security mdg[1]
DESCRIPTION
Security MDG[1]TRANSCRIPT
Master Data Governance Security Guide
Document Version: 14.09.2012
(C) SAP AG 2
Copyright
© Copyright 2012 SAP AG. All rights reserved.
SAP Library document classification: PUBLIC
No part of this publication may be reproduced or transmitted in any form or for any
purpose without the express permission of SAP AG. The information contained
herein may be changed without prior notice.
No part of this publication may be reproduced or transmitted in any form or for any
purpose without the express permission of SAP AG. The information contained
herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5,
System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM,
Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER,
PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV,
GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent
Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered
trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other
countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or
registered trademarks of Adobe Systems Incorporated in the United States and other
countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
(C) SAP AG 3
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and
MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®,
World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-
C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple
Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl,
BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and
BlackBerry App World are trademarks or registered trademarks of Research in
Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google
Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store,
Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik
and Android are trademarks or registered trademarks of Google Inc.
INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance.
Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC.
Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
(C) SAP AG 4
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects
Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of
SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports,
Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products
and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Business Objects Software Ltd. Business Objects is an SAP
company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other
Sybase products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered
trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP
company.
All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice. These materials are provided
by SAP AG and its affiliated companies ("SAP Group") for informational purposes
only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for
SAP Group products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.
(C) SAP AG 5
Icons in Body Text
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different
types of information at a glance. For more information, see Help on Help General
Information Classes and Information Classes for Business Information Warehouse on the
first page of any version of SAP Library.
Typographic Conventions
Type Style Description
Example text Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options.
Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.
(C) SAP AG 6
Master Data Governance Security Guide .................................................................. 7
Introduction ............................................................................................................ 7
Before You Start .................................................................................................... 9
Technical System Landscape ................................................................................ 9
User Management and Authentication ................................................................. 10
User Administration .......................................................................................... 10
User Data Synchronization ............................................................................... 13
Integration into Single Sign-On Environments .................................................. 13
Authorizations ...................................................................................................... 14
Network and Communication Security ................................................................. 15
Communication Channel Security .................................................................... 15
Network Security .............................................................................................. 16
Communication Destinations ............................................................................ 17
Use of Virus Scanners ...................................................................................... 17
Data Storage Security .......................................................................................... 17
Enterprise Services Security ................................................................................ 18
Security-Relevant Logs and Tracing .................................................................... 18
Segregation of Duties .......................................................................................... 19
Authorization Objects Used by Master Data Governance .................................... 20
Supplier Master Data Governance (CA-MDG-APP-SUP) ................................. 21
Customer Master Data Governance (CA-MDG-APP-CUS) .............................. 23
Material Master Data Governance (CA-MDG-APP-MM) ................................... 25
Financial Master Data Governance (CA-MDG-APP-FIN) ................................. 27
Custom Objects (CA-MDG-COB) ..................................................................... 29
Appendix ............................................................................................................. 29
(C) SAP AG 7
Master Data Governance Security Guide
The following guide covers the information that you require to operate Master Data
Governance securely. To make the information more accessible, it is divided into a
general part, containing information relevant for all components, and a separate part
for information specific for individual components.
Introduction
This guide does not replace the administration or operation guides that are available
for productive operations.
Target Audience
Technology consultants
Security consultants
System administrators
This document is not included as part of the Installation Guides, Configuration
Guides, Technical Operation Manuals, or Upgrade Guides. Such guides are only
relevant for a certain phase of the software life cycle, whereas the Security Guide
provides information that is relevant for all life cycle phases.
Why Is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business
data, the demands on security are also on the rise. When using a distributed system,
you need to be sure that your data and processes support your business needs without
allowing unauthorized access to critical information. User errors, negligence, or
attempted manipulation of your system should not result in loss of information or
processing time. These demands on security apply likewise to Master Data
Governance. To assist you in securing Master Data Governance, we provide this
Security Guide.
Since Master Data Governance is based on and uses SAP NetWeaver technology, it is
essential that you consult the Security Guide for SAP NetWeaver. See SAP Service
Marketplace at http://service.sap.com/securityguide SAP NetWeaver .
For all Security Guides published by SAP, see SAP Service Marketplace at
http://service.sap.com/securityguide.
Overview of the Main Sections
The Security Guide comprises the following main sections:
Before You Start
(C) SAP AG 8
This section contains information about why security is necessary, how to use
this document, and references to other Security Guides that build the
foundation for this Security Guide.
Technical System Landscape
This section provides an overview of the technical components and
communication paths that are used by Master Data Governance.
User Management and Authentication
This section provides an overview of the following user administration and
authentication aspects:
o Recommended tools to use for user management
o User types that are required by Master Data Governance
o Standard users that are delivered with Master Data Governance
o Overview of the user synchronization strategy
o Overview of how integration into Single Sign-On environments is
possible
Authorizations
This section provides an overview of the authorization concept that applies to
Master Data Governance.
Network and Communication Security
This section provides an overview of the communication paths used by Master
Data Governance and the security mechanisms that apply. It also includes our
recommendations for the network topology to restrict access at the network
level.
Data Storage Security
This section provides an overview of any critical data that is used by Master
Data Governance and the security mechanisms that apply.
Enterprise Services Security
This section provides an overview of the security aspects that apply to the
enterprise services delivered with Master Data Governance.
Security-Relevant Logging and Tracing
This section provides an overview of the trace and log files that contain
security-relevant information, for example, so you can reproduce activities if a
security breach does occur.
Appendix
This section provides references to further information.
(C) SAP AG 9
Before You Start
This table contains the most important SAP notes concerning the safety of Master
Data Governance.
Title SAP
Note Comment
Code injection vulnerability in
UAC_ASSIGNMENT_CONTROL_TEST 1493809 MDG and XBRL
Data can be displayed without authorization 1489976
MDG (Financial Master
Data Governance, CA-
MDG-APP-FIN)
More Information
For more information about specific topics, see the sources in the table below.
Content Quick Link on SAP Service Marketplace or SDN
Security http://sdn.sap.com/irj/sdn/security
Security Guides http://service.sap.com/securityguide
Related Notes http://service.sap.com/notes
http://service.sap.com/securitynotes
Allowed platforms http://service.sap.com/pam
Network security http://service.sap.com/securityguide
SAP Solution Manager http://service.sap.com/solutionmanager
SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver
Technical System Landscape
For information about the technical system landscape, see the sources listed in the
table below.
Subject Guide/Tool Quick Link to SAP Service Marketplace
Technical description Master Guide http://service.sap.com/instguides SAP
(C) SAP AG 10
of Master Data
Governance and the
underlying technical
components, such as
SAP NetWeaver
Business Suite Applications SAP Master Data
Governance
High availability
High
Availability
for SAP
Solutions
http://sdn.sap.com/irj/sdn/ha
Design of technical
landscape
See available
documents http://sdn.sap.com/irj/sdn/landscapedesign
Security See available
documents http://sdn.sap.com/irj/sdn/security
User Management and Authentication
Master Data Governance uses the user management and authentication mechanisms of
the SAP NetWeaver platform, and in particular, SAP NetWeaver Application Server.
Therefore, the security recommendations and guidelines for user management and
authentication that are described in the security guide for SAP NetWeaver
Application Server for ABAP Security Guide also apply to Master Data Governance.
In addition to these guidelines, we also supply information on user management and
authentication that is especially applicable to Master Data Governance in the
following sections:
User Administration
This section details the user management tools, the required user types, and
the standard users that are supplied with Master Data Governance.
User Data Synchronization
The components of Master Data Governance can use user data together with
other components. This section describes how the user data is synchronized
with these other sources.
Integration into Single Sign-On Environments
This section describes how Master Data Governance supports single sign-on-
mechanisms.
User Administration
(C) SAP AG 11
Master Data Governance user management uses the mechanisms provided by SAP
NetWeaver Application Server for ABAP, such as tools, user types, and the password
concept. For an overview of how these mechanisms apply for Master Data
Governance, see the sections below. In addition, we provide a list of the standard
users required for operating components of Master Data Governance.
User Administration Tools
The following table shows the user administration tools for Master Data Governance.
Tool Description
User maintenance for
ABAP-based systems
(transaction SU01)
For more information on the authorization objects
provided by the components of Master Data
Governance, see the component specific section.
Role maintenance with the
profile generator for ABAP-
based systems (PFCG)
For more information on the roles provided by Master
Data Governance, see the component specific section.
For more information, see User and Role Administration
of Application Server ABAP
Central User Administration
(CUA) for the maintenance
of multiple ABAP-based
systems
For more information, see Central User Administration.
User Management Engine
for SAP NetWeaver AS
Java (UME)
Administration console for maintenance of users, roles,
and authorizations in Java-based systems and in the
Enterprise Portal. The UME also provides persistence
options, such as ABAP Engine. For more information,
see User Management Engine.
Note
For more information on the tools that SAP provides for user administration with SAP
NetWeaver, see SAP Service Marketplace at http://service.sap.com/securityguide
SAP NetWeaver 7.0 Security Guides (Complete) Release User Administration
and Authentication .
End of the note.
User Types
It is often necessary to specify different security policies for different types of users.
For example, your policy may specify that individual users who perform tasks
interactively have to change their passwords on a regular basis, but not those users
under which background processing jobs run.
User types required for Master Data Governance include, for example:
Individual users
(C) SAP AG 12
o Dialog users
Dialog users are used for SAP GUI for Windows.
o Internet users for Web applications
Same policies apply as for dialog users, but used for Internet
connections.
Technical users:
o Service users are dialog users who are available for a large set of
anonymous users (for example, for anonymous system access via an
ITS service).
o Communication users are used for dialog-free communication between
systems.
o Background users can be used for processing in the background.
For more information about user types, see User Types in the Security Guide for SAP
NetWeaver AS ABAP.
Standard Users
The following table shows the standard users that are necessary for operating Master
Data Governance.
System User ID Type Password Additional
Information
SAP Web
Application
Server
(sapsid)adm SAP system
administrator Mandatory
SAP NetWeaver
installation guide
SAP Web
Application
Server
SAP Service
(sapsid)adm
SAP system
service
administrator
Mandatory SAP NetWeaver
installation guide
SAP Web
Application
Server
SAP Standard ABAP
Users (SAP*, DDIC,
EARLYWATCH,
SAPCPIC)
See SAP
NetWeaver
security guide
SAP NetWeaver
security guide
SAP Web
Application
Server
SAP Standard SAP
Web Application
Server Java Users
See SAP
NetWeaver
security guide
SAP NetWeaver
security guide
SAP ECC SAP Users Dialog users Mandatory
The number of users
depends on the area
of operation and the
business data to be
processed.
(C) SAP AG 13
Note
We recommend that you change the passwords and IDs of users that were created
automatically during the installation.
End of the note.
User Data Synchronization
By synchronizing user data, you can reduce effort and expense in the user
management of your system landscape. Since Master Data Governance is based on
SAP NetWeaver, you can use all of the mechanisms for user synchronization in SAP
NetWeaver here. For more information, see the SAP NetWeaver Security Guide on
SAP Service Marketplace at service.sap.com/securityguide SAP NetWeaver.
Note
You can use user data distributed across systems by replicating the data, for example
in a central directory such as LDAP.
End of the note.
Integration into Single Sign-On Environments
Master Data Governance supports the single sign-on (SSO) mechanisms provided by
SAP NetWeaver Application Server for ABAP technology. Therefore, the security
recommendations and guidelines for user management and authentication that are
described in the SAP NetWeaver Security Guide also apply to Master Data
Governance.
Master Data Governance supports the following mechanisms:
Secure Network Communication (SNC)
SNC is available for user authentication and provides for an SSO environment when
using the SAP GUI for Windows or Remote Function Calls.
SAP Logon Tickets
Master Data Governance supports the use of logon tickets for SSO when using a Web
browser as the front-end client. In this case, users can be issued a logon ticket after
they have authenticated themselves with the initial SAP system. The ticket can then
be submitted to other systems (SAP or external systems) as an authentication token.
The user does not need to enter a user ID or password for authentication, but can
access the system directly once it has checked the logon ticket. For more information,
see SAP Logon Tickets in the Security Guide for SAP NetWeaver Application Server.
Client Certificates
(C) SAP AG 14
As an alternative to user authentication using a user ID and passwords, users using a
Web browser as a front-end client can also provide X.509 client certificates to use for
authentication. In this case, user authentication is performed on the Web server using
the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be
transferred. User authorizations are valid in accordance with the authorization concept
in the SAP system.
For more information see Client Certificates in the Security Guide for SAP
NetWeaver Application Server. For more information about available authentication
mechanisms, see SAP Library for SAP NetWeaver under User Authentication and
Single Sign-On.
Authorizations
Master Data Governance uses the authorization concept of SAP NetWeaver
Application Server ABAP. Therefore, the security recommendations and guidelines
for authorizations that are described in the Security Guide for SAP NetWeaver
Application Server ABAP also apply to Master Data Governance. You can use
authorizations to restrict the access of users to the system, and thereby protect
transactions and programs from unauthorized access.
The SAP NetWeaver Application Server authorization concept is based on assigning
authorizations to users based on roles. For role maintenance in SAP NetWeaver
Application Server for ABAP, use the profile generator (transaction PFCG), and in
SAP NetWeaver Application Server for Java, the user management console of the
User Management Engine (UME). You can define user-specific menus using roles.
Note
For more information about creating roles, see Role Administration.
End of the note.
Standard Roles and Standard Authorization Objects
SAP delivers standard roles covering the most frequent business transactions. You can
use these roles as a template for your own roles.
For a list of the standard roles and authorization objects used by components of
Master Data Governance, see the section of this document relevant to each
component.
Note
Before using the roles listed, you may want to check whether the standard roles
delivered by SAP meet your requirements.
End of the note.
Authorizations for Customizing Settings
(C) SAP AG 15
You can use Customizing roles to control access to the configuration of Master Data
Governance in the SAP Customizing Implementation Guide (IMG).
Network and Communication Security
Your network infrastructure is extremely important in protecting your system. Your
network needs to support the communication necessary for your business and your
needs without allowing unauthorized access. A well-defined network topology can
eliminate many security threats based on software flaws (at both the operating system
and application level) or network attacks such as eavesdropping. If users cannot log
on to your application or database servers at the operating system or database layer,
then there is no way for intruders to compromise the devices and gain access to the
backend system’s database or files. Additionally, if users are not able to connect to the
server LAN (local area network), they cannot exploit known bugs and security holes
in network services on the server machines.
The network topology for Master Data Governance is based on the topology used by
the SAP NetWeaver platform. Therefore, the security guidelines and
recommendations described in the SAP NetWeaver Security Guide also apply to
Master Data Governance. Details that relate directly to SAP ERP Central Component
are described in the following sections:
Communication Channel Security
This section contains a description of the communication channels and
protocols that are used by the components of Master Data Governance.
Network Security
This section contains information on the network topology recommended for
the components of Master Data Governance. It shows the appropriate network
segments for the various client and server components and where to use
firewalls for access protection. It also contains a list of the ports required for
operating the subcomponents of Master Data Governance.
Communication Destinations
This section describes the data needed for the various communication
channels, for example, which users are used for which communications.
For more information, see the following section in the SAP NetWeaver Security
Guide: Security Guides for Connectivity and Interoperability Technologies
Communication Channel Security
Communication channels transfer a wide variety of different business data that needs
to be protected from unauthorized access. SAP makes general recommendations and
(C) SAP AG 16
provides technology for the protection of your system landscape based on SAP
NetWeaver.
The table below shows the communication channels used by Master Data
Governance, the protocol used for the connection, and the type of data transferred.
Communication Path Protocol
Used
Type of Data
Transferred
Data Requiring
Special Protection
Application server to application
server
RFC,
HTTP(S) Integration data Business data
Application server to application
of a third party administrator HTTP(S) Application data
For example,
passwords, business
data
DIAG and RFC connections can be protected using Secure Network Communications
(SNC). HTTP connections are protected using the Secure Sockets Layer protocol
(SSL protocol).
Recommendation
We strongly recommend that you use secure protocols (SSL, SNC).
End of the recommendation.
For more information, see Transport Layer Security und Web Services Security in the
SAP NetWeaver Security Guide.
Network Security
Since Master Data Governance is based on SAP NetWeaver technology, for
information about network security, see the following sections of the SAP NetWeaver
Security Guide at http://help.sap.com SAP ERP Release/Language SAP
NetWeaver Library Administrator's Guide NetWeaver Security Guide Network
and Communication Security Network Services :
Using Firewall Systems for Access Control
Using Multiple Network Zones
If you provide services in the Internet, you should protect your network infrastructure
with a firewall at least. You can further increase the security of your system or group
of systems by placing the groups in different network segments, each of which you
then protect from unauthorized access by a firewall. You should bear in mind that
unauthorized access is also possible internally if a malicious user has managed to gain
control of one of your systems.
Ports
(C) SAP AG 17
Master Data Governance is executed in SAP NetWeaver and uses the ports of AS
ABAP or AS Java. For more information see the corresponding security guides for
SAP NetWeaver in the topics for AS ABAP Ports and AS Java Ports. For information
about other components, such as SAPinst, SAProuter, or SAP Web Dispatcher, see
the document TCP/IP Ports Used by SAP Applications in SAP Developer Network at
http://sdn.sap.com/irj/sdn/security under Infrastructure Security Network and
Communications Security .
Communication Destinations
The use of users and authorizations in an irresponsible manner can pose security risks.
You should therefore follow the security rules below when communicating between
systems:
Employ the user types system and communication.
Grant a user only the minimum authorizations.
Choose a secure password and do not divulge it to anyone else.
Only store user-specific logon data for users of type system and
communication.
Wherever possible, use trusted system functions instead of user-specific logon
data.
Use of Virus Scanners
If you upload files from application servers into Master Data Governance and you
want to use an virus scanner, a virus scanner must then be active on each application
server. For more information, see SAP Note 964305 (solution A).
Note
Work through the Customizing activities in the Implementation Guide under
the Virus Scan Interface node.
When doing this, use the virus scan profile
/MDG_BS_FILE_UPLOAD/MDG_VSCAN, which is delivered for Master Data
Governance.
End of the note.
When you upload files from the front-end into Master Data Governance, the system
uses the configuration you defined for virus scan profile /SIHTTP/HTTP_UPLOAD. For
more information, see SAP Note 1693981.
Data Storage Security
(C) SAP AG 18
Using Logical Paths and File Names to Protect Access to the File System
Master Data Governance saves data in files in the file system. Therefore, it is
important to explicitly provide access to the corresponding files in the file system
without allowing access to other directories or files (also known as directory
traversal). This is achieved by specifying logical paths and file names in the system
that map to the physical paths and file names. This mapping is validated at runtime
and if access is requested to a directory that does not match a stored mapping, then an
error occurs. In the application-specific part of this guide, there is a list for each
component of the logical file names and paths, where it is specified for which
programs these file names and paths apply.
Activating the Validation of Logical Paths and File Names
The logical paths and file names are entered in the system for the corresponding
programs. For downward compatibility, the validation at runtime is deactivated by
default. To activate the validation at runtime, maintain the physical path using the
transactions FILE (client-independent) and SF01 (client-dependent). To determine
which paths are used by your system, you can activate the appropriate settings in the
Security Audit Log.
More Information
Logical File Names
Protecting Access to the File System
Security Audit Logs
For information about data storage security, see the SAP NetWeaver Security Guide
at http://help.sap.com SAP NetWeaver Release/Language SAP NetWeaver
Library Administrator’s Guide NetWeaver Security Guide Security Guides for
the Operating System and Database Platforms
Enterprise Services Security
The following sections in the NetWeaver Security Guide are relevant for Master Data
Governance:
Web Services Security Guide
Recommended WS Security Scenarios
Security-Relevant Logs and Tracing
(C) SAP AG 19
The trace and log files of Master Data Governance use the standard mechanisms of
SAP NetWeaver. For more information, see the following sections in the SAP
NetWeaver Security Guide at http://service.sap.com/securityguide:
Auditing and Logging
Tracing and Logging (AS Java)
Segregation of Duties
Segregation of duties can be achieved by assigning roles to users and in addition by a
strict separation of the user groups for the workflow.
Activities
Assigning Roles to Users
You can assign roles to a user using the following transactions:
User Maintenance SU01
Use this transaction to assign one or more roles to one user.
Role Maintenance PFCG
Use this transaction to assign one or more users to one role.
Separating User Groups for the Workflow
Depending on the component of Master Data Governance you intent to configure use
the following Customizing activities to separate the user groups:
MDG-M, MDG-F
Run the Customizing activity under Master Data Governance General
Settings Process Modeling Workflow Rule-Based Workflow Configure
Rule-Based Workflow
MDG-S
Run the Customizing activity under Master Data Governance Master
Data Governance for Supplier Workflow Assign Processor to Change
Request Step Number in BRFplus for Supplier
MDG-C
Depending on the change request step, run the following Customizing
activities under:
o Master Data Governance General Settings Process Modeling
Workflow Other MDG Workflows Assign Processor to Change
Request Step Number (Simple Workflow)
(C) SAP AG 20
o Master Data Governance Master Data Governance for Supplier
Workflow Assign Processor to Change Request Step Number in
BRFplus for Supplier
For further information, see Configuring Master Data Governance for
Customer.
For informations about the corresponding roles, see the documents listed below:
Authorization Objects Used by Master Data Governance
Supplier Master Data Governance (CA-MDG-APP-SUP)
Customer Master Data Governance (CA-MDG-APP-CUS)
Material Master Data Governance (CA-MDG-APP-MM)
Financial Master Data Governance (CA-MDG-APP-FIN)
Custom Objects (CA-MDG-COB)
Authorization Objects Used by Master Data Governance
Authorization Objects
The following authorization objects are used by all components of Master Data
Governance.
Authorization
Object Description
MDG_MDF_TR Master Data: Transport
MDG_IDM Key Mapping
USMD_CREQ
Change Request
Note
Specify a number range for the object USMD_CREQ using
transaction SNRO.
End of the note.
USMD_MDAT Master Data
USMD_UI2 UI Configuration
DRF_RECEIVE Authorization for outbound messages for receiver systems
DRF_ADM Create Outbound Messages
(C) SAP AG 21
Authorization
Object Description
CA_POWL Authorization for iViews for personal object worklists
BCV_SPANEL Execute Side Panel
BCV_USAGE Usage of Business Context Viewer
MDG_DEF Data Export
MDG_DIF Data Import
Caution
For information about component specific authorization objects, see the
corresponding sections:
Supplier Master Data Governance (CA-MDG-APP-SUP)
Customer Master Data Governance (CA-MDG-APP-CUS)
Material Master Data Governance (CA-MDG-APP-MM)
Financial Master Data Governance (CA-MDG-APP-FIN)
Custom Objects (CA-MDG-COB)
End of the caution.
Standard Role
Role Name
SAP_MDG_ADMIN Master Data Governance Administrator
This role contains authorizations needed for administrative tasks and for setting up a
base configuration in all components of Master Data Governance. Some
authorizations enable critical activities. If multiple users in your organization are
entrusted with the administration and configuration of Master Data Governance, we
recommend that you split the role into several roles, each with its own set of
authorizations. The role does not contain the authorizations for the respective master
data transactions.
Supplier Master Data Governance (CA-MDG-APP-SUP)
Authorization Objects
Supplier Master Data Governance does not have dedicated authorization objects, but
instead uses the authorization objects of the business objects Business Partner and
(C) SAP AG 22
Vendor, the authorization objects of the Application Framework for Master Data
Governance, and the authorization objects of the Data Replication Framework.
Authorization Object Description
B_BUPA_GRP
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.
End of the note.
Business Partner:
Authorization Groups
B_BUPA_RLT Business Partner: BP Roles
B_BUPR_BZT
Business Partner
Relationships: Relationship
Categories
F_LFA1_APP Vendor: Application
Authorization
F_LFA1_BEK
Note
This authorization object is optional. You need to assign
this authorization object only if master data records are to
be specifically protected.
End of the note.
Vendor: Account
Authorization
F_LFA1_BUK Vendor: Authorization for
Company Codes
F_LFA1_GEN Vendor: Central Data
F_LFA1_GRP Vendor: Account Group
Authorization
M_LFM1_EKO Purchasing organization in
supplier master data
USMD_MDATH Hierarchy Authorization
Caution
Authorization objects used by all components of Master Data Governance are located
under Master Data Governance (CA-MDG)
(C) SAP AG 23
End of the caution.
Standard Roles
Role Name
SAP_MDGS_MENU_03 Master Data Governance for Supplier: Menu
SAP_MDGS_DISP_03 Master Data Governance for Supplier: Display
SAP_MDGS_REQ_03 Master Data Governance for Supplier: Requester
SAP_MDGS_SPEC_03 Master Data Governance for Supplier: Specialist
SAP_MDGS_STEW_03 Master Data Governance for Supplier: Data Steward
SAP_MDGS_LVC_MENU_03
Master Data Governance for Supplier: Lean
Requester Menu
SAP_MDGS_LVC_REQ_03
Master Data Governance for Supplier: Requester
Menu
If you want to restrict the authorizations for users or roles to specific values, go to
Create Authorizations for Data Model and define which entity types and attributes are
authorization relevant.
Customer Master Data Governance (CA-MDG-APP-CUS)
Authorization Objects
Customer Master Data Governance mainly uses the authorization objects of the
business objects Business Partner and Customer, the authorization objects of the
Application Framework for Master Data Governance, and the authorization objects of
the Data Replication Framework.
Note
Depending on whether you use the Customer Master Data Governance on a hub
system or on a client system a different set of authorization objects is required.
End of the note.
Authorization Object Description Hub Client
B_BUPA_GRP
Note
This authorization object is optional. You need
Business Partner:
Authorization Groups x x
(C) SAP AG 24
Authorization Object Description Hub Client
to assign this authorization object only if master
data records are to be specifically protected.
End of the note.
B_BUPA_RLT Business Partner: BP
Roles x x
B_BUPR_BZT
Business Partner
Relationships:
Relationship Categories
x x
F_KNA1_APP Customer: Application
Authorization x x
F_KNA1_BED
Note
This authorization object is optional. You do
not need to assign this authorization object if no
master records are to be specifically protected.
End of the note.
Customer: Account
Authorization x x
F_KNA1_BUK
Customer:
Authorization for
Company Codes
x x
F_KNA1_GEN Customer: Central Data x x
F_KNA1_GRP Customer: Account
Group Authorization x x
MDGC_LCOPY Copy Customer Master
Data from MDG Hub — x
USMD_MDATH Hierarchy Authorization x —
V_KNA1_VKO
Customer:
Authorization for Sales
Organizations
x x
Caution
Authorization objects used by all components of Master Data Governance are located
under Master Data Governance (CA-MDG)
End of the caution.
(C) SAP AG 25
Standard Roles
Role Name
SAP_MDGC_MENU_03 Master Data Governance for Customer: Menu
SAP_MDGC_DISP_03 Master Data Governance for Customer: Display
SAP_MDGC_REQ_03 Master Data Governance for Customer: Requester
SAP_MDGC_SPEC_03 Master Data Governance for Customer: Specialist
SAP_MDGC_STEW_03 Master Data Governance for Customer: Data Steward
If you want to restrict the authorizations for users or roles to specific values, go to
Create Authorizations for Data Model and define which entity types and attributes are
authorization relevant.
Material Master Data Governance (CA-MDG-APP-MM)
Authorization Objects
Material Master Data Governance does not have dedicated authorization objects, but
instead uses, for example, the authorization objects of the Material Master and the
Application Framework for Master Data Governance.
Authorization Object Description
M_MATE_MAT Material Master: Material
M_MATE_MAR Material Master: Material
Type
M_MATE_WGR Material Master: Material
Group
M_MATE_STA Material Master: Maintenance
Status
M_MATE_MTA Material Master: Change
Material Type
M_MATE_WRK Material Master: Plant
M_MATE_MAN Material Master: Central Data
M_MATE_NEU Material Master: Create
M_MATE_BUK Material Master: Company
(C) SAP AG 26
Authorization Object Description
Codes
M_MATE_VKO
Material Master: Sales
Organization/Distribution
Channel
M_MATE_LGN
Note
This authorization object might become relevant if
you enhance the data model for Material Master Data
Governance.
End of the note.
Material Master: Warehouse
Numbers
USMD_MDATH
Note
You need this authorization object if you create and
change hierarchies.
End of the note.
Hierarchies
C_KLAH_BKL Authorization for
Classification
C_KLAH_BSE Authorization for Selection
C_TCLA_BKA Authorization for Class Types
DRF_RECEIV Authorization for outbound
messages for receiver systems
DRF_ADM Create Outbound Messages
PLM_SPUSR
Note
You need this authorization object for the object type
PLM_MAT only if the search object connector of
SAP NetWeaver Enterprise Search is created for the
following Enterprise Search software components:
PLMWUI
Software components that include PLMWUI
Superuser by Object Type
(C) SAP AG 27
Authorization Object Description
For more information about SAP NetWeaver
Enterprise Search, see SAP NetWeaver Enterprise
Search.
End of the note.
Caution
Authorization objects used by all components of Master Data Governance are located
under Master Data Governance (CA-MDG)
End of the caution.
Standard Roles
Role Name
SAP_MDGM_MENU_03 Master Data Governance for Material: Menu
SAP_MDGM_DISP_03 Master Data Governance for Material: Display
SAP_MDGM_REQ_03 Master Data Governance for Material: Requester
SAP_MDGM_SPEC_03 Master Data Governance for Material: Specialist
SAP_MDGM_STEW_03 Master Data Governance for Material: Data Steward
If you want to restrict the authorizations for users or roles to specific values, go to
Create Authorizations for Data Model and define which entity types and attributes are
authorization relevant.
Financial Master Data Governance (CA-MDG-APP-FIN)
Authorization Objects
Authorization Object Description
USMD_DIST
Note
This authorization object is used if you have not activated
business function MDG_FOUNDATION.
(Switch: FIN_MDM_CORE_SFWS_EHP5)
End of the note.
Distribution
(C) SAP AG 28
Authorization Object Description
USMD_EDTN Edition
USMD_MDATH Hierarchy
Authorization
USMD_UI
Note
This authorization object is used if you have not activated
business function MDG_FOUNDATION.
(Switch: FIN_MDM_CORE_SFWS_EHP5)
End of the note.
UI Model
USMD_UI2
Note
This authorization object is used if you have activated business
function MDG_FOUNDATION. (Switch:
FIN_MDM_CORE_SFW5_EHP5)
End of the note.
UI Configuration for
Single Processing
Caution
Authorization objects used by all components of Master Data Governance are located
under Master Data Governance (CA-MDG)
End of the caution.
Standard Roles
Role Description
SAP_MDGF_MENU_03 Master Data Governance for Financials: Menu
SAP_MDGF_DISP Master Data Governance for Financials: Display
SAP_MDGF_REQ Master Data Governance for Financials: Requester
SAP_MDGF_SPEC Master Data Governance for Financials: Specialist
SAP_MDGF_STEW Master Data Governance for Financials: Data Steward
If you want to restrict the authorizations for users or roles to specific values, go to
Create Authorizations for Data Model and define which entity types and attributes are
authorization relevant.
(C) SAP AG 29
Custom Objects (CA-MDG-COB)
Authorization Objects
You can use the following authorization objects in the Custom Objects component:
Authorization Object Description
USMD_DIST Replication
USMD_DM Data Model
USMD_EDTN Edition Type
USMD_MDATH Hierarchies
USMD_UI UI Model
Caution
Authorization objects used by all components of Master Data Governance are located
under Master Data Governance (CA-MDG)
End of the caution.
Standard Role
Role Name
SAP_MDGX_MENU
Master data governance for self-defined
objects
SAP_MDGX_FND_SAMPLE_SF_03
Master data governance for self-defined
objects - Flight Data Model example
If you want to restrict the authorizations for users or roles to specific values, go to
Create Authorizations for Data Model and define which entity types and attributes are
authorization relevant.
Appendix
For more information about the security of SAP applications see SAP Service
Marketplace at http://service.sap.com/security.
You can also access additional security guides via SAP Service Marketplace at
http://service.sap.com/securityguide.
(C) SAP AG 30
For more information about security issues, see SAP Service Marketplace at
http://service.sap.com followed by:
Topic SAP Service
Marketplace
Master guides, installation guides, upgrade guides, and
Solution Management guides
/instguides
/ibc
Related notes /notes
Platforms /platforms
Network security /network
/securityguide
Technical infrastructure /ti
SAP Solution Manager /solutionmanager