sap extended warehouse management 9.5 security guide
TRANSCRIPT
Security Guide CUSTOMER
Document Version: 1.2 – 2018-04-20
SAP Extended Warehouse Management 9.5 Security GuideUsing SAP SCM 7.0 including SAP enhancement package 4, SAP ERP 6.0 including SAP enhancement package 8, or SAP NetWeaver 7.5
Content
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Security Aspects of Data Flow and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.2 User Data Synchronization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255.3 Integration Into Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
6 Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276.1 Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316.2 Maintaining Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336.3 Maintaining Authorizations for Integration with SAP Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . 336.4 Maintaining Authorizations for Enterprise Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
7 Session Security Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
8 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388.1 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.2 Unified Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428.3 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428.4 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
9 Internet Communication Framework Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
10 Application-Specific Virus Scan Profile (ABAP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
11 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
12 Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5212.1 Deletion of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5312.2 Read Access Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
13 Security for Additional Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
14 Enterprise Services Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
15 Other Security-Relevant Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
2 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Content
15.1 User Frontend. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
16 Security-Relevant Logging and Tracing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
17 Services for Security Lifecycle Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
18 Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
SAP Extended Warehouse Management 9.5 Security GuideContent C U S T O M E R 3
Document History
CautionBefore you start the implementation, make sure you have the latest version of this document. You can find the latest version at http://help.sap.com/ewm under Security SAP Extended Warehouse Management 9.5 Security Guide .
The following table provides an overview of the most important document changes:
Version Date Description
1.2 2018-04-20 Security-Relevant Logging and Tracing chapter updated to include change documents for shift sequence assignment of processor.
1.1 2018-04-04 Authorizations, Authorization Objects, Deletion of Personal Data, and Security-Relevant Logging and Tracing chapters updated for SAP EWM 9.5 FP02.
Minor changes made to the Security Aspects of Data Flow and Processes, Internet Communication Framework Security, Data Protection, Other Security-Relevant Information, and User Frontend chapters for SAP EWM 9.5 FP02.
1.0 2017-11-30 Initial version of the Security Guide for SAP EWM 9.5.
4 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Document History
1 Introduction
CautionThis guide does not replace the administration or operation guides that are available for productive operations.
Target Audience
● Technology consultants● Security consultants● System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation on your system should not result in loss of information or reductions in processing time. These demands on security apply likewise to SAP Extended Warehouse Management (SAP EWM). To assist you in securing SAP EWM, we provide this SAP EWM Security Guide.
RecommendationWe strongly recommend that you also consult the SAP NetWeaver Security Guide.
About This Document
This Security Guide provides an overview of the security-relevant information that applies to SAP EWM 9.5.
Applications in SAP EWM 9.5
SAP EWM 9.5 contains multiple applications that can be used independently of each other. For example, SAP Dock Appointment Scheduling is technically part of the SAP EWM 9.5 installation, but it can be used independently of other SAP EWM applications as a standalone application. If you are using SAP Dock Appointment Scheduling only, without any integration to SAP EWM, some parts of the guide are not relevant.
SAP Extended Warehouse Management 9.5 Security GuideIntroduction C U S T O M E R 5
The following list describes the levels of relevance of this guide:
● Several sections of this guide describe steps that are independent of the applications or business processes used, and you must always implement these steps. For example, securing an SAP NetWeaver system. This is true for most parts of this document. These sections are not marked.
● Other sections of this guide describe topics that are relevant for both SAP EWM in general and Dock Appointment Scheduling. These sections are not marked. Here if the term SAP EWM is used, it means the SAP EWM 9.5 system installation, including Dock Appointment Scheduling.
● Some sections of this guide are only necessary depending on which processes or applications of SAP EWM 9.5 you are using. These sections can be either specific to Dock Appointment Scheduling or for specific SAP EWM processes. These sections are marked as relevant for Dock Appointment Scheduling or SAP EWM applications. In these sections only, you can omit the steps that are specifically for SAP EWM applications or Dock Appointment Scheduling.This guide uses the following keys to identify the applications:○ Relevant only if you are using Dock Appointment Scheduling○ Not relevant for Dock Appointment Scheduling
The guide also differentiates between standalone Dock Appointment Scheduling and Dock Appointment Scheduling integrated with SAP EWM.○ SAP EWM: SAP EWM-only processes○ All: Applies to both Dock Appointment Scheduling and SAP EWM
Overview of the Main Sections
The Security Guide comprises the following main sections:
● Before You StartThis section contains information about why security is necessary, how to use this document, and references to other Security Guides that build the foundation for this Security Guide.
● Technical System LandscapeThis section provides an overview of the technical components and communication paths that are used by SAP EWM.
● Security Aspects of Data Flow and ProcessesThis section provides an overview of the security aspects involved throughout the most widely-used processes within SAP EWM.
● User Administration and AuthenticationThis section provides an overview of the following user administration and authentication aspects:○ Recommended tools to use for user management.○ User types that are required by SAP EWM.○ Standard users that are delivered with SAP EWM.○ Overview of the user synchronization strategy, if several components or products are involved○ Overview of how integration with Single Sign-On environments is possible.
● AuthorizationsThis section provides an overview of the authorization concept that applies to SAP EWM.
● Session Security ProtectionThis section provides information about activating secure session management, which prevents JavaScript or plug-ins from accessing the SAP logon ticket or security session cookie(s).
● Network and Communication SecurityThis section provides an overview of the communication paths used by SAP EWM, and the security mechanisms that apply. It also includes our recommendations for the network topology to restrict access at the network level.
6 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Introduction
● Internet Communication Framework SecurityThis section provides an overview of the Internet Communication Framework (ICF) services that are used by SAP EWM.
● Application-Specific Virus Scan Profile (ABAP)This section provides an overview of the behavior of the AS ABAP when application-specific virus scan profiles are activated.
● Data Storage SecurityThis section provides an overview of any critical data that is used by SAP EWM and the security mechanisms that apply.
● Data ProtectionThis section provides information about how SAP EWM protects personal or sensitive data.
● Security for Third-Party or Additional ApplicationsThis section provides security information that applies to third-party or additional applications that are used with SAP EWM.
● Dispensable Functions with Impacts on SecurityThis section provides an overview of functions that have impacts on security and can be disabled or removed from the system.
● Enterprise Services SecurityThis section provides an overview of the security aspects that apply to the enterprise services delivered with SAP EWM.
● Other Security-Relevant InformationThis section contains information about:○ Web browser as a user frontend○ RF device as user frontend
● Security-Relevant Logging and TracingThis section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.
● Services for Security Lifecycle ManagementThis section provides an overview of services provided by Active Global Support that are available to assist you in maintaining security in your SAP systems on an ongoing basis.
● AppendixThis section provides references to further information.
SAP Extended Warehouse Management 9.5 Security GuideIntroduction C U S T O M E R 7
2 Before You Start
Fundamental Security Guides and Documentation
SAP Extended Warehouse Management (SAP EWM) is based on SAP NetWeaver. With respect to SAP Fiori and SAPUI5 apps, SAP Gateway plays a fundamental role. Therefore, the corresponding Security Guides also apply to SAP EWM. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below.
Fundamental Security Guides and Documentation
Guide/Documentation Path to the Guide/Documentation
SAP NetWeaver Security Guides http://help.sap.com/nw SAP NetWeaver Platform SAP
NetWeaver 7.5 Security SAP NetWeaver Security
Guide .
SAP NetWeaver Application Help http://help.sap.com/nw SAP NetWeaver Platform SAP
NetWeaver 7.5 Application Help SAP NetWeaver Library:
Function-Oriented View .
SAP EWM Master Guide http://help.sap.com/ewm Installation and Upgrade SAP
Extended Warehouse Management 9.5 Master Guide .
The SAP EWM component is built on further components and uses further components. Therefore, the corresponding Security Guides also apply to SAP EWM. The Master Guide contains more information regarding the components necessary for business scenarios and processes.
SAP EWM Application Help http://help.sap.com/ewm Application Help SAP Extended
Warehouse Management (SAP EWM) .
Related Security Guides
The following table provides an overview of all related Security Guides. You can find them using the NetWeaver guide finder at http://help.sap.com/viewer/nwguidefinder. Alternatively, see http://help.sap.com/nw SAP NetWeaver Platform SAP NetWeaver 7.5 Security SAP NetWeaver Security Guide and then follow the paths listed below.
8 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Before You Start
Related Security Guides for SAP NetWeaver Products
Product See Application Relevance
Operating system and database platforms
Security Guides for the Operating System and Database Platforms All
SAP NetWeaver Application Server
● Security Guides for SAP NetWeaver Functional Units Security Guides for
the Application Server :
○ Security Guides for AS ABAP SAP NetWeaver Application Server for
ABAP Security Guide
○ Security Guides for AS Java SAP NetWeaver Application Server for
Java Security Guide
○ Security Aspects for AS Infrastructure Functional Units Security
Settings for the SAP Message Server
○ Security Guides for Business Services SAP Interactive Forms by
Adobe Security Guide
○ Security Guides for Business Services SAP Knowledge Warehouse
Security Guide
○ Security Aspects for AS Infrastructure Functional Units AS ABAP with
Integrated ITS
● Security Guides for SAP NetWeaver Functional Units Security Guides for
Composition Environment Composite Application Framework Security
Guide
● Security Aspects for Lifecycle Management Virus Protection and SAP GUI
Integrity Checks
All
EP Core (EPC) and Enterprise Portal (EP)
Security Guides for SAP NetWeaver Functional Units Security Guides for
Enterprise Portal (EP) and EP Core - Application Portal (EPC)
All
SAP Business Warehouse (SAP BW)
Security Guides for SAP NetWeaver Functional Units Security Guide SAP BW All
SAP NetWeaver Development Infrastructure (NWDI)
Security Aspects for Lifecycle Management Security of the SAP NetWeaver
Development Infrastructure
All
SAP NetWeaver Mobile
Security Guides for SAP NetWeaver Functional Units Security Guide for SAP
NetWeaver Mobile
All
SAP Extended Warehouse Management 9.5 Security GuideBefore You Start C U S T O M E R 9
Product See Application Relevance
SAP NetWeaver Process Integration (SAP NetWeaver PI)
Security Guides for SAP NetWeaver Functional Units SAP Process Integration
Security Guide
Relevant only if integration with SAP Transportation Management is carried out based on SAP NetWeaver PI
Security guides for standalone engines, clients, and tools
● Security Guides for SAP NetWeaver Functional Units Search and
Classification (TREX) Security Guide
● Security Guides for SAP NetWeaver Functional Units Security Guides for
the Application Server Security Guides for Business Services SAP Content
Server Security Guide Introductionand subsequent chapters
● Security Guides for SAP NetWeaver Functional Units Security Guides for
the Application Server Security Aspects for AS Infrastructure Functional Units
Security Information for SAP Web Dispatcher
All
Connectivity and interoperability
Security Guides for Connectivity and Interoperability Technologies, for example:
● RFC/ICF Security Guide● Security Guide for Connectivity with the AS Java● Security Aspects for Web Services
All
Lifecycle Management
Security Aspects for Lifecycle Management, for example:
● System Landscape Directory Security Guide● Auditing and Logging
All
SAP Gateway SAP Gateway Foundation at http://help.sap.com/nw SAP NetWeaver 7.5
SAP NetWeaver Library: Function-Oriented View SAP Gateway Foundation
(SAP_GWFND) SAP Gateway Foundation Security Guide
Relevant if you are using SAP Fiori or SAPUI5 or other components that make use of SAP Gateway. This is, for example, the case for SAP Fiori delivery apps, Labor Demand Planning, or the Carrier user interface using SAPUI5 for Dock Appointment Scheduling.
10 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Before You Start
Product See Application Relevance
Web Dynpro ABAP Security Guide
Security Guides for SAP NetWeaver Functional Units Security Guides for the
Application Server Security Guides for AS ABAP Security Guide for Web Dynpro
ABAP
Relevant only if you are using Web Dynpro user interfaces. For example, Dock Appointment Scheduling or the Shipping Cockpit.
This is especially important if you plan to use Dock Appointment Scheduling and the Collaborative Scenarios.
SAP Fiori security information
SAP Fiori Implementation Information at http://help.sap.com/fiori_implementation
under SAP Fiori: Security
Relevant if you are using SAP Fiori apps in SAP EWM.
Important SAP Notes
The most important SAP Notes that apply to the security of SAP EWM are shown in the table below:
Important SAP Notes
SAP Note Number
Title Comment
25591 Password change for DBM and DBA users
The SAP R/3 user password is to be changed.
30724 Data Protection and Security in SAP Systems
None
110600 SAP Security Library (SAPSECULIB)
None
128447 Trusted/Trusting Systems Needed for Customizing of trusted/trusting system RFC connections.
138498 Single Sign-On Solutions Information about Single Sign-On solutions for SAP systems
389220 Problems with Pasting the Certifi-cate Request Reply
None
SAP Extended Warehouse Management 9.5 Security GuideBefore You Start C U S T O M E R 11
SAP Note Number
Title Comment
447543 APO: Authorizations too Comprehensive/Not User-Specific
None
510007 Setting Up SSL on the Web Application Server ABAP
None
616555 LiveCache >= 7.4: Password Change
The passwords of the standard liveCache user, the database system administrator, the DBM user, should be changed in the liveCache environment.
637052 Missing Authorization Object for Database Views
None
662340 SSF Encryption Using the SAPCrytolib
The SAP Cryptographic Library has to be used for encrypting data in the SAP system.
683528 Security Note: SAP MaxDB This note provides information about the secure operation of SAP DB/MaxDB and liveCache.
727839 Authorization Role for the SAP SCM – SAP R/3 Integration
None
792366 Subsequent Implementing a Security Level for Documents
Knowledge Provider: what needs to be taken into account if an application of the Knowledge Provider (KPro) decides to change the security level for documents for one or more of their PHIO classes.
1517416 Collective security note for SAP EWM
This note contains additional security-relevant information and notes for SAP EWM.
1515223 SAP NetWeaver Process Integration: Release Recommendation
This note sets out our recommendation on which release of SAP NetWeaver PI you should use.
1536783 SAP Security Recommendations – Protecting Java- and ABAP BAS
This note provides information on where to find the SAP Security Recommendations Protecting Java- and ABAP-Based SAP Applications Against Common Attacks December 2010 white paper.
900000 NetWeaver Business Client – FAQ None
RecommendationFor a list of additional security-relevant SAP Hot News and SAP Notes, see the SAP Support Portal at http://support.sap.com/securitynotes .
12 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Before You Start
3 Technical System Landscape
For more information about the technical system landscape, see the SAP Extended Warehouse Management (SAP EWM) Master Guide at http://help.sap.com/ewm under Installation and Upgrade SAP Extended Warehouse Management 9.5 Master Guide .
SAP Extended Warehouse Management 9.5 Security GuideTechnical System Landscape C U S T O M E R 13
4 Security Aspects of Data Flow and Processes
SAP Extended Warehouse Management (SAP EWM) can be installed, distributed, and used in multiple different scenarios. For more information, see Technical System Landscape [page 13].
The following table describes some typical processes and communication channels, along with appropriate security measures:
Process Security Measure Application Relevance
SAP EWM receives data from SAP ERP (such as deliveries and master data) and sends data to SAP ERP (such as confir-mations and stock updates). This is typically done using standard qRFC/RFC technology.
Ensure appropriate user authorizations. For more information, see Communication Channel Security [page 39].
Not relevant for standalone Dock Appointment Scheduling
Mobile devices can be connected using HTTP/ITS mobile. This is done based on the Internet Communication Framework (ICF) service for RFUI.
For more information, see Internet Communication Framework Security [page 46].
Not relevant for standalone Dock Appointment Scheduling
For certain scenarios, such as connecting automated physical processes (for example, conveyor systems) via SAP Plant Connectivity, RFCs are used. Depending on the scenario, IDOCs may also be used (for example, when warehouse control units are used).
For more information, see the SAP Net
Weaver Security Guide under Network
and Communication Security
Transport Layer Security .
Not relevant for standalone Dock Appointment Scheduling
SAP EWM offers the possibility for upload and download of data. In many of these transactions it is possible to either choose a local file system (PC) or files on the application server.
Ensure that only a few people can access these transactions, and that access to the application server file system is restricted. You should design logical paths and filenames to restrict the access. For more information, see Data Storage Security [page 48].
Not relevant for standalone Dock Appointment Scheduling
14 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Security Aspects of Data Flow and Processes
Process Security Measure Application Relevance
SAP EWM offers a collaborative scenario for Dock Appointment Scheduling. This enables appointment planners for carriers to access the system using SAP Gateway or Web Dynpro ABAP technology, for example, from outside the company network.
In this scenario, users outside of the company or firewall may access the system. For such scenarios, special attention must be paid to assigning authorizations to these users, and to the system setup and how the access from outside the company is granted. For more information, see Collaborative Scenario using Dock Appointment Scheduling in Network and Communication Security [page 38].
Relevant only if you are using Dock Appointment Scheduling
SAP EWM offers a scenario for Labor Demand Planning. This enables users to access the SAP EWM system from a mobile device.
In this scenario, users can access the system from mobile devices using SAP Gateway. For more information see Labor Demand Planning in Network and Communication Security [page 38].
Relevant only if you are using Labor Demand Planning from a mobile device
SAP EWM offers a scenario for direct integration to SAP Transportation Management (SAP TM).
In this scenario, SAP EWM receives inbound messages from SAP TM and can send outbound messages to SAP TM. The communication is performed using enterprise services.
Relevant only if you are using a direct integration to SAP TM
SAP EWM offers a scenario for Warehouse Billing where there is an integration with the SAP TM system.
In this scenario, SAP EWM can extract billing-relevant information from SAP TM and send order and settlement information back to SAP TM. The communication is performed using enterprise services or web services.
Relevant only if you are using Warehouse Billing with SAP TM
SAP EWM Fiori apps, for example, for deliveries or returns processing.
In this scenario, SAP Fiori accesses SAP EWM using SAP Gateway. For more information, see http://help.sap.com/fiori
. In particular, see SAP Fiori implementation information as well as security and installation information.
Relevant only if you are using SAP Fiori apps with SAP EWM
SAP EWM DAS Carrier Collaboration Scenario using SAP Gateway and SAPUI5
In the diagram, some collaborative processes for Dock Appointment Scheduling within SAP EWM 9.5 are explained in detail. Since you can access the application from the internet, higher security risks exist. The diagram shows the data flows along with some possible security measures to be taken into consideration. These scenarios show the Dock Appointment Scheduling Application for external carriers. However, the diagram also shows how you can access the application using Web Dynpro and SAP Gateway.
SAP Extended Warehouse Management 9.5 Security GuideSecurity Aspects of Data Flow and Processes C U S T O M E R 15
DAS Carrier UI Using SAP Gateway
Step Description Security Measure
1 A user uses the internet to specify the URL to the SAP EWM Carrier user interface (UI)
You need to create a User. We recommend that authentication is done using certificates that need to be exchanged with the external user beforehand. This avoids authentication by the user with a user name and password. The authorization of the user depends on a separate SAP Gateway system, or SAP Gateway system and SAP EWM system used together.
2 Port for https communication needs to be open so that request is not blocked by a firewall
Firewall needs to be maintained accordingly.
3 URL filter checks if this URL is maintained in a white list. Request is not forwarded if the URL is not in a white list.
SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Carrier UI5, the SAP Gateway services for the DAS Carrier UI, and for supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not authorized. For more information, see http://
help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-
Oriented View Application Server Application Server Infrastructure Components of
SAP NetWeaver Application Server SAP Web Dispatcher Administration of the SAP
Web Dispatcher SAP Web Dispatcher as a URL Filter .
16 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Security Aspects of Data Flow and Processes
Step Description Security Measure
4 ICF node for DAS Carrier UI5 accessed and checked for activity
ICF nodes for DAS Carrier UI5 (supporting services and SAP Gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/ui5_ui5scwu/ui_das_carrier can also be activated by activating the SAP Gateway service /SCWM/DAS_CARRIER_ACCESS_SRV
● /sap/opu/odata/ui2/page_builder_pers can also be activated by activating the SAP Gateway service /UI2/PAGE_BUILDER_PERS
5 SAP EWM is accessed
Authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 13229.5 .
6 SAP Gateway requests data from SAP EWM system
Trusted RFC sent to SAP EWM to get the relevant data. This describes a landscape where a separate SAP Gateway system is used independent of SAP EWM. Further landscape and installation options are available. For this, see the SAP Gateway documentation.
7 Result is displayed in the browser of the user
-
RecommendationTo access the SAP EWM system externally, we recommend that you define a system alias in the web dispatcher. The web dispatcher redirects the request to the correct hostname and port so that an external user can use a hyperlink, which contains the alias, to access the system.
SAP EWM Carrier Access Using DAS Web Dynpro UIs
RecommendationAccess by a Carrier using Web Dynpro UIs is also possible since SAP EWM 9.1, but we strongly recommend that you use the Carrier Access using SAP Gateway and SAPUI5 instead.
SAP Extended Warehouse Management 9.5 Security GuideSecurity Aspects of Data Flow and Processes C U S T O M E R 17
Carrier Access Using DAS Web Dynpro User Interfaces
DAS Web Dynpro UIs are accessed from outside the firewall. In this scenario only the Web Dynpro UIs are considered for the role of an external carrier planner (PFCG role /SCWM/DAS_EXT_CARR_PLANNER).
Step Description Security Measure
1 User from Internet calls URL to SAP EWM DAS Web Dynpro UIs
User needs to be created. We recommend that authentication is done using certificates, which need to be exchanged with the external user beforehand so that the Internet user cannot log on to the portal by entering a user name and password.
2 Port for https communication needs to be open so that request is not blocked by firewall
Firewall needs to be maintained accordingly.
18 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Security Aspects of Data Flow and Processes
Step Description Security Measure
3 URL filter checks if this URL is maintained in white list. If the URL is not in the white list, request is not forwarded
SAP Web Dispatcher needs to be configured as a URL filter. Only the URLs to ICF services for the DAS Web Dynpro UI and for supporting services must be maintained in the white list. Otherwise, external users could access internal services for which they are not author
ized. For more information, see http://help.sap.com/nw75 under Application Help
SAP NetWeaver Library: Function-Oriented View Application Server Application Server
Infrastructure Components of SAP NetWeaver Application Server SAP Web Dispatcher
Administration of the SAP Web Dispatcher SAP Web Dispatcher as a URL Filter .
4 ICF node for DAS Web Dynpro accessed and checked for activity
ICF nodes for DAS Web Dynpro (supporting services and SAP Gateway services) need to be active. The relevant paths are as follows:
● /sap/bc/webdynpro/scwm/ DSAPP_LIST● /sap/bc/webdynpro/scwm/ DSAPP_MAINT
5 SAP EWM is accessed
Authorization profile for the role of the external user needs to be maintained accordingly. Secure HTTP Session Management should be activated on the ABAP AS as described in SAP Note 13229.5 .
6 SAP Gateway requests data from SAP EWM system
Trusted RFC sent to SAP EWM to get the relevant data. This describes a landscape where a separate SAP Gateway system is used independent of SAP EWM. Further landscape and installation options are available. For this, see the SAP Gateway documentation.
7 Result is displayed in the browser of the user
-
SAP Extended Warehouse Management 9.5 Security GuideSecurity Aspects of Data Flow and Processes C U S T O M E R 19
5 User Administration and Authentication
SAP Extended Warehouse Management (SAP EWM) uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP NetWeaver Application Server ABAP. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide also apply to SAP EWM. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide .
In addition to these guidelines, we include information about user administration and authentication that specifically applies to SAP EWM in the following topics:
● User Management [page 20]This topic lists the tools to use for user management, the types of users required, and the standard users that are delivered with SAP EWM.
● User Data Synchronization [page 25]SAP EWM shares user data with SAP NetWeaver. This topic describes how the user data is synchronized with these other sources.
● Integration Into Single Sign-On Environments [page 25]This topic describes how SAP EWM supports Single Sign-On mechanisms.
5.1 User Management
User management for SAP Extended Warehouse Management (SAP EWM) uses the mechanisms provided with the SAP NetWeaver Application Server, for example, tools, user types, and password policies. For an overview of how these mechanisms apply to SAP EWM, see the sections below. In addition, we provide a list of the standard users required for operating SAP EWM.
NoteFor an overview of the information necessary for securing operations with SAP NetWeaver Identity Management, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Security Identity Management .
20 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
User Administration and Authentication
User Administration Tools
The following table shows the tools needed for user management and user administration with SAP EWM:
User Management Tools
Tool Detailed Description
User Management for the ABAP Engine (transaction SU01) Use the user management transaction SU01 to maintain users in ABAP-based systems.
Profile Generator (transaction PFCG) Use the Profile Generator to create roles and assign authorizations to users in ABAP-based systems.
Central User Administration (CUA) Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.
User Management Engine (UME) administration console Use the web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP NetWeaver Application Server Java and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.
SAP NetWeaver Application Server Java user management using the Visual Administrator
Use the Visual Administrator to maintain users and roles on the SAP NetWeaver Application Server Java. SAP NetWeaver Application Server Java also supports a pluggable user store concept. The UME is the default user store.
NoteFor a detailed description of the user management tools available in SAP NetWeaver, see the SAP NetWeaver Security Guide under User Administration and Authentication User Management in the section User Management Tools.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under which background processing jobs run.
The user types that are required for SAP EWM include the following:
● Individual users○ Dialog users are used for business users who are assigned to roles that allow them to work individually on
their dedicated tasks in your SAP EWM system.
SAP Extended Warehouse Management 9.5 Security GuideUser Administration and Authentication C U S T O M E R 21
○ Internet users are used for external users who are allowed to access your SAP EWM system from the Internet. If your scenario contains the collaborative scenario for appointment planners for carrier, employees of the carrier can log on via the Internet
● Technical users○ Service users are used for technical purposes, such as service administrators, and are usually available to
a larger, anonymous group of users.○ Communication users are used for dialog-free communication for external RFC calls, for example, for the
communication between your SAP EWM system and an SAP ERP system and also, for communication between two SAP systems using SAP Gateway.
○ Background users are used for running background jobs and executing reports.
For more information about these user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide User Administration and Authentication User Management User Types .
The user types required for SAP EWM include the following:
Users
System User Delivered?
Type Default Password
Detailed Description Application Relevance
SAP EWM 9.5
<sapsid>adm Yes SAP System Administrator
Dialog User
To be entered
SAP EWM System Administrator All
SAP EWM 9.5
<sapsid>adm Yes SAP System Administrator
To be entered
SAP EWM System Administrator All
SAP SCM 7.0 Server including SAP enhancement package 4
<sapsid>adm Yes SAP System Administrator
Dialog User
To be entered
http://help.sap.com/scm
Installation and Upgrade
Installation Guide Installation Guides for SAP EHP4 for SAP SCM
7.0
All, if SAP EWM is installed on top of an SCM Server system
22 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
User Administration and Authentication
System User Delivered?
Type Default Password
Detailed Description Application Relevance
SAP NetWeaver AS
SAP Standard ABAP Users (SAP*, DDIC, EARLYWATCH, SAPCPIC)
Yes See SAP NetWeaver Security Guide
See SAP NetWeaver 7.5 Security Guide
See the Protecting Special Users section in the SAP NetWeaver Se
curity Guide under Security Guides for SAP NetWeaver
Functional Units Security Guides
for the Application Server Security
Guides for AS ABAP SAP NetWeaver Application Server for
ABAP Security Guide User
Administration and Authentication
User Management .
-
SAP NetWeaver AS
SAP Standard Java Users (Administrator, Guest, Emergency)
Yes See SAP NetWeaver 7.5 Security Guide
See SAP NetWeaver 7.5 Security Guide
See the Standard Users and Standard User Groups section in the SAP NetWeaver Security Guide un
der Security Guides for SAP
NetWeaver Functional UnitsSecurity Guides for the Application
Server Security Guides for AS
Java SAP NetWeaver Application
Server for Java Security Guide User Administration and
Authentication User Administration and Standard
Users .
-
SAP EWM 9.5
RFC communication users (you need an RFC communication user for each RFC destination described in section Communication Destinations [page 43])
No Communication user
The authorizations of the user depend on the business case. For more information, see Authorizations [page 27] in this Security Guide.
Communication Destinations [page 43], Authorizations [page 27], and SAP EWM Application Help at http://help.sap.com/ewm
Not relevant for standalone Dock Appointment Scheduling
SAP Extended Warehouse Management 9.5 Security GuideUser Administration and Authentication C U S T O M E R 23
System User Delivered?
Type Default Password
Detailed Description Application Relevance
SAP EWM 9.5
Business processing users (you need a user in each component for each employee working with the system)
No Dialog user To be entered
Authorizations [page 27] and SAP EWM Application Help at http://help.sap.com/ewm
All
SAP EWM 9.5
Users for employees of a carrier who takes part in the collaborative scenario for Dock Appointment Scheduling
No Internet user and Communication user (if a separate system with SAP Gateway is used)
To be entered
Authorizations [page 27] and SAP EWM Application Help at http://help.sap.com/ewm
Relevant only if you are using Dock Appointment Scheduling
SAP EWM 9.5
User for Labor Demand Planning used from a mobile device
No Communication user
To be entered
Used for access from a mobile device in Labor Demand Planning. The user is used for the connection from SAP Gateway to SAP EWM.
Relevant only if you are using mobile devices in Labor Demand Planning
Note
For more information about user types, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide Network Security for SAP NetWeaver AS ABAP .
For more information about SAP NetWeaver standard users, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security
Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide User Administration and Authentication User Management in the section Protecting Standard Users.
For more information about SAP NetWeaver password rules, see SAP Library for SAP NetWeaver under SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP Configuration of User and Role Administration First Installation ProcedureLogon and Password Security in the ABAP System Password Rules .
24 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
User Administration and Authentication
RecommendationWe recommend changing the user IDs and passwords for users that are automatically created during installation.
5.2 User Data Synchronization
To save administrative effort, you can synchronize user data in your system landscape. Since SAP Extended Warehouse Management (SAP EWM) is based on SAP NetWeaver 7.5, all the mechanisms for user data synchronization of SAP NetWeaver 7.5 are available for SAP EWM.
NoteFor information about user data synchronization in SAP NetWeaver, see http://help.sap.com/nw75 under
Application Help SAP NetWeaver Library: Function-Oriented View Security Identity ManagementIdentity Management for System Landscapes .
5.3 Integration Into Single Sign-On Environments
SAP Extended Warehouse Management (SAP EWM) supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Security Guides also apply to SAP EWM.
Note● For more information about integration into single sign-on environments based on SAP NetWeaver, see the
SAP NetWeaver Security Guide under User Administration and Authentication User Authentication and Single Sign-On the Integration section.
● For more information about authentication on the SAP NetWeaver Application Server ABAP, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guide for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide User Administration and Authentication .
● For information on SAP Fiori and single sign-on, see SAP Fiori on SAP Help Portal at http://help.sap.com/fiori_implementation . Choose your SAP NetWeaver release and SAP Fiori: Security.
The following mechanisms are supported:
● Secure Network Communications (SNC)SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls.For more information, see the SAP NetWeaver Security Guide under Network and Communication Security
Transport Layer Security Secure Network Communications (SNC) .
SAP Extended Warehouse Management 9.5 Security GuideUser Administration and Authentication C U S T O M E R 25
● SAP logon ticketsSAP EWM supports the use of logon tickets for SSO when using a web browser as the front-end client. In this case, users can be issued a logon ticket after they have authenticated themselves with the initial SAP system. The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication
User Authentication and Single Sign-On .● Client certificates
As an alternative to user authentication by means of a user ID and passwords, users using a web browser as a front-end client can also provide X.509 client certificates to use for authentication. In this case, user authentication is performed on the web server using the Secure Sockets Layer Protocol (SSL Protocol) and no passwords have to be transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.For more information, see the SAP NetWeaver Security Guide under User Administration and Authentication
User Authentication and Single Sign-On in the Client Certificates section.
RecommendationIf you use any of the following, we recommend that you use client certificates instead of authentication with user name and password:
● The collaborative scenario for Dock Appointment Scheduling, with carriers and users who have access to your system from the Internet
● The mobile application for Labor Demand Planning
This prevents Internet users from trying to log on with another user’s user name.
26 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
User Administration and Authentication
6 Authorizations
Use
SAP Extended Warehouse Management (SAP EWM) uses the authorization concept provided by the SAP NetWeaver AS ABAP or AS Java. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP or SAP NetWeaver AS Security Guide Java also apply to SAP Extended Warehouse Management (SAP EWM).
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For role maintenance, use the profile generator (transaction PFCG) on the AS ABAP and the User Management Engine’s user administration console on the AS Java.
NoteFor information about the authorization concept of SAP NetWeaver, see http://help.sap.com/nw75 under
Application Help SAP NetWeaver Library: Function-Oriented View Security Identity Management :
● User and Role Administration of Application Server ABAP ABAP Authorization Concept
● User Management of SAP NetWeaver AS for Java Authorization Concept of SAP NetWeaver AS for Java
Role and Authorization Concept for SAP EWM
Standard Roles
With SAP EWM, SAP delivers SAP standard roles to cover the most-used business cases. These roles can be used as examples, or as a copy master for your own roles. You can find the SAP standard roles in the Profile Generator (transaction code PFCG) using input help. You can use search terms to restrict the selection to the required standard roles.
You can find the application-relevant roles using the following search terms:
● The search term */SCWM* lists all SAP EWM-relevant SAP standard roles.The role short text helps you find the role covering your business needs. The documentation of the role provides you with a detailed description of the role content.
● The search term*/SCWM/*DAS* lists all roles that are relevant for Dock Appointment Scheduling.● The search term */SCWU* lists all roles that are relevant for the UI components using SAP Gateway. This is
currently the role /SCWU/DAS_CARRIER_ACCESS which is for the UI5 carrier user interface of Dock Appointment Scheduling.
Alternatively, you can use the transaction SUIM to find the PFCG roles for EWM. In transaction SUIM, choose Roles Roles by Complex Selection Criteria . Then enter the above mentioned search criteria (for example */
SCWM*) in the Role field.
SAP Extended Warehouse Management 9.5 Security GuideAuthorizations C U S T O M E R 27
For information about roles in SAP EWM, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Roles for Extended Warehouse Management (EWM) .
For information about users and roles in SAP NetWeaver, see http://help.sap.com/nw75 under Application HelpSAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role
Administration of Application Server ABAP and User Management of the Application Server Java.
RecommendationTo avoid authorizations being misused, we recommend that users are assigned only the minimal authorizations that they require for their work. Never assign full authorizations.
It is very important that RFC users are assigned only minimal authorizations.
For an overview of the role administration and more information about how a delivered standard role can be used and adjusted to your own needs, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Security Identity Management User and Role Administration of Application Server ABAP Configuration of User and Role Administration Role Administration . See Role Administration Functions and, for example, Changing Standard Roles or Creating Derived Roles and Copying Authorizations.
Read-Only Access for Auditors
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP EWM provides a role for read-only access to defined data. For an audit, the auditor needs to be able to view data. However, the auditor must not be allowed to change any data. This can be achieved by assigning the /SCWM/INFORMATION role to a user.
Warehouse-Based Authorization
Warehouse-Specific Field in Authorization Objects
If you have multiple warehouses modelled in SAP EWM, you may need people working in one warehouse to be able to access data from another warehouse. Many authorization objects in SAP EWM contain a specific authorization field for this purpose, for example:
● /SCWM/LGNU (Warehouse Number/Warehouse Complex)This is the most commonly used authorization field. It is used, for example, in EWM monitor authorization object /SCWM/MO.
● /SCWM/ORG (Location/Organizational Unit)● /SCMB/LGNU (Warehouse Number/Warehouse Complex)
Warehouse in Customizing or Administration
28 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Authorizations
In other cases, such as in administration or Customizing, SAP EWM does not use specific authorization objects. Instead, you can use generic authorization objects to limit the access to tables and views, for example:
● S_TABU_NAM (Table Access by Generic Standard Tools)● S_TABU_LIN (Authorization for Organizational Unit)
ExampleThe Customizing activity Define Storage Bin Types has the assigned Customizing object /SCWM/T303. The underlying database table /SCWM/T303 contains field LGNUM (warehouse number) with data element /SCWM/LGNUM (Warehouse Number/Warehouse Complex). You can use generic authorization objects to limit the access to tables and views, as follows:
● Use authorization object S_TABU_NAM to limit access to Customizing object /SCWM/T303.● Use authorization object S_TABU_LIN to limit access based on organizational criteria.
You can also use authorization field ORG_CRIT (Organization Criterion for Key-Specific Authorization) and use value /SCWM/LGNU (Warehouse Number/Warehouse Complex) to be able to enter a warehouse in ORG_FIELD1.
For more information, see the documentation of authorization objects S_TABU_NAM and S_TABU_LIN in transaction SU21.
BRFplus
BRFplus is sometimes used in SAP EWM, for example, in Labor Management. However, BRFplus does not recognize organizational units such as the warehouse. Therefore, if BRFplus entities should be separated based on warehouse, you must consider this during the implementation phase so that you can use alternative BRFplus mechanisms.
For information about the authorization concept of BRFplus, see http://help.sap.com/nw75. Search for Business Rule Framework plus (BRFplus) and then choose Concepts Authorizations .
Critical Roles and Authorization Combinations
Expert Role
SAP EWM provides the expert role EWM: Warehouse Expert (/SCWM/EXPERT). This role contains almost all transactions and authorizations for SAP EWM and the corresponding Customizing. Therefore, we recommend that you assign this role very carefully and only to very specific users, and that you do not assign this role to normal users or users who work in specific SAP EWM areas only.
Warehouse Management Monitor: General
In the warehouse management monitor (/SCWM/MON), you can monitor and access a wide area of application content and also trigger actions. Due to the high amount of different data that can be accessed, this may be critical and you may want to restrict the access to the monitor and to the data and actions which can be used. Therefore, the warehouse management monitor provides a concept to restrict which persons can access which monitor nodes and which actions can be triggered. The corresponding authorization object is /SCWM/MO.
For more information, see the documentation of the warehouse management monitor at http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Monitoring
Warehouse Management Monitor .
SAP Extended Warehouse Management 9.5 Security GuideAuthorizations C U S T O M E R 29
Warehouse Management Monitor: Authorization to Display Batch Execution Data
In the warehouse management monitor, you can execute selections using batch jobs. You can view the results in the warehouse management monitor. During the selection, the system performs the normal authorization checks and selects and stores only data for which the user has authorization in the data containers for the warehouse management monitor. But if these data containers are then displayed by other users, the system does not perform these authorization checks. Therefore, you should only grant the authorization to display batch execution data for monitor nodes or users where these checks are not critical.
The authorization object used for the authorization to display batch execution data in the warehouse management monitor is /SCWM/DATC. For more information about this authorization object, see the documentation of authorization object /SCWM/DATC in the system.
Appointment Planner for Carrier
NoteThis role is relevant only if you are using Dock Appointment Scheduling.
SAP Dock Appointment Scheduling offers a collaboration scenario where appointment planners for carriers can log on to the SAP Dock Appointment Scheduling system, and view and maintain appointments for their carrier Since this potentially means that employees of a different company access SAP Dock Appointment Scheduling from outside the company network, you must put a special focus on authorizations.
This kind of user should have very limited authorizations. As well as this, they should be able to access data of their own carrier only, and not be able to access other carriers’ data. They should not be able to see internal data, like overall capacities of loading points. Therefore you must be very careful and restrictive when assigning roles and authorizations to this kind of user.
SAP Dock Appointment Scheduling delivers special roles for this: Appointment Planner for Carrier in Dock Appointment Scheduling (/SCWM/DAS_EXT_CARR_PLANNER).
This role contains only one Web Dynpro screen in the menu, Maintain Appointments – Textual (/SCWM/DSAPP_LIST). This screen allows the appointment planners for carriers to view and create appointments. The Web Dynpro application Direct Access to Appointment – Textual (/SCWM/DSAPP_MAINT) is also available, but it is not visible in the user menu, as it is started indirectly from the Maintain Appointments – Textual screen.
The role also contains very limited number of authorization objects.
RecommendationWe highly recommend that you define, in the roles, the loading points for which a user may view or create appointments. You can do this in the authorization field Loading Point (/SCWM/DSLP) in the authorization objects Loading Appointment (/SCWM/DSAP) and Slot (/SCWM/DSSL).
If the carrier accesses the scenario using SAP Gateway and not the Web Dynpro UIs, then remove the Web Dynpro applications from your copy of /SCWM/DAS_EXT_CARR_PLANNER (remember the rule that only minimal authorizations should be granted). In this scenario in addition the role /SCWU/DAS_CARRIER_ACCESS has to be used in the SAP Gateway system.
In addition, the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS) is very important. It is available on the authorization objects Loading Appointment and Slot. For appointment planners for carriers, set this field to Scope for an Appointment Planner for Carrier. This ensures that this user can create and
30 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Authorizations
view appointments only for the carrier that is assigned to him or her. Otherwise such a user could create appointments for any carrier.
For more information, see the SAP Dock Appointment Scheduling documentation at http://help.sap.com/ewm92 under Application Help SAP Library SAP Extended Warehouse Management (SAP EWM) SAP Dock
Appointment Scheduling Collaboration with Carriers .
6.1 Authorization Objects
Use
A set of authorization objects is available in SAP Extended Warehouse Management (SAP EWM).
Authorization objects enable you to define complex authorizations by grouping up to 10 authorization fields in an AND relationship to check whether a user is allowed to perform a certain action. To pass an authorization test for an object, the user must satisfy the authorization check for each field in the object.
NoteFor information about the authorization concept of SAP NetWeaver, see http://help.sap.com/nw75 under
Application Help SAP NetWeaver Library: Function-Oriented View Security Identity ManagementUser and Role Administration of Application Server ABAP ABAP Authorization Concept .
Procedure
To gain an overview of the authorization objects for SAP EWM, proceed as follows:
1. Call the transaction for displaying active authorization objects (AUTH_DISPLAY_OBJECTS). Alternatively, you can use transaction SU21.
2. In the overview, expand the Authorizations Extended Warehouse Management subtree.If you want to display the technical names of the authorization objects, choose Edit Technical namesTechnical names on .
3. If you want to get a detailed description, choose the Information pushbutton next to the authorization object you are interested in.
NoteIf you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding the authorization objects for SAP Dock Appointment Scheduling, and especially the authorization field User Process Scope for Dock Appointment Scheduling (/SCWM/DSPS). See Critical Roles and Authorization Combinations in Network and Communication Security [page 38].
SAP Extended Warehouse Management 9.5 Security GuideAuthorizations C U S T O M E R 31
Some special basis authorization objects are as follows:
Authorization Object Field Value Description
S_RFC ACTVT
RFC_NAME
RFC_TYPE
(16) Execute For example, to enable display of queue contents.
S_RFCACL RFC_SYSID
RFC_CLIENT
RFC_USER
RFC_EQUSER
RFC_TCODE
RFC_INFO
ACTVT
(16) Execute Authorization check for RFC users, especially for trusted systems. This is required for SAP Gateway services. For example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling
S_SERVICE SRV_NAME
SRV_TYPE
<Value1>
<Value2>
This authorization object is automatically checked when external services are started. This is required for SAP Gateway services used by SAP EWM. For example for the SAP Fiori or SAPUI5 user interfaces of Labor Demand Planning and Dock Appointment Scheduling
Special Authorization Objects in SAP EWM
The following authorization objects control special functions in SAP EWM. As the functions are for different SAP EWM areas and partially contain critical functions, you should be careful when assigning these authorizations and the values. It is advisable not to assign a wild card (*) for the functions. For example, /SCWM/SLFU contains, among others, the authorization to grant and post counting differences.
Authorization Object Field Value Description
/SCWM/SFUN /SCWM/SFUN See documentation for the authorization fields
EWM special functions
/SCWM/SLFU /SCWM/LGNU
/SCWM/SLFU
See documentation for the authorization fields
EWM special functions per warehouse number
32 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Authorizations
Authorization Object Field Value Description
/SCWM/SLFE /SCWM/LGNU
/SCWM/ENTL
/SCWM/SLFU
See documentation for the authorization fields
EWM special functions per warehouse number and party entitled to dispose
6.2 Maintaining Authorizations
In SAP Extended Warehouse Management (SAP EWM), you can assign users to various standard user roles. For more information, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Roles for Extended Warehouse Management (EWM) .
If you want to display the authorization objects in SAP EWM, on the SAP Easy Access screen, choose ToolsABAP Workbench Development Other Tools Authorization Objects Objects .
For more information, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) General Functions Authorizations .
NoteIf you are using SAP Dock Appointment Scheduling, ensure that you have read the information regarding roles for SAP Dock Appointment Scheduling. See Critical Roles and Authorization Combinations in Network and Communication Security [page 38].
6.3 Maintaining Authorizations for Integration with SAP Components
Maintaining Authorizations for SAP Extended Warehouse Management (SAP EWM) – SAP ERP Integration
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP Extended Warehouse Management 9.5 Security GuideAuthorizations C U S T O M E R 33
Using Standard Roles for SAP EWM – SAP ERP Integration
For the integration of SAP EWM and SAP ERP, use the authorization roles for the RFC destination users.
Note
For more information about these roles, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Roles for Extended Warehouse Management (EWM) .
For the integration from an ERP to an EWM system, for example, the role/SCWM/ERP_EWM_INTEGRATION exists.
For the integration from EWM to an ERP system, the corresponding RFC users also require the proper authorizations. For more information, see SAP Note 727839 .
In some cases, for example, for migration functions like transaction /SCWM/MIG_PRODUCT, the RFC enabled function module RFC_READ_TABLE is called on ERP side from EWM. For such scenarios, the corresponding RFC user requires this authorization. To avoid misuse, you should restrict the tables to be accessed to a minimum. You can therefore use the authorization objects S_TABU_NAM or S_TABU_DIS. For more information about which applications require which table accesses, see SAP Note 1539105 .
If your grant the usage of RFC function RFC_READ_TABLE to an RFC user, it is very important that you restrict the tables that can be accessed to a minimum to avoid misuse.
Maintaining Authorizations for Data Transfer to SAP NetWeaver Business Warehouse
NoteThis is not relevant for standalone Dock Appointment Scheduling.
Maintaining Authorizations for Data Transfer between SAP EWM Shipping and Receiving (S&R) and SAP Dock Appointment Scheduling
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP Dock Appointment Scheduling and S&R are two independent components. But it is also possible to integrate the components, for example, so that the system communicates appointment status changes in SAP Dock Appointment Scheduling to S&R and appointment status changes in S&R to SAP Dock Appointment Scheduling. For more information, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) SAP Dock Appointment Scheduling Integration with SAP EWM .
34 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Authorizations
For integration between SAP Dock Appointment Scheduling and S&R, the system uses queued Remote Function Call (qRFC) technology.
Using Standard Roles for SAP Dock Appointment Scheduling to SAP EWM Integration
For the integration from SAP Dock Appointment Scheduling to S&R, the technical role /SCWM/DAS_TO_EWM_INTEGRATION is available. It contains the necessary authorizations to update the relevant S&R objects. The role does not contain any menu entries or transactions, as it is only a technical role for Remote Function Call (RFC) communication. You must assign this role to the SAP Dock Appointment Scheduling user or RFC user, depending on if you use RFC communication, with which the integration is done.
Authorizations and Roles for SAP DAS Collaborative Carrier Scenario
Dock Appointment Scheduling offers the feature Collaboration with Carriers using multiple UI technologies each with different deployment and security options. See SAP Note 2065193 that contains recommendations for the different options and lists the respective prerequisites.
Maintaining RFC Authorizations for Internal Communication in SAP EWM
For RFC communication, users usually require the authorizations for authorization object S_RFC. As RFCs are potential security risks, you should be very restrictive in granting them.
In certain cases, SAP EWM also uses RFCs for internal purposes, for example for parallel processing or for asynchronous communication. For these purposes, no RFC authorizations have to be granted as these calls are within the SAP EWM system.
SAP EWM also uses specific RFC-enabled function modules, which are used to extract content from queued RFCs (qRFC). For example, these function modules are used to extract the warehouse number or delivery number from qRFCs.
These function modules do not perform data changes in SAP EWM and also do not return data to a caller. They are required for delivery processing and for displaying of message queue entries in the warehouse management monitor.
The function modules are in the following special function groups:
● /SCWM/CORE_MQ_REPLAY Message Queue Moni: Replay Functions● /SCWM/CORE_RF_MQ_REPLAY Replay Function Modules for RF● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries● /SCWM/ERP_MQ_REPLAY Replay Function Modules - ERP Interface● /SCWM/SR_MQ_REPLAY Replay Function Modules - S&R● /SCWM/VAS_MQ_REPLAY Replay Function Modules for VAS
SAP Extended Warehouse Management 9.5 Security GuideAuthorizations C U S T O M E R 35
● /SCWM/WC_SERVICE_MQ_REPLAY Replay Function Modules for Workcenter● /SCWM/WAVE_MGMT_MQ_REPLAY Replay Function Modules for Wave
If you use the message queue monitor node in the warehouse management monitor, you must add these function groups to authorization S_RFC. Use the activity Execute (16) and the Function Group (FUGR) type of RFC object.
For delivery and warehouse task processing, for example, confirming and creation of warehouse tasks, you must add the following function group to authorization S_RFC:
● /SCWM/DELIVERY_MQ_REPLAY Replay Function Modules for Deliveries
These authorizations are already in the standard roles in SAP EWM, so they are only relevant if you create your own roles.
6.4 Maintaining Authorizations for Enterprise Services
Accessing SAP functions via web services follows the standard SAP authorization concept. This concept is based on authorizations for specific authorization objects. The system checks for the required authorization for an authorization object during the execution of a web service. If a user does not have this authorization, the execution is terminated, and an error message is returned.
Enterprise services use standard authorization objects that are available for SAP Extended Warehouse Management (SAP EWM), including authorization default values for web services. In addition, you need the authorization S_SERVICE to start external services. To create and consume web services, you require the authorizations belonging to the role SAP_BC_WEBSERVICE_ADMIN as well as authorization for the Internet Communication Framework (S_ICF_ADMIN).
For more information about authorizations for web services, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies Security Aspects for Web Services
Authorizations .
36 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Authorizations
7 Session Security Protection
To increase security and prevent access to the SAP logon ticket and security session cookies, we recommend activating secure session management.
We also highly recommend using SSL to protect the network communications where these security-relevant cookies are transferred.
Session Security Protection on the AS ABAP
To activate session security on the AS ABAP, set the corresponding profile parameters and activate the session security for the clients using transaction SICF_SESSIONS. For more information, a list of the relevant profile parameters, and detailed instructions, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Security User Authentication and Single Sign-On Authentication Infrastructure AS ABAP Authentication Infrastructure Activating HTTP Security Session Management on SAP NetWeaver AS for ABAP .
SAP Extended Warehouse Management 9.5 Security GuideSession Security Protection C U S T O M E R 37
8 Network and Communication Security
Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back-end system’s database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.
The network topology for SAP Extended Warehouse Management (SAP EWM) is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP EWM. Details that specifically apply to SAP EWM are described in the following topics:
● Communication Channel Security [page 39]● Network Security [page 42]● Communication Destinations [page 43]
For more information, see the SAP NetWeaver Security Guide under the following sections:
● Network and Communication Security● Security Aspects for Connectivity and Interoperability Technologies
Web Dynpro User Interfaces
In SAP EWM, Web Dynpro UI technology is used in several applications. For example, in Advanced Production Supply, Dock Appointment Scheduling, or Shipping Cockpit. The proposed usage is that these UIs are used within the company’s firewall.
For more information, see the NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP Security Guide: Web Dynpro for ABAP .
Collaborative Scenario using SAP Dock Appointment Scheduling
NoteThis is relevant only if you are using Dock Appointment Scheduling.
38 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Network and Communication Security
In a collaborative scenario, users from other companies, such as carriers, can access data from SAP Dock Appointment Scheduling. For example, carriers can create or view loading appointments. For this, such users require access the Dock Appointment Scheduling system from outside the company’s network.
If you use such a scenario, you must pay special attention to the network setup and zones or topology, for example, if firewalls, demilitarized zones, ports, should be used, and which ones.
The application is built using a HTML5 UI. The system uses OData as the communication channel between the backend and the SAP UI5 frontend. The corresponding OData service is /SCWM/DAS_CARRIER_ACCESS_SRV. It also uses the general service /UI2/PAGE_BUILDER_PERS.
You can find information about relevant roles and authorization for this collaborative scenario in the chapter Maintaining Authorizations for Integration with SAP Components [page 33].
For more information on how to secure a scenario with SAP Gateway, and the relevant authorizations and roles needed for using SAP Gateway, see the SAP Gateway Security Guide at http://help.sap.com/nw75 under SAP NetWeaver Library: Function-Oriented View SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Security Guide .
Mobile Access to Labor Demand Planning
Labor Demand Planning offers the possibility to access data from a mobile device. The proposed usage is that these mobile applications are used within the company’s firewall.
SAP Note 1894045 contains additional information about how these applications can be set up.
The application is built using a HTML5 UI. The system uses OData as the communication channel between the backend and the SAP UI5 frontend. The corresponding OData service is /SCWM/LM_LABOR_DEMAND_PLANNING. It also uses the general service /UI2/PAGE_BUILDER_PERS
For more information on how to secure a scenario with SAP Gateway, and the relevant authorizations and roles needed for using SAP Gateway, see the SAP Gateway Security Guide at http://help.sap.com/nw75 under SAP NetWeaver Library: Function-Oriented View SAP Gateway Foundation (SAP_GWFND) SAP Gateway Foundation Security Guide .
If you are using the application outside of the company’s firewall, which is not the proposed usage, you should ensure that minimal authorizations are used for accessing the SAP Gateway and the SAP EWM system. Also, in such a case, you should consider the technical system landscape and setup proposals in the SAP Gateway Security Guide.
8.1 Communication Channel Security
SAP EWM uses several protocols for communication to internal and external applications. These can be SAP systems or third-party systems. The following protocols are supported:
● HTTPSHTTP connections are protected by the Transport Layer Security (TLS) protocol. This protocol used to be known as Secure Sockets Layer (SSL).
SAP Extended Warehouse Management 9.5 Security GuideNetwork and Communication Security C U S T O M E R 39
● RFCRFC connections can be protected using Secure Network Communications (SNC). For detailed recommendations on securing RFC connections, see SAP Note 2008727 and the SAP Whitepaper Securing Remote Function Calls attached to it.
● SOAPSOAP connections are protected with Web services security.
● IDoc● REST
Note
NoteWe strongly recommend using secure protocols (TLS, SNC) whenever possible.
For more information on securing the protocols above, see the respective chapters in the SAP NetWeaver Security Guide.
The table below shows the communication channels used by SAP EWM, the protocol used for each connection, and the type of data transferred.
Communication Channel Protocol Used Type of Data Transferred Application Relevance
Front-end client that uses SAP GUI for Windows for the application server
DIAG All application and Customizing data
All
SAP ERP RFC and IDOC Master data and transaction data
Not relevant for standalone Dock Appointment Scheduling
SAP SCM RFC ATP data Not relevant for standalone Dock Appointment Scheduling
SAP SCM RFC Master data Not relevant for standalone Dock Appointment Scheduling
SAP GTS RFC GTS-relevant data Not relevant for standalone Dock Appointment Scheduling
SAP NetWeaver BW RFC Data sources Not relevant for standalone Dock Appointment Scheduling
SAP CRM RFC and IDOC Billing data, business partners Not relevant for standalone Dock Appointment Scheduling
40 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Network and Communication Security
Communication Channel Protocol Used Type of Data Transferred Application Relevance
Warehouse Control Units or PLCs
RFC, IDOC (depending on whether or not SAP plant connectivity is used)
Transaction data Not relevant for standalone Dock Appointment Scheduling
Legacy systems RFC, IDOC, HTTP, File Depends on legacy scenario All
SAP Plant Connectivity RFC Application Data Not relevant for standalone Dock Appointment Scheduling
Frontend client using a web browser or SAP NetWeaver Business Client.
HTTP/HTTPS All application and Customizing data
All
SAP Gateway (in case a dedicated Gateway system is used)
RFC Depends on scenario/configu-ration.
Depends on scenario.
SAP Transportation Management
WebService / RFC Application Data Not relevant for standalone Dock Appointment Scheduling
DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTP connections are protected using the Secure Sockets Layer (SSL) protocol.
RecommendationWe strongly recommend using secure protocols (SSL, SNC) whenever possible.
For more information, see the SAP NetWeaver Security Guide under Network and Communication SecurityTransport Layer Security .
Note that many of the entries depend on the configuration and how SAP EWM is used. For example, usage of SAP GTS, SAP NetWeaver BW, legacy systems, and further components is optional and depends on how the system is used. Also, if parts of underlying components (SAP SCM Basis, SAP NetWeaver) are used they may also offer further communication channels.
For more detailed information about external messages that can be sent to and from SAP EWM, see http://help.sap.com/ewm under Operations SAP Extended Warehouse Management 9.5 Operations Guide .
Core Interface (CIF) – SAP ERP
NoteThis is not relevant for Dock Appointment Scheduling.
SAP Extended Warehouse Management 9.5 Security GuideNetwork and Communication Security C U S T O M E R 41
The integration of SAP EWM and SAP ERP is technically based on CIF. Since CIF is technically based on the RFC provided by SAP NetWeaver, we strongly recommend that you consult the SAP NetWeaver Security Guide regarding communication channel security.
You should at least enable Secure Network Communication (SNC) while configuring the RFC destination for your SAP EWM – SAP ERP integration.
NoteFor more information about the integration of SAP EWM and SAP ERP, see http://help.sap.com/scm under
Application Help SAP Library SAP Advanced Planning and Optimization (SAP APO) Integration via Core Interface (CIF) Technical Integration .
8.2 Unified Connectivity
If your SAP EWM system can be accessed remotely using Remote Function Calls (RFCs), you can significantly increase protection by using the Unified Connectivity (UCON) administration framework.
Generally, external access to the function modules using RFCs is controlled by special authorization checks and the corresponding roles with purpose-specific assignments to users. UCON also provides a simple but comprehensive way of controlling which remote function modules (RFMs) can be called by other systems: an RFM can only be called externally if it is assigned to a Communication Assembly (CA).
External access is blocked for all RFMs not assigned to a CA. In this way, it is possible to control and restrict external access to RFMs independently from the user context.
For more information, see http://help.sap.com/nw75 under Application Help Function-Oriented ViewApplication Server Application Server Infrastructure Functions and Tools of SAP NetWeaver Application Server
Connectivity Components of SAP Communication Technology Unified Connectivity .
8.3 Network Security
SAP EWM is based on SAP NetWeaver technology. Therefore, for information about network security, see the respective sections in the SAP NetWeaver Security Guide. This includes information on using firewall systems for access control and using network segmentation.
If your system provides Internet services, you should ensure you protect your network infrastructure with a firewall at least. You can further increase the security of your system (or group of systems) by diving the system into groups, placing the groups in different network segments, and then protecting each segment from unauthorized access by a firewall.
Bear in mind that unauthorized access is also possible internally if a malicious user has managed to gain control of one of your systems.
42 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Network and Communication Security
Ports
SAP EWM runs on SAP NetWeaver and uses the ports from the AS ABAP. For more information, see the SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security GuideNetwork Security for SAP NetWeaver AS for ABAP Ports of SAP NetWeaver Application Server for ABAP .
For other components, for example, SAPinst, SAProuter, or the SAP Web Dispatcher, see also TCP/IP Ports of All SAP Products at https://help.sap.com/viewer/ports.
8.4 Communication Destinations
CautionIf not implemented and used with care, users and authorizations for connection destinations can cause serious security flaws.
Follow the following rules for connection users and authorizations, as follows:
● Choose user type: <system>● Assign only the minimum required authorizations to the user.● Choose a secure and secret password for the user.● Store only connection user logon data for users of type system.● Choose trusted system functionality whenever possible, rather than storing connection user logon data.
NoteThis is not relevant for standalone Dock Appointment Scheduling.
This is not relevant if the system does not use communication to external systems.
The following table shows an overview of the communication destinations used by SAP Extended Warehouse Management (SAP EWM):
Connection Destinations
Destination Delivered Type User, Authorizations Description
<EWM name>CLNT<client>
No RFC – ERP Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543
and 727839 .
For more information, see Customizing for SCM
Basis under Integration Basic Settings for
Creating the System Landscape Assign RFC
Destinations to Various Application Cases .
SAP Extended Warehouse Management 9.5 Security GuideNetwork and Communication Security C U S T O M E R 43
Destination Delivered Type User, Authorizations Description
EWM to SAP R/3 or SAP ERP
No RFC – ERP (qRFC)
Use the Profile Generator (transaction code PFCG) to define an appropriate profile, and see SAP Notes 447543
and 727839 .
For more information, see Customizing for Extended Warehouse Management under
Interfaces ERP Integration General
Settings Control for RFC Queue and Cus
tomizing for SCM Basis under IntegrationBasic Settings for Creating the System Landscape
Assign RFC Destinations to Various Application
Cases .
EWM to SAP APO (APO instance)
No RFC – ERP Use the Profile Generator (transaction PFCG) to define an appropriate profile, and see SAP Notes 447543 and 727839 .
For more information, see Customizing for Extended Warehouse Management under
Goods Receipt Process Slotting General
Settings Change Information for APO
Instances .
EWM to Third party geocoding application
No RFC None For more information, see Customizing for SAP
NetWeaver under General Settings Set
Geocoding or http://help.sap.com/ewm under
Application Help SAP Extended Warehouse
Management (SAP EWM) SCM Basis SCM
Basis Master Data Location .
EWM to Non-SAP Systems
No RFC – ERP None For more information, see Customizing for Extended Warehouse Management under
Interfaces Non-SAP Systems Connect
Subsystem .
EWM to SAP GTS No RFC – None For more information, see Customizing for Extended Warehouse Management under
Interfaces GTS Integration Basic Settings
of GTS Integration .
EWM to SAP NetWeaver Business Warehouse (SAP NetWeaver BW)
No RFC – ERP None For more information, see Customizing for SAP
ERP under Integration with Other SAP
Components Data Transfer to Business
Warehouse and Customizing for Extended
Warehouse Management under Interfaces
SAP Business Information Warehouse .
44 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Network and Communication Security
Destination Delivered Type User, Authorizations Description
EWM to SAP Plant Connectivity
No RFC None This function is only available if you implement the sample implementation in BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT). For more information, see Customizing for Extended Warehouse
Management under Business Add-Ins (BAdIs)
for Extended Warehouse Management Master
Data Work Center Adjust User Interface for
Work Center BAdI: Determination of HU Weight
Using Scale .
SAP EWM to SAP TM No WebService/RFC
None For more information, see http://
help.sap.com/ewm under Additional
Information SAP Solution Manager .
NoteFor more information about communication destinations of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies.
SAP Extended Warehouse Management 9.5 Security GuideNetwork and Communication Security C U S T O M E R 45
9 Internet Communication Framework Security
You should only activate those services that are needed for the applications running in your system. For SAP Extended Warehouse Management (SAP EWM), the following main services are available:
● /sap/bc/gui/sap/its/scwm/rfuiThis service can be used, for example, to allow warehouse workers to use transaction/SCWM/RFUI from mobile applications. The service can be accessed by using ITS mobile. For more information, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Radio Frequency Framework Work Processing Using Radio Frequency Resource Management Using Radio Frequency .
● /sap/bc/webdynpro/scwm/In this path various Web Dynpro UIs for SAP EWM as well as for Dock Appointment Scheduling are contained.
● /sap/bc/ui5_ui5/scwu/This contains SAPUI5 user interfaces which are for example used for Labor Demand Planning (LDP) or Collaborative Carrier Scenario for Dock Appointment Scheduling.
● /sap/opu/odata/scwm/This contains ODATA SAP Gateway services which are, for example, used for LDP or Collaborative Carrier Scenario for Dock Appointment Scheduling.
● /sap/opu/odata/ui2Contains services which are partly used from SAP EWM. For example, PAGE_BUILDER_PERS is used for LDP and DAS Carrier Collaboration.
● /sap/bc/srt/xip/scwmContains services which are used for XI communication.
● /sap/bc/srt/rfc/scwmContains services which are used for RFC communication. For example, RFID_AII_EWM which is used to exchange RFID information with SAP Auto-ID Infrastructure (SAP AII).
Use the transaction SICF to activate this service.
If your firewalls use URL filtering, also note the URLs used for the service and adjust your firewall settings accordingly.
For more information, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Application Server Application Server Infrastructure Functions and Tools of SAP NetWeaver Application Server Connectivity Components of SAP Communication TechnologyCommunication Between ABAP and Non-ABAP Technologies Internet Communication FrameworkDevelopment Server-Side Development Creating and Configuring ICF Services Activating and Deactivating ICF Services .
For more information about ICF security, see the SAP NetWeaver Security Guide under Security Guides for Connectivity and Interoperability Technologies RFC/IFC Security Guide .
46 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Internet Communication Framework Security
10 Application-Specific Virus Scan Profile (ABAP)
SAP provides an interface for virus scanners to prevent manipulated or malicious files from damaging the system. To manage the interface and what file types are checked or blocked, there are virus scan profiles. Different applications rely on default profiles or application-specific profiles.
To use a virus scanner with the SAP system, you must activate and set up the virus scan interface. During this process, you also set up the default behavior. SAP also provides default profiles.
For more information, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Security Security Developer Documentation Secure Programming Secure Programming – Java Secure Programming SAP Virus Scan Interface and see SAP Note 1693981(Unauthorized modification of displayed content).
SAP Extended Warehouse Management (SAP EWM) also uses the virus scan interface, for example, during file upload to the SAP EWM system.
SAP Extended Warehouse Management 9.5 Security GuideApplication-Specific Virus Scan Profile (ABAP) C U S T O M E R 47
11 Data Storage Security
The data storage security of SAP NetWeaver and components installed on that database is described in detail in the SAP NetWeaver Security Guide.
NoteFor more information about the data storage security of SAP NetWeaver, see the SAP NetWeaver Security Guide under Security Guides for the Operating System and Database Platforms.
In general, all business data of the SAP Extended Warehouse Management (SAP EWM) is stored in the system database. If SAP liveCache is used, some business data is also stored there. This business data is protected by the authorization concept of SAP NetWeaver and SAP EWM.
In some special cases, business-relevant data is stored elsewhere (for example, in a file system).
Using Logical Path and File Names to Protect Access to the File System
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP EWM may save data in files in the file system and may read data from the file system. Therefore, it is important explicitly to provide access to the corresponding files in the file system without allowing access to other directories or files (also known as directory traversal). This is achieved by specifying logical paths and file names in the system that map to the physical paths and file names. This mapping is validated at runtime and if access is requested to a directory (including subdirectories) that does not match a stored mapping, then an error occurs.
In some cases fixed logical file names are also used in applications which cannot be changed.
The following lists show the logical file names and paths used by SAP EWM and for which programs these file names and paths:
Logical File Names and File Paths Used in SAP EWM
The following logical file names have been created in order to enable the validation of physical file names:
● EWM_PI_DOWNLOADTransactions/programs using this logical file name:○ Transaction /SCWM/PI_DOWNLOAD○ Program /SCWM/R_PI_STOCK_DWNLD
48 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Storage Security
Parameters and format used in this context:○ <PARAM_1>=Warehouse number(CHAR 4)○ <PARAM_2> =Counter (NUM2)
Logical file path used:○ EWM_GLOBAL_PATH
Comment: The logical file name is fixed and cannot be changed. The logical file contains a physical file name. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_PI_UPLOADTransactions/programs using this logical file name:○ Transaction /SCWM/PI_UPLOAD○ Program /SCWM/R_PI_FILEUPLD
Parameters and format used in this context:○ <PARAM_1> = Warehouse number (CHAR4)○ <PARAM_2> = Creation Date (DATS8)○ <PARAM_3> = Counter (NUM2)
Logical file path used:○ EWM_GLOBAL_PATH
Comment: The logical file name is fixed and cannot be changed. The logical file contains a physical file name. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_STOCK_UPLOADTransactions/programs using this logical file name:○ Transaction /SCWM/ISU○ Program /SCWM/R_INITIALSTOCKUPLOAD
Parameters and format used in this context:○ <PARAM_1> = Warehouse number (CHAR4)
Logical file path used:○ EWM_STOCK_UPLOAD_PATH
● EWM_STOBIN_UPLOADTransactions/programs using this logical file name:○ Transaction /SCWM/SBUP○ Program /SCWM/TLAGP_UPLOAD
Logical file path used:○ EWM_STOBIN_UPLOAD_PATH
● EWM_STOBIN_SORT_UPLOADTransactions/programs using this logical file name:○ Transaction /SCWM/SRTUP○ Program /SCWM/TLAGPS_UPLOAD
Logical file path used:○ EWM_STOBIN_SORT_UPLOAD_PATH
● EWM_MS_RESULTTransactions/programs using this logical file name:○ Transaction /SCWM/MS_RESULT
SAP Extended Warehouse Management 9.5 Security GuideData Storage Security C U S T O M E R 49
○ Program /SCWM/R_MS_RESULT_READParameters and format used in this context:○ <PARAM_1>=Warehouse number (CHAR4)
Logical file path used:○ EWM_GLOBAL_PATH
Comment: The logical file name is fixed and cannot be changed. The logical file contains a physical file name. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_ELS_FRML● EWM_ELS_ST● EWM_ELS_STE● EWM_ELS_SEQ● EWM_ELS_ASS
Transactions/programs using this logical file name:○ Transaction /SCWM/ELS_UPLOAD○ Program /SCWM/ELS_UPLOAD
Logical file path used:○ EWM_GLOBAL_PATH
Comment: The logical file name is fixed and cannot be changed. The logical file contains a physical file name. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name.
● EWM_MS_RESULTTransactions/programs using this logical file name:○ Transaction /SCWM/PI_SAMP_UPDATE○ Program /SCWM/PI_SAMP_UPDATE_RESULT
Parameters and format used in this context:○ <PARAM_1>=Warehouse number (CHAR4)
Logical file path used:○ EWM_GLOBAL_PATH
Comment: The logical file name is fixed and cannot be changed. The logical file contains a physical file name. The logical file path contains a physical path. The validation and alias definition do not apply for this logical file name
● EWM_PRODUCT_UPLOADTransactions/programs using this logical file name:○ Transaction /SCWM/MIG_PRODUCT○ Program /SCWM/R_MIG_PRODUCT
Logical file path used:○ EWM_PRODUCT_UPLOAD_PATH
● EWM_PACKSPEC_UPLOADTransactions/programs using this logical file name:○ Transaction SCWM/MIG_PRODUCT and /SCWM/IPU○ Program /SCWM/R_MIG_PRODUCT and /SCWM/R_PS_DATA_LOAD
Logical file path used in this context:○ EWM_PACKSPEC_UPLOAD_PATH
● EWM_PI_COMPL_UPLOAD
50 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Storage Security
Transactions/programs using this logical file name:○ Transaction /SCWM/MIG_PI_COMPL○ Program /SCWM/R_MIG_PI_COMPL
Logical file path used in this context:○ EWM_PI_COMPL_UPLOAD_PATH
Activating the Validation of Logical Path and File Names
Note that this only applies to logical file names that are not fixed.
These logical paths and file names, as well as any subdirectories, are specified in the system for the corresponding programs. For downward compatibility, the validation at runtime is deactivated by default. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-specific). To find out which paths are being used by your system, you can activate the corresponding settings in the Security Audit Log.
For more information, see the following at http://help.sap.com/nw75:
● The SAP NetWeaver Application Help under SAP NetWeaver Library: Function-Oriented View Application Server Application Server ABAP Other Services Services for Application Developers Logical File Names
● The SAP NetWeaver Security Guide under Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP SAP NetWeaver Application Server for ABAP Security Guide Special Topics Protecting Access to the File System Using Logical Path and File Names
● The SAP NetWeaver Application Help under SAP NetWeaver Library: Function-Oriented View SecuritySystem Security System Security for SAP NetWeaver AS for ABAP Only Security Audit Log
SAP Extended Warehouse Management 9.5 Security GuideData Storage Security C U S T O M E R 51
12 Data Protection
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements and data privacy.
This section and any other sections in this Security Guide do not give any advice on whether these features and functions are the best method to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations with regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis and under consideration of the given system landscape and the applicable legal requirements.
NoteIn the majority of cases, compliance with data privacy laws is not a product feature.
SAP software supports data privacy by providing security features and specific data-protection-relevant functions such as functions for the simplified blocking and deletion of personal data.
SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.
Glossary
Term Definition
Personal data Information about an identified or identifiable natural person.
Business purpose A legal, contractual, or in other form justified reason for the processing of personal data. The assumption is that any purpose has an end that is usually already defined when the purpose starts.
Blocking A method of restricting access to data for which the primary business purpose has ended.
Deletion Deletion of personal data so that the data is no longer usable.
Retention period The time period during which data must be available.
End of purpose (EoP) A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization.
52 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
Some basic requirements that support data protection are often referred to as technical and organizational measures (TOM). The following topics are related to data protection and require appropriate TOMs:
● Access control: Authentication features as described in section User Administration and Authentication (see User Administration and Authentication [page 20])
● Authorizations: Authorization concept as described in section Authorizations (see Authorizations [page 27])● Read access logging: as described in section Read Access Logging (see Read Access Logging [page 62])● Transmission control / Communication security: as described in section Network and Communication
Security (see Network and Communication Security [page 38]) and Security Aspects of Data Flow and Processes (see Security Aspects of Data Flow and Processes [page 14])
● Input control / Change logging: Change logging is described in the Security-Relevant Logging and Tracing section (see Security-Relevant Logging and Tracing [page 67])
● Availability control as described in:○ Section Data Storage Security (see Data Storage Security [page 48])
○ SAP NetWeaver Database Administration documentation at http://help.sap.com/nw75 under SAP NetWeaver Library: Function-Oriented View Database Administration
○ SAP Business Continuity documentation at http://help.sap.com/nw75 under SAP NetWeaver Library: Function-Oriented View Solution Life Cycle Management SAP Business Continuity
● Separation by purpose: Is subject to the organizational model implemented and must be applied as part of the authorization concept.
CautionThe extent to which data protection is ensured depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.
Configuration of Data Protection Functions
Certain central functions that support data protection compliance are grouped in Customizing for Cross-Application Components under Data Protection.
Additional industry-specific, scenario-specific or application-specific configuration might be required.
For information about the application-specific configuration, see the application-specific Customizing in SPRO.
12.1 Deletion of Personal Data
SAP Extended Warehouse Management (SAP EWM) might process data (personal data) that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544 .
The SAP Information Lifecycle Management (ILM) component supports the entire software lifecycle including the storage, retention, blocking, and deletion of data. SAP EWM uses SAP ILM to support the deletion of personal data as described in the following sections.
SAP Extended Warehouse Management 9.5 Security GuideData Protection C U S T O M E R 53
SAP delivers an end of purpose (EoP) check for SAP EWM.
SAP delivers a where-used check (WUC) for SAP EWM.
All applications register either an EoP check in the Customizing settings for the blocking and deletion of business partners or a WUC. For information about the Customizing of blocking and deletion for SAP EWM, see Configuration: Simplified Blocking and Deletion.
End of Purpose Check
An end of purpose check determines whether data is still relevant for business activities based on the retention period defined for the data. The retention period of data consists of the following phases.
● Phase one: The relevant data is actively used.● Phase two: The relevant data is actively available in the system.● Phase three: The relevant data needs to be retained for other reasons.
For example, processing of data is no longer required for the primary business purpose, but to comply with legal rules for retention, the data must still be available. In phase three, the relevant data is blocked.Blocking of data prevents the business users of SAP applications from displaying and using data that may include personal data and is no longer relevant for business activities.
Blocking of data can impact system behavior in the following ways:
● Display: The system does not display blocked data.● Change: It is not possible to change a business object that contains blocked data.● Create: It is not possible to create a business object that contains blocked data.● Copy/Follow-Up: It is not possible to copy a business object or perform follow-up activities for a business
object that contains blocked data.● Search: It is not possible to search for blocked data or to search for a business object using blocked data in the
search criteria.
It is possible to display blocked data if a user has special authorization; however, it is still not possible to create, change, copy, or perform follow-up activities on blocked data.
For information about the configuration settings required to enable this three-phase based end of purpose check, see Process Flow and Configuration: Simplified Blocking and Deletion.
Where-Used Check
A where-used check (WUC) is a simple check to ensure data integrity in case of potential blocking. The WUC in SAP EWM checks whether dependent data for a business partner exists which is relevant for a WUC. If relevant dependent data exists, that is, if the data is still required for business activities, the system does not block the business partner.
If you still want to block the data, the dependent data must be deleted by using the existing archiving and deletion tools or by using any other customer-specific solution.
54 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
Integration with Other Solutions
In the majority of cases, different installed applications run interdependently. An example of an application that uses central master data is an SAP ERP system that transfers inbound deliveries to SAP EWM. In this case, the vendor of the inbound delivery is contained as a business partner (ship-from role) in the inbound delivery in SAP EWM.
Relevant Application Objects and Available Deletion Functionality
The deletion of objects is usually done using either archiving services or special functions. For more information, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM)
Archiving in Extended Warehouse Management (SCM-EWM) and Data Destruction in Extended Warehouse Management (SCM-EWM) .
We recommend that you view the SAP Extended Warehouse Management 9.5 Operations Guide, available at http://help.sap.com/ewm under Operations. There, regular steps, such as archiving or deletion, are described together with proposals on how and when they should be executed.
Application Detailed Description Provided Deletion Functionality
EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request
Business partner data is stored in warehouse requests. For example, in the Ship To and Ship From fields in the warehouse request header or as owner and entitled at item level in the partner data.
Deletion of the objects can be done using the archiving services. The archiving objects are:
● DLV_INBInternal warehouse requests (inbound delivery)
● DLV_OUTInternal warehouse requests (outbound delivery)
● DLV_REQWarehouse requests from external systems
● DLV_PRODProduction material request
SAP Extended Warehouse Management 9.5 Security GuideData Protection C U S T O M E R 55
Application Detailed Description Provided Deletion Functionality
EWM Labor Management In Labor Management, the Processor field is written in several SAP EWM documents. For example, the warehouse order and executed workload.
In Labor Management, Time and Attendance data such as clock-in and clock-out times of processors can be stored in the SAP EWM system.
Deletion of the objects containing processor data can be done using the archiving services. The archiving objects are:
● WME_WOWarehouse order
● WME_EWLExecuted workload
● WME_EPDPerformance document
● WME_ILTIndirect labor task
Deletion of time and attendance data can be done using the destruction report /SCWM/TATT_DES. This report uses the data destruction object EWM_TATT and defined retention periods for time and attendance records.
EWM Shipping and Receiving In Shipping and Receiving, in the transportation unit object the field for the carrier may contain a business partner.
Deletion of the objects can be done using the archiving services. The archiving objects are:
● WME_TUTU activity
● WME_VEHVehicle activity
EWM Warehouse Order Processing Warehouse order processing data can contain business partner data. For example, in fields for owner or party entitled to dispose.
Deletion of the objects can be done using the archiving services. The archiving object is WME_TO (warehouse task).
EWM Value Added Services If value added services (VAS) are used, in the corresponding VAS order the field for entitled and owner may contain a business partner.
Deletion of the objects can be done using the archiving services. The archiving object is WME_VAS (VAS order).
EWM Wave Management Wave data can contain business partner data. For example, in fields for owner or party entitled to dispose.
Deletion of the objects can be done using the archiving services. The archiving object is WME_WAVE (waves).
EWM Proof of Delivery If proof of delivery is used (transaction /SCWM/POD_IMP), then this object may contain business partners in the fields for carrier, entitled, or processor.
Deletion can be done using transaction /SCWM/POD_IMP.
56 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
Application Detailed Description Provided Deletion Functionality
EWM Stock Data In SAP EWM, stock data can contain business partner data. For example, in fields for owner or party entitled to dispose.
Deletion is not possible directly. The corresponding stock has to be cleared so that no stock exists any more. Report /LIME/BACKGROUND_DELETE_EXEC is available.
EWM Dock Appointment Scheduling In loading appointments in SAP Dock Appointment Scheduling, the field for the carrier may contain a business partner.
Deletion of loading appointments is possible using destruction report /SCWM/DSAPP_DES. This report uses the data destruction object EWM_DSAPP and defined retention periods for the loading appointments.
Transportation Management in EWM In the shipment and freight document objects, the business partner is contained.
Deletion of the objects can be done using the archiving services. The archiving objects are:
● TM_SHPShipment
● TM_FRDFreight document
EWM Warehouse Billing In Warehouse Billing, snapshots can contain a business partner.
Billing measurement (BOPF object /SCWM/BM) can be deleted by archiving using archiving object EWM_WBM.
Billing measure request (BOPF object /SCWM/WB_BMR) can be deleted using deletion report /SCWM/WB_WBMR_DELETION.
Account Assignment Data Account Assignment Data can contain a business partner (party entitled to dispose)
Account Assignment Data can be deleted using transaction /SCWM/ACC_IMP_ERP.
Express Shipping Interface (ESI) ESI manifests can contain address, location or other contact data of a partner.
Deletion of the objects can be done using the archiving services. The archiving objects are:
● EWM_ESI_MFESI manifest
● EWM_ESI_PAESI parcel
Global Batch Traceability (GBT) Interfacing
For communication to GBT, the tracking events which get temporarily stored in EWM can contain a business partner
The GBT tracking events can be deleted using report /SCWM/GBT_R_EVENT_DELETION.
SAP Extended Warehouse Management 9.5 Security GuideData Protection C U S T O M E R 57
Configuration Settings and Application Tables with Automatic Deletion
In most cases, EWM data which contains a business partner is deleted by application-specific measures, such as those described in the table Relevant Application Objects and Available Deletion Functionality.
In other cases, a where-used check (WUC) prevents the deletion/blocking of the business partner if the business partner is still used by an application. In order to be able to delete the business partner, this usage has to be removed manually. A WUC is typically then done if it is not possible to delete these entries automatically. For examples, refer to the table Relevant Application Objects and Available EoP/WUC Functionality.
For further cases, where no application-specific deletion is done or WUC is used, EWM can automatically delete such entries during the deletion of the business partner. This is done, for example, for settings and configuration or other data which can be business partner-specific (in most cases this is the business partner for the party entitled to dispose).
Examples include:
● Staging Area and Door Determination (Inbound) /SCWM/STADET_IN● Staging Area and Door Determination (Outbound) /SCWM/STADET_OUT● Determine Algorithm Profiles for Cartonization Planning /SCWM/CAPPDET● Disallow RFID Goods Movements /SCWM/RFID_POST● Assign Warehouse Number/Party Authorized to Customs ID /SCWM/GTS_MAPWH● Historical slotting data in table /SCWM/SLOTHIST● Maintain Consolidation Group /SCWM/DSGR● Assign Bin to Product/Entitled in PSA /SCWM/PSASTAGE2● Maintain Fixed Storage Bin /SCWM/BINMAT
Relevant Application Objects and Available EoP/WUC Functionality
Application Implemented Solution (EoP or WUC) Further Information
EWM Warehouse Request Processing, such as inbound delivery, outbound delivery order, or production material request
An EoP check is implemented for the business partner object.
An EoP check is done for the following documents:
● Outbound delivery request● Outbound delivery order● Outbound delivery● Inbound delivery notification● Inbound delivery● Production material request
58 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
Application Implemented Solution (EoP or WUC) Further Information
EWM Labor Management An EoP check is implemented for the business partner object.
An EoP check is done for the following documents:
● Executed workload● Employee performance document● Warehouse order● Indirect labor task● Time and attendance
For indirect labor tasks, the data is stored using order document management (ODM).
The ODM data type is ILT. The corresponding header component is ILT with structure /SCWM/S_ILT_ODM.
EWM Shipping And Receiving An EoP check is implemented for the business partner object.
An EoP check is done for the following documents:
● Transportation unit● Vehicle● Transportation unit activity● Vehicle activity
EWM Value Added Services An EoP check is implemented for the business partner object.
An EoP check is done for VAS documents.
The data is stored using ODM. The ODM data type is VASO. The corresponding item component is VASI with structure /SCWM/S_VAS_ODM_ITM.
EWM Proof of Delivery A WUC is implemented for the business partner object.
A WUC check is done for the /SCWM/POD database table.
EWM Stock Data A WUC is implemented for the business partner object.
● /SCWM/STOCK_IW01● /SCWM/STOCK_IW02● /SCWM/STOCK_IW03● /SCWM/STOCK_IW04
EWM Dock Appointment Scheduling An EoP check is implemented for the business partner (carrier) object.
An EoP check is done for loading appointments.
SAP Extended Warehouse Management 9.5 Security GuideData Protection C U S T O M E R 59
Application Implemented Solution (EoP or WUC) Further Information
Transportation Management in EWM An EoP check is implemented for the business partner object.
An EoP check is done for the following documents:
● Freight order● Shipment
The data is stored using ODM, as follows:
● For shipments the ODM data type is TMSH. The corresponding header component is TSHD with structure /SCMB/TMDL_ODM_SHP_HDR_STR.
● For freight documents the ODM data type is TMFR. The corresponding header component is TMFH with structure /SCMB/TMDL_ODM_FRD_HDR_STR.
Transportation Management in EWM Warehouse Billing
An EoP check is implemented for the business partner object.
An EoP check is done for warehouse billing measurement documents.
Wave Management An EoP check is implemented for the business partner object.
An EoP check is done for waves.
Physical Inventory An EoP check is implemented for the business partner object.
An EoP check is done for physical inventory documents.
Warehouse Orders and Warehouse Tasks An EoP check is implemented for the business partner object.
An EoP check is done for warehouse orders and warehouse tasks.
Account Assignment Data A WUC is implemented for the business partner object.
A WUC is implemented for the Account Assignment Data which can be replicated using transaction /SCWM/ACC_IMP_ERP.
Global Batch Traceability (GBT) Interfacing
A WUC is implemented for the business partner object.
A WUC is implemented for the tracking events.
Process Flow
1. Before archiving data, you must define residence times and retention periods in SAP Information and Lifecycle Management (ILM).
2. You choose whether data deletion is required for data stored in archive files or data stored in the database, also depending on the type of deletion functionality available.
3. You do the following:
60 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
○ Run transaction IRMPOL and maintain the required residence and retention policies for the central business partner (ILM object: CA_BUPA).
○ Run transaction IRMPOL and maintain the retention policies for the SAP ILM objects of the SAP EWM application:○ DLV_INB (inbound delivery)○ DLV_OUT (outbound delivery)○ DLV_PROD (production material request)○ DLV_REQ (delivery request)○ EWM_DSAPP (loading appointment)○ EWM_ESI_MF (ESI manifest)○ EWM_ESI_PA (ESI parcel)○ EWM_TATT (time and attendance)○ EWM_WBM (warehouse billing measurement)○ LIME_PI (physical inventory document)○ TM_FRD (freight order)○ TM_SHP (shipment)○ WME_DOOR (door)○ WME_EPD (employee performance document)○ WME_EWL (executed workload)○ WME_HU (handling unit)○ WME_ILT (indirect labor task)○ WME_MFS (telegram flow)○ WME_RSRC (relevant resource data)○ WME_TO (warehouse task)○ WME_TU (transportation unit activity)○ WME_VAS (value added service)○ WME_VEH (vehicle activity)○ WME_WAVE (wave)○ WME_WO (warehouse order)
○ Run transaction BUPA_PRE_EOP to enable the EoP check function for the central business partner.○ Run transaction IRMPOL and maintain the required residence and retention policies for the customer
master and vendor master in SAP ERP (ILM objects: FI_ACCPAYB, FI_ACCRECV, FI_ACCKNVK).○ Run transaction CVP_PRE_EOP to enable the EoP check function for the customer master and vendor
master in SAP ERP.4. Business users can request unblocking of blocked data by using transaction BUP_REQ_UNBLK.5. If you have the needed authorizations, you can unblock data by running the transaction BUPA_PRE_EOP and
CVP_UNBLOCK_MD.6. You delete data by using the transaction ILM_DESTRUCTION for the ILM objects of SAP EWM.
For information about how to configure blocking and deletion for SAP EWM, see section Configuration: Simplified Blocking and Deletion.
SAP Extended Warehouse Management 9.5 Security GuideData Protection C U S T O M E R 61
Creating the Start of Retention Time for Existing Documents
You use the following reports to create the start of retention time (SoRT) for existing documents that refer to business partners or carriers.
● SoRT Data Creation for Existing EWM Documents (/SCWM/DPP_CREATE_SORT_EWM)● Create Start of Retention Time for Existing Appointment Documents (/SCWM/RDPP_CREATE_SORT_DAS)
For more information, refer to the report documentation in the system.
Configuration: Simplified Blocking and Deletion
You configure the settings related to the blocking and deletion of business partner master data in Customizing for Cross-Application Components under Data Protection.
● Define the settings for authorization management in Customizing for Cross-Application Components under Data Protection Authorization Management .
● Define the settings for blocking in Customizing for Cross-Application Components under Blocking and Unblocking Business Partner .
You configure the settings related to the blocking and deletion of customer and vendor master data in Customizing.
12.2 Read Access Logging
Read access to personal data is partially based on legislation, and it is subject to logging functionality. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data (for example, fields related to bank account data), and when they did so.
In RAL, you can configure which read-access information to log and under which conditions.
For more information, see http://help.sap.com/nw75 under Application Help SAP NetWeaver Library: Function-Oriented View Security System Security System Security for SAP NetWeaver AS for ABAP OnlyRead Access Logging .
For up-to-date information on the delivered RAL configurations, see SAP Note 2347271 .
62 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Data Protection
13 Security for Additional Applications
Geocoding
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP Extended Warehouse Management (SAP EWM) can, in some cases, make use of third party geocoding applications, for example, PTV eServer. The software could be used, for example, to calculate geographical information for the locations or distances for transportation lanes. To connect to the third party software, this software may require an RFC destination on the SAP EWM side. This RFC is described in the Communication Destinations section (see Communication Destinations [page 43]).
For more information on geocoding, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) SCM Basis SCM Basis Master Data Location . For any security issues regarding the third party application, for example, PTV eServer software, see the third party documentation.
SAP Plant Connectivity for Scale Integration
SAP EWM can, in some cases, integrate an external scale. The software could be used, for example, to calculate the weight of a handling unit. In BAdI: Determination of HU Weight Using Scale (/SCWM/EX_WRKC_UI_GET_WEIGHT), a sample implementation exists for this. In this example, the system uses SAP Plant Connectivity to integrate an external scale. This software may require an RFC destination on the SAP EWM side to connect to SAP Plant Connectivity. For more information, see Communication Destinations [page 43].
For more information on SAP Plant Connectivity, see http://help.sap.com/pco , where you can also find the Security Guide for your release.
SAP Extended Warehouse Management 9.5 Security GuideSecurity for Additional Applications C U S T O M E R 63
14 Enterprise Services Security
The following chapters in the SAP NetWeaver Security Guides are relevant for all enterprise services delivered with SAP Extended Warehouse Management (SAP EWM). You can find them using the NetWeaver guide finder at http://help.sap.com/viewer/nwguidefinder or by following the paths below in the SAP NetWeaver Security Guide:
● User Administration and Authentication● Network and Communication Security
● Security Guides for SAP NetWeaver Functional Units SAP Process Integration Security Guide
● Security Guides for Connectivity and Interoperability Technologies Security Guide Web Services
● Security Guides for Connectivity and Interoperability Technologies Security Aspects for Web Services● Security Guides for the Operating System and Database Platforms● Security Aspects for Lifecycle Management
● Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS ABAP
● Security Guides for SAP NetWeaver Functional Units Security Guides for the Application Server Security Guides for AS Java
64 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Enterprise Services Security
15 Other Security-Relevant Information
15.1 User Frontend
To use the web browser as a user front end, you must first activate JavaScript (Active Scripting), to ensure a working user interface. This could, however, conflict with your security policy regarding web services.
SAP NetWeaver Business Client
SAP NetWeaver Business Client (NWBC) is the proposed UI for using Web Dynpro applications, for example, from SAP Dock Appointment Scheduling, Transit Warehousing, or Shipping Cockpit in SAP EWM.
For more information about SAP NetWeaver Business Client, see SAP Note 900000 .
See also http://help.sap.com/nw under SAP NetWeaver 7.31 Application Help SAP NetWeaver Library: Function-Oriented View Application Server Application Server for ABAP UI Technologies in ABAP SAP NetWeaver Business Client 7 Security Aspects .
Making Browser Settings for Easy Graphics Framework (EGF)
NoteThis is not relevant for standalone Dock Appointment Scheduling.
If you work with Microsoft Internet Explorer in the Easy Graphics Framework (EGF), you must have installed Microsoft Internet Explorer version 5 or higher.
For more information about the security settings, see http://help.sap.com/ewm under Application Help SAP Extended Warehouse Management (SAP EWM) Monitoring Easy Graphics Framework .
RF Device as a User Frontend
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP Extended Warehouse Management 9.5 Security GuideOther Security-Relevant Information C U S T O M E R 65
To use an RF device as a user front end, you can use a mobile PC running SAP Front End. In addition, a third-party Telnet server is necessary. For any security issues regarding the Telnet server software, consult the third-party software documentation.
For more information about SAP Front End, see the SAP Front End Installation Guide. You can find this guide using the SAP NetWeaver Guide Finder at http://help.sap.com/viewer/nwguidefinder.
SAP Dock Appointment Scheduling
NoteThis is relevant only if you are using Dock Appointment Scheduling.
If you use the Web Dynpro applications Create Time Slots in Graphical View, Change Time Slots in Graphical View, or Maintain Appointments – Graphical, you must install Microsoft Silverlight version 5 or later. Note that this does not apply for the UI Dock Appointment Scheduling for Carrier as this uses SAPUI5.
Access from UIs using OData and SAP Gateway
Labor Demand Planning and Dock Appointment Scheduling UI for Carriers use SAP Gateway to access SAP EWM data. For more information, see Network and Communication Security [page 38].
66 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Other Security-Relevant Information
16 Security-Relevant Logging and Tracing
SAP systems keep various logs for system administration, monitoring, problem solving, and auditing purposes. Audits and logs are important for monitoring the security of your system and to track events, in case of problems.
NoteAuditing and logging for SAP Extended Warehouse Management (SAP EWM) is described in detail in the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management Auditing and Logging .
Security Audit Log Triggered by Virus Scan Interface (VSI)
The class CL_VSI automatically creates entries in the Security Audit Log for infections and scan errors found, together with the following information:
● Profile● Profile step allowing the detection of the scanner-group● Kind of virus found, with internal virus ID of the scan engine, if available● User name and time stamp
The messages logged are located in the message class VSCAN, using the system log messages BU8 and BU9 (created in SE92). The severities are set to High and Medium, respectively. The severity of the audit class is set to Miscellaneous. For more information, see Customizing for SAP NetWeaver under Application Server System Administration Virus Scan Interface .
Audit Information System (AIS)
Information on auditing and logging for the Audit Information System (AIS) is described in detail in the SAP NetWeaver Security Guide. For more information, see the SAP NetWeaver Security Guide under Security Aspects for Lifecycle Management Auditing and Logging Audit Information System (AIS) .
SAP EWM
NoteThis is not relevant for standalone Dock Appointment Scheduling.
SAP EWM auditing and logging is governed by the transactions and Customizing activities listed in the table below.
SAP Extended Warehouse Management 9.5 Security GuideSecurity-Relevant Logging and Tracing C U S T O M E R 67
Auditing and logging in SAP EWM is governed by change documents. Change documents have to be activated in Customizing before they can be used.
Change Documents for Delivery Objects
When change documents are activated and used in the system, each field in the SCM delivery documents is linked to change documents. The change documents provide information about which fields have been changed and about the old and new values. When you use change documents, you can define that the SCM system creates a log that shows which user has changed data in a delivery document and the specific time at which the change was made.
You can also run reports that retrieve archived documents. The reports are not separate transactions but they are contained in the SCM standard transactions, such as the Maintain Outbound Delivery Order transaction (the Open Advanced Search pushbutton is used).
The following Customizing activities are relevant for SAP EWM auditing and logging. You can set – per document type of delivery – whether a change document is to be written for each delivery document. You can make these settings for all document categories in SAP EWM. In other words, you can make these settings for all delivery documents in SAP EWM, including posting changes and internal moves.
Customizing Activity Path in Customizing for Extended Warehouse Management
Activation of change documents for inbound delivery Goods Receipt Process Inbound Delivery Define
Document Types for Inbound Delivery Process
(or: Goods Receipt Process Inbound Delivery Wizards
Use Wizard to Define Document Types for Inbound Delivery
Process ). Select the Change Documents indicator.
Activation of change documents for expected goods receipt Goods Receipt Process Expected Goods Receipt
Manual Settings Define Document Types for Expected
Goods Receipt
(or: Goods Receipt Process Expected Goods ReceiptUse Wizard to Define Document Types for Expected Goods
Receipt ). Select the Change Documents checkbox
Activation of change documents for outbound delivery Goods Receipt Process Expected Goods Receipt
Manual Settings Define Document Types for Expected
Goods Receipt
68 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Security-Relevant Logging and Tracing
Customizing Activity Path in Customizing for Extended Warehouse Management
Activation of change documents for posting changes Internal Warehouse Processes Delivery Processing
Posting Changes Define Document Types for Posting Change
Process
(or: Internal Warehouse Processes Delivery Processing
Posting Changes Wizards Use Wizard to Define Document
Types for Posting Change Process ). Select the Change Documents checkbox.
Activation of change documents for stock transfers Internal Warehouse Processes Delivery Processing
Stock Transfers Define Document Types for the Stock
Transfer Process
(or: Internal Warehouse Processes Delivery Processing
Stock Transfers Wizards Use Wizard to Define Document
Types for the Stock Transfer Process ). Select the Change Documents checkbox.
The following transactions are relevant for SAP EWM auditing and logging (in each of these transactions, you can use the Open Advanced Search pushbutton on the screen for that transaction, to retrieve and display archived report data):
Transaction Description Path on the SAP Easy Access screen
Maintain Inbound Delivery Extended Warehouse Management Delivery Processing
Inbound Delivery Maintain Inbound Delivery .
Maintain Expected Goods Receipt Extended Warehouse Management Delivery Processing
Inbound Delivery Expected Goods Receipt Maintain
Expected Goods Receipt .
Maintain Outbound Delivery Order Extended Warehouse Management Delivery Processing
Outbound Delivery Maintain Outbound Delivery Order .
Maintain Posting Change Extended Warehouse Management Delivery Processing
Posting Change Maintain Posting Change .
Maintain Internal Stock Transfer Extended Warehouse Management Delivery Processing
Maintain Internal Stock Transfer .
Change Documents for Labor Management Objects
SAP Extended Warehouse Management 9.5 Security GuideSecurity-Relevant Logging and Tracing C U S T O M E R 69
You can activate change documents for the following Labor Management objects in Customizing for Extended Warehouse Management under Labor Management Activate Change Documents :
● ProcessorThe activation of change documents is at client level. You can display the change documents in either of the following ways:○ In transaction RSSCD100, in the Object Class field enter /SCMB/PRR, and in the Object ID field enter the
processor.
○ In transaction Maintain Business Partner, transaction code BP, via the menu option Extras Change History .
● Processor (for Shift Sequence Assignment)The activation of change documents is at client level. You can display the change documents in transaction RSSCD100. In the Object Class field, enter /SAPAPO/CD_RES. In the Object ID field, enter the <client><processor> without a space in between, for example, 003DOE.
● Time and AttendanceThe activation of change documents is at warehouse level. You can display the change documents in transaction RSSCD100. In the Object Class field, enter /SCWM/TATT. In the Object ID field, enter the <warehouse number>_<processor>_<date in format YYYYMMDD>_<time in format HHMMSS> with date and time in the time zone of the warehouse, for example, EW01_DOE_20180404_092911.
● Performance DocumentThe activation of change documents is at client level. You can display the change documents in either of the following ways:○ In transaction RSSCD100, in the Object Class field enter /SCWM/EPD. In the Object ID field, enter the
document number of the performance document without leading zeroes.○ In transaction Employee Performance Overview, transaction code /SCWM/EPERF.
70 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Security-Relevant Logging and Tracing
17 Services for Security Lifecycle Management
The following services are available from Active Global Support to assist you in maintaining security in your SAP systems on an ongoing basis.
Security Chapter in the EarlyWatch Alert (EWA) Report
This service regularly monitors the Security chapter in the EarlyWatch Alert report of your system. It tells you:
● Whether SAP Security Notes have been identified as missing on your system.In this case, analyze and implement the identified SAP Notes if possible. If you cannot implement the SAP Notes, the report should be able to help you decide on how to handle the individual cases.
● Whether an accumulation of critical basis authorizations has been identified.In this case, verify whether the accumulation of critical basis authorizations is okay for your system. If not, correct the situation. If you consider the situation okay, you should still check for any significant changes compared to former EWA reports.
● Whether standard users with default passwords have been identified on your system.In this case, change the corresponding passwords to non-default values.
Security Optimization Service (SOS)
The Security Optimization Service can be used for a more thorough security analysis of your system, including:
● Critical authorizations in detail● Security-relevant configuration parameters● Critical users● Missing security patches
This service is available as a self-service within SAP Solution Manager, as a remote service, or as an on-site service. We recommend that you use it regularly (for example, once a year) and in particular after significant system changes or in preparation for a system audit.
Security Configuration Validation
The Security Configuration Validation can be used to monitor a system landscape for compliance with predefined settings continuously, for example, from your company-specific SAP Security Policy. This primarily covers configuration parameters, but it also covers critical security properties like the existence of a non-trivial Gateway configuration or making sure that standard users do not have default passwords.
SAP Extended Warehouse Management 9.5 Security GuideServices for Security Lifecycle Management C U S T O M E R 71
Security in the Run SAP Methodology / Secure Operations Standard
With the E2E Solution Operations Standard Security service, a best practice recommendation is available on how to operate SAP systems and landscapes in a secure manner. It guides you through the most important security operation areas and links to detailed security information from SAP's knowledge base wherever appropriate.
More Information
For more information about these services, see:
● EarlyWatch Alert: https://support.sap.com/en/offerings-programs/support-services/earlywatch-alert.html● Security Optimization Service/Security Notes Report: https://support.sap.com/sos● Comprehensive list of Security Notes:http://support.sap.com/securitynotes● Configuration Validation: https://support.sap.com/en/solution-manager/solution-manager-71/processes-71/
change-control-management.html● Run SAP Roadmap, including the Security and the Secure Operations Standard: https://support.sap.com/
support-programs-services/methodologies/implement-sap.html (See the Run SAP chapters 2.6.3, 3.6.3 and 5.6.3)
72 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Services for Security Lifecycle Management
18 Appendix
Quick Links to Related Information
Content Quick Link
SAP Extended Warehouse Management (SAP EWM) Master Guides, Installation Guides, Upgrade Guides, Solution Management Guides
http://help.sap.com/ewm
SAP EWM Community https://www.sap.com/community/topic/extended-warehouse-management.html
SAP NetWeaver http://help.sap.com/nw
SAP NetWeaver Guide Finder http://help.sap.com/viewer/nwguidefinder
SAP NetWeaver Community https://www.sap.com/community/topic/netweaver.html
SAP Supply Chain Management http://help.sap.com/scm
SAP Notes http://support.sap.com/notes
SAP Security Notes & News http://support.sap.com/securitynotes
Security Community https://www.sap.com/community/topic/security.html
SAP Solution Manager http://support.sap.com/solutionmanager
SAP Extended Warehouse Management 9.5 Security GuideAppendix C U S T O M E R 73
Important Disclaimers and Legal Information
HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.
Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related LanguageWe try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
74 C U S T O M E RSAP Extended Warehouse Management 9.5 Security Guide
Important Disclaimers and Legal Information
SAP Extended Warehouse Management 9.5 Security GuideImportant Disclaimers and Legal Information C U S T O M E R 75
go.sap.com/registration/contact.html
© 2018 SAP SE or an SAP affiliate company. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.