sap security - solution manager


Upload: valton-berisha

Post on 27-Nov-2014


Page 1: SAP Security - Solution Manager

SECURITY GUIDE

SAP Solution Manager 7.0 as of SP16

Scenarios: Service Desk, Implementation of SAP Solutions, Upgrade of SAP Solutions, Change Management, Solution Monitoring, Delivery of SAP Services, Root Cause Analyses

April 2008

Target Audience: Technology consultants, System administrators


© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic Server™ are trademarks of IBM Corp. in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

J2EE™ is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP, mySAP.com, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. MarketSet and Enterprise Buyer are jointly owned trademarks of SAP Markets and Commerce One. All other product and service names mentioned are the trademarks of their respective owners.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace

You can find this documentation at the following address: http://service.sap.com/instguides

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com


Security Guide: SAP Solution Manager 7.0

April 2008 3

Typographic Conventions

Type Style / Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Icons

Icon / Meaning: Caution, Example, Note, Recommendation, Syntax


Content

Content ... 4
History of Changes ... 5
Quick Links to Additional Information ... 6
Recommendations for Additional Components ... 6
Introduction ... 8
System Landscape ... 8
Network and Communication Security ... 10
User Administration and Authentication ... 14
Authorizations ... 16
Background Jobs ... 39
Trace and Log Files ... 43
APPENDIX ... 44
Security Parameters for Individual Scenarios ... 44
Examples Authorization Restriction ... 46


History of Changes

This Security Guide is updated with each new Support Package Stack in SAP Service Marketplace at service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>. This document is not included as part of the Installation Guide, Configuration Guide, Sizing Guide or Upgrade Guide. These guides are only relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases. The Solution Manager is built on mySAP Customer Relationship Management 2005 and SAP NetWeaver. Therefore, the corresponding Security Guides also apply to the Solution Manager. Pay particular attention to the most relevant sections or specific restrictions as indicated in the table below. For a complete list of the available SAP Security Guides, see the Quick Link: securityguide on the SAP Service Marketplace.

Information on Solution Manager Diagnostics may not be complete in this Guide. For security topics on Diagnostics, see: service.sap.com/diagnostics -> Installation and Upgrade. Make sure you have the latest version of the Security Guide.

The following table provides an overview of the most important changes that were made in the latest versions:

Date of Update / Topic

Earlier updates (no date given in the table):
- This Security Guide is based on the currently available Guide: Authorization Concept of SAP Solution Manager as of SP09.
- Topic on Authorization moved from Configuration Guide to Security Guide and/or IMG (transaction SPRO), e.g. roles moved to additional documentation in IMG documents (e.g. roles for scenario Issue Management can be found either in the overview on roles in the Security Guide or in more detail in the according IMG documentation for Issue Management).
- New roles for solution authorization. Authorization object D_SOL_VSBL is now included in roles SAP_SM_SOLUTION_*. The authorization object is deactivated in all other roles. See chapter: Roles in Solution Manager for an overview. It needs to be granted in addition to the role for the functionality, e.g. Maintenance Optimizer. See examples in the APPENDIX.
- New roles for: Job Scheduling, Issue Management, Maintenance Optimizer (additional). See chapter: Roles in Solution Manager.
- New roles for Work Center approach, see chapter Work Center Roles and the according example.

SP15, 06.02.2008:
- Composite role SAP_SM_BPMO_COMP for background user SM_BPMO. See chapter Communication Destinations.

SP16, 28.04.2008:
- New roles for: Solution Documentation Assistant (see chapter: Roles in Solution Manager and chapter Work Center Roles); Third Party Product: BMC AppSight for SAP Client Diagnostics (see chapter: Roles in Solution Manager).
- Name change: SAP Solution Manager 4.0 becomes SAP Solution Manager 7.0.


Documentation types in the software life cycle:

For a detailed overview of which documentation is relevant for each individual phase, see SAP Note 1088980. We strongly recommend that you use the documents available here. The guides are regularly updated.

Quick Links to Additional Information

Content / Note...
Security: service.sap.com/security
Security Guides: service.sap.com/securityguide
Related SAP Notes: service.sap.com/notes
Technical infrastructure / Network security: service.sap.com/network
SAP Solution Manager: service.sap.com/solutionmanager

Recommendations for Additional Components

The following table lists further useful information for additional components:

Content / Note...
Diagnostics: See the according documents for installation and configuration, service.sap.com/diagnostics
System Landscape Directory: service.sap.com/sld
Software Lifecycle Manager: service.sap.com/slm
Adobe Document Services: service.sap.com/adobe
Business Intelligence: service.sap.com/bi


SAP Quality Center by HP: service.sap.com/solutionmanager
SAP Redwood Job Scheduling: service.sap.com/job-scheduling
Master Guide SAP NetWeaver 7.0: service.sap.com/installNW70
One Transport Order: service.sap.com/solutionmanager -> Media Library -> Technical Papers
Help on Application Usage for Solution Manager; links to further documentation for SAP NetWeaver, SAP Business Suite: help.sap.com
Help on SAP NetWeaver (ABAP and Java) for additional components: help.sap.com/nw70 -> Functional View -> Solution Lifecycle Management -> Software Lifecycle Management


Introduction

This guide does not replace the daily operations handbook that we recommend customers to create for their specific productive operations.

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP Solution Manager. To assist you in securing SAP Solution Manager, we provide this Security Guide. Therefore, when analyzing the security risk for Solution Manager and your system landscape, you should be able to answer the following questions:

- What are your security requirements in regard to availability, confidentiality and data integrity?
- Are there any threats (and what is their relevance) that could compromise your security?
- What are the measures (and costs) that are to be undertaken to safeguard the system?

System Landscape

Architecture

Solution Manager works with the ABAP stack and the Java stack (Solution Manager Diagnostics only). It runs on an SAP CRM 5.0 server. To use Solution Manager you need SAP GUI or a Web browser (in case of work center functionality). Communication with other systems works via RFC technology and via Web Services. For more information on the appropriate usage types, see Master Guide Solution Manager on service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>.

The figure below shows an overview of the technical system landscape for the Solution Manager (including its satellite systems and SAP Service and Support).

[Figure: technical system landscape. Areas shown: Satellite System(s), Content Development at SAP, SAP Service & Support, Solution Manager System. Components named: Business Process Repository (BPR), Knowledge Warehouse (KW), Product Planning and Maintenance System (PPMS), Master Component Repository (MCR), Software Lifecycle Management (SLM), SAP Solution Manager, SAP Change Manager, Service Delivery, Problem Message Handling, Process Management Infrastructure (PMI), Computing Center Management System (CCMS), Service Data Control Center (SDCC), Implementation Guide (IMG), System Landscape Directory (SLD), CRM Server, Support Desk, Change Request Manager. Connections between the components are marked "R".]


Scenarios

Solution Manager is a tool which supports your whole product life-cycle, that is the life-cycle of your business processes and systems within ONE single system/platform. According to these aspects of the product life-cycle, various scenarios can be differentiated. A scenario describes a grouping of functionalities which support the sequential and logical relationships of processes within the life-cycle of the product. Therefore, we differentiate between scenarios (e.g. 1. Implementation/Upgrade of SAP Solutions), processes (e.g. Roadmap) and additional functionalities (e.g. Document Management).

Implementation/Upgrade of SAP Solutions: Roadmap, Project Management, Business Blueprint, Configuration, Test Management, E-Learning, Solution Documentation Assistant
Solution Monitoring: EarlyWatch Alert, Service Level Reporting, System Administration, System Monitoring, Bus. Process Monitoring, Solution Reporting
Change Management: Maintenance Optimizer, Change Request Management, Job Scheduling
Service Desk: Service Desk Standard Usage, Service Providers, Third Party Interface
Delivery of SAP Services: Issue Management, Onsite/Remote Service, Service Plan, Expert-on-Demand
Root Cause Analyses

PLUS: System Landscape (SMSY), Service Data Control Center (SDCCN), Solution Design (SOLMAN_DIRECTORY), Customizing Distribution, Rollout, Work Center, BI - Analysis, Third Party Product Integration


Network and Communication Security

Network Topology

Your network infrastructure is extremely important in protecting your system. It needs to support the communication necessary for your business and your needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. Additionally, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

The network topology for the Solution Manager is based on the topology used by the SAP NetWeaver platform. Therefore, the security guidelines and recommendations described in the SAP NetWeaver Security Guide also apply to the Solution Manager.

Communication Channels

The table below shows the communication channels used by the Solution Manager, the protocol used for the connection, and the type of data transferred.

Communication Channel / Protocol used / Type of Data transferred
Solution Manager to OSS: RFC; exchange of problem messages, retrieval of services
Solution Manager to OSS Secure Area: HTTP(S); logon data to systems opened for SAP Support
Solution Manager to Satellite Systems and back: RFC; see chapter RFC connections
Solution Manager to SAP Service Marketplace: HTTP(S); search for notes
Solution Manager Support Desk to Third Party Support Desks: SOAP; problem messages
Solution Manager to Quality Center by HP: SOAP; test requirements


Communication Destinations

The figure below shows an overview of the communication destinations used by Solution Manager (including its satellite systems, Third Party Products and SAP Service and Support):

[Figure: communication destinations. SAP Solution Manager connects to SAP OSS (O01) via the RFC destinations SAPOSS, SAP-OSS, SAP-OSS-LIST-O01 and SDCC-OSS, and to the SAP Service Marketplace (SAP SMP) via http(s); the customer/SAP boundary lies between them. Towards the managed SAP systems it uses the RFC destinations SM_<SID>CLNT<client>_LOGIN, SM_<SID>CLNT<client>_READ, SM_<SID>CLNT<client>_TRUSTED and SM_<SID>CLNT<client>_TMW; the managed systems reach Solution Manager via SM_<SID>CLNT<client>_BACK. BPM_LOCAL_<client> is a local RFC destination. Third Party Products are connected via http(s).]

The table below shows an overview of communication destinations used by the Solution Manager for RFC communications. Columns: RFC Destination Name; Target Host Name; System Number; Logon Client; Logon User (Password); Use (Scenario); How Created.

To SAPNet R/3 Frontend

SAPOSS (ABAP connection)
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: OSS_RFC (CPIC)
Use: Notes Assistant
How created: Maintain technical settings in transaction "OSS1"

SAP-OSS (ABAP connection)
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: S-User (Customer-specific)
Use: Exchange problem messages with SAP (Scenario: Service Desk); synchronize system data with Support Portal and send data about satellite systems (SMSY); transfer of Solution and Issue data, transfer feedback to SAP (Scenario: Service Delivery); Service Connection
How created: Transaction SOLUTION_MANAGER; menu path: Edit -> Global Settings

SAP-OSS-LIST-O01 (ABAP connection)
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: S-User (Customer-specific)
Use: Retrieve information about which messages have been changed at SAP (Scenario: Service Desk)
How created: Transaction SM59

SDCC_OSS (ABAP connection)
Target host: (will be generated), see SAP Note 763561
Use: Used by the Service Data Control Center to communicate with the SAPNet R/3 Frontend system; update Service Definitions (Scenarios: Solution Monitoring for EWA and Service Plan)
How created: A copy of the SAPOSS destination to SDCC_OSS; a new user SDCC_NEW with password "download" is used.

SAPNET_RFC (ABAP connection)
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: OSS_RFC (CPIC)
Use: Send EarlyWatch Alerts (Scenarios: Solution Monitoring for EWA and Service Plan)
How created: A copy of the SAPOSS destination to SAPNET_RFC

SAP-SMP (HTTP connection)
Target host: websmp230.sap-ag.de; Service no.: 80; Path prefix: /sap/bc/bsp/spn/swdc/slm/; Logon client: 001; Logon user: S-User (Customer-specific)
Use: To send an up-to-date version of the component ST-SER for delivery of Services by SAP Active Global Support (Scenario: Service Delivery)
How created: Transaction SM59

SAPNET_RTCC (ABAP connection)
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: OSS_RFC (CPIC)
Use: Service Preparation Check (RTCCTOOL) (Scenario: Service Delivery)
How created: Created automatically by RTCCTOOL, copy of SAPOSS

<SM_SP>_<customer number>
Target host: /H/SAPROUTER/S/<XX>/sapserv<X>/H/oss001; System number: 01; Logon client: 001; Logon user: S-User (Customer-specific, no authorization needed)
Use: Service Desk -> Value Added Reseller
How created: You automatically create customer RFCs based on RFC SAP-OSS via Report

To Satellite System from Solution Manager System

SM_<SID>CLNT<client>_LOGIN (ABAP connection)
Target host: Satellite System; System number: Customer-specific; Logon client: Customer-specific; Logon user: empty
Use: Execute transactions (Scenarios: Solution Monitoring and Implementation and Distribution)
How created: Transaction SMSY

SM_<SID>CLNT<client>_READ (ABAP connection)
Target host: Satellite System; System number: Satellite-system-specific; Logon client: Satellite-system-specific; Logon user: Default user SOLMAN<SID><Client> (will be generated)
Use: Read access (Scenarios: Solution Monitoring and Implementation and Distribution)
How created: Transaction SMSY

SM_<SID>CLNT<client>_TRUSTED (ABAP connection)
Target host: Satellite System; System number: Satellite-system-specific; Logon client: Satellite-system-specific; Logon user: empty
Use: Log on through a trusted connection (Scenarios: Solution Monitoring and Implementation and Distribution)
How created: Transaction SMSY

SM_<SID>CLNT<client>_TMW (ABAP connection)
Target host: Satellite System; System number: Satellite-system-specific; Logon client: Satellite-system-specific; Logon user: Default user SOLTMW<SID><Client> (will be generated)
Use: Creating and releasing transport requests
How created: Transaction SMSY

From Satellite System to Solution Manager System

SM_<SID>CLNT<client>_BACK (ABAP connection)
Target host: Solution Manager System; System number: Customer-specific; Logon client: Customer-specific; Logon user: Default user SOLMAN<SID> (will be generated)
Use: Send Service Desk messages, send session data, check locked customizing objects (Scenarios: Service Desk, Solution Monitoring and Implementation and Distribution)
How created: Transaction SMSY

Local System (Solution Manager)

BPM_LOCAL_<CLIENT> (ABAP connection)
Target host: empty; System number: empty; Logon client: client used for Business Process Monitoring; Logon user: SM_BPMO (Customer-specific); composite role SAP_SM_BPMO_COMP includes SAP_SM_S_CSMREG (according to profile S_CSMREG), SAP_SUPPDESK_CREATE and SAP_IDOC_EVERYONE
Use: Business Process Monitoring (Scenario: Solution Monitoring)
How created: During Business Process Monitoring setup

CCMSPING.<server>
Registered Server Program, Program ID: <server>.ccmsping.00; Logon user: CSMREG
Use: Service Level Reporting with CCMSping
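The following script is an added example, not part of SAP's guide or of Solution Manager: it audits a constructed list of RFC destination records against the conventions in the table above (empty logon user on _LOGIN and _TRUSTED, generated SOLMAN*/SOLTMW* users on _READ and _TMW, OSS_RFC or a customer S-user with client 001 on the destinations to OSS) and flags undocumented destinations that carry stored credentials. The record layout, the host names and the S-user number format are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class RfcDest:
    """One RFC destination as maintained in SM59 (constructed model; not the RFCDES table layout)."""
    name: str
    target: str            # target host or SAProuter string
    client: str            # logon client, "" if not set
    user: str              # logon user, "" if not set
    has_password: bool     # a password is stored with the destination
    trusted: bool = False  # destination uses trusted-system logon


# Naming convention of the destinations SMSY generates between Solution Manager and satellites.
SATELLITE_RE = re.compile(r"^SM_([A-Z][A-Z0-9]{2})CLNT(\d{3})_(LOGIN|READ|TRUSTED|TMW|BACK)$")
# Logon user the guide lists for each destination to the SAPNet R/3 frontend (OSS).
OSS_USER = {
    "SAPOSS": "OSS_RFC", "SAPNET_RFC": "OSS_RFC", "SAPNET_RTCC": "OSS_RFC",
    "SAP-OSS": "S-USER", "SAP-OSS-LIST-O01": "S-USER",
}
S_USER_RE = re.compile(r"^S\d{10}$")  # assumption: customer S-users look like S0001234567
# Prefix of the generated default users (guide: SOLMAN<SID><Client>, SOLTMW<SID><Client>, SOLMAN<SID>).
GENERATED_PREFIX = {"READ": "SOLMAN", "TMW": "SOLTMW", "BACK": "SOLMAN"}


def audit_destination(d: RfcDest) -> list:
    """Return findings for one destination; an empty list means it matches the guide's conventions."""
    findings = []
    shown = d.user or "<empty>"
    m = SATELLITE_RE.match(d.name)
    if m:
        kind = m.group(3)
        if kind in ("LOGIN", "TRUSTED"):
            # Guide: logon user "empty". The caller logs on interactively (LOGIN) or through the
            # trust relationship (TRUSTED); a stored user/password here would turn the destination
            # into a credential usable by anyone who may call it.
            if d.user or d.has_password:
                findings.append(f"{d.name}: {kind} destination stores a logon user or password ({shown})")
            if kind == "TRUSTED" and not d.trusted:
                findings.append(f"{d.name}: not configured as trusted-system logon")
        else:
            prefix = GENERATED_PREFIX[kind]
            if not d.user.startswith(prefix):
                findings.append(f"{d.name}: logon user {shown}, expected generated {prefix}<SID><Client> user")
        return findings
    if d.name in OSS_USER:
        if not d.target.endswith("/H/oss001"):
            findings.append(f"{d.name}: target {d.target} does not end in /H/oss001")
        if d.client != "001":
            findings.append(f"{d.name}: logon client {d.client or '<empty>'}, expected 001")
        want = OSS_USER[d.name]
        if want == "S-USER" and not S_USER_RE.match(d.user):
            findings.append(f"{d.name}: expected a customer S-user, found {shown}")
        elif want != "S-USER" and d.user != want:
            findings.append(f"{d.name}: expected user {want}, found {shown}")
        return findings
    # Anything else carrying stored credentials is outside the documented set: review it.
    if d.has_password and not d.trusted:
        findings.append(f"{d.name}: undocumented destination with stored credentials for {shown}")
    return findings


def audit(dests) -> dict:
    """Map destination name -> list of findings."""
    return {d.name: audit_destination(d) for d in dests}


# Constructed sample landscape: satellite SID PRD, client 100; host names are placeholders.
OSS_ROUTE = "/H/saprouter.example/S/3299/H/sapservX/H/oss001"
SAMPLE = [
    RfcDest("SAPOSS", OSS_ROUTE, "001", "OSS_RFC", True),
    RfcDest("SAP-OSS", OSS_ROUTE, "001", "S0001234567", True),
    RfcDest("SAP-OSS-LIST-O01", OSS_ROUTE, "000", "S0001234567", True),           # wrong client
    RfcDest("SM_PRDCLNT100_LOGIN", "prdhost.example", "100", "", False),
    RfcDest("SM_PRDCLNT100_READ", "prdhost.example", "100", "SOLMANSM1100", True),
    RfcDest("SM_PRDCLNT100_TRUSTED", "prdhost.example", "100", "ADMIN", True),    # credentials on TRUSTED
    RfcDest("SM_PRDCLNT100_TMW", "prdhost.example", "100", "SOLMANSM1100", True), # READ user reused
    RfcDest("ZZ_OLD_COPY", "prdhost.example", "100", "DDIC", True),               # undocumented
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "OK" if not issues else "; ".join(issues))
```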

You can find the current list of all ports used by SAP in the following document "TCP/IP Ports Used by SAP Applications". You can find the document in SAP Service Marketplace: service.sap.com/security -> Security in Detail -> Infrastructure Security.

The following table displays all used TCP/IP default ports for Solution Manager Diagnostics. Columns: System; Ports used on Solution Manager Diagnostics Server; Ports used on each monitored satellite system; Open in SAProuttab.

ABAP Gateway: 33nn (nn: instance no.), e.g. 3301
HTTP Port of J2EE Engine: on the Diagnostics server 5nn00 (nn: instance no. of SMD), e.g. 50100; on each monitored satellite system 5nn00 (nn: instance no. of managed system), e.g. 50200; open in SAProuttab: X
P4: 5nn04 (nn: instance no. of SMD), e.g. 50104
Database: depends on DBMS, e.g. 1433 on MS SQL Server
Introscope: 6001 (Listener port) on the Diagnostics server; 6001 on each monitored satellite system
LoadRunner: 5001 (Load Generator)
J2EE standalone logviewer: 26000; for details, refer to the Advanced Diagnostics Setup Guide
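As an added example (not from the guide or from SAP), the helper below expands the port patterns of the table above for concrete instance numbers, emits the saprouttab permit entries for the one port the table marks "Open in SAProuttab", and compares an observed listener list against the expected set so that anything the table does not account for stands out. Host names, instance numbers and the observed port list are constructed; the guide does not say which system the "ABAP Gateway 33nn" row refers to, so the Diagnostics server instance is assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    system: str
    port: int
    host_role: str       # "smd" = Solution Manager Diagnostics server, "managed" = monitored satellite
    saprouttab: bool     # marked "Open in SAProuttab" in the guide's table


def _instance_digits(inst: int) -> str:
    """The patterns contain a two-digit instance number 'nn'; reject anything that cannot fill it."""
    if not 0 <= inst <= 99:
        raise ValueError(f"instance number {inst} is not a two-digit SAP instance number")
    return f"{inst:02d}"


def smd_ports(smd_instance: int, db_port: int = None) -> list:
    """Ports listening on the Diagnostics server, expanded from the table's patterns.
    The database port depends on the DBMS and is passed in (e.g. 1433 for MS SQL Server)."""
    nn = _instance_digits(smd_instance)
    ports = [
        Port("ABAP Gateway", int(f"33{nn}"), "smd", False),          # assumption: SMD instance
        Port("HTTP Port of J2EE Engine", int(f"5{nn}00"), "smd", True),
        Port("P4", int(f"5{nn}04"), "smd", False),
        Port("Introscope", 6001, "smd", False),
        Port("LoadRunner", 5001, "smd", False),
        Port("J2EE standalone logviewer", 26000, "smd", False),
    ]
    if db_port is not None:
        ports.append(Port("Database", db_port, "smd", False))
    return ports


def managed_ports(instance: int) -> list:
    """Ports the Diagnostics server reaches on one monitored satellite system."""
    nn = _instance_digits(instance)
    return [
        Port("HTTP Port of J2EE Engine", int(f"5{nn}00"), "managed", True),
        Port("Introscope", 6001, "managed", False),
    ]


def saprouttab_lines(smd_host: str, managed: dict) -> list:
    """Permit entries for the ports marked 'Open in SAProuttab': the Diagnostics server reaching the
    J2EE HTTP port of every managed system. saprouttab syntax: P <source-host> <dest-host> <service>.
    managed maps satellite host name -> J2EE instance number (both supplied by the caller)."""
    lines = []
    for host, inst in sorted(managed.items()):
        for p in managed_ports(inst):
            if p.saprouttab:
                lines.append(f"P {smd_host} {host} {p.port}")
    return lines


def unexpected_listeners(observed: set, expected: list) -> set:
    """Listening ports seen on a host (e.g. collected with netstat) that the table does not account for."""
    return set(observed) - {p.port for p in expected}


if __name__ == "__main__":
    # Constructed landscape: SMD instance 01 on MS SQL Server, satellites PRD (instance 02), QAS (03).
    landscape = {"prdhost.example": 2, "qashost.example": 3}
    print("\n".join(saprouttab_lines("smdhost.example", landscape)))
    seen = {3301, 50100, 50104, 1433, 6001, 8080}  # constructed netstat result on the SMD host
    print("unexpected:", unexpected_listeners(seen, smd_ports(1, db_port=1433)))
```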

SSL (Secure Socket Layer) for HTTP Connections

BSP Applications and WebDynpro technology

Interface maintenance such as BSP and WebDynpro needs HTTP/S. Web Dynpro for ABAP (WD4A, WDA) is the SAP standard UI technology for developing Web applications in the ABAP environment. Most scenarios in Solution Manager use either BSP or WebDynpro technology. The Internet Communication Framework (ICF) provides the infrastructure for handling HTTP requests in work processes in an SAP system (server and client). It enables you to use standard protocols (HTTP, HTTPS, and SMTP) to operate communications between systems through the Internet. You do not need any additional SAP program libraries (other than the SAP Web Application Server). The only condition is that your system platform is Internet-compliant. This scenario gives you a maximum amount of flexibility in responding to varying communication requirements. Communications operated through the ICF have the following benefits:

- Increased security: The HTTPS protocol guarantees secure data transmission at the same level as modern security standards for RFC/SNC communication and other interfaces.
- Increased flexibility: Using the ICF, the user can open a connection to an SAP system across the Internet from any location. After you install the Web Application Server, all Internet Communication Framework (ICF) services are delivered as inactive for security reasons. To activate them, see IMG for Solution Manager -> Basic Settings -> Standard Configuration -> Activate HTTP Services (transaction SPRO).
- Reduced technological barriers: The open HTTP standard is used worldwide, which makes it efficient to install and configure.

Setting up SSL

It is strongly recommended to set up SSL for NetWeaver AS ABAP and Java (for Maintenance Optimizer and SLM, for example, it is necessary). See: Online Help on System Security for SAP Web AS ABAP and Java on service.sap.com/security -> Media Library -> Literature.

Relevant information sources

Information Source / Note
SAP Note 510007: Setting Up SSL on the Web Application Server (procedure on how to set up SSL)
SAP Note 1000000: Web Dynpro ABAP FAQ (general authorization checks for services and applications available over the ICF)
SAP Note 938809: Web Dynpro ABAP checklist for creating problem messages (if you create an error message for WebDynpro ABAP under component BC-WD-ABA, see the checklist in the SAP Note)
SAP Note 810159: Subsequent installation of SAP JAVA CRYPTO TOOLKIT
Application help for security topics connected to ICF services: help.sap.com/nw2004s
Installation Guide: service.sap.com/instguides -> SAP Components -> SAP Solution Manager -> <current release>
System Security for SAP Web AS ABAP and Java (help on setting up system security for ABAP and Java): service.sap.com/security -> Media Library -> Literature

HTTP Connect Service for SAP Support

Due to the firewall between customer systems and SAP systems it is not possible to display pages of BSPs or WebDynpro applications in SAP Solution Manager using standard Service or Support connections. To receive Support from SAP for these technology types you need to set up an HTTP Connect Service. To do so, follow the descriptions in SAP Note 1072324.

You need to maintain this connection for onsite and remote support. Secure this HTTP connection to remote support with HTTPS.

User Administration and Authentication

General

The Solution Manager uses the user management and authentication mechanisms provided with the SAP NetWeaver platform, in particular the SAP Web Application Server ABAP. If you use the Solution Manager Diagnostics, the user management and authentication mechanisms provided with the SAP Web Application Server Java are used, too. Therefore, the security recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver Application Server ABAP Security Guide and the SAP NetWeaver Application Server Java Security Guide also apply to Solution Manager.

User Management Tools

User Management for SAP Solution Manager uses the mechanisms provided by the SAP NetWeaver Application Server ABAP and Java, for example, tools (ABAP: SU01 and Java: UME), user types, and password policies. For an overview of how these mechanisms apply for the Solution Manager, see the sections below. In addition, we provide a list of the standard users required for operating the Solution Manager. As the mechanisms provided by the SAP NetWeaver Application Server Java only apply for Solution Manager Diagnostics, consult the according Guide on service.sap.com/diagnostics.

Standard Users

The table below shows the standard users that are necessary for operating the Solution Manager. Columns: Logon User (Password); Use; How Created; Required Roles (Authorizations).

OSS_RFC (CPIC)
Use: Notes Assistant; update Service Definitions; Service Preparation Check (RTCCTOOL)

S-User (Customer-specific)
Use: Exchange problem messages with SAP; retrieve information about which messages have been changed at SAP
How created: The S-user for the SAP Support Portal is requested via www.service.sap.com.
Required roles: See chapter: S-User authorizations

SOLMAN<SystemID of SAP Solution Manager><CLNT> (Customer-specific)
Use: Read access; Scenarios: Solution Monitoring, Implementation and Distribution, Service Desk, Change Management
How created: Transaction SMSY, automatically generated
Required roles: See chapter: RFC Connections READ, TMW, BACK

SOLTMW<SystemID of SAP Solution Manager><CLNT> (Customer-specific)
Use: Change Request Management
How created: Transaction SMSY, automatically generated
Required roles: See chapter: RFC Connections READ, TMW, BACK

SOLMAN<SystemID of Satellite system><_Version> (Customer-specific)
Use: SDCCN, Service Desk messages from satellite systems
How created: Transaction SMSY, automatically generated
Required roles: See chapter: RFC Connections READ, TMW, BACK

CSMREG (Customer-specific)
Use: Data collection (to get CCMS alerts); only required if SMSY is not used to generate RFC destinations; Business Process Monitoring; required if CCMSPing for Service Level Reporting in scenario Solution Monitoring is used
How created: RZ10
Required roles: See chapter: RFC Connections READ, TMW, BACK and Background Users

SLDAPIUSER (Customer-specific)
Use: To send data from SAP Solution Manager to SLD
How created: During installation
Required roles: -

SAPJSF (Service User)
Use: To read data from SLD
How created: During installation
Required roles: SAP_BC_JSF_COMMUNICATION_RO

J2EE_ADMIN (Service User, Customer-specific)
Use: Context Application integration infrastructure (SLD): user who is able to write to the database tables of the SAP System Landscape Directory (SLD) and who makes the RFC calls from the SLD. Context J2EE Administration: user who has administrator rights in a connected SAP J2EE Engine; used to attach a local UME to the central ABAP user management.
How created: During installation
Required roles: SAP_BC_AI_LANDSCAPE_DB_RFC; SAP_J2EE_ADMIN

J2EE_GUEST (Service User, Customer-specific)
Use: Users who have guest authorizations in a connected SAP J2EE Engine
How created: During installation
Required roles: SAP_J2EE_GUEST


Integration into Single Sign-On Environments (SSO)SAP Solution Manager uses different front ends (SAP GUI and Web browser - in this case, an HTMLControl). Multiple sessions are opened on the server that require, for example, a second logon. The useruses SAP GUI to log on to a system, the application uses the SAP GUI for HTML Control to call another BSPapplication, and the system then prompts the user to reenter the logon data.The Solution Manager supports the Single Sign-On (SSO) mechanisms provided by the SAP NetWeaver.Therefore, the security recommendations and guidelines for user administration and authentication asdescribed in the SAP NetWeaver Security Guide (SAP Library) also apply to the SAP Solution Manager.The supported mechanisms are listed below:

Secure Network Communications (SNC) SNC is available for user authentication and provides for an SSO environment when using the SAP GUI for Windows or Remote Function Calls. For more information, see Secure Network Communications (SAP Library) in the SAP NetWeaver Application Server ABAP Security Guide.

SAP logon tickets The Solution Manager supports the use of logon tickets for SSO when using a Web browser to access Solution Manager documents via URLs from outside. In this case, users can be issued a logon ticket after they have authenticated themselves with the Solution Manager system. The ticket can then be submitted to the system as an authentication token each time the users access documents via URLs from within the same Browser session. The user does not need to enter a user ID or password for authentication but can access the system directly after the system has checked the logon ticket.

For more information on how to use Single Sign-On on the SAP Service Marketplace, go to service.sap.com/sso-smp.

Authorizations

Authorization Concept in General

For ABAP Systems

Authorizations can be displayed by roles (for systems with Basis >= Web Application Server 6.10) or profiles (for systems with Basis < Web Application Server 6.10) which are assigned to the respective users in the system (transaction PFCG). Roles can either be single roles or composite roles, which in themselves consist of single roles.

As of basis release >= Web Application Server 6.10, an authorization is based on specific transactions and so-called authorization objects which are inherently connected to these transactions or programs. Authorization objects consist of authorization fields. A role is always assigned to one or more authorization profiles by the profile generator (transaction PFCG).

For basis releases < Web Application Server 6.10, an authorization is based on specific profiles which include objects with authorizations that can be maintained. These profiles need to be activated and can then be assigned to a user in the user administration (transaction SU01).

Roles are created and authorization objects are maintained according to the specific needs of the scenario or functionality, mostly depending on who is using which transaction in which context. For instance, in most businesses administration tasks are processed by the system administrator, project organisation is led by a project manager, and day-to-day tasks are fulfilled by the key user. Hence, most roles are designed according to these business roles. Still, in some areas of usage, functionality plays a major part and roles are designed solely to fulfil the corresponding requirements, such as Solution Monitoring. Authorizations and the authorization concept in a company are maintained and assigned by the system administrator.

For Java Systems

In general, for Java systems the Web-based User Management Engine (UME) administration console is used to maintain users, roles and authorizations in Java-based systems that use the UME for the user store. In a system landscape containing a combination of ABAP and Java components, it makes sense to integrate your user management so that you can use the same user data across different systems and can administrate this data centrally.


SAP Solution Manager Authorization Concept

This paragraph covers information on general concepts in regard to roles and authorizations. In this respect, it refers to both background users and automatically applied profiles as well as the individual scenarios and the roles used which are relevant for SAP Solution Manager and its satellite systems. Before starting to assign any roles to users, you are strongly advised to create a thorough authorization concept. The roles mentioned in this document are delivered by SAP as template roles with a number of default values, which you need to customize according to your individual needs. All values that are generic and individual for your company you have to maintain according to your authorization concept. The SAP Solution Manager authorization concept is based on the overall SAP authorization concept which is relevant for all SAP systems.

As SAP Solution Manager 7.0 is based on SAP NetWeaver Application Server (Application Server ABAP and Application Server Java), we recommend that you configure the User Management Engine of the Java application to use the ABAP user management (transaction SU01) of the Application Server ABAP (see SAP Reference Implementation Guide; transaction SPRO). The UME of the Application Server Java is configured against the user management of the Application Server ABAP. SAP role assignments appear as user-to-group assignments in the UME administration console. Therefore, you have to set up UME groups which correspond to roles of the Application Server ABAP (PFCG roles).

In the UME administration console, you cannot assign users or groups to the groups that correspond to SAP ABAP roles. These groups are read-only in the J2EE Engine, with the exception that you can assign UME roles and security roles to them.

The following figure illustrates the integration of J2EE Engine security roles, UME roles, and SAP roles.

Object | Recommended Tool
Users | Use transaction SU01 in the ABAP system(s).
PFCG roles | Use the Profile Generator (transaction PFCG) in the Solution Manager system.
J2EE security roles and UME roles | (Only applies to Java application) Use the UME administration console to manage UME roles and the Visual Administrator of the Application Server Java to manage J2EE security roles. Both of these tools are part of Application Server Java. To integrate the Java-based authorizations supplied by J2EE security roles and UME roles with PFCG roles, you can integrate PFCG roles as groups in Application Server Java.

RFC Connection: Trusted

To work with a heterogeneous system landscape with SAP Solution Manager as the managing platform, you need to create RFC connections between SAP Solution Manager and the various Satellite systems (component systems). The appropriate Satellite or component system needs to be made known in the SAP Solution Manager system as a so-called "Trusted System" and vice versa. In other words, the server system, the "trusting system" (SAP Solution Manager system), trusts the user administration of the client system, the "trusted system" (Satellite system). Trusted systems can log on to the so-called "Trusting System" without a password. User-specific data are controlled in the trusting system. This is called a trusting/trusted RFC connection. You generate this RFC connection in the SAP Solution Manager within transaction SMSY.

Trusted RFCs need to be maintained from both sides, that is, Solution Manager to Satellite system and Satellite system to Solution Manager system.

In order to communicate successfully with each other, both SAP Solution Manager and the appropriate Satellite system need to have the same username created in their user administration (transaction SU01).


If you use SAP router between Solution Manager and satellite systems you might have problems in some functionalities, e.g. BSP applications, or RFCs which should open a new window (session). To solve these issues, see SAP Note 555162.

Authorization Object S_RFCACL

To be able to create the trusted RFC connection you need to have the authorization object S_RFCACL assigned in the Solution Manager and in the Satellite system for the current user. The role SAP_S_RFCACL (as of SAP NetWeaver Application Server 7.00) contains the authorization object S_RFCACL, which consists of a number of authorization fields which allow a trusting/trusted relation between SAP Solution Manager and any Satellite system. Due to the high potential risk of such an RFC connection, the authorization object S_RFCACL is not included in SAP_ALL.

In order to restrict user access, you need to maintain the field "RFC_USER" of this authorization object with the value ' '. The trusting RFC destination usually has the 'Current User' setting in SM59. For more information, see help.sap.com/nw70.

Authorization errors in the usage of an RFC destination with the 'Trusted Systems' indicator set are documented by the following message: "No Authorization to logon as Trusted System (Trusted RC = #)". Every authorization error when using an RFC destination with a set 'Trusted Systems' indicator is designated as a RABAX (ABAP exception). This RABAX contains detailed error information. Proceed as follows to analyze the error:

1. Choose transaction ST22 and the desired selection period.
2. Choose the corresponding entry under the user SAPSYS and the program name CALL_FUNCTION_SYSCALL_ONLY. In the paragraph 'Troubleshooting' you will find all the necessary information to correct the error.

Return code

Return code | Explanation | To do
0 | Invalid logon data (user and client) for the Trusting System | Create a corresponding user in the Client system for the user in the Server system (Trusting System)
1 | The calling system is not a Trusted System, or the security ID for the system is invalid. | Create the Trusted RFC again.
2 | The user has no authorization containing the authorization object S_RFCACL, or is logged on as the protected user 'DDIC' or 'SAP*'. | Either supply the user with the corresponding authorization or do not use the protected users 'DDIC' or 'SAP*' (see profile parameter and value: login/no_automatic_user_sapstar = 0)
3 | The time stamp of the logon data is invalid. | Check the system time on the client and on the server and the validity date of the logon data. The system times of both systems have to be synchronised.

Now, you can start to setup your system landscape with SAP Solution Manager as the central platform.


RFC Connections READ, TMW, BACK

Before you can use all mentioned scenarios you need to set up your System Landscape in the Solution Manager, which includes:

- defining all your systems (referred to as Satellite systems),
- creating appropriate logical components,
- assigning your Satellite systems to the logical components,
- setting up your solution design.

The transfer of data between SAP Solution Manager and its Satellite systems is managed by the corresponding RFC connections:

- READ (SM_<SID>CLNT<Client>_READ): Used for transfer of data, e.g. in Customizing Distribution, Change Request Management, Service Desk, Root Cause Analysis, Monitoring. SID and Client refer to the connected satellite system.
- TMW (SM_<SID>CLNT<Client>_TMW): Used for Change Request Management; allows remote creation of transport requests with tasks for the designated developers in the development systems. SID and Client refer to the connected satellite system.
- TRUSTED (SM_<SID>CLNT<Client>_TRUSTED): Enables e.g. customizing data transfer from the source to the target system and entering analysis transactions for System Monitoring and Business Process Monitoring (as described in chapter: RFC Connection: Trusted). SID and Client refer to the connected satellite system.
- BACK (SM_<SID>CLNT<Client>_BACK): Used to send SDCCN data or messages from a satellite system to the SAP Solution Manager system; to check locked customizing objects against changes in scenario Customizing Distribution; provides integration of Change Request Management into the Service Desk. This RFC destination needs a functioning READ destination. SID and Client refer to the SAP Solution Manager system.

In order to create them as easily as possible, the system generates so-called automatically created background users for the appropriate RFC connection needed when you execute the RFC generation in transaction SMSY. These users are automatically assigned the corresponding profiles to allow a smooth data transfer. In the following screen shot you can see three screen partitions:

- RFCs from the Solution Manager to the Satellite system
- RFCs from the Satellite system to the Solution Manager
- RFCs that are to be generated, including RFCs for System Monitoring: information retrieval via the RFC Destination for Data Collection and analysis via the RFC Destination for Analysis.


As you can see for the READ, TMW and BACK RFC connections, the system provides you with a user, which will automatically be created in the Satellite system as soon as you generate this RFC connection. These users are also automatically assigned the corresponding profiles. In case you want to use an already existing user of your Satellite system, you would enter this user and specify the password or not. In this example, DT1 CLNT 800 is the Solution Manager system and ID3 CLNT 800 is the Satellite system; users and passwords will be automatically generated by the system.


Profiles Assigned to Background System Users

User | Role (Release >= 6.10) in Satellite system | Profile (< 6.10) in Satellite system | Purpose
SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_S_BDLSM_READ | S_BDLSM_READ | SDCCN data
SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_SATELLITE_E2E | S_AI_SMD_E2E | End-to-End Diagnose (Solution Manager Diagnostics)
SOLMAN<SystemID of SAP Solution Manager><CLNT> | SAP_SM_S_USER_GRP | S_USER_GRP | User Group Display of all users for Licence Administration Workbench (LAW) and Business Partner
SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_BDLSM_READ | S_BDLSM_READ | Read SDCCN data
SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_TMW_CREATE | S_TMW_CREATE | For creating and releasing transport requests in development systems as well as for setting the project status switch for creating transport requests
SOLTMW<SystemID of SAP Solution Manager><CLNT> | SAP_S_TMW_IMPORT | S_TMW_IMPORT | For importing transport requests into test systems (empty)
SOLMAN<SystemID of Satellite system><_Version> | SAP_S_CUS_CMP | S_CUS_CMP | Data read access
SOLMAN<SystemID of Satellite system><_Version> | SAP_S_CMSREG | S_CMSREG | Central system repository data
SOLMAN<SystemID of Satellite system><_Version> | SAP_SV_FDB_NOTIF_BC_ADMIN | | Service Desk Messages
SOLMAN<SystemID of Satellite system><_Version> | SAP_SUPPDESK_CREATE | | Service Desk Message Creation
SOLMAN<SystemID of Satellite system><_Version> | SAP_S_BDLSM_READ | S_BDLSM_READ | SDCCN data 1)

The most important task of the background user SOLTMW<SystemID of SAP Solution Manager><CLNT> is to create and release transport requests and tasks remotely from Change Request Management. Requests that are created in this way are known to Change Request Management, which means that Change Request Management can control the distribution of these requests within the landscape.

These profiles are more or less static. You will also find the corresponding roles (SAP_<profile name>), which you would have to assign manually to the created users. These can easily be maintained. In case of RFC problems after generation, see SAP Note 176277: Generating RFC trace information.

Authorization Object S_RFC to Call Function Groups

For certain scenarios, certain function groups are needed. In order to start RFC functions from certain function groups, users need to have the authorization object S_RFC in the trusting system (SAP Solution Manager system) as server system, which is included in the corresponding roles for the individual scenarios (see later chapters). For instance, the "SYST" function group is needed to call a system. In case it is missing, executing the remote login in SM59 causes the "RFC_NO_AUTHORITY" ABAP runtime error in the target system.

1) Requests that are created, released, or imported locally cannot be identified by Change Request Management in conjunction with a change request and are therefore not part of the Change Request Management transport control and distribution process. For this reason, we recommend that no users (apart from administrators) have authorization to create transport requests or tasks in Change Request Management-controlled clients.


It is also needed in the Satellite systems. Authorization object S_RFC in the Satellite system is included in the automatically generated profiles. The following table gives you an overview of the appropriate field values for the field RFC_NAME needed for authorization object S_RFC in S_CUS_CMP, S_CSMREG and D_SOLMAN_RFC:

Profile | Function group values in field RFC_NAME of S_RFC
S_CUS_CMP | See SAP Note attachment: 831535
S_CSMREG | See SAP Note attachment: 831535
D_SOLMAN_RFC | See SAP Note attachment: 831535
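The rules stated in the sections RFC Connection: Trusted, Authorization Object S_RFCACL, RFC Connections READ, TMW, BACK and Authorization Object S_RFC can be checked offline against an exported inventory. The following Python script is an added example, not code from this guide or from SAP: it encodes the destination naming convention, the BACK-needs-READ dependency, the same-user and S_RFCACL requirements for trusted destinations, the DDIC/SAP* exclusion, the S_RFC requirement for function group SYST, and the Trusted RC meanings from the return-code table; the inventory layout (defined_in, type, authorizations) and the sample users are assumptions of the script.

```python
"""Offline consistency check for the RFC destinations and trusted relations described above.

Added example, not code from the SAP security guide. The inventory layout (dicts with
name, defined_in, user, type and per-user authorization lists) is this script's own
assumption, not an SAP export format; the users and systems below are constructed.
"""
import re
from typing import Dict, List, Optional

# Naming convention from the guide: SM_<SID>CLNT<Client>_<READ|TMW|TRUSTED|BACK>
DEST_RE = re.compile(
    r"^SM_(?P<sid>[A-Z][A-Z0-9]{2})CLNT(?P<client>\d{3})_(?P<kind>READ|TMW|TRUSTED|BACK)$"
)
# Meaning of "Trusted RC = #" in the ST22 dump, taken from the guide's return-code table.
TRUSTED_RC = {
    0: "invalid logon data for the trusting system: create the same user in the client system",
    1: "caller is not a trusted system or its security ID is invalid: recreate the trusted RFC",
    2: "missing S_RFCACL, or protected user DDIC/SAP*: grant SAP_S_RFCACL, avoid DDIC/SAP*",
    3: "logon data time stamp invalid: synchronise the system times of client and server",
}
RC_RE = re.compile(r"Trusted RC = (\d+)")
PROTECTED_USERS = {"DDIC", "SAP*"}

def explain_trusted_dump(dump_text: str) -> Optional[str]:
    """Map 'No Authorization to logon as Trusted System (Trusted RC = n)' to its to-do."""
    m = RC_RE.search(dump_text)
    return None if m is None else TRUSTED_RC.get(int(m.group(1)), "unknown return code")

def auths(user: dict, obj: str) -> List[dict]:
    return [a for a in user.get("authorizations", []) if a["object"] == obj]

def has_auth(user: dict, obj: str, **fields: str) -> bool:
    """True if one explicit authorization for `obj` matches every field (or carries '*').
    SAP_ALL is deliberately not special-cased: per the guide, S_RFCACL is not part of it."""
    return any(all(a.get(k) in (v, "*") for k, v in fields.items()) for a in auths(user, obj))

def audit(destinations: List[dict], systems: Dict[str, Dict[str, dict]]) -> List[str]:
    """systems maps SID -> {user name -> user record}; destinations are SM59-like records."""
    findings: List[str] = []
    parsed = [(d, DEST_RE.match(d["name"])) for d in destinations]
    # (Solution Manager SID, satellite SID) pairs that have a READ destination
    read_pairs = {(d["defined_in"], m["sid"]) for d, m in parsed if m and m["kind"] == "READ"}
    for d, m in parsed:
        if m is None:
            findings.append(f"{d['name']}: not in SM_<SID>CLNT<Client>_<type> form")
            continue
        sid, kind, src = m["sid"], m["kind"], d["defined_in"]
        target_users = systems.get(sid, {})
        if kind == "BACK" and (sid, src) not in read_pairs:
            # BACK lives in the satellite and points at Solution Manager; the guide
            # requires a functioning READ destination in the opposite direction.
            findings.append(f"{d['name']}: no READ destination from {sid} to {src}")
        if kind == "TRUSTED":
            # 'Current User' logon: every dialog user of the calling system must exist in
            # the trusting (target) system and hold S_RFCACL there with RFC_USER restricted.
            for name, u in systems.get(src, {}).items():
                if name in PROTECTED_USERS or u.get("type") != "dialog":
                    continue
                tu = target_users.get(name)
                if tu is None:
                    findings.append(f"{d['name']}: user {name} missing in {sid} (Trusted RC 0)")
                elif not has_auth(tu, "S_RFCACL"):
                    findings.append(f"{d['name']}: user {name} lacks S_RFCACL in {sid} (Trusted RC 2)")
                elif any(a.get("RFC_USER") == "*" for a in auths(tu, "S_RFCACL")):
                    findings.append(f"{d['name']}: user {name} has S_RFCACL with RFC_USER '*' in {sid}")
        else:
            # READ/TMW/BACK store a background user; remote logon via SM59 needs S_RFC for
            # function group SYST in the target, otherwise RFC_NO_AUTHORITY is raised there.
            user = d.get("user", "")
            if user in PROTECTED_USERS:
                findings.append(f"{d['name']}: protected user {user} stored in destination")
            elif not has_auth(target_users.get(user, {}), "S_RFC",
                              RFC_TYPE="FUGR", RFC_NAME="SYST", ACTVT="16"):
                findings.append(f"{d['name']}: user {user} lacks S_RFC for SYST in {sid}")
    return findings

# Constructed sample landscape: DT1 client 800 is Solution Manager and ID3 client 800 a
# satellite (the guide's own example pair); QA2 is a second satellite invented here.
SYST_RFC = {"object": "S_RFC", "RFC_TYPE": "FUGR", "RFC_NAME": "SYST", "ACTVT": "16"}
SAMPLE_SYSTEMS = {
    "DT1": {"DDIC": {"type": "dialog"}, "ALICE": {"type": "dialog"}, "BOB": {"type": "dialog"},
            "CAROL": {"type": "dialog"},
            # BACK user, named after the guide's SOLMAN<Satellite SID><_Version> pattern (assumed)
            "SOLMANID3_700": {"type": "system", "authorizations": [SYST_RFC]}},
    "ID3": {"DDIC": {"type": "dialog"},
            "ALICE": {"type": "dialog", "authorizations": [{"object": "S_RFCACL", "RFC_USER": " "}]},
            "CAROL": {"type": "dialog", "authorizations": [{"object": "S_RFCACL", "RFC_USER": "*"}]},
            # READ user SOLMAN<Solution Manager SID><CLNT>; its S_RFC for SYST is assumed here
            "SOLMANDT1800": {"type": "system", "authorizations": [SYST_RFC]}},
    "QA2": {"DDIC": {"type": "dialog"}},
}
SAMPLE_DESTINATIONS = [
    {"name": "SM_ID3CLNT800_READ", "defined_in": "DT1", "user": "SOLMANDT1800"},
    {"name": "SM_ID3CLNT800_TRUSTED", "defined_in": "DT1"},
    {"name": "SM_DT1CLNT800_BACK", "defined_in": "ID3", "user": "SOLMANID3_700"},
    {"name": "SM_DT1CLNT800_BACK", "defined_in": "QA2", "user": "DDIC"},  # two findings
    {"name": "ZSOLMAN_OLD", "defined_in": "DT1", "user": "ALICE"},  # off-convention name
]
```

Running audit(SAMPLE_DESTINATIONS, SAMPLE_SYSTEMS) on the constructed landscape yields five findings (missing user BOB, over-broad RFC_USER for CAROL, the BACK destination without a READ counterpart, DDIC stored in a destination, and the off-convention name); real input would come from an SM59 and SU01/SUIM export mapped into the same layout.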

Authorization Roles and Profiles in the SAP Solution Manager System

Due to the system landscape of SAP Solution Manager system and Satellite systems, it is necessary to assign users corresponding roles in the SAP Solution Manager, including Diagnostics, as well as in the Satellite system (so-called Managed Systems in respect to Diagnostics). As most of the mentioned scenarios include actions in the SAP Solution Manager as well as information and data exchange from/to SAP Solution Manager and its Satellite systems, we differentiate for each scenario and process between roles for the SAP Solution Manager and corresponding roles (systems with Basis >= Web Application Server 6.10) or profiles (systems with Basis < Web Application Server 6.10) in the various Satellite systems.

For details on all roles concerning Diagnostics, refer to the Diagnostics Guides on the SAP Service Marketplace: service.sap.com/diagnostics -> Installation and Upgrade Guides.

The table below provides an overview of the roles and profiles for the SAP Solution Manager system. For the Application Server Java, the default user store is the ABAP database, thus users have to be created within transaction SU01 only. For the corresponding scenarios, users also have to be assigned the corresponding roles in the Satellite systems.

Solution Manager roles (for individual examples, see APPENDIX -> Examples)

Scenario/Functionality | Role | Purpose

IMPLEMENTATION AND DISTRIBUTION (see IMG activity: Information and Configuration (technical name: SOLMAN_RECOMMEND) for the scenario)
Implementation and Upgrade | SAP_SOL_PM_COMP 1) | Composite role: Organizing and planning a project
Implementation and Upgrade | SAP_SOL_AC_COMP 1) | Composite role: Create business content and the documentation of operational activities
Implementation and Upgrade | SAP_SOL_BC_COMP 1) | Composite role: Development of customer-specific programs and authorizations
Implementation and Upgrade | SAP_SOL_TC_COMP 1) | Composite role: Installing systems and providing technical support
Implementation and Upgrade | SAP_SOL_RO_COMP 1) | Composite role: Read-only authorizations for SAP Solution Manager
Implementation and Upgrade | SAP_SOL_RE_COMP 1) | Composite role: Read user according to status (document management)
Implementation and Upgrade | SAP_SOL_LEARNING_MAP_DIS | Restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1); see Basic settings in IMG.
Implementation and Upgrade | SAP_DMDDEF_DIS | Restricted authorization for user SOLARSERVICE, which is used for accessing HTTP services in the Solution Manager without login, e.g. for displaying HTML Learning Maps (1)
Test Workbench (Workflow) (Extended Traceability package); see IMG activity: Information and Configuration (technical name: SOLMAN_TEST_WF_INFO) for the scenario | SAP_STWB_WORKFLOW_CREATE | Use Workflow
Test Workbench (Workflow) | SAP_STWB_WORKFLOW_ADMIN | Admin Workflow, authority to create Business Partner
Test Workbench (Workflow) | SAP_STWB_WORKFLOW_DIS | Display Workflow
Changing of Roadmaps | SAP_RMDEF_RMAUTH_EXE | For administrator purposes: change of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP)
Changing of Roadmaps | SAP_RMDEF_RMAUTH_DIS | For display purposes: display of roadmaps (needs to be granted in addition to SAP_SOL_*_COMP)
E-Learning Management | SAP_SOL_TRAINING_ALL | Single role (included in SAP_SOL* composite roles), needed to use the E-Learning Management tool.
E-Learning Management | SAP_SOL_TRAINING_EDIT | Single role (included in SAP_SOL* composite roles), needed to use the E-Learning Management tool.
Solution Documentation Assistant 4) | SAP_SDA_ALL | Full authorization: needs to be added to the corresponding composite Implementation role (SAP_SOL_*_COMP) and Work Center role
Solution Documentation Assistant 4) | SAP_SDA_DIS | Display authorization: needs to be added to the corresponding composite Implementation role (SAP_SOL_*_COMP) and Work Center role

GENERAL INFRASTRUCTURE (see IMG activity: Information and Configuration (technical name: SOLMAN_SYST_INFORMAT), Basic Settings -> System Landscape)
Solution Directory | SAP_SOLMAN_DIRECTORY_ADMIN | Administer data in Solution Directory
Solution Directory | SAP_SOLMAN_DIRECTORY_EDIT | Maintain data in Solution Directory
Solution Directory | SAP_SOLMAN_DIRECTORY_DISPLAY | Display data in Solution Directory
System Landscape Maintenance (SMSY) | SAP_SMSY_ALL | Full authorization for transaction SMSY, maintenance of systems, servers, databases and logical components
System Landscape Maintenance (SMSY) | SAP_SMSY_DISP | Display authorization for transaction SMSY
Solution | SAP_SM_SOLUTION_ALL | Full authorization for solutions
Solution | SAP_SM_SOLUTION_DIS | Display authorization for solutions

SERVICE DESK
Service Desk Messages | SAP_SUPPDESK_ADMIN | Authorizations needed to configure the Service Desk. In addition, it contains the authorizations of the roles SAP_SUPPDESK_PROCESS, SAP_SUPPDESK_DISPLAY, and SAP_SUPPDESK_CREATE.
Service Desk Messages | SAP_SUPPDESK_PROCESS | Authorizations needed for message (notification) processing, including the use of the solution database
Service Desk Messages | SAP_SUPPDESK_CREATE | Create support messages from the satellite systems or in the central SAP Solution Manager system. If a generic RFC user is used to create notifications in the SAP Solution Manager system (that is, the user is specified in the RFC destination in transaction SM59 in the satellite systems), the role only needs to be assigned to this generic RFC user.
Service Desk Messages | SAP_SUPPDESK_DISPLAY | Display user
Service Provider/Value Added Reseller | SAP_SUPPCF_ADMIN | Administrator authorization for creating and processing, and IMG; see SAP Note 834534.
Service Provider/Value Added Reseller | SAP_SUPPCF_CREATE | Key user (IT Operator) authorization to create messages; see SAP Note 834534.
Service Provider/Value Added Reseller | SAP_SUPPCF_PROCESS | Support Employee authorization to process messages; see SAP Note 834534.

CHANGE MANAGEMENT
Change Request Management -> Schedule Manager; Service Desk, cProjects | SAP_CM_CHANGE_MANAGER_COMP 1) | Approving or rejecting change requests.
Change Request Management | SAP_CM_DEVELOPER_COMP 1) | Corrections in the development system; corrections in the maintenance and development systems
Change Request Management | SAP_CM_TESTER_COMP 1) | Testing corrections in the test system; testing and validating corrections
Change Request Management | SAP_CM_OPERATOR_COMP 1) | Import corrections into the production system; task lists
Change Request Management | SAP_CM_PRODUCTIONMANAGER_COMP 1) | Import corrections into the production system; approve imports into the production systems
Change Request Management | SAP_SOCM_REQUESTER | Create change requests
Change Request Management | SAP_CM_ADMINISTRATOR_COMP 1) | Customize and check Change Request Management functions; administrative and technical maintenance. The task list administrator in Change Request Management deals with the administrative and technical side of maintenance cycles and urgent corrections, in particular the Schedule Manager task lists.
Maintenance Optimizer; see IMG activity: Information and Configuration (technical name: SOLMAN_MAINT_OPTIMIZ), Basic Settings -> Basic BC-Sets for Configuration | SAP_MAINT_OPT_ADMIN | Full authorization for Maintenance Optimizer
Maintenance Optimizer | SAP_MAINT_OPT_DISP | Display authorization for Maintenance Optimizer
Maintenance Optimizer | SAP_MAINT_OPT_ADD | Authorization to write the Stack-Delta-XML folder into the EPS Outbox of the operating system of Solution Manager (Stack-Delta-XML folders are relevant for JSPM (Java Support Package Manager) and SAPJup (SAP Java Upgrade) in Java systems)

SOLUTION MONITORING (see IMG activity: Information and Configuration (technical name: SOLMAN_MON_INFORMATI) for the scenario)
Service Data Control Center | SAP_SDCCN_ALL | Service Data Control Center administration, change setup
Service Data Control Center | SAP_SDCCN_DIS | Service Data Control Center display only
Service Data Control Center | SAP_SDCCN_EXE | Maintain Service Data Control Center
Complete Monitoring (setup and/or operations of EWA, SLR, System Monitoring, Business Process and Interface Monitoring, Central System Administration) | SAP_SV_SOLUTION_MANAGER | Full authorization for all functionalities within transaction SOLUTION_MANAGER
Complete Monitoring | SAP_SV_SOLUTION_MANAGER_DISP | Display authorization for all functionalities within transaction SOLUTION_MANAGER
Complete Monitoring | SAP_SETUP_DSWP | Full authorization for all sessions in area operations setup
Complete Monitoring | SAP_OP_DSWP | Full authorization for all sessions in area operations
Early Watch Alert | SAP_SETUP_DSWP_EWA | Full authorization for session Early Watch Alert in area operations setup (according to BundleID)
Early Watch Alert | SAP_OP_DSWP_EWA | Full authorization for session EarlyWatch Alert in area operations (according to BundleID)
Service Level Reporting | SAP_SETUP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations setup (according to BundleID)
Service Level Reporting | SAP_OP_DSWP_SLR | Full authorization for session Service Level Reporting in area operations (according to BundleID)
System Monitoring | SAP_SETUP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID)
System Monitoring | SAP_OP_DSWP_SM | Full authorization for session System Monitoring in area operations setup (according to BundleID)
Business Process Monitoring | SAP_SETUP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations setup (according to BundleID)
Business Process Monitoring | SAP_OP_DSWP_BPM | Full authorization for session Business Process Monitoring in area operations (according to BundleID)
Central System Administration | SAP_SETUP_DSWP_CSA | Full authorization for session Central Service Administration in area operations setup (according to BundleID)
Central System Administration | SAP_OP_DSWP_CSA | Full authorization for session Central Service Administration in area operations (according to BundleID)

JOB SCHEDULING MANAGEMENT (see IMG activity: Information and Configuration (technical name: SOLMAN_JSCHED_INFORM) for the scenario)
Job Scheduling | SAP_SM_SCHEDULER_ADMIN | Full authorization including communication to external tool
Job Scheduling | SAP_SM_SCHEDULER_EXE | Execution authorization including communication to external tool
Job Scheduling | SAP_SM_SCHEDULER_DIS | Display authorization

REPORTING
Solution Reporting | SAP_SOL_REP_ADMIN | Authorization for reporting, maintaining system availability data, BI Reporting
Solution Reporting | SAP_SOL_REP_DISP | Authorization for report execution and display only.
BI EWA-Reporting 2) | SAP_SM_ALEREMOTE | Authorization for background user in Solution Manager client, according to profile S_BI-WX_RFC (see SAP Note 150315)
BI EWA-Reporting 2) | SAP_BW_SOLUTION_MANAGER | Authorization for transaction RRMX
IT Performance Reporting 5) | Via Work Center System Monitoring | See Work Center role and authorization mapping for Work Center System Monitoring

SERVICE CONNECTION and SOLUTION TRANSFER
Service Connection | SAP_SERVICE_CONNECT | Authorizations for Service Connection
Solution Transfer | SAP_SOLUTION_TRANSFER | Authorization to transfer a solution from one SAP Solution Manager system to another SAP Solution Manager system.

DIAGNOSTICS
Root Cause Analyses | SAP_SOLMANDIAG_SAPSUPPORT | Contains the required authorizations for using the Diagnostics for user SAPSUPPORT; see also SAP Note 828533
Root Cause Analyses | SAP_SOLMANDIAG_E2E | RFC calls for Diagnostics (corresponding profile S_SMDIAG_E2E)
Root Cause Analyses | SAP_SMDIAG_WIZARD | Authorization for using the Diagnostics Wizard to transfer data from Solution Manager to Diagnostics
Root Cause Analyses | SAP_SMDIAG_TEMPLATE | Authorization to edit templates for Diagnostics
Root Cause Analyses | SAP_BI_E2E | SMD and E2E Diagnostics for BI Reporting via Diagnostics, corresponding profile S_SMDIAG_BI 4), assigned to Diagnostics user SAPSUPPORT

THIRD PARTY PRODUCTS
SAP Quality Center by HP; see IMG activity: Information and Configuration (technical name: SOLMAN_QC_INFORMATIO) for the scenario | SAP_QC_BY_HP_ADMIN | Full authorization to configure, send and receive data to/from Quality Center; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_PM_COMP
SAP Quality Center by HP | SAP_QC_BY_HP_EXE | Authorization to work on the QC tab in SOLAR01/02; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_AC_COMP etc.
SAP Quality Center by HP | SAP_QC_BY_HP_DISP | Display authorization; needs to be assigned additionally with the respective role for the Implementation and Distribution scenario, e.g. SAP_SOL_RO_COMP
SAP Quality Center by HP | SAP_QC_INTERFACE | Authorization for background communication user
Service Desk Interface | SAP_SUPPDESK_INTERFACE | Authorization for bidirectional interface and configuration; needs to be assigned additionally with the respective roles for the Service Desk scenario, e.g. SAP_SUPPDESK_ADMIN
SAP CPS (Redwood); see IMG activity: Information and Configuration (technical name: SOLMAN_REDWOOD_INFOR) for the scenario | SAP_SM_REDWOOD_COMMUNICATION | Redwood users (communication user) in RFC destination to Solution Manager
BMC AppSight for SAP Client Diagnostics 4) | SAP_APPSIGHT_INTERFACE | Authorization for background communication user

CONTINUOUS IMPROVEMENT
Issue Management; see IMG activity: Information and Configuration (technical name: SOLMAN_ISSUE_INFORMA) for the scenario | SAP_ISSUE_MANAGEMENT_ALL 4) | Full authorization for Issue Management
Issue Management | SAP_ISSUE_MANAGEMENT_EXE 4) | Operations authorization for Issue Management
Issue Management | SAP_ISSUE_MANAGEMENT_DIS 4) | Display authorization for Issue Management

SERVICE DELIVERY
Onsite and Remote Service Delivery | SAP_SOLMAN_ONSITE_COMP; SAP_SOLMAN_ONSITE_ALL_COMP | SAP provides two main users for Onsite Service Delivery and Remote Service Delivery; see SAP Notes 834534 and 872800

The following table shows which task list authorizations are assigned to the Schedule Manager roles that are included in the Change Request Management composite roles:

Task list authorization | Developer | Tester | Prod. Manager | Operator | Administrator
Display | X | X | X | X | X
Create | X | --- | --- | --- | X
Change | --- | --- | --- | --- | X
Delete | --- | --- | --- | --- | X
Run | X | X | X | X | X
Change status | X | X | X | X | X

1) Composite roles with naming convention _COMP consist of a number of single roles, which you may also use individually.
2) In the BI client (system) the following profiles are required:
   - Administrator (IMG): Profile S_RS_ALL (corresponding role SAP_S_RS_ALL)
   - Background user ALEREMOTE: Profile S_BI-WHM_RFC (corresponding role SAP_BI_ALEREMOTE)
3) To maintain actions, you need the additional role SAP_PPF_CONFIGURATOR
4) New as of SP16
5) In the BI client (system) the following roles are required:
   - for setup: SAP_BW_CCMS_SETUP, SAP_PI_CCMS_SETUP
   - to view the reports: SAP_BW_CCMS_REPORTING

For security information on passwords, see SAP Note 862989: New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0).

For more information:

SAP Solution Manager Roles: SAP Note 834534 (SAP Solution Manager Roles)
Role Maintenance: online documentation: choose Help -> Application Help -> Solution Manager -> Projects -> Project Preparation -> Roles in Solution Manager
Change Request Management Roles: online documentation (in SAP Solution Manager system): Help -> Application Help -> SAP Solution Manager -> Change Request Management -> Roles in Change Request Management

Authorization Roles and Profiles in the Satellite Systems

You need to create users in the satellite systems to enable SAP Solution Manager users to access and configure these systems and perform test activities. Users are created in a satellite system using the User Maintenance tool (transaction code SU01) in that system. In each satellite system, you need to assign authorizations to users for IMG and the Customizing configuration transactions as well as the application transactions to be configured.

For details on all roles concerning Diagnostics, refer to Diagnostics on the SAP Service Marketplace: service.sap.com/diagnostics -> Installation and Upgrade Guides. For SAP R/3 releases lower than SAP Web Application Server 6.10, the profiles listed in the table are available, but not the roles. Therefore, you have to explicitly assign the authorization profiles to the relevant users.

The table below provides an overview of the roles and profiles for satellite systems:

Scenario | Role (Release >= 610) | Profile (Release < 610) | Purpose

CHANGE MANAGEMENT
Change Request Management | SAP_CHANGEMAN_DEVELOPER | S_TMW_DEVELO | Authorizations for developers. This profile contains CTS authorizations for developers: no authorization to create transport requests and no authorization to release transport requests, but authorization to create and release tasks.
Change Request Management | SAP_CHANGEMAN_OPERATOR | S_TMW_OPERA | Authorizations for operators. This profile contains CTS authorizations for operators: all transport authorizations; no configuration authorizations.
Change Request Management | SAP_CHANGEMAN_ADMIN | S_TMW_ADMIN | Authorizations for administrators. This profile contains CTS authorizations for administrators: all authorizations in the CTS (including configuration).

SERVICE DATA CONTROL CENTER
Service Data Control Center | SAP_SDCCN_ALL (for Basis WebAS >= 610) | S_SDCCN_ALL (for Basis 4*) | Administration, change setup
Service Data Control Center | SAP_SDCCN_EXE (for Basis WebAS >= 610) | S_SDCCN_EXE (for Basis 4*) | Maintain Service Data Control Center
Service Data Control Center | SAP_SDCCN_DIS (for Basis WebAS >= 610) | S_SDCCN_DIS (for Basis 4*) | Service Data Control Center, display only

SOLUTION MONITORING
System Monitoring and/or Central System Administration | SAP_BC_BASIS_ADMIN | - | Contains main transactions for Basis administration

IMPLEMENTATION AND DISTRIBUTION
Customizing Distribution and Comparison | SAP_BC_CUS_ADMIN | - | Administration of Customizing projects. In addition, authorization object S_RFC is missing and needs to be maintained (transaction PFCG) with the values ACTVT: 16, RFC_NAME: S_SOLAR_RFC_00, RFC_TYPE: FUGR.
Customizing Distribution and Comparison | SAP_BC_CUS_CUSTOMIZER | - | Changing Customizing settings; see SAP_BC_CUS_ADMIN
Customizing Distribution and Comparison | - | S_CUS_CMP | See also online documentation: SAP Solution Manager -> Projects -> Customizing Distribution and Comparison system settings
Customizing Scout and System Landscape | SAP_SOLAR_SATELITE_SCOUT | - | Customizing Scout
Customizing Scout and System Landscape | SAP_SOLAR_SATELITE_SMSY | - | System Landscape
CATT | SAP_BC_CAT_TESTER | - | Testing with CATT
CATT | SAP_BC_CAT_TESTORGANIZER | - | Test organization with CATT
eCATT | - | - | See SAP Note 519858
Test Workbench | SAP_TWB_TESTER | - | Testing with Test Workbench
Test Workbench | SAP_TWB_COORDINATOR | - | Coordination with Test Workbench
Test Workbench | SAP_TWB_ADMINISTRATOR | - | Administration with Test Workbench
BC Sets | SAP_BCS_ACTIV | - | Activation of BC Sets; see SAP Note 505603
BC Sets | SAP_BCS_CREAT | - | Creating BC Sets
BC Sets | SAP_BCS_ADMIN | - | Administration of BC Sets

DIAGNOSTICS
Root Cause Analyses | SAP_JAVA_SUPPORT | - | Authorization for Diagnostics. All users of Diagnostics have to be assigned this role.
Root Cause Analyses | SAP_JAVA_NWADMIN_CENTRAL_READONLY | - | All users of Diagnostics have to be assigned this role.
Root Cause Analyses | SAP_SLD_GUEST | - | For read-only access to the SLD application, the user must belong to the group having the LcrUser J2EE server role (e.g. a group named SAP_SLD_GUEST).
Root Cause Analyses | SAP_XI_DISPLAY_USER | - | Only for XI systems
Root Cause Analyses | SAP_XI_MONITOR | - | Only for XI systems
ST-PI | SAP_SATELLITE_E2E_DISP | - | Display Diagnostics transactions

Roles and profiles are Customizing entries. If profiles are delivered with new or changed authorizations, they have to be transported to your productive client.

Import Authorization Checks

Change Request Management uses the import functions of the Transport Management System (TMS). The TMS remote infrastructure is based on RFC connections that point solely to client 000 of a target system. For this reason, you must make sure that operators and administrators have users both in the client into which changes are imported and in client 000 of these systems.

Automatic Imports

In test systems, it is sometimes necessary that imports are performed automatically. If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. Since S_TMW_IMPORT is delivered empty, you have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are also contained in the authorization object S_CTS_ADMI.

It is then possible to start an import into this system from every satellite system within your domain by using the CPIC user TMSADM; therefore, do not use this method in production systems or in any other security-critical systems.

The system where you want to start the import automatically must share the same transport directory as its preceding system. If the transport directories were different, the user who starts the import would need "addtobuffer" authorizations for the buffer adjustment, which would present a security risk not only for the system concerned, but also for the whole landscape (including the production system).
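Added example, not from the SAP guide: a Python check that walks a constructed export of profile assignments and flags the two risks named above, namely S_TMW_IMPORT with S_CTS_IMPALL/S_CTS_IMPSGL on TMSADM in client 000 of a system that is not a test system, and an auto-import target whose transport directory differs from its preceding system. The record layout, system labels, SIDs and paths are assumptions.

```python
"""Audit for the automatic-import setup (added example, not from the SAP guide).

Walks a constructed export of profile assignments and flags the two risks the
text above names:
  1. TMSADM in client 000 holding S_TMW_IMPORT with S_CTS_IMPALL / S_CTS_IMPSGL
     on a system that is not a test system (production or security-critical);
  2. an auto-import target whose transport directory differs from that of its
     preceding system, which would require "addtobuffer" authorizations.
The record layout, system labels, SIDs and paths are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Authorizations that S_TMW_IMPORT must carry for automatic imports to work.
IMPORT_AUTHS = {"S_CTS_IMPALL", "S_CTS_IMPSGL"}
AUTO_IMPORT_KEY = ("000", "TMSADM", "S_TMW_IMPORT")   # (client, user, profile)


@dataclass
class SapSystem:
    sid: str
    kind: str                      # "DEV", "TEST" or "PROD": constructed label
    trans_dir: str                 # transport directory the system uses
    predecessor: Optional[str]     # SID of the preceding system in the route
    # (client, user, profile) -> authorizations contained in that profile
    profiles: Dict[Tuple[str, str, str], Set[str]] = field(default_factory=dict)


def audit_auto_import(systems: List[SapSystem]) -> List[str]:
    """Return one finding per risk; an empty list means the setup matches the guide."""
    by_sid = {s.sid: s for s in systems}
    findings: List[str] = []
    for s in systems:
        auths = s.profiles.get(AUTO_IMPORT_KEY)
        if auths is None:
            continue                          # S_TMW_IMPORT not assigned to TMSADM/000
        granted = sorted(auths & IMPORT_AUTHS)
        if not granted:
            continue                          # profile still empty, as delivered
        if s.kind != "TEST":
            findings.append(
                f"{s.sid}: TMSADM in client 000 holds {granted} in S_TMW_IMPORT "
                f"on a {s.kind} system; any satellite in the domain can trigger imports")
        pred = by_sid.get(s.predecessor) if s.predecessor else None
        if pred is None:
            findings.append(f"{s.sid}: automatic import enabled but preceding system unknown")
        elif pred.trans_dir != s.trans_dir:
            findings.append(
                f"{s.sid}: transport directory {s.trans_dir} differs from {pred.sid} "
                f"({pred.trans_dir}); imports would need addtobuffer authorization")
    return findings


def sample_landscape() -> List[SapSystem]:
    """Constructed DEV -> TST -> QAS -> PRD route; only PRD violates the guide."""
    shared = "/usr/sap/trans"
    return [
        SapSystem("DEV", "DEV", shared, None),
        SapSystem("TST", "TEST", shared, "DEV",
                  {AUTO_IMPORT_KEY: {"S_CTS_IMPALL", "S_CTS_IMPSGL"}}),
        SapSystem("QAS", "TEST", shared, "TST",
                  {AUTO_IMPORT_KEY: set()}),                # delivered empty
        SapSystem("PRD", "PROD", "/sapmnt/PRD/trans", "QAS",
                  {AUTO_IMPORT_KEY: {"S_CTS_IMPALL"}}),
    ]


if __name__ == "__main__":
    for line in audit_auto_import(sample_landscape()):
        print(line)
```

Feed it the real profile assignments of TMSADM (client 000) per system to confirm that only the intended test systems carry the import authorizations.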

Regarding Change Request Management, the following table shows which transport methods are assigned to the background users in the target client and in client 000. In addition, the table indicates which roles are required for real users when using trusted RFC destinations:


(*) If you want developers within the Change Request Management scenario to start imports into a test system automatically, you must add the profile S_TMW_IMPORT to the user TMSADM in client 000 of the test system. You have to assign it the authorizations S_CTS_IMPALL and S_CTS_IMPSGL, which are contained in S_CTS_ADMI. Do not use this method in production systems or in any other security-critical systems. The system where you want to start the import automatically must share the same transport directory as its preceding system.

For more information:

- Role Maintenance: online documentation (in the SAP Solution Manager system): choose Help -> Application Help -> Solution Manager -> Projects -> Project Preparation -> Roles in Solution Manager
- Change Request Management Roles: online documentation (in the SAP Solution Manager system): Help -> Application Help -> SAP Solution Manager -> Change Request Management -> Roles in Change Request Management
- Authorizations for Customizing: online documentation for the IMG (transaction SPRO) -> chapter Create Solution Manager Configuration User
- Authorizations for Customizing Distribution: online documentation (in SAP Solution Manager, transaction SCDT_SETUP) -> Help -> Application Help -> Customizing Distribution -> Customizing Distribution System Settings

Work Center Roles in the Solution Manager System

As of Solution Manager 7.0 SP15, a number of Work Center roles are delivered. Work Center roles (naming convention: SAP_SMWORK_<Work Center name>) are based on the authorization roles approach (transaction PFCG). Still, in contrast to authorization roles, which contain a number of authorization objects, Work Center roles do not contain any active authorization objects, but only menu entries. The menu entries consist of a two-folder hierarchy. They display the menu hierarchy/entries in the NetWeaver Business Client (NWBC). The first level always consists of the homepage WebDynpro application of the corresponding Work Center (e.g. Incident Management). The second level consists of several related links, such as Service Marketplace etc. Work Center roles are always single roles. They need to be assigned to the user IN ADDITION to the authorization roles for the individual scenarios (e.g. SAP_SUPPDESK_* and SAP_SUPPCF_*) and the single role SAP_SMWORK_BASIC. Work Center roles do not contain authorizations, therefore it is not necessary to generate an authorization profile. If a user is to be assigned more than one Work Center, the single roles can be combined into composite roles according to your needs. In this case, merging the menu entries is not necessary and should not be done.

Each end user who works with Work Centers needs to be assigned role SAP_SMWORK_BASIC. This role provides all the necessary authorizations for the Work Centers themselves, such as authorization for POWL (table control) and navigation. It needs to be fully maintained, including profile generation and user comparison.

The following table provides an overview and mapping of the Work Center roles and standard Solution Manager roles.

INCIDENT MANAGEMENT - Work Center Role: SAP_SMWORK_INCIDENT_MAN

View | Link | Mapping of Authorization Roles
Overview / Messages / Search | - | SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
Reports | - | SAP_SM_SOLUTION_* (in case of solution-dependent reporting), SAP_SOL_REP_*
Common Tasks | New message | SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)
Common Tasks | Search for SAP Note | URL - no authorization check
Common Tasks | Transaction Monitoring | SAP_SUPPDESK_*; (SAP_SUPPCF_* in case of Service Provider)

CHANGE MANAGEMENT - Work Center Role: SAP_SMWORK_CHANGE_MAN

View | Link | Mapping of Authorization Roles
Overview | - | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_* / SAP_CM_*_COMP
Change Request | - | SAP_CM_*_COMP
Hot News | - | SAP_SM_SOLUTION_*
Maintenance Optimizer | - | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*
Test Management | - | SAP_SOL_*_COMP (according to function, e.g. Tester or Test Organizer)
Reports | - | SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Common Tasks | New Change Request | SAP_CM_*_COMP
Common Tasks | New Maintenance Transaction | SAP_MAINT_OPT_* / SAP_SM_SOLUTION_*

IMPLEMENTATION AND UPGRADE - Work Center Role: SAP_SMWORK_IMPL

"Implementation and Upgrade roles" in this table means the roles of the Implementation and Upgrade scenario according to business role (e.g. Project Manager or Technical Consultant).

View | Link | Mapping of Authorization Roles
Overview | Project | Implementation and Upgrade roles; SAP_SOL_*_COMP (Project Administration)
Evaluate | Access Business Map / Download Solution Composer / Access SAP Best Practices | URL - Service Marketplace: no authorization check
Evaluate | Access Business Process Repository | WebDynpro BPR - no authorization check
Evaluate | Access projects | Implementation and Upgrade roles; SAP_SOL_*_COMP (Project Administration)
Evaluate | Access Solution Directory | SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
Plan | Projects | Implementation and Upgrade roles; SAP_SOL_*_COMP (Project Administration)
Plan | Roadmap | Implementation and Upgrade roles; SAP_SOL_*_COMP (Roadmap); changing of Roadmaps: SAP_RMDEF_RMAUTH_*
Plan | Business Blueprint | Implementation and Upgrade roles; SAP_SOL_*_COMP (Business Blueprint)
Build | Configuration | Implementation and Upgrade roles; SAP_SOL_*_COMP (Business Blueprint)
Build | E-Learning | Implementation and Upgrade roles; SAP_SOL_*_COMP (E-Learning)
Build | Customizing Distribution | Implementation and Upgrade roles; SAP_SOL_*_COMP (Customizing Distribution)
Build | BC-Sets | No authorization check
Test | E-Learning Management | SAP_SOL_TRAINING_*
Test | General Infrastructure: Cutover to Test (transaction SOLMAN_DIRECTORY "Solution Directory") | SAP_SOLMAN_DIRECTORY_*
Going Live Preparation | Go to Solution Directory | SAP_SOLMAN_DIRECTORY_*
Going Live Preparation | Going Live Check | URL - no authorization check
Going Live Preparation | SAP EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_OP_DSWP_EWA
Reports | - | Implementation and Upgrade roles; SAP_SOL_*_COMP
Common Tasks | Roadmap | Implementation and Upgrade roles; SAP_SOL_*_COMP (Roadmap); changing (define and maintain) of Roadmaps: SAP_RMDEF_RMAUTH_*
Common Tasks | System Landscape | SAP_SMSY_*
Common Tasks | Project Administration | Implementation and Upgrade roles; SAP_SOL_*_COMP (Project Administration)
Related Links | Learning Maps | Implementation and Upgrade roles; SAP_SOL_*_COMP (E-Learning)

JOB MANAGEMENT - Work Center Role: SAP_SMWORK_JOB_MAN

View | Link | Mapping of Authorization Roles
Overview | - | SAP_SM_SCHEDULER_ADMIN_*
Job Monitoring | - | SAP_OP_DSWP_BPM / SAP_SM_SOLUTION_*
Job Documentation / Job Scheduling / Reporting / Common Tasks | - | SAP_SM_SCHEDULER_ADMIN_*
Related Links | SAP Central Process Scheduling by Redwood | URL - no authorization check

SERVICE DELIVERY - Work Center Role: SAP_SMWORK_SERVICE_DEV

View | Link | Mapping of Authorization Roles
Overview | - | SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*, SAP_ISSUE_MANAGEMENT_*
SAP Delivered Services / Self Delivered Services | - | SAP_SV_SOLUTION_MANAGER, SAP_SM_SOLUTION_*
Issue and Top Issues / Tasks | - | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
Reports | - | SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Common Tasks | Create Issue / Create Top Issue | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*
Common Tasks | Display Business Process | SAP_OP_DSWP_BPM (correct maintenance needed for display) / SAP_SM_SOLUTION_DIS
Common Tasks | Data Transfer Configuration | No authorization check
Related Links | Solution Manager Operations | SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)

SETUP - Work Center Role: SAP_SMWORK_SETUP

View | Link | Mapping of Authorization Roles
Overview | Selfdiagnosis | SAP_SM_SOLUTION_*
Solution | Solutions (create) | SAP_SM_SOLUTION_*
Solution | Service Connection | SAP_SERVICE_CONNECT
Solution | Solution Transfer | SAP_SOLUTION_TRANSFER
Solution | Operations Setup (EWA) | SAP_SETUP_DSWP_EWA / SAP_SM_SOLUTION_*
Project | Export and Import | SAP_SOLAR_MIGRATION
Project | General project-related tasks | SAP_SOL_*_COMP
Systems | Systems setup | SAP_SMSY_*
Systems | Systems Maintenance | SAP_SOLMAN_DIRECTORY_* / SAP_SM_SOLUTION_*
Systems | RFC Destinations | A template role for SM59 authorizations is not delivered with ST; the role must be created individually.
Systems | Users | Template roles for SU01, PFCG, SU10 or SUIM authorizations are not delivered with ST; the roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
Specific Setup | System Administration | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_CSA
Specific Setup | Service Level Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
Specific Setup | System Monitoring | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
Specific Setup | EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
Specific Setup | Connectivity Monitoring | Transaction SOLUTION_MANAGER (no authorization check)
Specific Setup | IT-Performance Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
Common Tasks | Landscape Maintenance | SAP_SMSY_*
Common Tasks | RFC Connection Error | Transaction SOLUTION_MANAGER (no authorization check)
Common Tasks | Implementation Guide (SPRO) | Profile SAP_ALL
Common Tasks | Solution Manager Migration | SAP_SOLAR_MIGRATION
Related Links | Implementation Guide (SPRO) | Profile SAP_ALL
Related Links | General tasks related to the system configuration of Solution Manager (IMG) | Profile SAP_ALL

SYSTEM ADMINISTRATION - Work Center Role: SAP_SMWORK_SYS_ADMIN

View | Link | Mapping of Authorization Roles
Overview | System (General Infrastructure) | SAP_SMSY_*
Overview | User Management | Template roles for SU01, PFCG, SU10 or SUIM authorizations are not delivered with ST; the roles must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
Overview | Administration Tools | Template roles for non-specific Solution Manager transactions (functionalities) can be found in the documentation for these functionalities.
Setup | CSA | SAP_SETUP_DSWP_CSA / SAP_SM_SOLUTION_*
Setup | Solutions (General Infrastructure) | SAP_SM_SOLUTION_*
Related Links | DBA Cockpit | SAP_BC_DB_ADMIN
Related Links | Landscape Printing Assistant | A template role for transaction PAL authorizations is not delivered with ST; the role must be created individually.
Related Links | Solution Manager Diagnostics | URL - no authorization check
Related Links | Issue Management | SAP_ISSUE_MANAGEMENT_* / SAP_SM_SOLUTION_*

SYSTEM MONITORING - Work Center Role: SAP_SMWORK_SYS_MON

View | Link | Mapping of Authorization Roles
Overview | Systems / solutions | SAP_SMSY_* / SAP_SM_SOLUTION_*
Alert Inbox | System alerts | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
Proactive Monitoring | Systems / solutions | SAP_SMSY_* / SAP_SM_SOLUTION_*; template roles for non-specific Solution Manager transactions (functionalities) can be found in the documentation for these functionalities.
Connectivity Monitoring | RFC Destinations | SAP_SMSY_* / A template role for SM59 authorizations is not delivered with ST; the role must be created individually. Alternatively, role SAP_BC_USER_ADMIN can be used (NOTE: full administration authorization).
Job Monitoring | Job Scheduling | SAP_SM_SCHEDULER_*
Reporting | Tab systems: EWA Reporting | SAP_OP_DSWP_EWA / SAP_SM_SOLUTION_*
Reporting | Tab systems: IT-Performance Reporting | SAP_OP_DSWP_SM / SAP_SM_SOLUTION_*
Reporting | Tab solutions: Service Level Reporting | SAP_OP_DSWP_SLR / SAP_SM_SOLUTION_*
Reporting | Tab solutions: Availability Reporting | SAP_SOL_REP_* / SAP_SM_SOLUTION_*
Setup | System Monitoring | SAP_SETUP_DSWP_* / SAP_SM_SOLUTION_*
Setup | Service Level Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SLR
Setup | EarlyWatch Alert | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_EWA
Setup | Connectivity Monitoring | Transaction SOLUTION_MANAGER (no authorization check)
Setup | IT-Performance Reporting | SAP_SM_SOLUTION_* / SAP_SETUP_DSWP_SM
Setup | Solutions | SAP_SM_SOLUTION_*
Setup | Self Diagnosis | SAP_SM_SOLUTION_*
Related Links | Solution Manager Diagnostics | URL - no authorization check
Related Links | Wily Introscope | URL - no authorization check

SYSTEM LANDSCAPE MANAGEMENT - Work Center Role: SAP_SMWORK_LANDSCAPE_MAN

View | Link | Mapping of Authorization Roles
Overview / Downtime Management / Transport Management / System Installation / Setup | System / solution | SAP_SMSY_* / SAP_SM_SOLUTION_*
Common Tasks | Create solution | SAP_SM_SOLUTION_*
Common Tasks | System Landscape Solution Manager | SAP_SMSY_*
Related Links | Service Connection | SAP_SERVICE_CONNECT

BUSINESS PROCESS AND INTERFACE MONITORING - Work Center Role: SAP_SMWORK_BPM

View | Link | Mapping of Authorization Roles
Overview | Operation Business Process Monitoring | SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
Business Process | Operation Business Process Monitoring / Service Desk Message | SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*; SAP_SUPPDESK_* / SAP_SUPPCF_* (in case of Service Provider)
Alert Inbox | Alert Detail | SAP_OP_DSWP_BPM, SAP_SM_SOLUTION_*
Reports | Solution Directory | SAP_SOLMAN_DIRECTORY_*, SAP_SM_SOLUTION_*
Common Tasks | Setup Business Process Monitoring | SAP_SETUP_DSWP_BPM / SAP_SM_SOLUTION_*
Related Links | Solution Manager Operation - transaction SOLUTION_MANAGER | SAP_SV_SOLUTION_MANAGER (full authorization for Solution Monitoring - Operations and Setup)

ROOT CAUSE ANALYSIS - Work Center Role: SAP_SMWORK_DIAG

View | Link | Mapping of Authorization Roles
Overview / Configuration | Configuration | No authorization check
Related Links | SAP Diagnostics / SAP Diagnostics Setup | URL - no authorization check

Solution Documentation Assistant - Work Center Role: SAP_SMWORK_SDA

View | Link | Mapping of Authorization Roles
Overview | all | SAP_SDA_* ; SAP_SOL_*_COMP
Analysis Projects | all | SAP_SDA_* ; SAP_SOL_*_COMP
Analyses | all | SAP_SDA_* ; SAP_SOL_*_COMP
Related Links | all | SAP_SDA_* ; SAP_SOL_*_COMP

For detailed information on menu entries, see SAP Note 834534

EXAMPLE: System Administrator

The role described below is delivered with Stack 15 as an example role. If you use this role, copy it, maintain all authorization roles and execute the user comparison.

You want your System Administrator to use the Work Centers of Solution Manager. Your System Administrator should maintain your system landscape and take care of the smooth running of all its systems. Therefore, he/she uses the following Work Centers:

- System Landscape Management (Work Center role: SAP_SMWORK_LANDSCAPE_MAN)
- System Monitoring (Work Center role: SAP_SMWORK_SYS_MON)
- System Administration (Work Center role: SAP_SMWORK_SYS_ADMIN)

According to the mapping table above, the Work Center roles for these three Work Centers need to be granted. In addition, the appropriate authorization roles with full authorization are needed:

- Authorizations for Work Centers: SAP_SMWORK_BASIC
- System Landscape Maintenance: SAP_SMSY_ALL
- Solutions: SAP_SM_SOLUTION_ALL
- Setup System Monitoring: SAP_SETUP_DSWP_SM
- Setup System Administration: SAP_SETUP_DSWP_CSA
- Operations System Monitoring: SAP_OP_DSWP_SM
- Operations System Administration: SAP_OP_DSWP_CSA
- Service Connection: SAP_SERVICE_CONNECT


Roles for transactions that are not delivered with Solution Manager (ST) are not included, nor are the roles for Issue Management, Job Scheduling and Availability Reporting.

All roles were then included in the composite role SAP_SMWORK_ADMINISTRATOR_COMP for the System Administrator, and the user comparison was executed.
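Added example, not part of the SAP guide: a Python consistency check for a user's role set, based on the System Administrator example above. It verifies that each Work Center role is accompanied by SAP_SMWORK_BASIC and by authorization roles matching the mapping table, and that every authorization role has a generated profile; the composite-role contents and user records are constructed.

```python
"""Consistency check for Work Center role assignments (added example, not from the SAP guide).

A Work Center role (SAP_SMWORK_*) carries only menu entries, so a user holding one
also needs SAP_SMWORK_BASIC plus authorization roles from the mapping table, and
every authorization role needs a generated profile. REQUIRED encodes the System
Administrator example above; the composite role contents and user records are
constructed for this example.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Set

BASIC_ROLE = "SAP_SMWORK_BASIC"
WC_PREFIX = "SAP_SMWORK_"

# Work Center role -> patterns (mapping-table wildcards); at least one assigned
# role must match each pattern. Taken from the System Administrator example.
REQUIRED: Dict[str, List[str]] = {
    "SAP_SMWORK_LANDSCAPE_MAN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*", "SAP_SERVICE_CONNECT"],
    "SAP_SMWORK_SYS_MON": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*",
                           "SAP_SETUP_DSWP_SM", "SAP_OP_DSWP_SM"],
    "SAP_SMWORK_SYS_ADMIN": ["SAP_SMSY_*", "SAP_SM_SOLUTION_*",
                             "SAP_SETUP_DSWP_CSA", "SAP_OP_DSWP_CSA"],
}

# Constructed composite role, following the example's SAP_SMWORK_ADMINISTRATOR_COMP.
COMPOSITES: Dict[str, List[str]] = {
    "SAP_SMWORK_ADMINISTRATOR_COMP": [
        "SAP_SMWORK_LANDSCAPE_MAN", "SAP_SMWORK_SYS_MON", "SAP_SMWORK_SYS_ADMIN",
        BASIC_ROLE, "SAP_SMSY_ALL", "SAP_SM_SOLUTION_ALL", "SAP_SETUP_DSWP_SM",
        "SAP_SETUP_DSWP_CSA", "SAP_OP_DSWP_SM", "SAP_OP_DSWP_CSA", "SAP_SERVICE_CONNECT",
    ],
}


def resolve(user_roles: Iterable[str], composites: Dict[str, List[str]]) -> Set[str]:
    """Expand composite roles to the single roles they contain."""
    resolved: Set[str] = set()
    for role in user_roles:
        resolved.update(composites.get(role, [role]))
    return resolved


def is_work_center_role(role: str) -> bool:
    # SAP_SMWORK_BASIC is an authorization role despite the prefix.
    return role.startswith(WC_PREFIX) and role != BASIC_ROLE


def check_work_center_user(user_roles: Iterable[str], generated_profiles: Iterable[str],
                           composites: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return problems with the assignment; an empty list means it is complete."""
    roles = resolve(user_roles, composites or {})
    generated = set(generated_profiles)
    problems: List[str] = []
    wc_roles = sorted(r for r in roles if is_work_center_role(r))
    if wc_roles and BASIC_ROLE not in roles:
        problems.append(f"missing {BASIC_ROLE}, required by every Work Center user")
    for wc in wc_roles:
        for pattern in REQUIRED.get(wc, []):
            if not any(fnmatchcase(r, pattern) for r in roles):
                problems.append(f"{wc}: no authorization role matching {pattern}")
    # Work Center roles need no profile; every other role must have one generated.
    for r in sorted(roles):
        if not is_work_center_role(r) and r not in generated:
            problems.append(f"{r}: authorization profile not generated")
    return problems


if __name__ == "__main__":
    complete = check_work_center_user(["SAP_SMWORK_ADMINISTRATOR_COMP"],
                                      COMPOSITES["SAP_SMWORK_ADMINISTRATOR_COMP"], COMPOSITES)
    print("administrator:", complete or "complete")
    for problem in check_work_center_user(["SAP_SMWORK_SYS_MON", "SAP_SMSY_ALL"], ["SAP_SMSY_ALL"]):
        print("partial user:", problem)
```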

SLD (System Landscape Directory) Security Roles

If you have attached the System Landscape Directory, you need to generate roles for the following SLD users for the communication between ABAP and Java:

SLD User | Role | Purpose
SLDAPIUSER | No role required | To send data from SAP Solution Manager to SLD
SAPJSF (Service User) | SAP_BC_JSF_COMMUNICATION_RO | To read data from SLD
- | SAP_BC_AI_LANDSCAPE_DB_RFC | Context: application integration infrastructure. This role enables write access to the database tables of the SAP System Landscape Directory (SLD). The role has to be assigned to the user who makes the RFC calls from the SLD.
J2EE_ADMIN (Service User) | SAP_J2EE_ADMIN | Role that is assigned to the users that are to have administrator rights in a connected SAP J2EE Engine. Used to attach a local UME to the central ABAP user management.
J2EE_GUEST (Service User) | SAP_J2EE_GUEST | Role that is assigned to the users that are to have guest authorizations in a connected SAP J2EE Engine.


SLM (Software Lifecycle Manager) Security Roles

The security roles in the SLM are analogous to the security roles in the SLD. For detailed information, see: help.sap.com/nw70 -> Functional View -> Solution Life Cycle Management -> Software Life Cycle Management.

S-User Authorization

The S-user is used for accessing SAP internal systems via special RFC destinations like SAP-OSS and SAP-OSS-LIST-O01 (see chapter Communication Destinations). Background jobs (see chapter Background Jobs) control the access via RFC destinations and the data communication. S-users (that have the correct authorizations) are needed to open the gate and trigger dedicated functions on the SAP side. For several use cases it is necessary to assign an SAP Support Portal contact to the SAP Solution Manager system users who will communicate with the SAP Support Portal via RFC destination SAP-OSS. The contact you maintain corresponds to the S-user in the SAP Support Portal without the leading 'S'. See: IMG (transaction SPRO) activity Assign S-User for SAP Support Portal functionality (SOLMAN_PROFILE_PARAM).

For the customer-specific RFC connection (scenario: Service Provider) no authorization for the assigned S-user is necessary.

In the SAP Support Portal, your S-user needs to have the following authorizations for the individual functionalities:

Functionality | Authorization

Service Desk and Expert-on-Demand
Create message | ANLEG (Create SAP message)
Create and send messages | GOSAP (Send to SAP)
Confirm messages | QUITT (Confirm SAP message)
Display/change Secure Area | PWDISP (Display Secure Area), PWCHGE (Change Secure Area)

Value Added Reseller: Download Data from SAP
Administration Authorization | ADMIN
Maintain all Logon Data | Value GLOBAL
Maintain User Data | USER
Maintain System Data | INSTPROD

Value Added Reseller: Customer
Maintain System Data | INSTPROD

Service Desk and Expert-on-Demand
Create message | ANLEG (Create SAP message)
Send messages | GOSAP (Send to SAP), WAUFN (Reopen SAP message)
Confirm messages | QUITT (Confirm SAP message)
Display/change Secure Area | PWDISP (Display Secure Area), PWCHGE (Change Secure Area)

Service Connection
Open Service Connections | SVER (Open Service Connection)
Setup/migrate a Service Connection | SVER (Open Service Connection), INSTPROD (Maintain System Data)

SAP HotNews
SAP Notes search | NOTES (Search for notes)

BackgroundjobsAs soon as a Solution is created within the Solution Manager system the backgroundjob SM:SCHEDULERwith program RDSWPJOBSCHEDULER is automatically started. This program executes all programs whichare marked as active in table DSWPJOB. You should not alter configurations in this table. See as well SAPNote 894279.The following table provides an overview over all backgroundjobs, whether they are included in DSWPJOBand which RFC connection is used:Backgroundjob/ program, report Use RFC Connection used (see as

well chapter CommunicationDestinations)

SERVICE DELIVERY

SM:GET CSN COMPONENTS/DSWP_GET_CSN_COMPONENTS

Transfer CSN Components to Solution Manager(DSWPJOB)

SAPOSS

SM:SYNC SOLMAN INFO/RDSMOPSERVICEINFOS

Self-Service: Components used by customers(DSWPJOB)

SAPOSS

SM:TOP ISSUE TRANSFER/RDSWPCI_TOPISSUE_TRANSFER

This transfers the top issues that you haveexchanged with SAP once a week. (DSWPJOB)

SAP-OSS

SM:SURVEY TRANSFER/RDSWPCI_SURVEY_TRANSFER

This transfers the questionnaires for customersatisfaction with the service session and issueprocessing to SAP. (DSWPJOB)

SAP-OSS

SM:SEND_SOLUTIONS_TO_SAP/RDSMOPCOLLECTSOLUTIONDATA

This report sends the data of the respectivelyconfigured solutions to SAP (DSWPJOB)

SAP-OSS

SM_SYNC_SAP SESSIONS/RDSWPCISERVICEPLAN;RDSMOPSERVICESESSIONSRDSWPBACKGROUNDSERVICES_4;RDSWPBACKGROUNDSERVICES_3;

Get Serviceplan from SAP (DSWPJOB ->RDSMOPSERVICESESSIONS;RDSWPBACKGROUNDSERVICES_4 andRDSWPBACKGROUNDSERVICES_3 non-active) The session scheduling in the serviceplan is updated daily by SAP. This report isnecessary to receive service plans from SAP

SAP-OSS

SM:FILL ISSUE BUFFER TABLE/DSWP_CI_ISSUE_BUFFER_TABLE

Fill Issue Buffer Table (DSWPJOB)

SM:MIGRATE_ISSUE_PROJECT_CONTEXT/RDSWPCI_ISSUE_PROJECT_CONTEXT1

(DSWPJOB)

SM:SYNC ISSUES FROM CRM/RDSWP_ISSUE_REFRESH

Table DSWPISSUE contains information fromthe CRM document and the support message(Context). This table is updated. (DSWPJOB)

SOLMAN_ISSUE_STATUS_REFRESH/RBM_REFOBJ_BUFFER_UPDATE

The SAP Solution Manager buffers messageattributes such as the current user and theprocessing status. This periodic job collectsthese message attributes from the messagesystem and makes them available for analysis.

SERVICE DESK

SM:RNOTIFUPDATE01/RNOTIFUPDATE01

This refreshes the contents of Support Desk orExpert-on-Demand messages that have beenprocessed by SAP. Recommendation:Deactivate this job and schedule a customer-specific variant (DSWPJOB).

SAP-OSS-LIST-O01

SM:GET CSN COMPONENTS/DSWP_GET_CSN_COMPONENTS

Transfer CSN Components to Solution Manager(DSWPJOB)

SAPOSS

AI_SDK_FILL_FILE_TYPE_TABLE/AI_SDK_FILL_FILE_TYPE_TABLE

Only specified file types can be sent to SAP, forsecurity reasons, all other attachments sent toSAP are refused by SAP. For SAP being able toread all the attachments which you send with

SAP-OSS

Page 40: SAP Security - Solution Manager

Security Guide: SAP Solution Manager 7.0 as of SP16

40 April 2008

Backgroundjob/ program, report Use RFC Connection used (see aswell chapter CommunicationDestinations)

your message, the program updates the file typetables AISDK_FILETX and AISDK_FILETY.

SOLUTION MONITORING

/BDL/TASK_PROCESSOR Starts all necessary tasks (Maintenance Task) insatellite systems for Service sessions (e.g.EWA) (automatically scheduled when SDCCN isactivated in Satellite system

TRUSTED or LOGIN

SM:EXEC SERVICES/RDSMOPBACK_AUTOSESSIONS

Executes Service sessions in Solution ManagerCarries out services daily (or weekly) andschedule new services (DSWPJOB)

SM:CSA SESSION REFRESH/DSVAS_APPL_CSA_REORG_TASKTABLE;RDSMOPSOL_MONIREFRESH

CSA Session Refresh (DSWPJOB) The CentralSystem Administration (CSA) session is openedin the background and processed every hour.This updates the task status icons in the SAPSolution Manager graphic.

SM:CSA UPDATE TASKSTATUS/DSVAS_APPL_CSA_UPD_TASKSTATUS

CSA Task Status Update (DSWPJOB) updatesstatus symbols of CSA tasks in the graphicaloverview of systems

SM:CSDCC HANDLE TASKS/RCSDCCHANDLETASKS

(DSWPJOB)

SM:SESSIONS RESET/RDSMOP_SESSSION_RESET

Session initialization. The set-up sessions areautomatically reset after a new ST-SER releaseis implemented or after a new Support Packageis imported. This ensures that these sessionsalways run on the newest check source code(DSWPJOB)

SM:MIGRATE EWACUSTOMIZING/RDSWPMIGRATEEWACUSTOMIZING

Migrate EWA Customizing (DSWPJOB)

SM:SET DEFAULT RATING/RDSWPSETDEFAULTRATINGHIERARCHY

Set default rating (DSWPJOB -> Non-active)

SM:SOLMAN MONITORING/RDSWP_FILL_CCMS_ALERTS

Supplies the monitoring object of the CCMS forevery solution with data from the SolutionManager, for example EWA, SL Reporting andTransaction SDCCN. (DSWPJOB)

TRUSTED or READ

SM:DOWNLOAD DELETION/RDSWPDOWNLOADDELETION

The download data which is more than 30 daysold, is deleted (DSWPJOB)

Program name:RDSWP_DTM_UPDATE_DT_STATUS

To update downtime status. To be run daily, at00:00 to 00:10 hrs; Period : 1.

CHANGE REQUEST MANAGEMENT

SM:TMWFLOW_CMSSYSCLO//TMWFLOW/CMSSYSCOL2

gets tracking data from systems, asynchronously(DSWPJOB)

READ; TMWFLOW

ROOT CAUSE ANALYSIS

SM:SOLMAN_DIAG_UPDATE/RSOLDIAG_CHECK_FOR_UPDATE

Checks your Solution Manager and notifies itabout the changes made to relevant data andparameters. (DSWPJOB)

IMPLEMENTATION (DOCUMENT MAMANGEMENT)

Jobname (customer-specific)/ RSTIRIDX Asynchronous indexing and de-indexing forDocument Management (manually, see alsoIMG -> Scenario-specific settings -> Cross-scenario -> Document Management -> Servers -> Connect Index Server for Full Text Search)

SM:ACCELERATE DOC USAGE/RDMD_ACCELERATE_DOC_USAGE

Accelerates the where-used list for documents inthe Solution. (DSWPJOB)

THIRD PARTY PRODUCTS

Jobname (customer-specific) /RS_SM_QC_REQUIREMENT_SYNC and

SAP Quality Center by HP send TestRequirements and receive Test Results(manually, see IMG -> Scenario-specific Settings

Page 41: SAP Security - Solution Manager

Security Guide: SAP Solution Manager 7.0 as of SP16

April 2008 41

Backgroundjob/ program, report Use RFC Connection used (see aswell chapter CommunicationDestinations)

RS_SM_QC_TESTRESULT_SYNC -> Third Party Integration -> SAP Quality Centerby HP

GENERAL INFRASTRUCTURE

REFRESH_ADMIN_DATA_FROM_SUPPORT / AI_SC_REFRESH_READ_ONLY_DATA
Use: Periodically reads administrative data from the SAP Support Portal (system data synchronization in SMSY)
RFC connection used: SAP-OSS

SEND_SYSTEM_RELATIONSHIP_TO_SUPP / AI_SC_SEND_SYSTEM_RELATIONSHIP
Use: Periodically sends information about which systems are managed by Solution Manager
RFC connection used: SAP-OSS

SERVICE_CONNECTION_LISTENER / AI_SC_LISTENER
Use: Periodically checks in Solution Manager whether a service connection is planned to be opened
RFC connection used: SAP-OSS

LANDSCAPE FETCH / RSGET_SMSY
Use: The job gets system data for the Solution Manager system landscape by automatic data transfer from TMS/RFC or the System Landscape Directory (SLD); default: TMS/RFC

SM:SYNC CONTENT FROM SAP / RDSWPBACKGROUNDSERVICES_1
(DSWPJOB -> non-active)

SM:MIGRATE_LANG_DEP_SAPSCRIPT / MIGRATE_LANG_DEP_SAPSCRIPT; RMIGRATE_LANG_DEP_SAPSCRIPT
(DSWPJOB -> MIGRATE_LANG_DEP_SAPSCRIPT non-active)
RFC connection used: -

SM:CLEAR ARCHIVED DATA / RDARCH_CLEAN_DATABASE
(DSWPJOB -> non-active)

SM:DYNAMIC TABU UPDATE / RDMD_DYNAMIC_TABU_UPDATE
Use: Updates the table contents that are necessary to operate the Solution Manager. (DSWPJOB)

SM:DMD CONSISTENCY / RDMD_INCONSISTENCIES
Use: Checks the data model of a solution for inconsistencies (DSWPJOB)

RDMD_INCONSISTENCIES / RDMD_MIGRATE_OBJS_2_LANG_INDEP
(DSWPJOB)

SM:REMOVE INCONSISTENCIES / RDMD_REMOVE_INCON
Use: Removes inconsistencies in the data model (DSWPJOB)

SM:REORG APPLICATION LOG / RDMD_REORG_APPLICATION_LOG
Use: Reorganization of the application log (DSWPJOB)

SM:REFRESH ENTRYSCREEN / RDSMOPSOLUTIONLISTUPDATE
Use: Update of the solution list: the status of every solution is determined for the overview list of all solutions (the access screen in transaction SOLUTION_MANAGER) (DSWPJOB)

SM:SERVICE ASSISTANT EVENTS / RDSVAS_EXECUTE_EVENTS
(DSWPJOB -> non-active)

SM:HOURLY SERVICES / RDSWPBACKGROUNDSERVICES_3
(DSWPJOB -> non-active)

SM:UPDATE RULES / RDSWPRULESUPDATE
Use: A set of rules controls the services and documents that can be offered for the information about system infrastructure and processes that is maintained in the Solution Manager. (DSWPJOB)

SM:SELFDIAGNOSIS / RDSWP_SELF_DIAGNOSIS
Use: Update self-diagnosis (DSWPJOB)

SM:MIGRATE SESS DL. / RDSWP_SSA_MIGRATE_SESS_DL
(DSWPJOB)

SM:MOVE TO ARCHIVE QUEUE / RDSWP_SSA_MOVE_2_ARCHIVE_QUEUE
Use: Moves services and sessions to the archive queue (DSWPJOB)

EMAIL_NOTIFICATION (customer-specific) / RSCONN01 (variant SAP&CONNECTALL)
Use: Periodic background job to send queued e-mails (manually scheduled via transaction SCOT; see also IMG -> Cross-scenario settings)

SM:RFC MONITORING / RWBA_RFC_WATCHER
Use: Checks RFC connections. To be run hourly or daily (recommended between 10pm and 4am). The job executes RFCPING or RFC_PING.


Trace and Log Files

This section provides an overview of the trace and log files that contain security-relevant information, for example, so you can reproduce activities if a security breach does occur.

System Landscape: Update logs, RFC logs, data save logs

Solution Manager Implementation: All tabs can be traced. Each change on a tab will be recorded. No changes of the assigned object are logged (except documents). One can specify which project and tab will be traced. Documentation will be versioned by each change.

Solution Manager Operations: Traces are available in the Solution Directory. All tabs can be traced. Each change on a tab will be recorded. No changes of the assigned object are logged (except documents). One can specify which solution will be traced. Documentation will be versioned by each change.

Customizing Distribution: Each distribution is logged. Each distributed object is logged.


APPENDIX

Security Parameters for Individual Scenarios

General Remarks

In the following paragraphs the main scenarios of SAP Solution Manager are described with regard to the above-mentioned security parameters.

For a complete description of all scenarios, see: Master Guide SAP Solution Manager <current release>.

Usage data about which functionality/scenario is used by the customer is sent to SAP. See also: SAP Note 939897 (how to disable this transfer).

Service Delivery

The Service Delivery scenario comprises the following main functionalities:

Service Plan

The Service Plan is the central instance of collaboration with SAP, containing delivered Services and Services that are to be delivered later on. In this regard, customers can accept or deny SAP Services. SAP Services are sent to the customer by SAP, and confirmation of Service Delivery is sent by the customer to SAP via background job or in dialog. If you do not want to send any confirmation for Services to SAP, do not activate this functionality. If no Service Plan information is sent, SAP can only deliver limited Services. Data which is sent:
- GUIDs for Service identification with values YES or NO.
- Delivery date
The Service Plan makes use of WebDynpro applications. In order to deliver Services, an HTTP connection is needed.

Expertise-on-Demand (EoD)

Expertise on Demand describes the demand by a customer for an SAP expert on some topic.

Solution Transfer

When you transfer solutions, all productive data of your chosen solutions is transferred by default. Once you have made your solution known to SAP, its data is regularly updated by a background job. For each individual solution you can decide whether you want to transfer only productive data, all data or no data. To disable it, see SAP Note 920153. During transfer a data download is sent to SAP via DMD_OPEN. This data package is only partially read and used by SAP. Information on logical components and business processes is bundled at SAP per customer. To view the data of a solution, use report RDSMOP_VIEW_SOLUTION_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use Internet Explorer to view this XML file. Solution Transfer makes use of WebDynpro applications.

Service Desk (Service Provider) and Issue Management

Service Desk

The Service Desk allows you to create support messages in the Solution Manager system and all connected satellite systems (see chapter RFC Destinations), send them to SAP, and receive replies from SAP. Communication between Solution Manager and SAP Service and Support is needed. There is also the possibility to connect third-party Service Desks via Web Services. Information on the third-party service desk interface is provided in service.sap.com/solutionmanager -> Media Library -> Technical Papers -> Service Desk Web Service API.

Issue Management

In Issue Management you can distinguish between Top Issues and Issues. Top Issues bundle Issues which contain the same problem. Issues describe potential problems. In contrast to Issues, Top Issues are addressed to management. Issue data is sent via periodic background jobs once a week after the initial transfer. The initial transfer is done in dialog. You can avoid sending data by deleting this job. If no data is sent to SAP, SAP Support cannot deliver proactive support. For information on the Top Issue data which is sent, see SAP Note 971138. To see the data of a Top Issue, use report RDSMOP_VIEW_TOPISSUE_XML to save (as an XML file on your desktop) the information that is sent to SAP. You can then use Internet Explorer to view this XML file. Issue Management makes use of WebDynpro applications.

Implementation and Distribution

The Implementation and Distribution scenario is used for the implementation of customer projects. This scenario includes an implementation roadmap, an editor for creating and maintaining business blueprints, access to the Implementation Guides (IMG), and tools for testing, monitoring and distributing Customizing. Communication between Solution Manager and satellite systems is needed. Satellite systems are connected via RFC.

Solution Monitoring

The Solution Monitoring scenario provides support for functionalities such as Service-Level Reporting, EarlyWatch Alert, System Monitoring and Business Process Monitoring. EarlyWatch Alert contains data on system health. The data is collected automatically in the corresponding satellite system, sent via RFC destination to the Solution Manager system, and then analyzed in Solution Manager. If you want to transfer download data of a service (EarlyWatch Alert and so on) from a satellite system into a Solution Manager system, but your satellite system has no RFC connection to the Solution Manager system, see SAP Note 657306. EarlyWatch Reports are sent to SAP in case of a red rating. You can deactivate this in transaction SOLUTION_MANAGER, Operations Setup -> Solution Monitoring -> EarlyWatch Alert (column Send to SAP). The solution monitoring functionality allows you to monitor the state of multiple solution landscapes. SAP Solution Manager can be used to monitor the satellite systems in a landscape, as well as all the business processes running on them. When the RFC connections are set up, the corresponding RFC destinations for system monitoring (see IMG activity SOLMAN_ASSIGN_RFCS in transaction SPRO) are set up as well. Solution Monitoring makes use of WebDynpro applications.

Change Management

You can use the Maintenance Optimizer to download Support Package Stacks and Support Packages for your various satellite systems. If the RFC connection to SAP or table AISUSER (S-user) is not maintained, it is not possible to download SAP Service and Support Packages.

Currently, the Change Request Management scenario consists of a workflow for implementing urgent corrections and support maintenance. This workflow is the result of an integration between the Service Desk and SAP Change Manager. The workflow starts with the occurrence of an error. This error is reported to the Service Desk. If the error is serious enough to warrant the immediate implementation of a correction (urgent correction), a change request is created. This request is then approved, which results in the creation of a change document.

Root Cause Analysis

SAP Solution Manager Diagnostics provides root cause analysis of incidents in customer solutions powered by SAP NetWeaver. It provides read access to traces and configuration settings of SAP NetWeaver components.


Examples: Authorization Restriction

All examples are also contained in IMG documentation.

Solutions (see also IMG activity: SOLMAN_SYST_INFORMAT)

Maintain One Solution and Display All Other Solutions

Problem: User A needs to use the Maintenance Optimizer for a number of systems which are contained in solution XXX. He/she should not be able to do anything in all other existing solutions, but should be able to see them.

Solution: Role SAP_SM_SOLUTION_DIS needs to be maintained with authorization object D_SOL_VSBL. D_SOL_VSBL needs to be copied and maintained with activity 02 and the solution ID for solution XXX. The role for the Maintenance Optimizer, SAP_MAINT_OPT_ADMIN, is granted as well.

Explanation: D_SOL_VSBL with 03 + * and 02 + <SolutionID> gives authorization to display all solutions but editing rights for only one specific solution. Only within the solution with editing rights is the user able to work with the Maintenance Optimizer.

Create Solution and Display All

Problem: User A should be able to create solutions and display XXX and YYY.

Solution: In role SAP_SM_SOLUTION_ALL authorization object D_SOL_VSBL can be maintained as follows: remove activities 02 + 06 (leaving 01 + 03) for the solution IDs of XXX and YYY.

Explanation: Activity 01 is independent of solution IDs. Activity 03 grants display only for the mentioned solutions.
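To check that a role's D_SOL_VSBL values really give the split between "display all" and "change one" described above before the role is assigned, here is an added Python model of the SAP authorization-check rule (example code written for this guide, not SAP's implementation); the solution ID field name SOL_FIELD is an assumption, since the page does not name that field.

```python
"""Added model (not SAP code) of the authorization-check rule behind the
D_SOL_VSBL examples: a check passes if some authorization on the object covers
every field the check examines; unexamined fields are ignored (so activity 01
needs no solution ID); '*' matches anything, a trailing '*' is a prefix; several
authorizations are OR-ed, but values inside one authorization combine freely."""

# Assumed field name for the solution ID: the page names the object and the
# activity values but not this field.
SOL_FIELD = "SOLUTION_ID"

def value_matches(allowed: str, requested: str) -> bool:
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested

def authority_check(authorizations, obj, checked) -> bool:
    """authorizations: list of (object, {field: [allowed values]});
    checked: {field: requested value} for the fields this check examines."""
    return any(
        auth_obj == obj
        and all(any(value_matches(a, v) for a in fields.get(f, []))
                for f, v in checked.items())
        for auth_obj, fields in authorizations)

# Example 1 (role SAP_SM_SOLUTION_DIS): one authorization with 03 + '*' and
# a copied authorization with 02 + solution XXX.
MAINTAIN_ONE_DISPLAY_ALL = [
    ("D_SOL_VSBL", {"ACTVT": ["03"], SOL_FIELD: ["*"]}),
    ("D_SOL_VSBL", {"ACTVT": ["02"], SOL_FIELD: ["XXX"]}),
]
# Example 2 (role SAP_SM_SOLUTION_ALL): 02 and 06 removed, 01 + 03 kept for XXX, YYY.
CREATE_AND_DISPLAY_TWO = [
    ("D_SOL_VSBL", {"ACTVT": ["01", "03"], SOL_FIELD: ["XXX", "YYY"]}),
]
# Pitfall: folding example 1 into a single authorization pairs every activity
# with every solution value, so 02 + '*' grants change on all solutions.
MERGED_BY_MISTAKE = [
    ("D_SOL_VSBL", {"ACTVT": ["02", "03"], SOL_FIELD: ["*", "XXX"]}),
]

def can_display(auths, solution_id):
    return authority_check(auths, "D_SOL_VSBL", {"ACTVT": "03", SOL_FIELD: solution_id})

def can_change(auths, solution_id):
    return authority_check(auths, "D_SOL_VSBL", {"ACTVT": "02", SOL_FIELD: solution_id})

def can_create(auths):  # creating has no solution yet, so only ACTVT is examined
    return authority_check(auths, "D_SOL_VSBL", {"ACTVT": "01"})
```

The last constant shows why the guide says to copy D_SOL_VSBL rather than add 02 to the existing instance: values inside one authorization are not paired, so 02 together with * is change access to every solution.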

Project Administration (see also IMG activity: SOLMAN_RECOMMEND -> Authorizations -> Project Administration)

Restriction of System Landscape

Problem: The system administrator creates the system landscape for your project. The project manager maintains all other data for the project in the project administration. Your system administrator should not have access to project data other than the system landscape.

Solution: In role SAP_SOL_PROJ_ADMIN_* (contained in composite role SAP_SOL_*_COMP) he/she should receive the value 03 (display) for S_PROJECT and SYST (access to system landscape maintenance in a project) for S_PROJ_GEN.

Digital Signature (see also IMG activity: SOLMAN_DIGSIG_INFORM)

Restriction by Authorization Group

Problem: User A may execute individual signatures to which the authorization group PROD (production) has been assigned, but is not allowed to execute individual signatures with authorization group QUAL (quality assurance).

Solution: In role SAP_SOL_KW_*, authorization object C_SIGN_BGR, he/she is assigned the value PROD for field SIGNAUTH.

Document Management (see also IMG activity: SOLMAN_DOCU_INFORMAT)

Unlocking of Documents

Problem: You want to allow a user to unlock documents which are locked by a status schema.

Solution: This can be controlled with the authorization object S_IWB and the activity 95.

Project Restriction

Problem: You want users who are assigned to a project to only be able to search for, edit or display the documents for this project.

Solution: This can be done with the combination of folder group and project authorizations. When documents are created for a project, the system puts them in a folder group which is assigned to the project and carries its name, e.g. the folder group with the name <XYZ> is assigned to the project <XYZ>. You restrict the following authorization objects:

S_PROJECT with field PROJECT_ID

S_IWB and S_IWB_ATTR with field IWB_FLDGRP

Solution Monitoring (see also IMG activity: SOLMAN_MON_INFORMATI)

Session Restriction

Problem: The authorization object D_SOLMANBU controls the allowed activities for each session (BundleID) for the scenario Solution Monitoring. You want to restrict access to the Self-Service SAP EarlyWatch Health Check. SAP delivers no default role for this session.

Solution: Copy the role SAP_OP_DSWP, and give the authorization object D_SOLMANBU the BundleID EW_SELF.

Monitoring Graphic Restriction

Problem: You want the user to be able to display the Monitoring Graphic, but to have no further access to alerts or CSA sessions.

Solution: In role SAP_OP_DSWP, in authorization object D_SOLM_ACT, remove activities 80 and 81.