > SAP NetWeaver Application Server for ABAP Security Guide
○ Security Guides for AS Java > SAP NetWeaver Application Server for Java Security Guide
○ Security Aspects for AS Infrastructure Functional Units > Security Settings for the SAP Message Server
○ Security Guides for Business Services > SAP Interactive Forms by Adobe Security Guide
○ Security Guides for Business Services > SAP Knowledge Warehouse Security Guide
○ Security Aspects for AS Infrastructure Functional Units > AS ABAP with Integrated ITS
● Security Guides for SAP NetWeaver Functional Units > Security Guides for Composition Environment > Composite Application Framework Security Guide
● Security Aspects for Lifecycle Management > Virus Protection and SAP GUI Integrity Checks
Application Relevance: All

Product: EP Core (EPC) and Enterprise Portal (EP)
See: Security Guides for SAP NetWeaver Functional Units > Security Guides for Enterprise Portal (EP) and EP Core - Application Portal (EPC)
Application Relevance: All

Product: SAP Business Warehouse (SAP BW)
See: Security Guides for SAP NetWeaver Functional Units > Security Guide SAP BW
Application Relevance: All

Product: SAP NetWeaver Development Infrastructure (NWDI)
See: Security Aspects for Lifecycle Management > Security of the SAP NetWeaver Development Infrastructure
Application Relevance: All

Product: SAP NetWeaver Mobile
See: Security Guides for SAP NetWeaver Functional Units > Security Guide for SAP NetWeaver Mobile
Application Relevance: All

Product: SAP NetWeaver Process Integration (SAP NetWeaver PI)
See: Security Guides for SAP NetWeaver Functional Units > SAP Process Integration Security Guide
Application Relevance: Relevant only if integration with SAP Transportation Management is carried out based on SAP NetWeaver PI

Product: Security Guides for Standalone Engines, Clients, and Tools
See:
● Security Guides for SAP NetWeaver Functional Units > Search and Classification (TREX) Security Guide
● Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for Business Services > SAP Content Server Security Guide (Introduction and subsequent chapters)
● Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Aspects for AS Infrastructure Functional Units > Security Information for SAP Web Dispatcher
Application Relevance: All

Product: Connectivity and Interoperability
See: Security Guides for Connectivity and Interoperability Technologies, for example:
● RFC/ICF Security Guide
● Security Guide for Connectivity with the AS Java
● Security Aspects for Web Services
Application Relevance: All

Product: Lifecycle Management
See: Security Aspects for Lifecycle Management, for example:
● System Landscape Directory Security Guide
● Auditing and Logging
Application Relevance: All

Product: SAP NetWeaver Gateway
See: SAP NetWeaver Gateway on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver 7.5 > SAP NetWeaver Library: Function-Oriented View > SAP Gateway Foundation (SAP_GWFND) > SAP Gateway Foundation Security Guide
Application Relevance: Relevant if you are using SAP Fiori or SAPUI5 or other components that make use of SAP Gateway. This is, for example, the case for SAP Fiori delivery apps, Labor Demand Planning, or the Carrier user interface using SAPUI5 for Dock Appointment Scheduling.

Product: Web Dynpro ABAP Security Guide
See: Security Guides for SAP NetWeaver Functional Units > Security Guides for the Application Server > Security Guides for AS ABAP > Security Guide for Web Dynpro ABAP
Application Relevance: Relevant only if you are using Web Dynpro user interfaces, for example, Dock Appointment Scheduling or the Shipping Cockpit. This is especially important if you plan to use Dock Appointment Scheduling and the Collaborative Scenarios.

Product: SAP Fiori Security Information
See: help.sap.com/fiori_implementation > Security information > With SAP NetWeaver 7.5
Application Relevance: Relevant if you are using SAP Fiori apps in SAP EWM.
Important SAP Notes
The most important SAP Notes that apply to the security of the SAP EWM component are shown in the following table:
Table 5: Important SAP Notes
SAP Note Number | Title | Comment
25591 | Password change for DBM and DBA users | The SAP R/3 user password is to be changed.
30724 | Data Protection and Security in SAP Systems | None
110600 | SAP Security Library (SAPSECULIB) | None
128447 | Trusted/Trusting Systems | Needed for Customizing of trusted/trusting system RFC connections.
138498 | Single Sign-On Solutions | Information about Single Sign-On solutions for SAP systems
389220 | Problems with Pasting the Certificate Request Reply | None
447543 | APO: Authorizations too Comprehensive/Not User-Specific | None
510007 | Setting Up SSL on the Web Application Server ABAP | None
616555 | LiveCache >= 7.4: Password Change | The passwords of the standard liveCache user, the database system administrator, and the DBM user should be changed in the liveCache environment.
637052 | Missing Authorization Object for Database Views | None
662340 | SSF Encryption Using the SAPCryptolib | The SAP Cryptographic Library has to be used for encrypting data in the SAP system.
683528 | Security Note: SAP MaxDB | This note provides information about the secure operation of SAP DB/MaxDB and liveCache.
727839 | Authorization Role for the SAP SCM – SAP R/3 Integration | None
792366 | Subsequently Implementing a Security Level for Documents | Knowledge Provider: what needs to be taken into account if an application of the Knowledge Provider (KPro) decides to change the security level for documents for one or more of its PHIO classes.
1517416 | Collective security note for SAP EWM | This note contains additional security-relevant information and notes for SAP EWM.
1515223 | SAP NetWeaver Process Integration: Release Recommendation | This note sets out our recommendation on which release of SAP NetWeaver PI you should use.
1536783 | SAP Security Recommendations – Protecting Java- and ABAP-Based SAP Applications Against Common Attacks | This note provides information on where to find the white paper SAP Security Recommendations: Protecting Java- and ABAP-Based SAP Applications Against Common Attacks (December 2010).
900000 | NetWeaver Business Client – FAQ | None
Recommendation: For a list of additional security-relevant SAP Hot News and SAP Notes, see SAP Service Marketplace at:
● service.sap.com/securitynotes
● service.sap.com/security > SAP Security Notes
Additional Information
For more information about specific topics, see the Quick Links as shown in the table below.
Table 6: Quick Links to Additional Information
Content | Quick Link on SAP Service Marketplace or SDN
Security | scn.sap.com/community/security
Security Guides | service.sap.com/securityguide
Related SAP Notes | service.sap.com/notes
Released Platforms | service.sap.com/pam
Network Security | service.sap.com/securityguide
SAP Solution Manager | service.sap.com/solutionmanager
SAP NetWeaver | scn.sap.com/community/netweaver
SAP EWM | scn.sap.com/community/extended-warehouse-management
3 Technical System Landscape
For more information about the technical system landscape, see the resources listed in the following table:
Table 7: More Information About the Technical System Landscape
Topic | Guide or Tool | Quick Link to SAP Service Marketplace or SDN
Technical System Landscape | SAP Extended Warehouse Management (SAP EWM) Master Guide | service.sap.com/instguides > SAP Business Suite Applications > SAP EWM > Using SAP EWM 9.4 > Master Guide
Technical System Landscape & Installation | SAP SCM Installation Guides | ● scn.sap.com/docs/DOC-8140 ● service.sap.com/instguides > SAP Business Suite Applications > SAP SCM > SAP SCM Server > Using SAP enhancement package 3 for SCM Server 7.0 > Installation Guides > Installation Guides for SAP EHP 3 for SAP SCM 7.0
Security | Security Guide | service.sap.com/securityguides
4 Security Aspects of Data Flow and Processes
SAP Extended Warehouse Management (SAP EWM) can be installed, distributed, and used in multiple different scenarios. For more information, see Technical System Landscape [page 16]. The following table describes some typical processes and communication channels, along with appropriate security measures:
Table 8
Process: SAP EWM receives data from SAP ERP (such as deliveries and master data) and sends data to SAP ERP (such as confirmations and stock updates). This is typically done using standard qRFC/RFC technology.
Security Measure: Ensure appropriate user authorizations. For more information, see Communication Channel Security [page 40].
Application Relevance: Not relevant for standalone Dock Appointment Scheduling

Process: Mobile devices can be connected using HTTP/ITS mobile (it is also possible to use the SAP console). This is done based on the Internet Communication Framework (ICF) service for RFUI.
Security Measure: For more information, see Internet Communication Framework Security [page 48].
Application Relevance: Not relevant for standalone Dock Appointment Scheduling

Process: For certain scenarios, such as connecting automated physical processes (for example, conveyor systems) via SAP Plant Connectivity, RFCs are used. Depending on the scenario, IDocs may also be used (for example, when warehouse control units are used).
Security Measure: For more information, see the SAP NetWeaver Security Guide for SAP NetWeaver 7.5 under Network and Communication Security > Transport Layer Security.
Application Relevance: Not relevant for standalone Dock Appointment Scheduling

Process: SAP EWM offers the possibility to upload and download data. In many of these transactions it is possible to choose either the local file system (PC) or files on the application server.
Security Measure: Ensure that only a few people can access these transactions, and that access to the application server file system is restricted. You should design logical paths and file names to restrict the access. For more information, see Data Storage Security [page 50].
Application Relevance: Not relevant for standalone Dock Appointment Scheduling

Process: SAP EWM offers a collaborative scenario for Dock Appointment Scheduling. This enables appointment planners for carriers to access the system using SAP NetWeaver Gateway or Web Dynpro ABAP technology, for example, from outside the company network.
Security Measure: In this scenario, users outside of the company or firewall may access the system. For such scenarios, special attention must be paid to assigning authorizations to these users, and to the system setup and how the access from outside the company is granted. For more information, see Collaborative Scenario using Dock Appointment Scheduling in Network and Communication Security [page 39].
Application Relevance: Relevant only if you are using Dock Appointment Scheduling

Process: SAP EWM offers a scenario for Labor Demand Planning. This enables users to access the SAP EWM system from a mobile device.
Security Measure: In this scenario, users can access the system from mobile devices using SAP NetWeaver Gateway. For more information, see Labor Demand Planning in Network and Communication Security [page 39].
Application Relevance: Relevant only if you are using Labor Demand Planning from a mobile device

Process: SAP EWM offers a scenario for direct integration with SAP Transportation Management (SAP TM).
Security Measure: In this scenario, SAP EWM receives inbound messages from SAP TM and can send outbound messages to SAP TM. The communication is performed using enterprise services.
Application Relevance: Relevant only if you are using a direct integration with SAP TM

Process: SAP EWM offers a scenario for Warehouse Billing where there is an integration with the SAP TM system.
Security Measure: In this scenario, SAP EWM can extract billing-relevant information from SAP TM and send order and settlement information back to SAP TM. The communication is performed using enterprise services or Web services.
Application Relevance: Relevant only if you are using Warehouse Billing with SAP TM

Process: SAP EWM Fiori apps, for example, for deliveries or returns processing.
Security Measure: In this scenario, SAP Fiori accesses SAP EWM using SAP NetWeaver Gateway. For more information, see SAP Library for SAP Fiori on SAP Help Portal at help.sap.com/fiori. In particular, see the SAP Fiori implementation information as well as the security and installation information.
Application Relevance: Relevant only if you are using SAP Fiori apps with SAP EWM
SAP EWM DAS Carrier Collaboration Scenario Using SAP NW Gateway and SAPUI5
The following diagram and table explain in detail some collaborative processes for Dock Appointment Scheduling within SAP EWM 9.4. Since the application can be accessed from the internet, the security risks are higher. The data flows, along with some possible security measures to be taken into consideration, are shown in the diagram. These scenarios show the Dock Appointment Scheduling application for external carriers. The diagram also shows how you can access the application using Web Dynpro and SAP NW Gateway.
Figure 1: DAS Carrier UI Using SAP NW Gateway
Table 9

Step 1
Description: A user uses the internet to specify the URL to the SAP EWM Carrier user interface (UI).
Security Measure: You need to create a user. We recommend that authentication is done using certificates that need to be exchanged with the external user beforehand. This avoids authentication by the user with a user name and password. The authorization of the user depends on a separate Gateway system, or Gateway system and SAP EWM system used together.

Step 2
Description: Port for HTTPS communication needs to be open so that the request is not blocked by a firewall.
Security Measure: Firewall needs to be maintained accordingly.

Step 3
Description: URL filter checks if this URL is maintained in a white list. The request is not forwarded if the URL is not in the white list.
Security Measure: SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Carrier UI5, the Gateway Services for the DAS Carrier UI, and for supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not authorized. For more information, see SAP Library for SAP NetWeaver 7.5 on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver → SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Infrastructure → SAP Web Dispatcher → Administration of the SAP Web Dispatcher → SAP Web Dispatcher as a URL Filter.

Step 4
Description: ICF node for DAS Carrier UI5 accessed and checked for activity.
Security Measure: ICF nodes for DAS Carrier UI5 (supporting services and gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/ui5_ui5/scwu/ui_das_carrier (can also be activated by activating the Gateway service /SCWM/DAS_CARRIER_ACCESS_SRV)
● /sap/opu/odata/ui2/page_builder_pers (can also be activated by activating the Gateway service /UI2/PAGE_BUILDER_PERS)

Step 5
Description: SAP EWM is accessed.
Security Measure: Authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 1322944.

Step 6
Description: Gateway requests data from the SAP EWM system.
Security Measure: Trusted RFC is sent to SAP EWM to get the relevant data. This describes a landscape where a separate NW Gateway system is used independent of SAP EWM. Further landscape and installation options are available; for these, see the NW Gateway documentation.

Step 7
Description: Result is displayed in the browser of the user.
Security Measure: -
Recommendation: To access the SAP EWM system externally, we recommend that you define a system alias in the Web Dispatcher. The Web Dispatcher redirects the request to the correct hostname and port, so that an external user can use a hyperlink containing the alias to access the system.
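The following Python model is an added illustration of steps 2 and 3 above; it is not code from this guide or from SAP. It shows what a deny-by-default URL filter in front of the DAS Carrier UI does: an ordered rule list in which the first matching rule decides, with P = permit, S = permit only over HTTPS and D = deny. That rule syntax and the first-match behaviour imitate the idea of the SAP Web Dispatcher permission table but are an assumption of this model, so check the SAP Web Dispatcher documentation for the real file format. The two ICF paths are the ones named in step 4; the host name and the request URLs are constructed sample input.

```python
"""Deny-by-default URL allow list in front of the DAS Carrier UI (added model).

Added example, not SAP code. Rule syntax (P/S/D, first match wins) is an
assumption of this model, not the documented SAP Web Dispatcher format.
"""
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Only the DAS Carrier UI5 app and its supporting page-builder service are
# reachable; the final "D *" makes every other ICF service invisible from outside.
PERMISSION_TABLE = """
# action  path pattern
S /sap/bc/ui5_ui5/scwu/ui_das_carrier/*
S /sap/opu/odata/ui2/page_builder_pers/*
D *
"""


def parse_permission_table(text):
    """Turn the rule text into an ordered list of (action, pattern) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        if action not in ("P", "S", "D"):
            raise ValueError(f"unknown action in rule {raw!r}")
        rules.append((action, pattern))
    return rules


def canonical_path(url):
    """Percent-decode and collapse dot segments before matching, so a request is
    judged by the path it really points to, not by how it is spelled."""
    return normpath(unquote(urlsplit(url).path)) or "/"


def pattern_matches(pattern, path):
    """'*' matches everything; 'prefix/*' matches the prefix and anything below it."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def decide(rules, url):
    """Return 'permit' or 'deny' for one request URL; first matching rule wins."""
    scheme = urlsplit(url).scheme.lower()
    path = canonical_path(url)
    for action, pattern in rules:
        if pattern_matches(pattern, path):
            if action == "P":
                return "permit"
            if action == "S":
                return "permit" if scheme == "https" else "deny"
            return "deny"
    return "deny"  # nothing matched: still deny by default


RULES = parse_permission_table(PERMISSION_TABLE)

# Constructed sample requests (the host name is a placeholder).
SAMPLE_REQUESTS = [
    "https://ewm.example.invalid/sap/bc/ui5_ui5/scwu/ui_das_carrier/index.html",
    "http://ewm.example.invalid/sap/bc/ui5_ui5/scwu/ui_das_carrier/index.html",
    "https://ewm.example.invalid/sap/opu/odata/ui2/page_builder_pers/$metadata",
    "https://ewm.example.invalid/sap/bc/some_internal_service",
    "https://ewm.example.invalid/sap/bc/ui5_ui5/scwu/ui_das_carrier/%2e%2e/%2e%2e/other",
]


def audit(rules=RULES, urls=SAMPLE_REQUESTS):
    """Map each sample URL to the filter decision."""
    return {url: decide(rules, url) for url in urls}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:6} {url}")
```

The second sample request is rejected only because it arrives over plain HTTP, which is the point of step 2; the fourth and fifth are rejected by the closing deny-all rule, which is what keeps internal ICF services unreachable from the internet as step 3 requires.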
SAP EWM Carrier Access Using DAS Web Dynpro-UIs
Recommendation: Access by a carrier using Web Dynpro UIs is also possible since SAP EWM 9.1, but we strongly recommend that you use the carrier access using SAP NW Gateway and SAPUI5 instead.
Figure 2: Carrier Access Using DAS Web Dynpro User Interfaces
DAS Web Dynpro UIs are accessed from outside the firewall. In this scenario only the Web Dynpro UIs are considered for the role of an external carrier planner (PFCG role /SCWM/DAS_EXT_CARR_PLANNER).
Table 10

Step 1
Description: User from the Internet calls the URL to the SAP EWM DAS Web Dynpro UIs.
Security Measure: User needs to be created. We recommend that authentication is done using certificates, which need to be exchanged with the external user beforehand so that the Internet user cannot log on to the portal by entering a user name and password.

Step 2
Description: Port for HTTPS communication needs to be open so that the request is not blocked by a firewall.
Security Measure: Firewall needs to be maintained accordingly.

Step 3
Description: URL filter checks if this URL is maintained in a white list. If the URL is not in the white list, the request is not forwarded.
Security Measure: SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Web Dynpro UI and for supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not authorized. For more information, see SAP Library for SAP NetWeaver 7.5 on SAP Help Portal at help.sap.com/nw. In SAP Library, choose SAP NetWeaver → SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Infrastructure → SAP Web Dispatcher → Administration of the SAP Web Dispatcher → SAP Web Dispatcher as a URL Filter.

Step 4
Description: ICF node for DAS Web Dynpro accessed and checked for activity.
Security Measure: ICF nodes for DAS Web Dynpro (supporting services and gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/webdynpro/scwm/DSAPP_LIST
● /sap/bc/webdynpro/scwm/DSAPP_MAINT

Step 5
Description: SAP EWM is accessed.
Security Measure: Authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 1322944.

Step 6
Description: Gateway requests data from the SAP EWM system.
Security Measure: Trusted RFC is sent to SAP EWM to get the relevant data. This describes a landscape where a separate NW Gateway system is used independent of SAP EWM. Further landscape and installation options are available; for these, see the NW Gateway documentation.

Step 7
Description: Result is displayed in the browser of the user.
Security Measure: -
5 User Administration and Authentication
SAP Extended Warehouse Management (SAP EWM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide [SAP Library] also apply to the SAP EWM component. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide.
In addition to these guidelines, we include information about user administration and authentication that specifically applies to the SAP EWM component in the following topics:
● User Management [external document]
This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with the SAP EWM component.
● User Data Synchronization [external document]
The SAP EWM component shares user data with SAP NetWeaver 7.5. This topic describes how the user data is synchronized with these other sources.
● Integration Into Single Sign-On Environments [external document]
This topic describes how the SAP EWM component supports Single Sign-On mechanisms.
5.1 User Management
User management for SAP Extended Warehouse Management (SAP EWM) uses the mechanisms provided with the SAP NetWeaver Application Server, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to the SAP EWM component, see the sections below. In addition, we provide a list of the standard users required for operating the SAP EWM component.
Note: For an overview of the information necessary for securing operations with SAP NetWeaver Identity Management, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management.
User Administration Tools
The following table shows the tools needed for user management and user administration with the SAP EWM component:
Table 11: User Management Tools

Tool: User Management for the ABAP Engine (transaction SU01)
Detailed Description: Use the user management transaction SU01 to maintain users in ABAP-based systems.

Tool: Profile Generator (transaction PFCG)
Detailed Description: Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.

Tool: Central User Administration (CUA)
Detailed Description: Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.

Tool: User Management Engine (UME) administration console
Detailed Description: Use the Web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP NetWeaver Application Server Java and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.

Tool: SAP NetWeaver Application Server Java user management using the Visual Administrator
Detailed Description: Use the Visual Administrator to maintain users and roles on the SAP NetWeaver Application Server Java. SAP NetWeaver Application Server Java also supports a pluggable user store concept. The UME is the default user store.
Note: For a detailed description of the user management tools available in SAP NetWeaver, see the SAP NetWeaver Security Guide under User Administration and Authentication → User Management, in the section User Management Tools.
User Types
It is necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but the users under whom background processing jobs run do not.
The user types that are required for SAP EWM include the following:
● Individual users
○ Dialog users are used for business users who are assigned to roles that allow them to work individually on their dedicated tasks in your SAP EWM 9.4 system.
○ Internet users are used for external users who are allowed to access your SAP EWM 9.4 system from the Internet. If your scenario contains the collaborative scenario for appointment planners for carriers, employees of the carrier can log on via the Internet.
● Technical users
○ Service users are used for technical purposes, such as service administrators, and are usually available to a larger, anonymous group of users.
○ Communication users are used for dialog-free communication for external RFC calls, for example, for the communication between your SAP EWM 9.4 system and an SAP ERP system and also, for communication between two SAP systems using SAP NetWeaver Gateway.
● Background users are used for running background jobs and executing reports.
For more information about these user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Management → User Types.
The users required for SAP EWM include the following:
Table 12: Users

System: SAP EWM 9.4
User: <sapsid>adm
Delivered?: Yes
Type: SAP System Administrator, Dialog User
Default Password: To be entered
Detailed Description: SAP EWM System Administrator
Application Relevance: All

System: SAP SCM 7.0 Server including SAP enhancement package 3
User: <sapsid>adm
Delivered?: Yes
Type: SAP System Administrator, Dialog User
Default Password: To be entered
Detailed Description: See service.sap.com/instguides → SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP enhancement package 3 for SAP SCM Server 7.0 → Installation Guides → Installation Guides for SAP EHP3 for SAP SCM 7.0 → Generic Installation Guides.
Application Relevance: All, if SAP EWM is installed on top of an SCM Server system

System: SAP NetWeaver AS
User: SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Delivered?: Yes
Type: See SAP NetWeaver Security Guide
Default Password: See SAP NetWeaver Security Guide
Detailed Description: See the Protecting Special Users section in help.sap.com under Technology → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Security Guide → Security Guides for the AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Management.
Application Relevance: -

System: SAP NetWeaver AS
User: SAP Standard Java Users (Administrator, Guest, Emergency)
Delivered?: Yes
Type: See SAP NetWeaver 7.5 Security Guide
Default Password: See SAP NetWeaver 7.5 Security Guide
Detailed Description: See the Standard Users and Standard User Groups section in help.sap.com under Technology → SAP NetWeaver Platform → SAP NetWeaver 7.5 → Security Guide → Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS Java → SAP NetWeaver Application Server Java Security Guide → User Administration and Authentication → User Administration and Standard Users.
Application Relevance: -

System: SAP NetWeaver AS Java
User: SAPJSF
Delivered?: Yes
Type: Communication user
Default Password: To be entered
Detailed Description: See service.sap.com/instguides → SAP Business Suite Applications → SAP SCM → SAP SCM Server → Using SAP enhancement package 3 for SAP SCM Server 7.0 → Installation Guides → Installation Guides for SAP EHP3 for SAP SCM 7.0 → Generic Installation Guides.
Application Relevance: All

System: SAP EWM 9.4
User: RFC communication users (you need an RFC communication user for each RFC destination described in section Communication Destinations [external document])
Delivered?: No
Type: Communication user
Detailed Description: The authorizations of the user depend on the business case. For more information, see Authorizations [external document] in this Security Guide, and SAP Library for Extended Warehouse Management (SAP EWM) 9.4: Communication Destinations [external document] and Authorizations [external document].
Application Relevance: Not relevant for standalone Dock Appointment Scheduling

System: SAP EWM 9.4
User: Business processing users (you need a user in each component for each employee working with the system)
Delivered?: No
Type: Dialog user
Default Password: To be entered
Detailed Description: SAP EWM 9.4 documentation and Authorizations [external document]
Application Relevance: All

System: SAP EWM 9.4
User: Users for employees of a carrier who takes part in the collaborative scenario for Dock Appointment Scheduling
Delivered?: No
Type: Internet user and Communication user (if a separate system with SAP NetWeaver Gateway is used)
Default Password: To be entered
Detailed Description: Documentation for SAP EWM 9.4 under Authorizations [external document]
Application Relevance: Relevant only if you are using Dock Appointment Scheduling

System: SAP EWM 9.4
User: User for Labor Demand Planning used from a mobile device
Delivered?: No
Type: Communication user
Default Password: To be entered
Detailed Description: Used for access from a mobile device in Labor Demand Planning. The user is used for the connection from SAP NetWeaver Gateway to SAP EWM.
Application Relevance: Relevant only if you are using mobile devices in Labor Demand Planning
Note: For more information about user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → Network Security for SAP NetWeaver AS ABAP.
For more information about SAP NetWeaver standard users, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → User Administration and Authentication → User Management, in the section Protecting Standard Users.
For more information about SAP NetWeaver password rules, see SAP Library for SAP NetWeaver under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User and Role Administration of Application Server ABAP → Configuration of User and Role Administration → First Installation Procedure → Logon and Password Security in the ABAP System → Password Rules.
Recommendation: We recommend changing the user IDs and passwords for users that are automatically created during installation.
5.2 User Data Synchronization
To save administrative effort, you can synchronize user data in your system landscape. Since the SAP Extended Warehouse Management (SAP EWM) component is based on SAP NetWeaver 7.5, all the mechanisms for user data synchronization of SAP NetWeaver 7.5 are available for SAP EWM.
Note: For information about user data synchronization in SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → Identity Management for System Landscapes.
5.3 Integration Into Single Sign-On Environments
The SAP Extended Warehouse Management (SAP EWM) component supports the single sign-on (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guides also apply to the SAP EWM component.
Note:
● For more information about integration into single sign-on environments based on SAP NetWeaver, see the SAP NetWeaver Security Guide under User Administration and Authentication → User Authentication and Single Sign-On, in the Integration section.
● For more information about authentication on the SAP NetWeaver Application Server ABAP, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guide for AS ABAP → SAP NetWeaver Application Server for ABAP Security Guide → User Administration and Authentication.
● For information on SAP Fiori and single sign-on, see SAP Library for SAP Fiori on SAP Help Portal at help.sap.com/fiori_implementation. In SAP Library, choose Security Information → With SAP NetWeaver 7.5.
The following mechanisms are supported:
● Secure Network Communications (SNC)
SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.
For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security → Secure Network Communications (SNC).
● SAP logon tickets
The SAP EWM component supports the use of logon tickets for SSO when using a web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication → User Authentication and Single Sign-On.
● Client certificates
As an alternative to user authentication by means of a user ID and passwords, users using a web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the Web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication → User Authentication and Single Sign-On, in the Client Certificates section.
Recommendation: If you use any of the following, we recommend that you use client certificates instead of authentication with user name and password:
● The collaborative scenario for Dock Appointment Scheduling, with carriers and users who have access to your system from the Internet
● The mobile application for Labor Demand Planning
This prevents Internet users from trying to log on with another user’s user name.
6 Authorizations
The authorization concept of the SAP Extended Warehouse Management (SAP EWM) component is based on the authorization concept of SAP NetWeaver. This concept protects transactions and programs in SAP systems from unauthorized access. Based on the authorization concept, the administrator assigns authorizations to the users that determine which actions users can execute in the SAP system after they have logged on to the system and authenticated themselves.
To access business objects or execute SAP transactions, a user requires corresponding authorizations, since business objects or transactions are protected by authorization objects. The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. The authorizations are combined in an authorization profile that is associated with a role. The user administrators then assign the corresponding roles using the user master record, so that users can use the appropriate transactions for their tasks.
Note: For information about the authorization concept of SAP NetWeaver, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/nw. In SAP Library, choose Function-Oriented View → Security → Identity Management:
● User and Role Administration of Application Server ABAP → ABAP Authorization Concept
● User Management of SAP NetWeaver AS for Java → Authorization Concept of SAP NetWeaver AS for Java
Recommendation: We recommend that you use the role maintenance functions and the Profile Generator (transaction code PFCG) to maintain your roles, authorizations, and profiles. The role maintenance functions support you in performing your task by automating various processes and allowing you more flexibility in your authorization plan. You can also use the central user administration functions to maintain your own new roles or those provided by SAP centrally, and to assign the roles to any number of users.
The roles you assign to your users define the user menu that is displayed after the users have logged on to the SAP system. Roles also contain the authorizations to allow users to access the transactions, reports, Web-based applications, and so on, that are contained in the menu.
For information about role maintenance and the Profile Generator, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User and Role Administration of Application Server ABAP → AS ABAP Authorization Concept → Organizing Authorization Administration, in the section Organization if You Are Using the Role Administration Tool.
Recommendation: To avoid authorizations being misused, we recommend that users are assigned only the minimal authorizations that they require for their work. Never assign full authorizations.
It is very important that RFC users are assigned only minimal authorizations.
For an overview of the role administration and more information about how a delivered standard role can be used and adjusted to your own needs, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User and Role Administration of Application Server ABAP → Configuration of User and Role Administration → Role Administration. See Role Administration Functions and, for example, Changing Standard Roles or Creating Derived Roles and Copying Authorizations.
With the component SAP EWM, SAP delivers SAP standard roles to cover the most-used business cases. These roles can be used as examples, or as a copy master for your own roles.
You can find the SAP standard roles in the Profile Generator (transaction code PFCG) using input help. You can use search terms to restrict the selection to the required standard roles.
You can find the application-relevant roles using the following search terms:
● The search term */SCWM* lists all SAP EWM-relevant SAP standard roles.
The role short text helps you find the role covering your business needs. The documentation of the role provides you with a detailed description of the role content.
● The search term */SCWM/*DAS* lists all roles that are relevant for Dock Appointment Scheduling.
● The search term */SCWU* lists all roles that are relevant for the UI components using SAP NetWeaver Gateway. This is currently the role /SCWU/DAS_CARRIER_ACCESS which is for the UI5 carrier user interface of Dock Appointment Scheduling.
Alternatively, you can use the transaction SUIM to find the PFCG roles for EWM. In transaction SUIM, choose Roles → Roles by Complex Selection Criteria. Then enter the above-mentioned search criteria (for example */SCWM*) in the Role field.
Role and Authorization Concept for SAP EWM
Read-Only Access for Auditors
Note: This is not relevant for standalone Dock Appointment Scheduling.
SAP EWM provides a role for read-only access for all data. For an audit, the auditor needs to be able to read all data. However, the auditor must not be allowed to change any data. This can be achieved by assigning the /SCWM/INFORMATION role to a user.
Standard Roles
For information about roles in SAP EWM, see the SAP EWM documentation under Roles for Extended Warehouse Management (EWM).
For information about users and roles in SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP and User Management of the Application Server Java.
Critical Roles and Authorization Combinations
Expert Role
SAP EWM provides the expert role EWM: Warehouse Expert (/SCWM/EXPERT). This role contains almost all transactions and authorizations for SAP EWM and the corresponding customizing. Therefore, we recommend that you assign this role very carefully and only to very specific users, and that you do not assign this role to normal users or users who work in specific SAP EWM areas only.
Appointment Planner for Carrier
Note: This role is relevant only if you are using Dock Appointment Scheduling.
SAP Dock Appointment Scheduling offers a collaboration scenario where appointment planners for carriers can log on to the SAP Dock Appointment Scheduling system, and view and maintain appointments for their carrier.
Since this potentially means that employees of a different company access SAP Dock Appointment Scheduling from outside the company network, you must put a special focus on authorizations.
This kind of user should have very limited authorizations. As well as this, they should be able to access data of their own carrier only, and not be able to access other carriers’ data. They should not be able to see internal data, like overall capacities of loading points. Therefore you must be very careful and restrictive when assigning roles and authorizations to this kind of user.
SAP Dock Appointment Scheduling delivers special roles for this: Appointment Planner for Carrier in Dock Appointment Scheduling (/SCWM/DAS_EXT_CARR_PLANNER).
This role contains only one Web Dynpro screen in the menu, Maintain Appointments – Textual (/SCWM/DSAPP_LIST). This screen allows the appointment planners for carriers to view and create appointments. The Web Dynpro application Direct Access to Appointment – Textual (/SCWM/DSAPP_MAINT) is also available, but it is not visible in the user menu, as it is started indirectly from the Maintain Appointments – Textual screen.
The role also contains a very limited number of authorization objects.
Recommendation: We highly recommend that you define, in the roles, the loading points for which a user may view or create appointments. You can do this in the authorization field Loading Point (/SCWM/DSLP) in the authorization objects Loading Appointment (/SCWM/DSAP) and Slot (/SCWM/DSSL).
If the carrier accesses the scenario using SAP NW Gateway and SAPUI5 rather than the Web Dynpro UIs, remove the Web Dynpro applications from your copy of /SCWM/DAS_EXT_CARR_PLANNER (remember the rule that only minimal authorizations should be granted). In this scenario, the role /SCWU/DAS_CARRIER_ACCESS additionally has to be used in the gateway system.
In addition, the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS) is very important. It is available on the authorization objects Loading Appointment and Slot. For appointment planners for carriers, set this field to Scope for an Appointment Planner for Carrier. This ensures that this user can create and view appointments only for the carrier that is assigned to him or her. Otherwise such a user could create appointments for any carrier.
For more information, see the SAP Dock Appointment Scheduling documentation at help.sap.com/ewm92 → Application Help → SAP Library. In SAP Library, choose SAP Extended Warehouse Management (SAP EWM) → SAP Dock Appointment Scheduling → Collaboration with Carriers.
Warehouse Management Monitor: Authorization to Display Batch Execution Data
In the warehouse management monitor (/SCWM/MON), you can execute selections using batch jobs. You can view the results in the warehouse management monitor. During the selection, the system performs the normal authorization checks and selects and stores only data for which the user has authorization in the data containers for the warehouse management monitor. But if these data containers are then displayed by other users, the system does not perform these authorization checks. Therefore, you should only grant the authorization to display batch execution data for monitor nodes or users where these checks are not critical.
The authorization object used for the authorization to display batch execution data in the warehouse management monitor is /SCWM/DATC. For more information about this authorization object, see the documentation of authorization object /SCWM/DATC and the documentation of the warehouse management monitor in SAP Library for SAP EWM under SAP Extended Warehouse Management (SAP EWM) → Monitoring → Warehouse Management Monitor.
6.1 Authorization Objects
A set of authorization objects is available in SAP Extended Warehouse Management (SAP EWM).
Authorization objects enable you to define complex authorizations by grouping up to 10 authorization fields in an AND relationship to check whether a user is allowed to perform a certain action. To pass an authorization test for an object, the user must satisfy the authorization check for each field in the object.
Note: For information about the authorization concept of SAP NetWeaver, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User and Role Administration of Application Server ABAP → AS ABAP Authorization Concept.
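The following Python model is an added example (not code from this guide or from SAP) that ties the AND relationship described above to the Appointment Planner for Carrier recommendations in the previous section. It models an authorization check the way the guide describes it: a user passes a check on an authorization object only if one single authorization carries a matching value for every requested field, and it shows why the fields Loading Point (/SCWM/DSLP) and User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS) of Loading Appointment (/SCWM/DSAP) and Slot (/SCWM/DSSL) must be restricted in a carrier planner role. Object and field names are taken from the guide; the scope values "CARR" and "INT", the loading points LP01 and LP02 and the role contents are constructed placeholders for this model (the real value keys are in the authorization object documentation), and ACTVT 01 = create, 03 = display are the standard SAP activity values.

```python
"""Model of the ABAP authorization check for the DAS carrier planner role.

Added example, not SAP code. Object/field names come from the guide; the
role contents, loading points and the scope values "CARR"/"INT" are
constructed placeholders for this model.
"""


def field_matches(allowed, value):
    """'*' is the full-authorization wildcard; anything else must match exactly."""
    return "*" in allowed or value in allowed


def authority_check(role, obj, required):
    """Return True if one authorization for obj satisfies every requested field.

    Fields are ANDed within a single authorization; values from different
    authorizations of the same object are never combined.
    """
    for auth in role.get(obj, []):
        if all(field_matches(auth.get(field, set()), value)
               for field, value in required.items()):
            return True
    return False


def wildcard_fields(role, objects=("/SCWM/DSAP", "/SCWM/DSSL")):
    """Least-privilege review: (object, field) pairs granted with '*'."""
    findings = set()
    for obj in objects:
        for auth in role.get(obj, []):
            for field, allowed in auth.items():
                if "*" in allowed:
                    findings.add((obj, field))
    return sorted(findings)


# Restricted copy of /SCWM/DAS_EXT_CARR_PLANNER as the guide recommends:
# one loading point, carrier scope only, create/display appointments, display slots.
CARRIER_PLANNER = {
    "/SCWM/DSAP": [
        {"ACTVT": {"01", "03"}, "/SCWM/DSLP": {"LP01"}, "/SCWM/DSPS": {"CARR"}},
    ],
    "/SCWM/DSSL": [
        {"ACTVT": {"03"}, "/SCWM/DSLP": {"LP01"}, "/SCWM/DSPS": {"CARR"}},
    ],
}

# Two authorizations that may look like "create at LP01 and LP02" but are not:
# create is granted only for LP02, display only for LP01.
SPLIT_PLANNER = {
    "/SCWM/DSAP": [
        {"ACTVT": {"03"}, "/SCWM/DSLP": {"LP01"}, "/SCWM/DSPS": {"CARR"}},
        {"ACTVT": {"01"}, "/SCWM/DSLP": {"LP02"}, "/SCWM/DSPS": {"CARR"}},
    ],
}

# What the guide warns against: an unrestricted copy handed to an external user.
OVERBROAD_PLANNER = {
    "/SCWM/DSAP": [{"ACTVT": {"*"}, "/SCWM/DSLP": {"*"}, "/SCWM/DSPS": {"*"}}],
    "/SCWM/DSSL": [{"ACTVT": {"*"}, "/SCWM/DSLP": {"*"}, "/SCWM/DSPS": {"*"}}],
}

# Constructed checks as the application would issue them.
CREATE_AT_LP01 = {"ACTVT": "01", "/SCWM/DSLP": "LP01", "/SCWM/DSPS": "CARR"}
CREATE_AT_LP02 = {"ACTVT": "01", "/SCWM/DSLP": "LP02", "/SCWM/DSPS": "CARR"}
INTERNAL_VIEW_LP01 = {"ACTVT": "03", "/SCWM/DSLP": "LP01", "/SCWM/DSPS": "INT"}


if __name__ == "__main__":
    print("carrier planner, create at LP01:",
          authority_check(CARRIER_PLANNER, "/SCWM/DSAP", CREATE_AT_LP01))
    print("carrier planner, create at LP02:",
          authority_check(CARRIER_PLANNER, "/SCWM/DSAP", CREATE_AT_LP02))
    print("carrier planner, internal scope view:",
          authority_check(CARRIER_PLANNER, "/SCWM/DSAP", INTERNAL_VIEW_LP01))
    print("split planner, create at LP01:",
          authority_check(SPLIT_PLANNER, "/SCWM/DSAP", CREATE_AT_LP01))
    print("wildcards in overbroad role:", wildcard_fields(OVERBROAD_PLANNER))
```

The SPLIT_PLANNER case is the one worth remembering when building derived roles: because every field must match inside the same authorization, adding a second authorization with different field values does not widen the first one, and conversely a single authorization with "*" in /SCWM/DSLP or /SCWM/DSPS grants every loading point and every scope at once, which is what wildcard_fields is meant to catch before such a role reaches an Internet user.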
Procedure
To gain an overview of the authorization objects for SAP EWM, proceed as follows:
1. Call the transaction for displaying active authorization objects (AUTH_DISPLAY_OBJECTS).
2. In the overview, expand the Authorizations Extended Warehouse Management subtree.
If you want to display the technical names of the authorization objects, choose Edit → Technical names → Technical names on.
3. If you want to get a detailed description, choose the Information pushbutton next to the authorization object you are interested in.
Note
If you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding the authorization objects for SAP Dock Appointment Scheduling, and especially the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS). See Critical Roles and Authorization Combinations in Network and Communication Security [page 39].
Some special basis authorization objects are as follows:
Table 13
Authorization Object | Field | Value | Description
S_RFC | ACTVT, RFC_NAME, RFC_TYPE | (16) Execute | For example, to enable display of queue contents.
S_RFCACL | RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT | (16) Execute | Authorization check for RFC users, especially for trusted systems. This is required for Gateway Services, for example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling.
S_SERVICE | SRV_NAME, SRV_TYPE | <Value1>, <Value2> | This authorization object is automatically checked when external services are started. This is required for Gateway Services used by SAP EWM, for example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling.
6.2 Maintaining Authorizations
Using the SAP Extended Warehouse Management (SAP EWM) component, you can assign users to various standard user roles. For more information about Roles for Extended Warehouse Management (EWM), see SAP Library for SAP Extended Warehouse Management (SAP EWM) 9.4 on SAP Help Portal at help.sap.com.
If you want to display the authorization objects in SAP EWM, on the SAP Easy Access screen, choose Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects.
For more information, see the SAP Library for SAP Extended Warehouse Management (SAP EWM) 9.4 on SAP Help Portal at help.sap.com → General Functions → Authorizations.
Note
If you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding roles for SAP Dock Appointment Scheduling. See Critical Roles and Authorization Combinations in Network and Communication Security [page 39].
6.3 Maintaining Authorizations for Integration with SAP Components
Procedure
Maintaining Authorizations for SAP Extended Warehouse Management (SAP EWM) – SAP ERP Integration
Note
This is not relevant for standalone Dock Appointment Scheduling.
Using Standard Roles for SAP EWM – SAP ERP Integration
For the integration of SAP EWM and SAP ERP, use the authorization roles for the RFC destination users.
Note
For more information about these roles, see the SAP EWM documentation under Roles for Extended Warehouse Management (EWM).
For the integration from an ERP to an EWM system, for example, the role /SCWM/ERP_EWM_INTEGRATION exists.
For the integration from EWM to an ERP system, the corresponding RFC users also require the proper authorizations. For more information, see SAP Note 727839.
In some cases, for example, for migration functions like transaction /SCWM/MIG_PRODUCT, the RFC-enabled function module RFC_READ_TABLE is called on the ERP side from EWM. For such scenarios, the corresponding RFC user requires this authorization. To avoid misuse, you should restrict the tables that can be accessed to a minimum. You can use the authorization objects S_TABU_NAM or S_TABU_DIS for this purpose. For more information about which applications require which table accesses, see SAP Note 1539105.
If you grant the usage of RFC function RFC_READ_TABLE to an RFC user, it is very important that you restrict the tables that can be accessed to a minimum to avoid misuse.
Maintaining Authorizations for Data Transfer to SAP NetWeaver Business Warehouse
Note
This is not relevant for standalone Dock Appointment Scheduling.
Limiting Authorizations for Extraction
Note
You can exclude DataSources from the extraction to the SAP NetWeaver Business Warehouse (SAP NetWeaver BW). Data that is stored in the extraction structure of this DataSource cannot be transferred to SAP NetWeaver BW.
1. In Customizing for SAP EWM, choose Integration with Other SAP Components → Data Transfer to Business Warehouse → General Settings → Limit Authorizations for Extraction.
2. Choose New Entries.
3. Choose a DataSource that you want to exclude from the extraction.
4. Choose the SAP NetWeaver BW system for which you want no more data for this DataSource to be extracted.
5. In the Ex. Extr. field, enter whether or not you want to exclude the DataSource from the extraction.
6. Save your entries.
7. Specify a transport request.
Maintaining Authorizations for Data Transfer between SAP EWM Shipping and Receiving (S&R) and SAP Dock Appointment Scheduling
Note
This is not relevant for standalone Dock Appointment Scheduling.
SAP Dock Appointment Scheduling and S&R are two independent components. But it is also possible to integrate the components, for example, so that the system communicates appointment status changes in SAP Dock Appointment Scheduling to S&R and appointment status changes in S&R to SAP Dock Appointment Scheduling. For more information, see the SAP EWM documentation under SAP Dock Appointment Scheduling → Integration with SAP EWM.
For integration between SAP Dock Appointment Scheduling and S&R, the system uses queued Remote Function Call (qRFC) technology.
Using Standard Roles for SAP Dock Appointment Scheduling to SAP EWM Integration
For the integration from SAP Dock Appointment Scheduling to S&R, the technical role /SCWM/DAS_TO_EWM_INTEGRATION is available. It contains the necessary authorizations to update the relevant S&R objects. The role does not contain any menu entries or transactions, as it is only a technical role for Remote Function Call (RFC) communication. You must assign this role to the SAP Dock Appointment Scheduling user or to the RFC user, depending on whether the integration is done via RFC communication.
Authorizations and Roles for SAP DAS Collaborative Carrier Scenario
Dock Appointment Scheduling offers the feature Collaboration with Carriers using multiple UI technologies, each with different deployment and security options. See SAP Note 2065193, which contains recommendations for the different options and lists the respective prerequisites.
Maintaining RFC Authorizations for Internal Communication in SAP EWM
For RFC communication, users usually require the authorizations for authorization object S_RFC. As RFCs are potential security risks, you should be very restrictive in granting them.
In certain cases, SAP EWM also uses RFCs for internal purposes, for example for parallel processing or for asynchronous communication. For these purposes, no RFC authorizations have to be granted as these calls are within the SAP EWM system.
SAP EWM also uses specific RFC-enabled function modules, which are used to extract content from queued RFCs (qRFC). For example, these function modules are used to extract the warehouse number or delivery number from qRFCs.
These function modules do not perform data changes in SAP EWM and also do not return data to a caller. They are required for delivery processing and for displaying message queue entries in the warehouse management monitor.
The function modules are in the following special function groups:
● /SCWM/CORE_MQ_REPLAY Message Queue Moni: Replay Functions
● /SCWM/CORE_RF_MQ_REPLAY Replay Function Modules for RF
● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries
● /SCWM/ERP_MQ_REPLAY Replay Function Modules - ERP Interface
● /SCWM/SR_MQ_REPLAY Replay Function Modules - S&R
● /SCWM/VAS_MQ_REPLAY Replay Function Modules for VAS
● /SCWM/WC_SERVICE_MQ_REPLAY Replay Function Modules for Workcenter
● /SCWM/WAVE_MGMT_MQ_REPLAY Replay Function Modules for Wave
If you use the message queue monitor node in the warehouse management monitor, you must add these function groups to authorization S_RFC. Use the activity Execute (16) and the Function Group (FUGR) type of RFC object.
For delivery and warehouse task processing, for example, confirming and creating warehouse tasks, you must add the following function group to authorization S_RFC:
● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries
These authorizations are already in the standard roles in SAP EWM, so they are only relevant if you create your own roles.
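As an added illustration, not part of this guide or of SAP's code, the following Python model shows how the authorization checks described in 6.1 (fields combined with AND, several authorizations for one object with OR) behave for the S_RFC and S_TABU_NAM restrictions discussed in this section. It compares a constructed role limited to the MQ_REPLAY function groups listed above and to named tables against a constructed role using the generic value *; the matching semantics (trailing * as the only wildcard, inclusive ranges) are a simplification assumed for the example, and the table names and the group ZUNRELATED_FUGR are placeholders.

```python
"""Simplified model of SAP authorization object evaluation (constructed example).

Assumptions of the model, not a statement about the exact SAP kernel logic:
  - several authorizations for the same object are combined with OR;
  - within one authorization every requested field must match (AND);
  - an allowed entry is an exact value, an inclusive range given as a tuple
    (low, high), or a pattern whose only wildcard is a trailing '*'.
"""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization instance for one object (roughly one PFCG authorization)."""
    obj: str
    fields: dict[str, list]  # field name -> allowed values / ranges / patterns


def value_matches(allowed, value: str) -> bool:
    """Match a requested value against one allowed entry."""
    if isinstance(allowed, tuple):            # inclusive range (low, high)
        low, high = allowed
        return low <= value <= high
    if allowed == "*":                        # full generic value
        return True
    if allowed.endswith("*"):                 # generic prefix such as /SCWM/*
        return value.startswith(allowed[:-1])
    return allowed == value


def authority_check(auths: list[Authorization], obj: str, **wanted: str) -> bool:
    """Model of AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ID f2 FIELD v2 ...

    Passes if at least one authorization for `obj` has a matching entry for
    every requested field; fields not present in the authorization never match.
    """
    for auth in (a for a in auths if a.obj == obj):
        if all(
            any(value_matches(entry, value) for entry in auth.fields.get(fld, []))
            for fld, value in wanted.items()
        ):
            return True
    return False


# Function groups named in the guide for the message queue monitor node.
MQ_REPLAY_GROUPS = [
    "/SCWM/CORE_MQ_REPLAY", "/SCWM/CORE_RF_MQ_REPLAY", "/SCWM/DELIVERY_MQ_REPLAY",
    "/SCWM/ERP_MQ_REPLAY", "/SCWM/SR_MQ_REPLAY", "/SCWM/VAS_MQ_REPLAY",
    "/SCWM/WC_SERVICE_MQ_REPLAY", "/SCWM/WAVE_MGMT_MQ_REPLAY",
]

# Constructed restricted role: S_RFC only for those function groups (type FUGR,
# activity 16), S_TABU_NAM display (03) only for two placeholder table names.
RESTRICTED_ROLE = [
    Authorization("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": MQ_REPLAY_GROUPS, "ACTVT": ["16"]}),
    Authorization("S_TABU_NAM", {"TABLE": ["ZEXAMPLE_TAB1", "ZEXAMPLE_TAB2"], "ACTVT": ["03"]}),
]

# Constructed over-broad role: the generic value the guide warns against.
BROAD_ROLE = [
    Authorization("S_RFC", {"RFC_TYPE": ["FUGR", "FUNC"], "RFC_NAME": ["*"], "ACTVT": ["16"]}),
    Authorization("S_TABU_NAM", {"TABLE": ["*"], "ACTVT": ["03"]}),
]


def can_call_function_group(role: list[Authorization], group: str) -> bool:
    """S_RFC check for executing an RFC-enabled module of the given function group."""
    return authority_check(role, "S_RFC", RFC_TYPE="FUGR", RFC_NAME=group, ACTVT="16")


def can_use_mq_monitor(role: list[Authorization]) -> bool:
    """Message queue monitor node: every replay function group must be callable."""
    return all(can_call_function_group(role, grp) for grp in MQ_REPLAY_GROUPS)


def rfc_read_table_allowed(role: list[Authorization], table: str) -> bool:
    """Display access a caller of RFC_READ_TABLE needs under S_TABU_NAM (model)."""
    return authority_check(role, "S_TABU_NAM", TABLE=table, ACTVT="03")


def review_role(role: list[Authorization]) -> dict:
    """Summarize what a role grants, as a least-privilege review would."""
    return {
        "mq_monitor": can_use_mq_monitor(role),
        "unrelated_fugr": can_call_function_group(role, "ZUNRELATED_FUGR"),
        "read_example_table": rfc_read_table_allowed(role, "ZEXAMPLE_TAB1"),
        "read_any_table": rfc_read_table_allowed(role, "ZOTHER_TAB"),
    }


if __name__ == "__main__":
    for name, role in (("restricted", RESTRICTED_ROLE), ("broad", BROAD_ROLE)):
        print(name, review_role(role))
```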
6.4 Maintaining Authorizations for Enterprise Services
Accessing SAP functions via web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.
Enterprise services use standard authorization objects that are available for SAP Extended Warehouse Management (SAP EWM), including authorization default values for web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).
For more information about authorizations for web services, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies → Security Aspects for Web Services → Authorizations.
7 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the clients using transaction SICF_SESSIONS. For more information, a list of the relevant profile parameters, and detailed instructions, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → User Authentication and Single Sign-On → Authentication Infrastructure → AS ABAP Authentication Infrastructure → Activating HTTP Security Session Management on AS ABAP.
8 Network and Communication Security
Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for the SAP Extended Warehouse Management (SAP EWM) component is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the SAP EWM component. Details that specifically apply to the SAP EWM component are described in the following topics:
● Communication Channel Security [page 40]
This topic describes the communication paths and protocols used by the SAP EWM.
● Network Security [page 43]
This topic describes the recommended network topology for the SAP EWM component. It shows the appropriate network segments for the various client and server components and where to use firewalls for access protection. It also includes a list of the ports needed to operate the SAP EWM component.
● Communication Destinations [page 44]
This topic describes the information needed for the various communication paths, for example, which users are used for which communications.
For more information, see the SAP NetWeaver Security Guide under the following sections:
● Network and Communication Security
● Security Aspects for Connectivity and Interoperability Technologies
Web Dynpro User Interfaces
In EWM, Web Dynpro UI technology is used in several applications, for example, Advanced Production Supply, Dock Appointment Scheduling, or Shipping Cockpit. The proposed usage is that these UIs are used within the company’s firewall.
For more information, see the NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → Web Dynpro ABAP Security Guide.
Collaborative Scenario using SAP Dock Appointment Scheduling
Note
This is relevant only if you are using Dock Appointment Scheduling.
In a collaborative scenario, users from other companies, such as carriers, can access data from SAP Dock Appointment Scheduling. For example, carriers can create or view loading appointments. For this, such users require access to the Dock Appointment Scheduling system from outside the company’s network.
If you use such a scenario, you must pay special attention to the network setup and to the zones or topology, for example, whether firewalls, demilitarized zones, and ports should be used, and which ones.
The application is built using an HTML5 UI. The system uses OData as the communication channel between the backend and the SAPUI5 frontend. The corresponding OData service is /SCWM/DAS_CARRIER_ACCESS_SRV. It also uses the general service /UI2/PAGE_BUILDER_PERS.
You can find information about relevant roles and authorization for this collaborative scenario in chapter Maintaining Authorizations for Integration with SAP Components.
For more information on how to secure a scenario with SAP NetWeaver Gateway, and the relevant authorizations and roles needed for using SAP NetWeaver Gateway, see the SAP NetWeaver Gateway Security Guide on SAP Help Portal at help.sap.com/nw → SAP NetWeaver 7.5 → SAP NetWeaver Library: Function-Oriented View → SAP NetWeaver Gateway Foundation (SAP_GWFND) → SAP NetWeaver Gateway Foundation Security Guide.
Mobile Access to Labor Demand Planning
Labor Demand Planning offers the possibility to access data from a mobile device. The proposed usage is that these mobile applications are used within the company’s firewall.
SAP Note 1894045 contains additional information about how these applications can be set up.
The application is built using an HTML5 UI. The system uses OData as the communication channel between the backend and the SAPUI5 frontend. The corresponding OData service is /SCWM/LM_LABOR_DEMAND_PLANNING. It also uses the general service /UI2/PAGE_BUILDER_PERS.
For more information on how to secure a scenario with SAP NetWeaver Gateway, and the relevant authorizations and roles needed for using SAP NetWeaver Gateway, see the SAP NetWeaver Gateway Security Guide on SAP Help Portal at help.sap.com/nw → SAP NetWeaver 7.5 → SAP NetWeaver Library: Function-Oriented View → SAP NetWeaver Gateway Foundation (SAP_GWFND) → SAP NetWeaver Gateway Foundation Security Guide.
If you are using the application outside of the company’s firewall, which is not the proposed usage, you should ensure that minimal authorizations are used for accessing the SAP NetWeaver Gateway and the SAP EWM system. Also, in such a case, you should consider the technical system landscape and setup proposals in the SAP NetWeaver Gateway Security Guide.
8.1 Communication Channel Security
Since communication channels transfer all kinds of your business data, they should be protected against unauthorized access. SAP offers general recommendations and technologies to protect your system landscape, based on SAP NetWeaver.
Caution
You should activate Secure Network Communication (SNC) within all communication channels in SAP EWM to achieve a secure system landscape. For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security → Secure Network Communications (SNC).
For a detailed description of all communication channels within the SAP EWM component, see SAP Service Marketplace at service.sap.com/scm → SAP SCM in Detail → Technology → Architecture Overview.
Note
For more information about the communication security of SAP NetWeaver, see the SAP NetWeaver Security Guide under Network and Communication Security.
For more information about security aspects for connectivity and interoperability of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies.
The following table shows the communication channels used by SAP EWM, the protocol used for each connection, and the type of data transferred.
Table 14
Communication Channel | Protocol Used | Type of Data Transferred | Application Relevance
Front-end client that uses SAP GUI for Windows for the application server | DIAG | All application and customizing data | All
SAP ERP | RFC and IDOC | Master data and transaction data | Not relevant for standalone Dock Appointment Scheduling
SAP SCM | RFC | ATP data | Not relevant for standalone Dock Appointment Scheduling
SAP SCM | RFC | Master data | Not relevant for standalone Dock Appointment Scheduling
SAP GTS | RFC | GTS-relevant data | Not relevant for standalone Dock Appointment Scheduling
SAP NetWeaver BW | RFC | Data sources | Not relevant for standalone Dock Appointment Scheduling
SAP CRM | RFC and IDOC | Billing data, business partners | Not relevant for standalone Dock Appointment Scheduling
Warehouse Control Units or PLCs | RFC, IDOC (depending on whether or not SAP Plant Connectivity is used) | Transaction data | Not relevant for standalone Dock Appointment Scheduling
Legacy systems | RFC, IDOC, HTTP, File | Depends on legacy scenario | All
SAP Plant Connectivity | RFC | Application data | Not relevant for standalone Dock Appointment Scheduling
Front-end client using a web browser or SAP NetWeaver Business Client | HTTP/HTTPS | All application and customizing data | All
SAP NetWeaver Gateway (in case a dedicated Gateway system is used) | RFC | Depends on scenario/configuration | Depends on scenario
SAP Transportation Management | WebService / RFC | Application data | Not relevant for standalone Dock Appointment Scheduling
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see the SAP NetWeaver Security Guide under Network and Communication Security → Transport Layer Security.
Note that many of the entries depend on the configuration and how SAP EWM is used. For example, usage of SAP GTS, SAP NetWeaver BW, legacy systems, and further components is optional and depends on how the system is used. Also, if parts of underlying components (SAP SCM Basis, SAP NetWeaver) are used they may also offer further communication channels.
For more detailed information about external messages that can be sent to and from SAP EWM, see the appendix of the EWM Application Operations Guide at service.sap.com/instguides → SAP Business Suite Applications → SAP SCM → SAP EWM → Using SAP EWM 9.4 → Application Operations Guide for SAP EWM 9.4.
Core Interface (CIF) – SAP ERP
Note
This is not relevant for Dock Appointment Scheduling.
The integration of SAP EWM and SAP ERP is technically based on CIF. Since CIF is technically based on the RFC provided by SAP NetWeaver, we strongly recommend that you consult the SAP NetWeaver Security Guide regarding communication channel security.
You should at least enable Secure Network Communication (SNC) while configuring the RFC destination for your SAP EWM – SAP ERP integration.
Note
For more information about the integration of SAP EWM and SAP ERP, see SAP Help Portal at help.sap.com/scm → SAP SCM Server → SAP Enhancement Package 3 for SAP SCM 7.0 → Application Help → SAP Library. In SAP Library, choose SAP Advanced Planning and Optimization (SAP APO) → Integration via Core Interface (CIF) → Technical Integration.
8.2 Unified Connectivity
If your SAP EWM system can be accessed remotely using Remote Function Calls (RFCs), you can significantly increase protection by using the Unified Connectivity (UCON) administration framework.
Generally, external access to the function modules using RFCs is controlled by special authorization checks and the corresponding roles with purpose-specific assignments to users. UCON also provides a simple but comprehensive way of controlling which remote function modules (RFMs) can be called by other systems: an RFM can only be called externally if it is assigned to a Communication Assembly (CA).
External access is blocked for all RFMs not assigned to a CA. In this way, it is possible to control and restrict external access to RFMs independently from the user context.
For more information, see SAP Library for SAP NetWeaver on SAP Help Portal at help.sap.com/nw. In SAP Library, choose Function-Oriented View → Application Server → Application Server Infrastructure → Functions and Tools of SAP NetWeaver Application Server → Connectivity → Components of SAP Communication Technology → Unified Connectivity.
8.3 Network Security
Your network infrastructure is important in protecting your system. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping.
We offer general recommendations to protect your system landscape, based on SAP NetWeaver.
Recommendation
For information about network security for SAP NetWeaver, see the SAP NetWeaver Security Guide under Network and Communication Security.
A minimum security demand for your network infrastructure is the use of a firewall for all your services provided over the Internet.
A more secure variant is to protect your systems (or groups of systems) by locating the different groups in different network segments, each protected with a firewall against unauthorized access. External security attacks can also come from inside, if the intruder has already taken over control of one of your systems.
Note
For more information about the technical components of your SAP Extended Warehouse Management (SAP EWM) component, see SAP Service Marketplace at service.sap.com/scm → SAP SCM in Detail → Technology.
For more information about access control using firewalls, see the SAP NetWeaver Security Guide under Network and Communication Security → Using Firewall Systems for Access Control.
Ports
SAP EWM runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → Network Security for SAP NetWeaver AS ABAP → AS ABAP Ports.
For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also the document TCP/IP Ports Used by SAP Applications, which can be found using the Search field on SAP Developer Network at sdn.sap.com/irj/sdn/security.
8.4 Communication Destinations
Caution
If not implemented and used with care, users and authorizations for connection destinations can cause serious security flaws.
Follow these rules for connection users and authorizations:
● Choose user type: <system>
● Assign only the minimum required authorizations to the user.
● Choose a secure and secret password for the user.
● Store only connection user logon data for users of type system.
● Choose trusted system functionality whenever possible, rather than storing connection user logon data.
Note
This is not relevant for standalone Dock Appointment Scheduling.
This is not relevant if the system does not use communication to external systems.
The following table shows an overview of the communication destinations used by the SAP Extended Warehouse Management (SAP EWM) component:
Connection Destinations
Table 15
Destination | Delivered | Type | User, Authorizations | Description
<EWM name>CLNT<client> | No | RFC – ERP | Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839. | For more information, see Customizing for SCM Basis under Integration → Basic Settings for Creating the System Landscape → Assign RFC Destinations to Various Application Cases.
EWM to SAP R/3 or SAP ERP | No | RFC – ERP (qRFC) | Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839. | For more information, see Customizing for Extended Warehouse Management under Interfaces → ERP Integration → General Settings → Control for RFC Queue and Customizing for SCM Basis under Integration → Basic Settings for Creating the System Landscape → Assign RFC Destinations to Various Application Cases.
EWM to SAP APO (APO instance) | No | RFC – ERP | Use the Profile Generator (transaction PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839. | For more information, see Customizing for Extended Warehouse Management under Goods Receipt Process → Slotting → General Settings → Change Information for APO Instances.
EWM to third-party geocoding application | No | RFC | None | For more information, see Customizing for SAP NetWeaver under General Settings → Set Geocoding or SAP Library for SAP EWM on SAP Help Portal at help.sap.com/ewm. In SAP Library choose SCM Basis → SCM Basis Master Data → Location.
EWM to non-SAP systems | No | RFC – ERP | None | For more information, see Customizing for Extended Warehouse Management under Interfaces → Non-SAP Systems → Connect Subsystem.
EWM to SAP GTS | No | RFC | None | For more information, see Customizing for Extended Warehouse Management under Interfaces → GTS Integration → Basic Settings of GTS Integration.
EWM to SAP NetWeaver Business Warehouse (SAP NetWeaver BW) | No | RFC – ERP | None | For more information, see Customizing for SAP ERP under Integration with Other SAP Components → Data Transfer to Business Warehouse and Customizing for Extended Warehouse Management under Interfaces → SAP Business Information Warehouse.
EWM to SAP Plant Connectivity | No | RFC | None | This function is only available if you implement the sample implementation in BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT). For more information, see Customizing for Extended Warehouse Management under Business Add-Ins (BAdIs) for Extended Warehouse Management → Master Data → Work Center → Adjust User Interface for Work Center → BAdI: Determination of HU Weight Using Scale.
SAP EWM to SAP TM | No | WebService/RFC | None | For more information, see SAP Service Marketplace at service.sap.com/scm → SAP SCM in Detail → Warehousing → Information on Extended Warehouse Management in SAP SCM → Solution Manager Content.
Note
For more information about communication destinations of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies.
9 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For SAP EWM the following main services are available:
● /sap/bc/gui/sap/its/scwm/rfui
○ This service can be used, for example, to allow warehouse workers to use transaction /SCWM/RFUI from mobile applications. The service can be accessed from the SAP console or by using ITS mobile. For more information, see the SAP EWM documentation under Radio Frequency Framework → Work Processing Using Radio Frequency → Resource Management Using Radio Frequency.
● /sap/bc/webdynpro/scwm/
○ This path contains various Web Dynpro UIs for SAP EWM as well as for Dock Appointment Scheduling.
● /sap/bc/ui5_ui5/scwu/
○ This path contains SAPUI5 user interfaces which are, for example, used for LDP (labor demand planning) or the Collaborative Carrier Scenario for Dock Appointment Scheduling.
● /sap/opu/odata/scwm/
○ This path contains OData Gateway services which are, for example, used for LDP (labor demand planning) or the Collaborative Carrier Scenario for Dock Appointment Scheduling.
● /sap/opu/odata/ui2
○ Contains services which are partly used by SAP EWM. For example, PAGE_BUILDER_PERS is used for LDP and DAS Carrier Collaboration.
● /sap/bc/srt/xip/scwm
○ Contains services which are used for XI communication.
● /sap/bc/srt/rfc/scwm
○ Contains services which are used for RFC communication. For example, RFID_AII_EWM, which is used to exchange RFID information with SAP Auto-ID Infrastructure (SAP AII).
Use transaction SICF to activate these services.
If your firewalls use URL filtering, also note the URLs used for the service and adjust your firewall settings accordingly.
For more information, see the SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server Infrastructure → Connectivity → Components of SAP Communication Technology → Communication Between ABAP and Non-ABAP Technologies → Internet Communication Framework → Development → Server-Side Development → Creating and Configuring ICF Services → Activating and Deactivating ICF Services.
For more information about ICF security, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies → RFC/ICF Security Guide.
10 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and the file types that are checked or blocked, you can use virus scan profiles. Different applications rely on default profiles or application-specific profiles.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles.
For more information, see SAP Library for SAP NetWeaver 7.5 at help.sap.com//nw. In SAP Library, choose SAP NetWeaver → SAP NetWeaver Library: Function-Oriented View → Security → Security Developer Documentation → Secure Programming → Secure Programming – Java → Secure Programming → SAP Virus Scan Interface and see SAP Note 1693981 (Unauthorized modification of displayed content).
The SAP Extended Warehouse Management (SAP EWM) component also uses the virus scan interface, for example, during file upload to the SAP EWM system.
11 Data Storage Security
The data storage security of SAP NetWeaver and components installed on that database is described in detail in the SAP NetWeaver Security Guide.
Note: For more information about the data storage security of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for the Operating System and Database Platforms.
In general, all business data of the SAP EWM component is stored in the system database. If SAP liveCache is used, some business data is also stored there. This business data is protected by the authorization concept of SAP NetWeaver and SAP EWM.
In some special cases, business-relevant data is stored elsewhere (for example, in a file system).
Using Logical Path and Filenames to Protect Access to the File System
Note: This is not relevant for standalone Dock Appointment Scheduling.
The SAP EWM component may save data in files in the file system and may read data from the file system. Therefore, it is important to explicitly grant access to the corresponding files in the file system without allowing access to other directories or files (an attack on this is known as directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime, and if access is requested to a directory that does not match a stored mapping, an error occurs.
In some cases, applications also use fixed logical file names that cannot be changed.
The following lists show the logical filenames and paths used by SAP EWM and the programs to which they apply.
Logical Filenames and File Paths Used in SAP EWM
To enable the validation of physical filenames, the following logical filenames have been created:
● EWM_PI_DOWNLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/PI_DOWNLOAD
○ Program /SCWM/R_PI_STOCK_DWNLD
Parameters and format used in this context:
○ <PARAM_1> = Warehouse number (CHAR4)
○ <PARAM_2> = Counter (NUM2)
Logical file path used:
○ EWM_GLOBAL_PATH
Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.
● EWM_PI_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/PI_UPLOAD
○ Program /SCWM/R_PI_FILEUPLD
Parameters and format used in this context:
○ <PARAM_1> = Warehouse number (CHAR4)
○ <PARAM_2> = Creation Date (DATS8)
○ <PARAM_3> = Counter (NUM2)
Logical file path used:
○ EWM_GLOBAL_PATH
Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical filename.
● EWM_STOCK_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/ISU
○ Program /SCWM/R_INITIALSTOCKUPLOAD
Parameters and format used in this context:
○ <PARAM_1> = Warehouse number (CHAR4)
Logical file path used:
○ EWM_STOCK_UPLOAD_PATH
● EWM_STOBIN_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/SBUP
○ Program /SCWM/TLAGP_UPLOAD
Logical file path used:
○ EWM_STOBIN_UPLOAD_PATH
● EWM_STOBIN_SORT_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/SRTUP
○ Program /SCWM/TLAGPS_UPLOAD
Logical file path used:
○ EWM_STOBIN_SORT_UPLOAD_PATH
● EWM_MS_RESULT
Transactions/programs using this logical filename:
○ Transaction /SCWM/MS_RESULT
○ Program /SCWM/R_MS_RESULT_READ
Parameters and format used in this context:
○ <PARAM_1> = Warehouse number (CHAR4)
Logical file path used:
○ EWM_GLOBAL_PATH
Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_ELS_FRML
● EWM_ELS_ST
● EWM_ELS_STE
● EWM_ELS_SEQ
● EWM_ELS_ASS
Transactions/programs using these logical filenames:
○ Transaction /SCWM/ELS_UPLOAD
○ Program /SCWM/ELS_UPLOAD
Logical file path used:
○ EWM_GLOBAL_PATH
Comment: The logical filenames are fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for these logical file names.
● EWM_MS_RESULT
Transactions/programs using this logical filename:
○ Transaction /SCWM/PI_SAMP_UPDATE
○ Program /SCWM/PI_SAMP_UPDATE_RESULT
Parameters and format used in this context:
○ <PARAM_1> = Warehouse number (CHAR4)
Logical file path used:
○ EWM_GLOBAL_PATH
Comment: The logical filename is fixed and cannot be changed. The logical file contains a physical filename. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_PRODUCT_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/MIG_PRODUCT
○ Program /SCWM/R_MIG_PRODUCT
Logical file path used:
○ EWM_PRODUCT_UPLOAD_PATH
● EWM_PACKSPEC_UPLOAD
Transactions/programs using this logical filename:
○ Transactions /SCWM/MIG_PRODUCT and /SCWM/IPU
○ Programs /SCWM/R_MIG_PRODUCT and /SCWM/R_PS_DATA_LOAD
Logical file path used in this context:
○ EWM_PACKSPEC_UPLOAD_PATH
● EWM_PI_COMPL_UPLOAD
Transactions/programs using this logical filename:
○ Transaction /SCWM/MIG_PI_COMPL
○ Program /SCWM/R_MIG_PI_COMPL
Logical file path used in this context:
○ EWM_PI_COMPL_UPLOAD_PATH
Activating the Validation of Logical Path and Filenames
Note that this only applies to logical filenames that are not fixed.
These logical paths and filenames are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the security audit log.
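A model of the mapping and runtime validation described above, added here as an illustration and not SAP's implementation (SAP provides it through transactions FILE and SF01 and the function modules FILE_GET_NAME and FILE_VALIDATE_NAME). The physical paths, file name patterns and the validation_active switch are assumptions that mirror the guide's EWM_PI_UPLOAD and EWM_STOCK_UPLOAD entries:

```python
"""Model of the logical path / logical filename validation described above.

Added illustration, not SAP code: SAP implements the mechanism in the
transactions FILE and SF01 and in the function modules FILE_GET_NAME and
FILE_VALIDATE_NAME. The physical paths, file name patterns and the
validation_active switch below are assumptions mirroring the guide's
EWM_PI_UPLOAD and EWM_STOCK_UPLOAD entries.
"""
import posixpath
import re

# Parameter formats named in the guide, as validation patterns
# (CHAR4: four characters, NUM2: two digits, DATS8: date as YYYYMMDD).
FORMATS = {
    "CHAR4": r"[A-Z0-9]{4}",
    "NUM2": r"[0-9]{2}",
    "DATS8": r"[0-9]{8}",
}

# Constructed logical paths: physical directory plus the <FILENAME> marker.
LOGICAL_PATHS = {
    "EWM_GLOBAL_PATH": "/usr/sap/ewm/global/<FILENAME>",
    "EWM_STOCK_UPLOAD_PATH": "/usr/sap/ewm/stock/<FILENAME>",
}

# Constructed logical file names: physical name pattern with <PARAM_n>
# placeholders, the parameter formats, and the logical path they map to.
LOGICAL_FILES = {
    "EWM_PI_UPLOAD": {
        "pattern": "pi_<PARAM_1>_<PARAM_2>_<PARAM_3>.txt",
        "params": ["CHAR4", "DATS8", "NUM2"],
        "path": "EWM_GLOBAL_PATH",
    },
    "EWM_STOCK_UPLOAD": {
        "pattern": "stock_<PARAM_1>.csv",
        "params": ["CHAR4"],
        "path": "EWM_STOCK_UPLOAD_PATH",
    },
}


def physical_dir(logical_path):
    """Directory part of a logical path (everything before <FILENAME>)."""
    template = LOGICAL_PATHS[logical_path]
    return posixpath.normpath(template.split("<FILENAME>")[0])


def get_physical_name(logical_file, *params):
    """Counterpart of FILE_GET_NAME: substitute the parameters after checking
    each one against its declared format, so a value such as "../x" can
    never become part of the file name."""
    spec = LOGICAL_FILES[logical_file]
    if len(params) != len(spec["params"]):
        raise ValueError("wrong number of parameters")
    name = spec["pattern"]
    for i, (value, fmt) in enumerate(zip(params, spec["params"]), start=1):
        if re.fullmatch(FORMATS[fmt], value) is None:
            raise ValueError(f"<PARAM_{i}> does not match {fmt}: {value!r}")
        name = name.replace(f"<PARAM_{i}>", value)
    return posixpath.join(physical_dir(spec["path"]), name)


def validate_physical_name(logical_file, candidate, validation_active=True):
    """Counterpart of FILE_VALIDATE_NAME: True if `candidate` is a file the
    logical file name may legitimately resolve to.

    With validation inactive (the guide's default, kept for downward
    compatibility) every name passes; that is the switch an administrator
    has to turn on before the mapping protects anything."""
    if not validation_active:
        return True
    spec = LOGICAL_FILES[logical_file]
    # normpath collapses "." and ".." so a traversal attempt cannot pose as
    # a file below the expected directory.
    resolved = posixpath.normpath(candidate)
    if posixpath.dirname(resolved) != physical_dir(spec["path"]):
        return False
    # The base name must be derivable from the pattern: turn the pattern
    # into a regex with each <PARAM_n> replaced by its format's pattern.
    regex = re.escape(spec["pattern"])
    for i, fmt in enumerate(spec["params"], start=1):
        regex = regex.replace(re.escape(f"<PARAM_{i}>"), FORMATS[fmt])
    return re.fullmatch(regex, posixpath.basename(resolved)) is not None
```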
For more information, see the following:
● The SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Application Server → Application Server ABAP → Other Services → Services for Application Developers → Logical File Names
● The SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units → Security Guides for the Application Server → Security Guides for AS ABAP → SAP NetWeaver Application Server ABAP Security Guide → Special Topics → Protecting Access to the File System Using Logical Path and File Names
● The SAP NetWeaver documentation under SAP NetWeaver Library: Function-Oriented View → Security → System Security → System Security for SAP NetWeaver AS ABAP Only → Security Audit Log
12 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any information on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any information or recommendations with regard to additional features that would be required in a particular environment. Decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.
Note: In the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.
Glossary
Table 16
Personal data: Information about an identified or identifiable natural person.
Business purpose: A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking: A method of restricting access to data for which the primary business purpose has ended.
Deletion: Deletion of personal data so that the data is no longer usable.
Retention period: The time period during which data must be available.
End of purpose (EoP): A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:
● Access control: Authentication features as described in the User Administration and Authentication section (see User Administration and Authentication [page 23])
● Authorizations: Authorization concept as described in the Authorizations section (see Authorizations [page 30])
● Read access logging: as described in the Read Access Logging section (see Read Access Logging [page 60])
● Transmission control/Communication security: as described in the Network and Communication Security section (see Network and Communication Security [page 39]) and the Security Aspects of Data Flow and Processes section (see Security Aspects of Data Flow and Processes [page 17])
● Input control/Change logging: Change logging is described in Security-Relevant Logging and Tracing
● Availability control as described in:
○ Data Storage Security section (see Data Storage Security [page 50])
○ SAP NetWeaver Database Administration SAP Library documentation
○ SAP Business Continuity documentation in the SAP NetWeaver Application Help under Function-Oriented View → Solution Life Cycle Management → SAP Business Continuity
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
Caution: The extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required.
For information about the application-specific configuration, see the application-specific Customizing in SPRO.
12.1 Deletion of Personal Data
SAP Extended Warehouse Management (SAP EWM) can process data, for example, personal data that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544. The SAP Information Lifecycle Management (SAP ILM) component supports the entire software lifecycle including the storage, retention, blocking, and deletion of data. SAP EWM uses SAP ILM to support the deletion of personal data as described in the following sections. SAP delivers an end of purpose check (EoP check) for SAP EWM. All applications register an EoP check in the Customizing settings for the blocking and deletion of business partners. For information about the Customizing of blocking and deletion in SAP EWM, see Configuration: Simplified Blocking and Deletion below.
End of Purpose Check
An end of purpose check (EoP check) ensures data integrity in case of potential blocking. The EoP check in SAP EWM checks whether any dependent data for a certain business partner exists in relevant SAP EWM tables. If dependent data exists and the data is still required for business activities (that is, EoP has not been reached and the retention time for the document referring to the business partner is not over), the system does not block the business partner. If you want to block the data before EoP, you must delete the document and also change the retention times for this document, or apply any other customer-specific solution. Even if the object is deleted or archived, the retention times maintained for the SAP ILM live policy still apply. SAP EWM stores the start of the retention time for all business partners of any completed document in the database, which is used during the EoP check to determine whether the retention time is over.
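The decision rule described above, as an added illustration that is not SAP's code: SAP delivers the check itself and reads retention starts and policies from the database and SAP ILM. The documents, retention days and dates below are constructed sample data; only the ILM object names are taken from the guide:

```python
"""Model of the end of purpose (EoP) check for business partners described
above. Added illustration, not SAP code. Documents, retention days and
dates are constructed sample data; the ILM object names are the guide's.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    ilm_object: str                   # DLV_INB, DLV_OUT, WME_WO, ...
    partners: FrozenSet[str]          # business partners the document refers to
    completed: bool                   # only completed documents get a retention start
    retention_start: Optional[date]   # stored by SAP EWM when the document completes


# Constructed retention policies in days per ILM object (in the real
# system these are maintained with transaction IRMPOL).
RETENTION_DAYS = {"DLV_INB": 365, "DLV_OUT": 365, "WME_WO": 90}

TODAY = date(2016, 8, 10)   # constructed reference date
SAMPLE_DOCUMENTS = [
    Document("IBD-1", "DLV_INB", frozenset({"BP100"}), True, date(2014, 1, 15)),
    Document("IBD-2", "DLV_INB", frozenset({"BP100", "BP200"}), True, date(2016, 3, 1)),
    Document("OBD-1", "DLV_OUT", frozenset({"BP300"}), False, None),
    Document("WO-1", "WME_WO", frozenset({"BP300"}), True, date(2016, 4, 1)),
]


def retention_over(doc, today):
    """True once a completed document's retention period has expired."""
    if not doc.completed or doc.retention_start is None:
        return False   # still in business use, so EoP cannot have been reached
    end = doc.retention_start + timedelta(days=RETENTION_DAYS[doc.ilm_object])
    return today >= end


def eop_check(partner, documents, today):
    """Return (eop_reached, blocking_doc_ids).

    EoP is reached only when no dependent document still needs the partner,
    i.e. every referencing document is completed and past its retention.
    The blocking list tells an administrator which documents would have to
    be deleted (and their retention times changed) before a block is possible.
    """
    blocking = [d.doc_id for d in documents
                if partner in d.partners and not retention_over(d, today)]
    return (not blocking, sorted(blocking))


def can_block(partner, documents=SAMPLE_DOCUMENTS, today=TODAY):
    """Blocking the business partner is allowed exactly when the EoP check passes."""
    return eop_check(partner, documents, today)[0]
```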
Integration with Other Solutions
In the majority of cases, different installed applications run interdependently. An example of an application that uses central master data is an SAP ERP system that transfers inbound deliveries to SAP EWM. In this case, the vendor of the inbound delivery is contained as a business partner (ship-from role) in the inbound delivery in SAP EWM.
Relevant Application Objects and Available Deletion Functionality
The deletion of objects is usually done using either archiving services or special functions. For more information, see SAP Library for SAP Extended Warehouse Management on SAP Help Portal at help.sap.com/ewm. In SAP Library, choose Archiving in Extended Warehouse Management (SCM-EWM).
We recommend that you view the SAP EWM application operations guide. There, regular steps, such as archiving or deletion, are described together with proposals on how and when they should be executed.
Table 17
Application: EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request
Detailed description: Business partner data is stored in warehouse requests. For example, in the Ship To and Ship From fields in the warehouse request header or as owner and entitled at item level in the partner data.
Provided deletion functionality: Deletion of the objects can be done using the archiving services. The archiving objects are:
● DLV_INB: Internal warehouse requests (inbound delivery)
● DLV_OUT: Internal warehouse requests (outbound delivery)
● DLV_REQ: Warehouse requests from external systems
● DLV_PROD: Production material request

Application: EWM Labor Management
Detailed description: In Labor Management, the Processor field is written in several SAP EWM documents. For example, the warehouse order and executed workload.
Provided deletion functionality: Deletion of the objects can be done using the archiving services. The archiving objects are:
● WME_WO: Warehouse order
● WME_EWL: Executed workload
● WME_EPD: Performance document
● WME_ILT: Indirect labor task

Application: EWM Shipping and Receiving
Detailed description: In Shipping and Receiving, in the transportation unit object the field for the carrier may contain a business partner.
Provided deletion functionality: Deletion of the objects can be done using the archiving services. The archiving objects are:
● WME_TU: TU activity
● WME_VEH: Vehicle activity

Application: EWM Value Added Services
Detailed description: If value added services (VAS) are used, in the corresponding VAS order the fields for entitled and owner may contain a business partner.
Provided deletion functionality: Deletion of the objects can be done using the archiving services. The archiving object is WME_VAS (VAS order).

Application: EWM Proof of Delivery
Detailed description: If proof of delivery is used (transaction /SCWM/POD_IMP), then this object may contain business partners in the fields for carrier, entitled, or processor.
Provided deletion functionality: Deletion can be done using transaction /SCWM/POD_IMP.

Application: EWM Stock Data
Detailed description: In SAP EWM, stock data can contain business partner data. For example, in fields for owner or entitled.
Provided deletion functionality: Deletion is not possible directly. The corresponding stock has to be cleared so that no stock exists any more. Report /LIME/BACKGROUND_DELETE_EXEC is available.

Application: EWM Dock Appointment Scheduling
Detailed description: In dock appointments in SAP Dock Appointment Scheduling, the field for the carrier may contain a business partner.
Provided deletion functionality: Deletion is possible using report /SCWM/R_DAS_DELETE.

Application: Transportation Management in EWM
Detailed description: In the shipment and freight document objects, the business partner is contained.
Provided deletion functionality: Deletion of the objects can be done using the archiving services. The archiving objects are:
● TM_SHP: Shipment
● TM_FRD: Freight document

Application: EWM Warehouse Billing
Detailed description: In Warehouse Billing, snapshots can contain a business partner.
Provided deletion functionality: Billing measurement (BOPF object /SCWM/BM) can be deleted by archiving using archiving object EWM_WBM. Billing measure request (BOPF object /SCWM/WB_BMR) can be deleted using deletion report /SCWM/WB_WBMR_DELETION.
Relevant Application Objects and Available EoP Functionality
Table 18
Application: EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request
Implemented solution (EoP or where-used check): An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:
● Outbound delivery request
● Outbound delivery order
● Outbound delivery
● Inbound delivery notification
● Inbound delivery
● Production material request

Application: EWM Labor Management
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:
● Executed workload
● Employee performance document
● Warehouse order
● Indirect labor task
For indirect labor tasks, the data is stored using order document management (ODM). The ODM data type is ILT. The corresponding header component is ILT with structure /SCWM/S_ILT_ODM.

Application: EWM Shipping and Receiving
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:
● Transportation unit
● Vehicle
● Transportation unit activity
● Vehicle activity

Application: EWM Value Added Services
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for VAS documents. The data is stored using ODM. The ODM data type is VASO. The corresponding item component is VASI with structure /SCWM/S_VAS_ODM_ITM.

Application: EWM Proof of Delivery
Implemented solution: A where-used check (WUC) is implemented for the business partner object.
Further information: A WUC is done for the /SCWM/POD database table.

Application: EWM Stock Data
Implemented solution: A WUC is implemented for the business partner object.
Further information:
● /SCWM/STOCK_IW01
● /SCWM/STOCK_IW02
● /SCWM/STOCK_IW03
● /SCWM/STOCK_IW04

Application: EWM Dock Appointment Scheduling
Implemented solution: A WUC is implemented for the business partner object.
Further information: A WUC is done for the /SCWM/D_DSAPP database table.

Application: Transportation Management in EWM
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for the following documents:
● Freight order
● Shipment
The data is stored using ODM, as follows:
● For shipments the ODM data type is TMSH. The corresponding header component is TSHD with structure /SCMB/TMDL_ODM_SHP_HDR_STR.
● For freight documents the ODM data type is TMFR. The corresponding header component is TMFH with structure /SCMB/TMDL_ODM_FRD_HDR_STR.

Application: EWM Warehouse Billing
Implemented solution: An EoP check is implemented for the business partner object.
Further information: An EoP check is done for warehouse billing measurement documents.
Process Flow
Before archiving data, you must define residence times and retention periods in SAP ILM.
You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.
You do the following:
● Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM object: CA_BUPA).
● Run transaction IRMPOL and maintain the retention policies for the SAP ILM objects of the SAP EWM application:
○ DLV_INB (inbound delivery)
○ DLV_OUT (outbound delivery)
○ DLV_PROD (production material request)
○ DLV_REQ (delivery request)
○ EWM_WBM (warehouse billing measurement)
○ LIME_PI (physical inventory document)
○ TM_FRD (freight order)
○ TM_SHP (shipment)
○ WME_DOOR (door)
○ WME_EPD (employee performance document)
○ WME_EWL (executed workload)
○ WME_HU (handling unit)
○ WME_ILT (indirect labor task)
○ WME_TO (warehouse task)
○ WME_TU (transportation unit activity)
○ WME_VAS (value added service)
○ WME_VEH (vehicle activity)
○ WME_WAVE (wave)
○ WME_WO (warehouse order)
● Run transaction BUPA_PRE_EOP to enable the EoP check function for the central business partner.
● Run transaction IRMPOL and maintain the required residence and retention policies for the customer master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).
● Run transaction CVP_PRE_EOP to enable the EoP check function for the customer master and vendor master in SAP ERP.
● Business users can request unblocking of blocked data by using transaction BUP_REQ_UNBLK.
● If you have the necessary authorizations, you can unblock data by running transactions BUPA_PRE_EOP and CVP_UNBLOCK_MD.
● You delete data by using transaction BUPA_PRE_EOP for the ILM objects of SAP EWM.
For information about how to configure blocking and deletion for SAP EWM, see Configuration: Simplified Blocking and Deletion below.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under Data Protection → Authorization Management.
● Define the settings for blocking in Customizing for Cross-Application Components under Blocking and Unblocking Business Partner.
You configure the settings related to the blocking and deletion of customer and vendor master data in Customizing.
12.2 Read Access Logging
If no trace or log records which business users have accessed data, it is difficult to track the persons responsible for any data leak to the outside world. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data, for example, of a business partner, and in which time frame.
In RAL, you can configure which read-access information to log and under which conditions. For more information about RAL, see SAP Library for SAP NetWeaver 7.5 at help.sap.com//nw. In SAP Library, choose SAP NetWeaver → SAP NetWeaver Library: Function-Oriented View → System Security → System Security for SAP NetWeaver Application Server ABAP Only → Read Access Logging.
13 Security for Additional Applications
Geocoding
Note: This is not relevant for standalone Dock Appointment Scheduling.
The SAP Extended Warehouse Management (SAP EWM) component can, in some cases, make use of third-party geocoding applications, for example, PTV eServer. The software could be used, for example, to calculate geographical information for the locations or distances for transportation lanes. To connect to the third-party software, an RFC destination may be required on the SAP EWM side. This RFC destination is described in the Communication Destinations section (see Communication Destinations [page 44]).
For more information on geocoding, see SAP Library for SAP EWM on SAP Help Portal at help.sap.com/ewm. In SAP Library, choose SCM Basis → SCM Basis → Master Data → Location. For any security issues regarding the third-party application, for example, PTV eServer software, see the third-party documentation.
SAP Plant Connectivity for Scale Integration
The SAP EWM component can, in some cases, integrate an external scale. The software could be used, for example, to calculate the weight of a handling unit. In BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT), a sample implementation exists for this. In this example, the system uses SAP Plant Connectivity to integrate an external scale. This software may require an RFC destination on the SAP EWM side to connect to SAP Plant Connectivity. For more information, see Communication Destinations [page 44].
For more information on SAP Plant Connectivity, see SAP Help Portal at help.sap.com/pco and the security information for SAP Plant Connectivity on SAP Service Marketplace at service.sap.com/securityguides → SAP Business Suite Applications → SAP Manufacturing → Security Guide Plant Connectivity 2.2.
14 Enterprise Services Security
The following chapters in the SAP NetWeaver Security Guide are relevant for all enterprise services delivered with SAP Extended Warehouse Management:
● User Administration and Authentication
● Network and Communication Security
● SAP NetWeaver Process Integration Security Guide
● Security Guide Web Services
● Security Aspects for Web Services
● Security Guides for the Operating System and Database Platforms
● Security Aspects for Lifecycle Management
● Security Guides for the AS ABAP
● Security Guides for the AS Java
For more information about special security requirements for web services, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies → Security Aspects for Web Services.
15 Other Security-Relevant Information
You can find other security-relevant information for the following:
● User Frontend [page 64]
● Data Protection and Privacy [page 65]
15.1 User Frontend
To use the web browser as a user front end, you must first activate JavaScript (Active Scripting) to ensure a working user interface. This could, however, conflict with your security policy regarding web services.
SAP NetWeaver Business Client
SAP NetWeaver Business Client is the proposed UI for using Web Dynpro applications, for example, from SAP Dock Appointment Scheduling, Transit Warehousing, or Shipping Cockpit in SAP EWM.
For more information about SAP NetWeaver Business Client, see SAP Note 900000.
See also the Security Guide for SAP NetWeaver Business Client on SAP Help Portal at help.sap.com/nw-uiaddon/ → Security Information → Security Guide.
Making Browser Settings for Easy Graphics Framework (EGF)
Note: This is not relevant for standalone Dock Appointment Scheduling.
If you work with Microsoft Internet Explorer in the Easy Graphics Framework (EGF), you must have installed Microsoft Internet Explorer version 5 or higher.
For more information about the security settings, see the SAP EWM documentation under Monitoring → Easy Graphics Framework.
RF Device as a User Frontend
Note: This is not relevant for standalone Dock Appointment Scheduling.
To use an RF device as a user front end, you can use a mobile PC running SAP Front End, or a character-based device using SAP Console. SAP Console is part of the SAP Front End installation. In addition, a third-party Telnet server is necessary. For any security issues regarding the Telnet server software, consult the third-party software documentation.
For more information about SAP Front End, see SAP Service Marketplace at service.sap.com/instguides → SAP NetWeaver → SAP NetWeaver 7.5 → Installation → 4 - Installation - Clients → SAP Front End Installation Guide.
SAP Dock Appointment Scheduling
Note: This is relevant only if you are using Dock Appointment Scheduling.
If you use the Web Dynpro applications Create Time Slots in Graphical View, Change Time Slots in Graphical View, or Maintain Appointments – Graphical, you must install Microsoft® Silverlight® version 5 or later. Note that this does not apply for the UI Dock Appointment Scheduling for Carrier as this uses SAPUI5.
Access from UIs using OData and Gateway
Labor Demand Planning and Dock Appointment Scheduling UI for Carriers use SAP NetWeaver Gateway to access SAP EWM data. For more information, see Network and Communication Security [page 39].
15.2 Data Protection and Privacy
You can use the RSCRDOMA report to determine the tables in which certain domains that contain person-related data are used. For example, the variant SAP&DS_USNAM shows all tables in which the standard domains for user names are used (if further domains exist and are used in your system, you can add them to the selection).
You can check which values the variant uses to filter the result (for example, if you want fewer or more domains to be included).
Activities
You can execute the variant with the following selection criteria to filter the result and display a where-used list for domains in tables:
1. On the SAP Easy Access screen, choose Tools > ABAP Workbench > Development > ABAP Editor.
2. Enter RSCRDOMA as the program name.
3. Select the Variants subobject and choose Display.
4. Enter the SAP&DS_USNAM variant.
5. Select the Values subobject and choose Display.
16 Security-Relevant Logging and Tracing
SAP systems keep various logs for system administration, monitoring, problem solving, and auditing purposes. Audits and logs are important for monitoring the security of your system and for tracking events in case of problems.
Note: Auditing and logging for the SAP Extended Warehouse Management (SAP EWM) component is described in detail in the SAP NetWeaver Security Guide. For more information, see the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management > Auditing and Logging.
Security Audit Log Triggered by Virus Scan Interface (VSI)
The class CL_VSI automatically creates entries in the Security Audit Log for infections and scan errors found, together with the following information:
● Profile
● Profile step allowing the detection of the scanner-group
● Kind of virus found, with internal virus ID of the scan engine, if available
● User name and time stamp
The messages logged are located in the message class VSCAN, using the system log messages BU8 and BU9 (created in SE92). The severities are set to High and Medium, respectively. The severity of the audit class is set to Miscellaneous. For more information, see Customizing for SAP NetWeaver under Application Server > System Administration > Virus Scan Interface.
Audit Information System (AIS)
Information on auditing and logging for the Audit Information System (AIS) is described in detail in the SAP NetWeaver Security Guide. For more information, see the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management > Auditing and Logging > Audit Information System (AIS).
SAP EWM
Note: This is not relevant for standalone Dock Appointment Scheduling.
SAP EWM auditing and logging is governed by the transactions and customizing activities listed in the table below.
Auditing and logging in SAP EWM is governed by change documents. Change documents have to be activated in Customizing before they can be used.
When change documents are activated and used in the system, each field in the SCM delivery documents is linked to change documents. The change documents provide information about which fields have been changed and about the old and new values. When you use change documents, you can define that the SCM system creates a log that shows which user has changed data in a delivery document and the specific time at which the change was made.
You can also run reports that retrieve archived documents. The reports are not separate transactions but they are contained in the SCM standard transactions, such as the Maintain Outbound Delivery Order transaction (the Open Advanced Search pushbutton is used).
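The audit trail that change documents make possible (which user changed which field of a delivery document, at what time, from which old value to which new value) can be evaluated offline once the records are exported. The following is an added example, not SAP code and not the layout of any SAP table: it works on a constructed export format with one record per changed field and shows three defender-side uses of such records, reconstructing the per-document change history, flagging changes to sensitive fields outside an assumed business-hours window, and replaying the old/new value chain to detect gaps that would indicate an unlogged change.

```python
"""Audit-trail evaluation over change-document records.

Added example, not SAP code. The record layout is a constructed export
format (document, field, old value, new value, user, change time), as the
guide describes the content of change documents; it is not an SAP table.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records for two outbound delivery orders.
SAMPLE_RECORDS = [
    {"document": "ODO-1001", "field": "SHIP_TO", "old": "CUST-01", "new": "CUST-77",
     "user": "WH_CLERK1", "changed_at": "2016-08-10T09:15:00"},
    {"document": "ODO-1001", "field": "QUANTITY", "old": "100", "new": "90",
     "user": "WH_CLERK1", "changed_at": "2016-08-10T09:16:00"},
    {"document": "ODO-1002", "field": "SHIP_TO", "old": "CUST-02", "new": "CUST-99",
     "user": "TEMP_USER", "changed_at": "2016-08-10T23:40:00"},
    {"document": "ODO-1002", "field": "PRIORITY", "old": "2", "new": "1",
     "user": "WH_CLERK2", "changed_at": "2016-08-11T08:05:00"},
]


def build_audit_trail(records):
    """Return {document: [(changed_at, user, field, old, new), ...]} in time order."""
    trail = defaultdict(list)
    for r in records:
        trail[r["document"]].append(
            (datetime.fromisoformat(r["changed_at"]), r["user"],
             r["field"], r["old"], r["new"]))
    for doc in trail:
        trail[doc].sort()  # datetime is the first tuple element, so this is chronological
    return dict(trail)


def flag_suspicious_changes(records, sensitive_fields, start_hour=6, end_hour=20):
    """Flag changes to sensitive fields made outside business hours.

    The hour window is an assumed local policy, not something the guide specifies.
    Returns (document, field, user, changed_at) for every hit.
    """
    flagged = []
    for r in records:
        if r["field"] not in sensitive_fields:
            continue
        hour = datetime.fromisoformat(r["changed_at"]).hour
        if not (start_hour <= hour < end_hour):
            flagged.append((r["document"], r["field"], r["user"], r["changed_at"]))
    return flagged


def replay_values(records):
    """Replay old->new transitions per document and field.

    Returns (state, inconsistencies): state holds the last logged value of every
    field; an inconsistency is recorded when a record's old value does not match
    the previously logged new value, which means a change is missing from the log.
    """
    state = {}
    inconsistencies = []
    for doc, changes in build_audit_trail(records).items():
        state[doc] = {}
        for _, _, field, old, new in changes:
            prev = state[doc].get(field)
            if prev is not None and prev != old:
                inconsistencies.append((doc, field, prev, old))
            state[doc][field] = new
    return state, inconsistencies


if __name__ == "__main__":
    for doc, changes in build_audit_trail(SAMPLE_RECORDS).items():
        for ts, user, field, old, new in changes:
            print(f"{doc} {ts.isoformat()} {user}: {field} {old!r} -> {new!r}")
    print("flagged:", flag_suspicious_changes(SAMPLE_RECORDS, {"SHIP_TO"}))
    print("replay:", replay_values(SAMPLE_RECORDS))
```

The replay check is the part worth keeping in a real review: when change documents are activated for all delivery document types, as the guide recommends, every old value should equal the previous new value, so a mismatch points either to a document type for which change documents were not activated or to a change made outside the logged path.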
The following Customizing activities are relevant for SAP EWM auditing and logging (in SCM Customizing, you can set – per document type of delivery – whether a change document is to be written for each delivery document. You can make these settings for all document categories in SAP EWM. In other words, you can make these settings for all delivery documents in SAP EWM, including posting changes and internal moves).
Table 19
Customizing Activity | Path in Customizing for SAP EWM
Activation of change documents for inbound delivery | Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Inbound Delivery Process (or: Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Use Wizard to Define Document Types for Inbound Delivery Process). Select the Change Documents indicator.
Activation of change documents for expected goods receipt | Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Expected Goods Receipt (or: Extended Warehouse Management > Goods Receipt Process > Expected Goods Receipt > Use Wizard to Define Document Types for Expected Goods Receipt). Select the Change Documents checkbox.
Activation of change documents for outbound delivery | Extended Warehouse Management > Goods Receipt Process > Inbound Delivery > Manual Settings > Define Document Types for Expected Goods Receipt
Activation of change documents for posting changes | Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Posting Changes > Manual Settings > Define Document Types for Posting Change Process (or: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Posting Changes > Use Wizard to Define Document Types for Posting Change Process). Select the Change Documents checkbox.
Activation of change documents for stock transfers | Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Stock Transfers > Manual Settings > Define Document Types for the Stock Transfer Process (or: Extended Warehouse Management > Internal Warehouse Processes > Delivery Processing > Stock Transfers > Use Wizard to Define Document Types for the Stock Transfer Process). Select the Change Documents checkbox.
The following transactions are relevant for SAP EWM auditing and logging (in each of these transactions, you can use the Open Advanced Search pushbutton on the screen for that transaction, to retrieve and display archived report data):
Table 20
Transaction Description | Menu Path in the SAP EWM System
Maintain Inbound Delivery | On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Inbound Delivery > Maintain Inbound Delivery.
Maintain Expected Goods Receipt | On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Inbound Delivery > Expected Goods Receipt > Maintain Expected Goods Receipt.
Maintain Outbound Delivery Order | On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Outbound Delivery > Maintain Outbound Delivery Order.
Maintain Posting Change | On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Posting Change > Maintain Posting Change.
Maintain Internal Stock Transfer | On the SAP Easy Access screen, choose Extended Warehouse Management > Delivery Processing > Maintain Internal Stock Transfer.
17 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
● Whether SAP Security Notes have been identified as missing on your system.
In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.
In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.
In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
● Critical authorizations in detail
● Security-relevant configuration parameters
● Critical users
● Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend that you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to monitor a system landscape for compliance with predefined settings continuously, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a nontrivial Gateway configuration or making sure that standard users do not have default passwords.
Security in the Run SAP Methodology/Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.
More Information
For more information about these services, see:
● EarlyWatch Alert: service.sap.com/ewa
● Security Optimization Service/Security Notes Report: service.sap.com/sos
● Comprehensive list of Security Notes: service.sap.com/securitynotes
● Configuration Validation: service.sap.com/changecontrol
● Run SAP Roadmap, including the Security and the Secure Operations Standard: service.sap.com/runsap (See the Run SAP chapters 2.6.3, 3.6.3 and 5.6.3)
18 Appendix
For more information about the security of SAP applications, see SAP Service Marketplace at service.sap.com/security.
For more information about security guides of SAP applications, see SAP Service Marketplace at service.sap.com/securityguide.
Related Information
For more information about topics related to security, see the links shown in the following table:
Table 21: Quick Links to Related Information
Content | Quick Link on SAP Service Marketplace (http://service.sap.com)
Master Guides, Installation Guides, Upgrade Guides, Solution Management Guides | service.sap.com/instguides
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
Network security | service.sap.com/securityguide
Technical infrastructure | service.sap.com/installnw74
SAP Solution Manager | service.sap.com/solutionmanager
SAP Supply Chain Management | service.sap.com/scm