Master Data Governance Security Guide

Document Version: 14.09.2012

(C) SAP AG 2

Copyright

© Copyright 2012 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any

purpose without the express permission of SAP AG. The information contained

herein may be changed without prior notice.

No part of this publication may be reproduced or transmitted in any form or for any

purpose without the express permission of SAP AG. The information contained

herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary

software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are

registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5,

System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM,

Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER,

PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV,

GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent

Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered

trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other

countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or

registered trademarks of Adobe Systems Incorporated in the United States and other

countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

(C) SAP AG 3

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and

MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®,

World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-

C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple

Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl,

BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and

BlackBerry App World are trademarks or registered trademarks of Research in

Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google

Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store,

Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik

and Android are trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

(C) SAP AG 4

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects

Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned

herein as well as their respective logos are trademarks or registered trademarks of

SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports,

Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products

and services mentioned herein as well as their respective logos are trademarks or

registered trademarks of Business Objects Software Ltd. Business Objects is an SAP

company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other

Sybase products and services mentioned herein as well as their respective logos are

trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered

trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP

company.

All other product and service names mentioned are the trademarks of their respective

companies. Data contained in this document serves informational purposes only.

National product specifications may vary.

These materials are subject to change without notice. These materials are provided

by SAP AG and its affiliated companies ("SAP Group") for informational purposes

only, without representation or warranty of any kind, and SAP Group shall not be

liable for errors or omissions with respect to the materials. The only warranties for

SAP Group products and services are those that are set forth in the express warranty

statements accompanying such products and services, if any. Nothing herein should

be construed as constituting an additional warranty.

(C) SAP AG 5

Icons in Body Text

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Additional icons are used in SAP Library documentation to help you identify different

types of information at a glance. For more information, see Help on Help General

Information Classes and Information Classes for Business Information Warehouse on the

first page of any version of SAP Library.

Typographic Conventions

Type Style Description

Example text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.

Cross-references to other documentation.

Example text Emphasized words or phrases in body text, graphic titles, and table titles.

EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.

Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.

EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

(C) SAP AG 6

Master Data Governance Security Guide .................................................................. 7

Introduction ............................................................................................................ 7

Before You Start .................................................................................................... 9

Technical System Landscape ................................................................................ 9

User Management and Authentication ................................................................. 10

User Administration .......................................................................................... 10

User Data Synchronization ............................................................................... 13

Integration into Single Sign-On Environments .................................................. 13

Authorizations ...................................................................................................... 14

Network and Communication Security ................................................................. 15

Communication Channel Security .................................................................... 15

Network Security .............................................................................................. 16

Communication Destinations ............................................................................ 17

Use of Virus Scanners ...................................................................................... 17

Data Storage Security .......................................................................................... 17

Enterprise Services Security ................................................................................ 18

Security-Relevant Logs and Tracing .................................................................... 18

Segregation of Duties .......................................................................................... 19

Authorization Objects Used by Master Data Governance .................................... 20

Supplier Master Data Governance (CA-MDG-APP-SUP) ................................. 21

Customer Master Data Governance (CA-MDG-APP-CUS) .............................. 23

Material Master Data Governance (CA-MDG-APP-MM) ................................... 25

Financial Master Data Governance (CA-MDG-APP-FIN) ................................. 27

Custom Objects (CA-MDG-COB) ..................................................................... 29

Appendix ............................................................................................................. 29

(C) SAP AG 7

Master Data Governance Security Guide

The following guide covers the information that you require to operate Master Data

Governance securely. To make the information more accessible, it is divided into a

general part, containing information relevant for all components, and a separate part

for information specific for individual components.

Introduction

This guide does not replace the administration or operation guides that are available

for productive operations.

Target Audience

Technology consultants

Security consultants

System administrators

This document is not included as part of the Installation Guides, Configuration

Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only

relevant for a certain phase of the software life cycle, whereas the Security Guide

provides information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business

data, the demands on security are also on the rise. When using a distributed system,

you need to be sure that your data and processes support your business needs without

allowing unauthorized access to critical information. User errors, negligence, or

attempted manipulation of your system should not result in loss of information or

processing time. These demands on security apply likewise to Master Data

Governance. To assist you in securing Master Data Governance, we provide this

Security Guide.

Since Master Data Governance is based on and uses SAP NetWeaver technology, it is

essential that you consult the Security Guide for SAP NetWeaver. See SAP Service

Marketplace at http://service.sap.com/securityguide SAP NetWeaver .

For all Security Guides published by SAP, see SAP Service Marketplace at

http://service.sap.com/securityguide.

Overview of the Main Sections

The Security Guide comprises the following main sections:

Before You Start

(C) SAP AG 8

This section contains information about why security is necessary, how to use

this document, and references to other Security Guides that build the

foundation for this Security Guide.

Technical System Landscape

This section provides an overview of the technical components and

communication paths that are used by Master Data Governance.

User Management and Authentication

This section provides an overview of the following user administration and

authentication aspects:

o Recommended tools to use for user management

o User types that are required by Master Data Governance

o Standard users that are delivered with Master Data Governance

o Overview of the user synchronization strategy

o Overview of how integration into Single Sign-On environments is

possible

Authorizations

This section provides an overview of the authorization concept that applies to

Master Data Governance.

Network and Communication Security

This section provides an overview of the communication paths used by Master

Data Governance and the security mechanisms that apply. It also includes our

recommendations for the network topology to restrict access at the network

level.

Data Storage Security

This section provides an overview of any critical data that is used by Master

Data Governance and the security mechanisms that apply.

Enterprise Services Security

This section provides an overview of the security aspects that apply to the

enterprise services delivered with Master Data Governance.

Security-Relevant Logging and Tracing

This section provides an overview of the trace and log files that contain

security-relevant information, for example, so you can reproduce activities if a

security breach does occur.

Appendix

This section provides references to further information.

(C) SAP AG 9

Before You Start

This table contains the most important SAP notes concerning the safety of Master

Data Governance.

Title SAP

Note Comment

Code injection vulnerability in

UAC_ASSIGNMENT_CONTROL_TEST 1493809 MDG and XBRL

Data can be displayed without authorization 1489976

MDG (Financial Master

Data Governance, CA-

MDG-APP-FIN)

More Information

For more information about specific topics, see the sources in the table below.

Content Quick Link on SAP Service Marketplace or SDN

Security http://sdn.sap.com/irj/sdn/security

Security Guides http://service.sap.com/securityguide

Related Notes http://service.sap.com/notes

http://service.sap.com/securitynotes

Allowed platforms http://service.sap.com/pam

Network security http://service.sap.com/securityguide

SAP Solution Manager http://service.sap.com/solutionmanager

SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver

Technical System Landscape

For information about the technical system landscape, see the sources listed in the

table below.

Subject Guide/Tool Quick Link to SAP Service Marketplace

Technical description Master Guide http://service.sap.com/instguides SAP

(C) SAP AG 10

of Master Data

Governance and the

underlying technical

components, such as

SAP NetWeaver

Business Suite Applications SAP Master Data

Governance

High availability

High

Availability

for SAP

Solutions

http://sdn.sap.com/irj/sdn/ha

Design of technical

landscape

See available

documents http://sdn.sap.com/irj/sdn/landscapedesign

Security See available

documents http://sdn.sap.com/irj/sdn/security

User Management and Authentication

Master Data Governance uses the user management and authentication mechanisms of

the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server.

Therefore, the security recommendations and guidelines for user management and

authentication that are described in the security guide for SAP NetWeaver

Application Server for ABAP Security Guide also apply to Master Data Governance.

In addition to these guidelines, we also supply information on user management and

authentication that is especially applicable to Master Data Governance in the

following sections:

User Administration

This section details the user management tools, the required user types, and

the standard users that are supplied with Master Data Governance.

User Data Synchronization

The components of Master Data Governance can use user data together with

other components. This section describes how the user data is synchronized

with these other sources.

Integration into Single Sign-On Environments

This section describes how Master Data Governance supports single sign-on-

mechanisms.

User Administration

(C) SAP AG 11

Master Data Governance user management uses the mechanisms provided by SAP

NetWeaver Application Server for ABAP, such as tools, user types, and the password

concept. For an overview of how these mechanisms apply for Master Data

Governance, see the sections below. In addition, we provide a list of the standard

users required for operating components of Master Data Governance.

User Administration Tools

The following table shows the user administration tools for Master Data Governance.

Tool Description

User maintenance for

ABAP-based systems

(transaction SU01)

For more information on the authorization objects

provided by the components of Master Data

Governance, see the component specific section.

Role maintenance with the

profile generator for ABAP-

based systems (PFCG)

For more information on the roles provided by Master

Data Governance, see the component specific section.

For more information, see User and Role Administration

of Application Server ABAP

Central User Administration

(CUA) for the maintenance

of multiple ABAP-based

systems

For more information, see Central User Administration.

User Management Engine

for SAP NetWeaver AS

Java (UME)

Administration console for maintenance of users, roles,

and authorizations in Java-based systems and in the

Enterprise Portal. The UME also provides persistence

options, such as ABAP Engine. For more information,

see User Management Engine.

Note

For more information on the tools that SAP provides for user administration with SAP

NetWeaver, see SAP Service Marketplace at http://service.sap.com/securityguide

SAP NetWeaver 7.0 Security Guides (Complete) Release User Administration

and Authentication .

End of the note.

User Types

It is often necessary to specify different security policies for different types of users.

For example, your policy may specify that individual users who perform tasks

interactively have to change their passwords on a regular basis, but not those users

under which background processing jobs run.

User types required for Master Data Governance include, for example:

Individual users

(C) SAP AG 12

o Dialog users

Dialog users are used for SAP GUI for Windows.

o Internet users for Web applications

Same policies apply as for dialog users, but used for Internet

connections.

Technical users:

o Service users are dialog users who are available for a large set of

anonymous users (for example, for anonymous system access via an

ITS service).

o Communication users are used for dialog-free communication between

systems.

o Background users can be used for processing in the background.

For more information about user types, see User Types in the Security Guide for SAP

NetWeaver AS ABAP.

Standard Users

The following table shows the standard users that are necessary for operating Master

Data Governance.

System User ID Type Password Additional

Information

SAP Web

Application

Server

(sapsid)adm SAP system

administrator Mandatory

SAP NetWeaver

installation guide

SAP Web

Application

Server

SAP Service

(sapsid)adm

SAP system

service

administrator

Mandatory SAP NetWeaver

installation guide

SAP Web

Application

Server

SAP Standard ABAP

Users (SAP*, DDIC,

EARLYWATCH,

SAPCPIC)

See SAP

NetWeaver

security guide

SAP NetWeaver

security guide

SAP Web

Application

Server

SAP Standard SAP

Web Application

Server Java Users

See SAP

NetWeaver

security guide

SAP NetWeaver

security guide

SAP ECC SAP Users Dialog users Mandatory

The number of users

depends on the area

of operation and the

business data to be

processed.

(C) SAP AG 13

Note

We recommend that you change the passwords and IDs of users that were created

automatically during the installation.

End of the note.

User Data Synchronization

By synchronizing user data, you can reduce effort and expense in the user

management of your system landscape. Since Master Data Governance is based on

SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP

NetWeaver here. For more information, see the SAP NetWeaver Security Guide on

SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver.

Note

You can use user data distributed across systems by replicating the data, for example

in a central directory such as LDAP.

End of the note.

Integration into Single Sign-On Environments

Master Data Governance supports the single sign-on (SSO) mechanisms provided by

SAP NetWeaver Application Server for ABAP technology. Therefore, the security

recommendations and guidelines for user management and authentication that are

described in the SAP NetWeaver Security Guide also apply to Master Data

Governance.

Master Data Governance supports the following mechanisms:

Secure Network Communication (SNC)

SNC is available for user authentication and provides for an SSO environment when

using the SAP GUI for Windows or Remote Function Calls.

SAP Logon Tickets

Master Data Governance supports the use of logon tickets for SSO when using a Web

browser as the front-end client. In this case, users can be issued a logon ticket after

they have authenticated themselves with the initial SAP system. The ticket can then

be submitted to other systems (SAP or external systems) as an authentication token.

The user does not need to enter a user ID or password for authentication, but can

access the system directly once it has checked the logon ticket. For more information,

see SAP Logon Tickets in the Security Guide for SAP NetWeaver Application Server.

Client Certificates

(C) SAP AG 14

As an alternative to user authentication using a user ID and passwords, users using a

Web browser as a front-end client can also provide X.509 client certificates to use for

authentication. In this case, user authentication is performed on the Web server using

the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be

transferred. User authorizations are valid in accordance with the authorization concept

in the SAP system.

For more information see Client Certificates in the Security Guide for SAP

NetWeaver Application Server. For more information about available authentication

mechanisms, see SAP Library for SAP NetWeaver under User Authentication and

Single Sign-On.

Authorizations

Master Data Governance uses the authorization concept of SAP NetWeaver

Application Server ABAP. Therefore, the security recommendations and guidelines

for authorizations that are described in the Security Guide for SAP NetWeaver

Application Server ABAP also apply to Master Data Governance. You can use

authorizations to restrict the access of users to the system, and thereby protect

transactions and programs from unauthorized access.

The SAP NetWeaver Application Server authorization concept is based on assigning

authorizations to users based on roles. For role maintenance in SAP NetWeaver

Application Server for ABAP, use the profile generator (transaction PFCG), and in

SAP NetWeaver Application Server for Java, the user management console of the

User Management Engine (UME). You can define user-specific menus using roles.

Note

For more information about creating roles, see Role Administration.

End of the note.

Standard Roles and Standard Authorization Objects

SAP delivers standard roles covering the most frequent business transactions. You can

use these roles as a template for your own roles.

For a list of the standard roles and authorization objects used by components of

Master Data Governance, see the section of this document relevant to each

component.

Note

Before using the roles listed, you may want to check whether the standard roles

delivered by SAP meet your requirements.

End of the note.

Authorizations for Customizing Settings

(C) SAP AG 15

You can use Customizing roles to control access to the configuration of Master Data

Governance in the SAP Customizing Implementation Guide (IMG).

Network and Communication Security

Your network infrastructure is extremely important in protecting your system. Your

network needs to support the communication necessary for your business and your

needs without allowing unauthorized access. A well-defined network topology can

eliminate many security threats based on software flaws (at both the operating system

and application level) or network attacks such as eavesdropping. If users cannot log

on to your application or database servers at the operating system or database layer,

then there is no way for intruders to compromise the devices and gain access to the

backend system’s database or files. Additionally, if users are not able to connect to the

server LAN (local area network), they cannot exploit known bugs and security holes

in network services on the server machines.

The network topology for Master Data Governance is based on the topology used by

the SAP NetWeaver platform. Therefore, the security guidelines and

recommendations described in the SAP NetWeaver Security Guide also apply to

Master Data Governance. Details that relate directly to SAP ERP Central Component

are described in the following sections:

Communication Channel Security

This section contains a description of the communication channels and

protocols that are used by the components of Master Data Governance.

Network Security

This section contains information on the network topology recommended for

the components of Master Data Governance. It shows the appropriate network

segments for the various client and server components and where to use

firewalls for access protection. It also contains a list of the ports required for

operating the subcomponents of Master Data Governance.

Communication Destinations

This section describes the data needed for the various communication

channels, for example, which users are used for which communications.

For more information, see the following section in the SAP NetWeaver Security

Guide: Security Guides for Connectivity and Interoperability Technologies

Communication Channel Security

Communication channels transfer a wide variety of different business data that needs

to be protected from unauthorized access. SAP makes general recommendations and

(C) SAP AG 16

provides technology for the protection of your system landscape based on SAP

NetWeaver.

The table below shows the communication channels used by Master Data

Governance, the protocol used for the connection, and the type of data transferred.

Communication Path Protocol

Used

Type of Data

Transferred

Data Requiring

Special Protection

Application server to application

server

RFC,

HTTP(S) Integration data Business data

Application server to application

of a third party administrator HTTP(S) Application data

For example,

passwords, business

data

DIAG and RFC connections can be protected using Secure Network Communications

(SNC). HTTP connections are protected using the Secure Sockets Layer protocol

(SSL protocol).

Recommendation

We strongly recommend that you use secure protocols (SSL, SNC).

End of the recommendation.

For more information, see Transport Layer Security und Web Services Security in the

SAP NetWeaver Security Guide.

Network Security

Since Master Data Governance is based on SAP NetWeaver technology, for

information about network security, see the following sections of the SAP NetWeaver

Security Guide at http://help.sap.com SAP ERP Release/Language SAP

NetWeaver Library Administrator's Guide NetWeaver Security Guide Network

and Communication Security Network Services :

Using Firewall Systems for Access Control

Using Multiple Network Zones

If you provide services in the Internet, you should protect your network infrastructure

with a firewall at least. You can further increase the security of your system or group

of systems by placing the groups in different network segments, each of which you

then protect from unauthorized access by a firewall. You should bear in mind that

unauthorized access is also possible internally if a malicious user has managed to gain

control of one of your systems.

Ports

(C) SAP AG 17

Master Data Governance is executed in SAP NetWeaver and uses the ports of AS

ABAP or AS Java. For more information see the corresponding security guides for

SAP NetWeaver in the topics for AS ABAP Ports and AS Java Ports. For information

about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see

the document TCP/IP Ports Used by SAP Applications in SAP Developer Network at

http://sdn.sap.com/irj/sdn/security under Infrastructure Security Network and

Communications Security .

Communication Destinations

The use of users and authorizations in an irresponsible manner can pose security risks.

You should therefore follow the security rules below when communicating between

systems:

Employ the user types system and communication.

Grant a user only the minimum authorizations.

Choose a secure password and do not divulge it to anyone else.

Only store user-specific logon data for users of type system and

communication.

Wherever possible, use trusted system functions instead of user-specific logon

data.

Use of Virus Scanners

If you upload files from application servers into Master Data Governance and you

want to use an virus scanner, a virus scanner must then be active on each application

server. For more information, see SAP Note 964305 (solution A).

Note

Work through the Customizing activities in the Implementation Guide under

the Virus Scan Interface node.

When doing this, use the virus scan profile

/MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered for Master Data

Governance.

End of the note.

When you upload files from the front-end into Master Data Governance, the system

uses the configuration you defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For

more information, see SAP Note 1693981.

Data Storage Security

(C) SAP AG 18

Using Logical Paths and File Names to Protect Access to the File System

Master Data Governance saves data in files in the file system. Therefore, it is

important to explicitly provide access to the corresponding files in the file system

without allowing access to other directories or files (also known as directory

traversal). This is achieved by specifying logical paths and file names in the system

that map to the physical paths and file names. This mapping is validated at runtime

and if access is requested to a directory that does not match a stored mapping, then an

error occurs. In the application-specific part of this guide, there is a list for each

component of the logical file names and paths, where it is specified for which

programs these file names and paths apply.

Activating the Validation of Logical Paths and File Names

The logical paths and file names are entered in the system for the corresponding

programs. For downward compatibility, the validation at runtime is deactivated by

default. To activate the validation at runtime, maintain the physical path using the

transactions FILE (client-independent) and SF01 (client-dependent). To determine

which paths are used by your system, you can activate the appropriate settings in the

Security Audit Log.

More Information

Logical File Names

Protecting Access to the File System

Security Audit Logs

For information about data storage security, see the SAP NetWeaver Security Guide

at http://help.sap.com SAP NetWeaver Release/Language SAP NetWeaver

Library Administrator’s Guide NetWeaver Security Guide Security Guides for

the Operating System and Database Platforms

Enterprise Services Security

The following sections in the NetWeaver Security Guide are relevant for Master Data

Governance:

Web Services Security Guide

Recommended WS Security Scenarios

Security-Relevant Logs and Tracing

(C) SAP AG 19

The trace and log files of Master Data Governance use the standard mechanisms of

SAP NetWeaver. For more information, see the following sections in the SAP

NetWeaver Security Guide at http://service.sap.com/securityguide:

Auditing and Logging

Tracing and Logging (AS Java)

Segregation of Duties

Segregation of duties can be achieved by assigning roles to users and in addition by a

strict separation of the user groups for the workflow.

Activities

Assigning Roles to Users

You can assign roles to a user using the following transactions:

User Maintenance SU01

Use this transaction to assign one or more roles to one user.

Role Maintenance PFCG

Use this transaction to assign one or more users to one role.

Separating User Groups for the Workflow

Depending on the component of Master Data Governance you intent to configure use

the following Customizing activities to separate the user groups:

MDG-M, MDG-F

Run the Customizing activity under Master Data Governance General

Settings Process Modeling Workflow Rule-Based Workflow Configure

Rule-Based Workflow

MDG-S

Run the Customizing activity under Master Data Governance Master

Data Governance for Supplier Workflow Assign Processor to Change

Request Step Number in BRFplus for Supplier

MDG-C

Depending on the change request step, run the following Customizing

activities under:

o Master Data Governance General Settings Process Modeling

Workflow Other MDG Workflows Assign Processor to Change

Request Step Number (Simple Workflow)

(C) SAP AG 20

o Master Data Governance Master Data Governance for Supplier

Workflow Assign Processor to Change Request Step Number in

BRFplus for Supplier

For further information, see Configuring Master Data Governance for

Customer.

For informations about the corresponding roles, see the documents listed below:

Authorization Objects Used by Master Data Governance

Supplier Master Data Governance (CA-MDG-APP-SUP)

Customer Master Data Governance (CA-MDG-APP-CUS)

Material Master Data Governance (CA-MDG-APP-MM)

Financial Master Data Governance (CA-MDG-APP-FIN)

Custom Objects (CA-MDG-COB)

Authorization Objects Used by Master Data Governance

Authorization Objects

The following authorization objects are used by all components of Master Data

Governance.

Authorization

Object Description

MDG_MDF_TR Master Data: Transport

MDG_IDM Key Mapping

USMD_CREQ

Change Request

Note

Specify a number range for the object USMD_CREQ using

transaction SNRO.

End of the note.

USMD_MDAT Master Data

USMD_UI2 UI Configuration

DRF_RECEIVE Authorization for outbound messages for receiver systems

DRF_ADM Create Outbound Messages

(C) SAP AG 21

Authorization

Object Description

CA_POWL Authorization for iViews for personal object worklists

BCV_SPANEL Execute Side Panel

BCV_USAGE Usage of Business Context Viewer

MDG_DEF Data Export

MDG_DIF Data Import

Caution

For information about component specific authorization objects, see the

corresponding sections:

Supplier Master Data Governance (CA-MDG-APP-SUP)

Customer Master Data Governance (CA-MDG-APP-CUS)

Material Master Data Governance (CA-MDG-APP-MM)

Financial Master Data Governance (CA-MDG-APP-FIN)

Custom Objects (CA-MDG-COB)

End of the caution.

Standard Role

Role Name

SAP_MDG_ADMIN Master Data Governance Administrator

This role contains authorizations needed for administrative tasks and for setting up a

base configuration in all components of Master Data Governance. Some

authorizations enable critical activities. If multiple users in your organization are

entrusted with the administration and configuration of Master Data Governance, we

recommend that you split the role into several roles, each with its own set of

authorizations. The role does not contain the authorizations for the respective master

data transactions.

Supplier Master Data Governance (CA-MDG-APP-SUP)

Authorization Objects

Supplier Master Data Governance does not have dedicated authorization objects, but

instead uses the authorization objects of the business objects Business Partner and

(C) SAP AG 22

Vendor, the authorization objects of the Application Framework for Master Data

Governance, and the authorization objects of the Data Replication Framework.

Authorization Object Description

B_BUPA_GRP

Note

This authorization object is optional. You need to assign

this authorization object only if master data records are to

be specifically protected.

End of the note.

Business Partner:

Authorization Groups

B_BUPA_RLT Business Partner: BP Roles

B_BUPR_BZT

Business Partner

Relationships: Relationship

Categories

F_LFA1_APP Vendor: Application

Authorization

F_LFA1_BEK

Note

This authorization object is optional. You need to assign

this authorization object only if master data records are to

be specifically protected.

End of the note.

Vendor: Account

Authorization

F_LFA1_BUK Vendor: Authorization for

Company Codes

F_LFA1_GEN Vendor: Central Data

F_LFA1_GRP Vendor: Account Group

Authorization

M_LFM1_EKO Purchasing organization in

supplier master data

USMD_MDATH Hierarchy Authorization

Caution

Authorization objects used by all components of Master Data Governance are located

under Master Data Governance (CA-MDG)

(C) SAP AG 23

End of the caution.

Standard Roles

Role Name

SAP_MDGS_MENU_03 Master Data Governance for Supplier: Menu

SAP_MDGS_DISP_03 Master Data Governance for Supplier: Display

SAP_MDGS_REQ_03 Master Data Governance for Supplier: Requester

SAP_MDGS_SPEC_03 Master Data Governance for Supplier: Specialist

SAP_MDGS_STEW_03 Master Data Governance for Supplier: Data Steward

SAP_MDGS_LVC_MENU_03

Master Data Governance for Supplier: Lean

Requester Menu

SAP_MDGS_LVC_REQ_03

Master Data Governance for Supplier: Requester

Menu

If you want to restrict the authorizations for users or roles to specific values, go to

Create Authorizations for Data Model and define which entity types and attributes are

authorization relevant.

Customer Master Data Governance (CA-MDG-APP-CUS)

Authorization Objects

Customer Master Data Governance mainly uses the authorization objects of the

business objects Business Partner and Customer, the authorization objects of the

Application Framework for Master Data Governance, and the authorization objects of

the Data Replication Framework.

Note

Depending on whether you use the Customer Master Data Governance on a hub

system or on a client system a different set of authorization objects is required.

End of the note.

Authorization Object Description Hub Client

B_BUPA_GRP

Note

This authorization object is optional. You need

Business Partner:

Authorization Groups x x

(C) SAP AG 24

Authorization Object Description Hub Client

to assign this authorization object only if master

data records are to be specifically protected.

End of the note.

B_BUPA_RLT Business Partner: BP

Roles x x

B_BUPR_BZT

Business Partner

Relationships:

Relationship Categories

x x

F_KNA1_APP Customer: Application

Authorization x x

F_KNA1_BED

Note

This authorization object is optional. You do

not need to assign this authorization object if no

master records are to be specifically protected.

End of the note.

Customer: Account

Authorization x x

F_KNA1_BUK

Customer:

Authorization for

Company Codes

x x

F_KNA1_GEN Customer: Central Data x x

F_KNA1_GRP Customer: Account

Group Authorization x x

MDGC_LCOPY Copy Customer Master

Data from MDG Hub — x

USMD_MDATH Hierarchy Authorization x —

V_KNA1_VKO

Customer:

Authorization for Sales

Organizations

x x

Caution

Authorization objects used by all components of Master Data Governance are located

under Master Data Governance (CA-MDG)

End of the caution.

(C) SAP AG 25

Standard Roles

Role Name

SAP_MDGC_MENU_03 Master Data Governance for Customer: Menu

SAP_MDGC_DISP_03 Master Data Governance for Customer: Display

SAP_MDGC_REQ_03 Master Data Governance for Customer: Requester

SAP_MDGC_SPEC_03 Master Data Governance for Customer: Specialist

SAP_MDGC_STEW_03 Master Data Governance for Customer: Data Steward

If you want to restrict the authorizations for users or roles to specific values, go to

Create Authorizations for Data Model and define which entity types and attributes are

authorization relevant.

Material Master Data Governance (CA-MDG-APP-MM)

Authorization Objects

Material Master Data Governance does not have dedicated authorization objects, but

instead uses, for example, the authorization objects of the Material Master and the

Application Framework for Master Data Governance.

Authorization Object Description

M_MATE_MAT Material Master: Material

M_MATE_MAR Material Master: Material

Type

M_MATE_WGR Material Master: Material

Group

M_MATE_STA Material Master: Maintenance

Status

M_MATE_MTA Material Master: Change

Material Type

M_MATE_WRK Material Master: Plant

M_MATE_MAN Material Master: Central Data

M_MATE_NEU Material Master: Create

M_MATE_BUK Material Master: Company

(C) SAP AG 26

Authorization Object Description

Codes

M_MATE_VKO

Material Master: Sales

Organization/Distribution

Channel

M_MATE_LGN

Note

This authorization object might become relevant if

you enhance the data model for Material Master Data

Governance.

End of the note.

Material Master: Warehouse

Numbers

USMD_MDATH

Note

You need this authorization object if you create and

change hierarchies.

End of the note.

Hierarchies

C_KLAH_BKL Authorization for

Classification

C_KLAH_BSE Authorization for Selection

C_TCLA_BKA Authorization for Class Types

DRF_RECEIV Authorization for outbound

messages for receiver systems

DRF_ADM Create Outbound Messages

PLM_SPUSR

Note

You need this authorization object for the object type

PLM_MAT only if the search object connector of

SAP NetWeaver Enterprise Search is created for the

following Enterprise Search software components:

PLMWUI

Software components that include PLMWUI

Superuser by Object Type

(C) SAP AG 27

Authorization Object Description

For more information about SAP NetWeaver

Enterprise Search, see SAP NetWeaver Enterprise

Search.

End of the note.

Caution

Authorization objects used by all components of Master Data Governance are located

under Master Data Governance (CA-MDG)

End of the caution.

Standard Roles

Role Name

SAP_MDGM_MENU_03 Master Data Governance for Material: Menu

SAP_MDGM_DISP_03 Master Data Governance for Material: Display

SAP_MDGM_REQ_03 Master Data Governance for Material: Requester

SAP_MDGM_SPEC_03 Master Data Governance for Material: Specialist

SAP_MDGM_STEW_03 Master Data Governance for Material: Data Steward

If you want to restrict the authorizations for users or roles to specific values, go to

Create Authorizations for Data Model and define which entity types and attributes are

authorization relevant.

Financial Master Data Governance (CA-MDG-APP-FIN)

Authorization Objects

Authorization Object Description

USMD_DIST

Note

This authorization object is used if you have not activated

business function MDG_FOUNDATION.

(Switch: FIN_MDM_CORE_SFWS_EHP5)

End of the note.

Distribution

(C) SAP AG 28

Authorization Object Description

USMD_EDTN Edition

USMD_MDATH Hierarchy

Authorization

USMD_UI

Note

This authorization object is used if you have not activated

business function MDG_FOUNDATION.

(Switch: FIN_MDM_CORE_SFWS_EHP5)

End of the note.

UI Model

USMD_UI2

Note

This authorization object is used if you have activated business

function MDG_FOUNDATION. (Switch:

FIN_MDM_CORE_SFW5_EHP5)

End of the note.

UI Configuration for

Single Processing

Caution

Authorization objects used by all components of Master Data Governance are located

under Master Data Governance (CA-MDG)

End of the caution.

Standard Roles

Role Description

SAP_MDGF_MENU_03 Master Data Governance for Financials: Menu

SAP_MDGF_DISP Master Data Governance for Financials: Display

SAP_MDGF_REQ Master Data Governance for Financials: Requester

SAP_MDGF_SPEC Master Data Governance for Financials: Specialist

SAP_MDGF_STEW Master Data Governance for Financials: Data Steward

If you want to restrict the authorizations for users or roles to specific values, go to

Create Authorizations for Data Model and define which entity types and attributes are

authorization relevant.

(C) SAP AG 29

Custom Objects (CA-MDG-COB)

Authorization Objects

You can use the following authorization objects in the Custom Objects component:

Authorization Object Description

USMD_DIST Replication

USMD_DM Data Model

USMD_EDTN Edition Type

USMD_MDATH Hierarchies

USMD_UI UI Model

Caution

Authorization objects used by all components of Master Data Governance are located

under Master Data Governance (CA-MDG)

End of the caution.

Standard Role

Role Name

SAP_MDGX_MENU

Master data governance for self-defined

objects

SAP_MDGX_FND_SAMPLE_SF_03

Master data governance for self-defined

objects - Flight Data Model example

If you want to restrict the authorizations for users or roles to specific values, go to

Create Authorizations for Data Model and define which entity types and attributes are

authorization relevant.

Appendix

For more information about the security of SAP applications see SAP Service

Marketplace at http://service.sap.com/security.

You can also access additional security guides via SAP Service Marketplace at

http://service.sap.com/securityguide.

(C) SAP AG 30

For more information about security issues, see SAP Service Marketplace at

http://service.sap.com followed by:

Topic SAP Service

Marketplace

Master guides, installation guides, upgrade guides, and

Solution Management guides

/instguides

/ibc

Related notes /notes

Platforms /platforms

Network security /network

/securityguide

Technical infrastructure /ti

SAP Solution Manager /solutionmanager