7/27/2019 SAP Security Guide SRM2007 SP03 http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 1/90 Application Security Guide SAP SRM 2007 Using SAP ® SRM Server 6.0, SAP SRM-MDM Catalog, SAP NetWeaver Portal 7.0 Document Version 2.0 - October 2007

Upload: krnavin

Post on 02-Apr-2018



Application Security Guide

SAP SRM 2007 Using SAP® SRM Server 6.0, SAP SRM-MDM Catalog, SAP NetWeaver Portal 7.0

Document Version 2.0 - October 2007


©Copyright 2006 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of SQL AB, Sweden.

SAP, R/3, SAP, SAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Typographic Conventions

Type Style: Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, and pushbuttons, as well as menu names, paths, and options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code, as well as names of installation, upgrade, and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the Ctrl key.

Icons

Icon: Meaning

Caution

Example

Note

Recommendation

Syntax


March 2007 4

Contents

1 Introduction ................................................................ 5
1.1 Target Audience ........................................................... 5
1.2 About this Document ....................................................... 5

2 Before You Start ............................................................ 6
2.1 Fundamental Security Guides ............................................... 6
2.2 Important SAP Notes ....................................................... 7
2.3 Additional Information .................................................... 7
2.4 Overview of the Business Scenarios ........................................ 7
2.5 Software Component Matrix ................................................. 9
2.6 The SAP SRM Business Scenarios and Relevant Components ................... 12

3 Technical System Landscape ................................................. 28
3.1 Architecture ............................................................. 28

4 Network Security and Communication Security ................................ 33
4.1 Communication Channel Security ........................................... 33
4.2 Network Security ......................................................... 37
4.3 Communication Destinations ............................................... 37

5 Data Storage Security ...................................................... 39

6 Auditing and Logging ....................................................... 40

7 User Administration and Authentication ..................................... 46
7.1 User Management .......................................................... 46
7.2 Integration into Single Sign-On Landscapes ............................... 46

8 Authorizations ............................................................. 47
8.1 ABAP Roles for SAP SRM Server 6.0 (Enterprise Buyer) ..................... 48
8.2 ABAP Roles for SAP SRM Server 6.0 (SUS) .................................. 68
8.3 ABAP Authorization Objects for SAP SRM Server 6.0 (Category Management) .. 74
8.4 Portal Roles (for NetWeaver Portal 7.0) .................................. 76
8.5 Changes to the Authorization Check ....................................... 84

9 Appendix ................................................................... 86
9.1 Data Privacy Statement ................................................... 86
9.2 Virus Checking of Document Attachments ................................... 86
9.3 Additional Related Guides ................................................ 87
9.4 Additional Information ................................................... 88


1 Introduction

This guide does not replace the administration or operations guides that are available for productive operations.

1.1 Target Audience

Technology consultants

System administrators

This document is not included as part of the installation guides, SAP Solution Manager content (configuration information), technical operation manuals, or upgrade guides. Such guides are only relevant for a certain phase of the software life cycle, whereas the security guides provide information that is relevant for all life cycle phases.

1.2 About this Document

The solution SAP Supplier Relationship Management (SAP SRM) consists of different components, such as SAP Enterprise Buyer (EBP), SAP Bidding Engine (both reside on SRM Server), and Live Auction Cockpit.

This cross-component security guide provides security-relevant information for the individual SRM components.

In many cases, the required information has already been provided in other security guides and in the configuration information or installation guides. In these cases, we have provided a reference to the relevant sections within these guides.

Security in the context of an SRM solution comprises the following aspects:

User authentication

Support of Single Sign-On

Administration and checking of user authorizations to prevent unauthorized access to saved data

Secure data transfer between users and the SRM application components, especially in the case of browser-based access via the Internet

General access control, including protection of the system against unauthorized external access

Safeguarding of data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet

The individual components of the SAP SRM solution are based on the standard technology of SAP NetWeaver, like SAP Web Application Server (including Internet Transaction Server) and SAProuter. This means that only the official precepts of the SAP security strategy are used. The standard tools and mechanisms of the SAP NetWeaver platform are used. In 80 percent of cases, an SAP SRM system landscape comprises Enterprise Buyer and Live Auction Cockpit. The User Management Engine (UME) is only required with SAP NetWeaver Portal and this is why UME is not covered by this guide.

This Security Guide focuses on specific SAP SRM implementations – the standard case is covered by the security guides of the respective basis technologies.


2 Before You Start

SAP has recently changed some of the naming of SAP products. Note that the old names are still in use and therefore the following product names are synonymous:

New Name              Old Name
SAP SRM 2007          mySAP SRM 6.0
SAP NetWeaver 7.0     SAP NetWeaver 2004s

2.1 Fundamental Security Guides

SAP SRM is built on the technology of SAP NetWeaver. Therefore, the corresponding security guides also apply to the SAP SRM solution. Pay particular attention to the most relevant sections as indicated in the table below.

Fundamental Security Guides

Scenario, Application or Component Security Guide: SAP NetWeaver Security Guide
Most-Relevant Sections: See tables below.

Introduction to Security with the SAP NetWeaver Platform

Topic: See
Technical System Landscape: Technical System Landscape
User Administration and Authentication: User Administration and Authentication
Network and Transport Layer Security: Network and Communication Security
Secure Programming: Secure Programming

Security Guides for SAP NetWeaver According to Usage Types

Usage Type: See
Application Server (AS): SAP NetWeaver Application Server ABAP Security Guide; SAP NetWeaver Application Server Java Security Guide; Internet Transaction Server Security; Virus Protection and SAP GUI Integrity Checks
NetWeaver Portal (EP): Portal Security Guide
Business Information (BI): Security Guide for SAP NetWeaver BI
Process Integration (PI): SAP NetWeaver Process Integration Security Guide

Security Guides for Standalone Engines

Engine: See
Search and Classification (TREX): Search and Classification (TREX) Security Guide

For a complete list of the available SAP Security Guides, see SAP Service Marketplace at service.sap.com/securityguide.

2.2 Important SAP Notes

The most important SAP Notes that apply to SAP SRM are shown in the table below:

SAP Note Number   Title
39267             Availability of the SAP Security Guide
595519            Include EBP in a portal
843740            Data protection text for vendor maintenance
420085            Logon Ticket Cache

For more SAP Notes on security, see SAP Service Marketplace at service.sap.com/security → SAP Security Notes → SAP Notes on SAP Security, or the notes for the application areas BC-JAS-SEC and BC-SEC.

2.3 Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content                Quick Link on the SAP Service Marketplace
Security               http://service.sap.com/security
Security Guides        http://service.sap.com/securityguide
Related SAP Notes      http://service.sap.com/notes
Released platforms     http://service.sap.com/platforms
Network security       http://service.sap.com/network and http://service.sap.com/securityguide
SAP Solution Manager   http://service.sap.com/solutionmanager

2.4 Overview of the Business Scenarios

Before you start the security setup, you need to decide which SRM components need to be installed. You should also have carried out a rough sizing exercise to answer questions on the technical setup.

You can use this Security Guide to define the network structure, for example firewalls, routers, load balancing, protocols used, and the necessary configuration of the components, as well as a concept for user administration.

In this section, you can find the Software Component Matrix, and details of the components used for each business scenario.

For more information about the business scenarios, see the SAP SRM Master Guide on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SRM Server 6.0.


2.5 Software Component Matrix

This section provides an overview of which business scenarios use which components in this SAP Business Suite solution. The exact locations of the required software components on the corresponding DVD(s) and CD(s) that are shipped with the SAP SRM 6.0 package can be found under service.sap.com/instguides → SAP Business Suite Applications → SAP SRM.

Software Components (SAP Delivered Content) by SRM Business Scenario

The eight scenario columns, read left to right, are:

1 Self-Service Procurement
2 Plan-Driven Procurement
3 Service Procurement
4 Catalog Content Management
5 Analytics
6 Category Management
7 Contract Management
8 Strategic Sourcing

Software Component: scenarios 1 2 3 4 5 6 7 8

SAP® Supplier Relationship Management Server 6.0 (SAP SRM Server 6.0, based on SAP® Web Application Server 7.00, comprises SAP® Enterprise Buyer, SAP® Bidding Engine and Supplier Self-Services): M M M M M M M M

Live Auction Cockpit web presentation server (LACWPS) 6.0: - - - - - - - M (i)

SRM-MDM Catalog 1.0: O O O M - - O O

SAP WebAS ABAP 7.00: M M M M M M M M

SAP WebAS Java 7.00: M M M M M M M M

SAP NetWeaver® 2004s Search and Classification (TREX): O M - - - O O O

SAP NetWeaver® BI 7.0: O O O - M M O O

SAP NetWeaver® BI_CONT 7.03: O O O - M M O O

SAP NetWeaver® Enterprise Portal 7.0: M M M M M M M M

Business Package for SRM Server 6.0: M M M M M M M M

Business Package for Category Management: O O O O O M O O

SAP NetWeaver® Process Integration 7.0: O M M O M (iii) - O O

XI Content for SAP SRM Server 6.0: O M M O - - O O

XI Content for SAP NetWeaver BI Content 7.03: O O O O - - - -

XI Content for SRM-MDM Catalog: O O O O - - O O

SAP NetWeaver® MDM 5.5: M O - M M (iii) - O O

SAP NetWeaver® Adobe Document Server 7.0: O O M - - - O O

Duet 1.0: O - - - - - M (ii) -

cProject 4.0: - O - O - O - O

SAP Document Builder: - - - - - - M (ii) -

SAP® R/3 OLTP as of 3.1i up to SAP® R/3 Enterprise 4.70, ERP 1.0, ERP 2.0 (SAP R/3 4.6C or higher recommended): M M O - O O O O

SAP R/3 Plug-In 2004.1 or higher if one is available: M M O - O O O O

SAP GUI 7.0 or Higher: M M M M M M M M

Legend:

O = Optional business or technology enhancement for this scenario

M = Mandatory minimum requirement for the deployment variants of this scenario

(i) With Live Auction

(ii) Legal & Operational Contract Collaboration

(iii) For Master Data Harmonization / Consolidation

You require SAP® NetWeaver 2004s TREX in the following cases:

o When you use the contract management application to search for information such as vendor texts, internal notes, and attachments.

o When you want to use the metadata search functionality or use BI accelerator within Analytics.


2.6 The SAP SRM Business Scenarios and Relevant Components

The following section provides an overview of the business scenarios of SAP SRM with a diagram of the component landscape and a textual description of the relevant components:

Contract Management

Service Procurement

Strategic Sourcing

Plan-Driven Procurement

Catalog Content Management (SRM-MDM Catalog)

Self-Service Procurement

Spend Analysis

[Figure: component landscape diagram; legend entry: XML]


Contract Management

Contract Management enables your purchasers to create, change, and monitor purchasing contracts. They can use the catalogs provided by SAP SRM-MDM Catalog to add items to contracts. SAP BI 7.0 is used to carry out evaluations. SAP Exchange Infrastructure (XI) is also necessary in this business scenario to upload external flat files for product category hierarchies and supplier hierarchies.

The SRM Server (EBP) Web front-end uses ABAP Web Dynpro technology. The Web front-end of SAP SRM-MDM Catalog 1.0 uses Java Web Dynpro technology. SAP Business Intelligence is realized using Business Server Pages (BSP) technology.

Depending on the requirements of the SRM 6.0 installation (should SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:

SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

SAP SRM-MDM Catalog 1.0: Enable SAP Web AS Java 7.0 SSL (see Transport Layer Security on the SAP J2EE Engine, section Configuring the Use of SSL on the SAP J2EE Engine)


SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0

If necessary, configure SNC connections between SAP SRM Server and the back-end system

If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 7.0

If necessary, connect SAP SRM Server 6.0 (EBP), SAP SRM Server 6.0 (SUS), and SAP SRM-MDM Catalog via HTTPS and FTPS and SNC to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)


Service Procurement

This business scenario is used to cover the entire service procurement process.

The SRM Server (SUS) web front-end uses Business Server Pages (BSP) technology.

Necessary steps:

SAP SRM Server 6.0 (SUS): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure Enterprise Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (SUS)

Depending on whether SAP SRM Server (EBP) is also to be made available via the Internet, or depending on the internal Security Policy, the following might also be necessary:

SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)

SAP BI 7.0: Enable SAP Web AS 7.0 SSL (configure HTTPS protocol)


Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0

If necessary, configure SNC connections between SAP SRM Server and the back-end system

If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 7.0

If necessary, connect SAP SRM Server 6.0 (EBP), SAP SRM Server 6.0 (SUS), and SAP SRM-MDM Catalog via HTTPS and FTPS and SNC to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)

The SRM@ERP2005 business scenario Supplier Self-Registration is identical to the above business scenario Service Procurement in the SAP SRM standard.


Strategic Sourcing

Within Strategic Sourcing, bid invitations are created in SAP SRM Server and suppliers are invited to participate in these bid invitations by submitting bids. Bid invitations can also be converted into live auctions. Live auctions occur in SAP Live Auction Cockpit (LAC) WPS. SAP LAC WPS consists of a server part running on an SAP J2EE 7.0 and a Java applet that communicates with the server.

The Java applet is loaded into the browser of the user and is executed locally.

Necessary steps:

SAP SRM Server 6.0 (EBP/Bidding Engine): Enable SAP Web AS ABAP 7.0 SSL (configure HTTPS protocol)

SAP LAC WPS 6.0: Enable SAP Web AS Java 7.0 SSL

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (EBP/Bidding Engine)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP LAC WPS 6.0


Optional (if components are accessed via the Internet or if the Intranet Security Policy requires usage of HTTPS):

SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)

SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

If necessary, configure SNC connections between SAP SRM Server and the back-end system

If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 7.0


Plan-Driven Procurement

Plan-Driven Procurement (Direct Procurement) automates and streamlines ordering processes for regularly-needed core materials. Suppliers can process purchase orders directly in SAP SRM Server (SUS). The purchase orders are transferred to SAP SRM Server (SUS) from the back-end system via SAP Exchange Infrastructure (XI).

The Web front-end of SAP SRM Server (SUS) is realized using Business Server Pages (BSP) technology.

Since suppliers log on to SAP SRM Server (SUS) via the Internet, the HTTPS protocol should definitely be configured for SAP SRM Server (SUS).

Necessary steps:

SAP SRM Server 6.0 (SUS): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (SUS)

If SAP SRM Server (EBP) is also to be accessed via the Internet, or depending on the internal Security Policy, it might be necessary to do the following:

SAP SRM Server 6.0 (EBP): Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)


Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0 (EBP)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

If necessary, configure SNC connections between SAP SRM Server and the back-end system

If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 7.0

If necessary, connect SAP SRM Server 6.0 (EBP) and SAP SRM Server 6.0 (SUS) via HTTPS and SNC to SAP Exchange Infrastructure (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security)


Catalog Content Management (SRM-MDM Catalog)

The SRM-MDM Catalog search UI is realized using Java Web Dynpro technology. Catalogs can be uploaded via the file system using the MDM Import Manager in XML or Excel format. Contract data can be loaded via SAP Exchange Infrastructure (XI) and the MDM Import Manager from the SAP SRM Server system.

In the scope of a procurement process, transfer of product data from SAP SRM-MDM Catalog to SAP SRM Server occurs via HTTP(S) in accordance with the Open Catalog Interface (OCI) specification via the user browser.

Necessary steps:

Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)


Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0

If necessary, connect SAP SRM-MDM Catalog via FTPS to SAP Exchange Infrastructure (XI) (see SAP NetWeaver Process Integration Security Guide and Network and Communication Security).

For MDM security-related information, refer to the SAP NetWeaver MDM 5.5 Security Guide on SAP Service Marketplace at service.sap.com/mdm → Installation & Upgrade Guides.
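The OCI transfer described in this scenario runs through the user's browser: SRM calls the catalog with a return URL, and the catalog posts the selected items back to that URL. Because the post-back travels over HTTP(S) chosen by whoever supplied the return URL, the catalog side should refuse to hand items back to anything but an HTTPS URL on a known SRM host, and should reject malformed item data before it reaches the shopping cart. The following Python is an added example written for this guide; it is not SAP's code and not part of SRM-MDM Catalog. The field names HOOK_URL and NEW_ITEM-<FIELD>[n] follow the OCI specification as the editor recalls it and should be checked against the OCI version in use; the host names, paths and form values are constructed.

```python
"""Validate an OCI (Open Catalog Interface) hand-back before the browser posts
it from the catalog back to SAP SRM Server.

Added example for this guide, not SAP code. OCI field names as recalled from
the OCI specification (verify against your version); hosts and values are
constructed.
"""
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, FrozenSet, List
from urllib.parse import urlsplit

# Constructed allowlist: the SRM hosts this catalog may return items to.
TRUSTED_SRM_HOSTS: FrozenSet[str] = frozenset({"srm.example.internal"})

# Fields every returned item must carry (subset of the OCI item fields).
REQUIRED_FIELDS = ("DESCRIPTION", "QUANTITY", "PRICE", "CURRENCY")

_ITEM_FIELD = re.compile(r"NEW_ITEM-([A-Z_]+)\[(\d+)\]")

# Constructed sample of a two-item hand-back form as the catalog would post it.
SAMPLE_FORM = {
    "NEW_ITEM-DESCRIPTION[1]": "Laptop docking station",
    "NEW_ITEM-QUANTITY[1]": "2",
    "NEW_ITEM-UNIT[1]": "EA",
    "NEW_ITEM-PRICE[1]": "129.00",
    "NEW_ITEM-CURRENCY[1]": "EUR",
    "NEW_ITEM-DESCRIPTION[2]": "USB-C cable 1 m",
    "NEW_ITEM-QUANTITY[2]": "10",
    "NEW_ITEM-UNIT[2]": "EA",
    "NEW_ITEM-PRICE[2]": "7.50",
    "NEW_ITEM-CURRENCY[2]": "EUR",
}


def check_hook_url(hook_url: str,
                   trusted_hosts: FrozenSet[str] = TRUSTED_SRM_HOSTS) -> List[str]:
    """Return the reasons a return URL must be refused; empty means acceptable."""
    problems: List[str] = []
    parts = urlsplit(hook_url)
    if parts.scheme.lower() != "https":
        problems.append("HOOK_URL is not https")
    if (parts.hostname or "").lower() not in trusted_hosts:
        problems.append("HOOK_URL host is not a trusted SRM server")
    if parts.username or parts.password:
        problems.append("HOOK_URL embeds credentials")
    return problems


def parse_oci_items(form: Dict[str, str]) -> List[Dict[str, str]]:
    """Group NEW_ITEM-<FIELD>[n] form fields into one dict per item, in index order."""
    items: Dict[int, Dict[str, str]] = {}
    for name, value in form.items():
        match = _ITEM_FIELD.fullmatch(name)
        if match:
            items.setdefault(int(match.group(2)), {})[match.group(1)] = value
    return [items[index] for index in sorted(items)]


def validate_items(items: List[Dict[str, str]]) -> List[str]:
    """Check that each item is complete and that numeric fields are sane."""
    problems: List[str] = []
    for number, item in enumerate(items, 1):
        for field in REQUIRED_FIELDS:
            if not item.get(field, "").strip():
                problems.append(f"item {number}: {field} missing")
        for field in ("QUANTITY", "PRICE"):
            raw = item.get(field, "").strip()
            if not raw:
                continue
            try:
                if Decimal(raw) <= 0:
                    problems.append(f"item {number}: {field} must be positive")
            except InvalidOperation:
                problems.append(f"item {number}: {field} is not a number")
        currency = item.get("CURRENCY", "")
        if currency and not re.fullmatch(r"[A-Z]{3}", currency):
            problems.append(f"item {number}: CURRENCY must be a 3-letter ISO code")
    return problems


def validate_handback(hook_url: str, form: Dict[str, str]) -> List[str]:
    """All reasons to refuse the post-back; an empty list means it may proceed."""
    return check_hook_url(hook_url) + validate_items(parse_oci_items(form))


if __name__ == "__main__":
    for url in ("https://srm.example.internal/oci/return",
                "http://srm.example.internal/oci/return"):
        print(url, "->", validate_handback(url, SAMPLE_FORM) or "OK")
```

The host allowlist is the important part: an HTTPS check alone still lets the cart be posted to any server that presents a valid certificate, so the catalog should only ever return to the SRM hosts it was configured for.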


Self-Service Procurement

Self-Service Procurement (Indirect Procurement) enables your employees to create and manage their own requirement requests. They can search in catalogs provided by SAP SRM-MDM Catalog. SAP BI 7.0 is used to carry out evaluations.

Depending on the requirements of the SRM 6.0 installation (should SAP SRM Server (EBP) be available via the Internet?) and depending on the internal Security Policy, the following has to be carried out:

SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

SAP SRM-MDM Catalog 1.0: Enable SAP Web AS 7.0 Java SSL (configure HTTPS protocol)

SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog 1.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

Configure SSO between SAP SRM Server 6.0, SAP SRM-MDM Catalog 1.0 and SAP BI 7.0

If necessary, configure SNC connections between SAP SRM Server and the back-end system


If necessary, configure SNC connections between SAP SRM Server/backend system and SAP BI 7.0

The Extended Self-Service Procurement business scenario is almost the same as the standard Self-Service Procurement business scenario, except that it is extended by a SUS system that is connected to the SAP ECC system.


Category Management

Category Management enables your employees to create sourcing, contracting and operations strategies, to transform these strategies into initiatives, and to manage these initiatives.

Necessary steps:

SAP SRM Server 6.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

SAP BI 7.0: Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM Server 6.0

Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP BI 7.0

For security-relevant information on Collaborative Project Management (cProjects) 4.0, refer to the SAP Project and Portfolio Management 4.00 Security Guide on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP PLM → using cProject Suite 4.00.


Spend Analysis

SRM 6.0 enables you to consolidate data in SAP Business Intelligence (SAP BI) and to carry out evaluations. The data for this comes from SAP SRM Server or its back-end system via RFC/SNC. Users access the reports via a Web front-end that is realized using BSP technology.

If BI reports are also made available to suppliers, SAP BI has to be accessible via the Internet. If it is only available to the purchasers, it depends on the individual realization of the scenario:

Should the SRM system landscape be available to the purchasers via the Internet or only via the Intranet?

Does the internal security policy require that HTTPS be used for all Web-based applications?

Necessary steps:

Enable SAP Web AS 7.0 ABAP SSL (configure HTTPS protocol)


Configure NetWeaver Portal (EP 7.0) for secure access/connection to and from SAP SRM-MDM Catalog

If necessary, configure SNC between SAP SRM Server/backend system and SAP Business Intelligence


3 Technical System Landscape

SRM supports various presentation technologies on which the individual SRM components run and via which user access and data transfer occurs. The architecture, determined by the respective presentation technology, is crucial for the security of an SRM system. The architecture determines the security concept.

3.1 Architecture

The architecture of an SRM system landscape is heavily dependent on the security measures, which are in turn determined by the data to be transferred and the data channels.

In an SRM system landscape, there are two types of channel via which data is exchanged and which require careful attention in terms of providing security for data exchange via external interfaces:

Exchange of data via external user interfaces

Exchange of data/documents via external system interfaces

In both cases, the SRM security concept incorporates a Demilitarized Zone (DMZ) that is delimited by an internal and an external firewall. Within the DMZ there is an application gateway.

We recommend that you use SAP Web Dispatcher. URLs and ports for the systems behind the internal firewall can be configured in any way and are not known to users outside of the external firewall.

In this way, the SRM security concept follows the usual SAP security standards that are used on a world-wide basis.

Exchange of Data via External User Interfaces

Data exchange via external user interfaces occurs in SRM in the following ways:

Data exchange via the application gateway using an internal Internet Transaction Server (ITS) or, for components with a Web front-end on Business Server Pages (BSP) technology, via BSP. BSP is used for Supplier Self-Services (SUS) and Supplier Registration (ROS).

ITS is only relevant in certain use cases depending on which SRM 6.0 SP is installed.

Data exchange via the Java applet Live Auction Cockpit WPS (also via the application gateway)

Data exchange via Duet

Data Exchange via the Application Gateway for Applications with Web Frontends

The following SRM scenarios, where the Web front-end is based on ITS or BSP technology, work on this principle:

Self-Service Procurement


Plan-Driven Procurement

Service Procurement

Catalog Content Management

Spend Analysis

(Strategic Sourcing with Bidding Engine but without LAC WPS)

Contract Management

Basic Representation of the Communication Paths of the SRM Components to the Outside via the Application Gateway.

The SAP Web Dispatcher functions as an application gateway and is used as a "software Web switch" between the Internet and your SAP SRM Server system, which consists of one or more Web Application Servers. You therefore have only one point of access for HTTP(S) requests in your system. Furthermore, SAP Web Dispatcher balances the load, so that a request is always sent to the server with the greatest free capacity.

For more information, see the documentation about SAP Web Dispatcher.

SAP Web Dispatcher is connected to the Internet Communication Manager (ICM) via the internal firewall of the DMZ.

All security aspects are dealt with via the ITS and SAP Web AS.


In this way, the SRM security concept, like all other SAP solutions, is entirely based on the general SAP security standards.

System Landscape Architecture

For external access, a landscape as illustrated in the above figure is recommended. The landscape allows access to the external-facing portal and Web Dynpro applications to be constrained through the Web Dispatcher configuration.

See also:

http://service.sap.com/notes -> SAP Note 517484 (Inactive Services in the Internet Communication Framework)

Portal Security Guide

Security Issues in Web Dynpro for ABAP

Data Exchange via Java Applet Live Auction Cockpit WPS

In the SRM business scenario Strategic Sourcing, a Java applet is loaded in the browser of an external supplier for live auctions (not for auctions via the Sourcing application in SRM Bidding Engine). This applet communicates with the server part of LAC on the SAP J2EE Engine 7.0 via the application gateway.


Basic Representation of the Communication Paths of the SRM Components Including LAC WPS 6.0 to the Outside.

The ABAP Sourcing application allows external suppliers to participate in bid invitations that are created and evaluated using SAP Bidding Engine. Auctions can be converted into live auctions and are then processed in LAC.

LAC is a Java component (LAC WPS) on the presentation level whose runtime environment is the J2EE Engine of SAP Web AS 7.0.

LAC WPS consists of a server part that runs on J2EE 7.0 and a Java applet that is loaded into the browser of the user and executed locally there. The applet communicates via HTTP(S) with the server part. The server communicates with SAP SRM Server via RFC. A digitally signed version of the Java applet for the functions Approval Preview and Follow-On Documents (document history) is available in addition to the unsigned applet currently in use.

Communication between the Java applet and the LAC WPS server occurs just like any HTTP(S)-based communication with the Internet, via the application gateway that exists in the DMZ. (Each type of communication with the Internet that occurs via HTTP(S) makes use of the application gateway.)

All security aspects are dealt with by SAP Web AS.

Data Exchange via Duet User Interface

The specifics of the Duet user interface are covered in the Duet 1.0: SAP Administration Guide. You can find this guide on SAP Service Marketplace at service.sap.com/instguides -> SAP xApps -> Duet -> Duet 1.0 -> Duet 1.0: SAP Administration Guide.


Exchange of Data/Documents via External System Interfaces

In an SRM system landscape, the Exchange Infrastructure (XI) is used to transfer data in the form of documents via external system interfaces. Here, too, XI is connected to the Internet via the SAP Web Dispatcher located in the DMZ.

All security aspects are dealt with by SAP Web Dispatcher and XI.

For more information, see SAP Web Dispatcher and SAP NetWeaver Process Integration Security Guide.


4 Network Security and Communication Security

Your network infrastructure is important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, intruders cannot use those layers to compromise the machines and gain access to the back-end system's database or files. Additionally, if users cannot connect to the LAN (local area network) server, they also cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the SAP SRM solution is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to SAP SRM.

4.1 Communication Channel Security

This section deals with measures to protect data that is being transferred from unauthorized access.

Data transfer is by means of HTTPS (SSL encryption), as is also used elsewhere in SAP system landscapes.

We recommend using the same protocol, either HTTP or HTTPS, consistently in all system objects. This means all the deployed objects have to be configured in exactly the same way regarding HTTP(S) throughout. This is done especially to avoid problems caused by JavaScript-based communication between the single layers.

The mechanisms to use for transport layer security and encryption depend on the protocols used. For Internet protocols such as HTTP, you can use the Secure Sockets Layer (SSL) protocol to provide the protection. For SAP protocols such as dialog and RFC, you can use Secure Network Communications. See Network Security for SAP Web AS ABAP and Network Security for the SAP J2EE Engine for an overview of the corresponding SAP Web AS connections and the security mechanism to use.

We recommend that you consult the following documentation in the SAP NetWeaver Security Guide -> Network and Communication Security.

See the following topics:

Basic Network Topology for SAP Systems

Network Services

Using Firewall Systems for Access Control

Application-Level Gateways Provided by SAP

Example Network Topology Using an SAProuter

Example Network Topology When Using SAP Remote Services

Using Multiple Network Zones

Transport Layer Security

Secure Network Communications (SNC)


SNC-Protected Communication Paths in SAP Systems

Additional Information on Network Security

Enabling SSL (HTTPS) for SAP Web Application Server 7.0

This section is relevant for all Web applications that are based both on the ITS 7.0 and on BSP, that is, all scenarios with the exception of Strategic Sourcing with LAC WPS 6.0.

This safeguards data against unauthorized access when business data is being exchanged between SRM and external systems, especially in the case of data exchange with supplier systems via the Internet.

The electronic exchange of business data between SRM and a connected supplier must also be protected. Purchase orders and shipping notifications contain confidential information that an SAP SRM customer wants to protect from unauthorized access. Here also, SRM makes use of the standard Internet features. With the HTTP adapter, SAP Exchange Infrastructure supports the Secure HTTP protocol (HTTPS). By means of this protocol, all data is protected during the entire transfer from the sending system to the receiving system. For the automatic authentication of the participating systems, SAP SRM relies on the exchange of X.509 certificates.

The communication channels within the SAP SRM system landscape can be made secure using HTTPS (SSL). However, encrypting only some of the channels achieves little; use HTTPS consistently on all channels so that the protection is end to end.

Consult the Network and Transport Layer Security guide before carrying out the SSL settings for the SAP Web AS 7.0:

Using the Secure Sockets Layer Protocol with the SAP Web AS ABAP

o Configuring the SAP Web AS for Supporting SSL

To carry out the SSL settings for the ITS 7.0 (internal ITS on SAP Web AS 7.0), proceed in accordance with the following sections of the SAP NetWeaver Application Server Security Guide:

Internet Transaction Server Security

o A Secure Network Infrastructure for the ITS

o Protecting the Server and Network Components

o TCP Ports Used by the ITS

For security issues regarding SRM applications with a Web front-end on a BSP basis, see Security Aspects for BSP.

Portal and Web Dynpro SSL Configuration

Enter SSL in Portal system maintenance for the SRM system entry and enable SSL for the Portal server as well. For more information, see the topics Configuring the SAP Web AS for Supporting SSL and Configuration Settings, and SAP Note 510007: Setting up SSL on the Web Application Server.
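The profile settings behind the recommendations of sections 3.1 and 4.1 (HTTPS on the ICM, one protocol throughout, SNC for RFC and dialog, TLS kept on the Web Dispatcher-to-backend leg) can be checked mechanically before an instance goes into the DMZ landscape. The following Python script is an added example and is not part of this guide or of any SAP tool. The parameter names it reads (icm/server_port_N, login/ticket_only_by_https, snc/enable, snc/data_protection/min, snc/accept_insecure_rfc, wdisp/system_N, wdisp/ssl_encrypt) are standard SAP profile parameters; the sample profiles, host names and port numbers are constructed for illustration, and the checks encode this guide's recommendations rather than SAP defaults:

```python
"""Audit SAP profiles for the transport security the guide asks for. Added example,
not SAP code: parameter names are standard SAP profile parameters; the sample
profiles, host names and ports are constructed."""
import re

# Constructed: SRM Server instance profile before hardening (HTTP next to HTTPS,
# no SNC for RFC/dialog) and after hardening.
WEAK_ABAP_PROFILE = """
# instance profile (constructed sample)
SAPSYSTEMNAME = SRM
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=SMTP,PORT=0
snc/enable = 0
"""
HARDENED_ABAP_PROFILE = """
SAPSYSTEMNAME = SRM
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/server_port_1 = PROT=SMTP,PORT=0
icm/HTTPS/verify_client = 1
login/ticket_only_by_https = 1
snc/enable = 1
snc/data_protection/min = 3
snc/accept_insecure_rfc = 0
"""
# Constructed: Web Dispatcher in the DMZ that terminates TLS and forwards plain
# HTTP through the internal firewall (wdisp/ssl_encrypt = 0), and its fix.
WEAK_WDISP_PROFILE = """
icm/server_port_0 = PROT=HTTPS,PORT=443
wdisp/system_0 = SID=SRM, MSHOST=srm-ms.internal.example, MSPORT=8100, SRCSRV=*:443, SRCURL=/
wdisp/ssl_encrypt = 0
"""
HARDENED_WDISP_PROFILE = WEAK_WDISP_PROFILE.replace("ssl_encrypt = 0", "ssl_encrypt = 1")


def parse_profile(text):
    """'key = value' lines, '#' comments; a later entry for the same key overrides
    an earlier one, as in SAP's own profile handling."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def subparams(value):
    """'PROT=HTTPS,PORT=44300' -> {'PROT': 'HTTPS', 'PORT': '44300'}"""
    out = {}
    for part in value.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val.strip()
    return out


def audit(profile_text):
    """Return a list of findings; an empty list means every check passed."""
    params = parse_profile(profile_text)
    findings = []
    is_wdisp = any(re.fullmatch(r"wdisp/system_\d+", k) for k in params)

    # Protocols served by the ICM (only HTTP and HTTPS ports matter here)
    protocols = set()
    for key, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", key):
            prot = subparams(value).get("PROT", "").upper()
            if prot in ("HTTP", "HTTPS"):
                protocols.add(prot)
    if "HTTPS" not in protocols:
        findings.append("no HTTPS port on the ICM (icm/server_port_N with PROT=HTTPS missing)")
    if {"HTTP", "HTTPS"} <= protocols:
        findings.append("HTTP and HTTPS both served; the guide asks for one protocol throughout")

    if is_wdisp:
        # DMZ gateway: TLS has to continue on the leg to the backend
        if "HTTPS" in protocols and params.get("wdisp/ssl_encrypt") != "1":
            findings.append("Web Dispatcher does not re-encrypt towards the backend "
                            "(wdisp/ssl_encrypt not explicitly 1)")
        return findings

    # ABAP instance: logon ticket cookie only over HTTPS; SNC with privacy for RFC
    if "HTTPS" in protocols and params.get("login/ticket_only_by_https") != "1":
        findings.append("logon ticket cookie not restricted to HTTPS (login/ticket_only_by_https != 1)")
    if params.get("snc/enable") != "1":
        findings.append("SNC disabled (snc/enable != 1); RFC and dialog traffic is unprotected")
    else:
        if params.get("snc/data_protection/min") != "3":
            findings.append("SNC minimum protection below privacy (snc/data_protection/min != 3)")
        if params.get("snc/accept_insecure_rfc") != "0":
            findings.append("insecure RFC still accepted (snc/accept_insecure_rfc not explicitly 0)")
    return findings


if __name__ == "__main__":
    print(audit(WEAK_ABAP_PROFILE), audit(WEAK_WDISP_PROFILE))
```

The script deliberately treats an unset parameter as a finding instead of assuming a default, so that every setting the guide relies on is made explicit in the profile and survives a kernel upgrade that changes defaults.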


Enabling SSL for J2EE 7.0

This section is relevant if you want to implement the SRM scenario Strategic Sourcing with LAC WPS 6.0 (LAC WPS runs on the J2EE Engine of SAP Web AS 7.0).

To configure SSL for LAC on J2EE 7.0, proceed in accordance with the following documentation: Configuring the Use of SSL on the SAP J2EE Engine

See also:

Security Guide for Connectivity with the SAP J2EE Engine

Transport Layer Security on the SAP J2EE Engine

Secure Connection of Application Systems to SAP XI

All XI runtime components using the HTTP protocol support the encryption of the HTTP data stream by means of the SSL protocol, also known as HTTPS. HTTPS data streams are completely transparent to the Exchange Infrastructure.

Without transport layer security, all data (including passwords) is transmitted through the network (Intranet or Internet) in plain text, whichever protocol is used. To maintain the confidentiality of this data, you can apply transport layer encryption to the connection between the business systems, the Integration Server, the adapters, and the Web browser.

We especially recommend that you use encryption when you transmit passwords, orders, company-specific information or any other data that you consider sensitive.

You can use Secure Sockets Layer (SSL) or Secure Network Communication (SNC) to increase the security of the following connections:

Between adapters and Integration Server

Between business systems and Integration Server

Between PCK and Integration Server

Between business systems and adapters

Adapters, business systems, and Integration Servers communicate with each other using the RFC or HTTP protocol, which can be secured by SNC or SSL respectively.

Find detailed information here:

SAP NetWeaver Process Integration Security Guide -> Network and Communication Security -> HTTP and SSL and Adapter-Specific Security Configuration

Here you find information on sending and receiving messages with the Adapter Engine using HTTPS/SSL: Configuration Guide - SAP XI 7.0: Chapter 10 Communication and Security and 10.1 HTTPS Configuration for the Adapter Engine.

Integration of SAP SRM Server (EBP) Services into SAP NetWeaver Portal

Ensure that you have downloaded all of the relevant portal roles for SRM 6.0 from SAP Service Marketplace at service.sap.com/swdc. Here you can also find the current Business Package for SAP SRM 6.0.

Security Information:


Portal Security Guide -> Network and Communication Security -> Communication Channel Security -> Communication between Internal Components / Communication with Backend Systems.

Important Note: The portal and the connected back-end systems must use the same protocol (both use HTTP or both use HTTPS; no other combination is possible).

The portal and the connected back-end system must be in the same domain.

If you wish to implement your own SAP SRM Server (EBP) services, you must ensure that the iViews of the EBP services have EPCF level "2".


4.2 Network Security

General Access Control, Including Protection of the System and Stored Data Against Unauthorized External Access. General Standards: Firewalls, DMZ, SNC. SAP Standards: ITS, SAProuter

SAP SRM is a solution with many external interfaces, including interfaces to the Internet. This exposes SAP SRM to attempts from outsiders to access confidential data. Indeed, studies have shown that unauthorized access by internal employees also represents a considerable risk. As a pure business solution, SAP SRM can offer protection in this regard based on the Authorization Concept within SAP Web AS (SAP Authorization Concept). It is important to understand that SAP SRM is embedded in a comprehensive protection concept that offers protection both on a physical level and also, through additional firewalls, protected access to all levels of an IT infrastructure. As the SAP SRM architecture graphic shows, we recommend protecting the different SRM components using appropriate firewalls. This includes setting up a DMZ (Demilitarized Zone) that protects all critical components from direct access via the Internet.

Furthermore, we recommend protecting the data stores of the various SRM application components against direct access that bypasses the application layer and its authorization checks.

For more information on firewalls and the relevant settings, see the section Network and Communication Security -> Using Firewall Systems for Access Control (for firewall settings) in the SAP NetWeaver Security Guide and SAProuter in the SRM documentation (for SAProuter settings).

For more information on the settings for Secure Network Communications (SNC), see the section SNC-protected Communication in the SAP NetWeaver Application Server Security Guide.

See also: Additional Information on Network Security

4.3 Communication Destinations

All relevant communication destinations (such as RFC, IDoc, and so on) for SAP SRM aredescribed in SAP Solution Manager.

The following table provides an overview of where to find the relevant information in SAP Solution Manager:

Configuration Settings for Solution / Business Scenario | Path in SAP Solution Manager | Section

SAP SRM 2007 | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections

Self-Service Procurement | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for Self-Service Procurement | System Connections

Plan-Driven Procurement | SAP Solution Manager -> Configuration -> SAP SRM 2007 -> Basic Settings for Plan-Driven Procurement | System Connections

Service Procurement | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for Service Procurement | System Connections

Spend Analysis | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for Spend Analysis | System Connections

Strategic Sourcing | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections

Contract Management | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM | System Connections

SRM-MDM Catalog (Catalog Content Management) | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for SRM-MDM Catalog (Catalog Content Management) | System Connections

Category Management | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for Category Management -> Backend Configuration | Integrate cProjects and Integrate the SAP BI System

Duet | SAP Solution Manager -> Configuration Structures -> SAP SRM 2007 -> Basic Settings for SAP SRM -> Duet | Configuration Content for Duet


5 Data Storage Security

SRM runs using SAP standard technologies only (SAP NetWeaver Application Server ABAP Security Guide, SAP NetWeaver Application Server Java Security Guide) and does not use any external tools. The UI is realized using the Internet Transaction Server, Business Server Pages, and Web Dynpro. This means that no persistent cookies or authentication data are stored in the browser beyond what these standard technologies require.

For more information about the use of the Internet Transaction Server, Business Server Pages and Web Dynpro, see:

Security Aspects for BSP

Internet Transaction Server

Security Aspects of Web Dynpro for Java and Security Issues in Web Dynpro for ABAP

Data Storage

Security-relevant and personal data (for users and business partners) is stored in the standard SAP database tables. Access to these tables is protected by the SAP authorization checks.


6 Auditing and Logging

SAP NetWeaver provides standard tools and functions to log changes to various SAP objects, so that they can be reviewed and retraced afterwards and so that legal auditing and logging requirements are fulfilled.

These are described in the SAP NetWeaver Security Guide under Auditing and Logging and are relevant if you use SAP SRM.

The most relevant items regarding auditing and logging in SAP SRM are specified below:

Version History of SU01 User and Business Partner

SU01 User

Using the standard transaction SU01, menu path Information -> Change Documents for Users, a log table is displayed. This table lists all the actions that have changed user data so far.

You can also use transaction SUIM to enter the User Information System, which provides you with a wide range of functions relating to user history.


Business Partner

Using the standard transaction BP, menu path Extras -> Change History -> For This Partner, a log table is displayed for the changed field selected. The table contains all the changes ever carried out.


Change Documents of Business Documents

Change documents are another logging tool available to you. A change document logs changes to a business object. You access the change documents by selecting Tracking Change Documents from within the corresponding business document. This view shows every change made to the business document down to the field level.
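Because change documents record every field-level change together with the user, date, time and transaction, they are the natural input for detection logic. The following Python example is added here and is not part of the guide or of SAP. It runs over a small, constructed extract laid out like the change-document header and item tables (CDHDR: OBJECTCLAS, OBJECTID, CHANGENR, USERNAME, UDATE, UTIME, TCODE; CDPOS: CHANGENR, TABNAME, FNAME, VALUE_OLD, VALUE_NEW) and raises an alert when a supplier is changed on a purchase order that was already approved, when the net value jumps in a single change, or when a change is made outside business hours. The object class, table and field names, status values, user names and thresholds are assumptions chosen for the illustration, not SRM's actual ones:

```python
"""Detection rules over SAP change documents for purchase orders. Added example,
not part of the guide. Column names follow CDHDR/CDPOS; object class, field
names, status values, users and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed change-document header rows (one per change)
CDHDR = [
    {"OBJECTCLAS": "PURCHASE_ORDER", "OBJECTID": "4500000001", "CHANGENR": "0000000001",
     "USERNAME": "MILLER", "UDATE": "20070305", "UTIME": "091200", "TCODE": "BBP_POC"},
    {"OBJECTCLAS": "PURCHASE_ORDER", "OBJECTID": "4500000001", "CHANGENR": "0000000002",
     "USERNAME": "MILLER", "UDATE": "20070305", "UTIME": "234000", "TCODE": "BBP_POC"},
    {"OBJECTCLAS": "PURCHASE_ORDER", "OBJECTID": "4500000002", "CHANGENR": "0000000003",
     "USERNAME": "SMITH", "UDATE": "20070306", "UTIME": "100500", "TCODE": "BBP_POC"},
]
# Constructed change-document item rows (one per changed field)
CDPOS = [
    {"CHANGENR": "0000000001", "TABNAME": "PO_HEADER", "FNAME": "STATUS",
     "VALUE_OLD": "SAVED", "VALUE_NEW": "APPROVED"},
    {"CHANGENR": "0000000002", "TABNAME": "PO_HEADER", "FNAME": "SUPPLIER",
     "VALUE_OLD": "1000123", "VALUE_NEW": "1000999"},
    {"CHANGENR": "0000000002", "TABNAME": "PO_HEADER", "FNAME": "NET_VALUE",
     "VALUE_OLD": "12000.00", "VALUE_NEW": "118000.00"},
    {"CHANGENR": "0000000003", "TABNAME": "PO_HEADER", "FNAME": "DELIV_DATE",
     "VALUE_OLD": "20070320", "VALUE_NEW": "20070327"},
]

BUSINESS_HOURS = (7, 19)      # changes outside 07:00-19:00 are flagged (assumed policy)
VALUE_JUMP_FACTOR = 5.0       # net value multiplied by more than this is flagged (assumed)


def join_change_documents(headers, items):
    """Attach item rows to their header and order by object and change number, so
    rules can reason about the sequence in which one document was changed."""
    by_change = defaultdict(list)
    for item in items:
        by_change[item["CHANGENR"]].append(item)
    events = []
    for hdr in headers:
        ev = dict(hdr)
        ev["ITEMS"] = by_change.get(hdr["CHANGENR"], [])
        ev["WHEN"] = datetime.strptime(hdr["UDATE"] + hdr["UTIME"], "%Y%m%d%H%M%S")
        events.append(ev)
    events.sort(key=lambda e: (e["OBJECTCLAS"], e["OBJECTID"], e["CHANGENR"]))
    return events


def detect(headers, items):
    """Run the rules and return one alert dict per (rule, change document) hit."""
    alerts = []
    approved = set()          # objects whose STATUS has already been set to APPROVED
    for ev in join_change_documents(headers, items):
        key = (ev["OBJECTCLAS"], ev["OBJECTID"])
        fields = {i["FNAME"]: i for i in ev["ITEMS"]}

        def alert(rule, detail):
            alerts.append({"rule": rule, "object": ev["OBJECTID"], "changenr": ev["CHANGENR"],
                           "user": ev["USERNAME"], "detail": detail})

        # Rule 1: supplier changed after the document had already been approved
        if "SUPPLIER" in fields and key in approved:
            f = fields["SUPPLIER"]
            alert("supplier_changed_after_approval", f"{f['VALUE_OLD']} -> {f['VALUE_NEW']}")
        # Rule 2: large jump in net value within a single change
        if "NET_VALUE" in fields:
            f = fields["NET_VALUE"]
            old, new = float(f["VALUE_OLD"] or 0), float(f["VALUE_NEW"] or 0)
            if old > 0 and new / old > VALUE_JUMP_FACTOR:
                alert("net_value_jump", f"{old:.2f} -> {new:.2f}")
        # Rule 3: change made outside business hours
        if not BUSINESS_HOURS[0] <= ev["WHEN"].hour < BUSINESS_HOURS[1]:
            alert("outside_business_hours", ev["WHEN"].strftime("%Y-%m-%d %H:%M"))

        # Track approval state after evaluating this change, not before
        if "STATUS" in fields and fields["STATUS"]["VALUE_NEW"] == "APPROVED":
            approved.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect(CDHDR, CDPOS):
        print(a)
```

On the constructed extract all three rules fire on the same change document (the late-evening supplier and value change on the already approved order), which is the kind of correlated signal an auditor would escalate rather than a single field change on its own.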

Application Monitoring

SRM provides a number of application monitors to evaluate various critical system and document statuses, changes, and errors. The monitoring results are only available in the portal to the administrator and are presented in graphical form in an iView in the Administration Work Center.


Authorization to view and process alerts is handled by portal role and iView assignment as well as by authorization object BBP_FUNCT (MON_ALERTS). The monitoring information is read from the SRM back-end and is recorded in the Statistic Records in CCMS (monitors under: SAP Enterprise Buyer Monitors).


7 User Administration and Authentication

This section describes how user data is protected from unauthorized access and the aspects of authorization.

User Administration and Authentication is based on standard SAP NetWeaver Application Server functionality. At a minimum, users need to be authenticated on the SAP NetWeaver Portal, based on SAP NetWeaver Application Server Java, and on the SAP SRM Server, based on SAP NetWeaver Application Server ABAP.

For more information about User Administration and Authentication on the SAP NetWeaver Application Server, refer to

SAP NetWeaver Security Guide -> User Administration and Authentication

SAP NetWeaver Application Server ABAP Security Guide -> User Authentication

SAP NetWeaver Application Server Java Security Guide -> User Administration and Authentication

Portal Security Guide -> User Administration and Authentication

Internet Transaction Server Security -> Authenticating Users

7.1 User Management

SAP SRM supports user authentication using user accounts and passwords. It also supports user authentication using X.509 certificates and, in this way, integrates seamlessly with a public key infrastructure.

The following types of roles are supported:

SAP SRM Server roles and portal roles.

New users can only be created by the user administrator or by a manager. In the case of self-registration by new users, the actual release of the new account has to be approved by the user administrator or manager.

7.2 Integration into Single Sign-On Landscapes

Support of Single Sign-On on SRM

SAP SRM consists of a range of different application components, and certain SAP SRM users must access several of these applications. Therefore, the support of Single Sign-On (SSO) is a significant benefit. In SAP SRM the standard SSO mechanism is used: the initial application generates the SSO cookie, which is stored in the user's web browser, and the other applications accept it. For security reasons, the cookie is a non-persistent session cookie that is held only in the browser's memory and is discarded as soon as the user actively logs off or closes the browser. Using this cookie, users can access all SRM applications for which they are authorized without having to go through the authentication process again. When the user accesses applications based on SAP R/3, such as SAP EBP, the cookie is converted to an SAP Logon ticket on the fly.

Single Sign-On in SRM is supported with the SAP NetWeaver Portal.

For more information on SSO and Authentication Methods on SAP Web AS, see:

SAP NetWeaver Application Server Security Guide -> Authentication and Single Sign-On

User Authentication and Single Sign-On Using Logon Tickets
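The "Important Note" in section 4.1 (portal and back-end systems in the same domain, all on HTTP or all on HTTPS) and the cookie-based SSO described above are two sides of one browser rule: a cookie is only returned to hosts that domain-match its Domain attribute, and a cookie marked Secure is only returned over HTTPS. The following Python example is added here and is not part of the guide or of SAP. It models that rule for an SSO cookie named MYSAPSSO2 (the cookie name SAP logon tickets use) with the domain-matching, Secure and Path semantics of RFC 6265, and shows which back-end URLs the portal's ticket would and would not reach. The host names and URL paths are constructed:

```python
"""Which SRM URLs would receive the SSO cookie the portal set? Added example, not
SAP code. Models the browser's cookie return rules (RFC 6265 domain-match, Secure
attribute, Path) for a MYSAPSSO2 cookie; host names and paths are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SsoCookie:
    name: str
    domain: str          # Domain attribute, or the setting host for a host-only cookie
    host_only: bool      # True when the server sent no Domain attribute
    secure: bool         # Secure attribute: returned only over HTTPS
    path: str = "/"


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host equals the domain or ends with '.' + domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie, url):
    """Would a browser attach `cookie` to a request for `url`?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if cookie.host_only:
        if host != cookie.domain.lower():
            return False
    elif not domain_match(host, cookie.domain):
        return False
    if cookie.secure and parts.scheme != "https":
        return False
    return path_match(parts.path or "/", cookie.path)


def sso_reach(cookie, urls):
    """Map each back-end URL to whether the portal's SSO cookie reaches it."""
    return {url: would_send(cookie, url) for url in urls}


# Constructed landscape: the portal at portal.corp.example issues the ticket with
# Domain=corp.example and Secure (what login/ticket_only_by_https = 1 demands).
PORTAL_TICKET = SsoCookie("MYSAPSSO2", "corp.example", host_only=False, secure=True)

BACKENDS = [
    "https://srm.corp.example/sap/bc/gui/sap/its/bbpstart",   # same domain, HTTPS
    "http://srm.corp.example/sap/bc/gui/sap/its/bbpstart",    # same domain, but HTTP
    "https://bi.corp.example/sap/bw/BEx",                     # same domain, HTTPS
    "https://srm.partner.example/sap/bc/bsp/sap/srmsus",      # other domain
]

if __name__ == "__main__":
    for url, ok in sso_reach(PORTAL_TICKET, BACKENDS).items():
        print("sent    " if ok else "NOT sent", url)
```

The mixed-protocol case fails even though the host is right, which is exactly the situation the note rules out; a host-only cookie (no Domain attribute) fails for every back end other than the portal itself, so the ticket has to carry the shared domain for SSO to work at all.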


8 Authorizations

In SAP SRM one or more predefined roles are assigned to each user or user account. Depending on the role, the user is authorized to carry out certain transactions and access certain data. In addition, each user or user account is assigned to its company and/or organizational unit. By way of this assignment, the user inherits additional attributes that further restrict access; for example, employees may only assign purchase orders to their own cost centers.

In the standard SAP SRM delivery, customers receive predefined role templates that they can extend or adapt to their specific requirements. The standard roles include roles for managers, employees, and so on.

Individual users access SRM transactions and data via their browsers and then transfer sensitive confidential data. This information must be protected against unauthorized access. As standard, this is taken care of by encrypting all data during the transfer between the Web server and the browser. SRM follows the standard in this case and supports secure HTTP (HTTPS).

Roles for System Configuration

Users wanting to set up or configure an SAP SRM Server system are assigned to the SRM Administrator role, which provides them with the required authorizations. The necessary Customizing authorizations ensure that these setup users are able to carry out IMG projects.

For more information, see Identity Management -> Users and Roles (BC-SEC-USR).

SRM does not supply separate Customizing or setup roles. Instead, you should use the functions provided in Role Maintenance (transaction PFCG). Here you can define a role corresponding to your individual IMG project with all the authorizations you need to access the corresponding IMG activities. For more information about building a role for a Customizing project, see the documentation for the transaction PFCG.
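The mechanism behind the role table in section 8.1 is the SAP authorization check: a user's roles carry authorizations for authorization objects, each listing the permitted values per field, and a check passes when at least one authorization for that object matches every field the application checks. The following Python model is an added example and not SAP code. It takes the Manager, Purchasing Assistant and Professional Purchaser entries for BBP_PD_PO and BBP_FUNCT from the table in 8.1, including the organizational fields that are delivered empty, and simplifies the field semantics: a '*' value authorizes any value, an empty value matches only a blank check value, and fields the application does not check are ignored (as with DUMMY in AUTHORITY-CHECK). The user names, the purchasing organization value and the customer role Z_BBP_PURCHASER_PURORG are constructed:

```python
"""Model of the SAP authorization check applied to the SRM roles in section 8.1.
Added example, not SAP code. Role contents for BBP_PD_PO and BBP_FUNCT follow the
table in 8.1 (empty field values left as delivered); semantics are simplified:
'*' matches any value, '' matches only a blank check value, fields the caller
does not check are ignored (DUMMY). Users, org values and the Z_ role are constructed."""

# role -> list of authorizations; each authorization: object -> {field: allowed values}
ROLES = {
    "SAP_EC_BBP_MANAGER": [
        {"BBP_PD_PO": {"ACTVT": {"03"}, "BBP_PROCTYP": {""}}},
        {"BBP_FUNCT": {"BBP_FUNCT": {"BE_F4_HELP"}}},
    ],
    "SAP_EC_BBP_SECRETARY": [
        {"BBP_PD_PO": {"ACTVT": {"03"}, "BBP_PROCTYP": {""},
                       "BBP_PURGRP": {""}, "BBP_PURORG": {""}}},
        {"BBP_FUNCT": {"BBP_FUNCT": {"BE_F4_HELP"}}},
    ],
    "SAP_EC_BBP_PURCHASER": [
        {"BBP_PD_PO": {"ACTVT": {"01", "02", "03", "06", "33", "C4", "C5"},
                       "BBP_PROCTYP": {""}, "BBP_PURGRP": {""}, "BBP_PURORG": {""}}},
        {"BBP_PD_PO": {"ACTVT": {"04"},
                       "BBP_PROCTYP": {""}, "BBP_PURGRP": {""}, "BBP_PURORG": {""}}},
        {"BBP_FUNCT": {"BBP_FUNCT": {"BE_F4_HELP", "CR_COMPANY", "EVAL_VEND", "CTR_NOV"}}},
    ],
    # Constructed customer copy: organizational fields maintained instead of left empty
    "Z_BBP_PURCHASER_PURORG": [
        {"BBP_PD_PO": {"ACTVT": {"01", "02", "03", "04", "06", "33", "C4", "C5"},
                       "BBP_PROCTYP": {"*"}, "BBP_PURGRP": {"*"}, "BBP_PURORG": {"O 50000001"}}},
    ],
}

# Constructed user-to-role assignment
USERS = {
    "MANAGER1": ["SAP_EC_BBP_MANAGER"],
    "ASSISTANT1": ["SAP_EC_BBP_SECRETARY"],
    "BUYER1": ["SAP_EC_BBP_PURCHASER"],
    "BUYER2": ["Z_BBP_PURCHASER_PURORG"],
}


def field_matches(allowed, value):
    """One authorization field: '*' is full authorization; otherwise the checked
    value must be listed (an empty delivered value only covers a blank value)."""
    return "*" in allowed or value in allowed


def authority_check(user, obj, **checked):
    """Pass if any authorization for `obj` in any of the user's roles matches every
    checked field; fields in the authorization that are not checked are ignored."""
    for role in USERS.get(user, []):
        for auth in ROLES.get(role, []):
            if obj not in auth:
                continue
            fields = auth[obj]
            if all(field_matches(fields.get(name, set()), value)
                   for name, value in checked.items()):
                return True
    return False


def can_process_po(user, activity, purorg=None):
    """Check BBP_PD_PO the way a PO transaction might: always ACTVT, and the
    purchasing organization only when the caller supplies one."""
    checked = {"ACTVT": activity}
    if purorg is not None:
        checked["BBP_PURORG"] = purorg
    return authority_check(user, "BBP_PD_PO", **checked)


if __name__ == "__main__":
    for user in USERS:
        print(user, "display:", can_process_po(user, "03"),
              "change:", can_process_po(user, "02"),
              "change in O 50000001:", can_process_po(user, "02", "O 50000001"))
```

Two things the model makes visible: the activity split between display (03) for managers and assistants and change (02) plus output (04) for purchasers, and the effect of the empty organizational fields in the delivered roles, which fail as soon as a transaction checks BBP_PURORG and therefore have to be maintained in a customer copy of the role (via PFCG, as the note above says) before the role is usable.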


8.1 ABAP Roles for SAP SRM Server 6.0 (Enterprise Buyer)

The following roles are delivered:

Roles/TechnicalNames

Services(menuoption)

 Auth.Group

 Auth. Object s S_RFC S_TCODE

Manager  EditAttributes

AAAB S_RFC BBPMAINAPP

BBP_BID_WF_APP

SAP_EC_BBP_MANAGER

ProcessCompanyData(hosted)

S_TCODE BBP_BID_WF_REV

SAP_BBP_STAL_MANAGER

BBP BBP_FUNCT(BBP_FUNCT=BE_F4_HELP)

BBP_CTR_WF_RVW

SAP_BBP_MULTI_MANAGER

BBP_PD_PO(ACTVT: 03;BBP_PROCTY=empty)

BBP_POC_DISPLY

BBP_QUO_WF_REV

BBP_QUOT_EXTWF

BBPBWSC1

BBPMAINAPP

BBPPU05

BBPPU07

BBPRP01BBPSC07

BWSP

 T*

Purchasing Assistant

SAP_EC_BBP_SECRETARY

CreatePublic Templates

BBP BBP_FUNCT(BBP_FUNCT=BE_F4_HELP)

BBPPU04

SAP_BBP_STAL_SECRETARY

EnterPurchaseOrderResponse

BBP_PD_PO(ACTVT: 03;BBP_PROCTYPempty;BBP_PURGRPempty;BBP_PURORGempty)

BBP_PD_PO

SAP_BBP_MULTI_SECRETARY

ConfirmGoods /ServicesCentrally

BBP_PD_CNF(ACTVT: 01, 02,03;BBP_PROCTYPempty;BBP_PURGRPempty;BBP_PURORGempty)

BBP_PD_CNF

Page 49: SAP Security Guide SRM2007 SP03

7/27/2019 SAP Security Guide SRM2007 SP03

http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 49/90

 Authorizations

March 2007 49

Roles/TechnicalNames

Services(menuoption)

 Auth.Group

 Auth. Object s S_RFC S_TCODE

Enter Invoice / Credit Memo Centrally
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
BBPPU10
Shopping Carts per Cost Center
BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06, 33; BBP_PROCTY=empty)
BBPSC03
Shopping Carts per Product
BBPSC04
Preselect Suppliers
BBPSC06
Purchasing Assistant
Professional Purchaser
SAP_EC_BBP_PURCHASER
Create Public Templates
B_BUPA_RLT (RLTYP=BBP000, BBP005, BBPUP001, BBPUP002, BBPUP003, CRM007)
BBP_LA_BIZAPI
BBP_BID_DISP
SAP_BBP_STAL_PURCHASER
Confirm Goods / Services Centrally
BBP_PD_CNF (ACTVT: 01, 02, 03, 06, 33; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_CNF
SAP_BBP_MULTI_PURCHASER
Enter Invoice / Credit Memo
B_USERST_T BBP_BID_EXTSO
Invoice Monitor
CRM_BUHI BBP_BID_WF_APP
Settings for Invoice Monitor
S_ICF BBP_BID_WF_CRE
Process Purchase Order
BBP_PD_PO (Actvt 01, 02, 03, 06, 33, C4, C5; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO


Issue Purchase Order
BBP BBP_PD_PO (Actvt 04; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Process Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Process Global Outline Agreement
BBP_FUNCT (BBP_FUNCT=BE_F4_HELP, CR_COMPANY, EVAL_VEND, CTR_NOV)
BBP_CTR_DISP
Process Contract
BBP_PD_AUC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_CR
Issue Contract
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_PO
Perform Mass Changes
BBP_PD_CNF (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_WF
Change Suppliers in Contracts
BBP_PD_CTR (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Purchase Order Evaluation per Contract
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Upload Contracts
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
Download Contracts
BBP_PD_PO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_EDIT
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL


Process Bid Invitation
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_QUO_WF_REV
Process Bid as Substitute
BBP_PD_VL (ACTVT<>G7; BBP_PROCTY=empty)
BBP_QUOT_DISP
Process Auction
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_QUOT_EXTWF
Shopping Cart Evaluation per Cost Center
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBPAVLDISP
Shopping Cart Evaluation per Product
S_ADMI_FCD (NADM)
BBPCF07
Manage Business Partner Data
S_BTCH_JOB (job action: PLAN, RELE)
BBPDIFF
Manage Business Partner (Hosted)
S_CTS_ADMI (TABL)
BBPIV07
Edit Addresses
S_SPO_DEV BBPIV09
Process Supplier List
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL
Reassign Workload
BBP_PD_PO
BBP_PD_SC
BBP_PD_BID
BBP_PD_CTR
ACTVT=02
BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty
BBPPCO_WF
Display Changes
S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPPO01


Preselect Suppliers
S_XMB_AUTH (ACTVT: 03, 16; SXMBACTION: RUNTIME)
BBPPU02
BC_Z S_APPL_LOG (03)
BBPPU04
S_IDOCCTRL BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPVE01
BWSP
BWWF_WI_DECI
CRMD_ORDER
Purchasing Manager
SAP_BBP_STAL_PURCHASE_MANAGER
SAP_BBP_MULTI_PURCHASE_MANAGER
Operational Purchaser
SAP_EC_BBP_OP_PURCHASER
Create Public Templates
/SAPCND/CM (application: BBP; use: PR)
BBP_BID_DISP


SAP_BBP_STAL_OPERAT_PURCHASER
Confirm Goods / Services Centrally
BBP_PD_CNF (ACTVT: 01, 02, 03, 06, 33; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_CNF
Enter Invoice / Credit Memo
B_BUPR_BZT BBP_BID_EXTSO
Invoice Monitor
B_USERST_T BBP_BID_WF_CRE
Settings for Invoice Monitor
CRM_BUHI BBP_BID_WF_REV
Process Purchase Orders
BBP_PD_PO (Actvt 01, 02, 03, 06, 33, C4, C5; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Issue Purchase Orders
BBP BBP_PD_PO (Actvt 04; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PO
Enter Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Process Purchase Order Response
BBP_PD_PCO (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_PCO
Assign Global Outline Agreement
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_WF
Process Bid Invitations
BBP_PD_CNF (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_MAIN


Process Bid as Substitute
BBP_PD_CTR (ACTVT=01, 02, 03; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Process Auctions
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Carry Out Sourcing
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL
Analysis SC per Cost Center
BBP_PD_QUO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_WF_REQ
Analysis SC per Product
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_PPF_CONT
Edit Addresses
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_QUO_WF_REV
Display Changes
M_BBP_PC (PCMAS_ACT=03, 04)
BBP_QUOT_DISP
Preselect Suppliers
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBP_TRIGG_MEN
S_ADMI_FCD (NADM)
BBPAVLDISP
S_BTCH_JOB (job action: RELE)
BBPCF07
S_CTS_ADMI (TABL)
BBPDIFF
S_SPO_DEV BBPIV07
S_USER_AGR (01, 02, 03, 22, 36, 64, 78; ACT_GROUP=empty)
BBPIV09
S_USER_GRP (01, 02, 03, 06, 22, 78; CLASS=empty)
BBPMAINAPP


S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPPCO_WF
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
BBPPO01
BC_Z S_APPL_LOG (03)
BBPPU02
S_IDOCCTRL BBPPU04
BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPVE01
BWSP
BWWF_WI_DECI
CRMD_ORDER
Strategic Purchaser  Process Bid Invitation
AAAB /SAPCND/CM (application: BBP; use: PR)
BACV BBP_AUC_SRM_EX


SAP_EC_BBP_ST_PURCHASER
Process Bid as Substitute
B_BUPA_RLT (RLTYP=000000, BBP000, BBP001, BBP003, BBP004, BBP005, BUP001, BUP002, BUP003, BUP004, BUP005, CRM007, CRM008)
BBP_LA_BIZAPI
BBP_BID_DISP
SAP_BBP_STAL_STRAT_PURCHASER
Process Auction
B_BUPR_BZT BBP_LA_MAINTENANCE
BBP_BID_EVAL
Process Global Outline Agreement
B_USERST_T BBPMAINAPP
BBP_BID_EXTSO
Process Contract
CRM_BUHI BBP_BID_WF_APP
Issue Contract
S_TCODE BBP_BID_WF_CRE
Perform Mass Changes
BBP BBP_BUDGET BBP_BID_WF_REV
Upload Contracts
BBP_CTR_2 (ACTVT: 01, 02, 03, 04, 06; BBP_PROCTY: empty; BBP_SECTN: empty; BBP_SENSTV: empty)
BBP_CFOLDER
Download Contracts
BBP_FUNCT (BBP_FUNCT=BE_F4_HELP, CR_COMPANY, EVAL_VEND, CTR_NOV)
BBP_CTR_DISP
Change Suppliers in Contracts
BBP_PD_AUC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_DC
Purchase Order Evaluation per Contract
BBP_PD_BID (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_EXT_CR
Process Quota Arrangement
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL


Process Supplier List
BBP_PD_VL (ACTVT=01, 02, 03, 06; BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty)
BBP_PD_VL
Manage Business Partner Data
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_CRE
Edit Addresses
BBP_PD_PCO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_CTR_WF_RVW
Reassign Workload
BBP_PD_PO
BBP_PD_SC
BBP_PD_BID
BBP_PD_CTR
ACT VT=02
BBP_PROCTYP empty; BBP_PURGRP empty; BBP_PURORG empty
BBPPCO_WF
Preselect Suppliers
BBP_PD_QUO (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_DISPLY
BBP_PD_SC (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_EDIT
BBP_PD_VL (ACTVT<>G7; BBP_PROCTY=empty)
BBP_POC_WF_REQ
BBP_VEND (BBP_OBJTYP=BUS2200, BUS2202)
BBP_PPF
M_BBP_PC BBP_QUO_WF_REV
BC_A S_BTCH_ADM (BTCADMIN: empty)
BBP_QUOT_DISP
S_ADMI_FCD (NADM)
BBP_QUOT_EXTWF
S_BTCH_JOB (job action: RELE)
BBPAVLDISP
S_CTS_ADMI (TABL)
BBPBWSC1


S_SPO_DEV BBPCF07
S_USER_AGR (01, 02, 03, 22, 36, 64, 78; ACT_GROUP=empty)
BBPCF09
S_USER_GRP (01, 02, 03, 06, 22, 78; CLASS=empty)
BBPDIFF
S_USER_PRO (01, 02, 03, 07, 22; PROFILE=empty)
BBPIV07
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
BBPMAINAPP
S_DEVELOP BBPPCO_WF
BC_Z S_APPL_LOG (03)
BBPPO01
S_IDOCCTRL BBPPU02
BBPPU04
BBPPU05
BBPPU06
BBPPU07
BBPPU10
BBPQADISP
BBPQAMAINT
BBPRP01
BBPSC03
BBPSC04
BBPSC06
BBPSC07
BBPSC11
BBPSC14
BBPSC15
BBPSC16
BBPSC17
BBPSC18
BBPSC19
BBPSHOWVD
BBPSOCO01
BBPVE01


BWSP
BWWF_WI_DECI
CRMD_ORDER
T*
Content Manager  Import Product Master Hierarchies
AAAB /SAPCND/CM (application: BBP; use: PR)
COMM_ATTRSET
COMM_ATTRSET
SAP_EC_BBP_CONTENT_MANAGER
Import Products
COM_ASET (ACVT=01, 02, 03, 06)
COMM_PCAT_LOC
COMM_HIERARCHY
SAP_BBP_STAL_CONTENT_MANAGER
Process Products
COM_CAT (ACVT=01, 02, 03)
CRM_PRD
COMM_PCAT_LOC
Activate Products
COM_HIER (ACVT=01, 02, 03)
BBP_CT COMM_PCAT_PROFILE
Data Transfer from Product Master to Catalog
COM_IL (ACTVT=F370 01, 02, 03, 06; RELTYPE: PRDCTI, PRDCTN, PRDMPI, PRDMPN, PRDVND, PRDVNI)
Maintain Products in SUS
COM_PRD (01, 02, 03, 06)
Content Manager
COM_PRD_CT (01, 02, 03, 06)
S_IFC
S_RFC
S_TCODE
BC_A S_BTCH_JOB (job action: PLAN, RELE)
S_XMB_AUTH (ACTVT: 16; SXMBACTION: RUNTIME)
S_DATASET (ACVT=33)
BC_Z S_APPL_LOG (ACVT 03; ALG_OBJECT: COM_PRODUCT_CATALOG; ALG_SUBOBJ: EXPORT_XML)


Component Planner  Component Planning for Orders
AAAB S_TCODE / Standard only
SAP_EC_BBP_PLANNER
Component Planning for Projects
SAP_BBP_STAL_PLANNER
Change Settings
Components Planner
Internal Dispatcher  Confirm Goods / Services Centrally
AAAB S_TCODE / Standard only
SAP_BBP_STAL_RECIPIENT
Internal Dispatcher
BBP_PD_CNF (BBP_PROCTY=empty)
BBP_PD_CNF
SAP_BBP_MULTI_RECIPIENT
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
Accounts Payable Clerk
Enter Invoice / Credit Memo
AAAB S_TCODE / Standard only
SAP_EC_BBP_ACCOUNTANT
Invoice Monitor
S_ICF
SAP_BBP_STAL_ACCOUNTANT
Settings for Invoice Monitor
BBP BBP_FUNCT (BBP_FUNCT=BE_F4_HELP)
SAP_BBP_MULTI_ACCOUNTANT
Issue Document
BBP_PD_CNF (ACTVT: 03; BBP_PROCTY=empty)
Backend Posting (Hosted)
BBP_PD_INV (ACTVT<>G7; BBP_PROCTY=empty)
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
Bidder  Process Bid
AAAB /SAPCND/CM (application: BBP; use: PR)
BACV BBP_CFOLDER
SAP_EC_BBP_BIDDER
Process User Data
B_BUPA_RLT BBP_CFOLDER
BBPGLOBAL
SAP_BBP_STAL_BIDDER
Alert Inbox
B_BUPR_BZT BBP_FRAMEWORK
BBPMAINNEW
SAP_BBP_MULTI_BIDDER
S_PRO_AUTH (03)
BBP_LA_BIZAPI
BBPST01


S_RFC BBP_LA_MAINTENANCE
BBPVENDOR
S_TCODE BBPFAKEWP
BBPWI
BBP BBP_PD_AUC (ACTVT: 03; BBP_PROCTY=empty)
RFC1
BBP_PD_BID (ACTVT: 03; BBP_PROCTY=empty)
RSAN
BBP_PD_QUO (ACTVT=01, 02, 03, 33; BBP_PROCTY=empty)
SDIF
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2200, BUS2202, BUS2208)
SDIFRUNTIME
BC_A S_BTCH_ADM (BTCADMIN: empty)
SI17_V
S_TABU_DIS (03)
SKBW
BC_Z S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT)
SSCV
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
SU_USER
SURL
SUSO
SUSW
SWLWFIN


SWOR
SYST
SYSU
WP_USER_MENU
Supplier  Enter Delivery / Service
AAAB BBP_PD_CNF
ACTVT 01, 03
BBP_PD_CNF
SAP_EC_BBP_VENDOR
Enter Invoice / Credit Memo
B_BUPA_RLT BBP_FRAMEWORK
BBP_CFOLDER
SAP_BBP_STAL_VENDOR
Process User Data
B_BUPR_BZT BBPADDREXT
BBP_QUOT
SAP_BBP_MULTI_VENDOR
Edit Addresses
S_PRO_AUTH (03)
BBPFAKEWP
BBPGLOBAL
BBP_PD_INV (ACTVT: 01, 03; BBP_PROCTY=empty)
SDIFRUNTIME
BBPWI
BBP_PD_PO (ACTVT: 03; BBP_PROCTY=empty)
SI17_V SWK1
BBP_VEND (ACTVT: 01, 02, 03, 06; BBP_OBJTYP: BUS2203, BUS2205)
SKBW
BC_A S_TABU_DIS (03)
SSCV
BC_Z S_BDS_DS (ACTV: 01, 02, 03, 04, 30; CLASSTYPE: BO, CL, OT)
SU_USER
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
SURL


SUSO
SUSW
SWLWFIN
SWOR
SYST
SYSU
WP_USER_MENU
Company Administrator (MarketSet)
Process Local Accounting Data
AAAB S_TCODE BBPPU09
SAP_EC_BBP_COMPANY_ADMIN
Customizable Messages
BBP BBP_FUNCT (MON_ALERTS)
BBPSHOWVD
SAP_BBP_MULTI_COMPANY_ADMIN
Messages in XML
BP_PD_SC (ACTVT: 01, 02, 03, 06; BBP_PROCTY=empty)
SYST
Define Impersonal Account
BC_A S_TABU_CLI
Process FI Backend
S_TABU_DIS (ACTVT: 02, 03)
Process Supplier Number in Backend
BC_C S_TRANSLAT (ACTVT: 02)
Process Tax Code
Monitor Shopping Cart
Administrator  Application Monitors
AAAB B_BUPA_ATT * *
SAP_BC_BMT_WFM_ADMIN Migration
SAP_EC_BBP_ADMINISTRATOR
Monitor Shopping Carts
B_BUPA_FDG
SAP_BBP_STAL_ADMINISTRATOR
Monitor Contract Distribution
B_BUPA_GRP
SAP_BBP_MULTI_ADMINISTRATOR
Monitor Business Partner
B_BUPA_RLT
Synchronization with Backend
B_BUPR_BZT


Manage User Data
B_BUPR_FDG
Edit Internal Addresses
B_CCARD
Manage Business Partners
COM_ASET
Edit External Addresses
CRM_BUHI
Edit Attributes
S_RFC
Administrator
S_TCODE
BBP BBP_BUYER
BBP_FUNCT
BBP_PD_AUC (03)
BBP_PD_BID (03)
BBP_PD_CNF (03)
BBP_PD_CTR (03)
BBP_PD_INV (03)
BBP_PD_PCO (03)
BBP_PD_PO (03)
BBP_PD_QUO (03)
BBP_PD_SC (ACTVT: 01, 02, 03, 04, 06)
M_BBP_IM_1
M_BBP_PC
BC_A S_ADMI_FCD
S_ARCHIVE
S_BTCH_ADM
S_BTCH_JOB
S_BTCH_NAM
S_CTS_ADMI
S_DATASET
S_ENQUE
S_GUI
S_RZL_ADM
S_TABU_CLI


P_TCODE
Create Supplier (Dummy)
AAAB B_BUPR_BZT (ACTVT 01, 02, 03; RELTYP BUR010)
/ BBPMAINNEW
SAP_EC_BBP_CREATEVENDOR
S_TCODE
Create User (Dummy)
SAP_EC_BBP_CREATEUSER
AAAB B_BUPA_RLT / BBPAT03
S_TCODE BBPAT04
HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
Subscribe Marketplace
Subscribe to EBP on Marketplace
AAAB B_BUPA_RLT ARFC BBPSUBSCRIBE
SAP_EC_BBP_SUBSCRIBE_MARKETPLC
S_RFC BBP_ATTR_ORG
S_TCODE BBP_ATTR_PD


HR PLOG (INFOTYP: 1000, 1001, 1222, 5500, 5501, 5502, 5503; ISTAT: 1; OTYPE: BP, CP, O, S, US, P; SUBTYP: A002, B002, A003, B003, A008, A208, B008, A012, B012, B207, B208, B209, A490, B490, A491, B491, A492, B492, A493, B493, A494, B494, 0020, 0100, 0200, 0300)
BBP_FRAMEWORK
BBPFAKEWP
RFC1
RSAN
SDIFRUNTIME
SSCV
SUSW
SWOR
SYST
SYSU
SAP_BBP_CMS_CONTRACT_CREATOR
BBP_CMS; S_SERVICE
SAP_EC_BBP_EMPLOYEE
BBP_CMS; S_SERVICE


8.2 ABAP Roles for SAP SRM Server 6.0 (SUS)

Roles/Technical Names  Folder  Menu Option  Auth. Group  Authorization Objects

Order Processor  Search
SAP_EC_SUS_ORDER_PROCESSOR
Purchase Orders  All  AAAB B_BUPA_ATT
New  B_BUPA_FDG
Changed  B_BUPA_GRP
In Process  B_BUPA_RLT
Confirmed  B_BUPR_BZT
Partially Confirmed  S_TCODE (SICF)
Rejected  S_RFC
Canceled by Customer
Administration  Own Data  BBP BBP_FUNCT
Messages  Read Messages  BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235; BBP_SUBTY: ' ')
BBP BBP_SUS_AC
BC_A S_ADMI_FCD (NADM)
S_ARCHIVE
S_USER_GRP (ACTVT: 02, 03, 05)
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
HR PLOG
SAR Processor  Search
SAP_EC_SUS_SAR_PROCESSOR
Scheduling Agreement Releases
All  AAAB B_BUPA_ATT
New  B_BUPA_FDG
Delivery Block  B_BUPA_GRP
In Process  B_BUPA_RLT
B_BUPR_BZT
S_TCODE (SICF)
S_RFC
Administration  Own Data  BBP BBP_FUNCT
Messages  Read Messages  BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2235; BBP_SUBTY: SR)
BBP BBP_SUS_AC


BC_A S_ADMI_FCD (NADM)
S_ARCHIVE
S_USER_GRP (ACTVT: 02, 03, 05)
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
HR PLOG
Invoicer  Search
SAP_EC_SUS_INVOICER
Purchase Orders  All  AAAB B_BUPA_ATT
Changed  B_BUPA_FDG
In Process  B_BUPA_GRP
Confirmed  B_BUPA_RLT
Partly Confirmed  B_BUPR_BZT
S_TCODE (SICF)
Confirmations  Canceled  S_RFC
In Process
Completion Reported
Rejected
All
In Process
Approved
Notifications from Purchaser
Goods Receipt - All
Goods Receipt - New
Cancellation of Goods Receipt - All
Cancellation of Goods Receipt - New
Return Delivery - All
Return Delivery - New
Shipping Notifications
All
Sent


Invoices and Credit Memos
All
In Process  BBP BBP_FUNCT
Document Sent  BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2234, BUS2235; BBP_SUBTY: ' ', 'CA', 'CF', 'RT', 'SR')
Approved  BC_A S_ADMI_FCD (NADM)
Rejected  S_USER_GRP (ACTVT: 02, 03, 05)
Create Invoice  S_ARCHIVE
Administration  Own Data  BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
Messages  Read Messages  HR PLOG
BBP BBP_SUS_AC
Supplier Preselect  Search
SAP_EC_SUS_ROS_PROCESSOR
Manage Business Partners
Transfer Supplier  AAAB B_BUPA_ATT
Preselect Suppliers  B_BUPA_FDG
Supplier Monitor  B_BUPA_GRP
B_BUPA_RLT
B_BUPR_BZT
S_RFC
S_TCODE
BBP BBP_SUS_AC
BC_A S_ADMI_FCD
S_USER_AGR
S_USER_GRP
S_USER_PRO
HR PLOG
Dispatcher  Search
SAP_EC_SUS_DISPATCHER
Purchase Orders  All  AAAB B_BUPA_ATT
New
Changed
In Process
Confirmed


Partly Confirmed
Shipping Notifications
All  B_BUPA_FDG
In Process  B_BUPA_GRP
Sent  B_BUPA_RLT
Notifications from Purchaser
Goods Receipt - All  S_RFC
Goods Receipt - New
Cancellation of Goods Receipt - All
Cancellation of Goods Receipt - New
Return Delivery - All
Return Delivery - New
Administration  Own Data  B_BUPR_BZT
Messages  Read Messages  S_TCODE (SICF)
BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2231, BUS2232, BUS2233, BUS2235; BBP_SUBTY: ' ', CA, CF, RT)
BBP BBP_SUS_AC
BC_A S_ADMI_FCD (NADM)
S_USER_GRP (ACTVT: 02, 03, 05)
S_ARCHIVE
BC_Z S_BDS_DS (ACTVT: 03; CLASSNAME: DEVC_STXD_BITMAP; CLASSTYPE: OT)
BBP BBP_SUS_AC
HR PLOG
Service Agent  Search
SAP_EC_SUS_SERVICE_AGENT
Purchase Orders  Confirmed  AAAB B_BUPA_ATT
In Process
Partly Confirmed
Confirmations  All  B_BUPA_FDG
In Process  B_BUPA_GRP


Completion Reported
S_RFC
Cancelled  B_BUPA_RLT
Approved  B_BUPR_BZT
Rejected  S_TCODE (SICF)
Administration  Own Data  BBP BBP_SUS_P2 (ACTVT: 02, 03, 09; BBP_OBJTYP: BUS2230, BUS2232, BUS2233, BUS2235; BBP_SUBTY: ' ')
Messages  Read Messages  BC_A S_ADMI_FCD (NADM)
S_USER_GRP (ACTVT: 02, 03, 05)
S_ARCHIVE
BBP BBP_SUS_AC
HR PLOG
Service Manager
SAP_EC_SUS_MANAGER
Evaluations  AAAB
S_TCODE (SICF)
S_RFC
BC_A S_ADMI_FCD (NADM)
BBP BBP_SUS_AC
BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
Supplier Administrator
Search
SAP_EC_SUS_ADMIN_VENDOR
Administration  Create User  AAAB B_BUPA_ATT
Find User  B_BUPA_FDG
Own Data  B_BUPA_GRP
Company Data  B_BUPA_RLT
Customer List  B_BUPR_BZT
Messages  Read Messages  S_TCODE (SICF, SU01)
BBP BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
BC_A S_ADMI_FCD (NADM)


S_USER_AGR
S_USER_GRP
S_USER_PRO
BBP BBP_SUS_AC
HR PLOG
Purchaser Administrator
Search
SAP_EC_SUS_ADMIN_PURCHASER
Administration  Create User  AAAB B_BUPA_ATT
Find User  B_BUPA_FDG
Own Data  B_BUPA_GRP
Find Supplier  B_BUPA_RLT (ACTVT: 01, 02, 03)
Notifications from Purchaser
Goods Receipt - All  B_BUPR_BZT
Goods Receipt - New
S_TCODE (BBP_SUS_BP_ADM, SICF, SU01)
S_RFC
Cancellation of Goods Receipt - All
BBP BBP_SUS_P2 (ACTVT: 02, 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: *)
Cancellation of Goods Receipt - New
BC_A S_ADMI_FCD (NADM)
Return Delivery - All  S_USER_AGR
Return Delivery - New
S_USER_GRP
S_ARCHIVE
Purchase Orders  All  S_USER_PRO
New  BBP BBP_SUS_AC
Changed  HR PLOG
In Process
Confirmed
Partly Confirmed
Rejected
Canceled by Customer
Shipping Notifications
All
In Process
Sent


Confirmations  All
In Process
Completion Reported
Approved
Rejected
Canceled
Invoices and Credit Memos
All
In Process
Document Sent
Approved
Rejected
Messages  Process Messages
Read Messages
Bidder  Search
SAP_EC_SUS_BIDDER  Bid Invitations  AAAB S_TCODE (SICF)
S_RFC
BC_A S_ADMI_FCD (NADM)
BBP BBP_SUS_P2 (ACTVT: 03; BBP_OBJTYP: BUS2235; BBP_SUBTY: ' ')
BBP BBP_SUS_AC

8.3 ABAP Authorization Objects for SAP SRM Server 6.0 (Category Management)

There are no roles delivered for Category Management. Authorization is controlled by using the delivered Authorization Object (BBP_CM_OBJ), which must be configured and assigned to existing roles (or users).

Assign the Authorization Object BBP_CM_OBJ to the relevant roles. This object has two parameters:

Object Type refers to the Program (PROG), Methodology (METH) or Initiative (INIT).

Activity refers to the authorizations Create or Generate, Change, and Display for the object types.


For details, refer to the Solution Manager content under SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for Category Management → Backend Configuration → Assigning Backend Authorizations.
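The role tables in 8.1 and 8.2 and the BBP_CM_OBJ assignment above all use a compact "OBJECT(FIELD: values; FIELD=empty)" notation. The following Python is an added example, not SAP code or part of this guide: it parses that notation into per-field rules, answers a simplified authority check, and lists the fields a delivered role leaves empty so they can be restricted before assignment. The sample entries are constructed from the Strategic Purchaser table, the BBP_CM_OBJ field name OBJTYPE is an assumed placeholder, and its activities are mapped to the standard ACTVT codes 01/02/03.

```python
"""Parser and review helper for the authorization-object shorthand used in the
role tables above, e.g. 'BBP_PD_AUC(ACTVT<>G7;BBP_PROCTY=empty)'.
Added example, not SAP code; sample entries are constructed from the tables."""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FieldRule:
    allowed: frozenset = frozenset()   # listed values; '' stands for 'empty'
    excluded: frozenset = frozenset()  # values after '<>' (everything else allowed)

    def permits(self, value: str) -> bool:
        if self.excluded:
            return value not in self.excluded
        return "*" in self.allowed or value in self.allowed

@dataclass
class AuthEntry:
    obj: str
    fields: dict = field(default_factory=dict)  # field name -> FieldRule

_HEAD = re.compile(r"^\s*([A-Z0-9_/]+)\s*(?:\((.*)\))?\s*$", re.S)
_NAMED = re.compile(r"^([A-Za-z_]{3,})\s+(.+)$")  # 'Actvt 01, 02' / 'BBP_PURGRP empty'

def _values(raw: str) -> frozenset:
    out = set()
    for v in raw.split(","):
        v = v.strip()
        if v:
            out.add("" if v.lower() == "empty" else v.upper())
    return frozenset(out)

def parse_entry(text: str) -> AuthEntry:
    """Turn one table cell into an AuthEntry with one FieldRule per field."""
    m = _HEAD.match(text)
    if not m:
        raise ValueError(f"unrecognised entry: {text!r}")
    entry = AuthEntry(m.group(1))
    for part in (m.group(2) or "").split(";"):
        part = part.strip()
        if not part:
            continue
        if "<>" in part:                       # negated list, e.g. ACTVT<>G7
            name, raw = part.split("<>", 1)
            entry.fields[name.strip().upper()] = FieldRule(excluded=_values(raw))
            continue
        sep = next((s for s in (":", "=") if s in part), None)
        if sep:
            name, raw = part.split(sep, 1)
        elif _NAMED.match(part):
            name, raw = _NAMED.match(part).groups()
        else:                                  # bare list such as S_APPL_LOG(03):
            name, raw = "ACTVT", part          # assumed to be the activity field
        entry.fields[name.strip().upper()] = FieldRule(allowed=_values(raw))
    return entry

def is_authorized(entries, obj: str, **checked) -> bool:
    """Simplified AUTHORITY-CHECK: one entry for obj must permit every checked field."""
    return any(e.obj == obj
               and all(n in e.fields and e.fields[n].permits(v) for n, v in checked.items())
               for e in entries)

def open_fields(entry: AuthEntry):
    """Fields the delivered role leaves 'empty'; restrict these before assigning it."""
    return sorted(n for n, r in entry.fields.items() if r.allowed == frozenset({""}))

USER_ADMIN_OBJECTS = {"S_USER_AGR", "S_USER_GRP", "S_USER_PRO"}
CHANGE_ACTIVITIES = {"01", "02", "06"}  # create, change, delete

def review_role(entries):
    """Least-privilege findings: open organisational fields, and user-administration
    objects that carry change activities inside a business role."""
    findings = []
    for e in entries:
        for f in open_fields(e):
            findings.append(f"{e.obj}: field {f} left empty")
        if e.obj in USER_ADMIN_OBJECTS:
            acts = e.fields.get("ACTVT", FieldRule()).allowed & CHANGE_ACTIVITIES
            if acts:
                findings.append(f"{e.obj}: user administration with activities {sorted(acts)}")
    return findings

# Section 8.3: BBP_CM_OBJ carries an object type (PROG, METH, INIT) and an activity.
# 'OBJTYPE' is an assumed placeholder for the technical field name; activities are
# mapped to the standard ACTVT codes 01 create/generate, 02 change, 03 display.
def category_mgmt_entry(object_types, activities) -> AuthEntry:
    return AuthEntry("BBP_CM_OBJ", {"OBJTYPE": FieldRule(frozenset(object_types)),
                                    "ACTVT": FieldRule(frozenset(activities))})

# Constructed sample: entries copied from the Strategic Purchaser table above.
STRATEGIC_PURCHASER = [parse_entry(t) for t in (
    "BBP_CTR_2(ACTVT: 01, 02, 03, 04, 06;BBP_PROCTY:empty;BBP_SECTN:empty;BBP_SENSTV:empty)",
    "BBP_PD_AUC(ACTVT<>G7;BBP_PROCTY=empty)",
    "BBP_PD_VL(ACTVT=01,02,03,06;BBP_PROCTYP empty;BBP_PURGRP empty;BBP_PURORG empty)",
    "S_USER_AGR(01, 02, 03, 22,36, 64, 78;ACT_GROUP=empty)",
    "S_USER_GRP(01, 02, 03, 06,22, 78; CLASS=empty)",
    "S_APPL_LOG(03)",
)]

if __name__ == "__main__":
    for finding in review_role(STRATEGIC_PURCHASER):
        print(finding)
```

Run against a role export from the target system instead of the constructed list, the same review flags which delivered template fields are still empty and which purchasing roles carry user-administration objects.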


8.4 Portal Roles (for NetWeaver Portal 7.0)

Portal Role Top Level Entry iView iView Transaction Code Component

Employee Self-Service
Employee Self-Services
Shop  Appl. wda_l_fp_gaf
Appl. Parameter sapsrm_mode=CREATE&sapsrm_botype=BUS2121&sapsrm_portalbaseurl=<Portal.BaseURL>&sapsrm_pcdlocation=<IView.ID>
Config. /SAPSRM/WDAC_GAF_SC  EBP
Check Status  Appl. Powl
Appl. Parameter APPLID=SAPSRM_E_CHECKSTATUS
Config. /SAPSRM/WDA_POWL_SC  EBP
Manager  Home  Cost Center Overview  CMD=LDOC&INFOCUBE=0SR_C02&QUERY=0SR_C02_Q0002&VARIABLE_SCREEN=X  BI
PO Val per Requester  CMD=LDOC&INFOCUBE=0SR_C02&QUERY=0SR_C02_Q0001&VARIABLE_SCREEN=X  BI
Purchase Values per Order  CMD=LDOC&INFOCUBE=0BBP_C02&QUERY=0BBP_C02_Q009&VARIABLE_SCREEN=X  BI
Info  CMD=LDOC&INFOCUBE=0BBP_SC&QUERY=0BBP_SC_Q014&VARIABLE_SCREEN=X  BI
Approved  CMD=LDOC&INFOCUBE=0BBP_SCA&QUERY=0BBP_SCA_Q002&VARIABLE_SCREEN=X  BI
Purchasing Assistant
Purchasing  My Purchasing Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_PA_PURCHASING
Config. /SAPSRM/WDA_POWL  EBP
Process Public Templates  BBPSC05  EBP
Confirm Goods / Services Centrally  BBPCF03  EBP
Enter Invoice / Credit Memo Centrally  BBPIV03  EBP
Preselect Supplier  /sap/ros_prescreen/main.do  SUS


Operational Purchaser
Home  Open Approvals: Confirmations  CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q010&VARIABLE_SCREEN=X  BI
Overview of Return Deliveries  CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q013&VARIABLE_SCREEN=X  BI
Contract Usage  cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_CT_Q004  BI
Status of Documents  CMD=LDOC&INFOCUBE=0BBP_CON&QUERY=0BBP_CONF_Q007&VARIABLE_SCREEN=X  BI
Status  CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q007&VARIABLE_SCREEN=X  BI
per Order No with Items  CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q008&VARIABLE_SCREEN=X  BI
Accepted Quantities per Order and Item  CMD=LDOC&INFOCUBE=0BBP_PO&QUERY=0BBP_PO_Q010&VARIABLE_SCREEN=X  BI
Status  CMD=LDOC&INFOCUBE=0BBP_SC&QUERY=0BBP_SC_Q007&VARIABLE_SCREEN=X  BI
Pending Shopping Carts  cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_SC_Q004_V02  BI
Shopping Cart per Cost Center  bbp_bw_sc4  EBP
Shopping Cart per Product  bbp_bw_sc3  EBP
Purchasing  My Purchasing Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_OP_PURCHASING
Config. /SAPSRM/WDA_POWL  EBP
Carry Out Sourcing  Appl. wda_l_fp_gaf
Appl. Parameter sapsrm_mode=CREATE&sapsrm_botype=AOBSOCO&sapsrm_portalbaseurl=<Portal.BaseURL>&sapsrm_pcdlocation=<IView.ID>
Config. /SAPSRM/WDAC_L_FP_GAF_SOCO  EBP
Issue Purchase Order  BBP_PPF  EBP
Process Public Templates  bbpsc05  EBP
Confirm Goods / Services Centrally  Bbpcf03  EBP
Enter Invoice / Credit Memo Centrally  BBPIV03  EBP


My Sourcing Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_OP_Sourcing
Config. /SAPSRM/WDA_POWL  EBP
Preselect Supplier  sap/ros_prescreen/main.do  SUS
Edit Addresses  BBPADDRINTV  EBP
Display Changes  BBP_SUPP_MONI  EBP
My Invoicing Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_OP_INVOICING
Config. /SAPSRM/WDA_POWL  EBP
Invoice Monitor  Appl. bbp_inv_main  EBP
Settings for Invoice Monitor  Appl. bbp_iv_ims_cust  EBP
Strategic Purchaser
Home  ABC Analysis for Suppliers (Lorenz Curve)  CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0007&VARIABLE_SCREEN=X  BI
Top 15 Suppliers  CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0004&VARIABLE_SCREEN=X  BI
Invoice Value per Supplier and G/L Account in Period  CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0001&VARIABLE_SCREEN=X  BI
Net Invoice Volume w/wo PO Ref  CMD=LDOC&INFOCUBE=0SR_FIC01&QUERY=0SR_FIC01_Q0002&VARIABLE_SCREEN=X  BI
Pareto Analysis According to PO Vol  CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0004&VARIABLE_SCREEN=X  BI
Procurement Value Analysis  CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0001&VARIABLE_SCREEN=X  BI
Procurement Values According to UNSPSC Code  CMD=LDOC&INFOCUBE=0BBP_C01&QUERY=0SR_MC01_Q0008&VARIABLE_SCREEN=X  BI
Spend Analysis  CMD=LDOC&INFOCUBE=0BBP_C01&QUERY=0SR_FIC01_Q0001&VARIABLE_SCREEN=X  BI
Analysis Report: Supplier Evaluation  CMD=LDOC&INFOCUBE=0SR_VE_C1&QUERY=0SR_VE_C1_Q013&VARIABLE_SCREEN=X  BI


Cobweb Diagram Supplier Scores  CMD=LDOC&INFOCUBE=0SR_VE_C1&QUERY=0SR_VE_C1_Q010&VARIABLE_SCREEN=X  BI
Supplier Portfolio with PO Value and Overall Score  CMD=LDOC&INFOCUBE=0SR_VE_M1&QUERY=0SR_VE_M1_Q001&VARIABLE_SCREEN=X  BI
Supplier Portfolio Analysis  cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_PORTFOLIO  BI
Top and Bottom Supplier  cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_TOPVENDORS  BI
Contract Details  CMD=LDOC&INFOCUBE=0SRCT_DS1&QUERY=0SRCT_DS1_Q003&VARIABLE_SCREEN=X  BI
Expiring Contracts  CMD=LDOC&INFOCUBE=0SRCT_DS1&QUERY=0SRCT_DS1_Q004&VARIABLE_SCREEN=X  BI
Maverick Buying Analysis  CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0002&VARIABLE_SCREEN=X  BI
Contract Analysis  cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_CT_Q003  BI
Price Trend Analysis per Product  CMD=LDOC&INFOCUBE=0SR_MC01&QUERY=0SR_MC01_Q0005&VARIABLE_SCREEN=X  BI
Workload per Purchasing Group  CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q0003&VARIABLE_SCREEN=X  BI
Relationship Analysis  cmd=ldoc&TEMPLATE_ID=0TPL_0BBP_C01_Q03032  BI
Supplier Profile  cmd=ldoc&TEMPLATE_ID=0TPL_SR_VE_PROFILE  BI
Strategic Purchasing
My Sourcing Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_SP_Sourcing
Config. /SAPSRM/WDA_POWL  EBP
My Contract Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_SP_CONTRACTMANAGEMENT
Config. /SAPSRM/WDA_POWL  EBP
Issue Contract  BBP_PPF_CONT  EBP
My Business Partner Documents  Appl. Powl
Appl. Parameter APPLID=SAPSRM_SP_BUSINESSPARTNER
Config. /SAPSRM/WDA_POWL  EBP

Page 80: SAP Security Guide SRM2007 SP03

7/27/2019 SAP Security Guide SRM2007 SP03

http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 80/90

 Authorizations

March 2007 80

Portal Role Top Level Entry iView iView Transaction Code Component

Process Supplier List Bbpavlmaint EBP

Manage Business Partners BBPMAININT EBP

Edit Addresses BBPADDRINTV EBP

Preselect Supplier sap/ros_prescreen/main.do SUS

Display Changes BBP_SUPP_MONI EBP

SRM ComponentPlanner 

ComponentPlanning

Component Planning forOrders

BBPOR01 EBP

Component Planning forProjects

BBPPS01 EBP

Goods Recipient Home Open Item Analysis CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1 _Q002&VARIABLE_SCREEN=X

BI

Delayed Delivery CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1 _Q009&VARIABLE_SCREEN=X

BI

Deadline Monitoring - CurrentValues for Req. Delivery Date

CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1 _Q013&VARIABLE_SCREEN=X

BI

Confirmation DocumentOverview

CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q2001&VARIABLE_SCREEN=X

BI

CentralConfirmation

My Central ConfirmationDocuments

Appl. Powl

Appl.ParameterAPPLID=SAPSRM_R_CENTRALCONFIRMATION

Config./SAPSRM/WDA_POWL

EBP

Confirm Goods / ServicesCentrally

BBPCF03 EBP

Find Goods Recipient BBP_PM01 EBP

Invoicer  Home Excessive Invoices CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q3002&VARIABLE_SCREEN=X

BI

Invoice Document Overview CMD=LDOC&INFOCUBE=0SR_MC02&QUERY=0SR_MC02_Q3001&VARIABLE_SCREEN=X

BI

Invoice Status CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_ Q007&VARIABLE_SCREEN=X

BI

Invoice Analysis cmd=ldoc&TEMPLATE_ ID=0TPL_BBP_DS1_Q002

BI

Open Items (Invoices) CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1 _Q004&VARIABLE_SCREEN=X

BI

Page 81: SAP Security Guide SRM2007 SP03

7/27/2019 SAP Security Guide SRM2007 SP03

http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 81/90

 Authorizations

March 2007 81

Portal Role Top Level Entry iView iView Transaction Code Component

Variance Invoice Val/Order Val CMD=LDOC&INFOCUBE=0BBP_DS1&QUERY=0BBP_DS1 _Q006&VARIABLE_SCREEN=X

BI

Contract CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_ Q012&VARIABLE_SCREEN=X

BI

Invoice Number with Items CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_ Q008&VARIABLE_SCREEN=X

BI

Product/Product Cat CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_ Q006&VARIABLE_SCREEN=X

BI

Supplier CMD=LDOC&INFOCUBE=0BBP_INV&QUERY=0BBP_INV_ 

Q002&VARIABLE_SCREEN=X

BI

Invoicing My Invoicing Documents Appl. P owl

Appl.ParameterAPPLID=SAPSRM_I_INVOICING

Config./SAPSRM/WDA_POWL

EBP

Invoice Monitor Appl. bbp_inv_main EBP

Settings for Invoice Monitor Appl. bbp_iv_ims_cust EBP

Enter Invoice / Credit MemoCentrally

BBPIV03 EBP

Issue Document BBP_TRIGG EBP

Backend Posting (Hosted) BBPBC1 EBP

SRM Administrator  SRMAdministration

Application Monitor BBPADM_Cockpit EBP

Monitor Shopping Carts BBP_MON_SC EBP

Monitor Contract Distribution BBP_CTR_MON EBP

Monitor Business Partner BBP_SUPP_MONI EBP

Manage Business Partners BBPMAININT EBP

Manage Employee Data BBPUM01 EBP

Edit External Addresses BBPADDRINTV EBP

Edit Internal Addresses BBPADDRINTC EBP

Edit Attributes BBPATTRMAINT EBP

Synchronization withBackends

BBP_CLEANER EBP

General Attributes PPOMA_BBP EBP

Invoicer  Invoicing

Invoice BBPIV09/!?subtype=IV EBP

Credit Memo BBPIV09/!?subtype=CM EBP

Subsequent Credit BBPIV09/!?subtype=SC EBP

Page 82: SAP Security Guide SRM2007 SP03

7/27/2019 SAP Security Guide SRM2007 SP03

http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 82/90

 Authorizations

March 2007 82

Portal Role Top Level Entry iView iView Transaction Code Component

Subsequent Debit BBPIV09/!?subtype=SD EBP

Invoice/Credit Memo BBPIV03 EBP

Invoice Management ABAP Web Dynpro:

bbp_inv_main

EBP

Invoice Post Processing MIR4 ECC

Document Overview BSP_APPLICATION:SRM_DOC_LIST/doc_overview.htm

EBP

Document Quick Access BSP_APPLICATION:SRM_DOC_QUICKAC/quickaccess.htm

EBP

Excessive Invoice Document 0TPLI_0SR_MC02_Q3002 BI

Report Overview J ava Web Dynpro:

mss~lpa/ReportLaunchpadApp?role=IVC&instance=REP

ECC

Supplier  OrderCollaboration

My Order CollaborationDocuments

Appl. Powl

Appl.ParameterAPPLID=SAPSRM_S_ORDERCOLLABORATION

Config./SAPSRM/WDA_SRM_S_COLLAB

EBP

Process User Data BBPMAINEXT EBP

Edit Addresses BBPADDREXT EBP

Confirmation Information TEMPLATE_ID=0BBP_CONF _SP _Q001

BI

PO History TEMPLATE_ID=0BBP_DS1_SP_Q001

BI

Open Deliveries TEMPLATE_ID=0BBP_DS1_SP_Q002

BI

Open Invoices TEMPLATE_ID=0BBP_DS1_SP_Q003

BI

PO Information TEMPLATE_ID=0BBP_PO_SP_Q001

BI

Contract History TEMPLATE_ID=0BBP_PO_SP_Q003

BI

Bidder  Bid Invitations

and Auctions

Bid Overview Appl. Powl

Appl.ParameterAPPLID=SAPSRM_B_RFXANDAUCTIONS

Config./SAPSRM/WDA_POWL

EBP

CategoryManagement

 Administ rator (com.sap.pct.srm.cm.administrator)

CategoryManagement(com.sap.pct.srm.cm.category_management)

Administrator Work Center com.sap.pct.srm.cm.administrator_work_center

SRM-CM

Application ConfigurationCheck

com.sap.pct.srm.cm.application_config_check

SRM-CM

Page 83: SAP Security Guide SRM2007 SP03

7/27/2019 SAP Security Guide SRM2007 SP03

http://slidepdf.com/reader/full/sap-security-guide-srm2007-sp03 83/90

 Authorizations

March 2007 83

Portal Role Top Level Entry iView iView Transaction Code Component

Category Manager (com.sap.pct.srm.cm_category_manager)

CategoryManagement(com.sap.pct.srm.cm.category_man

agement)

CM Work Center com.sap.pct.srm.cm.cm_work _center

SRM-CM

Chief ProcurementOffice(com.sap.pct.srm.cm.chief_procurement_officer)

CategoryManagement(com.sap.pct.srm.cm.category_management)

CPO Work Center com.sap.pct.srm.cm.cpo_work _center

SRM-CM

All other roles are “supported roles” (showcase roles with the suffix “_showcase” that can be used by the customer for a normal implementation).


8.5 Changes to the Authorization Check

The following authorization objects have been extended or newly created for SAP SRM 6.0:

| Authorization Object | Technical Name | New or Extended (Description) |
|---|---|---|
| Purchasing contract | BBP_PD_CTR | Extended with: 33 (Read attachments), C4 (Clear documents), C5 (Change cleared documents), G7 (Cancel attachments) |
| Purchasing contract | BBP_CTR_2 | New: authorization object for use of the extended contract authorization (in addition to, and not as an alternative to, BBP_PD_CTR). Activate the extended contract authorization in Customizing. For more information, see the Implementation Guide (IMG) for Supplier Relationship Management: SRM Server → Cross-Application Basic Settings → Activate Extended Authorizations for Contracts. |
| Auction | BBP_PD_AUC | Extended with: 33 (Read attachments), 45 (Allow substitute for a bidder), 69 (Reset), 74 (Allow/block bidder), A3 (Start/Pause/Continue), C5 (Change public auctions), G7 (Cancel attachments), PA (Extend validity), PU (Publish) |
| Bid invitation | BBP_PD_BID | Extended with: 33 (Read attachments), C5 (Change public bid invitations), G7 (Cancel attachments), PU (Publish) |
| SUS Action | BBP_SUS_AC | New: User authorization per SUS action |
| Functions | BBP_FUNCT | Extended with: CTR_NOV (Mass transfer of a supplier into all relevant contracts), PO_NOV (Mass transfer of a supplier into all relevant purchase orders), GLOB_ACCSS (SUS: Confirm purchase orders of other users) |
| Bid | BBP_PD_QUO | Extended with: 33 (Read attachments), 75 (Accept), G7 (Cancel attachments) |
| Purchase order response | BBP_PD_PCO | Extended with: G7 (Cancel attachments) |
| Purchase order | BBP_PD_PO | Extended with: 33 (Read attachments), C4 (Clear documents), C5 (Change cleared documents), G7 (Cancel attachments) |
| Confirmation | BBP_PD_CNF | Extended with: 33 (Read attachments), G7 (Cancel attachments) |
| Shopping cart | BBP_PD_SC | Extended with: 33 (Read attachments), G7 (Cancel attachments), SO (Process in Sourcing) |
| Supplier list | BBP_PD_VL | Extended with: G7 (Cancel attachments) |
| Invoice | BBP_PD_INV | Extended with: 33 (Read attachments), 36 (Process exceptions), G7 (Cancel attachments) |
| SUS documents [new] | BBP_SUS_P2 | New: Replaces BBP_SUS_PD and allows more detailed assignment of authorizations through a combination of document type and subtype. |
| Object Authorization for Category | BBP_CM_OBJ | New: Authorization object for Category Management. For more information, refer to the Solution Manager under: SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for Category Management → Backend Configuration → Assigning Backend Authorizations. |


9 Appendix

9.1 Data Privacy Statement

In the SRM system, personal user data, such as the name and address, is saved in the user master record. To comply with legal requirements, functionality is available that only allows this user data to be saved and used if the affected user actively consents. This occurs via the display of a text on the relevant interfaces: the user must select a checkbox at the end of the text before the data is saved. The checkbox is not initially set.

In some countries, depending on the applicable legal regulations, explicit written consent from external partners, such as suppliers, may be necessary.

You can activate the data privacy function for the following services:

Supplier Registration (SRM) and Supplier Registration (SUS)

In these cases the supplier, as an external user, must check the box to allow the supplier data to be saved.

Business Partner Maintenance (SRM) and User Maintenance (SUS)

The internal processor checks the box and thus confirms that the external user, whose data is being processed, is aware of and consents to the data being saved.

Customizing

To make the Customizing settings for the data privacy statement for SRM, see the Implementation Guide (IMG) for Supplier Relationship Management: SRM Server → Master Data → Business Partner → Specify Data Privacy Settings for Vendors.

To make the Customizing settings for SUS, see the IMG for Supplier Relationship Management: Supplier Self-Services → Settings for the User Interface → Data Privacy Settings for Suppliers.

In these Customizing tables you can activate or deactivate the data privacy function and define the technical names of the texts to be displayed.

The texts that are displayed to the external user on self-registration and to the internal user when maintaining business partners are predefined in the system as General Texts. You can use transaction SE61 to copy them and modify them to suit your requirements.

9.2 Virus Checking of Document Attachments

SRM lets you check documents that you attach to SRM documents with a virus scanner before they are stored in the database.

You must have a virus scanner installed and correctly configured. For more information, see the SAP Implementation Guide: SAP Web Application Server → System Administration → Virus Scanner Interface.

The virus scanning functions in SRM are activated when you implement BAdI BBP_ATT_CHECK. SAP supplies BAdI BBP_ATT_VIRSCAN as an example implementation. The interface contains a structure that is used in SRM for storage of attachments. The field PHIO_FNAME contains the file name and the tabular field PHIO_CONTENT contains the file part of the attachment (where the actual file is stored). Viruses are dealt with in the implementation; for example, the data part is deleted.

It is also important to use the function BBP_PD_MSG_ADD in the implementation: the messages from this function are transferred to the user interface.
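How the BAdI contract described above fits together, as an added Python model that is not SAP's ABAP code and not the BBP_ATT_VIRSCAN example implementation: the attachment structure, the scan of the reassembled PHIO_CONTENT, deletion of the data part on a hit, and the message handed back for the user interface in the role BBP_PD_MSG_ADD plays. The scanner, its signature, the raw line width and the Attachment and Message classes are constructed stand-ins.

```python
"""Model of the SRM attachment virus-check hook (added illustration, not SAP code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

RAW_LINE_LEN = 16                       # constructed: width of one raw line of PHIO_CONTENT
TEST_SIGNATURE = b"TESTSIG-CONSTRUCTED"  # constructed detection signature, no real malware


@dataclass
class Attachment:
    phio_fname: str             # file name, as in the BAdI's storage structure
    phio_content: List[bytes]   # tabular field: file body split into raw lines


@dataclass
class Message:
    msgty: str   # "E" error / "S" success, in the style of SAP messages
    text: str


def split_into_raw_lines(data: bytes, width: int = RAW_LINE_LEN) -> List[bytes]:
    """Store a file the way the tabular field does: fixed-width raw lines."""
    return [data[i:i + width] for i in range(0, len(data), width)]


def stand_in_scanner(data: bytes) -> bool:
    """Constructed stand-in for the Virus Scan Interface call: True means infected."""
    return TEST_SIGNATURE in data


def check_attachment(att: Attachment,
                     scanner: Callable[[bytes], bool] = stand_in_scanner
                     ) -> Tuple[bool, List[Message]]:
    """Scan the reassembled file, never the raw lines one by one, so that a
    signature straddling a line boundary is still seen. On a hit the data
    part is deleted (the handling the guide gives as its example) and an
    error message is returned for the UI; the caller must not store the file."""
    whole_file = b"".join(att.phio_content)
    if scanner(whole_file):
        att.phio_content.clear()          # delete the data part
        return False, [Message("E", f"Attachment {att.phio_fname} rejected: virus found")]
    return True, [Message("S", f"Attachment {att.phio_fname} scanned, no virus found")]


def check_line_by_line(att: Attachment,
                       scanner: Callable[[bytes], bool] = stand_in_scanner) -> bool:
    """Deliberately flawed variant kept for comparison: scanning each raw line
    on its own misses a signature split across two lines and returns True."""
    return not any(scanner(line) for line in att.phio_content)


if __name__ == "__main__":
    # constructed sample: the signature starts 8 bytes before a line boundary
    body = b"header--" + TEST_SIGNATURE + b"--trailer"
    att = Attachment("quote.pdf", split_into_raw_lines(body))
    print("line-by-line scan passes it (wrong):", check_line_by_line(att))
    accepted, msgs = check_attachment(att)
    print("whole-file scan accepted:", accepted, "|", msgs[0].text)
```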

9.3 Additional Related Guides

| Area/Topic | Guide/Documentation | Link |
|---|---|---|
| SRM | SRM Master Guide | service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0 → Master Guide - SAP SRM |
| SRM-MDM Catalog | SRM-MDM Catalog configuration information | SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for SRM-MDM Catalog (Catalog Content Management) |
| LAC | SRM 6.0 - Installation Documentation | service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0 → Installation Documentation - SRM 6.0 |
| Category Management | Configuration Guide for SAP SRM Category Management | SAP Solution Manager → Solutions/Applications → SAP SRM → Configuration Structures → SAP SRM 2007 → Basic Settings for Category Management |
| Duet | Duet for Microsoft Office and SAP Guides | service.sap.com/instguides → SAP xApps → Duet → Duet 1.0 → Duet 1.0: SAP Administration Guide / SAP Installation Guide / SAP Master Guide / SAP Operations Guide |

You can find more guides related to the SAP NetWeaver platform on SAP Service Marketplace at service.sap.com/instguides → SAP NetWeaver → Release 2004s.

You can find SRM-related guides on SAP Service Marketplace at service.sap.com/instguides → SAP Business Suite Applications → SAP SRM → Using SAP SRM Server 6.0.


9.4 Additional Information

Special Information for Live Auction Cockpit 6.0

(Only relates to the SRM scenario Strategic Sourcing with LAC WPS 6.0.)

Which part of Live Auction Cockpit should be set up in which network segment?

The client portion of Live Auction Cockpit (Java applet) is deployed on the Internet. The applet communicates with LAC on the J2EE (7.0) server. Therefore the external user has to allow the applet to be downloaded.

The server portion (Web AS) should be located on the LAN. The SAP system (ERP) should be located on the LAN.

Where exactly is data stored?

System configuration data is stored in properties files on the Web AS. (System configuration data is shipped with the system.)

Runtime transactional data is stored in the database of the SAP system. (Transactional data is stored during runtime of the application.) No temporary data is stored anywhere else.

Which type of data access is required at what point in time?

Read access to system configuration data is required during server start-up. Read and write access to transactional data is required during runtime.

What level of protection is recommended for which data?

Administration system permissions should be used to restrict access to the Live Auction Cockpit properties configuration in the Web AS Visual Administrator. Customers must ensure that only system administrators have access to Web AS Visual Administrator. Configuration data in Web AS Visual Administrator is protected by a password.

Password Encryption

Access to SAP Web AS Visual Administrator needs a password:

This password is set during the installation of Web AS. For the LAC scenario, the user name is J2EE_ADMIN and the password is what was set by the first accessing user.

Only a dummy password is stored as a file in the deployment EAR file before deployment of the application. Once the application is deployed, the value is internally encrypted in the database in J2EE and can only be accessed through the J2EE Visual Administrator.

After the deployment, you must change the password via the Visual Administrator. (The Visual Administrator tool can be configured to use SSL, so the communication between Visual Administrator and the J2EE server can be secured.)

(In UME [part of J2EE 7.0], the property values are stored in the same way. It is not necessary to encrypt the content of the password to be stored as real values in the DB, since communication between Visual Admin and the J2EE server can be secured as well.)

RFC users should be created for RFC/JCo connections to the SAP systems.

JCo RFC password for Live Auction Cockpit to SAP SRM Server:

The dummy password that is stored in the LAC deployable application is required for the RFC connection between the Live Auction Cockpit application and SAP SRM Server. Once Web AS has been installed and the LAC application has been deployed, you must use the Web AS Visual Administrator to configure this JCo RFC password/user name so that the Live Auction Cockpit application can run. (At present, this JCo RFC password is masked as “*****” when it is entered, just like in R/3 transaction SU01. A user with administrator authorization on the J2EE engine can only reset the password, just like in R/3 transaction SU01.)

Does the application require an Internet browser as the user interface?

The Live Auction Cockpit client (Java applet) requires an Internet browser. Cookies are only used by the User Management Engine (UME) for Single Sign-On (SSO) tickets.

Which RFC/JCo destinations are delivered/required?

The Live Auction Cockpit application establishes RFC connections via JCo. (There is no need to maintain RFC destinations in SM59 for Live Auction Cockpit, since the JCo server is not used.)

What is the minimum authorization required by the communication user for RFC/JCo connections?

The communication user can be defined as a system user in a production system where there is no need for the JCo/ABAP debugger. If the debugger needs to be used, the communication user must be defined as a dialog user. Furthermore, the user must have both purchaser and supplier profiles for Live Auction Cockpit. (In a productive system, a dialog (RFC) user always represents a limited security risk.)

SSO and SAP Logon Tickets

The Live Auction Cockpit application uses the UME API to verify Single Sign-On tickets. No user data is replicated, since all user data is in SAP Bidding Engine in SAP SRM Server. (User data synchronization is not required.)

By default, the Live Auction Cockpit application accepts SAP Logon Tickets.

Details for Login Scenario for Live Auction: Purchaser and Bidder log into SRM through the standard login page.

Inside the Bidding Engine auction user interface (Sourcing) the Live Auction Cockpit applet is launched.

For Single Sign-On and user validation the Java user management client is used.

If the applet's URL is typed directly into the browser window, the user is validated through the UME Logon Applet and redirected to a UME login page. After successful login, the user is redirected back to the applet.

[Figure: Live Auction login flow. Labels: SRM Server (Web Dynpro), SRM Live Auction 6.0, User, Launch Applet thru SSO, SAP J2EE Server 7.0, UME, UME Logon App]


Digitally-signed Java applet

As of SAP SRM 5.0/LAC WPS 5.0 the Java applet is digitally signed. The user must confirm that he or she agrees to this usage.

Authorization and roles

No roles are delivered with Live Auction Cockpit. All roles are delivered with SAP SRM Server. Customers do not need to create any additional roles.

Are authorization technologies other than roles used?

Yes, bidders must be added to an auction's invitation list to view and bid on that auction using Live Auction Cockpit. Bidders are added to this invitation list (in the SAP SRM Server system) when the auction is created. Since this is a private auction (SAP Bidding Engine), there is no self-registration or subscription.

User interface settings

Live Auction Cockpit can preserve and restore various user interface (UI) settings so that end users do not need to adjust the UI each time they log in. These settings include:

Divider location

Dropdown box selection

Tab selection

Table column order

Table column width

All UI settings are stored as a browser cookie. Therefore, the end user's web browser must be configured to accept cookies to take advantage of this feature. If the end user's web browser is configured to block cookies, UI settings are not preserved; however, all other Live Auction Cockpit features remain functional.

No personal information is stored in the browser cookie.

Special Information for SRM-MDM Catalog

For information about SRM-MDM Catalog, see the SAP MDM 5.5 SP04 Security Guide at service.sap.com/installmdm.

Special Consideration for Offline Approvals

In SAP SRM, offline approval using e-mail is possible. However, offline approval does not provide a secure application configuration by default. This approach can cause a security issue because it is